Product Guide
Revision A
COPYRIGHT
Copyright © 2013 McAfee, Inc. Do not copy without permission.
TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.
LICENSE INFORMATION License Agreement
Contents
Preface
  About this guide
  Audience
  Conventions
  Find product documentation
1 Introduction to Content Security Reporter
  About Content Security Reporter
  Features
2 Installation
  Changes in ePolicy Orchestrator
  System requirements
  Install Content Security Reporter
  Download the product files
  Install the software
  Install the extension
  Register the report server
3 Report server settings
  Log sources
  Log source modes
  Log formats
  User-defined columns
  Processing and post-processing
  Custom columns
  Custom rule sets
  Browse time
  Databases
  When to use an internal database
  When to use an external database
  View the server status
  Configure a log source
  Create a MySQL database user account
  View log processing jobs
  View log source statistics
  Manage log processing jobs
  View custom columns
  Configure rule sets
  Configure browse time options
  Import a single log file
  Configure the database
  Connect to the internal database
  Backup and restore the internal database
  Execute SQL
  Configure performance options
  Edit memory allocation
  Configure concurrent jobs
  Manage the log processing cache
  Manage the log processing summary cache
4 Reporting
  Monitoring with dashboards
  Default dashboards
  Custom dashboards
  Monitors
  Querying the database
  Queries
  Query Builder
  Reports
  Default reports
  Custom reports
  Configure a dashboard
  Create a dashboard
  Add monitors to dashboards
  Configure a query
  Running reports
  Schedule queries and reports
5 Content Security Reporter maintenance
  Maintain the database
  Configure automated database maintenance jobs
  Run manual database maintenance jobs
  Manage database maintenance jobs
  Maintain the system
  Configure automated system maintenance jobs
  Run manual system maintenance jobs
  Manage system maintenance jobs
  Collect system information for troubleshooting
  Upgrade
  Back up the current configuration
  Upgrade the software
  Update the database schema
  Uninstall Content Security Reporter
  Remove the report server
  Remove the extensions
  Remove the software
  System backup
  Back up configuration settings
  Restore configuration settings
A Auto-discover log formats
B Fixed-field log formats
Index
Preface
Contents
About this guide
Find product documentation
About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.
Audience
McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
Conventions
This guide uses these typographical conventions and icons.
Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.
Bold: Text that is strongly emphasized.
User input, code, message: Commands and other text that the user types; a code sample; a displayed message.
Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
Hypertext blue: A link to a topic or to an external website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Find product documentation
McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.
Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:
To access... Do this...
User documentation:
1 Click Product Documentation.
2 Select a product, then select a version.
3 Select a product document.
KnowledgeBase:
• Click Search the KnowledgeBase for answers to your product questions.
• Click Browse the KnowledgeBase for articles listed by product and version.
1 Introduction to Content Security Reporter
McAfee® Content Security Reporter (Content Security Reporter) is a reporting software solution that helps you understand Internet and email usage, and IPS alert data within your organization.
Contents
About Content Security Reporter
Features
About Content Security Reporter
Content Security Reporter collects data from devices on the network and manages it in a central database.
The collected data helps you to identify these issues in your organization:
• Liability exposure
• Productivity loss
• Bandwidth overload
• Security threats
Once these issues are identified, you can use this information to modify your Internet, email, and IPS policies to effectively enforce network protection.
How it works
Content Security Reporter is composed of several elements that work together to provide reporting capabilities.
Understand the role of each element to plan, use, and maintain Content Security Reporter.
Figure 1-1 Content Security Reporter element workflow
Content Security Reporter is server‑based software that contains:
1 Database — The central storage component for all log data used by Content Security Reporter.
2 Query — Retrieves log data from the database, defines the type of data used to create a dashboard or report, and defines how the data is displayed.
3 Filter — Applied to a query or dashboard to limit the data set to specific user names, websites, reputations, and so on.
4 Dashboard — Displays information through a collection of monitors to give you a customized view of your organization's Internet, email, and IPS alert data.
5 Report — Combines queries, filters, and other elements into PDF documents providing detailed information for analysis.
Features
Several Content Security Reporter features are essential for reporting capabilities. These features include:
• ePolicy Orchestrator integration — Content Security Reporter extends the ePolicy Orchestrator interface functionality to add new reporting capabilities while offering all standard ePolicy Orchestrator features and functions.
• Role‑based access — When Content Security Reporter is installed, only users with global administrator permissions can create reports, run reports, and manage the report server. An administrator can grant user access to reports and report server settings by specifying Content Security Reporter permissions for each ePolicy Orchestrator permission set.
• Log sources — Used to obtain report data from network devices.
• Rule sets — Tell Content Security Reporter to look for a specific string of data during log file processing and replace it with a different string.
• Databases — Use the internal database or a supported external database, depending on your organization's data needs.
• Performance options — Performance optimization options to ensure that Content Security Reporter runs efficiently.
• Dashboards — Dashboards provide visibility into the network usage of your organization.
• Analytics — Enable analytics on dashboards for additional filter and workflow options.
• Queries — Default queries are installed with Content Security Reporter that can be run as is, or duplicated and customized to create other useful dashboards and reports.
Content Security Reporter queries can be added to other ePolicy Orchestrator dashboards and reports, not just those installed by Content Security Reporter.
• Reports — Default reports are installed with Content Security Reporter that can be used as is, or duplicated and customized to fit your organization's needs.
• Maintenance — Regular maintenance options that promote optimal report server and database performance.
2 Installation
Download and install Content Security Reporter to run with ePolicy Orchestrator 4.6.5.
Contents
Changes in ePolicy Orchestrator
System requirements
Install Content Security Reporter
Changes in ePolicy Orchestrator
Content Security Reporter works with McAfee® ePolicy Orchestrator® software to provide reports from
data collected by a filtering device placed on your organization's network.
After Content Security Reporter is installed, all standard ePolicy Orchestrator features and functions are available, as well as additional Content Security Reporter changes that occur on the ePolicy Orchestrator interface.
Table 2-1 Changes to ePolicy Orchestrator
Item Location
Reporting extensions: View and manage Content Security Reporter extensions.
Report Server: The report server provides ePolicy Orchestrator with Content Security Reporter features. The report server and Content Security Reporter database server are added at the same time. McAfee recommends you do not change the default database server settings.
Content Security Reporter permissions: Configure access and usage rights to Content Security Reporter features within each ePolicy Orchestrator user permission set.
Report Server Settings menu item: Perform immediate or scheduled maintenance tasks, manage the server status, log sources, databases, and system utilities.
Queries: A set of default Content Security Reporter queries are installed that can be used as is, or duplicated and customized to provide the data used in reports or dashboard monitors. Content Security Reporter queries can be added to other ePolicy Orchestrator dashboards and reports, not just those installed by Content Security Reporter.
Dashboards: A set of default Content Security Reporter dashboards are installed that can be used as is, or duplicated and customized to provide detailed overviews of your network traffic.
Analytics: Enable analytics on dashboards for additional filter and workflow options.
Reports: A set of default Content Security Reporter reports are installed that can be used as is, or duplicated and customized to create useful data about Internet and email usage, IPS alerts, policy enforcement, productivity, and security threats in your organization.
Common Catalog menu item: Create, duplicate, or customize catalogs to store lists of items such as network addresses and URLs.
System requirements
To install and operate Content Security Reporter, the system must meet the minimum requirements consistent with the requirements to run ePolicy Orchestrator 4.6.5.
There are no license restrictions to install Content Security Reporter.
Table 2-2 Microsoft Server operating requirements — 32 bit
Operating system Version
Windows Server 2003 SP2 Standard, Enterprise, or Datacenter
Windows Server 2008 SP2 Standard, Enterprise, or Datacenter
Table 2-3 Microsoft Server operating requirements — 64 bit
Operating system Version
Windows Server 2003 SP2 Standard, Enterprise, or Datacenter
Windows Server 2008 SP2 Standard, Enterprise, or Datacenter
Windows Server 2008 R2 Standard, Enterprise, or Datacenter
Windows Server 2008 Small Business Premium
Supported browsers
• Mozilla Firefox 3.5
• Mozilla Firefox 3.6
• Microsoft Internet Explorer 7.0
• Microsoft Internet Explorer 8.0
Install Content Security Reporter
Download, install, and register Content Security Reporter software in ePolicy Orchestrator.
• The software can be installed on the same computer as ePolicy Orchestrator, or on a separate computer that has the ability to communicate with ePolicy Orchestrator. Additional configuration may be necessary to ensure that they can communicate through any firewall that is in place.
• ePolicy Orchestrator must be installed and running correctly before you attempt to install Content Security Reporter.
Contents
Download the product files
Install the software
Install the extension
Register the report server
Download the product files
Download the Content Security Reporter installation files from the McAfee download site.
Task
1 Start ePolicy Orchestrator 4.6.5.
2 Go to the McAfee Products Download page.
3 Under Download My Products, enter your grant number and click Go.
4 Download these Content Security Reporter files:
• Installation executable file appropriate for your computer
• Extension .zip file for ePolicy Orchestrator (ePO)
Install the software
Install the Content Security Reporter software on the computer where you will configure it to run with ePolicy Orchestrator.
ePolicy Orchestrator can be active during this installation.
Task
1 Log on to the operating system as an administrator.
2 Run the installation executable file you downloaded.
3 Follow the on‑screen prompts to complete the installation.
4 When prompted, enter a passkey.
McAfee recommends using a strong passkey:
• Minimum of eight characters
• No spaces
• Case sensitive
• Mix of uppercase, lowercase, numeric, and special characters
Install the extension
Install the Content Security Reporter extension .zip file so it is available in ePolicy Orchestrator.
Task
1 Select Menu | Software | Extensions.
2 Click Install Extension.
3 Browse to the extension .zip file, then click OK.
A Reporting extension appears in the Extensions list, and a Report Server Settings menu option becomes available.
Register the report server
Register the report server with ePolicy Orchestrator.
Task
1 Select Menu | Configuration | Registered Servers.
2 Click New Server.
3 In the Registered Server Builder dialog box, set the server type as Report Server.
4 Enter a name for the server, or the IP address of the computer where Content Security Reporter is installed, then click Next.
5 Enter the passkey you used during installation.
6 Click Test Settings.
A Test login successful message appears.
7 Click Save.
Report and database servers are added to the list of registered servers.
3 Report server settings
Report server settings allow the tuning of multiple settings to configure Content Security Reporter.
Contents
Log sources
Databases
View the server status
Configure a log source
Configure the database
Configure performance options
Log sources
Content Security Reporter uses log sources to obtain the Internet and email usage data, and IPS alert data that is used in reports.
Content Security Reporter processes the information from log sources, then stores the data in an internal or external database.
See also
Configure a log source on page 19
Log source modes
Use a log source mode to obtain log file data from a log source.
The mode selected depends on the ability of your network device to send log data. When configuring a log source, select one of the available modes, or manually import a single log file.
• Accept incoming log files — Use this method when network devices send log data to Content Security Reporter.
• Collect log files from — Use this method when Content Security Reporter collects log files from network devices or log storage devices.
• The fields displayed on the Source tab differ depending on which option you choose.
• Approximately 1 GB of temporary space is needed on the Content Security Reporter server for every GB of log data collected and processed.
Log formats
Log formats determine how Content Security Reporter processes (also called parsing) data from log files, and how the data is stored in the database.
Content Security Reporter recognizes the structure of auto‑discover and fixed‑field log formats.
User-defined columns
Up to four user‑defined columns can be configured for each log source during log file processing, and can be used to substitute column data, or to obtain data from columns that are normally skipped. User‑defined columns are also used when repopulating database columns during database maintenance.
User‑defined columns do the following:
• Include skipped log field data — During log file processing, some log file fields are skipped. For example, log file processing skips the McAfee® Web Gateway Referrer and Policy name fields. You can configure up to four user‑defined columns to pull the data from the skipped fields to include in reports.
• Assign a custom value to column data — Substitute standard column data with a custom string value to make it easier to find and review in reports. For example, you want to assign test‑lab to all IP addresses beginning with 115 and assign other to any additional IP addresses. In the report, the user‑defined column displays either test‑lab or other in place of the numeric value of IP addresses.
When you create a user‑defined column, Content Security Reporter treats this as an additional column and leaves the original column and original data in the log file. Using the previous example of substituting IP addresses, the original IP address column data remains unchanged and is still available for use in reports.
When entering a value in the Log file header value box, do not use quotation marks.
Processing and post-processing
When configuring a log source, use the Processing and Post‑Processing tabs to determine how Content Security Reporter handles the data pulled from log files.
Page views setting
The Condense log records into page views setting on the Processing tab for a log source affects queries and disk space requirements for the reporting database.
Each line of a log file is a separate HTTP request for a webpage element. Viewing one webpage can result in multiple records in the log file.
The Condense log records into page views option consolidates multiple records from a log file into a single page view, or "hit", in reports. Condensing log records into page views generates a concise report view when using either summary or detailed queries. For example, condensing log records into page views could potentially reduce a 1 GB log file down to a 100 MB log file.
By default, the Condense log records into page views option is enabled. If you disable this option, each webpage you visit and each element on the page are logged as separate HTTP requests. For example, if you visit www.example.com, and that page contains multiple elements, then the log data looks like this:
www.example.com
www.example.com/rss.xml
www.example.com/advertisement.js
adserver.example.com/ad1.jpg
adserver.example.com/ad2.jpg
adserver.example.com/ad3.jpg
With Condense log records into page views enabled, your log data shows only one HTTP request as a page view: www.example.com.
Custom columns
Custom columns substitute the data in the browser and cache columns in your log files with a word or phrase that better identifies the browser or cache value.
Custom columns are predefined rule sets for predefined columns. For example, instead of containing Mozilla/4.0 (compatible; MSIE 7.0…), the reports contain Internet Explorer 7.0. The original data value is retained in your database.
Each custom column uses a configured rule set to replace technical data values from the browser or cache columns with common identifiers, which makes the browser and cache data in your reports more recognizable.
See also
View custom columns on page 24
Custom rule sets
Rule sets are customized instructions that tell Content Security Reporter to look for a specific string of data during log file processing and replace it with a different string. This resulting string appears in reports and is more recognizable to users. A test function is available to validate the result of a rule set.
Rule sets make your custom columns and user‑defined columns work. Configure rule sets to find any string that appears in a log file and replace it with a different string defined by you. The string can be letters, numbers, and symbols.
Custom column rule sets
Custom columns are predefined for the browser and cache columns. Each custom column has a corresponding rule set. You can modify the rule sets, but you cannot add or delete rule sets for the custom columns.
User‑defined column rule sets
User‑defined columns are customized by you for any available log record or header. You create the rule sets for these columns, which can be edited, deleted, copied, and used by more than one user‑defined column at a time.
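The find-and-replace behaviour described for user‑defined columns and custom columns can be modelled as below; this is an added example, not McAfee code, showing that the derived value goes into a new column while the source column keeps its original data. The Rule type, the column names client_ip, browser, user_defined_1 and browser_name, the use of regular expressions and the first-match-wins ordering are assumptions made for illustration.

```python
"""Added example: a rule set feeding a derived column (not product code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    pattern: str      # regular expression searched for in the source value
    replacement: str  # string written to the derived column on a match


# Constructed rule sets mirroring the two examples in the text.
# The pattern is anchored on purpose: an unanchored "115" would also match
# 10.0.115.3 and mislabel it as test-lab. The catch-all rule comes last
# because the first matching rule wins (an assumption of this sketch).
IP_RULES = (
    Rule(r"^115\.", "test-lab"),
    Rule(r".*", "other"),
)
BROWSER_RULES = (Rule(r"MSIE 7\.0", "Internet Explorer 7.0"),)

# Constructed log record; the column names are hypothetical.
SAMPLE_RECORD = {
    "client_ip": "115.20.3.4",
    "browser": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
}


def apply_rule_set(value, rules):
    """Return the replacement of the first matching rule, else the value as is."""
    for rule in rules:
        if re.search(rule.pattern, value):
            return rule.replacement
    return value


def populate_column(record, source, target, rules):
    """Return a copy of record with column `target` derived from `source`.

    The source column is left untouched, so the original data stays
    available for reports, as the guide describes.
    """
    if target in record:
        raise ValueError(f"column {target!r} already exists")
    derived = dict(record)
    derived[target] = apply_rule_set(record[source], rules)
    return derived


if __name__ == "__main__":
    row = populate_column(SAMPLE_RECORD, "client_ip", "user_defined_1", IP_RULES)
    row = populate_column(row, "browser", "browser_name", BROWSER_RULES)
    for name, value in row.items():
        print(f"{name}: {value}")
```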
See also
Configure rule sets on page 24
Browse time
You can specify the length of time for the browse time threshold.
Content Security Reporter estimates a user's browse time by calculating the difference between the time stamps of two log lines.
For example, if the log file shows that Jon Lock visits www.example.com at 03:00:00 p.m. and news.example.com at 04:30:00 p.m., the browse time is the 1 hour 30 minutes that occurred between the time he visited www.example.com and news.example.com. However, Jon Lock probably did not spend more than one hour viewing a single webpage. To compensate for this, Content Security Reporter overrides the estimated browse time with a default browse time.
The browse time threshold option specifies the maximum length of time you expect a user to spend viewing a single webpage. The default is three minutes. When a user exceeds the browse time threshold, the default browse time is recorded in the database instead.
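The estimate and its override can be worked through on a few log lines; this is an added example, not McAfee code. The three-minute threshold comes from the guide, while the one-minute default browse time, the record layout, the user names and the choice to record the default for a user's last log line (which has no following time stamp) are assumptions.

```python
"""Added example: browse time estimation with a threshold (not product code)."""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
BROWSE_TIME_THRESHOLD = timedelta(minutes=3)  # default stated in the guide
DEFAULT_BROWSE_TIME = timedelta(minutes=1)    # assumed value, not from the guide

# Constructed log lines: (time stamp, user, site).
SAMPLE_LOG = [
    ("2013-05-01 15:00:00", "jlock", "www.example.com"),
    ("2013-05-01 16:30:00", "jlock", "news.example.com"),
    ("2013-05-01 16:31:30", "jlock", "www.example.com"),
    ("2013-05-01 15:10:00", "asmith", "www.example.com"),
    ("2013-05-01 15:13:00", "asmith", "news.example.com"),
]


def browse_times(records, threshold=BROWSE_TIME_THRESHOLD,
                 default=DEFAULT_BROWSE_TIME):
    """Return (user, site, raw_estimate, recorded) for every log line.

    raw_estimate is the gap to the same user's next log line, or None for
    the user's last line. recorded is what would be stored: the raw estimate
    when it does not exceed the threshold, otherwise the default.
    """
    by_user = defaultdict(list)
    for ts, user, site in records:
        by_user[user].append((datetime.strptime(ts, TS_FORMAT), site))

    rows = []
    for user, visits in by_user.items():
        visits.sort(key=lambda visit: visit[0])
        for i, (ts, site) in enumerate(visits):
            raw = visits[i + 1][0] - ts if i + 1 < len(visits) else None
            # "Exceeds" is read as strictly greater than the threshold.
            recorded = default if raw is None or raw > threshold else raw
            rows.append((user, site, raw, recorded))
    return rows


def total_seconds_per_user(rows):
    """Sum the recorded browse time, in seconds, for each user."""
    totals = defaultdict(int)
    for user, _site, _raw, recorded in rows:
        totals[user] += int(recorded.total_seconds())
    return dict(totals)


if __name__ == "__main__":
    for user, site, raw, recorded in browse_times(SAMPLE_LOG):
        print(f"{user:7} {site:17} raw={raw} recorded={recorded}")
    print(total_seconds_per_user(browse_times(SAMPLE_LOG)))
```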
See also
Configure browse time options on page 24
Databases
Content Security Reporter stores data from log files in a database. It is installed with an internal database, or you can use a supported external database. Set up a database that is appropriate for the size of your organization and the amount of data your organization generates.
Contents
When to use an internal database
When to use an external database
When to use an internal database
During installation, Content Security Reporter is automatically configured to use the internal database (MySQL 5.0). McAfee recommends using this database only if you need to store up to 50 GB of data. The internal database installs on the same drive as Content Security Reporter.
Log files and data from the internal database are not transferable to another database. Evaluate if using an internal database is necessary for your organization's needs.
You must have enough free drive space to accumulate data in the internal database. McAfee recommends using an internal database for these situations:
• Small‑ to medium‑size organizations
• Evaluating Content Security Reporter
See also
Connect to the internal database on page 25
When to use an external database
Use an external database when there is more than 50 GB of data to store.
Connect Content Security Reporter to one of these supported external database platforms to store report data:
• Microsoft SQL Server 2005
• Microsoft SQL Server 2008
• Microsoft SQL Server 2012
• MySQL 5.0
• MySQL 5.5
Evaluate if using an external database is necessary for your organization's needs. McAfee recommends using an external database for these situations:
• There is more than 50 GB of data to store
• In a medium‑ to large‑size organization
• Do not want to condense log records into page views
• Need to increase performance
• Need additional database management tools
Refer to the product documentation for your external database for instructions about backing up the database.
See also
Connect to an external database on page 26
View the server status
View the Server Status page for status information about the report server.
Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Report Server Settings.
2 Click Server Status.
3 Click Refresh.
Configure a log source
Configure log source options in Content Security Reporter to collect network usage and alert data for generating reports.
Task
For option definitions, click ? in the interface.
1 Choose the log source mode and format.
a Select Menu | Configuration | Report Server Settings.
b From the Setting Categories menu, select Log Sources.
c From the Actions menu, select New.
The New Log Source window appears.
d Enter a name for the log source.
e Choose from these log sources to process log files:
Table 3-1 Accept incoming log files
Option Definition
FTP / HTTP(S): Enter this information to create a logon account to accept log files from the network device:
• Logon name
• Password
Syslog: Enter this information to create a logon account to accept log files from the network device:
• Client addresses of the connecting machine to the Content Security Reporter server
• Server port
• Protocol
• When McAfee Web Gateway (Webwasher) ‑ Auto Discover is selected, enter a log header
For more information about sending log data using the FTP/HTTP(S) or Syslog options, consult the documentation for your network device.
Table 3-2 Collect log files from
Option Definition
McAfee® Web Gateway 6.x (Webwasher): Enter this information:
• Device address
• UI port
• Logon name
• Password
Use the Test button to verify that the settings work correctly.
McAfee® Web Gateway 7.x: Enter this information:
• Device address
• Password
• UI port
• Appliance name
• Logon name
• Log file base name
Use the Test button to verify that the settings work correctly.
McAfee® SaaS Web Protection Service: Enter this information:
• Customer ID
• Logon name
• Password
Use the Test button to verify that the settings work correctly.
• Your Customer ID is sent in the documentation received when you registered for McAfee SaaS Web Protection Service.
• In the Log Format field, McAfee SaaS Web Protection Service is selected by default.
• Ensure that access to the URL https://msg.mcafeesaas.com and port 443 is not blocked by your firewall or service between the Content Security Reporter server and the Internet.
• Content Security Reporter retrieves a maximum of 15 days worth of past data from McAfee SaaS Web Protection Service.
FTP server: Enter this information:
• FTP server address
• Password
• Port
• Directory
• Logon name
Use the Test button to verify that the settings work correctly.
Directory on report server: Select the directory. Use the Test button to verify that the settings work correctly.
McAfee® Network Security Manager: Enter this information:
• Device address
• Device port
• Logon name
• Password
Use the Test button to verify that the settings work correctly.
In the Log Format field, McAfee Network Security Platform is selected by default.
f From the Log Format drop‑down list, select the log format that corresponds to your device.
2 Configure user‑defined columns.
a Click the User‑Defined Columns tab.
b Select and configure up to four user‑defined columns.
c Select the Populate this column checkbox.
d From the Log record drop‑down list, select a source data type.
• If the log record is not found in the drop‑down list, use the Log file header field to define a header.
• When entering a value in the Log file header field, do not use quotation marks.
e Select the Apply this rule set checkbox and select a previously created rule set from the drop‑down list.
3 Create a schedule for processing logs.
The Schedule tab is only available when the Collect log files from mode is selected.
a Click the Schedule tab.
b Specify the frequency, dates, and times.
4 Configure processing and post‑processing options.
a Click the Processing or Post‑Processing tabs.
b Choose from the available options, then click OK.
Tasks
• Create a MySQL database user account on page 22
Content Security Reporter accesses the McAfee Network Security Manager database using a MySQL database user account. McAfee recommends that you create a MySQL database user that is specifically used for the purpose of communication between Content Security Reporter and McAfee Network Security Manager.
• View log processing jobs on page 23
View a list of current running log processing jobs.
• View log source statistics on page 23
View the cumulative and Syslog client statistics in Content Security Reporter.
• Manage log processing jobs on page 24
Manage the list of log processing jobs that are queued, running, or completed.
• View custom columns on page 24
View a list of built‑in columns.
• Configure rule sets on page 24
Configure rule sets, which are used in user‑defined columns during log file processing.
• Configure browse time options on page 24
Set the browse time threshold and default browse time for user browsing sessions.
• Import a single log file on page 25
Import log files from a directory on the client computer.
Create a MySQL database user account
Content Security Reporter accesses the McAfee Network Security Manager database using a MySQL database user account. McAfee recommends that you create a MySQL database user that is specifically used for the purpose of communication between Content Security Reporter and McAfee Network Security Manager.
Task
1 Log on to the McAfee Network Security Manager computer.
2 Locate the MySQL installation folder for McAfee Network Security Manager. For example, C:\Program Files (x86)\McAfee\Network Security Manager\MySQL
3 Open a command prompt and type the command cd <MySQL installation folder>\bin, then press Enter.
4 Log on to MySQL: type the command mysql --user=root mysql -p, then press Enter.
5 Type your password.
6 Create the account and specify where the Content Security Reporter server is located.
a Run the command CREATE USER 'User 1'@'192.168.0.1' IDENTIFIED BY 'mypassword';
b Press Enter.
7 Grant privileges to the account for the specified database and tables.
a Run the command GRANT SELECT ON <database name>.* TO 'User 1'@'192.168.0.1';
b Press Enter.
The default <database name> is lf.
For more information, see the MySQL 5.0 Reference Manual.
View log processing jobs
View a list of current running log processing jobs.
Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Report Server Settings.
2 From the Setting Categories menu, select Log Sources.
3 Click the Current Jobs tab.
4 To update the list of current running log processing jobs, click Refresh.
View log source statistics
View the cumulative and Syslog client statistics in Content Security Reporter.
Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Report Server Settings.
2 From the Setting Categories menu, select Log Sources.
3 Click the Statistics tab.
Manage log processing jobs
Manage the list of log processing jobs that are queued, running, or completed.
Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Report Server Settings.
2 From the Setting Categories menu, select Log Sources | Job Queue.
3 From the Actions menu, select a task you want to perform.
View custom columns
View a list of built‑in columns.
Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Report Server Settings.
2 From the Setting Categories menu, select Log Sources | Custom Columns.
The list of custom columns appears.
Configure rule sets
Configure rule sets, which are used in user‑defined columns during log file processing.
Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Report Server Settings.
2 From the Setting Categories menu, select Log Sources | Custom Rule Sets.
3 From the Actions menu, select New.
4 Enter a name and description, then configure the remaining rule set options.
5 Click OK.
Configure browse time options
Set the browse time threshold and default browse time for user browsing sessions.
Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Report Server Settings.
2 From the Setting Categories menu, select Log Sources | Browse Time, then click Edit.
3 Choose the threshold and default time for browse time sessions, then click Save.
Import a single log file
Import log files from a directory on the client computer.
When using the Import Log option, the log file format must be the same as the log source to avoid errors.
Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Report Server Settings.
2 From the Setting Categories menu, select Log Sources.
3 Select a log source.
4 From the Actions menu, select Import Log.
A window opens that displays a local directory of the client.
5 Browse to the log file you want to import.
6 Click Open.
A message confirms that the selected log file is imported.
7 Click OK.
Content Security Reporter processes the log file and the processing status appears on the Current Jobs tab.
Configure the database
Use the already configured internal database, or configure a supported external database.
Contents
Connect to the internal database
Backup and restore the internal database
Connect to an external database
Execute SQL
Connect to the internal database
Connect to the internal database that is installed with Content Security Reporter.
Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Reporter Server Settings.
2 From the Setting Categories menu, select Database.
3 In the Configuration section, select Default internal database.
Backup and restore the internal database
Back up the internal database to safeguard your data against hardware failures or other issues. Reinstate data from the backup using the restore feature.
Before you begin
McAfee recommends using the MySQL GUI Tools, which includes MySQL Administrator, to back up or restore the Content Security Reporter internal database.
The MySQL GUI Tools is available as a free download from the MySQL Downloads page and must be installed on the same computer as Content Security Reporter.
You will need the following information when using this tool:
• Server Hostname — 127.0.0.1
• Port — 9129
• Username — dba
• Password — dba
• Database name — reporting
Task
1 Log off Content Security Reporter.
2 Shut down the Content Security Reporter Internal Database service.
3 Perform the backup or restore procedure using instructions in the MySQL Administrator documentation.
4 Restart the Content Security Reporter Internal Database service.
5 Log on to Content Security Reporter.
The backup and restore operation is complete and the internal database is functional.
Connect to an external database
Connect Content Security Reporter to a supported external database, based on the needs of your organization.
Before you begin
You will need to provide the database address, port, logon information, and name. Any user on the Microsoft SQL Server database must have db_owner privileges.
Install Content Security Reporter and the external database on the same computer, or on separate computers. If Content Security Reporter is installed on the same computer as the external database, there must be enough disk space to accumulate data according to your organization's needs.
Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Reporter Server Settings.
2 From the Setting Categories menu, click Database.
3 From the Actions menu, select Edit.
4 From the This external database drop‑down list, select a database type.
5 Click Test to verify the settings are correct.
6 Click Save.
The connected database is listed as the Database Server in the registered servers list Menu | Configuration | Registered Servers. McAfee recommends that you do not edit the database settings on the Registered Servers page.
Execute SQL
When working with technical support, Execute SQL opens a window that enables a reporting administrator to execute SQL statements while troubleshooting.
Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Report Server Settings.
2 From the Settings Categories menu, select Database.
3 Click Edit.
4 Click Execute SQL.
5 In the Input field, enter an SQL statement, then click Run.
6 To exit the dialog, click OK.
Configure performance options
Configure the performance options to ensure that Content Security Reporter runs efficiently.
Contents
Edit memory allocation
Configure concurrent jobs
Manage the log processing cache
Manage the log processing summary cache
Edit memory allocation
Dedicate the amount of memory that will be available to the report server.
Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Report Server Settings.
2 From the Setting Categories menu, select Performance Options.
3 In the Memory section, click Edit.
4 Enter the amount of memory to reserve for Content Security Reporter, and select gigabytes or megabytes.
• Minimum memory value — 1024 MB
• Maximum 32‑bit memory value — 1536 MB
5 Click OK.
If the memory value entered is too large, Content Security Reporter will not restart.
Configure concurrent jobs
Choose how many log processing jobs can concurrently run.
Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Report Server Settings.
2 From the Setting Categories menu, select Performance Options.
3 In the Concurrent jobs section, click Edit.
4 Select the maximum amount of concurrent log processing jobs, then click OK.
Manage the log processing cache
View and manage the settings in the log processing cache.
Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Report Server Settings.
2 From the Setting Categories menu, select Performance Options | Cache.
3 From the Actions menu, select a task you want to perform.
Manage the log processing summary cache
View and manage the settings in the log processing summary cache.
Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Report Server Settings.
2 From the Setting Categories menu, select Performance Options | Summary Cache.
3 From the Actions menu, select a task you want to perform.
4 Reporting
Use dashboards to monitor Internet and email usage, and IPS alert data in your organization, and report your findings using preconfigured or customized queries and reports.
Contents
Monitoring with dashboards
Querying the database
Reports
Configure a dashboard
Configure a query
Running reports
Schedule queries and reports
Monitoring with dashboards
Dashboards provide the ability to constantly monitor Internet and email usage, and IPS alert data in your organization.
The following options are available for your dashboards:
• Dashboard Visibility — By selecting one of these options, you can control which users in your organization are able to view specific dashboards.
• Advanced Analytics — By enabling advanced analytics on a dashboard, additional filter and pivot actions become available to further customize and analyze dashboard data.
Default dashboards
Content Security Reporter comes with a set of default dashboards that you can run as they are, or duplicate and customize to suit your needs.
Default dashboards are available from the Dashboards tab and contain data obtained from Content Security Reporter default or customized queries. Dashboards display information such as:
• Hybrid activity
• Internet activity
• Policy enforcement
• Productivity
• Security overview
Custom dashboards
Create a dashboard, or duplicate and customize an existing dashboard for a specific and focused view of your organization's data.
For additional custom options, enable advanced analytics from the New Dashboard and Edit Dashboard windows. Enabling analytics provides you the following additional options:
• Filtering — Add additional filters to focus in on which data you want to display on a dashboard and within a specified time range.
• Pivot — For specific log record information, navigate from a configured monitor on the dashboard layout to another dashboard focused around the same log record information.
• Table and chart legends — Select data within a chart or table legend to view or remove data.
Monitors
Dashboards are collections of monitors. You can tailor dashboard information by adding monitors that provide specific Internet and email usage, and IPS alert information.
A monitor displays data from default or custom queries in the form of charts and tables. Each monitor is configured independently in order to display multiple combinations of your organization's data.
Querying the database
Content Security Reporter allows you to create and run queries and reports that provide Internet and email usage, and IPS alert data in the form of charts and tables. The data for these queries and reports is pulled from log data, and is stored in the registered internal or external database. Use any of the default queries and reports, or duplicate and modify existing queries and reports to create your own for a customized view of your organization's data.
Queries
Run a query independently, or combine queries within a report to view specific Internet and email usage, and IPS alert data within your organization.
Query results can be run on‑demand or on a regular schedule, and produce PDF output for viewing outside of Content Security Reporter.
Content Security Reporter includes default queries that you can run as is, or create a customized query for your specific reporting needs.
Query Builder
Content Security Reporter provides a four‑step wizard to create queries or to duplicate and customize default queries. Use the wizard to configure which data is retrieved and how it is displayed.
Custom query result types
Select a schema and result type to identify where and what type of data the query retrieves. Each type has its own set of data options (also called columns) to select from. The query type determines the amount of detail available for generating reports. The following query types are available to you:
• Detailed email delivery — Data based on the delivery status of sent emails.
• Detailed email detection — Information regarding viruses detected in sent and received emails.
• Email summary — High‑level email usage information.
• Detailed web access — Represents web traffic details such as full request URLs and exact date and time of each request.
• Web summary — Generation of hourly data for reports such as hits per user, categories per week, bytes per log source, and more.
• IPS Alerts — Detailed information about alerts generated from IPS devices.
It is quicker to generate reports and queries that are based on summary data than detail data.
Custom query-level filters
Specify criteria by selecting properties and operators to limit the data retrieved by the query. Query‑level filters filter data only for the query in which they are applied.
For example, you already have a query that shows the top sites visited within your organization. To show only the top sites visited by user jsmith, select the Username column and type jsmith in the Value column property field. The query then returns the top sites visited by the user jsmith.
Use column properties to filter data only when report‑level filters cannot be used.
When you want more filtering capabilities and control over data in all queries — such as hourly, weekly, or monthly versions of the same queries — use report‑level filters.
Custom query charts and columns
Content Security Reporter provides a number of layout options to display the data it retrieves. Choose from a variety of layout options to best display your data.
Reports
Content Security Reporter includes highly customizable, flexible, and easy‑to‑use reporting capabilities. Reports are customizable documents that display data from one or more Content Security Reporter elements in a single PDF document for focused and offline analysis.
Use the Report Builder to create and run reports that display charts and tables with user‑configured data. The most recently run report is stored within Content Security Reporter and readily available for viewing.
Reporting is available with any of these subscriptions:
• McAfee® Web Gateway
• McAfee® SiteAdvisor® Enterprise software
• McAfee® SmartFilter® software
• McAfee SaaS Web Protection Service
Default reports
Content Security Reporter installs several default reports made of Content Security Reporter queries and filters. Default reports are available from Content Security Reporter Shared Groups.
Default reports produce data from Content Security Reporter summary and detailed queries, for example:
• Your users' Internet activity
• The most blocked websites, malware, and applications
• The most used websites and applications
• Potential security threats to your organization
Custom reports
Create a new custom report, or duplicate and customize a default report to suit your needs. The following display and setting options are available to you to customize your reports:
• Query — Information found within a report is based on the data generated within queries.
• Display options — Using these options, you can modify how the data is displayed within a report.
• Runtime parameters — Using these options, you can modify what data appears in a report.
Configure a dashboard
Create a dashboard that allows you to see your organization's data and how you want to see it.
Create a dashboard
Set up customized dashboards to view your organization's Internet and email usage, and IPS alert data.
Task
For option definitions, click ? in the interface.
1 Add a new dashboard to Content Security Reporter.
a On the menu bar, click Dashboards.
b In Dashboard Actions, click New, and type a name for the dashboard that allows you to easily identify it.
c In Dashboard Visibility, select who can view this dashboard.
2 Enable additional filtering capabilities.
a In Analytics, select Enabled.
b From the drop‑down list, select a filter.
c Click OK.
See also
Custom dashboards
Add monitors to dashboards
Add monitors to a dashboard for a customizable view of your organization's data.
Before you begin
You must have write permissions for the dashboard you are modifying.
Every monitor type supports different configuration options. For example, a query monitor allows the query, database, and refresh interval to be changed.
Task
1 Select Menu | Reporting | Dashboards and select a dashboard.
2 Click Add Monitor.
The Monitor Gallery appears at the top of the screen.
3 From the View drop‑down list, select a query.
The available monitors in that category appear in the gallery.
4 Drag the monitor onto the dashboard. As you move the cursor around the dashboard, the nearest available drop location is highlighted. Drop the monitor into your desired location.
The New Monitor dialog appears.
5 Configure the monitor as needed (each monitor has its own set of configuration options), then click OK.
6 After you have added monitors to this dashboard, click Save Changes to save the newly configured dashboard.
7 When you have completed your changes, click Close.
Tasks
• View additional details
View additional data details in monitors using the drill down links.
• Filter dashboard data
Use filters to further customize the data in dashboard tables and charts.
• Pivot options
Use pivot options to add a new dashboard or view specific data.
• Add data items to Common Catalog
Use Common Catalog as a central data repository for IP addresses, sites, and user names.
• View Global Threat Intelligence information
View McAfee® Global Threat Intelligence™ information to assess threats from malware, sites, URLs, and IP addresses.
• View a site
When viewing a dashboard, drill down to view a website.
See also
Monitors
View additional details
View additional data details in monitors using the drill down links.
Before you begin
Additional details are only available from configured monitors.
Task
1 Select Menu | Reporting | Dashboards.
2 From the Dashboard drop‑down list, select a dashboard.
3 Click a data type within a table or chart.
A list of data items appears, which is generated from the selected data type.
4 Click a line of data.
The Details page appears.
Filter dashboard data
Use filters to further customize the data in dashboard tables and charts.
Before you begin
Filter options are only available when analytics is enabled on a dashboard.
Task
1 Select Menu | Reporting | Dashboards.
2 Choose from these options:
• Filter data by adding your own filter.
a Click Add Filter.
b Select a Filter Type and enter a Filter Value.
c Click OK.
In the Filter Value field, you can enter the filter pattern using these wildcard values:
• Asterisks (*) are used to match one or more characters. For example, *a* matches all filter type results containing a.
• Question marks (?) are used to match one character. For example, ?jones matches all filter type results beginning with any one character and ending with jones. You can use multiple ? in your filter value.
• Filter data from a monitor table or chart legend.
a Click the down arrow next to a data item.
b From the drop‑down list, select Add Filter.
• Filter data by date range.
a Enter a number value in the Show last field.
b Select a frequency.
c Click Go.
The applied filter will appear in the Add Filter area of the dashboard.
Pivot options
Use pivot options to add a new dashboard or view specific data.
Before you begin
Pivot options are only available when analytics is enabled on a dashboard.
Task
1 Select Menu | Reporting | Dashboards.
2 Choose from these options:
• Pivot from the data in a monitor table or chart legend.
a Click the down arrow next to a data item.
b From the drop‑down list, select Pivot to.
• Pivot from the Details page.
a Click table or chart data within a monitor.
b Click on an item from the data table.
c Click on a highlighted data item.
d From the drop‑down list, select Pivot to.
Add data items to Common Catalog
Use Common Catalog as a central data repository for IP addresses, sites, and user names.
Before you begin
Select Menu | Common Catalog to create a catalog list. Common Catalog does not support IPv6 addresses.
Task
1 Select Menu | Reporting | Dashboards.
2 Choose from these options:
• Add data items to Common Catalog from a monitor table or chart legend.
a Click the down arrow next to a data item.
b From the drop‑down list, choose from these options:
• Add to List — Deposits the data item into a Common Catalog list.
• Remove from List — Removes the data item from a Common Catalog list.
To select multiple lists, press Ctrl or Shift and select the lists intended for the data item.
• Add data items to Common Catalog from the Details page.
a Click table or chart data within a monitor.
b Click on an item from the detail table.
c Select a highlighted data item.
d From the drop‑down list, choose from these options:
• Add to List — Deposits the data item into a Common Catalog list.
• Remove from List — Removes the data item from a Common Catalog list.
To select multiple lists, press Ctrl or Shift and select the lists intended for the data item.
View Global Threat Intelligence information
View McAfee® Global Threat Intelligence™ information to assess threats from malware, sites, URLs, and IP addresses.
Task
1 Select Menu | Reporting | Dashboards.
2 Choose from these options:
• View Global Threat Intelligence information from a monitor table or chart legend.
a Click the down arrow next to a data item.
b From the drop‑down list, select View GTI info.
• View Global Threat Intelligence information from the Details page.
a Click table or chart data within a monitor.
b Click on an item from the detail table.
c Select a highlighted data item.
d From the drop‑down list, select View GTI info.
View a site
When viewing a dashboard, drill down to view a website.
Before you begin
View site options are only available when analytics is enabled on a dashboard.
Task
1 Select Menu | Reporting | Dashboards.
2 Choose from these options:
• View a site from a monitor table or chart legend.
a Click the down arrow next to a URL.
b Select View site from the drop‑down list.
• View a site from the Details page.
a Click table or chart data within a monitor.
b Click an item from the detail table.
c Click the highlighted URL.
d From the drop‑down list, select View site.
A browser window appears displaying the selected website.
Configure a query
Before generating a report, configure the queries to use in your reports.
View Top Users by Browse Time example:
When configuring a query, consider the following user scenario for viewing the top users in your organization by overall browse time.
Assume the users in your organization have access to the Internet, and you would like to block specific users from the sites they visit most often.
Use the View Top Users by Browse Time query to compare which users in your organization use the most browse time. After you have identified which users in your organization use the most browse time, Content Security Reporter allows you to block these users from accessing their most visited websites. In this scenario, you are able to:
• Define which users in your organization use the most browse time.
• Compare the users in your organization that use the most browse time.
• Assess which website these top users visit most often.
• Block the websites that the top users visit most often.
Task
1 Select a query type.
a Select Queries & Reports | Actions and click New, or select an existing query from the list and click Edit.
The Query Builder opens with the Result Types view active.
b From the Database Type drop‑down list, select Content Security Reporter.
c Select the query options you want from the available lists.
d Click Next to move to the Chart page.
2 Select a query layout.
a From the Display Results As list, select a graph or table for the query layout. Select a layout for your query that will best display your data.
b Select the display options you want from the available lists.
c Click Next to move to the Columns page.
When entering the maximum value for the display, it is recommended to use a lower value. For example, instead of using 200 as the maximum value, enter 10 in the value box.
3 Select query columns.
a From the Available Columns list, select which columns to apply to your query.
b In Selected Columns, select, drag, and position each column.
c Click Next to move to the Filter page.
If you selected a Table result type on the Chart page, the columns you select here are the columns of that table. Otherwise, these are the columns that make up the query details table.
4 From the Available Properties list, select which properties to use for filtering your query and the appropriate values for each.
5 Click Run to check that you get the type of results you expect.
If the query did not appear to return the expected results, click Edit Query to go back to the Query Builder and edit the details of the query.
If you do not need to save the query, click Close.
Before generating a report, you must first configure the queries to use in your reports.
6 Save the query.
a Click Save to view the Save Query page.
b Type a name for the query, add any notes, and select a group.
c Click Save.
See also
Query Builder
Running reports
Generate a report using default or customized queries. For example, create a report that shows the top blocked malware in your organization using data available from your configured queries.
Before you begin
By default, you must have administrator rights to be able to view, modify, and run existing reports as well as add new reports. To give other users the ability to create and run reports, select Menu | User Management | Permission Sets and edit the Content Security Reporter permission for each user type.
If the report includes runtime parameters, you can specify those parameters when running the report.
Task
1 Select a query.
a Select Queries & Reports | Actions | Report and click New, or select an existing report from the list and click Edit.
The Report Builder opens with the Report Layout view active.
b From the toolbox, drag a query chart to the report layout configuration area. The Configure Query Chart dialog box opens.
c Select the available query options.
d Click OK.
2 Customize the report.
a In the Name, Description and Group tab, type a name, description, and which group to use.
Use the Header and Footer and Page Setup tabs to specify how you want the query to appear in the report.
b Use the Runtime Parameters tab to select report‑level filters.
3 Click Run to generate the report.
At this point, you can choose to run the report to get the information immediately, save it to use another time, or configure its appearance further by adding additional content.
See also
Custom reports
Schedule queries and reports
Create a schedule to regularly run queries and reports.
Task
1 Select Menu | Automation | Server Tasks.
2 From the Actions menu, select New Task to open the Server Task Builder on the Description page.
3 Type a name for the task, and use the Notes area to add any additional information such as the expected results. Select whether you want the task enabled or disabled, and click Next to move to the Actions page.
4 From the Actions drop‑down list, select Run Query or Run Report.
5 Select the query or report, its language, and whether you want to export the contents to a file, or send it to someone else, or run another command.
If you are exporting to a file, you must specify a destination directory before you can continue.
6 Click Next to move to the Schedule page.
7 Use the options to specify when you want the query or report to run, and for how long.
8 Configure any report‑level filters.
9 Click Next to view a summary of the query or report settings.
10 Click Save.
The query or report is available to view, run, or edit from the Server Tasks list.
See also
Query Builder
Custom reports
5 Content Security Reporter maintenance
Content Security Reporter requires regular maintenance to promote optimal performance and to protect your data. Database maintenance options allow you to perform tasks that optimize database performance and free database space. Over time, records are added to the database and more space is used. To free space in the database, you can delete older records you no longer need.
System maintenance options allow you to configure tasks that remove system status information and server logs to reduce disk space usage.
McAfee recommends that you perform database maintenance tasks during off‑peak times. During maintenance, the database and new queries and reports are not available. Make sure you read the instructions for each maintenance task before starting the maintenance job in Content Security Reporter.
Contents
Maintain the database
Maintain the system
Collect system information for troubleshooting
Upgrade
Uninstall Content Security Reporter
System backup
Maintain the database
Schedule database maintenance tasks to run at a regular frequency and start time, or perform the tasks manually for immediate results.
Contents
Configure automated database maintenance jobs
Run manual database maintenance jobs
Manage database maintenance jobs
Configure automated database maintenance jobs
Configure the settings for when Content Security Reporter performs database maintenance jobs.
Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Report Server Settings.
2 From the Setting Categories menu, select Database Maintenance.