Previous Topic: Modify an Existing CA Audit Policy to Send Events to CA User Activity Reporting ModuleNext Topic: When to Import Events


Modify an Existing r8SP2 Policy to Send Events to CA User Activity Reporting Module

Use this procedure to enable an r8 SP2 CA Audit client to send events to both CA User Activity Reporting Module and the CA Audit collector database. By adding a new target to the Route or Collector actions on an existing rule, you can send collected events to both systems. As an alternative, you can also modify specific policies or rules to send events only to the CA User Activity Reporting Module server.

More information on working with policies is available in the CA Audit r8 SP2 Implementation Guide. Refer to that resource for details on performing the steps in the procedure that follows.

CA User Activity Reporting Module collects events from CA Audit clients using the CA Audit SAPI Router and CA Audit SAPI Collector listeners. Collected events are stored in the CA User Activity Reporting Module event log store only after you push the policy to the clients and it becomes active.

Important: You must configure the CA User Activity Reporting Module listeners to receive events before you modify and activate the policy. If you do not do this configuration first, you may have incorrectly mapped events between the time that the policy becomes active and the listeners can correctly map the events.

To modify an existing r8 SP2 policy rule's action to send events to CA User Activity Reporting Module

  1. Log into the Policy Manager server as a user with the Maker role.
  2. Access the rule you want to edit by expanding its folder in the Policies pane and choosing the appropriate policy.

    The policy appears in the Details pane, displaying its rules.

  3. Click the rule you want to edit.

    The rule appears, with its actions displayed, in the Details pane.

  4. Click Edit.

    The Edit Rule wizard appears.

  5. Use the Edit Rule wizard to change the rule so that it sends events to the CA User Activity Reporting Module server, either in addition to or in place of the current destinations, and click Finish when done.
  6. Check and commit the policy as the Maker user so that it can be approved by a user with the Checker role.
  7. Log out, and then log back into the Policy Manager server as a user with the Checker role, if your enterprise uses the segregation of duties feature.
  8. Review and approve the policy folder that contains the changed policy and rule.

    After the policy is approved, the Policy Manager Distribution Server's settings determine when the new policy is distributed to the audit nodes. You can review the activation log to check on a policy's activation status.

  9. Repeat this procedure for each rule and policy with collected events you want to send to CA User Activity Reporting Module.