Modify an Existing CA Audit Policy to Send Events to CA Enterprise Log Manager

Use this procedure to enable a CA Audit client to send events to both CA Enterprise Log Manager and the CA Audit collector database. By adding a new target to the Route or Collector action on an existing rule, you send collected events to both systems. Alternatively, you can modify specific policies or rules so that events are sent only to the CA Enterprise Log Manager server.

CA Enterprise Log Manager collects events from CA Audit clients through the CA Audit SAPI Router and CA Audit SAPI Collector listeners. (CA Enterprise Log Manager can also collect events directly through the iTech plugin if you configured any iRecorders to send to the CA Enterprise Log Manager server.) Collected events are stored in the CA Enterprise Log Manager event log store only after you push the policy to the clients and the policy becomes active.

Important: Configure the CA Enterprise Log Manager listeners to receive events before you modify and activate the policy. If you activate the policy first, events that arrive between the time the policy becomes active and the time the listeners are correctly configured are mapped incorrectly.

To modify an existing policy rule action to send events to CA Enterprise Log Manager

  1. Log in to the Policy Manager server and open the My Policies tab in the left pane.
  2. Expand the policy folder until you can see the desired policy.

    The CA Audit policy manager pane, showing the My Policies tab with the Suspicious Events policy selected.

  3. Click the policy to display its basic information in the Details pane to the right.

    The Details pane shows that the Suspicious Events policy is selected, and offers a New Rule button at the top.

  4. Click Edit in the Details pane to edit the policy rules.

    The rule wizard starts:

    This picture shows the first page of the Edit a Rule wizard.

  5. Click Edit Actions next to the arrow for step 3.

    The rule actions page displays:

    This picture shows the Edit a Rule wizard's edit action page with a list of actions in a separate pane on the left.

  6. Click the Collector action in the Browse Actions pane to display the Action List to the right.

    This picture shows the Action List that displays when you select the Collector action from the list.

    You could also use the Route action, but the Collector action has the additional benefit of an Alternate Host Name field, which provides basic failover processing.

  7. Click New to add a new Collector action.
  8. Enter the IP address or host name of the collection CA Enterprise Log Manager server.

    This picture shows the completed collector action record just before you click the Add button.

    For a CA Enterprise Log Manager implementation with two or more servers, you can enter the host name or IP address of a second CA Enterprise Log Manager server in the Alternate Host Name field. This uses the automatic failover feature of CA Audit: if the first CA Enterprise Log Manager server is not available, CA Audit sends events to the server named in the Alternate Host Name field instead. Note that failover to the alternate host applies only while the primary server is unreachable; events are not sent to both servers.

  9. If you have a second server, enter the host name or IP address of the management CA Enterprise Log Manager server in the Alternate Host Name field. Then enter a description for the new action.
  10. Clear the Perform this action on remote server check box if it is selected.
  11. Click Add to save the new action, and then click Finish in the wizard window.

    Note: Next you check and activate the policy, so do not log out of the CA Audit Policy Manager.

More information:

Modify an Existing r8SP2 Policy to Send Events to CA Enterprise Log Manager