
The Web Security Authority.™

Blue Coat Reporter


What is Blue Coat Reporter?

The Blue Coat Reporter provides identity-based user and network reporting for evaluating Web security policies and resource management on an enterprise network. As an add-on product, Blue Coat Reporter provides a log analysis tool enabling network and security administrators to generate usage reports in HTML format. The Blue Coat Reporter can be installed on Windows, Sun Solaris and Red Hat Linux platforms.

Why Implement Blue Coat Reporter?


The Blue Coat Reporter dramatically extends Blue Coat Security Gateway policies by enabling administrators to:

- Identify possible security holes
- Track potentially dangerous user activity
- Report on blocked traffic by category and URL
- Conserve network bandwidth resources by identifying abuse patterns
- Report on Web usage by user, group, location, URL, and other factors
- Determine violators of corporate Web access policies

How to Implement Blue Coat Reporter?


There are four easy steps to implementing, configuring, and testing the Blue Coat Reporter solution:

1. Install the Blue Coat Reporter
2. Configure the accesslog format on the Blue Coat Security Gateway Port 80 appliance
3. Import the accesslog into the Blue Coat Reporter
4. Generate Reports

Note: Please refer to the AccessLog TechBrief to configure accesslog for your environment.

Technical Brief

Reporter
Step 1 Install the Blue Coat Reporter
The Blue Coat Reporter can be found at: http://download.BlueCoat.com/release/Reporter/index.html

Follow the easy download and installation instructions on your screen. Then launch the Blue Coat Reporter. The following launch screen and main page will be displayed:

Step 2 Configure the Accesslog Format on the Blue Coat Security Gateway
The next step is to configure the accesslog format for your Blue Coat Appliance. The following format instructions will provide these fields:

- Date/Time
- Username
- URL
- HTTP Method
- Size of object
- Content Filter Category

Copyright 2002 Blue Coat Systems, Inc.

To configure access logging, follow these steps: Blue Coat Management Interface | Access Logging category | Format

Click on Install. Next, select the Upload Type tab to specify the upload client type (FTP or Custom) and the format in which to save the log file, such as gzip or txt. Make sure you can save and view the access log file before proceeding to the next step.

Step 3 Import Accesslog Into The Blue Coat Reporter


Next, access the Reporter application and select Create New Configuration. An initial screen will prompt you to enter the log source type and the path or route to obtain that file. If, for example, you have selected HTTP as the log source type, you will need to enter the URL for the log file located on your Blue Coat Security Appliance.

Then, the following screen appears and allows you to create a new Reporter configuration and point to the access log file found on your Blue Coat Security Appliance. When you point Reporter to the new log file, it will not automatically recognize the format. You will have to tell it to use the Blue Coat Custom Log Format that you specified earlier in the Blue Coat Security Gateway configuration. Copy and paste in the log file format as shown in this example.


Click Next.

Select all the check boxes in the next window that comes up and click Next.

Give a meaningful name to this configuration, such as WebReport.

We now need to instruct Reporter to build correlations between categories of IP addresses and URLs. This is done from the Administrative Menu. Click on the Administrative Menu link and Reporter will bring up the following screen. From here select Open Configuration.


Next, you can open any report in the list. Select the Configuration name (WebReport in our example) and click Open.

The following screen will appear.

Select Configuration Options.

Several things can be configured from this screen. For example, from the Network tab, the DNS server and SMTP server can be set to facilitate automated email with periodic reports.

Click on the Database Xrefs tab to begin setting up the correlations necessary to report on Categories, URLs, and IP addresses. All possible reporting can be configured from here. If you need a report on something that is not currently being cross-referenced, this is where it can be selected. The Configuration Options screen looks like this before changes are made.

Setting up the cross-references necessary to see which IP addresses go to a particular category and URL requires the selection of a few boxes, as shown here.

After making the selections click on the button at the top to save changes and go back to the Main Menu. Clicking any tab or the Back to Configuration button will save your changes.


Step 4 Generating Reports


Click on Rebuild Database so that the database is built with the new cross-references.

Click Next on the next screen so the database is rebuilt. Then click View Statistics to see your comprehensive reports.


Contact Blue Coat Systems 1.866.30.BCOAT 408.220.2200 Direct 408.220.2250 Fax www.bluecoat.com


When you click on Portal_Sites in the report, for example, you can then click on Top Source IPs on the left side to see which IP addresses correspond to a category. If there were more activity in the access log, this report would show more than one IP address. If a Blue Coat Security Gateway is performing proxy authentication, then these logs would display the authenticated username as well. Be sure to select the cross-references for Authenticated User in the Database Xrefs screen to display this information.
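To cross-check the Top Source IPs view against the raw access log outside Reporter, the following added example (not Blue Coat code) builds the same category to source-IP, user and URL cross-references from an uploaded log in txt or gzip form. The field order, the sample lines and the use of "-" for an unauthenticated user are assumptions; adjust FIELDS to match the custom format configured in Step 2.

```python
import gzip
from collections import Counter, defaultdict

# Assumed field order for this sketch; the real order is whatever custom
# format string was configured on the appliance in Step 2.
FIELDS = ("date", "time", "client_ip", "username", "method", "url", "bytes", "category")

# Constructed sample data (documentation addresses, made-up users and sites).
SAMPLE_LOG = b"""\
2003-01-15 09:12:01 192.0.2.21 jsmith GET http://portal.example.com/ 5120 Portal_Sites
2003-01-15 09:12:07 192.0.2.21 jsmith GET http://portal.example.com/news 20480 Portal_Sites
2003-01-15 09:13:40 192.0.2.35 - GET http://portal.example.com/ 5120 Portal_Sites
2003-01-15 09:14:02 192.0.2.35 - GET http://games.example.net/play 90000 Games
truncated line without enough fields
2003-01-15 09:15:10 192.0.2.48 akhan POST http://mail.example.org/send 300 Email
"""

def parse_log(raw):
    """Return (records, skipped) from a plain-text or gzip-compressed log."""
    if raw[:2] == b"\x1f\x8b":            # gzip magic bytes
        raw = gzip.decompress(raw)
    records, skipped = [], 0
    for line in raw.decode("utf-8", errors="replace").splitlines():
        parts = line.split()
        if not parts or line.startswith("#"):
            continue                      # blank line or header comment
        if len(parts) != len(FIELDS) or not parts[6].isdigit():
            skipped += 1                  # malformed or truncated entry
            continue
        rec = dict(zip(FIELDS, parts))
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records, skipped

def build_xrefs(records):
    """Cross-reference each category with its source IPs, users and URLs."""
    xrefs = defaultdict(lambda: {"ips": Counter(), "users": Counter(), "urls": Counter()})
    for r in records:
        entry = xrefs[r["category"]]
        entry["ips"][r["client_ip"]] += 1
        entry["urls"][r["url"]] += 1
        if r["username"] != "-":          # "-" assumed to mean no proxy authentication
            entry["users"][r["username"]] += 1
    return xrefs

def top_source_ips(xrefs, category, n=10):
    """Hit counts per source IP for one category, highest first."""
    return xrefs[category]["ips"].most_common(n) if category in xrefs else []

if __name__ == "__main__":
    recs, bad = parse_log(gzip.compress(SAMPLE_LOG))
    print(top_source_ips(build_xrefs(recs), "Portal_Sites"), "skipped:", bad)
```

A non-zero skipped count is worth investigating before trusting any report, since it usually means the format entered in Reporter does not match the format configured on the appliance.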

In this TechBrief we have discussed how to enable logging on a Blue Coat Security Appliance and then configure your add-on Blue Coat Reporter to display and correlate the log information. We have also shown a few of the many combinations of reports that can be easily created using the Blue Coat Reporter.

Blue Coat Systems, a Web security company, has developed the industry's first port 80 security appliance. Safeguarding many of the world's largest corporate networks, this high-performance security appliance intelligently protects against Web-based threats by policing Port 80, the primary hole in the enterprise security infrastructure. Headquartered in Sunnyvale, California, Blue Coat Systems can be reached at 408.220.2200 or at http://www.bluecoat.com.

Copyright 2003 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable; however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat is a registered trademark of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners. Version 1.1
