|
|
Introduction
Advanced Web Reporting is an off-box reporting solution that rapidly indexes and analyzes logs produced by Cisco® S-Series Web Security Appliances. This Splunk-based tool provides scalable reporting for customers with high traffic and storage needs, enabling reporting administrators to gather detailed insight into web usage and malware threats.
Directory-Group-Based Reporting
With Advanced Web Reporting, administrators can generate reports based on a group or user ID as defined within a central authentication server such as Active Directory. Reports can easily be created along functional or geographical boundaries that have been defined by the authentication groups. Roles can be created to allow managers to view reports only for a defined set of directory groups (such as ones that they manage), protecting the privacy of individuals not within those groups.
Detailed Layer 4 Traffic Monitor (L4TM) Visibility
Advanced Web Reporting enables administrators to run reports on activities on non-web ports. These L4TM reports connect hosts associated with particular ports and users, and can be used to identify malicious behavior on non-standard ports, which would evade many traditional web security solutions.
SOCKS Reporting
For customers using SOCKS proxy settings, Advanced Web Reporting enables administrators to get information about SOCKS traffic.
Historical Data Import
Historical logs can be imported into Advanced Web Reporting during forensic investigations. Logs from any time period can be imported into the reporting tool for analysis, enabling human resources and legal personnel to conduct forensic investigations spanning several years. Administrators can hone in on a specific user's web activity, if needed.
Who Should Use Advanced Web Reporting?
On-box reporting on Cisco M-Series and S-Series appliances fulfills the reporting needs of the majority of customers. Advanced Web Reporting is an alternative reporting solution for customers that need extended storage for high transaction volumes or directory-group-based reporting. Advanced Web Reporting's report format is identical to reports available on-box on the S-Series and M-Series appliances.
What does the latest release of Cisco Advanced Web Reporting include?
New reporting functionality. Advanced Web Reporting now provides the same reports as a Cisco Web Security Appliance running AsyncOS® 7.7. Reports include SOCKS reports and web tracking and form-based search for SOCKS and L4TM transactions.
Support for Splunk 5.0. Advanced Web Reporting is supported on the Splunk 5.0 platform.
Heavy-duty performance tests. Cisco tested the WSA Advanced Web Reporting feature with much larger volumes of data, and published report load times. These test results can be found in the "Sizing and Scaling Recommendations" section at the beginning of the user guide.
Figure 1. Splunk Reports for URL Categories and Transactions Blocked
System Requirements
Advanced Web Reporting runs on Windows and Red Hat Linux. There is no support for virtualization for production instances of Advanced Web Reporting. Reference hardware can be commodity-grade with the minimum specifications below.
• Intel x86 64-bit chip architecture with 2 CPUs, 4 cores per CPU, and 2.5 to 3 GHz per core
• 16 GB RAM
• (4) 300-GB SAS hard disks at 10,000 rpm each in RAID 10 (800 IOPS or better)
• Gigabit Ethernet network interface card (NIC); a second NIC for a management network is recommended
Note: These hardware specifications are recommended for organizations with more than 25,000 users.
Please talk to your account team and refer to the documentation to understand the hardware specifications you will need to run Advanced Web Reporting at your organization.
For More Information
Contact your Cisco account team to request an evaluation version of Advanced Web Reporting.