Administration Guide › Queries and Reports › Prompts › Use the Host Prompt

Use the Host Prompt

The host prompt queries for events where the hostname you specify appears in the selected CEG fields of the refined event. When raw event data is refined, event details can include several different CEG host names. Consider this scenario:

1. The event initiator on source_hostname attempts an act, event_action, on a target residing on dest_hostname.

   Note: Source_hostname and dest_hostname can be different hosts or the same host.

2. This event is recorded in a repository on event_source_hostname.

   Note: Event_source_name can be a different host than either source_hostname or dest_hostname or can be colocated.

3. A CA Enterprise Log Manager agent installed on agent_hostname makes a copy of the event recorded on event_source_hostname.

   Note: Agent_hostname is the same as event_source_name in agent-based log collection but is different in agentless and direct log collection.

4. The CA Enterprise Log Manager agent on agent_hostname transmits the copy of the event in event_logname to a CA Enterprise Log Manager collection server.

To use the Host prompt

1. Select Queries and Reports.

   The Query List displays the Prompts folder and one or more folders for other queries.

2. Expand Prompts and select Host.

   The Host prompt appears.

3. Enter the name of the host on which to base this query.
4. Select the fields on which to query for data matching your host name entry.

   source_hostname

   Is the name of the host where the event action was initiated.

   dest_hostname

   Is the name of a host that is the destination or target of the action.

   event_source_hostname

   Is the name of a host that records the event when the event occurs.

   For example, you can deploy a connector based on WinRM to collect events from the Event Viewer on a Windows Server 2008 host. To select events retrieved from a given Windows Server 2008 host, enter the hostname of that server and select this field.

   receiver_hostname

   Is the same as agent_hostname.

   agent_hostname

   Is the name of the host where a CA Enterprise Log Manager agent is deployed.

5. Click Go.

   Results of the host prompt query appear.

6. Use the following descriptions to interpret the query results:

   CA Severity

   Indicates the severity of the event, where the values in increasing order of severity include: Information, Warning, Minor Impact, Major Impact, Critical, and Fatal.

   Date

   Indicates when the event occurred.

   Source User

   Identifies the name of the user on source_hostname who initiated the event action.

   Result

   Specifies a code for the event result of the corresponding action, where S means Success, F means Failure, A means Accepted, D means Dropped, R means Rejected, and U means Unknown.

   Agent Host

   Identifies the name of the host where the CA Enterprise Log Manager agent who collected the event is installed.

   Receiver Host

   The same as agent host.

   Category

   Identifies the high-level category of the corresponding event action. For example, System Access is the category for the Authentication action.

   Action

   Identifies the event action performed by the source user.

   Log Name

   Identifies the log name used by the connector that collected the event. All connectors based on the same integration transmit events in a log file with the same log name.