Full audit logs capture data on all traffic that passes through the Web Security Service. This is where you see a combination of all log types (allowed traffic, blocked traffic, blocked file types, and blocked malware) in one log. The information displayed by Full Audit requires that your account is enabled for Full logging. This is set up by your provider based on your provisioning terms.
Note: To view a full audit log, you must have Full Audit permission for Manage Log, and Audit Log permission for Manage Audit Logs.
To view a full audit log:
1. Select the Logs tab, then select the Full Audit subtab.
2. Specify the groups to include in the logs (deleted groups are displayed with the ** prefix). Select All Groups; or, to specify one or more groups:
• Click to select a single group.
• Shift-click or click and drag to select contiguous groups.
• Ctrl-click to select non-contiguous groups.
3. Select one or more dates from the last 90-day period:
• Click to select a single date.
• Shift-click or click and drag to select contiguous dates.
• Ctrl-click to select non-contiguous dates.
4. Optionally, set log filters based on the following table.
If you don’t select filtering options, the log returns all records for the specified groups and dates.
Filters
URL 1. Select the checkbox and specify a search option:
• Contains returns URL addresses containing the string in the text box.
• Does not contain returns URL addresses that don’t have the string in the text box.
• RegExp returns URL addresses typed in the form of a regular expression.
2. Type the string in the text box to be matched based on the criteria. Type a minimum of one character.
3. Specify whether the search applies to the domain only, or to the domain and full path. An example of a domain is http://streamerapi.finance.yahoo.com; an example of a domain and path is http://streamerapi.finance.yahoo.com/1.0.
-WSS 4.4.0-2
Time 1. Select the checkbox and specify a search option:
• Between returns logs on activity that occurred within the specified time range.
• Not between returns logs on activity that occurred outside (before and after) the specified time range.
2. Enter the starting time in the first text box. Use the 24-hour format hh:mm, where hh is from 00 to 23 and mm is from 00 to 59. Examples of valid times: 08:00 or 13:30.
3. Enter the ending time in the second text box. This value must be at least one minute after the starting time. For example, if the starting time is 04:03, the ending time must be at least 04:04. If your starting and ending times are 04:04 to 04:04, no records are returned even if data exists for 04:04:22.
User 1. Select the checkbox and specify a search option:
• Contains returns logs on users whose name contains the text string you provide.
• Does not contain excludes users whose name contains the text string you provide.
• Equals returns logs on the user whose name exactly matches the text string you provide.
• Does not equal returns logs on users whose names do not exactly match the text string you provide.
2. Type a text string of up to 64 characters, the maximum length for user names, in the text box to be matched based on the criteria. Valid characters are a to z, A to Z, and 0 to 9.
IP 1. Select the checkbox and specify a search option:
• Contains returns logs on IP addresses that contain the numeric string you provide.
• Does not contain excludes IP addresses that contain the numeric string you provide.
• Equals returns logs on the IP address that exactly matches the numeric string you provide.
• Does not equal returns logs on IP addresses that do not exactly match the numeric string you provide.
2. Type a numeric string in the text box to be matched based on the criteria. Valid characters are 0 to 9 and the dot separator.
Category Select the checkbox and specify the category:
• Click to select a single category.
• Shift-click or click and drag to select contiguous categories.
• Ctrl-click to select non-contiguous categories.
Search String This refers to the queries typed by users for their web searches.
Note: Most search engine results are identified, but some online searches might not be included in the results.
1. Select the checkbox to use this data point.
2. Select one search criterion:
• Contains returns logs on searches whose query string contains the text string you provide.
• Does not contain excludes searches whose query string contains the text string you provide.
• Equals returns logs on searches whose query string exactly matches the text string you provide.
• Does not equal returns logs on searches whose query string does not exactly match the text string you provide.
3. Type a text string in the text box to be matched based on the criteria.
To change the number of returned records:
1. Open the Max Results drop-down menu and select the number of records to display for the search.
Note that the Filter text box is disabled if you set the Max Results value to 200. To use the Filter box, select another Max Results value.
2. Click Search.
Matching records are displayed in tabular format. The following table describes the data displayed by Full Audit logs.
Full Audit data
Date The date you selected for the log. If you selected multiple dates, the log allocates one row per date.
Time The time the user performed a particular web activity that is being tracked for quota.
Group Name The group to which the user belongs.
User Name The name of the user being tracked for usage.
IP Address The IP address from which traffic was generated.
Note: If the log is about outbound malware, the IP address is located within your organization.
Category The requested URL’s category. Displays Uncategorized if the URL has no category. See "Category descriptions" on page 78.
URL The URL address that the user has accessed.
Search Engine String The query string typed by the user to make searches on the web.
File Type The file type that was downloaded or uploaded. See "Blocking file types" on page 101.
Mime Type The content of the file that was downloaded or uploaded. For example, a file type of gif would have a content type of image.
Size The file size in bytes. File sizes contribute to bandwidth usage.
Malware Name The name of the malware, for example, storm.gen.
Malware Type The malware category. For example, a malware called storm.gen would have the category or type Trojan Horse.
Malware Direction Displays inbound for downloaded malware or outbound for uploaded malware. If outbound, use the IP address to identify the system that has the malware.
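To make the filter rules in the Filters table and the columns in the Full Audit data table concrete, here is an added example (not code from the product or this manual) that applies the Time, URL, User and IP filter semantics to constructed audit rows and pulls the internal IP addresses out of outbound-malware rows. The seconds-level handling of the Time range is an assumed interpretation of the 04:04 to 04:04 example above, and the row layout and sample values are constructed.

```python
import re
from datetime import time
from urllib.parse import urlsplit

# Constructed sample rows using a subset of the Full Audit columns.
ROWS = [
    {"time": "04:04:22", "user": "alice", "ip": "10.0.1.15",
     "url": "http://streamerapi.finance.yahoo.com/1.0", "malware_direction": ""},
    {"time": "04:03:10", "user": "bob", "ip": "10.0.1.16",
     "url": "http://example.net/downloads/setup.exe", "malware_direction": "inbound"},
    {"time": "13:30:00", "user": "carol", "ip": "10.0.2.7",
     "url": "http://example.org/upload", "malware_direction": "outbound"},
]

# Contains / Does not contain / Equals / Does not equal, shared by User, IP and Search String.
TEXT_OPS = {
    "contains": lambda v, p: p in v,
    "does not contain": lambda v, p: p not in v,
    "equals": lambda v, p: v == p,
    "does not equal": lambda v, p: v != p,
}

def time_in_range(row_time, start, end, between=True):
    """Between / Not between on hh:mm bounds. Assumed interpretation: a row stamped
    hh:mm:ss is inside when start:00 <= hh:mm:ss <= end:00, so 04:04-04:04 drops 04:04:22."""
    s, e = time.fromisoformat(start), time.fromisoformat(end)
    inside = s <= time.fromisoformat(row_time) <= e
    return inside == between

def url_matches(url, mode, pattern, domain_only=True):
    """URL filter: contains / does not contain / regexp, on the domain or domain plus path."""
    parts = urlsplit(url)
    target = parts.netloc if domain_only else parts.netloc + parts.path
    if mode == "regexp":
        return re.search(pattern, target) is not None
    return TEXT_OPS[mode](target, pattern)

def filter_rows(rows, time_range=None, url=None, user=None, ip=None):
    """AND the selected filters; each argument is a tuple of that filter's settings, or None."""
    checks = [
        (time_range, lambda r: time_in_range(r["time"], *time_range)),
        (url, lambda r: url_matches(r["url"], *url)),
        (user, lambda r: TEXT_OPS[user[0]](r["user"], user[1])),
        (ip, lambda r: TEXT_OPS[ip[0]](r["ip"], ip[1])),
    ]
    return [r for r in rows if all(check(r) for setting, check in checks if setting)]

def outbound_malware_hosts(rows):
    """Outbound malware means the row's IP is inside the organization: the host to isolate."""
    return sorted({r["ip"] for r in rows if r["malware_direction"] == "outbound"})
```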