
Reporter 10.x Reporting Guide

Reporter 10.1.x Guide Revision 10.1.4.2/12/16/16


Reporter 10.x Reporting Guide/ Page 2
Copyrights
Copyright 2016 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and
the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other
countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes
only and is not intended as advertising. All warranties relating to the information in this document, either express or
implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change
without notice.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE
EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL
NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS
DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

www.symantec.com

Blue Coat Reporter 10.x Reporting Guide


This document provides introductory information about the Blue Coat Reporter 10.x reporting features. The Reporter
online Help provides context-sensitive information for all reporting tasks.

This document provides the following:

- How to create a database and log source.
- How to use the dashboards.
- How to perform scheduling and filtering tasks.

Table Of Contents

Copyrights 3
Blue Coat Reporter 10.x Reporting Guide 4
Table Of Contents 4
Create a Database 6
  Procedure 6
  About Log Source Statuses 8
  About Database Statuses 9
  Refer to Other Documentation 9
About the Reporter Dashboard 10
What Can I Do From a Report? 11
  Manage the Report 11
  Drill Down For More Details 11
Apply a Report Filter 13
  Filter Options 13
  Use Case: Filter for Users Who Report to Me 14
Download a Report 15
Email a Report 16
Archive a Report 17
  About the Export to PDF 17
  Procedure 17
In Brief: CA + MA Database 18
  Solution Overview 18
  Malware Notes 20
  Requirements 20
  Reporter Configuration 21
  Reporter Notes 21
  Other Documentation Resources 21
In Brief: WAF Reporting Database 22
  Requirements 23
  Reporter Configuration 23
  Notes 23
  Other Documentation Resources 23



Create a Database
After configuring the ProxySG appliance to upload access logs to an FTP server, you can now create a Reporter database
(and associated log source) that processes those access logs.

Procedure
1. Access the Reporter interface with Admin credentials.
2. Click Administration (link in upper-right corner).
3. Select General Settings tab > Data Settings > Databases.
4. Create a new database.
   a. Click New. Reporter displays the Create New Database wizard.
   b. Set Type: Accept the default ProxySG (main) option and click Next.
   c. Name the database and click Next.
   d. Set the Default check for new log files, that is, how often this database queries for yet-to-be-processed access
      logs. Note: You can configure each Log Source to use this default or to process at different times.
   e. Click New Log Source. Reporter displays the Create New Log Source wizard.
5. Connect to the FTP server.
   a. Select FTP Server Source and click Next.
   b. Name the log source; click Next.
   c. Enter the FTP server access credentials (Hostname/IP, Port, Username, and Password).
   d. Enter the Directory Path to the log files on the FTP server.
   e. The default File Pattern value is an asterisk (*). Consult the online help about searching for specific log files.
      For this initial task, Reporter processes all files with the .log or .log.gz extensions (and ignores all other
      extensions).
   f. If the access log directories contain multiple sub-folders, select Process Subdirectories to ensure all
      content is processed. Click Next.
   g. (Optional) Specify how often Reporter checks this log source for new files (this setting takes precedence over the
      database schedule).
      - Use Database Default: Reporter uses the default setting from Step 4d.
      - Custom Schedule: Specify an alternate check time from the database default. For example, the
        database checks daily, but this log source only requires a weekly check.
      Click Next.
   h. Specify a post-processing action, or what happens to the log files after Reporter adds the data to the
      database.
      - Rename: Append '.done' to the filename: Reporter appends .done to the existing .gz or .log
        suffix, so the file no longer matches the .log or .log.gz extensions and is not processed again.
      - Move to folder: The files move to the specified directory.
      - Delete log file: Files are deleted from the FTP server directory. Only select this option if you are
        certain that you will never need to process these logs again.
      Click Done. Reporter returns to the Create New Database wizard. Click Next.
6. Specify how long data remains in this database. Reporter purges data from the database at the specified dates and
   times.

   Beginning with Reporter 10.1.3: During the data purge, Reporter reclaims RAM. Blue Coat recommends that you
   perform any large-scale manual database purging during non-production hours.

   Reporter expires a database based on the amount of time since the last processed log entry, not when the
   database was created.

   Click Next.
7. Click Done; Reporter creates the new database with associated log source.
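The file-selection and post-processing rules from steps 5e to 5h, modelled in an added example (this is not Reporter code; Reporter's own implementation is not published). It shows why the Rename action is the safe default: a file that already carries .done no longer matches the .log or .log.gz extensions, so a second check of the same directory picks up nothing. The directory tree, file names, and function names are constructed for this example.

```python
"""Simulate how a Reporter FTP log source selects and post-processes files.

Added example, not Reporter code. Rules reproduced from the procedure above:
only files ending in .log or .log.gz are queued, anything already renamed
with the .done suffix is ignored, subdirectories are scanned only when
Process Subdirectories is selected, and the configured post-processing action
(rename, move, delete) runs after each file is consumed.
"""
import fnmatch
import os
import shutil
import tempfile

LOG_SUFFIXES = (".log", ".log.gz")


def select_log_files(root, file_pattern="*", process_subdirectories=False):
    """Return the files a log source would queue for processing under `root`."""
    selected = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not process_subdirectories:
            dirnames[:] = []  # prevent os.walk from descending
        for name in sorted(filenames):
            if not fnmatch.fnmatch(name, file_pattern):
                continue
            # A renamed file ends in .log.done or .log.gz.done, so this check
            # is what stops already-processed files from being re-queued.
            if not name.endswith(LOG_SUFFIXES):
                continue
            selected.append(os.path.join(dirpath, name))
    return selected


def post_process(path, action, move_to=None):
    """Apply the configured post-processing action to one consumed log file."""
    if action == "rename":
        new_path = path + ".done"
        os.rename(path, new_path)
        return new_path
    if action == "move":
        if move_to is None:
            raise ValueError("move action requires a destination folder")
        os.makedirs(move_to, exist_ok=True)
        return shutil.move(path, os.path.join(move_to, os.path.basename(path)))
    if action == "delete":
        os.remove(path)  # irreversible: the guide warns to use this only when re-processing is never needed
        return None
    raise ValueError("unknown post-processing action: %r" % action)


def run_cycle(root, action, file_pattern="*", process_subdirectories=False, move_to=None):
    """One scheduled check of the log source: select, consume, post-process."""
    consumed = select_log_files(root, file_pattern, process_subdirectories)
    for path in consumed:
        post_process(path, action, move_to)
    return [os.path.relpath(p, root) for p in consumed]


def demo():
    """Build a constructed staging tree, then run two checks with the Rename action."""
    root = tempfile.mkdtemp()
    sample = ["SG_main__2016.log.gz", "SG_main__2016.log", "SG_main__2015.log.done", "notes.txt",
              os.path.join("sg2", "SG_main__2016.log")]  # constructed file names
    for rel in sample:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("#Software: constructed sample\n")
    try:
        top_only = [os.path.relpath(p, root) for p in select_log_files(root)]
        first = run_cycle(root, "rename", process_subdirectories=True)
        second = run_cycle(root, "rename", process_subdirectories=True)
        leftover = sorted(os.listdir(root))
    finally:
        shutil.rmtree(root)
    return {"top_only": top_only, "first": first, "second": second, "leftover": leftover}


if __name__ == "__main__":
    print(demo())
```

The first cycle consumes the two top-level logs and the one under sg2; the second cycle finds nothing because every consumed file now ends in .done. Without Process Subdirectories the sg2 file is never seen, which is the situation step 5f is there to avoid.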

About Log Source Statuses

Log sources feed access log data into assigned Reporter databases. You can view the status of each log source.

In Admin mode, select General Settings > Reporter Settings > Data Settings > Log Sources. Reporter displays each
log source in a table.

The Status column provides the current state of data processing, which might depend on the status of the log source(s).

Status        Definition
Processing    The assigned database is currently processing available log lines from the log source.
Loading       Reporter is currently loading data from the specified log source.
Idle          Currently, there are no new log lines to process.
Initializing  [Available from Reporter 10.1.5 and forward]
              Reporter is currently downloading the web application attribute information file. This file is required to
              properly process log data; therefore, log source processing cannot begin until this download completes.
              If Reporter encounters a license or network connectivity problem to the Blue Coat subscription service,
              Reporter cannot complete the download and log processing cannot proceed until the issue is resolved.
Unloading     Reporter received the Stop Log Source command from the Action drop-down list. When Reporter is able
              to pause current log processing, it begins to unload the source from the database.
Unloaded      The log source is currently unloaded from the database. This status is required before you can edit
              configuration properties. Furthermore, log processing cannot resume until you select Restart Log
              Source (from the Action drop-down list).

About Database Statuses

As Reporter databases process the data from the assigned log sources, you can view the current status.

In Admin mode, select General Settings > Reporter Settings > Data Settings > Databases. Reporter displays each
database in a table.

The Status column provides the current state of data processing.

Status      Definition
Creating    Reporter is creating a new, empty database.
Processing  The database is currently processing available log lines from the log source.
Loading     Reporter is currently loading from disk; log processing and report generation are not yet available.
            Depending on the database size, the load might require substantial time.
Loaded      The database is ready to generate reports based on the configured log source(s).
Expiring    The database is loaded, but Reporter is currently expiring data. Therefore, log processing is not
            occurring and some reports might not be available.
Unloading   Reporter is currently unloading from disk; log processing and report generation are not available.
            Depending on the database size, the unload might require substantial time.
Unloaded    Log processing and report generation are not possible from this database.
Deleting    Reporter is deleting a database.

Refer to Other Documentation


With Reporter now deployed, refer to the Reporter 10.x WebGuide and the online Help for assistance with further
configurations and use.

About the Reporter Dashboard


After Reporter builds or begins to build a database, the Dashboard begins to populate data.

The Reporter dashboard provides a high-level view of web transactions.



What Can I Do From a Report?


Each generated report provides multiple features and data points.

Manage the Report

The green MORE INFO elements in the screenshot take you directly to that topic.

A. Each report displays a default graph or chart, based on what Blue Coat estimated to be the best representation. You
can change the style from the drop-down list.

B. To ensure you see the latest processed data, click the refresh icon.

C. Select elements in the graph or in the data area to highlight them and see more details about that data.

D. Click Graph Options to change what data points the graphic contains. Adding or removing data points might change
the graphic type.

Drill Down For More Details


Each report contains options to view even more granular data details.

A. Click any blue data link to view more details about that specific element.

B. Use the Drill In drop-downs to isolate data. For example, for a particular data element, you want to see which Users
initiated the request.

C. See Apply a Report Filter on page 13.



Apply a Report Filter


Applying a report filter allows you to narrow the scope of displayed data, based on a specific time frame or another data
point, such as a specific user. The filtering mechanism adapts to the data in the report, which enables you to quickly select
one or more attributes to include or exclude from a report.

To access the filter options, click the Report Options link in any Report Data area header.

Filter Options
The filter comprises two elements: date and criteria. You can modify either or both to create a report filter.

1. Date Filter

The default date filter displays data for all dates (that are processed in the database). To restrict the report data to specific
time frames, select an option from the Date is drop-down list:

- Custom: Allows you to specify a date range.
- Since: Displays all data from the specified date to current (or the final date in the access log database).
- Current: Displays data only from the current hour, day, week, month, or year (select one).
- Previous: Displays data going back the specified time frame: hours, days, weeks, months, or years (select one).
  Partial time periods are not displayed. For example, if you select the previous week, no days from the current week
  display.
- Current and Previous: Displays data beginning today and going back the specified time frame: hours, days,
  weeks, months, or years (select one). Partial time periods are included. For example, if you select current and
  previous week, days in the current week display.

As you select each Date is option, the field options change. Some fields require you to enter values, such as 4 to indicate
how many previous days. The other fields display interactive calendars that enable you to quickly select date ranges.

2. Criteria Filter

The default criteria filter displays all data points; for example, every user name, every category, every user agent, and so on.
Adding a criteria filter either restricts data to specific values or excludes them. For example, you want to see only one user
(Is), or you want to see every user but one (Is not), or you want to see every instance of malware with the keyword trojan
(Contains).

a. From the first drop-down list, select a data point.
b. From the second drop-down list, select a qualifier (Is, Is not, Contains, Does not contain).
c. From the third drop-down list, select (or enter) a value. Depending on the data point you selected, this drop-down list
   populates with valid choices.

   If you know the name of the value and begin entering characters, the field auto-populates with a list of
   choices present in the database.

d. (Optional) Click the + symbol to add additional value fields. The report displays rows that match any of the listed
   values.
e. (Optional) If you believe you will need this custom filter again, click Save as Template and name the filter.
   The next time you need the same filter, click Load Template and select it.
f. Click Apply.
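A worked model of the date and criteria filters described above, added here as an example (it is not Reporter code and does not reproduce Reporter's internal query engine). It runs the Date is options and the four qualifiers over a handful of constructed log rows, so the difference between Previous (whole periods only) and Current and Previous (partial current period included) is visible in the output. Week boundaries starting on Monday, the row layout, and the field names are assumptions made for this example.

```python
"""Model of the Reporter date and criteria filter semantics (added example, not Reporter code).

Constructed rows stand in for processed access log entries. `NOW` is fixed so
the example is deterministic; in Reporter the reference point is the current
time, and weeks are assumed here to start on Monday.
"""
from datetime import datetime, timedelta

NOW = datetime(2016, 12, 16, 10, 30)  # a Friday; "today" for this example

# Constructed sample rows (not real log data).
ROWS = [
    {"date": datetime(2016, 12, 16, 9, 5),  "user": "alice", "category": "Malware Sources", "agent": "Mozilla/5.0"},
    {"date": datetime(2016, 12, 15, 17, 0), "user": "bob",   "category": "Business",        "agent": "curl/7.50"},
    {"date": datetime(2016, 12, 13, 8, 0),  "user": "alice", "category": "Phishing",        "agent": "Mozilla/5.0"},
    {"date": datetime(2016, 12, 9, 12, 0),  "user": "carol", "category": "Business",        "agent": "Mozilla/5.0"},
    {"date": datetime(2016, 12, 2, 12, 0),  "user": "dave",  "category": "Suspicious",      "agent": "python-requests/2.0"},
]


def period_start(t, unit):
    """Start of the hour, day, or week containing t (weeks start on Monday: assumption)."""
    if unit == "hour":
        return t.replace(minute=0, second=0, microsecond=0)
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "day":
        return day
    if unit == "week":
        return day - timedelta(days=day.weekday())
    raise ValueError("unsupported unit: %r" % unit)


def _span(unit, n):
    return {"hour": timedelta(hours=n), "day": timedelta(days=n), "week": timedelta(weeks=n)}[unit]


def date_window(mode, now, unit="day", n=1, since=None, start=None, end=None):
    """Return the half-open [start, end) window that a 'Date is' option selects."""
    current_start = period_start(now, unit)
    if mode == "custom":
        return start, end
    if mode == "since":
        return since, now
    if mode == "current":
        return current_start, current_start + _span(unit, 1)
    if mode == "previous":
        # Whole periods only: the window ends where the current period begins.
        return current_start - _span(unit, n), current_start
    if mode == "current and previous":
        # The partial current period is included, up to now.
        return current_start - _span(unit, n), now
    raise ValueError("unknown date mode: %r" % mode)


def criteria_match(row, field, qualifier, values):
    """One criteria line; with several values (the + button) any single match counts."""
    actual = str(row[field]).lower()
    wanted = [v.lower() for v in values]
    if qualifier == "is":
        return actual in wanted
    if qualifier == "is not":
        return actual not in wanted
    if qualifier == "contains":
        return any(v in actual for v in wanted)
    if qualifier == "does not contain":
        return not any(v in actual for v in wanted)
    raise ValueError("unknown qualifier: %r" % qualifier)


def apply_filter(rows, window=None, criteria=()):
    """Apply the date window and every criteria line; all criteria lines must hold."""
    out = []
    for row in rows:
        if window is not None:
            start, end = window
            if (start is not None and row["date"] < start) or (end is not None and row["date"] >= end):
                continue
        if all(criteria_match(row, f, q, v) for f, q, v in criteria):
            out.append(row)
    return out


def users_in(rows):
    """Convenience view of a filtered result: the user column in row order."""
    return [r["user"] for r in rows]


if __name__ == "__main__":
    print("previous week:", users_in(apply_filter(ROWS, date_window("previous", NOW, "week"))))
    print("current and previous week:", users_in(apply_filter(ROWS, date_window("current and previous", NOW, "week"))))
    print("malware or phishing:", users_in(apply_filter(ROWS, None, [("category", "contains", ["malware", "phishing"])])))
```

With NOW on Friday 16 December, "previous week" returns only carol (9 December), while "current and previous week" also returns the three rows from the partial current week. Criteria lines combine with AND across lines and OR across the values within a line, which is the behaviour to expect when stacking an Is not on one field with a Does not contain on another.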

Use Case: Filter for Users Who Report to Me

This filtering ability requires LDAP integration (see About LDAP Integration). You are a manager and you want to filter the
Web Browsing per User report to display data only for people who report to you. On the Web Browsing per User and
Category report, you add a criteria filter with the User, Reports to, and Current User options.

If the username formats in the log files do not match the Reporter username configuration, no data is displayed.
See the Matching the Access Log Username Formats for Filters section in Manage Existing Databases.

Download a Report
Each top-level report has a Download button. Reporter enables you to immediately generate a report as a PDF or a
spreadsheet-compatible file on your local system.

1. On any generated report, click Download. Reporter displays options.
2. Select the format the file is downloaded as:
   - PDF: Reporter downloads the report as a PDF file.
   - CSV: Reporter downloads a file, which contains the report data, with a .csv extension. Opening the file
     requires a spreadsheet application, such as Microsoft Excel.
3. From the Report Data drop-down list, select how many rows of the report are downloaded.
4. Click Download.

Email a Report
As you are reviewing reports, you might see data that you feel someone else in your organization should see. Each
single-level report contains an Email button. Reporter enables you to send a report (as a PDF or a spreadsheet-compatible
file) to other recipients.

If the Email button is grayed out, Reporter is not configured to or able to communicate with the mail server. See
Connect Reporter to Email Server.

1. On any generated report, click Email. Reporter displays options.
2. Select the format the file is attached as:
   - PDF: Reporter attaches a PDF file to the e-mail. The recipient needs a PDF reader, such as Adobe Acrobat, to
     view the file.
   - CSV: Reporter attaches a file, which contains the report data, with a .csv extension. The recipient
     can open the file with a spreadsheet application, such as Microsoft Excel.
3. From the Report Data drop-down list, select how many rows of the report are included.
4. In the To field, enter the valid e-mail address of the intended recipient. Separate multiple recipients with commas (,).
5. The default value in the Subject field is the full name of the report. Accept this value or enter a new subject line.
6. The CC (carbon copy) and BCC (blind carbon copy) recipient fields are optional.
7. The default value in the Message Body field is the name of the report, plus the word attached. Accept this value,
   modify the text, or enter a new message body.
8. Click Email. Reporter forwards the report to the recipient(s).

Archive a Report
As you are reviewing reports, you might determine that a specific generated report needs to be permanently stored for
future reference. Your Reporter administrator might have configured Reporter to not process access log data that is older
than a specific time frame; archiving a report is a way to preserve that generated data. Consider, however, that the
Reporter administrator has the ability to delete archived reports to maintain disk space capacity. Communicate with your
administrator if there is a report that absolutely must remain archived. Reporter enables you to archive a report as a PDF
or a spreadsheet-compatible file.

About the Export to PDF

Some special characters that display in reports might not display in exported PDF files. Be advised of the following when
Reporter is set to specific languages.

- English: Reporter displays all data values using Mac OS Roman encoding (upper-ASCII Latin characters). The
  character reference: http://en.wikipedia.org/wiki/Mac_OS_Roman. On that page (as of this production date), Reporter
  supports the lower-ASCII characters (rows 2-7, excluding control characters) and the characters shown with an orange
  background. Reporter does not support the upper-ASCII math symbols or the Apple character.
- Japanese: Reporter displays the values using the HeiseiMin-W3 font.
- Chinese (simplified): Reporter displays values using the STSong-Light font.
- Chinese (traditional): Reporter displays values using the MSung-Light font.

Adobe provides all of these fonts for PDF display.

Procedure
1. On any generated report, click Archive. Reporter displays options.
2. Select the format the file is archived as:
   - PDF: Reporter archives the report as a PDF file.
   - CSV: Reporter archives a file, which contains the report data, with a .csv extension. Opening the file
     requires a spreadsheet application, such as Microsoft Excel.
3. From the Report Data drop-down list, select how many rows of the report are archived.
4. Click Archive.

The report is archived on the Reporter system on the main Reports tab in the Archived Reports group. From there, you
can access or delete the report from the archive.

In Brief: CA + MA Database
Reporter 10.1.4 introduces the ability to create a database that includes malware scanning and sandboxing results from the
Blue Coat Content Analysis (CA) appliances and Malware Analysis (MA) appliances that are deployed as part of your Blue
Coat security solution. This allows you to use Blue Coat Management Center to view Unified Threat Reporting.

FireEye and Lastline integrations are also supported. See Malware Notes on page 20 below.

This Topic Brief provides a solution overview, component requirements, and the Reporter configuration.

Solution Overview
When all of the Blue Coat devices are deployed and communicating, the solution is essentially aggregated CA data and MA
sandboxing detonation results passed from the gateway SGOS device (for example, ProxySG appliance or Advanced
Secure Gateway) through Reporter to Management Center.

A. Clients initiate web requests. The ProxySG appliance compares the content against the Blue Coat Web Filtering
(WebPulse) databases. If the result recognizes the domain hosting the file as a known malware source, the ProxySG
appliance denies the download and notifies the user. If the domain is not recognized, the ProxySG appliance sends the
file to Content Analysis for inspection.

B. Actions:

- If Content Analysis detects malicious content, it performs the configured action (Allow or Block) and notifies the
  SGOS device of the activity.
- When Content Analysis detects a suspicious file (an executable or a common malware attack vector) that does not
  match any known malware signatures, that triggers a malware score from static analysis, or that is not on the
  whitelist, the appliance forwards the file to the Malware Analysis appliance.

C. Malware Analysis identifies the actions an executable file would take on a client workstation, including malicious URL
web requests and changes to system files. It evaluates the threat of a given file and provides a threat score as a number
between 1 and 10. The higher the number, the greater the threat. Content Analysis sends the detection results (ultimately
destined for Reporter) to the ProxySG appliance.

D. The ProxySG appliance uploads transaction logs (bcreportermain_v1) to the staging FTP server.

- This data set is the result of the data the ProxySG appliance collects directly, as well as the results of Content
  Analysis antivirus scanning. New access log fields: x-file-reputation-score, x-cylance-score, x-cas-date,
  x-cas-time, x-event-id. If real-time sandboxing is enabled, the results include a general score and whether or not
  additional sandbox results are coming (see E below).
- The upload also contains the standard transaction details used for standard reporting.

E. When additional sandboxing results occur, Content Analysis uploads those results to the Reporter FTP server (see
Other Documentation Resources on page 21 for a link to this procedure).

F. When the Reporter database pulls the data from the FTP server, Reporter uses a new field (x-bluecoat-transaction-uuid)
to reconcile and consolidate the ProxySG-source and CA-source data.

G. When added as a device, Reporter provides the processed access log data to Blue Coat Management Center.

H. The Admin views Content Analysis and possibly Malware Analysis detonation results in the supported reports:

- Potentially Infected Clients - Unified
- Threats - Unified
- Trend of Threats - Unified
- Trend of Sandboxing
- Trend of Predictive Analysis
- Trend of File Reputation

Malware Notes
- Risk scores of 7 or higher are considered malicious (this threshold is configurable on Content Analysis).
- Malware Analysis indicators: If Malware Analysis processing results in a detonation, Malware Analysis sends
  that result to Content Analysis, which notifies the SGOS proxy device. The SGOS proxy device caches the
  result and blocks subsequent requests that match. However, the log entries for these cache block actions do not
  contain the sandboxing vendor or score. Because of this, you might not see the Malware Analysis benefits reflected
  in the reports. For example, the SGOS proxy device might block 20 requests that match a cached result; the
  Malware Analysis is credited with only one result (the one that resulted in the cache entry). When the SGOS proxy
  device receives a clear cache action (for example, when new AV patterns are loaded), the Malware Analysis action
  re-occurs on the next request.
- If the solution involves integration with the FireEye or Lastline sandbox vendors, those results are included. Each
  vendor employs a different Risk Score scale.
  - FireEye: A 0 score is safe; a 1 score is malicious.
  - Lastline: Employs a scale of 0 (safe) to 100 (malicious).

  To make the results consistent with Blue Coat's Risk Scoring, the FireEye score is multiplied by ten and the Lastline
  score is divided by ten.
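The reconciliation on x-bluecoat-transaction-uuid (step F of the solution overview) and the vendor score normalization from these notes, carried through in an added example. This is not Reporter code: the log excerpts are constructed, use a reduced and illustrative set of columns, and do not reproduce the full bcreportermain_v1 format or the exact layout of the Content Analysis upload. The normalization and the 7-or-higher threshold follow the notes above; field names other than those quoted in the text (x-sandbox-vendor, x-sandbox-raw-score, sc-filter-result values) are assumptions. The example also shows the caching caveat: a blocked repeat request whose log line carries no vendor or score is counted as malicious but not credited to a sandbox.

```python
"""Join ProxySG and Content Analysis records on x-bluecoat-transaction-uuid and
normalise sandbox vendor scores to the 1-10 Blue Coat risk scale.

Added example, not Reporter code. Both log excerpts below are constructed with
a deliberately small set of fields.
"""
MALICIOUS_THRESHOLD = 7  # the guide's default; configurable on Content Analysis

# Constructed ProxySG access log excerpt (W3C ELFF style, #Fields header).
PROXY_LOG = """\
#Fields: date time c-ip cs-username cs-host cs-uri-path sc-filter-result x-file-reputation-score x-event-id x-bluecoat-transaction-uuid
2016-12-16 10:01:02 10.0.0.5 alice downloads.example.net /tools/setup.exe OBSERVED 3 1001 8a1f-0001
2016-12-16 10:02:10 10.0.0.6 bob cdn.example.org /docs/invoice.pdf OBSERVED 1 1002 8a1f-0002
2016-12-16 10:03:44 10.0.0.7 carol downloads.example.net /tools/setup.exe DENIED - 1003 8a1f-0003
2016-12-16 10:04:20 10.0.0.8 dave files.example.com /bin/update.bin OBSERVED 5 1004 8a1f-0004
"""

# Constructed Content Analysis sandbox-result upload, keyed on the same UUID.
# carol's request (8a1f-0003) has no entry: it was blocked from the proxy cache.
CA_RESULTS = """\
#Fields: x-bluecoat-transaction-uuid x-sandbox-vendor x-sandbox-raw-score
8a1f-0001 malware_analysis 9
8a1f-0002 fireeye 0
8a1f-0004 lastline 85
"""


def parse_elff(text):
    """Parse a #Fields-headed, space-separated log into a list of dicts."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields line
        rows.append(dict(zip(fields, line.split())))
    return rows


def normalise_score(vendor, raw):
    """Map a vendor's native score onto the 1-10 Blue Coat risk scale."""
    raw = float(raw)
    if vendor == "fireeye":           # 0 = safe, 1 = malicious: multiply by ten
        return raw * 10
    if vendor == "lastline":          # 0 (safe) .. 100 (malicious): divide by ten
        return raw / 10
    if vendor == "malware_analysis":  # already 1..10
        return raw
    raise ValueError("unknown sandbox vendor: %r" % vendor)


def reconcile(proxy_text, ca_text, threshold=MALICIOUS_THRESHOLD):
    """Return one consolidated record per proxy transaction, joined on the UUID."""
    ca_by_uuid = {r["x-bluecoat-transaction-uuid"]: r for r in parse_elff(ca_text)}
    merged = []
    for row in parse_elff(proxy_text):
        record = dict(row)
        ca = ca_by_uuid.get(row["x-bluecoat-transaction-uuid"])
        if ca is not None:
            record["sandbox_vendor"] = ca["x-sandbox-vendor"]
            record["risk_score"] = normalise_score(ca["x-sandbox-vendor"], ca["x-sandbox-raw-score"])
            record["malicious"] = record["risk_score"] >= threshold
        else:
            # No sandbox record: a cache-hit block carries neither vendor nor score,
            # so the verdict can only be read from the proxy's own filter result.
            record["sandbox_vendor"] = None
            record["risk_score"] = None
            record["malicious"] = row["sc-filter-result"] == "DENIED"
        merged.append(record)
    return merged


def summarise(merged):
    """Count malicious transactions versus those actually credited to a sandbox verdict."""
    malicious = sum(1 for r in merged if r["malicious"])
    credited = sum(1 for r in merged if r["malicious"] and r["sandbox_vendor"])
    return {"malicious": malicious, "credited_to_sandbox": credited,
            "uncredited_cache_blocks": malicious - credited}


if __name__ == "__main__":
    records = reconcile(PROXY_LOG, CA_RESULTS)
    for r in records:
        print(r["x-bluecoat-transaction-uuid"], r["cs-username"], r["sandbox_vendor"], r["risk_score"], r["malicious"])
    print(summarise(records))
```

On the constructed input, the Lastline result of 85 becomes 8.5 and the FireEye result of 0 becomes 0, so both land on the same scale as the Malware Analysis score of 9 and can be compared against the single threshold. The summary separates the three malicious transactions into two credited to a sandbox and one cache block with no attribution, which is the gap the Malware Analysis indicators note describes.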

Requirements
- ProxySG appliance minimum versions: SGOS 6.6.4.x or 6.5.9.2.
- Content Analysis: 1.3.6.1
- Malware Analysis: Any current version
- Reporter minimum version: 10.1.4.x, which provides the new x-bluecoat-transaction-uuid field.
- Management Center minimum version: 1.5, which provides the enhanced reports.

Reporter Configuration
The only required Reporter configuration is to create a new database and select the Unified DB database
format.

a. In Admin mode, select General Settings > Reporter Settings > Data Settings > Databases.
b. Click New. Reporter displays the Create New Database dialog.
c. Select Unified DB.
d. Continue database configuration.

Reporter Notes
- You cannot view Unified reports from the Reporter interface; you must use Management Center.
- If you create Unified DB databases, the View Reports link is not available.

Other Documentation Resources

- Content Analysis

  Procedure for sending sandbox results to the Reporter FTP server: CAS to Reporter Topic.

- Malware Analysis
- Management Center

In Brief: WAF Reporting Database
Reporter 10.1.3 introduces the ability to create a database that enables Web Application Firewall (WAF) reporting. This
allows you to use Blue Coat Management Center to view WAF reports, analyze them, and adjust policy accordingly across
the ProxySG devices performing in WAF roles.

A. Clients initiate web requests; the Blue Coat Global Intelligence Network (GIN) provides website and web application
ratings and categorizations.

B. Integrated with Blue Coat Content Analysis and Malware Analysis appliances, the ProxySG appliances in WAF roles
protect content servers. The ProxySG appliances upload the WAF access log format (bcreporterwarp_v1) access logs to
an FTP staging server.

C. Blue Coat Reporter compiles a WAF database (requires a database created specifically for WAF).

D. Blue Coat Management Center, with Reporter added as a device, generates Security reports that contain WAF data.

E. The IT Admin accesses Management Center to view the reports, analyze them, and adjust policies accordingly.

Requirements
- ProxySG appliance: SGOS 6.6.3.
- Reporter: The minimum version is 10.1.3, which provides the new WAF database.
- Management Center: The minimum version is 1.5, which provides the new WAF reports.

Reporter Configuration
The only required Reporter configuration is to create a new database and select the WAF database format.

a. In Admin mode, select General Settings > Reporter Settings > Data Settings > Databases.
b. Click New. Reporter displays the Create New Database dialog.
c. Select WAF.
d. Continue database configuration.

Notes
- You cannot view WAF reports from the Reporter interface; you must use Management Center.
- If you create WAF databases, the View Reports link is not available.

Other Documentation Resources

- Management Center Report Descriptions: The Security section contains the WAF report descriptions.
- Management Center documentation: https://bto.bluecoat.com/documentation/All-Documents/Management Center