So I have a WSA S380 that does URL filtering and I have done WEB trackings for individual IP addresses from time to time.
Management is asking me for an Investigation of a specfic workstation name, to find out the Internet websites that workstation
has visited over the past month. We are running DHCP. Does the WSA access-logs contain the hostname and or the user name
in the file?
1. The WSA access logs contains the username in almost all cases, because the user attempts to access the URL after logging to to system. When integrated with AD and ntlm or kerberos being used, all access requests will reach WSA with username.
2. In rare occurrences when the client machine attempts to reach out to internet before the user could login, only then will the request have machine name.
3. WSA will attempt to authenticate whatever came to it first (user or machine).
So the probability of seeing machine name in the access logs is rare.
*** Rate All Helpful Responses ***
For investigating a user's activity over the past month with the user ID, you can got to Reporting --> Users. Put in the user ID under the section "Users" , Click on "Find User ID or client IP" . Click on the userID and this should give you the URL categories that the user transaction matched and the Domains matched. Remember to Select the Time range as "30 days" on the top left.