Report Viewer

From Edge Threat Management Wiki - Arista
Revision as of 22:35, 12 June 2018 by Dmorris (talk | contribs)

Reports

Reports provide a graphical view of the network traffic and actions of your Untangle. Various reports are available within applications and base system components. The reports can be manipulated to drill down, customize, and export data in many ways using the Report Viewer.

Web Filter - Reports


Report Viewer

Web Filter - Reports

There are a few panels in the Report Viewer:

  • The top panel: This top panel (just below the navigation menu) allows you to specify which data is viewed. By default, there is just a timeframe and no conditions, so reports will show all data for the specified timeframe. Conditions can be added to view more specific data, such as a specific host, user, domain, application, web category, etc.
  • The left panel: This allows you to choose the report you wish to view. At the bottom you can use the search box to quickly find reports with the specified string in the title. You can also import and create new reports using the "Add/Import" button.
  • The chart panel: This panel shows you the specified report. It also includes several action buttons at the top.
  • The data panel: The data panel, hidden by default, can be displayed by clicking on the "Data View" button in the chart panel. This will show the raw data used to generate the chart and allow the user to export the data by clicking the "Export Data" button at the bottom.


Report Charts

The Report Chart contains several features to help manipulate the view of the report to your liking.

Web Filter - Report Viewer

Along the top and bottom toolbars you will find the following selections:

  • Top Toolbar:
    • Chart Type (if available): Choose from Line, Bar, Bar Overlapped, Bar 3D, Bar 3D Overlapped. This feature is not available for pie charts.
    • Customize: Build and save customized reports. Custom reports will be saved in the report selection.
    • View Events: View the individual events that were used to build the report in Events format.
    • Download: Download a .png image of the chart.
  • Bottom Toolbar:
    • Time Selection: Select the start and end time of the report. Beware that running queries (viewing reports) against a huge number of days can still be expensive if the server is busy.
    • Refresh: Force the writing of all events currently buffered in memory to the database, and then re-query the database for current data.
    • Auto Refresh: Automatically refresh every few seconds. This is useful to keep displayed while debugging an issue or if you want to see what's happening in real time.


The legend will appear at the bottom of the chart for line or bar charts, and to the right for pie charts. By clicking the fields in the legend a data series can be removed or re-added. This can help to remove clutter and focus on certain data series.

Note: Some queries are more expensive than others to run. Depending on your hardware and the current amount of traffic Untangle is processing it is possible that you can slow network traffic by running expensive queries.


Events

Event Log

Event reports show the 1,000 most recent events, sorted by time_stamp with the most recent events at the top. When opening an event report it will automatically refresh and show you the default query.

The columns along the top will show the relevant columns for the specific event report and type of event being viewed. The example above shows the Web Filter event log so you can see many columns related to the web request and what action was taken.

Along the top and bottom toolbars you will find the following selections:

  • Top Toolbar:
    • Filter: A filter can be used to instantly select any rows that match your filter string and display only those rows. Use the Case sensitive check box to match case and Clear Filters button to remove the filter and display all data.
    • Export: Export ALL events of the relevant query to a CSV text file that can be viewed in your favorite spreadsheet or text editor. This is necessary for large datasets. Browsers cannot handle huge datasets in the DOM and will become unresponsive if given too much data. As such, there is a 1,000 event limit on events displayed in the UI; however, the Export button will give you all events in a potentially very large text file. Generating and downloading the export may take some time.
  • Bottom Toolbar:
    • Number of Events: The default is to show 1,000 events. This can be increased to 10,000 or 50,000.
    • Time Selection: Select the start and end time of the report. Beware that running queries (viewing reports) against a huge number of days can still be expensive if the server is busy.
    • Refresh: Force the writing of all events currently buffered in memory to the database, and then re-query the database for current data.
    • Auto Refresh: Automatically refresh every few seconds. This is useful to keep displayed while debugging an issue or if you want to see what's happening in real time.

Finally, you have the page management which you can use to browse through the current events being displayed.

Note: Some queries are more expensive than others to run. Depending on your hardware and the current amount of traffic Untangle is processing, it is possible to slow network traffic by running expensive queries. This is especially true for queries that only return a few events, because the query keeps collecting until it has 1000 events; if 1000 matching events don't exist, it scans the entire database and returns whatever events do exist. For example, "Infected Web Events" in Virus Blocker typically returns only a few events. This query can take some time because it scans the entire web request table looking for "Infected Web Events."


Conditions

The Conditions panel appears in the bottom panel and can be used to filter the queries used in both reports and events. Multiple conditions can be added to drill down and inspect data. Conditions can also be added quickly from the Current Data window of a pie chart by using the filter icon.

The left hand drop down lists the available conditions that can be added. These will vary based on the application you are viewing. These can be matched to data by selecting an operator and entering the query string you're looking for. After entering a condition the report or event you are viewing will automatically refresh.

Conditions

In this example, we've added 2 conditions to see all traffic from a single client IP address (192.168.72.128) going to a specific domain (microsoft.com).

The Quick Add button also allows you to quickly create some commonly used conditions. A common use case for this is choosing which rack/policy will be queried. Once selected, this will automatically be added to the Conditions list. This also allows adding conditions for Hosts or Usernames based on the hosts and usernames currently known.

Note: Conditions that do not apply to the data being queried will be silently ignored. For example, if there is a condition 'policy_id' '=' '1', all reports will show only the data where policy_id = 1, so all the Web Filter reports will show only Web Filter data from the 1st policy. However, Reports > System > CPU Load queries the system_stat_events table, which contains no 'policy_id' column. In this case the condition is silently ignored and the CPU load for the whole system is displayed.

Condition Operators

The second field in the condition is the logical operator that will be used in evaluating the condition value defined in the last field. In most use cases the default "=" operator is what you want to use. However, there are several other operators available that make the reports and alerts a whole lot more powerful.

A detailed outline of each operator is on the Operators page.
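The following is an added illustration of how a condition list (column, operator, value) maps onto a report query, including the two behaviours described above: the 1,000-event limit ordered by time_stamp, and a condition on a column the queried table lacks (policy_id against system_stat_events) being dropped rather than erroring. It is not Untangle's code; the table and column names other than time_stamp, policy_id and system_stat_events are constructed for the example, and the operator allowlist plus bound parameters are simply the defensive way to build such a query from user-entered condition strings.

```python
import sqlite3

# Constructed schemas (assumption): a web-request event table that carries a
# policy_id column, and the system stats table, which does not.
SCHEMAS = {
    "web_events": ["time_stamp", "client_addr", "domain", "policy_id"],
    "system_stat_events": ["time_stamp", "cpu_load"],
}

# Only these operators may be spliced into SQL; the value is always bound.
OPERATORS = {"=", "!=", "<", ">", "<=", ">=", "LIKE", "NOT LIKE"}


def build_query(table, conditions, limit=1000):
    """Return (sql, params, ignored). Conditions naming a column the table
    lacks are skipped and listed in `ignored`, mirroring the silent-ignore
    behaviour of the Report Viewer."""
    columns = SCHEMAS[table]
    where, params, ignored = [], [], []
    for column, op, value in conditions:
        if op.upper() not in OPERATORS:
            raise ValueError(f"unsupported operator {op!r}")
        if column not in columns:
            ignored.append(column)
            continue
        where.append(f'"{column}" {op.upper()} ?')
        params.append(value)
    sql = f'SELECT * FROM "{table}"'
    if where:
        sql += " WHERE " + " AND ".join(where)
    # Most recent first, capped like the event log's default page size.
    return sql + f" ORDER BY time_stamp DESC LIMIT {int(limit)}", params, ignored


def run_example():
    """Constructed sample data: the client/domain drill-down from the page,
    then policy_id = 1 applied to a table without that column."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE web_events (time_stamp INTEGER, client_addr TEXT, domain TEXT, policy_id INTEGER)")
    db.execute("CREATE TABLE system_stat_events (time_stamp INTEGER, cpu_load REAL)")
    db.executemany("INSERT INTO web_events VALUES (?,?,?,?)", [
        (1, "192.168.72.128", "www.microsoft.com", 1),
        (2, "192.168.72.128", "example.org", 1),
        (3, "192.168.72.5", "www.microsoft.com", 2)])
    db.executemany("INSERT INTO system_stat_events VALUES (?,?)", [(1, 0.2), (2, 0.4)])
    web = [("client_addr", "=", "192.168.72.128"), ("domain", "LIKE", "%microsoft.com"), ("policy_id", "=", 1)]
    sql, params, ignored_web = build_query("web_events", web)
    web_rows = db.execute(sql, params).fetchall()
    sql, params, ignored_stat = build_query("system_stat_events", [("policy_id", "=", 1)])
    stat_rows = db.execute(sql, params).fetchall()
    return len(web_rows), ignored_web, len(stat_rows), ignored_stat
```

The second query returns both CPU rows because the policy_id condition was dropped, which is exactly why a "whole system" figure can appear while a policy condition is still listed in the panel.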

Conditions Example - Rack by Policy ID

In many cases, you may just want to see the traffic related to a specific rack within policy manager. This can be accomplished very easily by adding a condition using the Quick Add feature.

Quick Add


  1. Open Report Viewer or Reports tab.
  2. In the Conditions panel, select Quick Add.
  3. Choose Policy ID and the rack name.
  4. The condition is applied and will remain applied as you switch between reports.


Alternately, you can manually enter the condition. To do this, go to Policy Manager > Settings and take note of the rack ID number. Then, in the drop down condition list, select Policy ID, select the operator =, and then enter the rack ID.

Conditions Example - Web Filter Categories

From pie charts, you can quickly add a condition from the Current Data window. This can be handy for use with the Web Filter category selection which we'll use for this example. Once the condition is applied, we can then use other reports to drill down to find out more information about the traffic such as which user might be responsible.

Quick Add


  1. Open Report Viewer or the Web Filter Reports tab.
  2. Select the Top Categories report (by size or requests). In our example, you can see Games was at the top.
  3. Next to Games, click the "filter" icon.
  4. The conditions window displays with the category name Games pre-populated.
  5. Click Done to add the condition.
  6. To find the user(s) or machine(s) generating the traffic, you can click through to any other report such as Top Hostnames or Top Usernames.



Application Specific Report Pages