Using Monitoring Center for Security 2.2
Defining and Viewing Reports



You can access reporting features of Monitoring Center for Security (Security Monitor) from the Reports tab. Security Monitor includes reports about events, sources, destinations, or a specific device on your network.

You can generate the following report types from templates provided:

Audit Reports—Provide information about system events. For more information, see Understanding Audit Log Report Templates.

IDS Alarm Reports—Provide information about sensor events. By default, all events with a severity level of Medium or higher are retained by Security Monitor. Therefore, unless you delete events from the database, you can generate reports based on all recorded events.

If the desired event is not being generated, verify that the sensor signature setting that corresponds to the event is enabled in Management Center for IPS Sensors (IPS MC). Sensors generate events for only those signatures that are enabled. These events are then received by the Security Monitor server. For more information, see Understanding IDS Alarm Report Templates.

CSA Reports—Provide information about events generated by Security Agent MC. You can generate reports based on event severity, on the group generating the event, and on the individual host systems producing events. For more information, see Understanding CSA Report Templates.

Firewall Reports—Provide information about firewall events. For more information, see Understanding Firewall Report Templates.

Additionally, Security Monitor includes several predefined report definitions. For more information, see Predefined Report Definitions.

This chapter contains the following topics:

Understanding Audit Log Report Templates

Understanding IDS Alarm Report Templates

Understanding CSA Report Templates

Understanding Firewall Report Templates

Predefined Report Definitions

Understanding the Reporting Workflow

Working with Pending Reports

Working with Completed Reports

Understanding Audit Log Report Templates

Audit log reports provide information about management server events. You can use the following templates to generate audit log reports in Security Monitor:

Audit Log Report—Reports audit records by the server and application. Unlike the other report templates, this report template provides a broad, non-task-specific view of audit records in the database. You can filter these reports by Date/Time, Event Severity, Applications, Subsystem, and Task Type.

Subsystem Report—Reports audit records ordered by the IDS subsystem, which includes systems from IPS MC and Security Monitor and systems common to each. You can filter these reports by Date/Time, Event Severity, and Subsystem.

Console Notification Report—Reports the console notification records generated by the notification subsystem. You can filter these reports by Date/Time and Event Severity.

Monitored Devices Report—Reports information about the monitored devices in Security Monitor, such as device name, IP address, and device type. There are no filters for this report.

Understanding IDS Alarm Report Templates

You can use the following templates to generate IDS alarm reports in Security Monitor:

IDS Summary Report—Provides a summary of alarms for an organization during a specified time period. Filterable by Event Level, Risk Rating, Time/Date, Source Direction, Destination Direction, and IDS Signature or Signature Category.

IDS Top Sources Report—Reports the specified number of source IP addresses that have generated the most alarms during a specified time period. Filterable by Event Level, Risk Rating, Time/Date, Destination Direction, Destination IP Address, IDS Signature or Signature Category, IDS Device, and Top N (where N is the number of sources).

IDS Top Destinations Report—Reports the specified number of destination IP addresses that have been targeted for attack during a specified time period. Filterable by Event Level, Risk Rating, Time/Date, Source Direction, Source IP Address, IDS Signature or Signature Category, IDS Device, and Top N (where N is the number of destinations).

IDS Top Alarms Report—Reports the specified number of top alarms, by signature name, that have been generated during a specified time period. Filterable by Event Level, Risk Rating, Time/Date, Source Direction, Source IP Address, Destination Direction, Destination IP Address, IDS Device, IDS Signature or Signature Category, and Top N (where N is the number of alarms).

IDS Top Source/Destination Pairs Report—Reports the specified number of source/destination pairs (that is, connections or sessions) that have generated the most alarms during a specified time period. Filterable by Event Level, Risk Rating, Time/Date, Source Direction, Source IP Address, Destination Direction, Destination IP Address, IDS Device, IDS Signature or Signature Category, and Top N (where N is the number of source/destination pairs).

IDS Alarm Source Report—Reports alarms based on the source IP address that generated the alarm. Filterable by Event Level, Risk Rating, Time/Date, Event Count, Source Direction, Source IP Address, Destination Direction, Destination IP Address, IDS Device, and IDS Signature or Signature Category.

IDS Alarm Destination Report—Reports alarms based on the destination IP address that generated the alarm. Filterable by Event Level, Risk Rating, Event Count, Time/Date, Source Direction, Source IP Address, Destination Direction, Destination IP Address, IDS Device, and IDS Signature or Signature Category.

IDS Alarm Report—Reports logged alarms based on signature names. Filterable by Event Level, Risk Rating, Event Count, Time/Date, Source Direction, Source IP Address, Destination Direction, Destination IP Address, IDS Device, and IDS Signature or Signature Category.

IDS Alarm Source/Destination Pair Report—Reports logged alarms based on source/destination IP address pairs (that is, connections or sessions). Filterable by Event Level, Risk Rating, Event Count, Time/Date, Source Direction, Source IP Address, Destination Direction, Destination IP Address, IDS Device, and IDS Signature or Signature Category.

IDS Alarms by Hour Report—Reports alarms in one-hour intervals during a specified time period. Filterable by Event Level, Risk Rating, Event Count, Time/Date, Source Direction, Source IP Address, Destination Direction, Destination IP Address, IDS Device, and IDS Signature or Signature Category.

IDS Alarms by Day Report—Reports alarms in one-day intervals during a specified time period. Filterable by Event Level, Risk Rating, Event Count, Time/Date, Source Direction, Source IP Address, Destination Direction, Destination IP Address, IDS Device, and IDS Signature or Signature Category.

IDS Alarms by Sensor Report—Reports logged alarms based on the sensor that detected the event. Filterable by Event Level, Risk Rating, Event Count, Source Direction, Source IP Address, Destination Direction, Destination IP Address, IDS Device, and IDS Signature or Signature Category.

24 Hour Metrics Report—Reports all alarm traffic from the most recent 24 hours in 15-minute intervals. There are no filters for this report.

Daily Metrics Report—Reports event traffic totals, by day, for a given time period. Reporting occurs in 24-hour intervals, starting at midnight. The report shows events by platform (Network IDS, PIX Security, IOS Security, CSA Host IDS) and event type (IDS, Firewall, or Secure Agent).

You can generate the following IDS alarm summary reports. The summary reports differ from the previous reports because they do not contain the alarm details table.

IDS Service Categories Summary Report—Reports events grouped by service category for a specified time period. Filterable by Event Level, Risk Rating, Time/Date, Source Direction, Destination Direction, and IDS Signature or Signature Category.

IDS OS Categories Summary Report—Reports events grouped by operating system for a specified time period. Filterable by Event Level, Risk Rating, Time/Date, Source Direction, Destination Direction, and IDS Signature or Signature Category.

IDS Attack Categories Summary Report—Reports events grouped by attack categories for a specified time period. Filterable by Event Level, Risk Rating, Time/Date, Source Direction, Destination Direction, and IDS Signature or Signature Category.

IDS Top Sources Report—Reports the specified number of source IP addresses that have generated the most events during a specified time period. Filterable by Event Level, Risk Rating, Time/Date, Destination Direction, Destination IP Address, IDS Signature or Signature Category, IDS Device, and Top N (where N is the number of sources).

IDS Top Destinations Report—Reports the specified number of destination IP addresses that have been targeted for attack during a specified time period. Filterable by Event Level, Risk Rating, Time/Date, Source Direction, Source IP Address, IDS Signature or Signature Category, IDS Device, and Top N (where N is the number of destinations).

IDS Top Alarms Report—Reports the specified number of top alarms, by signature name, that have been generated during a specified time period. Filterable by Event Level, Risk Rating, Time/Date, Source Direction, Source IP Address, Destination Direction, Destination IP Address, IDS Device, IDS Signature or Signature Category, and Top N (where N is the number of alarms).

IDS Top Source/Destination Pairs Report—Reports logged alarms based on source/destination IP address pairs (that is, connections or sessions). Filterable by Event Level, Risk Rating, Time/Date, Source Direction, Source IP Address, Destination Direction, Destination IP Address, IDS Device, IDS Signature or Signature Category, and Top N (where N is the number of source/destination pairs).

IDS Alarm Report—Reports logged alarms based on signature names. Filterable by Event Level, Risk Rating, Event Count, Time/Date, Source Direction, Source IP Address, Destination Direction, Destination IP Address, IDS Device, and IDS Signature or Signature Category.

IDS Alarms by Hour Report—Reports alarms in one-hour intervals during a specified time period. Filterable by Event Level, Risk Rating, Event Count, Time/Date, Source Direction, Source IP Address, Destination Direction, Destination IP Address, IDS Device, and IDS Signature or Signature Category.

IDS Alarms by Day Report—Reports alarms in one-day intervals during a specified time period. Filterable by Event Level, Risk Rating, Event Count, Time/Date, Source Direction, Source IP Address, Destination Direction, Destination IP Address, IDS Device, and IDS Signature or Signature Category.

IDS Alarms by Sensor Report—Reports logged alarms based on the sensor that detected the event. Filterable by Event Level, Risk Rating, Event Count, Source Direction, Source IP Address, Destination Direction, Destination IP Address, IDS Device, and IDS Signature or Signature Category.

IDS Victim Summary—Graphical report showing the number of victims over a given time period broken down by day, week, or month. For example, you can define a report showing the number of victims per week for the last 100 days. Filterable by Time/Date, Time Interval, Risk Rating, and IDS Signature or Signature Category.

IDS Attacker Summary—Graphical report showing the number of attackers over a given time period broken down by day, week, or month. For example, you can define a report showing the number of attackers per month for the last 6 months. Filterable by Time/Date, Time Interval, Risk Rating, and IDS Signature or Signature Category.

Understanding CSA Report Templates

You can use the following templates to generate reports for Security Agent MC events in Security Monitor:

CSA Event Summary Report—Summarizes event activity by event level, count, and rule type. Filterable by Alert Level and Time/Date.

CSA Event Details Report—Reports event activity by event level, count, agent, event name, policy, and rule type. Filterable by Alert Level, Time/Date, Rule Type, and Top N (where N is the number of events).

CSA Administrative Events—Filterable by Alert Level, Time/Date, and Top N (where N is the number of events).

CSA Events By Severity—Reports event activity sorted by event severity levels. Filterable by Alert Level, Time/Date, Rule Type, and Top N (where N is the number of events).

CSA Events By Group—Reports event activity sorted by the group that generated the event. Filterable by Alert Level, Time/Date, Rule Type, and Top N (where N is the number of events).

CSA Network Event Report—Reports details such as the protocol accessing the network, the source and destination addresses of the connection, and the source and destination ports. Filterable by Alert Level, Time/Date, and Top N (where N is the number of events).

CSA Event Log Report—Provides a log of event information including the event ID, event level, host, and date. Filterable by Alert Level, Time/Date, and Top N (where N is the number of events).

Understanding Firewall Report Templates

You can use the following templates to generate firewall reports in Security Monitor:

Firewall Events Summary Report—Summarizes the security, warning, and informational events that the selected firewall has experienced within the specified time period. Filterable by Time/Date, Firewall Address, and Event Level.

Firewall Detailed Events Report—Provides detailed information for each security event received. Filterable by Time/Date, Source IP Address, and Event Level.

Firewall User Activity Summary Report—Summarizes the activities of all users who have made service requests through the selected firewall within the specified time period. Filterable by Time/Date and Firewall Address.

Firewall Most Active Users Report—Lists the users who have made the most service requests through the selected firewall within the specified time period. This report provides statistics for up to N (defaults to 20) users. Filterable by Time/Date, Firewall Address, and Top N (where N is the number of users).

Firewall Network Traffic Summary Report—Summarizes all activities based on the service requests made through the selected firewall within the specified time period. Filterable by Time/Date and Firewall Address.

Firewall Most Accessed Web Sites Report—Lists the HTTP sites that users who request services through the selected firewall have accessed the most within the specified time period. This report provides statistics for up to N (defaults to 20) sites. Filterable by Time/Date, Firewall Address, and Top N (where N is the number of sites).

Firewall Detailed Network Traffic Report—Provides transaction information about a network service's sessions that transpire during a given time interval. For example, you can generate reports about HTTP on port 80, SSL on port 443, or DNS on port 53. To generate a detailed service report, you must configure the firewall to enable logging of statistical events for the network service. Filterable by Time/Date, Firewall Address, and Service.

Firewall Detailed User Activity—Describes the full activities of all network session transactions that a specific user has conducted through the selected firewall within the specified time period. It presents the full list of network sessions that have occurred within the time period. Filterable by Time/Date and Firewall Address.

Firewall Denied Connection Report—Lists all TCP, UDP, and ICMP messages for denied connections sent out by the firewall for the specified time period. Filterable by Time/Date and Firewall Address.

Firewall Denied Message Activity Report—Lists all syslog messages for denied connections sent out by the firewall within the specified time period. You can filter which types of deny messages appear in the report, such as VPN, Attack, and AAA and ACL. Filterable by Time/Date, Firewall Address, and Denied Events.

Predefined Report Definitions

Security Monitor includes a number of predefined report definitions to help you get started using the reporting features. You can edit the filtering parameters to customize a report definition to fit your particular needs. For more information, see Editing Report Parameters.

The predefined report definitions typically combine one of the report templates available in Security Monitor with a selection of filtering parameters. For information on the particular report templates discussed previously, see Chapter 1, "Defining and Viewing Reports."

The following predefined Audit Log report definitions are available:

1-Day Application Errors—The following filters are defined for this report:

Task Type—Any

Date/Time—Last 1 Day

Event Severity—fatal, error

Subsystem—Any

Applications—Any

1-Day Console Notifications—The following filters are defined for this report:

Date/Time—Last 1 Day

Event Severity—fatal, error, warning, information, debug

Monitored Devices Report—This report has no filtering options.

1-Day Pruning Activity—The following filters are defined for this report:

Date/Time—Last 1 Day

Event Severity—fatal, error, warning, information, debug

Subsystem—IDS_Database Prune

The following predefined IDS alarms report definitions are available:

24 Hour Alarm Metrics—This report has no filtering options.

30-Day Alarm Metrics—The following filter is defined for this report:

Time/Date—Last 30 Days

30-Day Details: IDS Alarm Destinations—Uses the IDS Alarm Destination Report template. The following filters are defined for this report:

Risk Rating—Between 80 AND 100 inclusive

Destination IP Address—Any

Destination Direction—Any

IDS Signatures—Any

Event Count—Any

Source Direction—Any

IDS Devices—Any

Source IP Address—Any

Event Level—High, Medium, Low, Informational

Time/Date—Last 30 Days

30-Day Details: IDS Alarm Source/Destination Pairs—Uses the IDS Alarm Source/Destination Pair Report template. The following filters are defined for this report:

Risk Rating—Between 80 AND 100 inclusive

Destination IP Address—Any

Destination Direction—Any

IDS Signatures—Any

Event Count—Any

Source Direction—Any

IDS Devices—Any

Source IP Address—Any

Event Level—High, Medium, Low, Informational

Time/Date—Last 30 Days

30-Day Details: IDS Alarm Sources—Uses the IDS Alarm Source Report template. The following filters are defined for this report:

Risk Rating—Between 80 AND 100 inclusive

Destination IP Address—Any

Destination Direction—Any

IDS Signatures—Any

Event Count—Any

Source Direction—Any

IDS Devices—Any

Source IP Address—Any

Event Level—High, Medium, Low, Informational

Time/Date—Last 30 Days

30-Day Details: IDS Alarms—Uses the IDS Alarm Report template. The following filters are defined for this report:

Risk Rating—Between 80 AND 100 inclusive

Destination IP Address—Any

Destination Direction—Any

IDS Signatures—Any

Event Count—Any

Source Direction—Any

IDS Devices—Any

Source IP Address—Any

Event Level—High, Medium, Low, Informational

Time/Date—Last 30 Days

30-Day Details: IDS Alarms by Day—Uses the IDS Alarms by Day Report template. The following filters are defined for this report:

Risk Rating—Between 80 AND 100 inclusive

Destination IP Address—Any

Destination Direction—Any

IDS Signatures—Any

Event Count—Any

Source Direction—Any

IDS Devices—Any

Source IP Address—Any

Time/Date—Last 30 Days

Event Level—High, Medium, Low, Informational

30-Day Details: IDS Alarms by Hour—Uses the IDS Alarms by Hour Report template. The following filters are defined for this report:

Risk Rating—Between 80 AND 100 inclusive

Destination IP Address—Any

Destination Direction—Any

IDS Signatures—Any

Event Count—Any

Source Direction—Any

IDS Devices—Any

Source IP Address—Any

Event Level—High, Medium, Low, Informational

Time/Date—Last 30 Days

30-Day Details: IDS Top 50 Alarm Destinations—Uses the IDS Top Destinations Report template. The following filters are defined for this report:

Event Level—High, Medium, Low, Informational

Source Direction—Any

Source IP Address—Any

Top N—50

Time/Date—Last 30 Days

IDS Signatures—Any

IDS Devices—Any

30-Day Details: IDS Top 50 Alarm Source/Destination Pairs—Uses the IDS Top Source/Destination Pairs Report template. The following filters are defined for this report:

Risk Rating—Between 80 AND 100 inclusive

Destination IP Address—Any

Destination Direction—Any

IDS Signatures—Any

Top N—50

Source Direction—Any

IDS Devices—Any

Source IP Address—Any

Event Level—High, Medium, Low, Informational

Time/Date—Last 30 Days

30-Day Details: IDS Top 50 Alarm Sources—Uses the IDS Top Sources Report template. The following filters are defined for this report:

Event Level—High, Medium, Low, Informational

Destination Direction—Any

Destination IP Address—Any

Risk Rating—Between 80 AND 100 inclusive

Top N—50

Time/Date—Last 30 Days

IDS Signatures—Any

IDS Devices—Any

30-Day Details: IDS Top 50 Alarms—Uses the IDS Top Alarms Report template. The following filters are defined for this report:

Risk Rating—Between 80 AND 100 inclusive

Destination IP Address—Any

Destination Direction—Any

IDS Signatures—Any

Top N—50

Source Direction—Any

IDS Devices—Any

Source IP Address—Any

Event Level—High, Medium, Low, Informational

Time/Date—Last 30 Days

30-Day IDS Alarm Summary—Uses the IDS Summary Report template. The following filters are defined for this report:

Event Level—High, Medium, Low, Informational

Destination Direction—Any

Source Direction—Any

Risk Rating—Between 80 AND 100 inclusive

Time/Date—Last 30 Days

IDS Signatures—Any

Detailed IDS Alarms by Sensor—Uses the IDS Alarms by Sensor Report template. The following filters are defined for this report:

Risk Rating—Between 80 AND 100 inclusive

Destination IP Address—Any

Destination Direction—Any

IDS Signatures—Any

Event Count—Any

Source Direction—Any

IDS Devices—Any

Source IP Address—Any

Event Level—High, Medium, Low, Informational
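
The following added example (not Security Monitor code) applies the filter set of the 30-Day Details: IDS Top 50 Alarm Sources definition to alarm records and ranks the sources, and extends the same logic to source/destination pairs. The record layout, the sample alarms, and the reading of "Last 30 Days" as a rolling window ending at the run time are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import FrozenSet, Iterable, List, Optional, Tuple

ALL_LEVELS = frozenset({"High", "Medium", "Low", "Informational"})


@dataclass(frozen=True)
class Alarm:
    """Hypothetical alarm record; not Security Monitor's database schema."""
    time: datetime
    level: str
    risk_rating: int
    src: str
    dst: str
    signature: str
    sensor: str


@dataclass(frozen=True)
class ReportFilter:
    """Defaults mirror '30-Day Details: IDS Top 50 Alarm Sources'. None means Any."""
    days: int = 30                                # Time/Date: Last 30 Days
    levels: FrozenSet[str] = ALL_LEVELS           # Event Level
    rr_min: int = 80                              # Risk Rating: between 80 AND 100
    rr_max: int = 100                             # (both bounds inclusive)
    dst: Optional[str] = None                     # Destination IP Address: Any
    signatures: Optional[FrozenSet[str]] = None   # IDS Signatures: Any
    sensors: Optional[FrozenSet[str]] = None      # IDS Devices: Any
    top_n: int = 50                               # Top N


def matches(a: Alarm, f: ReportFilter, now: datetime) -> bool:
    """True when the alarm passes every filter in the definition."""
    if not (now - timedelta(days=f.days) <= a.time <= now):
        return False
    if a.level not in f.levels:
        return False
    if not (f.rr_min <= a.risk_rating <= f.rr_max):
        return False
    if f.dst is not None and ip_address(a.dst) != ip_address(f.dst):
        return False
    if f.signatures is not None and a.signature not in f.signatures:
        return False
    if f.sensors is not None and a.sensor not in f.sensors:
        return False
    return True


def _ip_order(addr: str) -> Tuple[int, int]:
    # Numeric ordering so 10.0.0.9 sorts before 10.0.0.20 when counts tie.
    ip = ip_address(addr)
    return (ip.version, int(ip))


def top_sources(alarms: Iterable[Alarm], f: ReportFilter,
                now: datetime) -> List[Tuple[str, int]]:
    """Source addresses with the most matching alarms, highest count first."""
    counts = Counter(a.src for a in alarms if matches(a, f, now))
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], _ip_order(kv[0])))
    return ranked[:f.top_n]


def top_pairs(alarms: Iterable[Alarm], f: ReportFilter,
              now: datetime) -> List[Tuple[Tuple[str, str], int]]:
    """Same ranking, keyed on (source, destination) pairs."""
    counts = Counter((a.src, a.dst) for a in alarms if matches(a, f, now))
    ranked = sorted(
        counts.items(),
        key=lambda kv: (-kv[1], _ip_order(kv[0][0]), _ip_order(kv[0][1])),
    )
    return ranked[:f.top_n]


# Constructed sample data: run time and alarms are invented for this example.
NOW = datetime(2024, 3, 31, 12, 0)
SAMPLE = [
    Alarm(NOW - timedelta(hours=1), "High", 95, "10.0.0.5", "192.0.2.10", "sig-A", "sensor-1"),
    Alarm(NOW - timedelta(days=2), "High", 80, "10.0.0.5", "192.0.2.11", "sig-B", "sensor-1"),
    Alarm(NOW - timedelta(days=3), "Medium", 100, "10.0.0.9", "192.0.2.10", "sig-A", "sensor-2"),
    Alarm(NOW - timedelta(days=4), "Medium", 79, "10.0.0.9", "192.0.2.10", "sig-A", "sensor-2"),
    Alarm(NOW - timedelta(days=31), "High", 99, "10.0.0.7", "192.0.2.12", "sig-C", "sensor-1"),
    Alarm(NOW - timedelta(days=5), "Low", 85, "10.0.0.20", "192.0.2.10", "sig-A", "sensor-2"),
    Alarm(NOW - timedelta(days=6), "High", 90, "10.0.0.5", "192.0.2.10", "sig-A", "sensor-1"),
]

if __name__ == "__main__":
    for src, count in top_sources(SAMPLE, ReportFilter(), NOW):
        print(f"{src:15} {count}")
```

The alarm with Risk Rating 79 and the alarm dated 31 days back both drop out, which is why a source that appears in the raw events can be absent from the report.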

The following predefined IDS Alarms (summaries only) report definitions are available:

30-Day Summary: IDS Alarms by Attack Categories—Uses the IDS Attack Categories Summary Report template. The following filters are defined for this report:

Event Level—High, Medium, Low, Informational

Destination Direction—Any

Source Direction—Any

Risk Rating—Between 80 AND 100 inclusive

Time/Date—Last 30 Days

IDS Signatures—Any

30-Day Summary: IDS Alarms by Day—Uses the IDS Alarms by Day Report template. The following filters are defined for this report:

Risk Rating—Between 80 AND 100 inclusive

Destination IP Address—Any

Destination Direction—Any

IDS Signatures—Any

Event Count—Any

Source Direction—Any

IDS Devices—Any

Source IP Address—Any

Time/Date—Last 30 Days

Event Level—High, Medium, Low, Informational

30-Day Summary: IDS Alarms by Hour—Uses the IDS Alarms by Hour Report template. The following filters are defined for this report:

Risk Rating—Between 80 AND 100 inclusive

Destination IP Address—Any

Destination Direction—Any

IDS Signatures—Any

Event Count—Any

Source Direction—Any

IDS Devices—Any

Source IP Address—Any

Time/Date—Last 30 Days

Event Level—High, Medium, Low, Informational

30-Day Summary: IDS Alarms by OS Categories—Uses the IDS OS Categories Summary Report template. The following filters are defined for this report:

Event Level—High, Medium, Low, Informational

Destination Direction—Any

Source Direction—Any

Risk Rating—Between 80 AND 100 inclusive

Time/Date—Last 30 Days

IDS Signatures—Any

30-Day Summary: IDS Alarms by Sensor—Uses the IDS Alarms by Sensor Report template. The following filters are defined for this report:

Risk Rating—Between 80 AND 100 inclusive

Destination IP Address—Any

Destination Direction—Any

IDS Signatures—Any

Event Count—Any

Source Direction—Any

IDS Devices—Any

Source IP Address—Any

Event Level—High, Medium, Low, Informational

30-Day Summary: IDS Alarms by Service Categories—Uses the IDS Service Categories Summary Report template. The following filters are defined for this report:

Event Level—High, Medium, Low, Informational

Destination Direction—Any

Source Direction—Any

Risk Rating—Between 80 AND 100 inclusive

Time/Date—Last 30 Days

IDS Signatures—Any

30-Day Summary: IDS Top 50 Alarm Destinations—Uses the IDS Top Destinations Report template. The following filters are defined for this report:

Event Level—High, Medium, Low, Informational

Source Direction—Any

Source IP Address—Any

Risk Rating—Between 80 AND 100 inclusive

Top N—50

Time/Date—Last 30 Days

IDS Signatures—Any

IDS Devices—Any

30-Day Summary: IDS Top 50 Alarm Sources—Uses the IDS Top Sources Report template. The following filters are defined for this report:

Event Level—High, Medium, Low, Informational

Destination Direction—Any

Destination IP Address—Any

Risk Rating—Between 80 AND 100 inclusive

Top N—50

Time/Date—Last 30 Days

IDS Signatures—Any

IDS Devices—Any

30-Day Summary: IDS Top 50 Alarms—Uses the IDS Top Alarms Report template. The following filters are defined for this report:

Risk Rating—Between 80 AND 100 inclusive

Destination IP Address—Any

Destination Direction—Any

IDS Signatures—Any

Top N—50

Source Direction—Any

IDS Devices—Any

Source IP Address—Any

Event Level—High, Medium, Low, Informational

Time/Date—Last 30 Days

30-Day Summary: IDS Top 50 Source/Destination Pairs—Uses the IDS Top Source/Destination Pairs Report template. The following filters are defined for this report:

Risk Rating—Between 80 AND 100 inclusive

Destination IP Address—Any

Destination Direction—Any

IDS Signatures—Any

Top N—50

Source Direction—Any

IDS Devices—Any

Source IP Address—Any

Event Level—High, Medium, Low, Informational

Time/Date—Last 30 Days

The following predefined CSA Alarms report definitions are available:

30-Day Details: Secure Agent Top 50 Events—Uses the CSA Event Details Report template. The following filters are defined for this report:

Rule Type—Any

Top N—50

Time/Date—Last 30 Days

Alert Level—High, Medium

30-Day Secure Agent Top 50 Admin Events—Uses the CSA Administrative Events template. The following filters are defined for this report:

Top N—50

Time/Date—Last 30 Days

Alert Level—High, Medium, Low, Informational

30-Day Secure Agent Top 50 Events by Group—Uses the CSA Events by Group template. The following filters are defined for this report:

Rule Type—Any

Top N—50

Time/Date—Last 30 Days

Alert Level—High, Medium, Low, Informational

30-Day Secure Agent Top 50 Events by Severity—Uses the CSA Events by Severity template. The following filters are defined for this report:

Rule Type—Any

Top N—50

Time/Date—Last 30 Days

Alert Level—High, Medium, Low, Informational

30-Day Secure Agent Top 50 Network Events—Uses the CSA Network Event Report summary. The following filters are defined for this report:

Top N—50

Time/Date—Last 30 Days

Alert Level—High, Medium, Low, Informational

30-Day Summary Secure Agent Events—Uses the CSA Event Summary Report template. The following filters are defined for this report:

Time/Date—Last 30 Days

Alert Level—High, Medium, Low, Informational

30-Day Secure Agent Top 100 Event Log Entries—Uses the CSA Event Log Report template. The following filters are defined for this report:

Top N—100

Time/Date—Last 30 Days

Alert Level—High, Medium, Low, Informational

The following predefined Firewall report definitions are available:

Firewall 30-Day Denied Connections—Uses the Firewall Denied Connection Report template. The following filters are defined for this report:

Firewall Address—Any

Time/Date—Last 30 Days

Firewall 30-Day Denied Message Activity—Uses the Firewall Denied Message Activity Report template. The following filters are defined for this report:

Firewall Address—Any

Denied Events—All Services

Time/Date—Last 30 Days

Firewall 30-Day Detailed Events—Uses the Firewall Detailed Events Report template. The following filters are defined for this report:

Event Level—Any

Source IP Address—Any

Time/Date—Last 30 Days

Firewall 30-Day Detailed Network Traffic—Uses the Firewall Detailed Network Traffic Report template. The following filters are defined for this report:

Firewall Address—Any

Time/Date—Last 30 Days

Service—All Services

Firewall 30-Day Detailed User Activity—Uses the Firewall Detailed User Activity Report template. The following filters are defined for this report:

Firewall Address—Any

Time/Date—Last 30 Days

Firewall 30-Day Events Summary—Uses the Firewall Events Summary Report template. The following filters are defined for this report:

Event Level—Any

Time/Date—Last 30 Days

Firewall Address—Any

Firewall 30-Day Most Accessed Web Sites—Uses the Firewall Most Accessed Web Sites Report template. The following filters are defined for this report:

Firewall Address—Any

Top N—20

Time/Date—Last 30 Days

Firewall 30-Day Most Active Users—Uses the Firewall Most Active Users Report template. The following filters are defined for this report:

Firewall Address—Any

Top N—20

Time/Date—Last 30 Days

Firewall 30-Day Network Traffic Summary—Uses the Firewall Network Traffic Summary Report template. The following filters are defined for this report:

Firewall Address—Any

Time/Date—Last 30 Days

Firewall 30-Day User Activity Summary—Uses the Firewall User Activity Summary Report template. The following filters are defined for this report:

Firewall Address—Any

Time/Date—Last 30 Days

Understanding the Reporting Workflow

The following is a basic workflow for working with reports:

1. Create a report definition or select a predefined report.

A report definition is a report template that you customize. Report definitions that you create are saved so that you can run or schedule a report based on that definition at any time. For more information, see Creating a Report Definition and Predefined Report Definitions.

2. Run the report or create a report schedule.

After you create a report definition, you can run a report based on that definition. You can also schedule a report to run later or at regular intervals. For more information, see Running a Report and Scheduling a Report.

3. View the completed report.

After you run a report, you can view it from the Completed Reports page. You can also e-mail completed reports and export them to PDF or CSV files. For more information, see Working with Completed Reports.

In addition to performing the tasks of the basic workflow, you can also edit and delete pending reports. Pending reports include reports that are running or are scheduled to run in the future. For more information, see Working with Pending Reports.

This section contains the following topics:

Creating a Report Definition

Running a Report

Scheduling a Report

Viewing a Summary of Report Definition Details

Editing Report Parameters

Deleting a Report Definition

Creating a Report Definition

From the Reports page, you can define the parameters for the report you want to run. You must create a report definition (or select one previously defined) before you can run or schedule a report.

To define a report, follow these steps:


Step 1 Select Reports > Definitions. Then, click Create.

The Select Report Template page appears.

Step 2 Select a template for the report type that you want to define.


Tip: If you are using Security Monitor, you can filter the report templates that appear on the page. From the Report Group list, select All to show all report templates, Audit Log to show only audit report templates, IDS Alarms to show only IDS alarm templates, IDS Alarms (summaries only) to show only IDS alarm summary templates, CSA Alarms to show only CSA alarm templates, or Firewall Reports to show only firewall report templates.


Step 3 Enter a name for your report in the Report Title field. The default report title is the name of the report type you selected in the previous step. Then, click Next.

The Report Filtering page appears.

Step 4 Enter the report parameters for the report type you selected. Then, click Next.

The Confirm page appears.

Step 5 Confirm that the report options are correct. Then, perform the appropriate step below:

a. To save the report definition without running or scheduling a report, click Finish.

The Reports page appears. The report definition you just created appears in the list.

b. To run a report now based on the report definition you just created, click the Run now radio button. Then, click Finish.

The Reports page appears. The report definition you just created appears in the list. To view the completed report, select Reports > Completed.

c. To schedule a report based on the report definition you just created, click the Launch "Run with Options" radio button. Then, click Finish.

The Schedule window appears. You must define the scheduling options. For more information, see the procedure in Scheduling a Report.


Running a Report

After a report has been defined, you can run it on demand.

To run a report, follow these steps:


Step 1 Select Reports > Definitions. Then, click the Create button.

The Reports page appears.

Step 2 Select the check box corresponding to the title of the report definition that you want to run.


Tip If you are using Security Monitor, you can filter the report definitions that appear on the page. From the Report Group list, select All to show all report definitions, Audit Log to show only audit log report definitions, IDS Alarms to show only IDS alarm report definitions, IDS Alarms (summaries only) to show only IDS alarm summary report definitions, CSA Alarms to show only CSA alarm report definitions, or Firewall Reports to show only firewall report definitions.


A check mark appears next to the report you selected.

Step 3 Click Run.

The Pending Reports page appears. You can view the status of your report on this page. You can view the completed report by selecting Reports > Completed.


Scheduling a Report

After a report has been defined, you can define a schedule for the report to run. Scheduled reports run either one or more times based on the parameters you select.


Tip Before you can schedule a report, you must create a report definition unless you are using a predefined report. For more information, see Creating a Report Definition.


To schedule a report, follow these steps:


Step 1 Select Reports > Definitions.

The Reports page appears.

Step 2 Click Run with Options next to the report title you want to schedule to run.


Tip If you are using Security Monitor, you can filter the report definitions that appear on the page. From the Report Group list, select All to show all report definitions, Audit Log to show only audit log report definitions, IDS Alarms to show only IDS alarm report definitions, IDS Alarms (summaries only) to show only IDS alarm summary report definitions, CSA Alarms to show only CSA alarm report definitions, or Firewall Reports to show only firewall report definitions.


The Schedule pop-up window appears.

Step 3 Select the Use a schedule check box.

The scheduling options appear in the Schedule pop-up window.

Step 4 Specify the date that you want the report to run in the Date field. The date is specified by day, month, and year. Click the calendar icon next to the Date field to select a date from the calendar.

Step 5 Specify the time that you want the report to run in the Time field. The time is specified in hours, minutes, and seconds. The time zone used to determine the time is to the right of the Time field.

Step 6 To run the report at regular intervals, select the Repeat every check box, then select an option in the list box. You can schedule the report to run every day, week, weekday, weekend day, hour, or minute.

Step 7 To export the generated report to a file:

a. Select the Export to a File on the VMS Server check box.

The exporting options appear in the Schedule pop-up window.

b. Select a format for the file from the Format list. You can export to an HTML, PDF, or comma-separated value (CSV) file.

c. Specify the exact path to the file that is to contain the generated report in the File field. The path should include the filename and, if you do not select the Append default file extension when saved check box in the following step, the desired extension; for example, /<dir>[/<dir>/[...]]/<filename>[.<ext>].


Note If you generate a report with the same path, filename, and extension as a previously generated report, the previous report is overwritten.


d. To automatically append the file extension to the filename, select the Append default file extension when saved check box. By default, the check box is selected.

Step 8 To send an email notification to someone when the report runs:


Note Before you can send email notifications, you must specify the e-mail server that Security Monitor should use. For more information, see Specifying an Email Server, page 1-5.


a. Select the Notify via Email (when generated) check box.

The email notification options appear in the Schedule pop-up window.

b. Enter an email address in the To field. Use commas to separate multiple addresses.

c. Enter a subject for the email in the Subject field. By default, the subject includes the name of the CiscoWorks2000 Server and the report name.

d. Select the Attach a copy of the exported file check box to send a copy of the report as an attachment with the email notification.

e. Enter a message for your email in the text box. The default message informs the recipient that the report has been generated and includes a link to view the report on the CiscoWorks2000 Server.

Step 9 Click Create Schedule.

You can view the scheduled report definition by selecting Reports > Pending.
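The Note in Step 7 means that a repeating schedule keeps only the most recent export at a given path. The following Python script is an added example, not part of the Security Monitor documentation: it copies the current export into an archive directory under a name built from the file's modification time and SHA-256 digest, so that earlier runs survive the overwrite. The file names and directories are constructed for illustration, and the script is assumed to run on the server after each scheduled export.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_export(export_path, archive_dir):
    """Copy the current export into archive_dir under a unique name.

    Returns the archived Path, or None when this exact content of this
    report has already been archived (safe to call repeatedly).
    """
    src = Path(export_path)
    dest_dir = Path(archive_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)

    digest = sha256_of(src)
    tail = f".{digest[:16]}{src.suffix}"

    # Skip if an archive of this report with the same digest exists.
    for existing in dest_dir.iterdir():
        if existing.name.startswith(src.stem + ".") and existing.name.endswith(tail):
            return None

    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(src.stat().st_mtime))
    dest = dest_dir / f"{src.stem}.{stamp}{tail}"
    shutil.copy2(src, dest)

    # If the report was rewritten while being copied, the digests differ:
    # drop the partial copy and let the caller retry.
    if sha256_of(dest) != digest:
        dest.unlink()
        raise IOError(f"{src} changed during copy; retry after the run completes")
    return dest


if __name__ == "__main__":
    # Constructed demonstration: two scheduled runs writing to the same path.
    with tempfile.TemporaryDirectory() as tmp:
        export = Path(tmp) / "exports" / "ids_top_alarms.csv"   # assumed name
        export.parent.mkdir()
        archive = Path(tmp) / "archive"

        export.write_text("Sig ID,Count\n1001,12\n")            # first run
        print("archived:", archive_export(export, archive))
        export.write_text("Sig ID,Count\n1001,40\n")            # next run overwrites
        print("archived:", archive_export(export, archive))
        print("kept:", sorted(p.name for p in archive.iterdir()))
```

The digest in each archived file name also gives a quick integrity check if a report is later used as evidence.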


Viewing a Summary of Report Definition Details

After you create a report definition, it appears on the Reports page. You can view a summary of the report definition details from the Reports page.

To view report definition details, follow these steps:


Step 1 Select Reports > Definitions.

The Reports page appears.

Step 2 Click the report title in the Title column of the report you want to review.


Tip If you are using Security Monitor, you can filter the report definitions that appear on the page. From the Report Group list, select All to show all report definitions, Audit Log to show only audit log report definitions, IDS Alarms to show only IDS alarm report definitions, IDS Alarms (summaries only) to show only IDS alarm summary report definitions, CSA Alarms to show only CSA alarm report definitions, or Firewall Reports to show only firewall report definitions.


The Report Definition Details dialog box appears. The window displays the report definition attributes such as the report title, the date it was created, who created it, and the report template used to create it. The window also displays the scheduling and data filtering information, if applicable.


Tip If there is a scroll bar on the right side of the window, you can select an option from the Go to list to quickly navigate the window.



Editing Report Parameters

To edit the parameters of a report definition, follow these steps:


Step 1 Select Reports > Definitions.

The Reports page appears.

Step 2 Select the check box corresponding to the title of the report definition that you want to edit, and then click Edit.


Tip If you are using Security Monitor, you can filter the report definitions that appear on the page. From the Report Group list, select All to show all report definitions, Audit Log to show only audit log report definitions, IDS Alarms to show only IDS alarm report definitions, IDS Alarms (summaries only) to show only IDS alarm summary report definitions, CSA Alarms to show only CSA alarm report definitions, or Firewall Reports to show only firewall report definitions.


The Select Report Template page appears.

Step 3 To change the report type, click the radio button next to a different report type.

Step 4 To change the report name, enter a new name for your report in the Report Title field.

Step 5 Click Next.

The Report Filtering page appears.

Step 6 Change any report parameters that you want to. Then, click Next.

The Confirm page appears.

Step 7 Confirm the report options are correct. Then, click Finish.

The Reports page appears. The changes you made are saved to the report definition.


Deleting a Report Definition

You can delete any unwanted report definitions. If you delete a report definition, any scheduled reports based on that definition are also deleted; however, any completed reports based on that definition are not deleted.

To delete a report definition, follow these steps:


Step 1 Select Reports > Definitions.

The Reports page appears.


Tip If you are using Security Monitor, you can filter the report definitions that appear on the page. From the Report Group list, select All to show all report definitions, Audit Log to show only audit log report definitions, IDS Alarms to show only IDS alarm report definitions, IDS Alarms (summaries only) to show only IDS alarm summary report definitions, CSA Alarms to show only CSA alarm report definitions, or Firewall Reports to show only firewall report definitions.


Step 2 Select the check box corresponding to the title of the report you want to delete.


Tip You can delete more than one report definition at a time. To do so, select the check boxes corresponding to all report definitions that you want to delete.


A check mark appears next to each selected report.

Step 3 To delete the report definition, click Delete.

The selected report definition is deleted.


Working with Pending Reports

On the Pending Reports page, which you access by selecting Reports > Pending, you can view pending reports. Pending reports include reports that are running or are scheduled to run in the future.

The status of a pending report can be one of the following:

Running—The system is retrieving the report data from the database and generating the report.

Queued—The report generator can generate only one report at a time. This state indicates that the system recognizes that the report is ready to be generated and that the report is waiting for its turn to run. The Queued state usually occurs when another report is already in the Running state ahead of this one.

Waiting—The report is not ready to run and is waiting for its run time to arrive. Pending reports in this state usually have a repeating schedule and are between scheduled run times.

You can edit the schedule of a pending report. You can also delete a pending report. When you delete a pending report, no future iterations of the report, if scheduled, will run. For more information, see the following:

Editing A Pending Report Schedule

Deleting a Pending Report

Editing A Pending Report Schedule

When you schedule a report to run in the future, once or at regular intervals, the report appears on the Pending Reports page, which you access by selecting Reports > Pending. From the Pending Reports page, you can edit the report schedule.

For information about scheduling a report, see Scheduling a Report.

To edit a pending report schedule, follow these steps:


Step 1 Select Reports > Pending.

The Pending Reports page appears.

Step 2 Select the check box next to the report whose schedule you want to edit. Then, click Edit.

The Schedule pop-up window appears.

Step 3 Edit any parameters that you want to change, and then click Save.

Any changes you made are saved.


Deleting a Pending Report

You can delete from the schedule any pending reports that you no longer want to run. If you delete a pending scheduled report, no future iterations of that report will run.

Deleting a pending report does not delete the report definition. To delete a report definition, see Deleting a Report Definition.

To delete a pending report, follow these steps:


Step 1 Select Reports > Pending.

The Pending Reports page appears.

Step 2 Select the check box next to the report you want to delete, and then click Delete.

The report is deleted. No future iterations of the report, if scheduled, will run.


Working with Completed Reports

From the Completed Reports page, you can view generated reports, export reports, and email reports. You can also delete unwanted reports.

This section contains the following topics:

Viewing a Completed Report

Printing a Completed Report

Exporting a Completed Report

E-mailing a Completed Report

Deleting a Completed Report

Viewing a Completed Report

After a report is generated, you can view it.


Tip To understand how data is sorted in a report, refer to the numbers that appear in the column headings of the generated report. These numbers represent the sort keys. For example, data is sorted first based on the data in the column with a (1) in it, followed by the data in the column with a (2) in it, and so on.


To view a report, follow these steps:


Step 1 Select Reports > Completed.

The Completed Reports page appears.

Step 2 Click the title of the report that you want to view.


Tip If you are using Security Monitor, you can filter the reports that appear on the page. From the Report Group list, select All to show all completed reports, Audit Log to show only audit log reports, IDS Alarms to show only IDS alarm reports, IDS Alarms (summaries only) to show only IDS alarm summary reports, CSA Alarms to show only CSA alarm reports, or Firewall Reports to show only firewall reports.


The report appears in a new browser window.


Printing a Completed Report

After you have generated a report, you can view the report in a printer-friendly format and then use your browser's print feature to print that report.

To print a completed report, follow these steps:


Step 1 Select Reports > Completed.

The Completed Reports page appears.

Step 2 Click the title of the report that you want to view.


Tip If you are using Security Monitor, you can filter the reports that appear on the page. From the Report Group list, select All to show all completed reports, Audit Log to show only audit log reports, IDS Alarms to show only IDS alarm reports, IDS Alarms (summaries only) to show only IDS alarm summary reports, CSA Alarms to show only CSA alarm reports, or Firewall Reports to show only firewall reports.


The report appears in a new browser window.

Step 3 Click the Printer Friendly Format icon.

A printer-friendly version of the report appears in a new browser window.

Step 4 Print the report using your browser's print function.


Exporting a Completed Report

After you generate a report, you can export the completed report to a PDF or CSV file.

To export a report, follow these steps:


Step 1 Select Reports > Completed.

The Completed Reports page appears.

Step 2 Click the title of the report that you want to export.


Tip If you are using Security Monitor, you can filter the reports that appear on the page. From the Report Group list, select All to show all completed reports, Audit Log to show only audit log reports, IDS Alarms to show only IDS alarm reports, IDS Alarms (summaries only) to show only IDS alarm summary reports, CSA Alarms to show only CSA alarm reports, or Firewall Reports to show only firewall reports.


The report appears in a new browser window.

Step 3 Click the Export Current Report icon.

The Exporting Report dialog box appears.

Step 4 To export the file in PDF format:

a. Click the PDF radio button, and then click OK.

The file appears in a new browser window.

b. Perform the appropriate step below to save the PDF file to disk:

To use Internet Explorer to save the PDF file, click the Save Copy icon on the Adobe toolbar. Browse to the location where you want to save the file and enter a filename. Then, click Save.

The report is saved using the filename and location you specified.

To use Netscape Navigator to save the PDF file, click Save File. Browse to the location where you want to save the file and enter a filename. Then, click Save.

The report is saved using the filename and location you specified.

Step 5 To export the file in CSV format:

a. Click the CSV radio button, and then click OK.

The File Download dialog box appears.

b. Perform the appropriate step below to save the CSV file to disk:

To use Internet Explorer to save the CSV file, click Save. The Save As dialog box appears. Browse to the location where you want to save the file and enter a filename. Then, click Save.

The report is saved using the filename and location you specified.

To use Netscape Navigator to save the CSV file, select Save this file to disk and click OK. The Enter name of file to save to dialog box appears. Browse to the location where you want to save the file and enter a filename. Then, click Save.

The report is saved using the filename and location you specified.


E-mailing a Completed Report

After you generate a report, you can e-mail a copy of the completed report to one or more people. The report file will be sent as an e-mail attachment in HTML, PDF, or comma-separated value (CSV) format.


Tip You can also schedule a report to be generated on a regular basis and have the resulting report e-mailed to one or more interested parties. For more information, see Scheduling a Report.


To e-mail a completed report, follow these steps:


Step 1 Select Reports > Completed.

The Completed Reports page appears.

Step 2 Select the check box next to the completed report that you want to e-mail, and then click Email.

The Email Report page appears.

Step 3 Enter an e-mail address in the To field. Use commas to separate multiple addresses.

Step 4 Enter a subject for the e-mail in the Subject field. For example, you might include the name of the CiscoWorks2000 Server and the report name.

Step 5 Select the file format for the report file from the Format list. You can choose from HTML, PDF, or comma-separated value (CSV).

Step 6 Select the Append default file extension check box if you want the system to append the default file extension to the report file. This check box is selected by default.

Step 7 Enter a name for the report file. If you did not select the Append default file extension check box, you must manually append the file extension to the file name.

Step 8 Enter a message for your e-mail in the text box.

Step 9 Click Send.

The system sends the e-mail with the report as an attachment.


Deleting a Completed Report

You can delete completed reports. If the report was generated from a recurring scheduled report, deleting the report does not delete the scheduled report settings and will not prevent future versions of the report from being generated.

To delete a report, follow these steps:


Step 1 Select Reports > Completed.

The Completed Reports page appears.


Tip If you are using Security Monitor, you can filter the reports that appear on the page. From the Report Group list, select All to show all completed reports, Audit Log to show only audit log reports, IDS Alarms to show only IDS alarm reports, IDS Alarms (summaries only) to show only IDS alarm summary reports, CSA Alarms to show only CSA alarm reports, or Firewall Reports to show only firewall reports.


Step 2 Select the check box next to the title of the report you want to delete.


Tip You can delete more than one report at a time. To delete more than one report, select the check boxes next to all reports that you want to delete.


A check mark appears next to each report you selected.

Step 3 To delete the selected report, click Delete.

The report is deleted. The report name is removed from the list of available reports.