WSA accesslog shows incorrect username

bobmc859
Level 1

I have two WSAs, and on #1, when I view the access logs using the grep command within the shell for my machine IP, I see a different username than mine. If I run the same accesslog report on #2, I see my username. The username that shows up for #1 is that of an old employee who no longer works with the company; however, he did have direct access to the WSAs. When I run the same test on #1 with a co-worker, his username shows up as expected. When I go to a blocked site and receive the WSA notification in the browser, it shows my username, and within the WSA GUI I see my username as well, with no sign of this other user other than in the accesslog report. Any thoughts on why this would happen?

From WSA1:

1532546707.470 1215 x.x.x.125 TCP_MISS/200 7 TCP_CONNECT 205.254.131.119:443 "Domain\Not-Bob@Sufix" DIRECT/205.254.131.119 - PASSTHRU_CUSTOMCAT_7-Decryption_Passthrough-Websites_to_bypass_decryption-DefaultGroup-NONE-NONE-DefaultGroup <C_DUF0,-3.5,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,nc,-,"-","-","Unknown","Unknown","-","-",0.05,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-"> -

From WSA2:

1551924501.283 233 x.x.x.125 TCP_MISS_SSL/200 0 TCP_CONNECT 216.58.192.238:443 "Domain\Bob@Sufix" DIRECT/clients1.google.com - DECRYPT_WEBCAT_7-DefaultGroup-DefaultGroup-DefaultGroup-NONE-NONE-DefaultGroup <IW_srch,3.4,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_srch,-,"-","-","Google","Search Engine","Encrypted","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-"> -

3 Replies

balaji.bandi
Hall of Fame

If you look at the logs, there is a difference between them. There may be some access/identity rules associated with the IP or the user.

Questions:

How are you managing these 2 kits? Central policy push with SMA?

How is the user redirected to the proxy? WCCP or explicit?

BB

Thanks Balaji. We do use central policy push with SMA and use WCCP. Where should I look for the access/identity rules to see if this IP is associated with him?

Hi Balaji,

I suspect your problem is that one of your WSAs has not been receiving traffic for a while. (You can check that via FTP, by looking at when your access log files last rolled.)
So on that "idle" WSA, when you grep, you are grepping old logs.

I went ahead and converted the unix timestamps on your logs.

One is significantly old.

1532546707.470 GMT: Wednesday, 25 July 2018 19:25:07.470
1551924501.283 GMT: Thursday, 7 March 2019 02:08:21.283

Kind regards

Sadik
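To make the timestamp check in this reply repeatable, here is an added Python example (not from the thread and not a Cisco tool) that parses accesslog lines in the format quoted above, pulls out client IP, username and UTC time, and reports per username when it last appeared and which hits are older than a chosen age. The two sample lines are the ones quoted in the thread; the field names and the 30-day staleness threshold are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Sample input: the two accesslog lines quoted in the thread (constructed test data).
SAMPLE_LOG = r"""
1532546707.470 1215 x.x.x.125 TCP_MISS/200 7 TCP_CONNECT 205.254.131.119:443 "Domain\Not-Bob@Sufix" DIRECT/205.254.131.119 - PASSTHRU_CUSTOMCAT_7-Decryption_Passthrough-Websites_to_bypass_decryption-DefaultGroup-NONE-NONE-DefaultGroup <C_DUF0,-3.5,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,nc,-,"-","-","Unknown","Unknown","-","-",0.05,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-"> -
1551924501.283 233 x.x.x.125 TCP_MISS_SSL/200 0 TCP_CONNECT 216.58.192.238:443 "Domain\Bob@Sufix" DIRECT/clients1.google.com - DECRYPT_WEBCAT_7-DefaultGroup-DefaultGroup-DefaultGroup-NONE-NONE-DefaultGroup <IW_srch,3.4,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_srch,-,"-","-","Google","Search Engine","Encrypted","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-"> -
""".strip().splitlines()

# Leading fields of a WSA accesslog entry: epoch time, elapsed ms, client IP,
# result/status, bytes, method, URL, quoted username, hierarchy/peer, MIME type,
# then the ACL decision tag. The scan-verdict block in <...> is not needed here.
LOG_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+'
    r'"(?P<user>[^"]*)"\s+(?P<hier>\S+)\s+(?P<mime>\S+)\s+(?P<decision>\S+)'
)


def parse_line(line):
    """Return a dict of fields for one accesslog line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # WSA logs epoch seconds; convert to an aware UTC datetime like the reply did by hand.
    rec["time"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    return rec


def find_by_client(lines, client_ip):
    """Equivalent of grepping the accesslog for one client IP, but field-aware."""
    return [r for r in (parse_line(l) for l in lines) if r and r["client"] == client_ip]


def last_seen_by_user(records):
    """Map each username to the newest timestamp it appears with."""
    seen = {}
    for r in records:
        if r["user"] not in seen or r["time"] > seen[r["user"]]:
            seen[r["user"]] = r["time"]
    return seen


def stale_entries(records, now, max_age_days=30):
    """Hits older than max_age_days: on an idle WSA these are what a plain grep returns."""
    cutoff = now - timedelta(days=max_age_days)
    return [r for r in records if r["time"] < cutoff]


if __name__ == "__main__":
    hits = find_by_client(SAMPLE_LOG, "x.x.x.125")
    for user, when in last_seen_by_user(hits).items():
        print(f"{user:28s} last seen {when:%Y-%m-%d %H:%M:%S} UTC")
    for r in stale_entries(hits, datetime.now(timezone.utc)):
        print("STALE:", r["ts"], r["user"])
```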