Given the appropriate security policies, disclaimers, etc. by the employer, admins typically need tools to record and report on how the internet connection is being used by its employees.
In the past, I've relied on my firewall appliance to log the most viewed domain names. Very rudimentary stuff. It was difficult to track down who visited siteAbc123.com in a domain of 50+ computers. The egregious traffic was really what we were after.
If the requirements are to provide a report, on a per user basis:
- bandwidth used
- sites/pages visited + hitcount
- protocols used (i.e. streaming radio)
Can you suggest any free or low cost tools that would help gather and create reports on this information for a small-medium business in a Windows environment?
squid deployed as a transparent proxy (everything outgoing TCP/80 redirected through it) without an on-disk cache (usually pointless on today's bandwidth, but you can use it if you want), with access logging turned on, then periodically run SARG from a cron job on the log files. Haven't had complaints from management about the solution.
Edit: Ah, didn't notice "Windows environment." Sorry. Still, this is definitely an option - all you need is some unused older machine, a couple of hundred megabytes space for the operating system, and as much space as you want for the log files and the produced reports (should be around 2 GB/day for reasonably webbrowsy 50 employees.) Probably not feasible if your organization doesn't have Unixy expertise, of course.
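For a sense of what a report generator such as SARG works from, here is an added example (not code from any of the posts here, and not part of Squid or SARG) that turns Squid access-log lines into per-user bandwidth and per-site hit counts. It assumes Squid's default native `access.log` layout; the sample lines are constructed and the function names are hypothetical.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1700000000.123    210 192.168.1.10 TCP_MISS/200 51200 GET http://news.example.com/index.html - HIER_DIRECT/203.0.113.5 text/html
1700000001.456     95 192.168.1.10 TCP_MISS/200 204800 GET http://news.example.com/img/a.png - HIER_DIRECT/203.0.113.5 image/png
1700000002.789  30000 192.168.1.22 TCP_MISS/200 7340032 GET http://radio.example.net:8000/stream - HIER_DIRECT/198.51.100.7 audio/mpeg
1700000003.000     12 192.168.1.22 TCP_DENIED/403 1500 GET http://blocked.example.org/ - HIER_NONE/- text/html
1700000004.000    150 192.168.1.10 TCP_TUNNEL/200 9000 CONNECT mail.example.com:443 alice HIER_DIRECT/192.0.2.9 -
this line is truncated
"""

def host_of(method, url):
    """Return the lowercase host; CONNECT entries log host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "-").lower()

def summarize(lines):
    """Per-user totals: bytes sent to the client, hits per host, bytes per type."""
    report = defaultdict(lambda: {"bytes": 0, "hosts": Counter(), "types": Counter()})
    skipped = 0
    for line in lines:
        f = line.split()
        if len(f) < 10 or not f[4].isdigit():
            skipped += 1  # malformed or truncated entry
            continue
        client, size, method, url, user, ctype = f[2], int(f[4]), f[5], f[6], f[7], f[9]
        # Without proxy authentication the user field is "-", so key on client IP.
        who = user if user != "-" else client
        entry = report[who]
        entry["bytes"] += size
        entry["hosts"][host_of(method, url)] += 1
        entry["types"][ctype] += size  # e.g. audio/mpeg hints at streaming radio
    return dict(report), skipped

def print_report(report):
    """Print users by descending bandwidth with their five most-hit hosts."""
    for who, e in sorted(report.items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{who}: {e['bytes'] / 1048576:.2f} MiB")
        for host, hits in e["hosts"].most_common(5):
            print(f"    {hits:4d}  {host}")

if __name__ == "__main__":
    rep, bad = summarize(SAMPLE_LOG.splitlines())
    print_report(rep)
    print(f"skipped {bad} malformed line(s)")
```

Keying on client IP only identifies a person if addresses map stably to users, for example through DHCP reservations or lease logs kept for the same period.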
There are plenty of good reporting tools that can be used with squid.
Lightsquid is pretty lightweight and will do what you want. It also has an online demo.
A mixture of ntop and squid should work for you. But both would require that you set up a couple of Linux servers or virtual machines; neither of these tools is complicated to set up.
I would place your ntop box as a transparent gateway between your hosts and the internet so you can track protocols and bandwidth consumption.
As far as monitoring the actual web usage, I would transparently route your HTTP packets to a squid server to get some very good tracking functionality. If your networking hardware won't support routing based on protocol you can place squid as a transparent proxy for your hosts.
I never suggest setting up a proxy server in a corporate environment that requires that the browsers get configured with the proxy server information. It is very easy to circumvent that method. Transparent proxies are the way to go.
It might be worth running everyone through a squid proxy in order to provide better logs of most requests than most firewalls provide.
I'm afraid that free solutions are limited. I would recommend: