Report Viewer: Difference between revisions

From Edge Threat Management Wiki - Arista
(6 intermediate revisions by 2 users not shown)
Line 2: Line 2:
<noinclude>
<noinclude>
= Reports =
= Reports =
Reports provide a graphical view of the network traffic and actions of your Untangle. Various reports are available within applications and base system components. The reports can be manipulated to drill down, customize, and export data in many ways using the Report Viewer.  
Reports provide a graphical view of the network traffic and actions of your NG Firewall. Various reports are available within applications and base system components. The reports can be manipulated to drill down, customize, and export data in many ways using the Report Viewer.  


[[Image:112_report_viewer_081015.png|700px|center|Web Filter - Reports]]
</noinclude>
</noinclude>
{{Screenshot|reports}}


= Report Viewer =
= Report Viewer =
<includeonly>
<includeonly>
Reports provide a graphical view of the network traffic and actions of your Untangle. Various reports are available within applications and base system components. The reports can be manipulated to drill down, customize, and export data in many ways using the Report Viewer.  
Reports provide a graphical view of the network traffic and actions of your NG Firewall. Various reports are available within applications and base system components. The reports can be manipulated to drill down, customize, and export data in many ways using the Report Viewer.  
</includeonly>
</includeonly>


[[Image:112_report_viewer_color.png|700px|center|Web Filter - Reports]]
There are a few panels in the Report Viewer:  
There are five panels in the Report Viewer:  


* Application Selector (Green)(Left): This allows you to choose from the system and application report groupings. By selecting an option here, the results in the Report Selector section will be filtered to show just that application. When using the report viewer within an application, this pane is not shown.  
* The top panel: This top panel (just below the navigation menu) allow you specify which data is viewed. By default, there is just a timeframe and no conditions, so reports will show all data for the specified timeframe. Conditions can be viewed to view more specific data, such as a specific host, user, domain, application, web category, etc.


* Report Selector (Blue)(Left): This panel is broken into two areas containing reports and event log queries. The "Select Report" contains a list of pre-defined reports and event log queries. Saved custom reports will also appear in the reports list.  
* The left panel: This allows you to choose the report you wish to view. At the bottom you can use the search box to quickly find reports with the specified string in the title. You can also import and create new reports using the "Add/Import" button.


* Report Chart (Yellow)(Top): Shows the currently selected report and contains options to change the type of chart, customize the report, change the report start and end times, and view the report in Event Log format. You can also interact directly with the report. Data series can be removed from the view using the legend and hovering over data series will show the values in reader friendly format.  
* The chart panel: This panel shows you the specified report. It also includes several action buttons at the top.


* Current Data (Orange)(Right): Displays the raw data that is being used to generate the report. Data points will be displayed in reader friendly format when hovering over the graph. The data can be exported to a CSV text file that can be viewed by your favorite spreadsheet or text editor. Additionally, by clicking the filter icon in this pane, conditions can be applied instantly. This window will only display with report charts and is not displayed for event reports.
* The data panel: The data panel, hidden by default, can be displayed by clicking on the "Data View" button in the chart panel. This will show the raw data used to generate the chart and allow the user to export the data by clicking the "Export Data" button at the bottom.


* Conditions (Red)(Bottom): Conditions can be used to filter the traffic information shown in reports and events. Multiple conditions can be added to drill down and inspect data. The available conditions will vary based on which application you are viewing.


=== Conditions ===


=== Report Charts ===
The Report Chart contains several features to help manipulate the view of the report to your liking.
[[Image:Report_viewer_071415.png|600px|center|Web Filter - Report Viewer]]
Along the top and bottom toolbars you will find the following selections:
*Top Toolbar:
** Chart Type (if available): Choose from Line, Bar, Bar Overlapped, Bar 3D, Bar 3D Overlapped. This feature is not available for pie charts.
** Customize: Build and save customized reports. Custom reports will be saved in the report selection.
** View Events: View the individual events that were used to build the report in Events format.
** Download: Download a .png image of the chart.
* Bottom Toolbar:
** Time Selection: Select the start and end time of the report. Beware that running queries (viewing reports) against a huge number of days can still be expensive if the server is busy.
** Refresh:  Force the writing of all events currently buffered in memory to the database, and then re-query the database for current data.
** Auto Refresh: Automatically refresh every few seconds. This is useful to keep displayed while debugging an issue or if you want to see whats happening in real time.
The legend will appear at the bottom of the chart for line or bar charts, and to the right for pie charts. By clicking the fields in the legend a data series can be removed or re-added. This can help to remove clutter and focus on certain data series.
<blockquote>
''Note:'' Some queries are more expensive than others to run. Depending on your hardware and the current amount of traffic Untangle is processing it is possible that you can slow network traffic by running expensive queries.
</blockquote>
<noinclude>
= Events =
</noinclude>
<includeonly>
=== Events ===
</includeonly>
[[Image:112_eventlogs_071415.png|600px|center|Event Log]]
Event reports show recent 1000 events sorted by time_stamp with the most recent events at the top.
When opening an event report it will automatically refresh and show you the default query.
The columns along the top will show the relevant columns for the specific event report and type of event being viewed. The example above shows the [[Web Filter]] event log so you can see many columns related to the web request and what action was taken.
Along the top and bottom toolbars you will find the following selections:


*Top Toolbar:
The Conditions panel appears at the top panel and can be used to filter data displayed in reports. For example, to view a "specific" host's report, you can add a condition for Client = "192.168.1.100" and then all reports available will only show data where the client is 192.168.1.100. Multiple conditions can be added to drill down and inspect data. Conditions can also be added quickly by clicking on slices in pie charts.
** Filter: A filter can be used to instantly select any rows that match your filter string and display only those rows. Use the ''Case sensitive'' check box to match case and ''Clear Filters'' button to remove the filter and display all data.
** Export: Export ALL events of the relevant query to a CSV text file that can be viewed by your favorite spreadsheet or text editor. This is necessary for large datasets. Browsers can not handle huge datasets in the DOM and will become not responsive if given too much data. As such, there is an 1000 event limit on events displayed in the UI, however the ''Export'' button will give you all events in a potentially very large text file. Generating and downloading the export may take some time.


* Bottom Toolbar:
The Add Condition dropdown contains many commonly used conditions, or the full list of all tables and columns can be browsed by clicking on the "More" button to add conditions for any database column.
** Number of Events: The default is to show 1,000 events. This can be increased to 10,000 or 50,000.
** Time Selection: Select the start and end time of the report. Beware that running queries (viewing reports) against a huge number of days can still be expensive if the server is busy.
** Refresh:  Force the writing of all events currently buffered in memory to the database, and then re-query the database for current data.
** Auto Refresh: Automatically refresh every few seconds. This is useful to keep displayed while debugging an issue or if you want to see whats happening in real time.
 
Finally, you have the page management which you can use to browse through the current events being displayed.  


<blockquote>
<blockquote>
''Note:'' Some queries are more expensive than others to run. Depending on your hardware and the current amount of traffic Untangle is processing it is possible that you can slow network traffic by running expensive queries. This can be especially true for queries that only return a few events because it will collect events up until 1000 events. If 1000 events don't exist it will scan the entire database and return whatever events do exist. For example, "Infected Web Events" in [[Virus Blocker]] typically only returns a few events. This query can take some time because it will scan the entire web request table looking for "Infected Web Events."
''Note:'' Conditions will not apply to all reports. For example, If viewing a specific users report by adding a condition where ''Username'' = ''foobar'' - many reports will be greyed out and unviewable. This is because the data used to generate those reports is not relevent to the specific user (it does not contain a username column). For example, the CPU usage report is a system report that is not relevant to a specific network user and so there is no way to filter that data by user.  
</blockquote>
</blockquote>
<noinclude>
= Conditions =
</noinclude>
<includeonly>
=== Conditions ===
</includeonly>
The Conditions panel appears at the bottom panel and can be used to filter the queries used in both reports and events. Multiple conditions can be added to drill down and inspect data. Conditions can also be added to pie charts quickly from the Current Data window by using the filter icon.
The left hand drop down lists the available conditions that can be added. These will vary based on the application you are viewing. These can be matched to data by selecting an operator and entering the query string you're looking for. After entering a condition the report or event you are viewing will automatically refresh.
[[Image:112_addconditions_071415.png|600px|center|Conditions]]
In this example, we've added 2 conditions to see all traffic from a single client IP address (192.168.72.128) going to a specific domain (microsoft.com).
Some Conditions will also have a Quick Add selection to automatically select conditions. A common use case for this is choosing which rack/policy will be queried. Once selected, this will automatically be added to the Conditions list.


==== Condition Operators ====
==== Condition Operators ====
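Review bot: The revision removes the Events section and both notes that expensive queries can slow network traffic, and the new panel and Conditions text puts nothing in their place. If that behaviour still applies, keep a short form of the caution next to the timeframe or "Data View" description, and say whether the 1000-event display limit and full CSV export still exist. In the new top-panel bullet, "allow you specify" should be "allows you to specify" and "Conditions can be viewed to view" looks like it was meant to be "added"; "relevent" in the new Conditions note should be "relevant".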
Line 108: Line 41:
A detailed outline of each operator is on the [[Operators]] page.
A detailed outline of each operator is on the [[Operators]] page.


===== Conditions Example - Rack by Policy ID =====
===== Conditions Example - Policy by Policy ID =====


In many cases, you may just want to see the traffic related to a specific rack within policy manager. This can be accomplished very easily by adding a condition using the Quick Add feature.
In many cases, you may just want to see the traffic related to a specific policy within Policy Manager. This can be accomplished very easily by adding a condition using the Quick Add feature.


[[Image:112_quickadd_policy.png|300px|right|Quick Add]]
# In the Conditions panel, select '''Add'''.
 
# Choose '''Policy ID''' and specify equals and the policy ID in question.
 
# The conditions is applied and will remain applied as you switch between reports.
# Open Report Viewer or Reports tab.
# In the Conditions panel, select '''Quick Add'''.
# Choose '''Policy ID''' and the rack name.
# The conditions is applied and will remain applied as you switch between reports.
 
 
Alternately, you can manually enter the condition. To do this, go to Policy Manager > Settings and take not of the rack ID number. Then, in the drop down condition list, select Policy ID, select the operator ''='', and then enter the rack ID.


===== Conditions Example - Web Filter Categories =====
===== Conditions Example - Web Filter Categories =====


From pie charts, you can quickly add a condition from the Current Data window. This can be handy for use with the Web Filter category selection which we'll use for this example. Once the condition is applied, we can then use other reports to drill down to find out more information about the traffic such as which user might be responsible.  
From pie charts, you can quickly add a condition from the Current Data window. This can be handy for use with the Web Filter category selection which we'll use for this example. Once the condition is applied, we can then use other reports to drill down to find out more information about the traffic such as which user might be responsible.  
[[Image:112_current_data_games.png|300px|right|Quick Add]]


# Open Report Viewer or the Web Filter Reports tab.
# Open Report Viewer or the Web Filter Reports tab.
# Select the '''Top Categories''' report (by size or requests). In our example, you can see Games was at the top.
# Select the '''Top Categories''' report (by size or requests). In our example, you can see Games was at the top.
# Next to Games, click the "filter" icon.
# Click on the Games pie slice, and when prompted to add a condition click Yes.
# The conditions window displays with the category name Games pre-populated.  
# All Reports can now be viewed for Games only traffic.
# Click '''Done''' to add the condition.
# For example, the Top Clients (by request) will show the clients that visited the most gaming sites.
# To find the user(s) or machine(s) generating the traffic you can click to any other report such as '''Top Hostnames''' or '''Top Usernames'''
# For exmaple, the Web Usage (scanned) will show "Gaming" web usage throughout the day of the network.
 


<noinclude>
<noinclude>
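Review bot: In the "Policy by Policy ID" example the intro sentence still says the condition is added "using the Quick Add feature", while the revised steps use '''Add''' with Policy ID equals a value, so the intro and the steps disagree; reword the intro to match the steps. The removed paragraph told the reader to look up the ID under Policy Manager > Settings, and the new step 2 only says "the policy ID in question", so state where that ID is found. Also fix "The conditions is applied" and "For exmaple" in the new list items.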

Latest revision as of 16:38, 19 September 2022

Reports

Reports provide a graphical view of the network traffic and actions of your NG Firewall. Various reports are available within applications and base system components. The reports can be manipulated to drill down, customize, and export data in many ways using the Report Viewer.


Report Viewer

There are a few panels in the Report Viewer:

  • The top panel: This top panel (just below the navigation menu) allows you to specify which data is viewed. By default, there is just a timeframe and no conditions, so reports will show all data for the specified timeframe. Conditions can be added to view more specific data, such as a specific host, user, domain, application, web category, etc.
  • The left panel: This allows you to choose the report you wish to view. At the bottom you can use the search box to quickly find reports with the specified string in the title. You can also import and create new reports using the "Add/Import" button.
  • The chart panel: This panel shows you the specified report. It also includes several action buttons at the top.
  • The data panel: The data panel, hidden by default, can be displayed by clicking on the "Data View" button in the chart panel. This will show the raw data used to generate the chart and allow the user to export the data by clicking the "Export Data" button at the bottom.


Conditions

The Conditions panel appears in the top panel and can be used to filter data displayed in reports. For example, to view a specific host's report, you can add a condition for Client = "192.168.1.100" and then all reports available will only show data where the client is 192.168.1.100. Multiple conditions can be added to drill down and inspect data. Conditions can also be added quickly by clicking on slices in pie charts.

The Add Condition dropdown contains many commonly used conditions, or the full list of all tables and columns can be browsed by clicking on the "More" button to add conditions for any database column.

Note: Conditions will not apply to all reports. For example, if you view a specific user's report by adding a condition where Username = foobar, many reports will be greyed out and unviewable. This is because the data used to generate those reports is not relevant to the specific user (it does not contain a username column). For example, the CPU usage report is a system report that is not relevant to a specific network user and so there is no way to filter that data by user.

Condition Operators

The second field in the condition is the logical operator that will be used in evaluating the condition value defined in the last field. In most use cases the default "=" operator is what you want to use. However, there are several other operators available that make the reports and alerts a whole lot more powerful.

A detailed outline of each operator is on the Operators page.

Conditions Example - Policy by Policy ID

In many cases, you may just want to see the traffic related to a specific policy within Policy Manager. This can be accomplished very easily by adding a condition using the Quick Add feature.

  1. In the Conditions panel, select Add.
  2. Choose Policy ID and specify equals and the policy ID in question.
  3. The condition is applied and will remain applied as you switch between reports.

Conditions Example - Web Filter Categories

From pie charts, you can quickly add a condition from the Current Data window. This can be handy for use with the Web Filter category selection which we'll use for this example. Once the condition is applied, we can then use other reports to drill down to find out more information about the traffic such as which user might be responsible.

  1. Open Report Viewer or the Web Filter Reports tab.
  2. Select the Top Categories report (by size or requests). In our example, you can see Games was at the top.
  3. Click on the Games pie slice, and when prompted to add a condition click Yes.
  4. All Reports can now be viewed for Games only traffic.
  5. For example, the Top Clients (by request) will show the clients that visited the most gaming sites.
  6. For example, the Web Usage (scanned) report will show "Gaming" web usage on the network throughout the day.


Application Specific Report Pages