

Custom Log Collection

Custom Log Collection with Syslog

Problem:

The organization needs to collect and report on events from a firewall that uses syslog for submitting events, but there is no predefined integration for this particular firewall product.

Solution:

The Administrator creates the integration, deploys it, and generates the reports as follows. The Administrator configures the default agent to listen for syslog and points the firewall to send its events to this CA User Activity Reporting Module. Using the raw events stored in the event log store, the Administrator creates parsing and mapping rules for the firewall events and then creates an integration called FW-1 based on these parsing and mapping files. After the FW-1 integration is deployed on the default agent, events from the firewall are collected and processed. The manager then runs the predefined Firewall Activity by Firewall report and the Firewall Configuration Changes report.

Procedure

More Information

How to Create a Syslog Listener

Configuring Agent Management

Add a syslog Time Zone


Custom Log Collection with a Flat File

You can import integration definition XML files for use in the local management server.

Problem:

The organization needs to collect events from a homegrown application, MyApp, that logs events to a syslog log file. The homegrown application, MyApp, performs access management on a host.

Solution:

The Administrator reviews the raw data from the log file, creates custom parsing rules and mapping rules for MyApp's events, creates a custom integration called MyApp-1 based on the parsing and mapping files, installs an agent on the host where MyApp runs, and deploys MyApp-1 on that agent. The Administrator then runs reports that show system access by account to review the access management details logged by MyApp.
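Both scenarios above (the FW-1 syslog firewall integration and the MyApp-1 flat-file integration) follow the same pattern: a raw event is split into a syslog header and a message, a parsing rule extracts named fields from the message, and a mapping rule renames those fields into a common event schema that reports can query. The following Python is an added illustration of that pipeline, not CA's own XMP or DM file format and not code from the product. The sample log lines, the regular expressions, the integration names and the target field names are all constructed for the example; an unparsed event is kept as raw text, which is what an administrator reviews when writing new parsing rules.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed sample raw events (not captured from any real device or application).
SAMPLE_FIREWALL_EVENT = (
    "<134>Jan 12 10:15:01 fw01 kernel: "
    "DROP IN=eth0 SRC=10.1.2.3 DST=192.168.5.10 PROTO=TCP DPT=445"
)
SAMPLE_MYAPP_EVENT = (
    "Jan 12 10:16:44 host7 MyApp[4122]: LOGIN user=alice result=success src=10.1.2.50"
)

# Generic BSD-style syslog header: optional <PRI>, timestamp, host, tag[pid]: message.
SYSLOG_HEADER = re.compile(
    r"^(?:<(?P<pri>\d+)>)?"
    r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Hypothetical parsing rules: one regex per integration, named groups are the raw fields.
PARSING_RULES = {
    "FW-1": re.compile(
        r"^(?P<action>ACCEPT|DROP) IN=(?P<iface>\S+) SRC=(?P<src>\S+) "
        r"DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)(?: DPT=(?P<dport>\d+))?"
    ),
    "MyApp-1": re.compile(
        r"^(?P<op>\w+) user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)"
    ),
}

# Hypothetical mapping rules: common schema field -> raw field produced by the parser.
MAPPING_RULES = {
    "FW-1": {
        "event_action": "action",
        "source_address": "src",
        "dest_address": "dst",
        "dest_port": "dport",
        "protocol": "proto",
    },
    "MyApp-1": {
        "event_action": "op",
        "source_username": "user",
        "event_result": "result",
        "source_address": "src",
    },
}


def parse_syslog(raw: str) -> Optional[dict]:
    """Split a raw line into syslog header fields; None if it is not syslog-shaped."""
    m = SYSLOG_HEADER.match(raw)
    return m.groupdict() if m else None


def apply_parsing_rules(msg: str):
    """Return (integration name, raw fields) for the first parsing rule that matches."""
    for name, rule in PARSING_RULES.items():
        m = rule.match(msg)
        if m:
            return name, m.groupdict()
    return None, {}


def normalize_event(raw: str) -> dict:
    """Parse and map one raw event into the common schema.

    Events that no integration understands are returned with integration=None and
    the raw text preserved, so they can be reviewed when authoring new rules.
    """
    header = parse_syslog(raw)
    if header is None:
        return {"integration": None, "raw": raw}
    integration, fields = apply_parsing_rules(header["msg"])
    event = {
        "integration": integration,
        "host": header["host"],
        "timestamp": header["ts"],
        "raw": raw,
    }
    if integration is None:
        return event
    for target, source in MAPPING_RULES[integration].items():
        if fields.get(source) is not None:  # optional groups (e.g. DPT) may be absent
            event[target] = fields[source]
    return event


def firewall_activity_by_host(raw_events) -> dict:
    """Toy equivalent of an activity-by-firewall report: action counts per host."""
    counts = defaultdict(lambda: defaultdict(int))
    for raw in raw_events:
        ev = normalize_event(raw)
        if ev["integration"] == "FW-1":
            counts[ev["host"]][ev["event_action"]] += 1
    return {host: dict(actions) for host, actions in counts.items()}


if __name__ == "__main__":
    for line in (SAMPLE_FIREWALL_EVENT, SAMPLE_MYAPP_EVENT):
        print(normalize_event(line))
    print(firewall_activity_by_host([SAMPLE_FIREWALL_EVENT, SAMPLE_FIREWALL_EVENT]))
```

The parsing and mapping rules are kept as separate tables on purpose: adding a new event source means adding one regex and one field map, without touching the collection code, which mirrors the page's separation between an integration's parsing file and its mapping file.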

Procedure

More Information


Event Log Store Considerations

Custom Log Collection Based on a Predefined Integration

You can create custom files from copies of the predefined files.

Problem:

The organization uses CA Access Control for host access control and wants to use the CA User Activity Reporting Module predefined integration with CA Access Control, but requires the collection of specific types of events not covered by the predefined integration.

Solution:

The Administrator copies the predefined CA Access Control XMP and DM files, modifies them, and creates a user-defined integration called CA-CA-1. The Administrator then deploys this integration and is able to collect events that include the specific types of interest. To review these events, the Administrator runs reports that show system access by account and system access by business critical hosts.

Procedure

More Information

Mapping and Parsing Rules

Creating a Data Mapping File

Creating a Message Parsing File

How to Create an Integration

Add Integration Components

Mapping and Parsing Files