Reports Tree

The Reports tree in the Navigator pane organizes the pre-defined summary and detail reports that you can view. It also organizes the custom reports that you define, whether they are generated on demand or scheduled. Under the Reports tree, you can define custom reports, organize existing reports within folders, and modify the parameters of pre-defined and custom reports. In addition, you can view any report defined under this tree from within the GUI client.

Learn More About the Reports Tree

The Reports tree organizes three categories of reports:

Summary Report. Provides summary information about network activity, usage statistics, and system events.
Detail Report. Provides detailed information about network activity, usage statistics, and system events.
Defined Report. Custom summary or detailed reports defined by administrators using the GUI client.

For each report type, you can specify whether you want to view and store the reports using an HTML or ASCII text file format. You can select the appropriate format by selecting the format branch under the report type that you want to define. You can also view them on demand or define scheduled reports. In addition, you can save custom modifications to the standard reports or a particular instance of a standard report as a custom, defined report.

To learn more about the different report types, refer to the corresponding section:

Summary Reports. Summary reports keep you abreast of user and network activity in a concise, scannable format.
Detail Reports. Detail reports enable you to study network activity by analyzing the data for each session that transpired within a user-defined time period.
Defined Reports. Defined reports enable you to define the specific settings for a summary or detail report, whether scheduled or on demand, and to save that report and its settings for easy access whenever you want to view or modify the settings for that report.

Learn More About Summary Reports

Eight types of summary reports exist:

Top FTP Sites. This report type presents the list of FTP sites that users who request services from behind the selected Policy Enforcement Point have accessed the most within the specified time period. This report provides statistics for up to 25 sites.
Top Web Sites. This report type presents the list of HTTP sites that users who request services from behind the selected Policy Enforcement Point have accessed the most within the specified time period. This report provides statistics for up to 25 sites.
Top Users. This report type presents the list of users who have made the most service requests from behind the selected Policy Enforcement Point within the specified time period. This report provides statistics for up to 25 users.
User Activity Summary. This report type summarizes the activities of all users who have made service requests from behind the selected Policy Enforcement Point within the specified time period.
Network Service Summary. This report type summarizes all activities based on the service requests made from behind the selected Policy Enforcement Point within the specified time period.
Event Summary. This report type summarizes the security, warning, and informational events that the selected network object has experienced within the specified time period. You can select a Policy Enforcement Point or a host running a Cisco Secure Policy Manager component.
Device Properties. This report type summarizes the definition and schedule for one or more devices.
Policy Posture. This report type enables you to define and schedule reports for a number of different data sources.

Learn More About Detail Reports

Four types of detail reports exist:

User Activity Detail. This report type describes the full activities of all network session transactions that a specific user has conducted from behind the selected Policy Enforcement Point within the user-specified time period. It presents the full list of network sessions that have occurred within the time period. You can only select from those network objects (user hosts) defined under the selected Policy Enforcement Point.
Network Service Detail. This report type provides transaction information about a network services sessions that transpire during a given time interval. For example, you can generate reports about HTTP on port 80, SSL on port 443, or DNS on port 53. To generate a detailed service report, you must log the statistical audit events for the network service (see Service Statistics in the Configure Logging and Notifications panel). You can only select from those network services that are defined under the Network Services branch of the Tools and Services tree.
Event Detail. This report type provides information about the state of the Policy Enforcement Points and Cisco Secure Policy Manager components installed on your network over a user-specified time period. These reports list audit events (security, warning, and informational) that are related to the security and normal operation of the selected network objects. Each recorded audit event is classified as informational or security relevant. They are also prioritized as normal (green), important (yellow), or severe (red).
Administrator Activity. This report type provides information about the activities of Cisco Secure Policy Manager administrators. These reports list when and who did log on, log off, save, update, change policy, and other information.

Learn More About Defined Reports

Defined reports represent those scheduled and on-demand reports for which you have specified particular settings and have used a unique report name to save those settings. Defined reports are based on the provided report templates under the Reports tree. They can be stored as HTML pages or as ASCII text files. Under the Defined Reports branch, you can find each report that you have customized and saved within the Summary Reports or Detail Reports branches. By default, no defined reports exist.

Definition Panel

The Definition panel organizes the settings for a specific report, whether it is an on-demand report or a scheduled report. From this panel, you can define the scope of the data that you want to study in a report. This scope includes the sources of the audit records, such as a particular Policy Enforcement Point, the period of time for which you want to study the data, and various settings provided by different report types. You can also save these definitions as defined reports or view them immediately without saving the settings.

Learn More About Definition

The Definition panel contains the settings for a pre-defined report type, such as a summary report or a detailed report, as well as for any custom defined reports that you have created. This panel is common to all reports, HTML or text, but the options that are presented vary depending on the type of report that you have selected.

To preserve the settings that you specify for a report, you must save it as a defined report. Otherwise, you can view the report immediately. All report templates reset to their default values each time you access them. Defined reports maintain the specific settings that you define.

All report types require that you specify the data source, which is a Policy Enforcement Point or a host that is running some component of the Cisco Secure Policy Manager system, such as Policy Distribution Points or Primary Policy Databases. This data source is a component that generates audit records. When you specify the data source, you are stating that you want to study the audit records that specific component has generated. For service-based reports, this selection translates into a data view that is specific to one or more Policy Enforcement Points. For event-based reports, you can study security and warning events that a particular Policy Enforcement Point or a Cisco Secure Policy Manager host has generated.

Note You cannot view audit event data for a host that is running only a remote GUI client. This host does not generate audit events in a report.

In addition, all report types except for Device Properties and Policy Posture require that you specify the period of time for which you want to study the data. You can only study periods for which you have enabled proper log generation in the Configure Logging and Notifications panel.

Task List for Definition Panel

You can perform the following tasks from the Definition panel. For step-by-step procedures on performing a specific task, refer to the corresponding section.

Defining Report Settings

Defining Report Settings

Using the existing report definitions under the Summary and Detail Reports branches, you can further refine the information that is represented in a report. Your ability to refine a report definition depends strongly on which audit events you have chosen to retain from within the Configure Logging and Notifications panel. In addition, the type of report that you start with as the basis for your definition also affects what information you can present in the report. You can define a report that is stored either as an ASCII text file or as an HTML file. Again, this selection depends on the type of report that you start with as the basis for your definition.

Note If you intend to schedule a report to be generated, you must complete this panel first. After this panel is complete, you can define the appropriate settings in the Schedule panel associated with this report template.

To define a specific report, perform the following task:

Step 1 To define a new report that is based on summary audit records, expand the Summary Reports branch under the Reports tree in the Navigator pane.

---or---

To define a new report that is based on detailed audit records, expand the Detail Reports branch under the Reports tree in the Navigator pane.

Step 2 Expand the selected report type branch until you view the report template node.

If you want to define a report that will be stored as an HTML file, you must expand the HTML branch. If you want to define a report that is stored as an ASCII text file, you must expand the Text branch.

Step 3 Right-click the report template icon and select Properties Definition on the shortcut menu.

Result: The Definition panel appears in the View pane.

Step 4 Select the Policy Enforcement Point(s) on which you want the report data to be based in the Specify the Data Source box.

This field identifies the network devices defined under the Network Topology tree that generate the audit event records used in the reports. Depending on the report type, you can specify a Policy Enforcement Point (for example, a PIX Firewall), a host running some component of the Cisco Secure Policy Manager, or a combination of hosts and Policy Enforcement Points.

Note To select more than one value from this list, press and hold the Shift key or the Ctrl key while selecting an item in the list. The Shift+Click option enables you to select a range of items. The Ctrl+Click option enables you to select items in any order.

Step 5 To specify the starting time of the time range for which you want to study audit event data generated by the specified data source, click Change to the far left under Specify the Time Range.

You can use one of the following methods to specify the start of the time range:

Absolute. Specifies the month, day, year, and hour for which you want to start reviewing audit records of the selected data source's activity. This date must be today's date or a date that occurred in the past. Only those audit records that were retained are presented in the resultant report. The report presents that data collected since you started storing audit events, but you can specify a previous date without ill effects. If you have archived the audit events to an ODBC-compliant database, the report will not include that data.

---or---

Relative. Specifies a whole number based on hours, minutes, or seconds. This value identifies how far back in time from the current time you want to start reviewing audit records of the data source's activity.

Step 6 To specify the ending time of the time range for which you want to study audit event data generated by the specified data source, click Change to the far right under Specify the Time Range.

You can use one of the following methods to specify the end of the time range:

Now. Specifies that you want to review the audit records that have been generated between the Beginning Time value and the current time. This value does not enable you to limit the scope of your review to a specific time range. Each time you review the report (whether it is scheduled or on demand), it will include the latest audit records.

---or---

Absolute. Specifies the month, day, year, and hour for which you want to stop reviewing audit records of the selected data source's activity. This date must be a date that occurs after the Beginning Time. If a future date is specified, the reports will only include those audit records generated up to the time that you view a report, which means the report's contents can continue to change until this date/time value is reached.

---or---

Relative. Specifies a whole number based on hours, minutes, or seconds. This value identifies how far forward in time from the current time you want to start reviewing audit records of the data source's activity.

Step 7 If you are defining a summary report, continue with Step 8. If you are defining a user activity detail report, skip to Step 10. If you are defining a network service detail report, skip to Step 12. If you are defining an event detail report, skip to Step 14.

Step 8 To specify which report field should be used to sort the table rows in the report, click that field in the Sort By box.

This option is available only for User Activity Summary reports and Network Service Summary reports.

Step 9 To continue defining this report, skip to Step 15.

Step 10 To specify the IP address of the user whose network activity you want to study, type the IP address of the user's host in the User/IP Addr box.

Step 11 To continue defining this report, skip to Step 15.

Step 12 To specify the network service that you want to study, click that network service in the Service box.

The Service box lists network services present under the Network Services branch under the Tools and Services tree in the Navigator pane.

Step 13 To continue defining this report, skip to Step 15.

Step 14 To specify the events that you want to study, click those events in the Events box.

You can select one or more of the following values for this field:

Security. These audit events are related to the state of security on the selected data source(s). Such audit events require immediate attention to ensure the integrity of your network.
Warning. These audit events identify exceptions to normal operation of the selected data source(s).
Information. The audit events provide status about the normal and expected operations of the selected data source(s).

Step 15 Select one of the following options:

To define a schedule by which this report will be generated, click the Schedule tab and see the "Defining Scheduled Reports" section for step-by-step procedures on defining the schedule settings.

---or---

To save this report as a custom on-demand report, click Save and type a descriptive name for this report in the Defined Report Name dialog box that is displayed.

---or---

To view this report immediately, click View.

Step 16 To save any changes that you have made, click Save on the File menu.

Schedule Panel

Using the Schedule panel, you can specify the network activity reports you want to generate and who to notify when they are generated. Typical scheduled reports provide daily, weekly, and monthly usage summary statistics, individual network service breakouts, and security-related event summaries. You can schedule reports to be generated as HTML files or ASCII text files. You can use a standard web browser or the GUI client to view either file type.

Learn More About the Schedule Panel

You can generate reports in either ASCII text or HTML formats. ASCII text files enable you to easily import these reports into other applications for custom formatting and presentation. You can also write custom scripts to perform custom analysis on detailed and summary reports. To view ASCII-based reports, you can use your preferred editor or viewer, such as Notepad.

The Policy Report Point, which is the Reporting subsystem for Cisco Secure Policy Manager, includes a web server component that is responsible for displaying the generated reports, whether scheduled or on-demand. This web server component allows generated reports to be rendered by any HTML-compliant browser.

The Policy Report Point can be configured to listen for HTTP requests on any TCP port number. If you have a custom network service that conflicts with the default port number (8080), you can reassign the port number on which the Policy Report Point listens. For more information on reconfiguring this port number, refer to Cisco Secure Policy Manager Administrator's Guide: System Configuration and Maintenance.

In addition to archiving audit events that are used by the reporting and monitoring subsystems, Cisco Secure Policy Manager provides the ability to export all generated audit events to an ODBC-compliant database. Using this feature, you can perform custom analysis and summary of the network traffic and activities of Policy Enforcement Points and the Cisco Secure Policy Manager servers, such as Policy Distribution Points and Primary Policy Database servers. Many organizations require custom reports and summaries when studying Internet access costs, network and bandwidth usage, and comprehensive security issues. For more information on exporting audit events to an ODBC-compliant database, refer to Cisco Secure Policy Manager Administrator's Guide: System Configuration and Maintenance.

Task List for the Schedule Panel

You can perform the following tasks from the Schedule panel and the View Reports menu command. For step-by-step procedures on performing a specific task, refer to the corresponding section.

Defining Scheduled Reports

Scheduled reports are those reports that Cisco Secure Policy Manager periodically generates after you configure the report options within the Schedule panel. You can specify which reports you want to generate, the format for those reports, and to whom the generated reports should be delivered (via e-mail).

To define a scheduled report, perform the following task:

Note Before you can schedule a report to be generated, you must complete the Definition panel first. After the Definition panel is complete, you can define the appropriate settings in the Schedule panel associated with this report template.

Step 1 To view the Reports tree alone, click Reports on the Navigator toolbar.

Result: The Reports tree appears in the Navigator pane.

Step 2 To define a new report that is based on summary audit records, expand the Summary Reports branch under the Reports tree in the Navigator pane.

---or---

To define a new report that is based on detailed audit records, expand the Detailed Reports branch under the Reports tree in the Navigator pane.

Step 3 To find the report template that you want to use as a basis for this scheduled report, expand the selected report type branch until you view that report template node.

Step 4 To access the Schedule panel, click the Summary Reports icon or the Detail Reports icon that you want to use as the basis for this report.

Result: The Definition panel appears at the forefront of the View pane.

Step 5 To view the Schedule panel, click the Schedule tab.

Result: The Schedule panel appears in the View pane.

Step 6 To access the Date - Time dialog box, click Report Time under Issue Initial Report.

Result: The Date - Time dialog box appears.

Step 7 To specify the time and date when you want the first report to be generated, select one of the following options:

Now. Specifies that you want to generate the first report now.
Absolute. Specifies an absolute time value (the first report is generated on the specified date and time). Select the date value in the Month, Day, and Year boxes. Select the time value in the Hour, Minute, and Second boxes.

Step 8 To accept the date and time you have specified, click OK in the Date - Time dialog box.

Step 9 To specify that the report is generated according to a regular schedule, click the Repeat check box.

Result: The Every box and unit of time options become available.

Step 10 To define a regular schedule by which the report is generated, type the duration value as a whole number in the Every box and click the unit of time.

Step 11 To specify the folder where you want to store the generated report file, type the folder name in the Path relative to <Root>/Data/Reports box.

This directory must be relative to the Data/Reports directory under the Cisco Secure Policy Manager root directory. If you use an absolute path, the reports will not be generated. The default value, which is a blank field, stores the files in Data/Reports.

A folder name can contain up to 255 characters, including spaces. But, it cannot contain any of the following characters: , /, :, *, ?, ", <, >, |.

Step 12 To specify the filename that you want to use when storing the files that contain instances of the scheduled report, type that filename in the Filename box.

A filename can contain up to 255 characters, including spaces. But, it cannot contain any of the following characters: , /, :, *, ?, ", <, >, |.

Step 13 To specify that you want to send an e-mail to designated recipients each time a report is generated, click E-Mail.

For information on the fields that appear in the E-Mail dialog box, see the online help system provided with Cisco Secure Policy Manager.

Step 14 To specify whether to append sequence numbers to the filename of files that contain the scheduled report, select one of the following options:

Overwrite existing file. Specifies that you want to maintain only one file for the selected type and network service specified in the scheduled report rule. If you select this option, you cannot specify a value in the Keep last __ reports check box.
Append date/time stamp to filename. Specifies that you want to append the date and time that the report was generated to the filename that you specified in the Filename box.
Append sequence number to filename. Specifies that you want to append a sequence number to the filename that you specified in the Filename box.

Step 15 To specify the maximum number of files that you want to store that result from this scheduled report rule, click the Keep last __ reports check box and enter a whole number value in the reports box.

This option cannot be used in conjunction with the Overwrite existing file option.

Step 16 To accept the changes that you have made and to close the Schedule panel, click OK.

Step 17 To save any changes that you have made, click Save on the File menu.

Viewing Scheduled HTML Reports

Scheduled reports are those reports that Cisco Secure Policy Manager generates periodically without direct administrator interaction. Using the built-in HTML browser, or a browser from a remote workstation, you can view all HTML-based and text-based scheduled reports that have been generated.

To view scheduled reports in HTML format, perform the following task:

Step 1 On the Tools menu, click View Reports.

Result: The Reports home page appears in the View pane.

Step 2 In the Reports home page, click the Scheduled Reports hyperlink.

The Scheduled Reports page appears. This page lists all the scheduled reports that have been generated according to the settings that you specified in the Schedule Reports panel of the GUI client.

Step 3 In the list of scheduled reports, click the link that identifies the report that you want to view.

Result: The selected report appears in the View pane.

Step 4 To return to the Scheduled Reports page, click Back or press the Backspace key.

Result: The Schedule Reports page appears in the View pane.

Step 5 To view another scheduled report, click the link that identifies the report that you want to view.

Result: The selected report appears in the View pane.

Step 6 Repeat Steps 4 and 5 until you have viewed all the scheduled reports in which you are interested.

Step 7 To close the HTML-browser view, click any node in the Navigator pane.