Administration Guide › Action Alerts

Action Alerts

This section contains the following topics:

About Action Alerts

Using Queries Tagged as Action Alert

Identifying Other Queries to Use for Alerts

Customizing Queries for Action Alerts

Action Alert Considerations

Working with CA IT PAM Event/Alert Output Processes

Working with SNMP Traps

How to Create an Action Alert

Example: Create an Action Alert for Low Disk Space

Example: Create an Alert for a Self-Monitoring Event

Example: Email the Administrator when Event Flow Stops

Configure Action Alert Retention

Example: Create an Alert for Business_Critical_Sources

Edit an Action Alert

Disable or Enable Action Alerts

Delete an Action Alert

About Action Alerts

Action Alerts are specialized reports that generate an event when their query conditions are fulfilled. They can help you monitor your environment - allowing automatic notifications for a wide variety of situations and occurrences. For example, you can set action alerts to deliver event trend information, track disk space usage, or deliver notifications when failed access thresholds are exceeded.

Action alerts are a good way to sift through mountains of collected data for those few events on which you need to act right now. You can use action alerts to notify you about almost anything that happens in your log collection network. You can create alerts to let you know about spikes in inbound or outbound traffic, traffic on specific ports, access of certain privileged resources, configuration changes to various network entities like firewalls, databases, or key servers, and so forth.

You can create action alerts in the following ways:

• Using the action alert wizard
• From a query display
• Using a custom-created query

Scheduling options are a significant part of creating an alert, so you have control over how long and how often your alert job runs.

Using Queries Tagged as Action Alert

CA User Activity Reporting Module provides a number of queries with the tag, Action Alerts. To view the list of queries tagged Action Alerts, click the Queries and Reports tab, Queries subtab, and select the Action Alerts tag. The queries with this tag appear in the Query List. When you move your cursor over a query name, its tag or tags display.

Before you schedule action alerts from these queries, you can get more information about what each of these queries do. To view a description and details on a query such as Low Available Disk Space, select that query form the query list, then move your cursor over the query name.

A summary of the query appears, including a description, its filters, and the query conditions.

.

You can either schedule the query as is or you can copy the query to a new name and customize it to your requirements. For example, you can generate an alert when available disk space falls below 25 percent instead of 20 percent. You can create a user-defined query based on the predefined query and then select it for your action alert.

Note: Before using the queries with Privileged Group or Default Account in the title, consider adding your own keyed values for the corresponding keyed lists.

Identifying Other Queries to Use for Alerts

There are queries that are not tagged as Action Alerts that are good candidates for including in a scheduled action alert because they retrieve only events evaluated as severe.

For example, Security Log Cleared by Host Detail retrieves all events where the event action is Security Log Clear. The only tag for this query is Operational Security.

The action, Security Log Clear, is listed in the CEG. The CEG defines the following two event types with a security level mapped to 6, which is severe.

It is a good practice to schedule an alert with this query.

More information:

Identify the Simple Filter for Severe Events

Customizing Queries for Action Alerts

Alerts are designed to notify the appropriate person, process, or product when a severe event occurs. When attempting to identify queries on which to base alerts, consider queries designed to retrieve events with a high security level.

After you identify the definitions for severe events, you can identify the queries that retrieve severe events. If queries do not exist, you can create them.

Consider the following process:

1. Identify the event types that CA considers very severe, where event types are defined by category, class, action, and result.
2. Identify predefined queries that are designed to retrieve only such events.
3. Identify predefined queries that are designed to retrieve events that would include severe events, but could be customized to include only severe events.
4. Create custom queries where predefined queries do not exist.
5. Schedule alerts to run these queries frequently.

More information:

Identify the Simple Filter for Severe Events

Customize Queries to Retrieve Only Severe Events

Create a Query to Retrieve Only Severe Events

Identify the Simple Filter for Severe Events

Events vary in severity from informational to fatal. CA assigns a value between 2 and 7 to indicate the severity of events based on the CEG model of Category, Class, Action and Result. Severity 7 is assigned to system shutdown events. Severity 6 is assigned to events with high security implications or that need immediate attention.

If you plan to create custom queries or to customize predefined queries for use in alerts, it is a good idea to examine the CEG model definitions of severe event types. The model definition is the basis for simple filters. That is, you can create queries that retrieve events based on your specification of their event category, event class, event action, and event result.

To identify the simple filter for severe events

1. Click the Help link.
2. Expand Common Event Grammar, and select Security Level Assignment.
3. Copy the table to a spreadsheet and sort by Security Level from highest to lowest.

   The resulting table lists event types beginning with the most severe based on CA Security Level assignment.

   An example follows. Your results will reflect the current CEG definitions.

Create a Query to Retrieve Only Severe Events

You can create a query from scratch if you do not find a predefined query that retrieves the types of events you want to be notified about. Consider the following types of severe even types:

Example: Create a query to retrieve only virus quarantine failures

Assume, for example, that you want to be notified of any virus quarantine failure. Perhaps the keyword quarantine does not appear in the query list. If such were the case, you can create the query you need and then schedule an alert that runs the query.

To create a query to retrieve virus quarantine failures

1. Click Queries and Reports.
2. Under Query List Options, select New.

   Query Design wizard appears with the Details step displayed.

3. Enter a name.

   For example, enter Alert: Virus Quarantine Failure

4. Enter a custom tag.

   For example, enter Virus Quarantine

5. Click the Query Columns step and add the desired columns.
6. Click the Query Filters step.
7. Enter a simple filter based on the CEG entry for the event.

   For example, select Host Security for category, Antivirus Activity for Class, Virus Quarantine for action, and F for result.

   

8. Select the Result Conditions step and select Last 5 minutes from the Predefined Ranges drop-down, to ensure timely alerting.
9. Click Save and Close.

Customize Queries to Retrieve Only Severe Events

Predefined queries that are not tagged as action alerts are designed for reports. It is appropriate for reports to contain data reflecting events of all levels of severity. You can customize selected queries to retrieve only severe events. To do this, you identify a query that retrieves severe events along with less severe events, copy it, enter filters that ensure retrieval of only the severe event, and save it for selection in an alert.

Before you begin, have at hand your spreadsheet that lists the definitions of severe events. This example is based on the following CEG information:

The query to customize retrieves events for both system shutdown and system startup.

To customize a query to retrieve only severe events

1. Click the Queries and Reports tab.
2. Select a query tag filter that matches the Category of a severe event.

   For example, select Operational Security.

3. Review the query list for queries with names containing keywords found in the Class or Action for the identified event type.

   For example, the keywords System Shutdown appear in queries beginning with the phrase System Startup or Shutdown by Host.

   

4. Copy the query System Startup or Shutdown by Host Detail. Highlight the query and select Copy from the Options drop-down list.
5. Click Query Filters and compare the default with the table entries for the severe event type.

   For this query, only Operational Security is selected.

6. Refer to the table for values to enter for Class and Action.

   For example, select System Activity for the Class and System Shutdown for the action.

   

7. Select the Advanced Filters tab to determine whether modification is needed.

   Click delete for each line since the filter event_action is equal to system startup or shutdown is not pertinent to this custom query.

8. Replace that with a filter for the result.

   For example, create a filter where event_result is equal to either success or failure.

   

9. Click Details and name the query in a way that indicates you want to use it for an alert.

   For example, enter Alert: System Shutdown by Host Detail as the name. Change the description accordingly.

10. Click Result Conditions. For severe conditions, consider querying frequently.

    For example, select the predefined range for the last 5 minutes to run the query every 5 minutes for the occurrence of this severe event.

    

11. Click Save.

    You can create an alert with this query to notify a person, product, or process of a system shutdown success or failed attempt. (Product notification is done through SNMP traps; process notification is done through IT PAM event/alert output.)

Candidate Queries for Modification

Consider modifying selected predefined queries for use with alerts. To customize the query, add the simple filter based on the CEG analysis. Set the Date Range Selection with the Predefined Range, Last 5 minutes to ensure immediate notification. A few examples follow:

Query for Successful Configuration Error

1. Copy Configuration Error Activity Detail.

   This query returns successes as well as failures. Only successes are needed.

2. Set the simple filter as follows:

1. Save as Alert: Successful Configuration Error

Query for Successful Control File Creation

1. Copy Data Manipulation Activity Detail

   This query retrieves all data access actions.

2. Set the simple filter as follows:

1. Save as Alert: Successful Control File Creation

Query for Antivirus Scan Failure

1. Copy Virus Activity by Action

   This query filters for all Antivirus host security actions.

2. Use the following definition as a guide:

1. Define the simple filter as follows:

   

2. Save as Alert: Virus Scan Failed

Query for Virus Cleaning Failure

You can use the predefined query Virus Detection or Cleaning Activity Detail to retrieve both actions with either success or failure results. This may be sufficient for your needs. Optionally, you can create two separate queries based on this query where you specify the result as indicated on the CEG table for severe events.

1. Copy Virus Detection or Cleaning Activity Detail.
2. Create a simple filter to specify result of failure.

1. Remove the Advanced Filter.
2. Save as Alert: Virus Cleaning Failure

Query for Successful Detection of a Virus

You can use the predefined query Virus Detection or Cleaning Activity Detail to retrieve both actions with either success or failure results. This may be sufficient for your needs. Optionally, you can create two separate queries based on this query where you specify the result as indicated on the CEG table for severe events.

1. Copy Virus Detection or Cleaning Activity Detail.
2. Create a simple filter to specify result of success with just the detection activity.

1. Remove the Advanced Filter.
2. Save as Alert: Virus Detected

Action Alert Considerations

You can view the results of any action alert from CA User Activity Reporting Module without any special configuration. Additionally, an action alert can be sent to the following destinations:

• RSS feed
• Email recipients
• SNMP trap destinations, such as CA Spectrum or CA NSM
• A CA IT PAM event/alert output process

Administrators configure these destinations from the Administration tab, Services subtab, under either Global Configuration or Global Service Configuration: Report Server.

Ensure these destinations are configured as follows before attempting to schedule an alert.

• To use the Feed Reader, ensure the checkbox is cleared for Viewing Action Alerts Require Authentication in the Global Configuration.

  The RSS Feed URL follows, where elmhostname is the host name of the CA User Activity Reporting Module server:

   https://{elmhostname}:5250/spin/calm/getActionQueryRssFeeds.csp
  

• To send alerts to email recipients, ensure the Email Settings section is configured in the Global Service Configuration: Report Server.
• (Optional) To send alerts to SNMP destinations, ensure SNMP Configuration section is configured in Global Service Configuration: Report Server.
• To send alerts to the CA IT PAM event/alert output process, ensure the IT PAM section is configured in Global Service Configuration: Report Server. (The only value not required for alerts is that for the Dynamic Values process.)

When you specify result conditions for an action alert, consider the following:

• Use the preset dynamic start time and dynamic end time for the predefined ranges.
  • The predefined range, last 5 minutes, is set with the dynamic end time to 'now', '-2 minutes' and the dynamic start time to 'now', '-7 minutes.' This default range and the other predefined time ranges allow adequate time for the events to be saved to the database.

    Note: Do not change the dynamic end time to 'now' or to 'now', '-1 minutes'. This change from the predefined value can cause incomplete data to be displayed when the URL is launched from the destination. For example, if event count is one of the values, the displayed count when viewed from the URL may be less than the displayed count when viewed from CA User Activity Reporting Module.

• Extend the dynamic end time if incomplete data is displayed with the default setting. For example, set it to 'now', '-10 minutes'

When you create an action alert schedule, consider the following:

• The recurrence interval is the frequency with which the query is run. Therefore, a recurrence interval of 5 minutes means the query is run every five minutes, or 12 times per hour. An action alert is generated only if the query returns results when it is run.
• Set the recurrence interval based on how time critical it is for you to respond when the tested condition occurs.
  • If you need to take immediate action to remedy the condition, set the recurrence interval to a high frequency so you can be notified as soon as possible.
  • If the condition is one that you want to track, but not one that requires intervention, set the recurrence interval to a low frequency.
• Avoid setting the recurrence interval to a high frequency, such as every five minutes, if your CA User Activity Reporting Module server time is not synchronized with your NTP server.

  Important! Your CA User Activity Reporting Module server time must be synchronized with your NTP server to ensure complete results are returned when the query is set to run at a high frequency.

Consider the following filtering options:

• To use the filters that are defined with the included queries, no action is needed.
• To apply additional filters to the queries included in an alert, define them in the Alert Filters step.
• To apply the same set of filters to multiple alert jobs, use a profile.

Before you configure thresholds for action alerts on a CA User Activity Reporting Module report server, consider the following:

• To keep the RSS feed to a reasonable size, set the maximum number of alerts to allow. The more frequent the recurrence intervals on enabled alerts, the faster the feed will fill up if the query or queries return results.
• To ensure that the RSS feed does not retain alerts longer than the data is of interest, specify the action alert retention to the maximum age in days of the oldest record to retain.
• Consider how often you want to check the RSS feed for alerts. That frequency can help you plan how long to keep records.
• If you want the RSS feed to display the most recent result of all jobs at all times, configure the retention values such that infrequently run alerts don't get deleted because they are older than frequently run alerts that fill the queue to capacity.

More information:

Configure Action Alert Retention

Example: Create an Action Alert for Low Disk Space

Working with CA IT PAM Event/Alert Output Processes

Working with CA IT PAM event/alert output processes that are integrated with CA User Activity Reporting Module involves some combination of the following tasks:

• Import the sample event/alert output process
• Create event/alert output processes in CA IT PAM that meet integration requirements
• Configure CA IT PAM integration and specify the default event/alert output process
• Run event/alert output processes from selected query results
• Schedule alerts that run a CA IT PAM process per row
• Schedule alerts that run a CA IT PAM process per query

More information:

Import the Sample Event/Alert Output Process

Example: Run an Event/Alert Output Process with Selected Query Results

Guidelines for Creating an Event/Alert Output Process

Example: Send an Alert that Runs an IT PAM Process Per Row

Example: Send an Alert that Runs an IT PAM Process Per Query

About CA IT PAM Event/Alert Output Processes

CA User Activity Reporting Module detects events that require intervention. You can generate alerts as soon as unwanted events occur. Integration with CA IT PAM makes it possible for an alert to run an event/alert output process. Event/alert output processes are designed to invoke appropriate remedial actions by other products. That is, event/alert output processes are CA IT PAM processes that command other products to take specified actions on specified objects.

CA User Activity Reporting Module, CA IT PAM, and third-party products work together to protect your environment. CA User Activity Reporting Module automates the detection of unwanted events and the IT PAM event/alert output process invokes other products to take the appropriate series of responses.

Integration involves configuring the connection to the CA IT PAM server, specifying the process to run, and specifying the process parameters with default values.

Running the CA IT PAM process can be done on demand from a displayed query result (row) or through scheduled alerts. In both cases, parameter values such as summary and description can be tailored to provide supporting details to the destination product of the CA IT PAM process.

Architecture Supporting CA IT PAM Integration

You need the following network components to run a CA IT PAM event/alert output process from an alert:

• A working CA User Activity Reporting Module environment, for example:
  • Agents with connectors that capture raw events from event sources
  • CA User Activity Reporting Module collection servers that refine the raw events and send them to reporting servers
  • CA User Activity Reporting Module reporting servers that process scheduled alerts and on demand queries
• A CA IT Process Automation Manager r2.1 (CA IT PAM) server configured with processes that invoke another product to perform a routine remediation action
• A server with a product used by the CA IT PAM process, for example, a server with a help desk product

Process of Working with Event/Alert Output Processes

An overview of the work flow for leveraging a CA IT PAM event/alert output process follows:

1. Determine whether to set up CA IT PAM integration with or without the sample process. The advantage of using the sample process is that it lets you see results right away. You can defer updating your own process until you become familiar with integration results. Using the sample process requires CA Service Desk.
2. Do one or both of the following:
   • Import the sample process and specify the CA ServiceDesk connection parameters
   • Create event/alert output processes that meet requirements of CA User Activity Reporting Module integration
3. Gather details for CA IT PAM integration from the sample process or the process you created.
4. Configure CA IT PAM integration for event/alert output.
5. Ensure that users who monitor event/alert output process results at the third-party product have user accounts in CA User Activity Reporting Module and know the credentials with which to log in. You can assign the role of Auditor to such accounts.

   Note: When users log in, all they can do is view the page with the associated query results.

6. Prepare to automate the running of an event/alert output process:
   1. Identify the query or queries that return data on which the third-party product can take action according to the configured CA IT PAM process.
   2. If the query uses a keyed list, ensure the keyed list is populated with the values you need.
   3. Run the event/alert output process on the query results, and verify that the process runs successfully.
7. Schedule an action alert using the documented procedure and the following guidelines.
   1. On the Alert Selection step:
      • Type a job name.
      • Verify selection type is Queries.
      • Select the query or queries you identified during planning.
   2. On the Destination step, select the IT PAM Process tab and specify event/alert output details as follows:
      • Select the queries on which to base the alert.
      • Specify whether to run the process once per query that returns results or once per returned row.
      • Specify IT PAM process parameter values. You can include field values and text for the Summary and Description parameter values only if running the process per row.
   3. Specify details for the remaining steps as with any action alert you schedule, then save and close the wizard.
8. Monitor the results:
   1. Verify the Action Alert Jobs list includes this job.
   2. Monitor self-monitoring events, Event Notification action, to verify that the result of running the IT PAM process was successful.
   3. (Optional) Log on to the third-party product that responded to the event/alert output information from CA User Activity Reporting Module that was passed to it by the IT PAM process.

More information:

Import the Sample Event/Alert Output Process

Design Queries for Events to Send to the Event/Alert Output Process

Example: Run an Event/Alert Output Process with Selected Query Results

Set Notification Destinations

Guidelines for Creating an Event/Alert Output Process

Example: Send an Alert that Runs an IT PAM Process Per Row

How CA IT PAM Integration Works

Assume the following setup has occurred:

• You have configured CA IT PAM on the Report Server configuration page and specified the event/alert output process to run.
• You have scheduled an alert with CA IT PAM as a destination and specified to run the process once per row. For parameters that allow entry of summary and description statements, you entered statements that included CEG fields.
• You have scheduled another alert with CA IT PAM as a destination and specified to run the process once per query. For parameters that allow entry of summary and description statements, you entered literal text.

The end-to-end process involves actions by multiple sources:

• The generation of raw events by event sources
• The collection, and refinement of events by CA User Activity Reporting Module
• The generation of alerts when refined events meet query criteria by CA User Activity Reporting Module
• The sending of event and alert output by CA User Activity Reporting Module to CA IT PAM
• The running of the configured event/alert output process by CA IT PAM on a third-party system
• One of the following:
  • An evaluation of data by a user of the third party system who determines the correct action and takes it.
  • The automated response by that third-party system to the occurrence of the events.

A summary of the processing follows:

1. Event sources generate raw events.
2. Agents collect some of these raw events based on their connectors and transfer the raw events to a collection server.
3. The collection server normalizes and classifies the raw events and transfers the refined events to a reporting server.

   For example, when a configuration change is made on any system, a log is created and classified as a configuration change. The event captures the time of the change, the host where the change was made, the user who performed the change, and the result of the change attempt.

4. The reporting server runs the queries selected for each scheduled alert.
5. When refined events meet the query criteria, the reporting server generates an alert and transfers the following information to CA IT PAM:
   • Alert details
     • Displayed process parameters and their values
     • CEG fields sent for undisplayed process parameters
   • Event details
     • For per row, event details are conveyed by the entries in the fields available for summary and description statements, where users describe the event with the CEG field variables composing the query selected for the alert.
     • For per query, event details are conveyed with a URL to a CA User Activity Reporting Module page that displays event details at the row level.
6. If the send is successful, CA IT PAM continues processing as defined in the configured event/alert output process.
7. If the third party product is CA Service Desk and the process is the sample event/alert output process, the following occurs:
   • A help desk ticket is opened and assigned a number. Fields on the ticket are populated with the parameter values from the alert definition. If a URL is received, it is displayed with the summary statement.
   • CA Service Desk returns the ticket number to CA IT PAM
8. CA IT PAM passes the ticket number back to CA User Activity Reporting Module
9. CA User Activity Reporting Module displays the ticket number as a self-monitoring event.

Example: Data Flow for Event/Alert Output Processing

The arrows on the following diagram illustrate the data flow:

• From collection servers to reporting servers
• From reporting servers to CA IT PAM
• From CA IT PAM to the product to which the CA IT PAM process sends the CA User Activity Reporting Module output, for example, CA Service Desk.

  

When CA User Activity Reporting Module receives notice that the send was successful, it polls CA IT PAM for the status of the process that was run. As soon as CA IT PAM sends the status update, CA User Activity Reporting Module creates a self-monitoring event with the result. The processing sequence follows:

1. CA IT PAM notifies CA User Activity Reporting Module whether the process that was run succeeded or failed.
2. CA User Activity Reporting Module generates a notification creation self-monitoring event with the received result.

Consider the example where the CA IT PAM process creates a help desk ticket with the process parameter values and the event data retrieved by the query. The arrows on the following diagram illustrate the following data flow:

• From the help desk product to CA IT PAM
• From CA IT PAM to the source CA User Activity Reporting Module reporting servers.

  

Import the Sample Event/Alert Output Process

To let you test CA IT PAM integration right away and practice the configuration procedure with known values, CA provides a sample process for this purpose. It is on the DVD with the application. Use of this sample IT PAM process assumes you are using CA Service Desk as your help desk application.

You can then configure CA IT PAM in CA User Activity Reporting Module and test running this sample CA IT PAM process with query results you select. After you become familiar with how CA User Activity Reporting Module operates with CA IT PAM, you can ensure compliance of your own process and substitute those values in the CA IT PAM configuration for your production integration.

To import a sample process and test IT PAM integration

1. Launch CA IT PAM and log on.
2. Launch the ITPAM Client.

   

3. Import the sample IT PAM process, EventAlertOutput.xml, provided on the application DVD under CA/ITPAM. This sample has all the required values defined.
   1. Select File, Open Library Browser.
   2. Click Folders in the left pane, and at the root folder, click Import.

   

   1. Select the sample IT PAM process, EventAlertOutput.xml, from the extracted iso image and click Open.

   

   1. Select both options on the Import Object dialog and click OK.

      

      The resulting display shows the exact name and path. For example, the name is EventAlertOutput and the path is /CA_ELM/.

      

4. Specify the Service Desk connection parameters.
   1. Click the ServiceDesk Connect Parameters tab for Request_Create to view the ServiceDesk Connect Parameters.
   2. Use the following syntax for specifying the Service Desk URL:

      "http://<server name>:8080/axis/services/USD_R11_WebService"
      

   3. Enter valid login credentials to the Service Desk for Service Desk User ID and Password.
5. (Optional) Test the imported process to ensure that it works as a standalone process.
6. Close the ITPAM Client, then click Sign Out to exit CA IT PAM.

View the Sample Event/Alert Output Process

If you import the sample event/alert output process, you can examine its design in CA IT PAM. Use the following guidelines to become familiar with CA User Activity Reporting Module requirements in the context of the sample process. During this walk-through, you will see where to define web service connect parameters and how the calculation operators are defined. In addition, you will notice product-specific requirements. For example, configuring CA Service Desk as the third party product requires use of the Request_Create operator from the CA Service Desk Module and a precalculation operator that maintains values for severity and priority.

To become familiar with the sample event/alert out process

1. Display the model of your target process.
   1. Launch CA IT PAM and log in.
   2. Click ITPAM Client.
   3. From the File menu, select Open Library Browser.
   4. From the Folders tab, select the library folder containing the model for your target process.

      The name of your process and path appear in the main pane.

   5. Double-click the row containing your process name and path.

   A model similar to the following appears. This example model contains minimal requirements for CA User Activity Reporting Module.

   

2. Notice how the ServiceDesk Basic Parameters meet CA User Activity Reporting Module requirements.
   1. Double click the Request_Create_1 icon.

   

   The Request_Create operator passes the data returned by the action alert query to your target product (application). A similar operator is required for any process that is to be run from CA User Activity Reporting Module.

   1. Under ServiceDesk Basic Parameters, notice that local process parameters are specified with the following syntax:

      BasicParameter = Process.LocalParameter
      

      Note: Local process parameters are the Event/Alert Output Process Parameters you add to CA User Activity Reporting Module when you configure CA IT PAM.

   

   1. Since the target application is the CA Service Desk product, the following local process parameters are defined as described on the following table:

The following example shows valid local parameters for ServiceDesk Basic Parameters. The entries are case-sensitive. That is, Process.ReportedBy must be entered exactly as shown with a capital "R" and a capital "B" for example.

1. Click the ServiceDesk Connect Parameters tab for Request_Create to view the ServiceDesk Connect Parameters.
   • Service Desk URL:"http://<server name>:8080/axis/services/USD_R11_WebService"
   • Service Desk User ID:"<SD user>"
   • Password:"<SD password>"
2. Notice that for CA Service Desk, an adjustment is needed to ensure that the values of severity and priority that are entered in CA User Activity Reporting Module are correctly interpreted by CA Service Desk.
   1. A pre-calculation operator appears after Start and before the Create_Process operator. In the following example, it is named Fix_Sev_Pri.

   

   1. Under Properties, Calculate, the following mappings are defined:

      if (Process.Priority == 1) Process.Priority = "pri:504";
      else if (Process.Priority == 2) Process.Priority = "pri:503";
      else if (Process.Priority == 3) Process.Priority = "pri:502";
      else if (Process.Priority == 4) Process.Priority = "pri:501";
      else if (Process.Priority == 5) Process.Priority = "pri:500";
      

      if (Process.Severity == 1) Process.Severity = "sev:800";
      else if (Process.Severity == 2) Process.Severity = "sev:801";
      else if (Process.Severity == 3) Process.Severity = "sev:802";
      else if (Process.Severity == 4) Process.Severity = "sev:803";
      else if (Process.Severity == 5) Process.Severity = "sev:804";
      

3. Notice that the following return value, or output interface, parameters are formatted as required by CA User Activity Reporting Module:
   • ResultString
   • FaultString
4. View the calculation operator for request creation success. This format must be used in any event/alert output process to be run from CA User Activity Reporting Module.
   1. Click the icon for the calculation operator for request creation success.
   2. Select the Calculate tab and click ... in the source code field.
   3. Notice how the success calculation operator is defined in the source code:

      Process.ResultString = "Request " + Request_Create_1.newRequestNumber + " created in CA Service Desk.";
      

5. View the calculation operator for failure. This format is required for any event/alert output process to be run from CA User Activity Reporting Module.
   1. Click the icon for the calculation operator for failure.
   2. Select the Calculate tab and click ... in the source code field.
   3. Notice how the failure calculation operator is defined in the source code, where the Process.FaultString maps to the appropriate SOAP variable:

      Process.FaultString = Request_Create_1.SoapErrorResponse;
      

Guidelines for Creating an Event/Alert Output Process

Certain guidelines must be satisfied for a CA IT PAM process to run from CA User Activity Reporting Module. Before you attempt to run a CA IT PAM process from CA User Activity Reporting Module, verify that the process includes the following:

• Web Service Connect Parameters.
• A success calculation operator that maps Process:ResultString to a statement with literals and variables that expresses the response from the third-party product.
• A failure calculation operator that maps Process:FaultString to the appropriate SOAP response variable.

If your target IT PAM process is for a third-party help desk product, verify that the process also includes the following:

• The product-specific operator.

  For example, a process that targets the BMC Remedy Module would be defined with the Create_Help_Desk_Case operator.

• Product- specific parameters that are mapped to local process parameters: ReportedBy, Summary, Description, EndUser, Priority, and Severity.

  For example, a process that targets the BMC Remedy module would map local parameters to the HelpDesk Create Case Parameters.

Typically, a CA IT PAM process includes only the default process parameters, each of which is mapped to a field in the third-party product. Optionally, you can add CEG fields as process parameters for a given process. The following example shows the following CEG fields in the dataset:

• event_severity
• event_count
• event_datetime

  

Each basic parameters is mapped to a Service Desk field. For example, the ReportedBy process parameter is mapped to the CA Service Desk field named Assignee. When CEG fields are added as process parameters, they can be referred to as values in a basic parameter. For example, the value for the CEG field event_datetime can be defined to appear in the Description field in CA Service Desk by default. This is achieved by adding the Process.event_datetime in the Description field of the Service Desk Basic Parameters.

When you create an alert that runs this process, examine the CEG fields listed under Send field values as parameters. If any listed parameter is a CEG field that you defined as a process parameter, select that field. Consider the following examples:

• All three CEG fields defined in the dataset are displayed for the query System Event Count by Event Action. Therefore, you would select all three to send as parameters to CA IT PAM.

  

• Two of the three CEG fields defined in the dataset are displayed for the query >5 Logins by Admin Accounts. You would select those two to send as parameters to CA IT PAM.

  

More information:

View the Sample Event/Alert Output Process

Gather Details for CA IT PAM Integration

Most of the details required for CA IT PAM integration are part of the CA IT PAM product and process configurations. You can launch CA IT PAM and search for the details as you need them for configuration or you can gather the details first, record them, and then quickly configure CA IT PAM by entering the values you recorded.

You can reference either the sample processes you imported or your own processes that you have modified to meet CA User Activity Reporting Module requirements.

To gather details for CA IT PAM integration

1. Log on to your local CA IT PAM server and verify it is CA IT Process Automation Manager 2.1.
2. Click the ITPAM Client link.
3. Gather details for the first four fields of the IT PAM configuration.
   1. Click Configuration Browser
   2. Click the Properties tab.
   3. Record the Server Name value as your value for IT PAM Server.
   4. Accept port 8080 as the IT PAM port.
   5. Obtain login credentials for CA User Activity Reporting Module from the CA IT PAM administrator and record them for Username and Password.

1. Record the process path and names of the processes you plan to run from CA User Activity Reporting Module.
   1. From the File menu of the ITPAM client, select Open Library Browser
   2. In the Folders tab, select the library folder containing the event/alert output process.
   3. Record the path and name of the process for Event/Alert Output Process.
   4. If different, select the library folder containing the process that returns current values for a specified key.
   5. Record the path and name for Dynamic Values Process.

1. Collect event/alert output process parameters:
   1. Double-click the Event Alert Output process you referenced to open the process.
   2. On the Main Editor tab, click the Request_Create icon to display properties.
   3. Display the ServiceDesk Basic Parameters.
   4. Record those parameters prefixed by Process: in the first column below if they do not exactly match what is shown
   5. Click the Dataset tab.
   6. Click each parameter for the Local_Dataset and record its default value if any.

Example: Run an Event/Alert Output Process with Selected Query Results

All users are authorized to run a CA IT PAM process on demand. You can run the configured CA IT PAM event/alert output process with selected query results for any of the following purposes:

• To perform an on demand event/alert output process based on current needs.
• To test the processing results before creating a scheduled alert for this query with the CA IT PAM process as a destination.

You can run a CA IT PAM process from a displayed query result row. This assumes the results are displayed as a table rather than a chart. You can display query result rows in any of the following ways:

• Select a query from the query list that returns results.
• Select a report from the report list, select a query that returns results.
• Enter a prompt that returns results.

Note: The following topic assumes that a query result row displays when you select the query from the query list.

To become familiar with what data is returned for the CEG fields, see the Common Event Grammar (CEG) Reference guide in online help.

To run the configured CA IT PAM process manually based on a displayed query result row

1. Click the Queries and Reports tab and the Queries subtab.

   The query tag filter and the query list appear.

2. (Optional) Enter search criteria, such as default accounts, on the query list.

   Events that reflect logins by default accounts are good candidates for forwarding to your CA IT PAM event/alert output process.

3. Select the query from the query list for which you want to view results.

   As an alternative, you can display the Reports subtab, select an option from the Report List, switch to individual query view, and select the query from this view.

4. If the results display in a chart, select Change Visualization from the query name drop-down list and select Table.

   

5. Select the query result row for which you want to run the CA IT PAM process.
6. Right-click this query result row and select Run IT PAM process from the drop-down list.

   

   The Run IT PAM process dialog appears. It contains the process name and process parameters defined in the IT PAM configuration of the Report Server service. Additionally, it contains a Select Field drop-down list that allows you to enter variable data returned to the selected CEG field.

7. Complete the fields as follows:
   1. Review the default values shown for the displayed process parameters and identify any values that need to be changed.

      These parameters and their values are derived from the CA IT PAM integration configuration.

   2. To change the displayed default value, type the new value.
   3. To specify a variable value, select that CEG field from the Select Field drop-down list at the top of the dialog, then click Add Field next to the text box to which it applies.
   4. For any field that is blank, type a value, select a variable and add it, or type a sentence that includes selected variables.

      Example Summary: On (event_datetime), the (dest_username) account performed a (event_action) action on the (dest_hostname) host.

      Example Description: The action result (event_result), is logged in the (event_logname) log. The CA Severity is (event_severity).

   5. If the CA IT PAM process specifies parameters that refer to additional CEG fields, select these fields from the displayed list to send as parameters.

   An example follows. Your display may include other fields defined in the custom IT PAM event/alert output process.

   

8. Click OK.

   The progress dialog appears, followed by a message indicating whether the CA IT PAM process ran successfully, and if so, the results of running the process.

   An example follows, where the result is Request 4590 created in Service Desk.

   

9. Click OK.
10. To see the results in CA Service Desk, log on and search for "Request" with the number in the message.

    For example, select Request and enter 4590.

    

11. Service Desk results similar to the following appear.

    

12. Compare the planned summary and description data determined in Step 7 with the summary and description data displayed under Summary Information. It includes the CA Severity data.

Design Queries for Events to Send to the Event/Alert Output Process

After you set up CA IT PAM integration, you can take the first step toward scheduling alerts that generate event/alert output--that of compiling a list of queries on which the alerts are to be based. These are typically queries for events that suggest a policy violation. You can take a combination of several approaches:

• Analyze currently scheduled alerts to identify any that should run the event/alert output process. For example, if the event/alert output process notifies a help desk application, you identify alerts that should open a help desk ticket.
• Analyze your policies to identify those where a violation could be traced back to a logged event, then create a query for such an event.
• Examine the results of other predefined queries to identify data that a third-party product, such as a help desk product, could use to take remedial action.
• If your CA IT PAM event/alert output process creates tickets in a third-party help desk product, review typical types of help desk tickets for causes that could be captured as event logs.

To identify or design queries on which to base alerts that run the CA IT PAM event/alert output process

1. For each event type requiring a help desk ticket, identify, modify, or create one or more queries that capture data for such an event.
   • Identify each predefined query that collects events on such conditions.
   • If a predefined query requires customization, copy the query and then tailor the copy to your needs.
   • If no predefined query exists to collect a particular type of event that requires help desk notification, create the query or queries you need.
2. For any query that is to search for an IT event where one of its fields can have any of several known values, use a predefined keyed list, customize a keyed list, or create a new keyed list. If the values for such a key exist in a csv file, import it. For a list generated by an IT PAM process, configure that process as the Dynamic Values process, create the key and then import the values from CA IT PAM.
3. Determine whether to run the CA IT PAM event/alert output process per query that returns results or per result row.
4. Test the query.
   1. Create the condition that produces the event you want to capture.
   2. Run the query or set of queries manually
   3. Evaluate whether the query results are sufficient for the help desk personnel to complete the needed follow-up.
   4. If not, modify the query or set of queries to provide the required information and retest.

This preparation ensures that when you schedule an alert that runs each such query or set of queries, the resulting event/alert output will contain the data required for resolution.

More information:

Customizing Queries for Action Alerts

Example: Send an Alert that Runs an IT PAM Process Per Row

You can send an alert that runs the CA IT PAM event/alert output process per row or per query. This example illustrates the procedure of running the process per row. It includes an example of what can be viewed for this type of alert by personnel working with both CA IT PAM and the third-party product to which CA IT PAM sends the details.

Prior to creating an alert to run an IT PAM process for a given query, it is a good practice to identify the CEG columns that return data. These columns are the ones to select when creating a summary and description statement for the alert.

Note: Copy the query and click the Query Columns step. For fields designed to be visible, notice the column name corresponding to the display name. For example, the CEG field used to populate the Account column is dest_username.

To create an alert when a default account member logs in successfully

1. Click the Alert Management tab and then click the Alert Scheduling subtab.
2. Click Schedule an Action Alert.

   The Schedule Action Alerts wizard appears.

3. Complete the Alert Selection step as follows:
   1. Enter the job name, for example, Default Account Logins.
   2. Click the Action Alerts tag.
   3. Select the Successful Login by Default Account in last 24 hours query and move it to the Selected Queries list.

      

4. Select a date range for running the query and the maximum number of rows to display.
   1. Click Result Conditions.
   2. Select a date range such as 'now' and 'now' '-1 hours'
   3. Select result display parameters such as row limit of 10 and time granularity as event_datetime.
   4. Skip grouped events.
5. Define the schedule.
6. Define the alert data to pass to the IT PAM process along with the event data retrieved by the query.
   1. Click the Destination step.
   2. Select the IT PAM Process tab.
   3. Select Successful Login by Default Account in the last 24 hours.
   4. Select Run IT PAM process per row.
   5. If the configured IT PAM Process is not the one you want to run, change the path for IT PAM Process. The IT PAM process must contain the full path beginning with a forward slash (/).
   6. (Optional) Create a summary statement with literal text and variables. Here, the variables are derived from CEG fields when the collected data for a row is refined. Following is an example summary statement using variables.

      The  (dest_username) account performed the (event_action) action on (dest_hostname)
      

      The first statement is created as follows:

      • Type the word, "The"
      • Select dest_username from the Select Field drop-down list, then click + next to the Summary field.
      • Type the phrase "account performed the"
      • Select event_action from the Select Field drop-down list, then click + next to the Summary field.
      • Type the phrase "action on"
      • Select dest_hostname from the Select Field drop-down list, then click + next to the Summary field.
   7. (Optional) Create a description with literal text and text derived from CEG fields. Select the desired field from the Select Field drop-down list and click +. For example:

      The (event_logname) log shows the result of (event_result) on (event_datetime)
      

      The(event_result) of the (event_action) is logged in the (event_logname) log.
      

      The (event_logname) log shows the (event_action) action had a result of (event_result).
      

   8. For Send field values as parameters, select each CEG field that the specified IT PAM process uses as a process parameter.

      Note: Since the selected process does not use any CEG field names as parameters, no fields are checked in this example. To determine if a custom process uses such parameters, view the Dataset tab in the CA IT PAM event/alert output process.

      

7. Select a Server.
8. Click Save and Close.
   The job appears on the Action Alert Jobs list.

   

9. Click Alert Management, Self-Monitoring Events to view results. A partial view the information rows follows:

   

10. Click the Alert Management tab, Action Alerts subtab. Select the alert you scheduled to view query results.

    

11. Check the self-monitoring event tab for results returned from CA IT PAM.

    A partial example of a success message follows, where this message appears in the self monitoring events for the Report Server. Notice the ticket number following Results =.

    

12. (Optional) Review the results on CA Service Desk as follows:
    1. Log on to CA Service Desk.
    2. Select Request and enter the issue number.
    3. Click the request number link to review the issue detail and summary information.

More information:

Guidelines for Creating an Event/Alert Output Process

Example: Send an Alert that Runs an IT PAM Process Per Query

You can send an alert that runs the CA IT PAM event/alert output process per row or per query. This example illustrates the procedure of running the process per query. It includes an example of what can be viewed for this type of alert by personnel working with the third-party product to which CA IT PAM sent the details.

To send an alert that runs the CA IT PAM event/alert output process per query

1. Click the Alert Management tab and then click the Alert Scheduling subtab.
2. Click Schedule an Action Alert.

   The Schedule Action Alerts wizard appears.

3. Complete the Alert Selection step as follows:
   1. Enter the job name.
   2. Select a query.
4. (Optional) Select a date range for running the query and the maximum number of rows to display.
   1. Click Result Conditions.
   2. Select a date range such as 'now' and 'now' '-1 hours'
   3. Select result display parameters.
5. Define the schedule.
6. Define the alert data to pass to the IT PAM process along with the event data retrieved by the query.
   1. Click the Destination step.
   2. Select the IT PAM Process tab.
   3. Select the query to send

   

   1. If you want results reported by query, leave the Run IT PAM process per row blank.
   2. Optionally, type literal text in the Summary and Description fields.

      

7. Select a Server.
8. Click Save and Close.
   The job appears on the Action Alert Jobs list.
9. Click the Alert Management tab, Action Alerts subtab. Select the alert you scheduled to view query results.
10. Check the self-monitoring event tab for the action, Notification Creation, with results returned from CA IT PAM. A success message includes the Request number created in the third-party application, if it is a help desk product.

    

11. (Optional) To see what the help desk personnel sees, review the results on CA Service Desk as follows:
    1. Log on to CA Service Desk.
    2. Select Request and enter the number displayed in the result description for Notification Creation. Click Go.

    

    1. Copy the URL displayed in the Summary Information section and paste it into your browser.

       

       The CA User Activity Reporting Module logon dialog appears.

    2. Log into CA User Activity Reporting Module. You can use an account with a low-privilege role such as Auditor.

       The event data returned by the query is presented in the format of the default view of the query, that is, table or chart.

    

    If the display is in table format, you can view raw event data.

More information:

Set Notification Destinations

Working with SNMP Traps

Fault management systems and network operations centers (NOCs) typically receive SNMP traps. You can send alerts to such systems as SNMP v2 traps or SNMP v3 traps, depending on the destination product.

The only required tasks for working with SNMP traps follow:

• Create a custom MIB for each action alert destined for CA NSM.
• Prepare the destination products to receive SNMP traps from CA User Activity Reporting Module.
• Schedule alerts with one or more SNMP trap destinations.

Configuring a default SNMP trap destination is optional.

About SNMP Traps

SNMP is the acronym for Simple Network Management Protocol, an open standard for sending alert messages to a specified destination. There are three versions of SNMP: SNMPv1, SNMPv2, and SNMPv3. CA User Activity Reporting Module can use either SNMPv2 or SNMPv3 to alert one or more third-party management systems when an event that generates an alert occurs.

In CA User Activity Reporting Module, an alert is generated when a scheduled query returns results from the event log databases of recently refined events. A scheduled query can be configured with SNMP trap as a destination. Trap receivers, the destination management systems, can process traps at the rate of approximately 200 traps per second. Trap receivers typically listen on UDP port 162, the well-known port for snmptrap.

CA User Activity Reporting Module gives you the flexibility to create your own custom alerts to send as SNMP traps. For example, you can define alerts that send notification that a critical event has occurred. You can also define alerts for events such as configuration changes. You decide which alerts to send as SNMP traps.

Example Simple Filters for Alerts to Send as Traps

Events that negatively impact operations, such as shutdown of services, errors on devices, and deletion of resource, are of interest to Network Operations Centers (NOCs). You can generate action alerts when such events occur and route them to your NOC. You can create custom alerts for this purpose using Simple Filters in a custom query. Consider the following simple filter examples.

• Device error

  

• Resource deletion

  

• System shutdown

  

About MIB Files

SNMP traps are defined in either standard Management Information Base (MIB) files or enterprise-specific MIBs.

Each private enterprise on the MIB tree has a unique number that is preceded by the numbers of its parent nodes. IANA assigned CA, Inc. the private enterprise number 791. All data sent in SNMP traps by any CA application is associated with object IDs that begin with 1.3.6.1.4.1.791. The CA User Activity Reporting Module application that belongs to CA has 9845 as its identifier. All SNMP trap data sent by CA User Activity Reporting Module action alerts is associated with object IDs (OIDs) beginning with 1.3.6.1.4.1.791.9845.

CA User Activity Reporting Module provides one MIB file. The name of this MIB is CA-ELM.MIB. This MIB defines all the fields that can be sent by action alerts with one trap. That trap includes all CEG fields available in CA User Activity Reporting Module.

When an action alert is sent to an SNMP trap destination, the data that is sent includes a URL. The individual monitoring incoming traps can browse the URL sent by the action alert. Browsing the URL launches a CA User Activity Reporting Module page that displays query results in an easy to read format. This functionality makes the use of MIBs to interpret data sent as SNMP traps unnecessary.

The CA-ELM MIB Tree

You can view the structure of the CA-ELM.MIB file in the MIB tree form. CEG fields are defined under elmAlertVariables with unique SNMP object identifiers. For example, result_severity has an OID of 1.3.6.1.4.1.791.9845.2.88.

The CA-ELM.MIB File

The CA User Activity Reporting Module MIB file, CA-ELM.MIB, is on the installation DVD. The CA User Activity Reporting Module MIB is generated from the CEG source document, which contains the OIDs for each CEG field (elmAlertVariables).

The CA-ELM.MIB file begins with imports as follows:

CAELM-MIB DEFINITIONS ::= BEGIN

  IMPORTS
        MODULE-IDENTITY, OBJECT-TYPE, Integer32, NOTIFICATION-TYPE
                FROM SNMPv2-SMI
        MODULE-COMPLIANCE, OBJECT-GROUP,NOTIFICATION-GROUP
                FROM SNMPv2-CONF				DisplayString
                FROM SNMPv2-TC;       

The following representation is designed to show the structure of the CA User Activity Reporting Module MIB tree, where the top-level nodes include iso(1) org(3) dod(6) internet(1) private(4) enterprises(1). The actual CA-ELM.MIB is not formatted like this representation.

ca OBJECT IDENTIFIER::= { enterprises 791 }                  
	elm MODULE-IDENTITY...::= { ca 9845 }
		elmAlertVariables      ::= { elm 2 }  
			source-username    ::= { elmAlertVariables 1 } 
			source-domainname  ::= { elmAlertVariables 2 } 
			source-groupname   ::= { elmAlertVariables 3 } 
                     ...
  			result-severity    ::= { elmAlertVariables 88 } 
			raw-event          ::= { elmAlertVariables 89 } 
			snippet            ::= { elmAlertVariables 90 } 
		elmAlertTrapGroup      ::= { elm 3 }  
			elmTrap            ::= { elmAlertTrapGroup 1 }		
		elmDynamicVariables    ::= { elm 4 }
			calmAPIURL         ::= { elmDynamicVariables 1 } 
			dynamicData        ::= { elmDynamicVariables 2 } 
		elmConformance         ::= { elm 5 }
			elmGroups          ::= { elmConformance 1 }
				elmDataGroup   ::= { elmGroups 1 }
			elmCompliances     ::= { elmConformance 2 }
				elmCompliance  ::= { elmCompliances 3 }

The CA-ELM.MIB file defines one trap. That trap is defined as follows:

elmTrap NOTIFICATION-TYPE
    OBJECTS {  source-username,source-domainname,source-groupname,source-uid,source-gid,source-hostname,source-hostdomainname,source-address,source-mac-address,source-port,source-processname,source-objectname,source-objectattr,source-objectid,source-objectclass,source-objectvalue,dest-username,dest-domainname,dest-groupname,dest-uid,dest-gid,dest-hostname,dest-hostdomainname,dest-address,dest-mac-address,dest-port,dest-objectname,dest-objectattr,dest-objectid,dest-objectclass,dest-objectvalue,agent-name,agent-address,agent-hostname,agent-hostdomainname,agent-version,agent-id,agent-connector-name,agent-group,event-source-hostname,event-source-hostdomainname,event-source-address,event-source-processname,receiver-name,receiver-hostname,receiver-hostaddress,receiver-hostdomainname,receiver-port,receiver-time-gmt,receiver-timezone,receiver-version,event-protocol,event-logname,event-euuid,event-count,event-summarized,event-duration,event-time-year,event-time-month,event-time-monthday,event-time-weekday,event-time-hour,event-time-minute,event-time-gmt,event-datetime,event-year-datetime,event-month-datetime,event-day-datetime,event-hour-datetime,event-quarterhour-datetime,event-minute-datetime,event-timezone,event-sequence,event-trend,event-action,event-id,event-category,event-class,ideal-model,event-severity,event-result,result-string,result-signature,result-code,result-version,result-priority,result-scope,result-severity,raw-event,snippet }
    STATUS  current
    DESCRIPTION
            "The ELM SNMP Trap."
    ::= { elmAlertTrapGroup 1 }

The elmAlertTrapGroup is 1.3.6.1.4.1.791.9845.3 and the elmTrap is defined by the next node. The default elmTrap ID is 1.3.6.1.4.1.791.9845.3.1. User-defined Custom Trap IDs have the range 1.3.6.1.4.1.791.9845.3.2 to 1.3.6.1.4.1.791.9845.3.999.

Important! The best practice for sending traps to CA Spectrum is to use the default elmTrap ID. The best practice for sending traps to CA NSM is to specify a Custom Trap ID that references an elmTrap ID in a custom MIB.

More information:

Object ID (OID) to CEG Field Mapping

Custom MIBs

Object ID (OID) to CEG Field Mapping

The following table shows the CEG field corresponding to each Object ID (OID) under elmAlertVariables in the MIB tree. This branch of the tree will grow as new fields are added to the CEG. Be sure to check for updates to the MIB and be sure the latest version is available to your SNMP trap destination products.

Custom MIBs

You can create custom MIB files from the provided boilerplate text by adding selected varbinds from the CA-ELM.MIB file content. A custom MIB file for a single alert contains a subset of the contents of the CA-ELM.MIB file. A custom MIB for an alert differs from CA-ELM.MIB in these ways:

• The custom MIB defines only the fields sent by that alert.
• The custom MIB defines a trap that lists these fields in the sequence in which they are sent.
• The custom MIB trap is defined with the OID, 1.3.6.1.4.1.791.9845.3.x, where x is a value between 1 and 999.

  Note: An alert that uses a custom MIB specifies this OID as the value for Custom Trap ID.

• A custom MIB includes the dynamicData varbind only if the query includes calculated fields.

  Calculations can be applied to any field. The event_count field is an example field to which calculations are commonly, but not always, applied. Event_count in the query, System Event Count by Event Action, is a calculated field; it is calculated with Sum. To determine whether a field is calculated, examine the query where the field is defined. An example of a definition of event_count where it is a calculated field follows:

  System_Event_Count_By_Event_Action.xml:    <Column columnname="event_count" datatype="I" displayname="Count" functionname="sum" resultname="event_count" sortdesc="true" sortorder="1" visible="true"/>
  

Boilerplate Text for a Custom MIB

Boilerplate text for a custom MIB follows. If you start a custom MIB with this example, you can replace or insert custom data in locations indicated with the string ###. In sections where you modify data, you can, optionally, modify the description.

CAELM-MIB DEFINITIONS ::= BEGIN
  IMPORTS
        MODULE-IDENTITY, OBJECT-TYPE, Integer32, NOTIFICATION-TYPE
                FROM SNMPv2-SMI
MODULE-COMPLIANCE, OBJECT-GROUP,NOTIFICATION-GROUP
                FROM SNMPv2-CONF				DisplayString
               FROM SNMPv2-TC;                
                
elm MODULE-IDENTITY
    LAST-UPDATED "200907050600Z"
    ORGANIZATION "CA"
    CONTACT-INFO
        "100 Staples drive
        Framingham MA" 
    DESCRIPTION
        "Contains objects describing data for ELM events"
    REVISION "200907050600Z"
    DESCRIPTION
        "Custom MIB <###>."        
    ::= { ca 9845 }

ca OBJECT IDENTIFIER ::= {enterprises 791}  
elmAlertTrapGroup OBJECT IDENTIFIER ::= { elm 3 }  
elmAlertVariables OBJECT IDENTIFIER ::= { elm 2 }  
elmDynamicVariables OBJECT IDENTIFIER ::= { elm 4 }
elmConformance OBJECT IDENTIFIER ::= { elm 5 }
elmGroups      OBJECT IDENTIFIER ::= { elmConformance 1 }
elmCompliances OBJECT IDENTIFIER ::= { elmConformance 2 }


<### Insert elmAlertVariable varbind for each query field ###>

<### Insert the following dynamicData varbind only if query includes calculated fields ###>
dynamicData OBJECT-TYPE
    SYNTAX  DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
" This field contains all the elm dynamic variables and data in name=value format."
    ::= { elmDynamicVariables 2 } 

calmAPIURL OBJECT-TYPE
    SYNTAX  OCTET STRING
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
"The OPEN API URL which points to the query result."
    ::= { elmDynamicVariables 1 } 

elmTrap NOTIFICATION-TYPE
    OBJECTS { <### insert list of query fields with hyphens ###> }
    STATUS  current
    DESCRIPTION
            "The ELM SNMP Trap."
    ::= { elmAlertTrapGroup <### insert custom trap ID node number ###> }

elmCompliance MODULE-COMPLIANCE
    STATUS  current
    DESCRIPTION
            "The compliance information."
    MODULE  -- this module
        GROUP       elmDataGroup
        DESCRIPTION
            "This group is mandatory."
    ::= { elmCompliances 3 }
-- units of conformance

elmDataGroup    OBJECT-GROUP
    OBJECTS { <### insert list of query fields with hyphens ###> }    
    STATUS  current
    DESCRIPTION
            "A collection of objects providing information specific to
            ELM data."
    ::= { elmGroups 1 }
END

Example: Create Custom MIB 33 for the Average CPU Load Trend Query

Create a custom MIB for each query sent to CA NSM as an SNMP trap. Each such query is associated with a custom trap ID. The custom MIB defines the fields selected to include in the trap in the order displayed in the action alert.

Consider the example where the query selected for the action alert is Average CPU Load Trend. The selected fields are event_datetime and event_trend.

The Custom Trap ID is 1.3.6.1.4.1.791.9845.3.33.

To create a custom MIB for the custom trap ID ending in 33

1. Open a copy of CA-ELM.MIB for the purpose of copying text to your custom MIB.
2. Open an editor, copy the boilerplate text for custom MIB, and save the file as a new name. For example, save it as Custom MIB n.mib, where n is 33, the final node of the Custom Trap ID specified for the query in the action alert.
3. (Optional) Under elm MODULE-IDENTITY, replace <###> with 33. For example:

    Custom MIB 33."
   

4. Replace the following boilerplate text with text from CA-ELM.MIB

   <### Insert elmAlertVariable varbind for each query field in trap sequence ###>
   

   Copy the elmAlertVariable varbinds for event_datetime and then for event_trend. These varbinds must appear in the MIB in the same sequence that they are sent in the SNMP trap. For example:

   event-datetime OBJECT-TYPE
       SYNTAX  DisplayString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
   "The calendar date and time expressed in the event information"
       ::= { elmAlertVariables 65 } 
   

   event-trend OBJECT-TYPE
       SYNTAX  Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
   "Trending data for this event."
       ::= { elmAlertVariables 74 }
   

5. Because neither of the fields in this query are calculated fields, delete the following boilerplate text:

   <### Insert the following dynamicData varbind only if query includes calculated fields ###>
   dynamicData OBJECT-TYPE
       SYNTAX  DisplayString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
   " This field contains all the elm dynamic variables and data in name=value format."
       ::= { elmDynamicVariables 2 } 
   

6. Replace the following boilerplate text under elmTrap:

   OBJECTS { <### insert list of query fields with hyphens ###> }
   

   with the list of selected query fields, as follows:

   OBJECTS { event-datetime,event-trend }
   

7. Replace the following boilerplate text under elmTrap:

   ::= { elmAlertTrapGroup <### insert custom trap ID node number ###> }
   

   with the following:

   ::= { elmAlertTrapGroup 33 }
   

8. Replace the following boilerplate text under elmDataGroup:

   OBJECTS { <### insert list of query fields with hyphens ###> }
   

   with the following:

   OBJECTS { event-datetime,event-trend }
   

9. Save the file.

Example: Custom MIB 33

The following example is a custom MIB developed for an action alert sent as an SNMP trap with the Custom Trap ID ending in 33. The custom trap ID was 1.3.6.1.4.1.791.9845.3.33. The selected query was Average CPU Load Trend and the fields selected to be sent in the SNMP trap are event_datetime, and event_trend.

CAELM-MIB DEFINITIONS ::= BEGIN
  IMPORTS
        MODULE-IDENTITY, OBJECT-TYPE, Integer32, NOTIFICATION-TYPE
                FROM SNMPv2-SMI
MODULE-COMPLIANCE, OBJECT-GROUP,NOTIFICATION-GROUP
                FROM SNMPv2-CONF				DisplayString
               FROM SNMPv2-TC;                
                
elm MODULE-IDENTITY
    LAST-UPDATED "200907050600Z"
    ORGANIZATION "CA"
    CONTACT-INFO
        "100 Staples drive
        Framingham MA" 
    DESCRIPTION
        "Contains objects describing data for ELM events"
    REVISION "200907050600Z"
    DESCRIPTION
        "Custom MIB 33."        
    ::= { ca 9845 }

ca OBJECT IDENTIFIER ::= { enterprises 791}  
elmAlertTrapGroup OBJECT IDENTIFIER ::= { elm 3 }  
elmAlertVariables OBJECT IDENTIFIER ::= { elm 2 }  
elmDynamicVariables OBJECT IDENTIFIER ::= { elm 4 }
elmConformance OBJECT IDENTIFIER ::= { elm 5 }
elmGroups      OBJECT IDENTIFIER ::= { elmConformance 1 }
elmCompliances OBJECT IDENTIFIER ::= { elmConformance 2 }

event-datetime OBJECT-TYPE
    SYNTAX  DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
"The calendar date and time expressed in the event information"
    ::= { elmAlertVariables 65 } 

event-trend OBJECT-TYPE
    SYNTAX  Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
"Trending data for this event."
    ::= { elmAlertVariables 74 } 

calmAPIURL OBJECT-TYPE
    SYNTAX  OCTET STRING
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
"The OPEN API URL which points to the query result."
    ::= { elmDynamicVariables 1 } 

elmTrap NOTIFICATION-TYPE
    OBJECTS { event-datetime,event-trend }
    STATUS  current
    DESCRIPTION
            "The ELM SNMP Trap."
    ::= { elmAlertTrapGroup 33 }

elmCompliance MODULE-COMPLIANCE
    STATUS  current
    DESCRIPTION
            "The compliance information."
    MODULE  -- this module
        GROUP       elmDataGroup
        DESCRIPTION
            "This group is mandatory."
    ::= { elmCompliances 3 }
-- units of conformance

elmDataGroup    OBJECT-GROUP
    OBJECTS {  event-datetime,event-trend }    
    STATUS  current
    DESCRIPTION
            "A collection of objects providing information specific to
            ELM data."
    ::= { elmGroups 1 }
END

Example: MIB Tree for Custom MIB 33

The MIB tree for a custom MIB differs from the MIB tree for CA-ELM.MIB in the following ways:

• The objects under elmAlertVariables are limited to the fields in the query. Consider the example where the selected fields are:
  • event_datetime
  • event_trend
• The elmTrap that contains only the query fields replaces elmTrap (1) in CA-ELM.MIB, which contains all CEG fields. Consider the example where the elmTrap is 33. This elmTrap identifier references the final node of the Custom Trap ID, which is 1.3.6.1.4.1.791.9845.3.33.

A depiction of Custom MIB 33 in MIB tree format follows, where the highlighted blocks indicate differences between this custom MIB and the CA-ELM.MIB. The custom MIB defines only two fields under elmAlertVariables. The custom elmTrap includes only the two query fields and has a unique number, 33. The elmDataGroup includes only the two query fields.

MIB Usage Considerations

For a system to understand an SNMP trap it receives from CA User Activity Reporting Module using MIBs, it must know what the composing OIDs define. Requirements follow:

• Import and compile the CA-ELM.MIB file; keep this file updated.
• (CA NSM only) Create, import, and compile one custom MIB for each scheduled alert sent as an SNMP trap.

  Note: The same custom MIB can be used for alerts based on queries that send the same fields in the same order as a trap.

  For example, the following queries all return values for the fields dest_hostname and event_count.

  • Five Failed System Access by System
  • Failed Restore Activity in Last Seven Days by Host Summary
  • Failed Backup Activity in Last Seven Days by Host Summary
  • Excessive (25) Configuration Failures in Last Hour
  • Excessive (25) Configuration Changes in Last Hour
  • Excessive (25) SU Activity by Host in Last Hour
  • Critical or Fatal Events on Critical Host Summary

  If you create separate alerts based on these queries, those alerts would specify the same Custom Trap ID and would be interpreted with the same custom MIB.

Individuals who monitor the SNMP traps received at the destination product can interpret traps sent from CA User Activity Reporting Module in two ways:

• Launch the SNMP trap results page from the URL sent in the trap.
• Use an application that references imported MIBs.

Process of Working with SNMP Traps

Using SNMP traps involves the following procedures:

1. Prepare CA User Activity Reporting Module to send SNMP traps.
   • Configure the default SNMP trap destination.
   • Identify the IP address and port of each additional SNMP trap destination that you can specify when sending alerts as SNMP traps.
   • Identify alerts where query results would be of interest to CA Spectrum, CA NSM, or another SNMP trap receiver.
2. Prepare the SNMP trap destination products to receive SNMP traps from CA User Activity Reporting Module
   • If CA Spectrum is to be a destination:
     • Create an Event Model according to Spectrum documentation. Without an event model, you cannot view trap results at the destination.
     • Configure CA Spectrum to receive SNMP v3 traps.
   • If CA NSM is to be a destination:
     • Install NSM r11.2 GA build on a Windows Server 2003 EE SP1 and apply the patch to update the aws_snmpex.dll file.
     • Configure CA NSM to receive SNMP traps, including SNMP v3 traps.
3. (Optional) Prepare the SNMP trap destination to interpret SNMP traps from CA User Activity Reporting Module with MIBs.
   • Download the CA User Activity Reporting Module MIB to a location accessible from your SNMP trap destination product.

     Note: The CA-ELM.MIB is delivered on the installation DVD. You can download the latest version of this MIB from the CA User Activity Reporting Module product page.

   • Import and compile the CA-ELM.MIB file.
   • (CA NSM only.) For each alert to be sent as an SNMP trap, create a custom MIB with a trap defined with 1.3.6.1.4.1.791.9845.3.x, where x is a whole number equal to or less than 999. Import and compile all custom MIBs.

   Important! This step is optional because traps received from CA User Activity Reporting Module can be interpreted by launching the trap results page from the URL sent in the trap.

4. Schedule alerts with SNMP trap destinations.
5. Verify that the alert was successfully sent as an SNMP trap.
6. (Optional) Monitor results of sent SNMP traps from the trap destination.
   • View the SNMP trap results at the trap destination.
   • Launch the URL to view the data sent by the alert in chart or graph format.

More information:

Configure Integration with an SNMP Trap Destination

Preparing CA Spectrum to Receive SNMP Traps from Alerts

Preparing CA NSM to Receive SNMP Traps from Alerts

Send SNMPv2 Traps to CA Spectrum

Configure Integration with an SNMP Trap Destination

Configure SNMP integration as part of the Global Service Configuration for Report Server. The configuration is the IP address and port of one SNMP trap destination.

You can configure SNMP integration either before or after preparing the destination product to receive and interpret SNMP traps from CA User Activity Reporting Module.

When you create an alert destined for an SNMP trap recipient, you can specify one or more destinations. This configuration serves as the default. This default applies to all servers listed under Report Server.

To configure SNMP integration

1. Click the Administration tab and the Services subtab.
2. Click Alerting Service.
3. Enter the IP address or host name of the destination server for the SNMP traps.
4. Accept the default port, 162, or change it.
5. Click Save.

Preparing CA Spectrum to Receive SNMP Traps from Alerts

You can send alerts in the form of SNMP traps from CA User Activity Reporting Module to any destination in your network that receives and interprets traps. Each trap receiver product has its own requirements.

Prepare CA Spectrum to receive traps from CA User Activity Reporting Module action alerts by:

• Creating a CA Spectrum southbound gateway integration, an integration point that can support any incoming alert data stream format from a third-party system, including SNMP traps such as those generated by CA User Activity Reporting Module.
• Creating a model of the CA User Activity Reporting Module node to enable receipt of SNMP v3 traps.
• Downloading the CA User Activity Reporting Module MIB.
• Importing the CA User Activity Reporting Module MIB into CA Spectrum.

The process for creating a southbound gateway integration is fully documented in the Spectrum Southbound Gateway Toolkit Guide. Creating a southbound gateway integration includes mapping SNMP traps to CA Spectrum events in an AlertMap file and defining the required models. The southbound gateway integration point accepts alert data from third-party systems and displays it within OneClick.

After downloading the MIB file from the CA User Activity Reporting Module product page on Support Online or retrieving it from the installation DVD, you can import it into CA Spectrum.

More information:

Download the CA User Activity Reporting Module MIB

Import the CAELM-MIB into CA Spectrum

Configure CA Spectrum to Accept SNMP v3 Traps

Configure CA Spectrum to Accept SNMP v3 Traps

Before you can send SNMP V3 traps from CA User Activity Reporting Module to CA Spectrum, you must create a model of the CA User Activity Reporting Module appliance in CA Spectrum. SNMP v3 traps are then directed to the CA User Activity Reporting Module node that you modeled.

To create a model that enables Spectrum to receive SNMP v3 traps from action alerts

1. Log on to the Windows server where CA Spectrum is installed.
2. Access the Spectrum OneClick console:
   1. From the Start menu, click All Programs, CA, SPECTRUM Control Panel.

      The SPECTRUM Control Panel appears with a Status indicator at the bottom of the screen.

   2. If Status does not display RUNNING, click Start SpectroSERVER under Process Control.
   3. When Status displays RUNNING, click OneClick Administration.

      OneClick Administration - SPECTRUM Control Panel appears with Host as localhost and Port as 80.

   4. Click OK

      A login dialog appears.

   5. Provide your credentials.

      The SPECTRUM NFM OneClick page appears.

   6. Click Start Console.

      The Login - SPECTRUM OneClick login dialog appears to connect you to SPECTRUM OneClick on local host.

   7. Click OK

      The Console - SPECTRUM OneClick appears with a Navigation pane, a Contents pane, and a Component Detail pane.

3. On the Explorer tab in the Navigation pane, expand the top-level node and select Universe.

   The Contents and Component Detail pane titles display Universe of type Universe.

4. On the Contents pane, click the Topology tab.

   The second button on the tab lets you create a new model by type and add it to this view.

5. Click Create a new model.

   The Select Model Type - SPECTRUM OneClick dialog appears.

6. Click the All Model Types tab
7. Type a string in the Filter field. For example, type gn.

   Model types beginning with Gn appear in the list.

8. Select the desired model type and click OK. For example, select GnSNMPDev and click OK.

   The Create Model of Type <selected model type> opens.

9. Complete the Create Model of Type dialog as follows:
   1. Enter the host name of a CA User Activity Reporting Module server in the Name field.
   2. Enter the IP address of the same server in the Network Address field.
   3. Enter a port in the Agent Port field, if the default 161 is not what you want. For example, enter 162.
   4. Select SNMP v3 as the SNMP Communication option.
   5. Click Profiles.

   The Edit SNMP v3 Profiles window appears with a list of existing profiles, if any.

10. To add a profile, follow these steps:
    1. Type the profile name and type the User ID.
    2. Since this is for SNMP v3, select Authentication with Privacy as the authentication type.
    3. In the next four fields, type an 8-character authentication password twice and type an 8-character privacy password twice.
    4. Click Add to add the profile to the list.
    5. Click OK.

    The profile you added appears first in the V3 Profile drop-down list on the Create Model of Type dialog.

11. Select Discover Connections and click OK.

    The Creating Model progress indicator appears. When processing completes, the created model appears on the Topology tab as a graphic with the host name that you entered and the model type you selected.

Download the CA User Activity Reporting Module MIB

You can download the MIB file from the CA User Activity Reporting Module product page on Support Online or you can retrieve it from the installation DVD. After downloading the CA User Activity Reporting Module MIB, you can import/compile it into each product you configure as an SNMP trap destination.

To download the CA User Activity Reporting Module MIB

1. Log on to the server where you have installed CA Spectrum
2. Launch CA Support Online and log on.
3. Access the CA User Activity Reporting Module product page.
4. Download the CA User Activity Reporting Module MIB file to your network.
5. If you plan to send SNMP traps to CA Spectrum, import the CA User Activity Reporting Module MIB into CA Spectrum.
6. If you plan to send SNMP traps to CA NSM, import the CA User Activity Reporting Module MIB into CA NSM. Refer to the CA NSM documentation for the procedure.

Import the CAELM-MIB into CA Spectrum

Before you send SNMP traps from CA User Activity Reporting Module to CA Spectrum, you can import and compile the CA User Activity Reporting Module MIB using the CA Spectrum OneClick MIB Tools.

Note: The SNMPv2 MIBs referenced in the CA-ELM.MIB are preloaded in CA Spectrum.

To import the CA-ELM.MIB into CA Spectrum

1. Log on to CA Spectrum.
2. Launch the OneClick Console.
3. Click Tools, Utilities, MIB Tools.

   The MIB Tools: Add MIB dialog opens.

4. Click Browse, navigate to the location where you downloaded CA-ELM.MIB, and select this file.
5. Click Compile.

   A success message indicates that the CA User Activity Reporting Module MIB is successfully stored in the following directory on the OneClick web server:

   <$SPECROOT>/MibDatabase/userContrib
   

6. Close the MIB Tools: Add MIB dialog.

   CAELM-MIB is added to the Navigation bar under CA.

   

   In the hierarchy, cai expands to display elm with its subordinate tree objects and their associated OIDs.

   

Example: Alerting CA Spectrum of Configuration Changes

Before you send SNMP traps to CA Spectrum for the first time, it is a good practice to identify the queries that return results pertinent to this destination. When you schedule your first alert with Spectrum as a destination, you may want to track the progress and compare the results displayed in CA User Activity Reporting Module with those that appear in the CA Spectrum interface. Once sending traps to CA Spectrum becomes routine, you may not ever take these preparation and follow-up steps again.

The following example is designed to walk you through the initial process, including:

• Preparing to send SNMP Traps to CA Spectrum
• Sending SNMP traps to CA Spectrum
• Verifying SNMP traps were sent successfully
• Viewing the SNMP traps received by CA Spectrum

More information:

View SNMP Traps on CA Spectrum

Send SNMPv2 Traps to CA Spectrum

Track the Alert Job Progress

Send SNMPv2 Traps to CA Spectrum

The following example shows how to create an alert that notifies CA Spectrum of configuration changes with SNMPv2 traps.

To send SNMPv2 traps to CA Spectrum

1. Open the Alert Scheduling wizard.
   1. Click the Alert Management tab and the Alert Scheduling subtab.
   2. Click the Schedule an Action Alert button.
2. Complete the Alert Selection step.
   1. Type a job name; this is required for any alert.
   2. Verify selection type is Queries.

      Selection of SNMP trap destinations is not allowed for alerts based on tags.

   3. If the queries you want to select are tagged Action Alerts, click the Action Alerts tag to filter the displayed list.
   4. Select the query or queries you identified.

      

3. (Optional) Complete the Alert Filters, Result Conditions, and Schedule Jobs steps as documented in the online help for this wizard.
4. Set the SNMP trap details.
   1. Click the Destination step.
   2. Click the SNMP Trap tab.

      The configured SNMP Trap destination and the queries selected in step 1 of the wizard appear.

   

   Note: By default, the SpectroSERVER listens on the standard SNMP trap port 162. If changed, the port must match the snmp_trap_port parameter in the SPECTRUM .vnmrc file located in the SS directory.

   1. (Optional). To send the trap to up to nine servers in addition to the configured destination server, click the Add button and enter the IP address and port of the server.
   2. For a query where you want all fields included in the trap, just select the query.

      All fields of a selected query are selected by default. The name of the selected query appears above the field list.

      

   3. For a query where you want selected fields included in the trap, select the query and clear the fields that are not to be sent.

      

   4. Select the SNMP Version supported by the selected trap destination for traps received from applications.

      Note: Some trap destination accept Version 3 traps sent directly by devices, but only Version 2 traps from applications that collect events from devices. For this example, we accept Version 2.

5. Select the server and specify whether the query should return results from just selected server(s) or from this server and all of its child (if hierarchical) or peer (if meshed) federated servers.
6. Click Save and Close.

   The job appears on the Action Alert Jobs list. Unless you cleared the Enabled check box on the first step of the wizard, it is displayed as enabled (true in the Enabled column). An abbreviated example follows:

   

Track the Alert Job Progress

You can view results returned by the queries selected for the alert you created. The results displayed for the example Configuration_Changes_Alert are displayed in CA User Activity Reporting Module under the headings Host and Count.

1. Select the Alert Management tab, and the Action Alert subtab.
2. Click the name of the alert that you scheduled.
3. View the results for that alert.

   Example results follow:

   

View SNMP Traps on CA Spectrum

You can view the SNMP traps sent by CA User Activity Reporting Module alerts on the CA Spectrum event model you created for receiving these traps. Received traps are displayed on the Events tab. For the example Configuration_Changes_Alert, the results, ca-elm and 2, are displayed in CA Spectrum with the OIDs 1.3.6.1.4.1.791.9845.2.22 and 1.3.6.1.4.1.791.9845.2.2.

To view SNMP traps on CA Spectrum

1. Log in to CA Spectrum with your CA Spectrum credentials.
2. Bring up the Spectrum Control Panel and start Spectroserver.

   Spectroserver starts.

3. Click OneClick Administrator and log in.

   The Spectrum NFM OneClick application appears.

4. Click Start Console.

   The Spectrum OneClick console appears.

5. Expand the folder created for CA User Activity Reporting Module.
6. Under Universe, select the event model you created for receiving traps sent from CA User Activity Reporting Module.
7. In the right-hand panel, select the Events tab to view traps sent from CA User Activity Reporting Module.

   The value, ca-elm, and event_count=2 is the same data that you could view in CA User Activity Reporting Module.

An unrelated example of how an SNMP trap sent by a CA User Activity Reporting Module alert appears in CA Spectrum OneClick follows. The link is the URL you can paste in a browser to display the CA User Activity Reporting Module table with details presented in CEG format.

More information:

Example: Alerting CA Spectrum of Configuration Changes

Preparing CA NSM to Receive SNMP Traps from Alerts

You can send alerts in the form of SNMP traps from CA User Activity Reporting Module to any destination in your network that receives and interprets traps. Each trap receiver product has its own requirements.

Prepare CA NSM to receive traps from alerts by:

• Verifying that the destination CA NSM system meets system requirements for receiving SNMP trap data from CA User Activity Reporting Module.
• Configuring CA NSM to receive SNMP traps, including enabling support for SNMP v3, modifying port assignments in various files, and starting the required services.

Prepare CA NSM to interpret traps received from action alerts by:

• Creating a custom MIB for each alert you plan to send as an SNMP trap to CA NSM.
• Importing and compiling the CA-ELM.MIB and all custom MIBs.

More information:

Configure CA NSM to Receive SNMP Traps

CA NSM System Requirements

Boilerplate Text for a Custom MIB

CA NSM System Requirements

You can send SNMP traps to CA NSM if your system meets the following CA User Activity Reporting Module interface requirements:

• The CA NSM version is CA NSM r12.2 (GA build).
• CA NSM is installed on Windows Server 2003 EE SP1.
• You have applied the patch T5MK056.caz, which updates the aws_snmpex.dll file and enables CA NSM to receive SNMP v3 traps from CA User Activity Reporting Module.

To apply the patch

1. Download the patch from CA Support.
2. Log on to the server with CA NSM.
3. Stop the SNMP Trap service:
   1. From the Start menu, select Programs, Administrative Tools, Services

      The Services list appears.

   2. Select the SNMP Trap Service, right-click and select Stop from the pop-up menu.
4. Stop all CA NSM services:
   1. Access the command prompt.
   2. Enter the following command:

      Unicntrl stop all
      

5. Copy the download patch file, "T5MK056.caz, to the C:\temp folder.
6. Unzip the patch file with cazipxp.

   Cazipxp.exe -u T5MK056.caz
   

7. Back up the existing aws_snmpex.dll before replacing it.
   1. Navigate to C:\Program Files\CA\SC\CCS\AT\SERVICES\BIN.
   2. Right-click aws_snmpex.dll and select copy.

      A Copy of aws_snmpex.dll is added to the folder.

8. Copy the aws_snmpex.dll from the temp folder to bin folder (C:\Program Files\CA\SC\CCS\AT\SERVICES\BIN)

   CA NSM now meets system requirements. You can configure CA NSM to receive SNMP traps from CA User Activity Reporting Module.

Configure CA NSM to Receive SNMP Traps

Before you can direct alerts to be sent to CA NSM as SNMP traps, you must configure CA NSM to receive traps. You can send both SNMPv2 traps and SNMPv3 traps to CA NSM.

To configure CA NSM to receive SNMP traps from CA User Activity Reporting Module alerts

1. Log on to CA NSM.
2. Enable support for SNMP version3 as follows:
   1. Display the command prompt. From the Start menu, click Run, enter cmd, and click OK.
   2. Type the following:

      caugui settings
      

      The EM Settings window appears.

   3. Click the Event Management tab.
   4. Scroll to display the description: SNMP - Enable SNMP version 3 support.
   5. Select the row and type Y to select YES in the setting column for SNMP Enable SNMP version 3 support.
   6. Click Yes to confirm the change.
   7. Close the window.
3. Change the port used by the SNMP service from the current port, for example 5162, to port 162 as follows:
   1. Open Windows Explorer.
   2. Navigate to the .../System32/drivers/etc folder, typically under C:\WINDOWS.
   3. Back up the Services file. Right click services and select copy.
   4. Open the Services file in a text editor, such as Notepad, and scroll to the entry resembling the following:

      snmptrap     162/udp    snmp-trap   #SNMP trap
      

   5. Edit the snmptrap line to replace the port number 162, with an alternative, for example, 5162. Add the catrapmuxd line where you assign port 162.

      snmptrap    5162/udp
      catrapmuxd   162/udp    catrapmuxd  #CA Trap Multiplexer
      

   6. Save and close the file.
4. Modify the CA Trap Multiplexer configuration file, catrapmux.conf, as follows:
   1. Navigate to C:\Program Files\CA\SC\CCS\WVEM\CAIUSER.
   2. Open CATRAPMUX.CONF in a text editor, such as Notepad.
   3. Scroll to the bottom of the file. Edit the file as needed to include the following entries.

      CATRAPMUX_CMD:6161
      AWS_SNMP:6162
      catrapd:6163
      snmptrap:5162
      

      Note: The first three entries represent default settings.

   4. Save and close the file.
5. Add a line to the snmpv3.dat configuration file to configure SNMP v3 security parameters.
   1. Navigate to the C:\Program Files\CA\SC\CCS\CommonResourcePackages\Misc.
   2. Open snmpv3.dat in a text editor and add the following line at the end of the file.

      *.*.*.* *:*                   test1234:AuthPriv:MD5:test1234:DES:test1234
      

      Note: These are the same parameters that you must enter in the V3 Security Parameters dialog in the Alert wizard in order for the SNMP trap to be received by CA NSM. The username and password are what you configure here, the Auth protocol is MD5 and the Encryption protocol is DES.

   3. Save and close the file.
6. Install the CA Trap Multiplexer service:
   1. Access the command prompt.
   2. Run the following command:

      catrapmuxd uniconfig
      

      CA Trap Multiplexer is added to the Services list with a status of Started.

7. Verify that CA Trap Multiplexer is running and start SNMP Trap Service.
   1. From the Start menu, select Programs, Administrative Tools, Services

      The Services list appears.

   2. Examine the status of CA Trap Multiplexer. Verity that the status is Started.
   3. Select the SNMP Trap Service, right-click and select Start from the pop-up menu.
8. Start all services with a Startup Type of Automatic.
   1. Access the command prompt.
   2. Run the following command:

      Unicntrl start all
      

   CA NSM is now configured to receive SNMP v3 traps based on scheduled alerts sent by CA User Activity Reporting Module.

Example: Alerting CA NSM of Configuration Changes

The following example is designed to walk you through a process of alerting CA NSM of configuration changes. This process includes the following procedures:

• Send SNMP traps to CA NSM
• Verify that SNMP traps were sent successfully
• Access the EM Console on CA NSM
• View the SNMP traps received by CA NSM

More information:

Access the EM Console on CA NSM

View SNMP Traps on CA NSM

Track the Alert Job Progress

Send SNMPv3 Traps to CA NSM

When planning what alerts to send to CA NSM, identify query results that would be of interest to the network operations center. For example, consider queries that detect configuration changes. The following example illustrates how to send a scheduled alert based on the Configuration Change Detail query. This alert specifies CA NSM as the SNMP trap destination.

To send SNMPv3 traps to CA NSM

1. Open the Alert Scheduling wizard.
   1. Log on to CA User Activity Reporting Module with the credentials of an Analyst or Administrator.
   2. Click the Alert Management tab and the Alert Scheduling subtab.
   3. Click the Schedule an Action Alert button.
2. Complete the Alert Selection step.
   1. Type a job name. For example, enter Configuration Changes destined for CA NSM.
   2. Verify that the selection type is Queries. Selection of SNMP trap destinations is not allowed for alerts based on tags.
   3. Select the query or queries you identified. For example, select Configuration Change Detail.
3. (Optional) Complete the Alert Filters, Result Conditions, and Schedule Jobs steps as documented in the online help for this wizard.
4. Click the Destination step, and then click the SNMP Trap tab.
5. Examine the destination server and port entries. If not correct, enter the correct IP address for the destination server and port. To add additional destination servers, click add, and enter the additional destination.
6. Specify the SNMP version information. SNMP Version 2 is selected by default.
   1. Click Version 3. CA NSM is configured to accept SNMP v3 traps.
   2. Click V3 Security.

      The SNMP Version 3 Security Parameters dialog appears.

      Important: The entries on this dialog must match the settings in snmpv3.dat that you configured to enable CA NSM to receive SNMP traps from CA User Activity Reporting Module alerts. The recommended setting follows:

      *.*.*.* *:*   <username>:AuthPriv:MD5:<password>:DES:<password>
      

   3. Select Authentication. Type the configured user name for username, type the configured password for password, and select MD5 for protocol.
   4. Select Encryption. Type the configured password for password and select DES for protocol.
   5. Click OK.
7. Select the query to send as an SNMP trap.

   In this example, when you select Configuration Change Detail, the fields for that query are displayed as selected. Optionally, you can clear any field you do not want included as a trap.

   Important! When you create a custom MIB for this alert, be sure to define a trap with the fields you select here and in the order shown.

   

8. Select the number for the final node, x, of the associated elmTrap OID, where all elmTrap OIDs are defined as 1.3.6.1.4.1.791.9845.3.x.

   The initial nodes of the Custom Trap ID are predefined in the CA-ELM.MIB. The final node number is unique to a trap defined in a custom MIB, where the trap reflects a unique set of fields. A custom MIB file defines the traps sent by the CA User Activity Reporting Module alerts that you defined. In the custom trap referenced by the Custom Trap ID, the fields are listed in the same order as the fields sent by the alert. If the OID for the trap in the custom MIB is 1.3.6.1.4.1.791.9845.3.63, select 63 from the number spinner for Custom Trap ID. Or, if you define the alert first, add a trap in your custom MIB for 1.3.6.1.4.1.791.9845.3.63 that defines the query fields you selected.

9. (Optional) Select Servers.
10. Click Save and Close.

    The job appears on the Action Alert Jobs list with the configured job name.

More information:

Access the EM Console on CA NSM

Track the Alert Job Progress

When you schedule an alert, it is a good practice to track the alert job progress the first time it runs. When you track progress, you can verify that the job runs successfully and that the reported results are what you intended to send.

To monitor the alert job progress and preview the results

1. View the alert job you created on the Action Alerts Jobs list. An partial example follows:

   

2. (Optional) To track the alert job progress, view System Self Monitoring Events Detail. Double-click any line to display the Event Viewer. Scroll to result_string to view the entire message shown on Result Description.

   

3. Preview the results returned by the queries selected for the alert you created.
   1. Select the Alert Management tab, and the Action Alert subtab.
   2. Click the name of the alert that you scheduled.
   3. View the results for that alert.

   Note: Typically, the data displayed here is the data displayed when browsing the URL sent to the destination server. If a difference exists and you want it to be the same, edit the action alert to reset the dynamic end time for Result Conditions. For example, set it to 'now', '-10 minutes'.

Access the EM Console on CA NSM

You can view the SNMP traps sent by CA User Activity Reporting Module from CA NSM. SNMP traps are displayed as messages on the EM Console.

To access the EM Console on CA NSM

1. Log on to the server where the SNMP trap destination, CA NSM is installed.
2. From the Start menu, select Programs, CA, Unicenter, NSM, Enterprise Management, and EM Classic.

   The EM for Windows window appears.

3. Double-click Windows.

   The <hostname> (Windows) window appears.

4. Double-click Event.

   The Event <hostname> (Windows) window appears.

5. Double-click Console Logs.

   The EM Console (<hostname>) appears.

More information:

View SNMP Traps on CA NSM

View SNMP Traps on CA NSM

Consider the example where an alert is scheduled to run the Configuration Change Detail query. In this example, the Custom Trap ID is set to 1.3.6.1.4.1.791.9845.3.63. Nine fields are sent as an SNMP trap.

To view the SNMP trap sent by an Alert based on the Configuration Change Detail query

1. When a self monitoring event indicates that an SNMP trap has been successfully sent to CA NSM, access the EM Console on CA NSM.
2. Wait until a log message appears that indicates receipt of an SNMP trap. The message for this trap contains the custom trap ID, 1.3.6.1.4.1.791.9845.3.63.

   

3. Double-click this message to bring up the message in a format you can copy.

   

4. Copy the message and paste it into a temporary text file.

   The results resemble the following:

   %CATD_I_060, SNMPTRAP: -u auth user 791 155.35.7.63 etr6511l1-sun104.ca.com 6 63 0:05:00 12 
   

   Specifies that the following data is received as an SNMP trap.

   OID: 1.3.6.1.2.1.1.3.0 system.sysUpTime.0 VALUE: (30000) 0:05:00.00 
   

   Specifies the object ID for uptime in hundredths of a second. This is a known OID through SNMP.

   OID: 1.3.6.1.6.3.1.1.4.1.0 .iso.org.dod.internet.snmpV2.snmpModules.1.1.4.1.0 VALUE: 1.3.6.1.4.1.791.9845.3.63 
   

   Specifies the object ID for the snmpTrapOID. The value is the custom trap ID you specified when configuring the alert.

   OID: 1.3.6.1.4.1.791.9845.2.80 .iso.org.dod.internet.private.enterprises.791.9845.2.80 VALUE: 2 
   

   Specifies the OID for event_severity and the severity value of 2, which stands for Informational.

   OID: 1.3.6.1.4.1.791.9845.2.65 .iso.org.dod.internet.private.enterprises.791.9845.2.65 VALUE: Fri Nov 06 2009 10:53:53 PM 
   

   Specifies the OID for event_datetime with the value, the day, date and time when the event with these values occurred.

   OID: 1.3.6.1.4.1.791.9845.2.17 .iso.org.dod.internet.private.enterprises.791.9845.2.17 VALUE: 
   

   Specifies the object ID for dest_username with no value.

   OID: 1.3.6.1.4.1.791.9845.2.1 .iso.org.dod.internet.private.enterprises.791.9845.2.1 VALUE: 
   

   Specifies the object ID for source_username with no value.

   OID: 1.3.6.1.4.1.791.9845.2.22 .iso.org.dod.internet.private.enterprises.791.9845.2.22 VALUE: etr851l2-elm5 
   

   Specifies the object ID for dest_hostname with the hostname of the server where the query results are displayed when you launch the URL.

   OID: 1.3.6.1.4.1.791.9845.2.53 .iso.org.dod.internet.private.enterprises.791.9845.2.53 VALUE: EiamSdk 
   

   Specifies the object ID for event_logname, EiamSdk, the name of the log file that contains these details.

   OID: 1.3.6.1.4.1.791.9845.2.77 .iso.org.dod.internet.private.enterprises.791.9845.2.77 VALUE: Configuration Management 
   

   Specifies the object ID for event_category and the value for Category associated with the Configuration Change Detail query.

   OID: 1.3.6.1.4.1.791.9845.2.75 .iso.org.dod.internet.private.enterprises.791.9845.2.75 VALUE: Configuration Change 
   

   Specifies the object ID for event_action and the value for Action associated with the Configuration Change Detail query.

   OID: 1.3.6.1.4.1.791.9845.2.81 .iso.org.dod.internet.private.enterprises.791.9845.2.81 VALUE: S 
   

   Specifies the object ID for event_result with the value, S, for Success.

   OID: 1.3.6.1.4.1.791.9845.4.1 .iso.org.dod.internet.private.enterprises.791.9845.4.1 VALUE: https://etr6511l1-sun104:5250/spin/calmapi/getObject.csp?type=getQueryViewer&objectId=Subscription/panels/Configuration_Change_Detail&params=%3cParams%3e%3cParam%20id=%22ARG_stop%22%20val=%221257528379%2c%27unixepoch%27%22/%3e%3cParam%20id=%22ARG_start%22%20val=%221257528079%2c%27unixepoch%27%22/%3e%3cParam%20id=%22ARG_localtimezone%22%20val=%22Asia/Calcutta%22/%3e%3c/Params%3e
   

   Specifies the object ID for calmAPIURL under elmDynamicVariables. The value is the URL to the CA User Activity Reporting Module API. After logging in, you can see the query results in the chart or graphic view.

5. Copy the URL at the end of the message, paste it into a browser, and launch the URL.
6. Log on to the CA User Activity Reporting Module API.

   The Configuration Change Detail chart view displays. See the following example:

   

How to Create an Action Alert

The process of creating an Action Alert, using the schedule action alert wizard, has the following main steps:

1. Opening the schedule action alert wizard.
2. Choosing the query or tags on which the alert is based. You can query either the event database, the incident database or both in a single job.
3. (Optional) Setting advanced filters to refine the alert query.
4. (Optional) Setting date range and result conditions
5. (Optional) Defining how often the alert job recurs, and when it is active.
6. (Optional) Configuring automatic alert emails and recipients.
7. (Optional) Selecting whether to run the query on data for the selected server only, or to run it for this server and all of its children.

   Note: You cannot base an action alert on an ODBC query.

More information:

Create an Advanced Event Filter

Define Alert Job Query Destination

Open Schedule Action Alert Wizard

Set Notification Destinations

Open Schedule Action Alert Wizard

To create an action alert job, you must use the schedule action alert wizard.

To open the schedule action alert wizard

1. Click the Alert Management tab.

   The Alert Servers list appears.

2. Select the server where you want to schedule an alert job.

   The Server Details pane shows the selected server, displaying the Generated Alerts tab by default.

3. Click the Alert Scheduling tab, and then the Schedule an Alert button.

   The Schedule Action Alerts wizard appears.

   When using the wizard:

   • Click Save and Close to save the action alert and close the wizard.
   • Click Reset to restore the wizard display to the last-saved settings.

More information:

Set Email Notification Destination

Define Alert Job Query Destination

Select an Alert Query

Select tags or queries as the basis for a new action alert job. The query, plus any filters you add, defines the circumstances under which an alert is generated. For example, to create an alert to monitor traffic from a host or port, use the All Events query, add filters to define the source hosts to monitor, and an event threshold.

Note: The Action Alerts query category contains queries designed for various common alert needs.

To select an alert query

1. Open the schedule action alert wizard.
2. Type a job name.
3. Select the time zone you want to schedule the report in from the time zone drop-down menu.
4. Select the Queries or Tags option button to select reports by tag or individually.

   Note: Scheduling alerts by tag lets you add alerts without altering the job itself. If you select the "Identity Management" Tag, any alert with that tag is added to the job at the scheduled run time. You can add a new alert to the job by giving a query the Identity Management tag. This feature also applies to custom tags.

   (Optional) Clear the Enable check box to enable to action alert later rather than as soon as you finish it. The check box is selected by default.

   Note: The ability to create a disabled alert job is designed for use with recurring alerts. If you clear the Enabled check box for a job, and create that job with a single occurrence ("Now" or "Once") it is removed from the Scheduled Alert list.

5. (Optional) Select a tag or tags to narrow the tags and individual reports displayed. This feature matches the behavior of the Report List.
6. Select the tags or individual queries you want, and use the shuttle control to add them to the Selected Queries area. You can select both event and incident queries in a single alert job.
7. Advance to the scheduling step you want to complete next, or click Save and Close.

   If you click Save and Close the alert job is scheduled, otherwise the step you select appears.

More information:

Create an Advanced Event Filter

Set Alert Job Scheduling Parameters

You can control when your alerts apply by setting their start and end time. You can also control how granular the alert view is by controlling how often the query recurs.

To set alert job scheduling parameters

1. Open the schedule action alert wizard, enter the required information, and advance to the Schedule Jobs step.
2. Set the recurrence interval you want. A lower interval gives a more detailed view, but increases network traffic.

   Before setting a low interval, verify that CA User Activity Reporting Module is synchronized with an NTP server.

3. Set the start and end time you want for the alert job.
4. Advance to the scheduling step you want to complete next, or click Save and Close.

   If you click Save and Close the alert job is scheduled, otherwise the step you choose appears.

Set Notification Destinations

You can set one or more of the following destinations for notification of an alert:

E-mail

You can set automatic email notification for an alert to help ensure that the proper personnel are aware of alerts relating to their job role or responsibility. Configure a mail server for your CA User Activity Reporting Module environment before you send alert notification emails.

IT PAM Process

You can run the specified CA IT PAM process if the alert is for a condition that requires notification of the third-party product. Integration with CA IT PAM must be configured under Report Server and IT PAM must have the process defined before you can run the process from alerts.

SNMP Trap

You can send event data captured by an alert to one or more Network Operations Centers (NOCs). You can target management servers such as CA Spectrum or CA NSM using SNMP v2 or SNMP v3 traps. You specify the destinations during the process of scheduling the alert. Integration with SNMP must be configured before you can send alerts using SNMP.

Note: If you do not set a destination, the alert results are published only to the RSS feed.

More information:

Set Email Notification Destination

Example: Alerting CA Spectrum of Configuration Changes

Example: Send an Alert that Runs an IT PAM Process Per Row

Example: Send an Alert that Runs an IT PAM Process Per Query

Set CA IT PAM Information

Set Email Notification Destination

You can set automatic email notification for an alert job, assuring that the proper personnel are aware of alerts relating to their job role or responsibility. This step is optional.

A mail server must be configured for your CA User Activity Reporting Module environment before you can set alert notification emails.

To set alert notification

1. Open the schedule action alert wizard, enter the required information, and advance to the Destination step.
2. Select the Enable email notification check box.
3. Enter at least one recipient email address. You can enter multiple addresses separated by commas.
4. (Optional) Enter From text, a subject line, and a message body for the notification email.

   Note: The message body is constructed in HTML, so all text you enter appears on one line. To create a break after a line, enter <BR/> at the end of the line of text.

More information:

Set CA IT PAM Information

Set CA IT PAM Information

You can set your alert job to run a CA IT PAM process when the alert is generated.

You can run the process once for each query result row, or you can run the configured process once, regardless of the number of rows. If you run it once per row, define summary and description statements using CEG fields to pass the event data to CA IT PAM. Select the fields that are defined to collect data by the query. If you run it once per query, a URL is automatically passed to CA IT PAM that, when launched, displays all rows of event data. In the third-party product that responds to the CA IT PAM process, the URL is appended to the summary text you enter. For example, it appears in the Summary field of CA Service Desk, if it is the third-party product.

To run a CA IT PAM process when the alert is generated

1. Open the schedule action alert wizard, enter the required information, and advance to the Destination step.
2. Click the IT PAM Process tab.

   A check box for each query for this alert job appears in the left pane.

3. Select a query that you want to send to the CA IT PAM process, and do one of the following:
   • Select Run IT PAM Process per row to run the configured process once for each returned row.
   • Clear Run IT PAM Process per row to run the configured process once, regardless of the number of returned rows.
4. Verify the default entries for the process parameters and change if needed. For undefined fields that allows entry of summary or description information, enter a meaningful statement. If you selected Run IT Process per row, use the CEG fields to convey event data. Select the CEG field and click Add next to the target field.
5. If the CA IT PAM process is defined with CEG fields as local parameters in the dataset, select those CEG fields in the Send field values as parameters list.
6. Select another query from the left pane and repeat steps 3 through 6.

Note: When the queries for a scheduled alert job return results, all the information and parameters required to run the configured process are sent to CA IT PAM.

More information:

Set Email Notification Destination

Set SNMP Trap Information

You can set SNMP Trap inform for an alert job, allowing you to send the alert to one or more third-party management systems. When the selected queries return results, a trap that includes returned data for all selected fields from all selected queries is sent to all selected SNMP trap destinations. This step is optional.

To set SNMP Trap information

1. Open the schedule action alert wizard, enter the required information, and advance to the Destination step.
2. Select the SNMP Trap tab.

   The SNMP Trap tab opens, displaying the Destination Server and Destination Port fields, and a list of the queries included in the Action Alert, each with a check box.

3. Examine the default destination server and port entries. If not correct, enter the correct IP address or fully qualified host name and port number.
4. (Optional) Click Add to enter additional Destination Server and Destination Ports.
5. (Optional) To send the alert using SNMP v3, select SNMP Version 3. SNMP Version 2 is the default.
6. If you select SNMP Version 3, click the V3 Security button to set authentication or encryption in the Security Parameters dialog.

   Important: The entries on this dialog must match the settings in snmpv3.dat that you configured to enable CA NSM to receive SNMP traps from CA User Activity Reporting Module alerts. The recommended setting follows:

   *.*.*.* *:*   <username>:AuthPriv:MD5:<password>:DES:<password>
   

   1. Select Authentication. Type the configured user name for username, type the configured password for password, and select MD5 for protocol.
   2. Select Encryption. Type the configured password for password and select DES for protocol.
7. Select the check box next to any query you want to include in the SNMP trap. For example, if you have three queries showing in the list, you could set SNMP to deliver one, two, or all three.

   Selecting a query displays the fields included in each query, each with a check box selected. You can clear any selected field remove that field in the alert.

8. Enter the custom trap ID you want associated with each query. This allows you to send different queries in a single alert to different trap IDs, if required.
9. Advance to the scheduling step you want to complete next, or click Save and Close.

   If you click Save and Close the alert job is scheduled, otherwise the step you select appears.

More information:

Set Email Notification Destination

Set CA IT PAM Information

Define Alert Job Query Destination

You can choose which federated event log stores are queried by the alert job.

To choose report destinations

1. Open the schedule action alert wizard, enter the required information, and advance to the Server Selection step.
2. Select any available servers you want to query, and move them to the Selected Servers area using the shuttle control.
3. (Optional) If you want to disable federated queries for this alert job, select "No" from the drop-down menu that appears when you click the Federated Queries entry. Report queries are federated by default.
4. Advance to the scheduling step you want to complete next, or click Save and Close.

   If you click Save and Close the alert job is scheduled, otherwise the step you choose appears.

Example: Create an Action Alert for Low Disk Space

Low Available Disk Space is one of the predefined queries with the tag, Action Alerts. Queries with the Action Alerts tag are specifically designed to be used as alerts, but do not become alerts until you schedule them.

The following example shows how to create an action alert from the predefined Low Disk Space query.

1. Click the Queries and Reports tab and the Queries subtab.

   The Query Tag and Query List panes appear.

2. Click the Action Alerts tag.

   The Query List displays the queries tagged with Action Alerts.

3. Click the Low Available Disk Space query in the query list.

   The Low Available Disk Space query appears in the main pane.

4. Click Options and select Schedule Action Alerts.

   

   The Schedule Action Alerts wizard appears with the Alert Selection step selected. Low Available Disk Space is preselected under Selected Queries.

   

5. Enter a job name, such as Low Disk Space. Clear the Enabled checkbox for now. This lets you save and close the action alert schedule before it is complete without risking an attempt to run it.

   

6. You can enter or skip Alert Filters. Filters are additive, that is, when a series of filters are evaluated, they are joined with logical ANDs.
7. Click Result Conditions to override the ones set in the query definition.
   1. To specify the alert should evaluate the disk space for the past hour, enter the date range as 'now' for Dynamic End Time and 'now' '-1 hours' for Dynamic start time.
   2. To specify that you only want to be notified if the query returns a result; and you want to see only the first result returned, select Row Limit and select the value 1. Since the dynamic time range is in hours, select event_hour_datetime as the Time Granularity.
   3. Leave Grouped Events blank since that does not apply to this query.

   

8. Click Schedule Jobs to define the schedule. The default is to start the job immediately with no end date. Set the recurrence interval. For example, set the interval to run the query every hour.

   

9. Click the Destination step. Select enable-email notification; enter your email address in the Email To field. Optionally, enter a subject and email text. Or, email it to the desired recipients and enter your email address in the From field. If you enter multiple email addresses, separate them with a comma (not a semicolon).

   

10. Click Server Selection. By default, the query will run on the current CA User Activity Reporting Module server. Select Federated to run the query on this server and all eligible federated queries.
11. Click Alert Selection. Select Enabled.
12. Click Save and Close.

    The action alert job is displayed on the Alert Scheduling subtab.

    

13. Click the Alert Management tab, Action Alerts to view the results of this action alert.

You will receive email notification as requested. An example follows:

If you click the RSS Link, a page similar to the following appears:

Example: Create an Alert for a Self-Monitoring Event

The predefined query for all self-monitoring events is System All Events Detail. You can copy this query and use it as the basis for defining an alert based on a specific self-monitoring event.

For example, a self-monitoring event is generated when a module requiring you to restart the operating system is downloaded in a subscription update. This self-monitoring event is generated only once. You may want to create an alert as a reminder to restart the operating system, in the event this self-monitoring event is overlooked.

Use the following example as a guide.

1. Create a query based on the query for all self-monitoring events as follows:
   1. Click the Queries and Report tab and the Queries subtab.
   2. Select System All Events Detail in the Query List, expand the Options drop-down list, and select Copy.

   

   The query design wizard appears with the Details step selected.

   1. Replace the name of the copied query with a new name, for example, OS Restart Alert. Optionally, add a short name and new description.
   2. Select Action Alerts from Available Tags and move it to Selected Tags.
2. Create query filters as follows:
   1. Advance to the Query Filters step. Click the Advanced Filters tab.
   2. Click New Event Filter. Select event_logname for Column, leave Equal to for Operator, and select CALM for value.
   3. Click New Event Filter. Select receiver_name for Column, leave Equal to for Operator, and enter Subscription.
   4. Click New Event Filter. Select result_string for Column, leave Equal to for Operator, and enter the message, OS Updates are installed on this host...Please restart the machine for these updates to have effect !!!

      

3. Click Save and Close.

   The new alert appears in the Query Lists under the User folder.

   

4. Schedule an action alert for the user-defined query as follows:
   1. Select the query under the User folder.
   2. Click the Edit button in the right pane to display the OS Restart Alert drop-down list, and select Schedule Action Alert.

   

   The Schedule Action Alerts wizard appears with the Alert Selection step displayed. OS Restart Alert is preselected under Selected Queries.

   1. Enter a job name. For example, enter Restart Operating System Alert.
5. Add an event filter as follows:
   1. Click Alert Filters.
   2. Click New Event Filter.
   3. Select receiver_hostname for Column, leave Equal to for Operator, enter the name of the local CA User Activity Reporting Module for Value.

   

6. Specify the frequency with which to generate the alert when a restart is needed as follows:
   1. Click Schedule Jobs
   2. Set the recurrence interval for the alert generation frequency. For example, select 1 and Days for once a day.
7. Provide your email information as follows to be alerted by email.
   1. Click the Destination step.
   2. Click Enable e-mail notification and provide your email address and any of the other optional information desired.
8. Restrict the notification to when the current server needs to be restarted as follows:
   1. Click Server Selection
   2. Select No for Federated Query.
9. Click Save and Close to save the Alert Job.

   The Action Alert Job appears on the Alert Management tab, Alert Scheduling subtab.

   

Example: Email the Administrator when Event Flow Stops

Administrators need to be notified when any connector on any agent stops collecting events. You can automate this notification when an indicator suggests that this has occurred. You can configure the indicator, which is the elapsed time since a collection server has received events from any connector. You can set the elapsed time to the desired number of minutes, hours, or days. You can extend the query to all collection servers in the federation.

To limit the number of emails sent when a connector goes down, consider only those connectors that have been collecting events up until now. For example, set the alert to return rows only for connectors that did collect events during the hour before this one but did not collect events during the last hour.

To capture this data, select the predefined query, Collection Monitor by Log Manager Agent Connector Down. This query returns the connector name and the agent name when no events are received as defined in Result Conditions in the alert. Use the following example as a guide to generate an alert when no events are received during the last hour from a connector that sent events during the period between one and two hours ago. For the alert destination, specify the email address of the individual to notify. For the schedule to run the query, specify a frequency greater or equal to that of the elapsed time period.

Note: Email Settings must be configured under Administration, Report Server before creating the alert.

To email the Administrator when a connector stops collecting events

1. Select the server from which to run this alert. In a hub and spoke architecture, select a collection server to capture the condition as soon as possible.
2. Select the Alert Management tab and the Alert Scheduling subtab.
3. Click Schedule an Action Alert.
4. Enter a job name, for example, Connector Down.
5. Select from Available Queries, Collection Monitor by Log Manager Agent Connector Down and move it to the Selected Queries list.

   

6. Click Result Conditions.
7. Set the time for the last 2 hours.
   1. Select the Predefined Ranges: Last hour.

      This sets the dynamic end time correctly to 'now', '-2 minutes'

   2. Click Edit dynamic time string for Dynamic Start Time.
   3. For Dynamic Time String, replace 62 with 122.
   4. Click OK.

   

8. Set Result Conditions.
   1. Select Latest grouped event data before and click Edit
   2. Select Now for Reference time and click Add reference time to Dynamic Time string
   3. Click down once on the spinner for Shift time to display -1, select hour from the drop-down list, and click Add time shift to Dynamic Time string.
   4. Click OK.

   

9. Click the Schedule Jobs step and define the recurrence interval. For example, set the interval for 1 hour.

   

10. Click Destination and complete the E-mail tab.
    1. Select Enable e-mail notification.
    2. Enter the administrator's email address for Email To.
    3. Enter your email address for Email From.
    4. Enter the subject in the Subject field. For example, type Connector may be down.
    5. Enter email text. For example, type: Connector stopped sending events within the last hour.
11. Click the Server Selection step and clear Federated if desired.
12. Click Save and Close.

You could define this alert to query for the date range in days, rather than hours, and then schedule it to run once a day. In this case dynamic end time would be set to 'now', dynamic start time would be set to 'now', '-2 days', and latest grouped event dated before would be set to 'now', '-1 days'.

More information:

Example: Federation Map for a Mid-Sized Enterprise

Configure Action Alert Retention

You can control how many action alerts are saved by the report server, and how long they are retained.

To configure action alert retention

1. Click the Administration tab, and then click the Services subtab.

   The Service List appears.

2. Click Report Server for the global setting or the Report Server host for the local setting.

   The Report Server configuration pane appears.

3. Enter a value in the Maximum Action Alerts entry field. Any Alerts above this threshold are deleted, oldest first.
4. Enter a number of days in the Action Alert Retention entry field, after which alerts are deleted.

   Note: Action Alerts are deleted whenever either threshold is exceeded.

5. Click Save.

Example: Create an Alert for Business_Critical_Sources

You can create a custom query with the Business_Critical_Sources keyed list and schedule an alert based on this query. The keyed list is one that has no default values and no associated predefined query or alert. Use the following end-to-end process as a guide.

1. Install an agent.
2. Configure a connector on that agent to collect events from each business critical source.

   

3. Define the hostname values for Business_Critical_Sources user-defined lists (keys).
   1. Click the Administration tab and Services subtab.
   2. Select Report Server from the Service List.
   3. Select Business_Critical_Sources in the User Defined Lists (Keys) area.
   4. Click Add Value in the Values area and enter the hostname of a business critical source.

   

   1. Repeat the last step for each business critical source from which events are collected.
   2. Click Save.
4. Create a query on failed login attempts on business critical sources.
   1. Click Queries and Reports.
   2. Under Query List, enter login in the Search field.
   3. Select Unsuccessful Login Attempt by Host and select Copy from the Options drop-down list.

      The Query Design wizard opens with the name Copy of Unsuccessful Login Attempts by Host.

      Rename to query to Unsuccessful Login Attempts by Business_Critical_Sources.

   4. Select the Query Filters step.
   5. Click the Advanced Filters tab.
   6. Click New Event Filter.

   

   1. Select source_hostname for the column, select Keyed for the operator, and select Business_Critical_Sources as the value.

   

   1. Click Save and Close.
5. Schedule an alert based on this custom query.
   1. Click the Queries and Reports tab.
   2. Select Unsuccessful Login Attempts by Business_Critical_Sources under the User folder of the Query List.
   3. Select Schedule Action Alert from the Edit drop-down list.

      

      The Schedule Action Alerts wizard appears.

   4. Enter a job name, such as Unsuccessful Login Attempts by Business Critical Resources
   5. Click Schedule Jobs and define the schedule.
   6. Optionally, specify email options for Destination.
   7. Click Save and Close.
6. Verify the job is scheduled.
   1. Click the Alert Management tab and the Alert Scheduling subtab.
   2. Verify the job name you entered is listed.

   

7. Check for the generation of the alert.
   1. Click the Alert Management tab. The Action Alerts subtab is displayed.
   2. View the listed alerts to determine whether the job name you listed appears.

More information:

Install an Agent

Create a Connector Based on NTEventLog

Edit an Action Alert

You can edit an existing Action Alert.

To edit an action alert

1. Click the Alert Management tab.

   The Alert Server list appears.

2. Select the server where the Action Alert you want to edit is scheduled.

   The server details pane appears, showing the Generated Reports tab by default.

3. Click the Scheduled Alerts tab, select the alert you want, and click Edit at the top of the list.

   The Schedule Action Alerts wizard appears

4. Make the changes you want, and click Save and Close.

   The edited Action Alert appears in the Action Alerts list.

Disable or Enable Action Alerts

You can disable one or more action alerts when you no longer want the scheduled queries associated with that action alert to run. You can enable action alerts that were previously disabled, so that they run according to the saved schedule.

To disable or enable an action alert job

1. Click the Alert Management tab, and the Alert Scheduling subtab,

   The Action Alert Jobs list appears, showing the status of each job in the Enabled column. If the job is enabled, the Enabled value is true. If it is disabled, the Enabled value is false.

2. Select the job or jobs you want, and click Enable Selected, or Disable Selected.

   The Action Alert Jobs list displays the new status of all the jobs you enable or disable.

   Note: The ability to disable alert jobs is designed for use with recurring alerts. If you disable an alert job with a single occurrence ("Once") it is removed from the Action Alert Jobs list.

Delete an Action Alert

You can delete an unneeded Action Alert.

To delete an action alert

1. Click the Alert Management tab.

   The Alert Server list appears.

2. Select the server which contains the Action Alert you want to delete.

   The server details pane appears.

3. Click the Scheduled Alerts tab, select the alert you want by clicking on the row, and click Delete at the top of the list. You can select multiple alert jobs for deletion.

   Note: The check boxes beside each alert job are used for enabling or disabling alert jobs.

   A confirmation dialog appears.

4. Click Yes

   A deletion successful message appears

5. Click OK.

   The alert job is removed from the Alert Jobs list.