Modify an Existing r8 SP2 Policy to Send Events to CA Enterprise Log Manager

Use this procedure to enable an r8 SP2 CA Audit client to send events to both CA Enterprise Log Manager and the CA Audit collector database. By adding a new target to the Route or Collector actions on an existing rule, you can send collected events to both systems. As an alternative, you can also modify specific policies or rules to send events only to the CA Enterprise Log Manager server.

More information on working with policies is available in the CA Audit r8 SP2 Implementation Guide. Refer to that resource for details on performing the steps in the procedure that follows.

CA Enterprise Log Manager collects events from CA Audit clients using the CA Audit SAPI Router and CA Audit SAPI Collector listeners. Collected events are stored in the CA Enterprise Log Manager event log store only after you push the policy to the clients and it becomes active.

Important: You must configure the CA Enterprise Log Manager listeners to receive events before you modify and activate the policy. If you do not complete this configuration first, any events received between the time the policy becomes active and the time the listeners are configured may be mapped incorrectly.

To modify an existing r8 SP2 policy rule's action to send events to CA Enterprise Log Manager

  1. Log in to the Policy Manager server as a user with the Maker role.
  2. Access the rule you want to edit by expanding its folder in the Policies pane and choosing the appropriate policy.

    The policy appears in the Details pane, displaying its rules.

  3. Click the rule you want to edit.

    The rule appears, with its actions displayed, in the Details pane.

  4. Click Edit.

    The Edit Rule wizard appears.

  5. Use the Edit Rule wizard to change the rule so that it sends events to the CA Enterprise Log Manager server, either in addition to or in place of the current destinations, and click Finish when done.
  6. Check and commit the policy as the Maker user so that it can be approved by a user with the Checker role.
  7. If your enterprise uses the segregation of duties feature, log out, and then log back in to the Policy Manager server as a user with the Checker role.
  8. Review and approve the policy folder that contains the changed policy and rule.

    After the policy is approved, the Policy Manager Distribution Server's settings determine when the new policy is distributed to the audit nodes. You can review the activation log to check on a policy's activation status.

  9. Repeat this procedure for each rule and policy with collected events you want to send to CA Enterprise Log Manager.