
Symantec Reporter 10.5.x Administrator's Guide: Revision - Wednesday, March 11, 2020


Symantec® Reporter 10.5.x
Administrator's Guide
Revision — Wednesday, March 11, 2020
Symantec Reporter Administrator Guide

Legal Notice

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. The term
“Broadcom” refers to Broadcom Inc. and/or its subsidiaries.

Copyright © 2020 Broadcom. All Rights Reserved.

The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit
www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability,
function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does
not assume any liability arising out of the application or use of this information, nor the application or use of any product
or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.

Wednesday, March 11, 2020

Reporter 10.5.1.1

Table Of Contents
Table Of Contents 3

About Reporter Licensing 8


Reporter Licensing Levels 8
Prerequisite—Enable Connectivity to Important Symantec Services 8
Reporter Licensing Commands 9
About Connectivity for Reporter Virtual Appliances 9
About Connectivity for Reporter RP-S500 Appliances 9
Considerations for Deploying a Reporter Appliance in a Closed Network 9
License Troubleshooting 10

About Reporter Architecture 11


Topography—With FTP Staging Server 12
Topography—No FTP Staging Server 13
Related Information 14
Conceptual 14
Configuration 14

About Log Processing 15


Optimize Log Processing Configurations 15
About the Decimal Digits 15

About the Page View Combiner 22


Requirements 23
Additional Reference 24

About the Default Browse Time Calculations 25


Page View Criteria Used for Browse Time 25
Examples 25
Scenario 1 25
Scenario 2 26
Scenario 3 26
Scenario 4 26

Reporter Resource Sizing 27


Access Log Storage 27
Databases 27
Database Backups 27
RP-S500 Appliances 27


Virtual Appliances 27
Detailed Specifications 28

About Retrieving Logs From the WSS 29


Topography 29
Additional Information 30

Manage Access 31
About Users 31
Admins 31
Standard User 31
About Roles 31
Add a Consent Banner 31
Procedure—Add a Consent Banner 32
How a User Logs in to Reporter with a Consent Banner 32
About Role-Based Access 34
Plan the Roles 35
LDAP Group-Based Option 35
Create a New Reporter User 36
Define a User or Group Role 38
Authenticate Users with SSL Mutual Authentication 39

About LDAP Integration 42


About Nested Groups 42
Connect to LDAP Server 44
Prerequisites 44
Procedure 44
Assign Roles From LDAP 47
Prerequisite 47
Procedure 47

Administrative Tasks 48
Recommended Tasks 48
Set Up Email for Admin Alerts and User Reports 48
Clone 48
Manage Databases 48
Purge for Disk Space 48
Manually Edit Configuration Files and Databases 48
Other Tasks 49
CLI Reference 49
Upgrade Reporter 50


Can I downgrade Reporter to a previous version? 50


Upgrade Information 50
Procedure 50
Optimize a Filtered Report 51
Report Optimization Can Impact Resources 51
Some Reports are Not Eligible for Optimization 51
Optimize a Report 52
Undo Report Optimization 53
Connect Reporter to an Email Server 54
Prerequisites 54
Procedure 54
Alerts 56
Prerequisite 56
Email Alerts 56
Alert Levels 57
Set Reporter Email "To" Address 58
Define NTP Server Location 59
Monitor Reporter Operations 60
View Current Reporter System Overview 60
System Resources 60
Database Overview 60
View Current Users and Active Reports 61
View the System Event Log 61
View User-Initiated Information 61
Create a Database 62
About Log Sources 62
Procedure 62
Refer to Other Documentation 68
Remove Personally Identifiable Information From a Database 68
Important Notes About User Information Removal 68
Remove User Information 69
Manage Existing Databases 71
Empty Database 71
Expire Now 71
Unload a Database to Conserve Resources 71
Change Database and Log Source Parameters 72
Match Access Log Formats for Filtering 73
Remove User Information 74
Change Cost Calculators 74
Change Default Report Row Limits 75
Create Custom Log Fields 77
About the dbfields.cfg File 77
Procedure: Customize the Database Files 78


Additional Information: Index Pairs and Triplets 82


Database Backup 83
Database Backup Properties and Requirements 83
Create, Update, and Restore Backups 83
About CLI Database Backup 88
Download Logs From the WSS 90
Prerequisites 90
Generate an API in the Web Security Service 90
Create a WSS Log Source in Reporter 91
Change the Reporter Interface Language 94
Support Languages 94
How Do I? 94
Convert International Domain Names 95
Change a Password 96
Reset the Administrator Password 97
Prerequisites 97
Procedure 97
Manually Edit Configuration Files 99
About the File Editor 99
Global Intelligence Network (GIN) Application Name Mapping 99
Procedure: View/Edit Configuration Files 99
Troubleshoot 101

Reference: CLI 103
CLI Behavior and Command Changes 103
Reference: CLI 104
CLI Behavior and Command Changes 104
Reference: Ports and Protocols 105
Inbound Connections 105
Outbound Connections 105
Required IP Addresses and URLs 106
Reference: Log Fields 107
Reference: Web API Parameter Syntax 114
Common Parameters 114
End Point: /api/create 122
End Point: /api/status 123
End Point: /api/cancel 124
End Point: /api/download 124
End Point: /api/listDatabases 124
End Point: /api/listFields 124
Debugging 125
Relative Dates 126
Trend Reports 126


Diagnose Reporter 127


Restore a Configuration Backup 131
Import a Configuration Backup 132


About Reporter Licensing


Symantec Reporter requires a license according to the maximum disk space that the product uses. Each version specifies
CPU and RAM sizing. For a complete sizing schematic, see "Reporter Resource Sizing" on page 27.

Reporter licensing requires accessing MySymantec. Before licensing Reporter, make sure you have your MySymantec
credentials.

Reporter Licensing Levels


• Reporter RP-S500

  The license matches the total disk space (original specification). Check the current System Resources consumption
  on the Admin link System Overview > System Diagnostics page.

• Reporter VA

  Symantec offers three levels of licensing for virtual appliances (VAs) based on the total usable disk space available
  on these virtual appliances:

  ◦ RP-V50
  ◦ RP-V100
  ◦ RP-V200

Prerequisite—Enable Connectivity to Important Symantec Services


Reporter (or the license staging web server) must be able to connect to specific Symantec resource locations. Verify that
your firewall allows the following Symantec URLs.

| URL | Protocol | Description |
| --- | --- | --- |
| support.symantec.com | https/TCP 443 | Support links to software, support cases, and documentation. |
| upload.bluecoat.com | https/TCP 443 | Upload portal logs and other large files. |
| download.bluecoat.com | http/TCP 80 | Licensing portal; redirects to support.symantec.com |
| esdhttp.flexnetoperations.com | https/TCP 443 | Software portal. |
| device-services.es.bluecoat.com | https/TCP 443 | License related. |


Note: See "Reference: Ports and Protocols" on page 105 for a full list of required ports and
protocols.

Reporter Licensing Commands


You must download the Reporter license from the Symantec licensing portal using a CLI command. See License Reporter
for more information.

If your network requires a proxy connection to the Internet, you must also use the proxy-settings CLI command to
specify that proxy.

About Connectivity for Reporter Virtual Appliances


Unless you have purchased a VA offline license, constant Internet connection is required for Reporter to communicate
regularly with the license validation server to confirm that the serial number is valid. If communication with the server
fails, the Reporter license may be suspended.

To ensure license integrity, Reporter VA periodically communicates with the Symantec license portal to validate the issued
licenses. This requires continuous successful network connectivity with the Symantec network.

To allow for temporary WAN outages, this operation continues for 12 hours or until a successful license validation
occurs. After 12 hours of unsuccessful validation, the Reporter license state changes to invalid. Until this license issue is
resolved, you can continue to use all Reporter functionality except for new database and log source creation;
furthermore, Reporter halts the processing of all new data in existing databases.

About Connectivity for Reporter RP-S500 Appliances


Reporter RP-S500 appliances can be deployed in open or closed networks.

Considerations for Deploying a Reporter Appliance in a Closed Network

If you deploy the Reporter RP-S500 or VA in a closed network, you must:

• Obtain the license separately and place it on a server that Reporter can access.

• Disable the Web Application Attribute feature.


License Troubleshooting
By default, web application information is included in the Reporter database. If this feature is not manually disabled and
Reporter is unable to download the current web application attributes from Symantec, log data will not be consumed and
log sources will remain in the "Initializing" state until either the application attributes are downloaded or this feature is
disabled.


About Reporter Architecture


Symantec Reporter is a key component in the Secure Web Gateway solution. Reporter generates and displays reports
based on web traffic access log data that is sent from one or more gateway ProxySG appliances. Analyzing reports gives
insight regarding the integrity of the network and user web browsing habits and policy compliance.

This allows you to:

• Identify possible security threats (such as malware/spyware).

• View user activity by user, group, URLs, or other aspect.

• View blocked web traffic (such as categories and URLs).

• Identify which users consume how much network bandwidth from web use.


Topography—With FTP Staging Server

A—Employees perform web content requests.

B—The gateway ProxySG appliance records transactions and uploads access logs to a dedicated FTP server.

C—The Reporter device (appliance or VA), retrieves the data from the FTP server—the defined log source—and populates
the defined database. More than one log source can feed a database (for example, multiple locations). Reporter users
(admins and users with role-based access) generate and view reports.

Note: Reporter VA is not supported in closed networks. If you require more information,
see "About Reporter Licensing" on page 8.


D—Based on trends viewed in the reports, admins adjust the web-use and security policies on the gateway Proxy
appliance.

Reporter performs the following major tasks:

• Processes raw log data received from ProxySG appliances and populates databases.

• Manages the databases and generates reports.

• Manages the Reporter appliance/VA functions.

Topography—No FTP Staging Server


Reporter no longer requires an intermediary FTP server for staging ProxySG appliance access logs. You have the option
to configure the Upload Client to send the access logs directly to the Reporter appliance, which has an internal FTP
server.


This topography is similar to the previous diagram except that for process B, the appliance upload client sends access logs
directly to the Reporter appliance over FTPS.

Related Information

Conceptual

• "About Log Processing" on the facing page

• "About the Page View Combiner" on page 22

• "About the Default Browse Time Calculations" on page 25

Configuration

• "Create a Database" on page 62


About Log Processing


Log processing involves the following components.

• Log Reader—Reads access log data into Reporter memory.

• Page View Combiner (PVC)—This sub-component of the log reader attempts to provide more realistic user
  browsing statistics by combining the initial request and its secondary referral requests as one page count. For
  detailed information about the PVC, see "About the Page View Combiner" on page 22.

• Log Processor—Populates the databases with the log data.

Optimize Log Processing Configurations


This section describes some conditions that affect log-processing efficiency.

About Access Log Naming Conventions


This section provides suggestions for ProxySG appliance access-log-naming conventions, especially for deployments that
require processing a large number of log files over a longer duration of time.

For optimal Reporter performance, configure your access logs to use the following filename format:

xxxxxxxxxxxxxxxNddddddddddd.log.gz

where:

• x represents any valid character that can be used in naming a log file (letters, digits, underscore, dash).

• N represents a non-decimal-digit character.

• d represents a decimal digit. This number, preceding the log file extension, determines the order in which the log
  files are processed. The log file ordering is performed identically for FTP and local disk log sources. A date string
  that represents the log line dates within the file is preferred. If you mix cloud files with on-premise files, use the
  12-digit cloud date syntax described above.

• .log.gz is the extension of the (compressed) log file.

About the Decimal Digits


The decimal-digit number is the key part of the format.

• If this number does not provide a complete ordering on the set of log files, then the log-processing speed suffers
  because of internal log table thrashing.

• A filename format of MMDDhhmmss is inadequate because the files process chronologically, except at year-end when
  they temporarily process out-of-order because of the December (MM = 12) rollover into January (MM = 01) where
  January files sort before December.

• A filename format of hhmmss is more problematic because log files are processed out-of-order whenever one day
  rolls into the next.

• Given these constraints, to ensure the most efficient log file ordering, format this eleven-digit number as:
  YYJJJhhmmss, where:

  ◦ YY = two-digit year (00 – 99)
  ◦ JJJ = three-digit Julian day of the year (001 – 366)
  ◦ hh = two-digit hour of the day (00 – 23)
  ◦ mm = two-digit minute of the hour (00 – 59)
  ◦ ss = two-digit second of the minute (00 – 59)

  With this format Reporter can properly order log files through the year 2021.

• The default filename format used for log files on the ProxySG appliance has the following text and specifiers:
  SG_%f_%c_%l%m%d%H%M%S.log.gz.

  ◦ %f = log name (facility)
  ◦ %c = name of the external certificate used for encryption, if any
  ◦ %l = the fourth parameter of the ProxySG appliance IP address (101.102.103.104)
  ◦ %m = two-digit month (01 – 12)
  ◦ %d = two-digit day (01 – 31)
  ◦ %H = two-digit hour (00 – 23)
  ◦ %M = two-digit minute (00 – 59)
  ◦ %S = two-digit second (00 – 59)
  ◦ .log.gz = extension

  The suggested filename format for log files on the ProxySG appliance slightly alters the default and has the
  following text and specifiers: SG_%f_%c_%l%m%d_%y%j%H%M%S.log.gz.

  ◦ %y = two-digit year, without century (00 – 99)
  ◦ %j = three-digit Julian day within year (001 – 366)

  The value of this naming convention for log files is evident when processing large numbers of log files, spanning
  multiple days and months. The value is less evident when log-file generation and processing occurs regularly (daily
  or more frequently) so that out-of-order files occur infrequently. However, when reprocessing large sets of log
  files, the naming convention is essential.

About Chronological Ordering


Each database creates and manages its own memory-resident log table. Each log table is comprised of hour-tables
containing data for each hour the database log processors spend reading log files. These tables typically consume most
of the active memory in Reporter and therefore have a significant impact on overall log-processing performance. (When
you unload a database it no longer consumes active memory.)

If all log files were processed in chronological order, more than one hour-table would not be necessary in memory. It is
common for the log-processing process to encounter batches of log files that span multiple hours between them. If they
are processed out of chronological order, performance significantly improves by allowing the number of hour-tables to
grow, provided there is sufficient process memory. Conversely, during low memory conditions, reducing the number of
hour-tables prevents unnecessary memory starvation and subsequent disk operations (swapping files in and out of
memory).

Reporter orders log files based on a numeric field in the filename, when it is present. The default filenames created by the
ProxySG contain a Month/Day/Hour/Minute/Second timestamp immediately preceding the .log or .log.gz suffix; for
example: SG_Main_HQ-1_1102081500.log.gz. If the filename ends with .log or .log.gz, the log processor parses it for
any purely numeric sequence immediately preceding the required suffix. If one is found, it is then used to sequentially
order that batch of log files. You can significantly improve log processor performance by naming the log files with any
ordered numeric values that comply with this format. For example: anyfilenameprefix123.log or some-other-prefix-
84757.log.gz.
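
The ordering rule described above and in "About the Decimal Digits", as an added Python example (not Symantec code): it extracts the trailing numeric field the way the guide describes and shows that MMDDhhmmss names sort January before December at year-end while YYJJJhhmmss names stay chronological. The prefix, the timestamps, the integer comparison, and the placement of names without a numeric field are assumptions of this sketch.

```python
import re
from datetime import datetime

# Purely numeric run immediately before the .log / .log.gz suffix.
ORDER_FIELD = re.compile(r"(\d+)\.log(?:\.gz)?$")
# Recommended shape x...xNddddddddddd.log.gz: one non-digit N, then exactly 11 digits.
RECOMMENDED = re.compile(r"^[A-Za-z0-9_-]*[A-Za-z_-]\d{11}\.log\.gz$")


def order_key(filename):
    """Return the numeric ordering field of a log filename, or None if absent."""
    match = ORDER_FIELD.search(filename)
    return int(match.group(1)) if match else None


def processing_order(filenames):
    """Order a batch by its numeric field (assumption: names without one go last)."""
    keyed = sorted((f for f in filenames if order_key(f) is not None), key=order_key)
    unkeyed = sorted(f for f in filenames if order_key(f) is None)
    return keyed + unkeyed


def matches_recommended_format(filename):
    """True when the name ends in a non-digit followed by an 11-digit field."""
    return RECOMMENDED.match(filename) is not None


def name_mmddhhmmss(prefix, ts):
    """Month/day/time field, as in the ProxySG default timestamp."""
    return f"{prefix}_{ts:%m%d%H%M%S}.log.gz"


def name_yyjjjhhmmss(prefix, ts):
    """Suggested field: two-digit year, Julian day, then time (%y%j%H%M%S)."""
    return f"{prefix}_{ts:%y%j%H%M%S}.log.gz"


def out_of_order(names_in_time_order):
    """Files whose processing position differs from their chronological position."""
    processed = processing_order(names_in_time_order)
    return [n for n, p in zip(names_in_time_order, processed) if n != p]


# Constructed sample: four uploads that straddle a year-end rollover.
PREFIX = "SG_main_proxy1"  # hypothetical prefix
YEAR_END = [
    datetime(2019, 12, 31, 23, 0, 0),
    datetime(2019, 12, 31, 23, 30, 0),
    datetime(2020, 1, 1, 0, 15, 0),
    datetime(2020, 1, 1, 1, 0, 0),
]
MMDD_NAMES = [name_mmddhhmmss(PREFIX, ts) for ts in YEAR_END]
YYJJJ_NAMES = [name_yyjjjhhmmss(PREFIX, ts) for ts in YEAR_END]

if __name__ == "__main__":
    for label, names in (("MMDDhhmmss", MMDD_NAMES), ("YYJJJhhmmss", YYJJJ_NAMES)):
        print(label)
        for name in processing_order(names):
            print("  ", name, "recommended" if matches_recommended_format(name) else "")
        print("   out of order:", len(out_of_order(names)))
```
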

About Database Purging


Most of the database is kept in memory. If the entire database is not occasionally purged, it continues to consume more
of the process memory as new log files are processed. As the database grows, configuration settings that were previously
beneficial might become detrimental.

As a general guideline, Symantec recommends that databases contain a maximum of 30 days of log data. However, the
amount of log data (number of rows) has more impact than the number of days (age of data) in the data sets.

Reporter also allows the administrator to purge the database based on the number of log lines. Purge the log lines by
expiration, automatically (scheduled), or manually.

About Log Source Statuses

Log sources feed access log data into assigned Reporter databases. You can view the status of each log source.

On the Administration > General Settings page, select Reporter Settings > Data Settings > Log Sources. Reporter
displays each database in a table.


The Status column provides the current state of data processing, which might depend on the status of the log source(s).

| Status | Definition |
| --- | --- |
| Error | An error has occurred. |
| Processing | The assigned database is currently processing available log lines from the log source. |
| Loaded | Reporter has finished loading. |
| Loading | Reporter is currently loading data from the specified log source. |
| Idle | Currently, there are no new log lines to process. |
| Initializing | Reporter is currently downloading the web application attribute database file. This file is required to process log data. If Reporter encounters a license issue or fails to connect to the Symantec subscription service, Reporter cannot complete the download and the log processing cannot proceed until the issue is resolved. See "About Offline Licensing and Log Processing" on the facing page. Warning: The attribute download can be disabled if Reporter log sources are stuck in Initializing. See "Disable the Web Application Attribute" below. |
| Unloading | Reporter received the Stop Log Source command from the Action drop-down list. When Reporter is able to pause current log processing, it will begin to unload the source from the database. |
| Unloaded | The log source is currently unloaded from the database. This status is required before you can edit configuration properties. Furthermore, log processing cannot resume until you select Restart Log Source (from the Action drop-down list). |

Disable the Web Application Attribute


If you are deploying an RP-S500 in a closed network, you must complete this procedure. You should also complete this
procedure if Reporter log sources are stuck in Initializing.

1. Enter enable

2. Enter the admin password.

3. Enter stop-reporter

4. Enter y

5. Enter edit-settings edit preferences.cfg

6. Append the following lines to the config file:

intelligence_services = {
  web_app_attr_download = "false"
} # intelligence_services

7. Enter edit-settings commit preferences.cfg

8. Enter start-reporter

9. Enter y

Reporter Log Processing

In a new installation, Reporter must obtain web application attributes from the Global Intelligence Network (GIN) over an
internet connection before it can begin processing log data. At every startup, you can see these messages in the system
event log: message a will show that Reporter is verifying that it has this additional data. Message b may periodically occur
if Reporter is unable to obtain the data. Once the web application data is obtained, it is stored locally for a period of time
until a refresh is required, as determined by the web application. Any time Reporter starts up, message c must show
before log processing can resume. If message b is not soon followed by message c, check for connectivity between
Reporter and the internet.

a. Initializing Web Application data - Log processing disabled

b. Web Application data failed data initialization - Log processing disabled

c. Web Application data initialized successfully - Log processing enabled

Note: Reporter dynamically obtains external data while processing log data. Reporter will
not process log data until the web application data is initialized successfully.

About Offline Licensing and Log Processing

Offline licensing and log processing is supported on Reporter RP-S500 appliances. Offline licensing and log processing is
also available for Reporter VAs if you have purchased an offline license.


Note: To enable offline licensing and log processing, disable the Web Application Attribute
feature. See Considerations for Deploying a Reporter Appliance in a Closed Network for
additional information.

Reporter VAs require a stable internet connection in order to function properly and to validate the birth certificate and
serial number. See About Connectivity for Reporter Virtual Appliances for more information.

Note: If your firewall uses HTTPS certificate validation, you must exempt
device-services.es.bluecoat.com from validation or add the Certificate Authority chain to the
Certificate Authority list.

About Database Statuses

As Reporter databases process the data from the assigned log sources, you can view the current status.

On the Administration > General Settings page, select Reporter Settings > Data Settings > Databases. Reporter
displays each database in a table.

The Status column provides the current state of data processing.

| Status | Definition |
| --- | --- |
| Corrupt | The database is corrupt. This may temporarily occur when loading, unloading, restoring, or emptying a database. |
| Creating | Reporter is creating a new, empty database. |
| Deleting | Reporter is deleting a database. |
| Emptied | The Reporter database has been emptied. |
| Emptying | The Reporter database is being emptied. |
| Expiring | The database is loaded, but Reporter is currently expiring data. Therefore, log processing is not occurring and some reports might not be available. |
| Loaded | The database is ready to generate reports based on the configured log source(s). |
| Loading | Reporter is currently loading from disk; log processing and report generation is not yet available. Depending on the database size, the load time might require substantial time. |
| Processing | The database is currently processing available log lines from the log source. |
| Restored | The database has been successfully restored. |
| Unloaded | Log processing and report generation are not possible from this database. |
| Unloading | Reporter is currently unloading from disk; log processing and report generation are not available. Depending on the database size, the unload time might require substantial time. |


About the Page View Combiner


Symantec Reporter calls the page view combiner (PVC) during log processing (unless you selected to disable it when
creating the database). The PVC combines multiple HTTP requests that are associated with a single web page into a single
log line. When a user browses to a web page, most often that page triggers requests for more content, either from the
same web server or another server (for example, a media server that stores video or image content). Rather than regard
each of these requests as separate, the PVC combines all of the bytes into the original request.

The goals of the PVC are to:


• Reduce the number of database entries from the original log file, which improves report generation performance.

• More closely represent user browsing activity, because each object (requested by the first page from content
  servers) is not counted as a separate entry.

A—An employee requests web content from www.example.com.

B—The example.com server S1 sends additional requests to other servers in its farm for advertisements and video
content. It receives four data objects.

• example.com/main.html

• i.example.com/ads/sponsor1.gif

• example.com/news/story1.html

• example.com/news/video1

C—The gateway ProxySG appliance adds access log entries for all of these content elements.

D—The Reporter PVC combines the log lines into one page view and saves it in the database. The Reporter user
generates and views a report that contains one page-view entry for the original request to www.example.com.

It is possible that a web request that would normally be combined to represent one page view might be split into two
page views. This occurs when, as a result of internal processing, the log sources are halted or restarted, or the request is
recorded across two log files.

If this occurs, no data is lost, but the database contains two page views. Continuing with the example in the previous
illustration:

8:40:20 cnn.com/html
8:40:20 i.cnn.com/ads/sponsor1.gif
[------end of log file------------]
[----beginning of new log file----]
8:40:21 cnn.com/news/story1.html
8:40:21 cnn.com/news/video1.asf

The first two entries are shown as one page view; the second two as another within the database. However, they
represent a single page view that was requested by a user.

Requirements
PVC can happen only when the following fields are present in the logs:

• cs-referer

• sc-status

• rs(Content-Type)

Symantec-recommended log formats contain these fields (see also "Reference: Log Fields" on page 107).


If these log fields are not present, no page-view combining can occur, and so report data represents each separate web
request.

Note: HTTPS logs do not contain the cs(Referer) field; therefore, the PVC process cannot
occur. The field is not included because it would expose personal user data (such as bank
account information).

Additional Reference
• See "Reference: Log Fields" on page 107.


About the Default Browse Time Calculations


Some reports provide a datapoint called browse time. The intention of this statistic is to estimate how long a user
spends browsing a particular website or category of a website.

Page View Criteria Used for Browse Time


Reporter calculates browse time by matching each source IP address and each user in the logs with a website. After a
match occurs, Reporter tracks the activity of each user as seen in the access logs.

As Reporter processes each log line in each log file, it finds and adds up browse time for each client IP address. If Reporter
determines that a request is a page view, the transaction is assigned 30 seconds of browse time. However, if another
page view is discovered within 30 seconds in the page view combiner (PVC) cache time window (10 seconds by default),
Reporter subtracts the time of the previous page view from the next and counts the result. If the next page view occurs
more than 30 seconds after the previous page view, the previous page view remains at 30 seconds.

Reporter calculates browse time in real time during log processing. Furthermore, Reporter can subtract only the time
difference from the last page view if it still exists in the PVC cache. For example, if a Reporter administrator sets the
default browse time to 60 seconds per page and leaves the PVC cache time windows to 10, the 60-second value applies
by default unless another page view is found for the same client IP address and user agent within the 30-second PVC
window. Therefore, there may be pages with anywhere between zero and 30 seconds or 60 seconds of browse time.
Typically, the default browse time is set to 30 seconds by default, which means that all pages have a browse time from
zero to 30 seconds, but never longer.

For related information, see "About the Page View Combiner" on page 22.

Examples
Consider the following browse time examples.

Tip: These examples assume the default values of 30 seconds for browse time with a
default PVC cache of 30 seconds or fewer. For example, if a user visits cnn.com and never
loads another page (does not click through the various articles links) for three hours, the
resulting browse time is 30 seconds.

Scenario 1
Employee A visits cnn.com for 40 seconds, visits yahoo.com for 20 seconds, and then leaves the browser on youtube.com
for 2 minutes but does not watch a video or click links on the site.


• Reporter calculates 30 seconds for cnn.com, 20 seconds for yahoo.com, and 30 seconds for youtube.com, for a total
  browse time of 80 seconds.

• If, however, the same user browses videos on youtube.com every 29 seconds, the resulting browse time is 30
  seconds for each video, resulting in a total browse time of 120 seconds.

Scenario 2
Employee A opens two different browsers—such as Internet Explorer and Firefox—at the same time and performs the
above scenario. The result is a doubling of the browse time.

Scenario 3
Employee A uses only one browser. By default, all page views are given the default browse time, which is 30 seconds. (This
value is configurable.) If Reporter processes another page view from the same client IP address on the same user agent
while the first page view is still in the PVC cache (which also has a 30-second window by default), Reporter lowers the
browse time for the first page view to the time difference between the page views.

Scenario 4
Employee B visits images.google.com for 5 seconds and then clicks a picture, views it for 15 seconds, clicks the back
button, clicks a different picture, and views it for 45 seconds. Reporter records 5 seconds for images.google.com, then 15
seconds for the first picture (plus whatever time it takes to click back and click on the second image), and then records
30 seconds for the last picture.
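
The calculation behind the first bullet of Scenario 1 and Scenarios 2 to 4, as an added Python example (not Reporter's own code): every page view starts at the default browse time, and a later page view from the same client IP address and user agent inside the PVC cache window lowers the earlier one to the time difference. The tuple layout, IP address, user-agent labels, the 2-second click-back delay, and treating a gap equal to the window as still cached are assumptions of this sketch.

```python
DEFAULT_BROWSE_TIME = 30  # seconds, the default the examples assume
PVC_CACHE_WINDOW = 30     # seconds, the window the examples assume


def browse_times(page_views, default=DEFAULT_BROWSE_TIME, window=PVC_CACHE_WINDOW):
    """Assign browse time to page views given in log order.

    page_views: iterable of (seconds, client_ip, user_agent, site).
    Returns a list of (client_ip, site, browse_seconds) in the same order.
    """
    rows = []       # [client_ip, site, seconds], mutable so earlier rows can be lowered
    last_seen = {}  # (client_ip, user_agent) -> (row index, timestamp)
    for ts, client_ip, user_agent, site in page_views:
        key = (client_ip, user_agent)
        if key in last_seen:
            index, previous_ts = last_seen[key]
            gap = ts - previous_ts
            # Previous page view is still in the PVC cache: lower it to the gap.
            if 0 <= gap <= window:
                rows[index][2] = min(gap, default)
        rows.append([client_ip, site, default])
        last_seen[key] = (len(rows) - 1, ts)
    return [tuple(row) for row in rows]


def total_browse_time(page_views, **settings):
    """Sum of browse time over all page views."""
    return sum(seconds for _, _, seconds in browse_times(page_views, **settings))


IP = "10.0.0.5"  # constructed client address

# Scenario 1: cnn.com for 40 s, yahoo.com for 20 s, then youtube.com left open.
SCENARIO_1 = [
    (0, IP, "Firefox", "cnn.com"),
    (40, IP, "Firefox", "yahoo.com"),
    (60, IP, "Firefox", "youtube.com"),
]

# Scenario 2: the same browsing in a second browser at the same time.
SCENARIO_2 = sorted(SCENARIO_1 + [(t, ip, "Internet Explorer", s) for t, ip, _, s in SCENARIO_1])

# Scenario 4: 5 s on the index, 15 s on picture 1 plus 2 s to click back, then picture 2.
SCENARIO_4 = [
    (0, IP, "Firefox", "images.google.com"),
    (5, IP, "Firefox", "images.google.com/picture1"),
    (22, IP, "Firefox", "images.google.com/picture2"),
]

if __name__ == "__main__":
    for name, views in (("1", SCENARIO_1), ("2", SCENARIO_2), ("4", SCENARIO_4)):
        print("Scenario", name, browse_times(views), "total", total_browse_time(views))
```
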


Reporter Resource Sizing


This section provides the supported server information required to operate Reporter.

Access Log Storage


• ProxySGs may send their access logs directly to Symantec Reporter for long-term storage.

• Reporter supports FTP, FTPS, and SCP file transfers. (Reporter 10.1 does not support FTPS and SCP.)

• Access logs are generally transferred and stored as files compressed to a ~6:1 ratio.

Databases
Access log files may be processed into one or more databases.

n A database is roughly twice the size of its compressed access-log files, or half the size of its raw access-log files.

n Locally stored access-log files may be processed into databases using Local Log Sources.

n Remotely stored access-log files may be processed directly into databases using FTP Log Sources.

n Reporter officially supports these FTP servers, although other servers may also work with Reporter:

o Windows FTP (through IIS)

o Linux: VSFTPD

Database Backups
n Customers may choose to create one or more backups of any of their databases.

n Each database backup mirrors the size of its database when the backup occurred.

RP-S500 Appliances
n 24 TB (9.7 TB available)

n RAID 10

n 262144 RAM

n 20 CPU (40 hyperthreaded)

Virtual Appliances
Symantec Reporter 10.5.1.1 supports ESXi 6.0 and 6.5 servers with ESXi Essentials, Essentials Plus, Standard, Enterprise,
or Enterprise Plus licenses. (Versions 10.1 and 10.2 do not support ESXi 6.5.) Your environment and goals determine the
appropriate license. Reporter can operate with the Essentials license; however, if you employ multiple vSphere servers, a
higher-level license is likely required.

The following table provides the Reporter VA per-license specifications.

| VA License | CPUs | Minimum Memory | Maximum Drive Space |
|---|---|---|---|
| RP-V50 | 8 cores | 65536 MB | 2200 GB |
| RP-V100 | 16 cores | 131072 MB | 4400 GB |
| RP-V200 | 32 cores | 196608 MB | 8800 GB |

Note: For more information about licensing, including product behavior when a license is
not valid, see "About Reporter Licensing" on page 8.

Detailed Specifications
The following table provides detailed specifications for all current Reporter 10.x platforms.

• Hardware Appliance (S models)—Specifications according to the hardware model.

• Virtual Appliance (V models)—Values in blue are limited by the terms of the license.

| Hardware Model | RP-S500-20 | RP-V50 | RP-V100 | RP-V200 |
|---|---|---|---|---|
| Drive Count | 24 | 1 | 1 | 1 |
| Minimum Drive Size | 950 | 1950 | 3950 | 7950 |
| Maximum Drive Size | 1050 | 2200 | 4400 | 8800 |
| Drive Limit | 24 | 1 | 1 | 1 |
| Minimum Memory | 262144 | 65535 | 131072 | 196608 |
| Maximum Memory | 262144 | 1048576 | 1048576 | 1048576 |
| Memory Limit | 262144 | 1048576 | 1048576 | 1048576 |
| CPU Count | 40 | 8 | 16 | 32 |
| Minimum CPU Speed | 2750 | 0 | 0 | 0 |
| Maximum CPU Speed | 2850 | 0 | 0 | 0 |
| CPU Virtual Core Limit | 40 | 8 | 16 | 32 |
| CPU Scale Multiplier | 100 | 100 | 100 | 100 |


About Retrieving Logs From the WSS


If your enterprise has a Symantec Web Security Service (WSS) account and is sending web traffic to the service for policy
checks and reporting, you can configure Reporter to download the cloud-based access logs for local processing and
reporting. This provides flexibility across your enterprise.

Communication between Reporter and the Web Security Service requires an API key that you create in the WSS service
portal.

Topography

A—User Group A resides at the corporate location. The access method to route requests to the Web Security Service is
proxy forwarding.

B—User Group B resides at a branch location. The access method is firewall/VPN.


C—User C is a mobile user who connects through the WSS agent or a registered mobile device.

D—The Reporter admin is at the corporate location. Depending on the deployment, the dedicated Reporter FTP server or
Reporter appliance itself receives logs from the Web Security Service over a secure (HTTPS) connection to the destination
directory that you specify.

Note: To retrieve logs from the Web Security Service, Reporter must have access to the
internet.

Additional Information
Upon the first successful communication with the cloud service, Reporter downloads all available log data. After that,
Reporter downloads only new log data.

Each access log contains a one-hour segment of data. Reporter saves log files in the destination directory with date-
formatted file names similar to:

cloud_###_##############.log.gz.

The second numerical portion of the sequence represents the following date/time information:

Year/Month/Day/Hour/Minute/Second

For example, 201911221300 means that the log file was collected by the Web Security Service at 1:00 pm on
November 22, 2019.

Note: The cloud service prevents Reporter from downloading access logs that are less than
two hours old.
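
A completeness check for the downloaded hourly files, as an added example that is not part of the guide or Reporter's own code: it parses the file-name pattern above and lists hours for which no log arrived, which is worth alerting on before reports are trusted. Assumptions: the first numeric portion is treated as an opaque grouping key, the timestamp marks the start of the one-hour segment, and an hour is only expected once the segment plus the two-hour hold has elapsed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# cloud_<digits>_<YYYYMMDDhhmmss>.log.gz, per the pattern shown in the guide.
NAME_RE = re.compile(r"^cloud_(\d+)_(\d{14})\.log\.gz$")
SEGMENT = timedelta(hours=1)   # each access log holds one hour of data
HOLD = timedelta(hours=2)      # logs younger than this cannot be downloaded


def parse_name(name):
    """Return (key, timestamp) for a WSS log file name, or None if malformed."""
    match = NAME_RE.match(name)
    if not match:
        return None
    try:
        stamp = datetime.strptime(match.group(2), "%Y%m%d%H%M%S")
    except ValueError:          # 14 digits that are not a real date/time
        return None
    return match.group(1), stamp


def missing_hours(names, now):
    """Return ({key: [missing hour, ...]}, [names that did not parse])."""
    seen = defaultdict(set)
    unparsed = []
    for name in names:
        parsed = parse_name(name)
        if parsed is None:
            unparsed.append(name)
            continue
        key, stamp = parsed
        seen[key].add(stamp.replace(minute=0, second=0))

    # Newest hour that should already be on disk (assumption, see lead-in).
    cutoff = now - HOLD - SEGMENT
    gaps = {}
    for key, hours in seen.items():
        missing = []
        hour = min(hours)
        while hour <= cutoff:
            if hour not in hours:
                missing.append(hour)
            hour += SEGMENT
        gaps[key] = missing
    return gaps, unparsed


# Constructed directory listing: the 12:00 file never arrived.
SAMPLE = [
    "cloud_123_20191122100000.log.gz",
    "cloud_123_20191122110000.log.gz",
    "cloud_123_20191122130000.log.gz",
    "notes.txt",
]

if __name__ == "__main__":
    print(missing_hours(SAMPLE, datetime(2019, 11, 22, 17, 30)))
```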


Manage Access
Reporter classifies three types of users who can access the web interface: two administrator types and standard users.

About Users
Admins
• Default Administrator—This is the Reporter administrator account that is created when Reporter is installed. The
default administrator has access to all Reporter functions, including administration options and all reports. This
user can be deleted by another administrator, but users cannot delete themselves, and the last administrator on
the system cannot be deleted.

• Administrator—The default administrator can create additional administrator users. Like the default
administrator, these administrators have access to all Reporter functions, including administration options and all
reports.

Standard User
A standard user who logs into Reporter has access to the report databases to which they are assigned. Standard users do
not have access to the Administration page, but they can change their Reporter access password and default email
address.

Proceed to "Create a New Reporter User" on page 36.

About Roles
Reporter allows you to create role-based access control. You can manually assign users to a role or integrate your LDAP
active directory.

Proceed to one of the following to learn more:

• "About Role-Based Access" on page 34

• "About LDAP Integration" on page 42

Add a Consent Banner


When you want your users to agree to certain terms, policies, or conditions, you can force them to click through a
"Consent Banner" before logging in to Reporter. When you implement a Consent Banner, the user must provide consent
before the appliance performs authentication and grants access. This feature is included in Reporter 10.4 and later.


Procedure—Add a Consent Banner


1. Select Administration > General Settings > System Settings > Preferences.

2. In the Consent Banner field, select Display Banner to enable the feature.

3. Optional—To add an image to the banner, click Browse to find the image.

Note: PNG and JPG are the only supported banner image types. The system does not
support images larger than 100KB. All custom banner images are re-sized to no larger
than 500px by 100px. Re-sized images are scaled to a height of 500px or to a length
of 100px.

4. Add the banner text and click Save.

The system displays the text in the banner exactly as you format it in the text box.

5. Log out and log back in to view the new banner.

How a User Logs in to Reporter with a Consent Banner


1. The user accesses the URL for Reporter.

2. The browser displays the Consent Banner.

3. The user provides consent by clicking Accept.

4. Depending on the authentication method, the user logs in to Reporter in one of the following ways:

• Standard: The user enters their credentials and logs in to Reporter.

• Common Access Card (CAC): The user is authenticated with the CAC certificate and the system displays the
home page.

About Role-Based Access


The Reporter administrator can restrict non-admin Reporter user access to a limited report set. Typically, non-admin
Reporter users are IT or HR professionals within an enterprise. IT specialists likely monitor network health and
performance, whereas HR personnel monitor employees' acceptable web use. When you give such users access to
Reporter, you might elect to limit them to report types that fit their roles.

A role is defined as access to database fields. Your Reporter deployment contains at least one database and likely has
multiple. Access logs from a gateway ProxySG appliance populate databases from which Reporter generates the reports.
The report data is defined by database fields. For example, the Content Type field indicates the type of media served in
the transaction. Therefore, you define a role by assigning which database fields are viewable.

To define roles, you must understand what database field provides what data type.

| Field | Description | Suggested Role |
|---|---|---|
| Action | Protocol communication action between client and server (tcp_miss, tcp_hit). | IT |
| Category | Browsed web content category. | HR |
| Cert Svr Domain | The name of the entity that was authenticated. For example, www.example.com. | IT |
| Certificate Category | The authentication category to which a certificate belongs. | IT |
| Certificate Error | The type of error that caused a problem with a certificate or the server's use of the certificate. | IT |
| Cipher Strength | The code for the number of bits used to encrypt web traffic (HTTPS). | IT |
| Client IP | The IP address of the user’s system. | IT |
| Content Type | The type of web media served; for example, PDF file. | IT |
| Group | The (enterprise-defined) group to which the user belongs; for example, Finance or Engineering. | HR, IT |
| Log Source | The IP address of the ProxySG appliance that sent the log files. | IT |
| Malware | The name of any type of malware, spyware, or other malicious code encountered by users. | IT |
| Method | Limited set of browser methods, such as GET, POST, and HEAD. | IT |
| Port | The port over which web content arrived. | IT |
| Protocol | The transport protocol used to deliver web content; for example, HTTP or RTSP. | IT |
| Site | The name of the browsed website. | HR, IT |
| Status | Status response from server; for example: 200/success, 404/not found, 503/not available. | IT |
| User | The user name (requires authenticated usernames in the access logs). | HR |
| User Agent | The application that requested the web content; for example, Mozilla Firefox or QuickTime. | IT |
| Verdict | The policy verdict; for example, allowed or denied. | HR |

Plan the Roles


Symantec recommends planning the roles before attempting to define them in Reporter. Based on the information in
the previous table, you can create a matrix and follow that when you configure Reporter.

Example

User Group/Department Location Admin Role Name Database DB Fields

hub.porter IT (Admin) Corporate Yes Admin All All

jimmy.bond IT; Malware & Security Corporate No IT Security All Client IP, Malware, Cert fields

maya.santos HR; Site B HR Site B No HR San Jose User, Category, Verdict

Planning Form

User Group/Department Location Admin Role Name Database DB Fields

LDAP Group-Based Option
You have the option to integrate your existing LDAP active directory with Reporter, which allows you to assign Group
names to roles. See "About LDAP Integration" on page 42.


Create a New Reporter User


Any Reporter user who has administrative credentials can create new administrative and standard users. For optimal
security, Symantec strongly recommends limiting the number of users who have administrative credentials. You can
create new administrator users and standard users anytime.

Tip: If you plan to employ role-based access, consider creating new standard users after
you define the roles. This is not required, however, as you can edit an existing user and
assign the role.

1. On the Administration > General Settings page, select Access Control > Local Users.

2. Click New. Reporter displays the Create New User wizard.

a. Enter the Username that the user enters to access Reporter. If you have a planning sheet with names, be
sure to enter them exactly as printed. Click Next to move to the next page: Set Password.

Note: Reporter 10.5.x supports usernames with dots, for example:


john.edward.smith

b. Enter a New Password, which is the access credential password for this user; repeat in the Validate
Password field. Again, if you are following a planning sheet, enter the password exactly as printed. If you are
creating the passwords, record them accurately. Click Next to move to the next page: Set Permissions.

c. Select the user type.

• Administrator—The user has full access to Reporter and all roles.

• User—The user has limited access to Reporter. If you select this option, select the role(s) to which this
user belongs (if Reporter contains defined roles).

d. Click Done. The new user displays on the Local Users page.

Created users can now access Reporter when you give them the network address and their credentials.

Specify the Connection Duration


By default, the Reporter Management Console remains indefinitely connected for all users. For more security control, you
can set a time value after which the Management Console disconnects and forces users to re-log in with their access
credentials.

1. On the Administration > General Settings page, select System Settings > Server Settings.

2. In the Web Server Settings > Session Timeout area, slide the time duration bar to set the session time limit.


3. Click Save.

Related Steps
Reporter allows you to define roles based on users or groups (LDAP).

• "About Role-Based Access" on page 34

• "About LDAP Integration" on page 42

• "Define a User or Group Role" on the next page

Define a User or Group Role


Symantec Reporter allows you to restrict user access to all but the reports they require for their positions within the
enterprise. In Reporter, a role is defined by access permissions to which non-admin users are assigned. These permissions
can be as broad as access to an entire database or as granular as access to specific data fields within generated reports.

Tip: Defining user roles requires planning. Before creating roles, Symantec recommends
creating a list of roles within your enterprise and a list of users who require access to
specific report data. See "About Role-Based Access" on page 34 for planning information.

1. From the Reporter Management Console (logged in with administrator credentials), select General Settings >
Reporter Settings > Access Control > Roles.

2. Click New; Reporter displays the Create New Role dialog.

3. Specify the role parameters.

a. Name the role; the more specific the name, the easier it will be to assign your users to their correct roles.
Click Next to move to the next page of the wizard: Permissions.

b. Select the databases that users in this role can access.

c. By default, the role has access to all database fields. To limit the fields that reports in this role display, clear
the unnecessary field options (or select No Fields to clear all options, then select the required options).


d. (Optional) To further limit report data, apply a filter to the role. For example, you want a role that is limited
to report data indicating which users experienced content filtering and policy denials.

e. Click Done. Reporter displays the new role on the Roles page.

Authenticate Users with SSL Mutual Authentication


In mutual SSL authentication, an SSL connection between a client and a server is established only if the client and server
validate each other’s identity during the SSL handshake. The server and the client must each have their own valid X.509
certificate and the associated private key in order to perform SSL mutual authentication.

Certificates and private keys can be stored in multiple locations. On the client, one such location is a Common Access
Card (CAC). However, a CAC card or reader is not required for SSL mutual authentication; you can install the certificates
on your browser and into Reporter's truststore.

The following example describes an SSL mutual authentication transaction.

1. The user requests access to the Reporter Management Console.

2. Reporter presents its certificate to the browser.

3. The browser validates Reporter's certificate. This includes the following checks:

• The certificate subject must match the appliance’s hostname.

• The certificate must be issued by a CA listed in the browser’s Trusted Root Certificate store.

4. The browser confirms that the appliance has the certificate's private key by challenging the appliance to sign
random data. The browser validates the signature using the appliance's certificate.


5. If appliance authentication succeeds, the browser accesses the client certificate and private key using the installed
certificate or CAC. It then presents the certificate to the appliance.

6. The appliance validates the certificate that the browser presents. This includes the following checks:

• The certificate must be issued by a CA included in Reporter's truststore.

• The appliance confirms that the browser has the certificate's private key by challenging the browser to sign
random data. The appliance validates the signature using the browser’s certificate.

• The certificate must have a valid signature and not be expired.

7. If the certificate is validated, the browser is connected to the Reporter service.

8. (If applicable) The appliance presents a Consent banner. The user provides consent.

9. Once connected via SSL mutual authentication, Reporter verifies that the user specified in the certificate's subject is
found in the Reporter user database. If so, the appliance grants access to Reporter.
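
Steps 6 and 9 seen from the server side, as an added example that is not Reporter's own code: the TLS layer enforces the truststore and proof-of-possession checks, and the application then has to map the certificate subject to a known user before granting access. Assumptions: the user name is taken from the subject's commonName, and the function names, user names, and certificate values below are constructed for illustration.

```python
import ssl


def client_auth_context(ca_bundle=None, optional=False):
    """TLS server context that asks the client for a certificate.

    ca_bundle: path to a PEM file holding the CA chain allowed to issue
    client certificates (the role the client-authentication truststore plays).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # CERT_REQUIRED aborts the handshake without a valid client certificate.
    # CERT_OPTIONAL lets the handshake finish, so the application must still
    # refuse requests that arrive with no certificate at all.
    ctx.verify_mode = ssl.CERT_OPTIONAL if optional else ssl.CERT_REQUIRED
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def authorize_client(peercert, known_users, now):
    """Decide access after the handshake; returns (user or None, reason).

    peercert: dict in the shape returned by ssl.SSLSocket.getpeercert().
    known_users: user names present in the local user database.
    now: current time as seconds since the epoch.
    """
    if not peercert:
        return None, "no client certificate presented"
    if now < ssl.cert_time_to_seconds(peercert["notBefore"]):
        return None, "certificate not yet valid"
    if now > ssl.cert_time_to_seconds(peercert["notAfter"]):
        return None, "certificate expired"
    names = [value
             for rdn in peercert.get("subject", ())
             for key, value in rdn
             if key == "commonName"]
    if len(names) != 1:
        return None, "subject must carry exactly one commonName"
    if names[0] not in known_users:
        # A certificate from a trusted CA is not enough on its own.
        return None, "subject not found in user database"
    return names[0], "access granted"


# Constructed certificate data in getpeercert() form.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "jimmy.bond"),)),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2021 GMT",
}

if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Mar 11 00:00:00 2020 GMT")
    print(authorize_client(SAMPLE_CERT, {"jimmy.bond", "hub.porter"}, now))
    print(authorize_client(SAMPLE_CERT, {"hub.porter"}, now))
```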

Prerequisites

Before using SSL mutual authentication, you must meet the following prerequisites:

• The browser must have an X.509 certificate installed that will pass Reporter's client authentication trust validation.
That is, the Certificate Authority (CA) chain for the certificate must first be installed into Reporter's client-
authentication truststore.

• The appliance certificate must be from a CA listed in the browser’s Trusted Root Certificate store. Install any missing
client certificates or custom root CA certificate into the browser. For browser installing instructions, refer to
http://wiki.cacert.org/FAQ/BrowserClients and select your browser of choice.

Set up SSL Mutual Authentication

1. If it does not already exist, create the client authentication truststore:

(config)# ssl create ccl client-authentication

2. Import the root CA certificate(s) and any intermediate certificate(s) required to validate the client certificates into
Reporter's truststore.

# configure
(config)# ssl
(config-ssl)# inline ca-certificate <CA Certificate name>
*** command will prompt for CA contents
(config-ssl)#
(config-ssl)# edit ccl client-authentication
(config-ccl-client-authentication)# add <CA Certificate name>

3. Verify that the certificate was installed in the CA Certificate List (CCL) with the appropriate command:

(config)# ssl view ccl client-authentication


See ssl for more information on the certificate viewing commands.

4. Optional—Make the client authentication method optional; client authentication is off by default.

(config)# security client-authentication set-optional

See security for more information on the client-authentication commands.

5. Import the client-authentication certificate with its CA chain into the browser. This is the same CA chain you
installed in Step 1.

Note

• When SSL mutual authentication is enabled, all devices using Reporter as the host require X.509 certificates. For
example, to access file services and APIs in a mandatory setting, a certificate is required.

• Browsers retain the certificate used. If you have more than one X.509 certificate installed and you want to use a
different certificate, you must close and reopen your browser to change certificates.

• CAC users should remember that they are authenticated and signed in as long as their card is in the scanner. If
users log out of the system but do not remove their card, the system automatically logs them back in.


About LDAP Integration


If your organization uses a Lightweight Directory Access Protocol (LDAP)-compatible database, you can assign LDAP
groups to specific Reporter roles so that the security network administrator can maintain a single-source authentication
directory. For example, if the LDAP database has a user group named HR, you can assign the HR LDAP group to the HR
role you created in Reporter. When users from the HR group log in to Reporter with their LDAP credentials, they are
authenticated and allowed access to the reports that are assigned to that role.

About Nested Groups


Some LDAP directories, such as Active Directory, allow a group to contain other groups. When a group is a member of
another group, it is called a nested group. With nested groups, a user is associated with the groups that are:

• Any group that the user is a member of;

• Any groups those groups are a member of; and

• Any groups those groups are a member of and any groups those groups are a member of.

The nesting continues for as many layers of groups that exist. For example, the directory contains a group called
Engineering, which contains members Engineering A, Engineering B, and Engineering C, all of which are also groups
that contain members (users). With nested groups, a member of Engineering A is also a member of Engineering. When
nesting is enabled on Reporter, all members of Engineering A, Engineering B, and Engineering C have access to the
role assigned to Engineering. Reporter supports nested groups; when nesting is enabled and a group is assigned to a
role, users in all groups in the nest have access to the role. Enable nested group support when configuring access control.
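
How nesting widens role access, as an added example that is not Reporter's own code: it resolves group membership transitively (tolerating membership loops) and reports which users hold a role only because nesting is on, which is the list to review before enabling the option. The directory contents, user names, and function names are constructed for illustration.

```python
def effective_groups(principal, member_of, nested=True):
    """Groups a user or group belongs to, directly or through nesting.

    member_of maps a user or group name to the groups it is a direct
    member of.
    """
    direct = set(member_of.get(principal, ()))
    if not nested:
        return direct
    resolved, pending = set(), list(direct)
    while pending:
        group = pending.pop()
        if group in resolved:       # already expanded; also breaks loops
            continue
        resolved.add(group)
        pending.extend(member_of.get(group, ()))
    return resolved


def roles_for(user, member_of, assignments):
    """Roles granted to a user.

    assignments: list of (ldap_group, role, include_nested) tuples, one per
    group-to-role assignment.
    """
    direct = effective_groups(user, member_of, nested=False)
    nested = effective_groups(user, member_of, nested=True)
    roles = set()
    for group, role, include_nested in assignments:
        if group in direct or (include_nested and group in nested):
            roles.add(role)
    return roles


def access_added_by_nesting(users, member_of, assignments):
    """Map each user to the roles they hold only through nested groups."""
    flat = [(group, role, False) for group, role, _ in assignments]
    report = {}
    for user in users:
        extra = roles_for(user, member_of, assignments) - roles_for(user, member_of, flat)
        if extra:
            report[user] = sorted(extra)
    return report


# Constructed directory modelled on the Engineering example above.
MEMBER_OF = {
    "alice": ["Engineering A"],
    "bob": ["Engineering"],
    "carol": ["Engineering C", "HR"],
    "dave": ["Contractors"],
    "Engineering A": ["Engineering"],
    "Engineering B": ["Engineering"],
    "Engineering C": ["Engineering"],
    "Contractors": ["Vendors"],     # deliberate membership loop
    "Vendors": ["Contractors"],
}
ASSIGNMENTS = [
    ("Engineering", "Engineering Reports", True),
    ("HR", "HR", False),
]

if __name__ == "__main__":
    users = ["alice", "bob", "carol", "dave"]
    for user in users:
        print(user, sorted(roles_for(user, MEMBER_OF, ASSIGNMENTS)))
    print(access_added_by_nesting(users, MEMBER_OF, ASSIGNMENTS))
```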


Connect to LDAP Server


Specify the Lightweight Directory Access Protocol (LDAP) server that Reporter uses to authenticate users. Reporter
supports Microsoft Active Directory and Novell eDirectory with pre-configured settings. You can also create a custom
LDAP server connection.

Prerequisites
To configure these options, you must know:

• The IP address of the primary LDAP server (secondary optional, but recommended).

• LDAP searching access credentials (if required).

• Naming attributes.

• Base DN information.

Procedure
In Reporter on the Admin page.

1. Select General Settings > System Settings > External Servers > LDAP/Directory. Reporter displays the
Create new LDAP realm wizard.

2. Select the LDAP system that your enterprise employs.

• Microsoft Active Directory

• Novell eDirectory

• Other LDAP

Click Next to move to the next wizard screen: Set Name.

3. Name the realm that contains the list of users who will have access to the roles. By default, Reporter allows
disconnected logins, which means that users are able to log in when Reporter cannot connect to its LDAP servers.
For the highest security level, clear the Allow Disconnected Login option. Click Next to move to the next wizard
screen: Set Servers.

4. Enter the LDAP server information.


a. For the Primary LDAP server, enter the Host IP address.

b. The default Port is 389. If you select Use SSL, which secures the connection from the Reporter server to
the LDAP server, the default port changes to 636. If you have configured your LDAP servers to use a
different port, enter it here.

c. (Optional) Enter Secondary Server information. Reporter attempts to connect to this server should the
primary become unavailable.

d. Click Next to move to the next wizard screen: Set Search Credentials.

5. Specify whether Credentials are required to search the LDAP directory.

• No Credentials Required—The LDAP server does not require a password for search access.

• Use Credentials—Selecting this option displays more fields. Enter the LDAP server User Name (FQDN)
and the password required for search access.

Click Next to move to the next wizard screen: Set Naming Attributes.

6. Verify or enter the user attributes.

• If you selected Microsoft Active Directory or Novell eDirectory, Reporter populates the naming
attributes with default LDAP realm values. If your realm information differs, enter the correct attributes.
Otherwise, click Next to move to the next wizard screen: Set Base DNs.

• If you selected Other LDAP, you must enter the naming conventions that match your custom LDAP
configuration and then click Next to move to the next wizard screen: Set Base DNs.

7. Enter all User Base DNs and Group Base DNs that are searchable by Reporter.


Note: Reporter can search multiple trees, but you must add a new realm (base
DN) for each tree by clicking the plus icon. Each realm is searched in the order
shown on this dialog. If a tree contains multiple servers such that no individual
server contains all users, you should set the base DNs at a level in the tree that is
higher than where the servers diverge. You will need to add an additional base
DN for each unique partition in the tree. Reporter requires a base DN for each
partition that is not globally replicated.

• In this example, the first User Base DN is the default location for users in Active Directory for the
example.com company. The first Group Base DN, Builtin, is also the default for Active Directory.

• dc= represents LDAP naming in the directory. The DNS name example.com becomes dc=example,dc=com in
the LDAP naming convention. This is the format that Active Directory uses. Typically, Base DNs are not set at
a dc= level in the directory.

Click Next to move to the next wizard screen: Test Connection.

8. Testing the LDAP server connection is optional but recommended to verify functionality before entering into
production. Click Test LDAP Settings. If any errors occur, click Previous to return to the problematic setting
screen and correct the information.

Following a successful test, click Done.


Assign Roles From LDAP


If your enterprise uses Lightweight Directory Access Protocol (LDAP) authentication, you can assign LDAP groups to
specific Reporter roles. This allows the security network administrator to maintain a single-source authentication system.
For example, if the LDAP system has a user group named HR, you can assign the HR LDAP group to the HR role you
created in Reporter. When users from the HR group enter their username and password to access Reporter, they are
authenticated and allowed access to the reports that are assigned to that role.

For more information about roles, including planning information, see "About Role-Based Access" on page 34.

Prerequisite
Configure Reporter to communicate with your LDAP servers. See "Connect to LDAP Server" on page 44.

Procedure
In Reporter on the Admin page.

1. On the Administration > General Settings page, select Access Control > LDAP Groups.

2. Click New. Reporter displays the Create New Item wizard.

3. Reporter detects the specified LDAP groups.

a. Select an LDAP group to have permissions to access this role.

b. (Optional) Selecting Include nested groups allows all members in the group tree to have access to this
role; if this option is not selected, only members in the specified group have access to this role. For more
information about nested LDAP groups, see "About LDAP Integration" on page 42.

c. Click Next to move to the next wizard screen: Set Permissions.

4. Select a Permissions option and do one of the following:

• Select LDAP Group and select the roles to which this group has access.

• Select Administrator to give this group full access to Reporter.

5. Click Done. The LDAP Groups page contains the new group.


Administrative Tasks
After completing the Reporter initial configuration process, consider completing other configuration tasks, depending on
your network and business requirements.

Recommended Tasks
Set Up Email for Admin Alerts and User Reports
Two Reporter functions require you to set up email communication with your SMTP server.

• Admin Receives Alerts—Receive alerts from Reporter when Warning or Critical thresholds are breached.

• User Emails Report—Reporter users can email reports to other relevant people in the company.

Proceed to "Connect Reporter to an Email Server" on page 54.

Clone
Migrate configuration and user accounts from Reporter 9.5.x to 10.5.1.1.x.

For a series of tasks, proceed to Clone Migration.

Manage Databases
After you create databases and begin generating and managing reports (filters, emailing, and so on), you might
find a need to modify existing configurations.

For a series of tasks, proceed to "Manage Existing Databases" on page 71.

Purge for Disk Space


You can configure Reporter to purge databases or logs based on a schedule or disk capacity threshold.

For a series of tasks, proceed to Purge Critical Disk Limits.

Manually Edit Configuration Files and Databases


• "Manually Edit Configuration Files" on page 99

• "Create Custom Log Fields" on page 77

Other Tasks
• "Upgrade Reporter" on the next page

• "Change the Reporter Interface Language" on page 94

• "Change a Password" on page 96

• "Reset the Administrator Password" on page 97

• License Reporter

• "Set Reporter Email "To" Address" on page 58

• "Define NTP Server Location" on page 59

• "Reference: Web API Parameter Syntax" on page 114

CLI Reference
Some tasks are only available through the Reporter CLI. See CLI Commands.


Upgrade Reporter
Can I downgrade Reporter to a previous version?
Because of continuous, incremental changes to database architecture for each new Reporter version, you cannot
downgrade the Reporter appliance or VA instance to a previous version.

Upgrade Information
Unless stated in this section, there are no known issues when you upgrade Reporter to a newer version. You are not
required to regenerate databases. Reports function as they did before.

Procedure
Before upgrading, do the following.

1. Unload all databases:

a. On the Administration > General Settings page, select Reporter Settings > Data Settings > Databases.

b. In the Actions drop-down list, Unload the appropriate database.

2. Verify that Reporter is not currently processing logs:

a. Admin > General Settings > Data Settings > Log Sources

b. Use the Actions option to halt any processing.

3. Verify that RAID is not performing a re-sync.

# show raid array

You must use the CLI to upgrade Reporter.

1. Log in to MySymantec.

2. Select My Products.

3. Find the row that contains the serial number for your product and click the download icon.

4. Go to the bottom of the page and click Download Software.

Refer to the Getting Started guide for more information.

5. Place the download package on a local web server.

6. On Reporter, enter the following CLI command.


# installed-systems load <url>

7. Enter # installed-systems view to view the installed system.

8. Enter # restart to perform a graceful restart.

9. Reload all databases.

a. Select General Settings > Reporter Settings > Data Settings > Databases.

b. In the row of the database to change, select Unload Database from the drop-down list in the Actions
column.

Log processing automatically resumes.

Review the Release Notes to understand if upgrading to a particular release impacts existing features.

Optimize a Filtered Report


Although Reporter's standard reports are optimized, reports that have additional filters can sometimes take a significant
time to run because no data aggregation has been performed. Reporter 10.4 and later allows you to optimize these
custom reports, allowing them to run more quickly in the future.

Report Optimization Can Impact Resources


Always consider the database size and current resource state before optimizing a report.

• The report optimization process consumes additional memory and disk resources that can impact current
processes. Depending on the size of the database and the number of additional filter criteria, the report operation
process can consume significant resources. Always review your System Diagnostics (Administration > System
Overview > System Diagnostics) before optimizing a report.

• Depending on the size of the database, report optimization can sometimes take hours. The database could be
suspended during that time. However, only log processing and log expiration are affected and will not resume
until optimization is complete.

• Each additional report criterion increases memory and disk usage.

Some Reports are Not Eligible for Optimization


Consider the following:

• If a report has more than three unique database summary or filter columns, it cannot be optimized.

For example, a report summarized by user and filtered by user has a single column. It can be optimized. But, a
report summarized by site and user, and filtered by category and verdict, has 4 unique columns and cannot be
optimized.

• When you optimize a report, time columns are not counted toward the optimization limit.

For example, consider the following two-level summary report that has:

◦ Summary columns for year and week

◦ Filters for day of week to exclude Saturday and Sunday

◦ Filters on category and verdict

This report would only require a pair aggregation optimization on category and verdict. This is because time-based
columns and filter criteria are not included in the unique column list when searching for an aggregation to use
(because the entire database and its aggregations are already organized around per-hour and per-day time
periods).

• When you optimize a report, the data for the entire database is optimized, as is all future data for that filter criteria.
So, if you optimize a user report filtered by site and later create a site report filtered by user, the site report is
already optimized.

Optimize a Report
1. Review the "Report Optimization Can Impact Resources" on the previous page.

2. Select the Reports tab.

3. Create a new filtered report and save it by clicking Save As.

Alternatively, select an existing custom report.

4. Select Actions > Optimize.

5. Confirm that you want to continue with the optimization process.

The system starts the optimization process.

6. Click OK when the optimization is complete to run the report again.

You'll notice the report completes more quickly.

Undo Report Optimization


To undo report optimization, you must edit the configuration file as described in "Manually Edit Configuration Files" on
page 99 and "Create Custom Log Fields" on page 77.

Connect Reporter to an Email Server


To enable Reporter to send administrators alerts when system resources reach specified use levels and to allow users to
email reports to others, you must establish a connection between Reporter and your SMTP server.

Specify the primary and backup SMTP servers to which Reporter connects.

Prerequisites
To configure these options, you must know the following.

• The IP address of the primary and backup SMTP servers.

• Custom SMTP port numbers, if applicable.

• The authentication credentials to these servers.

Procedure
1. On the Administration > General Settings page, select Reporter Settings > System Settings > External
Servers > Email.

a. Enter the Primary SMTP Server IP address or hostname. To add a custom SMTP port, enter the IP address
followed by a colon and port number. For example: 198.51.100.24:587

b. Specify the From address used in emails, for example: SiteBReporter@mycompany.com. This email address
displays in the From field of the sent email and must be a valid address. You can use an existing generic IT
address if you have one or add a new address to your email database.

c. If they are required by the server, enter the SMTP server access credentials.

d. (Optional) Enter the information for a backup SMTP server, if available.

2. Click Save.

Alerts
Administration > General Settings > Reporter Settings > System Settings > Alerts

Configure Reporter to send an alert email to specified recipients when report processing breaches a system resource
threshold setting. Reporter monitors the following resources:

• Disk Storage—The current amount of filled disk space (GBs) and total capacity on the system.

• Physical Memory—The current amount of GBs used by physical memory, the percent used, and total capacity of
the Reporter process.

Use this data to adjust system resources. For example, if the same system consistently sends disk space alert messages,
reconsider your Reporter sizing requirements.

Prerequisite
Configure Reporter to connect to one of your enterprise's SMTP (mail) servers. See "Connect Reporter to an Email Server"
on page 54.

Email Alerts
1. On the Administration > General Settings page, select Reporter Settings > System Settings > Alerts.

2. Specify who receives the alerts.

a. Enter the e-mail addresses of the alert recipients. Typically, this is an IT member who is responsible for
managing Reporter and/or network efficiency.

b. By default, Reporter sends notifications when either the Warning or Critical thresholds are breached. You
have the option to clear one or both (clearing both prevents any notification).

c. (Optional, recommended) To verify that Reporter sends notifications to the correct addresses, click Test
Alert Email.

d. After you verify that the recipients received the test message, click Save.

Alert Levels
Reporter purges based on disk storage critical limits. Set disk-usage critical limits in the Alert Levels section of General
Settings.

1. Select General Settings > Reporter Settings > System Settings > Alerts > Alert Levels.

2. With the slider control, set a Warning level. This setting sends an alert to administrators when disk usage reaches
the chosen limit.

3. With the slider control, set a Critical level. Reporter initiates a purge when disk usage is within 1% of the
Critical limit.

4. Click Save.

Tip: You can restore purge settings back to default by clicking Reset followed by
clicking Save.

Set Reporter Email "To" Address


Reporter enables you to send reports to specified recipients via email. The first time you send a report via email, the email
address you enter in the To address becomes your default Reporter email address. You can change the To address on a
per-report basis without changing the default, or you can change the default.

Tip: If you get the message that email is unavailable, contact the Reporter administrator to
set up the email server.

Follow these instructions to change the default To email address:

1. On the [Administration | Settings] > General Settings page, select Personal Settings > Email.

2. Enter the new email address.

3. Click Save.

Define NTP Server Location


By default, Symantec Reporter obtains the time over the Internet from a pool of NTP servers. If your Reporter
appliance cannot or is not permitted to connect to the Internet, it cannot obtain the proper time for the location and
reports might contain mis-aligned information.

Use a CLI command to define a specific NTP server. For example, your company might have a designated internal NTP
server that provides the time for a regional location.

1. Use a terminal to access the Reporter CLI through SSH. Do not use the serial console. Press 1.

Copyright (c) 2019, Symantec Corporation


Welcome to the Symantec Reporter CLI
Version:10.5.1.1.1.1

-----------MENU----------
1) Command Line Reference
2) Setup
------------------------------

2. Enter enable.

If the administrator set an enable mode password, enter it when prompted.

3. Stop the NTP daemon (process): ntp disable.

4. Initiate a file view with the ntp edit command. Reporter launches a vi editor.

In the file, the following section provides the default NTP server connections.

#Use public servers from the pool.ntp.org project.
#Please consider joining the pool (http://www.pool.ntp.org/join.html).
server ntp1.my_domain.com iburst
server ntp2.my_domain.com iburst

5. Edit these lines to change to the new servers.

server ntp.example.com iburst
server ntp2.example.com iburst

6. Save and exit the file.

7. Restart the NTP daemon: ntp enable.

Monitor Reporter Operations


Reporter provides features that enable you to monitor events and current operations.

The following information describes links on the Administration > System Overview > Reporter System Information
left-side menu. In some cases, you are able to perform executive actions.

View Current Reporter System Overview


The System Diagnostics link provides several metrics. If you are in communication with Symantec Technical Support, you
might be asked to provide information that Reporter displays in this area.

System Overview
• Reporter Version—The current version of Reporter that is installed on the appliance or VA.

• Number of CPUs—The number of CPUs honored by Reporter.

• SSL—By default, Reporter is accessed over a secure connection and this setting is enabled.

• Operating System—The operating system that is currently running on the Reporter system.

• Web Server Port—By default, the Reporter access URL requires port number 8082. For example:
https://192.168.0.1:8082.

• Current Log Lines—The total number of log lines in loaded databases.

The Licensing Information area provides the state and expiration date of the current license.

Tip: VA version—Reporter monitors the system resource configurations against the
specifications in the installed license. If Reporter detects significant differences between
them, it generates an alert event indicating the appliance is running with an unsupported
license configuration.

For the Upload Diagnostics feature, see "Diagnose Reporter" on page 127.

System Resources
This area displays how much of the system resources Reporter is currently consuming. This includes physical memory. If the
Used levels consistently approach the Capacity levels, re-evaluate your sizing requirements.

Database Overview
This area provides a table of database and log processing statistics. The History links provide much more granular
information.

View Current Users and Active Reports


The Active Users/Reports link provides the following information.

• Active Users—Who is logged into this Reporter instance right now, including details such as access privilege
(admin or user) and log in time. If you do not recognize a user access, you have the option to select Actions
> Force User Logout and investigate.

• Active Reports—Provides all of the metrics for a given report that is active right now, including the log source and
database used to generate the report; the output type (such as PDF); the accessing user and their role; and the
current report state. You might need to perform a maintenance task that cannot wait for off-peak hours, which
might require the halt report Action. This information allows you to notify the users.

View the System Event Log


The System Event Log is a record of all Reporter transactions, which can assist you with troubleshooting. See "Diagnose
Reporter" on page 127.

View User-Initiated Information


View Archived Reports
Reporter users can archive (save) a report on the Reporter instance. They might do this to ensure the report remains
accessible while an investigation occurs. An admin has the ability to remove these reports. For example, the local disk
storage might require more space and some reports might be very old. The page provides the report owner's
information so that you can contact them.

View Scheduled Tasks


Reporter users can schedule various report tasks, such as setting specific generation times. The Scheduled Tasks page
displays pending tasks. This page also displays failed tasks, which allows you to monitor task efficiency. The Run Status
field indicates upcoming scheduled tasks (Not Run). If the status is Failed, there was a problem with the report
generation task. Notify the person listed in the User field so they can investigate and re-configure the task. You also
have the ability to alter tasks. For example, an employee who schedules Reporter tasks might no longer be with the
company.

Create a Database
After configuring the ProxySG appliance to upload access logs to an FTP server, you can create a Reporter database (and
associated log source) that processes those access logs.

About Log Sources


Consider the following when planning how to create databases and assign log sources:

• You can configure multiple ProxySG appliances to send access logs to a single directory—whether to the root
directory or a subdirectory.

• No directories can be shared across multiple log sources, even if they are at the top level. This is especially
important when a subdirectory is part of a tree that is owned by a different log source that has the Process
Subdirectories option selected.

◦ If no log sources are processing subdirectories, the rule is that no single directory can be shared.

◦ If a subdirectory is checked by any log source, the rule is that no directories in the log source directory tree
can be shared.

• Never configure a log source to process subdirectories followed by moving the processed log files into a directory
that is under the top directory. This causes an endless log processing loop.

• If you configured the ProxySG appliance to upload access logs directly to the Reporter appliance, you will create a
Local Log Source. A single instance of this source can only process logs from a single directory; however, you can
configure the log source to process log files in any subdirectories under the configured top directory.
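
The directory rules above can be checked against a planned set of log sources before any of them is created. The following Python sketch is an added example, not part of Reporter or of the original guide; the LogSource fields, the rule names and all paths are assumptions made for illustration.

```python
import posixpath
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import List, Optional, Tuple


@dataclass
class LogSource:
    """A planned log source. Field names are illustrative, not Reporter's."""
    name: str
    directory: str                        # top directory the source reads
    process_subdirectories: bool = False  # the Process Subdirectories option
    move_to_folder: Optional[str] = None  # "Move to folder" target, if used


def _norm(path: str) -> PurePosixPath:
    # Drop trailing slashes and resolve "." and ".." so variants compare equal.
    return PurePosixPath(posixpath.normpath(path))


def _within(child: PurePosixPath, parent: PurePosixPath) -> bool:
    # True when child is the parent directory itself or lies below it.
    return child == parent or parent in child.parents


def find_conflicts(sources: List[LogSource]) -> List[Tuple[str, Tuple[str, ...]]]:
    """Return (rule, source names) for every broken directory rule."""
    problems = []
    for i, a in enumerate(sources):
        a_dir = _norm(a.directory)
        # A recursive source that moves processed files back into its own
        # tree picks them up again on the next check: the endless loop.
        if a.process_subdirectories and a.move_to_folder is not None:
            if _within(_norm(a.move_to_folder), a_dir):
                problems.append(("processing-loop", (a.name,)))
        for b in sources[i + 1:]:
            b_dir = _norm(b.directory)
            if a_dir == b_dir:
                # No single directory may be shared, recursive or not.
                problems.append(("shared-directory", (a.name, b.name)))
            elif a.process_subdirectories and _within(b_dir, a_dir):
                # b sits inside the tree that a already owns.
                problems.append(("shared-tree", (a.name, b.name)))
            elif b.process_subdirectories and _within(a_dir, b_dir):
                problems.append(("shared-tree", (b.name, a.name)))
    return problems


# Constructed plan: names and paths are sample values, not from a real system.
PLANNED = [
    LogSource("sg-east", "/logs/east", process_subdirectories=True,
              move_to_folder="/logs/east/done"),
    LogSource("sg-east-dmz", "/logs/east/dmz"),
    LogSource("sg-west", "/logs/west", move_to_folder="/archive/west"),
    LogSource("sg-west-2", "/logs/west/"),
]

if __name__ == "__main__":
    for rule, names in find_conflicts(PLANNED):
        print(rule, ", ".join(names))
```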

Procedure
Follow these steps to create a database that uses a ProxySG log source.

1. Access the Reporter web UI with Admin credentials.

2. Click Administration in the upper-right corner.

3. Select the General Settings tab and then Data Settings > Databases.

4. Create a new database.

a. Click New to open the Create New Database wizard.

b. Set Type—Accept the default ProxySG (main) option.

c. Select Include Advanced Options to configure advanced options in the next screen. Leave this box
unchecked to use the default settings. (See "Advanced Field Settings" on page 67 for custom field creation.)
Click Next.

d. Name the database and click Next.

e. Determine whether to disable Page View Combining. By default, page view combining is enabled.
Deselect the option to disable page view combining.

Note: Disabling page view combining requires the system to use more storage
and processing power.

f. Set the Default check for new log files, or how often this database queries for yet-to-be processed
access logs.

Note: You can configure each Log Source to use this default at different times.

g. Click New Log Source to open the Create New Log Source wizard.

5. Connect to the log source.

a. Select one of the following:

• FTP Server Source — If the ProxySG appliance is configured to upload access logs to a dedicated FTP
server.

• Local File Source — If you configured the ProxySG appliance to upload access logs directly to the
Reporter appliance.

b. Click Next.

6. Name the Log Source; click Next.

7. If you selected Local File Source proceed to Step 9; otherwise, continue to the next step.

8. Enter the FTP Server Source attributes.

a. Select FTP Server Source and click Next.

b. Name the log source; click Next.

c. Enter the FTP server access credentials (Hostname/IP, Port, Username, and Password).

d. Enter the Directory Path to the log files on the FTP server.

e. The default File Pattern value is an asterisk (*). For this initial task, Reporter processes all files with the .log
or .log.gz extensions and ignores all other extensions.

f. If the access log directories contain multiple sub-folders, select Process Subdirectories to ensure that all
content is processed.

g. (Optional) Edit the Number of Retry Attempts and Retry Interval settings.

h. (Optional) Click Show Matching Files to verify that the specified directory contains the correct files.

i. Click Next.

j. Proceed to Step 10.

9. Enter the Local File Source location.

a. Enter the Directory Path to the log files on this Reporter appliance.

Tip: To create a new directory, click the folder icon.

b. The default File Pattern value is an asterisk (*). For this initial task, Reporter processes all files with the .log
or .log.gz extensions (and ignores all other extensions).

c. If the access log directories contain multiple sub-folders, select Process Subdirectories to ensure that all
content is processed.

d. (Optional) Click Show Matching Files to verify that the specified directory contains the correct files.

e. Click Next.

10. (Optional) Specify how often to check this log source for new files. (This setting takes precedence over the schedule
in the Create new database wizard.)

◦ Use Database Default— Reporter uses the same setting as specified in the Create new database wizard.

◦ Custom Schedule—Specify a check time that is different from the database default. For example, the
database checks once daily, but you would like this log source checked only once a week.

Click Next.

11. Specify a post-processing action, or what happens to the log files after Reporter adds the data to the database.

◦ Rename: Append '.done' to the filename — Reporter appends .done to the existing .gz or .log suffix
and leaves the file on the server.

◦ Move to folder—Reporter moves the log files to the specified directory.

◦ Remove: Delete log file— Reporter deletes the log files from the FTP server directory.

Warning: Select Remove only if you are certain that you will never need to
process these logs again.

Click Done to return to the Create New Database wizard. Click Next.

12. Specify how long data will remain in the database. Reporter purges data from the database at the specified dates
and times.

During the data purge, Reporter reclaims RAM. Symantec recommends that you schedule large-scale database
purging during non-production hours.

Tip: Reporter expires a database based on the amount of time since the last
processed log entry—not on when the database was created.

13. Click Next and then click Done. Reporter creates the new database with its associated log source.

Advanced Field Settings


Advanced settings enable an additional configuration tab that allows the creation of custom log fields. The Advanced
Settings tab is enabled by selecting the Include Advanced Options checkbox when choosing which type of log your
database is going to handle. See "Procedure" on page 62 for database creation. The fields created in the Advanced
Settings tab are log fields. See image below for an example of custom log field creation.

Note: A custom log field cannot be removed from a database once added. Custom
database fields can be created in Admin mode in Reporter 10.3 and later. See Create a
Database.

Refer to Other Documentation


With Reporter now deployed, refer to the Reporter 10.x WebGuide and the online Help for assistance with further
configurations and use.

Remove Personally Identifiable Information From a Database


Reporter allows administrators to remove a user's Personally Identifiable Information (PII) from a database. You might
want to do this for privacy reasons or because a user has requested it.

Important Notes About User Information Removal


• PII consists of user names and associated client IP addresses. After removal, that PII information is represented in
subsequent reports by five asterisks ("*****") or all zeros ("0.0.0.0").

• The PII removal process does not alter existing database backups or access log files. Those backups and files will still
contain the user's information.

• The removal operation cannot be undone. If you remove a user's information, you cannot restore it without
emptying the database and consuming the access logs again. Because you cannot restore the user information, be
careful to specify the correct user name(s).

• To ensure all PII is removed, you should also configure your ProxySG appliances to remove the user's data.

• During the PII removal process, no new access log data is added to the database.

• Depending on the number of users and the database size, the removal operation can take some time. You might
want to remove PII during non-peak hours.

Remove User Information


1. Select Administration > General Settings > Data Settings > Databases.

2. Select a database and click Actions > Remove User Info.

3. In the User Data Protection window, select one or more users. Click the user to select it. When the user is selected,
the user is moved to the Remove Data for Users field.

Enter the first few letters of a user name to move to that section of the list. For example, to find the user
williams06, type wi. You can also enter text directly into the Remove Data for Users field or copy text from the
clipboard.

4. Click Submit to remove the user information.

Manage Existing Databases


After you create databases and assign log sources, you might have a requirement to alter database parameters, change
default values, halt processing actions, and so on.

Empty Database
This feature allows you to empty the database while retaining the user roles, schedules, and configurations. This
operation can be used to clear data from a corrupted database. After Empty is finished, the database must be loaded
before log sourcing can start again. The database status might change to corrupt during the empty operation.

1. On the Administration > General Settings page, select Reporter Settings > Data Settings > Databases.

2. In the Actions drop-down list, Unload the appropriate database.

3. In the Actions drop-down list, Empty the appropriate database.

4. Click Yes when prompted to empty the database. A notification saying Database empty started will appear in
the database section.

5. In the Actions drop-down list, Load the appropriate database once the database has been emptied. The database
must be loaded for log sourcing to start.

Note: Administrators can verify if a database has been properly emptied on the
Administration > System Overview page. In the Database Overview section, the
Date Range should return with no data.

Expire Now
This feature allows you to purge the database based on the number of log lines. You can also perform this task on
demand as this task does not need to be scheduled. However, you can set a custom purge limit.

1. Select General Settings > Reporter Settings > Data Settings > Databases.

2. In the row of the database to change, select Expire Database from the drop-down list in the Actions column.

3. Set the amount of log lines to expire and click Expire Now.

Unload a Database to Conserve Resources


Unloading the database takes it offline, which means that it no longer collects data. You might encounter a scenario
where a database is not currently necessary, but you are not ready to completely remove it from the system because it
might be required at a later time. You cannot view reports for an unloaded database and scheduled events for an
unloaded database will not run.

1. Select General Settings > Reporter Settings > Data Settings > Databases.

2. In the row of the database to change, select Unload Database from the drop-down list in the Actions column.

3. The Status column changes from Loaded to Unloaded. (Depending on the size of the database, this process might
require several minutes to complete.)

4. To reload the database, repeat the procedure and select Load Database (if the database is currently unloading, this
option is not available).

Change Database and Log Source Parameters


When you created databases and assigned log file sources, you followed steps in a wizard. For any database, you can
access each of those wizard pages individually and change a parameter.

Note: The default timezone setting is UTC. Modify the settings for your time zone if you
want database expiration to occur in local time.

Database
• Database name

• Log sources

• Database data expiration

1. Select General Settings > Reporter Settings > Data Settings > Databases.

2. In the row of the database to change, select the drop-down list in the Actions column.

3. Select an option to change.

• Set Name — Change the name of the database.

• Set Log Sources — Add or delete the location of folders that feed log data into the database.

• Set Expiration — Change the expiration time frame of access log data.

4. Change the parameter.

5. Click Save.

Note: Clicking Reset reverts the parameters to their previously saved values.

Log Source
• Description (name)

• Folder location

• Post-processing actions

Note: Changing log source options requires halting the log source processing.

1. Select General Settings > Reporter Settings > Data Settings > Log Sources.

2. You cannot change log source parameters while the log source is operating. In the row of the log source to change,
select the drop-down list in the Actions column.

Select Stop Log Source. Notice that the status column displays unloaded. If the log source is processing a log file
when you select Stop Log Source or unload its database, it immediately stops processing the current log file. If
you later reload the database or restart the log source, the log source locates the unfinished log file and completes
its processing first, then resumes normal operation.

3. Re-select the drop-down list in the Actions column and select an option to change.

• Set Description—Change the description of the log source.

• Set Location for Local/FTP File Source—Change the location of this specific log source.

• Set Processing Action—Change what happens to log files after Reporter processes them.

4. Click Save.

Note: Clicking Reset reverts the parameters to their previously saved values.

5. Select the drop-down list in the Actions column again and select Start Log Source. Reporter begins processing
logs from the new or additional locations.

Match Access Log Formats for Filtering


In generated reports, the Reports To, Self, and Live Group filter criteria require Reporter to match the username
format used in the log files sent from the ProxySG appliance. If the formats do not match, these filters return no results.

The username format can be one of the following.

• Login Name—Example: ellen.ripley

• Domain Name\Login Name—Example: EX-LV426\ellen.ripley

• LDAP FQDN—Example: "cn=ellen.ripley,ou=users,dc=bravo,dc=examplecorp,dc=com"

Login Name is the default ProxySG appliance access log and Reporter setting. If the ProxySG username format differs
from the Reporter configuration, perform the following steps.

1. Select General Settings > Reporter Settings > Data Settings > Databases.

2. In the row of the database to change, select Actions > Other Options.

3. In the Username Log Settings area, select the matching format.

4. Click Save.
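
To decide which Username Log Settings format to select, classify the user names that actually appear in the access logs. This added Python example is not part of Reporter; the sample values are constructed around the three examples above, and it assumes that unauthenticated requests are logged with the usual "-" placeholder.

```python
import re
from collections import Counter

# Labels match the three formats listed above.
LOGIN = "Login Name"
DOMAIN = "Domain Name\\Login Name"
LDAP = "LDAP FQDN"

# Heuristic: a distinguished name starts with "attribute=" and has several parts.
DN_START = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=")


def classify_username(value):
    """Return the format label for one logged user name, or None if empty."""
    v = value.strip().strip('"')
    if v in ("", "-"):
        return None  # no authenticated user on this log line
    if DN_START.match(v) and "," in v:
        return LDAP
    domain, sep, login = v.partition("\\")
    if sep and domain and login:
        return DOMAIN
    return LOGIN


def audit_usernames(values, configured):
    """Count formats and list values that the configured format cannot match."""
    counts = Counter()
    mismatched = []
    for value in values:
        fmt = classify_username(value)
        if fmt is None:
            continue
        counts[fmt] += 1
        if fmt != configured:
            mismatched.append(value)
    dominant = counts.most_common(1)[0][0] if counts else None
    return {"counts": dict(counts), "dominant": dominant, "mismatched": mismatched}


# Constructed sample of user name values as they might appear in access logs.
SAMPLE_USERNAMES = [
    "EX-LV426\\ellen.ripley",
    "EX-LV426\\user02",
    "-",
    "user03",
    '"cn=user04,ou=users,dc=bravo,dc=examplecorp,dc=com"',
    "EX-LV426\\user05",
]

if __name__ == "__main__":
    report = audit_usernames(SAMPLE_USERNAMES, configured=LOGIN)
    print("select:", report["dominant"])
    print("values the current setting misses:", len(report["mismatched"]))
```

More than one format in the counts means that some users will not match the filters whichever setting is selected, because only one format is chosen per database.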

Remove User Information


See "Remove Personally Identifiable Information From a Database" on page 68.

Change Cost Calculators


Some reports display data that estimates how much user browsing activity translates to costs. By default, Reporter
estimates the costs at .1 United States dollar per MB and 20 United States dollars per hour. If you do not believe that
these values accurately represent your enterprise costs, you can change the calculation rates. For localization, you can also
change the type of currency.

1. Select General Settings > Reporter Settings > Data Settings > Databases.

2. In the row of the database to change, select Actions > Set Other Options.

3. In the Cost Calculation area, enter new values.

a. From the Currency drop-down list, select the monetary value for your country.

b. Cost per MB field—Reporter uses this value to calculate the cost based on the amount of downloaded
content by each user.

c. Cost per Hour field—Reporter uses this value and estimated user browse time to calculate how much money
each user costs the company.

4. Click Save.

Clicking Reset reverts the values to their previously saved values.

Change Default Report Row Limits


Reporter enables users to e-mail reports to others, download reports to local systems, and store archived versions on the
Reporter server. In some enterprises, access log databases can grow very large, which means performing any of the
aforementioned actions can exceed system capabilities and storage capacities. You can impose limits on how much
of a report is sent or stored.

1. Select General Settings > Reporter Settings > Data Settings > Databases.

2. In the row of the database to change, select Actions > Other Options.

3. In the Report Generation Limits area, enter new values.

4. Click Save.

Tip: Clearing an option removes the limit for that parameter; do so with caution and
understanding of resource impact.

Create Custom Log Fields


You can manually edit database files for the purpose of modifying the log fields to better suit your business
requirements. Reporter 10.3.1.1 — You can use the web interface to create these fields. Symantec strongly recommends
that you use this option.

Warning: Modifying log fields is an advanced task. Symantec strongly recommends that
you have a thorough knowledge of Reporter databases and log fields. Mistakes made while
editing these files will render Reporter inoperable.

About the dbfields.cfg File


The dbfields.cfg file contains information about all log fields that Reporter databases can use. You can add custom log
fields to this file. When creating a custom log field, you must know the type of the new field, such as string, number, or
IP. A best practice is to search this file for the closest definition that matches your new field. For example, if you are
adding a new string field, use the existing cs_method log field definition as a template. If you are adding a new IP field, use
the existing proxy_ip log field definition as a template.

The order of these log field definitions is important to Reporter functionality, which is why the block of text must be
copied into the correct place in the list of fields. If your new log field is a non-counter column (string or IP), then you
should place it above the hits field. If it is a counter field (number), place it above the cost_bytes log field.

The following example creates a new string log field (bold code font), which must be placed above the hits log field.
Copy the text for the existing log field.

...
cs_method = {
     label = "_shared.cs_method_fld"
     …other existing data…
     string_bag_field = "false"
}#cs_method
… other log fields…
cs_username= {
     label = "custom_field"
    … other copied data…
     string_bag_field = "false"
}#cs_username
hits = {

Modify the copied data to create your custom log field. Change the label value to reflect the label(s) that display in the
Reporter user interface.

Tip: If a user changes the browser language, these new labels are not localized.


Change the first and last line of the configuration node to create a new handle for this log field—this handle is used when
editing the database configuration file (described in the next step). When creating a new handle, do not use spaces or
special characters. Leave the other data as is. When completed, the dbfields.cfg should look similar to the following for a
new string log field.

Original                             Custom

cs_method = {                        MyCustomDBField = {
   label = "_shared..."                 label = "MyCustomField"
   plural_label = "_shared...           plural_label = "CustomFields"
   type = "string"                      type = "string"
   format_type = "string"               format_type = "string"
   filterable = "true"                  filterable = "true"
   relative_width = "1"                 relative_width = "1"
   time_based = "false"                 time_based = "false"
   url_field = "false"                  url_field = "false"
   category_field = "false"             category_field = "false"
   counter_field = "false"              counter_field = "false"
   hidden_from_base = "true"            hidden_from_base = "true"
   hidden_from_deadend = "false"        hidden_from_deadend = "false"
   dataset_field = "true"               dataset_field = "true"
   internal_field = "false"             internal_field = "false"
   ip_field = "false"                   ip_field = "false"
   string_bag_field = "false"           string_bag_field = "false"
} # cs_method                        } # MyCustomDBField

Tip: "Reference: Log Fields" on page 107

Procedure: Customize the Database Files


Step 1—Create a database.
Create a database in Reporter. During the database creation process (wizard), do not specify log sources. Ignore the
warning that indicates that the database will not contain data. Upon creation completion, Reporter displays the list of
available databases.


Tip: See "Create a Database" on page 62. If you perform edits to an existing database, you
must rebuild the database to enact the changes.

Step 2—Stop the Reporter service.


1. Use a terminal to access the Reporter CLI via SSH. Do not use the serial console.

Copyright (c) 2019, Symantec Corporation


Welcome to the Symantec Reporter CLI
Version:10.5.1.1.1.1
-----------MENU----------
1) Command Line Reference
2) Setup
------------------------------

Press 1.

2. Enter enable and provide the password.

3. Enter stop-reporter to halt the Reporter service. (This does not shut down the appliance.)

Step 3—Edit the dbfields.cfg file to add custom fields.


As described in the section above, you can edit the dbfields.cfg file to add new log field(s) to be made available in
reports. This file is located in the configure directory.

1. To begin editing, enter the following command.

configure edit dbfields.cfg

Reporter copies the current file to a restricted directory and launches a vi editor to access the copy.

2. Edit the file as necessary.

3. After you complete the edits, close the vi editor. Reporter displays a diff of the changes—the original setting and
the revised—which allows you to verify the edits and syntax.

4. Enter configure commit <file_name>. Keep in mind that this saves only the edits; the changes do not take effect
until you restart the Reporter service.

Tip: If you want to back out the changes, enter configure discard <file_name>,
which reverts the file to its previous state.


Step 4—Locate the database file(s) that must use the new fields.
For the reports to contain the customized points of data, you must edit each database file in three places. First, locate the
file.

1. Enter the following command.

configure list databases

Reporter displays a list of all created databases.

2. If you do not know which database you want to edit, you must open each one and read the header. To view a
database, enter the following command.

configure edit databases/<filename>.cfg

For example:

configure edit databases/database_e0dee9700d8711e68ae3f249de84051e.cfg

3. After you locate the correct file, proceed to Step 5a; if the file in view is not correct, enter configure discard
<file_name> and perform the previous step on the next candidate.

Step 5a—Add the new field to the list of fields for this database.
You must edit the database file in three places. The first edit is to add the new field to the field list.

• In the database configuration file, locate the line containing fields = located just below the database = {
configuration node.

• Locate the log field that you used for your template and copy that section of the configuration file. The order of
these fields is important to Reporter functionality and you must put the new log field in the correct place.

• If your new log field is a non-counter column such as string or IP, paste the section above the hits field.

• If it is a counter column (number), paste it above the cost_bytes section.

• Edit this portion to match the new database handle you created in dbfields.cfg.

Consider the following new string database example.

...
MyCustomDBField = {
    case_insensitive = "false"
} # MyCustomDBField
hits = {
    case_insensitive = "false"
} # hits
...


Step 5b—Add the new log field to the field order for this database.
The second edit amends the order in which Reporter processes fields. Locate the line containing field_order = {. This is a
list of fields for the database. They are numbered beginning from 000. The order of these fields is important to Reporter
functionality, so you must add the new log field in the correct place:

• If the new log field is a non-counter column (string or IP), add it above the hits field in the list, which positions it as
the last non-counter field.

• If it is a counter column (number), add it above the cost_bytes field. This puts it as the last counter column. The
cost, url, and categories_text fields are calculated fields and must come last.

• You must renumber the fields to allow for the newly added field.

Consider the following example.

...
   031 = "x_rs_certificate_hostname_category"
   032 = "x_rs_connection_negotiated_cipher_strength"
   033 = "MyCustomDBField"
   034 = "hits"
   035 = "page_views"
...

Step 5c—Add the new log field to the database.


The database configuration file contains a list of log fields that relate the fields from the logs to the fields in the
database. The third and final edit is to add the new field.

• Locate the line in the database configuration file that contains log = {. Below this are multiple groupings of
configuration data (processing, format, search_engines, and fields).

• Locate the fields = { contained in the log section. You must add a new field in this section.

• Locate the field that you used previously for your log field template (a previous example used cs_method).

• Copy that section of configuration information and paste it below as a new log field. The order is not critical in this
configuration.

• Change the handle of the new configuration node to the handle of the new log field.

• Edit the name of the log field. This is the same name of the column found in the logs obtained from the ProxySG
appliance. You must also edit the db_field value to be the handle of the new custom log field.

The following example demonstrates a completed edit.

...existing log fields...

x_rs_certificate_negotiated_cipher_strength = {
   type = "flat"
   index = "0"
   name = "x_rs_certificate_negotiated_cipher_strength"
   db_field = "x_rs_certificate_negotiated_cipher_strength"
} # x_rs_certificate_negotiated_cipher_strength
MyCustomDBField = {
   type = "flat"
   index = "0"
   name = "field_name"
   db_field = "MyCustomDBField"
} # MyCustomDBField
day_of_week = {
   type = "flat"
   derived_from_1 = "date"
} # day_of_week
...more existing log fields...

Step 6—Commit changes and restart the Reporter service.


After you complete the custom edits, perform the following.

1. After you complete the edits, close the vi editor. Reporter displays a diff of the changes—the original setting and the
revised—which allows you to verify the edits and syntax.

2. To save the changes, enter configure commit <file_name>. Keep in mind that this saves only the edits; the
changes do not take effect until you restart the Reporter service.

Tip: If you want to back out the changes, enter configure discard <file_name>,
which reverts the file to its previous state.

3. To restart the Reporter service, enter start-reporter.

4. Access the Reporter web UI.

5. Assign log sources to the new database and generate reports.

Tip: After you restart the Reporter service (described in the following procedures), the
Reporter CLI displays lines as various processes start up. If any lines contain ERRO as part of
the code, a configuration error occurred. Review the files you edited and rectify the errors.
Furthermore, if you perform and commit edits and attempt to access the Reporter
Management Console but it is unresponsive, you likely committed erroneous syntax.
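The field_order edit in Step 5b is easy to misnumber by hand. The following added example (not part of the Symantec guide or the Reporter product) inserts a handle above hits or cost_bytes and renumbers the list from 000. The sample field list is constructed, and reading "no spaces or special characters" as letters, digits, and underscore is an assumption.

```python
import re

# One field_order entry, for example:   033 = "MyCustomDBField"
ENTRY = re.compile(r'^\s*(\d{3})\s*=\s*"([^"]+)"\s*$')

# Assumption: "no spaces or special characters" is read as letters, digits and
# underscore, the character set of the handles shown in the guide.
HANDLE = re.compile(r'^[A-Za-z0-9_]+$')

# Constructed sample of a field_order body (not taken from a real database file).
SAMPLE_FIELD_ORDER = """\
   000 = "date"
   001 = "cs_method"
   002 = "x_rs_connection_negotiated_cipher_strength"
   003 = "hits"
   004 = "page_views"
   005 = "cost_bytes"
   006 = "cost"
   007 = "url"
   008 = "categories_text"
"""


def parse_field_order(text):
    """Return the field handles in order, checking the 000-based numbering."""
    handles = []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = ENTRY.match(line)
        if match is None:
            raise ValueError(f"not a field_order entry: {line!r}")
        number, handle = int(match.group(1)), match.group(2)
        if number != len(handles):
            raise ValueError(
                f"expected index {len(handles):03d}, found {number:03d}")
        if handle in handles:
            raise ValueError(f"duplicate handle {handle!r}")
        handles.append(handle)
    return handles


def insert_field(text, new_handle, counter=False, indent="   "):
    """Insert new_handle above hits (string/IP) or cost_bytes (number), renumbered."""
    if not HANDLE.match(new_handle):
        raise ValueError(
            f"handle {new_handle!r} contains spaces or special characters")
    handles = parse_field_order(text)
    if new_handle in handles:
        raise ValueError(f"{new_handle!r} is already in field_order")
    anchor = "cost_bytes" if counter else "hits"
    if anchor not in handles:
        raise ValueError(f"anchor field {anchor!r} not found")
    handles.insert(handles.index(anchor), new_handle)
    lines = [f'{indent}{i:03d} = "{h}"' for i, h in enumerate(handles)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(insert_field(SAMPLE_FIELD_ORDER, "MyCustomDBField"))
```

Run it on a workstation against a copy of the field_order entries, then make the same edit in the appliance's vi session.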

Additional Information: Index Pairs and Triplets


The following Symantec Knowledge Base article describes how to add index pairs and triplet pairs, which can optimize
performance:

article.TECH241380.html


Database Backup
Reporter allows administrators to back up databases. This operation can be done from the Manage Backups interface or
from the CLI command terminal. Administrators using Reporter 10.3 and later should use the Manage Backups feature
in the web UI. For versions prior to 10.3, see "About CLI Database Backup" on page 88.

Database Backup Properties and Requirements


• In Reporter 10.5.x and later, all Reporter backups are saved to the db_backups directory. The db_backups
directory is located in the access log folder where local log sources are saved—/db_backups.

• On upgrade to Reporter 10.5.x, all existing backups are moved into the db_backups directory.

• Each Reporter database backup is saved in a subdirectory named with a Reporter database ID and timestamp. For
example: ae7729501cfd11eabc4cf5007a1a14df_1576521144. Do not change the name of the database backup. If
you change the name, Reporter will not recognize the backup.

• A larger Reporter appliance is recommended when storing multiple databases or large databases.

Create, Update, and Restore Backups


Reporter provides the ability to create and manage database backups using the Manage Backups feature.

Manage Backups
1. On the Administration > General Settings page, select Reporter Settings > Data Settings > Databases

2. Click on the Actions arrow and select Manage Backups to access the interface.


Backup Types
This section is for additional information on the Manage Backup feature user interface. You can create or update two
kinds of backups:

• Stable — Created or updated from an unloaded database. The backup data is fully up-to-date from the time the
database was unloaded.

• Unstable — Created or updated from a loaded, actively processing database. The backup data is mostly up-to-date
but not completely.

To create or update a stable backup using the CLI you must stop Reporter completely (stop-reporter). To create or
update a stable backup using the web UI you can unload the specific database before creating or updating it.

Creating or updating unstable backups permits you to perform the backup while log data and reports are actively being
processed. When the unstable backup is completed you can unload the database to complete the backup—thereby
putting the database into a stable state—and then quickly reload the database. Database down time is thus kept to a
minimum.

Actions
• Restore: Restores an unloaded database to a previous state.

• Update: Updates the backup to reflect the current state of the database. Use Update to stabilize an unstable
backup, after you have unloaded the database.

• Delete: The backup is deleted.

Create a Database Backup

The following instructions are for creating a new database backup using the Manage Backups feature. Remember that
when you create a backup of a loaded database it will be unstable until you unload it and then update it.

1. Access the Manage Backups interface.

2. Select Create New Backup to create a backup of your selected database.


Tip: Local time is used when creating a backup. This time can be changed in System
Settings > Preferences. See Set Report Date and Time Format.

Update a Backup

Use Update to update a backup to the current state of the selected database.

1. On the Administration > General Settings page, select Reporter Settings > Data Settings > Databases.

2. If you want a stable backup, click the Actions arrow and select Unload Database. Otherwise, go to the next step.

3. Click the Actions arrow and select Manage Backups.

4. For the desired backup click the Actions arrow and select Update.

Caution: If you are updating a stable database it becomes unstable. To make it stable you
would need to unload the database, update the backup, and then reload the database to
make it stable.

Restore a Database

Use Restore to recover an unloaded database to a previously saved state. In Reporter 10.x an unloaded database is in
one of three states:

• Unloaded — The database has been unloaded.

• Restored — The database has been restored.

• Emptied — The Empty action has been completed.

You may restore a stable database that is in any of these three states; however, restoring a Restored database from the
same backup would have no effect.

Follow the instructions to restore a database from a backup.

1. On the Administration > General Settings page, select Reporter Settings > Data Settings > Databases.

2. If the database is not already unloaded, click on the Actions arrow and select Unload Database.

3. Access the Manage Backups interface.

4. For a stable database click the Actions arrow and select Restore.

5. When the Restore action has finished—a process that may take a long time for multiple-terabyte databases—click
the Actions arrow for the database and select Load Database.

6. If you go back to the Manage Backups interface you will see that the Last Action for the backup is now Restore.

View Backup Files

Unless specified otherwise, all Reporter database backups are saved to the folder db_backups. You can view your saved
database backups using the following CLI command:


# access-logs list-dirs

To view only the saved database backups in the db_backups directory:

# access-logs list-files db_backups/<full path to backed-up files>

Export Backup

To export your database backups do the following:

1. Enable FTP, FTPS, or SCP. See Server Settings.

2. Use an FTP, FTPS, or SCP client to move the database backup to the new location.

Import Backup

To import your database backups do the following:

1. Enable FTP, FTPS, or SCP. See Server Settings.

2. Use an FTP, FTPS, or SCP client to move a database backup from a remote directory to the db_backups directory.

After you have imported the database backup to Reporter, you can manage it like any other Reporter database backup.

Delete a Backup

To free up disk space you may want to delete older backups.

Warning: Deleting a backup is permanent. You cannot undo this action.

Follow these instructions to delete a backup.

1. On the Administration > General Settings page, select Reporter Settings > Data Settings > Databases.

2. For the database whose backup(s) you want to delete click the Actions arrow and select Manage Backups.

3. In the Manage Backups interface, for the backup to delete click the Actions arrow and select Delete.


About CLI Database Backup

Warning: Manage Backups is recommended for creation and management of Reporter
databases. The UI for Manage Backups is available in Reporter 10.3 and later. See "Create,
Update, and Restore Backups" on page 83

The following instructions are for creating a database backup using the CLI command terminal. Reporter can back up and
maintain multiple databases from the CLI command terminal. Reporter database backup should be performed while
Reporter is offline. If Reporter is online when the backup starts, the backup database will be marked as unstable. An
unstable database does not mean it is broken.

See CLI Commands for a list of CLI commands and sub-commands.

CLI Backup Functionality


Use the CLI to Create a Database Backup

The following instructions are for creating a new database backup from the CLI command terminal. Reporter must be
stopped before creating a stable backup when using the command line. See CLI Commands for stop-reporter usage.

1. In the CLI enter enable mode.

2. Type stop-reporter

3. To see the current list of databases for which you can create a backup, enter dbbackup list create

4. Type dbbackup create <database index number>

5. Enter y to confirm the backup creation.

Warning: After the backup process begins do not attempt to interrupt it by pressing
Ctrl+C. As of Reporter 10.3, if you interrupt a backup it will enter the "busy" state but will
never complete. The only way to recover is to restart the appliance (not just Reporter). After
Reporter is back online, the backup will be in a Failed state, and you can either update or
delete it.

Use the CLI to Restore From a Database Backup

Follow these instructions to restore a database from backup. A database cannot be restored from the command line if
Reporter is online.

1. In the CLI enter enable mode.

2. Type stop-reporter

3. To see the current list of backups that can be restored to databases, enter dbbackup list restore


4. Type dbbackup restore <backup index number>

5. Enter y to confirm the restoration from backup.

Use the CLI to Delete a Database Backup

To free up disk space you can delete older backups. You cannot delete a backup if Reporter is online.

Warning: Deleting a backup is permanent. You cannot undo this action.

1. In the CLI enter enable mode.

2. Type stop-reporter

3. To see the current list of database backups that can be deleted, enter dbbackup list delete

4. Type dbbackup delete <backup index number>

5. Enter y to confirm the deletion.


Download Logs From the WSS


The Symantec Web Security Service provides an API that allows you to configure Reporter to receive access logs generated
by the service. This allows you to use your current Reporter configuration to generate reports based on data from all
sources that connect to the cloud for security and policy processing.

Tip: If you configure cloud log download on the Reporter appliance rather than using a
dedicated FTP server, a single instance of a Local File Source can process logs only from a
single directory on Reporter; however, you can configure the log source to process log files
in any subdirectories under the selected top directory.

Tip: To learn more, see "About Retrieving Logs From the WSS" on page 29.

Two configurations comprise the solution.

1. In the Web Security Service portal, generate an API key.

2. Create a Reporter database that uses the cloud service log source.

Prerequisites
• Your enterprise must have a Web Security Service and you must have a password to access the Admin portal.

• The Reporter appliance must have access to the Internet to receive logs from the Web Security Service. If your
current Reporter deployment inhibits Internet access, consider installing another instance of Reporter at the
external network edge. Then automate or otherwise move the log files to the existing server.

Generate an API in the Web Security Service


1. Access the Web Security Service portal: https://portal.threatpulse.com.

Log in with Admin credentials.

2. In Service mode, select Account Maintenance > Account Provisioning > MDM/API Keys.

3. Create an API for Reporter.


a. Click Add API Key. The portal displays the Create API keys dialog.

b. Name the API and set the Password (record these, as they are required during the Reporter configuration).

c. Click Add.

4. Select the new key and click Enable.

Create a WSS Log Source in Reporter


Use the Web Security Service API to create a secure connection between the service and Reporter.

1. Log in to Reporter and select Administration > General Settings > Reporter Settings > Data
Settings > Cloud Log Source.

2. Set the destination, log check schedule, and log deletion.


a. Select Enabled.

b. For Synchronization Type select one of the following:

• Real-time Integration—Download log files in real time.

• Periodic Download—Download log files according to a schedule. Set the Schedule of how often
Reporter checks for new logs from the cloud service.

The shortest increment is one hour, because all cloud log files contain one hour of data. By design, the
Web Security Service prevents Reporter from downloading logs that are less than two hours old.
Given that the minimum time chunk is one hour, you will need to allow some time for the data to
accumulate in the destination directory.

c. For Download logs dated beginning, select the age of the logs to download as soon as you click Save.

• Use the selector to specify a beginning Date.

• Select 90 days ago to download the past three months of logs.

• Select Current Hour if you do not want to download older logs.

d. Select the Destination Directory, which is the folder on the Reporter appliance that stages the Web Security
Service access logs.


Tip: To create a new directory click the folder icon.

e. Enter the Cloud API Username and Cloud API Password that you defined in the Web Security Service
portal.

f. Click Test Username and Password. If the test fails, check the API key in the Web Security Service portal
(Service mode Account Maintenance > API Keys). Also check the external connection.

g. Select Enable automatic deletion of cloud log files older than <X> days to limit the age of the
Web Security Service log files in the designated directory.

h. If you select the previous check box you can select Enable emergency deletion of cloud log files when
disk usage reaches "Critical" level, retaining at least <X> days to automatically delete as many
Web Security Service log files as needed to reduce disk usage to below the Critical level, while leaving the
number of specified days. Go to Administration > General Settings > Reporter Settings > System
Settings > Alerts to specify the Critical level.

3. Create a new database that points to this log source, or add this new log source to an existing database if you
want to achieve more unified reporting.


Change the Reporter Interface Language


If your access log data was generated in a supported language, you can change the language of the Reporter Management
Console.

Supported Languages
• Chinese (Simple and Traditional)

• English (UK)

• English (US)

• French

• Japanese

How Do I?
You must change the language before logging in (you can log out and change the language at any time). The list is located
on the bottom-right corner of the log in screen.


Convert International Domain Names


An Internationalized Domain Name (IDN) is one that contains non-ASCII characters; for example, Asian-language
characters. If the Access Logs contain this type of data, you can configure Reporter to convert these characters to
Punycode.

1. On the Administration > General Settings page, select System Settings > Server Settings.

2. In the Report Generation area, select Enable Internationalized Domain Names.

3. Click Save.


Change a Password
Logged-in Reporter users can change their access passwords.

Notes
• You are not allowed to change your password if you accessed Reporter using your LDAP access credentials. If you
are unsure about this, contact your network security IT representative.

• The initial Reporter admin has the ability to remove other admin users.

Procedure
1. On the [Administration | Settings ] > General Settings page, select Personal Settings > Change Password.

2. Enter your initial password, followed by your new password twice.

3. Click Save.

Also see: "Reset the Administrator Password" on the facing page and password-policy.


Reset the Administrator Password


When you or someone in your organization performed the initial configuration of the Symantec Reporter appliance, you
defined the initial Admin password to accompany the default admin username. These credentials identify the person who
has total access to the Reporter appliance and the Management Console (user interface). If you lose or cannot remember
this password, you can reset it without losing all of your configurations.

Prerequisites
• Physical access to the appliance.

• Connection:

   ◦ Physical appliance: Serial Port

   ◦ VA: Open console on the hypervisor.

Procedure
1. After you gain access to the console, press Enter three times to activate it.

Welcome to the Symantec Reporter CLI


Version:10.5.1.1.1.1
Copyright (c) 2019, Symantec
-----------MENU----------
1) Command Line Reference
2) Setup
------------------------------

2. Press 2 to enter the setup wizard and reset the password.

3. Given that this appliance is already set up, the Network Settings values are already populated. Assuming that you
want to retain these settings, press Enter for each option.

Type new value to change the setting or ENTER to accept the current setting
Select Network Interface Controller (NIC) to use from available list:
1. NIC 0:0 (link) [Active]
2. NIC 1:0 (link)
3. NIC 1:1 (no link)
Use NIC [1]:
IP address [192.168.15.1]:
Netmask [255.255.255.0]:
Gateway [192.168.15.1]:
<snip>

4. The Admin Account section follows the Network Settings section.

Admin Account
Set admin user name [admin]:
Set admin user password [********]: admin_password
Confirm password: admin_password
Admin user name and password successfully set.

Press Enter to accept the current name (admin) and define a new password twice.

Tip: The minimum password length is eight (8) characters; the password cannot
contain dictionary words.

As indicated, the Admin password is reset.

Tip: When the CLI prompts you for the Enable mode password, enter the Admin password.
As of version 10.1.5, they are the same; you no longer are required to maintain two separate
passwords.

Also see: password-policy


Manually Edit Configuration Files


Access configuration files that are hosted on the appliance to perform custom configurations based on your enterprise's
requirements. For example, change the currency units that display in reports or change the SSL connection settings per
TLS setting.

Warning: Symantec considers accessing and editing configuration files an advanced task.
Only perform this if you are knowledgeable about Reporter. Changing these settings might
adversely affect your Reporter deployment.

You can safely view the configuration files without committing any changes. This can help you plan your changes and
verify with necessary personnel that such changes are necessary and safe for your environment. However, viewing the
configuration files requires you to stop the Reporter process. Symantec recommends that you perform any viewing or
editing tasks during non-productivity hours.

Tip: This topic provides a high-level procedure for editing configuration files. For the
specific procedure to customize databases, see "Create Custom Log Fields" on page 77.

About the File Editor


The next section describes how to view and modify configuration files, which requires that you access the Reporter CLI.
The first time you invoke the edit sub-command for a specific file, Reporter copies the current version of that file to a
restricted directory and launches the reputable vi editor to access the copy. When you commit the changes, Reporter
moves the modified copy back to its configuration directory, thus overwriting the previous file. If you re-invoke the edit
command on the same file before you commit or discard the changes, Reporter accesses the modified copy. Unless you
immediately complete subsequent editing, Symantec recommends committing or canceling file changes before re-editing
a file.

Global Intelligence Network (GIN) Application Name Mapping


Global Intelligence Network (GIN) application mapping will translate old application names into their new corresponding
categories. All new application names will be included in the configuration file. Users can view and modify the application
mapping in the configuration file. For example, if traffic from Hotmail is reclassified as Outlook traffic, the old Hotmail
traffic will be available under the Outlook application name. See "Procedure: View/Edit Configuration Files" below for
GIN application name mapping.

Procedure: View/Edit Configuration Files


1. Use a terminal to access the Reporter CLI. Do not use the serial console.

2. Enter enable. Enter the enable mode password when prompted.


3. Enter edit-settings list .

Reporter displays the available configuration files and sub-directories. You can browse the lists. If you decide to edit
a configuration, proceed to the next step.

4. Enter stop-reporter. This halts the Reporter service (it does not shut down the appliance).

5. Initiate a file view with the edit-settings edit <file_name> command. For example:

edit-settings edit preferences.cfg

Reporter launches a vi editor. Find the section to view or modify. For example, you want to change the TLS settings.

protocols = {
   http = {
      ssl = {
         ssl_v2 = "false"
         ssl_v3 = "true"
         tls_v1 = "true"
         .
         .
         .

6. If necessary, perform edits to the configuration.

7. After you complete the edits, close the vi editor. Reporter displays a diff of the changes—the original setting and the
revised—which allows you to verify the edits and syntax.

8. Enter edit-settings commit <preferences.cfg>. Keep in mind that this saves only the edits; the changes do not
take effect until you restart the Reporter service.

Tip: If you are uncertain and want to back out the changes, enter edit-settings
discard, which reverts the file to its previous state.

9. Repeat Steps 3 to 8 as necessary to edit other configurations.

10. After you complete all necessary edits, restart the Reporter service.

start-reporter

Tip: If you invoke the start-reporter command without committing changes to any
opened configuration file (edit mode), Reporter flushes those uncommitted changes
and does not make a backup copy.


Troubleshoot
If the Reporter service fails to restart, the Reporter CLI displays the event log output from the start-up sequence. Lines
containing the ERRO code indicate what caused the startup failure and indicate which file(s) must be re-edited to allow a
successful start-up.

Review the files you edited and rectify the errors. Be advised that the Reporter Management Console remains
unresponsive if the service start-up fails.
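A syntax slip such as an unclosed brace is the kind of edit that produces the ERRO lines described above. As an added example (not Symantec's code and not part of Reporter), the following workstation-side check parses a copy of a configuration file and lists which of the ssl_v2, ssl_v3, and tls_v1 entries under protocols > http > ssl are set to "true", covering SSL 2.0, SSL 3.0, and TLS 1.0, all of which the IETF has deprecated. The grammar is an assumption inferred from the fragments shown in this guide, and the sample text is constructed by closing the fragment from step 5.

```python
import re

# Assumed grammar, inferred from the fragments in this guide:
#   name = {            opens a node
#   key = "value"       sets a value
#   } # name            closes a node (the trailing comment is optional)
OPEN = re.compile(r'^(\w+)\s*=\s*\{\s*(?:#.*)?$')
VALUE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*(?:#.*)?$')
CLOSE = re.compile(r'^\}\s*(?:#.*)?$')

# Keys shown in the guide's preferences.cfg fragment; no other keys are assumed.
LEGACY_KEYS = ("ssl_v2", "ssl_v3", "tls_v1")

# Constructed sample: the step 5 fragment with its closing braces added.
SAMPLE_PREFERENCES = """\
protocols = {
   http = {
      ssl = {
         ssl_v2 = "false"
         ssl_v3 = "true"
         tls_v1 = "true"
      } # ssl
   } # http
} # protocols
"""


def parse_config(text):
    """Parse the nested node syntax into dicts; raise ValueError on a syntax slip."""
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        valued = VALUE.match(line)
        if opened or valued:
            name = (opened or valued).group(1)
            if name in stack[-1]:
                # Typical copy/paste slip: a copied node whose handle was not renamed.
                raise ValueError(f"line {lineno}: duplicate name {name!r}")
            if opened:
                node = {}
                stack[-1][name] = node
                stack.append(node)
            else:
                stack[-1][name] = valued.group(2)
        elif CLOSE.match(line):
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        else:
            raise ValueError(f"line {lineno}: unrecognized syntax: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed '{' at end of file")
    return root


def lookup(config, *path):
    """Walk nested nodes; return None when any step of the path is missing."""
    node = config
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def legacy_protocols_enabled(config):
    """Return the legacy protocol keys set to "true" under protocols > http > ssl."""
    ssl = lookup(config, "protocols", "http", "ssl")
    if not isinstance(ssl, dict):
        return []
    return [k for k in LEGACY_KEYS if str(ssl.get(k, "")).lower() == "true"]


if __name__ == "__main__":
    print(legacy_protocols_enabled(parse_config(SAMPLE_PREFERENCES)))
```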


Reference: CLI
Note: For Reporter 10.3 and later go to this page.

The Reporter CLI provides a set of commands through a serial console that allows you to manage and change networking
settings (IP, Mask, Gateway, DNS), configure / change username / password, and generate SSL self-signed certificate.

--------------------MENU--------------------
1) Command Line Interface
2) Setup console
--------------------------------------------
Enter option:

Option 2 begins the guided setup, as described in Install Reporter on a Virtual Appliance.

Option 1 enters basic CLI mode.

Command Sub-Commands Description

CLI Behavior and Command Changes


The following commands have been changed or their behavior has been modified in Reporter 10.3.

| New Command | Old Command | Version | Description / Behavior Change |
| --- | --- | --- | --- |
| licensing | license | 10.3 and later | licensing replaced the license command. |
| shutdown | shutdown graceful | 10.3 and later | shutdown graceful is no longer available. shutdown will perform a graceful shutdown. |


Reference: Ports and Protocols


Consult these tables when deploying Reporter behind a firewall or proxy.

Note: These are the default ports. Some ports can be changed and others not used,
depending on your deployment.

Inbound Connections
| Service | Port(s) | Protocol | Configurable | Destination | Description |
| --- | --- | --- | --- | --- | --- |
| Web UI/API SSL | 8082 | TCP | No | Admin | HTTPS UI access (encrypted) |
| FTP | 21 | TCP | Yes | Local / accesslogs directory | Non-secure access logs file uploads/downloads/inspection |
| FTPS | 990 | TCP | Yes | Local / accesslogs directory | Secure access logs file uploads/downloads/inspection |
| SCP | 2024 | TCP | No | Local / accesslogs directory | Secure access log file uploads |
| SNMP | 161 | TCP | Yes | Admin | SNMP communication |
| CLI SSH | 22 | TCP | No | Admin | CLI management shell access |

Outbound Connections
| Service | Port(s) | Protocol | Configurable | Destination | Description |
| --- | --- | --- | --- | --- | --- |
| LDAP | 389 | TCP | Yes | LDAP server | User authentication |
| LDAPS | 636 | TCP | Yes | LDAP server (encrypted) | User authentication |
| SMTP | 25 | TCP | No | SMTP server | Emails, reports, and event notifications |
| HTTPS | 443 | TCP | No | Symantec | Licensing and updates for products, subscriptions, etc. |
| DNS | 53 | UDP/TCP | No | Domain name server | Hostname resolution |
| FTP | 21 | TCP | Yes | FTP log file server | Access log file upload |
| NTP | 123 | UDP | No | Time server | Network time synching |
| SNMP trap | 162 | TCP | Yes | SNMP trap server | SNMP communication |
| syslog | 514 | UDP/TCP | Yes | syslog server(s) | Sending syslog messages to remote host (disabled by default) |
| Cloud log download | 443 | TCP | No | Symantec WSS | Request download of archived access logs from the Cloud Reporting service |

Required IP Addresses and URLs


| URL | Protocol | Description |
| --- | --- | --- |
| support.symantec.com | https/TCP 443 | Support links to software, support cases, and documentation. |
| upload.bluecoat.com | https/TCP 443 | Upload portal logs and other large files. |
| download.bluecoat.com | http/TCP 80 | Licensing portal; redirects to support.symantec.com |
| esdhttp.flexnetoperations.com | https/TCP 443 | Software portal. |
| device-services.es.bluecoat.com | https/TCP 443 | License related. |


Reference: Log Fields
This section provides a reference table that lists the report field to log field association. Report fields are what comprise
various reports, based on the information contained in the access log. The contents of an access log are determined by
the log field names (which determine what data types are captured during the ProxySG appliance logging process). Some
log field names correlate to absolute data (such as URLs), others derive information from access log variables (such as
browsing duration). For creating and managing custom log fields, see Custom Log Fields.

Log Field Best Practices


Certain access log fields are critical to proper Reporter operation. To prevent Reporter from disregarding some log lines,
the databases require the following fields:

n cs-host, cs-uri-host, or cs-uri-hostname

n sc-status

n cs-uri-scheme

n c-ip, x-client-ip, x-client-address, c-dns or x-cs-username-or-ip

n rs(Content-Type)

n sc-filter-result or x-exception-id

n x-virus-id

For the page view combiner (PVC) to operate correctly, Reporter requires the following additional fields:

Tip: See "About the Page View Combiner" on page 22.

n cs(Referer) or x-cs(Referer)-uri

n x-exception-id or sc-filter-result (x-exception-id preferred)

n sc-filter-category, cs-category, or cs-categories

For the PVC to operate correctly for video reports, Reporter requires the following additional fields:

n cs-host, cs-uri-host, or cs-uri-hostname

n cs-uri-scheme

n c-ip, x-client-ip, x-client-address, c-dns, or x-cs-username-or-ip

n sc-status


n sc-filter-result or x-exception-id

n x-virus-id

n cs-method

n time-taken

n cs-uri-scheme

n s-session-id

To properly populate all default dashboard reports, Reporter requires the following fields in addition to those above:

n cs-username, x-cache-user, cs-userdn, x-radius-splash-username, x-cs-session-username, or
x-ldap-attribute(displayName)

n cs-category, sc-filter-category, or cs-categories

n sc-filter-result or x-exception-id

n cs-host, cs-uri-host, or cs-uri-hostname

n x-bluecoat-application-name

n x-bluecoat-application-operation

To populate all default video reports, Reporter requires the following fields:

n cs-host, cs-uri-host, or cs-uri-hostname

n c-ip, x-client-ip, x-client-address, c-dns, or x-cs-username-or-ip

n x-cache-info

n cs-auth-group or cs-auth-groups

n x-rs-streaming-content
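
The following added example (not part of the Symantec guide) checks an access log's field list against the requirement groups listed above for the databases, the PVC, and the default dashboard reports. It assumes the log starts with a W3C ELFF-style "#Fields:" header line; the sample header is constructed, and the profile names and the way the lists stack on one another are this example's reading of "additional fields".

```python
"""Report which Reporter field requirements an access-log format fails to meet."""

# Each tuple is one requirement; any single field in it satisfies the requirement.
# The groups are copied from the lists in this section of the guide.
DATABASE = [
    ("cs-host", "cs-uri-host", "cs-uri-hostname"),
    ("sc-status",),
    ("cs-uri-scheme",),
    ("c-ip", "x-client-ip", "x-client-address", "c-dns", "x-cs-username-or-ip"),
    ("rs(Content-Type)",),
    ("sc-filter-result", "x-exception-id"),
    ("x-virus-id",),
]
PVC = [
    ("cs(Referer)", "x-cs(Referer)-uri"),
    ("x-exception-id", "sc-filter-result"),
    ("sc-filter-category", "cs-category", "cs-categories"),
]
DASHBOARD = [
    ("cs-username", "x-cache-user", "cs-userdn", "x-radius-splash-username",
     "x-cs-session-username", "x-ldap-attribute(displayName)"),
    ("cs-category", "sc-filter-category", "cs-categories"),
    ("sc-filter-result", "x-exception-id"),
    ("cs-host", "cs-uri-host", "cs-uri-hostname"),
    ("x-bluecoat-application-name",),
    ("x-bluecoat-application-operation",),
]
# Assumption: "additional" means each list stacks on top of the previous ones.
PROFILES = {
    "database": DATABASE,
    "pvc": DATABASE + PVC,
    "dashboard": DATABASE + PVC + DASHBOARD,
}

# Constructed sample header, not taken from a real appliance.
SAMPLE_HEADER = ("#Fields: date time time-taken c-ip cs-username sc-status cs-method "
                 "cs-uri-scheme cs-host cs-uri-path rs(Content-Type) cs(User-Agent) "
                 "sc-filter-result cs-categories sc-bytes cs-bytes")


def parse_fields_header(line):
    """Return the field names from a '#Fields:' header line."""
    prefix = "#Fields:"
    if not line.startswith(prefix):
        raise ValueError("not a #Fields: header line")
    return line[len(prefix):].split()


def missing_groups(fields, profile):
    """Return the requirement groups of `profile` that no logged field satisfies."""
    present = set(fields)
    missing, seen = [], set()
    for group in PROFILES[profile]:
        key = frozenset(group)
        if key in seen:          # the same alternatives appear in several lists
            continue
        seen.add(key)
        if present.isdisjoint(group):
            missing.append(group)
    return missing


def report(header_line):
    """Map each profile name to the requirement groups the log format lacks."""
    fields = parse_fields_header(header_line)
    return {name: missing_groups(fields, name) for name in PROFILES}


if __name__ == "__main__":
    for name, gaps in report(SAMPLE_HEADER).items():
        for group in gaps:
            print(f"{name}: missing one of {', '.join(group)}")
```

With the sample header, the database profile lacks only x-virus-id, which is also a required field for several of the Security reports in the matrix later in this section.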

Main Log Field Names

The following table shows which log field provides the data for each report field. Italicized report field text indicates that the
resulting data is derived (sometimes combined with data from other fields).

| Report Field Name | Log Field Name | Report Field Name | Log Field Name |
| --- | --- | --- | --- |
| cs(Referer) | cs(Referer) | browse_time | Calculated at run-time from user session and stored as database field. |
| c_ip | c-ip | cs_auth_group | cs-auth-group |
| cs_bytes | cs-bytes | cs_host | cs-host |
| cs_method | cs-method | cs_uri_extension | cs-uri-extension |
| cs_uri_path | cs-uri-path | cs_url_query | cs-url-query |
| cs_url_scheme | cs-url-scheme | cs_user_agent | cs(User-Agent) |
| cs_username | cs-username | date | date |
| date_time | date + time | day_of_week | Derived from date |
| hour_of_day | Derived from time. | month | Derived from date |
| requests (same as page views or hits) | Calculated during database generation and stored as database field. | rs_content_type | rs(Content-Type) |
| s_action | sc-bytes | sc_filter_category | cs-categories (or cs-category or sc-filter-category) |
| sc_status | sc-status | time | time |
| total_bytes | cs-bytes + sc-bytes | url | Combined from (uri-scheme://cs-host/cs-url-path[cs-url-query]). |
| verdict | x-exception-id (sc-filter-result if x-exception-id is not present). | week | Derived from date. |
| x_virus_id | x-virus-id | year | Derived from date. |

Reports/Log Fields Matrix


This section provides a table that lists which main-format access log fields are required to populate each pre-defined
report in the User Behavior, Security, and Bandwidth Usage groups on the Reports tab. Use this reference to
understand how log fields relate to report data and aid in your customization of reports.

| Report Field Name | Log Field Name |
| --- | --- |
| date + time | YYYY-MM-DD + HH:MM:SS (GMT/UTC) |
| gmttime | DD/MM/YYYY:hh:mm:ss GMT |
| localtime | DD/MMM/YYYY:hh:mm:ss +nnnn |
| timestamp | Seconds since epoch in UTC/GMT |
| x_timestamp_unix_utc | Seconds since epoch in UTC/GMT |
| x_timestamp_unix | Seconds since epoch in local time |

Main Log Required Field Matrix


These reports are URL-centric; they display reports that reflect browsing activity.

| Report Group | Report Name | Required Fields |
| --- | --- | --- |
| User Behavior | Blocked Web Browsing per User | sc-filter-result, cs-username, cs-bytes, sc-bytes |
| User Behavior | Web Browsing per Category | {cs-categories -or- sc-filter-category}, cs-bytes, sc-bytes |
| User Behavior | Web Browsing per Day | date, sc-bytes, cs-bytes |
| User Behavior | Web Browsing per Day of Week | date, cs-bytes, sc-bytes, time, time-taken |
| User Behavior | Web Browsing per Group | cs-auth-group, cs-bytes, sc-bytes |
| User Behavior | Web Browsing per Hour of Day | time, cs-bytes, sc-bytes, time-taken |
| User Behavior | Web Browsing per Month | date, cs-bytes, sc-bytes, time, time-taken |
| User Behavior | Web Browsing per Site | cs-host, {cs-categories -or- sc-filter-category}, cs-bytes, sc-bytes, time-taken |
| User Behavior | Web Browsing per User | cs-username, cs-bytes, sc-bytes |
| User Behavior | Web Browsing per User and Category | cs-username, sc-filter-category or cs-categories, sc-bytes, cs-bytes |
| User Behavior | Web Searches | cs-uri-query (Also requires Symantec Web Filter (BCWF) to be enabled.) |
| Security | Blocked Web Browsing by User Agent | sc-filter-result, cs(User-Agent), cs-bytes, sc-bytes |
| Security | Blocked Web Sites | sc-filter-result, cs-host, {sc-filter-category -or- cs-categories}, cs-bytes, sc-bytes |
| Security | Filtering Verdict Trend by Day | date, sc-filter-result |
| Security | Malware Requests Blocked by Site | cs-bytes, cs-host, sc-bytes, sc-filter-category, time-taken |
| Security | Potential Malware Infected Clients | c-ip, cs-bytes, cs-host, sc-bytes, sc-filter-category, time-taken |
| Security | Potential Threats | x-virus-id, sc-filter-category |
| Security | ProxyAV Malware Detected: Client IP | c-ip, cs-bytes, sc-bytes, time-taken, x-virus-id |
| Security | ProxyAV Malware Detected: Names | cs-bytes, sc-bytes, time-taken, x-virus-id |
| Security | ProxyAV Malware Detected: Sites | cs-bytes, cs-uri-path, cs-uri-query, cs-uri-scheme, sc-bytes, time-taken, x-virus-id |
| Security | Risk Groups | sc-filter-category |
| Security | SSL Certificate Categories | {cs-username -or- c-ip}, s-action, x-rs-certificate-hostname, sc-bytes, cs-uri-port |
| Security | SSL Certificate Errors | x-rs-certificate-observed-errors, x-rs-certificate-hostname, sc-bytes, cs-uri-port |
| Security | Trend of Potential Threats | x-virus-id, sc-filter-category |
| Bandwidth Usage | Bandwidth Cost per User | date, cs-username, sc-bytes, cs-bytes |
| Bandwidth Usage | Bandwidth Cost per User and Site | cs-username, cs-host, sc-filter-category or cs-categories, cs-bytes, sc-bytes |
| Bandwidth Usage | Bandwidth Used per Day | date, sc-bytes, cs-bytes |
| Bandwidth Usage | Bandwidth Used per Day of Week | date, sc-bytes, cs-bytes |
| Bandwidth Usage | Bandwidth Used per Hour of Day | date, sc-bytes, cs-bytes |
| Bandwidth Usage | Bandwidth Used per Month | date, sc-bytes, cs-bytes |
| Bandwidth Usage | Requests per Content Type | rs(Content-Type), cs-bytes, sc-bytes |
| Bandwidth Usage | Requests per Protocol | cs-uri-scheme, cs-bytes, sc-bytes |
| Bandwidth Usage | Web Requests per Client IP | c-ip, cs-bytes, sc-bytes |


Web Application Reports


| Report Field Name | Required Fields |
| --- | --- |
| Web Application Name | x-bluecoat-application-name, hits, page-views, browse-time, cost-time, total-bytes, cost-bytes, sc-bytes, cs-bytes, cache-bytes, rs-bytes |
| Web Application Operation | x-bluecoat-application-operation, hits, page-views, browse-time, cost-time, total-bytes, cost-bytes, sc-bytes, cs-bytes, cache-bytes, rs-bytes |
| Web Application Detailed Report | x-bluecoat-application-name, x-bluecoat-application-operation, c-ip, total-bytes, cost-bytes, hits, sc-bytes, cs-bytes, page-views, browse-time, cost-time, cache-bytes |
| Web Browsing per Web Application Name and Client IP | x-bluecoat-application-name, c-ip, total-bytes, cost-bytes, sc-bytes, cs-bytes, hits, page-views, browse-time, cost-time, cache-bytes |
| Web Browsing per Web Application Name and User | x-bluecoat-application-name, cs-username, total-bytes, cost-bytes, sc-bytes, cs-bytes, hits, page-views, browse-time, cost-time, cache-bytes |

Video Usage Reports


| Report Field Name | Required Fields |
| --- | --- |
| Client IP Video | c-ip, total-bytes, cost-bytes, sc-bytes, cs-bytes, hits, page-views, browse-time, cost-time, cache-bytes |
| Flash Streaming Bandwidth Cost per Day | date, page-views, browse-time, sc-bytes, rs-bytes, total-bytes, cs-bytes, cache-bytes |
| Group Video | cs-auth-group, total-bytes, cost-bytes, sc-bytes, cs-bytes, hits, page-views, browse-time, cost-time, cache-bytes |
| Video Application Delivery Method | x-rs-streaming-content, total-bytes, cost-bytes, sc-bytes, cs-bytes, hits, page-views, browse-time, cost-time, cache-bytes |
| Video Application Type | x-cache-info, total-bytes, cost-bytes, sc-bytes, cs-bytes, hits, page-views, browse-time, cost-time, cache-bytes |
| Video Applications | x-rs-streaming-content, cs-host, total-bytes, sc-bytes, cs-bytes, hits, page-views, browse-time, cost-time, cache-bytes, cost-bytes |
| Video Page Detail | cs-host, filename, c-ip, sc-bytes, cs-bytes, hits, page-views, browse-time, cost-time, cache-bytes, total-bytes |
| Video Site | cs-host, total-bytes, sc-bytes, cs-bytes, hits, page-views, browse-time, cost-time, cache-bytes |


Reference: Web API Parameter Syntax


The following reference sections describe all parameters to each Web API endpoint. As a general rule, complex parameter
values are pipe (|) separated lists; for example: abc|def|123.

Common Parameters
The following parameters are used by all HTTP endpoints (create, cancel, status, and download).

Parameter: username
Description

A user name that has permissions to log in to the Reporter user interface. As with the web interface, the web API enforces
access control based on identity and roles. The web API also supports both local users and LDAP users.

Example
username=bcrepuser

Parameter: password
Description

A password for a user account that has permissions to log in to the Reporter user interface.

Example
password=bluepass

Parameter: reportId
Description

The reportId that is contained in the response to the /webapi/create request. This parameter is required for all requests
except the /webapi/create request.

Example
reportId=14329


Parameter: responseFormat
Description

The HTTP response type (not the output format of the report). Valid values are xml, html, and plain (default). The
response format applies to the create, cancel, and status endpoints, but not to download.

Example 1

Request:

responseFormat=plain

Response:

reportId:5111890
state:2
percent_done:97
user:user_admin
role:_admin
reportName:Date_Data_12
database:database_5a541ee0aa0e11debf01f18168b313eb

Example 2

Request:

responseFormat=xml

Response:

<result>
<reportId>327774</reportId>
<reportName>test adf asdf</reportName>
<state>2</state>
<percentDone>0</percentDone>
<user>user_9d2f2430aa0e11debf01f18168b313eb</user>
<role>role_866df230aa0e11debf01f18168b313eb</role>
<database>database_42587110aa0e11debf01f18168b313eb</database>
</result>

Parameter: database
Description

Reporter database for the report.

Example
database=secdb1


Parameter: role
Description

User role that will be used for access control.

Example
role=repgenerator

Note: Reporter administrators can use a hidden role named: _admin. This role has access to
all fields and all databases and can be used as the role parameter, the same as a user-
defined role.

Parameter: format
Description

The output format of the generated report. Valid values are csv, pdf, or json.

Example
format=pdf

The default is pdf.

Parameter: label
Description

User-defined name to give to the report.

Example
label=bobreport

Parameter: summarizeBy
Description

List of database fields that provide summary information (similar to SQL GROUP BY). Reports can have up to three
summarizeBy fields. If there are no summarizeBy fields, the report is a Full Log Detail report.

Syntax
summarizeBy=<option>


Examples

One-level report

summarizeBy=c_ip

Two-level report

summarizeBy=cs_username|c_ip

Three-level report

summarizeBy=cs_username|c_ip|cs_host

Two-level report with maximum of five and ten rows respectively for each level

summarizeBy=cs_username|cs_host&rows=5|10

Parameter: columns
Description

List of database fields to display (in addition to the summarizeBy fields).

Examples
columns=hits
columns=hits|page_views

Parameter: rows
Description

Configures the number of rows that are returned for each level of the report. Up to three values can be configured (for
three-level summary reports). Values are pipe (|) separated.

Examples
rows=1000
rows=10|10|10

Parameter: sort
Description

Field name that Reporter uses to sort the data. Only one field is allowed.

Examples
sort=hits


If not specified, the default is to sort by order of summarizeBy fields.

Parameter: action
Description

Action to perform with the generated report. Valid actions are archive, email, and download. The email and archive
actions are the simplest to use: a single HTTP request to /webapi/create generates the report and performs the
specified action. If this parameter is not set, Reporter performs the default action, archive.
Downloading a report is more complicated and requires a sequence of requests to generate the report, verify that the
report is complete, and download the result.

Where Reporter saves the report depends on whether you set the action to archive or download.

n Archive: Reporter saves the report to disk. The report can then be downloaded multiple times.

n Download: Reporter saves the report to system memory. The report can be downloaded only once. After the
report is downloaded, the report is deleted from the system memory.

Note: Reporter will remove a report from system memory if the report is not downloaded
within a certain amount of time.

Examples
action=email

Note: When the action=email, the emailTo parameter is required. The SMTP server on
Reporter must be configured already. See the subsequent emailXX parameters for other
options.

Parameter: emailTo
Description

This parameter is required if action=email. It specifies the primary recipient(s) of the report in RFC822 format.

Examples
emailTo=rptadmin@example.com


Parameter: emailCC
Description

This parameter is available when action=email. It specifies the carbon copy (CC) recipient(s) of the report in RFC822
format.

Example
emailCC=ITwatchlist@example.com

Parameter: emailBCC
Description

This parameter is available when action=email. It specifies the blind carbon copy (BCC) recipient(s) of the report in
RFC822 format.

Examples
emailBCC=ITwatchlist@example.com

Parameter: emailSubject
Description

This parameter is available only when action=email. It specifies the text to be included in the email subject line.

Example
emailSubject=Monday+web+use+reports

Note: To be properly processed by command shells, use either plus signs (+) instead of
spaces or enclose the string in double-quotes (").

Parameter: emailBody
Description

This parameter is valid only if the action is email. Specifies the text to be included in the email message body.

Examples
emailBody=This+report+provides+weekly+web+use+data+for+the+west+coast+office


Note: To be properly processed by command shells, use either plus signs (+) instead of
spaces or enclose the string in double-quotes (").

Parameter: filterN
Description

Reports can contain multiple filters (analogous to the WHERE clause of a SQL query). Each filter is composed of three
components separated by a pipe (|) character: field, operator, and values. If a report includes multiple filter parameters,
the filters are ANDed together; however, if a single filter contains multiple values, the values are ORed together. By
default, no filters are applied.

Examples
filter0=sc_filter_category|IS|*spyware*|*suspicious*

Parameter: graphType
Description

The type of graph to be rendered into the report. This parameter is valid only when format=pdf. Graphs are currently not
supported for two and three-level reports. The valid graph types are Pie, Column, Line, Area, Scatter, Bar, and Stackbar.

Examples
graphType=Pie

Note: If graphType is specified, you must also specify graphColumns. The default is no graph
or report.

Parameter: graphColumns
Description

Indices of the columns to be graphed. Valid only when specifying a graphType.

Examples
graphColumns=1
graphColumns=1|2|3


Note: If graphColumns is specified, you must also specify graphType. The default is no
graph or report.

Parameter: dateRelativeUnit
Description

Specifies a date filter using relative dates instead of absolute start and end times. Valid values are hour, date, week, month,
and year. If dateRelativeUnit is set, dateStart and dateEnd must be the number of relative units (not Unix epoch or an
ISO 8601 string).

Examples
n dateRelativeUnit=week&dateStart=0 // Current week

n dateRelativeUnit=week&dateStart=5&dateEnd=0 // 5 weeks previous to the current week (does not include current week)

n dateRelativeUnit=week&dateStart=5 // Previous 5 weeks (includes current week)

Parameter: dateStart
Description

Configures a beginning date filter. There are three syntaxes for the date:

n Unix epoch (number of seconds since January 1, 1970 UTC)

n ISO 8601 formatted string (for example: 2019-12-31T13:00:00-00:00)

n If dateRelativeUnit is set, it is the number of those units relative to the current time (for example: 5).

n Default—The beginning date is the date of the oldest data.

Examples
n dateStart=2019-12-31T13:00:00-00:00

n dateStart=1254299093

n dateStart=5


Parameter: dateEnd
Description

Configures an ending date filter. There are three different syntaxes for the date:

n Default—The end date is the date of the newest data.

Examples
n dateEnd=2019-12-31T13:00:00-00:00

n dateEnd=1254299093

n dateEnd=5

Parameter: showLast
Description

Only applicable for trend reports (must be summarized by date field): true or false.

End Point: /api/create
Creates a new report definition and begins generation of the report.

Required Parameters
n username

n password

n database

n role

n label

n summarizeBy and/or columns (must have summarizeBy, columns, or both)

Optional Parameters
n format

n sort

n action


n filterN

n graphType

n graphColumns

n dateStart

n dateEnd

n dateRelativeUnit

n emailTo

n emailCC

n emailBCC

n emailSubject

n emailBody

Example—One-level summary report; archived to server


https://<definedIPaddress>:8082/api/create?
username=test&
password=test&
database=mydb&
role=myrole&
label=myreport1&
summarizeBy=sc_filter_category

Example—Two-level summary report; sorted, filtered, and archived to server


https://<definedIPaddress>:8082/api/create?
username=test&
password=test&
database=mydb&
role=myrole&
label=myreport2&
summarizeBy=sc_filter_category|c_ip&
columns=hits|page_views&
sort=c_ip:desc&
filter0=sc_filter_category|IS|Adult/Mature%20Content|Alcohol/Tobacco&action=download
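
The following added example (not part of the Symantec guide and not Symantec code) builds an /api/create URL while enforcing the parameter rules stated in this reference, parses a responseFormat=plain body, and masks the password before a URL is logged, since the API carries credentials in the query string. The function names and the host 192.0.2.10 are this example's own; rejecting values that contain a pipe is an assumption, because the guide does not say how to escape one.

```python
"""Build and handle Reporter Web API requests using the parameter rules in this guide."""
from urllib.parse import quote

FORMATS = {"csv", "pdf", "json"}
ACTIONS = {"archive", "email", "download"}
GRAPH_TYPES = {"Pie", "Column", "Line", "Area", "Scatter", "Bar", "Stackbar"}


def _pipe(values):
    """Percent-encode each value, then join the list with literal pipes."""
    encoded = []
    for value in map(str, values):
        if "|" in value:  # assumption: no documented escape for the separator
            raise ValueError(f"{value!r} contains the list separator '|'")
        encoded.append(quote(value, safe="/*"))
    return "|".join(encoded)


def build_create_url(host, username, password, database, role, label, *,
                     summarize_by=(), columns=(), rows=(), sort=None, filters=(),
                     action=None, fmt=None, email_to=None,
                     graph_type=None, graph_columns=()):
    """Return an /api/create URL or raise ValueError for a rule the guide states."""
    if not summarize_by and not columns:
        raise ValueError("summarizeBy, columns, or both are required")
    if len(summarize_by) > 3 or len(rows) > 3:
        raise ValueError("at most three summarizeBy fields and three rows values")
    if fmt is not None and fmt not in FORMATS:
        raise ValueError("format must be csv, pdf, or json")
    if action is not None and action not in ACTIONS:
        raise ValueError("action must be archive, email, or download")
    if action == "email" and not email_to:
        raise ValueError("action=email requires emailTo")
    if bool(graph_type) != bool(graph_columns):
        raise ValueError("graphType and graphColumns must be specified together")
    if graph_type:
        if graph_type not in GRAPH_TYPES:
            raise ValueError(f"unknown graphType {graph_type!r}")
        if fmt not in (None, "pdf") or len(summarize_by) > 1:
            raise ValueError("graphs require format=pdf and a one-level report")

    params = [(name, quote(value, safe="")) for name, value in (
        ("username", username), ("password", password), ("database", database),
        ("role", role), ("label", label))]
    if summarize_by:
        params.append(("summarizeBy", _pipe(summarize_by)))
    if columns:
        params.append(("columns", _pipe(columns)))
    if rows:
        params.append(("rows", _pipe(rows)))
    if sort:
        params.append(("sort", quote(sort, safe=":")))
    # One filterN parameter per filter: filters are ANDed, values inside one are ORed.
    for n, (field, operator, values) in enumerate(filters):
        params.append((f"filter{n}", _pipe([field, operator, *values])))
    if action:
        params.append(("action", action))
    if fmt:
        params.append(("format", fmt))
    if email_to:
        params.append(("emailTo", quote(email_to, safe="@")))
    if graph_type:
        params.append(("graphType", graph_type))
        params.append(("graphColumns", _pipe(graph_columns)))
    return f"https://{host}:8082/api/create?" + "&".join(f"{k}={v}" for k, v in params)


def redact_url(url):
    """Mask the password value so the URL can be written to logs or tickets."""
    head, sep, query = url.partition("?")
    pairs = []
    for pair in query.split("&"):
        name = pair.partition("=")[0]
        pairs.append(f"{name}=REDACTED" if name == "password" else pair)
    return head + sep + "&".join(pairs)


def parse_plain_response(body):
    """Parse a responseFormat=plain body ('key:value' per line) into a dict."""
    result = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            result[key.strip()] = value.strip()
    return result


if __name__ == "__main__":
    url = build_create_url(
        "192.0.2.10", "test", "test", "mydb", "myrole", "myreport2",  # constructed host
        summarize_by=["sc_filter_category", "c_ip"], columns=["hits", "page_views"],
        sort="c_ip:desc", action="download",
        filters=[("sc_filter_category", "IS", ["Adult/Mature Content", "Alcohol/Tobacco"])])
    print(redact_url(url))
```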

End Point: /api/status
Checks the status of a report. Returns the running time and the percent complete.

Required Parameters
n username

n password

n reportId


End Point: /api/cancel


Cancels a running report.

Required Parameters
n username

n password

n reportId

End Point: /api/download


Downloads the report. To download a report, you must set action=download or action=archive in the create request.
The response is the generated report (CSV, PDF, or JSON).

Required Parameters
n username

n password

n reportId

End Point: /api/listDatabases


Returns a list of databases that the given role can access.

Required Parameters
n username

n password

n role

End Point: /api/listFields


Returns a list of databases that the given role can access.

Required Parameters
n username

n password

n role

n database


Sample Output
Valid values for summarizeBy parameter:
===================================================
year
month
week
...
Valid values for summarizeBy (in Trend Reports):
===================================================
year
month
week
...
Valid values for columns parameter (in a Summary Report):
===================================================
hits
page_views
browse_time
...
Valid values for columns parameter (in a Detail Report):
===================================================
year
month
week
...
Valid values for filter parameter:
===================================================
day_of_week
hour_of_day
c_ip
sc_status
...

Debugging
If you receive an HTTP status code of 400 to 499, it means that the request sent to Reporter was invalid. There are several
reasons for invalid requests, such as invalid field, username, password, and so on. In addition to the generic status code
(for example: 400), Reporter returns a more detailed error message in the body of the HTTP response that explains
which part of the request is invalid and why. Some HTTP tools (such as wget) do not provide access to the response body
for non-200 responses. To debug the issue, enter the URL into the browser address bar (Firefox, Internet Explorer) and
press Enter. The browser displays the detailed error message. For example, the following request:

https://localhost:8082/api/create?username=test&password=test1test&database=draper&role=test&label=report1&columns=date|url|hits|page_views|bogus

Generates the following error message:

httpStatusCode: 400
httpMessage: Bad Request
detailedMessage: Invalid column bogus


Relative Dates
When creating a report (/api/create), you can specify a date filter using absolute units or relative units. Absolute dates
can be specified as the Unix epoch or as an ISO 8601 string. Relative dates are powerful but are slightly more complex.
Relative dates specify date filters in one of the following categories: Current, Previous, and Current and Previous.

If the dateRelativeUnit parameter is set, dateStart and dateEnd define the number of units into the past. The following
are valid units: year, month, week, day, and hour.

It is important to understand that dateStart and dateEnd always represent a point in time that is on a boundary of a
whole unit (year, month, week). A value of zero for dateStart or dateEnd represents the nearest whole unit in the past.
Therefore, if dateStart is set to zero and dateRelativeUnit is set to year, the dateStart represents January 1, of the
current year. If dateStart is set to zero and dateRelativeUnit is set to week, the dateStart represents Sunday of the
current week.

Examples

In the following examples, dateRelativeUnit=year and today's date is 2019-10-01 (YYYY-MM-DD). Thus, dateStart or
dateEnd have the following absolute values:

0 = 2019-01-01 12:00:00 PM GMT
1 = 2018-01-01 12:00:00 PM GMT
2 = 2017-01-01 12:00:00 PM GMT

Current Year: (2019-01-01 to today)

dateRelativeUnit=year&dateStart=0

Previous Year (2018-01-01 to 2019-01-01)

dateRelativeUnit=year&dateStart=1&dateEnd=0

Previous Two Years (2017-01-01 to 2019-01-01)

dateRelativeUnit=year&dateStart=2&dateEnd=0

Current and Previous Year (2018-01-01 to today)

dateRelativeUnit=year&dateStart=1
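
The following added example (not part of the Symantec guide) resolves dateRelativeUnit, dateStart, and dateEnd into an absolute window using the boundary rules described above, so that a relative filter can be checked before a report is requested. It works at date granularity only, so the hour unit and the time of day are left out; the function names and the today argument are this example's own.

```python
"""Resolve Reporter relative date filters into absolute start and end dates."""
from datetime import date, timedelta


def _unit_start(today, unit):
    """Return the first day of the whole unit that contains `today`."""
    if unit == "year":
        return today.replace(month=1, day=1)
    if unit == "month":
        return today.replace(day=1)
    if unit == "week":
        # The guide states that a week starts on Sunday.
        # isoweekday() is Monday=1 .. Sunday=7, so Sunday maps to an offset of 0.
        return today - timedelta(days=today.isoweekday() % 7)
    if unit == "day":
        return today
    raise ValueError(f"unsupported unit {unit!r} (this example omits 'hour')")


def _shift(boundary, unit, n):
    """Move a unit boundary n whole units into the past."""
    if unit == "year":
        return boundary.replace(year=boundary.year - n)
    if unit == "month":
        months = boundary.year * 12 + (boundary.month - 1) - n
        return date(months // 12, months % 12 + 1, 1)
    if unit == "week":
        return boundary - timedelta(weeks=n)
    return boundary - timedelta(days=n)


def resolve_window(unit, date_start, date_end=None, today=None):
    """Return (start, end); `end` is today when dateEnd is omitted.

    A value of 0 is the most recent unit boundary, 1 is the boundary one unit
    before that, and so on, matching the year examples in the guide.
    """
    today = today or date.today()
    if date_start < 0 or (date_end is not None and date_end < 0):
        raise ValueError("relative values count units into the past; use 0 or more")
    origin = _unit_start(today, unit)
    start = _shift(origin, unit, date_start)
    end = today if date_end is None else _shift(origin, unit, date_end)
    if end < start:
        raise ValueError("dateEnd must not be further in the past than dateStart")
    return start, end


if __name__ == "__main__":
    today = date(2019, 10, 1)  # the date used in the guide's examples
    for label, args in [
        ("Current year", ("year", 0)),
        ("Previous year", ("year", 1, 0)),
        ("Previous two years", ("year", 2, 0)),
        ("Current and previous year", ("year", 1)),
        ("Previous 5 weeks, excluding current", ("week", 5, 0)),
    ]:
        start, end = resolve_window(*args, today=today)
        print(f"{label}: {start} to {end}")
```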

Trend Reports
To create trend reports:

1. Summarize by a time-based field. See "End Point: /api/listFields" on page 124 to view a list of summarizeBy fields
that can be used in trend reports.

2. Set showLast parameter to true.


Diagnose Reporter
If Reporter is experiencing a connection error or another type of error, review the System Event Log. With serious problems,
you might work with Symantec Technical Support to upload diagnostic information for analysis.

Tip: See also: "Restore a Configuration Backup" on page 131

Shutdown Information (RP-S500)

Caution: Do not shut down the appliance using the switch or by removing the power
cables. Abruptly removing power can result in irreparable data loss. Always use the
shutdown command from the CLI to power down the appliance.

For the Reporter appliance (RP-S500), the CLI provides a command to shutdown the appliance.

#enable
#shutdown graceful

This command allows Reporter to unload its databases and stop all log processing before terminating the process and
powering down the appliance.

When Proxied Through a ProxySG Appliance


If the Reporter connection proxies through a ProxySG appliance that has SSL Interception enabled, you experience a
certificate issue when attempting to access Reporter. You must use the browser to export the certificate and add it to
the ProxySG appliance.

Symptom
Users receive a certificate error in the browser.

Scenarios
You must repeat this procedure any time a new Reporter certificate is generated, which most likely occurs from one of
the following actions.

n You use the generate-ssl-certificate command to generate a new certificate (see CLI Commands).

n The Reporter appliance is restored to factory defaults.


Workaround
1. Obtain the browser certificate.

a. Access the Reporter Management Console (https://<ip_address>:8082).

b. When Reporter displays the certificate error, click Information.

c. Export the certificate—open it in Notepad.

d. Copy the PEM.

2. Add to the ProxySG appliance.

a. From the ProxySG appliance Management Console, select Configuration > SSL > Certificates.

b. Click Import.

c. Paste the PEM.

d. Click Apply.

e. Click the Certificate Lists tab.

f. Add the same certificate to the Browser Trusted List of Certificates.

Analyze the Reporter System Event Log


The event log is a record of all Reporter transactions. These logs are accessible on the Admin > System Overview >
Reporter System Information > System Event Log page and reviewing them might assist you with troubleshooting.

When you select a session event log, Reporter displays the Warnings, Errors, and Critical levels of transaction data.


1. Select an event log session.

2. In the options header, select which details to display. In the data area, the symbols indicate the type of journal
entry.

The header displays icons, which enable you to customize which types of data are displayed:

n Info—Not selected by default in some modes. This option toggles the most verbose event log records, as
every type of Reporter transaction displays.

n Warnings—A light event that Reporter can often overcome by re-attempting later. For example, Reporter
is not able to contact the SMTP server when attempting to send an e-mail.

n Errors—Error messages indicate that something went wrong, possibly resulting in data loss. Continuing the
SMTP example, Reporter reached the maximum retry attempts for a non-responsive SMTP server. That
message is not sent and Reporter logs an error.

n Critical—Critical error messages should be rare. They occur when a Reporter system crash is imminent. An
example of this type of message is if your databases directory does not have write permissions, Reporter
cannot continue and shuts down. Critical messages provide valuable information to a support person.

Upload Diagnostics to Symantec


If you call Symantec Technical Support to report a serious issue with Reporter, you might be assigned a Service Request
(SR) number by the Symantec support person, asked to enter that number, and upload system diagnostics.

The Administration > System Overview > Reporter System Information page contains the SR Number field. When
you enter the number and click Upload, Reporter sends comprehensive diagnostic data to Symantec for problem
analysis.

Tip: If your network firewall is configured to block unproxied traffic, see the Connect to an
Explicit Proxy for External Communication section in "Administrative Tasks" on page 48.

Reporter creates a .zip file named reporterdiags, which contains the diagnostic information.

If you cannot access the Reporter Management Console, you must run the bcrdiagnostics.exe application from a
command line and answer the prompts.

RAID Array (RP-S500)
For the Reporter appliance (RP-S500), the CLI provides a RAID command that displays the current status of the RAID
array. With this, you can view the current hard drive status.


#enable
#raid status
...
Update Time : Mon Jul 27 20:56:38 2015
State : clean
Active Devices : 24
Working Devices : 24
Failed Devices : 0
Spare Devices : 0
...

In the above output excerpt, the State is clean. The possible values are the following.

• Clean—RAID rebuild is completed and there are no pending writes to mirror disks.

• Clean, degraded—RAID rebuild is completed and there are no pending writes to mirror disks; however, an array
contains faulty disks.

• Active, resyncing—RAID rebuild is completed and there are pending/ongoing writes to primary/mirror disks.

• Active, degraded—RAID rebuild is completed and there are pending/ongoing writes to primary/mirror disks; an
array contains faulty disks.
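
The following monitoring check is an added example, not part of the Symantec guide or the Reporter product. It parses a captured copy of the raid status output and flags the degraded states listed above, a nonzero Failed Devices count, or a State value outside the documented list. The function names and the second sample are constructed for illustration.

```python
# Excerpt as shown in the guide.
HEALTHY = """\
Update Time : Mon Jul 27 20:56:38 2015
State : clean
Active Devices : 24
Working Devices : 24
Failed Devices : 0
Spare Devices : 0
"""

# Constructed sample: the same excerpt edited to report one faulty disk.
DEGRADED = HEALTHY.replace("State : clean", "State : clean, degraded").replace(
    "Failed Devices : 0", "Failed Devices : 1")

# State values listed in the guide -> True when the array contains faulty disks.
STATE_HAS_FAULTY_DISKS = {
    "clean": False,
    "clean, degraded": True,
    "active, resyncing": False,
    "active, degraded": True,
}

def parse_raid_status(text):
    """Collect 'Key : Value' lines; prompts and '...' lines are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")  # first separator only
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def assess_raid(text):
    """Return (ok, reasons) for one captured 'raid status' output."""
    fields = parse_raid_status(text)
    reasons = []
    # Normalise case and spacing: "Clean,degraded" -> "clean, degraded".
    state = ", ".join(p.strip() for p in fields.get("state", "").lower().split(","))
    if state not in STATE_HAS_FAULTY_DISKS:
        reasons.append(f"unexpected or missing State: {state!r}")
    elif STATE_HAS_FAULTY_DISKS[state]:
        reasons.append(f"State '{state}': array contains faulty disks")
    failed = fields.get("failed devices", "")
    if not failed.isdigit():
        reasons.append("Failed Devices counter missing or not numeric")
    elif int(failed) > 0:
        reasons.append(f"{failed} failed device(s) reported")
    return (not reasons, reasons)
```

An empty or truncated capture is reported as not ok, so a failed collection job is not mistaken for a healthy array.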


Restore a Configuration Backup


Every hour, Reporter performs a configuration settings backup and stores it on the appliance. This allows you to restore
a recent configuration set following an event that corrupts the current configuration. For example, the power source for
the appliance goes down. Such an event might cause configuration files to become corrupt. An indication of a
configuration file problem is an event log message similar to the following:

Failed to find web server protocol configuration.

If this or a similar error occurs, or you discover that your Reporter configuration is not working properly, attempt to restore
a backed-up configuration.

1. Access the Reporter CLI: option 1) Command Line Reference.

Copyright (c) 2019, Symantec Corporation


Welcome to the Symantec Reporter CLI
Version:10.5.1.1.1.1
-----------MENU----------
1) Command Line Reference
2) Setup
------------------------------

2. Enter enable.

If the administrator set an enable mode password, enter it when prompted.

3. Enter restore-settings manual list.

Reporter# restore-settings manual list


20161128123456
20161209185245
20161209193047
...
20161212183047

Reporter displays the available backed-up configurations. Each backup ID is a date and time in the following format
(year/month/day/hour/seconds):

YYYYMMDDHHM

Note: If you stop Reporter before step 3, you can use the reporter-settings
automatic command to list the available backups. Likewise, you can subsequently
enter reporter-settings automatic <backup_ID> to restore a particular
configuration backup.

4. Enter stop-reporter.


Reporter# stop-reporter
Are you sure you want to stop Reporter (this could take several minutes - or more)? [y/n] y
.....bcreporter stop/waiting

This halts the Reporter service (it does not shut down the appliance).

5. Enter the restore-settings manual <backup_ID> command, where backup_ID is the configuration from the
restore-settings manual list command. If you know the time of the event that caused the corruption, be sure
to select a backup configuration prior to that time.

Reporter# restore-settings manual 20161212183047


Are you sure you want to replace your current settings with those from set 20161219193047? [y/n] y
Settings succesfully restored.

6. Restart Reporter with the start-reporter command.

Tip: If you invoke the start-reporter command without committing changes to any
opened configuration file (edit mode), Reporter flushes those uncommitted changes
and does not make a backup copy.
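
The following helper for step 5 is an added example, not part of the Symantec guide or the Reporter CLI. Given the text printed by restore-settings manual list and the time of the event that corrupted the configuration, it returns the newest backup ID taken before that time. It assumes the 14-digit IDs shown above encode year, month, day, hour, minute and second; the function names are hypothetical.

```python
from datetime import datetime

ID_FORMAT = "%Y%m%d%H%M%S"  # assumption: 14-digit IDs are YYYYMMDDHHMMSS

# Listing as shown in the guide, including its "..." elision line.
LISTING = """\
20161128123456
20161209185245
20161209193047
...
20161212183047
"""

def parse_backup_ids(listing):
    """Return {backup_id: datetime} for every line that is a valid backup ID."""
    backups = {}
    for line in listing.splitlines():
        token = line.strip()
        if len(token) != 14 or not token.isdigit():
            continue  # prompt echo, blank line or "..." elision
        try:
            backups[token] = datetime.strptime(token, ID_FORMAT)
        except ValueError:
            continue  # 14 digits, but not a real date and time
    return backups

def last_backup_before(listing, event_time):
    """Newest backup ID taken strictly before event_time, or None."""
    candidates = {bid: ts for bid, ts in parse_backup_ids(listing).items()
                  if ts < event_time}
    if not candidates:
        return None  # every listed backup was taken at or after the event
    return max(candidates, key=candidates.get)

if __name__ == "__main__":
    # Constructed event time: corruption noticed on 9 December 2016 at 19:00.
    print(last_backup_before(LISTING, datetime(2016, 12, 9, 19, 0, 0)))
```

A result of None means no listed backup predates the event, so no set in the list is known to be clean.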

Import a Configuration Backup


Reporter allows you to save a backup of the Reporter configuration to the file directory used by FTP and SCP. The
following command saves the Reporter configuration to the /.settings.backups/ directory:

# backup-settings <Settings backup name>

After executing the backup-settings command, you can use FTP or SCP to move backup files to and from the file directory.
For example, you can create a settings backup file on one Reporter appliance, copy it to your FTP server, and then move it
to the /.settings.backups/ folder on a different Reporter appliance.

Caution: The backup settings can only be restored onto a Reporter that is running the same
version that was running when the backup was created. It is highly recommended that you
create a new backup every time you upgrade to a new Reporter version.

To support this new command, the restore-settings command has been modified to have two options:

• automatic—This option behaves like the previously available restore-settings command to view and restore the
available, automatically backed up settings sets.

• manual—This option is new and is used to view or restore the available settings .zip files from the
/.settings.backups/ folder.
