For Reporter to report on viruses on your network, it must first have detected evidence of them in the access logs it processes. This article suggests two ways to troubleshoot why you may not be seeing virus activity in your reports.
Checking your access logs:
To check your access log to see if it has registered any virus activity, follow these steps:
- Find an access log and open it in a text editor, such as Notepad for Windows or vi for Linux.
- You may have to unzip the access log first, or rename it from a *.done file name to a *.zip and then unzip it.
- At the top of each access log is a header that shows what each column in the access log stands for. Find the x-virus-id column. On most access logs, it is the last column.
- Trace this column down and look for a named virus detected by the ProxyAV. If the column is consistently a dash (" - "), then your ProxyAV is not providing the SG with the viruses it has detected.
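As an added example (not part of the original article), the following Python script performs the same check as the steps above: it reads the #Fields: header of a ProxySG access log, locates the x-virus-id column, and counts how many log lines carry a virus name instead of a dash. The log content and the field list are constructed for this example and are not a real log.

```python
import shlex
from collections import Counter

# Constructed sample in the W3C ELFF layout that ProxySG access logs use.
# The field list is an assumption for this example; the virus name,
# timestamps and addresses are made up.
SAMPLE_LOG = """#Software: SGOS
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri sc-status cs(User-Agent) x-virus-id
2024-01-15 10:00:01 10.0.0.5 GET http://intranet.example/index.html 200 "Mozilla/5.0 (test)" -
2024-01-15 10:00:07 10.0.0.5 GET http://www.eicar.org/download/eicar.com 403 "Mozilla/5.0 (test)" EICAR-Test-File
2024-01-15 10:00:09 10.0.0.9 GET http://intranet.example/logo.png 200 "curl/8.0" -
"""


def count_virus_ids(log_text):
    """Return (line_count, Counter of x-virus-id values) for one access log.

    Raises ValueError if the #Fields: header is missing or has no
    x-virus-id column, which is the first thing to rule out when
    Reporter shows no virus activity.
    """
    virus_idx = None
    line_count = 0
    found = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            if "x-virus-id" not in fields:
                raise ValueError("x-virus-id is not in the access log format")
            virus_idx = fields.index("x-virus-id")
            continue
        if line.startswith("#"):
            continue  # other ELFF header lines (#Software, #Version, #Date, ...)
        if virus_idx is None:
            raise ValueError("log line seen before the #Fields: header")
        # shlex keeps double-quoted fields such as cs(User-Agent) together
        cols = shlex.split(line)
        if len(cols) <= virus_idx:
            continue  # truncated line; skip rather than misread a column
        line_count += 1
        value = cols[virus_idx]
        if value != "-":
            found[value] += 1
    if virus_idx is None:
        raise ValueError("no #Fields: header found")
    return line_count, found
```

If the returned Counter is empty for a full day's log, the ProxyAV is not passing virus names to the SG, or the log format lacks the field.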
Watching a test virus being detected by your SG:
To conduct a live troubleshooting trial with a test virus on an SG, follow these steps.
- To verify whether the raw logs contain the virus ID, follow these steps:
- Login to the ProxySG web interface.
- Click on Statistics
- Click on Access Logging
- Click Start Tail (the button is at the bottom)
- Have a user go to a test virus, such as http://www.eicar.org/download/eicar.com, and download the test virus.
- View the logs and check for the x-virus-id tag; it is often the last, or the second to last, entry in the log line.
CPL policy needed to write to the SG access log:
If you find that the ProxySG is not writing the name of the virus to the access logs, check whether this CPL code is configured.
Here is the CPL code the customer used.
define Cache policy avscan
If the x-virus-id field is always a dash (-), then the ProxySG is either not writing the viruses it finds to the access log, or it is not configured appropriately for a ProxyAV. This article can help you verify whether your two appliances, the ProxyAV and the ProxySG, are set up properly.
For information on the access log fields needed by Blue Coat Reporter, see 000021974.
NOTE: For more information on how viruses are detected and reported in the access log, see 000010081.