LevelBlue Knowledge Base » Knowledgebase » Legacy Products » Enterprise Reporter

Where do I send a feature request for a LevelBlue Marshal product?

Charles Creegan — Sun, 01 Mar 2020 00:00:00 GMT

This article applies to:

MailMarshal (SEG)
MailMarshal ECM/MailMarshal Exchange
MailMarshal SPE
WebMarshal

Question:

Where do I send a feature request for a LevelBlue Marshal product?

Procedure:

If you want to request a new feature or you want to suggest an improvement for any product, you can contact Technical Support. You can also enquire through your account manager or reseller.

Web Filtering and Reporting (WFR) Hardware Support Matrix

Charles — Thu, 15 Dec 2016 12:57:44 GMT

This article applies to:

R3000
WFR/WF/SR

Question:

Where can I find the current Trustwave Web Filtering and Reporting Hardware Support Matrix?

Information:

The current Trustwave Web Filtering and Reporting Hardware Support Matrix can be found in the attachment below.

This information was last updated in December 2016.

Enabling SSH Password Authentication (Opening the Shell)

Andrew Davies — Tue, 13 Dec 2016 15:48:33 GMT

This article applies to:

Web Filter

Question:

How do I enable SSH password authentication for connection to a WebFilter server?

Procedure:

NOTE: In order to complete the following procedure, you must contact Trustwave Support and open a case to obtain the password needed in step 5.

PART I – Shut Down and Connect a Keyboard and Monitor

Bring the system down: Navigate to System > Control and click ShutDown
Click the ShutDown button to power off the system.
Connect a monitor to the VGA port and the keyboard to a USB or PS/2 port on the back of the system:

PART II – Single User Mode

Power up the system by pressing and holding the green check mark key (located on the LCD panel on the front of the chassis) for three seconds.
On the GNU GRUB screen press p to bring up the password dialog box, and enter in the password.

NOTE: Please contact Trustwave Support and open a case to obtain the password.
Press e to edit the entry.
Use the up arrow and down arrow keys to select the line that starts with ‘kernel’ and press e to edit the line.
At the end of this line, press the spacebar to put in a space and type the word single and then press enter

You should now be back to the previous screen. Press b to boot into single-user mode.

PART III – Enable SSH Password Authentication

At the prompt, type the command nano /etc/ssh/sshd_config
Use the arrow keys to find the line that says PermitRootLogin*, and change it to yes

*Note: this entry does not exist on all systems. If it is not present, skip to the next step.
Use the arrow keys to find the line that says PasswordAuthentication, and change it to yes
To save, press Ctrl+x, then press y, and hit enter
Restart sshd by running the command /etc/init.d/sshd restart
You will see “Starting sshd” set to OK.
Press Ctrl+d to boot the system back up into multiuser mode.

It will run through all of its checks, and bring you back to your logon screen.

Part IV - Test the Connection

Open a terminal window or start a PuTTY session to verify that SSH is enabled from a device on the same network (not the filter). You can download PuTTY from http://www.putty.org/
Enter SSH [Filter IP] (for example, SSH 10.10.10.11 ). When prompted to continue connecting, type yes.
Enter any user name. If you are prompted for a password, then SSH has been successfully enabled.
Repeat steps 1-4 to remove the monitor and keyboard, if necessary.

Alert Email: shadow.logs Pending

Denton Diederich — Wed, 28 Sep 2016 10:31:19 GMT

This article applies to:

R3000
Web Filter 300/500/700
WFR 350/550

Question:

Alert Email: The hourly health check detects "shadow.log pending"!

This alert email represents an urgent issue and customers should contact Trustwave Support ASAP.

Reply

If the Web Filter is sending you an alert email stating that there are shadow.logs pending, it means that traffic log transfers to your Security Reporter or external FTP server are failing, if you have a WFR or combo box where reporting is on the same hardware then call tech support now, some how the logs are not rotating to the reporter side.

Background: When a traffic log (shadow.log) transfer from the Filter fails, it keeps a copy of the log on its hard drive and attempts to send it again on the next log transfer session. This will continue until the log is successfully transmitted. Logs are transferred at the top of every hour. If transfer failures continue to happen, the logs that fail to transfer will begin to build up, and this alert will be sent if 4 or more logs are failing to be sent. The filter will also show "failed" in Reporting>configuration>logs section.

Troubleshooting a stand alone Reporter: First verify if the reporter IP is responding to pings? if you ftp logs to a third-party-server verify if that server pings?

If the pings fail, please troubleshoot the reason why or call support, so we may log in and look.

There are a few possible causes for this error. From the Web Filter GUI, go to the Reporting tab, and choose Report Configuration from the left. Make sure that it is not trying to export to a device you do not have. Also, verify that the addresses are correct in the settings for your export targets. If everything looks ok, then click the "Log" tab and then the "View Log" button in order to see the FTP transfer logs.

If there are connection errors shown, then check your network connections to the export targets (Reporter or FTP server, which ever is appropriate), as well as the status of these target devices (Reporter or FTP server, whichever is appropriate). If there are no visible error, but the PUT commands never seem to complete successfully, then the target device (Reporter or FTP server, whichever is appropriate) may be full. If the full target device is an Enterprise Reporter, contact Technical Support in order to resolve the issue.

No Uncategorized Sites In Reports

Alfred Alva — Mon, 01 Apr 2013 13:36:30 GMT

This article applies to:

Enterprise Reporter/Security Reporter

Question:

No Uncategorized Sites In Reports

Reply

Enterprise reporter:
If every report generated shows no uncategorized sites at all, check the Webclient settings. As a default, the Webclient will not display uncategorized sites.
To check that setting in the Enterprise reporter, log in the Webclient and go to Settings > Default Options. You will see the box labeled "Hide Uncategorized Category" checkmarked. Remove the checkmark and click on "Save". Change will take 24 hours to take effect.

Security reporter:
Go to Administration>Default report Settings and see if the box is checked "Hide Uncategorized Sites"

This article was previously published as:: 8e6 KB 276616

When applying an ER patch, the EULA does not appear and I am unable to install the patch.

Alfred Alva — Thu, 21 Mar 2013 05:58:32 GMT

This article applies to:

Enterprise Reporter

Question:

When applying an ER patch, the EULA does not appear and I am unable to install the patch.

Reply

When applying ER patch 4.1 or later, an End User License Agreement (EULA) must be served and accepted before the patch can begin installation.
Make sure that EULA is not being blocked due to Google Chrome POP-UP blocked setting enabled. you will then be able to accept the "End User License Agreement".

The EULA for the ER is served on port 8084 from the ER itself to the current workstation the GUI is run from. If communication on this port is not allowed by your firewall or network, then the EULA will not be served and thus, you will not be able to install the patch.

Please make sure this port is open for the ER. If you absolutely cannot allow communication on this port, please call 8e6 Technical Support at 888-786-7999 opt. 3.

This article was previously published as:: 8e6 KB 276611

Change regional settings for enterprise/security reporter.

Eric Hanson — Mon, 18 Feb 2013 14:19:40 GMT

This article applies to:

Enterprise Reporter version 3.0 and above.
Security Reporter version 3.0 and above.

Question:

How do I change the Regional Settings for a fully activated enterprise/security reporter?

Procedure:

To access Regional Settings, follow the steps below:

Login to the Security Reporter GUI.
Select Administration from the top menu.
Select System Configuration (see notes below).
Once System Administration loads go to the Network drop-down menu and select Regional Settings.

Notes:

Depending on your browser type, version, and configuration, selecting System Configuration may spawn an additional login window. If this occurs, type in your credentials, and then go back to the original SR GUI page and reselect System Configuration to launch.

Changing networks setttings for Enterprise/Security Reporter.

Eric Hanson — Mon, 18 Feb 2013 14:18:52 GMT

This article applies to:

Enterprise Reporter version 3.0 and above.
Security Reporter version 3.0 and above.

Question:

How do I change the network settings for a fully activated enterprise/security reporter?

Procedure:

To access Network Settings, simply follow the steps below:

Login to Security Reporter GUI.
Select Administration from the top menu.
Select System Configuration (see notes below).
Once System Administration loads go to the Network drop-down menu and select Network Settings.

Notes:

Enable Self-Monitoring for the enterprise/security reporter.

Eric Hanson — Mon, 18 Feb 2013 14:17:57 GMT

This article applies to:

Enterprise Reporter version 3.0 and above.
Security Reporter version 3.0 and above.

Question:

How do I enable the Self-Monitoring feature for a fully activated enterprise/security reporter?

Procedure:

To access the Self-Monitoring feature, simply follow the steps below:

Login to Security Reporter GUI.
Select Administration from the top menu.
Select System Configuration (see notes below).
Once System Administration loads go to the Server drop-down menu and select Self-Monitoring.
Follow the instructions to enable this feature.

Notes:

How do I access and enable Password Security Options for the Security Reporter

Mark Gamble — Fri, 28 Dec 2012 15:03:47 GMT

This article applies to:

ER/SR/Version 3.0 and above.

Question:

How do I set password restrictions for the Security/Enterprise Reporter?

Procedure:

Notes:

Depending on your browser type, version, and configuration, selecting System Configuration may spawn an additional login window.
If this occurs, type in your credentials, and then go back to the original SR GUI page and reselect System Configuration to launch.

How to enable optional features from the Security Reporter GUI.

Mark Gamble — Fri, 28 Dec 2012 14:52:23 GMT

This article applies to:

ER/SR/Version 3.0 and above.

Question:

What Optional Features can be enabled from the ER/SR GUI?

Procedure:

To access Optional Features login to Security Reporter GUI and select Administration from the top menu.
Select System Configuration (see notes below).
Once System Administration loads go to the Database drop-down menu and select Optional Features.

The following Optional Features can be enabled/disabled:
Search String Reporting
Block Request Count
Blocked Searched Keywords Report
Time Usage
Log Import Settings
Password Security Options

Notes:

Depending on your browser type, version, and configuration, selecting System Configuration may spawn an additional login window.
If this occurs, type in your credentials, and then go back to the original SR GUI page and reselect System Configuration to launch.

How to verify the Date Scope for and storage parameters for a Enterprise/security Reporter.

Mark Gamble — Fri, 28 Dec 2012 14:27:21 GMT

This article applies to:

SR/Version 3.0 and above.

Question:

How do I verify the date scope for processed data in my security reporter?

Procedure:

Date scope for total data	2012-07-31 - 2012-12-27
Database disk space utilization (used database space/total database space)	1.45 % (2.71/186.35 Gbytes)
Last 8 weeks hits/day average	2666605
Estimated total week(s) of data	3516 week(s)
Estimated number of week(s) until next expiration	3504 week(s)

Notes:

Depending on your browser type, version, and configuration, selecting System Configuration may spawn an additional login window.
If this occurs, type in your credentials, and then go back to the original SR GUI page and reselect System Configuration to launch.

How to enable a Secure Access port.

Mark Gamble — Fri, 28 Dec 2012 14:16:42 GMT

This article applies to:

SR/WFR version 3.0.10.xxx and above

Question:

How do I enable a Secure Access port to allow Trustwave support CLI access?

Procedure:

Login to Security Reporter GUI and select Administration from the top menu.
Select System Configuration (see notes below).
Once System Administration loads go to the Server drop-down menu and select Secure Access.
Identify the Port # field and enter an unused four-digit port in the 7000 port range.
Click the Start button and confirm that the specified port is populated in the connection field.

Notes:

Depending on your browser type, version, and configuration, selecting System Configuration may spawn an additional login window.
If this occurs, type in your credentials, and then go back to the original SR GUI page and reselect System Configuration to launch.

What do the Default Report Settings define

Alfred Alva — Thu, 27 Dec 2012 12:19:24 GMT

This article applies to:

Security Reporter 3.2 and up

Question:

What do the Default Report Settings do

Reply:

see the screen shot below:

1. Enter the Default Top ‘N’ Value of records that will be
generated for summary reports. The default is “50”
records.
2. Enter the maximum number of records that will be
included in a detail report’s Detail Result Limit. If the
number of records from a query exceeds the limit established
in this field, the overflow will be included in the next
set of records. The default is “1000” records per set.
3. Enter the maximum number of records that can be
returned by a detail report query before triggering the
Detail Result Warning Threshold message. This
warning message indicates that the number of records
exceeds the number specified in this field. The default is
“10000” records.
4. By default, the Hide Unidentified IPs checkbox is deselected.
This feature for Web Filters only indicates that
activity on machines not assigned to specific users will
be included in reports.
If you wish to exclude activity from machines not
assigned to specific users, click in the checkbox to enter
a check mark.
5. If using a Web Filter with this SR being configured, the
Hide Uncategorized Category checkbox displays and
is selected by default. This indicates that uncategorized
sites will not be displayed or counted in drill down
reports.
If you wish to include uncategorized sites in drill down
reports, click in the checkbox to remove the check mark.
6. If using one or more SWG policy servers with this SR
being configured, make a selection from the Combine
Duplicate Names pull-down menu:

Run a override account report

Alfred Alva — Thu, 27 Dec 2012 11:48:34 GMT

This article applies to:

SR 3.x and up

Question:

Run a override account report

Procedure:

To run a report on override accounts follow the steps below
1.log in a super admin or your assigned group
2.select Detailed Report
3. select drop down by username and type in overide name (not ldap name) and use % for wild cards
4.the name should appear if the right date scope is correct
5.move the name to the right using the arrows
6.run your report

Scheduled reboot in sync environment

Giovanni Romualdi — Fri, 21 Dec 2012 12:54:20 GMT

This article applies to:

WF 3.x, 4.x, 5.x
WFR 2.x, 3.x, 4.x, 5.x
MSC 2.x

Question:

I have multiple filters and I need to know if its possible to setup a scheduled reboot from my primary filter to the target filters. Is this something that can be done?

Information:

Schedule reboot of the Web filters or Security reporters is a feature that is not currently available.

Automating User Group Import

Giovanni Romualdi — Fri, 21 Dec 2012 12:53:25 GMT

This article applies to:

SR 2.x, 3.x
WFR 2.x, 4.x

Question:

Is there anyway I can automate the User group import on my reporter?

Information:

The User Group import process is an on-demand process which means there is no automation process but you will need to manually initiate it from the Security Reporter or from the Admin interface of the Enterprise reporter.

Lockout Manager - Real Time Security Report

Charles Creegan — Thu, 28 Jun 2012 09:39:28 GMT

This article applies to:

Enterprise Reporter
Security Reporter

Question:

How do I confugure the Lockout Manager when utilizing the 'Real Time Security Report' functionality

Procedure:

To set up the lockout function:

1. Click the checkbox corresponding to Lockout to activate

the Severity and Duration (minutes) fields.

2. Specify the Severity of the end users’ lockout:

• Low - Choosing this option opens the Low Lockout

Components containing the Available Categories/

Groups and Assigned Categories/Groups subpanels.

Select the library category/categories or protocol(s)

the end user should not access.

For bandwidth gauges, to specify a port number the

user should not access, type a specific value in the

Port Number field, and/or use the up/down arrow

buttons to increment/decrement the current value by

one.

Click Add (for URL gauges) or Add Port (for bandwidth

gauges) to move the selection(s) to the Assigned

Categories/Groups list box.

• Medium - Choosing this option will lock out an end

user from World Wide Web access if he/she reaches

the threshold limit set up for the gauge.

• High - Choosing this option will lock out an end user

from network access via a TCP connection if he/she

reaches the threshold limit set up for the gauge.

3. Specify the Duration (minutes) of the lockout (the default

is “15” minutes), or click the “Unlimited” checkbox.

Notes:

After setting up gauges for monitoring end user Internet

activity, notifications for Internet abuse should be set up in

the form of policy alerts. These messages inform the administrator

when an end user has triggered an alert for having

reached the threshold limit established for a gauge. If the

end user was locked out of Internet/network for an indefinite

time period as a result of his/her Internet activity, the administrator

can determine when to unlock that end user’s workstation.

These functions are available to a group administrator only

if permissions were granted by the administrator who set up

his/her account.

Malicious Code/Virus reports are empty

Giovanni Romualdi — Tue, 26 Jun 2012 12:03:56 GMT

This article applies to:

Question:

Why is the Malicious Code/Virus section of my SR's dashboard reports empty? I am filtering with an SWG.

Reply:

This is simply a side effect of using the SWG, rather than a WF unit. The WF can only block malware/virus traffic via URL filtering, for the most part, and hits to sites in these categories are logged into that Malicious Code/Virus section of the reports.

However, the SWG blocks virus/malware traffic based on signatures and behaviors, and this does not get logged in the same way as the WF handles it. Thus, this traffic does not end up in the dashboard reports, since the format is different (i.e. not URL-based). In essence, the Malicious Code/Virus reports would only show things for WF users, as it only shows URL-based hits in these categories.

How to apply a software update on the SR

Patricia Otteson — Tue, 26 Jun 2012 05:53:34 GMT

This article applies to:

Question:

How to apply a software update on the SR?

Reply:

Open a connection to the SR UI, click on Administration>System Configuration and log in with the SR supper user account. Only the super user account will be have access to System Configuration.

Under the "Server" drop-down select "Software Update" and apply the patch that is available to be applied.
This screen is also used for accepting LA/Beta software downloads, if choosing to download Limited Availability (LA) and/or Beta updates for previewing software features to be included in the General Availability (GA) release to be distributed to all SRs.

Notes:

Be sure to terminate all reports that are currently running or are scheduled to run before applying a software update and that port 8084 is open on your network.

Difference between Equus SR models and IBM models

Giovanni Romualdi — Fri, 22 Jun 2012 14:48:11 GMT

This article applies to:

SR 3.2

Question:

At a glance, what are some of the differences between SR models build by Equus and those built by IBM?

Reply:

SR 505 (IBM) and all models built by Equus are 1U units, with the 300 series model half the width of a standard 1U unit. For the 700 series models, SR 700 and 730 Equus models ship with 12 GB RAM, while the 2U SR 705 and 735 IBM models now ship with 24 GB RAM. Storage capacity is 750 GB for SR 500, and 1.6 TB for SR 505. Storage capacity is 1.5 TB for SR 700 and 2.3 TB for SR 705. Attached storage options are available for SR 730 and 735 using a Nexsan storage device:
• Basic storage: 3 TB for SR 730.
• Standard storage: 6 TB for SR 730 or SR 735.
• Extended storage: 12 TB for SR 730 or SR 735

Benefits of using SR virtual instead of the SR Appliance

Giovanni Romualdi — Fri, 22 Jun 2012 14:47:47 GMT

This article applies to:

SR 3.2

Question:

What are the benefits of using SR Virtual instead of the SR Appliance option?

Reply:

SR Virtual lets you use an existing computer to run the SR software image as a virtual machine, instead of installing and configuring a separate SR appliance. Virtualization is more cost effective in ensuring redundancy, failover and disaster recovery.

What version of SNMP is supported

Giovanni Romualdi — Fri, 22 Jun 2012 14:46:05 GMT

This article applies to:

SR
WF and WFR

Question:

What version of SNMP is supported on the SR and WFR?

Reply:

SNMP version 2c

Notes:

Optional.

Type of server software required for SR virtual

Giovanni Romualdi — Fri, 22 Jun 2012 14:45:42 GMT

This article applies to:

SR 3.2

Question:

Which type of server software is required in order to use SR Virtual?

Reply:

Trustwave has tested VMware ESXi 4.1 and 5.0 and supports these software versions, although other virtualization software may be used. Please consult with your Trustwave accounts representative or an Trustwave solutions engineer about software compatibility with SR Virtual

Generating reports for Anti.Dote vulnerabilities

Giovanni Romualdi — Fri, 22 Jun 2012 14:44:39 GMT

This article applies to:

SR 3.2

Question:

How do I generate a report for Anti.Dote Vulnerabilities?

Procedure:

Security Reports > Advanced Reports > Vulnerability Anti.Dote

The new Vulnerability Anti.Dote report—available if using SWG software version 10.0 or earlier—provides the ability to generate reports for SWG’s active, real-time content inspection feature that protects your network against vulnerabilities.

By default, the report graph shows the top six blocked vulnerabilities and the number of instances for each of these vulnerabilities which passed.
For each vulnerability record in the table, by default statistical counts are included for the number of IPs, users, blocked and passed vulnerabilities, and total instances for today’s date.
Clicking Report Wizard at the bottom left of the panel takes you to the Report Wizard >> Vulnerability Anti.Dote panel where you can download, email, save, or run the report using customized settings.