Quick Start Deployment

This section contains the following topics:

Quick Start Overview

Install a Single-Server System

Update Your Windows Hosts File

Configure the First Administrator

Configure Syslog Event Sources

Edit the Syslog Connector

View Syslog Events

Quick Start Overview

You can achieve a simple, functioning CA User Activity Reporting Module deployment with one soft appliance. The predefined syslog connector makes it possible for the default agent to receive generated syslog events. All you need to do is configure your syslog sources to push syslog events to CA User Activity Reporting Module and edit the syslog connector configuration to identify the syslog targets. What is received depends on the bandwidth between the server and the syslog sources and latency.

Log sensors, including WinRM and ODBC, support direct log collection from over twenty non-syslog event sources. The WinRM log sensor lets you collect events directly from servers running Windows operating systems, such as Forefront Security for Exchange server, Forefront Security for SharePoint Server, Microsoft Office Communication Server, and Hyper-V virtual server and services such as Active Directory Certificate Services. The ODBC log sensor lets you capture events generated by Oracle9i or SQL Server 2005 databases. For details, see the CA Enterprise Log Manager Product Integration Matrix.

You need EiamAdmin credentials to install CA User Activity Reporting Module. As the EiamAdmin superuser, you configure an Administrator account which you use to do the configuration. If you log on with the Administrator credentials, you can verify that the setup is functioning by viewing self-monitoring events.

More information:

Extended Direct Log Collection by Default Agent

Install a Single-Server System

The simplest deployment that lets you view queried events is a single-server system. Be sure to select a machine that meets or exceeds the minimum hardware requirements for a CA User Activity Reporting Module soft appliance.

Note: See the Release Notes for the certified hardware list, operating system support, and system software and service requirements.

To install a CA User Activity Reporting Module for a single-server system

Have the following information at hand:
- A password to be used as the root password
- Host name for your appliance
- If not using DHCP, the static IP address, subnet mask, and default gateway for your appliance
- Domain for the appliance
  Note: The domain must be registered with the DNS Servers in your network for the installation to complete.
- IP addresses of the DNS servers
- (Optional) IP address of your NTP time server
- A password for the default installation superuser name, EiamAdmin
- CAELM.
  This is the default application name for the CA User Activity Reporting Module application.
Install the preconfigured operating system using the media you created from the CA User Activity Reporting Module download package. During the operating system installation, do the following:
1. Choose a keyboard type. The default is U.S.
2. Choose a time zone, for example, America/New York and select OK.
1. Type the password to be used as the root password, then retype it to confirm. Select OK.
Installation progress information appears.
1. Remove the operating system installation disc and press Enter to reboot the system.
The system reboots and enters non-interactive startup. It displays messages describing installation progress. Detailed information about this installation is saved in the following file: /tmp/pre-install_ca-elm.log.

The following prompt appears:
```
Please insert the CA Enterprise Log Manager r12 - Application Install disk and press enter.
```
Insert the CA User Activity Reporting Module Application disc. Press Enter.
Your system is reviewed for whether it meets the minimum recommended specifications for optimal performance. If it does not, a prompt appears asking whether you want to stop the installation process.

The following prompt appears:
```
Please enter a new hostname :
```
Enter the host name for this CA User Activity Reporting Module soft appliance. For example, enter CALM1.
Accept the default device, eth0. Press Enter to go to the next screen.
Do one of the following and then select OK.
- Select Use DHCP, an acceptable option only for a standalone test system.
- Enter the static IP address, subnet mask, and default gateway IP address to be associated with the hostname you entered.
The network services are restarted with the new settings, which are displayed.

The following message appears:
```
Do you want to change the network configuration? (n): 
```
Review the network settings. If satisfactory, type n, or press Enter, when the message appears allowing you to change the network settings.
The following message appears:
```
Please enter the domain name for this system :
```
Enter your domain name, such as <yourcompany>.com.
The following message appears:
```
Please enter a comma separated list of DNS servers to use:
```
Enter the IP addresses of your internal DNS servers separated by commas with no spaces.
Your system date and time is displayed with the following message:
```
Do you want to change the system date and time? (n)
```
Review the displayed system date and time. If satisfactory, type n or press Enter.
The following message appears:
```
Do you want to configure the system to update the time through NTP?
```
If you want to use a Network Time Protocol (NTP) server, continue as follows. Otherwise, specify no and continue with the next step.
1. Respond yes to the message.
  If you specify yes, the following message appears:
```
Please enter the NTP Server name or IP Address
```
2. Enter the host name or the IP address of the NTP server.
  A confirmation message similar to the following appears: "Your system has been configured to update the time at midnight using the NTP server located at <yourntpserver>."
Read the end user license agreements (EULAs) presented and respond as follows:
1. Read the EULA for the Sun Java Development Kit (JDK).
  At the end of the EULA, the following message appears:
```
Do you agree to the above license terms? [yes or no]
```
2. Type yes if you agree to the terms.
  Product registration information is displayed followed by this message:
```
Press Enter to continue.....
```
3. Press Enter.
  Messages state that in preparation for CA User Activity Reporting Module installation, the system settings are being configured. The CA end user license agreement displays.
4. Read the CA EULA.
  At the end of the license, the following message appears:
```
Do you agree to the above license terms? [Yes or no]:
```
5. Type Yes if you agree to the license terms.
  CA EEM server information appears.
Respond to the following prompts to configure CA EEM.
```
Do you use a local or remote EEM server?
Enter l (local) or r (remote) :
```
1. To create a standalone test system, enter l for local.
```
Enter the password for the EEM server EiamAdmin user :
Confirm the password for the EEM server EiamAdmin user :
```
2. Type the password you want to assign to the EiamAdmin default superuser; type it again.
```
Enter an application name for this CAELM server (CAELM):
```
3. Press Enter to accept CAELM, the default application name for CA User Activity Reporting Module.
  The EEM Server information you entered so far appears with a message that asks if you want to make changes.
1. Press Enter or enter n for no to accept the CA EEM server information you entered.
The installation process begins. Messages appear showing the progress as each CA User Activity Reporting Module component is successfully installed, registrations completed, certificates acquired, files imported, and components configured. The message CA ELM Installation succeeded appears. When the installation completes, the system displays the console logon address.
Respond to the following prompt:
```
Do you want to run CAELM Server in FIPS mode?
Enter Yes or No
```
If you enter y, the CA User Activity Reporting Module server will start up in FIPS mode. If you enter n, it will start up in non-FIPS mode.
Make note of this address. This is the address you enter in a browser to access this CA User Activity Reporting Module server. That is, https://<hostname>:5250/spin/calm.
A <hostname> login prompt appears. You can ignore this.

Note: If, for any reason, you want to display the operating system prompt from this login prompt, you can do so by entering caelmadmin and the default password, which is the password you assigned to the EiamAdmin user account. You use the caelmadmin account to log in to the appliance on the console or through SSH.
Continue as follows:
- If you configured a static IP address, be sure to register this IP address with the DNS servers specified in step 9.
- If you configured DHCP, update your hosts file on the machine from which you intend to browse to this server.
- Browse to the URL you made note of in step 14 and configure the first Administrator.

Update Your Windows Hosts File

During CA User Activity Reporting Module installation, you can identify one or more DNS servers or select Use DHCP. If you selected DHCP, you must update your Windows hosts file on the computer from which you plan to access the CA User Activity Reporting Module with your browser.

To update your hosts file on the host with your browser

Open Windows Explorer and navigate to C:\WINDOWS\system32\drivers\etc.
Open the hosts file with an editor, for example, Notepad.
Add an entry with the IP address of the CA User Activity Reporting Module server and the corresponding hostname.
Select Save from the File menu, then close the file.

Configure the First Administrator

After installing a single-server CA User Activity Reporting Module, you prepare for configuration by browsing to the URL of the CA User Activity Reporting Module from a remote workstation, logging on, and creating an Administrator account you can use to perform the configuration.

Note: For the purpose of this Quick Start deployment, we accept the default user store, and the default password policies. Typically, these are configured before adding the first Administrator.

To configure the first Administrator

Connect to the following URL from your browser, where hostname is either the host name or IP address of the server where you installed the CA User Activity Reporting Module.
```
https://<hostname>:5250/spin/calm
```
If a security alert appears, do the following:
1. Click View Certificate.
2. Click Install Certificate, accept the defaults, and finish the import wizard.
  A security warning appears stating you are about to install a certificate claiming to represent the host name of the CA User Activity Reporting Module server.
3. Click Yes.
  The root certificate is installed and a successful import message appears.
4. Click OK.
  The trusted certificate dialog appears.
5. (Optional) Click the Certification Path and verify the certificate status says this certificate is OK.
6. Click OK, and then click Yes.
  The logon page appears.
Log on with the EiamAdmin user name and the password you creating when you used to install the software. Click Log In.

The application opens with only the Administrator tab and the User and Access Management subtab active.
Click Users.
Click Add New User.
Enter your name in the Name field and click Add Application User Details.
Select Administrator and move it to the Selected User Groups list.
Under Authentication, enter a password for this new account in the two fields for entry and confirmation.
Click Save and then click Close. Click Close.
Click the Log out link on the toolbar.
The logon page appears.
Log back into CA User Activity Reporting Module with the Administrator credentials you just defined.
CA User Activity Reporting Module opens with all functionality enabled. The Queries and Reports tab and Queries subtab is displayed.
(Optional) View your login attempts as follows:
1. Select the System Access from the query tag list.
2. Select System Access Detail from the query list.
The query results show your two login attempts, first as EiamAdmin, then with your Administrator name where the login attempts are marked with S for successful.

Configure Syslog Event Sources

To enable direct collection of syslog events by the default agent that exists on each CA User Activity Reporting Module server, you begin by identifying the syslog event sources from which you want to collect events and determining the associated integration. Then you do the following two things in either order.

Configure the syslog event sources. Log on to each host where a syslog event source is running and configure it as documented in the connector guide for that syslog integration.
Configure the syslog connector on the default agent to add the target syslog integrations associated with the configured event sources.

As soon as you complete this two-step configuration, event collection and refinement begins. Then, you can use CA User Activity Reporting Module to view or report on events you care about in a standardized format. You can also generate alerts when specific events occur.

To configure a selected syslog event source

Log on to the host with a target syslog event source.
Launch CA User Activity Reporting Module from a browser on this host.
Click the Administration tab and Log Collection subtab.
The Log Collection Explorer appears.
Expand Event Refinement Library, Integrations, Subscription.
The list of predefined integrations displays. An abbreviated example follows:
Select the integration for the event source you need to configure. For example, if you wanted to collect syslogs generated by an AIX operating system, you would select AIX_Syslog.
The integration details appears.
Click the Help button located just above the Integration name on the right hand pane.
The connector guide for the selected integration appears.
Click the section on the event source configuration requirements. In this example, the documentation describes how to configuring the AIX operating system event source to send its syslogs to CA User Activity Reporting Module.

Example--Alternative Source for Connector Guides: Support Online

You can open a selected connector guide from within the CA User Activity Reporting Module user interface or from CA Support Online. Following is an example that shows how to open a connector guide from this alternative source.

Log on to CA Support Online.
Select CA Enterprise Log Manager from the Select a Product page drop-down list.
Scroll to Product Status and select CA Enterprise Log Manager Certification Matrix.
Select Product Integration Matrix.
Find the category for the integration associated with the event source you are configuring. For example, if the event source is the AIX operating system, scroll to the Operating Systems category and click the AIX link.

Edit the Syslog Connector

Each CA User Activity Reporting Module has a default agent. When a CA User Activity Reporting Module is installed, its default agent has a partially configured connector called Syslog_Connector, which is based on the listener, Syslog. This listener receives raw syslog events on the default ports as soon as you configure the event sources to send syslogs to CA User Activity Reporting Module. However, for CA User Activity Reporting Module to refine these raw events, you must edit this Syslog_Connector. Certain edits are mandatory; others are optional.

You must identify the syslog targets when you edit this connector. You select as syslog targets each integration that corresponds to one or more event sources you have configured or plan to configure. Your identification of syslog targets enables CA User Activity Reporting Module to properly refine the events.
Optionally, you can apply suppression rules, limit the acceptance of syslogs to trusted hosts, specify ports to listen on other than 514, the well-known syslog UDP port, and 1468, the default TCP port, and/or add a new time zone for a trusted host.

To edit the syslog connector for a default agent

Click the Administration tab.
The Log Collection subtab is displayed.
Expand Agent Explorer and then expand the Default Agent Group or the user-defined group with the CA User Activity Reporting Module to be configured.
Select the name of a CA User Activity Reporting Module server.
The connector named Syslog_Connector is displayed.
Click Edit.
The Edit Connector wizard appears with the Connector Details step selected.
(Optional) Click Apply Suppression Rules. If there is any syslog event type that you want suppressed, that is, not collected, move that event type from the available list to the selected listed. Select the event to move and click the move button.
Click the Connector Configuration step.
All available integrations are selected by default.
Select syslog targets by moving the syslog integrations to target from the available list to the selected list.
For example, if you have configured the AIX operating system on a host in your network, you would move the syslog target, AIX_Syslog, from the available list to the selected list.
(Optional) Identify the trusted hosts from which the syslog connector is to accept incoming events. Enter the IP address in the entry field and click Add. Repeat for each trusted host. Then, when an event is received from a host not configured as trusted, that event is rejected.
Note: It is a good practice to configure trusted hosts. Typically, you configure all the hosts on which you have configured event sources to send syslogs to CA User Activity Reporting Module. Specifying trusted hosts ensures the default agent does not accept events from rogue systems that an attacker has configured to send events to the syslog listener.
(Optional) Add ports.
You can typically accept the default UPD and TCP ports for the default agent.

Note: You can gain performance improvements by defining a syslog connector for different event types and specifying different ports for each. Be sure to select unused ports when making new port assignments.
(Optional) Add a time zone only if collecting syslogs from machines in a different time zone from the soft appliance.
1. Click Create Folder and expand the folder.
2. Highlight the blank entry under the folder. Enter the IP address of either a trusted host you configured for this connector or the NTP time server you specified at installation of the CA User Activity Reporting Module.
Click Save and Close.
View the status.
1. Click Status and Command
View Status of Agents is selected. The host name of the server you installed appears in the Agent column, since the default agent is on this server. The status is shown as running.
1. Click the Running link to view details.
2. Click the Connectors button to view the status of connectors.
3. Click the Running link.
  The percentage CPU, memory usage, average events per second (EPS), and filtered event count appear.

More information:

Configuring the Default Agent

View Syslog Events

One of the quickest ways to view query results on events collected by a syslog listener is to use the Prompt for Host.

To view syslog events

Select the Queries and Reports tab.
The Queries subtab displays.
Expand Prompts under Query List and select Host.
Submit a query for events collected by the default agent.
1. Enter the default agent host name in the Host field, which is also the name of the CA User Activity Reporting Module on which it resides.
2. Select agent_hostname.
3. Click Go.
Display the results to examine.
1. Click the Results column to sort by results.
2. Scroll to the first result of F for failure. Assume it is a configuration warning in the category Configuration Management.
3. Double-click to select the row to view in detail.
The Event Viewer appears.
Scroll to the area where the Result is displayed. In the example, the error is a warning that you need to configure the subscription module. This is a warning you should ignore until you have finished installing all of the CA User Activity Reporting Module servers you plan to install.