Suppress Personal Information From Access Logs
You can configure the Web Security Service to suppress some or all user identification information from the Access Logs on the devices in the Symantec data centers. Currently, WSS allows you to suppress the following data types from the logs:
- User and Group Names and Device Information
- User and Group Names, Device Information, Client IP Addresses, Geolocations
- All Data (Do not log any information)
To suppress these data types from the access logs, the portal provides two control types:
- Default—Applies to all traffic.
- Granular—Suppress any of the preceding data types for specific users, groups, and locations. Granular controls override the default settings.
- You want to suppress the user names of guests who access your WiFi network while they wait in the lobby. The Default setting is Log all traffic normally (no suppression) and the Granular setting is Do not log user/group name and client IP for the HQLobbyGuestWiFi (example name) location.
- You need to suppress some user and group names from the employee-generated logs. Additionally, you want to prevent the recording of all PII data from the Executive Staff. The Default setting is Do not log user/group name and the Granular setting is Do not log any data for the EStaff group list (this is an Object Library group list created for this example).
- You might have a set of employees that require identity suppression because of their geolocation or particular job duties. You can suppress user identities based on access method locations that you have added to the WSS portal. Geolocation can only be suppressed when your portal account has the Advanced Web Security with Risk Controls and Web Applications add-on license. If the license is not present, Geolocation is not collected. See About Geolocation Policies.
- In the case of multiple privacy level matches, WSS applies the strictest level. For example, you have a user that exists in WestCoast and Legal. The policy for WestCoast is Log all traffic normally and the policy for Legal is Do not log any data. The user identity information is not logged, thus it is not visible in reporting.
If your portal is deployed in Universal Policy Enforcement (UPE) mode, refer to the Suppress Information in UPE Deployments section located after the procedure.
- Verify and complete the following prerequisites:
- Verify that your WSS account connects to your Active Directory through the Auth Connector and integrates with your SAML implementation to provide the user and group names. Navigate to Identity > Users & Groups.
- If necessary and to allow for more efficient policy, use the Policy > Object Library to create custom user, group, and locations lists.
- Navigate to Account Configuration > Data Retention and Privacy.
- Expand the End User Privacy area.
- Select the Default Privacy Setting. The default value is Log all traffic normally, which means no log data is suppressed from logs. From the For all traffic drop-down list, select a suppression option that applies to all users whose traffic routes through WSS.
- If necessary, apply more Granular Log Controls. Click Add. The service displays the Add Granular Privacy Controls dialog.
- Select a suppression option that applies to specific user, group, or location.
- Select Available Items (users, groups, and locations; Shift+Left-mouse-click to select multiple objects).
- The portal places the object in its correct table. If you Change the Privacy Level for any object, WSS moves the object to the correct policy table/column. If the same object already exists in that policy, WSS merges the objects. Name duplication does not occur.
Suppress Information in UPE Deployments
When WSS is deployed in UPE mode, the Log All Traffic Normally option is enabled by default. To suppress personal information, add the following proxy CPL code to the policy that Management Center pushes up to WSS:

<proxy>
    log.rewrite.cs-userdn("Suppressed") log.rewrite.cs-user("Suppressed") log.rewrite.cs-auth-groups("Suppressed") log.rewrite.cs-auth-group("Suppressed") log.rewrite.c-ip("0.0.0.0")

You can remove specific constructs as necessary. For example, remove the log.rewrite.c-ip("0.0.0.0") construct if you do not want the Client IP Address to be suppressed.
As Technical Support might continue to edit best practices in the following KB article:
After you know that some relevant traffic has passed, generate the Reports > Report Center > Full Log Details report.
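
One way to confirm that the rewrite rule took effect is to scan an exported access log for fields that still carry real values. The following is an added example, not part of the original page or the product. It assumes a space-delimited export with a `#Fields:` header line, and the sample log lines are constructed for illustration.

```python
import shlex

# Values the CPL rewrite rule on this page is expected to leave in the log.
# Remove an entry if you removed the matching construct from the policy.
EXPECTED = {
    "cs-userdn": "Suppressed",
    "cs-user": "Suppressed",
    "cs-auth-groups": "Suppressed",
    "cs-auth-group": "Suppressed",
    "c-ip": "0.0.0.0",
}

def find_leaks(lines, expected=EXPECTED):
    """Return (line_number, field, value) for every field that was not rewritten."""
    fields, leaks = [], []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        try:
            values = shlex.split(line)  # quoted values may contain spaces
        except ValueError:
            values = []  # unbalanced quotes; reported as malformed below
        if len(values) != len(fields):
            leaks.append((lineno, "<malformed>", line))
            continue
        row = dict(zip(fields, values))
        for name, want in expected.items():
            if name in row and row[name] != want:
                leaks.append((lineno, name, row[name]))
    return leaks

# Constructed sample export; field order and values are assumptions.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-user cs-userdn cs-auth-group cs-auth-groups cs-host sc-status
2024-05-01 10:00:01 0.0.0.0 Suppressed Suppressed Suppressed Suppressed example.com 200
2024-05-01 10:00:02 192.0.2.15 Suppressed Suppressed Suppressed Suppressed example.org 200
2024-05-01 10:00:03 0.0.0.0 "jdoe" "CN=J Doe,OU=Legal,DC=example,DC=test" Suppressed Suppressed example.net 403
""".splitlines()

if __name__ == "__main__":
    for lineno, field, value in find_leaks(SAMPLE_LOG):
        print(f"line {lineno}: {field} not suppressed: {value!r}")
```

Rows that do not match the header's field count are reported as `<malformed>` rather than skipped, so a parsing problem cannot hide an unsuppressed value.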