

Filters and Profiles

This section contains the following topics:

Global and Local Filters

How to Create a Profile

Import a Profile

Export a Profile

Set a Profile

Create a Global Filter

Configure Global Query Settings

Edit a Global Filter

Remove a Global Filter

Create a Local Filter

Edit a Local Filter

Remove a Local Filter

Global and Local Filters

You can set or edit filters to refine the displayed event or incident information. You can access the global filter dialog from the main CA User Activity Reporting Module window. You can add local filters from within an individual query or report display, or from the Incidents area. You can also use the Global filter interface to set application-wide query settings.

Both filters have their own creation dialog. A unique button launches each dialog:

Global Filter

Applies to all internal reports and queries that you view, in the current session only. Global filters do not apply to external ODBC queries or reports. The Global Filter button appears at the top of the main CA User Activity Reporting Module window beside the Log Manager Server menu. You can use a global filter to view all events received in the last week, or from a certain host, for example. You can also set global filters for Incidents, which are constructed in the same way as event filters. Incident filters only apply to incidents and their component event information.

Note: A global filter returning the last six hours of data is the default setting.

Local Filter

Applies only to the current report, query, or incident view. The Local Filter button appears at the top of the details pane in query or report displays, and at the top of the Incidents pane. The local filter is not applied or saved when you change reports, unless you save the report as a favorite with that filter set. Local filters let you narrow the current view (for example, to see only one host in a multihost report view) without changing other report views.

Note: You can only set advanced filters from the local filter dialog if your query is an ODBC query.

About Simple Filters

Before your first use of the Query Design wizard or the Profile Design wizard, become familiar with the simple filter types.

Examples of Simple Filters

An example of each type of simple filter follows:

| Filter type | Value | Description |
|---|---|---|
| Ideal Model | Antivirus | Displays only event data that products such as the following generate: CA Anti-Virus, McAfee VirusScan, Symantec Antivirus Corporate Edition, TrendMicro OfficeScan. |
| Event Category/Event Class | System Access/login activity | Displays only event data related to users logging in to a system. |
| Event Log Name | Cisco PIX Firewall | Displays only event data that Cisco PIX Firewall devices generate. |

With the exception of Event Log Name, the filter types are based on the Common Event Grammar (CEG).

Find these lists in the online help under the "Common Event Grammar" section.

Set a Simple Filter

You can set simple filters to establish criteria for the event data you want displayed or reported. When set in the Query Design wizard, simple filters let you limit the event data returned by a query used in a report or alert. When set in the Profile Design wizard, simple filters limit the data displayed in the report or query results when the profile is applied.

  1. Open the wizard.
  2. Determine the type of simple filter to set:
  3. To set a technology-based filter, click the Ideal Model is check box and then select a value from the Ideal Model drop-down list.
  4. To set a filter based on a security event category, category and class, or category, class, and action, do the following:
    1. Click the Event Category is check box and then select a value from the associated drop-down list.
    2. (Optional) Click the Event Class is check box and then select a value from the drop-down list.
    3. (Optional) If you selected Event Class, click the Event Action is check box, and then select a value from the drop-down list.

    Note: You can also set this type of filter under a technology-based filter.

  5. To set a product-based filter, click the Event Log Name is check box and then select a value from the drop-down list.
  6. Complete the wizard.

About Profile Filters

A profile is a set of filters. You can create a profile with tag filters, data filters, or a combination. The query tag filter limits the queries displayed for selection; the report tag filter limits the reports displayed for selection. The data filters limit the data displayed in a report or in query results. The profile filters apply to queries, reports, scheduled alerts, and scheduled reports.

You can select tag filters for reports and queries separately. Tag filters include, but are not limited to, the following:

You can select a simple data filter or you can create an advanced data filter. A brief description of each follows:

How to Create a Profile

You can create profiles, which allow users to narrow their CA User Activity Reporting Module views, according to your environmental needs. For example, you could create a CA Access Control profile that would show only reports, queries and events relevant to Access Control.

The process of creating a profile, using the profile wizard, has the following steps:

  1. Opening the profile wizard
  2. Naming the profile and entering description information
  3. Identifying the information shown using simple and advanced filters
  4. Selecting which queries and reports are displayed using tag filters

More information:

Add Profile Details

Create Data Filters

Create Tag Filters

Open the Profile Wizard

To create a new profile, or edit an existing one, you must open the profile wizard.

To open the profile wizard

  1. Click the Administration tab, and then the Library subtab.

    The Library folder list appears.

  2. Select the Profiles folder.

    The Profiles buttons appear in the details pane.

  3. Click New Profile.

    The Profile Wizard opens.

    When using the wizard:

Add Profile Details

You must name a profile. You can also enter optional description information for reference.

To name a profile

  1. Open the profile wizard.
  2. Type a name for the new profile. The name may be up to 80 characters long, and may include special characters.
  3. (Optional) Type description information.
  4. Advance to the Data Filters step.

Create Data Filters

You filter the information shown by your profile using simple or advanced filters. Each profile must have at least one filter.

To set profile data filters

  1. Open the profile wizard.
  2. Enter the profile name, if not already specified, then advance to the Data Filters step.

    The filters dialog appears, displaying the Simple Filters Tab.

  3. Create any simple filters you want, to search for stated CEG field values. For example, you could select the Event Log Name check box, and enter "CA Access Control" to search for CA Access Control events.
  4. (Optional) Click the Advanced Filters tab.

    The advanced filters dialog appears.

  5. Create advanced filters as needed.
  6. Click the appropriate arrow to advance to the profile wizard step you want to complete next, or click Save and Close.

    If you click Save and Close, the new profile appears in the list; otherwise, the wizard step you choose appears.

More information:

Using Advanced Filters

Create an Advanced Event Filter

Create a Simple Event Filter

Create Tag Filters

You can create tag filters for your profile, controlling which queries or report category tags appear in the CA User Activity Reporting Module interface when a user applies the profile. For example, if you create a tag filter for CA SiteMinder, the CA User Activity Reporting Module interface displays only those reports and queries with the CA SiteMinder tag.

To create a tag filter

  1. Open the profile wizard.
  2. Enter the profile name, if not already specified, then advance to the Tag Filters step.

    The filters dialog appears, displaying the Report Tag Filters subtab.

  3. Click New Event Filter.

    The first row of the tag filter table becomes active.

  4. Click the Tag cell and select or type the query or report tag name you want to display. If you type, the display narrows available tag names as you type.
  5. (Optional) Click New Event Filter again to add additional filters.

    The second row of the tag filter table becomes active, displaying AND in the logic column.

  6. (Optional) Click the logic cell to select either an AND or OR operator.
  7. (Optional) Click the Tag cell and select or type the tag name you want to display. If you type, the display narrows available tag names as you type.
  8. (Optional) Click the open and closed parentheses cells and enter the number of parentheses you need.
  9. (Optional) Click the Query Tag Filters subtab, and repeat steps 3 through 8 to create any query tag filters that you need.
  10. Click Save when you have entered all the filter statements you want.
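
The tag filter table from the steps above (logic cell, parentheses counts, tag), modelled as an added Python example that is not CA product code: it shows why the parentheses in step 8 matter once AND and OR are mixed, and it rejects unbalanced parentheses counts. The Row layout, the tags carried by the sample items, and the AND-before-OR precedence are assumptions; this guide does not state how ungrouped rows are evaluated.

```python
from collections import deque
from typing import NamedTuple, Optional

class Row(NamedTuple):             # one row of the tag filter table (model)
    logic: Optional[str]           # None on the first row, then "AND" or "OR"
    opens: int                     # count entered in the open-parentheses cell
    tag: str
    closes: int                    # count entered in the closed-parentheses cell

def tokens(rows):
    """Flatten rows to tokens; reject bad logic cells and unbalanced parentheses."""
    out, depth = [], 0
    for n, r in enumerate(rows, 1):
        if n > 1:
            if r.logic not in ("AND", "OR"):
                raise ValueError(f"row {n}: logic must be AND or OR")
            out.append(r.logic)
        out += ["("] * r.opens + [("TAG", r.tag)] + [")"] * r.closes
        depth += r.opens - r.closes
        if depth < 0:
            raise ValueError(f"row {n}: closes a parenthesis that was never opened")
    if depth or not rows:
        raise ValueError("empty filter or unclosed parenthesis")
    return out

def matches(rows, item_tags):
    """True if an item with item_tags passes; assumes AND binds tighter than OR."""
    toks = deque(tokens(rows) + [None])      # None marks end of input
    def atom():
        tok = toks.popleft()
        if tok == "(":
            value = or_expr()
            toks.popleft()                   # the matching ")", guaranteed by tokens()
            return value
        return tok[1] in item_tags
    def and_expr():
        value = atom()
        while toks[0] == "AND":
            toks.popleft()
            value = atom() and value         # atom() first: always consume its tokens
        return value
    def or_expr():
        value = and_expr()
        while toks[0] == "OR":
            toks.popleft()
            value = and_expr() or value
        return value
    return or_expr()

# Constructed sample: the same three tags entered without and with grouping.
FLAT = [Row(None, 0, "CA SiteMinder", 0), Row("OR", 0, "CA Access Control", 0),
        Row("AND", 0, "System Access", 0)]
GROUPED = [Row(None, 1, "CA SiteMinder", 0), Row("OR", 0, "CA Access Control", 1),
           Row("AND", 0, "System Access", 0)]
```

For a report tagged only CA SiteMinder, `matches(FLAT, ...)` is True under the assumed precedence while `matches(GROUPED, ...)` is False, so a profile meant to restrict what users see should group mixed operators explicitly rather than rely on evaluation order.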

More information:

Create Data Filters

Import a Profile

You can import a profile, allowing you to move profiles from one environment to another. For example, you could import a profile created in a test environment to your live environment.

To import a profile

  1. Click the Administration tab, and then the Library subtab.

    The Library folder list appears.

  2. Click the arrow beside the Profiles folder to expand it.

    The profiles buttons appear in the details pane.

  3. Click Import Profile.

    The import file dialog appears.

  4. Browse to find the file you want to import, and click OK.

    The profile wizard appears, displaying the details of the profile you selected.

  5. Make any changes you want, and click Save and Close. If the imported profile shares a name with one already in your management database, you are prompted to change the name.

    The imported profile appears in the appropriate folder.

Export a Profile

You can export a profile. This lets you share profiles between environments. For example, you could export a profile created in a test environment to your live environment.

To export a profile

  1. Click the Administration tab, and then the Library subtab.

    The Library folder list appears.

  2. Click the arrow beside the Profiles folder to expand it.

    The profiles folders appear.

  3. Click the folder which contains the profile you want to export.

    The folder expands, showing the individual files.

  4. Select the profile you want to export, and then click Export Profile.

    An export location dialog appears.

  5. Enter or browse to the location where you want to store the exported profile, and click Save.

    An export successful confirmation dialog appears.

  6. Click OK.

    The profile is exported.

Set a Profile

You can select any available profile to apply to your environment, restricting the queries and reports available, depending on the terms of the profile. To set a profile, select the profile you want from the Profiles drop-down menu at the top of the main CA User Activity Reporting Module window.

Note: To set the selected profile as a default profile of your environment, click the Set as default profile option at the top of the main CA User Activity Reporting Module window. The selected profile is set as the default profile of the logged in user.

Create a Global Filter

You can create a global filter. Global filters let you view all queries and reports, or all incidents using the same qualifying factors. When you create a global filter you choose whether it applies to events or to incidents. A single global filter cannot apply to both. You can also use the Global filter interface to set application-wide query settings.

To create a global filter

  1. Click the Global Filters button at the top of the main window.

    The Global Filters and Settings dialog appears.

  2. Click the Events tab or the Incidents tab to select where you want the global filter applied.
  3. Specify the time period you want your filter to search, using the Time Range drop-down list.
  4. Select the Match check box to enter a specific value by which you want to filter all available raw events.

    Note: You can search for multiple values, phrases, or partial values in the raw events by using the specialized Match syntax.

  5. Click Add Filter to specify event fields that you want to include in the filter.

    The Column drop-down menu and Value entry field appear.

  6. Choose the event field you want to include in the filter, and type the value that the field must have to be displayed in the filtered reports. You can enter multiple event field names and values by clicking Add Filter again. Selecting the Exclude button includes every value but the one you enter for the chosen event field name.

    Note: If you create a global filter on a string-type field, it is added to the Quick filters list. If you create a filter on a numeric or time field, it is added to the Advanced filters list.

  7. (Optional) Click the Advanced Filters tab to add additional complex qualifiers.
  8. (Optional) Click the Settings tab to choose global settings. These settings are applied to the whole application.
  9. (Optional) Select Set as Default at the bottom of the dialog to retain the filter settings for any future sessions, as long as you are logged in as the same user.
  10. Click Save.

    The Global Filters and Settings dialog closes, and the new filter is applied to reports.

More information:

Using Advanced Filters

Configure Global Query Settings

Using the Global Filter dialog, you can set application-wide conditions that apply to all reports and queries in your environment. Global settings apply throughout the current session unless you set them as a default.

To configure global query settings

  1. Click the Global Filters button at the top of the main window.

    The Global Filters and Settings dialog appears, displaying the Quick Filters tab.

  2. Click the Settings tab.

    The tab opens, displaying the following values.

    Local Time Zone

    Controls the time zone for all date/time fields in reports and queries. Your reports and queries adopt the time zone you select from the drop-down list rather than using the CA User Activity Reporting Module server time zone.

    Execute queries on federated data

    Allows the query to be applied to all available federated servers. This setting is enabled by default. Disabling this setting confines queries to only the event data stored in the local event log store. This improves query speed when all the target events are stored locally.

    Note: The federated data setting does not apply to external ODBC queries.

    Enable auto refresh for queries

    Allows the display to refresh automatically at the set interval for each query.

  3. (Optional) Select Set as Default at the bottom of the dialog to preserve the settings as defaults that are retained after the current session.
  4. Make any changes you want, and click Save.

    The Global Filters and Settings dialog closes, and the new filter is applied.

Edit a Global Filter

You can edit an existing global filter.

To edit a global filter

  1. Click the Global Filters button at the top of the main window.

    The Global Filters and Settings dialog appears, displaying the Quick Filters tab.

  2. Change or add parameters as needed. You can remove an individual quick filter parameter by clicking the Delete icon beside it.
  3. Click Save.

    The Global Filters and Settings dialog closes, and the edited filter is applied.

Remove a Global Filter

You can remove a global filter, returning all reports to their default state.

To remove a global filter, click Clear Global Filters at the top of the main CA User Activity Reporting Module window.

Create a Local Filter

You can create a local filter to narrow the scope of the query or report you are viewing, or the incidents displayed in the Incidents area.

To create a local filter

  1. Open the query or report you want to filter, or click the Incidents tab, and click the Local Filters button at the top of the pane.

    The Local Filters dialog appears, displaying the Quick Filters tab.

  2. (Optional) Click the Incidents tab if you want to filter displayed incidents rather than events.
  3. (Optional) Select the Match check box to type a specific value by which you want to search events or incidents.

    Note: You can search for multiple values, phrases, or partial values by using the specialized Match syntax.

  4. Click Add Filter.
  5. Choose the event field you want to include in the filter, and type the value that the field must have to be displayed in the filtered reports. You can enter multiple column values by clicking Add Filter again. Selecting the Exclude button includes every value but the one you enter for the chosen event field name.
  6. (Optional) Click the Advanced Filters tab to add additional qualifiers.
  7. Click Save.

    The filter is applied to the display. You can save the report view by setting it as a Favorite.

More information:

Using Advanced Filters

Edit a Local Filter

You can edit an existing local filter.

To edit a local filter

  1. Click the Local Filters button at the top of the query or report pane, or at the top of the Incidents view.

    The Local Filters dialog appears, displaying the Quick Filters tab.

  2. Change or add values as needed. You can remove individual filter settings by clicking the Delete icon beside each one, or remove a Match value by clearing the check box.
  3. Click Save.

    The edited filter is applied to the display.

Remove a Local Filter

You can remove a local filter, returning a query, report, or incident view to its previous state.

To remove a local filter, click the Clear Local Filter button at the top of the query, report or incident display you are viewing.