Reports
From UntangleWiki
About Untangle Reports
Untangle Server generates Untangle Reports, and makes them available through:
- Email
- Online
- CSV file (for further data analysis)
Report data provided by email is – by comparison to online report data – a summary report. While the emailed report provides a significant amount of information on your network traffic, you cannot drill down to get extreme granularity. When this is needed, you should use the emailed report as a guide so that you can identify specific instances for further analysis with online reporting and/or with CSV-based report data.
Data presented in reports is for a rolling seven-day period. Although the emailed report is titled Daily Report, it is for a seven-day period that was issued on that day.
Please note that upon a new Untangle server installation, Untangle Reports are unavailable until after the first full day of server usage.
Configuration
Configuration of Untangle Reports has been simplified, beginning with Untangle 7.0. There are a few settings which you may configure as needed.
External Report Viewing
If you wish to access the online version of Untangle Reports from a location external to the Untangle server, click the Config tab at the left of your screen, followed by Administration. The Administration screen will open in the main part of your screen. Under External Administration, check the Enable External Report Viewing checkbox.
Email Recipients
From Untangle Reports, click the Generation tab. You may add new report recipients by clicking the plus (Add) button, then entering their email address in the Recipients list. The format of the email address is validated, but the legitimacy of the email address cannot be validated. Repeat as many times as needed, then click the Save button.
Data Retention
If desired, you may change Data Retention from its default setting (8 days) to a value of your choosing. From Untangle Reports, click the Generation tab. The Data Retention setting is at the bottom of this section. When done, click the Save button. Please note that increasing the number increases the amount of disk space that is needed for data storage, and could have negative effects.
Replacing IP Addresses with User Names
If you are using Untangle Server's Active Directory integration, this topic doesn't apply to you because Untangle Reports show user names by default in an Active Directory environment.
Untangle Reports contain IP addresses. To enhance readability, you can replace internal IP addresses (addresses inside the protected network) with user names. If you are using DHCP, you do not need to map IP addresses to user names.
Caution: Do not configure name mappings for external IP addresses (addresses outside the protected network).
To replace IP addresses with user names:
- From Untangle Reports, click the Settings button.
- Click the Name Map tab.
- Click the plus (Add) button above the table. A new row appears in the table.
- Specify the Name Map (IP address) and user name, and click the Save button.
Accessing Untangle Reports
To access Untangle Reports from Untangle Client:
- Launch the Untangle Client from a browser. For security reasons, Administrators connected directly via keyboard, monitor, and mouse to the Untangle Server cannot launch a browser.
Tip: You can also click the View Untangle Reports link instead of the Launch Untangle Client link to access Untangle Reports.
- From Untangle Reports, click the View Reports tab.
- Click the Launch Browser button. The Untangle Reports portal appears in your browser window.
- Choose from among the reports. For more information about these reports, go to About Untangle Reports.
To access Untangle Reports from a browser:
- In a browser, type https://PublicAddress/reports where PublicAddress is either the public hostname or public IP address of the Untangle Server. For example, https://10.0.0.1/reports. If a non-standard HTTPS port is used, the port number must also be entered. As an example, if port 8443 is used for remote admin and report viewing, you would enter https://10.0.0.1:8443/reports.
- Specify your login and password. The Untangle Reports home page displays. If you do not have a valid login, contact your administrator.
When connected to the Untangle Reports portal, you will see the screen as shown below:
Email Reports
The Untangle Server makes Untangle Reports available through email and online. Top-level information presented in the email report is identical to that provided online, though the online report provides the capability to get information at a deeper level. A full complement of reports is available for each Untangle software product that is shown at the left side of the above graphic.
While the sheer number of reports that are available to the user is too large to present here, they can be summarized as follows:
- Hourly Usage reports show a product’s average usage on an hour-by-hour basis over a seven-day reporting period. Reports typically show both acceptable and non-acceptable use.
- Daily Usage reports show a product’s usage on a daily basis over a seven-day reporting period. There is no delineation on time-of-day usage. Reports typically show both acceptable and non-acceptable use.
- Top Ten Lists break down usage over a seven-day reporting period, and data is provided in table form as well as in pie charts. There is no delineation on time-of-day usage. Reports vary from product to product, but typically include:
  - Spam Blocker: top spam recipients
  - Phish Blocker: top recipients of phishing traffic
  - Spyware Blocker: top blocked sites by hits, top blocked hosts by hits, top blocked cookies, top suspicious traffic networks, top suspicious hosts by hits
  - eSoft Web Filter: top web users (by hits, size), top categories of violations (blocked, logged), top websites (by hits, size), top violators by hits (host, user), top violations (blocked, logged)
  - Web Filter: same reporting as eSoft Web Filter
  - Kaspersky Virus Blocker: top virus detected (total, email-based, web-based)
  - Virus Blocker: same reporting as Kaspersky Virus Blocker
  - Intrusion Prevention: top attacks (by hits)
  - Protocol Blocker: top protocols by hits (blocked, detected), top hosts by hits (blocked, logged), top users by hits (blocked, logged)
  - Firewall: top blocking rules, top blocked hosts, top blocked users
  - Remote Access Portal: top users
  - OpenVPN: top users
  - Attack Blocker: top blocked hosts, top limited hosts
Online Reports
As mentioned previously, online reports allow you to analyze reporting data in granular detail. In reports provided for each software product, data contained in email reports is limited to that which is included under the Summary Report for each product (referring to the above graphics). All products have one or more tabs that contain event data for the product, which you are already familiar with in the Untangle rack. This allows you to refer to the specific event that causes the user/host/site to show up in the report.
In addition, the online Summary Report contains hyperlinks which allow you to drill down for further information. Using the sample below, each user who shows up on the pie chart (left) is also shown in the table (right), with a colored tile to help you locate them in the pie chart, and a hyperlink that allows you to analyze their usage at a deeper level. Following that link, you can see their usage on an hourly basis, on a daily basis, their acceptable web usage, unacceptable web usage, and bandwidth used.
Another major enhancement shows up near the top of each table. Immediately under the label Key Statistics is an icon. Clicking on the icon causes your Untangle server to collect data used in the report and store it into a CSV file, which you can download and have immediately available to you for analysis as you see fit. While many of the downloadable data sets appear trivial by themselves, they allow you to study in depth when used in conjunction with corresponding event data.
Enabling SNMP and Syslog Monitoring
Although Untangle Reports provide you extensive network monitoring capabilities, you might already have an existing network monitoring system such as IBM's Tivoli Monitoring. In that case, Untangle Server can provide data to your existing network monitoring system.
To configure SNMP and Syslog:
- From the Untangle Client, click the Config tab > Remote Admin. The Remote Admin Config window launches.
- Click the Monitoring tab, then the SNMP tab or the Syslog tab.
- Click the Enable radio button.
- Type the appropriate configuration information, and click the Save button.
If you’re not receiving Untangle Reports
If you’re not receiving your Untangle Reports, there are a few common causes that are worth mentioning here.
- In order to receive reports, you must have Software Products installed in the virtual rack and turned on. Go to Turning On and Off Software Products. Only those products that are installed and turned on can be reported on.
- When the Untangle server is first installed, you must allow one full day of operation before reports are generated. There must be one full 24-hour day of operation for the first report to be created.
- If your Untangle Server is turned on, it's possible that the reports have not yet been emailed. Reports are emailed on a daily basis, usually at around 6 am.
- If you have been using the Untangle Server for more than 24 hours, verify that you configured the Untangle Server with your outgoing mail server. Go to Configuring Server Email Traffic.
Reports FAQs
Why am I not receiving Untangle Reports?
- In order to receive reports, you must have Software Products installed in the virtual rack and turned on. Go to Turning On and Off Software Products.
- If your Untangle Server is turned on, it's possible that the reports have not yet been sent. Reports are emailed on a daily basis. Wait up to 24 hours to receive your first report email. Go to Specifying When Untangle Server Generates Untangle Reports.
- If you have been using the Untangle Server for more than 24 hours, verify that you configured the Untangle Server with your outgoing mail server settings. Go to Configuring Server Email Traffic.
Why am I not receiving the Detailed Report through email?
Beginning with Untangle 7.0, a new report engine is being used. The reports are more detailed than they have been in the past, but you can only receive maximum detail by using online reports.
What is the difference between event logs and Untangle Reports?
Event logs contain the underlying data from which the Untangle Server generates Untangle Reports. However, there are a few differences. Event logs provide real-time information whereas Untangle Reports provide next-day information. Moreover, the event logs show activity by IP address; Untangle Reports are more user-friendly because they show activity by user.
Can I send Untangle Reports to anyone?
Yes, as outlined in Emailing Recipients Untangle Reports, you can email reports to anyone. That user does not need administrator privileges. There is no limit on the number of users that receive the Untangle Reports.
I just upgraded my Untangle box. My reports are missing. Why?
The next time that scheduled reports are run, the top-level report index gets rebuilt according to the new standard. If you run reports daily, please allow 24 hours before reports are available. If you only run weekly or monthly reports (and not daily), please allow one reporting cycle.
The key statistics do not appear to match the data in the graph. Why?
The 24-hour graphs show an average of all days covered by the reports. In other words, it shows what a "typical" day looks like. The actual max and avg of any given day could be far greater or less than the "typical" day.
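The averaging described above can hide a short burst of activity. The following is an added example, not Untangle code: it builds a constructed seven-day set of event timestamps (all values are invented) and compares the "typical day" hourly average with the busiest actual hour.

```python
from collections import Counter
from datetime import datetime, timedelta


def typical_day(timestamps, days):
    """Average each hour of day over `days` days, as a 24-hour graph does."""
    per_hour = Counter(t.hour for t in timestamps)
    return [per_hour[h] / days for h in range(24)]


def actual_peak(timestamps):
    """Return (date, hour, count) for the busiest single hour in the data."""
    buckets = Counter((t.date(), t.hour) for t in timestamps)
    (day, hour), count = buckets.most_common(1)[0]
    return day, hour, count


# Constructed sample: 10 events at 09:00 on each of 7 days,
# plus one burst of 210 events at 14:00 on the third day.
START = datetime(2010, 3, 1)
SAMPLE = []
for d in range(7):
    SAMPLE += [START + timedelta(days=d, hours=9, seconds=s) for s in range(10)]
SAMPLE += [START + timedelta(days=2, hours=14, seconds=s) for s in range(210)]

if __name__ == "__main__":
    avg = typical_day(SAMPLE, days=7)
    day, hour, count = actual_peak(SAMPLE)
    print(f"typical day at 14:00: {avg[14]:.0f} events/hour")
    print(f"actual peak: {count} events on {day} at {hour}:00")
```

The graph value for 14:00 is 30 events per hour, while the event data shows a single hour with 210 events, which is why an unusual day should be investigated in the event data or CSV export rather than read off the averaged graph.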
The spam/phishing stats don't seem to add up. Why?
You may notice that some reports may report a certain number of phish/spam email, but the event log and CSVs show a different number. This is because the graphs show the actual number of emails, but the event log and CSVs treat each recipient as an individual email so per-user/host reports are correct. So, for example, if a single spam email is sent to two users it will only be counted as one in the reports, but two in the event log/CSV file.
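To reconcile the two numbers from an exported CSV, count distinct messages separately from per-recipient rows. This is an added example, not Untangle code; the column names (`msg_id`, `recipient`, `is_spam`) and the sample rows are constructed assumptions, so adjust them to the headers in your own export.

```python
import csv
import io
from collections import Counter

# Constructed sample export: one row per recipient, as the FAQ describes.
# Column names are hypothetical, not taken from an Untangle CSV file.
SAMPLE_CSV = """time_stamp,msg_id,recipient,is_spam
2010-03-01 08:00:01,1001,alice@example.com,true
2010-03-01 08:00:01,1001,bob@example.com,true
2010-03-01 08:05:12,1002,alice@example.com,false
2010-03-01 09:10:44,1003,carol@example.com,true
2010-03-01 09:10:44,1003,alice@example.com,true
2010-03-01 09:10:44,1003,bob@example.com,true
"""


def reconcile(csv_text):
    """Return (messages, deliveries, per_recipient) for rows flagged as spam.

    messages   - distinct spam emails (the number the graphs show)
    deliveries - one per recipient row (the number the event log/CSV shows)
    """
    spam_ids = set()
    per_recipient = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["is_spam"].strip().lower() != "true":
            continue
        spam_ids.add(row["msg_id"])
        per_recipient[row["recipient"]] += 1
    return len(spam_ids), sum(per_recipient.values()), per_recipient


if __name__ == "__main__":
    messages, deliveries, per_recipient = reconcile(SAMPLE_CSV)
    print(f"graph count (distinct emails): {messages}")
    print(f"event log/CSV count (per recipient): {deliveries}")
    for recipient, n in per_recipient.most_common():
        print(f"  {recipient}: {n}")
```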
Timestamp (date) column is not displayed properly after I export reports to CSV file. Why?
If you are using MS Excel to view the exported CSV file, you can change the format of the cell (first column) to a Date format.




