06-08-2011 05:30 AM
I got a very simple request this morning.
Show me logs of user X going to pornography sites.
I have 2 PA-4020s and Panorama. I know this traffic occurred but can't generate it in a report anywhere.
This is a very critical and basic need.
Can anyone share techniques that help them get these reports?
Thanks,
Justin
06-08-2011 05:37 AM
Have you looked in the ACC or in the URL log and verified you actually have the event logged? Did you look at the correct time frame when generating a custom report or using ACC? Start searching the URL log with something simple: (category eq adult-and-pornography).
06-08-2011 06:16 AM
I just built a custom report using (category eq adult-and-pornography) and adding the source user and URL in the columns, and it worked well. Just had to select the Panorama URL database.
06-09-2011 05:06 AM
Thanks for the replies. When I try to do a custom report for the past 2 months, it just hangs forever. Could you provide the query string you used or maybe a screenshot? I was able to use the (category eq adult-and-pornography) string for the past week and then export that to Excel.
I'd like to be able to have a functioning query that stated: USERX, adult-and-porn, return all data stored.
Not knowing how much data is stored is a problem. I wish we could get our hands into the database, or manage one ourselves in SQL.
06-09-2011 05:40 AM
I would try past week or past two weeks first. You may want to call Support and open a ticket if it's hanging.
The filters work like Wireshark. If you wanted to look for a certain user, you would use this query: (user.src eq USERX) and (category eq adult-or-sexually-explicit)
You could also set up a SYSLOG forwarding profile.
06-09-2011 05:48 AM
Thanks again.. We were told that Panorama was the log manager. It's a firewall management station, and every other product on the market does long term log storage. If I have to go tell my boss we need another syslog instance he's going to say "Why the h*** did we buy Panorama". I'm starting to wonder that myself.
06-09-2011 07:07 AM
If your report is hanging and not returning a result then you definitely want to open a support case and have that investigated.
-Benjamin
06-09-2011 07:19 AM
Thanks.. I think I've resigned myself to sending my URL logs to syslog for now. BUT, I'm having trouble even doing that. If someone does this, could you attach a screenshot? I just want to send URL logs, not threat or traffic.
Thanks,
Justin
06-09-2011 07:22 AM
URL Logs are part of the Threat logs. So you should be able to forward just the Threat logs to your syslog environment in this case.
-Benjamin