Previous Topic: Configure the SAPI Collector Adapter to Receive CA Access Control EventsNext Topic: Check and Activate the Changed Policy


Modify an Existing CA Audit Policy to Send Events to CA User Activity Reporting Module

Use this procedure to enable a CA Audit client to send events to both CA User Activity Reporting Module and the CA Audit collector database. By adding a new target to the Route or Collector actions on an existing rule, you can send collected events to both systems. As an alternative, you can also modify specific policies or rules to send events only to the CA User Activity Reporting Module server.

CA User Activity Reporting Module collects events from CA Audit clients using the CA Audit SAPI Router and CA Audit SAPI Collector listeners. (CA User Activity Reporting Module can also collect events using the iTech plugin directly, if you configured any iRecorders to send directly to the CA User Activity Reporting Module server.) Collected events are stored in the CA User Activity Reporting Module event log store only after you push the policy to the clients and it becomes active.

Important: Configure the CA User Activity Reporting Module listeners to receive events before you modify and activate the policy. If you do not do this configuration first, you can incorrectly map events between the time that the policy becomes active and the listeners can correctly map the events.

To modify an existing policy rule action to send events to CA User Activity Reporting Module

  1. Log into the Policy Manager server and access the My Policies tab in the left pane.
  2. Expand the policy folder until you can see the desired policy.

    The CA Audit policy manager pane, showing the My Policies tab with the Suspicious Events policy selected.

  3. Click the policy to display its basic information in the Details pane to the right.

    The Details pane shows that the Suspicious Events policy is selected, and offers a New Rule button at the top.

  4. Click Edit in the Details pane to add to the policy rules.

    The rule wizard starts:

    This picture shows the first page of the Edit a Rule wizard.

  5. Click Edit Actions next to the arrow for the step 3.

    The rule actions page displays:

    This picture shows the Edit a Rule wizard's edit action page with a list of actions in a separate pane on the left.

  6. Click the Collector action in the Browse Actions pane to display the Action List to the right.

    This picture shows the Action List that displays when you select the Collector action from the list.

    You could also use the Route action, but the collector action offers the additional benefit of an alternate host name for basic failover processing.

  7. Click New to add a new rule.
  8. Enter the IP address or host name of the collection CA User Activity Reporting Module server.

    This picture shows the completed collector action record just before you click the Add button.

    For a CA User Activity Reporting Module implementation with two or more servers, you can enter a different CA User Activity Reporting Module host name or IP address in the Alternate Host Name field. This takes advantage of CA Audit's automatic failover feature. If the first CA User Activity Reporting Module server is not available, CA Audit automatically sends events to the server named in the Alternate Host Name field.

  9. Enter the name of the management CA User Activity Reporting Module server in the Alternate Host Name field, and then create a description for this new rule action.
  10. Clear the check box, Perform this action on remote server, if it is checked.
  11. Click Add to save the new rule action and then click Finish in the wizard window.

    Note: Next you check and activate the policy, so do not log out of the CA Audit Policy Manager.

More information:

Modify an Existing r8SP2 Policy to Send Events to CA User Activity Reporting Module