Report Viewer: Difference between revisions

From Edge Threat Management Wiki - Arista
No edit summary
(3 intermediate revisions by 2 users not shown)
Line 2: Line 2:
<noinclude>
<noinclude>
= Reports =
= Reports =
Reports provide a graphical view of the network traffic and actions of your Untangle. Various reports are available within applications and base system components. The reports can be manipulated to drill down, customize, and export data in many ways using the Report Viewer.  
Reports provide a graphical view of the network traffic and actions of your NG Firewall. Various reports are available within applications and base system components. The reports can be manipulated to drill down, customize, and export data in many ways using the Report Viewer.  


[[Image:112_report_viewer_081015.png|700px|center|Web Filter - Reports]]
</noinclude>
</noinclude>
{{Screenshot|reports}}


= Report Viewer =
= Report Viewer =
<includeonly>
<includeonly>
Reports provide a graphical view of the network traffic and actions of your Untangle. Various reports are available within applications and base system components. The reports can be manipulated to drill down, customize, and export data in many ways using the Report Viewer.  
Reports provide a graphical view of the network traffic and actions of your NG Firewall. Various reports are available within applications and base system components. The reports can be manipulated to drill down, customize, and export data in many ways using the Report Viewer.  
</includeonly>
</includeonly>


[[Image:112_report_viewer_color.png|700px|center|Web Filter - Reports]]
There are a few panels in the Report Viewer:  
There are a few panels in the Report Viewer:  


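Review bot: the intro paragraph exists twice in the source, once inside <noinclude> and once inside <includeonly>, so the Untangle to NG Firewall rename had to be applied to both copies in this hunk; keeping a single copy (for instance behind a template, as the new {{Screenshot|reports}} line does for the image) would let future wording changes be made once.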
Line 23: Line 23:
* The data panel: The data panel, hidden by default, can be displayed by clicking on the "Data View" button in the chart panel. This will show the raw data used to generate the chart and allow the user to export the data by clicking the "Export Data" button at the bottom.
* The data panel: The data panel, hidden by default, can be displayed by clicking on the "Data View" button in the chart panel. This will show the raw data used to generate the chart and allow the user to export the data by clicking the "Export Data" button at the bottom.


=== Report Charts ===
The Report Chart contains several features to help manipulate the view of the report to your liking.
[[Image:Report_viewer_071415.png|600px|center|Web Filter - Report Viewer]]
Along the top and bottom toolbars you will find the following selections:
*Top Toolbar:
** Chart Type (if available): Choose from Line, Bar, Bar Overlapped, Bar 3D, Bar 3D Overlapped. This feature is not available for pie charts.
** Customize: Build and save customized reports. Custom reports will be saved in the report selection.
** View Events: View the individual events that were used to build the report in Events format.
** Download: Download a .png image of the chart.
* Bottom Toolbar:
** Time Selection: Select the start and end time of the report. Beware that running queries (viewing reports) against a huge number of days can still be expensive if the server is busy.
** Refresh:  Force the writing of all events currently buffered in memory to the database, and then re-query the database for current data.
** Auto Refresh: Automatically refresh every few seconds. This is useful to keep displayed while debugging an issue or if you want to see whats happening in real time.
The legend will appear at the bottom of the chart for line or bar charts, and to the right for pie charts. By clicking the fields in the legend a data series can be removed or re-added. This can help to remove clutter and focus on certain data series.
<blockquote>
''Note:'' Some queries are more expensive than others to run. Depending on your hardware and the current amount of traffic Untangle is processing it is possible that you can slow network traffic by running expensive queries.
</blockquote>
<noinclude>
= Events =
</noinclude>
<includeonly>
=== Events ===
</includeonly>
[[Image:112_eventlogs_071415.png|600px|center|Event Log]]
Event reports show recent 1000 events sorted by time_stamp with the most recent events at the top.
When opening an event report it will automatically refresh and show you the default query.
The columns along the top will show the relevant columns for the specific event report and type of event being viewed. The example above shows the [[Web Filter]] event log so you can see many columns related to the web request and what action was taken.
Along the top and bottom toolbars you will find the following selections:
*Top Toolbar:
** Filter: A filter can be used to instantly select any rows that match your filter string and display only those rows. Use the ''Case sensitive'' check box to match case and ''Clear Filters'' button to remove the filter and display all data.
** Export: Export ALL events of the relevant query to a CSV text file that can be viewed by your favorite spreadsheet or text editor. This is necessary for large datasets. Browsers can not handle huge datasets in the DOM and will become not responsive if given too much data. As such, there is an 1000 event limit on events displayed in the UI, however the ''Export'' button will give you all events in a potentially very large text file. Generating and downloading the export may take some time.
* Bottom Toolbar:
** Number of Events: The default is to show 1,000 events. This can be increased to 10,000 or 50,000.
** Time Selection: Select the start and end time of the report. Beware that running queries (viewing reports) against a huge number of days can still be expensive if the server is busy.
** Refresh:  Force the writing of all events currently buffered in memory to the database, and then re-query the database for current data.
** Auto Refresh: Automatically refresh every few seconds. This is useful to keep displayed while debugging an issue or if you want to see whats happening in real time.
Finally, you have the page management which you can use to browse through the current events being displayed.
<blockquote>
''Note:'' Some queries are more expensive than others to run. Depending on your hardware and the current amount of traffic Untangle is processing it is possible that you can slow network traffic by running expensive queries. This can be especially true for queries that only return a few events because it will collect events up until 1000 events. If 1000 events don't exist it will scan the entire database and return whatever events do exist. For example, "Infected Web Events" in [[Virus Blocker]] typically only returns a few events. This query can take some time because it will scan the entire web request table looking for "Infected Web Events."
</blockquote>
<noinclude>
= Conditions =
</noinclude>
<includeonly>


=== Conditions ===
=== Conditions ===
</includeonly>


The Conditions panel appears at the bottom panel and can be used to filter the queries used in both reports and events. Multiple conditions can be added to drill down and inspect data. Conditions can also be added to pie charts quickly from the Current Data window by using the filter icon.


The left hand drop down lists the available conditions that can be added. These will vary based on the application you are viewing. These can be matched to data by selecting an operator and entering the query string you're looking for. After entering a condition the report or event you are viewing will automatically refresh.
The Conditions panel appears at the top panel and can be used to filter data displayed in reports. For example, to view a "specific" host's report, you can add a condition for Client = "192.168.1.100" and then all reports available will only show data where the client is 192.168.1.100. Multiple conditions can be added to drill down and inspect data. Conditions can also be added quickly by clicking on slices in pie charts.


[[Image:112_addconditions_071415.png|600px|center|Conditions]]
The Add Condition dropdown contains many commonly used conditions, or the full list of all tables and columns can be browsed by clicking on the "More" button to add conditions for any database column.
 
In this example, we've added 2 conditions to see all traffic from a single client IP address (192.168.72.128) going to a specific domain (microsoft.com).
 
The ''Quick Add'' button also allows you to quickly create some commonly used conditions. A common use case for this is choosing which rack/policy will be queried. Once selected, this will automatically be added to the Conditions list. This also allows adding conditions for Hosts or Usernames based on the hosts and usernames currently known.


<blockquote>
<blockquote>
''Note:'' Conditions that do not apply to the data being queried will be silently ignored. For example if there is a condition that says 'policy_id' '=' '1' all report entries will show the data for data when the policy_id = 1. So for example all the web filter reports will only show web filter data from the 1st policy. However, the data for ''Reports'' > ''System'' > ''CPU Load'' queries the system_stat_events table which contains no 'policy_id' column. In this case the condition will be silently ignored and the CPU load for the whole system is displayed.
''Note:'' Conditions will not apply to all reports. For example, If viewing a specific users report by adding a condition where ''Username'' = ''foobar'' - many reports will be greyed out and unviewable. This is because the data used to generate those reports is not relevent to the specific user (it does not contain a username column). For example, the CPU usage report is a system report that is not relevant to a specific network user and so there is no way to filter that data by user.  
</blockquote>
</blockquote>


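Review bot: the replacement Note (''Conditions will not apply to all reports...'') carries 'relevent' for 'relevant', a capitalised 'If' mid-sentence and 'a specific users report' for 'a specific user's report'; the old text's explanation that a policy_id condition scopes web filter reports to that policy's data is dropped here and not carried elsewhere in this hunk, so a sentence on that alongside the new greyed-out behaviour would keep the note complete.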
Line 112: Line 43:
===== Conditions Example - Rack by Policy ID =====
===== Conditions Example - Rack by Policy ID =====


In many cases, you may just want to see the traffic related to a specific rack within policy manager. This can be accomplished very easily by adding a condition using the Quick Add feature.
In many cases, you may just want to see the traffic related to a specific policy within policy manager. This can be accomplished very easily by adding a condition using the Quick Add feature.


[[Image:112_quickadd_policy.png|300px|right|Quick Add]]
# In the Conditions panel, select '''Add'''.
 
# Choose '''Policy ID''' and specify equals and the policy ID in question.
 
# Open Report Viewer or Reports tab.
# In the Conditions panel, select '''Quick Add'''.
# Choose '''Policy ID''' and the rack name.
# The conditions is applied and will remain applied as you switch between reports.  
# The conditions is applied and will remain applied as you switch between reports.  
Alternately, you can manually enter the condition. To do this, go to Policy Manager > Settings and take not of the rack ID number. Then, in the drop down condition list, select Policy ID, select the operator ''='', and then enter the rack ID.


===== Conditions Example - Web Filter Categories =====
===== Conditions Example - Web Filter Categories =====


From pie charts, you can quickly add a condition from the Current Data window. This can be handy for use with the Web Filter category selection which we'll use for this example. Once the condition is applied, we can then use other reports to drill down to find out more information about the traffic such as which user might be responsible.  
From pie charts, you can quickly add a condition from the Current Data window. This can be handy for use with the Web Filter category selection which we'll use for this example. Once the condition is applied, we can then use other reports to drill down to find out more information about the traffic such as which user might be responsible.  
[[Image:112_current_data_games.png|300px|right|Quick Add]]


# Open Report Viewer or the Web Filter Reports tab.
# Open Report Viewer or the Web Filter Reports tab.
# Select the '''Top Categories''' report (by size or requests). In our example, you can see Games was at the top.
# Select the '''Top Categories''' report (by size or requests). In our example, you can see Games was at the top.
# Next to Games, click the "filter" icon.
# Click on the Games pie slice, and when prompted to add a condition click Yes.
# The conditions window displays with the category name Games pre-populated.  
# All Reports can now be viewed for Games only traffic.
# Click '''Done''' to add the condition.
# For example, the Top Clients (by request) will show the clients that visited the most gaming sites.
# To find the user(s) or machine(s) generating the traffic you can click to any other report such as '''Top Hostnames''' or '''Top Usernames'''
# For exmaple, the Web Usage (scanned) will show "Gaming" web usage throughout the day of the network.
 


<noinclude>
<noinclude>
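Review bot: the last step of the Web Filter Categories list keeps the typo 'For exmaple', and steps 5 and 6 now both open with 'For example', reading as two unrelated asides rather than one follow-up; 'The conditions is applied' in the Rack by Policy ID list should be 'The condition is applied'. Consider merging the two final steps into one sentence naming both follow-up reports (Top Clients by request and Web Usage (scanned)).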

Revision as of 18:27, 3 May 2022

Reports

Reports provide a graphical view of the network traffic and actions of your NG Firewall. Various reports are available within applications and base system components. The reports can be manipulated to drill down, customize, and export data in many ways using the Report Viewer.


Report Viewer

There are a few panels in the Report Viewer:

  • The top panel: This top panel (just below the navigation menu) allows you to specify which data is viewed. By default, there is just a timeframe and no conditions, so reports show all data for the specified timeframe. Conditions can be added to view more specific data, such as a specific host, user, domain, application, web category, etc.
  • The left panel: This allows you to choose the report you wish to view. At the bottom you can use the search box to quickly find reports with the specified string in the title. You can also import and create new reports using the "Add/Import" button.
  • The chart panel: This panel shows you the specified report. It also includes several action buttons at the top.
  • The data panel: The data panel, hidden by default, can be displayed by clicking on the "Data View" button in the chart panel. This will show the raw data used to generate the chart and allow the user to export the data by clicking the "Export Data" button at the bottom.


Conditions

The Conditions panel appears at the top panel and can be used to filter data displayed in reports. For example, to view a "specific" host's report, you can add a condition for Client = "192.168.1.100" and then all reports available will only show data where the client is 192.168.1.100. Multiple conditions can be added to drill down and inspect data. Conditions can also be added quickly by clicking on slices in pie charts.

The Add Condition dropdown contains many commonly used conditions, or the full list of all tables and columns can be browsed by clicking on the "More" button to add conditions for any database column.

Note: Conditions will not apply to all reports. For example, if viewing a specific user's report by adding a condition where Username = foobar, many reports will be greyed out and unviewable. This is because the data used to generate those reports is not relevant to the specific user (it does not contain a username column). For example, the CPU usage report is a system report that is not relevant to a specific network user, so there is no way to filter that data by user.

Condition Operators

The second field in the condition is the logical operator that will be used in evaluating the condition value defined in the last field. In most use cases the default "=" operator is what you want to use. However, there are several other operators available that make the reports and alerts a whole lot more powerful.

A detailed outline of each operator is on the Operators page.
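As an added illustration, not NG Firewall's own code (which this page does not show), the two points above in miniature: a condition is a (column, operator, value) triple, and a report stays viewable only when every condition's column exists in the table behind it; otherwise it is greyed out rather than shown unfiltered. Report names, the http_events table and all rows are constructed for the example, and only the default "=" operator is modelled.

```python
# Added illustration, not NG Firewall's own code: models how Report Viewer
# conditions (column, operator, value) apply to reports. A report whose
# backing table lacks a condition's column is greyed out (None) instead of
# silently showing unfiltered data.

# Constructed report definitions: report name -> backing table.
# http_events is a hypothetical name; system_stat_events is named on the page.
REPORTS = {
    "Top Clients": "http_events",
    "Top Usernames": "http_events",
    "CPU Load": "system_stat_events",
}

# Constructed sample rows; column names follow the page (client, username, policy_id)
TABLES = {
    "http_events": [
        {"client": "192.168.1.100", "username": "foobar", "policy_id": 1, "host": "games.example"},
        {"client": "192.168.1.101", "username": "alice", "policy_id": 2, "host": "news.example"},
        {"client": "192.168.1.100", "username": "foobar", "policy_id": 1, "host": "chat.example"},
    ],
    "system_stat_events": [
        {"load_1": 0.42, "mem_free": 1024},
        {"load_1": 0.91, "mem_free": 512},
    ],
}

# Only the default "=" operator is modelled; the page defers the others to its Operators page.
OPERATORS = {"=": lambda actual, expected: str(actual) == str(expected)}

def report_applies(report, conditions):
    """A report is viewable only if every condition's column exists in its backing table."""
    rows = TABLES[REPORTS[report]]
    columns = set(rows[0]) if rows else set()
    return all(col in columns for col, _op, _val in conditions)

def run_report(report, conditions):
    """Return the filtered rows, or None when the report is greyed out for these conditions."""
    if not report_applies(report, conditions):
        return None
    rows = TABLES[REPORTS[report]]
    for col, op, val in conditions:
        rows = [r for r in rows if OPERATORS[op](r[col], val)]
    return rows

if __name__ == "__main__":
    # Username = foobar: the two http_events reports filter down, CPU Load is greyed out
    for name in REPORTS:
        result = run_report(name, [("username", "=", "foobar")])
        print(name, "greyed out" if result is None else f"{len(result)} rows")
```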

Conditions Example - Rack by Policy ID

In many cases, you may just want to see the traffic related to a specific policy within policy manager. This can be accomplished very easily by adding a condition using the Quick Add feature.

  1. In the Conditions panel, select Add.
  2. Choose Policy ID and specify equals and the policy ID in question.
  3. The condition is applied and will remain applied as you switch between reports.

Conditions Example - Web Filter Categories

From pie charts, you can quickly add a condition from the Current Data window. This can be handy for use with the Web Filter category selection which we'll use for this example. Once the condition is applied, we can then use other reports to drill down to find out more information about the traffic such as which user might be responsible.

  1. Open Report Viewer or the Web Filter Reports tab.
  2. Select the Top Categories report (by size or requests). In our example, you can see Games was at the top.
  3. Click on the Games pie slice, and when prompted to add a condition click Yes.
  4. All Reports can now be viewed for Games only traffic.
  5. For example, the Top Clients (by request) will show the clients that visited the most gaming sites.
  6. For example, the Web Usage (scanned) report will show "Gaming" web usage throughout the day for the network.


Application Specific Report Pages