Reporting User's Guide
Legal Notice
Copyright 2006 Symantec Corporation. All rights reserved. Federal acquisitions: Commercial Software - Government Users Subject to Standard License Terms and Conditions. Symantec, the Symantec Logo, Symantec AntiVirus, Symantec Client Security, Symantec System Center, and Symantec Client Firewall are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be "commercial computer software" and "commercial computer software documentation" as defined in FAR Sections 12.212 and DFARS Section 227.7202. Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 USA http://www.symantec.com
Technical support
As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group's primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts. Symantec technical support offerings include:

A range of support options that give you the flexibility to select the right amount of service for any size organization
Telephone and Web support components that provide rapid response and up-to-the-minute information
Upgrade insurance that delivers automatic software upgrade protection
Content Updates for virus definitions and security signatures that ensure the highest level of protection
Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages
Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem. When you contact Technical Support, please have the following information available:
Product release level
Hardware information
Available memory, disk space, and NIC information
Operating system
Version and patch level
Network topology
Router, gateway, and IP address information
Problem description:
Error messages and log files
Troubleshooting that was performed before contacting Symantec
Recent software configuration changes and network changes
Customer service
Customer service information is available at the following URL: www.symantec.com/techsupp/ent/enterprise.html Select your country or language under Global Support. Customer Service is available to assist with the following types of issues:
Questions regarding product licensing or serialization
Product registration updates such as address or name changes
General product information (features, language availability, local dealers)
Latest information about product updates and upgrades
Information about upgrade insurance and maintenance contracts
Information about the Symantec Value License Program
Advice about Symantec's technical support options
Nontechnical presales questions
Issues that are related to CD-ROMs or manuals
Contents

Chapter 2

Chapter 3 Using reports
Reports overview ... 21
About reports ... 22
Saving report configuration settings ... 23
Printing and saving reports ... 25
Creating risk reports ... 26
Creating scan reports ... 31
Creating computer status reports ... 35
Creating and viewing scheduled reports ... 37

Chapter 4
Specifying the reporting server URL by using the Windows registry ... 46
Viewing the URL of a reporting server ... 46
Removing a reporting server ... 46
Configuring the reporting display ... 47
Configuring users ... 48
Setting password rules ... 51
Configuring alerts ... 52
Creating alert configurations ... 53
Viewing alert events ... 56
Acknowledging or unacknowledging alerts ... 58
Viewing alert event details ... 59
Setting automatic refresh intervals ... 60

Chapter 5 Using logs
About logs ... 63
Viewing logs ... 64
Saving log configuration settings ... 65
Viewing risk logs ... 66
Viewing scan logs ... 69
Viewing computer status logs ... 71
Using events in logs ... 74
Displaying event details ... 74
Exporting log events ... 76
Deleting log events ... 77

Chapter 6
Using agent logs ... 95
Enabling or disabling agent tracing ... 95
Deleting agent logs ... 97
Registry keys for agent configuration ... 97
About registry keys for agent file processing ... 98
About registry keys for agent scheduling ... 99

Chapter 7

Chapter 8

Index
Chapter
Introducing reporting
This chapter includes the following topics:
About reporting
How reporting works
About events
About reports
About logs
About reporting
Reporting is a Web application within the Symantec System Center console that you can use to create reports about your security products. The application uses a Web server to deliver information about Symantec Client Security or Symantec AntiVirus products in your network. Reporting includes the following features:
Customizable home page with your most important reports
Pre-defined and customizable graphical reports with multiple filter options
Role-based user administration that is separate from the Symantec System Center console user administration
Optimized to support events from 100 computers to 50,000 computers
Supports Microsoft SQL for storing events
You can log into reporting through the Symantec System Center console. You can also log into reporting through a Web browser that is installed on a computer that has access to your reporting server.
Information about installing reporting is located in the Symantec Client Security Installation Guide or Symantec AntiVirus Installation Guide.
About events
The events that appear in the reports that you generate in reporting are pulled from the event logs from your primary and secondary management servers. The event logs contain time-stamps in the servers' time zones. When the Log Reader Agent on the reporting server receives the events, it converts the event time-stamps to Greenwich Mean Time (GMT) for insertion into the reporting database. When you create reports, the reporting software displays information about events in the local time of the computer on which you view the reports.
Since virus outbreaks can result in an excessive number of virus and firewall events, these events are aggregated before they are forwarded to the Log Reader Agent on the reporting server. For more information about some of the events that appear on the home page, check the Symantec Security Response Web site Attack Signatures page at the following address: http://securityresponse.symantec.com/avcenter/attack_sigs/
About reports
Reporting gives you the up-to-date information that you need to make informed decisions about the security of your network. The reporting home page includes automatically generated charts about top events happening in your network. Reporting also includes reports that you can customize and generate to view graphical representations of events happening in your network. You can create reports about risk and scan events. You can also generate reports about the inventory (computer status) of computers in your security network. In addition, you can create the scheduled reports that run automatically on a schedule. You set the report filters and the time to run the report. When the report is finished, it is available on the scheduled reports page. Currently, reporting allows you to create scheduled reports for virus definition rollouts only.
About logs
You can look at event data directly in reporting if you want to focus on specific events. Logs include event data from your primary and secondary management servers as well as all of the clients reporting to those servers. You can filter the log data. You can also export the log data to a file to back up the event data or to use the data in a spreadsheet or other application.
Chapter
About basic tasks
Logging into reporting
Changing your password
Using the home page
About using the Past 24 hours filter in reports and logs
In the Symantec System Center console, in the left pane, under Reporting, under Reporting Servers, click the name of the reporting server that you want to log into. In the right pane, in the login dialog box, type your user name and password. If you log in for the first time, and you are the administrator who installed reporting, use the user name and password you entered during installation.
Click Login.
To log out of reporting, in the top right of the reporting application window, click Logout. If you do not log out, and you are inactive for a period of time, you may be automatically logged out. An administrator can configure the inactivity timeout for each user. The default is 6,000 seconds (100 minutes). Note: If you use reporting in a stand-alone browser, closing the browser window does not log you out of the reporting application. Make sure you click Logout when you are finished with your session.
If you log in for the first time, your old password is the password that your administrator assigned to you. After you change the password, the new password is required the next time you log into reporting. To change your password
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Admin tab, click Change Password.
3 In the Old Password text box, type your old password.
4 In the New Password text box, type your new password.
5 In the Confirm text box, type your new password.
6 Click Save.
Figure 2-1
Shows new risks in your security network in the past 24 hours. Click any of the risks to display a page from the Symantec Security Response Web site that gives more details about the risk.
Shows a one-line summary of the alert status in your security network. For example, 100 unacknowledged alerts in the last 24 hours. Click to display the Alert Events page. Your user account must have access to view this page. See Viewing alert events on page 56.
Shows a one-line summary of the status for the agents that are installed on the reporting server. Click to display the Agent Status page. Your user account must have access to view this page. See Checking agent status on page 83.
Shows a line graph of the risks in your security network over the past 24 hours.
Current Virus Definition Distribution: Shows the current virus definition distribution in your security network. Click on the pie chart to get a more detailed report about the distribution.
Security Response: Shows the current ThreatCon severity level that is based on information from Symantec Security Response. The ThreatCon severity level provides an overall view of global Internet security. Click any of the links to get additional information. See Using Security Response links on page 19.
Graph type
Auto-refresh: Configures how often the reporting software refreshes the information on the home page.
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Home tab, click Homepage Configuration.
3 Change any of the options.
4 Click Save. A message appears indicating your changes are saved.
For more information about the threat levels, click the Symantec link to display the Symantec Web site. Note: Specific security risks are rated with a 1 to 5 level rating. Each link displays a page in a new window. Table 2-3 describes the Security Response links.

Table 2-3 Security Response links on the reporting home page

Link: What appears

Security Alerts: Displays the Symantec Web site. You can get information about risks and security risks, virus definition downloads, and recent news about Symantec security products.
Definitions: Displays the virus definition download page of the Symantec Web site.
Latest Risks: Displays the Symantec Security Response Web site, which shows the latest threats and security advisories.
Security Focus: Displays the Security Focus Web site, which shows information about the latest viruses.
Chapter
Using reports
This chapter includes the following topics:
Reports overview
Creating risk reports
Creating scan reports
Creating computer status reports
Creating and viewing scheduled reports
Reports overview
You can generate reports on the security products in your network that are based on a collection of filter settings you select. You can save the filter configuration to generate the report at a later date. You can run reports on the following items in your security environment:
Risks
Scans
Computer Status
Scheduled tasks such as virus definition rollouts
There is a default report configuration for each report type. You can modify and save the configuration for the default report. You can create new filter configurations that are based on the default configuration or on an existing configuration that you created. You can also delete your customized configurations if you don't need them any more.
When you create a report, the report appears in a separate window. You can then save the report as an HTML or text file. You can also print the report. The saved file is a snapshot of the current data in your reporting database.
About reports
Reports might include tables or charts, or a combination depending on the information that you requested. You can save the report as a Web page, a Web archive, or a text file using the Save As option in your Web browser. The save options capture the data in the report so you have an historical record. You can save the report settings so that you can run the same report at a later date. The active filter settings are listed in the report if an administrator has configured the general setting to include the filters in reports. Important information about reports is listed here:
Time-stamps in reports are given in the user's local time. The reporting database contains events in Greenwich Mean Time (GMT). When you create a report, the GMT values are converted to the local time of the computer on which you view the reports.
The data that appears in reports might not have a one-to-one correspondence with what appears in your security products, since the reporting software aggregates your events.
If you generate a report that includes legacy computers, the IP address and MAC address fields display None.
The parent server field is blank in the report if the relevant item is a primary management server, which does not have a parent server.
Risk category information in reports is obtained from the Symantec Security Response Web site. Until the Virus Category Agent runs and gathers the information, any reports that you generate show Unknown in risk category fields.
Reports that you generate in reporting give an accurate picture of the infected computers in your network. Reports are based on the log data rather than the Windows registry data.
If data in spider graphs contains overlapping lines that are difficult to read, re-create the report by using different parameters for the x and y axes or by reversing the axes for the current parameters.
If you are running the reporting server on a computer using any Asian language, the Arial Unicode MS font should be available on the reporting server. Otherwise, some charts may contain unreadable characters.
In Virus Definition Distribution reports, a parent server is not listed unless it has clients. To view information about virus definitions on parent servers, use the Computer Status Logs page and select Only parent servers for the Computer type.
If you get database errors when running reports that include a large amount of data, you might want to change database timeout parameters. See Changing timeout parameters on page 108.
If you get CGI or terminated process errors, you might want to change other timeout parameters. Information about additional timeout parameters is provided in the Symantec Knowledge Base article called "Reporting server does not report or shows a timeout error message when querying large amounts of data."
they are saved in the reporting database and the configuration name appears in the Use saved report list box. Note: The configuration settings that you save are available for your user login only. Other reporting users do not have access to your saved settings. If you need to re-install the reporting server, you should make sure that your database information is preserved so that you do not lose your configuration settings. See Restoring an MSDE reporting database on page 106. You can also delete any report configuration that you create. When you delete a configuration, the report is no longer available. The default report configuration name appears in the Use saved report list box and the screen is repopulated with the default configuration settings. To save a report configuration
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Reports tab, do one of the following:
Click Risk Reports.
Click Scan Reports.
Click Computer Status Reports.
3 Change any basic or advanced settings for the report.
4 Click Save Report.
5 In the Name text box, type or select the report configuration name.
6 Click Save.

To delete a report configuration
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Reports tab, do one of the following:
Click Risk Reports.
Click Scan Reports.
Click Computer Status Reports.
3 In the Use saved report list box, select the name of the report configuration that you want to delete.
4 Click the Delete icon.
1 In the report window, click File > Print.
2 Select the printer and then click Print.
When you save a copy of the report, you save a snapshot of your security environment that is based on the current data in your reporting database. If you run the same report later, based on the same filter configuration, the new report shows different data. To save a report
1 In the report window, click File > Save As.
2 In the Save Web Page dialog box, in the Save in selection box, select the location for the file.
3 In the Save as type list, select one of the following:
Web Page, complete (*.htm, *.html)
Web Archive, single file (*.mht)
Web Page, HTML only (*.htm, *.html)
Text file (*.txt)
4 In the File name list box, type a file name.
5 Click Save.
Infected Computers (At Risk Computers)
Detection Action Summaries
Detections Grouped by Server Group
Detections Grouped by Parent Server
Detections Grouped by Computer
Risk Detection
Risk Detection Table and Distribution Chart: This report includes a distribution pie chart grouped by server group, client group, parent server, computer, or user name.
Risk Detection Correlation: These reports correlate risk detections using two variables. The variables you can select are computer, user name, server group, client group, parent server, or risk name. The data appear in a three-dimensional bar graph or spider graph.
Summary of Detections Grouped by Computer: This provides a table of risk detections that are grouped by computer.
Risk Distribution Charts: This report includes a pie chart and histogram that are grouped by server group, client group, parent server, computer, user name, source, risk type, or severity.
Risk Distribution Over Time: This report includes a histogram using a daily, monthly, or yearly time interval.

Full report
Full daily report
Full monthly report
Full yearly report
Comprehensive reports include by default all of the distribution reports and the new risks report. You can select which reports to include or not include in the combined daily, monthly, or yearly report.
Note: The report headings (Top Reports, Risk Detection, and Comprehensive) that are listed in the Report type drop-down list do not appear if you are using Internet Explorer 5.5 or earlier. To see the headings, upgrade your browser to version 6.0 or higher.

You can quickly generate a risk report by selecting from the basic settings that appear by default under What filter settings would you like to use. If you want to configure more filters for the report, you can configure them through Advanced Settings. You can save the report settings to run the same report at a later date. You can also print or save the report. See Printing and saving reports on page 25. Table 3-2 describes the basic settings for risk reports.

Table 3-2

Setting: Description

Product: Specifies only the risks that are found from Symantec AntiVirus, Symantec Client Firewall, or all (both) products. The default is Symantec AntiVirus.
Time range: Sets the range of time over which risks were found to include in the report. If you choose Set specific dates, you must set Start date and End date. The default is in the last month.
Start date: Sets the start date for the date range. Only available when you select Set specific dates for the time range.
End date: Sets the end date for the date range. Only available when you select Set specific dates for the time range.
Table 3-3 describes the advanced settings for risk reports.

Table 3-3

Setting: Description

Event type: Specifies whether to include all events, or only viruses that are found, IDS, security risks that are found, or firewall violation events. The default is all events.
Action taken: Filters the report by the type of action that Symantec AntiVirus took on the risk. The types of actions in the list depend on the setting for Product.
Scan type: Filters the report based on the events that occurred during a particular type of scan, for example, a scheduled scan or a manual scan. By default, all events from any type of scan are used for the report.
Risk type: By default all risk types appear in the report. You can limit the risks in the report to viral, trackware, spyware, hack tool, security risk, jokeware, heuristic, adware, remote access, non-viral malicious code, or dialer.
Risk severity: Filters the report by risks with a particular severity. Severity is defined in several categories as follows: unknown; 1 is very low; 2 is low; 3 is moderate; 4 is severe; and 5 is very severe. For more details about severity, see the Symantec Security Response Web site. By default, risks of all severities are included in the report.
Compressed events: Specifies whether the events that are considered for the report are weighted or unweighted. Weighted events are the sum of the number of events. Unweighted events are the count of the number of events.
Server group: Specifies particular server group names and/or wildcard characters (?, *). For example, to specify server group names beginning with je, type je* and separate each entry with a comma. By default, all server groups are included.
Client group: Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er and separate each entry with a comma. By default, all client groups are included.
Parent server: Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify the parent server names that have the string tion in them, type *tion* and separate each entry with a comma. By default, all parent servers are included.
Computer: Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, etc., type ?machine and separate each entry with a comma. By default, all computers are included.
IP address: Specifies particular IP addresses and/or wildcard characters (?, *). Separate each entry with a comma. By default, all IP addresses are included.
User name: Specifies particular users and/or wildcard characters (?, *). Separate each entry with a comma. By default, all users are included.
Risk name: Specifies particular risk names and/or wildcard characters (?, *). Separate each entry with a comma. By default, all risks are included.
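The wildcard filter syntax in Table 3-3 (?, *, comma-separated entries, empty means all included) and the weighted versus unweighted totals for compressed events, as an added Python example that is not code from the guide or from the product. It assumes matching is case-insensitive, reads "weighted" as the sum of the detections folded into each aggregated record and "unweighted" as one per record, and uses constructed sample events:

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Pattern


def wildcard_to_regex(entry: str) -> Pattern[str]:
    """Translate one filter entry: '*' matches any run of characters, '?' matches
    exactly one character, everything else is literal (so the '.' in a risk name
    such as W32.Sample is escaped rather than treated as a regex metacharacter)."""
    parts: List[str] = []
    for ch in entry.strip():
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Case-insensitive matching is an assumption; the guide does not state the rule.
    return re.compile("".join(parts), re.IGNORECASE)


def parse_filter(text: str) -> List[Pattern[str]]:
    """Entries are separated by commas. An empty filter is the default ("all
    included") and is represented by an empty list."""
    return [wildcard_to_regex(e) for e in text.split(",") if e.strip()]


def matches(filter_text: str, value: str) -> bool:
    """True when the value matches any entry, or when the filter is empty."""
    patterns = parse_filter(filter_text)
    return not patterns or any(p.fullmatch(value) for p in patterns)


@dataclass(frozen=True)
class AggregatedEvent:
    """One row as stored in the reporting database: time-stamp already converted
    to GMT, and 'count' raw detections folded into this one aggregated record."""
    timestamp_gmt: datetime
    server_group: str
    client_group: str
    parent_server: str
    computer: str
    risk_name: str
    count: int


FILTER_FIELDS = ("server_group", "client_group", "parent_server", "computer", "risk_name")


def select_events(events: List[AggregatedEvent], **filters: str) -> List[AggregatedEvent]:
    """Apply one wildcard filter per field; fields not given default to all included."""
    unknown = set(filters) - set(FILTER_FIELDS)
    if unknown:
        raise ValueError(f"not a filterable field: {sorted(unknown)}")
    return [
        e for e in events
        if all(matches(filters.get(f, ""), getattr(e, f)) for f in FILTER_FIELDS)
    ]


def weighted_total(events: List[AggregatedEvent]) -> int:
    """Weighted: the sum of the detections the aggregated records represent."""
    return sum(e.count for e in events)


def unweighted_total(events: List[AggregatedEvent]) -> int:
    """Unweighted: each aggregated record counts once."""
    return len(events)


def distribution(events: List[AggregatedEvent], group_by: str, weighted: bool = True) -> Dict[str, int]:
    """The numbers behind a Group By pie chart: one total per value of the chosen field."""
    totals: Dict[str, int] = {}
    for e in events:
        key = getattr(e, group_by)
        totals[key] = totals.get(key, 0) + (e.count if weighted else 1)
    return totals


def to_local(ts_gmt: datetime, utc_offset_hours: int) -> datetime:
    """Reports display the stored GMT value in the viewing computer's local time;
    a fixed offset stands in for that zone so the example needs no tz database."""
    return ts_gmt.astimezone(timezone(timedelta(hours=utc_offset_hours)))


# Constructed sample data; names chosen to exercise the guide's own filter examples.
SAMPLE_TIME = datetime(2006, 3, 1, 8, 15, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    AggregatedEvent(SAMPLE_TIME, "jersey", "marketing", "production01", "1machine", "W32.Sample", 12),
    AggregatedEvent(SAMPLE_TIME, "jeddah", "finance", "station02", "2machine", "Adware.Sample", 3),
    AggregatedEvent(SAMPLE_TIME, "london", "developer", "testing", "10machine", "W32.Sample", 5),
    AggregatedEvent(SAMPLE_TIME, "jersey", "finance", "production01", "srv-db", "Trojan.Sample", 1),
]


if __name__ == "__main__":
    hits = select_events(SAMPLE_EVENTS, server_group="je*", computer="?machine")
    print(f"{unweighted_total(hits)} records, {weighted_total(hits)} detections")
    print(distribution(select_events(SAMPLE_EVENTS, parent_server="*tion*"), "server_group"))
    print(to_local(SAMPLE_TIME, -8).strftime("%Y-%m-%d %H:%M %z"))
```

Note that ?machine matches 1machine but not 10machine, which is the difference between the single-character and any-run wildcards that the table describes.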
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Reports tab, click Risk Reports.
3 In the Use saved report list box, select a saved filter configuration that you want to use or use the default configuration.
4 Under What type of Risk Report would you like to see, in the Report type list box, select the type of report that you want to create.
5 Do one of the following:
If you selected the Risk Detection Table and Distribution Chart, Detections Grouped by Computer, or Risk Distribution Charts, the Group By option appears. In the Group by list box, select the option for grouping the report.
If you selected the Risk Distribution Over Time report, the Time interval option appears. In the list box, select the time interval.
If you selected the Full Daily Report, Full Monthly Report, or Full Yearly Report, the Configure reports to be included option appears. Click Configure reports to be included, and then in the new window, select the reports that you want to include in the combined report. Click Save.
If you selected Risk Detection Correlation, the Graph type list box appears. Select Spider graph or 3D bar graph. In the x-axis/legs and y-axis/web list box, select which grouping should appear on the chart axes in the 3D bar graph or the legs/web in the spider graph.
6 Under What filter settings would you like to use, in the Product list box, select the product for which you want to run the report.
7 In the Time range list box, select the date range for the report.
8 If you want to configure additional settings for the report configuration, click Advanced Settings. You can save the current settings to the existing configuration or you can create a new configuration. See Saving report configuration settings on page 23.
Computers by Last Scan Time: Shows a list of computers in your security network by the last time scanned.
Computers Not Scanned: Shows a list of computers in your security network that have not been scanned.

You can quickly generate a scan report by selecting from the basic settings that appear by default under What filter settings would you like to use. If you want to configure more filters for the report, you can configure them through Advanced Settings. Table 3-5 describes the basic filter settings for scan reports.

Table 3-5

Setting: Description

Time range
Start date: Sets the start date for the time range. Only available when you select Set specific dates for the time range.
End date: Sets the end date for the time range. Only available when you select Set specific dates for the time range.
Table 3-6 describes the advanced scan report settings.

Table 3-6

Setting: Description

Duration greater than
Files scanned greater than
Risks greater than
Server Group
Client Group: Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er and separate each entry with a comma. By default, all client groups are included.
Parent Server: Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify the parent server names that have the string tion in them, type *tion* and separate each entry with a comma. By default, all parent servers are included.
Computer: Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, etc., type ?machine and separate each entry with a comma. By default, all computers are included.
User: Specifies particular users and/or wildcard characters (?, *). Separate each entry with a comma. By default, all users are included.
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Reports tab, click Scan Reports.
3 In the Use saved report list box, select a saved filter configuration you want to use or use the default configuration.
4 Under What type of Scan Report would you like to see, in the Report type list box, select the type of report you want to create.
5 If you selected Scan Distribution Histograms, do the following:
In the Group by list box, select the way you want the information in the report to be grouped.
In the Bin width text box, type the data interval you want to use for the group by distribution.
In the Number of bins text box, type the number of data intervals you want to include in the report.
6 Under What filter settings would you like to use, in the Scans From list box, select the date range for the report. You can specify a name for this report configuration in the Name text box or you can use the Scans From setting to filter the default report configuration.
7 If you want to configure additional settings for the report configuration, click Advanced Settings and make any changes to the configuration. You can save the current settings to the existing configuration or you can create a new configuration. See Saving report configuration settings on page 23.
Virus Definition Distribution
Computers Not Checked Into Parent Server
Symantec AntiVirus Product Versions
Symantec Client Firewall Product Versions
IPS Signature Distribution
You can filter which computers are included in the report through the advanced settings option. You can also print or save the report. See Printing and saving reports on page 25. Table 3-7 describes the advanced configuration settings for computer status reports.
Table 3-7 Advanced configuration settings for computer status reports
Setting
Description
Time range
Sets the range of time over which computer status was collected to include in the report. If you choose Set specific dates, you must set Last checkin time.
Last checkin time
The last time that the computer checked in with its parent server. Only available when you select Set specific dates for the time range.
Includes only those computers with this particular virus definition date.
Includes only those computers with this Symantec AntiVirus product version.
SAV scan engine version
Includes only those computers with this Scan Engine version.
SCF version
Includes only those computers with this Symantec Client Firewall version.
SCF policy file name
Includes only those computers with this firewall policy name.
Online
Includes all computers, only those computers that connect to their parent servers, or only those computers that do not connect to their parent servers.
Auto-Protect status
Includes computers with any Auto-Protect status, or only those computers with Auto-Protect enabled, disabled, or status unknown.
Server group
Specifies particular server group names and/or wildcard characters (?, *). For example, to specify server group names beginning with je, type je* and separate each entry with a comma. By default, all server groups are included.
Client group
Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er and separate each entry with a comma. By default, all client groups are included.
Parent server
Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify the parent server names that have the string tion in them, type *tion* and separate each entry with a comma. By default, all parent servers are included.
Computer
Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, etc., type ?machine and separate each entry with a comma. By default, all computers are included.
IP address
Specifies particular addresses and/or wildcard characters (?, *). Separate each entry with a comma. By default, all IP addresses are included.
User
Specifies particular users and/or wildcard characters (?, *). Separate each entry with a comma. By default, all users are included.
Specifies only computers with infections.
Displays the Symantec AntiVirus version or the Symantec Client Firewall version in the report.
Computer type
Includes only parent servers or only primary management servers. The default is all computers, including client computers.
To create a computer status report
1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Reports tab, click Computer Status Reports.
3. In the Use saved report list box, select a saved filter configuration you want to use or use the default configuration.
4. Under What type of Computer Status Report would you like to see, in the Report type list box, select one of the following reports:
   Virus Definition Distribution
   Computers Not Checked Into Parent Server
   Symantec AntiVirus Product Versions
   Symantec Client Firewall Product Versions
   IPS Signature Distribution
5. If you want to set more filters for the report configuration, click Advanced Settings and make any changes to the configuration. You can save the current settings to the existing configuration or you can create a new configuration. See Saving report configuration settings on page 23.
Figure 3-2
Table 3-8 describes the scheduled report configuration settings.
Table 3-8 Scheduled report configuration settings
Parameter
Description
Start time
Repeat task
Client Group
Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er and separate each entry with a comma. By default, all client groups are included.
Parent Server
Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify the parent server names that have the string tion in them, type *tion* and separate each entry with a comma. By default, all parent servers are included.
Computer
Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, etc., type ?machine and separate each entry with a comma. By default, all computers are included.
Last Checkin Time
Select the date, the hour, and the minute on which computers last checked in with their parent servers. The default is the current date.
Online only
Check to include only those computers that are connected to their parent servers.
To create or change a scheduled report
1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Reports tab, click Scheduled Reports.
3. Under What type of Scheduled Report would you like to see, in the Sort by list box, select the way you want the scheduled report to be sorted.
4. Do one of the following:
   Under What would you like to do, click the Create a new scheduled report icon.
   Under Scheduled Reports, click the Change icon next to a report which has a status of pending.
5. Under How would you like to schedule this report, in the text box for Start time, type the start time for the report, and then select the hour and minute from the list boxes. In the Run for text box, type the number of hours that you want the report to run. For example, if you set the Run for time to 48 hours, the report runs every hour for 48 hours. In the Repeat task list box, select how often the report should continue to run. For example, if you specify weekly, the report runs once a week for the number of hours that you configured in Run for.
6. Under What settings would you like for this report, specify the server group, client group, parent server, or computer that you want to use to filter the report. In the list boxes for Last Checkin Time, select the time.
To view a scheduled report
1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Reports tab, click Scheduled Reports.
3. In the list of reports, to the left of the Status column, click the icon next to the report that you want to view.
To delete a scheduled report
1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Reports tab, click Scheduled Reports.
3. Do one of the following:
   Under Scheduled Reports, at the end of the row that lists the report you want to delete, click the Delete icon.
   Under What would you like to do, click the icon for deleting all scheduled reports.
Chapter
This chapter includes the following topics:
About administrative tasks
Configuring reporting servers
Configuring the reporting display
Configuring users
Configuring alerts
Setting automatic refresh intervals
Note: The login for the reporting function is a separate login from the login for the Symantec System Center console. The reporting feature uses separate user accounts that are stored in the reporting database. See Configuring users on page 48.
To add or change a reporting server
1. In the Symantec System Center, in the left pane, under System Hierarchy, right-click the server group or primary or secondary management server for which you want to add or change a reporting server.
2. Click All Tasks > Reporting Configuration > Configure Reporting Server.
3. In the Reporting Server Options dialog box, under Report Server, in the Host name or IP address list box, do one of the following:
   Type the host name or IP address of the new reporting server.
   Select the reporting server URL from the drop-down menu.
4. Click OK.
To specify a port number for a reporting server
1. In the Symantec System Center, in the left pane, under System Hierarchy, right-click the server group or primary or secondary management server for which you want to add or change a reporting server.
2. Click All Tasks > Reporting Configuration > Configure Reporting Server.
3. In the Reporting Server Options dialog box, under Report Server, in the Host name or IP address list box, include the port number in the following format: http://<host name or IP address>:<port number>
4. Click OK.
5. Change the URL listed for the Alert Agent on the Alert Configuration page. See Specifying email notification parameters on page 93.
To view the URL of a reporting server
1. In the Symantec System Center console, in the left pane, under Reporting, under Reporting Servers, right-click the name of a reporting server for which you want to view the URL, and then click Properties.
2. Click OK.
To delete a reporting server
1. In the Symantec System Center console, in the left pane, under Reporting, right-click the name of the server that you want to delete, and then click Delete.
If the server is a manually added server, the server name is deleted from the console and you no longer have access to reporting on that server. If the server is a discovered server, the server name is deleted from the console. However, the name reappears when the Discovery Service runs again.
To prevent a discovered reporting server from reappearing, do the following tasks in this order:
1. Manually associate the reporting server's primary management server with a different reporting server. Do this by pointing the primary management server to a different URL. See Viewing the URL of a reporting server on page 46.
2. Remove the HKEY_LOCAL_MACHINE\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Reporting\ReportServerURL registry key from the reporting server's primary management server, and then delete the reporting server from the Symantec System Center console.
If you delete the reporting server before you remove the registry key, the reporting server will reappear in the Symantec System Center tree the next time the Discovery Service runs.
The way the date and time appear in reports and on the reporting pages.
The automatic refresh interval for events and alerts pages. You can configure the automatic refresh time for the home page separately. See Customizing the home page on page 18.
Whether or not active filters are included in reports.
The parent server that determines the up-to-date virus definitions.
The general parameters apply to all user sessions for reporting. Table 4-1 describes the general parameters.
Table 4-1 General parameters
Parameter
Description
Date format
Date separator
To configure the general parameters
1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Admin tab, click GUI Configuration > General.
3. Change any of the values for the date format, auto-refresh time, and up-to-date virus definition setting for parent servers.
4. Click Save.
Configuring users
The administrator user or any user who is configured with administrator role privileges can set up users for reporting. User accounts for reporting are separate accounts from those created for the Symantec System Center console. You might need to create accounts for users who log into reporting from a computer that is running only a stand-alone browser. You can configure users with one of two roles:
User
Administrator
By default, the user role limits the amount of administrative information the user can see. Users who are configured with the user role do not have access to any administrative features for reporting. They cannot view information about other user accounts that are configured for reporting and they cannot view information about or specify any configuration for reporting agents.
Currently configured users are listed in a table at the bottom of the User Administration page. By default, all users appear in the list. You can modify the display to show only those users who are configured with administrative privileges or only those configured as general users.
To filter the user list by role
1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Admin tab, click User Administration.
3. In the Filter role list box, select Administrator or User. The display automatically refreshes with the selected list.
You can also specify that a particular user has limited access to particular reports by setting up filters for the type of information they can view. For users who are configured with the administrator role, you can set up filters so they can see only particular server groups. All of the other filters (client group, parent server, etc.) are used for users who are configured with any role. In addition, you can temporarily disable a user account or unlock an account that is locked because a user tried three times to log into reporting unsuccessfully. If a user forgets his/her password, the administrator can reset the password on this page.
Note: You should set up at least one other administrator account so that if you forget your administrator password, you can log in through the other administrator account to change the password.
Table 4-2 lists the parameters for configuring users with access to reporting.
Table 4-2 User parameters
Option
Description
User Name
The user name for this reporting user.
Role
Whether this user has administrative privileges or user privileges. Administrative users have access to administrative features in reporting.
Server group
For users who are configured with the administrator role or the user role, you can limit access to particular server groups by specifying particular server group names and/or wildcard characters (?, *). For example, to limit access to server group names beginning with je, type je*.
Client group
For users who are configured with the user role, you can limit access to particular client groups by specifying particular client group names and/or wildcard characters (?, *). For example, to limit access to client group names ending in er, type *er.
Parent server
For users who are configured with the user role, you can limit access to particular parent servers by specifying particular parent server names and/or wildcard characters (?, *). For example, to limit access to the parent server names that have the string tion in them, type *tion*.
Computer
For users who are configured with the user role, you can limit access to particular computers by specifying particular computer names and/or wildcard characters (?, *). For example, to limit access to computers that are called 1machine, 2machine, 3machine, etc., type ?machine.
IP address
For users who are configured with the user role, you can limit access to particular IP addresses by specifying particular addresses and/or wildcard characters (?, *).
Message
Text appears here to confirm that you have added a new user.
Password
The user's password. The user enters this password as the old password when logging in for the first time. This parameter is required.
The user's password.
The user's real name.
The user's phone number.
The user's email address.
Check this box temporarily to disable the user's account.
Displays whether or not the user's account is locked. By default, the account is locked after three unsuccessful logins. To unlock an account, check the box.
The number of days since the user last logged in.
The IP address from which the user last logged in.
To add a user
1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Admin tab, click User Administration.
3. In the User name text box, type a user name.
4. In the Role list box, select Administrator or User.
5. Enter the user's password and then retype the password.
6. Set any filters for the account.
7. Click Save. The new user is added to the table at the bottom of the pane. An icon appears in the Kill session column of the display when the user is currently active.
1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Admin tab, click User Administration.
3. In the user table, click the select icon. The right pane redisplays with the user's account information. The user is highlighted in the table that appears at the bottom of the page.
To delete an existing user
1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Admin tab, click User Administration.
3. In the user table, click the delete icon.
4. In the Delete Entry warning, click OK.
Definition
The role to which these password rules apply.
Minimum length of password
The minimum number of characters that are required for the user's password.
Minimum number of numeric characters
The minimum number of numeric characters that must be included in the user's password.
The number of times that a password must be changed before a previous password can be reused. A value of zero disables this feature. The maximum is 10.
Maximum password lifetime
The maximum number of days that a user's password is valid. After the lifetime expires, users must change their passwords. A value of zero disables this feature so that the password never expires.
Maximum number of invalid logon attempts
The number of times the user can attempt to log in before the user is locked out of reporting. A value of zero disables this feature.
Inactivity timeout
The amount of time, in seconds, that the user can remain idle during a session before the user is automatically logged out. A value of zero disables the inactivity timeout.
Check or uncheck this box to prevent or allow users to use their user name as their password.
The number of days that must expire since the user's last login before the user is locked out of reporting. A value of zero means that the user is not locked out.
The number of days that must expire since the user's last login before the user is deleted from the list of reporting users. A value of zero means that the user is not deleted after a particular amount of time.
Mark user for review after
Marks the user for review. After the number of days that are specified, a red icon appears next to the user name in the user list.
To configure password rules for a role
1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Admin tab, click GUI Configuration > Password Rules.
3. In the Rules for role list box, select the role.
4. Change any of the parameters for the password rules.
5. Click Save to save the rules for the selected role.
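The password rules in the table above, as an added example that is not code from this guide or from the product: a Python validator that applies the minimum length, minimum numeric characters, password reuse history, maximum lifetime, invalid logon lockout, inactivity timeout and days-since-last-login rules to constructed accounts, honouring the "zero disables" convention each rule describes. The field names, the default values, the reference time and the digest used for the reuse history are this example's assumptions, not documented product behaviour.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class PasswordRules:
    """Password rules for one role. Field names and defaults are this example's
    assumptions; the guide names the rules only in prose. Zero disables a rule."""
    min_length: int = 8
    min_numeric: int = 1
    reuse_history: int = 3             # changes required before a password may be reused (max 10)
    max_lifetime_days: int = 90        # 0 = password never expires
    max_invalid_logons: int = 3        # 0 = never locked out for failed logins
    inactivity_timeout_sec: int = 900  # 0 = idle sessions never time out
    forbid_username_as_password: bool = True
    lockout_after_days_idle: int = 0   # 0 = never locked out for inactivity
    delete_after_days_idle: int = 0    # 0 = never deleted for inactivity
    review_after_days: int = 0         # 0 = never flagged for review


# Constructed reference time for the checks below (not from the guide).
NOW = datetime(2006, 6, 1, 12, 0)


def days_ago(n):
    return NOW - timedelta(days=n)


def password_digest(password):
    """Digest kept in the reuse history. Plain SHA-256 is enough to show the
    comparison here; a real credential store should use a salted, slow KDF."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def validate_new_password(rules, username, candidate, history):
    """Return the names of the rules the candidate password violates.
    history: digests of the user's previous passwords, most recent first."""
    violations = []
    if len(candidate) < rules.min_length:
        violations.append("min_length")
    if sum(ch.isdigit() for ch in candidate) < rules.min_numeric:
        violations.append("min_numeric")
    if rules.forbid_username_as_password and candidate.lower() == username.lower():
        violations.append("username")
    if rules.reuse_history > 0:
        # Only the last N digests count; the table caps N at 10.
        if password_digest(candidate) in history[:min(rules.reuse_history, 10)]:
            violations.append("reuse")
    return violations


def password_expired(rules, last_changed, now=NOW):
    """Maximum password lifetime: zero means the password never expires."""
    if rules.max_lifetime_days == 0:
        return False
    return now - last_changed > timedelta(days=rules.max_lifetime_days)


def lock_after_failures(rules, failed_attempts):
    """Maximum number of invalid logon attempts: zero disables lockout."""
    return rules.max_invalid_logons > 0 and failed_attempts >= rules.max_invalid_logons


def session_idle_expired(rules, idle_seconds):
    """Inactivity timeout: zero disables automatic logout."""
    return rules.inactivity_timeout_sec > 0 and idle_seconds > rules.inactivity_timeout_sec


def inactivity_state(rules, last_login, now=NOW):
    """Flags derived from the days since the user's last login: locked out,
    deleted from the user list, or marked for review."""
    days_idle = (now - last_login).days
    return {
        "locked": 0 < rules.lockout_after_days_idle <= days_idle,
        "deleted": 0 < rules.delete_after_days_idle <= days_idle,
        "review": 0 < rules.review_after_days <= days_idle,
    }
```

Each check is a separate function so that the reuse history, lockout and inactivity rules can be evaluated independently of one another, which is also how the guide presents them: a zero in any one rule switches off that rule without affecting the others.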
Configuring alerts
You can create the alert conditions that determine whether notifications are sent to administrators about events in your security network.
Note: You can also create notifications to be sent if the reporting agents go down. See Specifying notification options for agents on page 92.
To generate alerts, you create the alert configurations that are based on events that are logged by your security products. You can specify notifications to send email to specified users, write information to the reporting database (alert log), or run a batch file when alert conditions are met. You should configure the Alert Agent to send notifications using your email server. You can also specify the email-from address and the reporting URL to be used in the notifications that the agent sends out. The Alert Agent configuration also specifies the name of the batch file that is executed for notifications with that option enabled. See Specifying email notification parameters on page 93.
Table 4-4
Virus definitions out of date
Sends notifications when virus definitions are out of date for a set number of computers.
To configure an alert
1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Alerts tab, click Alert Configuration.
3. Under What type of alert would you like to manage, in the Alert type list box, select the type of alert that you want to configure.
4. Click Create Alert.
5. Under What filter settings would you like to use, set the filters for the events that trigger this alert notification. Some filters are not available depending on the type of notification you selected.
Filter
Description
Server group
Specifies particular server group names and/or wildcard characters (?, *). For example, to specify server group names beginning with je, type je* and separate each entry with a comma. By default, all server groups are included.
Client group
Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er and separate each entry with a comma. By default, all client groups are included.
Parent server
Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify the parent server names that have the string tion in them, type *tion* and separate each entry with a comma. By default, all parent servers are included.
Computer
Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, etc., type ?machine and separate each entry with a comma. By default, all computers are included.
Risk name
Specifies particular risk names and/or wildcard characters (?, *). Separate each entry with a comma. By default, all risks are included.
Risk severity
Specifies a particular risk severity. The risk categories correspond to the risk levels that are defined by Symantec Security Response. Select the category from the list box. By default, all categories are included.
Source
Specifies the source of the event. For example, a scheduled scan.
Action
Specifies the action that was taken as a result of the event.
Online only
Includes only the computers that are connected to their parent server.
Checked-in today
Includes only the computers that checked in with their parent servers today.
6. Under What settings would you like for this alert, in the Alarm if text box, do one of the following:
   In the Alarm if text box, enter the number of occurrences of the security event, then enter the number of minutes during which the occurrences must happen to trigger the notification.
   In the Alarm if new report available list box, select the type of report that triggers the alert (daily, monthly, or yearly risk report).
7. Under What should happen when this alert is triggered, check or uncheck Write alert to database to log the notification to the alerts log. This option is not available for the Single virus event or New report available alert types.
8. Check or uncheck Execute configured batch file to run the batch file you specify on the Agent Configuration page. See Specifying email notification parameters on page 93.
9. In the Send e-mail to these addresses text box, type the email addresses to which the notification should be sent. Separate each entry with a comma.
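The alert filters and the "Alarm if" occurrence threshold described in the procedure above, as an added example that is not code from this guide or from the product: a Python model of how comma-separated filter entries with the ? and * wildcards (the same filter rules that the server group, client group, parent server and computer tables throughout this guide describe) select events, and how a threshold of N occurrences within M minutes fires a notification. The event records, the filter values, the case-insensitive comparison and the decision to reset the window after each notification are this example's assumptions, not documented product behaviour.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events (not from the product); the fields mirror the
# filters in the alert configuration table.
SAMPLE_EVENTS = [
    {"time": "2006-03-01 09:00", "server_group": "jericho", "client_group": "server",
     "computer": "1machine", "risk_name": "Test.Risk.A"},
    {"time": "2006-03-01 09:02", "server_group": "jericho", "client_group": "server",
     "computer": "2machine", "risk_name": "Test.Risk.A"},
    {"time": "2006-03-01 09:03", "server_group": "jericho", "client_group": "desktops",
     "computer": "3machine", "risk_name": "Test.Risk.A"},
    {"time": "2006-03-01 09:05", "server_group": "sales", "client_group": "server",
     "computer": "4machine", "risk_name": "Test.Risk.B"},
    {"time": "2006-03-01 09:07", "server_group": "jericho", "client_group": "server",
     "computer": "3machine", "risk_name": "Test.Risk.B"},
    {"time": "2006-03-01 09:30", "server_group": "jericho", "client_group": "server",
     "computer": "fileserver", "risk_name": "Test.Risk.A"},
    {"time": "2006-03-01 09:40", "server_group": "jericho", "client_group": "server",
     "computer": "5machine", "risk_name": "Test.Risk.A"},
]

# Constructed filter configuration: je*, *er and ?machine are the guide's own
# wildcard examples; an empty string is the default "all included".
FILTER = {"server_group": "je*", "client_group": "*er", "computer": "?machine", "risk_name": ""}


def entry_to_regex(entry):
    """Translate one filter entry: ? matches exactly one character, * any run of
    characters, and everything else is taken literally."""
    parts = []
    for ch in entry:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def matches_filter(value, filter_text):
    """True if value matches any comma-separated entry; an empty filter matches everything."""
    if not filter_text or not filter_text.strip():
        return True
    entries = [e.strip() for e in filter_text.split(",") if e.strip()]
    # Case-insensitive matching is this example's assumption; the guide does not say.
    return any(re.fullmatch(entry_to_regex(e), value, re.IGNORECASE) for e in entries)


def matching_events(events, filters):
    """Events that pass every configured filter field."""
    return [ev for ev in events
            if all(matches_filter(ev.get(field, ""), text) for field, text in filters.items())]


def alarm_times(events, filters, occurrences, minutes):
    """Times at which "Alarm if <occurrences> occurrences in <minutes> minutes" is met.
    A sliding window over the matching events; the window is reset after a
    notification so one burst of events produces one notification."""
    window = timedelta(minutes=minutes)
    recent = deque()
    fired = []
    for ev in sorted(matching_events(events, filters), key=lambda e: e["time"]):
        t = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M")
        recent.append(t)
        while t - recent[0] > window:
            recent.popleft()
        if len(recent) >= occurrences:
            fired.append(ev["time"])
            recent.clear()
    return fired


if __name__ == "__main__":
    print("matching:", [e["computer"] for e in matching_events(SAMPLE_EVENTS, FILTER)])
    print("alarms (3 in 10 min):", alarm_times(SAMPLE_EVENTS, FILTER, 3, 10))
```

With the constructed data, four of the seven events pass the filters (the desktops client group, the sales server group and the computer named fileserver are excluded), and three of them fall within a 10-minute window, so one notification fires at 09:07; with a 5-minute window none fires.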
If you configure the refresh interval, the interval also sets the refresh for the risk log. See Setting automatic refresh intervals on page 60. Table 4-5 describes the settings for filtering the alerts list.
Table 4-5 Alert list filter settings
Setting
Description
Time range
Includes only those alert events in the selected date range. If you choose Set specific dates, the Start date and End date options must be set.
Start date
Sets the start date for the date range. Only available when you select Set specific dates for the time range.
End date
Sets the end date for the date range. Only available when you select Set specific dates for the time range.
Filter acknowledged
You can filter the log to show only acknowledged alerts or unacknowledged alerts. The default is all alerts.
Includes only those alerts with the specified alert type.
Includes only those alerts based on notifications that are created by the selected user.
Specifies how many events should be included on each page of the alert log display.
Server Group
Specifies particular server group names and/or wildcard characters (?, *). For example, to specify server group names beginning with je, type je* and separate each entry with a comma. By default, all server groups are included.
Parent Server
Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify the parent server names that have the string tion in them, type *tion* and separate each entry with a comma. By default, all parent servers are included.
Computer
Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, etc., type ?machine and separate each entry with a comma. By default, all computers are included.
Client Group
Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er and separate each entry with a comma. By default, all client groups are included.
Risk Name
Specifies particular risk names and/or wildcard characters (?, *). Separate each entry with a comma. By default, all risks are included.
Risk Severity
Specifies particular risk severities and/or wildcard characters (?, *). Separate each entry with a comma. By default, risks of all severities are included.
Source
Specifies the source of the event that triggered the alert notification. For example, a scheduled scan.
Actual Action
Includes only those alert notifications that are based on the selected action.
1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Alerts tab, click Alert Events.
3. Do one of the following:
   Select an existing filter from the Use saved filter list box.
   Click Advanced Settings to create a new filter for the log.
4. If you selected Advanced Settings, make any changes to the filtering options.
5. If you want to save the filter settings, click Save Filter.
6. If you want to save the filter settings to a new configuration name, in the Name text box, type a new configuration name. A message appears that the filter is saved, and the filter is listed in the Use saved filter list box.
To acknowledge alerts
1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Alerts tab, click Alert Events.
3. Click Advanced Settings.
4. Make sure the date range is set to the desired range, and then set any other filters that you want to apply to the log display.
5. Set Filter Acknowledged to All or Acknowledged.
6. Click View Log.
7. Under Alert Events, do one of the following:
   Click the red Acknowledge icon next to the alert that you want to acknowledge.
   Click the icon to acknowledge all alerts that currently appear on the page.
To unacknowledge alerts
1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Alerts tab, click Alert Events.
3. Click Advanced Settings.
4. Make sure the date range is set to the desired range, and then set any other filters that you want to apply to the log display.
5. Set Filter Acknowledged to All or Not acknowledged.
6. Click View Log.
7. Under Alert Events, do one of the following:
   Click the green Unacknowledge icon next to the alert that you want to unacknowledge.
   Click the icon to unacknowledge all alerts that currently appear on the page.
To display details about an alert event
1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Alerts tab, click Alert Events.
3. Configure any filters that you want to set for displaying the alert events log.
4. Click View Log. The log appears at the bottom of the page.
5. In the column to the left of the alert event for which you want to display details, click the More info icon.
The home page refresh is independent of the logs and alert events refresh value. If you change the refresh level for the home page, the setting is saved for your sessions. Other reporting users can change the refresh for their own sessions.
There is a single refresh value for risk, scan, and inventory logs as well as alert events. An administrator can set the default value. The value applies to all user sessions. Any user can set the automatic refresh for logs and alert events by setting the refresh on any of the log pages or the alert events page. If you change the value on one page, the value is changed for all the log pages and the alert events page. The value overrides the default setting for the current user only.
To set the automatic refresh interval for the home page
1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Home tab, click Homepage Configuration.
3. In the Homepage auto-refresh text box, type the number of seconds after which you want the home page to refresh. The minimum value is 30 seconds; however, you can enter 0 to disable automatic refresh. If you enter a value between 1 and 29, the value is automatically changed to 30.
4. Click Save.
To set the global default refresh interval for alerts and events
1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Admin tab, click GUI Configuration > General.
3. Under Auto Refresh, in the Default auto refresh for events and alerts pages text box, type the number of seconds after which you want the alerts and events pages to refresh. The minimum value is 30 seconds. However, you can enter 0 to disable automatic refresh. If you enter a value between 1 and 29, the value is automatically changed to 30.
4. Click Save.
To set the automatic refresh interval for logs and alert events
1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. Do one of the following:
   On the Alerts tab, click Alert Events.
   On the Logs tab, click Risk Logs.
   On the Logs tab, click Scan Logs.
   On the Logs tab, click Inventory Logs.
3. In the Auto-refresh list box, select the automatic refresh interval. The default is Never. The page refreshes immediately and the next refresh occurs after the interval you specified.
Chapter
Using logs
This chapter includes the following topics:
About logs
Viewing logs
Saving log configuration settings
Viewing risk logs
Viewing scan logs
Viewing computer status logs
Using events in logs
About logs
The reporting software allows you to view lists of events from your security products. It includes event data from your primary and secondary management servers as well as all the clients reporting to those servers. You may want to view this information to troubleshoot security problems in your network or to delete the events that you no longer need. For example, if you test your servers and have phantom clients or viruses, you might want to delete these events from your logs before you run the servers in a live network. You can also export the log event data to a file for importing into a spreadsheet application or to use for restoring the events to your reporting server. You can view three types of logs:
Risk logs
Scan logs
Computer status logs
When you view a log, you can use any of the following:
An existing report that uses similar settings
Basic settings for viewing the log
Advanced settings for filtering the log events
If you get database errors when generating logs that include a large amount of data, you might want to change database timeout parameters. See the section called Changing timeout parameters. If you get CGI or terminated process errors, you might want to change other timeout parameters. Information about additional timeout parameters is provided in the Symantec Knowledge Base article called "Reporting server does not report or shows a timeout error message when querying large amounts of data."
Viewing logs
You can generate a list of events from your logs that are based on a collection of filter settings you select. You can save the filter configuration to generate the log at a later date. There is a default filter configuration for each log type. You can modify and save the configuration for the default filter. You can create new filter configurations that are based on the default or on an existing configuration that you created. You can delete customized configurations if you do not need them. See Saving log configuration settings on page 65.
To view a log quickly
1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Logs tab, do one of the following:
   Click Risk Logs.
   Click Scan Logs.
   Click Computer Status Logs.
3. Under What filter settings would you like to use, in the Use saved filter list box, select an existing filter or use the default.
4. Change any basic or advanced settings.
5. Click View Log. The log events appear in the lower part of the pane. You can display additional information about each event. You can also save the settings.
To save a log configuration
1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Logs tab, do one of the following:
   Click Risk Logs.
   Click Scan Logs.
   Click Computer Status Logs.
3. Under What filter settings would you like to use, click Advanced Settings.
4. Change any of the settings.
5. Click Save Filter.
6. In the Name box, type a name for a new filter configuration or leave the existing filter name.
7. Click Save.
To delete a log configuration
1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Logs tab, do one of the following:
   Click Risk Logs.
   Click Scan Logs.
   Click Computer Status Logs.
3. In the Use saved filter box, select the name of the log configuration that you want to delete.
4. Click the Delete icon.
5. Click OK.
Viewing risk logs
Product
Specifies only the risks that are found by Symantec AntiVirus, by Symantec Client Firewall, or by both products. The default is Symantec AntiVirus.
Time range
Sets the range of time over which risks were found to include in the log display. If you choose Set specific dates, you must set the Start date and End date options.
Start date
Sets the start date for the time range. Only available when you select Set specific dates for the time range.
End date
Sets the end date for the time range. Only available when you select Set specific dates for the time range.
Event type
Specifies the type of events to include. The types of events that appear in the list depend on the setting for Product. The default is all events.
Action taken
Specifies which actions should be included in the log display. Your security product performs the actions. The types of actions that appear in the list depend on the setting for Product. The default is all actions.
Scan type
Filters the log to events that occurred during a particular type of scan, for example a scheduled scan or a manual scan. By default, all events from any type of scan are used for the report.
Risk type
Specifies a particular risk type (viral, trackware, spyware, hack tool, security risk, jokeware, heuristic, adware, remote access, non-viral malicious code, or dialer). By default, all risk types appear in the log.
Risk Severity
Filters the log by risks with a particular severity. Severity is defined in five categories, plus unknown: 1 is very low; 2 is low; 3 is moderate; 4 is severe; and 5 is very severe. For more details about severity, see the Symantec Security Response Web site. By default, risks of all severities are included.
Server group
Specifies particular server group names and/or wildcard characters (?, *). For example, to specify server group names beginning with je, type je* and separate each entry with a comma. By default, all server groups are included.
Client group
Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er and separate each entry with a comma. By default, all client groups are included.
Parent server
Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify the parent server names that have the string tion in them, type *tion* and separate each entry with a comma. By default, all parent servers are included.
Computer
Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, etc., type ?machine and separate each entry with a comma. By default, all computers are included.
IP address
Specifies particular IP addresses and/or wildcard characters (?, *). Separate each entry with a comma. By default, all IP addresses are included.
User
Specifies particular users and/or wildcard characters (?, *). Separate each entry with a comma. By default, all users are included.
Risk name
Specifies particular risk names and/or wildcard characters (?, *). Separate each entry with a comma. By default, all risks are included.
Specifies how many events should be included on each page of the log display.
Sort order
Specifies the sort order for columns in the log display. Each column can be sorted in ascending or descending order.
To view a risk log
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Logs tab, click Risk Logs.
3 Under What filter settings would you like to use, click the product for which you want to view risk events.
4 If you want to use a saved filter, select the filter from the Use saved filter list box.
5 In the Time range list box, select the range for which you want to view risk events. If you select Set specific dates, select the start date and the end date for the range.
6 If you want to use additional filters on the display, click Advanced Settings.
7 Configure any filters you want to use for the display. You can save the current settings. See Saving log configuration settings on page 65.
Viewing scan logs
Time range
Sets the range of time over which scan events are included in the display. If you choose Set specific dates, you must set Start date and End date.
Start date
Sets the start date for the time range. Only available when you select Set specific dates for the time range.
End date
Sets the end date for the time range. Only available when you select Set specific dates for the time range.
Duration greater than
Includes only the scans whose duration exceeds this value.
Files scanned greater than
Limits the data to scans that scanned a number of files greater than this value.
Risks greater than
Limits the data to scans that found a number of risks greater than this value.
Files infected greater than
Limits the data to scans that found a number of infections greater than this value.
Scan start message
Includes only those events with the selected scan message.
Status
Specifies whether to include all scans, only completed scans, or only cancelled scans in the report.
Specifies how many events should be included on each page of the log display.
Server group
Specifies particular server group names and/or wildcard characters (?, *). For example, to specify server group names beginning with je, type je* and separate each entry with a comma. By default, all server groups are included.
Client group
Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er and separate each entry with a comma. By default, all client groups are included.
Parent server
Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify the parent server names that have the string tion in them, type *tion* and separate each entry with a comma. By default, all parent servers are included.
Computer
Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, etc., type ?machine and separate each entry with a comma. By default, all computers are included.
IP address
Specifies particular IP addresses and/or wildcard characters (?, *). Separate each entry with a comma. By default, all IP addresses are included.
User
Specifies particular users and/or wildcard characters (?, *). Separate each entry with a comma. By default, all users are included.
Sort order
Specifies the sort order for columns in the log display, either ascending or descending.
To view a scan log
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Logs tab, click Scan Logs.
3 Under What filter settings would you like to use, in the Use saved filter list box, select an existing filter or use the default filter.
4 In the Time range list box, select the time period over which you want to view scan events.
5 If you want to use additional filters on the display, click Advanced Settings.
6 Configure any filters you want to use for the display. You can save the current settings. See Saving log configuration settings on page 65.
7 Click View Log. The event data appears at the bottom of the pane.
Viewing computer status logs
You can filter the information so that only certain types of client status events appear in the display. You can also specify advanced filters to limit the display. Computer status logs show the computers in your network that are infected. These computers require manual attention. For example, you might have to download a tool from the Symantec Web site to clean a particular risk. After you manually clean computers, you can change the infected status by using the computer status log. See Administering daily workflow to eliminate risks on page 112. Table 5-3 describes the settings (filter and description) for computer status logs.
Table 5-3
Time range
Sets the range of time over which risks were found to include in the log display. If you choose Set specific dates, you must set Last checkin time.
Last checkin time
The last time that the computer checked in with its parent server. Only available when you select Set specific dates for the time range.
Includes only those computers with this particular virus definition date.
Includes only those computers with this Symantec AntiVirus product version.
Antivirus scan engine version
Includes only those computers with this Scan Engine version.
Firewall version
Includes only those computers with this Symantec Client Firewall version.
Firewall policy file
Includes only those computers with this firewall policy name.
Online
Includes all computers, only those computers that are connected to their parent servers, or only those computers that are not connected to their parent servers.
Auto-Protect status
Includes computers with any Auto-Protect status, or only those computers with Auto-Protect enabled, disabled, or status unknown.
Specifies how many events should be included on each page of the log display.
Server group
Specifies particular server group names and/or wildcard characters (?, *). For example, to specify server group names beginning with je, type je* and separate each entry with a comma. By default, all server groups are included.
Client group
Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er and separate each entry with a comma. By default, all client groups are included.
Parent server
Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify the parent server names that have the string tion in them, type *tion* and separate each entry with a comma. By default, all parent servers are included.
Computer
Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, etc., type ?machine and separate each entry with a comma. By default, all computers are included.
IP address
Specifies particular IP addresses and/or wildcard characters (?, *). Separate each entry with a comma. By default, all IP addresses are included.
User
Specifies particular users and/or wildcard characters (?, *). Separate each entry with a comma. By default, all users are included.
Specifies only computers with infections.
Sort order
Specifies the sort order for columns in the log display, either ascending or descending.
Displays the Symantec AntiVirus version or the Symantec Client Firewall version in the report.
Computer type
Includes only parent servers or only primary management servers. The default is both (all).
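The wildcard filter fields in the risk, scan and computer status tables above share one syntax: ? matches a single character, * matches any run of characters, and several entries are separated by commas. The following is an added example, not part of the guide or the product, that implements that matching for the guide's own cases (je*, *er, *tion*, ?machine); treating matches as case-insensitive and a blank field as "include everything" are assumptions.

```python
import re
from typing import Iterable, List


def wildcard_to_regex(entry: str) -> "re.Pattern":
    """Compile one filter entry. Only ? (one character) and * (any run of
    characters) are wildcards; every other character, including '.', is
    matched literally. Case-insensitive matching is an assumption."""
    parts = []
    for ch in entry:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def parse_filter(filter_text: str) -> List["re.Pattern"]:
    """Split a filter field on commas ("separate each entry with a comma").
    Surrounding spaces and blank entries are ignored; an empty field is the
    default and means that every value is included."""
    entries = [e.strip() for e in filter_text.split(",")]
    return [wildcard_to_regex(e) for e in entries if e]


def matches_filter(value: str, filter_text: str) -> bool:
    """True if the value matches at least one entry of the filter field."""
    patterns = parse_filter(filter_text)
    if not patterns:
        return True
    # fullmatch: the whole name must match, so je* needs a leading 'je'
    # and ?machine matches 1machine but not 10machine.
    return any(p.fullmatch(value) for p in patterns)


def apply_filter(values: Iterable[str], filter_text: str) -> List[str]:
    """Return the values that the filter field keeps, in their original order."""
    return [v for v in values if matches_filter(v, filter_text)]


if __name__ == "__main__":
    # Constructed sample names, not data from the product.
    computers = ["1machine", "2machine", "10machine", "server"]
    print(apply_filter(computers, "?machine"))
    groups = ["jeserver", "jemain", "production", "ops"]
    print(apply_filter(groups, "je*, *tion*"))
```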
To view a computer status log
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Logs tab, click Computer Status Logs.
3 Under What filter settings would you like to use, in the Use saved filter list box, select an existing filter or use the default filter.
4 If you want to use additional filters on the display, click Advanced Settings.
5 Configure any filters you want to use for the display. You can save the current settings. See Saving log configuration settings on page 65.
Figure 5-1
To display event details
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Logs tab, do one of the following:
Click Risk Logs.
Click Scan Logs.
Click Computer Status Logs.
3 Under What filter settings would you like to use, in the Filter list box, select an existing filter or use the default.
4 Change any basic or advanced settings.
5 Click View Log. The log appears at the bottom of the page.
6 In the event column, next to the event for which you want to view details, click the More info icon.
To export log events
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Logs tab, do one of the following:
Click Risk Logs.
Click Scan Logs.
Click Computer Status Logs.
3 Change any basic or advanced settings.
4 Click View Log.
5 Click Export this log.
Delimited format
Delimited format exports the event data into information that is separated by a special character such as a comma or a semicolon. You can then import information in this format into a spreadsheet application such as Microsoft Excel.
This format can be read by the Log Reader Agent. If you export events in this format, you can then copy the file to the following directory on your reporting server: \Program Files\Symantec\Reporting Server\Upload. The Log Reader Agent will process the event data the next time it runs.
6 If you selected Delimited format, type the special character in the field separator text box.
7 Click Export. The Export Event Data message appears in a new window. The message indicates the location of the file that you exported. The exported file is located in \Program Files\Symantec\Reporting Server\Web\Temp.
To delete events from a log
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Logs tab, do one of the following:
Click Risk Logs.
Click Scan Logs.
Click Computer Status Logs.
3 Under What filter settings would you like to use, in the Filter list box, select an existing filter or use the default.
4 Change any basic or advanced settings.
5 Click View Log. The log appears at the bottom of the page.
6 Do one of the following:
Check the boxes next to the individual events that you want to delete from the log.
Click Select All to select all events that are displayed on the page. Only the displayed events are selected for deletion. You can click Select None to deselect all of the selected items.
7 Click the right arrow to display any additional events to select for deletion.
8 Click Delete selected entries.
9 Click OK. All of the events you selected are deleted from the reporting database. These events no longer appear in the log if you display it again. The events also do not appear in any reports that you generate.
Chapter
About reporting agents
Configuring reporting agents
Specifying email notification parameters
Specifying notification parameters for the disk full check
Using agent logs
Registry keys for agent configuration
Reporting agents
Log Reader (Computer Status)
The Log Reader Agent for computer status runs on the reporting server and processes the inventory files sent from the Computer Status Agents. The inventory files contain state information about parent servers and clients. Typically, you do not need to change the polling frequency for the Log Reader (Computer Status).
Log Reader (Events)
The Log Reader Agent for events runs on the reporting server and processes the events that are contained in the log files sent from the Log Sender Agents. If you change the polling frequency for the Log Reader (Events), you might lose performance: if the Log Sender has posted a large volume of events, the agent's processing time might exceed the configured polling frequency.
Alert Agent
The Alert Agent runs on the reporting server, checks the status of the other agents, and sends out notifications if those agents have been configured for notifications. The agent also monitors the disk space available to the reporting database. If the current free disk space on the reporting server falls below 100 MB, the Alert Agent logs an alert in the database and sends out email notifications. You can change the 100 MB default on the Agent Notification page.
Scheduled Reporting Agent
The Scheduled Reporting Agent runs on the reporting server and tracks the number of clients per particular virus definition version. The agent also creates the scheduled reports that you configure as well as a default scheduled report for monitoring the rollouts of virus definitions to computers in your network. You might want to increase or decrease the check-in interval for this agent to increase or decrease the amount of time between updates of the virus definitions statistics for your security network.
Virus Category Agent
The Virus Category Agent runs on the reporting server. It monitors the Symantec Security Response Web site for information about risks. The information it collects includes the ThreatCon level, the severity of the risks (categories 1 through 5), and when risks were discovered.
Database Maintenance
The Database Maintenance Agent runs on the reporting server and deletes old records and compresses duplicate events at particular intervals. The agent performs maintenance on log files, events, compressed events, alerts, the clients that have not checked in, the clients that have been removed or renamed, old virus definitions history records, scans, unused virus definitions records, EICAR events, and inactive users. See Configuring the reporting database maintenance agent on page 102.
Database Backup
The Database Backup Agent runs on the reporting server and creates backup files of database records. The file is located in \Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\Backup\BACKUP_<date>_<time>. You might want to change the interval between backups depending on the amount of data in the database. For example, if you have large amounts of data, you might want to schedule backups more frequently. You might also have auditing requirements in your organization that require database backups at particular intervals. See Configuring the reporting database backup options on page 104.
Log Sender
The Log Sender Agent runs on primary management servers and collects information about events from the log files of your security products. The agent detects the location of the log files from the ALLUSERSPROFILE environment variable. Typically the location of the log files is \..\Application Data\Symantec\Symantec Antivirus Corporate Edition\7.5\logs. The Log Sender Agent also aggregates virus and firewall events and keeps a count of the number of duplicate instances of the same event. You can configure the amount of time that the Log Sender waits before it sends the aggregated record to the reporting server. You can also turn off aggregation by setting Aggregate redundant events every to 0. See Configuring event aggregation on page 89.
Computer Status
The Computer Status Agent runs on parent servers and secondary servers and collects state information about parents and clients. The agent collects the state information in an inventory file and uploads the file to the reporting server.
This section covers the following:
The configuration of the agent's scheduling and status checking parameters
The agent logs
In addition, the Alert Agent periodically runs on its own schedule and determines when to send out a notification that an agent is down. When the Alert Agent runs, it makes the status calculation for each agent (the current time minus each agent's Warn after period). If the calculated time is later than the last run time for a particular agent, the Alert Agent sends out notifications for that agent. If you want to make sure that notifications are sent right away when an agent is down, you should configure the Alert Agent's frequency to be a short period of time so it picks up an agent's down status right away. The Alert Agent is also responsible for sending out notifications about your security products. Note: If the Alert Agent itself is down, notifications are not sent out. See Configuring alerts on page 52. Typically you should use the default values provided for the agent scheduling. However, you might want to change these values depending on the requirements of your security network.
Note: If you have log files with a large number of events, the Log Sender Agent's initial run might take longer than its scheduled frequency. You can also disable an agent and prevent it from running if you want to troubleshoot a problem with an agent. Table 6-2 shows a summary of the agents' scheduling and status checking parameters (parameter and description).
Table 6-2
Run every
Next run
The next time the agent will run. This time is automatically calculated by the reporting software by adding the frequency to the current time. You configure the next run time for each agent through the Agent Configuration page.
Warn after
The amount of time the reporting software subtracts from the current time to determine whether an agent is down. If the calculated time is later than the agent's last run time, the agent is considered down. You configure the Warn after time for each agent through the Agent Notification page.
Note: The combined polling frequency of the Log Reader, Log Sender, and the reporting interface are responsible for the event data you view in reports. Typically, you should not change the default values.
Note: Depending on how you configure the agent's frequency and the Warn after period, an agent's status on the Agent Status page might not reflect its current state. In addition, the remote agent status in the Symantec System Center console is not available until the remote agents have completed their initial runs. Make sure you do not configure the agent's schedule to be a greater value than the agent's status checking. (The status checking value is the Warn after value on the Agent Notification page.) For example, if you set the Log Sender Agent to run every two hours but configure the Log Sender's Warn after value to be one hour, the Agent Status page shows the Log Sender Agent as down even though the agent is simply not scheduled to run yet. A red icon might appear next to agents for the following reasons:
The agent did not run at its scheduled time, for example because the agent service was stopped or the computer on which it is installed went down. If you restore your reporting database, the agent service stops automatically and you must restart it.
The agent's polling cycle exceeds the agent's status checking (Warn after) value.
The agent is running and fails, and the Warn after period expires. Before the Warn after period expires, the agent is considered up and the icon on the Agent Status page is green. After the Warn after period expires, the icon turns red to indicate that the agent is considered down. Any notifications you have configured are sent out.
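The status rule above (current time minus Warn after, compared with the agent's last run time) and the schedule check that goes with it, as an added example that is not part of the guide or the product. The simulation of an agent that runs exactly on schedule is an assumption used to show the two-hour Run every / one-hour Warn after case from the note.

```python
from datetime import datetime, timedelta
from typing import List, Optional


def agent_is_down(now: datetime, last_run: Optional[datetime],
                  warn_after: timedelta) -> bool:
    """Subtract Warn after from the current time; if the result is later
    than the agent's last run time, the agent is considered down.
    An agent that has never run (None) is treated as down (assumption)."""
    if last_run is None:
        return True
    return (now - warn_after) > last_run


def next_run(now: datetime, run_every: timedelta) -> datetime:
    """Next run is the Run every frequency added to the current time."""
    return now + run_every


def schedule_is_consistent(run_every: timedelta, warn_after: timedelta) -> bool:
    """The schedule must not be greater than the status checking (Warn after)
    value, otherwise a healthy agent is shown as down between its runs."""
    return run_every <= warn_after


def false_down_window(run_every: timedelta, warn_after: timedelta) -> timedelta:
    """How long per cycle a healthy agent is reported down purely because of
    an inconsistent schedule (zero when the schedule is consistent)."""
    return max(run_every - warn_after, timedelta(0))


def status_timeline(last_run: datetime, run_every: timedelta,
                    warn_after: timedelta, step: timedelta,
                    until: timedelta) -> List[str]:
    """Simulate a healthy agent that runs exactly on schedule and return the
    icon colour the Agent Status page would show at each sampling step."""
    colours = []
    now = last_run
    end = last_run + until
    while now <= end:
        # A healthy agent's most recent run is the last schedule tick <= now.
        ticks = (now - last_run) // run_every
        most_recent = last_run + ticks * run_every
        colours.append("red" if agent_is_down(now, most_recent, warn_after) else "green")
        now += step
    return colours


if __name__ == "__main__":
    # Constructed sample: Log Sender runs every two hours, Warn after is one hour.
    t0 = datetime(2006, 1, 1, 8, 0)
    two_hours, one_hour = timedelta(hours=2), timedelta(hours=1)
    print(schedule_is_consistent(two_hours, one_hour))
    print(status_timeline(t0, two_hours, one_hour, timedelta(minutes=30), timedelta(hours=4)))
```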
To view agent status
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Admin tab, click Agent Status.
A remote agent might not check in with the reporting server for many reasons, including the following:
The computer on which the agent is running is down.
The agent might be installed incorrectly.
To view remote agent status in the Symantec System Center console
1 In the Symantec System Center console, in the left pane, click the server or server group name for which you want to see agent status.
2 In the toolbar, click the reporting icon.
3 Click OK.
To specify scheduling options for local agents
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Admin tab, click Agent Configuration.
3 Under the Change column, next to the agent for which you want to change the scheduled run time, click the icon.
4 Next to Run every, in the text box, type the number you want, and then in the list box, select minutes, hours, days, weeks, or months for scheduling the agent. Next to Next run, in the selection drop-down boxes, select the hour and minute to start the next agent run.
5 Click Save.
To specify scheduling options for remote agents
1 In the Symantec System Center console, in the left pane, under System Hierarchy, right-click the server for which you want to configure agent scheduling.
2 Click All Tasks > Reporting Configuration > Configure Report Agents.
3 Under Computer Status, in the Scan Inventory every text box, type the number of minutes after which the Computer Status Agent should check the status of the server and its clients. The default is 1 minute.
4 If you configure the remote agents on a primary management server, under Log Sender, in the Process logs every box, type the number of minutes after which the Log Sender Agent should scan logs for events. The default is 10 minutes.
5 Click OK.
To run the Log Sender, Computer Status, and Log Reader Agents immediately
1 In the Symantec System Center console, in the left pane, under System Hierarchy, right-click the server for which you want to run the Log Sender and Log Reader Agents immediately.
2 Click All Tasks > Reporting Configuration > Run Now. The Log Sender and Log Reader Agents run immediately. After the agents run and update the reporting server with the latest log information, the agents return to their previous schedule. If the schedule indicates that an agent should already have run, it runs immediately and then follows its next scheduled run time.
Disabling an agent
You can prevent a local agent from running by disabling it. (You cannot disable the remote agents.) For example, if you are running your own database maintenance scripts you might want to disable the Database Maintenance Agent. Or, you might not want to use the Alert Agent if you do not configure alerts for events in your security network.
Note: If you disable the Log Reader (for computer status or events), your reports will not be accurate.
To disable an agent
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Admin tab, click Agent Configuration.
3 For the agent that you want to disable, click the Edit icon.
4 Check Disable Agent.
5 If a warning dialog appears, click OK.
6 Click Save.
To configure event aggregation
1 In the Symantec System Center console, in the left pane, under System Hierarchy, right-click the primary management server on which the Log Sender Agent is running.
2 Click All Tasks > Reporting Configuration > Configure Reporting Agents.
3 Under Log Sender, in the Aggregate redundant events every box, type the number of minutes the Log Sender Agent should wait before aggregating redundant virus and firewall events. The range of values is 0 minutes to 60 minutes. To disable aggregation, set the value to 0.
4 Click OK.
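The aggregation the Log Sender Agent performs (duplicate virus and firewall events collapsed into one record with a count, a 0 to 60 minute window, 0 meaning off), as an added example that is not the agent's own code. The duplicate key (computer, risk name, action), the window measured from the first occurrence, and the sample events are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RiskEvent:
    """One virus or firewall event read from a product log (constructed shape)."""
    time: datetime
    computer: str
    risk_name: str
    action: str


@dataclass
class AggregatedEvent:
    """What is forwarded to the reporting server: the first occurrence,
    the time of the latest duplicate, and how many duplicates were seen."""
    first: RiskEvent
    last_time: datetime
    count: int = 1


def aggregate(events: List[RiskEvent], window_minutes: int) -> List[AggregatedEvent]:
    """Collapse events with the same (computer, risk_name, action) that occur
    within window_minutes of the first occurrence into one record with a
    count. window_minutes must be 0-60; 0 disables aggregation, so every
    event is forwarded on its own with a count of 1."""
    if not 0 <= window_minutes <= 60:
        raise ValueError("Aggregate redundant events every must be 0-60 minutes")
    window = timedelta(minutes=window_minutes)
    open_records: Dict[Tuple[str, str, str], AggregatedEvent] = {}
    out: List[AggregatedEvent] = []
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.computer, ev.risk_name, ev.action)
        rec = open_records.get(key)
        if window_minutes and rec is not None and ev.time - rec.first.time <= window:
            rec.count += 1          # duplicate inside the window: count it
            rec.last_time = ev.time
            continue
        rec = AggregatedEvent(first=ev, last_time=ev.time)  # new record
        open_records[key] = rec
        out.append(rec)
    return out


def sample_events() -> List[RiskEvent]:
    """Constructed sample: the same risk handled three times on ws01 within
    five minutes, once on ws02, and once more on ws01 forty minutes later."""
    t0 = datetime(2006, 1, 1, 9, 0)
    m = lambda n: t0 + timedelta(minutes=n)
    return [
        RiskEvent(m(0), "ws01", "EICAR Test String", "Quarantined"),
        RiskEvent(m(2), "ws01", "EICAR Test String", "Quarantined"),
        RiskEvent(m(5), "ws01", "EICAR Test String", "Quarantined"),
        RiskEvent(m(3), "ws02", "EICAR Test String", "Quarantined"),
        RiskEvent(m(40), "ws01", "EICAR Test String", "Quarantined"),
    ]


if __name__ == "__main__":
    for rec in aggregate(sample_events(), 10):
        print(rec.first.computer, rec.first.time.time(), "x", rec.count)
```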
Configuring the language option for the Log Sender and Computer Status Agents
When the Log Sender and Computer Status Agents read logs and interpret computer status information, they detect the language that is used by the operating system on the parent server automatically. If you have a mixed environment, however, where the parent server uses English and any of the clients that are connected to that parent server use a different language, you should specify the language of the clients that are connected to the parent server. Otherwise, the information you see in the logs and reports might be garbled. You can specify the language option during the reporting server installation or during reporting agent installation on a remote computer. See the Symantec Client Security Installation Guide or the Symantec AntiVirus Installation Guide. You can specify the following languages:
Latin 1
Japanese
Korean
Hungarian or Polish
Russian
Simplified Chinese
Traditional Chinese
The Reporting Agents Options dialog box contains the complete list of Latin 1 languages.
To configure the language option for the Log Sender and Computer Status Agents
1 In the Symantec System Center console, in the left pane, under System Hierarchy, right-click the parent server.
2 Click All Tasks > Reporting Configuration > Configure Reporting Agents.
3 Under Language, in the list box, select the language of the clients that report to the selected parent server.
4 Click OK.
Reducing the volume of security risk events sent to the reporting server
By default, the Log Sender Agent sends security risk action events to the reporting server. If your security network experiences a large volume of security risks, you might have a large volume of events forwarded to the reporting server. To reduce the volume of events, you can prevent the Log Sender Agent from sending events about actions taken on security risks. Events about security risk occurrences are still sent to the server, but events about the actions taken (side effects) as a result of those security risks are not sent. If you prevent the Log Sender Agent from sending security risk action events to the reporting server, the event detail window for a security risk event will not show any actions. See Displaying event details on page 74. To prevent the Log Sender Agent from sending security risk action events to the reporting server
1 In the Symantec System Center console, in the left pane, under System Hierarchy, right-click the parent server.
2 Click All Tasks > Reporting Configuration > Configure Reporting Agents.
3 Under Log Sender, check Discard security risk action events.
4 Click OK.
To configure proxy settings for the Virus Category Agent
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Admin tab, click Agent Configuration.
3 Click the Edit icon next to the Virus Category Agent.
4 Under What proxy settings would you like, do the following:
In the HTTP proxy box, type the name of the proxy server in the format <DNS name>:<port number>.
In the Proxy user box, type the user ID that has access to the proxy server.
In the Proxy password box, type the password for the user ID that has access to the proxy server.
5 Click Save.
To configure notifications for an agent
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Admin tab, click Agent Notification.
3 Under the Edit column, next to the agent for which you want to configure notifications, click the Edit icon.
4 Under What notification settings would you like, next to Warn after, type the value in the text box, and then in the drop-down menu select minutes, hours, or days to wait after the last run time before declaring that the agent is down. For any agent except the Alert Agent, do the following:
Check or uncheck Enable e-mail response.
In the Notify emails box, type the email address of the person who should receive the notification about this agent. If you want to include multiple recipients, separate each email address with a comma.
5 Click Save.
To specify email notification parameters
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Admin tab, click Agent Configuration.
3 Click the Edit icon next to the Alert Agent.
4 Under What mail notification parameters would you like, do the following:
In the SMTP server box, type the path to your email server.
In the Mail 'from' address box, type the address that should appear as the return address in the notification emails that the Alert Agent generates.
In the Reporting URL box, type the reporting server URL. The URL must be correct in order for alerts to appear in the alert events log. The URL also appears in email notifications.
In the Batch file box, type the name of the batch file that should run when notifications are sent out. The batch file is located in \Program Files\Common Files\Symantec Shared\Reporting Agent\Win 32. You must have administrative privileges to write to this directory.
5 Click Save.
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Admin tab, click Agent Notification.
3 Click the Change icon next to Disk Full Check.
4 Under What notification settings would you like, in the Warn after free space less than text box, enter the free disk space threshold to be used for the notification.
5 Check Enable e-mail response.
6 In the Notify emails box, type the email address of the person who should receive the notification about this agent. If you want to include multiple recipients, separate each email address with a comma.
7 Click Save.
You can specify how often the reporting software deletes an agent's log and whether or not tracing is enabled for the agent. Tracing provides additional information in the agent logs for troubleshooting.
down. The logs contain any errors that might have occurred. Also, if the log does not contain any new entries, the agent might be installed incorrectly or the computer on which the agent is installed might be down. The log files are deleted every week. You might want to delete log files more frequently if your computer has limited disk space. The log files may be configured for tracing, which includes debugging information in the logs. You might want to enable tracing for a particular agent when the agent is consistently down, or enable tracing for the Log Reader to determine whether or not a local agent inserts information into the reporting database. If you are having trouble with database maintenance, you might want to enable tracing for the Database Maintenance Agent. See Configuring the reporting database maintenance agent on page 102. Do not enable tracing for long periods of time unless you suspect a problem.

To enable or disable tracing for local agents
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Admin tab, click Agent Configuration.
3 In the Change column, next to the agent for which you want to configure tracing, click the Change icon.
4 Under What settings would you like for logging and tracing, check or uncheck Tracing.
5 Click Save.

To enable or disable tracing for remote agents
1 In the Symantec System Center console, in the left pane, under System Hierarchy, right-click the primary or secondary management server on which the remote agents are installed.
2 Click All Tasks > Reporting Configuration > Configure Report Agents.
3 Under Computer Status, check Enable tracing.
4 If you are configuring tracing on a primary management server, under Log Sender, check or uncheck Enable tracing.
5 Click OK.
To configure the amount of time before logs are deleted for local agents
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Admin tab, click Agent Configuration.
3 In the Change column, next to the agent for which you want to configure tracing, click the icon.
4 Under What settings would you like for logging and tracing, next to Delete logs after, enter the number of days after which you want logs deleted for this agent.
5 Click Save.

To configure the amount of time before logs are deleted for remote agents
1 In the Symantec System Center console, in the left pane, under System Hierarchy, right-click the primary or secondary management server on which the remote agents are installed.
2 Click All Tasks > Reporting Configuration > Configure Report Agents.
3 Under Computer Status, in the Delete logs after text box, type the number of days after which you want the logs to be deleted for this agent.
4 If you configure the amount of time before logs are deleted on a primary management server, under Log Sender, in the Delete logs after text box, type the number of days after which you want the logs to be deleted for this agent.
5 Click OK.
FileSizeLimit
BatchProcessSize
RunNow
RunNowNextRun
Frequency

The NextRun, RunNow, and RunNowNextRun registry keys are located under the following directories:
HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Reporting\Inventory
HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Reporting\LogSender
Chapter 7 Maintaining the reporting database

About database maintenance
Configuring the reporting database maintenance agent
Configuring the reporting database backup options
Restoring an MSDE reporting database
Tuning database server memory allocation
Changing timeout parameters

Configuring the reporting database maintenance agent
Option: Description

Disable Agent: Enable or disable the agent.
Run every: Maintenance frequency. The minimum value is 1.
Next run: When the next maintenance occurs. You can modify the date and time values to specify an exact time when the next maintenance run occurs.
Delete logs after: Time to keep log files. The log files are located at x:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\DBmaint_YYYY-MM-DD.log. For the maintenance that occurs on the same date, the log file for that date is appended. For the maintenance that occurs on different dates, new log files are created.
Tracing: Specifies whether to generate debug information in the log file. If you think that you have trouble with maintenance runs, you can enable tracing to generate additional debug information in the log file. When you enable tracing, you see the words Tracing Enabled in the third DBmaint INFO statement in the log file. It may be useful to run maintenance tests with and without tracing. You can then open the file with a text editor and see what additional data tracing generates. Do not enable tracing for long time periods unless you suspect a problem.
Number of days after which risk events are deleted from the database.
Compress events after: Number of days after which identical risk-found events are compressed into one event. Identical risk-found events that occurred in one-hour time intervals are compressed and counted. The infected file names are not compressed.
Delete events that have been compressed after: Number of days after which compressed events are deleted. This value includes the time before the events were compressed. For example, if you specify to delete compressed events after 10 days and specify to compress events after seven days, events are deleted three days after they are compressed.
Delete acknowledged alerts after: Number of days after which acknowledged alerts are deleted from the database.
Delete unacknowledged alerts after: Number of days after which unacknowledged alerts are deleted from the database.
Remove clients after: Number of days after which information about clients that have not checked in is removed. The client machine record is not deleted.
Delete scans after: Number of days after which risk scans are deleted from the database.
Delete history reports after: Number of days after which history reports are deleted.
Delete unused virus definitions: Number of days after which records about the virus definitions that are not currently used by any computer or in the stored histories of computers are deleted from the database.
Delete EICAR events: Number of days after which the virus events that contain EICAR as the name of the virus are deleted from the database. The EICAR virus is benign and is used for testing purposes.
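The compression and retention rules in this table, worked through in code as an added example (this is not Symantec's code): identical risk-found events older than the Compress events after threshold are folded per one-hour interval into one counted record that keeps the infected file names, and compressed records are purged once the Delete events that have been compressed after threshold has passed since the original event time, so the page's 7-day and 10-day settings remove them three days after compression. It assumes that identical means the same risk name, computer and action taken; the event fields and the sample events are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class RiskEvent:
    risk_name: str
    computer: str
    action: str
    when: datetime        # event time; for a compressed record, the start of its hour
    files: list = field(default_factory=list)  # infected file names are kept, never merged
    count: int = 1        # how many original events this record stands for
    compressed: bool = False

def hour_bucket(ts):
    """Start of the one-hour interval in which identical events are compressed together."""
    return ts.replace(minute=0, second=0, microsecond=0)

def compress_events(events, compress_after_days, now):
    """Compress identical risk-found events older than 'Compress events after' days."""
    cutoff = now - timedelta(days=compress_after_days)
    kept, groups = [], defaultdict(list)
    for ev in events:
        if ev.compressed or ev.when > cutoff:
            kept.append(ev)  # already compressed, or still too recent to compress
        else:
            groups[(ev.risk_name, ev.computer, ev.action, hour_bucket(ev.when))].append(ev)
    for (risk, host, action, bucket), grp in groups.items():
        kept.append(RiskEvent(risk, host, action, bucket,
                              files=[f for ev in grp for f in ev.files],
                              count=sum(ev.count for ev in grp), compressed=True))
    return kept

def delete_compressed(events, delete_compressed_after_days, now):
    """'Delete events that have been compressed after' counts from the original event
    time, so a compressed record survives (delete - compress) days after compression."""
    cutoff = now - timedelta(days=delete_compressed_after_days)
    return [ev for ev in events if not (ev.compressed and ev.when <= cutoff)]

def run_maintenance(events, compress_after_days, delete_compressed_after_days, now):
    """One maintenance run: compress first, then purge compressed records past retention."""
    return delete_compressed(compress_events(events, compress_after_days, now),
                             delete_compressed_after_days, now)

def sample_events():
    """Constructed sample data: risk, host and file names are made up for this example."""
    d = datetime
    return [
        RiskEvent("W32.Sample", "PC-01", "Cleaned", d(2006, 6, 10, 9, 5), ["a.exe"]),
        RiskEvent("W32.Sample", "PC-01", "Cleaned", d(2006, 6, 10, 9, 20), ["b.exe"]),
        RiskEvent("W32.Sample", "PC-01", "Cleaned", d(2006, 6, 10, 9, 50), ["c.exe"]),
        RiskEvent("W32.Sample", "PC-01", "Cleaned", d(2006, 6, 10, 10, 10), ["d.exe"]),
        RiskEvent("Adware.Sample", "PC-02", "Quarantined", d(2006, 6, 10, 9, 30), ["f.exe"]),
        RiskEvent("W32.Sample", "PC-01", "Cleaned", d(2006, 6, 18, 8, 0), ["e.exe"]),
    ]

def demo(compress_after_days=7, delete_compressed_after_days=10):
    """Runs the page's 7-day / 10-day example on two maintenance dates and returns both results."""
    day18 = run_maintenance(sample_events(), compress_after_days, delete_compressed_after_days,
                            datetime(2006, 6, 18, 12, 0))  # 10 June events are 8 days old: compressed
    day20 = run_maintenance(day18, compress_after_days, delete_compressed_after_days,
                            datetime(2006, 6, 20, 12, 0))  # now 10 days old: compressed records go
    return day18, day20

if __name__ == "__main__":
    day18, day20 = demo()
    for ev in day18:
        print(ev.when, ev.risk_name, ev.computer, "x%d" % ev.count, ev.files)
    print(len(day20), "record(s) remain after the retention window")
```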
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Admin tab, click Agent Configuration.
3 In the Agent Configuration pane, in the Database Maintenance row, click the Change icon.
4 In the Database Maintenance Agent Configuration panel, in the Run every boxes, specify a time interval for maintenance.
5 In the Delete logs after box, change or accept the default value in days.
6 Check or uncheck Tracing.
7 In the Parameter boxes, accept or change the default values.
8 Click Save.

Configuring the reporting database backup options
On the reporting server, create a shared network directory for the backup files. On the SQL server, change the SQL server Log On account from LocalSystem to an administrative account that exists on the computer that runs the SQL server. Use the Services administrative tool to select the SQL server instance and change the Log On account properties.
Table 7-2 describes the database backup parameters.

Table 7-2 Database backup parameters
Option: Description

Disable Agent: Enable or disable the agent. If you manage a database on a remote Microsoft SQL Server, you may want to disable the agent and perform backups to tape or some other local device.
Run every: Backup frequency.
Next run: When the next backup occurs. You can modify the date and time values to specify an exact time when the next backup occurs.
Delete logs after: Time to keep log files. The log files are located at x:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32. The file name format is backup_YYYY-MM-DD.log. For the backups that occur on the same date, the log file for that date is appended. For the backups that occur on different dates, new log files are created.
Tracing: Specifies whether to generate debug information in the log file. If you think that you have trouble with database backups, you can enable tracing to generate additional debug information in the log file. When you enable tracing, you see the words Tracing Enabled near the beginning of the log. It may be useful to do backup tests with and without tracing. You can then open the file with a text editor and see what additional data tracing generates. Do not enable tracing for long time periods unless you suspect a problem.
Backup directory: Name of the database backup directory. Each backup.dat file is created in a separate directory named BACKUP_date_time. The date format is YYYYMMDD. The time format is HHMMSS. For local databases, the default directory is x:\Program Files\Common Files\Symantec Shared\Reporting Agent\Win32\Backup\. For remote databases, the default directory is invalid and backups will not occur. You must create a network share, and specify the share as \\host_name\shared_directory\. For example, if you created a directory named c:\sql_backup\ on a computer named test450, you would specify \\test450\sql_backup\. You must also change the SQL server Log On account from LocalSystem to an existing administrative account.
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Admin tab, click Agent Configuration.
3 In the Agent Configuration pane, in the Database Backup row, click the Change icon.
4 In the Database Backup Agent Configuration pane, in the Run every boxes, specify a time interval for maintenance.
5 In the Next run boxes, optionally specify a time to run the next backup.
6 In the Delete logs after box, accept or change the default.
7 Check or uncheck Tracing.
8 In the Backup directory box, accept or change the default.
9 In the Delete backups after box, accept or change the default.
10 Click Save.
Restoring an MSDE reporting database

Create a directory in which to copy the database backup file backup.dat. Create this directory once.
Create a logical dump device. Create this dump device once by using a stored procedure. You must first log in to the MSDE server by using the sa account that you created when you installed the reporting server.
Restore a database. You restore databases as necessary by using Transact-SQL commands. You log in to the MSDE server by using the sa account that you created when you installed the reporting server.
To create a directory
1 Display a command prompt.
2 Type mkdir backup or some other directory name, and then press Enter.

To create a logical dump device
1 Display a command prompt.
2 Type osql -U sa -S (local), and then press Enter.
3 In the password prompt, type the sa password, and then press Enter.
4 Type use master, and then press Enter.
5 Type exec sp_addumpdevice 'disk', 'reporting_bak', 'x:\backup\backup.dat', and then press Enter. Type the directory name that you created in which to copy the database backup file if it is not x:\backup.
6 Type go, and then press Enter.
7 To exit OSQL, type exit, and then press Enter.

To restore a database
1 In your reporting database backup directory, browse to the database file that you want to restore.
2 Copy backup.dat to the directory that you created to hold the database backup file.
3 Type osql -U sa -S (local), and then press Enter.
4 In the password prompt, type the sa password, and then press Enter.
5 Type restore database reporting from reporting_bak, and then press Enter. Type the name of your reporting database if it is not reporting. Type the name of the logical dump device that you created if it is not reporting_bak.
6 Type go, and then press Enter.
7 If successful, you see a processing statement and the amount of time for the restore to occur.
Note: After you set the database server memory allocation, document and remember the setting. The user interface always displays the setting as dedicated.

To tune database server memory allocation
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 Make sure the Log Reader Agent (Events) and the Log Reader Agent (Computer Status) are disabled. See Disabling an agent on page 88.
3 On the Admin tab, click Database Tuning.
4 In the Database Tuning window, in the System Administrator boxes, type the name and password for the database system administrator.
5 To the right of Tuning Options, check the memory option that best describes the number of applications that run on this computer.
6 Click Update Database.
7 Re-enable the agents.
Connection timeout is 300 seconds (5 minutes)
Command timeout is 300 seconds (5 minutes)

1 Open the Reporter.php file. The file is located in the \Program Files\Symantec\Reporting Server\Resources directory.
2 Use any text editor to add the following settings to the file:

$CommandTimeout = xxxx;
$ConnectionTimeout = xxxx;

If you specify zero, or leave the fields blank, the default settings are used.

If you get CGI or terminated process errors, you might want to change other timeout parameters. See the Symantec Knowledge Base article called "Reporting server does not report or shows a timeout error message when querying large amounts of data."
Chapter 8 Workflow and use cases

About workflow and use cases
Administering daily workflow to eliminate risks
Reports and logs that show security risk information
Reports and logs that show scanning information
Reports and logs that show definitions information
Reports and logs that show configuration and status information
Administering daily workflow to eliminate risks

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Logs tab, click Computer Status Logs.
3 On the Computer Status Logs page, click Advanced Settings.
4 Check Infected Only, and then click View Log.
5 Note the Infected Computers, and then click the Infected icon to display the risk list.
6 Either clean the risks from the computer, unhook the computer from the network, or accept the risks.
7 Display the Log view of infected computers again and locate the computer that you cleaned, unhooked, or accepted.
8 Display the home page and note that the numbers in the Still Infectious row shrink in value.
9 For the largest date range, repeat this procedure until both numbers in the Still Infectious row show a value of zero.

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Logs tab, click Risk Logs.
3 On the Risk Logs page, click Advanced.
4 In the Action taken list box, select Suspicious.
5 Click View Log.
6 In the event list, do one of the following:
  Select the events that you want to delete, and then click Remove selected entries from the database.
7 Display the home page and note that the numbers in the Suspicious row shrink in value.
8 Repeat this procedure as needed.

Reports and logs that show security risk information
Task | Type | Report | Options
 | | Infected computers | Date Range: your choice
Display the number of viruses that have been detected on the network. | Risk Reports | Risk Distribution Charts | Risk Name
Identify computers that detect the most infections. | Risk Reports | Risk Distribution Charts | Computer
Identify the groups that experience the most infections. | Risk Reports | Risk Distribution Charts | Server Group
Identify the users who experience the most infections. | Risk Reports | Risk Distribution Charts | User Name
Drill down and display the types of infections that the most infected users get. | Risk Logs | Not applicable | User Name: One or more user names that are identified in Risk Distribution Chart by User Name
Display Security Risk and Viral Threat activity over the last 24 hours. | Home Page | | Date Range: in the last 24 hours
Drill down and display the details about security risks of severity 2 and greater that have hit my network. | Risk Logs | |
Display the protective efficiency over the last month. | Risk Reports | |
Identify the top security risks over the last month that hit my network. | Risk Reports | |
Reports and logs that show scanning information

Task | Type | Report | Options
Identify the computers that have not run a risk scan in the last week. | Scan Reports | | Scans From: in the last week
Identify the length of time it takes for scheduled scans to complete on workstations. | Scan Reports | | Group by: Scan Time; Scan from: your choice; Sort Order: Scan Duration
Identify the computers that take the longest to scan. | Scan Logs | Not applicable | Not applicable

Reports and logs that show definitions information

Task | Type | Report | Options
Identify the computers that do not comply with the current certified set of definitions. | Computer Status Logs | Not applicable | Not applicable
Determine the rate at which virus definitions deploy to the computers in my network. | Scheduled Reports | | Click the icon next to Status and use the color codes

Reports and logs that show configuration and status information

Task | Type | Report | Options
Identify computers that are running old versions of Symantec AntiVirus. | Computer Status Logs | | Not applicable
Identify computers that have Auto-Protect disabled. | Computer Status Logs | | Not applicable
Identify computers that have not checked into a parent server. | Computer Status Reports | Computers Not Checked into Parent Server |
Index

A
Alert Agent: description 80; notification parameters 93; status checking 82
alerts: acknowledging 58; configuring 52; configuring notifications for 53; types 54; unacknowledging 58; viewing event details 59; viewing events 56
automatic refresh interval 47: setting for the alert and risk logs 61; setting for the home page 60

C
Computer Status Agent: description 81; language option 90
computer status reports: creating 36; filter settings, advanced 36; types 35

D
Database Backup Agent: description 81
database backups: about 104; configuring for remote SQL servers 104; parameters 105
database errors: changing timeout parameters 108
database maintenance: about 101; compress events after 102; configuring agent 102; configuring backups 104; EICAR events 103; OSQL 106; restoring an MSDE reporting database 106; tracing 102; tuning memory allocation 107
Database Maintenance Agent: description 80
database server memory tuning 107
disk full check 94

E
event logs 64: past 24-hours filter 20
events: about 10; aggregation 89

H
home page: about 15; customizing 18; reports 16; Security Response links 19; viewing 16

L
Log Reader (Events) Agent: description 80
Log Reader (Inventory) Agent: description 80
Log Sender Agent: description 81; language option 90; security risk action events 91
logs: about 11; computer status 71; deleting 77, 97; deleting configuration settings 65; event details 74; exporting 76; filtering 64; formats for exporting 77; risk definitions 114; risk events 66; saving configuration settings 65; scan events 69; scans 114; security risks 113; status of clients and servers 114; types 63; viewing 64

M
MSDE reporting database: restoring 106

P
passwords: changing 14; configuring rules 51; setting 52
proxy settings 91

R
reporting: basic tasks 13; changing password 14; configuring display 47; configuring users 48; home page 15; logging into 14; logs 63; overview 9
reporting agents: about 79; agent logs 95; configuring 81; database maintenance, configuring 102, parameters 102; deleting logs 97; disabling 88; notification options 92; registry keys 97; scheduling 82; scheduling options 86; status checking 82, 83; tracing 96; troubleshooting 84
reporting display: configuring 47; parameters 48
reporting server: accessing 13; adding manually 45; changing 45; configuring 44; delete from Symantec System Center console 46; discovering 44; disk full check 94; port number 45; specifying URL 46; URL 44; viewing URL 46
reports: about 11, 22; computer status 35; default configuration settings 21; deleting configuration settings 24; details 22; home page 16; overview 21; past 24-hours filter 20; printing 25; risk 26; risk definitions 114; saving 25; saving configuration settings 24; scan 31; scans 114; scheduled 37; security risks 113; status of clients and servers 114; types 21
risk definitions: reports and logs 114
risk reports: creating 30; filter settings, advanced 29, basic 28

S
scan reports: creating 34; filter settings, advanced 34, basic 32; types 32
scans: reports and logs 114
Scheduled Reporting Agent: description 80
scheduled reports: about 37; configuration settings 39; creating 40; deleting 41; modifying 40; viewing 41
Security Response Web site: accessing from home page 19
security risks: action events 91; reports and logs 113
Symantec System Center: configuring reporting servers from 44; deleting reporting server from 46

U
use cases: about 111
users: adding 50; configuring 48; deleting 51; modifying 51; parameters 50; password rules 51; roles 48; setting passwords for 52

V
Virus Category Agent: description 80; proxy settings 91

W
workflow: about 111; administering 112