Glossary

access filter

An access filter is a filter that the Administrator can set to control what event data non-Administrator users or groups can view. For example, an access filter can restrict the data specified identities can view in a report. Access filters are automatically converted into obligation policies.

access policy

An access policy is a rule that grants or denies an identity (user or user group) access rights to an application resource. CA Enterprise Log Manager determines whether policies apply to the particular user by matching identities, resources, resource classes, and evaluating the filters.

account

An account is a global user who is also a CALM application user. A single person could have more than one account, each with a different user-defined role.

action alert

An action alert is a scheduled query job, which can be used to detect policy violations, usage trends, login patterns, and other event actions that require near-term attention. By default, when the alert queries return results, the results are displayed on the CA Enterprise Log Manager Alerts page and are also added to an RSS Feed. When you schedule an alert, you can specify additional destinations, including email, a CA IT PAM event/alert output process, and SNMP traps.

action query

An action query is a query that supports an Action Alert. It is run on a recurring schedule to test for the conditions outlined by the Action Alert to which it is attached.

Administrator role

The Administrator role grants users the ability to perform all valid actions on all CA Enterprise Log Manager resources. Only Administrators are permitted to configure log collection and services or manage users, access policies, and access filters.

agent

An agent is a generic service configured with connectors, each of which collects raw events from a single event source and then sends them to a CA Enterprise Log Manager for processing. Each CA Enterprise Log Manager has an onboard agent. Additionally, you can install an agent on a remote collection point to collect events from hosts where agents cannot be installed. You can also install an agent on the host where event sources are running and benefit from the ability to apply suppression rules and encrypt transmission to the CA Enterprise Log Manager.

agent explorer

The agent explorer is the store for agent configuration settings. (Agents can be installed on a collection point or on the endpoints where the event sources exist.)

agent group

An agent group is a tag that users can apply to selected agents. It lets users apply an agent configuration to multiple agents at once and retrieve reports based on the groups. A given agent can belong to only one group at a time. Agent groups are based on user-defined criteria such as geographical region or importance.

agent management

Agent management is the software process that controls all agents associated with all federated CA Enterprise Log Managers. It authenticates agents that communicate with it.

alert server

The alert server is the store for action alerts and action alert jobs.

Analyst role

The Analyst role grants users the ability to create and edit custom reports and queries, edit and annotate reports, create tags, and schedule reports and action alerts. Analysts can also perform all Auditor tasks.

application group

An application group is a product-specific group that can be assigned to a global user. Predefined application groups for CA Enterprise Log Manager, or roles, are Administrator, Analyst and Auditor. These application groups are only available for CA Enterprise Log Manager users; they are not available for assignment to users of other products registered to the same CA EEM server. User-defined application groups must be added to the CALM Application Access default policy so that their members can log in to CA Enterprise Log Manager.

application instance

An application instance is a common space in the CA EEM repository where all the authorization policies, users, groups, content, and configurations are stored. Typically, all CA Enterprise Log Manager servers in an enterprise use the same application instance (CAELM, by default). You can install CA Enterprise Log Manager servers with different application instances, but only servers that share the same application instance can be federated. Servers configured to use the same CA EEM server but with different application instances share only the user store, password policies, and global groups. Different CA products have different default application instances.

application resource

An application resource is any of the CA Enterprise Log Manager-specific resources to which CALM access policies grant or deny specified identities the ability to perform application-specific actions such as create, schedule and edit. Examples include report, alert, and integration. See also global resource.

application user

An application user is a global user that has been assigned application-level details. CA Enterprise Log Manager application user details include the user group and any restrictions on access. If the user store is the local repository, application user details also include the logon credentials and password policies.

AppObjects

The AppObjects, or Application Objects, are product-specific resources stored in CA EEM under the application instance for a given product. For the CAELM application instance, these resources include report and query content, scheduled jobs for reports and alerts, agent content and configurations, service, adapter, and integration configurations, data mapping and message parsing files, and suppression and summarization rules.

archive catalog

See catalog.

archive query

An archive query is a query of the catalog that is used to identify the cold databases that need to be restored and defrosted for querying. An archive query is different from a normal query in that it targets cold databases, whereas a normal query targets hot, warm, and defrosted databases. Administrators can issue an archive query from the Administration tab, Log Collection subtab, Archive Catalog Query option.

archived databases

The archived databases on a given CA Enterprise Log Manager server include all warm databases that are available for querying but need to be manually backed up before they expire, all cold databases that have been recorded as backed up, and all databases that have been recorded as restored from backup.

audit records

Audit records contain security events such as authentication attempts, file accesses, and changes to security policies, user accounts, or privileges. Administrators specify which types of events should be audited and what should be logged.

Auditor role

The Auditor role grants users access to reports and the data they contain. Auditors can view reports, the report template list, the scheduled report job list, and the generated report list. Auditors can schedule and annotate reports. Auditors do not have access to the RSS (Rich Site Summary) feeds unless the configuration is set to require no authentication for viewing action alerts.

auto-archive

Auto-archive is a configurable process that automates the moving of archive databases from one server to another. In the first auto-archive phase, the collection server sends newly archived databases to the reporting server at the frequency you specify. In the second phase, the reporting server sends aging databases to the remote storage server for long-term storage, eliminating the need for a manual backup and move procedure. Auto-archiving requires that you configure passwordless authentication from the source server to the destination server.

CA adapters

The CA Adapters are a group of listeners that receive events from CA Audit components such as CA Audit clients, iRecorders, and SAPI recorders as well as sources that send events natively through iTechnology.

CA Enterprise Log Manager

CA Enterprise Log Manager is a solution that helps you collect logs from widely dispersed event sources of different types, check for compliance with queries and reports, and keep records of databases of compressed logs you have moved to external, long-term storage.

CA IT PAM

CA IT PAM is the short form for CA IT Process Automation Manager. This CA product automates processes you define. CA Enterprise Log Manager uses two processes--the process of creating an event/alert output process for a local product, such as CA Service Desk, and the process of dynamically generating lists that can be imported as keyed values. Integration requires CA IT PAM r2.1.

CA Spectrum

CA Spectrum is a network fault management product that can be integrated with CA Enterprise Log Manager for use as a destination for alerts sent in the form of SNMP traps.

CA Subscription Server

The CA Subscription Server is the source for subscription updates from CA.

CAELM

CAELM is the application instance name that CA EEM uses for CA Enterprise Log Manager. To access CA Enterprise Log Manager functionality in CA Embedded Entitlements Manager, enter the URL, https://<ip_address>:5250/spin/eiam/eiam.csp, select CAELM as the application name and enter the password of the EiamAdmin user.

caelmadmin

The caelmadmin user name and password are credentials required to access the operating system of the soft appliance. The caelmadmin user ID is created during the installation of this operating system. During installation of the software component, the installer must specify the password for the CA EEM superuser account, EiamAdmin. The caelmadmin account is assigned this same password. We recommend that the server administrator ssh in as the caelmadmin user and change this default password. Although the administrator cannot ssh in as root, the administrator can switch users to root (su root) if needed.

caelmservice

The caelmservice is a service account that allows iGateway and the local CA EEM services to run as a non-root user. The caelmservice account is used for installing operating system updates downloaded with subscription updates.

calendar

A calendar is a means of limiting the times that an access policy is effective. A policy allows specified identities to perform specified actions against a specified resource during a specified time.

CALM

CALM is a predefined resource class that includes the following CA Enterprise Log Manager resources: Alert, ArchiveQuery, calmTag, Data, EventGrouping, Integration, and Report. Actions permitted on this resource class are Annotate (Reports), Create (Alert, calmTag, EventGrouping, Integration, and Report), Dataaccess (Data), Run (ArchiveQuery), and Schedule (Alert, Report).

CALM Application Access policy

The CALM Application Access policy is an access control list type of scoping policy that defines who can log into the CA Enterprise Log Manager. By default, the [Group] Administrator, [Group] Analyst and [Group] Auditor are granted logon access.
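The access policy, access filter, calendar and CALM Application Access entries above describe a small authorization model: identities (users and groups), a resource class, resources, actions, and an optional calendar that limits when a policy is effective. The following Python is an added example that implements that model end to end; it is not CA EEM or CA Enterprise Log Manager code. The combination rule it uses (an explicit deny overrides any grant, and no matching policy means deny) and the "Contractor" group and its policies are assumptions made for the example; the role names and CALM actions are the ones listed in this glossary.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional

# Illustrative evaluator for the glossary's access-policy model. Added example
# code, not CA EEM or CA Enterprise Log Manager code. Assumption: an explicit
# deny overrides grant, and no matching policy means deny (least privilege).


@dataclass(frozen=True)
class Identity:
    name: str
    groups: frozenset = frozenset()

    def tokens(self) -> set:
        # Strings a policy can name: the user itself and "[Group] X" for each
        # group, in the style of the CALM Application Access policy entry.
        return {self.name} | {f"[Group] {g}" for g in self.groups}


@dataclass(frozen=True)
class Calendar:
    weekdays: frozenset      # 0 = Monday ... 6 = Sunday
    start: time
    end: time

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.weekdays and self.start <= at.time() < self.end


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str              # "grant" or "deny"
    identities: frozenset    # user names and/or "[Group] ..." strings
    resource_class: str      # e.g. "CALM"
    resources: frozenset     # resource names within the class; "*" matches any
    actions: frozenset       # e.g. {"Create", "Schedule"}
    calendar: Optional[Calendar] = None

    def applies(self, who: Identity, resource_class: str, resource: str,
                action: str, at: datetime) -> bool:
        return (bool(who.tokens() & self.identities)
                and resource_class == self.resource_class
                and (resource in self.resources or "*" in self.resources)
                and action in self.actions
                and (self.calendar is None or self.calendar.active(at)))


def evaluate(policies: List[Policy], who: Identity, resource_class: str,
             resource: str, action: str, at: datetime) -> bool:
    """True if access is granted: any matching deny wins, otherwise a matching
    grant is needed (assumed semantics, see the note above)."""
    matching = [p for p in policies
                if p.applies(who, resource_class, resource, action, at)]
    if any(p.effect == "deny" for p in matching):
        return False
    return any(p.effect == "grant" for p in matching)


# Constructed sample policies loosely following the predefined roles in this
# glossary, plus a hypothetical "Contractor" group to show calendar and deny.
BUSINESS_HOURS = Calendar(frozenset(range(5)), time(8, 0), time(18, 0))
CALM_ACTIONS = frozenset({"Annotate", "Create", "Dataaccess", "Run", "Schedule"})

POLICIES = [
    Policy("admin-all", "grant", frozenset({"[Group] Administrator"}),
           "CALM", frozenset({"*"}), CALM_ACTIONS),
    Policy("analyst-content", "grant", frozenset({"[Group] Analyst"}),
           "CALM", frozenset({"Report", "Alert", "calmTag", "EventGrouping"}),
           frozenset({"Create", "Schedule", "Annotate"})),
    Policy("auditor-reports", "grant", frozenset({"[Group] Auditor"}),
           "CALM", frozenset({"Report"}), frozenset({"Annotate", "Schedule"})),
    # Hypothetical: contractors may annotate reports only during business hours ...
    Policy("contractor-hours", "grant", frozenset({"[Group] Contractor"}),
           "CALM", frozenset({"Report"}), frozenset({"Annotate"}), BUSINESS_HOURS),
    # ... and may never schedule alerts, even if another group grants it.
    Policy("contractor-no-alerts", "deny", frozenset({"[Group] Contractor"}),
           "CALM", frozenset({"Alert"}), frozenset({"Schedule"})),
]

WEEKDAY_MORNING = datetime(2024, 3, 6, 10, 0)   # a Wednesday
WEEKEND_MORNING = datetime(2024, 3, 9, 10, 0)   # a Saturday


def can(who: Identity, resource: str, action: str, at: datetime) -> bool:
    return evaluate(POLICIES, who, "CALM", resource, action, at)


if __name__ == "__main__":
    dana = Identity("dana", frozenset({"Contractor", "Analyst"}))
    print(can(dana, "Report", "Annotate", WEEKDAY_MORNING))   # True via contractor-hours
    print(can(dana, "Report", "Annotate", WEEKEND_MORNING))   # False: calendar not active
    print(can(dana, "Alert", "Schedule", WEEKDAY_MORNING))    # False: deny beats the Analyst grant
```

The point a practitioner should take from the last line: a user who belongs to several groups accumulates every grant those groups carry, so a restriction that must hold for a group needs an explicit deny, not merely the absence of a grant.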

calmTag

The calmTag is a named attribute on the AppObject used when creating a scoping policy to limit the users to reports and queries belonging to certain Tags. All reports and queries are AppObjects and have calmTag as an attribute. (This is not to be confused with the resource Tag.)

catalog

The catalog is the database on each CA Enterprise Log Manager that maintains the state of archived databases as well as acting like a high level index across all databases. State information (warm, cold, or defrosted) is maintained for all databases that have ever been on this CA Enterprise Log Manager and any database that has been restored to this CA Enterprise Log Manager as a defrosted database. Indexing ability extends to all hot and warm databases in the event log store on this CA Enterprise Log Manager.

CEG fields

CEG fields are labels used to standardize the presentation of raw event fields from disparate event sources. During event refinement, CA Enterprise Log Manager parses raw event messages into a series of name/value pairs, then maps the raw event names to standard CEG fields. This refinement creates name/value pairs consisting of CEG fields and values from the raw event. That is, different labels used in raw events for the same data object or network element are converted to the same CEG field name when raw events are refined. CEG fields are mapped to OIDs in the MIB used for SNMP traps.

certificates

The predefined certificates used by CA Enterprise Log Manager are CAELMCert.cer and CAELM_AgentCert.cer. All CA Enterprise Log Manager services use CAELMCert.cer to communicate with the management server. All agents use CAELM_AgentCert.cer to communicate with their collection server.

cold database state

A cold database state is applied to a warm database when an Administrator runs the LMArchive utility to notify CA Enterprise Log Manager that the database has been backed up. Administrators must back up warm databases and run this utility before the databases are deleted. A warm database is automatically deleted when its age exceeds the Max Archive Days or when the configured Archive Disk Space threshold is reached, whichever comes first. You can query the archive catalog to identify databases in the warm and cold states.

collection point

A collection point is a server on which an agent is installed, where the server has network proximity to all of the servers with event sources associated with its agent's connectors.

collection server

A collection server is a role performed by a CA Enterprise Log Manager server. A collection server refines incoming event logs, inserts them into the hot database, compresses the hot database, and auto-archives, or copies, it to the related reporting server. The collection server compresses the hot database when it reaches the configured size and auto-archives it on the configured schedule.

Common Event Grammar (CEG)

Common Event Grammar (CEG) is the schema that provides a standard format to which CA Enterprise Log Manager converts events using parsing and mapping files, before storing them in the Event Log Store. The CEG uses common, normalized fields to define security events from different platforms and products. Events that cannot be parsed or mapped are stored as raw events.

computer security log management

Computer Security Log Management is defined by NIST as "the process for generating, transmitting, storing, analyzing, and disposing of computer security log data."

connector

A connector is an integration for a particular event source that is configured on a given agent. An agent can load multiple connectors of similar or dissimilar types into memory. The connector enables raw event collection from an event source and rule-based transmission of converted events to an event log store, where they are inserted into the hot database. Out-of-the-box integrations provide optimized collection from a wide range of event sources, including operating systems, databases, web servers, firewalls, and many types of security applications. You can define a connector for a homegrown event source from scratch or by using an existing integration as a template.

content updates

Content updates are the non-binary portion of subscription updates that are saved in the CA Enterprise Log Manager management server. Content updates include content such as XMP files, DM files, configuration updates for CA Enterprise Log Manager modules, and public key updates.

data access

Data access is a type of authorization granted to all CA Enterprise Log Manager users through the Default Data Access policy on the CALM resource class. All users have access to all of the data except where restricted by data access filters.

data mapping (DM)

Data mapping is the process of mapping the key value pairs into the CEG. Data mapping is driven by a DM file.

data mapping (DM) files

Data mapping (DM) files are XML files that use the CA Common Event Grammar (CEG) to transform events from the source format into a CEG-compliant form that can be stored for reporting and analysis in the Event Log Store. One DM file is required for each log name before the event data can be stored. Users can modify a copy of a DM file and apply it to a specified connector.

database states

The database states include hot for the uncompressed database of new events, warm for a database of compressed events, cold for a backed up database, and defrosted for a database restored to the event log store where it was backed up. You can query hot, warm, and defrosted databases. An archive query displays information on cold databases.

default agent

The default agent is the onboard agent that is installed with the CA Enterprise Log Manager server. It can be configured for direct collection of syslog events as well as events from various non-syslog event sources such as CA Access Control r12 SP1, Microsoft Active Directory Certificate Service, and Oracle9i databases.

defrosted database state

A defrosted database state is the state applied to a database that has been restored to the archive directory after the Administrator runs the LMArchive utility to notify CA Enterprise Log Manager that it has been restored. Defrosted databases are retained for the number of hours configured for the Export Policy. You can query for event logs in databases that are in the hot, warm, and defrosted states.

defrosting

Defrosting is the process of changing the state of a database from cold to defrosted. This process is performed by CA Enterprise Log Manager when notified by the LMArchive utility that a known cold database has been restored. (If the cold database is not restored to its original CA Enterprise Log Manager, the LMArchive utility is not used and defrosting is not required; recataloging adds the restored database as a warm database.)

delegation policy

A delegation policy is an access policy that lets a user delegate their authority to another user, application group, global group, or dynamic group. Delegation policies are not removed when their creator is deleted or disabled; you must explicitly delete the delegation policies that such a user created.

direct log collection

Direct log collection is the log collection technique where there is no intermediate agent between the event source and the CA Enterprise Log Manager software.

dynamic user group

A dynamic user group is composed of global users that share one or more common attributes. A dynamic user group is created through a special dynamic user group policy where the resource name is the dynamic user group name and membership is based on a set of filters configured on user and group attributes.

dynamic values process

A dynamic values process is a CA IT PAM process that you can invoke to populate or update the values list for a selected key that is used in reports or alerts. You provide the path to the Dynamic Values Process as part of IT PAM configuration on the Report Server Service List under the Administration tab. You click Import Dynamic Values list on the Values section associated with Key Values on this same UI page. Invoking the dynamic values process is one of three ways you can add values to your keys.

EEM User

The EEM User, configured in the Auto-Archiving section of the Event Log Store, specifies the user who can perform an archive query, recatalog the archive database, run the LMArchive utility, and run the restore-ca-elm shell script to restore archive databases for examination. This user must be assigned the predefined role of Administrator or a custom role associated with a custom policy that permits the edit action on the Database resource.

EiamAdmin user name

EiamAdmin is the default superuser name assigned to the installer of the CA Enterprise Log Manager servers. While installing the first CA Enterprise Log Manager software, the installer creates a password for this superuser account, unless a remote CA EEM server already exists. In that case, the installer must enter the existing password. After installing the soft appliance, the installer opens a browser from a workstation, enters the URL for CA Enterprise Log Manager and logs in as EiamAdmin with the associated password. This first user sets the user store, creates password policies, and creates the first user account with an Administrator role. Optionally, the EiamAdmin user can perform any operation controlled by the CA EEM.

entitlement management

Entitlement management is the means of controlling what users are allowed to do once they are authenticated and logged on to the CA Enterprise Log Manager interface. This is achieved with access policies associated with roles assigned to users. Roles, or application user groups, and access policies can be predefined or user-defined. Entitlement management is handled by the CA Enterprise Log Manager internal user store.

EPHI-related reports

The EPHI-related reports are reports that focus on HIPAA security, where EPHI stands for Electronic Protected Health Information. These reports can help you demonstrate that all individually identifiable health information related to patients that is created, maintained, or transmitted electronically is protected.

event aggregation

Event aggregation is the process by which similar log entries are consolidated into a single entry containing a count of the number of occurrences of the event. Summarization rules define how events are aggregated.

event categories

Event categories are the tags used by the CA Enterprise Log Manager to classify events by their function before inserting them into the event store.

event collection

Event collection is the process of reading the raw event string from an event source and sending it to the configured CA Enterprise Log Manager. Event collection is followed by event refinement.

event filtering

Event filtering is the process of dropping events based on CEG filters.
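The event aggregation and event filtering entries describe two rule types that act on refined events before they are stored: suppression rules drop events that match a filter on CEG fields, and summarization rules consolidate similar events into one entry carrying a count. The Python below is an added example of both, written for this glossary and not taken from the product. The refined events are constructed for the example, and all field names other than the glossary's ideal_model, event_category, event_class and event_action are hypothetical, as are the rule definitions.

```python
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

# Added example, not product code: suppression (drop on a CEG-field filter)
# followed by summarization (one entry per key per time window, with a count).
# Field names other than ideal_model/event_category/event_class/event_action
# are hypothetical.

T0 = datetime(2024, 3, 6, 10, 15, 0)


def _event(seconds: int, **fields) -> Dict[str, object]:
    """Build a constructed refined event; the defaults describe a failed logon."""
    e = {"ideal_model": "Operating System", "event_category": "System Access",
         "event_class": "Logon", "event_action": "Login Failed",
         "source_address": "10.1.2.3", "dest_hostname": "srv1", "user": "admin",
         "time": T0 + timedelta(seconds=seconds)}
    e.update(fields)
    return e


# Constructed input: a 50-event failed-logon burst, three failures for another
# account, one success, 20 polling connections from a monitoring host, and one
# more admin failure after the 60-second window has closed.
SAMPLE_EVENTS: List[Dict[str, object]] = (
    [_event(s) for s in range(50)]
    + [_event(s, user="svc_backup") for s in range(10, 13)]
    + [_event(5, event_action="Login Succeeded", user="alice", source_address="10.1.2.9")]
    + [_event(s, ideal_model="Firewall", event_category="Resource Access",
              event_class="Network Connection", event_action="Connection Allowed",
              source_address="10.0.0.50", user="") for s in range(20)]
    + [_event(70)]
)

# A suppression rule is a predicate over CEG fields; matching events are dropped
# before storage. Keep such rules narrow: a suppressed event cannot be recovered.
SUPPRESSION_RULES: List[Callable[[Dict[str, object]], bool]] = [
    lambda e: e["event_action"] == "Connection Allowed"
    and e["source_address"] == "10.0.0.50",           # hypothetical monitoring poller
]

# A summarization rule names the fields that make two events "similar" and the
# window within which they are counted as one entry.
SUMMARIZATION_KEYS: Tuple[str, ...] = ("ideal_model", "event_action", "source_address", "user")
SUMMARIZATION_WINDOW = timedelta(seconds=60)


def filter_events(events, rules=SUPPRESSION_RULES):
    """Event filtering: drop every event that matches any suppression rule."""
    return [e for e in events if not any(rule(e) for rule in rules)]


def summarize(events, keys=SUMMARIZATION_KEYS, window=SUMMARIZATION_WINDOW):
    """Event aggregation: one entry per key per window, with count and the
    first/last time seen. Per-event detail outside the key fields is lost."""
    windows: Dict[tuple, List[Dict[str, object]]] = {}
    for e in sorted(events, key=lambda e: e["time"]):
        key = tuple(e[k] for k in keys)
        entries = windows.setdefault(key, [])
        if entries and e["time"] - entries[-1]["first_seen"] < window:
            entries[-1]["count"] += 1
            entries[-1]["last_seen"] = e["time"]
        else:
            entry = dict(zip(keys, key))
            entry.update(first_seen=e["time"], last_seen=e["time"], count=1)
            entries.append(entry)
    return sorted((x for lst in windows.values() for x in lst),
                  key=lambda x: (x["first_seen"], x["user"]))


def process(events):
    """Filtering first, then aggregation, as events enter the store."""
    return summarize(filter_events(events))


def repeated_failures(summary, threshold=10):
    """The kind of condition an action query tests for: a failed-logon burst."""
    return [x for x in summary
            if x["event_action"] == "Login Failed" and x["count"] >= threshold]


if __name__ == "__main__":
    for entry in process(SAMPLE_EVENTS):
        print(entry["user"] or "-", entry["event_action"], entry["count"])
    print(repeated_failures(process(SAMPLE_EVENTS)))
```

Two consequences worth noticing when writing such rules: the aggregated entry keeps a count and a time span but not the per-event fields left out of the key (here, for instance, the failed password's target port or session id would be gone), and the suppressed polling traffic never reaches the store at all, so the filter must not be broad enough to hide an attacker who happens to share the poller's address.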

event forwarding rules

Event forwarding rules specify that selected events are to be forwarded to third-party products, such as those that correlate events, after being saved in the event log store.

event log storage

Event log storage is the result of the archiving process, where the user backs up a warm database, notifies CA Enterprise Log Manager by running the LMArchive utility, and moves the backed up database from the event log store to long term storage.

event log store

The event log store is a component on the CA Enterprise Log Manager server where incoming events are stored in databases. The databases in the event log store must be manually backed up and moved to a remote log storage solution before the time configured for deletion. Archived databases can be restored to an event log store.

event refinement

Event refinement is the process where a collected raw event string is parsed into constituent event fields and mapped to CEG fields. Users can run queries to display the resulting refined event data. Event refinement follows event collection and precedes event storage.

event refinement library

The event refinement library is the store for predefined and user-defined integrations, mapping and parsing files, as well as suppression and summarization rules.

event source

An event source is the host from which a connector collects raw events. An event source can contain multiple log stores, each accessed by a separate connector. Deploying a new connector typically involves configuring the event source so that the agent can access it and read raw events from one of its log stores. Raw events for the operating system, different databases, and various security applications are stored separately on the event source.

event/alert output process

The event/alert output process is the CA IT PAM process that invokes a third-party product to respond to alert data configured in CA Enterprise Log Manager. You can select CA IT PAM Process as a destination when you schedule an alert job. When an alert runs the CA IT PAM process, CA Enterprise Log Manager sends CA IT PAM alert data and CA IT PAM forwards it along with its own processing parameters to the third party product as part of the event/alert output process.

event_action

The event_action is the fourth-level event-specific field in event normalization used by the CEG. It describes common actions. Examples of types of event actions include Process Start, Process Stop, and Application Error.

event_category

The event_category is the second-level event-specific field in event normalization used by the CEG. It provides a further classification of events with a specific ideal_model. Event category types include Operational Security, Identity Management, Configuration Management, Resource Access, and System Access.

event_class

The event_class is the third-level event-specific field in event normalization used by the CEG. It provides a further classification of events within a specific event_category.

events

Events in CA Enterprise Log Manager are the log records generated by each specified event source.

federation servers

Federation servers are CA Enterprise Log Manager servers connected to one another in a network for the purpose of distributing the collection of log data but aggregating the collected data for reporting. Federation servers can be connected in a hierarchical or meshed topology. Reports of federated data include that from the target server as well as that from children or peers of that server, if any.

filter

A filter is a means by which you can restrict an event log store query.

folder

A folder is a directory path location that CA Enterprise Log Manager management server uses to store the CA Enterprise Log Manager object types. You reference folders in scoping policies to grant or deny users the right to access a specified object type.

function mappings

Function mappings are an optional part of a Data Mapping file for a product integration. A function mapping is used to populate a CEG field when the needed value cannot be retrieved directly from the source event. All function mappings consist of a CEG field name, a pre-defined or class field value and the function used to obtain or calculate the value.

global configuration

The global configuration is a series of settings that apply to all CA Enterprise Log Manager servers that use the same management server.

global filter

A global filter is a set of criteria you can specify that limits what is presented in all reports. For example, a global filter of the last 7 days reports events generated in the last seven days.

global group

A global group is a group that is shared across application instances registered to the same CA Enterprise Log Manager management server. Any user can be assigned to one or more global groups. Access policies can be defined with global groups as identities granted or denied the ability to perform selected actions on selected resources.

global resource

A global resource for the CA Enterprise Log Manager product is a resource shared with other CA applications. You can create scoping policies with global resources. Examples include user, policy, and calendar. See also application resource.

global user

A global user is the user account information that excludes application-specific details. The global user details and global group memberships are shared across all CA applications that integrate with the default user store. Global user details can be stored in the embedded repository or in an external directory.

hierarchical federation

A hierarchical federation of CA Enterprise Log Manager servers is a topology that establishes a hierarchical relationship between servers. In its simplest form, server 2 is a child of server 1 but server 1 is not a child of server 2. That is, the relationship is one-way only. A hierarchical federation can have multiple levels of parent-child relationships and a single parent server can have many child servers. A federated query returns results from the selected server and its children.

hot database state

A hot database state is the state of the database in the event log store where new events are inserted. When the hot database reaches a configurable size on the collection server, the database is compressed, cataloged, and moved to warm storage on the reporting server. Additionally, all servers store new self-monitoring events in a hot database.

HTTP proxy server

An HTTP proxy server is a proxy server that acts like a firewall: Internet traffic enters or leaves the enterprise only through the proxy. Outgoing requests can supply a user ID and password when the proxy requires authentication. The use of a local HTTP proxy server for subscription management is configurable.

ideal_model

ideal_model represents the technology expressing the event. This is the first CEG field in a hierarchy of fields used for event classification and normalization. Examples of an ideal model include antivirus, DBMS, firewall, operating system, and web server. Check Point, Cisco PIX and Netscreen/Juniper firewall products could be normalized with a value of "Firewall" in the field ideal_model.
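The event refinement, data mapping, CEG fields and ideal_model / event_category / event_class / event_action entries describe one pipeline: parse the raw string into name/value pairs, map each vendor-specific name to a common CEG field, and fill the four-level classification hierarchy. The Python below is an added example of that pipeline, written for this glossary; it is not the product's parser and not an XMP or DM file. The raw syslog lines, the product tags "acmefw" and "otherfw", the regular expressions, the field maps and every CEG-style field name other than ideal_model, event_category, event_class and event_action are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Added example of event refinement, not product code. parse() plays the role
# of message parsing (XMP), FIELD_MAPS and refine() the role of data mapping
# (DM). Product tags, regexes and field names other than ideal_model,
# event_category, event_class and event_action are hypothetical.

# Constructed raw syslog lines, not real device output. The two firewall
# products label the same data differently; the third line fits no parser.
RAW_EVENTS = [
    "<134>Mar  6 10:15:02 fw1 acmefw: action=deny src=10.1.2.3 dst=203.0.113.5 "
    "dport=445 proto=tcp rule=block-smb",
    "<134>Mar  6 10:15:03 fw2 otherfw: ACTION=accept SRC_IP=10.1.2.9 "
    "DST_IP=203.0.113.7 DST_PORT=443 PROTO=tcp",
    "<13>Mar  6 10:15:04 app1 customapp: free text that no parser understands",
]

SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[\w.-]+): (?P<msg>.*)$")
KEY_VALUE = re.compile(r"(\w+)=(\S+)")

# DM-style field maps per product tag: raw field name -> CEG-style field name.
# Different raw labels for the same data converge on one CEG name.
FIELD_MAPS: Dict[str, Dict[str, str]] = {
    "acmefw":  {"src": "source_address", "dst": "dest_address", "dport": "dest_port",
                "proto": "protocol", "action": "result_string", "rule": "rule_name"},
    "otherfw": {"SRC_IP": "source_address", "DST_IP": "dest_address",
                "DST_PORT": "dest_port", "PROTO": "protocol", "ACTION": "result_string"},
}

# Constant classification shared by both products: the first three levels of
# the hierarchy. The event_class value is hypothetical.
FIREWALL_CLASSIFICATION = {
    "ideal_model": "Firewall",
    "event_category": "Resource Access",
    "event_class": "Network Connection",
}


def parse(raw: str) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Message parsing: split a raw event into (product tag, reporting host,
    name/value pairs). None when the line does not fit the grammar."""
    m = SYSLOG_HEADER.match(raw)
    if not m:
        return None
    pairs = dict(KEY_VALUE.findall(m.group("msg")))
    if not pairs:
        return None
    return m.group("tag"), m.group("host"), pairs


def action_from_result(result: str) -> str:
    """Function mapping: no raw field carries event_action directly, so the
    fourth level of the hierarchy is derived from the firewall verdict."""
    verdict = result.lower()
    if verdict in ("deny", "drop", "reject", "block"):
        return "Connection Denied"
    if verdict in ("accept", "allow", "permit"):
        return "Connection Allowed"
    return "Unknown"


def refine(raw: str) -> Dict[str, object]:
    """Refine one raw event into CEG-style fields. Events that cannot be parsed
    or mapped are kept as raw events, as the glossary's CEG entry says."""
    parsed = parse(raw)
    if parsed is None or parsed[0] not in FIELD_MAPS:
        return {"refined": False, "raw_event": raw}
    tag, host, pairs = parsed
    event: Dict[str, object] = {"refined": True, "reporting_host": host, "raw_event": raw}
    event.update(FIREWALL_CLASSIFICATION)
    for raw_name, value in pairs.items():
        ceg_name = FIELD_MAPS[tag].get(raw_name)
        if ceg_name is None:
            continue          # unmapped raw field survives only inside raw_event
        event[ceg_name] = int(value) if ceg_name == "dest_port" else value
    event["event_action"] = action_from_result(str(event.get("result_string", "")))
    return event


def refine_all(raws):
    return [refine(r) for r in raws]


if __name__ == "__main__":
    for e in refine_all(RAW_EVENTS):
        print(e)
```

Because the raw string is retained alongside the mapped fields, a query on source_address finds both firewalls' events with one expression, while a field that a map forgot to cover is still recoverable from raw_event rather than silently lost.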

identity

An identity in CA Enterprise Log Manager is a user or group that is allowed access to the CAELM application instance and its resources. An identity for any CA product can be a global user, an application user, a global group, an application group, or a dynamic group.

identity access control list

An identity access control list lets you specify different actions each selected identity can take on the selected resources. For example, with an identity access control list, you can specify that one identity can create reports and another can schedule and annotate reports. An identity access control list differs from an access control list in that it is identity-centric rather than resource-centric.

installer

The installer is the individual who installs the soft appliance and the agents. During the installation process, the caelmadmin and EiamAdmin user names are created and the password specified for EiamAdmin is assigned to caelmadmin. These caelmadmin credentials are required for the first access to the operating system; the EiamAdmin credentials are required for the first access to the CA Enterprise Log Manager software and for installing agents.

integration

Integration is the means by which unclassified events are processed into refined events so that they can be displayed in queries and reports. Integration is implemented with a set of elements that enables a given agent and connector to collect events from one or more types of event sources and send them to CA Enterprise Log Manager. The set of elements includes the log sensor and the XMP and DM files that are designed to read from a specific product. Examples of predefined integrations include those for processing syslog events and WMI events. You can create custom integrations to enable the processing of unclassified events.

integration elements

Integration elements include a sensor, a configuration helper, a data access file, one or more XMP message parsing (XMP) files, and one or more data mapping files.

iTech event plugin

The iTech event plugin is a CA adapter that an Administrator can configure with selected mapping files. It receives events from remote iRecorders, CA EEM, iTechnology itself, or any product that sends events through iTechnology.

key values

Key values are user-defined values assigned to a user-defined list (key group). When a query uses a key group, the search results include matches to any of the key values in the key group. There are several predefined key groups, some of which contain predefined key values, which are used in predefined queries and reports.

LMArchive utility

The LMArchive utility is the command line utility that tracks the backup and restoration of archive databases to the event log store on a CA Enterprise Log Manager server. Use LMArchive to query for the list of warm database files that are ready for archiving. After backing up the listed database and moving it to long-term (cold) storage, use LMArchive to create a record on CA Enterprise Log Manager that this database was backed up. After restoring a cold database to its original CA Enterprise Log Manager, use LMArchive to notify CA Enterprise Log Manager, which in turn changes the database files to a defrosted state that can be queried.

LMSEOSImport utility

The LMSEOSImport utility is a command line utility used to import SEOSDATA, or existing events, into CA Enterprise Log Manager as part of the migration from Audit Reporter, Viewer, or Audit Collector. The utility is supported only on Microsoft Windows and Sun Solaris Sparc.

local event

A local event is an event that involves a single entity, where the source and the destination of the event are the same host machine. A local event is type 1 of the four event types used in the Common Event Grammar (CEG).

local filter

A local filter is a set of criteria you can establish while viewing a report to limit the displayed data for the current report.

log

A log is an audit record, or recorded message, of an event or a collection of events. A log may be an audit log, a transaction log, an intrusion log, a connection log, a system performance record, a user activity log, or an alert.

log analysis

Log analysis is the study of log entries to identify events of interest. If logs are not analyzed in a timely manner, their value is significantly reduced.

log archiving

Log archiving is the process that occurs when the hot database reaches its maximum size: the database is row-level compressed and its state is changed from hot to warm. Administrators must manually back up the warm databases before the threshold for deletion is reached and run the LMArchive utility to record the names of the backups. This information then becomes available for viewing through the Archive Query.

log entry

A log entry is an entry in a log that contains information on a specific event that occurred on a system or within a network.

log parsing

Log parsing is the process of extracting data from a log so that the parsed values can be used in a subsequent stage of log management.

log record

A log record is an individual audit record.

log sensor

A log sensor is an integration component designed to read from a specific log type such as a database, syslog, file, or SNMP. Log sensors are reused. Typically, users do not create custom log sensors.

management server

The management server is a role assigned to the first CA Enterprise Log Manager server installed. This CA Enterprise Log Manager server contains the repository that stores shared content, such as policies, for all its CA Enterprise Log Managers. This server is typically the default subscription proxy. While not recommended for most production environments, the management server can perform all roles.

mapping analysis

A mapping analysis is a step in the Mapping File wizard that lets you test and make changes to a data mapping (DM) file. Sample events are tested against the DM file and results are validated with the CEG.

meshed federation

A meshed federation of CA Enterprise Log Manager servers is a topology that establishes a peer relationship between servers. In its simplest form, server 2 is a child of server 1 and server 1 is a child of server 2. A meshed pair of servers has a two-way relationship. A meshed federation can be defined such that many servers are all peers of one another. A federated query returns results from the selected server and all its peers.

message parsing

Message parsing is the process of applying rules to the analysis of a raw event log to get relevant information such as timestamp, IP address, and user name. Parsing rules use character matching to locate specific event text and link it with selected values.

message parsing file (XMP)

A message parsing file (XMP) is an XML file associated with a specific event source type that applies parsing rules. Parsing rules break out relevant data in a collected raw event into name/value pairs, which are passed to the data mapping file for further processing. This file type is used in all integrations, and in connectors, which are based on integrations. In the case of CA Adapters, XMP files can also be applied at the CA Enterprise Log Manager server.

message parsing library

The message parsing library is a library that accepts events from the listener queues and uses regular expressions to tokenize strings into name/value pairs.

message parsing token (ELM)

A message parsing token is a re-usable template for building the regular expression syntax used in CA Enterprise Log Manager message parsing. A token has a name, a type, and a corresponding regular expression string.

MIB (management information base)

The MIB (management information base) for CA Enterprise Log Manager, CA-ELM.MIB, must be imported and compiled by each product that is to receive alerts in the form of SNMP traps from CA Enterprise Log Manager. The MIB shows the origin of each numeric object identifier (OID) used in an SNMP trap message with a description of that data object or network element. In the MIB for SNMP traps sent by CA Enterprise Log Manager, the textual description of each data object is for the associated CEG field. The MIB helps ensure that all name/value pairs sent in an SNMP trap are correctly interpreted at the destination.

module (to download)

A module is a logical grouping of component updates that is made available for download through subscription. A module can contain binary updates, content updates, or both. For example, all reports make up one module, and all sponsor binary updates make up another. CA defines what makes up each module.

native event

A native event is the state or action that triggers a raw event. Native events are received and parsed/mapped as appropriate, then transmitted as raw or refined events. A failed authentication is a native event.

NIST

The National Institute of Standards and Technology (NIST) is the federal technology agency whose recommendations in Special Publication 800-92, Guide to Computer Security Log Management, were used as the basis for CA Enterprise Log Manager.

obligation policy

An obligation policy is a policy that is created automatically when you create an access filter. You should not attempt to create, edit, or delete an obligation policy directly. Instead, create, edit or delete the access filter.

observed event

An observed event is an event that involves a source, a destination, and an agent, where the event is observed and recorded by an event-collection agent.

ODBC and JDBC access

ODBC and JDBC access to CA Enterprise Log Manager event log stores supports your use of event data with a variety of third-party products, including custom event reporting with third-party reporting tools, event correlation with correlation engines, and event evaluation by intrusion and malware detection products. Systems with Windows operating systems use ODBC access; those with UNIX and Linux operating systems use JDBC access.

ODBC server

The ODBC server is the configured service that sets the port used for communications between the ODBC or JDBC client and the CA Enterprise Log Manager server and specifies whether to use SSL encryption.

OID (object identifier)

An OID (object identifier) is a unique numeric identifier for a data object that is paired with a value in an SNMP trap message. Each OID used in an SNMP trap sent by CA Enterprise Log Manager is mapped to a textual CEG field in the MIB. Each OID that is mapped to a CEG field has this syntax: 1.3.6.1.4.1.791.9845.x.x.x, where 791 is the enterprise number for CA and 9845 is the product identifier for CA Enterprise Log Manager.

parsing

Parsing, also called message parsing (MP), is the process of taking raw device data and turning it into key-value pairs. Parsing is driven by an XMP file. Parsing, which precedes data mapping, is one step of the integration process that turns the raw event collected from an event source into a refined event you can view.

parsing file wizard

The parsing file wizard is a CA Enterprise Log Manager feature that Administrators use to create, edit, and analyze eXtensible Message Parsing (XMP) files stored in the CA Enterprise Log Manager management server. Customizing the parsing of incoming event data involves editing the pre-matched strings and filters. New and edited files are displayed in the Log Collection Explorer, Event Refinement Library, Parsing Files, User folder.

pozFolder

The pozFolder is an attribute of the AppObject, where the value is the parent path of the AppObject. The pozFolder attribute and value is used in the filters for access policies that restrict access to resources such as reports, queries, and configurations.

profile

A profile is an optional, configurable set of tag and data filters that can be product-specific, technology-specific, or confined to a selected category. A tag filter for a product, for example, limits the listed tags to the selected product tag. Data filters for a product display only data for the specified product in the reports you generate, the alerts you schedule, and the query results you view. After you create the profile you need, you can set that profile to be in effect whenever you log in. If you create several profiles, you can apply different profiles, one at a time, to your activities during a session. Predefined filters are delivered with subscription updates.

prompt

A prompt is a special type of query that displays results based on the value you enter and the CEG fields you select. Rows are returned only for events where the value you enter appears in one or more of the selected CEG fields.

query

A query is a set of criteria used to search the Event Log Stores of the active CA Enterprise Log Manager server and, if specified, its federated servers. A query targets hot, warm, or defrosted databases specified in the where clause of the query. For example, if the where clause limits the query to events with source_username="myname" in a certain time frame and, based on information contained in the catalog database, only ten of the 1000 databases contain records meeting these criteria, the query runs against only those ten databases. A query can return a maximum of 5000 rows of data. Any user with a predefined role can run a query. Only Analysts and Administrators can schedule a query to distribute an action alert, create a report by selecting the queries to include, or create a custom query using the Query Design wizard. See also archive query.

query library

The query library is the library that stores all predefined and user-defined queries, query tags, and prompt filters.

raw event

A raw event is the information triggered by a native event that is sent by a monitoring agent to the Log Manager collector. The raw event is often formatted as a syslog string or name-value pair. It is possible to review an event in its raw form in CA Enterprise Log Manager.

recataloging

Recataloging is a forced rebuild of the catalog. A recatalog is required only when restoring data to an event log store on a different server than the one on which it was generated. For example, if you designated one CA Enterprise Log Manager to act as a restore point for investigations on cold data, you would then need to force a recatalog of the database after restoring it to the designated restore point. A recatalog is automatically performed when iGateway is restarted, if needed. Recataloging a single database file can take several hours.

recorded event

A recorded event is the raw or refined event information after it is inserted into the database. Raw events are always recorded unless suppressed or summarized, as are refined events. This information is stored and searchable.

refined event

A refined event is mapped or parsed event information derived from raw or summarized events. CA Enterprise Log Manager performs the mapping and parsing so that the stored information is searchable.

remote event

A remote event is an event that involves two different host machines, the source and the destination. A remote event is type 2 of the four event types used in the Common Event Grammar (CEG).

remote storage server

A remote storage server is a role assigned to a server that receives auto-archived databases from one or more reporting servers. A remote storage server stores cold databases for the required number of years. The remote host used for storage typically does not have CA Enterprise Log Manager or any other product installed. For auto-archiving, configure non-interactive authentication.

report

A report is a graphical or tabular display of event log data that is generated by executing predefined or custom queries with filters. The data can be from hot, warm, and defrosted databases in the event log store of the selected server and, if requested, its federated servers.

report library

The report library is the library that stores all predefined and user-defined reports, report tags, generated reports and scheduled report jobs.

report server

The report server is the service that stores configuration information such as the email server to use when emailing alerts, the appearance of reports that are saved to PDF format, and the retention of policies for reports saved to the Report Server and alerts sent to the RSS feed.

reporting server

A reporting server is a role performed by a CA Enterprise Log Manager server. A reporting server receives auto-archived warm databases from one or more collection servers. A reporting server handles queries, reports, scheduled alerts, and scheduled reports.

restore point server

A restore point server is a role performed by a CA Enterprise Log Manager server. To investigate "cold" events, you can move databases from the remote storage server to the restore point server with a utility, add the databases to the catalog, and then conduct queries. Moving cold databases to a dedicated restore point is an alternative to moving them back to their original reporting server for investigation.

RSS event

An RSS event is an event generated by CA Enterprise Log Manager to convey an Action Alert to third-party products and users. The event is a summary of each Action Alert result and a link to the result file. The duration for a given RSS feed item is configurable.

RSS feed URL for action alerts

The RSS feed URL for action alerts is: https://{elmhostname}:5250/spin/calm/getActionQueryRssFeeds.csp. From this URL, you can view action alerts subject to the configuration for maximum age and quantity.

RSS feed URL for subscription

The RSS feed URL for subscription is a preconfigured link used by online subscription proxy servers in the process of retrieving subscription updates. This URL is for the CA Subscription Server.

SafeObject

SafeObject is a predefined resource class in CA EEM. It is the resource class to which AppObjects, stored under the scope of Application, belong. Users who define policies and filters for granting access to AppObjects refer to this resource class.

SAPI collector

The SAPI collector is a CA adapter that receives events from CA Audit clients. CA Audit clients send events using the Collector action, which provides built-in failover. Administrators configure the CA Audit SAPI Collector with, for example, selected ciphers and DM files.

SAPI recorder

A SAPI recorder was the technology used to send information to CA Audit before iTechnology. SAPI stands for Submit API (Application Programming Interface). CA Audit recorders for CA ACF2, CA Top Secret, RACF, Oracle, Sybase, and DB2 are examples of SAPI recorders.

SAPI router

The SAPI router is a CA adapter that receives events from integrations, such as Mainframe, and sends them to a CA Audit router.

saved configuration

A saved configuration is a stored configuration with the values for the data access attributes of an integration that can be used as a template when creating a new integration.

scoping policy

A scoping policy is a type of access policy that grants or denies access to resources stored in the management server, such as AppObjects, users, groups, folders, and policies. A scoping policy defines the identities that can access the specified resources.

scp utility

scp (secure copy, the remote file copy program) is a UNIX utility that transfers files between UNIX computers on a network. This utility is made available when CA Enterprise Log Manager is installed so that you can transfer subscription update files from the online subscription proxy to the offline subscription proxy.

self-monitoring event

A self-monitoring event is an event that is logged by CA Enterprise Log Manager. Such events are automatically generated by acts performed by logged in users and by functions performed by various modules such as services and listeners. The SIM Operations Self Monitoring Events Details report can be viewed by selecting a report server and opening the Self Monitoring events tab.

services

The CA Enterprise Log Manager services are event log store, report server, and subscription. Administrators configure these services at a global level, where all settings apply to all CA Enterprise Log Managers by default. Most global settings for services can be overridden at the local level, that is, for any specified CA Enterprise Log Manager.

SNMP

SNMP is the acronym for Simple Network Management Protocol, an open standard for sending alert messages in the form of SNMP traps from an agent system to one or more management systems.

SNMP trap contents

An SNMP trap consists of name/value pairs, where each name is an OID (object identifier) and each value is one returned from the scheduled alert. Query results returned by an action alert consist of CEG fields and their values. The SNMP trap is populated by substituting an OID for each CEG field used for the name of the name/value pair. The mapping of each CEG field to an OID is stored in the MIB. The SNMP trap only includes name/value pairs for the fields you select when you configure the alert.

SNMP trap destinations

One or more SNMP trap destinations can be added when you schedule an action alert. Each SNMP trap destination is configured with an IP address and port. The destination is typically a NOC or a management server such as CA Spectrum or CA NSM. An SNMP trap is sent to the configured destinations when the queries for a scheduled alert job return results.

soft appliance

The soft appliance includes an operating system component and the CA Enterprise Log Manager software component.

subscription client

A subscription client is a CA Enterprise Log Manager server that gets content updates from another CA Enterprise Log Manager server called a subscription proxy server. Subscription clients poll the configured subscription proxy server on a regular schedule and retrieve new updates when available. After retrieving updates, the client installs the downloaded components.

subscription module

The subscription module is the service that enables subscription updates from the CA Subscription Server to be automatically downloaded and distributed to all CA Enterprise Log Manager servers, and all agents. Global settings apply to local CA Enterprise Log Manager servers; local settings include whether the server is an offline proxy, an online proxy, or a subscription client.

subscription proxies (for client)

The subscription proxies for client make up the subscription proxy list that the client contacts in a round robin fashion to get CA Enterprise Log Manager software and operating system updates. If one proxy is busy, the next one in the list is contacted. If all are unavailable and the client is online, the default subscription proxy is used.

subscription proxies (for content updates)

Subscription proxies for content updates are the subscription proxies selected to update the CA Enterprise Log Manager management server with content updates that are downloaded from the CA Subscription Server. Configuring multiple proxies for redundancy is a good practice.

subscription proxy (default)

The default subscription proxy is typically the CA Enterprise Log Manager server that is installed first and may also be the Primary CA Enterprise Log Manager. The default subscription proxy is also an online subscription proxy and, therefore, must have Internet access. If no other online subscription proxies are defined, this server gets subscription updates from the CA Subscription server, downloads binary updates to all clients, and pushes content updates to CA EEM. If other proxies are defined, this server still gets subscription updates, but is contacted by clients for updates only when no subscription proxy list is configured or when the configured list is exhausted.

subscription proxy (offline)

An offline subscription proxy is a CA Enterprise Log Manager server that gets subscription updates through a manual directory copy (using scp) from an online subscription proxy. Offline subscription proxies can be configured to download binary updates to clients that request them and to push the latest version of content updates to the management server if it has not yet received them. Offline subscription proxies do not need Internet access.

subscription proxy (online)

An online subscription proxy is a CA Enterprise Log Manager with Internet access that gets subscription updates from the CA Subscription server on a recurring schedule. A given online subscription proxy can be included in the proxy list for one or more clients, which contact the listed proxies in round-robin fashion to request the binary updates. A given online proxy, if so configured, pushes new content and configuration updates to the management server unless they were already pushed by another proxy. The subscription update directory of a selected online proxy is used as the source for copying updates to offline subscription proxies.

subscription updates

Subscription updates refer to the binary and non-binary files that are made available by the CA Subscription server. Binary files are product module updates that are typically installed on the CA Enterprise Log Managers. Non-binary files, or content updates, are saved to the management server.

summarization rules

Summarization rules are rules that combine certain native events of a common type into one refined event. For example, a summarization rule can be configured to replace up to 1000 duplicate events with the same source and destination IP addresses and ports with a single summarization event. Such rules simplify event analysis and reduce log traffic.

suppression

Suppression is the process of dropping events based on CEG filters. Suppression is driven by SUP files.

suppression rules

Suppression rules are rules you configure to prevent certain refined events from appearing in your reports. You can create permanent suppression rules to suppress routine events of no security concern and you can create temporary rules to suppress the logging of planned events such as the creation of many new users.

tag

A tag is a term or key phrase that is used to identify queries or reports that belong to the same business-relevant grouping. Tags enable searches based on business-relevant groupings. Tag is also the resource name used in any policy that grants users the ability to create a tag.

URL for CA Embedded Entitlements Manager

The URL for CA Embedded Entitlements Manager (CA EEM) is: https://<ip_address>:5250/spin/eiam. To log in, select CAELM as the application and enter the password associated with the EiamAdmin user name.

URL for CA Enterprise Log Manager

The URL for CA Enterprise Log Manager is: https://<ip_address>:5250/spin/calm. To log in, enter the user name defined for your account by the Administrator and the associated password. Or, enter the EiamAdmin, the default superuser name, with the associated password.

user group

A user group can be an application group, a global group, or a dynamic group. Predefined CA Enterprise Log Manager application groups are Administrator, Analyst, and Auditor. CA Enterprise Log Manager users may belong to global groups through memberships apart from CA Enterprise Log Manager. Dynamic groups are user-defined and created through a dynamic group policy.

user role

A user role can be a predefined application user group or a user-defined application group. Custom user roles are needed when the predefined application groups (Administrator, Analyst, and Auditor) are not sufficiently fine-grained to reflect work assignments. Custom user roles require custom access policies and modification of predefined policies to include the new role.

user store

A user store is the repository for global user information and password policies. The CA Enterprise Log Manager user store is the local repository, by default, but can be configured to reference CA SiteMinder or a supported LDAP directory such as Microsoft Active Directory, Sun One, or Novell eDirectory. No matter how the user store is configured, the local repository on the management server contains application-specific information about users, such as their user role and associated access policies.

visualization components

Visualization components are available options for displaying report data including a table, a chart (line graph, bar graph, column graph, pie chart), or an event viewer.

warm database state

The warm database state is the state that a hot database of event logs is moved into when the size (Maximum Rows) of the hot database is exceeded or when a recatalog is performed after restoring a cold database to a new event log store. Warm databases are compressed and retained in the event log store until their age in days exceeds the configured value for Max Archive Days. You can query for event logs in databases that are in the hot, warm, and defrosted states.

XMP file analysis

XMP file analysis is the process performed by the Message Parsing utility to find all events containing each pre-match string and, for each matched event, parse the event into tokens using the first filter found that uses the same pre-match string.
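The parsing flow that the message parsing, message parsing token, and XMP file analysis entries describe (reusable tokens, pre-match strings selecting a filter, name/value pairs out), as an added illustration that is not CA's XMP file format or parser; the token names, CEG field names, filters, and sample events are all constructed.

```python
import re

# Constructed model of the XMP-style parsing flow described in the glossary.
# Not CA's XMP format or code; tokens, filters and sample events are hypothetical.


class Token:
    """A message parsing token: a name, a type, and the regex string it stands for."""

    def __init__(self, name, type_, regex):
        self.name, self.type, self.regex = name, type_, regex


# Hypothetical reusable token library.
TOKENS = {
    "IP": Token("IP", "ipv4", r"\d{1,3}(?:\.\d{1,3}){3}"),
    "USER": Token("USER", "string", r"[A-Za-z0-9_.-]+"),
    "PORT": Token("PORT", "integer", r"\d{1,5}"),
    "WORD": Token("WORD", "string", r"\S+"),
}

PLACEHOLDER = re.compile(r"\$\{(\w+):(\w+)\}")  # ${ceg_field:TOKEN}


def expand(pattern):
    """Build one regular expression from a template: each ${ceg_field:TOKEN}
    placeholder becomes a named group using the token's regex, and the literal
    text around it is escaped so it is matched character for character."""
    out, pos = [], 0
    for m in PLACEHOLDER.finditer(pattern):
        out.append(re.escape(pattern[pos:m.start()]))
        ceg_field, token = m.group(1), m.group(2)
        out.append("(?P<%s>%s)" % (ceg_field, TOKENS[token].regex))
        pos = m.end()
    out.append(re.escape(pattern[pos:]))
    return "".join(out)


class ParseFilter:
    """One parsing filter: the pre-match string that selects it plus a template
    whose placeholders expand to token regexes."""

    def __init__(self, prematch, pattern):
        self.prematch = prematch
        self.regex = re.compile(expand(pattern))


def analyze(events, filters):
    """XMP file analysis as the glossary describes it: for each pre-match string,
    find all events containing it and parse each one into name/value pairs using
    the first filter that uses that pre-match string. Returns
    {prematch: [(event, pairs_or_None), ...]}; None means the pre-match string
    hit but the filter's pattern did not, which is the gap the analysis exposes."""
    results, used = {}, set()
    for flt in filters:
        if flt.prematch in used:  # later filters with the same pre-match are ignored
            continue
        used.add(flt.prematch)
        parsed = []
        for ev in events:
            if flt.prematch in ev:
                m = flt.regex.search(ev)
                parsed.append((ev, m.groupdict() if m else None))
        results[flt.prematch] = parsed
    return results


def unclassified(events, filters):
    """Events containing none of the pre-match strings: the unclassified events
    that would need a custom integration before they can be refined."""
    prematches = {f.prematch for f in filters}
    return [ev for ev in events if not any(p in ev for p in prematches)]


# Constructed sample events (not real product output).
EVENTS = [
    "sshd[412]: Failed password for admin from 10.0.0.5 port 52212 ssh2",
    "sshd[412]: Accepted password for alice from 10.0.0.9 port 41002 ssh2",
    "sshd[412]: Failed password for invalid user bob from 10.0.0.7 port 9 ssh2",
    "kernel: eth0 link up",
]

FILTERS = [
    ParseFilter("Failed password", "Failed password for ${source_username:USER} from "
                                   "${source_address:IP} port ${source_port:PORT}"),
    ParseFilter("Failed password", "Failed password for ${junk:WORD}"),  # never used
    ParseFilter("Accepted password", "Accepted password for ${source_username:USER} from "
                                     "${source_address:IP} port ${source_port:PORT}"),
]
```

The third sample event shares the "Failed password" pre-match string but does not fit the first filter's pattern, so the analysis reports it as a hit with no parsed values, which is exactly the case the wizard is meant to surface.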