This section contains the following topics:
Event Refinement Component Versions
Suppression and Summarization Rules Tasks
Create a Windows Event 560 Suppression Rule
CA User Activity Reporting Module retains earlier versions of certain custom event refinement components as you create and edit them. This allows you to refer back to earlier versions. You can view or copy versions of the following components:
Each time you create a new custom component, it is designated Version 1.0. When you edit and save a new version of the same object, it is designated Version 2.0. Both versions appear in the appropriate interface area for selection and application.
For example, if you create a custom suppression rule called "NewRule" it appears as NewRule Version 1.0 in the Event Log Store interface list for application. If you then edit that file, it appears as NewRule Version 2.0 in the Event Log Store list.
You can view older versions of event refinement components in the appropriate list. They are read-only and cannot be edited. You can copy an old version and edit it, making it a new version in turn. Continuing the previous example, you could not edit NewRule Version 1.0 once Version 2.0 exists. You would have to copy Version 1.0 and edit it; saving those edits creates Version 3.0.
Suppression and summarization rules let you control your event flow and manage event log store size by eliminating or combining certain events. Suppression rules prevent native events that match their qualifications from being recorded at all. Summarization rules combine multiple native events into a single refined event, which appears instead of the original component events.
Important! You should create and use suppression and summarization rules cautiously since they can prevent the recording and appearance of certain native events. We recommend testing custom suppression and summarization rules in a test environment before deploying them.
Suppression and summarization tasks can all be carried out from the Log Collection area of the interface. You can create, edit and delete custom suppression and summarization rules.
During planning, you may want to consider the effect of suppression rules, which prevent events either from being inserted into the event log store or collected by a connector. Suppression rules are always attached to a connector. You can apply suppression rules at either the agent or group level, or at the CA User Activity Reporting Module server itself. The placement locations have different effects:
There are potential performance considerations in applying suppression rules to events after they arrive at the CA User Activity Reporting Module server, especially if you create multiple suppression rules or the event flow rate is high.
For example, you might want to suppress some of the events from a firewall or from some Windows servers that produce duplicate events for the same action. Not collecting these events can speed up the transport of the event logs you do want to keep, and save processing time on the CA User Activity Reporting Module server. In such cases, you would apply one or more appropriate suppression rules on agent components.
If you want to suppress all events of a certain type from multiple platforms or across your entire environment, you would apply one or more appropriate suppression rules at the CA User Activity Reporting Module server. Evaluation of events with regard to suppression occurs when events arrive at the CA User Activity Reporting Module server. Applying a large number of suppression rules at the server may lead to slower performance as the server must apply suppression rules in addition to inserting events into the event log store.
For smaller implementations, you can perform suppression at the CA User Activity Reporting Module server. You may also choose to apply suppression at the server for deployments where summarization (aggregation) is in use. If you are only inserting a few of the events from an event source that generates large amounts of event information, you may still choose to suppress unwanted events at the agent or agent group level to save processing time on the CA User Activity Reporting Module server.
You can use suppression rules to prevent large numbers of routine or known and predicted transactions from inflating your event log store and muddling the image of your environment. For example, you might use a suppression rule to eliminate unnecessary syslog information events, particularly in cases where you cannot configure the event source to send only the required set.
The process of creating a suppression rule, using the suppression rule wizard, has the following steps:
Note: Once you have created a suppression rule, you must apply it, making it available for use in your environment.
To create a new suppression rule, or edit an existing one, open the suppression wizard.
To open the suppression wizard
The Log Collection folder list appears.
The Suppression and Summarization buttons appear in the details pane.
The Suppression Wizard opens.
When using the wizard:
You must name a suppression rule. You can also enter optional description information for reference.
To name a suppression rule
You must specify the native event that you want the rule to suppress by setting a simple filter for the CEG event normalization fields. These four fields, which are part of the event-specific class, are provided for all events expressed in the CEG, allowing you to identify a native event precisely.
You can specify the combination of event normalization fields you want using the Simple Filters tab. You can also use advanced filters for further detail in event identification. You must specify at least one simple filter for a suppression rule.
To select a suppression rule event
Describes the broad class of technology involved in the event, for example, Firewall or Network Device.
Describes broad categories of events within the Ideal Model. For example, all account, user group, and role-related events are recorded under the "Identity Management" Event Category. Each Event Category has one or more classes (sub-categories), so any choice you make changes the available selections in the Event Class menu.
Provides a more detailed classification of events in a specific event category. For example, Identity Management events are divided into one of three classes: account, group or identity. Each Event Class has one or more associated actions, so any choice you make changes the available selections in the Event Action menu.
Describes common actions for each Event Category and Class. For example, Account Management, a class of the Identity Management category, contains account creation, deletion, and modification actions.
If you click Save and Close, the new rule appears in the list, otherwise the step you choose appears.
When you create a new rule, it is saved as version 1.0. If you later edit the rule, a separate copy of the rule is stored as a new version. You can view earlier versions, and apply or copy them as needed.
You can use advanced filters to qualify any suppression or summarization-related queries of the event log store. The Advanced Filters interface helps you create the appropriate filter syntax by providing a form for entering logic columns, operators and values according to your suppression or summarization rule requirements.
Note: This section contains a brief overview of the terms used in advanced filters for suppression rules and summarization rules. To use advanced filters to their full potential you need a thorough understanding of the filter terms and the Common Event Grammar.
The following terms join multiple filter statements:
Displays the event information if all the joined terms are true.
Displays the event information if any of the joined terms are true.
The following SQL operators are used by advanced filters to create the basic conditions for summarization or suppression:
Includes any event information that matches one or more of the characters in the alphanumeric string that you enter, allowing you to search for key words. This search is case-sensitive.
Includes any event information that matches one or more of the characters in the alphanumeric string that you enter, allowing you to search for key words. This search is not case-sensitive.
Includes any event information that does not match one or more of the characters in the alphanumeric string that you enter. This search is case-sensitive.
Includes any event information that does not match one or more of the characters in the alphanumeric string that you enter. This search is not case-sensitive.
Includes any event information that matches one or more of the regular expression characters that you enter. This can be used to search in a multibyte environment, and to search using wildcards.
Includes any event information that does not match one or more of the regular expression characters that you enter. This can be used to search in a multibyte environment, and to search using wildcards.
Include the event information if the column bears the appropriate relation to the value you enter. The following relational operators are available:
For example, using Greater than would include the event information from your chosen column if its value is greater than the value you set.
All of these operators locate only numbers; to search for other characters, select one of the "match" operators, as appropriate.
You can use summarization rules to combine certain native events of a common type into one refined event. This lets you save space in your event log store and simplifies event analysis.
For example, you might create a summarization rule that records a single refined event for every three failed login attempts by a single user. This means that your event log store records only one event rather than three.
The process of creating or editing a summarization rule using the summarization rule wizard has the following main steps:
Note: Once you have created a summarization rule, you must apply it to make it available for use in your environment.
To create a new summarization rule, or edit an existing one, open the summarization wizard.
To open the summarization wizard
The Log Collection folder list appears.
The Suppression and Summarization buttons appear in the details pane.
The Summarization Wizard opens.
When using the wizard:
To create or edit a summarization rule, enter general information, and set summarization thresholds. Thresholds are either a number of events, a frequency of occurrence, or a combination of the two, that trigger the creation of a summarized event.
To set summarization thresholds
Controls whether or not the rule uses an event threshold. The event threshold must be greater than one. Selecting this box sets a maximum events value. If this box is cleared, and the event timeout period is enabled, only the time period is considered in summarizing events. If both are enabled, a summarized event is created at every specified time period, as long as at least one qualified raw event occurs.
Defines the number of native events that trigger a summarized event. When the number of native events you specify occurs, a summarized event is created.
Minimum: 2
Maximum: 5000
Controls whether or not the rule uses a time period threshold. Selecting this box sets a time period value. If this box is cleared, a summarized event occurs only when the event count threshold is reached.
Defines the time, in seconds, that elapses to trigger a summarized event, if any events of the specified type have occurred. When this threshold is reached, a summarized event is created, as long as at least one qualified native event has occurred. You can set the Time Period to zero, which will result in a summarized event only when the maximum events threshold is reached.
Minimum: 0
Maximum: 86400
For example, in the case of a rule summarizing failed login attempts, selecting 3 in the Maximum Events menu and 10 in the Time Period menu results in a summarized event after three failed login attempts, or every 10 seconds as long as at least 1 failed login occurs.
If you click Save and Close, the new rule appears in the list, otherwise the step you choose appears.
Specify the native event that you want the rule to summarize by setting a simple filter for the CEG event normalization fields. These four fields, which are part of the event-specific class, are provided for all events expressed in the CEG, allowing you to identify an event.
You can specify the combination of event normalization fields you want using the Simple Filters tab. You can also use advanced filters for further detail in event identification. Specify at least one simple filter for a summarization rule.
To select a summarization rule event
Describes the broad class of technology involved in the event. For example, Firewall and Network Device are ideal models.
Describes broad categories of events. For example, all account, user group, and role-related events are recorded under the "Identity Management" Event Category. Each Event Category has one or more classes (subcategories), so any choice changes the available selections in the Event Class menu.
Provides a more detailed classification of events in a specific event category. For example, Identity Management events are divided into one of three classes: account, group, or identity. Each Event Class has one or more associated actions, so any choice changes the available selections in the Event Action menu.
Describes common actions for each Event Category and Class. For example, Account Management, a class of the Identity Management category, contains account creation, deletion, and modification actions.
If you click Save and Close, the new rule appears in the list, otherwise the step you select appears.
Summarization rules control how native events are displayed in the refined event. You configure a summarization display by selecting Summarized by fields and Aggregated fields.
To configure a summarization rule display
Controls the field or fields by which the summarized information is grouped. For example, in the case of a rule summarizing failed logins, select source_username to display the number of qualified failed login events for each unique user. You must select one or more Summarized By fields to complete the rule.
Controls the field or fields by which the summarized information is subdivided, depending on the Summarized By field. For example, in the case of a rule summarizing failed logins, select source_username as a Summarized By field, and dest_hostname as an Aggregated field. This displays the number of qualified failed login events for each unique user, subdivided by the host that the user attempted to log into.
The aggregated fields' information is retained in the summarized event's raw event field. In the preceding example, each unique host on which the user attempted to log on is stored along with the number of occurrences, in the following format: hostname1:2,hostname2:5. This example shows 2 logon attempts on host 1 and 5 attempts on host 2.
Aggregated fields are optional; you do not have to select an Aggregated field to complete the rule.
If you click Save and Close, the new rule appears in the list, otherwise the step you choose appears.
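The threshold and display settings above, worked through as an added Python example (this is not product code): it runs the page's three-events-or-ten-seconds failed-login rule grouped by source_username with dest_hostname aggregated. The event layout (a "time" in seconds plus CEG-style columns), the sample events, and the restriction to a single Aggregated field are assumptions.

```python
"""Summarization thresholds and display fields as described above. Added example,
not CA User Activity Reporting Module code; event layout and sample are constructed."""
from collections import Counter, defaultdict

class Summarizer:
    """Combine qualified native events into summarized events. max_events is the
    Maximum Events threshold (2..5000, None = disabled); time_period is the Time
    Period in seconds (0..86400, 0 = count threshold only); summarized_by is the
    grouping field; aggregated (optional) is counted per value into raw_event."""

    def __init__(self, max_events, time_period, summarized_by, aggregated=None):
        if max_events is not None and not 2 <= max_events <= 5000:
            raise ValueError("Maximum Events must be between 2 and 5000")
        if not 0 <= time_period <= 86400:
            raise ValueError("Time Period must be between 0 and 86400")
        if max_events is None and time_period == 0:
            raise ValueError("enable the count threshold, the time period, or both")
        self.max_events, self.time_period = max_events, time_period
        self.summarized_by, self.aggregated = summarized_by, aggregated
        self.pending = defaultdict(list)  # group value -> buffered native events
        self.window_end = None            # end of the current time period

    def _emit(self, key, events, out):
        """One summarized event per group; raw_event holds 'host1:2,host2:5'-style counts."""
        counts = Counter(e.get(self.aggregated) for e in events) if self.aggregated else {}
        out.append({self.summarized_by: key, "count": len(events),
                    "raw_event": ",".join(f"{v}:{n}" for v, n in sorted(counts.items()))})

    def close_period(self, out):
        """End of a time period: emit every group that saw at least one event."""
        for key, events in self.pending.items():
            self._emit(key, events, out)
        self.pending.clear()

    def feed(self, events):
        """Process native events in time order; return the summarized events."""
        out = []
        for e in sorted(events, key=lambda e: e["time"]):
            if self.time_period:
                if self.window_end is None:
                    self.window_end = e["time"] + self.time_period
                while e["time"] >= self.window_end:   # a full period has elapsed
                    self.close_period(out)
                    self.window_end += self.time_period
            key = e.get(self.summarized_by)
            self.pending[key].append(e)
            if self.max_events and len(self.pending[key]) >= self.max_events:
                self._emit(key, self.pending.pop(key), out)  # count threshold reached
        return out

# Constructed failed-login events for the page's "3 events or every 10 seconds" rule.
FAILED_LOGINS = [
    {"time": 0, "source_username": "alice", "dest_hostname": "host1"},
    {"time": 2, "source_username": "alice", "dest_hostname": "host2"},
    {"time": 4, "source_username": "alice", "dest_hostname": "host2"},  # 3rd: emit now
    {"time": 5, "source_username": "bob", "dest_hostname": "host1"},
    {"time": 7, "source_username": "bob", "dest_hostname": "host3"},
    {"time": 12, "source_username": "bob", "dest_hostname": "host1"},   # 10 s elapsed
]

def summarize_failed_logins(events=FAILED_LOGINS):
    rule = Summarizer(3, 10, "source_username", aggregated="dest_hostname")
    out = rule.feed(events)
    rule.close_period(out)   # end of input: close the still-open period
    return out
```

With the sample data, alice's three attempts produce one summarized event immediately, while bob's two attempts are summarized when the 10-second period elapses and his later attempt starts a new period.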
When you create a new rule, it is saved as version 1.0. If you later edit the rule, a separate copy of the rule is stored as a new version. You can view earlier versions, and apply or copy them as needed.
Once you have created a suppression or summarization rule, you must apply it to make it available for use in your environment. This feature helps prevent the application of suppression or summarization rules without proper testing and approval.
To apply a suppression or summarization rule
The Service List appears.
The Event Log Store configuration pane appears.
A confirmation message appears on successful application of the rule.
You can assign suppression rules, summarization rules, or both to agent groups, agents, or connectors in your environment. These rules can replace or supplement any suppression or summarization rules applied at the CA User Activity Reporting Module server. This lets you streamline the event transmission/reception process by controlling where event refinement takes place.
For example, if you have a Windows agent group, you can associate a suppression rule that eliminates unnecessary Windows events with the agents in the group. This eliminates the need for all incoming events to undergo a Windows-specific check at the CA User Activity Reporting Module server.
You can apply suppression or summarization rules at different levels of the agent folder hierarchy:
The process of applying suppression or summarization rules on the agent components has the following steps:
You can also remove suppression or summarization rules from multiple agent groups, agents, or connectors using the manage rules wizard.
To apply suppression or summarization rules to agent groups, or individual agents or collectors, you can use the manage rules wizard.
To open the manage rules wizard
The Log Collection folder list appears.
The manage rules wizard appears.
When using the wizard:
To apply suppression or summarization rules to agent components, select targets for the rules.
To select targets
Note: You can search for agent or connector names. If no agents or connectors appear in the available list, click Search to display all available agents or connectors.
To finish assigning suppression rules to an agent group, agent, or connector, select which rules to apply.
To choose suppression rules
Note: You can search for suppression rules using the Suppression Rules Pattern field.
The rules you select are applied to the chosen targets. If you selected Delete in the Select Targets step, the rules you choose are deleted.
To finish assigning summarization rules to an agent group, agent, or connector, select which rules to apply.
To select summarization rules
Note: You can search for summarization rules using the Summarization Rules Pattern field.
You can copy a suppression or summarization rule, allowing you to create a new rule based on an existing one.
To copy a suppression or summarization rule
The Log Collection folder list appears.
The suppression and summarization buttons appear in the details pane.
The folder opens, displaying the rules.
The suppression or summarization wizard opens, displaying the rule.
The rule appears in the appropriate list.
You can edit a suppression or summarization rule.
To edit a suppression or summarization rule
The Log Collection folder list appears.
The suppression and summarization buttons appear in the details pane.
The Suppression wizard or the Summarization wizard appears, displaying your selected rule.
The rule appears in the appropriate list as a new version of the edited rule.
You can delete an unneeded suppression or summarization rule.
To delete a suppression or summarization rule
The Log Collection folder list appears.
The suppression and summarization buttons appear in the details pane.
A confirmation dialog appears. If you have applied the rule to an integration, a warning appears. Deleting the rule also removes it from the integration.
The deleted rule is removed from the appropriate list.
You can import a suppression or summarization rule, allowing you to move rules from one environment to another. For example, you could import rules created in a test environment into your live environment.
To import a suppression or summarization rule
The Log Collection folder list appears.
The Import Suppression and Summarization Rule and Export Suppression or Summarization Rule buttons appear in the details pane.
The import file dialog appears.
The Suppression or Summarization Wizard appears, displaying the details of the rule you selected.
The imported rule appears in the appropriate suppression or summarization folder.
You can export a suppression or summarization rule. This lets you share rules between environments. For example, you could export rules created in a test environment to your live environment.
To export a suppression or summarization rule
The Log Collection folder list appears.
The Export Suppression or Summarization Rule button appears in the details pane.
The folder expands, showing the individual files.
An export location dialog appears.
An export successful confirmation dialog appears.
The rule is exported.
Enabling object access auditing on a Windows server creates a significant volume of event traffic, some of which you may wish to eliminate. For example, Windows generates two events each time an administrator opens the Microsoft Management Console (mmc.exe). These events have ID values of 560 and 562.
In this example, you create a new rule that suppresses Windows events with an event_id of 560. Completing the steps in the following procedure gives you an actual suppression rule you can use in your network environment as well as demonstrating how to use the wizard.
To get started with this example, you must log in to a CA User Activity Reporting Module server as a user with the Administrative role and privileges. You cannot create or edit suppression rules while logged in as the EiamAdmin user.
To create a suppression rule for Windows 560 events
A new filter line appears in the table. You can click a value or the empty space in each table cell to select or enter a new value.
The Logic operator field defaults to the value AND. If you have several different types of events that you want to suppress, you can enter their event IDs on new lines that use the OR logical operator.
The wizard automatically creates a User folder to contain your suppression rules. You can see this folder by expanding the Suppression Rules folder.
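The advanced-filter terms described earlier (AND/OR logic and the match, regex and relational operators) applied to the event 560 rule from this procedure, as an added Python example rather than product code. The operator labels, the reading of "matches" as a keyword substring search, and the sample events are assumptions; the rule also places 562 on an OR line to show the several-event-IDs case the text mentions.

```python
"""The advanced-filter terms above (AND/OR, match, regex and relational operators)
applied to the Windows 560 rule. Added example, not CA User Activity Reporting
Module code: operator labels, the substring reading of "matches" and the events are assumptions."""
import operator
import re

# Relational operators locate numbers only, as the text notes.
RELATIONAL = {"Equal to": operator.eq, "Not equal to": operator.ne,
              "Greater than": operator.gt, "Greater than or equal to": operator.ge,
              "Less than": operator.lt, "Less than or equal to": operator.le}
MATCH = {"Matches", "Matches (ignore case)", "Matches regex",
         "Does not match", "Does not match (ignore case)", "Does not match regex"}

def condition(col_value, op, value):
    """Evaluate one filter line: the column's value against the entered value."""
    text = "" if col_value is None else str(col_value)
    if op in RELATIONAL:
        try:
            return RELATIONAL[op](float(text), float(value))
        except ValueError:                    # non-numeric column never matches
            return False
    if op not in MATCH:
        raise ValueError(f"unknown operator {op!r}")
    if op.endswith("regex"):                  # wildcards / multibyte search
        hit = re.search(value, text) is not None
    elif op.endswith("(ignore case)"):
        hit = value.lower() in text.lower()
    else:                                     # case-sensitive keyword search
        hit = value in text
    return not hit if op.startswith("Does not") else hit

def suppressed(event, rule):
    """True when the event matches the rule and so is not recorded. Filter lines
    combine top to bottom with their AND/OR logic; the first line's logic is ignored."""
    result = None
    for logic, column, op, value in rule:
        hit = condition(event.get(column), op, value)
        if result is None:
            result = hit
        elif logic == "AND":
            result = result and hit
        elif logic == "OR":
            result = result or hit
        else:
            raise ValueError(f"unknown logic operator {logic!r}")
    return bool(result)

# The page's rule: suppress event_id 560, with 562 on a second line joined by OR,
# as the text describes for suppressing several event IDs.
WINDOWS_OBJECT_ACCESS_RULE = [("AND", "event_id", "Equal to", "560"),
                              ("OR", "event_id", "Equal to", "562")]

# Constructed sample events, not real audit records.
SAMPLE_EVENTS = [{"event_id": 560, "message": "Object Open: mmc.exe"},
                 {"event_id": 562, "message": "Handle Closed"},
                 {"event_id": 4624, "message": "Successful Logon"}]

def recorded(events=SAMPLE_EVENTS, rule=WINDOWS_OBJECT_ACCESS_RULE):
    """Events the event log store would keep after the rule is applied."""
    return [e for e in events if not suppressed(e, rule)]
```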
Copyright © 2014 CA Technologies.
All rights reserved.