

Configuring Event Collection

This section contains the following topics:

Installing Agents

Using the Agent Explorer

Configuring the Default Agent

Example: Enable Direct Collection Using the ODBCLogSensor

Example: Enable Direct Collection Using the WinRMLinuxLogSensor

View and Control Agent or Connector Status

Installing Agents

With separate installations for specific platforms, CA User Activity Reporting Module agents provide the transport layer for getting events from event sources to the CA User Activity Reporting Module server's event log store. Agents use connectors to collect event logs from different event sources. The following diagram shows the interactions between agents and the CA User Activity Reporting Module server:

The diagram shows one agent installed on an event source with multiple connectors and the agent's connection to the CA Enterprise Log Manager's event log store.

After you install an agent on an event source, you can configure one or more connectors to collect events from event sources such as devices, applications, operating systems, and databases. The examples in the diagram include connectors for CA Access Control and an Oracle database. You typically will install only one agent per host server or event source, but you can configure more than one type of connector on that agent. You can use the Agent Explorer that is part of the CA User Activity Reporting Module server to control agents and to configure and to control connectors on an agent. The Agent Explorer also allows you to create agent groups for easier management and control.

You base your configuration of a connector on either an integration or a listener, which are templates that can comprise files for data access, message parsing, and data mapping. CA User Activity Reporting Module provides a number of integrations for popular event sources out-of-the-box.

More Information:

How to Create an Agent Group

View and Control Agent or Connector Status

Using the Agent Explorer

Immediately after you install a CA User Activity Reporting Module server, you have a default agent listed in the Agent Explorer. That agent is installed when you install the CA User Activity Reporting Module server, and you use it for direct syslog event collection.

The Agent Explorer tracks and lists agents as you install them in your network, and provides a centralized place for configuration, command, and control of agents and connectors. Agents register with the CA User Activity Reporting Module server you specify the first time you start them. When that registration takes place, the agent name appears in the Agent Explorer and you are ready to configure a connector to begin event log collection. Connectors gather event logs and send them to the CA User Activity Reporting Module server. One agent can control many connectors.

Using the Agent Explorer to install, configure, and control connectors and agents involves the following basic steps:

  1. Download the agent binaries.
  2. Create one or more agent groups (optional).
  3. Create and configure a connector, including creating or applying suppression and summarization rules.
  4. View agent or connector status.

More information:

About Agents

About Agent Groups

About Log Sensors

Suppression Rule Effects

Configuring the Default Agent

The CA User Activity Reporting Module installation creates a default agent on the CA User Activity Reporting Module server that has two connectors ready for use, a syslog_Connector and a Linux_local Connector. The syslog connector is available for collection of syslog events sent to the CA User Activity Reporting Module server. The Linux_local connector is available for collection of OS-level events from the CA User Activity Reporting Module physical server, or from a syslog file.

In the basic two-server environment, configure one or more syslog connectors on the collection server to receive events.

The process for using the default agent includes the following steps:

  1. (optional) Review the syslog integrations and listeners.
  2. Create a syslog connector.
  3. Verify that the CA User Activity Reporting Module server is receiving syslog events.

Review syslog Integrations and Listeners

You can review the default syslog integrations and listeners before you create a connector. Listeners are essentially a template for your syslog connectors that use specific syslog integrations provided as out-of-the-box content with your CA User Activity Reporting Module server.

To review syslog integrations

  1. Log into CA User Activity Reporting Module and access the Administration tab.
  2. Click the Library subtab and expand the Event Refinement Library node.
  3. Expand both the Integrations node and the Subscription node.
  4. Select an integration whose name ends with ..._Syslog.

    The integration details display in the right side window. You can review which message parsing and data mapping file the integration uses and other details such as version and lists of suppression rules and summarization rules.

To review a syslog listener

  1. Expand both the Listeners node and the Subscription node.
  2. Select the Syslog listener.

    The default listener details display in the right side window. You can review details such as versions, suppression and summarization rules, the default ports on which to listen, a list of trusted hosts, and the listener's time zone.

Create a syslog Connector for the Default Agent

Create a syslog connector to receive syslog events using the default agent on the CA User Activity Reporting Module server.

To create a syslog connector for the default agent

  1. Log into CA User Activity Reporting Module and access the Administration tab.
  2. Expand the Agent Explorer and an agent group.

    The default agent is automatically installed into the Default Agent Group. You can move this agent to another group.

  3. Select the agent name.

    The default agent has the same name you gave the CA User Activity Reporting Module server during installation.

  4. Click Create New Connector to open the connector wizard.
  5. Click the Listeners option and provide a name for this connector.
  6. Apply suppression rules and summarization rules as needed in the second and third pages of the wizard.
  7. Select one or more targeted syslog integrations from the Available list to use with this connector, and move them to the Selected list.
  8. Set UDP and TCP port values, if you are not using the defaults, and provide a list of trusted hosts if your implementation uses them.

    Note: When a CA User Activity Reporting Module agent does not run as root, it cannot open a port below 1024. The default syslog connector therefore uses UDP port 40514. The installation applies a firewall rule to the CA User Activity Reporting Module server to redirect traffic from port 514 through 40514.

  9. Select a time zone.
  10. Click Save and Close to finish the connector.

    The connector begins collecting syslog events that match the selected integrations on the ports you specified.

Verify that CA User Activity Reporting Module Is Receiving syslog Events

You can verify that the connector on the default agent is collecting syslog events with the following procedure.

To verify syslog event receipt

  1. Log into CA User Activity Reporting Module and access the Queries and Reports tab.
  2. Select the System query tag and open the System All Events Detail query.

    You should see events listed for the default agent if you configured the connector correctly and the event source is actively sending events.
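The note on UDP port 40514 and the verification procedure above describe checking that syslog events actually arrive at the server. The following Python script is an added example, not code from the CA product or its documentation: it builds an RFC 3164 syslog line, sends it over UDP to a loopback listener, filters the datagram against a trusted-hosts list, and decodes the PRI field on receipt. `DEFAULT_AGENT_SYSLOG_PORT` is the 40514 from the note; the facility and severity tables are the standard RFC 3164 codes; the hostnames, messages and trusted-host entries are constructed sample values; and `is_trusted` is this script's own check, written to mirror the spirit of the connector's trusted hosts option, not the product's matching code.

```python
"""Loopback check for syslog delivery to a collector.

Added example, not product code: builds an RFC 3164 syslog line, sends it
over UDP, receives it, filters by a trusted-hosts list and decodes the PRI.
All hostnames, addresses and messages below are constructed sample values.
"""
import ipaddress
import socket
import time

# Port the non-root default agent listens on (the installer redirects 514 here).
DEFAULT_AGENT_SYSLOG_PORT = 40514

# Subset of the RFC 3164 facility and severity codes.
FACILITIES = {"kern": 0, "user": 1, "auth": 4, "syslog": 5, "authpriv": 10, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def rfc3164_timestamp(t=None):
    """'Mmm dd hh:mm:ss' with the day space-padded, as RFC 3164 requires."""
    t = t or time.localtime()
    return time.strftime("%b", t) + f" {t.tm_mday:2d} " + time.strftime("%H:%M:%S", t)


def build_syslog_message(facility, severity, hostname, tag, text, timestamp=None):
    """Return the wire bytes: <PRI>TIMESTAMP HOSTNAME TAG: text."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    ts = timestamp or rfc3164_timestamp()
    return f"<{pri}>{ts} {hostname} {tag}: {text}".encode("utf-8")


def parse_pri(line):
    """Decode the <PRI> prefix into (facility_code, severity_code).

    Raises ValueError for a missing or out-of-range PRI, which is the first
    thing to check when a collector shows datagrams arriving but maps nothing.
    """
    if not line.startswith(b"<"):
        raise ValueError("missing PRI")
    end = line.find(b">", 1, 6)          # PRI is 1 to 3 digits
    if end < 0 or not line[1:end].isdigit():
        raise ValueError("malformed PRI")
    pri = int(line[1:end])
    if pri > 191:                        # 23 facilities * 8 + 7
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8


def is_trusted(source_ip, trusted_hosts):
    """True if source_ip falls inside any entry of a trusted-hosts list.

    Entries may be single addresses or CIDR blocks; an empty list trusts all.
    Assumption: mirrors the connector's trusted hosts option in spirit only,
    not the product's actual matching code.
    """
    if not trusted_hosts:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(h, strict=False) for h in trusted_hosts)


def loopback_check(message, port=0, trusted_hosts=(), timeout=2.0):
    """Send `message` to a UDP listener on 127.0.0.1 and return what it accepted.

    port=0 picks a free ephemeral port so the check runs without the real
    connector; pass DEFAULT_AGENT_SYSLOG_PORT to exercise that port instead.
    Returns None when the datagram is dropped by the trusted-hosts filter.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind(("127.0.0.1", port))
        listener.settimeout(timeout)
        bound_port = listener.getsockname()[1]
        sender.sendto(message, ("127.0.0.1", bound_port))
        data, (src_ip, _) = listener.recvfrom(2048)
    finally:
        sender.close()
        listener.close()
    return data if is_trusted(src_ip, trusted_hosts) else None


if __name__ == "__main__":
    msg = build_syslog_message("auth", "notice", "host-a", "sshd", "Accepted publickey for alice")
    got = loopback_check(msg, trusted_hosts=["127.0.0.0/8"])
    print("received:", got)
    print("facility, severity:", parse_pri(got))
```

Run it as-is to see a send/receive round trip on loopback; to exercise the agent's port, call `loopback_check(msg, port=DEFAULT_AGENT_SYSLOG_PORT)` on the server itself, which fails to bind if the connector already holds that port (itself a useful signal). A message that arrives but fails `parse_pri` is the usual reason a source shows traffic on the wire yet no events in the System All Events Detail query.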

Example: Enable Direct Collection Using the ODBCLogSensor

You can enable direct collection of events generated by specific databases and CA products with the ODBCLogSensor. To do this, you create a connector on the default agent that is based on an integration that uses the ODBCLogSensor. Many integrations use this sensor, for example, CA_Federation_Manager, CAIdentityManager, Oracle10g, Oracle9i, and MS_SQL_Server_2005.

Following is a partial list of products that generate events that can be collected directly by the default agent on a CA User Activity Reporting Module server. For each product, a unique connector is used; each connector uses the ODBCLogSensor.

For a complete list, see the Product Integration Matrix on Support Online.

This example shows how to enable direct collection of events from a Microsoft SQL Server database. The connector deployed on the default agent is based on the MS_SQL_Server_2005 integration. In this example, the SQL Server database resides on an ODBC server. The connector deployed to the CA User Activity Reporting Module agent collects events from the MSSQL_TRACE table. Part of enabling the collection of events from a Microsoft SQL Server database is to direct selected events to this trace table. You can find explicit directions for doing this in the CA Connector Guide for Microsoft SQL Server.

To learn how to configure the Microsoft SQL Server event source

  1. Select the Administration tab and the Library subtab.
  2. Expand Event Refinement Library, expand Integrations, expand Subscription, and select MS_SQL_Server_2005.

    The View Integration Details displays the sensor name, ODBCLogSensor. Supported platforms include both Windows and Linux.

  3. Click the Help link on View Integration Details.

    The Connector Guide for Microsoft SQL Server appears.

  4. Review the Prerequisites and Microsoft SQL Server Configuration sections for guidelines.

To configure the event source and verify logging

  1. Gather the following details: the IP address of the ODBC server, the database name, the Administrator user name and password required to log on to the server, and the credentials of the low-privileged user used for SQL Server authentication. (This is the user defined to have read-only access to the trace table.)
  2. Log on to the ODBC server with the Administrator user name and password.
  3. Ensure connectivity over TCP/IP as specified in the Connector Guide for Microsoft SQL Server.
  4. Configure the SQL Server and verify that events are being directed to the trace table as specified in the Connector Guide for Microsoft SQL Server.

    Note: Keep a record of the name of the database under which you create the trace table. You must specify that database name in the connection string. For example: master.

To create a connector on the default agent to retrieve events generated by a SQL Server database on an ODBC Server

  1. Select the Administration tab and the Log Collection subtab.
  2. Expand Agent Explorer, and expand the agent group containing the CA User Activity Reporting Module default agent.
  3. Select a default agent, that is, an agent with the name of a CA User Activity Reporting Module server.

    The default agent can have other connectors deployed to it.

  4. Click Create New Connector.

    The New Connector Creation wizard opens with the Connector Details step selected.

  5. Select the MS_SQL_Server_2005 integration from the Integration drop-down list.

    This selection populates the Connector Name field with MS_SQL_Server_2005_Connector.

  6. (Optional) Replace the default name with one that makes the connector easy for you to identify. Consider providing a unique name if you are monitoring several SQL Server databases with this same agent.

  7. (Optional) Click the Apply Suppression Rules step and select rules associated with the supported events.

    For example, select MSSQL_2005_Authorization 12.0.44.12.

  8. Click the Connector Configuration step and click the Help link.

    Instructions include CA Enterprise Log Manager Sensor Configuration Requirements for both Windows and Linux.

  9. Review the steps for Linux, the platform of the default agent, and configure the Connection String and other fields as specified.
    1. Enter the connection string as specified under Sensor Configuration--Linux, where the address is the host name or IP address of the event source and the database is the SQL Server database under which MSSQLSERVER_TRACE is created.
      DSN=SQLServer Wire Protocol;Address=IPaddress,port;Database=databasename
      
    2. Enter the name of the user with read-only event collection access rights. This user must be assigned the db_datareader and public roles to have read-only access.
    3. Enter the password for the specified Username.
    4. Specify the timezone of the database as an offset of GMT.

      Note: On a Windows server, this information appears on the Time Zone tab of Date and Time Properties. Open the clock on the system tray.

    5. Select or clear Read from Beginning depending on whether you want the log sensor to read events from the beginning of the database.

    A partial example follows:

    [Screenshot: the Connector Configuration fields entered as specified in the connector guide.]

  10. Click Save and Close.

    The new connector name displays under the agent in the Agent Explorer.

  11. Click the MS_SQL_Server_2005_Connector to view status details.

    Initially, the status shows Configuration pending. Wait until that status shows Running.

  12. Select the connector and click Running to see event collection details.

    Note: You can also run a report to view data from this database.
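Step 9 above gives the connection string layout for the ODBCLogSensor, `DSN=SQLServer Wire Protocol;Address=IPaddress,port;Database=databasename`, and most configuration failures at this point are typing slips in that one field. The following Python script is an added example, not code from the CA product or its connector guide: it builds the string from validated parts and parses one back into fields, rejecting a missing `Database`, an `Address` without `,port`, or a port outside 1 to 65535. The DSN name and field layout are taken from the excerpt above; the addresses and database names are constructed sample values; and the `require_ip` option goes beyond this step, generalising the page's later advice for WinRM sources to enter an IP address rather than a host name, as an option of this example only.

```python
"""Build and check the ODBCLogSensor connection string for a SQL Server source.

Added example, not product code. The DSN name and the
DSN=...;Address=host,port;Database=name layout come from the connector
guide excerpt on the page; addresses and database names are constructed.
"""
import ipaddress
import re

DSN_NAME = "SQLServer Wire Protocol"
# RFC 1123 host name: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$)(?:{_LABEL}\.)*{_LABEL}$")


def is_valid_address(address, require_ip=False):
    """Accept an IP literal, or a host name unless require_ip is set.

    require_ip is this example's option (not a product setting); it mirrors
    the advice to enter an IP address rather than a host name for a source.
    """
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        pass
    return not require_ip and bool(HOSTNAME_RE.match(address))


def build_connection_string(address, port, database):
    """Return 'DSN=...;Address=address,port;Database=database' after validation."""
    if not is_valid_address(address):
        raise ValueError(f"bad address: {address!r}")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port: {port}")
    # Separators of the string itself cannot appear in a field value.
    if not database or any(c in database for c in ";=,"):
        raise ValueError(f"bad database name: {database!r}")
    return f"DSN={DSN_NAME};Address={address},{port};Database={database}"


def parse_connection_string(conn):
    """Split a connection string back into its fields, checking each one.

    Catches the usual slips before the connector is saved: a missing Database
    (it must be the database under which the trace table was created), an
    Address without ',port', or a port outside 1-65535.
    """
    fields = {}
    for part in conn.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key.strip().lower()] = value.strip()
    missing = [k for k in ("dsn", "address", "database") if k not in fields]
    if missing:
        raise ValueError(f"missing field(s): {', '.join(missing)}")
    host, sep, port = fields["address"].partition(",")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"Address must be host,port with a valid port: {fields['address']!r}")
    if not is_valid_address(host):
        raise ValueError(f"bad address: {host!r}")
    if not fields["database"]:
        raise ValueError("Database must not be empty")
    return {"dsn": fields["dsn"], "address": host,
            "port": int(port), "database": fields["database"]}


if __name__ == "__main__":
    cs = build_connection_string("192.0.2.10", 1433, "master")   # constructed sample
    print(cs)
    print(parse_connection_string(cs))
```

Pair the string check with the credential check the guide calls for: the Username entered in step 9 should be the low-privileged SQL login that holds only the db_datareader and public roles on the trace database, never the Administrator account used to set the server up.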

To verify that the default agent is collecting events from the target event source

  1. Select the Queries and Reports tab. The Queries subtab is displayed.
  2. Expand Prompts in the Query List and select Connector.
  3. Enter the connector name and click Go.

    Collected events are displayed. The first two are internal events. Those that follow are events collected from the MS SQL trace table you configured.

    Note: If the expected events are not displayed, click Global Filters and Settings in the main toolbar, set the Time Range to No Limit, and save the setting.

  4. (Optional) Select Show raw events and examine the result string for the first two events. The result string appears last in the raw event. The following values indicate a successful start.

More information:

Event Sources for Direct Log Collection

Example: Enable Direct Collection Using the WinRMLinuxLogSensor

You can enable direct collection of events generated by Windows applications or the Windows Server 2008 operating system with the WinRMLinuxLogSensor. To do this, you create a connector on the default agent that is based on an integration that uses the WinRMLinuxLogSensor. Many integrations use this sensor, for example, Active_Directory_Certificate_Services, Forefront_Security_for_Exchange_Server, Hyper-V, MS_OCS, and WinRM. The Windows applications and operating systems whose events the WinRMLinuxLogSensor can retrieve are those for which Windows Remote Management is enabled.

Following is a partial list of products that generate events that can be collected directly by the default agent on a CA User Activity Reporting Module server. For each product, a unique connector is used; each connector uses the WinRMLinuxLogSensor.

For a complete list, see the Product Integration Matrix on Support Online.

This example shows how to enable direct collection of events using a connector based on the WinRM integration. When such a connector is deployed, it collects events from a Windows Server 2008 operating system event source. Collection begins after you configure the event sources to log events in the Windows Event Viewer and enable Windows Remote Management on the server as specified in the Connector Guide associated with this integration.

To learn how to configure the Windows Server 2008 event source

  1. Select the Administration tab and the Library subtab.
  2. Expand Event Refinement Library, expand Integrations, expand Subscription, and select WinRM.

    The View Integrations Details displays the sensor name, WinRMLinuxLogSensor. Supported platforms include both Windows and Linux.

  3. Click the Help link on the WinRM View Integration Details.

    The Connector Guide for Microsoft Windows Server 2008--WinRM appears.

To configure the event source and verify logging

  1. Log on to the target host with a Windows Server 2008 operating system.
  2. Follow the directions in the CA Connector Guide for Microsoft Windows Server 2008 to ensure events are displayed in the Windows Event Viewer and to ensure Windows Remote Management is enabled on the target server.

    Note: Part of this process is creating the user name and password that you must enter when you configure the connector. These credentials enable authentication required to establish connectivity between the event source and CA User Activity Reporting Module.

  3. Verify logging.
    1. Open eventvwr from the Run dialog.

      The Event Viewer appears.

    2. Expand Windows Logs and click Security.

      A display similar to the following indicates that logging is occurring:

      [Screenshot: the Security log in Event Viewer listing events.]

To enable direct collection of events from Windows event sources

  1. Select the Administration tab and the Log Collection subtab.
  2. On the Log Collection Explorer, expand Agent Explorer, and expand the agent group containing the CA User Activity Reporting Module default agent.
  3. Select a default agent, that is, an agent with the name of a CA User Activity Reporting Module server.

    The default agent may have other connectors deployed to it.

  4. Click Create New Connector.

    The New Connector Creation wizard opens with the Connector Details step selected.

  5. Select an integration that uses the WinRM log sensor from the Integration drop-down list.

    For example, choose WinRM.

    This selection populates the Connector Name field with WinRM_Connector.

  6. (Optional) Click Apply Suppression Rules and select rules associated with the supported events.
  7. Click the Connector Configuration step and click the Help link.

    Instructions include CA User Activity Reporting Module Sensor Configuration--WinRM. Click that link.

  8. Follow the instructions in this Connector Guide to configure the sensor. Enter the IP address, rather than the hostname, of the host on which you configured Windows Remote Management. The Username and Password entries reflect credentials you added during configuration of Windows Remote Management.

    An example follows:

    [Screenshot: the sensor configuration fields entered as described in the connector guide.]

  9. Click Save and Close.

    The new connector name, WinRM_Connector, displays under the default agent in the Agent Explorer.

  10. Click WinRM_Connector to view the status details.

    Initially, the status shows Configuration pending. Wait until that status shows Running.

  11. Click Running to get summary data such as the EPS (events per second).

    The status shows average EPS among other metrics.

To verify that the default agent is collecting events from the target event source

  1. Select the Queries and Reports tab. The Queries subtab is displayed.
  2. Expand Prompts in the Query List and select Connector.
  3. Enter the connector name and click Go.
  4. View the collected events.

More information:

Event Sources for Direct Log Collection

View and Control Agent or Connector Status

You can monitor the status of agents or connectors in your environment, restart agents, and start, stop, and restart connectors as needed.

You can view agents or connectors from different levels of the Agent Explorer folder hierarchy. Each level narrows the available view accordingly:

You can determine the FIPS mode (FIPS or non-FIPS) for an agent from all three levels.

To view agent or connector status

  1. Click the Administration tab, and then the Log Collection subtab.

    The Log Collection folder list appears.

  2. Select the Agent Explorer folder.

    Agent management buttons appear in the details pane.

  3. Click the Status and Command button.

    The status panel appears.

  4. Select Agents or Connectors.

    The agent or connector search panel appears.

  5. (Optional) Select agent or connector update search criteria. If you enter no search terms, all available updates appear. You can select any one or more of the following criteria to narrow your search:
  6. Click Show Status.

    A details chart appears, displaying status for agents or connectors that match your search. For example:

    Total: 10 Running: 8 Pending: 1 Stopped: 1 Not Responding: 0
    
  7. (Optional) Click the status display to view details in the Status pane at the bottom of the chart.

    Note: You can click the On Demand button for an agent or connector to refresh the status display.

  8. (Optional) If you are viewing connectors, select any connector and click Restart, Start, or Stop. If you are viewing agents, select any agent and click Restart.

More information:

How to Create an Agent Group

How to Apply Subscription Updates