

Use the IP Prompt

The IP prompt queries for events where the IP address you specify appears in the selected CEG fields of the refined event. When raw event data is refined, event details can include several different CEG IP addresses. Consider this scenario:

  1. The event initiator on source_address attempts an act, event_action, on a target residing on dest_address.

    Note: source_address and dest_address can be different or the same.

  2. This event is recorded in a repository on event_source_address.

    Note: event_source_address can be different from either source_address or dest_address, or can be the same as one or both.

  3. A CA User Activity Reporting Module agent installed on agent_address makes a copy of the event recorded on event_source_address.

    Note: agent_address is the same as event_source_address in agent-based log collection but is different in agentless and direct log collection.

  4. The agent on agent_address transmits the copy of the event in event_logname to a CA User Activity Reporting Module collection server.
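The following is an added illustration, not code from the product or its documentation: it models the scenario above with constructed refined events (one agent-based, one agentless) and a small ip_prompt function that matches an IP against the selectable CEG fields, plus a decoder for the Result letter codes described in the results section. Field names come from this page; the helper names, sample addresses and the event_result/event_logname keys are assumptions.

```python
# CEG IP fields selectable in the IP prompt (names as listed on the page).
IP_FIELDS = ("source_address", "dest_address", "event_source_address",
             "receiver_hostaddress", "agent_address")

# Letter codes shown in the Result column and their documented meaning.
RESULT_CODES = {"S": "Success", "F": "Failure", "A": "Accepted",
                "D": "Dropped", "R": "Rejected", "U": "Unknown"}


def refined_event(source, dest, event_source, agent, action, result, logname):
    """Constructed refined event carrying the CEG fields the IP prompt matches on.
    receiver_hostaddress is filled from agent_address because the page states
    the two are the same. Key names other than the IP fields are assumed."""
    return {
        "source_address": source,
        "dest_address": dest,
        "event_source_address": event_source,
        "agent_address": agent,
        "receiver_hostaddress": agent,
        "event_action": action,
        "event_result": result,
        "event_logname": logname,
    }


def ip_prompt(events, ip, fields):
    """Return the events where `ip` appears in any of the selected CEG fields,
    mirroring what the IP prompt does. Unknown field names are rejected."""
    unknown = set(fields) - set(IP_FIELDS)
    if unknown:
        raise ValueError(f"not an IP prompt field: {sorted(unknown)}")
    return [e for e in events if any(e[f] == ip for f in fields)]


def decode_result(code):
    """Map a Result column letter to its meaning; anything else is Unknown."""
    return RESULT_CODES.get(code, RESULT_CODES["U"])


# Constructed sample events (hypothetical addresses):
#  - agent-based collection: the agent runs on the event-source host, so
#    agent_address == event_source_address;
#  - agentless collection: the agent sits on a separate host (10.0.0.99).
EVENTS = [
    refined_event("10.0.0.5", "10.0.0.20", "10.0.0.20", "10.0.0.20",
                  "Authentication", "F", "Security"),
    refined_event("10.0.0.7", "10.0.0.30", "10.0.0.30", "10.0.0.99",
                  "Authentication", "S", "Security"),
]
```

Querying 10.0.0.30 with only agent_address selected returns nothing, while the same IP with event_source_address selected returns the agentless event, which is why the choice of fields matters.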

To use the IP prompt

  1. Select Queries and Reports.

    The Query List displays the Prompts folder and one or more folders for other queries.

  2. Expand Prompts and select Host.

    The IP prompt appears.

  3. Enter the IP address on which to base this query.
  4. Select one or more of the following fields to query for data matching your IP address entry.
    source_address

    Is the IP address of the host where the action was initiated.

    dest_address

    Is the IP address of a host that is the destination or target of the action.

    event_source_address

    Is the IP address of a host that records the raw event when the event occurs.

    For example, you can deploy a connector based on WinRM to collect events from the Event Viewer on a Windows Server 2008 host. To select events retrieved from a given Windows Server 2008 host, enter the IP address of that server and select this field.

    receiver_hostaddress

    Is the same as agent_address.

    agent_address

    Is the IP address of a host where a CA User Activity Reporting Module agent is deployed.

  5. Click Go.

    Results of the IP prompt query appear.

  6. Use the following descriptions to interpret the query results:
    CA Severity

    Indicates the severity of the event, where the values in increasing order of severity include: Information, Warning, Minor Impact, Major Impact, Critical, and Fatal.

    Date

    Indicates when the event occurred.

    Result

    Provides a code for the result of the corresponding action, where the displayed letter has the following meaning: S for Success, F for Failure, A for Accepted, D for Dropped, R for Rejected, and U for Unknown.

    Destination Port

    Identifies the communication port on the destination host, the target of the event action.

    Source IP

    Identifies the IP address from which the event action was initiated.

    Destination IP

    Identifies the IP address of the host that was the target of the event action.

    Event Source IP

    Identifies the IP address of the host with the repository where the event was originally recorded.

    Agent IP

    Identifies the name of the host with the CA User Activity Reporting Module agent responsible for the collection of events from the event source.

    Receiver IP

    The same as Agent IP.

    Category

    Identifies the high-level category of the corresponding event action. For example, System Access is the category for the Authentication action.

    Action

    Identifies the event action.

    Log Name

    Identifies the log name used by the connector that collected the event.