When an Internet request goes through the Lenovo NetFilter filtering system, Lenovo NetFilter records information about the request in its ‘Request Logs’. You can use the Lenovo NetFilter Reporter subsystem to create different kinds of reports from the Request Logs. The Reporter can gather requests that match some criteria (such as requests issued from a specific IP address or requests to a specific web site), sort the results, calculate statistics, and present the results in a table or a pie or bar chart.
For each request, the Lenovo NetFilter system saves information about the following:
· The client (user or workstation) making the request
· The request target
· The filtering results
· Optional information about the filtering infrastructure, such as the interceptor IP address and the policy server ID (These both require special configuration.)
You can use these data fields to mine records that interest you and to group records so that statistical calculations may be performed on them.
You can view Reporter messages and errors from the Logs menu in the WebAdmin. Go to Administration > Services and click on the Host Name for the Server to open the 'Server Management' window. Review the log files and error messages by clicking on the More icon.
A message is a record of an event generated by the reporting daemon (a.k.a. nsreporter), including processing of Demand, Scheduled and Continuous reports. You can access the Reporter messages at Logs > Reporter Messages.
An error is a record of error events generated by the reporting daemon. This information can be used by your Lenovo NetFilter Support staff to help troubleshoot unexpected Reporter behavior. You can access the report errors at Logs > Reporter Messages.
When creating Reports, the Demand Report will warn if there is no log data and the Scheduled Report warns if the interval is too large for the available log data.
You can use the 'Request Logs' window in the WebAdmin to view Request Logs from all or individual Reporters.
In Logs > Request Logs, click on the Advanced icon and then on Add Filter. Select Server from the dropdown list. The localhost and the Reporters display in the ‘Logger Servers’ list. You can view the filtered traffic for all servers or just a specific server by removing the checkmark for the servers you do not wish to view.
Lenovo NetFilter logs the following information in the Request Log file by default, without additional configuration and in all filtering configurations:
· The date and time of the request
· The client IP address, the client name (if there is a user authorization procedure), and the filtering policy group to which the client belongs
· Categories or pseudo categories assigned to the request (See section below entitled ‘Pseudo’ Categories Capture Error Codes, Filtering Criteria.)
· The denied flag, which indicates whether the request was denied or allowed
· The complete URI of the HTTP request
· The extended binary format file also logs the destination host IP address.
In the text format and extended binary format file there are two fields for categories. One field keeps all assigned categories and the second one keeps only the categories that caused request denial. If the request was not denied, both fields have the same value. The fixed binary format file includes only the second type of categories field.
The Reporter partially parses the URI, so reports can include designated parts of the URI, such as the protocol, host or domain of the URI, instead of the complete URI.
If specially configured, Lenovo NetFilter can also log additional information. Please see Logging Use Cases for more information.
Flexible logging allows you to specify request log record fields that should be written to log files or sent to a remote logger server. The 'Request Log Record Fields' section found in Policy Server Settings (nsd) allows you to specify request log fields. This global setting specifies the fields set for remote logger, text format and extended binary log files.
Available fields are:
· url
· client
· group
· policy
· ip
· dst
· denied
· category
· interceptor peer
· server_id
· method
· agent
· referrer
· type
· data
· module
· workstation
· screenshot image
· allcategories
· deniedcategories
For a complete list, please see the ‘Request Log Record Fields’ settings in Policy Server Settings.
Group Segmented Logging allows you to segment your log files by Group or by a specific tag. This makes it easier to manage and search through request log archives for specific logs.
The default information logged about a request includes both real and “pseudo” category assignments. Lenovo NetFilter assigns real categories to a request, based on its page contents (such as sports, travel, or news) or its file type (images or no text files). Pseudo categories, on the other hand, capture information about error codes and filtering criteria. If you capture the pseudo categories in reports, you will find them very useful for reviewing and assessing users’ browsing behavior and the operation of your filtering network.
The three types of pseudo categories are as follows:
1. The requested content has not yet been categorized. (For example, Lenovo NetFilter assigns the temporary pseudo category “New URL” to a URL very briefly, until the Lenovo NetFilter categorization engines are ready to assign categories based on the subject content.)
2. The requested page or entire website is included on a special list or resides on one of the Lenovo NetFilter URL and Keyword lists, used to refine and provide exceptions to category-based filtering.
3. An authorization or network issue is preventing categorization, as is the case with the Invalid Serial, Unauthorized Access, Database Error, Network Timeout, and Network Unavailable pseudo categories.
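The following added example (not part of the Lenovo NetFilter product or its documentation) shows how the two category fields, the denied flag, the URI host and the authorization/network pseudo categories described above can be mined together outside the Reporter. It assumes request log records have been exported to CSV with columns named after the fields listed earlier; the CSV layout, the `;` category separator and the 0/1 denied flag are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import Counter
from urllib.parse import urlsplit

# Pseudo categories the page lists as authorization or network issues.
INFRA_PSEUDO = {"Invalid Serial", "Unauthorized Access", "Database Error",
                "Network Timeout", "Network Unavailable"}

# Constructed sample export. Column names follow the page's field list; the CSV
# layout, ';' category separator and 0/1 denied flag are assumptions.
SAMPLE = """ip,client,group,url,denied,allcategories,deniedcategories
10.0.0.5,alice,staff,http://news.example.com/world,0,News,News
10.0.0.7,bob,students,https://games.example.net/play?id=3,1,Games;Images,Games
10.0.0.7,bob,students,http://fresh.example.org/,0,New URL,New URL
10.0.0.9,,kiosk,https://cdn.example.net/a.js,0,Network Timeout,Network Timeout
10.0.0.9,,kiosk,https://mail.example.com/inbox,0,Database Error,Database Error
"""

def split_categories(value):
    return [c.strip() for c in value.split(";") if c.strip()]

def summarize(csv_text):
    """Group records by URI host and pull out records needing operator review."""
    denied_by_host = Counter()
    infra_issues = []     # requests carrying an authorization/network pseudo category
    inconsistent = []     # allowed requests whose two category fields differ
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = urlsplit(row["url"]).hostname or "(unparsed)"
        all_cats = split_categories(row["allcategories"])
        denied_cats = split_categories(row["deniedcategories"])
        denied = row["denied"] == "1"
        if denied:
            denied_by_host[host] += 1
        # The page states both fields hold the same value when not denied.
        elif all_cats != denied_cats:
            inconsistent.append(row["url"])
        hits = INFRA_PSEUDO.intersection(all_cats)
        if hits:
            infra_issues.append((row["ip"], host, sorted(hits), denied))
    return denied_by_host, infra_issues, inconsistent

if __name__ == "__main__":
    denied, infra, bad = summarize(SAMPLE)
    print("denied per host:", dict(denied))
    for ip, host, cats, was_denied in infra:
        print(f"review: {ip} -> {host} {cats} denied={was_denied}")
    print("inconsistent records:", bad)
```

Records that carry one of the authorization or network pseudo categories point at the filtering infrastructure rather than at user behavior, so they are reported separately along with their denied flag.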