Administration Guide › Queries and Reports › Prompts › Use the IP Prompt

Use the IP Prompt

The IP prompt queries for events where the IP address you specify appears in the selected CEG fields of the refined event. When raw event data is refined, event details can include several different CEG IP addresses. Consider this scenario:

1. The event initiator on source_address attempts an act, event_action, on a target residing on dest_address.

   Note: Source_address and dest_address can be different or the same.

2. This event is recorded in a repository on event_source_address.

   Note: Event_source_address can be different from either source_address or dest_address or can be the same as one or both.

3. A CA Enterprise Log Manager agent installed on agent_address makes a copy of the event recorded on event_source_address

   Note: Agent_address is the same as event_source_address in agent-based log collection but is different in agentless and direct log collection.

4. The agent on agent_address transmits the copy of the event in event_logname to a CA Enterprise Log Manager collection server.

To use the IP prompt

1. Select Queries and Reports.

   The Query List displays the Prompts folder and one or more folders for other queries.

2. Expand Prompts and select Host.

   The IP prompt appears.

3. Enter the IP address on which to base this query.
4. Select one or more of the following fields to query for data matching your IP address entry.
   • source_address

     Is the IP address of the host where the action was initiated.

   • dest_address

     Is the IP address of a host that is the destination or target of the action.

   • event_source_address

     Is the IP address of a host that records the raw event when the event occurs.

     For example, you can deploy a connector based on WinRM to collect events from the Event Viewer on a Windows Server 2008 host. To select events retrieved from a given Windows Server 2008 host, enter the IP address of that server and select this field.

   • receiver_hostaddress

     Is the same as agent_address.

   • agent_address

     Is the IP address of a host where a CA Enterprise Log Manager agent is deployed.

5. Click Go.

   Results of the IP prompt query appear.

6. Use the following descriptions to interpret the query results:
   • CA Severity

     Indicates the severity of the event, where the values in increasing order of severity include: Information, Warning, Minor Impact, Major Impact, Critical, and Fatal.

   • Date

     Indicates when the event occurred.

   • Result

     Provides a code for the result of the corresponding action, where the displayed letter has the following meaning: S for success, F for failure, A for Accepted, D for Dropped, R for Rejected, and U for Unknown.

   • Destination Port

     Identifies the communication port on the destination host, the target of the event action.

   • Source IP

     Identifies the IP address from which the event action was initiated.

   • Destination IP

     Identifies the IP address of the host that was the target of the event action.

   • Event Source IP

     Identifies the IP address of the host with the repository where the event was originally recorded.

   • Agent IP

     Identifies the name of the host with the CA Enterprise Log Manager agent responsible for the collection of events from the event source.

   • Receiver IP

     The same as Agent IP.

   • Category

     Identifies the high-level category of the corresponding event action. For example, System Access is the category for the Authentication action.

   • Action

     Identifies the event action.

   • Log Name

     Identifies the log name used by the connector that collected the event