Show logged URL instead of Application/Site
Hi Mates,
Something that has bugged me for a long time.
We use manually created Application/Site-Objects with match by URL List.
Mostly the logs only show now the Application/Site-Object Name instead of one of the matching URLs.
So, Rules match because specific URLs are used ✅.
Search the log for this specific URL - no hits ❌.
Search the log for the IP of this specific URL -> shows hits but with the App-Name 💔.
Best would be to show the matched URL and in WHICH Application/Site-Object (if there is any).
Can we change this behavior or is this an RFE?
Cheers,
Dave
Something like below?
Andy
Btw, example I gave is from my lab, I just checked one of the logs for "ask" user check rule I created for ssl inspection.
Andy
Yes.
I sometimes see logs look like this as well. Cannot find one now 😅
In your screenshot you marked the app-name. It shows the URL. I assume there is no object with that URL.
On the right side of your LOG there is a Web Traffic Section. With the URL. That's what I expect.
The various ways the logs look also bug me 😉 Sometimes one section field is on the lefty, sometimes on the righty...
Even if I do search appi_name:tsn.ca, I get exact same thing. This is R81.20 jumbo 96 lab.
Andy
Surfing to tsn.ca looks like this for me on Mgmt R81.20 T84. This is not a new issue, but today I felt like reporting it here 😉
I can't see any images, sorry. Sadly, I can't input any "embedded" images any more myself, as it gives me an error that I reached 1000 image uploads, so it has to be attached 🙂
Andy
I forgot to add it in the post. But now I have also added it as an attachment too 😁
I see it now 🙂
Not sure what to say, sorry. I checked every log regarding this in my lab in the last 6 months and they all show exactly what I sent you.
Don't know if it might be worth doing below sk...
Andy
Hmmm, no, will not do that yet.
But thanks for breaking your head with me 😀
K, fair enough...I just had that sk in my notes, but maybe not needed here. I would open TAC case if I were you just to double check everything. If you need me to test anything in my lab, let me know.
Andy
Have you tried setting Extended Logging on the rule matching the custom site object? Be warned however that this will log every URL pulled by the browser, and should most definitely NOT be used on generic Internet surfing rules for hundreds or thousands of Internet surfing workstations.
Good idea.
Log was set to "Log"+Accounting.
To not kill the system I tried it now with Detailed Log + Accounting. I do not think that changes a lot at all. Log Details look the same. Already had details like browsing time and in/out packets/bytes etc.
Will have to create a test rule for this case and then set it to extended log. Will report again when I have done this.
For what it's worth, I also tested with extended logging option and logs look exactly the same, but let us know if test rule shows you anything different.
Andy
The only way to get the URLs accessed is via Extended Logging on the relevant rule(s).
So we have the full picture...
Do you currently inspect HTTPS traffic, how is QUIC handled?
Note sk131712 & sk178845 are typically relevant here.
