Using Monitoring Center for Security 1.2
Defining and Viewing Reports

Table of Contents

Defining and Viewing Reports
Understanding the Types of Reports
Scheduling and Generating Reports
Viewing Reports
Saving a Generated Report as an HTML File
Deleting Generated Reports
Editing Report Parameters
Deleting Scheduled Report Templates

Defining and Viewing Reports


You can access the reporting features that are available in Monitoring Center for Security (Security Monitor) from the Reports tab. You can generate and view reports about network activities monitored by sensors on your network. The reports include summary reports about alarms, sources, destinations, or a specific sensor on your network. By default, all events monitored by a sensor are retained by Security Monitor. Therefore, unless you delete events from the database, you can generate reports based on all recorded activities.

If the desired event is not being generated, verify that the sensor signature setting that corresponds to the event is enabled. Sensors generate events for only those signatures that are enabled. These events are then received by the Security Monitor server.

You can also generate the following report types:

  • Audit Reports—Provide information about system events.
  • Firewall Reports—Provide information about Firewall events.
  • CSA Reports—Provide information about events generated by Management Center for Cisco Security Agents (Security Agent MC).


Understanding the Types of Reports

You can view four categories of reports in Security Monitor: alarm reports, audit reports, CSA reports, and Firewall reports. Alarm reports provide information about the events being collected by Security Monitor. Audit reports provide information about Security Monitor system events. CSA reports provide information about Security Agent MC events. Firewall reports provide information about Firewall events.

Reports can be generated on-demand or scheduled for a later date and time. You can configure scheduled reports to repeat at regular intervals.

About Alarm Reports

You can generate the following alarm reports in Security Monitor:

  • IDS Top Sources Report—Reports the specified number of source IP addresses that have generated the most events during a specified time period. Filterable by Date/Time, Top n, where n is the number of sources, Destination Direction, Destination IP Address, Signature or Signature Category, Sensor, and Event Level.
  • IDS Top Source/Destination Pairs Report—Reports the specified number of source/destination pairs (that is, connections or sessions) that have generated the most alarms during a specified time period. Filterable by Date/Time, Top n, where n is the number of source/destination pairs, Signature or Signature Category, Sensor, Event Level, Source Direction, Destination Direction, Source Address, and Destination Address.
  • IDS Top Destinations Report—Reports the specified number of destination IP addresses that have been targeted for attack during a specified time period. Filterable by Date/Time, Top n, where n is the number of destinations, Source Direction, Source Address, Signature or Signature Category, Sensor, and Event Level.
  • IDS Top Alarms Report—Reports the specified number of top alarms, by signature name, that have been generated during a specified time period. Filterable by Date/Time, Top n, where n is the number of alarms, Source Direction, Destination Direction, Source Address, Destination Address, Signature or Signature Category, Sensor, and Event Level.
  • IDS Summary Report—Provides a summary of event information for an organization during a specified time period. Filterable by Date/Time, Organization, Source Direction, Destination Direction, Signature or Signature Category, and Event Level.
  • IDS Alarms by Sensor Report—Reports logged alarms based on the sensor (Host ID) that detected the event. Filterable by Date/Time, Source Direction, Destination Direction, Source Address, Destination Address, Signature or Signature Category, Sensor, Event Level, and Event Count.
  • IDS Alarms by Hour Report—Reports alarms in one-hour intervals over the time specified by the user. Filterable by Date/Time, Source Direction, Destination Direction, Source Address, Destination Address, Signature or Signature Category, Sensor, Event Level, and Event Count.
  • IDS Alarms by Day Report—Reports alarms in one-day intervals over the time specified by the user. Filterable by Date/Time, Source Direction, Destination Direction, Source Address, Destination Address, Signature or Signature Category, Sensor, Event Level, and Event Count.
  • IDS Alarm Source/Destination Pair Report—Reports logged alarms based on source/destination IP address pairs (that is, connections or sessions). Filterable by Date/Time, Signature or Signature Category, Sensor, Event Level, Alarm Count, Source Direction, Destination Direction, Source Address, and Destination Address.
  • IDS Alarm Source Report—Reports alarms based on the source IP address that generated the alarm. Filterable by Date/Time, Destination Direction, Destination Address, Signature or Signature Category, Sensor, Event Level, Alarm Count, Source Direction, and Source Address.
  • IDS Alarm Report—Reports logged alarms based on signature names. Filterable by Date/Time, Source Direction, Destination Direction, Source Address, Destination Address, Sensor, Event Level, Event Count, and Signature or Signature Category.
  • IDS Alarm Destination Report—Reports alarms based on the destination IP address that generated the alarm. Filterable by Date/Time, Source Direction, Source Address, Signature or Signature Category, Sensor, Event Level, Event Count, Destination Direction, and Destination Address.
  • Daily Metrics Report—Reports event traffic totals, by day, from the selected date until the current date. Reporting occurs in 24-hour intervals, starting at midnight. The report shows events by platform (PIX, IOS, Sensor, RDEP) and event type (IDS or Security).
  • 24 Hour Metrics Report—Reports all alarm traffic from the most recent 24 hours in 15 minute intervals. There are no filters for this report.
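
The aggregations behind several of these alarm reports (Top Sources, Top Source/Destination Pairs, Alarms by Hour, and the 15-minute intervals of the 24 Hour Metrics Report) can be reproduced over exported event data. The following Python code is an added example, not Security Monitor code; the record layout, the sample alarms, the event level names, and the treatment of Event Level as a minimum threshold are assumptions.

```python
from collections import Counter
from datetime import datetime

# Assumed ordering of event levels; the page names the filter but not its values.
LEVELS = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample records: (time, sensor, level, source, destination, signature).
# This layout is hypothetical, not Security Monitor's database schema.
ALARMS = [
    ("2004-03-01 09:02", "sensor-a", "High", "192.0.2.10", "198.51.100.5", "Sig A"),
    ("2004-03-01 09:07", "sensor-a", "Medium", "192.0.2.10", "198.51.100.5", "Sig B"),
    ("2004-03-01 09:16", "sensor-b", "Low", "192.0.2.11", "198.51.100.5", "Sig A"),
    ("2004-03-01 09:44", "sensor-a", "High", "192.0.2.10", "198.51.100.9", "Sig A"),
    ("2004-03-01 10:01", "sensor-b", "High", "192.0.2.12", "198.51.100.5", "Sig C"),
    ("2004-03-01 10:20", "sensor-a", "Informational", "192.0.2.11", "198.51.100.9", "Sig B"),
    ("2004-03-02 00:05", "sensor-a", "High", "192.0.2.10", "198.51.100.5", "Sig A"),
]

def parse(rows):
    """Turn the text rows into dicts with a real datetime."""
    keys = ("time", "sensor", "level", "src", "dst", "sig")
    out = []
    for row in rows:
        rec = dict(zip(keys, row))
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M")
        out.append(rec)
    return out

def select(alarms, start, end, min_level="Informational", sensor=None):
    """Date/Time, Event Level and Sensor filters; start inclusive, end exclusive."""
    return [a for a in alarms
            if start <= a["time"] < end
            and LEVELS[a["level"]] >= LEVELS[min_level]
            and (sensor is None or a["sensor"] == sensor)]

def top_n(alarms, n, *fields):
    """Top n values of one field (sources) or of several fields (pairs)."""
    counts = Counter(tuple(a[f] for f in fields) for a in alarms)
    # Sort by count descending, then by key, so ties come out in a stable order.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def by_interval(alarms, minutes):
    """Count alarms per interval of `minutes` minutes, aligned to midnight."""
    counts = Counter()
    for a in alarms:
        t = a["time"]
        floored = (t.hour * 60 + t.minute) // minutes * minutes
        counts[t.replace(hour=floored // 60, minute=floored % 60)] += 1
    return dict(sorted(counts.items()))

if __name__ == "__main__":
    start, end = datetime(2004, 3, 1), datetime(2004, 3, 2)
    day = select(parse(ALARMS), start, end)
    print(top_n(day, 2, "src"))             # Top Sources, n = 2
    print(top_n(day, 2, "src", "dst"))      # Top Source/Destination Pairs, n = 2
    print(by_interval(day, 60))             # Alarms by Hour
    print(by_interval(select(day, start, end, "High"), 15))  # 15-minute intervals
```

Because the end of the time window is exclusive, the alarm at 00:05 on the following day is left out of the one-day selection.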

About Audit Reports

Audit reports provide information about management server events. If IDS MC and Security Monitor are installed on the same server, the generated audit reports and scheduled audit report templates are shared between the applications.

The following audit reports are available:

  • Subsystem Report—Reports audit records ordered by the IDS subsystem, which includes systems from IDS MC and Security Monitor and systems common to each. Filterable by Event Severity, Date/Time, and Subsystem.
  • Sensor Version Import Report—Reports the audit records that are generated when the version identifier of IDS sensor devices is imported into IDS MC. These records indicate success or failure of the import operation. Filterable by Device, Event Severity, and Date/Time.
  • Sensor Configuration Import Report—Reports the audit records that are generated when you import IDS Sensor configurations into IDS MC. The resulting records can be used to determine success or failure in device configuration import tasks. Filterable by Device, Event Severity, and Date/Time.
  • Sensor Configuration Deployment Report—Reports records related to IDS sensor configurations deployed to devices using IDS MC. These records indicate successful deployment or provide error messages where appropriate for deployment operations. Filterable by Device, Event Severity, and Date/Time.
  • Console Notification Report—Reports the console notification records generated by the notification subsystem. Filterable by Event Severity and Date/Time.
  • Audit Log Report—Reports audit records by the server and application. Unlike the other report templates, this report template provides a broad, non-task-specific view of audit records in the database. Filterable by Task Type, Event Severity, Date/Time, Subsystem, and Applications.

About CSA Reports

You can generate the following reports for Security Agent MC events in Security Monitor:

  • CSA Summary Report—Filterable by Alert Level and Time/Date.
  • CSA Alerts By Severity—Filterable by Alert Level and Time/Date.
  • CSA Alerts By Group—Filterable by Alert Level, Time/Date and Rule.
  • CSA Administration Event Summary—Filterable by Alert Level and Time/Date.

About Firewall Reports

You can generate the following Firewall reports in Security Monitor:

  • User Activity Summary—Summarizes the activities of all users who have made service requests through the selected Firewall within the specified time period. Filterable by Time/Date and Firewall Address.
  • Network Traffic Summary—Summarizes all activities based on the service requests made through the selected Firewall within the specified time period. Filterable by Time/Date and Firewall Address.
  • Most Active Users—Lists the users who have made the most service requests through the selected Firewall within the specified time period. This report provides statistics for up to N (defaults to 20) users. Filterable by Time/Date, Firewall Address, and Top N.
  • Most Accessed Web Sites—Lists the HTTP sites that users who request services through the selected Firewall have accessed the most within the specified time period. This report provides statistics for up to N (defaults to 20) sites. Filterable by Time/Date, Firewall Address, and Top N.
  • Event Summary Report—Summarizes the security, warning, and informational events that the selected Firewall has experienced within the specified time period. Filterable by Time/Date and Firewall Address.
  • Detailed User Activity—Describes the full activities of all network session transactions that a specific user has conducted through the selected Firewall within the specified time period. It presents the full list of network sessions that have occurred within the time period. Filterable by Time/Date and Firewall Address.
  • Detailed Network Traffic—Provides transaction information about a network service's sessions that transpire during a given time interval. For example, you can generate reports about HTTP on port 80, SSL on port 443, or DNS on port 53. To generate a detailed service report, you must configure the Firewall to enable logging of statistical events for the network service. Filterable by Time/Date, Firewall Address, and Service.
  • Denied Message Activity—Lists all syslog messages for denied connections sent out by the Firewall within the specified time period. You can filter which types of deny messages appear in the report such as VPN, Attack, and AAA and ACL. Filterable by Time/Date, Firewall Address, and Denied Events.
  • Denied Connection Activity—Lists all TCP, UDP, and ICMP messages for denied connections sent out by the Firewall for the specified time period. Filterable by Time/Date and Firewall Address.
  • Security Alarm Source Report—Summarizes alarms received on the syslog port by the source of the events. For example, if Security Monitor receives alarms from a PIX Firewall, use this report to view the alarm information. Filterable by Event Level, Source IP Address, and Time/Date.
  • Security Alarm Detailed Report—Provides detailed information for each security alarm received. Filterable by Event Level, Source IP Address, and Time/Date.

About Scheduled Reports

For each report type that you choose to generate, you can enter a report title, schedule, and notification options. Enter this information in the Schedule Report page when you select Reports > Generate. You can run the report immediately, or you can schedule the report to run at a later time, at regular intervals, or both.

If you choose to run the report at a later time, you must specify the date and time that you want the report to run. Additionally, you can schedule the report to run at regular intervals, such as hourly, daily, or weekly. You can edit the report parameters of a scheduled report on the Edit Scheduled Reports page, which you access by selecting Reports > Scheduled. You can also delete scheduled report templates from this page.

Each time a scheduled report is run, it is added to the Completed Report page.

Scheduling and Generating Reports

On the Select Report page, you can select the type of report to generate and define the parameters for the selected report. Based on the scheduling parameters you select, the report runs immediately, at a later time, or at regular intervals.

To generate a report, follow these steps:


Step 1   Select Reports > Generate.

The Select Report page appears.


Tip In Security Monitor, you can filter which reports appear on the page. From the Report Group list, select All to show both alarm and audit reports, Alarms to show only alarm reports, or Audit to show only audit reports.

Step 2   Select the report type that you want to generate, and then click Select.

The Report Filtering page appears.

Step 3   Enter the report parameters for the report type you selected. Then, click Next.

The Schedule Report page appears.

Step 4   Enter a name for the report in the Report Title field.

Step 5   To export the generated report to an HTML file, select the Export to check box. Then, specify the exact path to the file that is to contain the generated report. The path should include the filename and the desired extension; for example, /<dir>[/<dir>/[...]]/<filename>[.<ext>]. No extension is appended to the filename if you do not specify an extension.

Step 6   Click the Run Now or Schedule for Later radio button under Schedule Options. If you select Run Now, skip to Step 7. If you select Schedule for Later, specify the following options:

a. Specify the date and time that you want the report to run in the Start Time list boxes. The date is specified by month, day, and year. The time is specified in hours and minutes. The time zone used to determine the time is to the right of the Start Time list boxes.

b. To run the report at regular intervals, select an option in the Repeat every list box. You can schedule the report to run every day, week, weekday, weekend day, hour, or minute.

Step 7   To send an e-mail notification to someone when the report runs, select the Email report to check box and enter an e-mail address in the adjacent field. Use commas to separate multiple addresses. Then, click Finish.

If you select Run Now, the report runs and you can view the generated report by selecting Reports > View. If you select Schedule for Later, you can view the scheduled report template by selecting Reports > Scheduled.





Viewing Reports

After you generate a report, you can view it.


Tip To understand how data is sorted in a report, refer to the numbers that appear in the column headings of the generated report. These numbers represent the sort keys. For example, data is sorted first based on the data in the column with a (1) in it, followed by the data in the column with a (2) in it, and so on.

To view a report, follow these steps:


Step 1   Select Reports > View.

The Choose Completed Report page appears.


Tip In Security Monitor, you can filter which reports appear on the page. From the Report Group list, select All to show both alarm and audit reports, Alarms to show only alarm reports, or Audit to show only audit reports.

Step 2   Select the check box corresponding to the title of the report you want to view.

Step 3   To view the selected report, click View.

The report appears in the Report page.

Step 4   To view the report in a new browser window, click Open in Window.

The report appears in a new browser window.





Saving a Generated Report as an HTML File

After you generate a report, you can save the report as an HTML file.

To save a generated report as an HTML file, follow these steps:


Step 1   Select Reports > View.

The Choose Completed Report page appears.


Tip In Security Monitor, you can filter which reports appear on the page. From the Report Group list, select All to show both alarm and audit reports, Alarms to show only alarm reports, or Audit to show only audit reports.

Step 2   To select the report that you want to export, select the check box corresponding to the report title.

Step 3   Click Open in Window.

If you are using Internet Explorer, the report appears in a new browser window; proceed to Step 4. If you are using Netscape Navigator, the Unknown File Type dialog box appears; skip to Step 5.

Step 4   To save the report, select File > Save As from the Internet Explorer menu bar. Browse to the location where you want to save the file and enter a filename. Then, click Save.

The report is saved using the filename and location you specified.

Skip Step 5.

Step 5   To save the report, click Save File. Browse to the location where you want to save the file and enter a filename. Then, click Save.

The report is saved using the filename and location you specified.





Deleting Generated Reports

You can delete generated reports. If the report was generated from a scheduled report template, deleting the report does not delete the associated scheduled report template.

To delete a report, follow these steps:


Step 1   Select Reports > View.

The Choose Completed Report page appears.


Tip In Security Monitor, you can filter which reports appear on the page. From the Report Group list, select All to show both alarm and audit reports, Alarms to show only alarm reports, or Audit to show only audit reports.

Step 2   Select the check box next to the title of the report you want to delete.


Tip You can delete more than one report at a time. To delete more than one report, select the check boxes next to all reports that you want to delete.

A check mark appears next to each report you selected.

Step 3   To delete the selected report, click Delete.

The report is deleted. The report name is removed from the list of available reports.





Editing Report Parameters

You can edit the report parameters or the schedule for a scheduled report template.

To edit the report parameters, follow these steps:


Step 1   Select Reports > Scheduled.

The Edit Scheduled Reports page appears.


Tip In Security Monitor, you can filter which reports appear on the page. From the Report Group list, select All to show both alarm and audit reports, Alarms to show only alarm reports, or Audit to show only audit reports.

Step 2   Select the check box corresponding to the title of the report template that you want to edit.

A check mark appears next to the report you selected.

Step 3   To open the selected report template, click Edit.

A new page displays the report parameters. The parameters differ depending on the type of report.

Step 4   Change the report parameters as needed. To save your changes, click Finish.

The changes you made are saved to the report template.





Deleting Scheduled Report Templates

You can delete unwanted scheduled report templates. Deleting a scheduled report template also deletes all associated reports that have already been generated.

To delete a scheduled report template, follow these steps:


Step 1   Select Reports > Scheduled.

The Edit Scheduled Reports page appears.


Tip In Security Monitor, you can filter which reports appear on the page. From the Report Group list, select All to show both alarm and audit reports, Alarms to show only alarm reports, or Audit to show only audit reports.

Step 2   Select the check box corresponding to the title of the report template you want to delete.


Tip You can delete more than one report template at a time. To do so, select the check boxes corresponding to all the report templates that you want to delete.

A check mark appears next to each report template you selected.

Step 3   To delete the report template, click Delete.

The selected report template and all associated end reports are deleted.