Administration Guide › Queries and Reports › Prompts › Use the Log Name Prompt

Use the Log Name Prompt

Each connector that is based on the same integration returns event logs collected from the event source to the CA Enterprise Log Manager collection server in a log file with a predefined name.The log name prompt queries for events involving the log name you specify.

Use the log name prompt to query for events transferred in a log file with the specified name. Each connector is based on an integration. Each integration uses a predefined log name. A query for a given log name returns results of events collected by different agents that use connectors based on the same integration or similar integrations.

A variety of conventions are used for naming logs:

• Integration name. CA Federation is the log name for the CA_Federation_Manager integration.
• Product name. McAfee Vulnerability Manager is the log name for both McAfee_VM and McAfee_VM_CM. MS AD Rights Management Services is the log name for both Microsoft_Active_Directory_RMS and Microsoft_Active_Directory_RMS_ODBC.
• Vendor name: Oracle is the log name for Oracl10g, Oracle9i, Oracle_AppLog, and Oracle_Syslog.
• Log type: Unix is the log name for the following integrations:AIX_Syslog, HPUX_Syslog, Linux_Syslog, SLES_Syslog, and Solaris_Syslog.

Some log names are reused as new releases or platforms are added. For example, NT-Security is the log name for security logs for the following integrations: NTEventLog, Windows2k8, and WinRM.

To use the Log Name prompt

1. Select Queries and Reports.

   The Query List displays the Prompts folder and one or more folders for other queries.

2. Expand Prompts and select Log name.

   The Log name prompt filter appears with the following field:

   event_logname

   Is the name of a log file associated with a specific integration.

3. Select the log name used to transmit events you want to view and click Go.

   Results of the log name prompt query appear.

4. Use the following descriptions to interpret the query results:

   CA Severity

   Indicates the severity of the event, where the values in increasing order of severity include: Information, Warning, Minor Impact, Major Impact, Critical, and Fatal.

   Date

   Indicates when the event occurred.

   Category

   Identifies the high-level category of the corresponding event action. For example, System Access is the category for the Authentication action.

   Action

   Identifies the event action performed by the corresponding performer.

   Host

   Identifies the event source host from which the connector is collecting events.

   Performer

   Identifies the source actor of the event, that is, the identity that initiated the action. The performer can be expressed as the source username or source process name.

   Account

   Identifies the username of the account used for authentication. When the connector attempts a connection to the event source, authentication occurs. Authentication typically uses a low-privileged account. During connector deployment, the administrator configures credentials for this account on the event source and then identifies this account on the log sensor.

   Result

   Specifies a code for the event result of the corresponding action, where S means Success, F means Failure, A means Accepted, D means Dropped, R means Rejected, and U means Unknown.

   Log Name

   The log name entered in the prompt filter field.