Working With Reports

This chapter contains the following sections:

Ways to View Reporting Data

Table 1. Ways To View Reporting Data

To

See

View and customize web-based interactive report pages

Automatically generate recurring PDF or CSV reports

Generate a PDF or CSV report on demand

Export raw data as a CSV (Comma-separated values) file

Generate a PDF of report data

Exporting Reporting and Tracking Data

Email report information to yourself and other people

Find information about specific transactions

Viewing Details of Messages or Transactions Included in Reports

Note
For differences between logging and reporting, see Logging Versus Reporting.

How the Security Management Appliance Gathers Data for Reports

The Security Management appliance pulls data for all reports from all managed appliances approximately every 15 minutes and aggregates the data from these appliances. Depending on your appliance, it may take awhile for a particular message to be included in the reporting data on the Security Management appliance. Check the System Status page for information on your data.

Reporting Data includes transactions involving both IPv4 and IPv6.


Note
When gathering data for reports, the Security Management appliance applies the timestamp from the information that was set when you configured the time settings on the Security Management appliance. For information on setting the time on your Security Management appliance, see the Configuring the System Time.

How Reporting Data is Stored

All of the appliances store reporting data. The following table shows what time periods that each appliance stores data.

Table 2. Reporting Data Storage on the Email and Web Security Appliances

Minute

Hourly

Daily

Weekly

Monthly

Yearly

Local Reporting onEmail Security appliance or Web Security appliance

Centralized Reporting on Email Security appliance or Web Security appliance

Security Management appliance

About Reporting and Upgrades

New reporting features may not apply to transactions that occurred before upgrade, because the required data may not have been retained for those transactions. For possible limitations related to reporting data and upgrades, see the Release Notes for your release.

Customizing Your View of Report Data

When viewing report data in the web interface, you can customize your view.

To

Do This

View data per appliance or reporting group

Viewing Reporting Data for an Appliance or Reporting Group

Specify a time range

Choosing a Time Range for Reports

(For Web reports) Choose which data to chart

(Web Reports Only) Choosing Which Data to Chart

Customize tables

See Customizing Tables on Report Pages

Search for specific information or a subset of data to view

Specify report-related preferences

See Setting Preferences

Create a custom report with only the charts and tables you want

See Custom Reports.


Note
Not all customization features are available for every report.

Viewing Reporting Data for an Appliance or Reporting Group

For Mail Flow Summary and System Capacity reports for Email, you can view data from all appliances, or from any one centrally-managed appliance.

For Email reports, if you have created groups of Email Security appliances as described in Creating Email Reporting Groups, you can view the data for each reporting group.

To specify the view, select an appliance or group from the View Data For list on supported pages.

If you are viewing report data on the Security Management appliance to which you have recently taken backup from another Security Management appliance, you must first add (but do not establish a connection to) each appliance in > Management Appliance > Centralized Services > Security Appliances.

Choosing a Time Range for Reports

Most predefined report pages allow you to choose a Time Range for the data to include. The time range that you select is used for all of the report pages until you select a different value in the Time Range menu.

Available Time Range options differ by appliance and differ for Email and Web reporting on the Security Management appliance:


Note
Time ranges on report pages are displayed as a Greenwich Mean Time (GMT) offset. For example, Pacific time is GMT + 7 hours (GMT + 07:00).

Note
All reports display date and time information based on the systems configured time zone, shown as a Greenwich Mean Time (GMT) offset. However, data exports display the time in GMT to accommodate multiple systems in multiple time zones around the world.

Tip

You can specify a default time range that will always display each time you log in. For information, see Setting Preferences.

(Web Reports Only) Choosing Which Data to Chart

The default charts on each Web Reporting page display commonly-referenced data, but you can choose to chart different data instead. If a page has multiple charts, you can change each chart.

Generally, the chart options are the same as the columns of the table in the report. However, some columns cannot be charted.

Charts reflect all available data in a table column, regardless of the number of items (rows) you choose to display in the associated table.

Procedure

Step 1

Click the Chart Options link below a chart.

Step 2

Choose the data to display.

Step 3

Click Done.

Customizing Tables on Report Pages

Table 3. Customizing Tables on Web Report Pages

To

Do This

More Information

  • Show additional columns

  • Hide visible columns

  • Determine available columns for a table

Click the Columns link below the table, select the columns to display, then click Done.

For most tables, some columns are hidden by default.

Each each report page offers different columns.

See also Table Column Descriptions for Email Reporting Pages.

Reorder table columns

Drag a column heading to the desired new position

Sort the table by the heading of your choice.

Click a column heading.

Display more or fewer rows of data

From the Items Displayed drop-down list at the top right of a table, choose a number of rows to display.

For Web reports, you can also set a preference for a default number of rows to display; see Setting Preferences.

View details about a table entry, where available

Click a blue entry in the table

See also Viewing Details of Messages or Transactions Included in Reports.

Narrow the pool of data to a specific subset

Choose or enter a value in the filter setting below the table, where available

For Web reports, available filters are discussed on each individual report page description. See Web Reporting Page Descriptions.

Custom Reports

You can create a custom email security report page by assembling charts (graphs) and tables from existing report pages.


Note
On Email Security appliances, starting in release 9.6, “My Reports” is called “My Dashboard”.

To

Do This

Add modules to your custom report page

See:

View your custom report page

  1. Choose Email > Reporting > My Reports.

  2. Select the time range to view. The time range selected applies to all reports, including all modules on the My Reports page.

Newly-added modules appear at the top of the custom report.

Rearrange modules on your custom report page

Drag and drop modules into the desired location.

Delete modules from your custom report page

Click the [X] in the top right corner of the module.

Generate a CSV version of your custom report

See:

Periodically generate a CSV version of your custom report

See:

Modules That Cannot Be Added to Custom Reports

  • All modules on the Management Appliance > Centralized Services > System Status page

  • All modules on the Email > Reporting > Reporting Data Availability page

  • All modules on the Email > Message Tracking > Message Tracking Data Availability page

  • The following per-domain modules from the Sender Profile detail report page: Current Information from SenderBase, Sender Group Information, and Network Information

  • The Past Year Virus Outbreak Summary chart and Past Year Virus Outbreaks table on the Outbreak Filters report page

Creating Your Custom Report Page

Before you begin
Procedure
Step 1

Use one of the following methods to add a module to your custom report page:

Note 
Some modules are available only using one of these methods. If you cannot add a module using one method, try another method.

  • Navigate to the report page under the Email tab that has the module that you want to add, then click the [+] button at the top of the module.

  • Go to Email > Reporting > My Reports and click on the [+] Report Module button at the top of one of the sections, then select the report module that you want to add You may need to click the + button in each section on the My Reports page in order to find the module that you are looking for.

You can add each module only once; if you have already added a particular module to your report, the option to add it will not be available.

Step 2

If you add a module that you have customized (for example, by adding, deleting, or reordering columns , or by displaying non-default data in the chart), customize the modules on the My Reports page.

Modules are added with default settings. Time range of the original module is not maintained.

Step 3

If you add a chart that includes a separate legend (for example, a graph from the Overview page), add the legend separately. If necessary, drag and drop it into position beside the data it describes.

Viewing Details of Messages or Transactions Included in Reports

Procedure

Step 1

Click any blue number in a table on a report page.

(Not all tables have these links.)

The messages or transactions included in that number are displayed in Message Tracking or Web Tracking, respectively.

Step 2

Scroll down to see the list of messages or transactions.

What to do next

Improving Performance of Email Reports

If the performance of aggregated reporting decreases due to a large number of unique entries over the course of a month, use reporting filters to restrict the aggregation of data in reports that cover the previous year (Last Year reports). These filters can restrict detailed, individual IP, domain, or user data in reports. Overview reports and summary information remain available for all reports.

You can enable one or more of the reporting filters using the reportingconfig > filters menu in the CLI. The changes must be committed to take effect.

  • IP Connection Level Detail. Enabling this filter prevents the Security Management appliance from recording information about individual IP addresses. This filter is appropriate for systems that process a large number of incoming IP addresses due to attacks.

    This filter affects the following Last Year reports:

    • Sender Profile for Incoming Mail
    • IP Addresses for Incoming Mail
    • IP Addresses for Outgoing Senders

  • User Detail. Enabling this filter prevents the Security Management appliance from recording information about individual users sending and receiving mail and the content filters that are applied to the users’ mail. This filter is appropriate for appliances that process mail for millions of internal users or if the system does not validate recipient addresses.

    This filter affects the following Last Year reports:

    • Internal Users
    • Internal User Details
    • IP Addresses for Outgoing Senders
    • Content Filters

  • Mail Traffic Detail. Enabling this filter prevents the Security Management appliance from recording information about individual domains and networks that the appliances monitor. This filter is appropriate when the number of valid incoming or outgoing domains is measured in the tens of millions.

    This filter affects the following Last Year reports:

    • Domains for Incoming Mail
    • Sender Profile for Incoming Mail
    • Internal User Details
    • Domains for Outgoing Senders

Note
To view up-to-the-minute reporting data for the preceding hour, you must log in to an individual appliance and view the data there.

Exporting Reporting and Tracking Data

Table 4. Exporting Reporting and Tracking Data on the New Web Interface

To Get This

CSV

Do This

Notes

Raw data

See also Exporting Report Data as a Comma Separated Values (CSV) File

  1. Click Export link on the top of a report page.

  2. Select CSV as the required format.

  3. Select the required report module that you want to export and click Download.

The CSV file contains all applicable data, including the data visible in the chart or table.

Create a scheduled or on-demand report. See:

Each CSV file may contain up to 100 rows.

If a report contains more than one table, a separate CSV file is created for each table.

Some extended reports are not available in CSV format.

A PDF of an interactive report page

  1. Click Export link on the top of a report page.

  2. Select PDF as the required format.

  3. Select the required report module that you want to export and click Download.

The PDF reflects the customizations that you are currently viewing.

PDFs are formatted to be printer-friendly.

A PDF of report data

Create a scheduled or on-demand report. See:

-

(Web Security) A custom subset of report data, for example data for a particular user.

  1. Select Web from the Product drop-down and choose Tracking > Web Tracking.

  2. Perform a search and click the Export link or Export All link above the search results

CSV files include all raw data matching the search criteria.

(Email Security) A custom subset of data, for example data for a particular user.

  1. Select Email from the Product drop-down and choose Tracking > Message Tracking.

  2. Perform a search and click the Export link or Export All link above the search results

The Export link downloads a CSV file with the displayed search results, up to the limit you specified in your search criteria.

The Export All link downloads a CSV file with up to 50,000 messages that match your search criteria.

Tip: If you need to export more than 50,000 messages, perform a series of exports for a set of shorter time ranges.

Exporting Report Data as a Comma Separated Values (CSV) File

You can export raw data to a comma-separated values (CSV) file, which you can access and manipulate using database applications such as Microsoft Excel. For different ways to export data, see Exporting Reporting and Tracking Data.

Because CSV exports include only raw data, exported data from a web-based report page may not include calculated data such as percentages, even if that data appears in the web-based report.

For email message tracking and reporting data, the exported CSV data will display all data in GMT regardless of what is set on the Security Management appliance. This simplifies using data independently from the appliance, particularly when referencing data from appliances in multiple time zones.

The following example is an entry from a raw data export of the Anti-Malware category report, where Pacific Daylight Time (PDT) is displayed as GMT - 7 hours:

Begin Timestamp, End Timestamp, Begin Date, End Date, Name, Transactions Monitored, Transactions Blocked, Transactions Detected

1159772400.0, 1159858799.0, 2006-10-02 07:00 GMT, 2006-10-03 06:59 GMT, Adware, 525, 2100, 2625

Table 5. Viewing Raw Data Entries

Category Header

Value

Description

Begin Timestamp

1159772400.0

Query start time in number of seconds from epoch.

End Timestamp

1159858799.0

Query end time in number of seconds from epoch.

Begin Date

2006-10-02 07:00 GMT

Date the query began.

End Date

2006-10-03 06:59 GMT

Date the query ended.

Name

Adware

Name of the malware category.

Transactions Monitored

525

Number of transactions monitored.

Transactions Blocked

2100

Number of transactions blocked.

Transactions Detected

2625

Total number of transactions:

Number of transactions detected + Number of transactions blocked.


Note
Category headers are different for each type of report.If you export localized CSV data, the headings may not be rendered properly in some browsers. This occurs because some browsers may not use the proper character set for the localized text. To work around this problem, you can save the file to your local machine, and open the file on any web browser using File > Open. When you open the file, select the character set to display the localized text.

Subdomains vs. Second Level Domains in Reporting and Tracking

In reporting and tracking searches, second-level domains (regional domains listed at http://george.surbl.org/two-level-tlds) are treated differently from subdomains, even though the two domain types may appear to be the same. For example:

  • Reports will not include results for a two-level domain such as co.uk , but will include results for foo.co.uk . Reports include subdomains under the main corporate domain, such as cisco.com .
  • Tracking search results for the regional domain co.uk will not include domains such as foo.co.uk , while search results for cisco.com will include subdomains such as subdomain.cisco.com .

Troubleshooting All Reports

Unable to View Report Data on Backup Security Management Appliance

Problem

You are unable to select a single Email Security appliance for which to view report data. The View Data For option does not appear on the reporting page.

Solution

See also Availability of Services During Backups.

Reporting Is Disabled

Problem

Canceling a backup in progress can disable reporting.

Solution

Reporting functionality will be restored after a backup is completed.