

Use the Port Prompt

The port prompt queries for events where the port you specify appears in the selected CEG fields of the refined event. When raw event data is refined, event details can include several different CEG port numbers. Consider this scenario:

  1. The event initiator on the source host uses the outbound port, source_port, to initiate the event action on a target residing on the destination host, which receives it through the inbound port, dest_port.

    Note: Source_port and dest_port are the same for local events. Otherwise, they are host-specific.

  2. This event is recorded in a repository on the event source.
  3. A CA User Activity Reporting Module agent makes a copy of the event recorded on the event source.
  4. The agent transmits the copy of the event through the outbound port, receiver_port, to a CA User Activity Reporting Module collection server.

    Note: The agent uses port 17001, by default, to secure communications to the CA User Activity Reporting Module collection server.

To use the Port prompt

  1. Select Queries and Reports.

    The Query List displays the Prompts folder and one or more folders for other queries.

  2. Expand Prompts and select Port.

    The Port prompt appears.

  3. Enter the port number on which to base this query.
  4. Select the fields on which to query for data matching your port number entry:
    source_port

    Is the communications port on the source host used for initiating the action.

    dest_port

    Is the communications port on the destination host that is the target of the action.

    receiver_port

    Is the port that the agent uses to communicate with the CA User Activity Reporting Module collection server.

  5. Click Go.

    Results of the port prompt query appear.

  6. Use the following descriptions to interpret the query results:
    CA Severity

    Indicates the severity of the event, where the values in increasing order of severity include: Information, Warning, Minor Impact, Major Impact, Critical, and Fatal.

    Date

    Indicates when the event occurred.

    Source IP

    Identifies the IP address of the host from which the event action was initiated.

    Result

    Specifies a code for the event result of the corresponding action, where S means Success, F means Failure, A means Accepted, D means Dropped, R means Rejected, and U means Unknown.

    Source Port

    Identifies the outbound port used for initiating the action.

    Destination Port

    Identifies the inbound port on the destination host.

    Receiver Host

    Identifies the outbound port on the agent used to send event logs to the CA User Activity Reporting Module server.

    Category

    Identifies the high-level category of the corresponding event action. For example, System Access is the category for the Authentication action.

    Action

    Identifies the event action.

    Log Name

    Identifies the log name used by the connector that collected the event.
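The scenario above and step 4 of the procedure describe the port prompt's matching rule: an event is returned when the port you enter appears in any of the CEG port fields you select. The following Python is an added example that reproduces that rule over a constructed set of refined events; it is not CA product code, and the event records, field names other than source_port, dest_port and receiver_port, and the helper names are assumptions for illustration. It also shows why field selection matters: because the agent sends every event through receiver_port (17001 by default), a query for 17001 with receiver_port selected matches all events, while restricting the query to source_port and dest_port isolates events where 17001 was the actual communications port of the action.

```python
"""Port-prompt style filtering over refined events (added example, not CA code)."""

# The three CEG port fields the Port prompt lets you select.
PORT_FIELDS = ("source_port", "dest_port", "receiver_port")

# Constructed sample of refined events; values are made up for illustration.
SAMPLE_EVENTS = [
    {"event_id": 1, "date": "2024-01-05T10:00:00Z", "source_ip": "10.0.0.5",
     "source_port": 51234, "dest_port": 22, "receiver_port": 17001,
     "category": "System Access", "action": "Authentication", "result": "S"},
    # Local event: source_port and dest_port are the same (see the Note above).
    {"event_id": 2, "date": "2024-01-05T10:01:00Z", "source_ip": "10.0.0.7",
     "source_port": 443, "dest_port": 443, "receiver_port": 17001,
     "category": "System Access", "action": "Authentication", "result": "S"},
    {"event_id": 3, "date": "2024-01-05T10:02:00Z", "source_ip": "10.0.0.9",
     "source_port": 40001, "dest_port": 3389, "receiver_port": 17001,
     "category": "System Access", "action": "Authentication", "result": "F"},
    {"event_id": 4, "date": "2024-01-05T10:03:00Z", "source_ip": "10.0.0.5",
     "source_port": 22, "dest_port": 60002, "receiver_port": 17001,
     "category": "System Access", "action": "Authentication", "result": "R"},
]


def validate_port(port):
    """Reject entries that cannot be a TCP/UDP port number (assumed check)."""
    if isinstance(port, bool) or not isinstance(port, int):
        raise ValueError("port must be an integer")
    if not 0 <= port <= 65535:
        raise ValueError("port must be in the range 0-65535")
    return port


def query_by_port(events, port, fields=PORT_FIELDS):
    """Return events where `port` appears in any of the selected CEG port fields.

    `fields` mirrors the check boxes in step 4; selecting no valid field is an error.
    """
    validate_port(port)
    selected = tuple(fields)
    unknown = set(selected) - set(PORT_FIELDS)
    if unknown or not selected:
        raise ValueError("fields must be a non-empty subset of %r" % (PORT_FIELDS,))
    return [e for e in events if any(e.get(f) == port for f in selected)]


def is_local_event(event):
    """Per the page's note, a local event has identical source_port and dest_port."""
    return event.get("source_port") == event.get("dest_port")


def result_rows(events):
    """Project matched events onto the result columns listed in step 6 (assumed order)."""
    return [
        (e["date"], e["source_ip"], e["result"], e["source_port"],
         e["dest_port"], e["receiver_port"], e["category"], e["action"])
        for e in events
    ]


if __name__ == "__main__":
    hits = query_by_port(SAMPLE_EVENTS, 22)
    for row in result_rows(hits):
        print(row)
```

Querying for 22 with all three fields selected returns events 1 and 4 (port 22 is the destination in one and the source in the other); narrowing the fields to dest_port only returns event 1. Querying for 17001 with all fields returns every sample event, and the same query limited to source_port and dest_port returns nothing, which is the distinction to keep in mind when interpreting Receiver Host values in the results.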