

Queries and Reports

This section contains the following topics:

About Queries and Reports

Tag Tasks

Datetime Format

View a Query

View a Report

Disable Show Selected Report

Example: Run PCI Reports

Prompts

How to Create a Query

Edit a Query

Delete a Custom Query

Disable Show Selected Query

Exporting and Importing Query Definitions

How to Create a Report

Example: Create a Report from Existing Queries

Example: Set Up Federation and Federated Reports

Edit a Report

Delete a Custom Report

Export Report Definitions

Import Report Definitions

Preparing to Use Reports with Keyed Lists

View a Report Using a Keyed List

About Queries and Reports

You can use queries in the following ways:

There are two types of queries and reports:

CA User Activity Reporting Module offers a comprehensive list of queries and reports by subscription. If you are assigned a role of Auditor, Analyst, or Administrator, you can view all Subscription queries and reports. In addition, you can take the following actions on any subscription query or report you are viewing:

Only users who are assigned a role of Analyst or Administrator can take the following actions:

Example of Queries and Related Report

Consider the query tag Firewall Activity by DMZ. Notice that it is associated with six separate queries on this topic.

Query List - showing Firewall Activity tag selected

The queries you view on the query list are used in reports. From the Reports tab, you can display a report called Firewall Activity By DMZ.

Report List detail - showing Firewall Activity by DMZ report

The following illustration shows just the names. Notice that each name reflects one of the six queries in the report. Most reports include query results for summary, trend, and detail.

Report Display - showing included queries

Tag Tasks

Tags let you attach your reports and queries to categories for easy reference, and provide an organizational framework for reporting on your environment. Category tags also allow simple division of labor by role or type of event.

You can use the pre-defined tags or create your own custom tags for reports or queries. For example, you can create a "Monthly" tag to add to any reports you want to schedule every month for easy reference and viewing. This lets you add or remove reports from the report jobs without editing the jobs themselves, by simply adding the Monthly tag to a new job, or removing it from an old one.

You can add custom tags for individual queries or reports as part of the query or report creation or editing process. Once you create a new tag, its title appears in the tag list, and you can select it to add it to other reports or queries.

You can rename or delete custom tags. You can remove custom tags from reports or queries that include them by editing the report or query.

Datetime Format

CA User Activity Reporting Module uses different locale properties files to display UI content of a locale. CA User Activity Reporting Module provides the following locale files in the /opt/CA/LogManager/locale directory:

These locale properties files are updated through releases, service packs, and subscriptions. You can use these locale properties files to change the default datetime format to a datetime format of your choice. The configured datetime format is displayed in the UI and in query and report results.

Supported Datetime Formats

CA User Activity Reporting Module supports the following datetime formats:

Pattern Letter

Description

Y

Indicates a year. The following are the possible values:

  • Two
  • Four

If the pattern letter number is two, the value is interpreted as two digits. For example, YY=11 for the year 2011.

If the pattern letter number is four, the value is interpreted as four digits. For example, YYYY=2011.

M

Indicates a month in the year. The following are the possible values:

  • One
  • Two
  • Three
  • Four

If the pattern letter number is one, the value is interpreted as one or two digits. For example, M=1 or 11.

If the pattern letter number is two, the value is interpreted as two digits. For example, MM=01.

If the pattern letter number is three, the value is interpreted as three letters. For example, MMM=Jan.

If the pattern letter number is four, the value is interpreted as full text. For example, MMMM=January.

D

Indicates a day in the month. The following are the possible values:

  • One
  • Two

If the pattern letter number is one, the value is interpreted as one or two digits. For example, D=1 or 11.

If the pattern letter number is two, the value is interpreted as two digits. For example, DD=01 or 11.

E

Indicates a day in a week. The following are the possible values:

  • Three
  • Four

If the pattern letter number is three, the value is interpreted as three letters. For example, EEE=Mon.

If the pattern letter number is four, the value is interpreted as full text. For example, EEEE=Monday.

A

Indicates a time format. The following are the possible values:

  • AM
  • PM

J

Indicates the hour on a 24-hour clock in the range 0–23.

H

Indicates the hour on a 24-hour clock in the range 1–24.

K

Indicates the hour on a 12-hour clock in the range 0–11.

L

Indicates the hour on a 12-hour clock in the range 1–12.

N

Indicates a minute in the hour. The following are the possible values:

  • One
  • Two

If the pattern letter number is one, the value is interpreted as one or two digits. For example, N=1 or 11.

If the pattern letter number is two, the value is interpreted as two digits. For example, NN=01 or 11.

S

Indicates a second in the minute. The following is the possible value:

  • Two

If the pattern letter number is two, the value is interpreted as two digits. For example, SS=01 or 11.

Q

Indicates a millisecond in the second. The following are the possible values:

  • Two
  • Three

If the pattern letter number is two, the value is interpreted as two digits. For example, QQ=01 or 11.

If the pattern letter number is three, the value is interpreted as three digits. For example, QQQ=001.

For example, if the current date is February 11, 2011 and the current time is 14.20.12 PM on a 24-hour clock, the datetime can be of the following formats:

How to Change the Datetime Format

You can perform the following steps to change the datetime format:

  1. Create a locale properties file. For example, if your browser language is English and you want to use the datetime format of Great Britain, create a locale properties file named en-GB_ui.properties.

    Note: The name of a locale properties file must match the language name displayed in the browser language settings.

  2. Copy the content of the en_ui.properties locale properties file into the en-GB_ui.properties locale properties file.
  3. Open the en-GB_ui.properties locale properties file, and edit the dateFormat and formatString properties.
  4. Save the changes.
  5. Restart the iGateway.

Note: You must update a locale properties file that you created with the latest content of the corresponding locale properties file provided by CA User Activity Reporting Module. You can customize the file after the update.
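The following Python sketch is an added example, not part of the product or its documentation. It previews how a pattern built from the supported pattern letters renders, and lists unsupported letter runs, before the pattern is placed in a locale properties file and the iGateway is restarted. It assumes that the number of letters is the minimum digit width, that letters outside the table are invalid, and that A takes one letter and the hour letters J, H, K, and L take one or two; the function names are hypothetical.

```python
import re
from datetime import datetime

MONTHS = ("January February March April May June July August "
          "September October November December").split()
DAYS = "Monday Tuesday Wednesday Thursday Friday Saturday Sunday".split()

# Letter counts accepted per pattern letter. The counts for Y, M, D, E, N, S
# and Q come from the Supported Datetime Formats table; the counts for A and
# for the hour letters J, H, K, L are assumptions (the table gives none).
ALLOWED = {
    "Y": {2, 4}, "M": {1, 2, 3, 4}, "D": {1, 2}, "E": {3, 4}, "A": {1},
    "J": {1, 2}, "H": {1, 2}, "K": {1, 2}, "L": {1, 2},
    "N": {1, 2}, "S": {2}, "Q": {2, 3},
}

# Constructed sample: the date and time used in the documentation's example.
SAMPLE = datetime(2011, 2, 11, 14, 20, 12)


def tokens(pattern):
    """Split a pattern into (letter, run) pairs; letter is None for literals."""
    for m in re.finditer(r"([A-Za-z])\1*|[^A-Za-z]+", pattern):
        yield m.group(1), m.group(0)


def problems(pattern):
    """Return every letter run that the table does not list."""
    return [run for letter, run in tokens(pattern)
            if letter is not None and len(run) not in ALLOWED.get(letter, ())]


def _field(letter, n, t):
    """Render one pattern run of n letters for datetime t."""
    def pad(value):
        return str(value).zfill(n)  # n letters = at least n digits
    if letter == "Y":
        return pad(t.year % 100) if n == 2 else pad(t.year)
    if letter == "M":
        name = MONTHS[t.month - 1]
        return pad(t.month) if n <= 2 else (name[:3] if n == 3 else name)
    if letter == "E":
        name = DAYS[t.weekday()]
        return name[:3] if n == 3 else name
    if letter == "A":
        return "AM" if t.hour < 12 else "PM"
    numeric = {
        "D": t.day,
        "J": t.hour,                  # 24-hour clock, 0-23
        "H": t.hour or 24,            # 24-hour clock, 1-24
        "K": t.hour % 12,             # 12-hour clock, 0-11
        "L": (t.hour % 12) or 12,     # 12-hour clock, 1-12
        "N": t.minute,
        "S": t.second,
        "Q": t.microsecond // 1000,   # milliseconds
    }
    return pad(numeric[letter])


def render(pattern, when=SAMPLE):
    """Render a pattern, refusing any run that problems() reports."""
    bad = problems(pattern)
    if bad:
        raise ValueError("unsupported pattern letters: " + ", ".join(bad))
    return "".join(run if letter is None else _field(letter, len(run), when)
                   for letter, run in tokens(pattern))


if __name__ == "__main__":
    for candidate in ("DD/MM/YYYY JJ:NN:SS", "EEE, D MMM YY L:NN A"):
        print(candidate, "->", render(candidate))
    print("rejected:", problems("YYY-MM-DD hh"))
```

Run problems() on a candidate value first; an empty list means every letter run matches the table.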

More information:

Supported Datetime Formats

View a Query

All users who are assigned a role of Auditor, Analyst, or Administrator can view all queries. Predefined queries are listed under the Subscription folder. When the first custom query is defined, a User folder is added to the query list to hold the custom query. After that, all custom queries are added to this User folder.

To view a query

  1. Click the Queries and Reports tab, then the Queries subtab.

    The Query Tag Filter maximize button, the Query List, the Options menu, and a Search text box appear in the left pane.

  2. Select the query to view in any of the following ways:

    The selected query appears in the details pane in table format. The most recent results appear first in the results table. To view additional results, click the arrow keys or select a range of rows from the list.

    Note: If the query results are not grouped, the list displays the row ranges you have viewed, and the next sequential range available. If the query results have been grouped, the list displays all row ranges available in the entire results set.

  3. (Optional) Take any of the following actions:
  4. Click Close to close the displayed query.

View a Report

All users who are assigned a role of Auditor, Analyst, or Administrator can view all reports. Predefined reports are listed under the Subscription folder. When the first custom report is defined, a User folder is added to the report list to hold the custom report. After that, all custom reports are added to this User folder.

Selecting a report from the report list runs the queries that make up the report on log records currently residing in the internal event log stores. The report results, displayed on the right pane, are from the event log stores of the active CA User Activity Reporting Module server and its child servers.

To view a report

  1. Click the Queries and Reports tab, then the Reports subtab.

    The Report Tag Filter maximize button, a Search entry field, the Report List, and the Options menu appear in the left pane.

  2. From the Options menu, select Show Selected Report, if not already selected.

    This lets you display any selected report in the right pane.

  3. Select the report to view in any of the following ways:

    The selected report displays in the main pane of the page.

  4. (Optional) Take any of the following actions:
  5. Click Close to close the displayed report.

Disable Show Selected Report

You can set your report list so that you can make changes without loading reports. Normally, selecting a report from the list displays it in the details window.

Disabling this default mode saves time by letting you select a report from the list and edit it immediately, without waiting for it to display. This is especially useful if you have multiple reports to edit and already know what changes you plan to make.

Since only users with the Administrator or Analyst role can create or edit reports, only these users can disable the show selected report setting.

To disable show selected report

  1. Click Options at the top of the Report List.

    The Options menu appears.

  2. Clear the check beside Show Selected Report.

    Any report selected from the list is not displayed until Show Selected Report is re-enabled.

More information:

How to Create a Report

Edit a Report

Example: Run PCI Reports

The PCI Security Standards Council is an open global forum responsible for the development of the PCI Data Security Standard (PCI DSS) that includes requirements for security management, policies and procedures. Organizations that store, process or transmit cardholder data must comply with PCI DSS version 1.2, which details twelve requirements.

CA User Activity Reporting Module provides out-of-the-box PCI reports that you can view as soon as your system begins to collect and process event logs.

The examples in this section help you become familiar with the PCI reports and how to schedule and distribute them. The examples include references to the number associated with the PCI DSS Requirement that the report addresses.

More information:

View the List of Reports with the PCI Tag

Search for Reports for a Specific PCI DSS Control

View the List of Reports with the PCI Tag

You can begin your assessment of how to use CA User Activity Reporting Module reports to demonstrate PCI compliance by viewing the list of predefined reports that are tagged with the PCI tag.

To become familiar with reports with the PCI tag

  1. Click the Queries and Reports tab and the Reports subtab.

    The Report Tag Filter and Report List appear.

  2. Enter PCI in the Search field for the tag.

    The PCI tag appears.

    Report Tag list - showing PCI tag

  3. Review the report list associated with the PCI tag.

    Report List - showing reports associated with PCI tag

Search for Reports for a Specific PCI DSS Control

You can search for predefined reports using keywords relevant to specific PCI DSS controls. The following procedure covers a few examples.

Note: The referenced numbers are the numbers associated with the PCI DSS Requirement that the report addresses.

To display the list of reports relevant to specific PCI DSS controls

  1. Click the Queries and Reports tab and the Reports subtab.
  2. To locate the report that addresses changes to the firewall configuration (1.1.1), enter Firewall as the Search criteria.

    A list of reports similar to the following appears. Notice the one titled Firewall Configuration Changes.

    Report List - showing search for Firewall reports

  3. To locate the report that addresses changes to router configurations after you have verified synchronization (1.3.6), enter Router as the search criteria.

    Report List - showing search for Router reports

  4. To locate reports that address password management (8.5), one of the strong access control measures, enter password as the Search criteria.

    Report List - showing search for Password reports

  5. To locate reports that address additions, modifications, and deletions to user accounts (12.5.4), one of the measures for maintaining an information security policy, enter account as the search criteria.

    Report List - showing search for Account reports

Work with a Single PCI Report

You can work with any report, including PCI reports, in the following ways:

To view or act on a selected report

  1. Click the Queries and Reports tab and the Reports subtab.
  2. Select Show Selected Report in the Options drop-down list under Report List, if not already selected.
  3. Select a report name from the report list.

    The resulting report displays the results of the underlying queries, which typically include a summary, the trend, and details, as well as report-specific queries.

  4. To disable the loading of particular queries, select Cancel.

    Loading Progress Dialog - showing Cancel button

  5. To print the displayed report, click Print Report in the right pane.

    When the Print dialog displays, select a printer and click Print.

  6. To schedule the report to be generated for later viewing, click Schedule Report.

    The Schedule Report wizard appears with the displayed report in the Selected Reports area.

  7. Enter a job name, for example, Resource Access by Host Report job.

    If you accept all defaults, the job is scheduled to run now with no recurrence, where the report is generated in PDF format with no email notification. The data is drawn from the current server, its federated peers and its federated descendants.

  8. Click Save and Close.
  9. View the scheduled job. Select the Scheduled Reports tab and then the Report Scheduling subtab.

    The job you just scheduled is shown.

    Scheduled Jobs Pane - showing new job

  10. View the generated report.
    1. Select the Scheduled Reports tab and then the Generated Reports subtab.
    2. (Optional) Limit the displayed rows by selecting a recurrence other than All, a format other than All, or a Time span of the last hour.
    3. (Optional) Click Refresh.
  11. After reviewing the generated report, you can modify the report job if you want to generate it on a recurring basis. Do the following:
    1. From the Reports Scheduling subtab, select the generated report, and click Edit.
    2. Select the Schedule Jobs step and select the option for the frequency of occurrence.
    3. Click Save and Close.

Prompts

A prompt is a special type of query that displays results based on the value you enter and the CEG fields you select. Rows are returned only for events where the value you enter appears in one or more of the selected CEG fields.

You can take any of the following actions on prompt query results:

Use the Connector Prompt

Each connector that is configured on an agent collects raw events from a specific event source and sends the events to the event log store on a CA User Activity Reporting Module collection server. The event refinement process converts raw events to refined events and archives them to the reporting CA User Activity Reporting Module server. The connector prompt queries for events on the reporting server that were collected as raw events by connectors with the name you specify. Connectors can have a default name or a user-defined name. You copy the name of the connector to use and paste it in the field of the connector prompt and click Go to display the prompt query results.

Use the connector prompt to:

To copy the name of an active connector

  1. Click the Administration tab.

    The Log Collection Explorer is displayed.

  2. Click Agent Explorer.

    The Agent Status Monitor appears, where one column lists connector names.

  3. Right-click the connector you want to use in the prompt query and select Copy Connector Name.

To use the Connector prompt

  1. Select Queries and Reports.

    The Query List displays the Prompts folder, the Subscription folder, and possibly a Users folder.

  2. Expand Prompts and select Connector.

    The Connector prompt displays the Connector field and the following CEG field, which must remain selected for the prompt to function:

    agent_connector_name

    Is the name of a connector.

  3. Right-click in the Connector field and select Paste.

    The connector name you copied from the Agent Status Monitor appears in the Connector field.

  4. Click Go.

    Results of the connector prompt query appear.

  5. Use the following descriptions to interpret the query results:
    CA Severity

    Indicates the severity of the event, where the values in increasing order of severity include: Information, Warning, Minor Impact, Major Impact, Critical, and Fatal.

    Date

    Indicates when the event occurred.

    Category

    Identifies the high-level category of the corresponding event action. For example, System Access is the category for the Authentication action.

    Action

    Identifies the action, where possible actions are determined by the class of the event.

    Agent Name

    Identifies the agent on which the connector is running.

    Host

    Identifies the event source host from which the connector is collecting events.

    Performer

    Identifies the source actor of the event, that is, the identity that initiated the action. The performer can be expressed as the source username or source process name.

    Account

    Identifies the username of the account used for authentication when the connector attempts to connect to the host with the event source from which raw events are collected. This is typically a low-privileged account. The credentials for this account are configured on the event source and also on the log sensor of the connector.

    Result

    Specifies a code for the event result of the corresponding action, where S means Success, F means Failure, A means Accepted, D means Dropped, R means Rejected, and U means Unknown.

    Connector Name

    The name of the connector entered in the prompt filter field.

  6. (Optional) Select Show raw events.

    The first event collected by a new connector is for the action System Startup and ends with: result_string=<connector name> Connector Started Successfully

Use the Host Prompt

The host prompt queries for events where the hostname you specify appears in the selected CEG fields of the refined event. When raw event data is refined, event details can include several different CEG host names. Consider this scenario:

  1. The event initiator on source_hostname attempts an act, event_action, on a target residing on dest_hostname.

    Note: Source_hostname and dest_hostname can be different hosts or the same host.

  2. This event is recorded in a repository on event_source_hostname.

    Note: Event_source_hostname can be a different host than either source_hostname or dest_hostname or can be colocated.

  3. A CA User Activity Reporting Module agent installed on agent_hostname makes a copy of the event recorded on event_source_hostname.

    Note: Agent_hostname is the same as event_source_hostname in agent-based log collection but is different in agentless and direct log collection.

  4. The CA User Activity Reporting Module agent on agent_hostname transmits the copy of the event in event_logname to a CA User Activity Reporting Module collection server.

To use the Host prompt

  1. Select Queries and Reports.

    The Query List displays the Prompts folder and one or more folders for other queries.

  2. Expand Prompts and select Host.

    The Host prompt appears.

  3. Enter the name of the host on which to base this query.
  4. Select the fields on which to query for data matching your host name entry.
    source_hostname

    Is the name of the host where the event action was initiated.

    dest_hostname

    Is the name of a host that is the destination or target of the action.

    event_source_hostname

    Is the name of a host that records the event when the event occurs.

    For example, you can deploy a connector based on WinRM to collect events from the Event Viewer on a Windows Server 2008 host. To select events retrieved from a given Windows Server 2008 host, enter the hostname of that server and select this field.

    receiver_hostname

    Is the same as agent_hostname.

    agent_hostname

    Is the name of the host where a CA User Activity Reporting Module agent is deployed.

  5. Click Go.

    Results of the host prompt query appear.

  6. Use the following descriptions to interpret the query results:
    CA Severity

    Indicates the severity of the event, where the values in increasing order of severity include: Information, Warning, Minor Impact, Major Impact, Critical, and Fatal.

    Date

    Indicates when the event occurred.

    Source User

    Identifies the name of the user on source_hostname who initiated the event action.

    Result

    Specifies a code for the event result of the corresponding action, where S means Success, F means Failure, A means Accepted, D means Dropped, R means Rejected, and U means Unknown.

    Agent Host

    Identifies the name of the host where the CA User Activity Reporting Module agent that collected the event is installed.

    Receiver Host

    The same as agent host.

    Category

    Identifies the high-level category of the corresponding event action. For example, System Access is the category for the Authentication action.

    Action

    Identifies the event action performed by the source user.

    Log Name

    Identifies the log name used by the connector that collected the event. All connectors based on the same integration transmit events in a log file with the same log name.
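The following Python sketch is an added example, not product code or product output. It models the Host prompt scenario above on three constructed events to show how the selection of CEG host fields changes which events a hostname returns, and how agent_hostname compared with event_source_hostname separates agent-based collection from agentless or direct collection. The case-insensitive exact match, the host names, and the function names are assumptions.

```python
# CEG host fields offered by the Host prompt, as listed in the procedure.
HOST_FIELDS = ("source_hostname", "dest_hostname", "event_source_hostname",
               "receiver_hostname", "agent_hostname")

# Constructed refined events for illustration; not product output.
EVENTS = [
    # Agent-based collection: the agent runs on the event source (dc-01).
    {"event_action": "Authentication", "event_logname": "NT-Security",
     "source_hostname": "ws-17", "dest_hostname": "dc-01",
     "event_source_hostname": "dc-01",
     "agent_hostname": "dc-01", "receiver_hostname": "dc-01"},
    # Agentless collection: an agent on col-01 copies the event kept on fs-02.
    {"event_action": "Authentication", "event_logname": "NT-Security",
     "source_hostname": "ws-17", "dest_hostname": "fs-02",
     "event_source_hostname": "fs-02",
     "agent_hostname": "col-01", "receiver_hostname": "col-01"},
    # Local event: source and destination are the same host (dc-01).
    {"event_action": "Authentication", "event_logname": "NT-Security",
     "source_hostname": "dc-01", "dest_hostname": "dc-01",
     "event_source_hostname": "dc-01",
     "agent_hostname": "col-01", "receiver_hostname": "col-01"},
]


def _same(a, b):
    """Assumed matching rule: exact host name, ignoring case and padding."""
    return a.strip().lower() == b.strip().lower()


def host_prompt(events, hostname, selected_fields):
    """Return events where hostname appears in at least one selected field."""
    unknown = set(selected_fields) - set(HOST_FIELDS)
    if unknown:
        raise ValueError("not a Host prompt field: " + ", ".join(sorted(unknown)))
    return [e for e in events
            if any(_same(e.get(f, ""), hostname) for f in selected_fields)]


def roles(event, hostname):
    """List the host fields in which hostname appears for one event."""
    return [f for f in HOST_FIELDS if _same(event.get(f, ""), hostname)]


def collection_mode(event):
    """Agent and event source on the same host means agent-based collection."""
    if _same(event["agent_hostname"], event["event_source_hostname"]):
        return "agent-based"
    return "agentless or direct"


if __name__ == "__main__":
    for fields in (["source_hostname"], ["event_source_hostname"],
                   ["agent_hostname"], list(HOST_FIELDS)):
        hits = host_prompt(EVENTS, "dc-01", fields)
        print(fields, "->", len(hits), "event(s)")
    for event in EVENTS:
        print(collection_mode(event), roles(event, "dc-01"))
```

Selecting only source_hostname for dc-01 returns one event, while event_source_hostname returns two, so the field selection decides whether the result shows what the host did or what was recorded on it.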

Use the IP Prompt

The IP prompt queries for events where the IP address you specify appears in the selected CEG fields of the refined event. When raw event data is refined, event details can include several different CEG IP addresses. Consider this scenario:

  1. The event initiator on source_address attempts an act, event_action, on a target residing on dest_address.

    Note: Source_address and dest_address can be different or the same.

  2. This event is recorded in a repository on event_source_address.

    Note: Event_source_address can be different from either source_address or dest_address or can be the same as one or both.

  3. A CA User Activity Reporting Module agent installed on agent_address makes a copy of the event recorded on event_source_address.

    Note: Agent_address is the same as event_source_address in agent-based log collection but is different in agentless and direct log collection.

  4. The agent on agent_address transmits the copy of the event in event_logname to a CA User Activity Reporting Module collection server.

To use the IP prompt

  1. Select Queries and Reports.

    The Query List displays the Prompts folder and one or more folders for other queries.

  2. Expand Prompts and select Host.

    The IP prompt appears.

  3. Enter the IP address on which to base this query.
  4. Select one or more of the following fields to query for data matching your IP address entry.
    source_address

    Is the IP address of the host where the action was initiated.

    dest_address

    Is the IP address of a host that is the destination or target of the action.

    event_source_address

    Is the IP address of a host that records the raw event when the event occurs.

    For example, you can deploy a connector based on WinRM to collect events from the Event Viewer on a Windows Server 2008 host. To select events retrieved from a given Windows Server 2008 host, enter the IP address of that server and select this field.

    receiver_hostaddress

    Is the same as agent_address.

    agent_address

    Is the IP address of a host where a CA User Activity Reporting Module agent is deployed.

  5. Click Go.

    Results of the IP prompt query appear.

  6. Use the following descriptions to interpret the query results:
    CA Severity

    Indicates the severity of the event, where the values in increasing order of severity include: Information, Warning, Minor Impact, Major Impact, Critical, and Fatal.

    Date

    Indicates when the event occurred.

    Result

    Provides a code for the result of the corresponding action, where the displayed letter has the following meaning: S for success, F for failure, A for Accepted, D for Dropped, R for Rejected, and U for Unknown.

    Destination Port

    Identifies the communication port on the destination host, the target of the event action.

    Source IP

    Identifies the IP address from which the event action was initiated.

    Destination IP

    Identifies the IP address of the host that was the target of the event action.

    Event Source IP

    Identifies the IP address of the host with the repository where the event was originally recorded.

    Agent IP

    Identifies the name of the host with the CA User Activity Reporting Module agent responsible for the collection of events from the event source.

    Receiver IP

    The same as Agent IP.

    Category

    Identifies the high-level category of the corresponding event action. For example, System Access is the category for the Authentication action.

    Action

    Identifies the event action.

    Log Name

    Identifies the log name used by the connector that collected the event.

Use the Log Name Prompt

Each connector that is based on the same integration returns event logs collected from the event source to the CA User Activity Reporting Module collection server in a log file with a predefined name. The log name prompt queries for events involving the log name you specify.

Use the log name prompt to query for events transferred in a log file with the specified name. Each connector is based on an integration. Each integration uses a predefined log name. A query for a given log name returns results of events collected by different agents that use connectors based on the same integration or similar integrations.

A variety of conventions are used for naming logs:

Some log names are reused as new releases or platforms are added. For example, NT-Security is the log name for security logs for the following integrations: NTEventLog, Windows2k8, and WinRM.

To use the Log Name prompt

  1. Select Queries and Reports.

    The Query List displays the Prompts folder and one or more folders for other queries.

  2. Expand Prompts and select Log name.

    The Log name prompt filter appears with the following field:

    event_logname

    Is the name of a log file associated with a specific integration.

  3. Select the log name used to transmit events you want to view and click Go.

    Results of the log name prompt query appear.

  4. Use the following descriptions to interpret the query results:
    CA Severity

    Indicates the severity of the event, where the values in increasing order of severity include: Information, Warning, Minor Impact, Major Impact, Critical, and Fatal.

    Date

    Indicates when the event occurred.

    Category

    Identifies the high-level category of the corresponding event action. For example, System Access is the category for the Authentication action.

    Action

    Identifies the event action performed by the corresponding performer.

    Host

    Identifies the event source host from which the connector is collecting events.

    Performer

    Identifies the source actor of the event, that is, the identity that initiated the action. The performer can be expressed as the source username or source process name.

    Account

    Identifies the username of the account used for authentication. When the connector attempts a connection to the event source, authentication occurs. Authentication typically uses a low-privileged account. During connector deployment, the administrator configures credentials for this account on the event source and then identifies this account on the log sensor.

    Result

    Specifies a code for the event result of the corresponding action, where S means Success, F means Failure, A means Accepted, D means Dropped, R means Rejected, and U means Unknown.

    Log Name

    The log name entered in the prompt filter field.

Use the Port Prompt

The port prompt queries for events where the port you specify appears in the selected CEG fields of the refined event. When raw event data is refined, event details can include several different CEG port numbers. Consider this scenario:

  1. The event initiator on the source host uses the outbound source_port communication port for initiating the event action on a target residing on the destination host through the inbound dest_port communications port.

    Note: Source_port and dest_port are the same for local events. Otherwise, they are host-specific.

  2. This event is recorded in a repository on the event source.
  3. A CA User Activity Reporting Module agent makes a copy of the event recorded on the event source.
  4. The agent transmits the copy of the event through the outbound port, receiver_port, to a CA User Activity Reporting Module collection server.

    Note: The agent uses port 17001, by default, to secure communications to the CA User Activity Reporting Module collection server.

To use the Port prompt

  1. Select Queries and Reports.

    The Query List displays the Prompts folder and one or more folders for other queries.

  2. Expand Prompts and select Port.

    The Port prompt appears.

  3. Enter the port number on which to base this query.
  4. Select the fields on which to query for data matching your port number entry:
    source_port

    Is the communications port used for initiating the action.

    dest_port

    Is the communication port on the destination host that is the target of the action.

    receiver_port

    Is the port that the agent uses to communicate with the CA User Activity Reporting Module collection server.

  5. Click Go.

    Results of the port prompt query appear.

  6. Use the following descriptions to interpret the query results:
    CA Severity

    Indicates the severity of the event, where the values in increasing order of severity include: Information, Warning, Minor Impact, Major Impact, Critical, and Fatal.

    Date

    Indicates when the event occurred.

    Source IP

    Identifies the IP address of the host from which the event action was initiated.

    Result

    Specifies a code for the event result of the corresponding action, where S means Success, F means Failure, A means Accepted, D means Dropped, R means Rejected, and U means Unknown.

    Source Port

    Identifies the outbound port used for initiating the action.

    Destination Port

    Identifies the inbound port on the destination host.

    Receiver Host

    Identifies the outbound port on the agent used to send event logs to the CA User Activity Reporting Module server.

    Category

    Identifies the high-level category of the corresponding event action. For example, System Access is the category for the Authentication action.

    Action

    Identifies the event action.

    Log Name

    Identifies the log name used by the connector that collected the event.

Use the User Prompt

Each event expresses information about two actors: the Source and the Destination.

The User prompt queries for events where the actor you specify appears in the selected CEG fields of the refined event. Consider this scenario:

  1. The source actor, source_username or source_processname, attempts an action on the target actor, destination_username or destination_objectname.
  2. This event is recorded in a repository on the event source.
  3. A CA User Activity Reporting Module agent makes a copy of the event recorded on the event source and transmits it to a CA User Activity Reporting Module server.

To use the User prompt

  1. Select Queries and Reports.

    The Query List displays the Prompts folder and one or more folders for other queries.

  2. Expand Prompts and select User.

    The User prompt appears.

  3. Enter the name of the user on which to base this query.
  4. Select the fields on which to query for data matching your user name entry.
    source_username

    Is the name of the user that initiated the event action.

    dest_username

    Is the name of the user that is the target of the action.

    source_objectname

    Is the name of the object involved in the action referenced in event information.

    dest_objectname

    Is the name of the object that is the target of the action.

  5. Click Go.

    Results of the User prompt query appear.

  6. Use the following descriptions to interpret the query results:
    CA Severity

    Indicates the severity of the event, where the values in increasing order of severity include: Information, Warning, Minor Impact, Major Impact, Critical, and Fatal.

    Date

    Indicates when the event occurred.

    Destination Host

    Identifies the name of the host with the user who was the target of the event action.

    Result

    Specifies a code for the event result of the corresponding action, where S means Success, F means Failure, A means Accepted, D means Dropped, R means Rejected, and U means Unknown.

    Source User

    Identifies the user who initiated the event action.

    Source Object

    Identifies the object on the source host that was involved in the event action.

    Destination User

    Identifies the user who was the target of the event action.

    Destination Object

    Identifies the object on the destination host that was involved in the event action.

    Category

    Identifies the high-level category of the corresponding event action. For example, System Access is the category for the Authentication action.

    Action

    Identifies the event action.

    Log Name

    Identifies the log name used by the connector that collected the event.

How to Create a Query

You can create custom queries using the Query Design wizard. When you create a query you must choose whether it applies to the event database, the incident database, or to an external ODBC database. The event database stores information on all the events received by that server. The incident database stores information on incidents and elements of their component events as specified by correlation rules.

You can delete custom queries and export query information. You can also copy a subscription query to create a custom query and edit that query using the query design wizard. Only users with the Administrator or Analyst roles can create, delete, or edit queries.

Creating a query using the query design wizard involves the following steps:

  1. Opening the query design wizard.
  2. Adding identity and tag details, including specifying the target database.
  3. Selecting query columns.
  4. (Optional) Setting query conditions and filters.
  5. Setting date range and result conditions.
  6. (Optional) Choosing visualization options for the query display.
  7. (Optional) Adding drill-down values for the query.

More information:

Create a Query Display Visualization

Add a Drill Down Report

Open Query Design Wizard

Add Query Details

Add ODBC Query Columns

Add Query Columns

Set Query Filters

Open Query Design Wizard

To create a new custom query, create a copy of a query, or edit an existing query, you must open the query design wizard.

To open the query design wizard

  1. Click the Queries and Reports tab, then the Queries subtab.

    The Query List appears.

  2. Click Options and select New.

    The query design wizard appears.

    When using the wizard:

Add Query Details

The first step in creating a query is entering identifying information and setting any tags you want to include.

To add a new query

  1. Open the query design wizard.
  2. Type a required query name, and optional short name for use in reports. The short name appears in the individual query pane when the query is included in a report.
  3. Select the connection type you want. UARM Default appears in the drop-down list, along with the names of any ODBC connections set up in the Report Service area.
    UARM Default

    Targets your query to the internal event or incident databases.

    ODBC Connections

    Targets your query to an external ODBC table you select. The Table drop-down list is populated with any views in your target database.

  4. Select the table you want your query to apply to.

    If you selected UARM Default, select one of the following:

    Event

    Applies the query to the event database, which stores all raw and refined event information received by the current server, or available through federation.

    Incident

    Applies the query to the incident database, which stores incidents created by the event correlation system, and the event information used to create those incidents. Correlation rules control the specific components of an event that are used to create an incident.

    If you selected Custom Connection, choose the ODBC table you want. The list is populated with tables from the ODBC connection you selected.

  5. Type any design notes you want in the Description entry field.

    Note: We recommend using this field for information about the query structure. For example, it could contain an explanation of why the query contains certain fields and functions.

  6. Select one or more tags that you want your query to be associated with using the Tags shuttle control.
  7. (Optional) To add a custom category tag, enter a tag name in the Add Custom Tag entry field, and click the Add Tag button.

    The custom Tag appears, already selected, in the Tags shuttle control.

  8. (Optional) To add a nested custom tag, select a tag or type the parent tag name, followed by a backslash, followed by the name of the child tag, then click Add Tag. For example, you could type: "Regulations\Industry Standards". You can add additional tags, maintaining the format: a\b\c, and so on.

    Note: If you delete one of the custom nested tags, all the custom tags in which it is nested are also deleted, including the parent tag. If you nest a custom tag inside a subscription tag, and then delete it, only the custom tags are deleted.

    When you complete the process, the new tags appear in the list, with the nested custom tags visible when you expand the parent tag.

  9. Click the appropriate arrow to advance to the query design step you want to complete next, or click Save and Close.

    If you click Save and Close, the new query appears in the Query List, otherwise the query design step you choose appears.

More information:

Tag Tasks

How to Create a Query

Add Query Columns

To create a query against the incident or event databases, write a SQL statement that retrieves the event information you want from the event log store. The query design wizard helps automate this process.

To create a query SQL statement

  1. Open the query design wizard.
  2. Enter the name and tag, if not already specified, then advance to the Query Columns step.
  3. (Optional) Select the Unique events only check box.
  4. Set the CEG columns you want to query by clicking the Add button at the top of the pane. Columns appear in the selected display in the order in which they are added. You can alter the order using the up/down buttons at the top of the pane.
  5. Select the settings you want for each column, including:
    Display Name

    Lets you enter a different name for the column, when it is displayed in Table or Event Viewer format. If you enter no Display Name, the native field name is used as the column name, "event_count" for example.

    Function

    Lets you apply one of the following SQL functions to the column values:

    • COUNT - returns the total number of events.
    • AVG - returns the average of the event_count values. This function is only available for event_count fields.
    • SUM - returns the sum of the event_count values. This function is only available for event_count fields.
    • TRIM - removes any spaces in the queried text string.
    • TOLOWER - converts the queried text string to lowercase.
    • TOUPPER - converts the queried text string to uppercase.
    • MIN - returns the lowest event value.
    • MAX - returns the highest event value.
    • UNIQUECOUNT - returns the number of unique events.

    Each CEG field belongs to one of three types: string, integer, or datetime. When you add a CEG field to a query, CA User Activity Reporting Module makes functions that apply to its type available. For example, if you select ideal_model, only those functions that apply to string values appear.

    Group Order

    Sets the query display to show the selected columns grouped by the selected attribute. For example, you can set the query to group events by source name. You can control the order in which it is applied to various columns. If the first column values are identical, the second are applied. For example, you can group multiple events from the same source by username.

    Sort Order

    Controls the order in which the selected value is sorted. You can control the order in which it is applied to various columns. If the first column values are identical, the second are applied.

    Descending

    Sets the column values to display in descending order (highest to lowest value) rather than the default ascending order.

    Not Null

    Controls whether the row is displayed in a table or Event Viewer if it contains no value. Selecting the Not Null check box removes the row from the query result if it contains no displayable value.

    Visible

    Controls whether the column is visible in a table or Event Viewer format. You can use this setting to make the column data available in the details view without showing it in the display itself.

    Note: If you select a Function other than TRIM, TOLOWER, TOUPPER or a Group Order setting for a column, you must also select the same setting for other columns. Otherwise, CA User Activity Reporting Module displays error messages.

  6. (Optional) Use the up and down arrows at the top of the Selected Columns pane to change the column order as needed.
  7. Click the appropriate arrow to advance to the Query Design step you want to complete next, or click Save and Close.

    If you click Save and Close, the new query appears in the Query List, otherwise the Query Design step you choose appears.
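The column settings above correspond to the clauses of a SQL SELECT statement. The following added example (not product code and not the SQL the wizard generates) builds such a statement from column settings and runs it against constructed events in SQLite. The table name events, the mapping of TOLOWER, TOUPPER, and UNIQUECOUNT to SQLite functions, and the reading of the Note in step 5 (once any column is aggregated or grouped, every other column needs a function or a Group Order) are assumptions.

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Wizard function names mapped to SQLite expressions (assumed equivalents).
AGGREGATES = {"COUNT": "COUNT({c})", "AVG": "AVG({c})", "SUM": "SUM({c})",
              "MIN": "MIN({c})", "MAX": "MAX({c})",
              "UNIQUECOUNT": "COUNT(DISTINCT {c})"}
SCALARS = {"TRIM": "TRIM({c})", "TOLOWER": "LOWER({c})", "TOUPPER": "UPPER({c})"}
# Field names taken from this page; a real query would use the full CEG field list.
CEG_FIELDS = {"source_username", "dest_port", "event_count", "ideal_model"}
TABLE = "events"  # hypothetical table name


@dataclass
class Column:
    field: str
    display_name: Optional[str] = None
    function: Optional[str] = None
    group_order: Optional[int] = None
    sort_order: Optional[int] = None
    descending: bool = False
    not_null: bool = False


def build_select(columns):
    """Return the SELECT statement for the settings, or raise ValueError."""
    grouped = any(c.function in AGGREGATES or c.group_order is not None
                  for c in columns)
    select, where, group_by, order_by = [], [], [], []
    for c in columns:
        if c.field not in CEG_FIELDS:
            raise ValueError(f"unknown field: {c.field!r}")
        alias = c.display_name or c.field
        if not alias.replace(" ", "").replace("_", "").isalnum():
            raise ValueError(f"unsupported display name: {alias!r}")
        if c.function in AGGREGATES:
            if c.function in ("AVG", "SUM") and c.field != "event_count":
                raise ValueError(f"{c.function} applies only to event_count")
            if c.group_order is not None:
                raise ValueError("an aggregated column cannot also be grouped")
            expr = AGGREGATES[c.function].format(c=c.field)
        elif c.function in SCALARS or c.function is None:
            expr = SCALARS.get(c.function, "{c}").format(c=c.field)
            # The consistency rule from the Note, as read in the lead-in.
            if grouped and c.group_order is None:
                raise ValueError(f"{c.field}: needs a function or a Group Order")
        else:
            raise ValueError(f"unknown function: {c.function!r}")
        select.append(f'{expr} AS "{alias}"')
        if c.not_null:
            where.append(f"{c.field} IS NOT NULL")
        if c.group_order is not None:
            group_by.append((c.group_order, expr))
        if c.sort_order is not None:
            direction = " DESC" if c.descending else ""
            order_by.append((c.sort_order, f'"{alias}"{direction}'))
    sql = f"SELECT {', '.join(select)} FROM {TABLE}"
    if where:
        sql += " WHERE " + " AND ".join(where)
    if group_by:
        sql += " GROUP BY " + ", ".join(e for _, e in sorted(group_by))
    if order_by:
        sql += " ORDER BY " + ", ".join(e for _, e in sorted(order_by))
    return sql


# Constructed sample events: (source_username, dest_port, event_count, ideal_model)
SAMPLE_EVENTS = [
    ("Alice", 22, 2, "Operating System"),
    ("alice", 22, 1, "Operating System"),
    ("bob", 443, 5, "Firewall"),
    (None, 22, 4, "Firewall"),
    ("bob", 22, 1, "Operating System"),
]

# Events per user: lowercase the name, group by it, drop empty names,
# and sort by the summed event_count, highest first.
EXAMPLE_COLUMNS = [
    Column("source_username", display_name="User", function="TOLOWER",
           group_order=1, not_null=True),
    Column("event_count", display_name="Events", function="SUM",
           sort_order=1, descending=True),
]


def run_query(columns):
    """Run the generated statement against the constructed events."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {TABLE} (source_username TEXT, dest_port INTEGER,"
               " event_count INTEGER, ideal_model TEXT)")
    db.executemany(f"INSERT INTO {TABLE} VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    return db.execute(build_select(columns)).fetchall()


if __name__ == "__main__":
    print(build_select(EXAMPLE_COLUMNS))
    print(run_query(EXAMPLE_COLUMNS))
```

Leaving source_username without a function or Group Order while event_count uses SUM raises ValueError here, which mirrors the error condition the Note describes.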

More information:

How to Create a Query

Add ODBC Query Columns

Add ODBC Query Columns

To create a query, write a statement that retrieves the event information you want from the target ODBC database. The query design wizard helps automate this process.

Follow these steps:

  1. Open the query design wizard.
  2. Enter the name and tag, if not already specified, then advance to the Query Columns step.
  3. (Optional) Select the Unique events only check box.
  4. Set the columns you want to query by clicking the Add button at the top of the pane. Columns appear in the selected display in the order in which they are added. You can alter the order using the up/down buttons at the top of the pane.
  5. Select the settings you want for each column, including:
    Display Name

    Lets you enter a different name for the column, when it is displayed in Table or Event Viewer format. If you enter no Display Name, the native field name is used as the column name.

    Function

    Lets you apply a function to the column values. Each field belongs to one of three types: string, integer, or datetime. When you add a column to a query, CA User Activity Reporting Module displays only those functions that apply to its type.

    Group Order

    Sets the query display to show the selected columns grouped by the selected attribute. For example, you can set the query to group events by source name. You can control the order in which it is applied to various columns. If the first column values are identical, the second are applied. For example, you can group multiple events from the same source by username.

    Sort Order

    Controls the order in which the selected value is sorted. You can control the order in which it is applied to various columns. If the first column values are identical, the second are applied.

    Descending

    Sets the column values to display in descending order (highest to lowest value).

    Not Null

    Controls whether the row is displayed in a table or Event Viewer if it contains no value. Selecting the Not Null check box removes the row from the query result if it contains no displayable value.

    Visible

    Controls whether the column is displayed in a table or Event Viewer. You can use this setting to make the column data available in the details view without showing it in the display itself.

    Note: If you select any function other than TRIM, TOLOWER, TOUPPER or a Group Order setting for a column, you must also select the same setting for other columns. Otherwise, CA User Activity Reporting Module displays error messages.

  6. (Optional) Use the up and down arrows at the top of the Selected Columns pane to change the column order as needed.
  7. Click the appropriate arrow to advance to the Query Design step you want to complete next, or click Save and Close.

    If you click Save and Close, the new query appears in the Query List. Otherwise the Query Design step you choose appears.

More information:

How to Create a Query

Add Query Columns

Set Query Filters

You can filter the information returned by your query using simple or advanced filters. Simple filters let you create single-term filter statements easily and apply them to the default CA User Activity Reporting Module databases. Advanced filters let you build more complex statements, including nested statements. You can apply advanced filters to either internal queries or external ODBC queries.

To set query filters

  1. Open the query design wizard.
  2. Enter the name and tag, if not already specified, then advance to the Query Filters step.

    The query filters dialog appears, displaying the Simple Filters Tab.

    Note: Simple filters are not available if you select a custom connection when creating a query. Use advanced filters to qualify a custom ODBC query.

  3. Create any simple filters you want, to search for stated CEG field values.
  4. Click the Advanced Filters tab.
  5. Create any advanced filters you want.
  6. Click the appropriate arrow to advance to the Query Design step you want to complete next, or click Save and Close.

    If you click Save and Close, the new query appears in the Query List, otherwise the Query Design step you select appears.

Create a Simple Event Filter

You can create simple filters to set search parameters for common values. For example, you could set the Ideal Model field to "Content Management" to identify all events with that value in the Ideal Model CEG field. Simple filters are used by many features, including event and incident queries, suppression and summarization rules, and event forwarding rules.

To create a simple filter

  1. Select the check box for any simple filter field or fields you want to define, and select a value from the drop-down list, or enter the value you want in the text entry field.
  2. Click Save when you have added all the simple filters you want.

More information

Using Advanced Filters

Create an Advanced Event Filter

Create an Advanced Event Filter

Advanced filters are used by many features, including query creation, report scheduling, alert jobs, and local and global filters.

To create an advanced filter

  1. If you are creating a scheduled report job or action alert job, click the Events or Incidents tab to set the appropriate filter type. Since a report or alert job may contain both event and incident queries, you can set the filter types separately.
  2. Click New Event Filter.

    The first row of the event filter table becomes active, and its Logic and Operator columns are populated with the default values "And" and "Equal to" respectively.

  3. Click the Logic cell and change the logic value as needed.
  4. Click the Column cell, and select the event information column you want from the drop-down menu.
  5. Click the Operator cell, and select the operator you want from the drop-down menu.
  6. Click the Value cell, and enter the value you want.
  7. (Optional) Click the open and closed parentheses cells and enter the number of parentheses you need.
  8. (Optional) Repeat steps 1 through 6 as needed to add additional filter statements.
  9. Click Save when you have entered all the filter statements you want.

More information:

Using Advanced Filters

Create a Simple Event Filter

How to Create a Query

Global and Local Filters

Using Advanced Filters

You can use advanced filters to qualify any function that queries databases, including narrowing queries, or adding additional qualifications to simple filters. The Advanced Filters interface provides a form for entering logic columns, operators and values according to your filtering requirements.

Note: This section contains a brief overview of the terms used in advanced filters. To use advanced filters to their full potential you need a thorough understanding of the terms and the Common Event Grammar.

The following terms join multiple filter statements:

And

Displays the event information if all the joined terms are true.

Or

Displays the event information if any of the joined terms are true.

Having

Refines the terms of the main query statement by adding a qualifying statement. For example, you could set an advanced filter and add a "having" statement to return only events of a certain severity level from the specified hosts.

Advanced filters use the following operators to create the basic conditions:

Relational Operators

Include the event information if the column bears the appropriate relation to the value you enter. The following relational operators are available:

For example, using Greater than would include the event information from your chosen column if its value is greater than the value you set.

Like

Includes the event information if the column contains a pattern you enter, using % to set the pattern you want. For example, L% would return any values beginning with L, %L% would return any values where L is not the first or last letter.

Not like

Includes the event information if the column does not contain the pattern you specify.

In set

Includes the event information if the column contains one or more of the values in the quote-delineated set you enter. Multiple values in the set must be comma-separated.

Not in set

Includes the event information if the column does not contain one or more of the values in the quote-delineated set you enter. Multiple values in the set must be comma-separated.

Matches

Includes any event information that matches one or more of the characters that you enter, allowing you to search for key words. Matches is not available for ODBC queries.

Keyed

Includes any event information that is set as a key value during Report Server configuration. You can use key values to set business relevance or other organizational groups.

Not Keyed

Includes any event information that is not set as a key value during Report Server configuration. You can use key values to set business relevance or other organizational groups.
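The following added example (not product code) shows how rows of an advanced filter table, in the Logic, parentheses, Column, Operator, and Value layout described in Create an Advanced Event Filter, translate into a WHERE clause. It checks that parentheses balance and binds every value as a parameter, so a value that contains quotes stays data. SQLite stands in for the event database; the table name events and the field name event_result (holding the Result codes) are assumptions, and only the Equal to, Greater than, Like, Not like, In set, and Not in set operators are covered.

```python
import csv
import sqlite3

# Columns a filter may reference; event_result is a hypothetical field name.
ALLOWED_COLUMNS = {"source_username", "source_port", "dest_port", "event_result"}
LOGIC = {"And": "AND", "Or": "OR"}
COMPARISONS = {"Equal to": "=", "Greater than": ">",
               "Like": "LIKE", "Not like": "NOT LIKE"}
SET_OPERATORS = {"In set": "IN", "Not in set": "NOT IN"}


def parse_set(text):
    """Split a quote-delineated, comma-separated set such as 'F','R'."""
    values = next(csv.reader([text], quotechar="'", skipinitialspace=True))
    if not values or any(v == "" for v in values):
        raise ValueError("empty set value")
    return values


def compile_filter(rows):
    """Turn filter rows into (where_clause, parameters).

    Each row is (logic, open_parens, column, operator, value, close_parens).
    The logic value of the first row is not used.
    """
    if not rows:
        raise ValueError("no filter rows")
    parts, params, depth = [], [], 0
    for i, (logic, opens, column, operator, value, closes) in enumerate(rows):
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown column: {column!r}")
        if logic not in LOGIC:
            raise ValueError(f"unknown logic value: {logic!r}")
        if opens < 0 or closes < 0:
            raise ValueError("parenthesis counts cannot be negative")
        if i > 0:
            parts.append(LOGIC[logic])
        if operator in COMPARISONS:
            term = f"{column} {COMPARISONS[operator]} ?"
            params.append(value)
        elif operator in SET_OPERATORS:
            members = parse_set(value)
            marks = ", ".join("?" for _ in members)
            term = f"{column} {SET_OPERATORS[operator]} ({marks})"
            params.extend(members)
        else:
            raise ValueError(f"unsupported operator: {operator!r}")
        depth += opens
        parts.append("(" * opens + term + ")" * closes)
        depth -= closes
        if depth < 0:
            raise ValueError("closing parenthesis without an opening one")
    if depth != 0:
        raise ValueError("unbalanced parentheses")
    return " ".join(parts), params


# Constructed sample events:
# (source_username, source_port, dest_port, event_result)
SAMPLE_EVENTS = [
    ("admin", 50000, 22, "F"),
    ("admin", 50001, 22, "S"),
    ("adm_backup", 22, 8080, "R"),
    ("carol", 50002, 22, "F"),
    ("admin", 50003, 443, "F"),
]

# Failed or rejected events on port 22, in either direction, for names
# that begin with "adm".
PORT_FILTER = [
    ("And", 1, "source_port", "Equal to", 22, 0),
    ("Or", 0, "dest_port", "Equal to", 22, 1),
    ("And", 0, "event_result", "In set", "'F','R'", 0),
    ("And", 0, "source_username", "Like", "adm%", 0),
]


def run_filter(rows):
    """Apply the compiled filter to the constructed events; return user names."""
    where, params = compile_filter(rows)
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (source_username TEXT, source_port INTEGER,"
               " dest_port INTEGER, event_result TEXT)")
    db.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    sql = f"SELECT source_username FROM events WHERE {where} ORDER BY rowid"
    return [name for (name,) in db.execute(sql, params)]


if __name__ == "__main__":
    print(compile_filter(PORT_FILTER))
    print(run_filter(PORT_FILTER))
```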

More information:

Create an Advanced Event Filter

How to Set Result Conditions

You can set a date range and other result conditions for the query, including row limits and base display time period. You can change result conditions at any time, making them a useful way to modify queries without altering the base query or its filters.

If you are creating a scheduled report or action alert, you can set result conditions for both event and incident queries that make up the jobs.

You can set the following types of result conditions:

More information:

How to Create a Query

Set a Time or Date Range

Set Display and Group Conditions

Set a Time or Date Range

You can set a time or date range condition for your query. This improves the efficiency of your query by narrowing the portion of the event log store it must search.

You can use a predefined time range, or create a custom time range. You must set both a beginning and an end time for a custom time range. If you only set a single time parameter, it is expressed as a "Where" clause.

To set result conditions

  1. Open the result conditions dialog.
  2. If you are creating a scheduled report job or action alert job, click the Events or Incidents tab to set the appropriate filter type. Since a report or alert job can contain both event and incident queries, you can set the filter types separately.
  3. Select a predefined time range from the drop-down list. If you create a custom ODBC query, also select the datetime column you want the query to use as a reference.

    Note: If you are creating an action alert or scheduled report, the interface displays the following default time ranges:

  4. (Optional) Create a custom time range using the following substeps:
    1. Click Edit beside the 'Dynamic End Time' entry field in the Date Range Selections area. This lets you set the end of the time period you want the query to search.

      The Dynamic Time Specification dialog appears.

    2. Select the reference time you want to base the parameter on, and click Add.
    3. Select the time parameter you want, and click Add. You can add multiple time parameters.
    4. Click OK when you are finished adding parameters.

      The Dynamic Time Specification dialog closes, and the values you selected appear in the 'Dynamic End Time' area. If you use multiple parameters, they form a complete time statement, with each parameter referring to the first. For example, adding the 'Start of the Month,' and 'Day of the Week - Tuesday' values in the 'Dynamic End Time' area ends your query on the first Tuesday of the month.

      Note: When you use 'Number of' values, such as 'Number of days' or 'Number of hours', enter a negative number to set a time in the past. Using a positive number sets a future end time, and causes the query to continue sending results as long as at least one qualified event is in the log store.

      For example, adding the 'now,' and 'number of minutes -10' values to the 'Dynamic Start Time' area starts your query 10 minutes before the selected end time.

    5. Repeat step 2 in the 'Dynamic Start Time' area to set the beginning of the time period you want the query to search.

    If you do not enter a date range, the query is applied to all events in the log store. If you enter an invalid date range, your query might not return any results.

  5. Click the appropriate arrow to advance to the Query Design step you want to complete next, or click Save and Close.

    If you click Save and Close, the new query appears in the Query List, otherwise the Query Design step you choose appears.

Set Display and Group Conditions

You can set conditions that allow you to control the query display and conditions that search for events based on how they are grouped. If you are setting conditions for a custom ODBC query, only the Row Limit and No Limit options are available.

To set display and group conditions

  1. Open the result conditions dialog.
  2. If you are creating a scheduled report job or action alert job, click the Events or Incidents tab to set the appropriate filter type. Since a report or alert job can contain both event and incident queries, you can set the filter types separately.
  3. Use the Results check boxes to enable any of the following display qualifications you want:
    Default Query Limit

    This value is only available for Action Alerts and Report Scheduling. It sets the alert or report job to use the row limit of the individual queries in the job. If you select any other results value when creating a job, CA User Activity Reporting Module overrides the row limits in the component queries.

    Row Limit

    Sets the maximum number of event rows that the query displays, starting with the most recent events.

    No Limit

    Sets the query to retrieve all events that match its filter. This can include many events, so plan the query accordingly.

    Show Other

    Indicates the presence of other results that are not displayed due to the row limit. This value allows you to compare the selected events in the context of all events of that type. For example, if you choose a row limit of 10 for your event viewer display and select show other, events beyond 10 are displayed as a single entry titled Other, showing all remaining events. This setting is only effective when row limit is selected.

    Time Granularity

    Sets the detail level of the time period field used in the query display.

  4. Use the Result Conditions to query for various types of grouped event conditions. For example, you could set your query to search for the latest grouped event after a selected date, or a certain number of grouped events. A grouped event is a refined event for which you have set a Function and Group Order in the Query Creation step.

    The group conditions use the same time statement system as the time range fields.

  5. Click the appropriate arrow to advance to the Query Design step you want to complete next, or click Save and Close.

    If you click Save and Close, the new query appears in the Query List, otherwise the Query Design step you choose appears.

More information:

How to Create a Query

How to Set Result Conditions

Set a Time or Date Range

Create a Query Display Visualization

To create a new query display you must set the Visualization details that control how the event information appears.

To create a query display visualization

  1. Open the query design wizard.
  2. Enter the name and tag, if not already specified, then advance to the Visualization step.
  3. Choose whether you want your query display to use an Event Viewer or Chart.

    If you choose Event Viewer, the visualization step is complete. The event columns appear in the Event Viewer display in the order in which you placed them during the Query Columns construction step.

  4. If you choose a Chart, you can select one or more chart types. Selecting multiple chart types allows users to toggle back and forth between them in the report display. The up and down arrows that appear beside each type control the order in which they appear in the Change Visualization menu.

    Note: Table is always available as a visualization even if you do not add it during this step.

  5. Select the event you want to appear as the X (horizontal) Axis from the column drop-down, enter label text if you want any to appear, and select one of the following options from the display type menu:
  6. Repeat Step 4 using the Y-Axis Settings menus to set the Y (vertical) Axis column, label, and type options.
  7. Click the appropriate arrow to advance to the Query Design step you want to complete next, or click Save and Close.

    If you click Save and Close, the new query appears in the Query List, otherwise the Query Design step you choose appears.

Add a Drill Down Report

You can add one or more drill down reports to your query. Drill down reports let users click a query display element and display another related report.

To add a drill down report

  1. Open the query design wizard.
  2. Enter the name and tag, if not already specified, and then advance to the Drill Down step.
  3. Click Add Drilldown.
  4. Enter the name or browse for the report you want to make available as a drill down item.
  5. Select one or more available parameters on which to focus the drill down report and move them to the Selected Parameters list. The drill down reports use the selected parameters to preserve your query focus.
  6. Click the appropriate arrow to advance to the Query Design step you want to complete next, or click Save and Close.

    If you click Save and Close, the new query appears in the Query List, otherwise the Query Design step you choose appears.

Edit a Query

You can edit existing custom queries. You cannot edit a subscription query; however, you can copy a subscription query and edit your copy. If you edit a query, the changes you make affect any reports using that query.

To edit a query

  1. Click the Queries and Reports tab and the Queries subtab.

    The Query Tag Filter list and the Query List appear.

  2. Expand the User folder in the Query List and select the query you want to edit.
  3. Click Options at the top of the list, and select Edit.

    The query design wizard appears, populated with the specifications of the query you selected.

  4. Make the changes you want, and click Save.

More information:

How to Create a Report

Delete a Custom Query

Disable Show Selected Query

Delete a Custom Query

You can delete a custom query. You cannot delete a subscription query.

To delete a query

  1. Select the query you want to delete.
  2. Click Options at the top of the list, and select Delete.

    A confirmation dialog appears.

  3. Click Yes.

    The deleted query is removed from the Query List.

More information:

Edit a Query

Disable Show Selected Query

Exporting and Importing Query Definitions

Disable Show Selected Query

You can set your query list so that you can make changes without loading queries. Normally, selecting a query from the list displays it in the details window.

Disabling this default mode saves time by letting you select a query from the list and edit it immediately, without waiting for it to display. This is especially useful if you have multiple queries to edit and already know what changes you plan to make.

Note: Because only users with the Administrator or Analyst role can create or edit queries, only these users can disable the show selected query setting.

To disable show selected query

  1. Click Options at the top of the Query List.

    The Options menu appears.

  2. Clear the check beside Show Selected Query.

    Any query selected from the list is not displayed until Show Selected Query is re-enabled.

Exporting and Importing Query Definitions

You can export and import details of custom queries for use in other management servers. This lets you transfer successful custom queries between CA User Activity Reporting Module environments, or from a test to a live environment.

More information:

Export Query Definitions

Import Query Definitions

Export Query Definitions

You can export the details of user-created queries for use in other management servers. The export is saved as an XML file.

To export query details

  1. Click the Queries and Reports tab, and then click the Queries subtab.

    The Query List appears.

  2. Click Options at the top of the list, and select Export.

    The Export User Query Definitions dialog appears, displaying available user-created reports.

  3. Select the query or queries you want to export using the shuttle control, and click Export.

    An export dialog appears.

  4. Enter or browse for the location you want to save the XML export files, and click Save.

    The query files are saved to your chosen location and a confirmation dialog appears.

  5. Click OK, and then Close.

    The Export User Query Definitions dialog closes.

More information:

Exporting and Importing Query Definitions

Import Query Definitions

Import Query Definitions

You can import query definition XML files for use in the local management server.

To import query details

  1. Click the Queries and Reports tab, and then the Queries subtab.

    The Query List appears.

  2. Click Options at the top of the list, and select Import.

    The Import File dialog opens.

  3. Enter or browse for the location of the file you want to import, and click OK.

    The Import Results window appears.

  4. Click Import Another File to repeat step 3, or Close.

    The Import Results window closes.

More information:

Exporting and Importing Query Definitions

Export Query Definitions

How to Create a Report

You can create custom reports for your environment, either by using the process outlined in this section to create an entirely new report, or by using a pre-defined report as a template. You can view custom reports or set them as scheduled report templates.

You can also edit or delete custom reports, and export report information. You can perform these customization tasks only if you are logged in as a user with the Administrator or Analyst roles.

The process of creating a new report using the report design wizard has the following steps:

  1. Opening the report design wizard.
  2. Adding report details - Naming the new report and assigning category tags.
  3. Designing a report layout - choosing which queries are included in the report and how they will be displayed.

More information:

Tag Tasks

Open Report Design Wizard

Add Report Details

Design Report Layout

Open Report Design Wizard

To create a new custom report from scratch or based on an existing report, you must open the report design wizard.

To open the report design wizard

  1. Click the Queries and Reports tab, then the Reports subtab.

    The Reports List appears.

  2. Click Options, and then select either New or Copy.

    The Report Design wizard appears.

    When using the wizard:

Add Report Details

You can create a report from scratch or from a copy of an existing report. When you create a report, you name it and add any subscription or custom tags you want to associate with it.

To add report details

  1. Open the report design wizard.
  2. Enter a report name. You can also enter optional description information for reference.
  3. Select the connection type you want. UARM Default appears in the drop-down list, along with the names of any ODBC connections set up in the Report Service area.
    UARM Default

    Targets your report to the internal event and incident databases.

    ODBC Connections

    Targets your report to an external ODBC table you select. To complete a report, you must have configured custom ODBC queries that target your chosen database.

  4. Select one or more tags that you want the report to be associated with using the Tags shuttle control.
  5. (Optional) To add a custom category tag, enter a tag name in the Add Custom Tag entry field, and click Add Tag.

    The custom tag appears in the Selected Tags list.

  6. (Optional) To add one or more nested tags, select a tag, or type the parent tag name, followed by a backslash, followed by the name of the child tag, then click Add Tag. For example, you could type: "Regulations\Industry Standards". You can add additional tags, maintaining the format: a\b\c and so on.

    Note: If you delete one of the custom nested tags, all the tags in which it is nested are also deleted, including the parent tag. If you nest a custom tag inside a subscription tag, and then delete it, only the custom tags are deleted.

    When you complete the process, the new tags appear in the list, with the nested custom tags visible when you expand the parent tag.

  7. Advance to the Layout step or click Save and Close if at least one query has already been selected.

More information:

Delete a Custom Report

Edit a Report

Tag Tasks

Design Report Layout

You can design your report structure by specifying the grid size and dimensions and then selecting queries to display in each grid section. A report can contain either internal CA User Activity Reporting Module queries, or queries directed to an external ODBC database, but not both.

To design a report layout

  1. Open the report design wizard. If this is a new report, enter a name, select a tag, and advance to the Layout step.
  2. Select or enter the number of rows and columns you want to appear in your report, using the Grid Rows and Columns areas in the Report Layout pane. These settings control the number of query display areas the report contains. You can include up to ten rows and/or columns.

    The appropriate number of rows, columns, and corresponding query displays appears in the report layout pane.

    Note: You can use the arrows at the right side and bottom of individual query display areas to expand or shrink them horizontally or vertically.

  3. (Optional) Enter or select a minimum pixel size for the query display areas in the Min. Width and Min. Height areas.
  4. Drag the query you want to display in each display area from the Query List to the appropriate area in the report layout:
  5. (Optional) Click Edit at the top of each query display area to edit the query you have placed there or create a custom query.
  6. Click Save and Close.

    The Report Design wizard closes. The new report appears in the Report List under the User folder.

More information:

Add Report Details

Example: Create a Report from Existing Queries

You can create custom reports composed of predefined queries and tailor them to your specifications.

To create a report from existing queries

  1. Identify the queries to include in the custom report.
    1. Click the Queries and Reports tab and the Queries subtab, if not displayed.
    2. Enter a key word or key phrase in the Search field to display the queries with the content from which you want to make a selection. For example, enter critical hosts trend.
    3. Note the names of the queries you want to include in the custom report. For example, you can define a report of the trends associated with business critical hosts from the queries listed in the following illustration, such as the ones for System Access, Resource Access, and Account Creations.

    Three queries with Business Critical Hosts trend are shown.

  2. For the first query to include in the report, create a copy and add a custom tag.
    1. Select a query and select Copy from the Options drop-down list.
    2. Rename the query and enter a custom tag to add. For example, rename Copy of System Access by Business Critical Hosts Trend to Custom System Access by Business Critical Hosts Trend.
    3. Add a custom tag. For example, enter Critical_Assets_Trend and click Add Tag.

      Enter Critical_Hosts_Trend for the custom tag.

    4. Click the move button to move the preselected tag to the Available Tags area. For example, move System Access. The only tag selected is the one you added.

    The tag appears as selected.

    5. Click Save and Close.
  3. For the other queries to include in the report, create a copy and select the custom tag you created.
    1. Select a query and select Copy from the Options drop-down list.
    2. Rename the query and select the new custom tag. For example, rename Copy of Resource Access by Business Critical Hosts Trend to Custom Resource Access by Business Critical Hosts Trend, move Critical_Assets_Trend to the Selected Tags list and remove the preselected tag.
    3. Click Save and Close.

    The copied queries display under User:

    Custom queries are listed under the User folder.

  4. If the queries are associated with a keyed list, define the values for that keyed list.
  5. Initiate the report creation process as follows:
    1. Click the Queries and Reports tab and then the Reports subtab.
    2. Select New from the Options drop-down list under the Report List.

      The Report Design wizard appears.

      Add the custom tag, Critical_Assets_Trend.

  6. Design the report layout.

    Select grid rows 3 and columns 1.

  7. Click Save and Close.
  8. Schedule the report based on the custom tag you created.
  9. View the report.

Note: It is good practice to examine any new report to verify that it provides the desired information in the best possible way.

More information:

View a Generated Report

Example: Set Up Federation and Federated Reports

You can collect logs from high-volume, geographically separate data centers and set up reporting so that distributed data is queried from just one of the data centers.

Consider an example scenario where the two high-volume data centers are located in New York and Virginia, where New York is the corporate headquarters. Each data center has a collection server that collects and processes incoming event logs and sends them to its reporting server. The reporting server handles queries, alerts, and reports. Most queries, alerts, and reports target event data collected through agents; consolidating data from these event sources requires federation among reporting servers and collection servers.

Some queries, alerts, and reports target self-monitoring events generated by CA User Activity Reporting Module servers; consolidating this type of data requires inclusion of the management server in the federation. If consolidating self-monitoring event data is not desired, the management server can be excluded from the federation. Self-monitoring events from this server can be monitored with non-federated local reports. For simplicity, the management server is excluded in this federation; inclusion could be achieved by creating a meshed federation between the NY-Reporting-ELM and Management-ELM.

The server names are as follows:

Assume the Administrator in New York wants all reports and alerts that are run from the New York site to include data from the Virginia site, but wants all reports and alerts run from the Virginia site to include only locally collected data.

The following example shows how to federate the servers and configure reporting to meet the criteria for this scenario. Procedures for configuring auto-archiving are not included in this example, but auto-archiving should be configured for any high-volume architecture.

  1. Log in to CA User Activity Reporting Module with Administrator credentials.
  2. Click the Administration tab and select the Services subtab.
  3. Create a hierarchical federation, where NY-Reporting-ELM is the parent and VA-Reporting-ELM is the child as follows:
    1. Expand the Event Log Store service, and then select the server name that is to be the parent in the hierarchical federation, in this case, NY-Reporting-ELM.

    The event log store lists NY-Collection-ELM, NY-Reporting-ELM, VA-Collection-ELM, and VA-Reporting-ELM, where NY-Reporting-ELM is selected.

    2. Select VA-Reporting-ELM from the available federation children list and move it to the selected list.

    Select VA-Reporting-ELM as the Federated Child.

  4. Create a meshed federation between the NY-Reporting-ELM and the NY-Collection-ELM as follows, where each is a child of the other:
    1. Select the NY-Reporting-ELM from the Event Log Store list.
    2. Select NY-Collection-ELM from the available federation children and move it to the selected list.
    3. Select the NY-Collection-ELM from the Event Log Store list.
    4. Select NY-Reporting-ELM from the available federation children and move it to the selected list.
  5. Create a meshed federation between the VA-Reporting-ELM and the VA-Collection-ELM as follows, where each is a child of the other:
    1. Select the VA-Reporting-ELM from the Event Log Store list.
    2. Select VA-Collection-ELM from the available federation children and move it to the selected list.
    3. Select the VA-Collection-ELM from the Event Log Store list.
    4. Select VA-Reporting-ELM from the available federation children and move it to the selected list.
  6. Configure global report server settings and local overrides for VA-Reporting-ELM as follows. Geographically distant servers often use different mail servers.
    1. Select Alerting Service on the Service List.
    2. Configure global or local settings as needed for mail server options from the NY-Reporting-ELM node.
    3. If you plan to email reports, select Report Server and then the NY-Reporting-ELM node.
    4. Set global or local PDF format options, or report options related to report and alert retention.
  7. For each report scheduled to run from NY-Reporting-ELM, do the following:
    1. Select the Scheduled Reports tab and the Report Scheduling tab.
    2. Click Schedule a Report.
    3. Select the report to schedule and complete steps 2, 3, 4, and 5 as needed.
    4. Click the Server Selection step, select NY-Reporting-ELM from the available servers list and move it to the selected servers list and then accept the default, Yes, for federated query.
    5. Click Save and Close.

      On the Schedule Reports wizard, server selection step, select yes for federated query.

    The resulting reports include data from NY-Reporting-ELM, its peer, NY-Collection-ELM, its child, VA-Reporting-ELM, and its child's peer, VA-Collection-ELM.

    Note: A federated query run from VA-Reporting-ELM includes data from VA-Reporting-ELM and its peer VA-Collection-ELM. It does not include data from NY-Reporting-ELM, since this server is its parent in the hierarchical federation.
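The query scope described in this scenario can be modelled as reachability over the configured federation child links. The following Python model is an added example, not code from CA User Activity Reporting Module; the function names and the reachability rule are assumptions chosen to reproduce the results stated above, and the extra links in the self-check are constructed.

```python
from collections import deque

# Federation children exactly as configured in steps 3-5 of the example.
# Key = server selected in the Event Log Store list,
# value = servers moved to its selected federation children list.
FEDERATION = {
    "NY-Reporting-ELM": {"VA-Reporting-ELM", "NY-Collection-ELM"},
    "NY-Collection-ELM": {"NY-Reporting-ELM"},
    "VA-Reporting-ELM": {"VA-Collection-ELM"},
    "VA-Collection-ELM": {"VA-Reporting-ELM"},
}

# Requirement from the scenario: reports run from Virginia must contain
# only locally collected data, so these servers must stay out of scope.
VA_POLICY = {
    "VA-Reporting-ELM": ["NY-Reporting-ELM", "NY-Collection-ELM"],
}


def federated_scope(origin, federation, federated=True):
    """Return the servers whose data a query run from `origin` covers.

    Assumption of this model: a federated query covers the origin plus
    every server reachable by following child links; a non-federated
    query covers only the origin.
    """
    if not federated:
        return {origin}
    seen = {origin}
    queue = deque([origin])
    while queue:
        server = queue.popleft()
        for child in federation.get(server, ()):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def link_types(federation):
    """Classify each link as 'meshed' (both directions) or 'hierarchical'."""
    result = {}
    for parent, children in federation.items():
        for child in children:
            mutual = parent in federation.get(child, ())
            result[(parent, child)] = "meshed" if mutual else "hierarchical"
    return result


def scope_violations(federation, must_not_see):
    """List (origin, server) pairs where a query scope breaks the policy."""
    violations = []
    for origin, forbidden in must_not_see.items():
        leaked = federated_scope(origin, federation) & set(forbidden)
        violations.extend((origin, server) for server in sorted(leaked))
    return violations


def with_link(federation, parent, child):
    """Return a copy of the federation with one extra child link."""
    copy = {server: set(children) for server, children in federation.items()}
    copy.setdefault(parent, set()).add(child)
    copy.setdefault(child, set())
    return copy


if __name__ == "__main__":
    for origin in ("NY-Reporting-ELM", "VA-Reporting-ELM"):
        print(origin, "->", sorted(federated_scope(origin, FEDERATION)))
    print("violations as configured:", scope_violations(FEDERATION, VA_POLICY))
    # Constructed drift: adding NY as a child of VA turns the hierarchical
    # link into a mesh and pulls New York data into Virginia reports.
    drifted = with_link(FEDERATION, "VA-Reporting-ELM", "NY-Reporting-ELM")
    print("violations after drift:", scope_violations(drifted, VA_POLICY))
```

Running the same check after any change to the federation children lists shows whether a hierarchical link has silently become meshed and widened what a site's reports can see.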

More information:

Configuring a CA User Activity Reporting Module Federation

Queries and Reports in a Federated Environment

Example: Federation Map for a Large Enterprise

Edit a Report

You can edit a custom report.

Note: You can disable the Show Selected Report option when editing multiple reports. This lets you select and edit reports without waiting for them to display in the details pane.

To edit a report

  1. Select the report you want to edit from the Report List.
  2. Click Options at the top of the list, and select Edit.

    The Report Design wizard appears, populated with the specifications of the report you selected.

  3. Make the changes you want and then click Save and Close.

    The edited report appears in the Report List under the User folder.

More information:

How to Create a Report

Disable Show Selected Report

Delete a Custom Report

You can delete a custom report. You cannot delete a subscription report.

To delete a custom report

  1. Select the custom report you want to delete from the Report List.
  2. Click Options at the top of the list, and select Delete.

    A confirmation dialog appears.

  3. Click Yes.

    The deleted report is removed from the Report List.

More information:

How to Create a Report

Edit a Report

Example: Delete Daily Reports More Than 30 Days Old

You can implement policies on report retention through the global configuration of report servers. You can set a different retention policy for each scheduled report recurrence, that is,

You must change the default of Never Runs for the Reports Retention utility to a frequency. Be sure the frequency with which you set the utility to run is often enough to do the deletions at the frequency you configure. For example, if you want to delete your daily reports 1 day after they run, and you schedule daily reports to be run at 6 a.m. and 6 p.m., you would set the reports retention utility to run every 12 hours at the minimum.

Example: Delete all Daily Reports Older Than 30 Days

  1. Click the Administration tab and the Services subtab.

    The Service List shows services by service.

  2. Click Report Server.

    The Global Service Configuration: Report Server appears.

  3. Use the following guidelines to complete this configuration:
  4. Click Save.

Export Report Definitions

You can export the details of user-created files for use in other management servers. The export is saved as an XML file. An exported report definition includes the definitions for all the queries in that report.

To export report details

  1. Click the Queries and Reports tab, and then the Reports subtab.

    The Report List appears.

  2. Click Options at the top of the list, and select Export.

    The Export User Definitions dialog appears, displaying available user-created reports.

  3. Select the report or reports you want to export using the shuttle control, and click Export.

    An export dialog appears.

  4. Enter or browse for the location you want to save the XML export files, and click Save.

    The Report files are saved to your chosen location and a confirmation dialog appears.

  5. Click OK, and then Close.

    The Export User Report Definitions dialog closes.

More information:

Import Report Definitions

Import Report Definitions

You can import report definition XML files for use in the local management server.

To import report details

  1. Click the Queries and Reports tab, and then the Reports subtab.

    The Report List appears.

  2. Click Options at the top of the list, and select Import.

    An Import File dialog opens.

  3. Enter or browse for the location of the file you want to import, and click OK.

    The Import Results window appears.

  4. Click Import Another File to repeat step 3, or Close.

    The Import User Report and Query Definitions window closes.

More information:

Export Report Definitions

Preparing to Use Reports with Keyed Lists

All reports are built from one or more queries. Some queries used in predefined reports are designed to select all values from a given table where a certain attribute field contains a value used as criteria for compiling the list of key values. For example, an assets table has an IsCritical field. A query that selects all asset names from the asset table where IsCritical equals Yes, would select only the names of critical assets. These names could be returned to CA User Activity Reporting Module to refresh the values for the Critical_Assets key.

Preparing to use predefined reports with keyed lists involves the following tasks:

In addition, you can add new keys for custom reports that use keyed lists and then add values for each new key. You can also add values to the Business_Critical_Sources key and the ELM_System_Lognames key for on demand queries of your own design.

Enabling Dynamic Values Import

The procedures required to enable dynamic values import apply only to CA IT PAM users.

If you use CA IT PAM and have existing tables or spreadsheets where you keep lists of files, databases, hosts, and users, for example, you can leverage this data. You can create a process that reads the table or file, selects the values pertinent to the key, and returns those values to the CA User Activity Reporting Module values list for that key.

To import dynamic values

  1. Create a process in CA IT PAM for each key values list that you want to generate on demand.

    Note: If any process reads a database table, install a CA IT PAM agent on the server with the SQL Server 2005 database.

  2. Configure CA IT PAM integration for dynamic values in CA User Activity Reporting Module.

More information:

Create a CA IT PAM Process to Generate a Values List

Configure CA IT PAM Integration for Dynamic Values

About Dynamic Values Processes

A dynamic values process is a CA IT PAM process that you can invoke to populate or update the values list for a selected key that is used in reports or alerts. The assumption is that you are already storing master lists of the files, databases, hosts, users, and so forth that make up your work environment and that this master list is designed with attributes that allow you to query for sets of values of interest. If you use CA IT PAM, you can create processes that can be invoked to run the queries that return the data to CA User Activity Reporting Module for use as key values in the reports and alerts based on keys. Being able to dynamically create a values list is a useful way to keep volatile key lists updated with current values.

Create a CA IT PAM Process to Generate a Values List

You can create a process in CA IT PAM for each key values list that you want to be able to generate on demand. Use your CA IT PAM documentation for details on process creation. Each process must meet CA User Activity Reporting Module requirements regarding InputKey, the ValueList and FaultString local process parameters, and the Success and Failure calculation operators.

Use the following guidelines:

If you create a script, consider these additional guidelines:

More information:

Configure CA IT PAM Integration for Dynamic Values

Configure CA IT PAM Integration for Dynamic Values

You can configure CA IT PAM integration to leverage either or both of the following types of CA IT PAM processes:

Configuration for either purpose requires the ability to launch and log in to CA IT PAM. Gather the following values:

Configuration of CA IT PAM for dynamic values lets you import the list of values that are dynamically generated by the configured dynamic values process. The import is done when setting up or refreshing keyed values used in certain reports and alerts.

The following procedure addresses both the common settings and the one specific to dynamic values.

To configure CA IT PAM integration for the dynamic values process

  1. Click the Administration tab and the Services subtab.
  2. Click Report Server.

    The Global Service Configuration: Report Server appears.

  3. Scroll to the IT PAM area.
  4. Make the following entries to enable CA IT PAM access:
    1. Enter the fully qualified host name of the server on which CA IT PAM is installed.
    2. Accept the default port number, 8080.
    3. Enter valid login credentials for CA IT PAM.
  5. Enter a process path in the Dynamic Values Process field.

    This process path becomes the default when importing dynamic values.

  6. Click Save.

    The following message appears: Confirmation: Configuration changes saved successfully.

Approaches to Maintaining Keyed Lists

Keyed lists are used in some predefined reports and in some predefined queries tagged as appropriate for action alerts. If you plan to use these reports or create alerts that use these queries, you can use any combination of the following approaches to maintaining your keyed lists.

If you plan to create custom reports that use a keyed list, you can add a custom key and then add or import its values.

You can identify the keyed list or lists used in a query and then update that list before scheduling a report or alert that includes that query.

More information:

Using Queries Tagged as Action Alert

Update a Keyed List Manually

Update a Keyed List with Export/Import

Example: Update a Keyed List with a CSV File

Create a Keyed List

Keyed lists let you create a group and assign values to it. You can then query the group name and any of the values in the group will return a positive result. You can assign values individually or import them from a .csv file. You can create custom keyed lists or add values to predefined lists.

For example, some queries for Privilege Grant reports search for a key value named "Privileged_Groups". When a query includes this value, it returns all rows where that field contains any of the values specified in the group.

To create a Keyed List

  1. Click the Administration tab, the Library subtab, and the Keyed List folder.
  2. Click New for a new list, or select the list to which you want to add values.

    Keyed List Details appears in the right pane.

  3. Type a name and description for the keyed list, and select a type.
  4. Enter the IT PAM dynamic values process that generates values for the selected key.

    Note: The IT PAM dynamic values process updates only the Users list of the Keyed List Values table. The Users list is periodically overwritten with the latest values.

  5. (Optional) If you want to test the validity of the entered IT PAM dynamic value process, click the test icon.

    If the connection is successful, a confirmation message is displayed.

  6. If you want to import values, go to Step 10. If you want to add values individually, go to Step 7.
  7. Click Add at the top of the Keyed List Values table.

    A highlighted row appears in the User column.

  8. Click the row, and type a value.
  9. Repeat steps 6-7 to add additional values.
  10. Click Import at the top of the List Details area, browse for the file containing the values you want to import, and click OK.

    The values appear in the Values area.

    Note: You can only import .csv files that do not contain special characters.

  11. When you have added all the values you want, click Save.

    The new list appears in the User folder of the Keyed Lists folder.

More information:

Configure CA IT PAM Integration

Update a Keyed List Manually

You can update the values in a keyed list in several ways. One way is to add, edit, and delete values manually.

To update a keyed list manually

  1. Click the Administration tab, the Library subtab, and the Keyed List folder.
  2. Expand the Keyed List folder, and select the keyed list you want to update.
  3. To add a value to the keyed list:
    1. Select the key to which you want to add a value.
    2. Click Add Value.
    3. Enter the name of the value in the Name field and click OK.

      The added value appears in the Values list for the selected key.

    4. Repeat these steps for each value to add.
  4. To delete a value in a keyed list:
    1. Select the key with an unneeded value.
    2. Select the value to delete and click Remove Value.

      A confirmation message appears.

    3. Click OK.

      The value is deleted from the Values list of the selected key.

    4. Repeat these steps for each value to delete.
  5. To edit a value in the keyed list:
    1. Select the key with the value to modify.
    2. Select the value to modify and click Edit Value.
    3. Edit the entry in the Name field and click OK.

      The value is displayed with the modified name in the Values list of the selected key.

    4. Repeat these steps for each value to edit.
  6. Click Save.

    The values for the selected keys are updated.

Update a Keyed List with Export/Import

If you store values that correspond to a key in an Excel spreadsheet, you can save that spreadsheet as a comma-separated values list (*.csv) and populate the Keyed List for the selected key with an import.

You can update keyed list values you store in a CSV file in the following ways:

To update a keyed list with export or import

  1. Click the Administration tab, the Library subtab, and the Keyed List folder.
  2. Expand the Keyed List folder, and select the keyed list you want to update.
  3. To update values for a selected key from a CSV file that contains current values:
    1. Select the key in the Key Values list that you want to update.
    2. Click Import Values on the Values list toolbar.

      The Import file dialog appears.

    3. Click Browse, and navigate to the location where the CSV file containing the values for the selected key is saved.
    4. Select the file to import and click Open, and then click OK.

    The Values list is updated with the values from the CSV file.

  4. To update the values for a selected key where the CSV file either does not exist or is not current:
    1. Select the key in the Key Values list that you want to update.
    2. In the Values toolbar, click Export Values, navigate to the location where you want to save the CSV file, and click Save.

      A success confirmation appears.

    3. Click OK.
    4. Navigate to the exported file, open the spreadsheet, and modify or delete existing columns as required. Scroll to display the last column, and add new entries. Then, save the file as a CSV file.
    5. Select the same key and click Import Values.
    6. Click Browse, select the file you saved, and click Open.
    7. Click OK.

    The file is uploaded. You can scroll to the bottom of the Values list to confirm your new entry is present.

Example: Update a Keyed List with a CSV File

You can supply values for keyed lists in the following three ways:

Use the following example as a guide to updating the values in any user-defined keyed list where the values are stored in an Excel spreadsheet saved as a comma-separated values list (*.csv).

To update a keyed list with a CSV file

  1. Click the Administration tab, the Library subtab, and the Keyed List folder.
  2. Expand the Keyed List folder, and select the keyed list you want to update, such as Default_Accounts, and click Export Values.

    An Export dialog appears with file.csv as the default filename.

  3. Select the directory where you want to save the exported file. Change the file name, for example, Default_Accounts.csv and click Save.

    A confirmation message appears.

  4. Click OK.
  5. Browse to the exported .csv file, open it and scroll to display the last column, and add the entry you want to include. Optionally, delete the column for any default entry you want to remove from the keyed list for Default_Accounts.
  6. Save and close the .csv file and return to the CA User Activity Reporting Module interface.
  7. Click Import Values for the list you want to update; here, the Default_Accounts keyed list.
  8. Click Browse, select the file you saved, and click Open.
  9. Click OK.

    The file is uploaded. Scroll to the bottom of the Values list to confirm that your new entry is present.

Update a Keyed List with a Dynamic Values Process

If you use CA IT PAM processes to generate a list of values associated with a key used in CA User Activity Reporting Module queries, run the IT PAM dynamic values process from CA User Activity Reporting Module and update the values for a given key. Importing saves you the time of manually entering all the values for a given key. When values for one of your keys change, you can refresh them in CA User Activity Reporting Module by selecting the key and repeating the import of dynamic values.

Configure CA IT PAM integration for dynamic values before attempting to import keyed list values from CA IT PAM.

To import values for a keyed list from CA IT PAM

  1. Click the Administration tab, the Library subtab, and the Keyed List folder.
  2. Expand the Keyed List folder, and select the keyed list you want to update.
  3. To create a key for the values to import:
    1. Click Add at the top of the keyed values table.

      The first available row in the User column is selected.

    2. Click the row, and type the name of the new key.
    3. Click Save.
  4. To refresh dynamic values for an existing key:
    1. Select the key.
    2. Click Import Dynamic Values list at the top of the details pane.

      The Import Dynamic Values dialog appears.

    3. Enter the name of the IT PAM Dynamic Values Process that generates the values for the selected key, and then click OK.

      The associated CA IT PAM process is run, a file with the results is returned, and values for the selected key are refreshed.

    4. Click Save.

More information:

Create a CA IT PAM Process to Generate a Values List

Configure CA IT PAM Integration for Dynamic Values

About Dynamic Values Processes

Enabling Dynamic Values Import

Determine Keyed List Usage for a Query

It is good practice to keep keyed lists updated with current values. To update a keyed list used in a particular report or alert, first identify the queries used in the report or alert. Then, determine the keyed list used in the source query or queries. Queries that use a keyed list often reference the keyed list name in the query name. For example, there are queries with "Default Accounts" or "Privileged Group" in the query name.

To determine keyed list usage for a query

  1. Open a copy of the query you want to check for keyed list usage in the query design wizard.
  2. Click the Query Filters step and then click the Advanced Filters tab.
  3. A query using a keyed list has a filter with the operator Keyed. The value is the name of the keyed list, for example, Default_Accounts.
  4. Click Cancel. The query copy is not saved.

Creating Keyed Values for Predefined Reports

Some predefined keys that are used in predefined reports have no predefined values. To use these reports effectively, you must supply values for the respective keyed lists. You can also add custom values to keyed lists with predefined values.

Examples of Keyed Lists that have no predefined values include:

You can add values to any keyed lists manually or by import.

Create Keyed Values for Critical_Assets

This topic provides an example of adding custom values to a keyed list that has none provided by default. You can follow this example to add values to other existing keyed lists.

You can use certain reports and queries to monitor activities by your business critical hosts. To do this, you must first identify these hosts as values in the key-value list for Critical_Assets.

Reports that use the Critical_Assets list include the following:

Similar reports for CA Access Control, CA Identity Manager, and CA SiteMinder use the Critical_Assets keyed list, for example: CA Access Control - Account Creations by Business Critical Hosts.

Queries that use the Critical_Assets list include the following:

If you create a custom query on critical assets, define the filter as follows:

| Column | Operator | Value |
|---|---|---|
| dest_hostname | Keyed | Critical_Assets |

To define a filter for other keyed lists, replace the value with the list value you want. For example, you could set the filter value to EPHI_Database to filter for hostnames belonging to that keyed list.

To create keyed values for Critical_Assets

  1. Click the Administration tab, the Library subtab, and the Keyed List folder.
  2. Expand the Keyed List folder, and select Critical_Assets.
  3. Take one of the following actions to create this list:
  4. Click Save.

    Reports using this keyed list that are generated by scheduled jobs begin reflecting data for the updated values.

Customize Keyed Values for Administrators

This topic provides an example of adding custom values to a predefined keyed list that has some values already set. You can follow this example to add values to other existing keyed lists.

You can use predefined reports and their associated queries to monitor activities by your administrators. Predefined values include Administrator, root, sa, and admin. To customize the list, identify other accounts in your environment that have admin privileges as values in the key-value list for Administrators.

If you create a custom query that uses this key, define the filter as follows:

| Column | Operator | Value |
|---|---|---|
| dest_username | Keyed | Administrators |

To define a filter for other keyed lists, replace the value with the list value you want. For example, you could set the filter value to EPHI_Database to filter for hostnames belonging to that keyed list.

To customize keyed values for Administrators

  1. Click the Administration tab, the Library subtab, and the Keyed List folder.

    A list of keys to which you add user-defined values is displayed at the bottom of the main pane.

  2. Select the key, Administrators.

    The predefined values appear.

  3. Take one or more of the following actions to update this list:
  4. Click Save.

    Reports using this keyed list that are generated by scheduled jobs begin reflecting data for the updated values.
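
The following sketch is an added illustration, not CA User Activity Reporting Module code. It models the Keyed filter definitions above as a set-membership test and shows why a query over a keyed list with no values, such as Critical_Assets, returns nothing until values are supplied. The exact, case-sensitive matching, the query names, the hostnames, and the events are assumptions constructed for the example.

```python
# Added illustration; not CA User Activity Reporting Module code.
# Assumption: a Keyed filter is an exact, case-sensitive membership test.

# Keyed lists: key name -> user-defined values.
# EPHI_Database is left out of this constructed model to show the undefined case.
KEYED_LISTS = {
    "Administrators": {"Administrator", "root", "sa", "admin"},  # predefined values
    "Critical_Assets": set(),  # has no predefined values
}

# Filters as (column, operator, value); query names are hypothetical.
QUERY_FILTERS = {
    "Logins on critical hosts": ("dest_hostname", "Keyed", "Critical_Assets"),
    "Activity on admin accounts": ("dest_username", "Keyed", "Administrators"),
    "EPHI host access": ("dest_hostname", "Keyed", "EPHI_Database"),
}

# Constructed sample events.
EVENTS = [
    {"dest_hostname": "pay-db-01", "dest_username": "root"},
    {"dest_hostname": "web-07", "dest_username": "svc_backup"},
    {"dest_hostname": "pay-db-01", "dest_username": "jsmith"},
]

def run_query(flt, events, lists):
    """Return the events whose filter column holds a value in the keyed list."""
    column, operator, list_name = flt
    if operator != "Keyed":
        raise ValueError(f"unsupported operator: {operator}")
    values = lists.get(list_name, set())
    return [e for e in events if e.get(column) in values]

def audit_filters(filters, lists):
    """Flag Keyed filters whose list is undefined or empty (report shows no data)."""
    findings = {}
    for query, (_column, operator, list_name) in filters.items():
        if operator != "Keyed":
            continue
        if list_name not in lists:
            findings[query] = "undefined keyed list"
        elif not lists[list_name]:
            findings[query] = "keyed list has no values"
    return findings

if __name__ == "__main__":
    for query, problem in audit_filters(QUERY_FILTERS, KEYED_LISTS).items():
        print(f"{query}: {problem}")
    flt = QUERY_FILTERS["Logins on critical hosts"]
    print(len(run_query(flt, EVENTS, KEYED_LISTS)))   # before values are added
    populated = {**KEYED_LISTS, "Critical_Assets": {"pay-db-01"}}
    print(len(run_query(flt, EVENTS, populated)))     # after adding a host
```
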

View a Report Using a Keyed List

You can view the results of a report before scheduling it to be generated. Certain predefined reports use keyed lists, where the key is predefined but the values are user-defined. Once you add or import values for a key, it is a good practice to view the report using the keyed list.

To view a report using a keyed list

  1. Click the Queries and Reports tab and the Reports subtab.
  2. Select a report that uses a keyed list.
  3. View the results.