Previous Topic: Custom Report CreationNext Topic: API Access


Agent Management

Connector Configuration on an Agent

A connector is a collection process that runs under the control of an agent and collects and processes events from a single log source. A connector, which connects with a specific device, uses an integration that provides the rules for connecting with that specific type of device.

Problem:

You need to know who has accessed the SQL Server 2005 and Oracle 11g databases within the last week.

Solution:

Install an agent. For that agent, create one SQL Server connector and one Oracle connector using the SQL Server 2005 and Oracle 11g predefined integrations. After receiving events, run a report to find out who has accessed these databases within the last week.

Procedure

More Information

Agent Management Tasks

Configure the Syslog Connector for the Default Agent

Configure a Windows Connector for the Agent

View Logs from Windows Event Sources

Event Filtering with Suppression Rules

Suppression rules are rules you configure to prevent certain raw events from appearing in your reports. You can create permanent suppression rules to suppress routine events of no security concern and you can create temporary rules to suppress the logging of planned events such as the creation of many new users.

Problem:

Systems generate volumes of logs that are not required for reporting or alerting. It is difficult and time-consuming to distinguish important events from the noise because event log sources generate high volumes of data irrelevant to security. These logs also needlessly consume critical online and archive storage space.

The security analyst is an expert in Windows Server 2003 auditing, and knows that Windows writes duplicate events when performing object access auditing -- Event ID 560 and 562.

Solution:

Since only Event ID 562 is needed for Resource Access reports, you can suppress Event ID 560. An Administrator configures a CA User Activity Reporting Module suppression rule to filter out this event.

Procedure

More Information

Creating a Suppression Rule

How to Apply Suppression and Summarization on Agent Components

Suppression Rule Effects

Event Summarization with Summarization Rules

Summarization rules are rules that combine certain native events of a common type into one refined event. For example, a summarization rule can be configured to replace up to 1000 duplicate events that have the same source and destination IP addresses and ports with a single summarization event. Such rules simplify event analysis and reduce log traffic.

Problem:

Some log events may be repeated hundreds or thousands of times, consuming disk space and making it difficult to determine the important events from the noise. These logs also needlessly consume critical online and archive storage space.

The system administrator's organization has several Cisco ASA firewalls that generate hundreds of events per second. They do not need every event.

Solution:

An Administrator configures CA User Activity Reporting Module to summarize and count firewall logs that have the following fields in common: source_address, dest_address, dest_port, event_action, event_result.

Procedure

More Information

Creating a Summarization Rule

 

Group-based Node Organization

An agent group allows agents to be associated together for management purposes. Agents can belong to only one group. Agents that are not assigned to a group belong to the Default Group.

Problem:

The organization's New York data center has two agents and the Chicago data center has three agents. For management purposes, these agents need to be grouped by data center.

Solution:

An Administrator creates a New York agent group and a Chicago agent group and assigns the agents to their respective groups.

Procedure

More Information

Creating an Agent Group

Configuring Agent Management

About Agent Groups