
User initiated web traffic

Can the XG logs show whether an attempt to access a blocked website was user initiated or an automated pop-up, notification, etc.?



This thread was automatically locked due to age.
  • You can get some information, but not a lot.  Only useful for detective work ("No I did not click on porn, it must have been due to a page load").

    Go to Log Viewer.  Click the little icon that switches to Detailed View.  Now change module to Web Filter.

     

    You'll see a log line that looks like this:


    messageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" fw_rule_id="2" user="" user_group="" web_policy_id="1" web_policy="" category="Information Technology" category_type="Acceptable" url="http://www.sophostest.com/img/head-shadow.gif" content_type="image/gif" override_token="" response_code="" src_ip="10.108.107.93" dst_ip="176.34.160.144" protocol="TCP" src_port="58583" dst_port="80" bytes_sent="389" bytes_received="1837" domain="www.sophostest.com" exception="" activity_name="" reason="not eligible" user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0" status_code="200" transaction_id="" referer="http://www.sophostest.com/img/theme.css" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="1017174944" app_name="" app_is_cloud="0"

     

     

    Here are the relevant fields:

    user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"

    The user_agent tells you which browser, but it can also be things like Adobe Updater.

    The referrer tells you what page caused the load. In this case a .css file caused a .gif to load. But if a user clicks on a link, the page they started from is also the referrer, so you don't really know if it was automatic or a user click. If the referrer is blank it is because they hit reload or used a bookmark. The next diagnostic is to look at the timestamps. If you see the one you are interested in was loaded at the same time as a bunch of other stuff with the same referrer, then you can deduce it was a page load that loaded it. But if it is a timestamp all on its own (or the first in a bunch) it is likely due to a user click.
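The referer and timestamp triage described in the answer above, as an added example that is not part of the original post or Sophos code. It assumes each exported line carries a `time="HH:MM:SS"` field (the sample line on this page has no timestamp) and treats requests within 2 seconds as "the same time"; the sample lines and their URLs are constructed.

```python
import re
from datetime import datetime, timedelta

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
WINDOW = timedelta(seconds=2)  # assumption: what counts as "the same time"

def parse(line):
    """Turn one key="value" Web Filter log line into a dict."""
    rec = dict(FIELD_RE.findall(line))
    rec["ts"] = datetime.strptime(rec["time"], "%H:%M:%S")  # assumed field
    return rec

def classify(lines, window=WINDOW):
    """Return (url, verdict) pairs using the referer + timestamp heuristic."""
    recs = sorted((parse(l) for l in lines), key=lambda r: r["ts"])
    prev_ts = {}  # src_ip -> time of that client's previous request
    out = []
    for r in recs:
        src, ref = r["src_ip"], r.get("referer", "")
        before = prev_ts.get(src)
        # Not alone and not first in a bunch: something preceded it closely.
        in_bunch = before is not None and r["ts"] - before <= window
        prev_ts[src] = r["ts"]
        # Another request from the same client, same referer, same time.
        shared = any(o is not r and o["src_ip"] == src
                     and o.get("referer") == ref
                     and abs(o["ts"] - r["ts"]) <= window for o in recs)
        if not ref:
            verdict = "blank referer: reload or bookmark"
        elif in_bunch and shared:
            verdict = "page load"
        elif not in_bunch:
            verdict = "likely user click"
        else:
            verdict = "undetermined"
        out.append((r["url"], verdict))
    return out

def sample_line(time, url, referer):
    """Build a constructed log line with only the fields used here."""
    return (f'time="{time}" src_ip="10.108.107.93" '
            f'url="{url}" referer="{referer}"')

SAMPLE = [  # constructed, not real log data
    sample_line("10:00:00", "http://news.example/article", "http://news.example/"),
    sample_line("10:00:00", "http://news.example/style.css", "http://news.example/article"),
    sample_line("10:00:01", "http://ads.example/banner.gif", "http://news.example/article"),
    sample_line("10:00:45", "http://blocked.example/", "http://news.example/article"),
    sample_line("10:02:00", "http://intranet.example/", ""),
]
```

The verdicts are only as strong as the heuristic: a script that fires a request long after the page finished loading looks the same as a click.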
