You can also read through these steps on this page: Analyzing SonicWALL log files with WebSpy.

Creating and Importing SonicWALL log files

Analyzing SonicWALL log files

We intend to make some SonicWALL specific report templates available on our SonicWALL how to page soon.

Until then, feel free to create your own templates, or modify our existing web reports to include the extra goodies contained in the SonicWALL logs.

TIP: To modify an existing web report, right-click the report and choose ‘Duplicate template’. Then choose the “SonicWall Web” schema. You’ll then have a report template that you can modify to include all the SonicWALL summaries, such as Categories, and Source and Destination Interface.

If you need some assistance getting the report(s) you need, feel free to contact me, or support@webspy.com.

Take a look at our dedicated Astaro pages to get an idea of what can be achieved when analyzing Astaro Web Gateway log files with WebSpy Vantage.

I’ve created some quick videos to show you how to enable the correct logging options on the Astaro Security Gateway appliance, how to import these log files into Vantage, and analyze the data on the Summaries screen.

Configure Logging

The best way to configure logging is to setup a 3rd party syslog server (such as Kiwi Syslog) on a machine in your network, then configure the Astaro Security Gateway to send syslog messages to that server. The syslog server then creates log files that can be imported into WebSpy Vantage. This video takes you through that process.

Importing and Analyzing Astaro logs

Once you have successfully configured syslogging on your Astaro Security Gateway, you can import the log files into WebSpy Vantage and analyze activity on the Summaries screen. This video takes you through that process.

We intend to make some Astaro specific report templates available on our Astaro How To page soon.

Until then, feel free to create your own templates, or modify our existing web reports to include the extra goodies contained in the Astaro logs.

TIP: To modify an existing web report, right-click the report and choose ‘Duplicate template’. Then choose the “Astaro Security Gateway – Filter with category” schema. You’ll then have a report template that you can modify to include all the Astaro summaries, such as Actions and Categories.

If you need some assistance getting the report(s) you need, feel free to contact me, or support@webspy.com.

Google states that the most obvious change is that you get to the right content much faster than before because you don’t have to finish typing your full search term, or even press “search.” Another alleged benefit is that seeing results as you type will help you formulate a better search term by providing instant feedback.

Google anticipates that Instant will not slow your Internet connection. Even though they are serving more results pages, the additional load this enhancement creates is very small when compared to other types of web services such as streaming video and online gaming. Google has also worked to minimize the amount of data that is sent and received during the search process. For example, when rendering new results as you type, Google only send the parts of the page that change, without updating the static elements, such as a the page frame around the results.

How will Google Instant affect your log files?

Google clearly anticipates that Instant will significantly affect user search behavior, but what effect will it have on the data in log files and accuracy of Internet usage reporting?

To test this I turned on Instant search and typed in “london population with instant search”, turned Instant search off and typed in “london population without instant search”. I made sure both searches were typed in during a similar time frame, approximately 10 seconds. I then ran a report in Vantage on site keywords and got below results:

Looking at the above hits and size results it is clear that Google Instant search will substantially decrease the number of hits generated during a typical Google search while increasing the amount of data downloaded.

We’ve just completed our ‘WebSpy Reporting for Cisco IronPort’ video. Although this video is aimed at the Cisco channel we’d thought we share it with the rest of the WebSpy community as it provides a great high level overview of Vantage Ultimate’s ability to, not only import and spit out reports, but to learn about an organization’s structure in order to securely deliver the right report to the right person at the right time.

Vantage Ultimate is structured in two parts. One windows application, that handles administration of importing log files, learning about your organizational structure, creating and running reports, and one web application (aka the web module) where users can securely log in to view the report that has been produced for them.

Have a look at the short video below to find out what WebSpy’s founder, Jack Andrys, and product operations manager, Scott Glew, have to say about WebSpy’s and IronPort’s compatibility, as well as a demo of Vantage Ultimate in action.

What’s the point with secure and easy report distribution you might ask? Well, among other things:

Distribute Information. Distribute Responsibility.

IT Managers are too often left with the responsibility of managing and enforcing acceptable Internet usage for the entire organization.

Using Vantage Ultimate administrators can distribute reports to managers or department heads that show the activity of their direct subordinates, placing the responsibility of enforcing acceptable usage with the managers themselves.

Empower Users. Full Disclosure.

You can use Vantage Ultimate to distribute reports to each member in your organization detailing their own personal Internet usage (sites visited, search terms used etc). This empowers users to modify their own behavior once they understand how much of their activity is productive or unproductive and what it costs the organization. It also serves as a gentle reminder to employees that their activities are being recorded and that they should keep their online behavior within the bounds of the organization’s acceptable use policy.

From a privacy point of view, Vantage Ultimate is an easy way to provide employees with full disclosure regarding the information recorded about them.

Self Serve, On-Demand Investigation.

You can also use Vantage Ultimate to distribute original data storages to any of your organization’s members, enabling them to conduct their own ad-hoc drilldowns on any information they require. For example, distribute storages to HR managers enabling them to investigate the activity of employees that have handed in their resignation notice, but still have access to confidential company resources.

Protect Employee Privacy.

By assigning permissions to each of your Vantage Ultimate users, you can ensure they can only view the reports they are allowed to view. However, some employees need to view the traffic of all users, but do not necessarily need to identify users. For example, a network administrator may need to view the amount of traffic downloaded from a particular site per user, but does not need to know which users where involved.

This is easily achieved using the ‘Identify users’ permission, which masks all usernames with a hash code.

For more information about WebSpy’s compatibility with Cisco IronPort and free 30 day trials, visit www.webspy.com/ironport

So let’s use WebSpy Vantage to drill into that Anonymous user and find out what is going on.

One way to do this is to run an Ad-hoc analysis on the Summaries screen and drilldown into the Anonymous user to view all the information about that user. However, TMG and ISA tend to log a lot of information that may not be relevant to this particular investigation, so I’ve created some report templates (one for ISA and one for TMG) and a set of Aliases that pull out some relevant information.

Download our Anonymous Traffic Investigation Report

If you’re running WebSpy Vantage download the Anonymous Traffic Report Templates & Aliases

Then open the .Templates file on the Reports tab, and the .Aliases file on the Aliases tab. Once you have both files opened, go to the Reports tab and click either the ‘Anonymous Traffic Investigation (ISA)’ or the ‘Anonymous Traffic Investigation (TMG)’ report. Then click the ‘Generate report’ link and run the report template on your ISA or TMG storage.

The report gives you the ability to drill into the Allowed, Denied and Failed traffic to see a list of the unauthenticated IPs, Sites, Rules responsible for blocking or allowing the traffic, unauthenticated Applications and Result Codes.

Main causes of anonymous traffic

What you will probably find is that most of the Anonymous traffic is being denied by your TMG or ISA firewall. When a client first requests a web page, the proxy will challenge the client for authentication. These events are often logged with the result code 12209 meaning ‘authorization is required to fulfill the request’. These requests are therefore denied by the proxy until the client’s credentials are authenticated.

Have a look at the amount of traffic being denied and then checkout the Result Codes associated with the denied traffic. Chances are you’ll see ‘proxy authentication required’ appear predominantly.

If you also look at the Applications section you may also find that Windows Updates are sailing through your TMG or ISA firewall unauthenticated.

Filter out unauthenticated traffic from Reports

The most logical next step is to filter out the information you do not want in your reports. You’ll probably still want to include Windows Update traffic in your reports, but you’re probably not so interested in the ‘proxy authentication required’ information. So let’s filter that out.

To do this:

1. Go to the Reports tab and select the report you want to filter (such as your Organization report)
2. Click ‘Edit Template’, then click ‘Template Properties’.
3. In the filter section at the bottom of the dialog, click Add | Field value filter.
4. Select the ‘Result Code’ summary and select the Status Code Names (ISA-FTMG) alias.
5. On the toolbar, search for Authorization, and check the following two items:
   • The server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.
   • The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.
6. Ensure the ‘Exclude’ radio button is selected and click OK.

If you decide that you don’t care about seeing ANY unauthenticated traffic in your reports, you can always simply filter out the Anonymous user from your reports.

To do this:

1. Go to the Reports tab and select the report you want to filter (such as your Organization report)
2. Click ‘Edit Template’, then click ‘Template Properties’.
3. In the filter section at the bottom of the dialog, click Add | Field value filter.
4. Select the ‘Username’ summary.
5. On the toolbar, click Add and type ‘anonymous’. Click OK.
6. Ensure the Exclude radio button is selected and click OK.

Hopefully this article improves your understanding of the ‘anonymous’ user, and gives you some actions to take for your specific reporting situation.

If you have any questions, please leave a comment below.

“I would like to know how much of my bandwidth is being eaten by each protocol. I will then use this information to determine if circuit may need to be increased due to increased traffic”.

This customer was collecting syslog messages from a Cisco Firewall, then using WebSpy Vantage to generate reports. In theory, this sounds like a fair plan. Unfortunately, the Cisco Firewall logs many different types of messages. Some to do with denied packets, some to do with authentication, some for vpn and so on. The information contained within each message changes. Some events include the size information that is required for any type of bandwidth assessment and some don’t. Correlating the required events to get any sort of accurate ‘bandwidth’ representation is a bit of a nightmare.

Fortunately, there’s a simpler method. If you search the Cisco website or the Internet for bandwidth utilization reporting, you’ll no doubt be pointed in the direction of NetFlow.

NetFlow is a network protocol developed by Cisco Systems to run on Cisco IOS-enabled equipment for collecting IP traffic information [Source Wikipedia http://en.wikipedia.org/wiki/Netflow]

There are a couple of commands to enter on your router to turn NetFlow on, and then you just need a NetFlow collector to receive the Netflow information and generate reports.

Fortunately WebSpy has developed a little tool called FlowMonitor that collects the Netflow information and writes a log file that can then be imported into WebSpy Vantage and reported on.

The FlowMonitor Management Console

Once your FlowMonitor logs are imported into WebSpy Vantage, you can run the default FlowMonitor report to see the size of traffic flowing between IP addresses, subnets, router interfaces or protocols. Alternatively you can create your own custom reports to see exactly what you want to see.

NetFlow doesn’t record usernames or URLs so it’s not great for reporting on the web sites your users are visiting, but it is great for network administration and trouble shooting. Identify chatty IP addresses, protocols that are chewing too much bandwidth, the times throughout the day when incoming or outgoing links become heavily utilized and so on.

For information on how to configure your router and deploy FlowMonitor, see the FlowMonitor Installation and User Guide. You can also download a free trial here.

FlowMonitor is a handy little tool. Ask your friendly WebSpy account manager about it today!

Vantage uses multiple threads to perform certain tasks. As general rule, the more threads being used simultaneously, the higher the CPU utilization. There are a few situations where Vantage uses multiple threads simultaneously:

CPU usage when importing log files

When importing more than one log file, each log will be imported with a separate thread. As CPU usage increases when more threads are used, importing a single log file won’t push your CPU, but importing a folder full of logs will.

CPU usage when generating reports

CPU performance can also be affected by the structure the report you are running. Report templates have what we call ‘Nodes’ in them. You can go into a report template, right-click | add node. Think of each node as an SQL query. When generating a report, each node gets processed in a separate thread, and if the nodes are ‘at the same level’ they get processed at the same time.  Here’s a screenshot showing what I mean by nodes at the same level.

A report template with two 'levels' of nodes

The three ‘red’ nodes will be processed at the same time, and then the three ‘green’ nodes will be processed at the same time. The green nodes won’t be processed until the red nodes have been processed. The more nodes being processed at the same time increases the number of simultaneous threads and the amount of CPU being used.

CPU usage when filtering reports

CPU usage is also affected by the number of records being processed from your storage. If you are running a report on your entire storage with no filters, then Vantage will be pushing all records in your storage through the reporting engine. If you run the same report but with a filter for a specific user, then Vantage will seek through the records in the storage until it finds a record for that user, then push that record through the reporting engine. This results in a ‘trickle’ of records being pushed through the reporting engine so it doesn’t get a chance to really push your CPUs.

A filter that excludes a lot of information that exists in your storage is the most common reason for low CPU utilization while running a report.

In Short

The number of logs, report template structure and filters can all have an effect on the way Vantage utilizes your CPUs.

We also have some exciting ideas on our roadmap to ensure Vantage utilizes as many CPUs as you can throw at it. Until then, I hope the above information helps you understand when and why your CPU usage will and won’t be pushed.

WebSpy’s Industry Fit

WebSpy is a global leader in reporting and analysis on Internet activity when used in partnership with security vendors such as Microsoft ISA Server, Microsoft Forefront TMG, Cisco IronPort, Blue Coat, Sophos, Astaro, Barracuda, Squid Proxy, and many more.

Below image neatly summarizes how WebSpy report on log files from vendor devices in the Unified Threat Management (UTM) and Secure Web Gateway (SWG) sectors, and specifically focus on reporting and analysis on Internet activity aspects within the SIEM sector.

THE REASONS

1. WebSpy Adds Value to Existing Product Portfolio

There’s a multitude of reputable, solid and reliable security vendors that frequently form a part of our resellers’ product portfolio. Their network and security devices do a great job providing network structure and actively protecting against security issues.

However, analysis and reporting is not their forte, not their core, and more often than not reporting is only a feature within their complete network and security solution.

Gartner’s latest Magic Quadrants on SWG and UTM vendors (or “SMB Multifunctional Firewalls” as labelled by Gartner) clearly highlights the security vendor’s weakness in reporting.

Straight from the horse’s mouth, here’s some vendor reporting issues as highlighted by Gartner:

• “Lacking enterprise-class administration and reporting capabilities.”
• “Advanced ad-hoc reporting features are lacking and custom reports are limited to filter settings on existing reports.”
• “Reports are very basic, and there are only a limited number of pre-developed reports.”
• “Per-user reports and forensic investigations are weak.”
• “On-box reporting is very basic and requires Windows and SQL database licenses for the reporting server.”
• “The number of canned reports is low and some reports do not have obvious features, such as pie graph options. Some customers complained about the scalability of the reporting interface.”
• “Users describe the vendor’s reporting and alerting as difficult to use.”
• “Although management is strong, users cite quality of reporting as a deficiency.”

With this information at hand it comes as no surprise that resellers want WebSpy’s reporting solutions to complement and add value to existing Internet security devices and provide their clients with valuable, advanced, customized and scalable reports on the exact use of web servers, web proxy, servers, email server, firewalls, switches, routers, and spam and virus application.

2. WebSpy Helps Generate and Facilitate SWG and UTM sales opportunities

You’ll be surprised by the amount of clients who base the decision of which Internet security device to purchase on reporting abilities.

WebSpy has a proven track record of assisting both Internet security vendors, such as IronPort, Microsoft ISA Server, Sophos, and their resellers in securing sales of their Internet security appliances. On numerous occasions our resellers have been able to secure deals, which could have been lost to a competing vendor/reseller, simply because they were able to throw advanced reporting into the mix.

3. WebSpy Substantially Increase Sales Revenue through Add-On Sales

Our resellers have found that recommending WebSpy reporting with every Internet security and network installation gives them the ability substantially increase add-on sales revenue with limited efforts involved.

The fact we offer competitive upgrade rebates if a reseller’s client have already invested time and money in a competing third-party reporting solution, or on-appliance reporting, naturally makes the transition to WebSpy even smoother.

Not convinced? Have a look at these:

• 10 Reasons to report on ISA Server using WebSpy
• 10 Reasons to report on IronPort using WebSpy
• 10 Reasons to report on Sophos using WebSpy
• 8 Reasons NOT to Use Microsoft Forefront TMG’s Reporting

Here’s a quick video outlining some of the differences between TMGs Reporting, and what can be achieved using WebSpy Vantage. The video does not illustrate all the limitations outlined below, so please read on.

Whats is in the Forefront TMG report?

The default TMG report contains the following sections

• Summary
• Web Usage
• Application Usage
• Traffic and Utilization
• Security
• Malware Protection
• URL Filtering
• Network Inspection System

Each section contains overviews such as ‘Top users’ and ‘Top Sites’.

If your reporting requirements can be satisfied with these overviews – that’s great! Unfortunately, when you start thinking about what system administrators and other people in your organization actually need to make informed decisions, this report is quite limiting.

The 8 Limitations of Microsoft Forefront TMG’s Reporting

Here is what I consider to be the 8 main limitations of Microsoft Forefront TMG’s reporting functionality.

1. No Drilldowns

Want to see the sites that the top 5 users accessed? Want to see the users that downloaded the most traffic from youtube? These are fairly standard reporting requirements that simply cannot be achieved using the inbuilt TMG reporting.

WebSpy Vantage lets you either interactively drilldown into a user or site, or produce a regular report that includes further details about what your top users have actually been up to.

2. No Filtering

When you generate a report in TMG, you can only filter the report by a date range. There is no way to filter out anonymous (unauthenticated) traffic or exclude traffic coming from advertising servers (such as doubleclick and 2mdn.net) that tend to dominate most of the top 10 sites.

This can easily be achieved using WebSpy’s software. Check out my video on how to remove clutter from your web reports.

3. No Customization

Customization of each overview in the TMG report is limited to the number of items to show (e.g. top 5 or top 50 users), and the sort order (Incoming Bytes, Outgoing Bytes, Requests and Total Bytes).

What about the time a user spent browsing the web, or the number of users that visited a specific site? There is no way to add custom columns such as total browsing time, average session time, or number of users/sites/IPs to the report tables.

Or say you simply want to change your top users chart from a bar to pie to easily see the percentage used. Nope sorry!

If you do make one of the two available customizations in a TMG report, you then get the annoying Apply / Discard message to save changes to the configuration database.

All of these customizations can be achieved using WebSpy Vantage, and it doesn’t touch your TMG server to apply a change to a report.

4. Limited Report Distribution

When you generate a report, you get the option to email it to a specific email address. What if you would like to create a report for every department, and then email it to the managers of each department? Or better yet, host the report on a secure web server where department managers can log in and view their reports?

WebSpy Vantage Ultimate comes with a secure ‘Web Module’ specifically for this purpose and managers still receive a link to the report via email.

5. Cluttered ‘Top Sites’ List

The ‘Top sites’ list can become particularly cluttered due to the inclusion of sub-domains. I don’t want to mentally add up the size values from farm1.static.flickr.com, farm2.static.flickr.com, and farm3.static.flicr.com – I just want to know how much was downloaded from flickr.com.

This is compounded by the inability to exclude sites that are merely placing advertising banners on the actual sites users are visiting (as mentioned in the ‘No Filtering’ limitation above).

WebSpy Vantage breaks URLs down into separate components and lets you analyze each part separately. Look at the Site Domains summary to remove sub-domains and see only flickr.com. Or perhaps you want to see the keywords a user entered into search engines like Google? Or perhaps the top pages accessed within a website? No problem. Just include the Site Keywords or Site Resource summaries in your Vantage reports.

6. No Grouping or Aliasing

There is no way to group users into departments or locations, or IP addresses into subnets, or extensions such as .html, .pdf or .exe into file types. The ability to group and represent raw log data in more meaningful ways, as offered by WebSpy Vantage, can increase the value of a report tremendously.

7. No Productivity Assessment

One of the major features introduced in TMG since ISA Server 2006 is the included URL categorization technology.

Although the TMG report gives you an overview of the categories that have been visited, the report does not use this information to display a productivity assessment for your users.

WebSpy Vantage not only provides this assessment, but also the ability to customize the categories that are deemed productive as this can vary wildly depending on the industry and organization.

8. Not browser independent

This is a minor limitation that can be a major annoyance. The report that TMG produces is a HTML report that only displays correctly in Internet Explorer. As Forefront TMG is a Microsoft product, this is not exactly surprising, but still very annoying if IE is not your default browser.

How to get awesome reports from Forefront TMG

If you have had personal experience with any of the above limitations, you’ve probably been hunting for an alternative solution. I strongly recommend checking out the WebSpy Vantage range of products, and if you would like secure report distribution via the ‘Web Module’, Vantage Ultimate is what you are after.

If you agree or disagree with anything in this article, I encourage you to leave your thoughts in the comments.

Cheers!

Scott

We are all well aware of the less desirable effects this behavior has on a business. Loss of productivity, wasting precious bandwidth and potential for sexual harassment law suits.

Now imagine that the financial advisor’s near-nude photo browsing is being captured and broadcasted live on one of Australia’s national news network for millions of people to see, and later watch on YouTube. Wait, you don’t have to imagine. This actually happened.

Another wealth advisor at the bank was being interviewed on the financial market’s reaction to the Australian Reserve Bank keeping interest rates on hold. However, I don’t think anyone paid attentions to the interest updates as all eyes were on fixed on the computer screen in the background.

Hopefully this will act as a a reminder to all organizations – No matter how strict your acceptable Internet/Email usage policy is, it is worthless if adherence to it is not properly monitored.

TMG or UAG? What is the difference?

TMG is an outgoing proxy that protects your internal users from malware, viruses and the like. TMG generates some great web proxy log files to import into WebSpy Vantage allowing you to monitor where your users are going on the Internet, how much they’re downloading etc.  TMG, unlike ISA, now has deep packet inspection for HTTPS traffic, plus a bunch of other new features.

UAG is an incoming proxy that provides employees, partners and vendors secure remote access to corporate resources such as Outlook Web Access (OWA) and Sharepoint (MOSS). It utilizes the TMG engine, but this is mainly just to protect the UAG server (more on this topic here http://technet.microsoft.com/en-us/library/ee522953.aspx).

TMG can also publish your OWA and MOSS sites, but this is no longer recommended by Microsoft. They recommend using a dedicated UAG server to perform this function.

Upgrading to TMG

If you’re thinking about migrating your ISA server (2004 or 2006) to TMG, you may like to check out this migration guidance video with Mohit Saxena (Senior Technical Lead) and Jim Harrison (Program Manager). http://edge.technet.com/Media/ISA-to-TMG-Migration-Guidance/

Microsoft Forefront TMG Migration Video

Reporting on TMG

If you’re using TMG at the moment, we invite you to analyze your web proxy and/or firewall logs using WebSpy Vantage and tell us what you think!  Download your copy of WebSpy Vantage here, and import your logs using the Microsoft FTMG format:

Microsoft Forefront Threat Management Gateway

In the mean time, I thought I’d share a way to re-brand the main elements in the Web Module by editing a few files and replacing a few images.

The only issue with this technique is that any future auto-updates for the Web Module will overwrite your edited files, so you just need to keep a copy of your customized files, so that you can restore them again after the auto-update.

Before you begin

In order to edit anything, you first need to know where your Web Module is located on your web server’s hard drive. This can be found by opening IIS Manager (Start | Control Panel | Administrative Tools | Internet Information Services (IIS) Manager) expanding the left hand server/site tree to find your Web Module.

• In IIS7, select the Web Module and click Basic Settings… in the right hand ‘Actions’ panel. The location is specified in ‘Physical Path’.
  

  Finding the Web Module's physical path in IIS7

• In IIS6, right-click the Web Module and select Properties… then go to the Home Directory tab. The location is specified in ‘Local Path’.

Windows may also prevent you from editing these files directly due to permissions issues. I’ve found a good technique is to copy the files you want to edit to your desktop, edit them, and then copy them back into the Web Module’s physical path. Windows will then prompt you to elevate to administrator and the copy/replace will succeed.

Ready To Go…

There are a few places where the WebSpy logo and WebSpy Text is presented.

• The login page
• The header bar
• The welcome Page
• Report cover pages

The Login page

The logo displayed on the login page can be found at /images/logo.png. Replace this image with your own logo. Then open Default.aspx in the Web Module’s root folder in a text editor such as notepad, and replace the following line

<img runat=”server” alt=”WebSpy” src=”~/Images/Get.ashx?image=Logo” />

with

<img runat=”server” alt=”WebSpy” src=”~/Images/logo.png” />

Before

Web Module's Login Page Before logo.png Change

After

Web Module Login Page After logo.png change

The header bar

The header bar utilizes the image located a /Images/bauble.png. Replace this image with your own custom image.

Then open Navigation.Master in the Web Module’s root folder in a text editor such as notepad, and replace the following line

Also look for the text:

Before

Web Module's Header Bar Before Bauble.png and Text Changes

After

Web Module's Header Bar After Bauble.png and Text Change

The Welcome Page

When you first login to the Web Module, you are presented with a Welcome Page. The first line on this page reads “Welcome to the WebSpy Vantage Web Module. You can change this by editing the first line in the Welcome.aspx file located in the Web Module’s root folder. Edit the section in bold below:
<%@ Page Language=”C#” MasterPageFile=”~/Navigation.Master” AutoEventWireup=”true” CodeBehind=”Welcome.aspx.cs” Inherits=”WebSpy.Vantage.WebModule.Welcome” Title=”Insert Custom Text Here” %>

Before

Web Module's Welcome Page Before Text Change

After

Web Module's Welcome Page After Text Change

The Report Cover Pages

The Image used on the cover page of reports is much easier to change.

1. Login to the Web Module as Administrator
2. Go to the Options Tab
3. Click ‘Report Logo’ under Web Module Options
4. Click Choose File, and select the image or logo you would like displayed on your report cover page
5. Click Upload

Before

Web Module's Report Cover Page Before Report Logo Change

After

Web Module's Report Cover Page After Report Logo Change

Summary

The changes above cover a majority of the areas your users will come into contact with in the Web Module. There may be a few more instances of the word “WebSpy” but for the most part, it should just be a matter of opening the relevant .aspx file and editing the html.

As I mentioned, if you auto-update the Web Module (via the system tray icon on the Web Module server), your edited files will be overwritten. I recommend keeping a copy of your edited files in a safe place outside the Web Module’s physical folder, so that you can copy them back in after the update. If the only changes you make are the ones above, then you’ll need to keep a copy of:

• /Navigation.Master
• /Default.aspx
• /Welcome.aspx
• /Images/logo.png
• /Images/bauble.png

We will also be adding the functionality to make these changes ‘properly’ in a future build, so follow us on Twitter, or subscribe to our RSS feed for updates!

Cheers!

New research from Robert Half Technology indicates that over half of chief information officers (CIOs) do not allow employees to visit social networking sites for any reason while they’re at work. This information comes from a survey of 1,400 CIOs from companies around the US with 100 or more employees.

Is this strictness justified? Amber Naslund makes some good points in a WebProNews interview. Among other things she says that instead of employers telling their staff how they should not be using social media, they should try balancing that by giving them some ways that they should use it.

What I say – People are not robots, employers need to find a middle-way

In some parts of the world, bandwidth is charged at exorbitant rates, so some sort of safeguard and watchfulness are required from a pure cost standpoint.

I feel it is unreasonable, however, to expect employees to work without some sort of social interaction, especially in a client-facing role. Humans are social creatures and being social stimulates all sorts of wonderful brain activity; production CAN be increased as long as employees understand what REASONABLE use of the Internet entails.

“Phone bills are itemized, and web browsing should be too!”

More often than not, this distinction is not explained or understood. We all have telephones on our desk these days, but it would be unthinkable for us as employees to spend all day chatting to our wives, husbands, girlfriends, boyfriends. Phone bills are itemized, and web browsing should be too.

While this may come across as a plug for our products, it is far more than that. I truly believe that blocking defeats the purpose and the spirit of the Internet in general. I’ve dealt with companies that lock down everything except for 50 sites. I’ve also dealt with companies that perform no monitoring, reporting, or any such user governance. Both forms of policies (if you can call the latter example a policy) are extreme and do no good in the long term.

At WebSpy we have found the majority consensus of our customer base to be alike: they return to us and tell us that their bandwidth usage, and their employee browsing habits have all changed for the better when their employees have it explained to them that before work, after work and during lunch, no one really cares what you do or where you go – within reason (and seriously, browsing for porn at work is unbelievably stupid) – and that everything you say and do online bears some reflection back to your employer.

Education always triumphs over draconian measures!

Rather than sneer at your user base with some ideological feeling of moral superiority, educate and explain to them what the consequences of their browsing habits are. Ultimately, they will still appreciate their pay cheque arriving and will avoid the chance of jeopardizing such things. Inserting Internet usage policies into contracts protects the employer and informs the employee exactly where he stands.

Would love to hear YOUR thoughts on this subject!

If you’re considering upgrading your ISA Server to TMG, this means that you can start your deployment using the Release Candidate, and simply switch it to a licensed version with no additional configuration changes once the full release is available. At least, that is what Vladimir Holostov (Lead Program Manager, Release Manager for Forefront TMG 2010) states on the Forefront TMG (ISA Server) Product Team Blog:

“The final product will be released later this year and you can expect it to behave exactly like the Release Candidate. You can install Forefront TMG 2010 RC today and upgrade to a licensed version once available without changing the configuration of your deployment.”

To offer some peace of mind for organizations considering the deployment, Vladimir also mentions that “Forefront TMG 2010 RC is deployed at three major Microsoft sites located around the world in Haifa, Bellevue and Redmond. More than 20,000 employees are already protected by TMG and these deployments have already accumulated more than 5,000 hours of runtime, performing extremely well under heavy load”.

No major features have been added to the Release Candidate since Beta 3, however there have been improvements geared around tightening up security, reliability and performance and telemetry. For more information about the release candidate, please visit the
Forefront TMG (ISA Server) Product Team Blog.

You can also download the release candidate here

I mentioned in my last blog posting that WebSpy has introduced support for reporting on Microsoft Forefront TMG log formats in the Vantage product range. To try it out, please make sure you have installed Vantage 2.2 (any flavour – Premium, Giga or Ultimate), and then select Tools | Check for updates to download build 2.2.0.10 or above. You can then import your TMG log files by selecting the Microsoft FTMG loader in the import wizard.

Importing Microsoft Forefront Threat Management Gateway Log Files

We’re very interested to hear your thoughts on the reporting functionality, so please go ahead and give it a go!

We’ve got a great deal at the moment where you get 20% off Live and Sentinel if you purchase them online with Analyzer Standard.

Watching a single video on YouTube will probably generate a list of about three to five sites such as lax-v41.lax.youtube.com, www.youtube.com, img.youtube.com, and so on. Your list of top sites also probably contains hits to ad servers and tracking servers, such as doubleclick.net, google-analytics.com and imrworldwide.com. All this clutter gets in the way of determining what sites were ‘intentionally’ visited.

Fortunately there are a few simple steps you can take to exclude this information from your reports. Watching is much easier than reading, so I thought I’d create a video demo to walk you through the process.

By the way, this is the first video demo of what I hope will be many more to come. I created it using TechSmith’s Camtasia Studio which is by far the best screen recording software I’ve used. All the zooming you see throughout the demonstration is completely auto-magical! It’s a brilliant piece of software that has saved me hours of time. Props to the guys at TechSmith! The one pitfall of Camtasia is that it seems to make me sound like a geek with a raw Aussie accent… I hope they fix that in the next version.

Anyway, I hope you find this useful.

What can log data do for you?

Organisations today are deploying a variety of security solutions to counter the ever increasing threat to their email and Internet investments. Often, the emergence of new threats spawns solutions by different companies with a niche or a specialty for that specific threat – whether it is a guard against viruses, spam, intrusion detection, Spyware, data leakage or any of the other segments within the security landscape.

This heterogeneous security environment means that there has been a proliferation of log data generated by the various systems or devices. As the number of different log formats increases coupled with the sheer volume of log data, the more difficult it becomes for organisations to turn this data into meaningful business information.

Transforming data into information means that you know the “who, what, when, where, and how” – giving you the ability to make informed business decisions. There is no point capturing data if you do not use it to improve aspects of your business. Reducing recreational web browsing, improving network performance, and enhancing security, are just a few outcomes that can be achieved using information from regular log file analysis.

To achieve these outcomes, it is important for organisations to have a log management process in place with clear policies and procedures and also be equipped with the appropriate tools that can take care of the ongoing monitoring, analysis and reporting of these logs.

Having tools that are only used when a major problem has occurred only gives you half the benefit. Regular reporting is required in order to be pro-active and track patterns or behaviours that could lead to a major breach of policy or impact mission critical systems.

10 tips to help organizations get started with an effective proactive logging and reporting system:

1. Establish Acceptable Usage Polices
Establish policies around the use of the Internet and email and make staff aware that you are monitoring and reporting on usage. This alone is an effective step towards reducing inappropriate usage, but if it’s not backed by actual reporting, employees will soon learn what they can get away with.

2. Establish Your Reporting Requirements
Gather information on what you want to report and analyse. Ensure this supports your obligations under any laws or regulations relevant to your industry or geography.

3. Establish Reporting Priorities
Establish priorities and goals based on your organisation’s risk management policies. What are the most important security events that you need to be alerted to?

4. Research your existing logging capabilities
Research the logging capabilities of the devices on your network such as proxy servers, firewalls, routers and email servers and ensure they are producing an audit log or event log of activity.

5. Address shortfalls between your reporting requirements and log data
Open each log file to get a feel for what information is captured and identify any shortfalls with your reporting requirements. Address any shortfalls by adjusting the logging configuration or implementing an independent logging tool such as WebSpy Sentinel.

6. Establish Log Management Procedures
Establish and maintain the infrastructure and administration for capturing, transmitting, storing and archiving or destroying log data. Remember that archiving reports may not be enough as sometimes you may be required to go back and extract from the raw data.

Ensure data is kept for an appropriate period of time after each reporting cycle and that the raw data related to important events is securely archived.

7. Evaluate and decide on a Log File Analysis Product
Evaluate log file analysis and reporting products such as WebSpy Vantage to make sure your log formats are supported, your reporting requirements are met and that it is capable of automated ongoing reporting.

Ensure it can be used by business users as well as specialist IT staff, removing the dependence on these busy and critical staff members.
Make sure the vendor is willing to work with you to derive value from your log data. Often a vendor that supports many different log formats will have some insight that may help you in obtaining valuable information from your environment.

8. Establish Standard Reporting Procedures
Once a report product has been decided on, establish how regularly reports should be created, who is responsible for creating them, and who is able to view them. Store user reports in a secure location to ensure confidentiality is maintained.

9. Assign Responsibilities
Identify roles and responsibilities for taking action on events, remembering that responsibility is not only the security administrator’s domain.

10. Review and Adapt to Changes
Because of the metamorphic nature of the security environment it is important to revisit steps 1-9 regularly and fine tune this process to get the maximum value.

Download pdf version.