What is the best way to evaluate web filtering logs to evaluate whether employees are outside "Acceptable Use" policy? For example, is the employee spending time on Facebook, going to sites that have icons for "Follow us on Facebook" (without clicking on the link), or going to sites that support OAuth logins using Facebook? (In parallel, I am also trying to permit OAuth logins to Facebook without allowing usage of Facebook.)
For employee counseling about "Acceptable Use", I need to be able to distinguish between things the user "chose" (by typed entry or clicked link) and things that happened without his knowledge, either as part of browser overhead or embedded content elements.
I already parse my logs into a SQL database so that I can select all records on a single user on a specific date range, and I find adjacent items with the same request#, on the theory that the first entry is relevant, but any items after the first are user-selected. I am also trying to understand how to use Refer-From to evaluate the data correctly. But I think I am still seeing a lot of clutter for which the user is not accountable.
Since Chrome 58, I also have been running without HTTPS inspection, and it is clear that the logs become much less useful with it disabled -- only the connect action is logged, and only the FQDN of the server is identified.
Today, I started looking for a way to track time by application, but the Application Control feature only provides allow/block, not quota. The quota feature only shows total quota time used. I would need quota time by application or FQDN for this purpose.
Has anyone solved this?
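One way to separate chosen page loads from embedded content using the referer and request timing, as an added example that is not part of the original post and not any product's own logic. The field names (`ts`, `user`, `method`, `url`, `referer`, `ctype`), the 3-second window and the sample records are assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

EMBED_WINDOW = 3.0  # seconds; assumed threshold, tune against your own traffic

def classify(records):
    """Label time-sorted records 'navigation', 'embedded' or 'opaque'."""
    page_loaded = {}  # (user, page URL) -> time that page was requested
    out = []
    for r in records:
        if r["method"] == "CONNECT":
            # No HTTPS inspection: only the FQDN is logged, intent cannot be judged.
            label = "opaque"
        elif not r["ctype"].startswith("text/html"):
            label = "embedded"  # images, scripts, CSS: page overhead
        else:
            parent = page_loaded.get((r["user"], r["referer"]))
            if parent is not None and r["ts"] - parent <= EMBED_WINDOW:
                label = "embedded"  # widget/iframe fetched right after its parent page
            else:
                label = "navigation"  # typed URL (no referer) or a later click
                page_loaded[(r["user"], r["url"])] = r["ts"]
        out.append((r["url"], label))
    return out

def chosen_hosts(records):
    """Count only the hosts the user plausibly chose to visit."""
    return Counter(urlsplit(u).hostname
                   for u, label in classify(records) if label == "navigation")

# Constructed sample: one page with a Facebook widget, then a deliberate click.
SAMPLE = [
    {"ts": 0.0, "user": "alice", "method": "GET", "url": "http://news.example/",
     "referer": "", "ctype": "text/html"},
    {"ts": 0.4, "user": "alice", "method": "GET", "url": "http://static.example/logo.png",
     "referer": "http://news.example/", "ctype": "image/png"},
    {"ts": 0.8, "user": "alice", "method": "GET",
     "url": "http://www.facebook.com/plugins/like.php",
     "referer": "http://news.example/", "ctype": "text/html"},
    {"ts": 45.0, "user": "alice", "method": "GET", "url": "http://www.facebook.com/",
     "referer": "http://news.example/", "ctype": "text/html"},
    {"ts": 50.0, "user": "alice", "method": "CONNECT", "url": "graph.facebook.com:443",
     "referer": "", "ctype": ""},
]

if __name__ == "__main__":
    for url, label in classify(SAMPLE):
        print(f"{label:10} {url}")
```

The timing rule is a heuristic: redirects, background tabs and referrer policies that strip the path will misclassify some entries, so treat "navigation" as a candidate for review rather than proof of intent.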