In Cisco Secure Policy Manager, the reporting and monitoring functions are closely related, because the information processed for reports and evaluated by the monitoring system depends on which audit events you specify to store/retain in the Policy Database.
To set up monitoring and reporting, follow these steps:
1. Specify settings for the Monitoring and Reporting Subsystems.
2. Select the audit events for which you want to retain audit records.
3. Specify how and when you want to notify someone on your staff if a particular audit event occurs.
4. Schedule the generation of periodic reports.
5. Specify how you want to review the reports, via e-mail or online using a web browser.
The GUI client can present detailed and summary reports and notify administrators of suspicious network activity and possible problems in the state of the Primary Policy Database server, other Cisco Secure Policy Manager servers, and the Policy Enforcement Points being managed. However, how you define your monitoring settings (configure logging and notifications) affects the details of the many reports that you can generate about the operation of the security system or a specific network service or device.
The GUI client helps you stay abreast of the state of the security system and the network usage statistics by enabling you to define the rules for audit event logging, delivery of notifications, and scheduled reports.
Once you have defined the monitoring settings, you can specify which reports you want to generate on a periodic basis. At any time, you can generate a report on-demand; however, scheduled reports can provide timely information about the security system or a specific network service. For example, you can schedule reports that provide a summary of the network traffic activity once every minute, hour, day, week, month, year, or any number of these periods. You can schedule four basic categories of reports:
You can use any web browser to generate all report types on demand, or you can use the GUI client to schedule them to run at regular intervals. The reports can be generated as ASCII text or HTML-formatted files. You can distribute scheduled reports via e-mail and store them on the special purpose web server that the Reporting Subsystem uses, enabling you and others to review the reports on an as-needed basis. In addition, you can use other scripts or programs to manipulate any scheduled reports.
Before you can use Cisco Secure Policy Manager to study audit event activities via reports or receive notifications about your network activity, you must configure the system to accept and log the audit events in which you are interested. This task involves defining the audit event filtering rules that Cisco Secure Policy Manager should retain, selecting the Cisco Secure Policy Manager host that will monitor Policy Enforcement Point Syslog streams, and specifying the Syslog settings that the Policy Enforcement Points must generate to ensure that the selected audit events can be detected.
The checklist below outlines the steps required to understand the decision-making process and basic flow required to complete the definition of your Monitoring Subsystem settings. Each step, described in the Step column, may contain several substeps and should be performed in the order presented. References to the specific procedures used to perform each step appear in the Reference column.
| Step | Reference |
|---|---|
| 1. Define the audit event filtering rules that Cisco Secure Policy Manager should retain. You can define audit events based on three categories: event classifications, specific events, and service statistics. Result: Cisco Secure Policy Manager detects and logs the audit events in which you are interested. | "Defining Event Filtering Rules based on Event Classifications" section; "Defining Event Filtering Rules based on Specific Events" section; "Defining Event Filtering Rules based on Service Statistics" section |
| 2. Select the Cisco Secure Policy Manager host that will monitor each Policy Enforcement Point Syslog stream. Within Cisco Secure Policy Manager, the Policy Monitor Point plays an important role. It collects the audit event streams from one or more Policy Enforcement Points and combines them into audit records that can be further refined into more meaningful data. The Policy Monitor Point provides this data to the Policy Report Point for administrative reports about network activity. It also combines audit events generated by Result: The Policy Enforcement Points direct all Syslog streams to the Policy Monitor Point so that | |
| 3. Specify the Syslog settings that each Policy Enforcement Point must generate to ensure that the selected audit events can be detected. To generate meaningful reports or notifications about the network activity of a Policy Enforcement Point, you must select the appropriate log level that generates the Syslog details required to track session-specific data and device-specific events. To select the appropriate log level, study the audit events that you want Cisco Secure Policy Manager to retain, and then study the documentation provided with your Policy Enforcement Point to determine the minimum log level required to generate all those audit events. Result: The Policy Enforcement Points generate the correct level of Syslog messages to ensure that the audit events selected in Step 1 can be detected by the Policy Monitor Point(s) identified in Step 2. | |
You can specify which audit events are recorded based on the classification of the events. The setting of event filtering rules based on event classification, combined with any other event filtering rules based on specific events or service statistics, identifies the information that is available for on-demand and scheduled reports.
To define event filtering rules based on event classifications, perform the following task:
Result: The Configure Logging and Notifications panel appears in the View pane.
Step 2 To specify that you want to define event filtering rules based on event classifications, click Event Classifications under Select Event Category.
Result: The list of event classifications appears under Event Description. Audit events in this category are grouped according to general status and severity. The priority color identifies the severity of audit events, where red is severe, yellow is important, and green is normal. By specifying event filtering rules that log events under this category, you determine the availability of audit records that can be used by the Policy Report Point to generate detailed and summary event reports about the primary and secondary servers and Policy Enforcement Points installed on your network. Refer to the online help for definitions of these event classifications.

Step 3 To specify the audit event for which you want to define the event filtering rule, click that audit event in the Event Description list.
Result: The options under Event Disposition become available and can be edited.
Step 4 To specify what you want Cisco Secure Policy Manager to do when an audit event of this type is triggered, click that option under Event Disposition.
For each audit event, you can define one of three rules:
Step 5 If you selected Discard event or Log event, skip to Step 6. If you selected Log event and issue notification specified below, continue with Defining Notification Rules.
Result: The Notification Scheduling, Notification Message, and Notification Methods group boxes appear in the Configure Notifications and Logging panel.
Step 6 To define the event filtering rules for additional audit events based on event classification, repeat Steps 3 through 5. Otherwise, continue with Step 7.
Step 7 To accept your changes and close the Configure Logging and Notifications panel, click OK.
Step 8 To save any changes that you have made, click Save on the File menu.
You can specify which audit events are recorded based on specific audit events that are generated by the agents and subsystems of Cisco Secure Policy Manager, including the Policy Enforcement Points installed on your network. The setting of event filtering rules based on specific events, combined with any other event filtering rules based on event classifications or service statistics, identifies the information that is available for on-demand and scheduled reports.
To define event filtering rules based on specific events, perform the following task:
Result: The Configure Logging and Notifications panel appears in the View pane.
Step 2 To specify that you want to define event filtering rules based on specific events, click Specific Events under Select Event Category.
Result: The list of events that are specific to the operation of Cisco Secure Policy Manager and the Policy Enforcement Points appears under Event Description. Audit events under this category identify individual events regarding the state of the agents that compose Cisco Secure Policy Manager, as well as the state of the servers on which they run and the Policy Enforcement Points. By specifying event filtering rules for audit events in this category, you determine the availability of audit records that can be used by the Policy Report Point to generate summary and detailed event-based reports about the primary and secondary servers and Policy Enforcement Points installed on your network.

Step 3 To specify the audit event for which you want to define the event filtering rule, click that audit event in the Event Description list.
Result: The options under Event Disposition become available and can be edited.
This list of audit events identifies the audit events that can be detected by the Policy Enforcement Points (PIX) and Cisco Secure Policy Manager servers installed on your network.
Step 4 To specify what you want Cisco Secure Policy Manager to do when an audit event of this type is triggered, click that option under Event Disposition.
For each audit event, you can define one of three rules:
Step 5 If you selected Discard event or Log event, skip to Step 6. If you selected Log event and also issue notification specified below, continue with the Specify Pager and E-mail Notification Settings task.
Result: The Notification Scheduling, Notification Message, and Notification Methods group boxes appear in the Configure Notifications and Logging panel.
Step 6 To define the event filtering rules for additional audit events based on specific events, repeat Steps 3 through 5. Otherwise, continue with Step 7.
Step 7 To accept your changes and close the Configure Logging and Notifications panel, click OK.
Step 8 To save any changes that you have made, click Save on the File menu.
You can specify which audit events are recorded for specific network services, such as HTTP and FTP. The setting of event filtering rules based on service statistics, combined with any other event filtering rules based on event classifications or specific events, identifies the information that is available for on-demand and scheduled reports.
To define event filtering rules based on service statistics, perform the following task:
Result: The Configure Logging and Notifications panel appears in the View pane.
Step 2 To specify that you want to define event filtering rules based on service statistics, click Service Statistics under Select Event Category.
Result: The list of available network services appears under Event Description. Audit events under this category are grouped according to the network service for which they can occur. By specifying event filtering rules for audit events in this category, you determine the availability of audit records that can be used by the Policy Report Point to generate user-based and network service-based activity reports about the network sessions traversing the Policy Enforcement Points installed on your network.

Note: You cannot define notifications for audit events based on the Service Statistics category. However, you can define notifications for audit events based on the Event Classifications and Specific Events categories.
Step 3 To specify the network service for which you want to define the event filtering rule, click that network service in the Event Description list.
Result: The options under Event Disposition become available and can be edited.
This list of services corresponds directly to the list of services under the Network Services branch of the Services tree.
Step 4 To specify what you want Cisco Secure Policy Manager to do when an audit event of this type is triggered, click that option under Event Disposition.
For each audit event, you can define one of two rules:
Step 5 To define the event filtering rules for additional audit events based on service statistics, repeat Steps 3 and 4. Otherwise, continue with Step 6.
Step 6 To accept your changes and close the Configure Logging and Notifications panel, click OK.
Step 7 To save any changes that you have made, click Save on the File menu.
To notify administrators about specific network activities and system events within the Cisco Secure Policy Manager system (including Policy Enforcement Points), you must define the notification rules that identify the noteworthy events, specify how often to notify the administrator, and identify to whom the notifications should be sent. This task involves defining the notification rules based on specific audit events, verifying that the Policy Enforcement Points log the appropriate level of Syslog messages, verifying that a Cisco Secure Policy Manager host is configured to detect such audit events, verifying that the notification method is properly configured on the Cisco Secure Policy Manager host, and saving the notification rules to the Policy Database.
The checklist below outlines the steps required to understand the decision-making process and basic flow required to complete the definition of your notification rules. Each step, described in the Step column, may contain several sub-steps and should be performed in the order presented. References to the specific procedures used to perform each step appear in the Reference column.
| Step | Reference |
|---|---|
| 1. Define the notification rules. Cisco Secure Policy Manager can generate notifications based on audit event classifications and specific events. However, you cannot generate notifications based on network service activities. To define a notification rule, you must specify the audit event, the notification method, and the configuration settings for that method, including the threshold and message definitions. Result: The notification rules that you want to enforce are specified within Cisco Secure Policy Manager. | |
| 2. Verify that the audit event is generated. To verify that the audit events are generated, you must ensure that the Policy Enforcement Points on your network log the appropriate level of Syslog messages to generate the specific audit events on which the notification rules are based. To select the appropriate log level, study the audit events that you want Cisco Secure Policy Manager to retain (based on both the Log event and Log event and issue notification settings), and then study the documentation provided with your Policy Enforcement Point to determine the minimum log level required to generate all those audit events. Result: The Policy Enforcement Points generate the correct level of Syslog messages to ensure that the audit events selected in Step 1 can be detected by the Policy Monitor Point(s) identified in Step 3. | |
| 3. Verify that the audit event can be detected. To verify that the audit events on which the notification rules are based can be detected, you must verify that the Syslog data streams are studied by a Cisco Secure Policy Manager host that is running the Policy Monitor Point feature set. Result: The Policy Enforcement Points direct all Syslog streams to the Policy Monitor Point so that Cisco Secure Policy Manager can detect the audit events on which the notification rules that you selected in Step 1 are based. | |
| 4. Verify that the notification method is supported. For each Cisco Secure Policy Manager host that is responsible for detecting the audit event on which notification rules are defined, you must verify that the host can generate the specific notification type. Four notification methods exist: Popup. By default this notification method is supported. You do not need to perform any additional configuration to enable this notification method. However, you can use the View Notifications panel to refine the definition of this method. E-Mail. By selecting this option, you specify that Cisco Secure Policy Manager should send an e-mail to the specified recipients each time a notification is generated for the selected audit event. Pager. For pager notifications to work properly, you must have a modem installed on each primary and secondary server that has an operating Policy Monitor Point due to MAPI constraints. By installing and configuring a modem, you automatically configure the Microsoft Telephony API (TAPI) settings that Cisco Secure Policy Manager uses to deliver pager-based notifications. Script. When you specify the location for a script file, you must define the full path. In addition, any primary or secondary server that is operating as a Policy Monitor Point for a Policy Enforcement Point that can generate such a notification must have the specified script file installed in the exact same location on that server. Result: Each Policy Monitor Point is configured to generate the desired notification methods. | "Refining Notification Settings" section |
| 5. Save configuration settings and publish the device-specific command sets to the Policy Enforcement Points. Result: You perform a Save and Update operation and distribute the generated commands to the affected Policy Enforcement Points. | "Command Generation, Verification, and Publication Checklist" section |
For audit events that are based on Event Classifications or Specific Events, you can specify event-specific notification rules that alert your staff via a pager service, e-mail, or the GUI client. In addition, you can execute custom scripts or executables that reside on the primary or secondary server that detects that the audit event has been triggered.
This procedure assumes that you have started defining an event filtering rule in the Configure Logging and Notifications panel and that you have selected a specific audit event based on either the Event Classification or Specific Events category in the Event Description list.
If you have not begun defining a rule, refer to the appropriate task for step-by-step procedures that prepare you for this task:
To specify notification settings for event filtering rules, perform the following task:
Result: The Notification Scheduling, Notification Message, and Notification Methods group boxes appear in the Configure Notifications and Logging panel.

Step 2 To specify how many times the selected audit event can be triggered before the first notification is sent, type that value in the Issue first notification after box under Notification Scheduling.
Step 3 To specify how many times after the first notification the selected audit event can be triggered before another notification is published, type that value in the Notify again every box.
Each time this threshold value is reached, an additional notification is published to the targets that you specify for this notification rule.
Step 4 To specify how many hours should pass before the audit event count is reset to zero, type that value in the Reset count every box.
The audit event count is a system value that specifies how many times the selected audit event has occurred. When this value is reset, the system acts as if the audit event has never been triggered, which means that the first notification value must be satisfied before another notification is sent. This feature can be useful when you are aware of a recurring event, such as a TCP_SYN flood attack. In this example, you may want to set the repeat value to a large number so that you are not notified incessantly about something you are aware of; however, you may want to be notified once every hour if the attack is still in progress. Specifying one hour for this value would provide you with this information.
Step 5 To include a description of the event in the notification message, click Include event description under Notification Message.
Step 6 To define a custom message to include in the notification message, click Message under Notification Message.
Result: The Notification Message Content dialog box appears.
Note: You can define custom messages that instruct the recipients of the notifications as to how they should respond to notifications of this type, or you can explain in greater detail the significance of the audit event so that the recipients do not overreact to notifications of lower importance.
Step 7 To specify a description of the contents of this notification message, type that description in the Subject box and press Tab.
Result: The cursor appears in the Message box.
Step 8 To specify the message that you want to deliver to e-mail, alphanumeric pager recipients, and/or the GUI client each time a notification is published for the selected audit event, type that message in the Message box.
Step 9 To save the changes that you have made and close the Notification Message Content dialog box, click OK.
Step 10 To require that notifications of activity concerning the selected audit event be acknowledged by an administrator before being removed from the View Notifications panel, click Require confirmation under Notification Message.
The View Notifications panel is also available on the Tools menu. It maintains a list of audit events that are generated by the security system and provides a central location for evaluating activity of the security system. Currently, this option applies only to notifications that are published to the GUI client. You can specify which notifications are published to the GUI client under Notification Methods in the next step.
Step 11 To specify which methods should be used to notify recipients of the selected audit event, select the check box for each option that applies under Notification Methods.
You can select one or any combination of four options:
Step 12 If you selected only Popup Window, skip to Step 24. However, if you selected E-Mail, Pager, or Script, continue with Step 13.
Step 13 If you selected E-Mail, continue with Step 14. Otherwise, continue with Step 17.
Step 14 To specify to whom the selected notification message should be delivered each time this notification is published, click Addresses under Notification Methods.
Result: The E-Mail Recipients dialog box appears.
Step 15 To specify the e-mail address of the recipient to whom you want to deliver the notification message, type that e-mail address in the Recipient(s) box.
Format all e-mail address entries based on the following example:
username@domain.com
Note: For the e-mail notifications to work, a MAPI client must be installed and running on the primary or secondary server that detects the audit event. An example MAPI client is the Microsoft Exchange client. For more information on installing MAPI and creating a user profile, refer to the "Creating a MAPI Profile" section.
If you wish to specify more than one recipient, click Add after you have typed the first entry. Repeat this process until you have defined the complete list of recipients. To delete a specific entry in the Recipient(s) list, select the entry and press the Delete key or click Delete. To modify an entry, select the entry and modify the value in the Recipient(s) box.
Step 16 To accept the changes that you have made and close the E-Mail Recipients dialog box, click OK.
Step 17 If you selected Pager, continue with Step 18. Otherwise, continue with Step 20.
Step 18 To specify the pager numbers to which the selected notification message should be delivered each time this notification is published, click Numbers under Notification Methods.
Result: The Pager Recipients dialog box appears.
Enter the pager number. Do not enter the "call-back" number or any other information here. Example: 5559876
Alphanumeric paging is not supported in this release.
Note: For the pager to work, a TAPI client must be installed and running on the primary or secondary server that detects the audit event. An example TAPI client is a modem. For more information on defining your TAPI settings, refer to the "Configuring a TAPI Client" section.
If you wish to specify more than one pager number, click Add after you have typed the first entry. Repeat this process until you have defined the complete list of pager numbers. To delete a specific entry in the Phone Number(s) list, select the entry and press the Delete key or click Delete. To modify an entry, select the entry and modify the value in the Phone Number(s) box.
Step 19 To accept the changes that you have made and close the Pager Recipients dialog box, click OK.
Step 20 If you selected Scripts, continue with Step 21. Otherwise, continue with Step 24.
Step 21 To specify the path and name of the scripts that should be executed each time this notification is published, click Name.
Result: The Notification Script(s) dialog box appears.
Step 22 To accept the changes that you have made and close the Notifications Script(s) dialog box, click OK.
Step 23 To define notification settings for additional audit events, select a different audit event in the Event Description list and return to Step 1. Otherwise, continue with Step 24.
Step 24 To accept your changes and close the Configure Logging and Notifications panel, click Apply.
Step 25 To save any changes that you have made, click Save on the File menu.
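The interaction of the three Notification Scheduling values set in Steps 2 through 4 can be modeled as a simple counter, shown here as an added example that is not Cisco Secure Policy Manager code. It assumes that a notification fires on the Nth occurrence and that the reset interval is measured from the first event counted after a reset; the class and function names are hypothetical and the event timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class NotificationRule:
    """Hypothetical model of the three Notification Scheduling boxes."""
    first_after: int    # "Issue first notification after" (occurrences)
    again_every: int    # "Notify again every" (occurrences)
    reset_hours: float  # "Reset count every" (hours)

    def __post_init__(self):
        if self.first_after < 1 or self.again_every < 1 or self.reset_hours <= 0:
            raise ValueError("all three scheduling values must be positive")


class EventCounter:
    """Tracks the audit event count for one audit event type."""

    def __init__(self, rule):
        self.rule = rule
        self.count = 0
        self.window_start = None  # time of the first event after a reset

    def observe(self, ts):
        """Record one occurrence; return True if a notification is due."""
        window = timedelta(hours=self.rule.reset_hours)
        # Assumption: the count resets once the reset interval has elapsed
        # since the first event counted in the current window.
        if self.window_start is None or ts - self.window_start >= window:
            self.count = 0
            self.window_start = ts
        self.count += 1
        over = self.count - self.rule.first_after
        # First notification at the threshold, then every again_every events.
        return over >= 0 and over % self.rule.again_every == 0


def notifications(rule, timestamps):
    """Return the timestamps at which the rule would publish a notification."""
    counter = EventCounter(rule)
    return [ts for ts in sorted(timestamps) if counter.observe(ts)]


def constructed_events(start, seconds_between, total):
    """Build evenly spaced sample timestamps (constructed, not captured)."""
    return [start + timedelta(seconds=i * seconds_between) for i in range(total)]


START = datetime(2000, 1, 1, 9, 0, 0)
# Constructed sustained flood: one audit event every 10 seconds for 3 hours.
FLOOD = constructed_events(START, 10, 1080)

if __name__ == "__main__":
    # Small repeat value and a long reset interval: frequent notifications.
    noisy = NotificationRule(first_after=1, again_every=100, reset_hours=24)
    # Large repeat value with a one-hour reset, as in the TCP_SYN flood
    # example: one notification per hour while the event keeps occurring.
    hourly = NotificationRule(first_after=1, again_every=100000, reset_hours=1)
    print("noisy rule :", len(notifications(noisy, FLOOD)), "notifications")
    for ts in notifications(hourly, FLOOD):
        print("hourly rule:", ts.isoformat())
```

A side effect of the reset interval is that events arriving too slowly to reach the first-notification threshold within one interval never produce a notification, so the threshold and the reset value should be chosen together.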
Before Cisco Secure Policy Manager can send notifications to you via e-mail, you must first install Windows Messaging and create a user profile on the primary or secondary server that is responsible for detecting the audit event for which you have defined an e-mail based notification rule. The following task walks you through the process of determining whether Windows Messaging is installed on the server, installing Windows Messaging, and then creating a user profile.
Tips: If you have not installed MAPI or have not defined a MAPI profile, a yellow/exception audit event is generated by the server that detects that audit event. This exception is presented in the summary and detailed event reports. This audit event states that the Scheduler is "unable to find an e-mail profile."
To set up Windows Messaging and create a user profile, perform the following task:
Result: If Windows Messaging is not installed, a dialog box appears asking if you want to install it.
Step 2 If you receive this dialog box, click Yes. Otherwise, skip to Step 5.
Result: A dialog box appears prompting you to insert the Windows NT Server CD-ROM disc into the local CD-ROM drive.
Step 3 Insert the Windows NT CD-ROM disc and then ensure that the correct path is displayed in the Copy File From box. If not, type the correct path to the Windows NT disc and click Next.
Result: The required files are copied from the Windows NT disc.
Step 4 After you have installed Windows Messaging, double-click the Inbox icon again.
Result: The Windows Messaging Setup Wizard appears and prompts you to choose the type of mail service for your user profile.
Step 5 Under Use the following information services, click Internet E-Mail, and then click Next.
Result: The wizard displays another dialog box that prompts you to enter a name for this user profile.
Step 6 To specify the name that you want to use for this profile, type that name in the Profile Name box, and then click Next.
Result: The wizard displays another dialog box that prompts you to choose the type of connection for your user profile.
Step 7 To select your existing network connection, click Network, and then click Next.
Result: The wizard displays another dialog box that prompts you to specify either the name or the IP address of the mail server.
Step 8 In the appropriate box, type the name or IP address of the mail server and then click Next.
Result: The wizard displays another dialog box that prompts you to choose whether to have mail automatically downloaded to the inbox.
Step 9 To automatically download mail to the inbox, click Automatic, and then click Next.
Result: The wizard displays another dialog box that prompts you to specify the e-mail address from which messages on the system originate.
Step 10 In the E-mail Address box, type the e-mail address from which messages on the system should originate and press Tab.
Step 11 In the Your Full Name box, type the name that should appear on all messages originating from the system and click Next.
Result: The wizard displays another dialog box that prompts you to specify the mailbox name on the mail server.
Step 12 In the Mailbox Name box, type the name of the e-mail account on the mail server and press Tab.
Step 13 In the Password box, type the password associated with this account and click Next.
Result: The wizard displays another dialog box that prompts you to specify the filename and location of the personal address book that is associated with this profile.
Step 14 To accept the default personal address book, click Next.
Result: The wizard displays another dialog box that prompts you to specify the filename and location of the personal folders that are associated with this profile.
Step 15 To accept the default personal folders, click Next.
Result: The Finish dialog box appears, stating that you have completed the Windows Messaging configuration.
Step 16 To complete the wizard and save the new user profile, click Finish.
Result: The Windows Messaging Setup Wizard closes.
Before Cisco Secure Policy Manager can send notifications to you via a pager, you must first install a modem on the primary or secondary server that is responsible for detecting the audit event for which you have defined a pager-based notification rule.
Tips: If you have not installed a modem on the primary or secondary server that detects an audit event for which you have defined a notification rule requesting that the notification be sent via pager, a yellow/exception audit event is generated by the server that detects that audit event. This exception is presented in the summary and detailed event reports. This audit event states that the notifying agent is "unable to establish a connection to a modem."
TAPI is an API built into Windows NT that enables users and developers to access telephony services. TAPI is automatically configured when you install a modem on a Windows NT-based server or workstation. For specific instructions on installing and configuring a modem, refer to the documentation that came with your modem.
Note: The modem must be installed on COM1. Alphanumeric paging is not supported in this release.
If you have properly configured your modem on the primary or secondary server and have tested the modem for functionality, you do not need to configure TAPI.
Note: After configuring pager notification for the first time, it is best to close all applications, including the GUI client.
When defining the settings for a notification, an administrator can specify that a particular notification must be confirmed before that notification is deleted from the View Notifications list. This feature provides additional accountability in the review of network activity. It ensures that an administrator reads the notification entry before that entry can be deleted. It also overrides the automatic removal of notifications from the list that occurs when the current number of entries exceeds the allowed maximum number.
To confirm a notification entry, perform the following task:
Result: The View Notifications panel appears in the View pane.

Step 2 To select the audit event message that you want to confirm, click that message in the View Notifications list.
This list displays only those notifications that have been generated by the Policy Enforcement Points and the Cisco Secure Policy Manager hosts running on your network.
Step 3 To confirm that you have reviewed the selected entry, click Confirm.
Once you confirm an entry, it is subject to automatic removal from the list. This removal occurs when the number of entries exceeds the allowed maximum number as specified in the Restrict list to box.
Step 4 To confirm additional notification entries, repeat Steps 2 and 3.
Step 5 To accept your changes and close the View Notifications panel, click OK.
Step 6 To save any changes that you have made, click Save on the File menu.
You can manually delete any entry in the View Notifications list. Once you have reviewed a notification, you may not need to keep it in this list. The oldest entries will automatically be removed from the list when the number of entries exceeds the maximum value specified in the Restrict list to box.
To delete a notification entry manually, perform the following task:
Result: The View Notifications panel appears in the View pane.
Step 2 In the View Notifications list, click the audit event message that you want to delete.
This list displays only those notifications that have been generated by the Policy Enforcement Points and the Cisco Secure Policy Manager hosts running on your network.
Step 3 To delete the selected entry, click Delete.
Result: The entry is removed from the View Notifications list.
Step 4 To delete additional notification entries, repeat Steps 2 and 3.
Step 5 To accept your changes and close the View Notifications panel, click OK.
Step 6 To save any changes that you have made, click Save on the File menu.
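The confirmation and removal rules described in the two procedures above can be modeled in a few lines. This is an added example, not code from Cisco Secure Policy Manager; the class and method names are hypothetical, and the timing of automatic removal (applied whenever an entry is added or confirmed) is an assumption.

```python
from dataclasses import dataclass
from itertools import count


@dataclass
class Notification:
    seq: int
    message: str
    must_confirm: bool        # rule requires confirmation before deletion
    confirmed: bool = False

    @property
    def held(self):
        return self.must_confirm and not self.confirmed


class NotificationList:
    """Constructed model of the View Notifications list, oldest entry first."""

    def __init__(self, max_entries):
        self.max_entries = max_entries      # the "Restrict list to" value
        self.entries = []
        self._seq = count(1)

    def add(self, message, must_confirm=False):
        entry = Notification(next(self._seq), message, must_confirm)
        self.entries.append(entry)
        self._prune()
        return entry.seq

    def confirm(self, seq):
        for entry in self.entries:
            if entry.seq == seq:
                entry.confirmed = True
        self._prune()    # assumption: the limit is re-applied right away

    def delete(self, seq):
        """Manual delete; refused for an entry that still awaits confirmation."""
        target = next((e for e in self.entries if e.seq == seq), None)
        if target is None or target.held:
            return False
        self.entries.remove(target)
        return True

    def _prune(self):
        """Remove the oldest entries that are not held until the list fits."""
        excess = len(self.entries) - self.max_entries
        kept = []
        for entry in self.entries:
            if excess > 0 and not entry.held:
                excess -= 1              # automatic removal of an old entry
            else:
                kept.append(entry)
        self.entries = kept
```

In this model, a burst of routine notifications cannot push an unconfirmed entry out of the list, and the list can grow past its limit while required confirmations are outstanding.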
Once a Policy Enforcement Point or a Cisco Secure Policy Manager host generates a specific notification, you can refine the way the GUI client behaves when other notifications of that type are generated. You can also refine the method used to notify users who are logged on to the GUI client when a notification is generated.
To refine the notification settings for the GUI client, perform the following task:
Result: The View Notifications panel appears in the View pane.
Step 2 To select the audit event message type for which you want to refine the notification settings, click that message type in the View Notifications list.
This list displays only those notifications that have been generated by the Policy Enforcement Points and the Cisco Secure Policy Manager hosts running on your network.
Step 3 To select a notification method, click the option that matches the notification method that you prefer under Event Notification Method.
These options specify what the GUI client does when a notification of the selected type is generated.
Note: For the Status line message and beep and Popup window options to operate correctly, you must be logged on to the GUI client. Such notifications are delivered to all instances of the GUI client that are connected to the same primary server. If no GUI clients are connected when notifications are generated, the notifications are queued and then delivered to the next GUI client that connects to that primary server. However, you can only confirm and delete such notifications using an administrative account with the Full Access privilege.
Step 4 To define secondary notifications for additional events, repeat Steps 2 and 3.
Step 5 To accept your changes and close the View Notifications panel, click OK.
Step 6 To save any changes that you have made, click Save on the File menu.
Within Cisco Secure Policy Manager, you can use either scheduled or on-demand reports to study network activity and system status. This task involves defining the audit event filtering rules, selecting the report type, specifying the scope of the data that you want to study, and either viewing the report immediately or specifying a schedule on which the report will be generated.
The checklist below outlines the steps required to understand the decision-making process and basic flow required to complete the definition of your Monitoring Subsystem settings. Each step, described in the Step column, may contain several substeps and should be performed in the order presented. References to the specific procedures used to perform each step appear in the Reference column.
| Step | References |
|---|---|
| 1. Define audit event filtering rules. Based on the type of report that you want to generate, you must define the audit event filtering rules that retain the data that the specified report type requires. In other words, you must configure Cisco Secure Policy Manager to collect and retain the audit events that are required to populate the specified report data. For example, if you want to generate a report about the top FTP sites, you must log FTP under Service Statistics on the Configure Logging and Notification Settings panel. Result: All audit events required by the report types that you want to generate are logged by Cisco Secure Policy Manager. | |
| 2. Select the Cisco Secure Policy Manager host that will monitor each Policy Enforcement Point's Syslog streams. Within Cisco Secure Policy Manager, the Policy Monitor Point plays an important role. It collects the audit event streams from one or more Policy Enforcement Points and combines them into audit records that can be further refined into more meaningful data. The Policy Monitor Point provides this data to the Policy Report Point for administrative reports about network activity. It also combines audit events generated by Result: The Policy Enforcement Points direct all Syslog streams to the Policy Monitor Point so that Cisco Secure Policy Manager can detect the audit events that you selected in Step 1. | |
| 3. Define the report settings and view the resultant report. Cisco Secure Policy Manager can generate a variety of reports about the system status and activities, as well as the network activity across a specific Policy Enforcement Point. These report types are organized under the Reports branch under the Tools and Services tree in the Navigator pane. In addition, you can view a report immediately (on-demand report) or, when a scheduled report is generated, view the resulting report. It is important to note that the audit events must have been recorded (meaning that they must first occur, and second they must be logged) before any report can present meaningful information. Result: Custom reports are created and saved, and the reports can be viewed once the audit events required by the report occur and are logged by Cisco Secure Policy Manager. | "Defining Report Settings" section |
Using the existing report definitions under the Summary and Detailed Reports branches, you can further refine the information that is represented in a report. Your ability to refine a report definition depends strongly on which audit events you have chosen to retain from within the Configure Logging and Notifications panel. In addition, the type of report that you start with as the basis for your definition also affects what information you can present in the report. You can define a report that is stored as either an ASCII text file or an HTML file. Again, this selection depends on the type of report that you start with as the basis for your definition.
Note: If you intend to schedule a report to be generated, you must complete this panel first. Once this panel is complete, you can define the appropriate settings on the Schedule panel associated with this report template.
To define a specific report, perform the following task:
Result: The Reports tree appears in the Navigator pane.
Step 2 To define a new report that is based on summary audit records, expand the Summary Reports branch under the Reports tree.
---or---
To define a new report that is based on detailed audit records, expand the Detailed Reports branch under the Reports tree.
Step 3 To find the report template that you want to use as a basis for this report definition, expand the selected report type branch until you view that report template node in the Navigator pane.
If you want to define a report that will be stored as an HTML file, you must expand the HTML branch. If you want to define a report that is stored as an ASCII text file, you must expand the Text branch.
Step 4 To access the shortcut menu, right-click the report template icon that you want to use as the basis for this report.
Step 5 To view the Definition panel, point to Properties and click Definition on the shortcut menu.
Result: The Definition panel appears in the View pane.

Step 6 To specify the Policy Enforcement Point(s) on which you want the report data to be based, select them in the Specify the Data Source box.
This field identifies the network devices defined under the Network Topology tree that generate the audit event records used in the reports. Depending on the report type, you can specify a Policy Enforcement Point (for example, a PIX Firewall), a host running some component of the Cisco Secure Policy Manager, or a combination of hosts and Policy Enforcement Points.
Tips: To select more than one value from this list, press and hold the Shift key or the Ctrl key while selecting an item in the list. The Shift+Click option allows you to select a range of items. The Ctrl+Click option allows you to select items in any order.
Step 7 To specify the starting time of the time range for which you want to study audit event data generated by the specified data source, click Change under Beginning Time under Specify the Time Range.
You can use one of the following methods to specify the start of the time range:
---or---
Step 8 To specify the ending time of the time range for which you want to study audit event data generated by the specified data source, click Change under Ending Time under Specify the Time Range.
You can use one of the following methods to specify the end of the time range:
---or---
---or---
Step 9 If you are defining a summary report, then continue with Step 10. If you are defining a user activity detail report, skip to Step 12. If you are defining a network service detail report, skip to Step 14. If you are defining an event detail report, skip to Step 16.
Step 10 To specify which report field should be used to sort the table rows in the report, click that field in the Sort By box.
This option is not available for Event Summary reports.
Step 11 To continue defining this report, skip to Step 17.
Step 12 To specify the IP address of the user whose network activity you want to study, type the IP address of the user's host in the User/IP Addr box.
Step 13 To continue defining this report, skip to Step 17.
Step 14 To specify the network service that you want to study, click that network service in the Service box.
The Service box lists network services present under the Network Services branch under the Tools and Services tree in the Navigator pane.
Step 15 To continue defining this report, skip to Step 17.
Step 16 To specify the events that you want to study, click those events in the Events box.
You can select one or more of the following values for this field:
Step 17 Select one of the following options:
---or---
---or---
Step 18 To save any changes that you have made, click Save on the File menu.
Scheduled reports are those reports that Cisco Secure Policy Manager periodically generates after you configure the report options within the Schedule panel. You can specify which reports you want to generate, the format for those reports, and to whom the generated reports should be delivered (via e-mail).
To define a scheduled report, perform the following task:
Note: Before you can schedule a report to be generated, you must complete the Definition panel first. After the Definition panel is complete, you can define the appropriate settings in the Schedule panel associated with this report template.
Result: The Reports tree appears in the Navigator pane.
Step 2 To define a new report that is based on summary audit records, expand the Summary Reports branch under the Reports tree.
---or---
To define a new report that is based on detailed audit records, expand the Detailed Reports branch under the Reports tree.
Step 3 To find the report template that you want to use as a basis for this scheduled report, expand the selected report type branch until you view that report template node in the Navigator pane.
If you want to define a report that will be stored as an HTML file, you must expand the HTML branch. If you want to define a report that is stored as an ASCII text file, you must expand the Text branch.
Step 4 To access the Schedule panel, click the Summary Reports icon or the Detail Reports icon that you want to use as the basis for this report.
Result: The Definition panel appears at the forefront of the View pane.
Step 5 To view the Schedule panel, click the Schedule tab.
Result: The Schedule panel appears in the View pane.

Step 6 To access the Date - Time dialog box, click Report Time under Issue Initial Report.
Result: The Date - Time dialog box appears.
Step 7 To specify the time and date when you want the first report to be generated, select one of the following options:
Step 8 To accept the date and time you have specified, click OK in the Date - Time dialog box.
Step 9 To specify that the report is generated according to a regular schedule, click the Repeat check box.
Result: The Every box and unit of time options become available.
Step 10 To define a regular schedule by which the report is generated, type the duration value as a whole number in the Every box and click the unit of time.
Step 11 To specify the folder where you want to store the generated report file, type the folder name in the Path relative to <Root>/Data/Reports box.
This directory must be relative to the Data/Reports directory under the Cisco Secure Policy Manager root directory. If you use an absolute path, the reports will not be generated. The default value, which is a blank field, stores the files in Data/Reports.
A folder name can contain up to 255 characters, including spaces, but it cannot contain any of the following characters: /, :, *, ?, ", <, >, |.
Step 12 To specify the filename that you want to use when storing the files that contain instances of the scheduled report, type that filename in the Filename box.
A filename can contain up to 255 characters, including spaces, but it cannot contain any of the following characters: /, :, *, ?, ", <, >, |.
Step 13 To specify that you want to send an e-mail to designated recipients each time a report is generated, click E-Mail.
Step 14 To specify whether to append sequence numbers to the filename of files that contain the scheduled report, select one of the following options:
Step 15 To specify the maximum number of files that you want to store that result from this scheduled report rule, click the Keep last __ reports check box and enter a whole number value in the reports box.
This option cannot be used in conjunction with the Overwrite existing file option.
Step 16 To accept the changes that you have made and to close the Schedule panel, click OK.
Step 17 To save any changes that you have made, click Save on the File menu.
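The storage rules in Steps 11, 12, and 15 (relative path only, the forbidden characters, the 255-character limit, and Keep last versus Overwrite existing file) can be checked before a schedule is entered. This is an added example, not part of Cisco Secure Policy Manager; the function and parameter names are hypothetical, and the checks marked as assumptions go beyond what the guide states.

```python
from pathlib import PureWindowsPath

FORBIDDEN = set('/:*?"<>|')   # characters the guide lists as not allowed
MAX_NAME = 255                # length limit the guide gives for both names


def check_name(name, what):
    """Return the problems found in one folder or file name."""
    problems = []
    if len(name) > MAX_NAME:
        problems.append(f"{what} is longer than {MAX_NAME} characters")
    bad = sorted(FORBIDDEN.intersection(name))
    if bad:
        problems.append(f"{what} contains forbidden characters: {' '.join(bad)}")
    return problems


def check_schedule(folder, filename, overwrite=False, keep_last=None):
    """Validate the storage settings of one scheduled report.

    folder is the value of the "Path relative to <Root>/Data/Reports" box;
    an empty string is the default and means Data/Reports itself.
    """
    problems = []
    path = PureWindowsPath(folder)
    if path.drive or path.root:
        # Drive letter, UNC share or leading separator: not a relative path.
        problems.append("folder is an absolute path; reports will not be generated")
    else:
        problems += check_name(folder, "folder")
    # Assumption (added hardening, not in the guide): no parent-directory
    # components, so the output cannot leave Data/Reports.
    if ".." in path.parts:
        problems.append("folder contains a '..' component")
    if not filename:
        problems.append("filename is empty")
    problems += check_name(filename, "filename")
    # Assumption (added hardening): a filename is a single path component.
    if "\\" in filename:
        problems.append("filename contains a path separator")
    if keep_last is not None:
        if overwrite:
            problems.append("Keep last cannot be combined with Overwrite existing file")
        # Assumption: "whole number" is taken to mean an integer of at least 1.
        if not isinstance(keep_last, int) or keep_last < 1:
            problems.append("keep_last must be a whole number")
    return problems
```

An empty list means the settings satisfy the rules above; each string in a non-empty list names one rule that was broken.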
Scheduled reports are those reports that Cisco Secure Policy Manager generates periodically without direct administrator interaction. Using the built-in HTML browser, or a browser from a remote workstation, you can view all HTML-based and text-based scheduled reports that have been generated.
To view scheduled reports in HTML format, perform the following task:
Result: The Reports home page appears in the View pane.

Step 2 In the Reports home page, click the Scheduled Reports hyperlink.
The Scheduled Reports page is displayed. This page lists all the scheduled reports that have been generated according to the settings that you specified in the Schedule Reports panel of the GUI client.
Step 3 In the list of scheduled reports, click the link that identifies the report that you want to view.
Result: The selected report appears in the View pane.
Step 4 To return to the Scheduled Reports page, click Back or press the Backspace key.
Result: The Scheduled Reports page appears in the View pane.
Step 5 To view another scheduled report, click the link that identifies the report that you want to view.
Result: The selected report appears in the View pane.
Step 6 Repeat Steps 4 and 5 until you have viewed all of the scheduled reports in which you are interested.
Step 7 To close the HTML-browser view, click any node in the Navigator pane.
Posted: Mon Jun 5 10:43:41 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.