telus rsa-envision documentation

RSA envision TELUS Version 1.0

Upload: arprasanna

Post on 01-Apr-2015

Page 1: TELUS RSA-EnVision Documentation

RSA envision

TELUS

Version 1.0


Table of Contents

RSA enVision ... 3
Login Screen ... 4
Overview ... 5
Dashboard Screen ... 6
Manage User Screen ... 7
Manage Authentication Server Screen ... 8
Manage Groups Screen ... 9
Manage Site Log in Screen ... 10
Setup Access Denied Screen ... 11
Display License Information ... 12
System Performance Screen ... 13
Manage Monitored Devices ... 14
Manage Device Group Filters ... 15
Device Types ... 16
Services: Manage Collector Service ... 17
Setup DNS Resolver Service, Setup DHCP Polling Service, Setup Site Communication, Scheduler Service ... 18
Device Services ... 19
Asset Collector Service, Universal Device Collection ... 20
Dashboard Items ... 21
Watchlists ... 22
Task Viewer, Event Explorer ... 23
Best Practices ... 24
Vulnerability and Asset Management ... 25

Alerts ... 27
Enterprise Dashboard ... 28
Views ... 29
Real-Time Detail ... 30
Import / Export Views ... 35
Output Actions ... 36
Output Action Templates ... 39
Correlation Alert / Rules ... 41
Correlation Classes ... 43
Import / Export Correlation Rules ... 44
Adding / Modifying Correlation Rules ... 45
Setup Alerter Service ... 49
Setup Alerter History ... 51

Analysis ... 52
Event Viewer ... 53
Query Tool ... 56
SQL Statements / Syntax ... 58

Reports ... 61
Reporting Module ... 62
ADHOC Reports ... 63
Compliance Reports ... 65
Scheduled Reports ... 66
Reports Folder ... 70
Setup Reports ... 71


RSA enVision™ is a feature-rich compliance and security application. It allows you to automatically capture and analyze log information from your network, security, application, operating and storage environments. enVision's LogSmart® Internet Protocol Database (IPDB™) provides the only architecture proven to automatically collect and protect All the Data™, from any network device, without filtering or agents. It gives you a true picture of how your network is being used, and by whom. It independently monitors your network to verify security policies, to generate alerts for possible compliance breaches, and to analyze and report on network performance.

enVision is tightly coupled with the underlying appliance operating system and hardware, and together they comprise a highly scalable platform that provides guaranteed levels of performance, plus the ability to grow over time.


1. enVision Login Screen

To access the enVision Web UI, open Internet Explorer and enter the enVision site name or the IP address of the appliance in the address bar, followed by a colon and the port 8443. TELUS uses HTTPS for web communication with the appliance:

https://sarsaenv.araneta:8443 or https://172.17.127.41:8443

Enter user credentials to access the enVision system. The default credentials for the enVision administrator are:

Username: administrator
Password: administrator

For security reasons, it is strongly advised to change the administrator password. Do NOT disable the account, because it serves as the fail-safe login.


Overview


1.1. RSA enVision Dashboard Screen

To display dashboard items, select the corresponding items in the left pane. The items shown depend on the user logged in to the enVision GUI: each user sees only the items associated with their account.


2. Manage Users Screen

To add, delete or modify a user, go to the Overview tab, click System Configuration and expand the Users module. Select Manage Users to reach this screen.

Click ADD to add a user.

Click BULK ADD to add a large number of users through Active Directory / LDAP integration.

Tick the check box of a user and click DELETE to remove the user.

Tick the check box of a user and click MODIFY to reconfigure the user's attributes.

Click REPORT to view the list of existing users as an HTML report.


3. Manage Authentication Servers Screen

To add authentication servers such as Active Directory or LDAP, you must specify a domain administrator credential for each server. This is required when you add a user whose credentials are validated against a domain controller or LDAP server.

Click ADD to add an authentication server.

Tick the check box of an authentication server and click DELETE to remove it.


4. Manage Groups Screen

To add or modify an enVision user group, refer to the screen above. Click a user group to view its attributes.

A user added to a group inherits the group's attributes upon becoming a member of it.

To override a group attribute for a specific user, tick the "Override Default" check box.


5. Manage Site Log In Permissions

To configure which user groups are granted access to enVision, refer to the screen above.

To view the permissions a group has, click Manage Module and Tool Permissions.

To modify the Event Explorer log-in permissions, click Manage Event Explorer Permissions.


6. Set Up Access Denied Screen

Refer to the screen above to configure what enVision does in access-failure scenarios.


7. Display License Information

To view the license details for TELUS enVision, click Display License Information in the left pane of the screen.


8. System Performance Module Screen

The screen above shows the current status of TELUS's enVision, with details about collection over the different transport protocols:

- Syslog (UNIX and network devices)
- Trapd/SNMP (anti-virus and security devices)
- Windows (Application, System and Security events from Windows hosts)
- LEA (Check Point firewall)
- ODBC (databases)
- SDEE (Cisco IDS/IPS)
- File Reader (flat-file collection, e.g. TXT, LOG)

It also shows:

- Web Server Activity: usage of the web server that hosts the enVision UI, alerting and reporting.
- Analysis Disk Storage: the storage enVision uses for reporting and event viewing.
- DB Server Activity: activity of the enVision database server, the IPDB (Internet Protocol Database).
- Alerter Latency: the time an alert waits in a view before it is triggered.
- Event Storage Capacity: usage of the event disk repository.


9. Manage Monitored Devices

Displays the devices enVision is currently collecting from, whether they are supported and recognized as such or identified as Unknown.

You can sort the list by IP address, Name, Device Type, Site Node or Status.

If a device is identified as Unknown, its collection state is automatically set to Candidate: only a few events are parsed, and enVision does not collect events continuously from it.

The collection state of an unknown device is set to Active only if the device is the subject of UDS (Universal Device Support); this is the only way to extract enough events for UDS development.

Note: It is not advisable to add a device manually, because enVision then has no assurance that it is actually collecting events from it. Best practice is to configure the device to send events to enVision first and let enVision recognize the device automatically.


10. Manage Device Group Filter

Use this screen to add and manage device groups using STATIC and DYNAMIC selection.

11. Manage Device Attributes Definition

Manage additional device information and details used for asset inventory.

12. Import / Export Device Attributes

Open a file that holds the device information and details and add it to enVision. You can also export the existing information to a flat file for safekeeping.

13. Manage Device Types

Indicate which device types are covered for event collection, reporting and alerting in enVision. The default configuration has all device types selected; untick a specific device type to deselect it. Refer to the next screenshot.


14. Services -> Manage Services Screen

Start, stop and restart a particular service, either one at a time or a whole selection of services.

Specify whether you want enVision to log the status and activities of the service. This is useful if you want to alert on any activity the service takes and also have it displayed in a report.

You can also edit the logging level of each service.

15. Manage Collector Service

Edit the configuration of the NIC Collector service:

- Change the default UDP ports enVision uses for syslog event collection. You can also specify additional ports and enable support for syslog-ng headers. Syslog over UDP carries no sender authentication, so restrict which sources can reach these ports at the network layer.
- Configure the auto-discovery feature of enVision for new devices.
- Enable real-time DNS resolution of devices upon discovery (dependent on the DNS server).
- Specify the sampling period, the number of events enVision uses to discover a new device (leave the default).


16. Setup DNS Resolver Service

Configure the hostname resolution feature of enVision. This applies to the address information in events. Configure the label enVision displays whenever the DNS service cannot resolve an address. Default: UNKNOWN; you can change this if needed.

17. Setup DHCP Polling Service

enVision has four polling intervals it uses to resolve DHCP addresses. The administrator defines the polling rate for each IP address range on the Set Up DHCP Polling Service window, and enVision assigns a polling interval to each hostname:

Poll rate - Consists of - Resolution done by

Discovery - The entire defined DHCP address space; all addresses are included. - IP address, with a default resolution interval of 180 minutes. This identifies new hostnames added to the DHCP range.

Slow - Hostnames that do not change DHCP addresses frequently. - Hostname, with a default resolution interval of 60 minutes.

Mid - Hostnames that change DHCP addresses regularly. - Hostname, with a default resolution interval of 15 minutes.

Rapid - Hostnames that change DHCP addresses frequently. - Hostname, with a default resolution interval of 1 minute. If a new hostname is detected as part of the DHCP address space, it is automatically added to the Rapid poll rate.

18. Set Up Site Communication

Modify the existing IP addresses that enVision uses for site communication, such as the web interface and log collection. Change only if necessary.

19. Scheduler Service

The NIC Scheduler Service allows you to run reports, graphs and system events at a specified time. It can also schedule any executable process, such as scripts and binaries, that is stored INSIDE the enVision directory folders. Because anything placed in those folders can be scheduled to run, keep write access to them restricted.


20. Device Services

Some devices have device-specific services in enVision. Set up the options for the device-specific service for the device in enVision.

The system includes the following device-specific services (refer to the enVision online help):

FW-1 LEA Client Service:
- Check Point Provider-1
- Check Point FW1/VPN-1/SmartDefense

File Reader Service:
- Apache
- Blue Coat Systems CacheOS
- Blue Coat Systems SGOS
- Cisco Access Control Server
- Cisco Content Engine
- IBM iSeries
- IBM Mainframe ACF2*
- IBM Mainframe DB2 UDB*
- IBM Mainframe RACF*
- IBM Mainframe Top Secret*
- Juniper Networks Steel-Belted Radius
- Microsoft Exchange Server
- Microsoft IIS
- Microsoft ISA Server
- Network Appliance NetCache
- Nortel Alteon Switch Firewall
- Oracle
- RSA Security
- Tripwire Enterprise
- Other devices that write their logs to a flat file (.log, .w3c, .txt, .unx, etc.)

Secure SDEE Collection Service:
- Cisco Adaptive Security Appliance
- Cisco Secure IDS

ODBC Service:
- ActivIdentity
- ISS SiteProtector
- McAfee ePolicy Orchestrator
- Microsoft SQL Server
- Oracle

Windows Service:
- McAfee VirusScan Enterprise
- Microsoft Windows


21. NIC Asset Collector Service

Collects asset information (such as operating system and service ports) and asset vulnerabilities from third-party vulnerability assessment tools and asset tracking tools.

You can view, add, modify and delete configurations associated with the Asset Collector service.

RSA does not support using both the legacy NIC Vulnerability Service and the NIC Asset Collector Service.

22. Universal Device Collection

Universal Device Collection allows enVision to collect from any device or application that logs via File Reader, ODBC or SNMP traps. The three methods of Universal Device Collection are:

- File Reader
- ODBC
- SNMP Traps


23. Dashboard Items -> Manage Dashboard Items

- The Dashboard has standard Dashboard reports and graphs as dashboard items. You can also create your own Dashboard reports.

- The administrator can modify various parameters involved with running the reports and graphs, and can set permissions for each of the dashboard items. Other parameters are set on the reports themselves.

- When a report is created, it has the following defaults associated with it:

Time Span: 1 hour for summary table reports; 10 minutes for detailed table reports. You cannot change these values.

Enabled: Off.

Refresh rate: 1 minute for summary table reports; 10 minutes for detailed table reports.


24. Watchlists

Watchlists are a named collection of strings that represent a list of like-values. You can use watchlists as a shortcut to filtering the events in enVision on which you want to alert or report.

You configure watchlists using the enVision user interface. You can add values to a watchlist individually or in bulk using the import facility.

You can use watchlists to filter events in reporting (using runtime parameters referred to in the WHERE criteria) and in alerting (using a correlated rule or single event filtering). Filtering is performed by comparing an event variable against items in the watchlist.

When you update a Watchlist, enVision immediately applies this change to the Alerter and views without requiring you to stop and restart the NIC Alerter service or any related views. This means you can update Watchlist information while the NIC Alerter service and views are running.
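Added example (not part of the TELUS document or of enVision itself): a stand-alone Python model of the watchlist filtering described above. A watchlist is loaded from bulk-import text, and parsed events are kept when a chosen event variable matches an entry. The event fields, the import format (one value per line, '#' comments) and the trim/case-fold normalisation are assumptions of this example, not enVision behaviour.

```python
"""Added example (not enVision code): watchlist filtering over parsed events."""
from dataclasses import dataclass, field


@dataclass
class Watchlist:
    """A named collection of like-values, as enVision's watchlists are."""
    name: str
    values: set = field(default_factory=set)

    @staticmethod
    def normalise(value: str) -> str:
        # Assumption of this example: trim and case-fold so 'Admin ' and
        # 'admin' compare equal; raw exact matching is what usually misses hits.
        return value.strip().casefold()

    def add(self, value: str) -> None:
        self.values.add(self.normalise(value))

    def bulk_import(self, text: str) -> int:
        """Load values from bulk-import text: one value per line, blank lines
        and '#' comments ignored.  Returns the number of new values added."""
        before = len(self.values)
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()
            if line:
                self.add(line)
        return len(self.values) - before

    def contains(self, value: str) -> bool:
        return self.normalise(value) in self.values


def filter_events(events, variable, watchlist, negate=False):
    """Keep events whose `variable` is on the watchlist (or off it when
    negate=True).  An event lacking the variable is never 'on the list', so
    it is dropped by a positive filter and kept by a negated one."""
    kept = []
    for event in events:
        value = event.get(variable)
        on_list = value is not None and watchlist.contains(value)
        if on_list != negate:
            kept.append(event)
    return kept


# Constructed sample data, not real TELUS events or accounts.
SAMPLE_EVENTS = [
    {"device": "fw01", "user": "jsmith", "saddr": "10.1.1.5", "msg": "login ok"},
    {"device": "vpn01", "user": "Admin", "saddr": "203.0.113.7", "msg": "login ok"},
    {"device": "dc01", "user": "svc_backup", "saddr": "10.1.1.9", "msg": "logon failure"},
    {"device": "dc01", "user": "root", "saddr": "198.51.100.23", "msg": "logon failure"},
]

PRIV_USERS_IMPORT = """# privileged accounts (constructed bulk-import text)
admin
root
Administrator
"""


def privileged_watchlist() -> Watchlist:
    """Build the privileged-accounts watchlist from the import text."""
    watchlist = Watchlist("priv_users")
    watchlist.bulk_import(PRIV_USERS_IMPORT)
    return watchlist


def privileged_logins(events=SAMPLE_EVENTS):
    """Events where the 'user' variable matches the privileged watchlist;
    this is the single-event filter an alert view would apply."""
    return filter_events(events, "user", privileged_watchlist())


if __name__ == "__main__":
    for event in privileged_logins():
        print(event["device"], event["user"], event["msg"])
```

Because the watchlist is a plain set, adding a value takes effect on the next event filtered, which is the same "update without restarting the Alerter" property the text describes.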


25. Task Viewer

The Task Triage feature allows you to group events into tasks for the purpose of investigation. You display and work with the tasks in the Event Explorer application.

In addition, you can use the Overview→Task Viewer→Browse Tasks window to review the status of tasks, and you can report on Task Triage data through the Standard Task Triage Reports or the Task Triage Dashboard Report.

You can create tasks in either:

- The enVision Web UI, by using the:
  - Task Create output action associated with an Alerter View for a correlated alert. The task created from the Alerter has an attached trace log file that contains the list of event messages that led to the firing of the alert. The initial owner of an Alerter-generated task is the task-dispatchers user group. enVision comes with a default Task Create output action that you can use when creating a view.
  - Task Escalate output action, to escalate tasks to an external application (such as a third-party ticketing system).
- The enVision Desktop Client (Event Explorer), while viewing event data within a table or chart, as event messages of interest are discovered.

Event Explorer provides task workflow management operations such as viewing and editing task data, acknowledging new tasks, assigning a task to other users and changing the state of the task.

In Event Explorer, you display the tasks on the Task Triage panel and view individual tasks in the Task Editor window. You can modify a task, attach files to a task, change its owner and close or delete a task. You can also escalate a task to an external application such as a ticketing system.

Your administrator needs to assign the appropriate Event Explorer permissions to your user profile in enVision. These settings control whether or not a user can:

- access Event Explorer (Allow Event Explorer Access permission)
- delete a task in Event Explorer (Allow Task Deletion permission)
- escalate tasks in Event Explorer (Allow Task Escalation permission)


26. Best Practices

Use the Best Practices tool to access:

Best practice documents, for issues such as compliance regulations.

enVision online Help.


27. VAM ( Vulnerability and Asset Management)

enVision's Vulnerability and Asset Management (VAM) feature provides unified management of your assets and vulnerability incident analysis, using the following:

Asset Database (ADB). The ADB is a unified view of assets created by merging data from supported vulnerability assessment (VA) tools and imported asset information from asset tracking tools. This view of the assets provides security managers with insight into their operations.

Vulnerability Knowledge Database (VDB). The VDB is an embedded repository of vulnerability information derived from the National Vulnerability Database (NVD). This greatly expands and improves the incident analysis you can perform through enVision and enables enVision to automatically correlate security incidents.


The VAM feature allows you to perform the following for assets and vulnerabilities:

Event analysis.

Alerting.

Reporting.

Incident response.

Browse assets and vulnerabilities.


Alerts


28. Enterprise Dashboard

Use the Enterprise Dashboard tool in the Alerts module to monitor the peak status information of multiple views concurrently from a single screen.

Enterprise Dashboard features include:

Easy to use and intuitive map-based interface.

Ability for administrator to choose unique map for each collection. Administrators can upload their own custom maps.

Hierarchy of views and collections (groups of views) allow for the custom display of multiple view statuses simultaneously.

Drill-down capability allows you to go from a high-level display to detailed information within Enterprise Dashboard or start the Real-Time Details tool in the Alerts module to display detailed information about the current view.

Information area displays detailed alert status information for any item.

Flexibility to display status information for multiple views on the same screen.

User restriction to specific views applied for all Enterprise Dashboard collections.

Administrators can customize the way that alert information is categorized and displayed - this allows you to display alerts from multiple views in a way that fits your monitoring needs.

Enterprise Dashboard allows users to monitor multiple views at once, and quickly drill-down into a view to display detailed information.

Users are limited to the views for which they have access (as defined through user permissions for each view). If a user displays a collection that contains a view they do not have access to, no information about that view is visible to them. The alert severity status for that collection is calculated as if the restricted view did not exist.


29. Views

A view defines the devices, messages, correlated alerts and user-defined criteria, within a single site, for which enVision issues alerts. The NIC Alerter Service analyzes incoming event messages and generates alerts based on the views. Devices may exist in multiple views, so a series of events by a single device may fire alerts in multiple views.

You can have up to 64 views enabled at one time.

The administrator creates and modifies views using the Manage Views window in the Alerts module.

Alerts display on a view-basis on the Real-Time Details window in the Alerts module. You can display details about the alerts on the Alert History window.

You can optionally assign output actions for individual alerts (such as SMTP, SNMP, text file, or instant message). Each view has specific users allowed to monitor the alerts for the view. Alert data is available for real-time and historical analysis in any site in the NIC Domain.


The peak status information of multiple views displays on a collection basis (group of views) on the Enterprise Dashboard window in the Alerts module. A view may only exist in a single Enterprise Dashboard collection.

If a user or user group has access to a view but not to some of the devices within that view, the view is displayed as if those devices did not exist.

Alert data is available for real-time and historical analysis.

The NIC view, NIC_View, allows you to monitor system health, alerting you to possible issues within the enVision software environment.

You cannot modify or delete the NIC_View view, but you can disable it.

The NIC_View view monitors all devices on its site. It uses a series of correlation rules to alert on NIC events of alert level 0 to 4. The NIC_View view is comprised of the following correlation rules:

NIC_ALERTER, NIC_APPSERVER, NIC_COLLECTOR, NIC_CROSSPLATFORM, NIC_DBMLSYNC, NIC_DNS, NIC_EAMANAGER, NIC_FORWARDER, NIC_LOCATOR, NIC_LOGGER, NIC_NSSERVER, NIC_PACKAGER, NIC_SCHEDULER, NIC_VAM

30. Real-Time Detail

To display real-time alerts in the Real-Time Details tool:

Click Alerts→Real-Time Detail and select a view. enVision displays the Real-Time Details window.

Select the type of alerts to display from the Show drop-down list.

enVision displays the status of the NIC Global Alerts categories, the status of each of the alert levels, and the status of the selected alert category.


As the various alerts occur, enVision changes the color of the associated gauge and updates the count displayed under the gauge. The gauges change color based on severity levels.

Proceed according to the following table:

To display a list of all the alerts currently in the database that are associated with a level or category: click the alert count value under the gauge for the level or category (the count associated with the gauge must be greater than zero). The system displays the alerts for the level or category on the Alert History window.

To reset the color of the alert indicator and severity levels: click Recalculate. The system recalculates the severity levels and sets the alert indicators back to green.

Periodically, enVision resynchronizes the alerts (stored NIC events in the event database) so that only the more recent alerts display in the Real-Time Detail tool and the History tool.


Use the Real-Time Details window to visually monitor alerts in the incoming events for available views. You can access resolution history for the alerts on the Alert History window.

The number of alerts available to monitor in the Real-Time Details window depends on the options set for alert synchronization.

Field - Description

Show - Select the sections of the window you want to display from the drop-down list. Values are:
- Global Alerts, Alert Levels and Alert Details
- Global Alerts and Alert Details (default)
- Global Alerts and Alert Levels
- Alert Levels and Alert Details
- Global Alerts
- Alert Levels
- Alert Details

Resolve IP Addresses - Select the check box to display the Resolved Name in the Top Source and Top Destination drop-downs.

Recalculate - Click to recalculate all current severity levels and reset all severity level gauges to low (green).

Global Alerts / Levels - Gauges display the current severity levels for each NIC Category alert. The arrows on each gauge indicate the peak value. The alert count for each category displays below the gauge. The gauges and arrows change color to indicate the severity level:
- Low (green)
- Guarded (blue)
- Elevated (yellow)
- High (orange)
- Severe (red)

Click the alert count value under the gauge for the level or category (the count associated with the gauge must be greater than zero). The system displays the alerts for the level or category on the Alert History window.

Global Alerts default categories are: Attacks, Recon (Reconnaissance), Content, Auth (Authentication), User, Policies, System, Config (Configuration), Network, and Other.

Default alert levels are: Level 0-1, Level 2, Level 3, Level 4, Level 5, Level 6, Level 7.

Alert Details - Note: Click a column heading to sort by that column. enVision continues to sort alerts in this order until you close the Real-Time Details window.


Field - Description

Rank - Displays the alert categories ranked by severity level from highest to lowest.

Peak Severity - Displays the highest alert severity level to date, based on the current alert synchronization, for the alert category. Click the light to reset the severity level for that alert class and category.

Current Severity - Displays the alert severity level based on alerts generated over the last interval for the alert category. Click the light to reset the severity level for that alert class and category.

Trend - Displays the current trend of the alert severity level: whether it has gone up or down over the last interval.

Count - Displays the number of alerts for the alert category included in the current evaluation, based on the current alert synchronization.

Alert Category - Displays the alert category. Select an alert category to display the Alert Browser window. Click to display a tool tip with the following information about the latest event received: source device, source asset, destination asset and message content.

Top Device Class - Displays the device class contributing the most alerts to the alert category. Click the device class to display a drop-down box with the device class, alert count, latest source address, latest destination address and latest message. In the drop-down box you can:
- Click X to close the drop-down box.
- Click the device class to display the Alert History window, with the alerts matching the alert class and alert category of the device class you selected.

Top Source Asset - Displays the source asset contributing the most alerts to the alert category. Click the source asset to display a drop-down box with the following information about the top five source assets:
- Source IP Address: when event thresholds are set, the IP address of the message that caused the system to generate the alert.
- Resolved Name: the resolved name, if available.
- Count: the number of alerts for each unique source IP address. For example, if the system generates five alerts from the same source IP address, the Top Source Asset drop-down contains one source IP address with a count of five.


In the drop-down box you can:

Click X to close the drop-down box.

Click a source address to display the Alert History window, with the alerts meeting the search criteria matching the alert category and source IP address of the source asset you selected.

Top Destination Asset - Displays the destination asset contributing the most alerts to the alert category. Click the destination asset to display a drop-down box with the following information about the top five destination assets:
- Destination IP Address: when event thresholds are set, the IP address of the message that caused the system to generate the alert.
- Resolved Name: the resolved name, if available.
- Count: the number of alerts for each unique destination IP address. For example, if the system generates ten alerts to ten different destination IP addresses, the Top Destination Asset drop-down contains five different destination IP addresses, each with a count of one. enVision displays the top five destination IP addresses sorted by count; if the count is the same, enVision sorts by IP address.

In the drop-down box you can:

Click X to close the drop-down box.

Click a destination address to display the Alert History window, with the alerts meeting the search criteria matching the alert category and IP address of the destination asset you selected.
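Added example (not part of the TELUS document or of enVision): a Python implementation of the top-five asset ranking that the Top Source Asset and Top Destination Asset drop-downs describe, counted per unique IP within one alert category, sorted by count and then by IP address. The alert records, the name table standing in for DNS behind "Resolve IP Addresses", and numeric (rather than string) IP ordering for the tie-break are assumptions of this example; the page says only that enVision sorts by address.

```python
"""Added example (not enVision code): top-N asset ranking for one alert category."""
from collections import Counter
from ipaddress import ip_address

# Constructed alert records; 'saddr'/'daddr' are the source and destination of
# the message that fired each alert.  Not real TELUS data.
SAMPLE_ALERTS = [
    {"category": "Attacks", "saddr": "198.51.100.23", "daddr": "10.1.1.10"},
    {"category": "Attacks", "saddr": "198.51.100.23", "daddr": "10.1.1.2"},
    {"category": "Attacks", "saddr": "203.0.113.7", "daddr": "10.1.1.10"},
    {"category": "Attacks", "saddr": "203.0.113.7", "daddr": "10.1.1.100"},
    {"category": "Attacks", "saddr": "192.0.2.44", "daddr": "10.1.1.2"},
    {"category": "Attacks", "saddr": "192.0.2.44", "daddr": "10.1.1.20"},
    {"category": "Recon", "saddr": "192.0.2.44", "daddr": "10.1.1.3"},
    {"category": "Attacks", "saddr": "192.0.2.44", "daddr": "10.1.1.4"},
    {"category": "Attacks", "saddr": "192.0.2.44", "daddr": "10.1.1.5"},
]

# Constructed resolver table used in place of a DNS lookup.
NAMES = {"10.1.1.10": "web01.example", "10.1.1.2": "dc01.example"}


def top_assets(alerts, category, field, n=5, resolve=False):
    """Return up to n (ip, resolved_name, count) tuples for `field`
    ('saddr' or 'daddr') within one alert category, ordered by count
    descending and then by IP address ascending.

    The tie-break compares ip_address objects, so 10.1.1.2 sorts before
    10.1.1.10; a plain string sort would put 10.1.1.10 first."""
    counts = Counter(a[field] for a in alerts if a["category"] == category)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], ip_address(kv[0])))
    return [(ip, NAMES.get(ip) if resolve else None, count) for ip, count in ordered[:n]]


if __name__ == "__main__":
    for ip, name, count in top_assets(SAMPLE_ALERTS, "Attacks", "daddr", resolve=True):
        print(f"{ip:<14} {name or '-':<16} {count}")
```

Alerts in other categories are excluded before counting, so a noisy Recon source does not affect the Attacks ranking; the sixth unique destination is dropped by the top-five cut.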


31. Import / Export Views

You can import and export views that consist solely of correlated rules.

The view is not enabled upon import; to use it, you must enable the view on the Manage Views window.


32. Output Actions

Use the Output Action feature to configure output options for alerts. You set up output actions in the Manage Output Actions window.

Output action types are:

Type - Use to

Text File - Send alerts to a text file in the directory you specify. enVision writes all alerts associated with the Text File output action for that view to the file name you specify. The format is identical to the received message. enVision continues to add alerts to this file over time, so the file grows until you delete it. You are responsible for backing up and deleting this file.


SNMP (Simple Network Management Protocol) - Send alerts through SNMP traps.

SMTP (Simple Mail Transfer Protocol) - Send alerts through email. You can also send generated reports to one or more defined e-mail addresses (up to five). enVision allows for the e-mail delivery of scheduled and ad hoc reports.

AIM - Send alerts through AOL Instant Messenger (AIM). enVision sends one message every 5 seconds; the NIC Alerter Service adds messages to a queue to be sent. For example, a burst of 12 messages in one second takes one minute to send out.

Syslog - Forward a syslog message from a source device to an external syslog server in its original format. Note (multiple-appliance site): the A-SRV forwards the syslog messages. This feature is useful when:
- A system other than enVision requires the syslog messages but cannot handle the full load. In this case enVision filters the syslog events before forwarding them.
- A system other than enVision requires the syslog messages and the source device does not support multiple destinations.

Note: You cannot use the Syslog output action with correlated rule events.
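Added example (not part of the TELUS document or of enVision): a Python model of the filter-and-forward behaviour of the Syslog output action. It parses the RFC 3164 <PRI> header of each message, keeps only the messages that match a severity/facility policy (the "downstream cannot handle the load" case above), and forwards the kept messages byte-for-byte unchanged over UDP, so the downstream server sees the original format. The policy, the sample messages and the UDP target are assumptions of this example.

```python
"""Added example (not enVision code): filter syslog by PRI and forward unchanged."""
import re
import socket

_PRI_RE = re.compile(rb"^<(\d{1,3})>")
# RFC 3164 severity codes; 0 is the most severe.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def parse_pri(raw: bytes):
    """Return (facility, severity) from the <PRI> header, or None when the
    message has no valid PRI.  Such messages are treated as unparsable and
    are not forwarded rather than guessed at."""
    m = _PRI_RE.match(raw)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:            # 23 facilities * 8 severities - 1
        return None
    return divmod(pri, 8)    # facility = pri // 8, severity = pri % 8


def select_for_forwarding(messages, max_severity, facilities=None):
    """Keep messages whose severity number is at most max_severity and, if
    `facilities` is given, whose facility is in that set.  The returned
    messages are the original bytes, untouched."""
    kept = []
    for raw in messages:
        parsed = parse_pri(raw)
        if parsed is None:
            continue
        facility, severity = parsed
        if severity > max_severity:
            continue
        if facilities is not None and facility not in facilities:
            continue
        kept.append(raw)
    return kept


def forward(messages, host, port):
    """Send each message as one UDP datagram, byte-for-byte as received.
    Returns the number of datagrams sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for raw in messages:
            sock.sendto(raw, (host, port))
    return len(messages)


# Constructed sample messages in RFC 3164 style; not real TELUS traffic.
SAMPLE_MESSAGES = [
    b"<34>Oct  1 12:00:01 fw01 kernel: DROP IN=eth0 SRC=198.51.100.23 DST=10.1.1.10",  # auth.crit (4, 2)
    b"<190>Oct  1 12:00:02 web01 httpd: GET /index.html 200",                          # local7.info (23, 6)
    b"<13>Oct  1 12:00:03 dc01 sshd: Failed password for root from 192.0.2.44",        # user.notice (1, 5)
    b"<4>Oct  1 12:00:04 fw01 kernel: link down on eth1",                              # kern.warning (0, 4)
    b"Oct  1 12:00:05 legacy01 app: message without a PRI header",                    # no PRI: dropped
    b"<999>Oct  1 12:00:06 bad01 app: out-of-range PRI",                              # invalid PRI: dropped
]


if __name__ == "__main__":
    # Forward only warning-or-worse messages to an assumed collector on localhost.
    to_send = select_for_forwarding(SAMPLE_MESSAGES, SEVERITY["warning"])
    print("forwarded", forward(to_send, "127.0.0.1", 5514), "of", len(SAMPLE_MESSAGES))
```

Filtering on the PRI header alone keeps the forwarder cheap and leaves the message body untouched, which is what "original format" requires; anything that needs correlated events has to go through the Alerter instead, as the note above says.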

Run Command Launch a command. The run command output action creates an output module that launches a single command immediately. You can specify the executable name and a list of parameters to pass to the command. enVision generates a NIC log event that states the command has started, and whether or not it was successful.

Task Triage Creates a Task Triage task with an attached trace log file containing a list of event messages that fired the alert. Also, you can assign the Task Triage output action only to a correlated rule associated with the Alerter View. You can have only one Task Triage output action within a NIC Domain. In Task Triage, the initial owner of the Alerter-generated task is anyone in the task-dispatchers group.

Caution! Do not delete the Task Triage output action after it has been created. Tasks created by the Alerter rely on the existence of a Task Triage output action for critical setting information.


SNPP SNPP (Simple Network Paging Protocol)

Send alerts through SNPP to a cell phone or pager (this means the output message is limited to 128 characters).

You can assign an output action to:

Alerts:

A specific device class/alert/alert severity level combination within a view in the Manage Views - Add/Modify Output Action Information window. (Exception: You cannot assign the Task Triage output action using this method.)

A specific message in a view by clicking the ON/OFF link in the Output Actions Per Alert column in the Manage Views - Customize Alert Configuration window.

A report to send generated reports through email. enVision uses the SMTP output actions only as a template to pre-fill the email options. (Exception: You cannot assign the Triage output action using this method.)

Depending on the output action you selected, you can apply different output action templates to the output.

You can assign an output action template to a text file output action. An output action template specifies the format and fields for the alert output.


33. Output Action Templates

An output action template specifies the format and fields for the alert output. You can use an output template for multiple types of output actions.

You can create custom output action templates, use the NIC-defined output action templates, or modify the NIC-defined output action templates.

There are four NIC-defined templates:

Template Name Use for

Short Format Delivery methods that restrict the amount of information that can be displayed, such as Instant Messenger, mobile email, pagers and mobile phones. The template contains fields that convey the most important information in the shortest amount of text.

Most Common Fields Standard email delivery. This template contains the most-commonly-accessed alert fields.

Long Format Workflow integration with other computer systems. This template contains all fields available for output.

SNPP SNPP (Simple Network Paging Protocol) delivery method. This template is designed for a pager with limited display room. As a result, enVision only selects the Message ID field for output (the output message is limited to 128 characters).

You can configure the output action template to generate output in either ASCII text string (simple delimited fields) or HTML (using a simple table so the columns line up) format.

Page 41: TELUS RSA-EnVision Documentation

41

34. Correlation Rules

A correlated alert or Correlation Rule is a combination of alerts from various devices that occur within a specified period of time.

Each correlated alert is set up as a correlation rule. The rule identifies a set of events from a device type and defines a set of specific conditions to be met. When the defined conditions are met, the system generates a correlated alert. Each correlated alert has its own message ID and message text, as defined in the correlation rule.

Correlation classes define a set of alert categories and a label for the class; these are used during alert monitoring. Each correlation rule is assigned to a correlation class.

There are system-defined correlation rules, assigned to the system correlation class Correlation Rules. You can create additional correlation rules and classes as needed.

The administrator includes a correlation class in a view so that it can be monitored and alerted on. Monitor correlated alerts in the same manner that you monitor system and device alerts.


A correlation rule is made up of correlation circuits. Correlation circuits are made up of correlation statements.

A correlation statement defines a set of events from one or more devices, based on a set of device types, with a threshold limit and optional statement filters and cache variable comparisons. Correlation statements are identified by a user-defined statement label. For example, here is a statement, STMT1:

Device Type: Cisco PIX Firewall
Message ID: 106006
Threshold: Consider if 10 events come in within 60 seconds

(enVision does not populate the Alerts table with individual events within a threshold. For example, if 10 events occur within one second, enVision does not populate the Alerts table with the first 9.)

You may want to set up composite events so enVision sends you all of the events, within a configurable limit, that are associated with the correlated rule.

A correlation circuit is a combination of correlation statements combined using operators. Correlation circuits are identified by a user-defined circuit label. For example, here is a circuit, FR897:

Operator    Within (seconds)    Statement Label
                                STMT1
And not     5                   STMT5

You define the logic that determines when the correlation rule triggers an alert by combining circuits. Correlation rules are identified by a user-defined message ID. For example, here is the logic for a user-defined correlation rule PIXROUT2:

Operator       Within (seconds)    Circuit Label
                                   FR897
Followed by    3                   IDSN761
And                                SPR419
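The statement, circuit and rule tables above can be evaluated mechanically. The following is an added example (not RSA or TELUS code) that models STMT1, FR897 and PIXROUT2 over constructed sample events; the semantics given to And, And not and Followed by, the 10-second window assumed for the rule's blank And row, the placeholder message ID used for STMT5 and the stand-in fire times for circuits IDSN761 and SPR419 are all assumptions.

```python
# Added example (not RSA/TELUS code): a toy evaluator for the statement -> circuit -> rule
# layout shown above. Operator semantics are assumptions; the page does not describe the
# Alerter's actual evaluation engine.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Event:
    ts: float            # seconds since an arbitrary epoch (constructed sample data)
    device_type: str
    msg_id: str


@dataclass
class Statement:
    """'Consider if <threshold> events come in within <window> seconds'."""
    label: str
    device_type: str
    msg_id: str
    threshold: int
    window: float

    def fire_times(self, events: List[Event]) -> List[float]:
        """Timestamps at which the threshold is crossed, one per burst. As the text notes,
        the individual events inside a threshold are not reported."""
        matches = sorted(e.ts for e in events
                         if e.device_type == self.device_type and e.msg_id == self.msg_id)
        fires: List[float] = []
        start = 0                      # index of the oldest event still inside the window
        for i, ts in enumerate(matches):
            while ts - matches[start] > self.window:
                start += 1
            if i - start + 1 >= self.threshold:
                fires.append(ts)
                start = i + 1          # a fresh window begins after each fire
        return fires


@dataclass
class Row:
    """One line of a circuit or rule table: label, operator, within (seconds)."""
    label: str
    operator: Optional[str] = None     # None on the first (anchor) row
    within: float = 0.0


def combine(anchor: List[float], other: List[float], operator: str, within: float) -> List[float]:
    """Assumed semantics:
    AND          the other side fires within +/- 'within' seconds of the anchor fire
    AND NOT      the other side does not fire within +/- 'within' seconds of the anchor fire
    FOLLOWED BY  the other side fires after the anchor, within 'within' seconds"""
    kept = []
    for a in anchor:
        if operator == "AND":
            ok = any(abs(o - a) <= within for o in other)
        elif operator == "AND NOT":
            ok = not any(abs(o - a) <= within for o in other)
        elif operator == "FOLLOWED BY":
            ok = any(a < o <= a + within for o in other)
        else:
            raise ValueError(f"unknown operator {operator!r}")
        if ok:
            kept.append(a)
    return kept


def evaluate(rows: List[Row], fires: Dict[str, List[float]]) -> List[float]:
    """Fold the rows of a circuit (over statements) or a rule (over circuits) top to bottom."""
    result = list(fires[rows[0].label])
    for row in rows[1:]:
        result = combine(result, fires[row.label], row.operator, row.within)
    return result


# Constructed sample traffic: two genuine bursts of ten PIX 106006 events (100-109 s and
# 200-209 s), one burst too small (five events) and one too slow (ten events over 90 s),
# plus one event with a placeholder message ID that STMT5 matches.
SAMPLE_EVENTS = (
    [Event(100 + i, "Cisco PIX Firewall", "106006") for i in range(10)]
    + [Event(200 + i, "Cisco PIX Firewall", "106006") for i in range(10)]
    + [Event(300 + i, "Cisco PIX Firewall", "106006") for i in range(5)]
    + [Event(500 + 10 * i, "Cisco PIX Firewall", "106006") for i in range(10)]
    + [Event(111, "Cisco PIX Firewall", "HYPOTHETICAL-MSG")]
)

STMT1 = Statement("STMT1", "Cisco PIX Firewall", "106006", threshold=10, window=60)
STMT5 = Statement("STMT5", "Cisco PIX Firewall", "HYPOTHETICAL-MSG", threshold=1, window=1)


def run_pixrout2(events: List[Event]) -> List[float]:
    """Circuit FR897 = STMT1, And not (5 s) STMT5. Rule PIXROUT2 = FR897, Followed by (3 s)
    IDSN761, And SPR419. IDSN761/SPR419 fire times are constructed stand-ins and the
    blank 'within' of the And row is assumed to be 10 s."""
    statement_fires = {s.label: s.fire_times(events) for s in (STMT1, STMT5)}
    fr897 = evaluate([Row("STMT1"), Row("STMT5", "AND NOT", 5)], statement_fires)
    circuit_fires = {"FR897": fr897, "IDSN761": [211.0], "SPR419": [205.0]}
    return evaluate([Row("FR897"), Row("IDSN761", "FOLLOWED BY", 3),
                     Row("SPR419", "AND", 10)], circuit_fires)


if __name__ == "__main__":
    print("STMT1 fires:", STMT1.fire_times(SAMPLE_EVENTS))   # [109, 209]
    print("PIXROUT2 fires:", run_pixrout2(SAMPLE_EVENTS))    # [209]
```

The first burst of STMT1 (at 109) is suppressed by the STMT5 event at 111, which is why only the second burst survives the And not row.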


35. Correlation Classes

A correlation class defines a set of rules and a label for the class. You assign correlation rules to a correlation class.


36. Import / Export Correlation Rules

You can import correlation rules (XML files) into your system.

To import a correlation rule:

1. Click Alerts→Alert Configuration→Correlated Alerts→Import/Export Correlation Rules.

enVision displays the Import/Export Correlation Rules window.

2. Click the Import radio button in the Operation field.

3. Type the directory containing the XML files to import in the Directory field - OR - click to browse and select the directory from which you want to import.

4. Click Update List.

enVision displays XML files located in the specified directory.

5. Select a class name from the Class drop-down list to indicate where the correlated rules are to be stored.

6. Select the check box in the Select column next to each XML file you want to import.

7. Click Apply.


37. Adding / Modifying Correlation Rules

Warning: RSA recommends that you do not include NIC System device message 919010 in either your views or in a correlation rule (that is, where the selection criteria select the 919010 alert message). Message 919010 alerts on alerts generated. If you add this message to your view or your correlation rule, you will be alerting on alerts, potentially creating a never-ending loop of alerts. If you do select this message (or create a correlation rule that includes it), you must set up appropriate thresholds to limit the number of alerts generated by this message.

To add a correlation rule:

1. Click Alerts→Alert Configuration→Correlated Alerts→Manage Correlation Rules.

enVision displays the Manage Correlation Rules window.

2. Click Add.

enVision displays the Manage Correlation Rules - Add/Modify Rule window.

3. Complete the top portion of the window.

4. Optional. Add cache variables (to use with statement filters).

a. Click Manage Cache Variables.

enVision displays the Manage Cache Variables window.

b. Click Add.


enVision adds a cache variable entry.

c. Complete the entry.

d. To add another cache variable, repeat steps b and c.

e. Click Apply.

5. Add a circuit:

a. In the Correlation Rule Logic section click Add Circuit.

enVision displays the Add/Modify Circuit Definition window.

b. Type the name of the circuit in the Circuit label field.

c. Add a statement:

i. Click Add Statement.

enVision displays the Add/Modify Statement window.

ii. Complete the Statement label and Threshold definition fields.

iii. Select the devices to associate with the statement:

A. Click the radio button to determine how to select devices and either Select devices by Device Class/Type or Select devices by Device Group.

Depending on the option you chose in Step A, enVision displays either the Device Class/Type or Device Groups selection.

B. Click the arrow to open the section.

C. Click Add.

enVision adds a device selection entry.

D. In step A, if you selected the:

Select devices by Device Class/Type radio button:

1. Select the Device Class/Type.

2. Click under IP Address List/Mask.

enVision displays the Select IP Addresses popup window.

3. Complete the window and click Select.

Select devices by Device Group radio button and select the Device Group from the drop-down list.

E. To add another device to the statement, repeat steps A through D.

iv. Select the events for the statement:


Note: If you are using multi-threading, consider extending your event selection in the Add/Modify Statement window based on the variables you want to use in multi-threading. For example, use the AND operator and select the variable you want, to ensure that only events containing at least that specific variable are selected:

A. Click the arrow to open the Event Selection section.

B. Click Add.

enVision adds an event selection entry.

C. Select the Event Type and Comparison values from the drop-down lists.

D. Click on under Value.

enVision displays the Select Event IDs popup window.

E. Complete the window and click Select.

F. To add another event selection entry, repeat steps A through E and select the appropriate Operator from the drop-down list to connect the entries.

v. Optional. Set up statement filters:

A. Click Set Filters.

enVision displays the Set Statement Filter window.

B. Click Add Filter.

enVision adds a filter entry.

C. Complete the filter.

D. To add another filter, repeat steps B and C and select the appropriate Join expression from the drop-down list to connect the entries.

E. Click Apply.

vi. Optional. Associate cache with variables:

A. Click Set Cache.

enVision displays the Associate Cache with Variable window.

B. Complete the window and click Apply.


vii. Click Apply.

enVision saves the statement.

d. To add another statement, repeat step c (add a statement).

e. Complete the Operator and Within (seconds) fields to connect the statements into a circuit.

f. Use the Order arrows as necessary to position the statements in the correct order.

6. To add another circuit:

a. Repeat step 5 (add a circuit).

b. Complete the Operator and Within (seconds) fields to connect the circuits in the correlation rule logic.

c. Use the Order arrows as necessary to position the circuits in the correct order.

7. Click Apply.

enVision saves the correlation rule and displays the Manage Correlation Rules window.


38. Setup Alerter Service

Use the Set Up Alerter Service window to specify the processing options for the NIC Alerter Service.

Field Description

Manage Task Triage

Alert posting - minimum count:

Specify the Alert posting - minimum count setting in combination with the Alert posting - maximum time setting to control the flow of alert postings to the Task Triage server.

The enVision Alerter manages a buffer of fired alerts to post to the Task Triage server. The Alert posting - minimum count setting is the alert count at which the Alerter posts buffered alerts to the Task Triage server. If the total alerts in the buffer reaches this minimum count, the Alerter posts these alerts. At this point, enVision resets the counter and restarts the timer for buffering (defined in the Alert posting - maximum time field).

Valid values are 1 through 200. The default value is 10.

Alert Posting - minimum time:

Specify the time in seconds at which the enVision Alerter posts buffered alerts to the Task Triage server.

If this timer expires and there are any alerts in the buffer, the Alerter posts these alerts even if the number of buffered alerts is less than the Alert Posting - Minimum Count value. At this point enVision restarts the timer and resets the counter for the Alert Posting - Minimum Count.

Valid values are 10 through 300. The default value is 60.

Manage Device Asset Values

Refresh rate Select the refresh rate for the recalculation of the asset values. Values are:

Update asset values when Alerter Service is restarted.

Update asset values every n minutes.

Manage Alerts Synchronization

Indicate when the alerts are resynchronized.

Alerter service Select to re-synchronize the alerts when the NIC Alerter Service is restarted.

Maximum number of alert events to monitor Select to re-synchronize the alerts when the specified number of alerts is reached.

Manage Restart of Alerter Service/Views

Indicate the default check box settings for restarting the NIC Alerter Service and views.

Default view action Select to start/restart a view after a configuration change to the view. You can override this on the Manage Views window for an individual view while modifying a view. (The configuration changes for the view do not take effect until the view is restarted.)

Show message Select to display a message box after a configuration change (other than a change to a view), to remind you that the NIC Alerter Service must be restarted. You can override this on the individual windows on which you make the modification. (The configuration changes you selected on the window do not take effect until the service is restarted.)

Restart Alerter Service Select to start/restart the NIC Alerter Service. The options you selected on the window do not take effect until this occurs.

Apply Saves the information and restarts the service (if selected).
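To see how the minimum count and maximum time settings interact, here is an added example (not RSA or TELUS code) that simulates the posting buffer with the documented defaults and valid ranges; the constructed timeline and the handling of the timer between checks are assumptions.

```python
# Added example (not RSA/TELUS code): a simulation of the count-or-timeout posting buffer
# described for the Task Triage settings. Defaults and valid ranges follow the text; the
# timer is only checked when add() or tick() is called, which is a simplification.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class PostingBuffer:
    min_count: int = 10          # Alert posting - minimum count, valid 1 through 200
    max_time: float = 60.0       # Alert posting - maximum time in seconds, valid 10 through 300
    buffer: List[str] = field(default_factory=list)
    timer_start: float = 0.0     # service start, or the moment of the last post
    posts: List[Tuple[float, int]] = field(default_factory=list)   # (time, alerts posted)

    def __post_init__(self) -> None:
        if not 1 <= self.min_count <= 200:
            raise ValueError("minimum count must be 1 through 200")
        if not 10 <= self.max_time <= 300:
            raise ValueError("maximum time must be 10 through 300 seconds")

    def tick(self, now: float) -> None:
        """Timer check: on expiry, buffered alerts are posted even when fewer than
        min_count are waiting, and the timer restarts either way."""
        if now - self.timer_start >= self.max_time:
            if self.buffer:
                self._post(now)
            else:
                self.timer_start = now

    def add(self, now: float, alert: str) -> None:
        """Buffer a fired alert; reaching min_count posts immediately."""
        self.tick(now)
        self.buffer.append(alert)
        if len(self.buffer) >= self.min_count:
            self._post(now)

    def _post(self, now: float) -> None:
        self.posts.append((now, len(self.buffer)))
        self.buffer.clear()
        self.timer_start = now   # counter reset and timer restart, as the text describes


def simulate() -> Tuple[List[Tuple[float, int]], int]:
    """Constructed timeline with the defaults (10 alerts / 60 s): twelve alerts one second
    apart, then silence, then a single late alert. Returns the posts and what is left."""
    pb = PostingBuffer()
    for t in range(1, 13):          # alerts at t = 1..12: the count triggers a post at t = 10
        pb.add(float(t), f"alert-{t}")
    pb.tick(75.0)                   # the timer restarted at t = 10 expires at t = 70
    pb.add(80.0, "alert-13")        # starts filling a new buffer
    pb.tick(100.0)                  # only 25 s since the last post: nothing happens
    return pb.posts, len(pb.buffer)


if __name__ == "__main__":
    print(simulate())   # ([(10.0, 10), (75.0, 2)], 1)
```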


39. Setup Alerter History

Use the Set Up Display Options window to control the window refresh rate, the column display order and the sort order of the data on the Alert History window in the Alerts Module.

Field Description

Dynamic refresh Select the Refresh the alerts every check box to automatically refresh the data on the History window. Type the time increment and select Seconds or Minutes from the drop-down list to specify how often the automatic refresh occurs. Valid values are 1 through 999 minutes. The default value is 5.

Row count Type the number of rows that display per page. Valid values are 5 through 999. The default value is 20.

Column display order Select a column header and use the up and down arrows to arrange the order in which the columns display on the History window.

Column sort precedence Select a column from the drop-down list by which to sort the data. Select Descending or Ascending from the associated drop-down list to indicate whether the selected column should be sorted in descending or ascending order.

The system displays the window sorted by Timestamp by default.

Apply Saves the information.


Analysis


40. Event Viewer

Use the Event Viewer tool in the Analysis module to:

Graph events for analysis. You can graph:

Events by event type.

Event types by time.

View incoming data.

The Event Viewer translates the timestamp on the events to the local time of the client running Internet Explorer.


To graph events by event type:

1. Click Analysis→Event Viewer→Graph View→Events by Event Type.

enVision displays the Graph Events by Event Type window.

2. Select the time range from the Timeframe drop-down list.

3. Select the time zone from the Time zone drop-down list.

4. Select the site from the Site drop-down list.

5. Select the device type from the Device Type drop-down list.

6. Select the device from the Device drop-down list.

7. Select the type of events to include from the Event Types drop-down list.

8. Optionally, select the Display Advanced Graph Options checkbox. Proceed as follows:

a. Select the type of graph to create, Bar or Line from the Graph Type drop-down list.

b. Select the data type from the Data Type drop-down list.

c. Select the value to display on the Y Axis from the drop-down list: Events, Size or EPS.

9. Click Update Now.

enVision displays the graph.

A tool tip for each bar on the graph displays the event ID associated with the bar and the number of events, size or EPS associated with the event ID, depending on the value you selected in the Y Axis field (Events, Size or EPS).

To graph event types by time:

1. Click Analysis→Event Viewer→Graph View→Event Types by Time.

enVision displays the Graph Event Types by Time window.

2. Select the site from the Site drop-down list.

3. Select the device type from the Device Type drop-down list.

4. Select the device from the Device drop-down list.

5. Select the type of events to include from the Event Types drop-down list.


6. Select the time range from the Time drop-down list.

7. Select the time zone from the Time zone drop-down list.

8. Optionally, select the Display Advanced Graph Options checkbox. Proceed as follows:

a. Select the type of Automatic Updates: Update on selection change and/or Update every 5 minutes.

b. Select the type of graph to create, Bar or Line from the Graph Type drop-down list.

c. Select the data type from the Data Type drop-down list.

d. Select the value to display on the Y Axis from the drop-down list: Events, Size or EPS.

e. Select the time value to display on the X Axis from the drop-down list.

9. Click Update Now. The system displays the graph.

A tool tip for each bar on the graph displays the time interval, event ID associated with the bar and the number of events, size or EPS associated with the event ID, depending on the value you selected in the Y Axis field (Events, Size or EPS).

10. Optionally, click a value in the Event Types table (to the right of the graph) to change the graph to only display information for that specific event type. (To reset the graph to include the top 14 event types, click Update.)

11. Optionally, right-click on a bar to display a menu.

Click To

Zoom In Zoom in on a time range. The graph displays a time range 50% smaller than the original (for example, if you originally had a graph showing 1 hour, Zoom In displays a graph showing 30 minutes). The point on the graph at which you selected Zoom In becomes the midpoint of the new graph.

Zoom Out Zoom out on a time range. The graph displays a time range 50% larger than the original (for example, if you originally had a graph showing 30 minutes, Zoom out displays a graph showing 1 hour). The point on the graph which you selected Zoom Out becomes the midpoint of the new graph.

Scroll Left Scrolls the graph display to the left.

Scroll Right Scrolls the graph display to the right.

View Events Mark the starting and ending points on the graph, to display a list of Event ID, Date/Time, Device and Event.


41. Query Tool

Use the Query tool in the Analysis module to create and run queries on data.

Create a new query or run a query you saved from a previous session. You can save the results of queries that you run in a comma-separated file (.csv file). You can import the .csv file into other applications, such as Microsoft Excel.

Note: The Query Tool is very useful for creating alerts and reports from scratch. It is where you work out the information you want to get from an alert or a report.


To create a query:

1. Click Analysis→Query→Create New Query.

enVision displays the Create New Query window.

Warning: When you perform a query on the Alert Notes table, enVision selects (checks) the Date/Time column (and only the Date/Time column) by default. If you run the query with just the Date/Time column checked, enVision does not find any data. You must make sure that the Date/Time column and at least one other column is checked before you run a query on the Alert Notes table.

2. Click Save to save the query.

enVision displays the Save Query window.

3. Click on the Query menu to refresh the menu and display the new query in the menu.

4. Click Run.

enVision finds the records that match the filter information you entered and displays the information on the Query Results window.

Optionally, click Save All to save the query results in a .csv file in the \piquery\user_ID\query_name\query_name directory (the administrator defines the location of this directory on the Set Up Directories window).

Example - Create a Query

Here is a sample query. This query searches the database and displays all HTTP, SMTP, and POP3 traffic from firewall devices.

Query the FireWall Accounting table – this table contains the connection message, from which address, bandwidth, duration and port-specific information can be derived.

Include the ForeignPort field in the query - this field contains the connection port of the foreign host involved in a particular network event.

To further narrow the query results, include the following criteria for the ForeignPort field:

80 (ForeignPort 80 is the port for HTTP traffic destined to outside web servers)

25 (ForeignPort 25 is the port for SMTP traffic destined to outside email servers)

110 (ForeignPort 110 is the port for POP3 email traffic).

Only include the last 4 hours of information in the query results.


SQL statement syntax is very important.

Strings in SQL Statements

Values that are an IP Address, a date, a time, and so forth are called strings.

Enclose strings in single quotes.

Strings are case-sensitive.

You can use the SQL operators AND, OR, and NOT with strings. (Reports module only.)

Note: Values that are numbers (such as ports) are not considered strings.

DeviceAddress

For the DeviceAddress field, the address is considered a string. Enclose the entire value in single quotes when the string is part of an SQL statement.

For example: DeviceAddress = '123.123.1.1'

DeviceHostName

For the DeviceHostName field, the host-server-name is considered a string. Enclose the entire value in single quotes when the string is part of an SQL statement.


For example: DeviceHostName = 'host-server-name'.

IP Addresses

IP addresses are considered strings. Enclose all strings in single quotes when the string is part of an SQL statement.

For example: ForeignAddress = '123.123.123.123'

Date and Time Formats

Dates and times are considered strings. Enclose all dates and time in single quotes when the string is part of an SQL statement. Use the correct date and time formats and use the format consistently. You must use date and time together in a Date/Time SQL statement.

For example: Date/Time >= '10-24-06 9:00' AND Date/Time <= '10-24-06 13:00'

Dates in strings can appear in the following formats:

mm-dd-yy

mm-dd-yyyy

mm/dd/yy

mm/dd/yyyy

Month dd, yy

Month dd, yyyy

Times in strings can appear in the following 24-hour formats:

hh:mm:ss

hh:mm

Apostrophes

Apostrophes within strings must appear as '' (two single quotes).

For example, Patriot's S% would appear in a string as: LIKE 'Patriot''s S%'


Special Sequences

Three special sequences are recognized:

\n represents a newline character.

\\ represents a single backslash (\).

\xDD represents the character with hexadecimal code DD.

Troubleshooting

Check the SQL statement syntax.

Replace any double spaces between words, operators, and symbols with a single space.

Delete any extra spaces or carriage returns from the end of the SQL statement.
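Applying these quoting, date/time and special-sequence rules by hand is where most syntax errors come from. The following added example (not RSA or TELUS code) wraps them in a few helpers and uses them to build the firewall ForeignPort query from the earlier example; the use of OR to join the port criteria and the fixed reference time are assumptions.

```python
# Added example (not RSA/TELUS code): helpers for the Query Tool string rules described
# above. Field names (ForeignPort, Date/Time) come from the text; joining the port
# criteria with OR and the constructed reference time are assumptions.
import re
from datetime import datetime, timedelta
from numbers import Number

DATE_FORMATS = ("%m-%d-%y", "%m-%d-%Y", "%m/%d/%y", "%m/%d/%Y", "%B %d, %y", "%B %d, %Y")
TIME_FORMATS = ("%H:%M:%S", "%H:%M")      # 24-hour hh:mm:ss and hh:mm


def quote_string(value: str) -> str:
    """Strings are single-quoted; an apostrophe inside a string is written as ''."""
    return "'" + value.replace("'", "''") + "'"


def quote_value(value) -> str:
    """Numbers (such as ports) are not strings and stay unquoted; everything else,
    including IP addresses and host names, is a string."""
    if isinstance(value, bool):
        raise TypeError("booleans are not valid query values")
    if isinstance(value, Number):
        return str(value)
    return quote_string(str(value))


def escape_special(text: str) -> str:
    r"""Write the three recognised sequences: \\ for a backslash, \n for a newline and
    \xDD for any other non-printable character."""
    out = []
    for ch in text:
        if ch == "\\":
            out.append("\\\\")
        elif ch == "\n":
            out.append("\\n")
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\x%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def parse_datetime(text: str) -> datetime:
    """Date and time must both be present, each in one of the documented formats."""
    date_part, _, time_part = text.rpartition(" ")
    if not date_part:
        raise ValueError(f"date and time are both required: {text!r}")
    for dfmt in DATE_FORMATS:
        for tfmt in TIME_FORMATS:
            try:
                return datetime.strptime(f"{date_part} {time_part}", f"{dfmt} {tfmt}")
            except ValueError:
                continue
    raise ValueError(f"unrecognised Date/Time value: {text!r}")


def is_valid_datetime(text: str) -> bool:
    try:
        parse_datetime(text)
        return True
    except ValueError:
        return False


def normalize(statement: str) -> str:
    """Troubleshooting rules: collapse double spaces; drop trailing spaces and line ends."""
    return re.sub(r" {2,}", " ", statement).rstrip(" \r\n")


def datetime_clause(start: datetime, end: datetime) -> str:
    """Date and time are always used together, as a quoted string, in mm-dd-yy hh:mm form."""
    fmt = "%m-%d-%y %H:%M"
    return (f"Date/Time >= {quote_string(start.strftime(fmt))} AND "
            f"Date/Time <= {quote_string(end.strftime(fmt))}")


def firewall_query(now: datetime) -> str:
    """HTTP, SMTP and POP3 traffic seen by the firewall in the last 4 hours."""
    ports = " OR ".join(f"ForeignPort = {quote_value(p)}" for p in (80, 25, 110))
    return normalize(f"({ports}) AND {datetime_clause(now - timedelta(hours=4), now)}")


EXAMPLE_NOW = datetime(2006, 10, 24, 13, 0)   # constructed reference time

if __name__ == "__main__":
    print(firewall_query(EXAMPLE_NOW))
```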


Reports


42. Reporting Module

The Reports module consists of the following tools:

Tool Use the tool to...

Scheduled Reports Display generated scheduled reports.

Ad Hoc Reports Create, modify and/or run reports.

Report Configuration Manage running reports, manage scheduled reports, schedule reports, manage report folders, and set up reports options.

Use the Reports module to generate reports. You can create tabular reports and graph reports.

The Reports module has standard network security and traffic analysis reports and graphs. You can copy and modify these reports, or create your own custom reports to meet your specific reporting needs.


You can run reports ad hoc or schedule the reports to run at specific times. You can create report folders in which to store generated scheduled reports; this allows you to provide specific clusters of reports to specific key personnel.

The administrator selects the file format of the report results. The results can be displayed in a browser, saved as a CSV file, and/or saved as a PDF file.

Important: You must register the appropriate Unicode font to generate PDF reports with embedded localized report headings and event data.

You can create a bind report - a group of reports that can be scheduled to run as a single report.

Note: The administrators can perform all functions within the Reports module. To provide users access to the Reports module, the administrator assigns users to a user group with permissions for the Reports module. To limit user access to reports or to override the user group permissions, the administrator assigns report permissions for specific device classes.

Note: The Create New Report menu item only displays for users or users within a user group with the Administrator Report Permission set (on the Manage Report Permissions window).

Important: The system considers all traffic inbound unless you configure each local IP address to distinguish between inbound and outbound messages. If you do not perform this task, the system's outbound reports (HTTP, FTP, TELNET, SMTP) will not report traffic correctly.


The Reports module has standard network security and traffic analysis reports and graphs. Reports are organized by device class. Reports are available for:

Compliance

Correlated alerts

Host devices

Network devices

Security devices

Storage devices

Task Triage - Limitations and rules governing standard Task Triage reports:

You cannot bind them.

You cannot specify device groups or a time range in the Run/Copy/Modify/Delete Report window for them.

VAM (Vulnerabilities and Asset Management) - Limitations and rules governing standard VAM reports:

You cannot bind them.

You cannot specify device groups or a time range in the Run/Copy/Modify/Delete Report window for them.

When you select a report, enVision displays the Run/Copy/Modify/Delete Report window, from which you run the report and specify runtime parameters (if any).


Compliance Reports:

enVision has standard compliance reports for various compliance issues.

BASEL II

Bill 198

Federal Information Security Management Act of 2002 (FISMA)

Gramm-Leach-Bliley Act (GLBA)

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

National Industrial Security Program Operating Manual (NISPOM)

North American Electric Reliability Council (NERC)

Payment Card Industry (PCI) Data Security Standard

Sarbanes-Oxley Act of 2002 (SOX)

Statement on Auditing Standards (SAS) No. 70 (SAS 70)


43. Scheduled Reports

You can schedule reports to run automatically at a particular time. Optionally, you can also select for a report to be run on a specific day, on a specific date in a month, and/or run in specific months. You can specify the amount of previously collected data that is to be included in the report.

Important! You must be an administrator to schedule a report.

The scheduled report process allows multiple reports to run simultaneously. A bind report can run all reports within the bind simultaneously; however, only one bind can be run at a time.

The administrator sets up options for storing and saving results for scheduled reports on the Set Up Reports window. The administrator can override these options for an individual report on the Schedule Reports window.

Schedule reports using the Schedule Reports window in the Reports module.

Note: If a report result set has been restricted (due to the result set size), the following message displays on the report: Returned X of Y results (where X is the number of rows displayed in the report and Y is the total number of rows that met the report query criteria). If the result set size is greater than the recommended result set size (defined in the Set Up Reports window), and the option for Return all results has been selected for the report, the system saves the report as a CSV file, and an HTML file including the max acceptable number of rows.

Use the Schedule Reports window to schedule the generation of a report, graph or bind.

Field Description

Task type Displays the task type: Report

Site Displays the site name where this report will run.

Node Displays the node name where this report will run.

Task name Type a unique name for this task.

Report name Click to select a report to schedule.

Device groups Select the device groups that define the devices for the data to be included in the report results. Options are:

Device Groups

Select one or more device groups to include in the report results.

Select NIC_ALL to include all the devices you have permission to see. Note: NIC_ALL does not allow you to access all devices currently being analyzed.

Runtime parameters Enter a value to be applied against the runtime parameters when the report is run.

Note: The runtime parameter field remains blank if you did not create a parameter definition for this report.

Folder name Select a folder from the drop-down list. The Scheduler Service includes this report in the selected folder. The default folder is Default.

Time Range Define the time range for the data to be included in the query results. Options are:

Relative - select to run a report for a relative time

Previous - Type the number of previous minutes, hours, days, weeks, or months. Valid values are 1 through 9,999 (up to 10 years).

Select Minute(s), Hour(s), Day(s), Week(s), or Month(s) from the drop-down list.

Use last complete hour - Select the checkbox to calculate the time. If the checkbox is not selected, the default assumes that a month is the past 30 days.

The start time is rounded down to the last full unit of the selected time.

Start for last complete day: 12:00 AM to 11:59 PM for the previous day

Start for last complete week: 12:00 AM Sunday to 11:59 PM Saturday for the previous week

Start for last complete month: 12:00 AM of the first day of the previous month to 11:59 PM of the last day of the previous month

Custom - Select to run a report for a specific time range. If you select this option, the report will only run one time.

From - To - specify the time range for the report. The time is based on a 24-hour clock. Click the icon to display the calendar to select the date and modify the time.

Selected - displays the time range you specified.

Email Options Click to display the Scheduled Report Email Delivery Options popup window. Use this window to select an existing SMTP output action to use for report delivery or to enter the email address information for a specific report.

Warning: The Email link only works if the location of the report is under webapps directory (that is, if the report does not show up in the calendar, the link to it will not work).

Result Set Size Specify the size of the result set and output actions.

Return the _X_ _Y_ results

X - drop-down selection. Valid selections are first or last.

Y - result set size. Valid values are 1 to the size defined in the Set Up Reports window. The default is the result set size defined on the Set Up Reports window.

Return all Results

Returns all results. If the result set size is greater than the recommended result set size (defined on the Set Up Reports window), the file is saved as CSV (if the option to Save results as an HTML file is selected, the HTML file created is limited to the maximum number of rows).

Display Options Save results as an HTML file

Select to save the report as an HTML file. Selected by default. To display the reports in the web browser from enVision, you must select this option.

Save results as a CSV file

Select to save the results to a CSV file. If the Save results as a CSV file check box is selected on the Set Up Reports window, this check box is selected by default.

Save results as a PDF file

Select to save the results to a PDF file. This check box is selected by default if the Save results as a PDF file check box is selected on the Set Up Reports window.

Important: You must register the appropriate Unicode font to generate PDF reports with embedded localized report headings and event data.

Directory path Type or click to select the directory path to which the folder will be added. If a path is not selected, the default value is e:\installdir\webapps\pi\pireport

Note: If you specify a directory here, you will not be able to display the scheduled report on the Scheduled Reports window.

Enabled Select the check box to enable the task. The Scheduler Service only processes enabled tasks.

Schedule Click to schedule the task. The task displays on the Manage Scheduled Reports window.


Schedule Immediate Click to schedule the task for immediate processing.

enVision runs the report once with no recurrence. Here are the advantages of scheduling a report to run immediately as opposed to running it as an ad-hoc report:

enVision sends the report's results to a calendar. If you run this report as an ad-hoc, enVision deletes it as soon as you log out.

You can schedule the report to run as part of a bind. You can only run ad-hoc reports individually.

Set Recurrence Click to display the Set Recurrence window to indicate when and how often the task is to be run.

Cancel Cancels the changes to the window.

44. Reports Folder

Create report folders to provide specific scheduled reports and exported database tables to specific key personnel.

Add folders on the Manage Folders window. You can specify a folder when you schedule a report or database export task. As the system generates the scheduled task, it adds it to the assigned folder.

You access the reports in the folders by selecting the folder on the Display Schedule Report Results window.

You can manage the security for report folder access through a web server, such as Microsoft® Internet Information Systems or Apache Software Foundation's Apache HTTP Server.


45. Setup Reports

Report directory Type (or click to select) the default directory in which to store the report results for scheduled reports. The subdirectories in this directory are named based on the time the report results file was generated.

Note: enVision appends pireport to the end of the default directory you selected and names the subdirectories based on the time the report results file was generated.

(You can also specify this directory on the Set Up Directories window.)

Recommended result set size

Define the maximum result set size for a report. Valid values are 1 to 500,000. The default is 5,000.

Report rows Select the check box to save the results as a CSV file.

PDF generation Select the check box to save the results as a PDF file.

Important: You must register the appropriate Unicode font to generate PDF reports with embedded localized report headings and event data.

DNS resolution Select the check box to enable DNS resolution processing for all reports. Selected by default.

If this option is selected, you can override it (turn it off) for individual reports on the Create/Modify Report - Select Additional Report Options Window.

If the Resolve hostnames check box on the Set Up DNS Resolver Service window is not selected, the system will not perform any DNS resolution processing and this field is not enabled.

Report logging Select the check box to enable logging. If this is selected, the NIC Web Server service writes performance information to the nsdatabase.log file in the envision/logs directory. The system continues to append to this file. Select this check box when NIC technical support asks you to, so that the cause of issues occurring during reporting can be determined.

Apply Saves the information.