Report Viewer

From Edge Threat Management Wiki - Arista
Revision as of 16:43, 23 September 2016

Reports

Reports provide a graphical view of the network traffic and actions of your Untangle. Various reports are available within applications and base system components. The reports can be manipulated to drill down, customize, and export data in many ways using the Report Viewer.

[Image: Web Filter - Reports]


Report Viewer

[Image: Web Filter - Reports]

There are five panels in the Report Viewer:

  • Application Selector (Green)(Left): This allows you to choose from the system and application report groupings. By selecting an option here, the results in the Report Selector section will be filtered to show just that application. When using the report viewer within an application, this pane is not shown.
  • Report Selector (Blue)(Left): This panel is broken into two areas containing reports and event log queries. The "Select Report" contains a list of pre-defined reports and event log queries. Saved custom reports will also appear in the reports list.
  • Report Chart (Yellow)(Top): Shows the currently selected report and contains options to change the type of chart, customize the report, change the report start and end times, and view the report in Event Log format. You can also interact directly with the report: data series can be removed from the view using the legend, and hovering over a data series shows its values in a reader-friendly format.
  • Current Data (Orange)(Right): Displays the raw data that is being used to generate the report. Data points are displayed in a reader-friendly format when hovering over the graph. The data can be exported to a CSV text file that can be viewed in your favorite spreadsheet or text editor. Additionally, by clicking the filter icon in this pane, conditions can be applied instantly. This window is only displayed for report charts and is not displayed for event reports.
  • Conditions (Red)(Bottom): Conditions can be used to filter the traffic information shown in reports and events. Multiple conditions can be added to drill down and inspect data. The available conditions will vary based on which application you are viewing.


Report Charts

The Report Chart contains several features to help manipulate the view of the report to your liking.

[Image: Web Filter - Report Viewer]

Along the top and bottom toolbars you will find the following selections:

  • Top Toolbar:
    • Chart Type (if available): Choose from Line, Bar, Bar Overlapped, Bar 3D, Bar 3D Overlapped. This feature is not available for pie charts.
    • Customize: Build and save customized reports. Custom reports will be saved in the report selection.
    • View Events: View the individual events that were used to build the report in Events format.
    • Download: Download a .png image of the chart.
  • Bottom Toolbar:
    • Time Selection: Select the start and end time of the report. Beware that running queries (viewing reports) against a huge number of days can still be expensive if the server is busy.
    • Refresh: Force the writing of all events currently buffered in memory to the database, and then re-query the database for current data.
    • Auto Refresh: Automatically refresh every few seconds. This is useful to keep displayed while debugging an issue or if you want to see what's happening in real time.


The legend will appear at the bottom of the chart for line or bar charts, and to the right for pie charts. By clicking the fields in the legend a data series can be removed or re-added. This can help to remove clutter and focus on certain data series.

Note: Some queries are more expensive than others to run. Depending on your hardware and the current amount of traffic Untangle is processing it is possible that you can slow network traffic by running expensive queries.


Events

[Image: Event Log]

Event reports show the most recent 1,000 events sorted by time_stamp, with the most recent events at the top. When opening an event report it will automatically refresh and show you the default query.

The columns along the top will show the relevant columns for the specific event report and type of event being viewed. The example above shows the Web Filter event log so you can see many columns related to the web request and what action was taken.

Along the top and bottom toolbars you will find the following selections:

  • Top Toolbar:
    • Filter: A filter can be used to instantly select any rows that match your filter string and display only those rows. Use the Case sensitive check box to match case and Clear Filters button to remove the filter and display all data.
    • Export: Export ALL events of the relevant query to a CSV text file that can be viewed in your favorite spreadsheet or text editor. This is necessary for large datasets. Browsers cannot handle huge datasets in the DOM and will become unresponsive if given too much data. As such, there is a 1,000-event limit on events displayed in the UI; the Export button, however, will give you all events in a potentially very large text file. Generating and downloading the export may take some time.
  • Bottom Toolbar:
    • Number of Events: The default is to show 1,000 events. This can be increased to 10,000 or 50,000.
    • Time Selection: Select the start and end time of the report. Beware that running queries (viewing reports) against a huge number of days can still be expensive if the server is busy.
    • Refresh: Force the writing of all events currently buffered in memory to the database, and then re-query the database for current data.
    • Auto Refresh: Automatically refresh every few seconds. This is useful to keep displayed while debugging an issue or if you want to see what's happening in real time.

Finally, you have the page management which you can use to browse through the current events being displayed.

Note: Some queries are more expensive than others to run. Depending on your hardware and the current amount of traffic Untangle is processing, it is possible that you can slow network traffic by running expensive queries. This is especially true for queries that only return a few events, because the query keeps scanning until it has collected 1,000 events. If 1,000 matching events don't exist, it will scan the entire database and return whatever events do exist. For example, "Infected Web Events" in Virus Blocker typically only returns a few events. This query can take some time because it will scan the entire web request table looking for "Infected Web Events."


Conditions

The Conditions panel is the bottom panel and can be used to filter the queries used in both reports and events. Multiple conditions can be added to drill down and inspect data. Conditions can also be added quickly from the Current Data window of a pie chart by using the filter icon.

The left hand drop down lists the available conditions that can be added. These will vary based on the application you are viewing. These can be matched to data by selecting an operator and entering the query string you're looking for. After entering a condition the report or event you are viewing will automatically refresh.

[Image: Conditions]

In this example, we've added 2 conditions to see all traffic from a single client IP address (192.168.72.128) going to a specific domain (microsoft.com).

The Quick Add button also allows you to quickly create some commonly used conditions. A common use case for this is choosing which rack/policy will be queried. Once selected, this will automatically be added to the Conditions list. This also allows adding conditions for Hosts or Usernames based on the hosts and usernames currently known.

Note: Conditions that do not apply to the data being queried will be silently ignored. For example, if there is a condition that says 'policy_id' '=' '1', all report entries will show only the data where policy_id = 1, so all the Web Filter reports will only show Web Filter data from the 1st policy. However, Reports > System > CPU Load queries the system_stat_events table, which contains no 'policy_id' column. In this case the condition will be silently ignored and the CPU load for the whole system is displayed.
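The note above is the one behaviour worth checking before trusting a "filtered" report. As an added example (not Untangle's own code), the following Python models that rule over constructed sample rows: conditions whose column is absent from the queried table are dropped, and the helper also reports which ones were dropped. Column names other than policy_id and the table name system_stat_events are assumptions.

```python
# Constructed sample tables (not real Untangle data). policy_id and the
# system_stat_events table come from the page; the other columns are assumed.
WEB_FILTER_EVENTS = [
    {"policy_id": 1, "c_client_addr": "192.168.72.128", "domain": "microsoft.com", "size": 1200},
    {"policy_id": 2, "c_client_addr": "192.168.72.128", "domain": "microsoft.com", "size": 300},
    {"policy_id": 1, "c_client_addr": "192.168.72.9", "domain": "example.org", "size": 50},
]
SYSTEM_STAT_EVENTS = [  # no policy_id column, as described in the note
    {"time_stamp": "2016-09-23T16:40:00", "cpu_load": 0.4},
    {"time_stamp": "2016-09-23T16:41:00", "cpu_load": 1.7},
]

# Only the default "=" operator from the page is modelled here.
OPERATORS = {"=": lambda a, b: str(a) == str(b)}


def apply_conditions(rows, conditions):
    """Return (matching_rows, ignored_conditions).

    A condition is (column, operator, value). Conditions naming a column that
    does not exist in the table are silently ignored, mirroring Report Viewer;
    they are returned separately so the caller can tell that the result set
    was not actually narrowed by them.
    """
    columns = set().union(*(row.keys() for row in rows))
    active, ignored = [], []
    for cond in conditions:
        (active if cond[0] in columns else ignored).append(cond)
    matches = [
        row for row in rows
        if all(OPERATORS[op](row.get(col), val) for col, op, val in active)
    ]
    return matches, ignored


# The page's two conditions (single client IP to one domain) plus the
# Quick Add rack condition policy_id = 1.
CONDITIONS = [
    ("c_client_addr", "=", "192.168.72.128"),
    ("domain", "=", "microsoft.com"),
    ("policy_id", "=", "1"),
]


def web_filter_report():
    # All three columns exist here, so every condition is applied.
    return apply_conditions(WEB_FILTER_EVENTS, CONDITIONS)


def cpu_load_report():
    # policy_id is not a column of system_stat_events: the condition is
    # dropped and the whole-system CPU load comes back unfiltered.
    return apply_conditions(SYSTEM_STAT_EVENTS, [("policy_id", "=", "1")])
```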

Condition Operators

The second field in the condition is the logical operator that will be used in evaluating the condition value defined in the last field. In most use cases the default "=" operator is what you want to use. However, there are several other operators available that make the reports and alerts a whole lot more powerful.

A detailed outline of each operator is on the Operators page.

Conditions Example - Rack by Policy ID

In many cases, you may just want to see the traffic related to a specific rack within policy manager. This can be accomplished very easily by adding a condition using the Quick Add feature.

[Image: Quick Add]


  1. Open Report Viewer or Reports tab.
  2. In the Conditions panel, select Quick Add.
  3. Choose Policy ID and the rack name.
  4. The condition is applied and will remain applied as you switch between reports.


Alternatively, you can manually enter the condition. To do this, go to Policy Manager > Settings and take note of the rack ID number. Then, in the drop-down condition list, select Policy ID, select the operator =, and enter the rack ID.

Conditions Example - Web Filter Categories

From pie charts, you can quickly add a condition from the Current Data window. This can be handy for use with the Web Filter category selection which we'll use for this example. Once the condition is applied, we can then use other reports to drill down to find out more information about the traffic such as which user might be responsible.

[Image: Quick Add]


  1. Open Report Viewer or the Web Filter Reports tab.
  2. Select the Top Categories report (by size or requests). In our example, you can see Games was at the top.
  3. Next to Games, click the "filter" icon.
  4. The conditions window displays with the category name Games pre-populated.
  5. Click Done to add the condition.
  6. To find the user(s) or machine(s) generating the traffic, click through to any other report, such as Top Hostnames or Top Usernames.



Application Specific Report Pages