ProxySG & Advanced Secure Gateway

  • 1.  CAS Report Access Field

    Posted Apr 01, 2019 04:54 AM

    Hi!

    I would like to see the unified report in Management Center, and I'm trying to add the following fields to the Proxy ASG access log, but I get an error that the field is unrecognized.

    x-file-reputation-score, x-cylance-score, x-cas-date, x-cas-time, x-event-id

    Has anyone achieved this?

    Thanks in advance...

     

     



  • 2.  RE: CAS Report Access Field

    Posted Apr 01, 2019 05:28 AM

    Hi Sriram,

     

    These are specific to CAS, as these services are called in my CAS as part of file checking/scanning. None of these are passed to ProxySG for you to log.



  • 3.  RE: CAS Report Access Field

    Posted Apr 01, 2019 09:30 AM

    Hi Aravind,

    In the CAS logs, I could see only the transaction ID. Is there any way to add the additional log fields into CAS? Also, the Reporter Guide mentions that Proxy ASG will collect the CAS scanning result as well.

     

    The ProxySG appliance uploads transaction logs (bcreportermain_v1) to the staging FTP server.

    • This data set is the result of the data the ProxySG appliance collects directly, as well as the results of Content Analysis antivirus scanning. New access log fields: x-file-reputation-score, x-cylance-score, x-cas-date, x-cas-time, x-event-id.

    https://origin-symwisedownload.symantec.com//resources/webguides/reporter/103/Content/Topics/Admin/Databases/createcamadb.htm?Highlight=MA%20Database

    Could you please help me achieve the unified reporting?



  • 4.  RE: CAS Report Access Field

    Posted Apr 02, 2019 12:59 AM

    Hi Sriram,

     

    The answer from Gunnar in the thread https://www.symantec.com/connect/forums/proxy-asg-cas-integration-reporter also answers this. You don't need to find ways to inject these into the ProxySG access log. Instead, they will be combined at Reporter based on the transaction ID, and the reports are made available. Step D in the guide https://origin-symwisedownload.symantec.com//resources/webguides/reporter/103/Content/Topics/Admin/Databases/createcamadb.htm?Highlight=D%E2%80%94 mentions this. The bcreportermain_v1 format + the CAS logs will give you the full view.



  • 5.  RE: CAS Report Access Field

    Posted Apr 03, 2019 05:56 AM

    Hi aravind,

    Thanks for the reply.

    CAS doesn't have any input apart from the transaction ID. The Bluecoat access logs don't have any field about the CAS services statistics. I'm wondering how we can get the report without these (x-file-reputation-score, x-cylance-score, x-cas-date, x-cas-time, x-event-id) inputs?

    Please clarify this. I already tried with a single database where Proxy ASG and CAS are under the same log source, but still no luck.

    Thanks in Advance...



  • 6.  RE: CAS Report Access Field

    Posted Apr 04, 2019 03:11 AM

    Hi Sriram,

     

    These fields are added based on the sandboxing result. MA will inject these into the log passed to Reporter and to the unified DB. They will have information only if sandboxing happens. If not, it is just the transaction ID alone. Then MC will use this unified DB to show you threat reports.



  • 7.  RE: CAS Report Access Field

    Posted Apr 23, 2019 12:09 PM

    Hi Sriram,

    I'm assuming your ASG is running v6.7.x, right? 

    Here are a few reference links that may help:

    1. Create a Unified Database in Reporter
    2. Uploading Content/Malware Analysis results to Reporter
    3. Add Reporter to Management Center
    4. List of 'Unified' Reports (search for keyword 'unified')

    If you want to validate entries for the log fields you cited above, "x-file-reputation-score, x-cylance-score, x-cas-date, x-cas-time, x-event-id", set the Content Analysis FTP settings to an FTP server you can get the log files from and inspect the contents.

    HTH
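
One way to do the inspection suggested in the last reply, as an added example that is not part of the thread or of any Symantec tooling: it reports which of the five fields appear in a log file's header and on how many rows each one carries a value. It assumes the file retrieved from the FTP server uses the W3C ELFF layout (a `#Fields:` directive, `-` for an empty value); the sample log and the `txn-id` column name are constructed placeholders.

```python
import shlex

# Fields named in this thread.
CAS_FIELDS = ["x-file-reputation-score", "x-cylance-score",
              "x-cas-date", "x-cas-time", "x-event-id"]

# Constructed sample, not real appliance output. Assumed layout: ELFF with a
# "#Fields:" directive and "-" for empty values; "txn-id" is a placeholder name.
SAMPLE_LOG = """\
#Software: constructed-sample
#Fields: date time c-ip cs-host txn-id x-file-reputation-score x-cylance-score x-cas-date x-cas-time x-event-id
2019-04-01 04:54:00 10.0.0.5 example.test 1001 - - - - -
2019-04-01 04:55:10 10.0.0.6 files.example.test 1002 7 -0.9 2019-04-01 04:55:12 ev-42
2019-04-01 04:56:30 10.0.0.7 "quoted host" 1003 - - - - -
"""

def audit_cas_fields(text, wanted=CAS_FIELDS):
    """Return (fields missing from header, {field: populated rows}, total rows)."""
    columns, counts, rows = None, {}, 0
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            columns = line[len("#Fields:"):].split()
            counts = {f: 0 for f in wanted if f in columns}
            continue
        if not line.strip() or line.startswith("#") or columns is None:
            continue
        try:
            values = shlex.split(line)  # keeps double-quoted values together
        except ValueError:
            continue  # unbalanced quote: skip the row
        if len(values) != len(columns):
            continue  # malformed row: skip rather than misalign columns
        rows += 1
        record = dict(zip(columns, values))
        for f in counts:
            if record[f] not in ("-", ""):
                counts[f] += 1
    missing = [f for f in wanted if columns is None or f not in columns]
    return missing, counts, rows

if __name__ == "__main__":
    missing, counts, rows = audit_cas_fields(SAMPLE_LOG)
    print("missing from #Fields:", missing or "none")
    for field, n in counts.items():
        print(f"{field}: populated on {n} of {rows} rows")
```

In the constructed sample only the second row carries values, which matches the earlier reply that these fields are filled in only when sandboxing happens.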