Connector Configuration on an Agent
A connector is a collection process that runs under the control of an agent and collects and processes events from a single log source. A connector, which connects with a specific device, uses an integration that provides the rules for connecting with that specific type of device.
You need to know who has accessed the SQL Server 2005 and Oracle 11g databases within the last week.
Install an agent. For that agent, create one SQL Server connector and one Oracle connector using the SQL Server 2005 and Oracle 11g predefined integrations. After receiving events, run a report to find out who has accessed these databases within the last week.
Procedure |
More Information |
---|---|
Configure the Syslog Connector for the Default Agent |
Event Filtering with Suppression Rules
Suppression rules are rules you configure to prevent certain raw events from appearing in your reports. You can create permanent suppression rules to suppress routine events of no security concern and you can create temporary rules to suppress the logging of planned events such as the creation of many new users.
Systems generate volumes of logs that are not required for reporting or alerting. It is difficult and time-consuming to distinguish important events from the noise because event log sources generate high volumes of data irrelevant to security. These logs also needlessly consume critical online and archive storage space.
The security analyst is an expert in Windows Server 2003 auditing, and knows that Windows writes duplicate events when performing object access auditing -- Event ID 560 and 562.
Since only Event ID 562 is needed for Resource Access reports, you can suppress Event ID 560. An Administrator configures a CA User Activity Reporting Module suppression rule to filter out this event.
Procedure |
More Information |
---|---|
How to Apply Suppression and Summarization on Agent Components |
Event Summarization with Summarization Rules
Summarization rules are rules that combine certain native events of a common type into one refined event. For example, a summarization rule can be configured to replace up to 1000 duplicate events that have the same source and destination IP addresses and ports with a single summarization event. Such rules simplify event analysis and reduce log traffic.
Some log events may be repeated hundreds or thousands of times, consuming disk space and making it difficult to determine the important events from the noise. These logs also needlessly consume critical online and archive storage space.
The system administrator's organization has several Cisco ASA firewalls that generate hundreds of events per second. They do not need every event.
An Administrator configures CA User Activity Reporting Module to summarize and count firewall logs that have the following fields in common: source_address, dest_address, dest_port, event_action, event_result.
Procedure |
More Information |
---|---|
|
Group-based Node Organization
An agent group allows agents to be associated together for management purposes. Agents can belong to only one group. Agents that are not assigned to a group belong to the Default Group.
The organization's New York data center has two agents and the Chicago data center has three agents. For management purposes, these agents need to be grouped by data center.
An Administrator creates a New York agent group and a Chicago agent group and assigns the agents to their respective groups.
Procedure |
More Information |
---|---|
Copyright © 2013 CA.
All rights reserved.
|
|