Palo Alto Networks Knowledgebase: How to Troubleshoot User Activity Reports

How to Troubleshoot User Activity Reports

6982
Created On 02/08/19 00:00 AM - Last Updated 02/08/19 00:01 AM
Reporting and Logging
Resolution

Overview

The User Activity Report contains information related to user activities.  The report contains four sections displaying data from different log databases:

  • Application Usage (Traffic summary database)
  • Browsing Summary by Category (Traffic summary database)
  • Browsing Summary by Website (URL database)
  • Detailed Web Browsing Activity (URL database)

The first two report sections (Application Usage and Browsing Summary by Category) are based on summarized log data.  The data in these two sections may yield different results from a custom report based on the full traffic (non-summarized) database.

The last two report sections (Browsing Summary by Website and Detailed Web Browsing Activity) are based on the URL database.  This database contains non-summarized data and can be used for detailed reporting.

Issues

  1. The User Activity Report does not display all of the users' web browsing activities.
    • For the report to display the last three sections (Browsing Summary by Category, Browsing Summary by Website and Detailed Web Browsing Activity), a URL filtering Profile must be created using the alert Category Action in the required categories. This URL filtering profile is applied to the security policy for the user.
    • User Activity Reports are generated based on the Traffic logs and the URL logs.  A URL filtering profile may be set to take different action based on the URL category.
    • For example, alert might be set when a user visits a social networking web site and the allow option might be set for financial-services websites,  If the user visits facebook.com, which alerts as a social networking site, it shows up in the URL logs and appears in the User Activity Report.  Since bankofamerica.com is a financial-services site set to allow, it will not appear in the logs nor in the User Activity Report.
  2. The User Activity Report report, in the Application Usage and Browsing Summary by Category sections, does not return all logged user activity.
    • The Application Usage and Browsing Summary by Category sections of the User Activity Report run against the traffic summary database.  Results in these report sections will reflect summarized data.
    • To report on all user activity of this type our recommendation is to run a custom report using the same reporting parameters against the non-summary Traffic database.

owners: sdurga/bvandivier



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZxCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language