Is there a means to see exact YouTube videos accessed on XG?

Hi all. I have Sophos XG set up at home and have been looking for a way to hone things in a bit to monitor traffic that my kids are accessing. They gravitate to YouTube and I have an IP range set up with a firewall rule to set a web proxy with HTTPS scanning against this specific group. The kids' devices have static IP address assignments that belong to this IP range that was set up. I also have YouTube redirected for this group that goes to one of the more restrictive DNS names to target the more "filtered" area of YouTube for this IP range but alas I'm wondering if I can take this a step further.

Everything seems to work well without issue, but I was wondering if there's a way to see exact videos played. If I look in the log viewer I sometimes catch a "referer" listed in the logs, and via a rather complicated means (and what seems to be a huge stroke of luck) I'm able to copy/paste that URL into my browser and see the YouTube video.

Is there not a better means to do this? I have the Sophos cert installed on their devices and thought I'd get more info (and in a more approachable manner) than what I'm seeing currently once the certificate was installed.

Basically I want to see the URL, or title, or anything more descriptive than a catch-all category listing in the report that says "YouTube streaming has used xyz amount of bandwidth". Any ideas?

Thanks for any thoughts!



This thread was automatically locked due to age.
  • Hi,

    you can create additional reports and also review logviewer -> web page.

    Ian

  • I'm not sure that it's that straightforward, unless I'm missing something. I tinkered around with the reports and attempted to make one that would generate the URLs that have been accessed but the most I can get are generic totals of the amount of usage stemming from a particular domain, e.g. youtube.com. That in itself isn't what I'm looking for. I'm hoping to find a way that I can go into a report or the log viewer and effectively see the URLs pertaining to each YouTube video that was viewed. On that note I did mess around in the log viewer as well but it doesn't seem that straightforward. At times I can spot a detailed entry where "referer=" is listed and that can sometimes get me to a video, but it's a bit raw and feels far more like pure luck than predictable reporting. Is there something I'm missing?

  • You could use a Web filter on the Log Viewer. You should filter first by the user, then filter again with the option "start with":

    https://www.youtube.com/watch?v=

    Here's an example of how it looks:

    This isn't going to give you the video name directly in the Log Viewer, but at least the full URL of the video is present, and depending on how it was accessed you will be able to see the channel name in the "Referrer". (If you're doing TLS Decryption.)

  • Ah, I see now. The one thing that was tripping me up (and this didn't come to light until I focused on your example and compared it on my end a few times) is it seems as if the URL as reported in itself doesn't resolve if I simply copy/paste, but instead I need to remove the ending portion of the URL that is visible in the log viewer, namely this section: &pbj=1. After doing so I can get to the exact URL as noted in the web filter portion of the log viewer.

    It's a bit convoluted since there are *so* many logs that come up, even if you filter by the watch?v= suggestion. For every authentic video log I see there must be another 10-20 of random /api/stats style URLs that come up as well. Just may require a bit more digging than I thought, but at least it's a start. Appreciate the insight!
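
As an added example (not part of any post in this thread, and not Sophos code): a small Python filter over exported web-filter log lines that keeps only the `watch?v=` entries, recovers the video from the referer on `/api/stats` style lines, and drops `&pbj=1`. The sample lines are constructed, and the `key="value"` layout and the `src_ip` and `url` field names are assumptions; `referer` is the field named in the thread.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines. The key="value" layout and the field names
# src_ip and url are assumptions; "referer" is the field named in the thread.
SAMPLE_LOG = '''\
src_ip="192.0.2.21" url="https://www.youtube.com/watch?v=AAAAAAAAAAA&pbj=1" referer="https://www.youtube.com/"
src_ip="192.0.2.21" url="https://www.youtube.com/api/stats/watchtime?ns=yt&el=detailpage" referer="https://www.youtube.com/watch?v=AAAAAAAAAAA"
src_ip="192.0.2.21" url="https://www.youtube.com/api/stats/qoe?event=streamingstats" referer="https://www.youtube.com/watch?v=BBBBBBBBBBB&t=42s"
src_ip="192.0.2.22" url="https://www.youtube.com/watch?v=CCCCCCCCCCC&list=PLx&pbj=1" referer="https://www.youtube.com/watch?v=AAAAAAAAAAA"
src_ip="192.0.2.22" url="https://i.ytimg.com/vi/CCCCCCCCCCC/hqdefault.jpg" referer="https://www.youtube.com/"
'''

FIELD = re.compile(r'(\w+)="([^"]*)"')
YOUTUBE_HOSTS = {"www.youtube.com", "m.youtube.com", "youtube.com"}


def video_id(url):
    """Return the v= value if url is a YouTube watch page, else None."""
    parts = urlsplit(url)
    if parts.hostname not in YOUTUBE_HOSTS or parts.path != "/watch":
        return None
    ids = parse_qs(parts.query).get("v")
    return ids[0] if ids else None


def videos_by_client(log_text):
    """Map each client IP to the ordered, de-duplicated watch URLs it hit."""
    seen = {}
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        # Prefer the requested URL; fall back to the referer, which is where
        # the video shows up on /api/stats style entries.
        vid = video_id(fields.get("url", "")) or video_id(fields.get("referer", ""))
        if vid is None:
            continue
        # Rebuilding from the ID alone drops &pbj=1 and other extras.
        clean = "https://www.youtube.com/watch?v=" + vid
        urls = seen.setdefault(fields.get("src_ip", "unknown"), [])
        if clean not in urls:
            urls.append(clean)
    return seen


if __name__ == "__main__":
    for ip, urls in videos_by_client(SAMPLE_LOG).items():
        print(ip, *urls, sep="\n  ")
```
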

  • Any idea how this translates to identifying YouTube app traffic from an iPhone? I'm trying to replicate the same steps from an iOS device and the logs are quite simply littered with endless entries, but I'm not seeing anything that could translate to the watch?v= URLs mentioned earlier. It may be here and I just haven't seen it yet but so far I'm striking out with getting this kind of data out of an iOS device logs from log viewer to identify the video being watched. For the record this iOS device does have the Sophos cert installed as well.

  • Is the traffic going through the XG?
    ian

  • Yes. All traffic does in my case. XG is my DNS server, DHCP server, etc. as well.

  • So, if you use the IP address of the device you should be able to see the results in logviewer.

    ian

  • I'm doing that. I have the log viewer isolated to just this iOS device alone. I do see traffic as there are many entries, but nothing seems relevant in the form of a URL I can copy/paste to a browser and see what video that was.

    As experienced above I can take the URL I spot in the handful of log entries and remove the &pbj=1 section at the end to visit the video in a different tab that the child laptop accessed, but if you remove the laptop from the equation and introduce a child's iPad, I can't see an approachable means to get a feel for exacts as I was able to with the laptop being involved.