You want to configure access logging for Symantec ProxySG or Advanced Security Gateway (ASG), and then send the log to a Reporter server.
This article helps you configure access logging on a ProxySG, upload the files to an FTP server, and then have Reporter process the logs. This article is meant to help in getting access logging and reporting up and running in a relatively short amount of time.
For full details on setting up access logging to Reporter, including other options, see the Symantec Reporter 10.x Deployment Guide.
ProxySG can upload access logs using various protocols. This article focuses on one of them: FTP.
Symantec recommends the FTP protocol for access log uploads because it offers the best options in case there is ever the need to restore or re-import the access log data. The direct connection configuration does not keep the access log data in raw format and is used for POC only, as per the following Article on Reporter upload Client. The data is imported into the Symantec Reporter database and the access log file is discarded. With FTP, you can easily create new profiles, recreate profiles, or send data to Symantec Technical Support if need be.
Make sure that the sizing of your Symantec Reporter deployment is appropriate. See the Symantec Reporter 10.x sizing guide. Because Reporter is resource intensive (disk, CPU, and memory), for the best performance consider using real hardware and not virtualized hardware.
Any proprietary or open source FTP server will work. For simplicity's sake, this article uses a free open source FTP server named FileZilla Server. Symantec does not implicitly or explicitly promote this free FTP server software; it is used here only as an example in configuring access log uploads for Reporter. Use discretion when selecting an FTP server.
Note: If you are interested in connecting to an external FTP server, or using the direct connect method, see the Symantec Reporter 10.x Deployment Guide.
The easiest way to set this up is to install the FTP server on the Reporter server, which should have lots of free disk space. After you set up and configure the FTP server, configure ProxySG to upload the access logs to the FTP server.
Next, test connectivity between the FTP server and ProxySG.
If testing from the ProxySG was unsuccessful, troubleshoot the problem as follows:
9. Repeat steps 4 through 8 above for any other log files that need to be uploaded. When you set up each log file, make sure that you select the appropriate log, such as main, SSL, or P2P.
Step 2 discusses the frequency of uploads to the FTP server. If the ProxySG is configured for frequent uploads, such as every five minutes, then the FTP server will end up with a lot of small files in the incoming FTP server directory. If the proxy is used in a 24x7 environment, 288 files will be uploaded to the FTP server every day. Over a month, that results in approximately 8,600 files, and over a year, about 100,000 files. File system performance and backup performance can suffer greatly with that many files stored in a single directory. If a Reporter database rebuild needs to occur, all those files will need to be renamed, which can be a time-consuming process.
Because of the size and number of files that are uploaded to the FTP user's incoming directory, some sort of periodic movement of files from the FTP user's home directory to a separate storage location may be warranted. For example, a job can be scheduled to kick off a batch file that will move the files from the FTP directory where Reporter looks for new files to another directory. That way a minimal number of files will be maintained. See KB article Access logs management with Reporter for further details.
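The scheduled move described above could look like the following sketch. It is an added example, not Symantec's script or anything shipped with Reporter. The directory arguments, the one-day age threshold, and the assumption that files older than the threshold have already been processed by Reporter are all illustrative choices.

```python
"""Archive uploaded access logs out of the FTP incoming directory."""
import shutil
import sys
import time
from datetime import datetime, timezone
from pathlib import Path


def archive_logs(incoming, archive, min_age_seconds=86400, now=None):
    """Move regular files older than min_age_seconds into archive/YYYY-MM-DD/.

    Returns the list of destination paths. Buckets use the file's
    modification time in UTC, so each archive directory holds one day
    of uploads instead of everything landing in a single directory.
    """
    now = time.time() if now is None else now
    incoming, archive = Path(incoming), Path(archive)
    moved = []
    for entry in sorted(incoming.iterdir()):
        # Skip subdirectories and symlinks; only plain log files are moved.
        if entry.is_symlink() or not entry.is_file():
            continue
        mtime = entry.stat().st_mtime
        # Assumption: a file younger than the threshold may still be
        # uploading or waiting for Reporter, so leave it in place.
        if now - mtime < min_age_seconds:
            continue
        day = datetime.fromtimestamp(mtime, tz=timezone.utc).strftime("%Y-%m-%d")
        bucket = archive / day
        bucket.mkdir(parents=True, exist_ok=True)
        # Never overwrite an archived log: add a numeric suffix on collision.
        target, n = bucket / entry.name, 0
        while target.exists():
            n += 1
            target = bucket / f"{entry.name}.{n}"
        shutil.move(str(entry), str(target))
        moved.append(target)
    return moved


if __name__ == "__main__":
    # Usage: archive_logs.py <incoming_dir> <archive_dir> [min_age_seconds]
    age = int(sys.argv[3]) if len(sys.argv) > 3 else 86400
    for path in archive_logs(sys.argv[1], sys.argv[2], age):
        print(path)
```

Run it from the operating system's task scheduler, and keep the archive directory on the same access-controlled storage as the incoming directory, since the raw logs contain user browsing records.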