Administration Guide › Queries and Reports › Prompts › Use the Port Prompt

Use the Port Prompt

The port prompt queries for events where the port you specify appears in the selected CEG fields of the refined event. When raw event data is refined, event details can include several different CEG port numbers. Consider this scenario:

1. The event initiator on the source host uses the outbound source_port communication port for initiating the event action on a target residing on the destination host through the inbound dest_port communications port.

   Note: Source_port and dest_port are the same for local events. Otherwise, they are host-specific.

2. This event is recorded in a repository on the event source.
3. A CA Enterprise Log Manager agent makes a copy of the event recorded on the event source.
4. The agent transmits the copy of the event through the outbound port, receiver_port, to a CA Enterprise Log Manager collection server.

   Note: The agent uses port 17001, by default, to secure communications to the CA Enterprise Log Manager collection server.

To use the Port prompt

1. Select Queries and Reports.

   The Query List displays the Prompts folder and one or more folders for other queries.

2. Expand Prompts and select Port.

   The Port prompt appears.

3. Enter the port number on which to base this query.
4. Select the fields on which to query for data matching your port number entry:

   source_port

   Is the communications port used for initiating the action.

   dest_port

   Is the communication port on the destination host that is the target of the action.

   receiver_port

   Is the port that the agent uses to communicate with the CA Enterprise Log Manager collection server.

5. Click Go.

   Results of the port prompt query appear.

6. Use the following descriptions to interpret the query results:

   CA Severity

   Indicates the severity of the event, where the values in increasing order of severity include: Information, Warning, Minor Impact, Major Impact, Critical, and Fatal.

   Date

   Indicates when the event occurred.

   Source IP

   Identifies the IP address of the host from which the event action was initiated.

   Result

   Specifies a code for the event result of the corresponding action, where S means Success, F means Failure, A means Accepted, D means Dropped, R means Rejected, and U means Unknown.

   Source Port

   Identifies the outbound port used for initiating the action.

   Destination Port

   Identifies the inbound port on the destination host.

   Receiver Host

   Identifies the outbound port on the agent used to send event logs to the CA Enterprise Log Manager server.

   Category

   Identifies the high-level category of the corresponding event action. For example, System Access is the category for the Authentication action.

   Action

   Identifies the event action.

   Log Name

   Identifies the log name used by the connector that collected the event.