This section contains the following topics:
Standardized Presentation of Logs
The CA User Activity Reporting Module server can be set up to collect logs using one or more supported techniques. The techniques differ in the type and location of the component that listens for and collects the logs. These components are configured on agents.
The following illustration depicts a single-server system, where agent locations are indicated with a dark (green) circle.
The numbers on the illustration refer to these steps:
Note: Traffic from the agent to the destination CA User Activity Reporting Module server is always encrypted.
Consider the following advantages of each log collection technique:
With direct log collection, you configure the syslog listener on the default agent to receive events from the trusted sources you specify. You can also configure other connectors to collect events from any event source that is compatible with the soft appliance operating environment.
Advantage: You do not need to install an agent to collect logs from event sources that are in close network proximity to the CA User Activity Reporting Module server.
With agentless collection, there is no local agent on the event sources. Rather, an agent is installed on a dedicated collection point. Connectors for each target event source are configured on that agent.
Advantage: You can collect logs from event sources running on servers where you cannot install agents, such as severs where corporate policy prohibits agents. Delivery is guaranteed, for example, when ODBC log collection is configured properly.
With agent-based collection, an agent is installed where one or more event sources are running and a connector is configured for each event source.
Advantage: You can gather logs from a source where the network bandwidth between that source and the CA User Activity Reporting Module is not good enough to support direct log collection. You can use the agent to filter the events and reduce the traffic sent across the network. Event delivery is guaranteed.
CA User Activity Reporting Module provides managed embedded log storage for recently archived databases. Events collected by agents from event sources go through a storage lifecycle as illustrated by the following diagram.
The numbers on the illustration refer to these steps:
Logs generated by applications, operating systems, and devices all use their own formats. CA User Activity Reporting Module refines the collected logs to standardize the way the data is reported. The standard format makes it easier for auditors and upper management to compare data collected from different sources. Technically, the CA Common Event Grammar (CEG) helps implement event normalization and classification.
The CEG provides several fields which are used to normalize various aspects of the event, including the following:
CA User Activity Reporting Module lets you gather and process security-relevant data and turn it into reports suitable for internal or external auditors. You can interact with queries and reports for investigations. You can automate the reporting process by scheduling report jobs.
The system provides:
Its focus is on compliance reporting rather than real-time correlation of events and alerts. Regulations demand reporting that demonstrates compliance with industry-related controls. CA User Activity Reporting Module provides reports with the following tags for easy identification:
You can review predefined log reports or perform searches based on criteria you specify. New reports are provided with subscription updates.
Log view capabilities are supported by the following:
CA User Activity Reporting Module lets you automate the sending of an alert when an event occurs that requires near-term attention. You can also monitor action alerts from CA User Activity Reporting Module at any time by specifying a time interval, such as from the last five minutes to the last 30 days. Alerts are automatically sent to an RSS feed that can be accessed from a web browser. Optionally, you can specify other destinations, including email addresses, a CA IT PAM process such as one that generates help desk tickets, and one or more SNMP trap destination IP addresses.
To help you get started, many predefined queries are available for scheduling as action alerts, as is. Examples include:
Some queries use keyed lists, where you supply the values used in the query. Some keyed lists include predefined values that you can supplement. Examples include default accounts and privileged groups. Other keyed lists, such as that for business critical resources, have no default values. After you configure them, alerts can be scheduled for predefined queries such as:
Keyed lists can be updated manually, by importing a file, or by running a CA IT PAM dynamic values process.
When you configure the user store, you choose whether to use the default user store on the CA User Activity Reporting Module for setting up user accounts or reference an external user store where user accounts are already defined. The underlying database is exclusive to CA User Activity Reporting Module and does not use a commercial DBMS.
Supported external user stores include CA SiteMinder and LDAP directories such as Microsoft Active Directory, Sun One, and Novell eDirectory. If you reference an external user store, user account information is automatically loaded in read-only format as shown by the arrow in the following diagram. You define only application-specific details to selected accounts. No data is moved from the internal user store to the referenced external user store.
The numbers on the illustration refer to these steps:
Note: See the CA User Activity Reporting Module Implementation Guide for details on configuring basic user access. See the CA User Activity Reporting Module Administration Guide for details on policies supporting predefined roles, creating user accounts, and assigning roles.
CA User Activity Reporting Module provides three predefined application groups or roles. Administrators assign the following roles to users to specify their access rights to CA User Activity Reporting Module features:
The Auditor has access to few features. The Analyst has access to all Auditor features plus more. The Administrator has access to all features. You can define a custom role with associated policies that limit user access to resources in the way that suits your business needs.
Administrators can customize access to any resource by creating a custom application group with associated policies and assigning that application group, or role, to user accounts.
The subscription module is the service that enables subscription updates from the CA Technologies Subscription Server to be automatically downloaded on a scheduled basis and distributed to CA User Activity Reporting Module servers. When a subscription update includes the module for agents, users initiate the deployment of these updates to agents. Subscription updates are updates to CA User Activity Reporting Module software components and operating system updates, patches, and content updates such as reports.
The following illustration depicts the simplest direct Internet connection scenario:
The numbers on the illustration refer to these steps:
CA User Activity Reporting Module includes predefined content that you can begin using as soon as you install and configure the product. The subscription process regularly adds new content and updates existing content.
Categories of predefined content include:
|
Copyright © 2014 CA Technologies.
All rights reserved.
|
|