Reporting User's Guide


The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version

Legal Notice

Copyright 2006 Symantec Corporation. All rights reserved.

Federal acquisitions: Commercial Software - Government Users Subject to Standard License Terms and Conditions.

Symantec, the Symantec Logo, Symantec AntiVirus, Symantec Client Security, Symantec System Center, and Symantec Client Firewall are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be "commercial computer software" and "commercial computer software documentation" as defined in FAR Sections and DFARS Section

Symantec Corporation
Stevens Creek Blvd.
Cupertino, CA USA

Technical support

As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group's primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts.

Symantec technical support offerings include:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and Web support components that provide rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Content Updates for virus definitions and security signatures that ensure the highest level of protection
- Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages
- Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support

Licensing and registration

If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at Alternatively, you may go to select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link.

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL: Select your region or language under Global Support.

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.

When you contact Technical Support, please have the following information available:
- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Customer service

Customer service information is available at the following URL: Select your country or language under Global Support.

Customer Service is available to assist with the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade insurance and maintenance contracts
- Information about the Symantec Value License Program
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Contents

Technical support

Chapter 1 Introducing reporting
- About reporting
- How reporting works
- About events
- About reports
- About logs

Chapter 2 Basic reporting tasks
- About basic tasks
- Logging into reporting
- Changing your password
- Using the home page
- Viewing information on the home page
- Customizing the home page
- Using Security Response links
- About using the Past 24 hours filter in reports and logs

Chapter 3 Using reports
- Reports overview
- About reports
- Saving report configuration settings
- Printing and saving reports
- Creating risk reports
- Creating scan reports
- Creating computer status reports
- Creating and viewing scheduled reports

Chapter 4 Performing administrative tasks
- About administrative tasks
- Configuring reporting servers
- Changing the reporting server port number
- Specifying the reporting server URL by using the Windows registry
- Viewing the URL of a reporting server
- Removing a reporting server
- Configuring the reporting display
- Configuring users
- Setting password rules
- Configuring alerts
- Creating alert configurations
- Viewing alert events
- Acknowledging or unacknowledging alerts
- Viewing alert event details
- Setting automatic refresh intervals

Chapter 5 Using logs
- About logs
- Viewing logs
- Saving log configuration settings
- Viewing risk logs
- Viewing scan logs
- Viewing computer status logs
- Using events in logs
- Displaying event details
- Exporting log events
- Deleting log events

Chapter 6 Configuring reporting agents
- About reporting agents
- Configuring reporting agents
- Agent scheduling and status checking
- Checking agent status
- Specifying scheduling options for agents
- Disabling an agent
- Configuring event aggregation
- Configuring the language option for the Log Sender and Computer Status Agents
- Reducing the volume of security risk events sent to the reporting server
- Configuring proxy settings for the Virus Category Agent
- Specifying notification options for agents
- Specifying notification parameters
- Specifying notification parameters for the disk full check
- Using agent logs
- Enabling or disabling agent tracing
- Deleting agent logs
- Registry keys for agent configuration
- About registry keys for agent file processing
- About registry keys for agent scheduling

Chapter 7 Maintaining the reporting database
- About database maintenance
- Configuring the reporting database maintenance agent
- Configuring the reporting database backup options
- Restoring an MSDE reporting database
- Tuning database server memory allocation
- Changing timeout parameters

Chapter 8 Workflow and use cases
- About workflow and use cases
- Administering daily workflow to eliminate risks
- Reports and logs that show security risk information
- Reports and logs that show scanning information
- Reports and logs that show definitions information
- Reports and logs that show configuration and status information

Index

Chapter 1 Introducing reporting

This chapter includes the following topics:
- About reporting
- How reporting works
- About events
- About reports
- About logs

About reporting

Reporting is a Web application within the Symantec System Center console that you can use to create reports about your security products. The application uses a Web server to deliver information about Symantec Client Security or Symantec AntiVirus products in your network.

Reporting includes the following features:
- Customizable home page with your most important reports
- Pre-defined and customizable graphical reports with multiple filter options
- Role-based user administration that is separate from the Symantec System Center console user administration
- Optimized to support events from 100 computers to 50,000 computers
- Supports Microsoft SQL for storing events

You can log into reporting through the Symantec System Center console. You can also log into reporting through a Web browser that is installed on a computer that has access to your reporting server.

How reporting works

Information about installing reporting is located in the Symantec Client Security Installation Guide or Symantec AntiVirus Installation Guide.

The reporting software consists of a reporting server, a reporting database, and the reporting agents.

The reporting server is a Web server. When you log into reporting, you are essentially logging into the reporting server.

The reporting database stores the events that the reporting agents collect and read from your primary management server logs. The reporting database can be an existing MS SQL database in your network or the database that is installed with the reporting software. The database has its own maintenance requirements.
See About database maintenance on page 101.

The reporting agents are installed on the reporting server as well as on your primary and secondary management servers. The agents that are installed on the reporting server are called local agents. The agents that are installed on the primary and secondary management servers are called remote agents.

The reporting agents collect information about the security events in your network. The agents also maintain the reporting database and can be configured to send notifications about security events or agent status. Each agent has a specific function. The Computer Status and Log Sender Agents are the remote agents that collect information from the logs of the primary or secondary management server on which they are installed. The Log Reader agent is a local agent on the reporting server that receives the collected information and inserts it into the reporting database.
See About reporting agents on page 79.

About events

The events that appear in the reports that you generate in reporting are pulled from the event logs from your primary and secondary management servers. The event logs contain time-stamps in the servers' time zones. When the Log Reader Agent on the reporting server receives the events, it converts the event time-stamps to Greenwich Mean Time (GMT) for insertion into the reporting database. When you create reports, the reporting software displays information about events in the local time of the computer on which you view the reports.
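The time-stamp handling described above, as an added example that is not Symantec's code: constructed events from two management servers are converted from server time to GMT, ordered, and then bucketed by day in a viewer's local time. The server names, fixed UTC offsets, record layout and risk names are all assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S"

# Assumed fixed UTC offsets for two hypothetical management servers.
SERVER_OFFSETS = {
    "MGMT-WEST": timezone(timedelta(hours=-8)),
    "MGMT-EAST": timezone(timedelta(hours=-5)),
}

# Constructed sample events: (server, time-stamp in that server's zone, risk).
SAMPLE_EVENTS = [
    ("MGMT-WEST", "2006-03-01 22:30:00", "Sample.Risk.A"),
    ("MGMT-EAST", "2006-03-02 00:45:00", "Sample.Risk.B"),
    ("MGMT-WEST", "2006-03-01 23:10:00", "Sample.Risk.C"),
    ("MGMT-EAST", "2006-03-02 01:15:00", "Sample.Risk.D"),
]


def to_gmt(server, stamp):
    """Attach the originating server's offset to a log time-stamp, then convert to GMT."""
    try:
        tz = SERVER_OFFSETS[server]
    except KeyError:
        # Without the source zone the time-stamp cannot be placed on a common timeline.
        raise ValueError(f"no time zone configured for server {server!r}") from None
    return datetime.strptime(stamp, FMT).replace(tzinfo=tz).astimezone(timezone.utc)


def naive_order(events):
    """Order events by the raw server-local time-stamp (what a merged log would show)."""
    return [risk for _, _, risk in sorted(events, key=lambda e: e[1])]


def normalize(events):
    """Convert every event to GMT and return the rows in true chronological order."""
    rows = [{"server": s, "risk": r, "gmt": to_gmt(s, t)} for s, t, r in events]
    return sorted(rows, key=lambda row: row["gmt"])


def daily_counts(rows, viewer_tz):
    """Count events per calendar day as seen in the viewer's local time."""
    days = (row["gmt"].astimezone(viewer_tz).strftime("%Y-%m-%d") for row in rows)
    return dict(Counter(days))


def render(rows, viewer_tz):
    """Format stored GMT rows in the viewer's local time, as a report would."""
    return [
        f'{row["gmt"].astimezone(viewer_tz).strftime(FMT)}  {row["server"]}  {row["risk"]}'
        for row in rows
    ]


if __name__ == "__main__":
    rows = normalize(SAMPLE_EVENTS)
    print("server-local order:", naive_order(SAMPLE_EVENTS))
    print("GMT order:         ", [row["risk"] for row in rows])
    for label, tz in (("UTC-7 viewer", timezone(timedelta(hours=-7))),
                      ("GMT viewer", timezone.utc)):
        print(label, daily_counts(rows, tz))
        for line in render(rows, tz):
            print("   ", line)
```

The same four stored events fall on different calendar days for the two viewers, which is worth remembering when comparing daily reports produced on computers in different time zones.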

Since virus outbreaks can result in an excessive number of virus and firewall events, these events are aggregated before they are forwarded to the Log Reader Agent on the reporting server.

For more information about some of the events that appear on the home page, check the Symantec Security Response Web site Attack Signatures page at the following address:

About reports

Reporting gives you the up-to-date information that you need to make informed decisions about the security of your network. The reporting home page includes automatically generated charts about top events happening in your network.

Reporting also includes reports that you can customize and generate to view graphical representations of events happening in your network. You can create reports about risk and scan events. You can also generate reports about the inventory (computer status) of computers in your security network.

In addition, you can create the scheduled reports that run automatically on a schedule. You set the report filters and the time to run the report. When the report is finished, it is available on the scheduled reports page. Currently, reporting allows you to create scheduled reports for virus definition rollouts only.

About logs

You can look at event data directly in reporting if you want to focus on specific events. Logs include event data from your primary and secondary management servers as well as all of the clients reporting to those servers. You can filter the log data. You can also export the log data to a file to back up the event data or use the data in a spreadsheet or other application.


Chapter 2 Basic reporting tasks

This chapter includes the following topics:
- About basic tasks
- Logging into reporting
- Changing your password
- Using the home page
- About using the Past 24 hours filter in reports and logs

About basic tasks

Reporting is a Web application that runs inside the Symantec System Center console. You can also access reporting from any Web browser that is connected to your reporting server if you know the IP address or host name of the reporting server.

Basic tasks include logging into reporting, changing your password, and using the home page to get quick information about events in your security network.

This user's guide assumes that you use the Symantec System Center console to access reporting and that you are logged into the console. Procedures for using reporting are similar regardless of how you access reporting. However, procedures for using reporting in a stand-alone browser are not specifically documented in this guide.

Note: Viewing reporting through a remote session of the Symantec System Center is supported.

Logging into reporting

When you log into reporting for the first time, you are required to change your password. However, if you are the administrator who installed reporting and configured the super administrator password during the installation, you do not have to change your password after your first login.

You can log into more than one reporting server at the same time. Each reporting server has its own database, so data that you view on one reporting server is different from the data that you view on another reporting server.

Note: You must enable active scripting in Internet Explorer before you can log into reporting.

To log into reporting
1. In the Symantec System Center console, in the left pane, under Reporting, under Reporting Servers, click the name of the reporting server that you want to log into.
2. In the right pane, in the login dialog box, type your user name and password. If you log in for the first time, and you are the administrator who installed reporting, use the user name and password you entered during installation.
3. Click Login.

To log out of reporting, in the top right of the reporting application window, click Logout. If you do not log out, and you are inactive for a period of time, you may be automatically logged out. An administrator can configure the inactivity timeout for each user. The default is 6,000 seconds (100 minutes).

Note: If you use reporting in a stand-alone browser, closing the browser window does not log you out of the reporting application. Make sure you click Logout when you are finished with your session.

Changing your password

You can change your login password. The rules for length of the password and the character requirements are set by your administrator. If you enter a password that violates any of the password rules, an error appears. Password rules are set by a user with administrative privileges.
See Setting password rules on page 51.

If you log in for the first time, your old password is the password that your administrator assigned to you. After you change the password, the new password is required the next time you log into reporting.

To change your password
1. Select the reporting server and make sure you are logged in. See Logging into reporting.
2. On the Admin tab, click Change Password.
3. In the Old Password text box, type your old password.
4. In the New Password text box, type your new password.
5. In the Confirm text box, type your new password.
6. Click Save.

Using the home page

The home page includes important reports with information about your security network. You can customize the page to modify the filter on the Risks by report.

Figure 2-1 shows a sample home page.

Figure 2-1 Sample home page

Viewing information on the home page

The home page includes several automatically generated reports as well as several status items. Some of the home page reports are hyperlinked to more detailed reports. In addition, you can customize some of the reports and configure how often the home page refreshes.
See Customizing the home page on page 18.

Table 2-1 describes the home page reports.

Table 2-1 Home page reports
(Report or Status Information, followed by its Description)

Risks by <Server Group>: Past 24 Hours
    Shows the risks to your security network in the past 24 hours. You can customize this report to group the risks by client group, parent server, computer, user, or event source. You can also customize this report to appear as a three-dimensional bar graph instead of a pie chart.

Action Summary
    Shows a summary of actions that were taken on the number of viruses and security risks in your network. For any of the actions, click the number of viruses or security risks to get a detailed report. By default, the action summary is shown for the last 24 hours. You can change the time interval to show the summary for the past week.
    The Suspicious count shows the number of events from Symantec AntiVirus 8.x clients with an Auto-Protect status of Leave Alone. On the computers that are associated with these events, you should run a manual scan to check whether the computers are infected. You can then clear the suspicious event count by deleting the suspicious events in the risk log.
    See Viewing risk logs on page 66.
    The Newly Infected count shows the number of risks infecting computers during the selected time interval only. The Still Infected count shows the total number of risks still infecting computers (regardless of the time interval). Both counts show the risks that must be manually cleaned. After the risks are cleaned, an administrator can change the infected status for the computer in the inventory log.
    See Viewing computer status logs on page 71.

New Risks: Past 24 Hours
    Shows new risks in your security network in the past 24 hours. Click any of the risks to display a page from the Symantec Security Response Web site that gives more details about the risk.

Alert status summary
    Shows a one-line summary of the alert status in your security network. For example, 100 unacknowledged alerts in the last 24 hours. Click to display the Alert Events page. Your user account must have access to view this page.
    See Viewing alert events on page 56.

Agent status summary
    Shows a one-line summary of the status for the agents that are installed on the reporting server. Click to display the Agent Status page. Your user account must have access to view this page.
    See Checking agent status on page 83.

Risks Per Hour: Past 24 Hours
    Shows a line graph of the risks in your security network over the past 24 hours.

Latest Symantec Virus Definitions
    Shows a one-line summary of the current date and revision for the latest definitions available from Symantec.

Current Virus Definition Distribution
    Shows the current virus definition distribution in your security network. Click on the pie chart to get a more detailed report about the distribution.

Security Response
    Shows the current ThreatCon severity level that is based on information from Symantec Security Response. The ThreatCon severity level provides an overall view of global Internet security. Click any of the links to get additional information.
    See Using Security Response links on page 19.

Customizing the home page

You can specify how the home page appears when you log into reporting. When you customize the display, you customize the display for the current user only. The settings that you configure on this page are saved across sessions. The next time you log into reporting these settings are used for the home page display.

Table 2-2 describes the home page display options.

Table 2-2 Home page display options
(Option, followed by its Definition)

Graph
    Selects which distribution to use for the Risks by chart on the home page. You can select Server Group, Client Group, Parent Server, Computer, User, or Event Source.

Graph type
    Changes the Risks by chart on the home page to appear as a three-dimensional bar graph. The bar graph consists of two axes. Each axis represents a server group, client group, parent server, computer, user, or event source. You must have at least two of each item type for the graph to display.

Auto-refresh
    Configures how often the reporting software refreshes the information on the home page.

To customize the home page display
1. Select the reporting server and make sure you are logged in. See Logging into reporting.
2. On the Home tab, click Homepage Configuration.
3. Change any of the options.
4. Click Save.
   A message appears indicating your changes are saved.

Using Security Response links

The home page includes a summary that is based on the information from the Symantec Security Response Web site. The ThreatCon level severity chart appears as well as links to the Symantec Security Response Web site and other security Web sites.

The ThreatCon levels are as follows:
- 1 - Low
- 2 - Medium
- 3 - High
- 4 - Extreme

For more information about the threat levels, click the Symantec link to display the Symantec Web site.

Note: Specific security risks are rated with a 1 to 5 level rating.

Each link displays a page in a new window.

Table 2-3 describes the Security Response links.

Table 2-3 Security Response links on the reporting home page
(Link, followed by What appears)

Security Alerts
    Displays a summary of the potential threats to your security network that is based on information from Symantec Security Response. The summary includes the latest threats, top threats, and links to removal tools. You can also search the Symantec Security Response threat database.

Symantec
    Displays the Symantec Web site. You can get information about risks and security risks, virus definition downloads, and recent news about Symantec security products.

Definitions
    Displays the virus definition download page of the Symantec Web site.

Latest Risks
    Displays the Symantec Security Response Web site, which shows the latest threats and security advisories.

Security Focus
    Displays the Security Focus Web site, which shows information about the latest viruses.

About using the Past 24 hours filter in reports and logs

If you select Past 24 hours for the time range of a report or a log, the 24-hour time range begins when you first select the filter. If you refresh the page, the start of the 24-hour range does not reset. If you select the filter, and wait to create a report or view an event or alert log, the time range starts when you selected the filter, not when you create the report or view the log.

If you want to make sure the past 24-hour range starts now, select a different time range and then re-select Past 24 hours.

Note: The start of the past 24-hour time range filter on the home page is determined at the time the home page is accessed.

Chapter 3 Using reports

This chapter includes the following topics:
- Reports overview
- Creating risk reports
- Creating scan reports
- Creating computer status reports
- Creating and viewing scheduled reports

Reports overview

You can generate reports on the security products in your network that are based on a collection of filter settings you select. You can save the filter configuration to generate the report at a later date.

You can run reports on the following items in your security environment:
- Risks
- Scans
- Computer Status
- Scheduled tasks such as virus definition rollouts

There is a default report configuration for each report type. You can modify and save the configuration for the default report. You can create new filter configurations that are based on the default configuration or on an existing configuration that you created. You can also delete your customized configurations if you don't need them any more.

When you create a report, the report appears in a separate window. You can then save the report as an HTML or text file. You can also print the report. The saved file is a snapshot of the current data in your reporting database.

About reports

Reports might include tables or charts, or a combination depending on the information that you requested. You can save the report as a Web page, a Web archive, or a text file using the Save As option in your Web browser. The save options capture the data in the report so you have an historical record. You can save the report settings so that you can run the same report at a later date.

The active filter settings are listed in the report if an administrator has configured the general setting to include the filters in reports.

Important information about reports is listed here:
- Time-stamps in reports are given in the user's local time. The reporting database contains events in Greenwich Mean Time (GMT). When you create a report, the GMT values are converted to the local time of the computer on which you view the reports.
- The data that appears in reports might not have a one-to-one correspondence with what appears in your security products since the reporting software aggregates your events.
- If you generate a report that includes legacy computers, the IP address and MAC address fields display None.
- The parent server field is blank in the report if the relevant item is a primary management server, which does not have a parent server.
- Risk category information in reports is obtained from the Symantec Security Response Web site. Until the Virus Category Agent runs and gathers the information, any reports that you generate show Unknown in risk category fields.
- Reports that you generate in reporting give an accurate picture of the infected computers in your network. Reports are based on the log data rather than the Windows registry data.
- If data in spider graphs contains overlapping lines that are difficult to read, re-create the report by using different parameters for the x and y axes or reversing the axes for the current parameters.
- If you are running the reporting server on a computer using any Asian language, the Arial Unicode MS font should be available on the reporting server. Otherwise, some charts may contain unreadable characters.

- In Virus Definition Distribution reports, a parent server is not listed unless it has clients. To view information about virus definitions on parent servers, use the Computer Status Logs page and select Only parent servers for the Computer type.
- If you get database errors when running reports that include a large amount of data, you might want to change database timeout parameters.
  See Changing timeout parameters on page 108.
- If you get CGI or terminated process errors, you might want to change other timeout parameters. Information about additional timeout parameters is provided in the Symantec Knowledge Base article called "Reporting server does not report or shows a timeout error message when querying large amounts of data."

Figure 3-1 shows a sample report.

Figure 3-1 Sample report

Saving report configuration settings

For risk, scan, or computer status reports, you can save report settings so that you can generate the report again at a later date. When you save your settings, they are saved in the reporting database and the configuration name appears in the Use saved report list box.

Note: The configuration settings that you save are available for your user login only. Other reporting users do not have access to your saved settings.

If you need to re-install the reporting server, you should make sure that your database information is preserved so that you do not lose your configuration settings.
See Restoring an MSDE reporting database on page 106.

You can also delete any report configuration that you create. When you delete a configuration, the report is no longer available. The default report configuration name appears in the Use saved report list box and the screen is repopulated with the default configuration settings.

To save a report configuration
1. Select the reporting server and make sure you are logged in. See Logging into reporting.
2. On the Reports tab, do one of the following:
   - Click Risk Reports.
   - Click Scan Reports.
   - Click Computer Status Reports.
3. Change any basic or advanced settings for the report.
4. Click Save Report.
5. In the Name text box, type or select the report configuration name.
6. Click Save.

To delete a report configuration
1. Select the reporting server and make sure you are logged in. See Logging into reporting.
2. On the Reports tab, do one of the following:
   - Click Risk Reports.
   - Click Scan Reports.
   - Click Computer Status Reports.

3. In the Use saved report list box, select the name of the report configuration that you want to delete.
4. Click the Delete icon.

Printing and saving reports

When you generate a report, the report appears in a new window. You can print the report or save a copy of the report.

Note: By default, Internet Explorer does not print background colors and images. If this printing option is disabled, the printed report may look different than the report that you created. You can change the settings in your browser to print background colors and images.

To print a report
1. In the report window, click File > Print.
2. Select the printer and then click Print.

When you save a copy of the report, you save a snapshot of your security environment that is based on the current data in your reporting database. If you run the same report later, based on the same filter configuration, the new report shows different data.

To save a report
1. In the report window, click File > Save As.
2. In the Save Web Page dialog box, in the Save in selection box, select the location for the file.
3. In the Save as type list, select one of the following:
   - Web Page, complete (*.htm,*.html)
   - Web Archive, single file (*.mht)
   - Web Page, HTML only (*.htm,*.html)
   - Text file (*.txt)
4. In the File name list box, type a file name.
5. Click Save.

26 26 Using reports Creating risk reports Creating risk reports Risk reports are the reports about viruses and security risks that are found in your security environment. You can choose from several different types of reports. Table 3-1 describes the types of risk reports. Table 3-1 Risk report type Top Reports Types of risk reports Description Top reports are the reports that you typically need to view on a regular basis. They include the following: Infected Computers (At Risk Computers) Detection Action Summaries Detections Grouped by Server Group Detections Grouped by Parent Server Detections Grouped by Computer Risk Detection Risk detection reports include the following: Risk Detection Table and Distribution Chart This report includes a distribution pie chart grouped by server group, client group, parent server, computer, or user name. Risk Detection Correlation These reports correlate risk detections using two variables. The variables you can select are computer, user name, server group, client group, parent server, or risk name. The data appear in a three-dimensional bar graph or spider graph. Summary of Detections Grouped by Computer This provides a table of risk detections that are grouped by computer. Risk Distribution Charts This report includes a pie chart and histogram that are grouped by server group, client group, parent server, computer, user name, source, risk type, or severity. Risk Distribution Over Time This report includes a histogram using a daily, monthly, or yearly time interval.

Table 3-1 Types of risk reports (continued)

Comprehensive Reports: Comprehensive reports include the following:
- Full report
- Full daily report
- Full monthly report
- Full yearly report
Comprehensive reports include by default all of the distribution reports and the new risks report. You can select which reports to include or not include in the combined daily, monthly, or yearly report.

Note: The report headings (Top Reports, Risk Detection, and Comprehensive) that are listed in the Report type drop-down list do not appear if you are using Internet Explorer 5.5 or earlier. To see the headings, upgrade your browser to version 6.0 or higher.

You can quickly generate a risk report by selecting from the basic settings that appear by default under What filter settings would you like to use. If you want to configure more filters for the report, you can configure them through Advanced Settings. You can save the report settings to run the same report at a later date. You can also print or save the report. See Printing and saving reports on page 25.

Table 3-2 describes the basic settings for risk reports.

Table 3-2 Basic filter settings for risk reports

| Setting | Description |
|---|---|
| Product | Specifies only the risks that are found from Symantec AntiVirus, Symantec Client Firewall, or all (both) products. The default is Symantec AntiVirus. |
| Time range | Sets the range of time over which risks were found to include in the report. If you choose Set specific dates, you must set Start date and End date. The default is in the last month. |

Table 3-2 Basic filter settings for risk reports (continued)

| Setting | Description |
|---|---|
| Start date | Sets the start date for the date range. Only available when you select Set specific dates for the time range. |
| End date | Sets the end date for the date range. Only available when you select Set specific dates for the time range. |

Table 3-3 describes the advanced settings for risk reports.

Table 3-3 Advanced filter settings for risk reports

| Setting | Description |
|---|---|
| Event type | Specifies whether to include all events, or only viruses that are found, IDS, security risks that are found, or firewall violation events. The default is all events. |
| Action taken | Filters the report by the type of action that was taken by Symantec AntiVirus on the risk. The types of actions in the list depend on the setting for Product. |
| Scan type | Filters the report based on the events that occurred during a particular type of scan, for example, a scheduled scan or a manual scan. By default, all events from any type of scan are used for the report. |
| Risk type | By default, all risk types appear in the report. You can limit the risks in the report to viral, trackware, spyware, hack tool, security risk, jokeware, heuristic, adware, remote access, non-viral malicious code, or dialer. |
| Risk severity | Filters the report by risks with particular severity. Severity is defined in several categories as follows: unknown; 1 is very low; 2 is low; 3 is moderate; 4 is severe; and 5 is very severe. For more details about severity, see the Symantec Security Response Web site. By default, risks of all severity are included in the report. |
| Compressed events | Specifies whether events that are considered for the report should be weighted or unweighted. Weighted events are the sum of the number of events. Unweighted events are the count of the number of events. |
| Server group | Specifies particular server group names and/or wildcard characters (?, *). For example, to specify server group names beginning with je, type je* and separate each entry with a comma. By default, all server groups are included. |

Table 3-3 Advanced filter settings for risk reports (continued)

| Setting | Description |
|---|---|
| Client group | Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er and separate each entry with a comma. By default, all client groups are included. |
| Parent server | Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify the parent server names that have the string tion in them, type *tion* and separate each entry with a comma. By default, all parent servers are included. |
| Computer | Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, etc., type ?machine and separate each entry with a comma. By default, all computers are included. |
| IP address | Specifies particular IP addresses and/or wildcard characters (?, *). Separate each entry with a comma. By default, all IP addresses are included. |
| User name | Specifies particular users and/or wildcard characters (?, *). Separate each entry with a comma. By default, all users are included. |
| Risk name | Specifies particular risk names and/or wildcard characters (?, *). Separate each entry with a comma. By default, all risks are included. |
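The filter syntax in Table 3-3 (comma-separated entries, with ? and * as wildcards) is the same syntax used for the scan, computer status, scheduled report, and user access filters. The following Python sketch is an added example, not Symantec's code: it assumes that ? matches exactly one character, that * matches any run of characters, and that names compare case-insensitively, and every group and computer name in it is a constructed sample.

```python
import re


def parse_filter(filter_text):
    """Split a comma-separated filter into (entry, compiled regex) pairs.

    Only '?' and '*' are wildcards, as the guide documents. Every other
    character, including '[' and '.', is matched literally.
    """
    compiled = []
    for entry in filter_text.split(","):
        entry = entry.strip()
        if not entry:
            continue  # ignore empty entries such as a trailing comma
        regex = "".join(
            ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
            for ch in entry
        )
        # Assumption: names are compared case-insensitively.
        compiled.append((entry, re.compile(regex, re.IGNORECASE | re.DOTALL)))
    return compiled


def select(names, filter_text):
    """Return the names a filter includes; an empty filter includes all."""
    rules = parse_filter(filter_text)
    if not rules:
        return list(names)  # the guide's default: everything is included
    return [n for n in names if any(rx.fullmatch(n) for _, rx in rules)]


def unmatched_entries(names, filter_text):
    """Return filter entries that match no known name (often a typo)."""
    return [
        entry
        for entry, rx in parse_filter(filter_text)
        if not any(rx.fullmatch(n) for n in names)
    ]


# Constructed sample inventory (not taken from the guide).
SERVER_GROUPS = ["jersey", "JEDDAH", "boston", "project.je"]
COMPUTERS = ["1machine", "2machine", "10machine", "machine", "lab[1]", "lab1"]

if __name__ == "__main__":
    print(select(SERVER_GROUPS, "je*"))          # prefix match only
    print(select(COMPUTERS, "?machine"))         # exactly one leading character
    print(select(COMPUTERS, "lab[1]"))           # brackets are literal
    print(unmatched_entries(SERVER_GROUPS, "je*, chicgo*"))
```

Running `unmatched_entries` against a current inventory before saving a filter catches entries that silently match nothing, which matters most when the filter scopes what a reporting user is allowed to see.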

To create a risk report
1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Reports tab, click Risk Reports.
3 In the Use saved report list box, select a saved filter configuration that you want to use or use the default configuration.
4 Under What type of Risk Report would you like to see, in the Report type list box, select the type of report that you want to create.
5 Do one of the following:
- If you selected the Risk Detection Table and Distribution Chart, Detections Grouped by Computer, or Risk Distribution Charts, the Group By option appears. In the Group by list box, select the option for grouping the report.
- If you selected the Risk Distribution Over Time report, the Time interval option appears. In the list box, select the time interval.
- If you selected the Full Daily Report, Full Monthly report, or Full Yearly report, the Configure reports to be included option appears. Click Configure reports to be included, and then in the new window, select the reports that you want to include in the combined report. Click Save.

- If you selected Risk Detection Correlation, the Graph type list box appears. Select Spider graph or 3D bar graph. In the x-axis/legs and y-axis/web list box, select which grouping should appear on the chart axes in the 3D bar graph or the legs/web in the spider graph.
6 Under What filter settings would you like to use, in the Product list box, select the product for which you want to run the report.
7 In the Time range list box, select the date range for the report.
8 If you want to configure additional settings for the report configuration, click Advanced Settings. You can save the current settings to the existing configuration or you can create a new configuration. See Saving report configuration settings.
9 Click Create Report.

Creating scan reports

Scan reports include information about scans run on the computers in your security network. You can create scan filter configurations to filter the data for your scan reports. When you create a report, it appears in a new window. You can save the report settings to run the same report at a later date. You can also print or save the report. See Printing and saving reports on page 25.

Table 3-4 describes the types of scan reports.

Table 3-4 Types of scan reports

| Scan report type | Description |
|---|---|
| Scan Distribution Histograms | You can select how you want the data in the scan report to be distributed, either by the scan duration, the number of risks or infected files that are found in scans, or the number of files that are scanned or omitted. You can also type the bin width and number of bins to be used in the histogram that is included in the report. The bin width is the data interval to be used for the group by selection. The number of bins specifies how many times the data interval should be repeated in the histogram. Depending on the size of your network and the amount of data you view, you might want to change these values to maximize the information that is generated in the report's histogram. |
| Computers by Last Scan Time | Shows a list of computers in your security network by the last time scanned. |
| Computers Not Scanned | Shows a list of computers in your security network that have not been scanned. |

You can quickly generate a scan report by selecting from the basic settings that appear by default under What filter settings would you like to use. If you want to configure more filters for the report, you can configure them through Advanced Settings.

Table 3-5 describes the basic filter settings for scan reports.

Table 3-5 Basic filter settings for scan reports

| Setting | Description |
|---|---|
| Time range | Sets the range of time for which scan information to include in the report. If you choose Set specific dates, you must set Start date and End date. |
| Start date | Sets the start date for the time range. Only available when you select Set specific dates for the time range. |
| End date | Sets the end date for the time range. Only available when you select Set specific dates for the time range. |

Table 3-6 describes the advanced scan report settings.

Table 3-6 Advanced filter settings for scan reports

| Setting | Description |
|---|---|
| Duration greater than | Includes only the scans whose duration exceeds this value. |
| Files scanned greater than | Limits the data to scans that scanned a number of files greater than this value. |
| Risks greater than | Limits the data to scans that found a number of risks greater than this value. |
| Files infected greater than | Limits the data to scans that found a number of infections greater than this value. |
| Scan start message | Includes only those events with the selected scan message. |
| Status | Specifies whether to include all scans, or only completed scans, started scans, or cancelled scans in the report. |
| Server Group | Specifies particular server group names and/or wildcard characters (?, *). For example, to specify server group names beginning with je, type je* and separate each entry with a comma. By default, all server groups are included. |
| Client Group | Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er and separate each entry with a comma. By default, all client groups are included. |
| Parent Server | Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify the parent server names that have the string tion in them, type *tion* and separate each entry with a comma. By default, all parent servers are included. |
| Computer | Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, etc., type ?machine and separate each entry with a comma. By default, all computers are included. |

Table 3-6 Advanced filter settings for scan reports (continued)

| Setting | Description |
|---|---|
| IP Address | Specifies particular addresses and/or wildcard characters (?, *). Separate each entry with a comma. By default, all IP addresses are included. |
| User | Specifies particular users and/or wildcard characters (?, *). Separate each entry with a comma. By default, all users are included. |

To create a scan report
1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Reports tab, click Scan Reports.
3 In the Use saved report list box, select a saved filter configuration you want to use or use the default configuration.
4 Under What type of Scan Report would you like to see, in the Report type list box, select the type of report you want to create.
5 If you selected Scan Distribution Histograms, do the following:
- In the Group by list box, select the way you want the information in the report to be grouped.
- In the Bin width text box, type the data interval you want to use for the group by distribution.
- In the Number of bins text box, type the number of data intervals you want to include in the report.
6 Under What filter settings would you like to use, in the Scans From list box, select the date range for the report. You can specify a name for this report configuration in the Name text box or you can use the Scans From setting to filter the default report configuration.
7 If you want to configure additional settings for the report configuration, click Advanced Settings and make any changes to the configuration. You can save the current settings to the existing configuration or you can create a new configuration. See Saving report configuration settings.
8 Click Create Report.

Creating computer status reports

Computer status reports are reports about the status, or inventory, of the computers in your security network. The reports are as follows:
- Virus Definition Distribution
- Computers Not Checked Into Parent Server
- Symantec AntiVirus Product Versions
- Symantec Client Firewall Product Versions
- IPS Signature Distribution

You can filter which computers are included in the report through the advanced settings option. You can also print or save the report. See Printing and saving reports on page 25.

Table 3-7 describes the advanced configuration settings for computer status reports.

Table 3-7 Advanced filter settings for computer status reports

| Setting | Description |
|---|---|
| Time range | Sets the range of time over which computer status was collected to include in the report. If you choose Set specific dates, you must set Last checkin time. |
| Last checkin time | The last time that the computer checked in with its parent server. Only available when you select Set specific dates for the time range. |
| Definition date | Includes only those computers with this particular virus definition date. |
| SAV product version | Includes only those computers with this Symantec AntiVirus product version. |
| SAV scan engine version | Includes only those computers with this Scan Engine version. |
| SCF version | Includes only those computers with this Symantec Client Firewall version. |
| SCF policy file name | Includes only those computers with this firewall policy name. |
| Online | Includes all computers, only those computers that connect to their parent servers, or only those computers that do not connect to their parent servers. |
| Auto-Protect status | Includes computers with any Auto-Protect status, or only those computers with Auto-Protect enabled, disabled, or status unknown. |

Table 3-7 Advanced filter settings for computer status reports (continued)

| Setting | Description |
|---|---|
| Server group | Specifies particular server group names and/or wildcard characters (?, *). For example, to specify server group names beginning with je, type je* and separate each entry with a comma. By default, all server groups are included. |
| Client group | Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er and separate each entry with a comma. By default, all client groups are included. |
| Parent server | Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify the parent server names that have the string tion in them, type *tion* and separate each entry with a comma. By default, all parent servers are included. |
| Computer | Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, etc., type ?machine and separate each entry with a comma. By default, all computers are included. |
| IP address | Specifies particular addresses and/or wildcard characters (?, *). Separate each entry with a comma. By default, all IP addresses are included. |
| User | Specifies particular users and/or wildcard characters (?, *). Separate each entry with a comma. By default, all users are included. |
| Infected only | Specifies only computers with infections. |
| View | Displays the Symantec AntiVirus version or the Symantec Client Firewall version in the report. |
| Computer type | Includes only parent servers or only primary management servers. The default is all computers, including client computers. |

To create a computer status report
1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Reports tab, click Computer Status Reports.

3 In the Use saved report list box, select a saved filter configuration you want to use or use the default configuration.
4 Under What type of Computer Status Report would you like to see, in the Report type list box, select one of the following reports:
- Virus Definition Distribution
- Computers Not Checked Into Parent Server
- Symantec AntiVirus Product Versions
- Symantec Client Firewall Product Versions
- IPS Signature Distribution
5 If you want to set more filters for the report configuration, click Advanced Settings and make any changes to the configuration. You can save the current settings to the existing configuration or you can create a new configuration. See Saving report configuration settings.
6 Click Create Report.

Creating and viewing scheduled reports

Scheduled reports are the reports that the reporting application automatically generates based on a schedule that you configure. Currently, scheduled reports are only available for virus definition rollouts. There is a default scheduled report that is always running. You can change the settings for any pending scheduled report (any report that has not yet run) and you can create additional scheduled reports to monitor virus definition rollouts. You can also delete a single scheduled report or all of the scheduled reports. You can print or save the report. See Printing and saving reports on page 25.

Figure 3-2 shows a sample scheduled report.

Figure 3-2 Sample scheduled report

Table 3-8 describes the scheduled report configuration settings.

Table 3-8 Scheduled report configuration settings

| Parameter | Definition |
|---|---|
| Start time | Sets the date, the hour, and the minute that the report should start to run. |
| Run for | The number of hours that the report should run. |
| Run every | The report runs every hour during the Run for interval. This value is not configurable. |
| Repeat task | How often the report schedule should be repeated (never, daily, weekly, or monthly). The default is never. |

Table 3-8 Scheduled report configuration settings (continued)

| Parameter | Definition |
|---|---|
| Server Group | Specifies particular server group names and/or wildcard characters (?, *). For example, to specify server group names beginning with je, type je* and separate each entry with a comma. By default, all server groups are included. |
| Client Group | Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er and separate each entry with a comma. By default, all client groups are included. |
| Parent Server | Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify the parent server names that have the string tion in them, type *tion* and separate each entry with a comma. By default, all parent servers are included. |
| Computer | Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, etc., type ?machine and separate each entry with a comma. By default, all computers are included. |
| Last checkin time | Select the date, the hour, and the minute on which computers last checked in with their parent servers. The default is the current date. |
| Online only | Check to include only those computers that are connected to their parent servers. |

To create a new scheduled report or change a pending scheduled report
1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Reports tab, click Scheduled Reports.
3 Under What type of Scheduled Report would you like to see, in the Sort by list box, select the way you want the scheduled report to be sorted.
4 Do one of the following:
- Under What would you like to do, click the Create a new scheduled report icon.
- Under Scheduled Reports, click the Change icon next to a report that has a status of pending.
5 Under How would you like to schedule this report, in the text box for Start time, type the start time for the report, and then select the hour and minute from the list boxes.
6 In the Run for text box, type the number of hours that you want the report to run. For example, if you set the Run for time to 48 hours, the report runs every hour for 48 hours.
7 In the Repeat task list box, select how often the report should continue to run. For example, if you specify weekly, the report runs once a week for the number of hours that you configure in Run for.

8 Under What settings would you like for this report, specify the server group, client group, parent server, or computer that you want to use to filter the report.
9 In the list boxes for Last Checkin Time, select the time.
10 Check or uncheck Online Only. If you checked Online Only, only those computers that are currently connected to their parent servers are included in the report.
11 Click Save to save the scheduled report configuration.

To view a scheduled report
1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Reports tab, click Scheduled Reports.
3 In the list of reports, to the left of the Status column, click the icon next to the report that you want to view.

To delete scheduled reports
1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Reports tab, click Scheduled Reports.
3 Do one of the following:
- Under Scheduled Reports, at the end of the row that lists the report you want to delete, click the Delete icon.
- Under What would you like to do, click the icon for deleting all scheduled reports.
4 In the warning dialog box, click OK.


Chapter 4 Performing administrative tasks

This chapter includes the following topics:
- About administrative tasks
- Configuring reporting servers
- Configuring the reporting display
- Configuring users
- Configuring alerts
- Setting automatic refresh intervals

About administrative tasks

Administrative tasks include configuring reporting servers in your network, configuring the general reporting display, setting up users for reporting, and configuring alerts. Other tasks, such as logging into reporting and using the home page, are described in a separate chapter of this user guide. See About basic tasks on page 13.

The tasks that are described in this chapter assume that you are logged into reporting through the Symantec System Center console.

Note: The login for the reporting function is a separate login from the login for the Symantec System Center console. The reporting feature uses separate user accounts that are stored in the reporting database. See Configuring users on page 48.

Configuring reporting servers

The Symantec System Center console populates its Reporting Servers node based on the discovery process it uses to find servers running Symantec Client Security or Symantec AntiVirus. See the Symantec Client Security Administrator's Guide or the Symantec AntiVirus Administrator's Guide for more information about the Symantec System Center Discovery Service (Nsctop.exe).

When the discovery service runs, it reads the registry settings of servers running Symantec Client Security or Symantec AntiVirus to learn the URL of the reporting server to which the discovered server is forwarding data. The discovery service automatically learns the URL on the servers that have the reporting server, the reporting agents, and Symantec AntiVirus installed.

You need to add a reporting server manually if the reporting server is installed on a computer on which Symantec AntiVirus is not installed. In addition, if you are running the Symantec System Center and then install a reporting server, you must manually add the reporting server or run the Discovery Service.

You can also delete any reporting server that you add manually to the console. If you delete a reporting server that is discovered through the Symantec System Center Discovery Service, the server is removed from the console. However, the server will reappear in the console the next time the discovery service runs.

You might need to change the reporting server that your server group or server uses because you want to use a different reporting server. When you add or change a reporting server, you specify a host name, IP address, or a URL. If you changed the host name in an existing URL path, the host name replaces the existing reporting server name the next time you run the Symantec System Center console. When you add or change a reporting server, the URL is written to the registry.

To add or change the reporting server
1 In the Symantec System Center, in the left pane, under System Hierarchy, right-click the server group or primary or secondary management server for which you want to add or change a reporting server.
2 Click All Tasks > Reporting Configuration > Configure Reporting Server.
3 In the Reporting Server Options dialog box, under Report Server, in the Host name or IP address list box, do one of the following:
- Type the host name or IP address of the new reporting server.
- Select the reporting server URL from the drop-down menu.
4 Click OK.

Changing the reporting server port number

By default, the reporting server uses port 80. You can change the port number when you specify the reporting server host name or IP address in the Reporting Server Options dialog box.

If you change the reporting server port number, you should modify the reporting URL in the Alert Agent configuration. You must modify this option if you are writing alert events to the alert database or sending alert notifications. Otherwise, alert events will not be available on the Alert Events page and the incorrect URL will be included in notifications.

To change the reporting server port number
1 In the Symantec System Center, in the left pane, under System Hierarchy, right-click the server group or primary or secondary management server for which you want to add or change a reporting server.
2 Click All Tasks > Reporting Configuration > Configure Reporting Server.

3 In the Reporting Server Options dialog box, under Report Server, in the Host name or IP address list box, include the port number in the following format: <name or IP address>:<port number>.
4 Click OK.
5 Change the URL listed for the Alert Agent on the Alert Configuration page. See Specifying notification parameters on page 93.

Specifying the reporting server URL by using the Windows registry

The reporting server URL is stored in the Windows registry under HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect\CurrentVersion\Reporting. Use the ReportServerURL registry key to add or change a reporting server URL.

Viewing the URL of a reporting server

You can quickly view the URL of any reporting server by using the Properties dialog box. You can also change the URL of a manually added reporting server through the Properties dialog box.

To view the URL of a reporting server
1 In the Symantec System Center console, in the left pane, under Reporting, under Reporting Servers, right-click the name of a reporting server for which you want to view the URL, and then click Properties.
2 Click OK.

Removing a reporting server

You might want to remove a reporting server from the Symantec System Center console if you no longer use the reporting server.

To delete a reporting server
- In the Symantec System Center console, in the left pane, under Reporting, right-click the name of the server that you want to delete, and then click Delete.

If the server is a manually added server, the server name is deleted from the console and you no longer have access to reporting on that server. If the server is a discovered server, the server name is deleted from the console. However, the name reappears when the Discovery Service runs again.

If you uninstall a reporting server, you must do one of the following:
- Manually associate the reporting server's primary management server with a different reporting server. Do this by pointing the primary management server to a different URL. See Viewing the URL of a reporting server on page 46.
- Remove the HKEY_LOCAL_MACHINE\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Reporting\ReportServerURL registry key from the reporting server's primary management server and then delete the reporting server from the Symantec System Center console. You must do these tasks in this order. If you delete the reporting server before you remove the registry key, the reporting server will reappear in the Symantec System Center tree the next time the Discovery Service runs.

Configuring the reporting display

You can control the following features of the reporting display and the way some information appears in reports:
- The way the date and time appear in reports and on the reporting pages.
- The automatic refresh interval for events and alerts pages. You can configure the automatic refresh time for the home page separately. See Customizing the home page on page 18.
- Whether or not active filters are included in reports.
- The parent server that determines the up-to-date virus definitions.

The general parameters apply to all user sessions for reporting. Table 4-1 describes the general parameters.

Table 4-1 General parameters for reporting display

| Parameter | Definition |
|---|---|
| Date format | Specifies the date format. |
| Date separator | Specifies the separator character to use in the date format. Appears in the reporting display as well as any reports you create. |
| Default auto refresh for logs and alerts pages | Specifies how often the reporting application should refresh. The default is never. |

Table 4-1 General parameters for reporting display (continued)

| Parameter | Definition |
|---|---|
| Display active filters in reports | Specifies whether or not to include a list of filters in the reports that you generate. |
| Parent server | Specifies the parent server on which the virus definition is considered to be up to date. A parent server only appears in the list if it has clients. |

To configure the reporting display
1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Admin tab, click GUI Configuration > General.
3 Change any of the values for the date format, auto-refresh time, and up-to-date virus definition setting for parent servers.
4 Click Save.

Configuring users

The administrator user or any user who is configured with administrator role privileges can set up users for reporting. User accounts for reporting are separate accounts from those created for Symantec System Center console. You might need to create accounts for users who log into reporting from a computer that is running only a stand-alone browser.

You can configure users with one of two roles:
- User
- Administrator

By default, the user role limits the amount of administrative information the user can see. Users who are configured with the user role do not have access to any administrative features for reporting. They cannot view information about other user accounts that are configured for reporting and they cannot view information about or specify any configuration for reporting agents.

Currently configured users are listed in a table at the bottom of the User Administration page. By default, all users appear in the list. You can modify the display to show only those users who are configured with administrative privileges or only those configured as general users.

To filter the user table

1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Admin tab, click User Administration.
3 In the Filter role list box, select Administrator or User. The display automatically refreshes with the selected list.

You can also specify that the particular user has limited access to particular reports by setting up filters for the type of information they can view. For users who are configured with the administrator role, you can set up filters so they can see only particular user groups. All of the other filters (client group, parent server, etc.) are used for users who are configured with any role.

In addition, you can temporarily disable a user account or unlock an account that is locked because a user tried three times to log into reporting unsuccessfully. If a user forgets his/her password, the administrator can reset the password on this page.

Note: You should set up at least one other administrator account so that if you forget your administrator password, you can log in through the other administrator account to change the password.

Table 4-2 lists the parameters for configuring users with access to reporting.

Table 4-2 User parameters

Option: Description
User Name: The user name for this reporting user.
Role: Whether this user has administrative privileges or user privileges. Administrative users have access to administrative features in reporting.
Server group: For users who are configured with the administrator role or the user role, you can limit access to particular server groups by specifying particular server group names and/or wildcard characters (?, *). For example, to limit access to server group names beginning with je, type je*.
Client group: For users who are configured with the user role, you can limit access to particular client groups by specifying particular client group names and/or wildcard characters (?, *). For example, to limit access to client group names ending in er, type *er.

Table 4-2 User parameters (continued)

Option: Description
Parent server: For users who are configured with the user role, you can limit access to particular parent servers by specifying particular parent server names and/or wildcard characters (?, *). For example, to limit access to the parent server names that have the string tion in them, type *tion*.
Computer: For users who are configured with the user role, you can limit access to particular computers by specifying particular computer names and/or wildcard characters (?, *). For example, to limit access to computers that are called 1machine, 2machine, 3machine, etc., type ?machine.
IP address: For users who are configured with the user role, you can limit access to particular IP addresses by specifying particular addresses and/or wildcard characters (?, *).
Message: Text appears here to confirm that you have added a new user.
Password: The user's password. The user enters this password as the old password when logging in for the first time. This parameter is required.
Confirm password: The user's password.
Real name: The user's real name.
Phone: The user's phone number.
Email: The user's address.
Disabled: Check this box to temporarily disable the user's account.
Locked: Displays whether or not the user's account is locked. By default, the account is locked after three unsuccessful logins. To unlock an account, check the box.
Days since last login: The number of days since the user last logged in.
Last login address: The IP address from which the user last logged in.

To add a new user

1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Admin tab, click User Administration.
3 In the User name text box, type a user name.
4 In the Role list box, select Administrator or User.

5 Enter the user's password and then retype the password.
6 Set any filters for the account.
7 Click Save.

The new user is added to the table at the bottom of the pane. An icon appears in the Kill session column of the display when the user is currently active.

To modify an existing user

1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Admin tab, click User Administration.
3 In the user table, click the select icon. The right pane redisplays with the user's account information. The user is highlighted in the table that appears at the bottom of the page.
4 Make any changes to the account.
5 Click Save.

To delete an existing user

1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Admin tab, click User Administration.
3 In the user table, click the delete icon.
4 In the Delete Entry warning, click OK.

Setting password rules

You can configure password rules for administrators and users. You can configure a separate set of rules for each role type.

Table 4-3 describes the options for password rules.

Table 4-3 Options for password rules

Option: Definition
Rules for role: The role to which these password rules apply.
Minimum length of password: The minimum number of characters that are required for the user's password.
Minimum number of numeric characters: The minimum number of numeric characters that must be included in the user's password.

Table 4-3 Options for password rules (continued)

Option: Definition
Minimum number of times before password can be reused: The number of times that a password must be changed before a previous password can be reused. A value of zero disables this feature. The maximum is 10.
Maximum password lifetime: The maximum number of days that a user's password is valid. After the lifetime expires, users must change their passwords. A value of zero disables this feature so that the password never expires.
Maximum number of invalid logon attempts: The number of times the user can attempt to log in before the user is locked out of reporting. A value of zero disables this feature.
Inactivity timeout: The amount of time, in seconds, that must expire during the user's session during which the user is idle before the user is automatically logged out. A value of zero disables activity timeout.
Disallow password equal to username: Check or uncheck this box to prevent or allow users to use their user name as their password.
Disable user if not used for: The number of days that must expire since the user's last login before the user is locked out of reporting. A value of zero means that the user is not locked out.
Delete user after if not used for: The number of days that must expire since the user's last login before the user is deleted from the list of reporting users. A value of zero means that the user is not deleted after a particular amount of time.
Mark user for review after: Marks the user for review. After the number of days that are specified, a red icon appears next to the user name in the user list.

To set password rules for reporting user accounts

1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Admin tab, click GUI Configuration > Password Rules.
3 In the Rules for role list box, select the role.
4 Change any of the parameters for the password rules.
5 Click Save to save the rules for the selected role.

Configuring alerts

You can create the alert conditions that determine whether notifications are sent to administrators about events in your security network.

Note: You can also create notifications to be sent if the reporting agents go down. See Specifying notification options for agents on page 92.

Creating alert configurations

To generate alerts, you create the alert configurations that are based on events that are logged by your security products. You can specify notifications to send to specified users, write information to the reporting database (alert log), or run a batch file when alert conditions are met.

You should configure the Alert Agent to send notifications using your server. You can also specify the email-from address and the reporting URL to be used in the notifications that the agent sends out. The Alert Agent configuration also specifies the name of the batch file that is executed for notifications with that option enabled. See Specifying notification parameters on page 93.

Alerts are notifications about events happening in your security network. You can configure notifications to be sent when an event occurs. The notification can be an email to an administrator. You can also send the alert notification to the reporting database to be logged in the alert log. You can specify that a batch file runs when the alert occurs.

The alerts list shows the alerts that have been sent for events in your security network. You can filter the list to make viewing the alerts easier.

You can configure several types of alert configurations. Table 4-4 describes the types of alert configurations.

Table 4-4 Types of alert configurations

Alert configuration type: Description
Virus outbreak: Sends the notifications that are based on the number of overall viruses that are found within a given time period.
Outbreak on a single computer: Sends notifications when a set number of viruses is found on a single computer.
Outbreak by # of computers: Sends notifications when a set number of computers have detected viruses.
Single virus event: Sends notifications when viruses are found on a single computer.

Table 4-4 Types of alert configurations (continued)

Alert configuration type: Description
Find new viruses: Sends notifications when new viruses are found.
New report available: Sends notifications at the start of a new day, month, or year. Notifications include a link to the full risk report.
Virus definitions out of date: Sends notifications when virus definitions are out of date for a set number of computers.

To configure an alert

1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Alerts tab, click Alert Configuration.
3 Under What type of alert would you like to manage, in the Alert type list box, select the type of alert that you want to configure.
4 Click Create Alert.

5 Under What filter settings would you like to use, set the filters for the events that trigger this alert notification. Some filters are not available depending on the type of notification you selected.

Filter: Description
Server group: Specifies particular server group names and/or wildcard characters (?, *). For example, to specify server group names beginning with je, type je* and separate each entry with a comma. By default, all server groups are included.
Client group: Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er and separate each entry with a comma. By default, all client groups are included.
Parent server: Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify the parent server names that have the string tion in them, type *tion* and separate each entry with a comma. By default, all parent servers are included.
Computer: Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, etc., type ?machine and separate each entry with a comma. By default, all computers are included.
Risk name: Specifies particular risk names and/or wildcard characters (?, *). Separate each entry with a comma. By default, all risks are included.
Risk severity: Specifies a particular risk severity. The risk categories correspond to the risk levels that are defined by Symantec Security Response. Select the category from the list box. By default, all categories are included.
Source: Specifies the source of the event. For example, a scheduled scan.
Action: Specifies the action that was taken as a result of the event.

Filter: Description
Online only: Includes only the computers that are connected to their parent server.
Checked-in today: Includes only the computers that checked in with their parent servers today.

6 Under What settings would you like for this alert, in the Alarm if text box, do one of the following:
   - In the Alarm if text box, enter the number of occurrences of the security event, then enter the number of minutes during which the occurrences happen that trigger the notification.
   - In the Alarm if new report available list box, select the type of report that triggers the alert (daily, monthly, or yearly risk report).
7 Under What should happen when this alert is triggered, check or uncheck Write alert to database to log the notification to the alerts log. This option is not available for the Single virus event or New report available alert types.
8 Check or uncheck Execute configured batch file to run the batch file you specify on the Agent Configuration page. See Specifying notification parameters on page 93.
9 In the Send to these addresses text box, type the addresses to which the notification should be sent. Separate each entry with a comma.
10 Next to Hyperlink to, select report or event list.
11 Click Save. The new alert appears in the list.

Viewing alert events

You can view the notifications that were sent out. Only those notifications that are configured with the Write alert to database option are listed in the alert events log. You can view details about any alert event. After you review the alert events log, you might want to acknowledge or unacknowledge the alerts.

You can also configure the refresh interval for the alerts log. By default, the list refreshes every 30 seconds.
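The filter and threshold settings in the alert configuration procedure above (the comma-separated ? and * wildcard entries in step 5 and the Alarm if count-within-minutes setting in step 6) can be modelled as follows. This is an added example, not Symantec's code: the Event and AlertConfig types, the constructed sample events, the sliding-window interpretation, case-insensitive matching, and resetting the window after an alert fires are all assumptions.

```python
import re
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical field names standing in for the Server group, Computer and Risk name filters.
FILTER_FIELDS = ("server_group", "computer", "risk_name")


def matches(filter_text, value):
    """True if value matches any comma-separated entry; only ? and * are wildcards."""
    entries = [e.strip() for e in filter_text.split(",") if e.strip()]
    if not entries:
        return True  # an empty filter includes everything, like the guide's defaults
    for entry in entries:
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                        for c in entry)
        if re.fullmatch(regex, value, re.IGNORECASE):  # ignoring case is an assumption
            return True
    return False


@dataclass(frozen=True)
class Event:
    time: datetime
    computer: str
    server_group: str
    risk_name: str


@dataclass
class AlertConfig:
    alert_type: str  # "virus_outbreak", "single_computer" or "by_computers"
    count: int       # number of occurrences entered in "Alarm if"
    minutes: int     # period in which the occurrences must happen
    filters: dict = field(default_factory=dict)


def _measure(alert_type, window, latest):
    if alert_type == "virus_outbreak":   # overall detections in the period
        return len(window)
    if alert_type == "single_computer":  # detections on the latest event's computer
        return sum(1 for e in window if e.computer == latest.computer)
    if alert_type == "by_computers":     # distinct computers with detections
        return len({e.computer for e in window})
    raise ValueError(f"unknown alert type: {alert_type}")


def evaluate(config, events):
    """Return the event times at which the alert condition is met."""
    span = timedelta(minutes=config.minutes)
    window, fired = deque(), []
    for ev in sorted(events, key=lambda e: e.time):
        if not all(matches(config.filters.get(f, ""), getattr(ev, f))
                   for f in FILTER_FIELDS):
            continue  # event excluded by a filter
        window.append(ev)
        while ev.time - window[0].time > span:  # drop events older than the period
            window.popleft()
        if _measure(config.alert_type, window, ev) >= config.count:
            fired.append(ev.time)
            # Assumption: counted events are consumed so one burst raises one alert.
            if config.alert_type == "single_computer":
                window = deque(e for e in window if e.computer != ev.computer)
            else:
                window.clear()
    return fired


def at(hour, minute):
    """Timestamp helper for the constructed sample data."""
    return datetime(2006, 1, 1, hour, minute)


# Constructed sample events; computer, group and risk names are invented.
SAMPLE_EVENTS = [
    Event(at(9, 0), "1machine", "jersey", "W32.Sample.A"),
    Event(at(9, 2), "2machine", "jersey", "W32.Sample.A"),
    Event(at(9, 3), "1machine", "jersey", "W32.Sample.B"),
    Event(at(9, 4), "server9", "boston", "W32.Sample.A"),
    Event(at(9, 5), "1machine", "jersey", "W32.Sample.A"),
    Event(at(9, 30), "3machine", "jersey", "W32.Sample.A"),
]

if __name__ == "__main__":
    single = AlertConfig("single_computer", count=3, minutes=10,
                         filters={"server_group": "je*", "computer": "?machine"})
    spread = AlertConfig("by_computers", count=3, minutes=5)
    print("single computer:", evaluate(single, SAMPLE_EVENTS))
    print("by # of computers:", evaluate(spread, SAMPLE_EVENTS))
```

Narrowing the Outbreak by # of computers configuration with a je* server group filter excludes server9 and the alert no longer fires, which is worth checking whenever a filter is added to an existing alert.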

If you configure the refresh interval, the interval also sets the refresh for the risk log. See Setting automatic refresh intervals on page 60.

Table 4-5 describes the settings for filtering the alerts list.

Table 4-5 Alert events settings

Setting: Description
Time range: Includes only those alert events in the selected date range. If you choose Set specific dates, the Start date and End date options must be set.
Start date: Sets the start date for the date range. Only available when you select Set specific dates for the time range.
End date: Sets the end date for the date range. Only available when you select Set specific dates for the time range.
Filter acknowledged: You can filter the log to show only acknowledged alerts or unacknowledged alerts. The default is all alerts.
Alert type: Includes only those alerts with the specified alert type.
Filter created by: Includes only those alerts based on notifications that are created by the selected user.
Limit: Specifies how many events should be included on each page of the alert log display.
Server Group: Specifies particular server group names and/or wildcard characters (?, *). For example, to specify server group names beginning with je, type je* and separate each entry with a comma. By default, all server groups are included.
Parent Server: Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify the parent server names that have the string tion in them, type *tion* and separate each entry with a comma. By default, all parent servers are included.
Computer: Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, etc., type ?machine and separate each entry with a comma. By default, all computers are included.

Table 4-5 Alert events settings (continued)

Setting: Description
Client Group: Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er and separate each entry with a comma. By default, all client groups are included.
Risk Name: Specifies particular risk names and/or wildcard characters (?, *). Separate each entry with a comma. By default, all risks are included.
Risk Severity: Specifies particular risk severities and/or wildcard characters (?, *). Separate each entry with a comma. By default, risks of all severity are included.
Source: Specifies the source of the event that triggered the alert notification. For example, a scheduled scan.
Actual Action: Includes only those alert notifications that are based on the selected action.

To view the alert events log

1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Alerts tab, click Alert Events.
3 Do one of the following:
   - Select an existing filter from the Use saved filter list box.
   - Click Advanced Settings to create a new filter for the log.
4 If you selected Advanced Settings, make any changes to the filtering options.
5 If you want to save the filter settings, click Save Filter.
6 If you want to save the filter settings to a new configuration name, in the Name text box, type a new configuration name. A message appears that the filter is saved, and the filter is listed in the Use saved filter list box.
7 Click View Alerts.

Acknowledging or unacknowledging alerts

You can acknowledge or unacknowledge alerts in the alert events log.

To acknowledge alerts

1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Alerts tab, click Alert Events.
3 Click Advanced Settings.
4 Make sure the date range is set to the desired range, and then set any other filters that you want to apply to the log display.
5 Set Filter Acknowledged to All or Acknowledged.
6 Click View Log.
7 Under Alert Events, do one of the following:
   - Click the red Acknowledge icon next to the alert that you want to acknowledge.
   - Click the icon to acknowledge all alerts that currently appear on the page.

To unacknowledge alerts

1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Alerts tab, click Alert Events.
3 Click Advanced Settings.
4 Make sure the date range is set to the desired range, and then set any other filters that you want to apply to the log display.
5 Set Filter Acknowledged to All or Not acknowledged.
6 Click View Log.
7 Under Alert Events, do one of the following:
   - Click the green Unacknowledge icon next to the alert that you want to unacknowledge.
   - Click the icon to unacknowledge all alerts that currently appear on the page.

Viewing alert event details

You can display details about events that are listed in the alert events log.

To display alert event details

1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Alerts tab, click Alert Events.
3 Configure any filters that you want to set for displaying the alert events log.
4 Click View Log. The log appears at the bottom of the page.
5 In the column to the left of the alert event for which you want to display details, click the More info icon.

Setting automatic refresh intervals

You can set the automatic refresh intervals for the following items in the reporting display:

- Home page
- Logs and alert events

The home page refresh is independent of the logs and alert events refresh value. If you change the refresh level for the home page, the setting is saved for your sessions. Other reporting users can change the refresh for their own sessions.

There is a single refresh value for risk, scan, and inventory logs as well as alert events. An administrator can set the default value. The value applies to all user sessions.

Any user can set the automatic refresh for logs and alert events by setting the refresh on any of the log pages or the alert events page. If you change the value on one page, the value is changed for all the log pages and the alert events page. The value overrides the default setting for the current user only.

To set the automatic refresh interval for the home page

1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Home tab, click Homepage Configuration.

3 In the Homepage auto-refresh text box, type the number of seconds after which you want the home page to refresh. The minimum value is 30 seconds; however, you can enter 0 to disable automatic refresh. If you enter a value between 1 and 29, the value is automatically changed to 30.
4 Click Save.

To set the global default refresh interval for alerts and events

1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Admin tab, click GUI Configuration > General.
3 Under Auto Refresh, in the Default auto refresh for events and alerts pages text box, type the number of seconds after which you want the alerts and events pages to refresh. The minimum value is 30 seconds. However, you can enter 0 to disable automatic refresh. If you enter a value between 1 and 29, the value is automatically changed to 30.
4 Click Save.

To set the automatic refresh interval for logs and alert events

1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 Do one of the following:
   - On the Alerts tab, click Alert Events.
   - On the Logs tab, click Risk Logs.
   - On the Logs tab, click Scan Logs.
   - On the Logs tab, click Inventory Logs.
3 In the Auto-refresh list box, select the automatic refresh interval. The default is Never. The page refreshes immediately and the next refresh occurs after the interval you specified.


Chapter 5 Using logs

This chapter includes the following topics:

- About logs
- Viewing logs
- Saving log configuration settings
- Viewing risk logs
- Viewing scan logs
- Viewing computer status logs
- Using events in logs

About logs

The reporting software allows you to view lists of events from your security products. It includes event data from your primary and secondary management servers as well as all the clients reporting to those servers.

You may want to view this information to troubleshoot security problems in your network or to delete the events that you no longer need. For example, if you test your servers and have phantom clients or viruses, you might want to delete these events from your logs before you run the servers in a live network. You can also export the log event data to a file for importing into a spreadsheet application or to use for restoring the events to your reporting server.

You can view three types of logs:

- Risk logs
- Scan logs

- Computer status logs

You can filter each log based on:

- An existing report that uses similar settings
- Basic settings for viewing the log
- Advanced settings for filtering the log events

If you get database errors when generating logs that include a large amount of data, you might want to change database timeout parameters. See the section called Changing timeout parameters.

If you get CGI or terminated process errors, you might want to change other timeout parameters. Information about additional timeout parameters is provided in the Symantec Knowledge Base article called "Reporting server does not report or shows a timeout error message when querying large amounts of data."

Viewing logs

You can generate a list of events from your logs that are based on a collection of filter settings you select. You can save the filter configuration to generate the log at a later date. There is a default filter configuration for each log type. You can modify and save the configuration for the default filter. You can create new filter configurations that are based on the default or on an existing configuration that you created. You can delete customized configurations if you do not need them. See Saving log configuration settings on page 65.

To view a log quickly

1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Logs tab, do one of the following:
   - Click Risk Logs.
   - Click Scan Logs.
   - Click Computer Status Logs.
3 Under What filter settings would you like to use, in the Use saved filter list box, select an existing filter or use the default.

4 Change any basic or advanced settings.
5 Click View Log. The log events appear in the lower part of the pane. You can display additional information about each event. You can also save the settings.

Saving log configuration settings

You can save your log settings so that you can generate the same log again at a later date. Your settings are saved in the reporting database. If you need to re-install the reporting server, make sure that your database information is preserved. See Restoring an MSDE reporting database on page 106.

Each filter setting is described later in this chapter.

To save a log configuration

1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Logs tab, do one of the following:
   - Click Risk Logs.
   - Click Scan Logs.
   - Click Computer Status Logs.
3 Under What filter settings would you like to use, click Advanced Settings.
4 Change any of the settings.
5 Click Save Filter.
6 In the Name box, type a name for a new filter configuration or leave the existing filter name.
7 Click Save.

To delete a log configuration

1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Logs tab, do one of the following:
   - Click Risk Logs.
   - Click Scan Logs.
   - Click Computer Status Logs.

3 In the Use saved filter box, select the name of the log configuration that you want to delete.
4 Click the Delete icon.
5 Click OK.

Viewing risk logs

The risk log includes risk events from the logs on your primary management server, any secondary servers, and their clients. You can filter the information so that only certain types of risk events appear in the display. You specify advanced filters to limit the display.

Note: Some of the options that you can select for a filter depend on the product type that you select.

You can also configure automatic refresh for the log. The automatic refresh is the same as the automatic refresh for the general reporting display if the refresh is not manually configured for the risk log or the alert log. If it is configured for the alert log, that configures the risk log and vice versa. See Setting automatic refresh intervals on page 60.

Table 5-1 shows the filter options for the risk log.

Table 5-1 Settings for risk logs

Filter: Description
Product: Specifies only the risks that are found from Symantec AntiVirus, Symantec Client Firewall, or all (both) products. The default is Symantec AntiVirus.
Time range: Sets the range of time over which risks were found to include in the log display. If you choose Set specific dates, you must set the Start date and End date options.
Start date: Sets the start date for the time range. Only available when you select Set specific dates for the time range.
End date: Sets the end date for the time range. Only available when you select Set specific dates for the time range.

Table 5-1 Settings for risk logs (continued)

Filter: Description
Event type: Specifies the type of events to include. The types of events that appear in the list depend on the setting for Product. The default is all events.
Action taken: Specifies which actions should be included in the log display. Your security products perform the actions. The types of actions that appear in the list depend on the setting for Product. The default is all actions.
Scan type: Filters the log based on events that occurred during a particular type of scan. For example, a scheduled scan or a manual scan. By default, all events from any type of scan are used for the report.
Risk type: Specifies a particular risk type (viral, trackware, spyware, hack tool, security risk, jokeware, heuristic, adware, remote access, non-viral malicious code, or dialer). By default, all risk types appear in the log.
Risk Severity: Filters the log by risks with particular severity. Severity is defined in five categories as follows: unknown; 1 is very low; 2 is low; 3 is moderate; 4 is severe; and 5 is very severe. For more details about severity, see the Symantec Security Response Web site. By default, risks of all severity are included.
Server group: Specifies particular server group names and/or wildcard characters (?, *). For example, to specify server group names beginning with je, type je* and separate each entry with a comma. By default, all server groups are included.
Client group: Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er and separate each entry with a comma. By default, all client groups are included.
Parent server: Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify the parent server names that have the string tion in them, type *tion* and separate each entry with a comma. By default, all parent servers are included.
Computer: Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, etc., type ?machine and separate each entry with a comma. By default, all computers are included.

Table 5-1 Settings for risk logs (continued)

Filter: Description
IP address: Specifies particular IP addresses and/or wildcard characters (?, *). Separate each entry with a comma. By default, all IP addresses are included.
User: Specifies particular users and/or wildcard characters (?, *). Separate each entry with a comma. By default, all users are included.
Risk name: Specifies particular risk names and/or wildcard characters (?, *). Separate each entry with a comma. By default, all risks are included.
Limit: Specifies how many events should be included on each page of the log display.
Sort order: Specifies the sort order for columns in the log display. Each column can be sorted in ascending or descending order.

To view risk logs

1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Logs tab, click Risk Logs.
3 Under What filter settings would you like to use, click the product for which you want to view risk events.

4 If you want to use a saved filter, select the filter from the Use saved filter list box.
5 In the Time range list box, select the range for which you want to view risk events. If you select Set specific dates, select the start date and the end date for the range.
6 If you want to use additional filters on the display, click Advanced Settings.
7 Configure any filters you want to use for the display. You can save the current settings. See Saving log configuration settings on page 65.
8 Click View Log.

Viewing scan logs

The scan log includes scan events from the logs on your primary management server, any secondary server, and their clients. You can filter the information so that only certain types of scan events appear in the display. You can also specify advanced filters to limit the display.

Table 5-2 shows the filter options for scan logs.

Table 5-2 Settings for scan logs

Filter: Description
Time range: Sets the range of time for which scan events are included in the display. If you choose Set specific dates, you must set Start date and End date.
Start date: Sets the start date for the time range. Only available when you select Set specific dates for the time range.
End date: Sets the end date for the time range. Only available when you select Set specific dates for the time range.
Duration greater than: Includes only the scan durations that exceed this value.
Files scanned greater than: Limits the data to scans that scanned a number of files greater than this value.
Risks greater than: Limits the data to scans that found a number of risks greater than this value.
Files infected greater than: Limits the data to scans that found a number of infections greater than this value.
Scan start message: Includes only those events with the selected scan message.
Status: Specifies whether to include all scans, only completed scans, or only cancelled scans in the report.
Limit: Specifies how many events should be included on each page of the log display.
Server group: Specifies particular server group names and/or wildcard characters (?, *). For example, to specify server group names beginning with je, type je* and separate each entry with a comma. By default, all server groups are included.
Client group: Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er and separate each entry with a comma. By default, all client groups are included.
Parent server: Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify the parent server names that have the string tion in them, type *tion* and separate each entry with a comma. By default, all parent servers are included.

Table 5-2 Settings for scan logs (continued)

Filter: Description
Computer: Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, etc., type ?machine and separate each entry with a comma. By default, all computers are included.
IP address: Specifies particular IP addresses and/or wildcard characters (?, *). Separate each entry with a comma. By default, all IP addresses are included.
User: Specifies particular users and/or wildcard characters (?, *). Separate each entry with a comma. By default, all users are included.
Sort order: Specifies the sort order for columns in the log display, either ascending or descending.

To view scan logs
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page
2 On the Logs tab, click Scan Logs.
3 Under What filter settings would you like to use, in the Use saved filter list box, select an existing filter or use the default filter.
4 In the Time range list box, select the time period over which you want to view scan events.
5 If you want to use additional filters on the display, click Advanced Settings.
6 Configure any filters you want to use for the display. You can save the current settings. See Saving log configuration settings on page
7 Click View Log. The event data appears at the bottom of the pane.

Viewing computer status logs

The computer status log includes status (or inventory) information about computers in your security network.

You can filter the information so that only certain types of client status events appear in the display. You can also specify advanced filters to limit the display.

Computer status logs show the computers that are infected in your network. These computers require manual attention. For example, you might have to download a tool from the Symantec Web site to clean a particular risk. After you manually clean computers, you can change the infected status by using the computer status log. See Administering daily workflow to eliminate risks on page 112.

Table 5-3 describes the settings for computer status logs.

Table 5-3 Settings for computer status logs

Filter: Description
Time range: Sets the range of time over which risks were found to include in the log display. If you choose Set specific dates, you must set Last checkin time.
Last checkin time: The last time that the computer checked in with its parent server. Only available when you select Set specific dates for the time range.
Definition date: Includes only those computers with this particular virus definition date.
Antivirus product version: Includes only those computers with this Symantec AntiVirus product version.
Antivirus scan engine version: Includes only those computers with this Scan Engine version.
Firewall version: Includes only those computers with this Symantec Client Firewall version.
Firewall policy file: Includes only those computers with this firewall policy name.
Online: Includes all computers, only those computers that are connected to their parent servers, or only those computers that are not connected to their parent servers.
Auto-Protect status: Includes computers with any Auto-Protect status, or only those computers with Auto-Protect enabled, disabled, or status unknown.
Limit: Specifies how many events should be included on each page of the log display.
Server group: Specifies particular server group names and/or wildcard characters (?, *). For example, to specify server group names beginning with je, type je* and separate each entry with a comma. By default, all server groups are included.

Table 5-3 Settings for computer status logs (continued)

Filter: Description
Client group: Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er and separate each entry with a comma. By default, all client groups are included.
Parent server: Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify the parent server names that have the string tion in them, type *tion* and separate each entry with a comma. By default, all parent servers are included.
Computer: Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, etc., type ?machine and separate each entry with a comma. By default, all computers are included.
IP address: Specifies particular IP addresses and/or wildcard characters (?, *). Separate each entry with a comma. By default, all IP addresses are included.
User: Specifies particular users and/or wildcard characters (?, *). Separate each entry with a comma. By default, all users are included.
Infected only: Specifies only computers with infections.
Sort order: Specifies the sort order for columns in the log display, either ascending or descending.
View: Displays the Symantec AntiVirus version or the Symantec Client Firewall version in the report.
Computer type: Includes only parent servers or only primary management servers. The default is both (all).

To view computer status logs
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page
2 On the Logs tab, click Computer Status Logs.
3 Under What filter settings would you like to use, in the Use saved filter list box, select an existing filter or use the default filter.
4 If you want to use additional filters on the display, click Advanced Settings.

5 Configure any filters you want to use for the display. You can save the current settings. See Saving log configuration settings on page
6 Click View Log.

Using events in logs

You can display event details from logs. In addition, you can export the log data into several different formats. You can also delete log entries.

Displaying event details

You can display details about the events that are listed in the logs.

Note: If the Log Sender Agent is configured to discard security risk action events, the side effects table in the event detail window will not display any data. See Reducing the volume of security risk events sent to the reporting server on page 91.

Figure 5-1 shows a sample event detail window.

Figure 5-1 Sample event detail window

To display event details
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page
2 On the Logs tab, do one of the following:
  Click Risk Logs.

  Click Scan Logs.
  Click Computer Status Logs.
3 Under What filter settings would you like to use, in the Filter list box, select an existing filter or use the default.
4 Change any basic or advanced settings.
5 Click View Log. The log appears at the bottom of the page.
6 In the event column, next to the event for which you want to view events, click the More info icon.

Exporting log events

You can export your event logs in two formats (delimited or Log Reader). You might want to view your log data in a spreadsheet application. The delimited format exports the log to a file spreadsheet applications can read. You also might want to export your logs before you delete any log records. The Log Reader format option allows you to reinsert event data into the reporting database without having to do a database restore.

To export logs
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page
2 On the Logs tab, do one of the following:
  Click Risk Logs.
  Click Scan Logs.
  Click Computer Status Logs.
3 Change any basic or advanced settings.
4 Click View Log.
5 Click Export this log.

6 Select the export option.

  Option: Definition
  Delimited format: Delimited format exports the event data into information that is separated by a special character such as a comma or a semicolon. You can then import information in this format into a spreadsheet application such as Microsoft Excel.
  Log Reader format: This format can be read by the Log Reader Agent. If you export events in this format, you can then copy the file to the following directory on your reporting server: \Program Files\Symantec\Reporting Server\Upload. The Log Reader Agent will process the event data the next time it runs.

  If you selected Delimited format, type the special character in the field separator text box.
7 Click Export. The Export Event Data message appears in a new window. The message indicates the location of the file that you exported. The exported file is located in \Program Files\Symantec\Reporting Server\Web\Temp.
8 Click Close window to close the Export Event Data window.

Deleting log events

You can delete events from your logs. Typically you would only delete events if you are running test data in your network. Before you delete, make sure you back up the event data by exporting the data first. See Exporting log events on page 76.

To delete log events
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page
2 On the Logs tab, do one of the following:
  Click Risk Logs.
  Click Scan Logs.
  Click Computer Status Logs.

3 Under What filter settings would you like to use, in the Filter list box, select an existing filter or use the default.
4 Change any basic or advanced settings.
5 Click View Log. The log appears at the bottom of the page.
6 Do one of the following:
  Check the boxes next to the individual events that you want to delete out of the log.
  Click Select All to select all events that are displayed on the page. Only the displayed events are selected for deletion. You can click Select None to deselect all of the selected items.
7 Click the right arrow to display any additional events to select for deletion.
8 Click Delete selected entries.
9 Click OK. All of the events you selected are deleted from the reporting database. These events no longer appear in the log if you display it again. The events also do not appear in any reports that you generate.

Chapter 6 Configuring reporting agents

This chapter includes the following topics:
  About reporting agents
  Configuring reporting agents
  Specifying notification parameters
  Specifying notification parameters for the disk full check
  Using agent logs
  Registry keys for agent configuration

About reporting agents

The reporting software collects events from computers in your security network through its agent service. The agent service is comprised of several components for collecting and sending events to the reporting server. Some of the agents reside on the reporting server and other agents reside on the primary management server. If you use reporting in an environment where your reporting server and your primary management server are the same computer, all of the agents reside on a single computer.

If you have secondary servers in your security environment, and you want to collect computer status (inventory) events from those servers, you must install the reporting agents on those servers. For information about installing reporting agents, see the Symantec Client Security Installation Guide or the Symantec AntiVirus Installation Guide.

Table 6-1 describes the reporting agents.

Table 6-1 Reporting agents

Agent: Description
Log Reader (Computer Status): The Log Reader Agent for computer status runs on the reporting server and processes the inventory files sent from the Computer Status Agents. The inventory files contain state information about parent servers and clients. Typically, you do not need to change the polling frequency for the Log Reader (Computer Status).
Log Reader (Events): The Log Reader Agent for events runs on the reporting server and processes the events that are contained in the log files sent from the Log Sender Agents. If you change the polling frequency for the Log Reader (Events), you might lose performance because if the Log Sender has posted a large volume of events, the agent processing time might take longer than the configured polling frequency.
Alert Agent: The Alert Agent runs on the reporting server and checks the status of other agents and sends out notifications if those agents have been configured for notifications. The agent also monitors the disk space available to the reporting database. If the current free disk space on the reporting server falls below 100 MB, the Alert Agent logs an alert in the database and sends out notifications. You can change the 100 MB default on the Agent Notification page.
Scheduled Reporting Agent: The Scheduled Reporting Agent runs on the reporting server and tracks the number of clients per particular virus definition version. The agent also creates the scheduled reports that you configure as well as a default scheduled report for monitoring the rollouts of virus definitions to computers in your network. You might want to increase or decrease the check-in interval for this agent to increase or decrease the amount of time to update virus definitions statistics for your security network.
Virus Category Agent: The Virus Category Agent runs on the reporting server. It monitors the Symantec Security Response Web site for information about risks. The information it collects includes the ThreatCon level, the severity of the risks (categories 1 through 5), and when risks were discovered.
Database Maintenance: The Database Maintenance Agent runs on the reporting server and deletes old records and compresses duplicate events at particular intervals. The agent performs maintenance on log files, events, compressed events, alerts, the clients that have not checked in, the clients that have been removed or renamed, old virus definitions history records, scans, unused virus definitions records, EICAR events, and inactive users. See Configuring the reporting database maintenance agent on page 102.

Table 6-1 Reporting agents (continued)

Agent: Description
Database Backup: The Database Backup Agent runs on the reporting server and creates backup files of database records. The file is located in the \Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\Backup\BACKUP_<date>_<time>. You might want to change the interval between backups depending on the amount of data in the database. For example, if you have large amounts of data, you might want to schedule backups more frequently. You might also have auditing requirements in your organization that require database backups at particular intervals. See Configuring the reporting database backup options on page 104.
Log Sender: The Log Sender Agent runs on primary management servers and collects information about events from the log files of your security products. The agent detects the location of the log files from the ALLUSERSPROFILE environment variable. Typically the location of the log files is \..\Application Data\Symantec\Symantec Antivirus Corporate Edition\7.5\logs. The Log Sender Agent also aggregates virus and firewall events and keeps a count of the number of duplicate instances of the same event. You can configure the amount of time that the Log Sender waits before it sends the aggregated record to the reporting server. You can also turn off aggregation by setting Aggregate redundant events every to 0. See Configuring event aggregation on page 89.
Computer Status: The Computer Status Agent runs on parent servers and secondary servers and collects state information about parents and clients. The agent collects the state information in an inventory file and uploads the file to the reporting server.

Configuring reporting agents

An administrator (or any user who is configured with administrator privileges) can configure how often each reporting agent runs.
When an agent runs, it collects information from the reporting server, primary management server, secondary management server, and client computers in your security network. The reporting function then uses this information when you generate reports. You can also configure notifications to be sent by when any of the agents have not completed a successful run after a certain amount of time has lapsed. (Notifications are not sent if the Alert Agent is down since the Alert Agent is responsible for sending notifications.) The administrator can also check the agent status and configure how often the agents are scheduled to run. In addition, an administrator can configure logging and tracing for agents to help troubleshoot any problems with the agents running.

Agent scheduling and status checking

The agents run based on a default schedule for each agent, which you can change. The reporting software checks every minute for each agent's next run time, which is configurable. If the agent's next run is now or in the past, the agent runs immediately and then follows its configured polling frequency. The reporting software then automatically calculates the next run time by adding the frequency value to the current time. Agent status is considered to be up, or running, when it follows its scheduled run time.

In addition to the agent's frequency and next run time, each agent also has a configurable Warn after period. The agent status is considered to be down, or not running, when the current time minus the agent's Warn after period is later than the last run time. For example, if the current time is 10:00, and the Warn after period is 30 minutes, if the last run time for the agent is earlier than 9:30, the reporting software declares that the agent is down. A red icon next to the agent name on the Agent Status page indicates that the agent is down.

If you see that an agent is down, you should check the following:
  The configuration of the agent's scheduling and status checking parameters
  The agent logs

In addition, the Alert Agent periodically runs on its own schedule and determines when to send out a notification that an agent is down. When the Alert Agent runs, it makes the status calculation for each agent (the current time minus each agent's Warn after period). If the calculated time is later than the last run time for a particular agent, the Alert Agent sends out notifications for that agent. If you want to make sure that notifications are sent right away when an agent is down, you should configure the Alert Agent's frequency to be a short period of time so it picks up an agent's down status right away.
The Alert Agent is also responsible for sending out notifications about your security products. Note: If the Alert Agent itself is down, notifications are not sent out. See Configuring alerts on page 52. Typically you should use the default values provided for the agent scheduling. However, you might want to change these values depending on the requirements of your security network.

Note: If you have log files with a large number of events, the Log Sender Agent's initial run might take longer than its scheduled frequency.

You can also disable an agent and prevent it from running if you want to troubleshoot a problem with an agent.

Table 6-2 shows a summary of the agents' scheduling and status checking parameters.

Table 6-2 Agent scheduling and status checking parameters

Parameter: Description
Run every: The frequency, or how often, the agent runs. The reporting software adds this value to the current time automatically to calculate the next run time. You can also change the next run time by specifying the Regularly scheduled next run. You configure the frequency for each agent through the Agent Configuration page.
Next run: The next time the agent will run. This time is automatically calculated by the reporting software by adding the frequency to the current time. You configure the next run time for each agent through the Agent Configuration page.
Warn after: The amount of time the reporting software subtracts from the current time to determine whether an agent is down. If the calculated time is later than the agent's last run time, the agent is considered down. You configure the Warn after time for each agent through the Agent Notification page.

Note: The combined polling frequency of the Log Reader, Log Sender, and the reporting interface are responsible for the event data you view in reports. Typically, you should not change the default values.

Checking agent status

You can check the status of local agents on the reporting server as well as the remote agents that are installed on the primary and secondary management servers. For the local agents on the reporting server, on the Agent Status page in the reporting pane, a green icon appears next to agents that are up. A red icon appears next to agents that are down.

Note: Depending on how you configure the agent's frequency and the Warn after period, an agent's status on the Agent Status page might not reflect its current state. In addition, the remote agent status in the Symantec System Center console is not available until the remote agents have completed their initial runs.

Make sure you do not configure the agent's schedule to be a greater value than the agent's status checking. (The status checking value is the Warn after value on the Agent Notification page.) For example, if you set the Log Sender Agent to run every two hours, but configure the Log Sender's Warn after value to be one hour, the Agent Status page shows the Log Sender agent as down when actually you have configured it not to run.

A red icon might appear next to agents for the following reasons:
  The agent did not run at its scheduled time. For example, if the agent service was stopped or the computer on which it is installed went down. If you restore your reporting database, the agent service stops automatically and you must restart it.
  The agent's polling cycle exceeds the agent's status checking (Warn after) value.
  The agent is running and fails, and the Warn after period expires. Before the Warn after period expires, the agent is considered up and the icon on the Agent Status page is green. After the Warn after period expires, the icon turns red to indicate the agent is considered down. Any notifications you have configured are sent out.
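The status rules in this section, worked through as an added example (it is not Symantec's code): it applies the Run every, Next run and Warn after calculations to constructed agent values, flags a schedule that is longer than its Warn after period, and derives the longest wait before a notification from the Alert Agent's frequency. The class, the function names and all sample times are assumptions made for illustration.

```python
from datetime import datetime, timedelta


class Agent:
    """One agent as configured on the Agent Configuration and Agent Notification pages."""

    def __init__(self, name, run_every, warn_after, last_run, next_run):
        self.name = name
        self.run_every = run_every    # "Run every" polling frequency
        self.warn_after = warn_after  # "Warn after" status-checking period
        self.last_run = last_run
        self.next_run = next_run


def scheduler_tick(agent, now):
    """The once-a-minute check: run if Next run is now or in the past,
    then set Next run to the current time plus the frequency."""
    if agent.next_run <= now:
        agent.last_run = now
        agent.next_run = now + agent.run_every
        return True
    return False


def is_down(agent, now):
    """Down when (current time - Warn after) is later than the last run time."""
    return now - agent.warn_after > agent.last_run


def false_down_window(agent):
    """Time in each polling cycle that a healthy agent shows a red icon
    because its Run every value is greater than its Warn after value."""
    return max(agent.run_every - agent.warn_after, timedelta(0))


def worst_case_notice(agent, alert_agent):
    """Longest time from an agent's last good run to a notification: Warn after
    must expire, then the Alert Agent must reach its own next run. Derived from
    the rules above; the one-minute scheduler granularity is ignored."""
    return agent.warn_after + alert_agent.run_every


def audit(agents, alert_agent, now):
    """Return ({agent name: (verdict, worst-case notice)}, alert_agent_is_up).
    If the Alert Agent itself is down, no notifications are sent at all."""
    report = {}
    for a in agents:
        if false_down_window(a) > timedelta(0):
            verdict = "MISCONFIGURED"  # red icon expected even when healthy
        elif is_down(a, now):
            verdict = "DOWN"
        else:
            verdict = "UP"
        report[a.name] = (verdict, worst_case_notice(a, alert_agent))
    return report, not is_down(alert_agent, now)


def minutes(n):
    return timedelta(minutes=n)


# Constructed sample values (not product defaults), evaluated at 10:00.
NOW = datetime(2006, 1, 1, 10, 0)
ALERT = Agent("Alert Agent", minutes(5), minutes(30), NOW - minutes(2), NOW + minutes(3))
AGENTS = [
    # Last run 9:29 with a 30-minute Warn after: the guide's "down" case.
    Agent("Log Reader (Events)", minutes(10), minutes(30), NOW - minutes(31), NOW - minutes(21)),
    # Runs every two hours but Warn after is one hour: the guide's false alarm.
    Agent("Log Sender", minutes(120), minutes(60), NOW - minutes(30), NOW + minutes(90)),
    Agent("Computer Status", minutes(1), minutes(30), NOW - minutes(1), NOW),
]

if __name__ == "__main__":
    report, alert_up = audit(AGENTS, ALERT, NOW)
    for name, (verdict, notice) in report.items():
        print(f"{name:22} {verdict:14} notification within {notice}")
    print("Alert Agent up:", alert_up)
```

An agent flagged MISCONFIGURED generates down notifications that do not indicate a failure, so fix the schedule or the Warn after value before trusting the red icon for that agent.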

To check the status of the local agents
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page
2 On the Admin tab, click Agent Status.

A remote agent might not check in with the reporting server for many reasons, including the following:
  The computer on which the agent is running is down.
  The agent might be installed incorrectly.

To check the status of the remote agents
1 In the Symantec System Center console, in the left pane, click the server or server group name for which you want to see agent status.
2 In the toolbar, click the reporting icon.
3 Click OK.

Specifying scheduling options for agents

Typically, you do not need to configure scheduling options for the agents that have polling frequencies in minutes. For the agents that poll on a daily or weekly basis, such as the Database Maintenance Agent, you might want to configure the run time so they poll on the time or day you select.

Note: When you first install reporting, you might want to set the Log Sender and Log Reader Agents to poll every minute so that their status appears on the Agent Status page. Otherwise, the agent status will not be accurate until the agents run (the default schedule is 10 minutes).

You can force the Log Reader, Log Sender, and Computer Status Agents to run immediately by using an option in the Symantec System Center console. In Run Now mode, these agents run continually for five minutes. After five minutes, each agent returns to its scheduled mode. You can also disable event aggregation on the Log Sender Agent.

To specify scheduling options for local agents
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page
2 On the Admin tab, click Agent Configuration.
3 Under the Change column, next to the agent for which you want to change the scheduled run time, click the icon.
4 Do one or both of the following:

  Next to Run every, in the text box, type the wanted number, and then in the list box, select minutes, hours, days, weeks, or months for scheduling the agent.
  Next to Next run, in the selection drop-down boxes, select the hour and minute to start the next agent run.
5 Click Save.

To specify scheduling options for remote agents
1 In the Symantec System Center console, in the left pane, under System Hierarchy, right-click the server for which you want to configure agent scheduling.
2 Click All Tasks > Reporting Configuration > Configure Report Agents.
3 Under Computer Status, in the Scan Inventory every text box, type the number of minutes after which the Computer Status Agent should check the status of the server and its clients. The default is 1 minute.
4 If you configure the remote agents on a primary management server, under Log Sender, in the Process logs every box, type the number of minutes after which the Log Sender Agent should scan logs for events. The default is 10 minutes.
5 Click OK.

To run the Log Sender, Computer Status, and Log Reader Agents immediately
1 In the Symantec System Center console, in the left pane, under System Hierarchy, right-click the server for which you want to run the Log Sender and Log Reader Agents immediately.
2 Click All Tasks > Reporting Configuration > Run Now. The Log Sender and Log Reader Agents run immediately. After the agents run and update the reporting server with the latest log information, the agents return to their previous scheduling. If the schedule indicates the agent should have already run, it runs immediately and then follows its next scheduled run time.

Disabling an agent

You can prevent a local agent from running by disabling it. (You cannot disable the remote agents.) For example, if you are running your own database maintenance scripts you might want to disable the Database Maintenance Agent.
Or, you might not want to use the Alert Agent if you do not configure alerts for events in your security network.

Note: If you disable the Log Reader (for computer status or events), your reports will not be accurate.

To disable an agent
1 Select the reporting server and make sure you are logged in. See Logging into reporting on page
2 On the Admin tab, click Agent Configuration.
3 For the agent that you want to disable, click the Edit icon.
4 Check Disable Agent.
5 If a warning dialog appears, click OK.
6 Click Save.

Configuring event aggregation

You can determine how long the Log Sender Agent waits before aggregating redundant virus and firewall events. The default is five minutes. The Log Sender Agent sends the first occurrence of a virus or firewall event to the reporting server. During the specified amount of time, any other similar event is not sent to the reporting server. After the specified amount of time, the Log Sender Agent sends an event that includes a count of the number of the same events that occurred during the wait period.

Note: The first occurrence of the event includes the location of the affected file. The event that includes the aggregation count includes this location only. If the virus has infected files in different locations, and you want to know what the locations are, check the log file on the affected computer.

You might want to increase the amount of time the agent waits before aggregating events if you have an outbreak situation in your security network. In an outbreak situation you have many aggregated events if the agent aggregates events every minute. Fewer aggregated events save network bandwidth and require less space in the reporting database. If you want to make sure that you see every instance of the same event, you can disable aggregation.
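A model of the aggregation behavior described above, added here as an example (it is not the Log Sender Agent's code): it shows which records reach the reporting server for a given wait period and which file locations then exist only in the log on the affected computer. It assumes that "similar" means the same computer and risk name, that the aggregated count covers only the suppressed events, and that no aggregated record is sent when nothing was suppressed; the function names and the sample events are constructed.

```python
from datetime import datetime, timedelta


def forward(events, window_minutes):
    """Return the records forwarded to the reporting server for time-ordered
    (time, computer, risk, path) events under the given wait period."""
    sent = []
    if window_minutes == 0:  # a value of 0 disables aggregation
        for t, computer, risk, path in events:
            sent.append({"time": t, "computer": computer, "risk": risk,
                         "path": path, "count": 1, "aggregate": False})
        return sent

    window = timedelta(minutes=window_minutes)
    open_windows = {}  # (computer, risk) -> state of the current wait period

    def flush(now):
        # Close every wait period that has ended and send its aggregated record.
        for key in [k for k, w in open_windows.items() if w["end"] <= now]:
            w = open_windows.pop(key)
            if w["suppressed"]:  # assumption: nothing is sent for a count of 0
                sent.append({"time": w["end"], "computer": key[0], "risk": key[1],
                             "path": w["first_path"],  # first location only
                             "count": w["suppressed"], "aggregate": True})

    for t, computer, risk, path in events:
        flush(t)
        key = (computer, risk)
        if key in open_windows:
            open_windows[key]["suppressed"] += 1  # held back, only counted
        else:
            # First occurrence: sent immediately with its file location.
            sent.append({"time": t, "computer": computer, "risk": risk,
                         "path": path, "count": 1, "aggregate": False})
            open_windows[key] = {"end": t + window, "first_path": path,
                                 "suppressed": 0}
    flush(datetime.max)
    sent.sort(key=lambda r: r["time"])
    return sent


def unreported_paths(events, sent):
    """File locations that appear in no forwarded record; these have to be
    read from the log file on the affected computer."""
    seen = {r["path"] for r in sent}
    return sorted({path for _, _, _, path in events} - seen)


def at(minute):
    return datetime(2006, 1, 1, 10, minute)


# Constructed sample events: one risk found in several locations on PC01.
EVENTS = [
    (at(0), "PC01", "Sample.Risk", r"C:\Temp\a.exe"),
    (at(1), "PC01", "Sample.Risk", r"C:\Temp\b.exe"),
    (at(1), "PC02", "Sample.Risk", r"C:\Users\e.exe"),
    (at(2), "PC01", "Sample.Risk", r"C:\Docs\c.exe"),
    (at(7), "PC01", "Sample.Risk", r"C:\Docs\d.exe"),
]

if __name__ == "__main__":
    for wait in (0, 5, 60):
        sent = forward(EVENTS, wait)
        print(f"wait={wait:2} min: {len(sent)} records sent, "
              f"locations not reported: {unreported_paths(EVENTS, sent)}")
```

During an investigation, treat an aggregated record as a pointer to the affected computer's local log rather than as a complete list of infected files.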

To configure event aggregation
1 In the Symantec System Center console, in the left pane, under System Hierarchy, right-click the primary management server on which the Log Sender Agent is running.
2 Click All Tasks > Reporting Configuration > Configure Reporting Agents.
3 Under Log Sender, in the Aggregate redundant events every box, type the number of minutes the Log Sender Agent should wait before aggregating redundant virus and firewall events. The range of values is 0 minutes to 60 minutes. To disable aggregation, set the value to 0.
4 Click OK.

Configuring the language option for the Log Sender and Computer Status Agents

When the Log Sender and Computer Status Agents read logs and interpret computer status information, they detect the language that is used by the operating system on the parent server automatically. If you have a mixed environment, however, where the parent server uses English and any of the clients that are connected to that parent server use a different language, you should specify the language of the clients that are connected to the parent server. Otherwise, the information you see in the logs and reports might be garbled.

You can specify the language option during the reporting server installation or during reporting agent installation on a remote computer. See the Symantec Client Security Installation Guide or the Symantec AntiVirus Installation Guide.

You can specify the following languages:
  Latin 1
  Japanese
  Korean
  Hungarian or Polish
  Russian
  Simplified Chinese
  Traditional Chinese

The Reporting Agents Options dialog box contains the complete list of Latin 1 languages.

To configure the language option for the Log Sender and Computer Status Agents
1 In the Symantec System Center console, in the left pane, under System Hierarchy, right-click the parent server.
2 Click All Tasks > Reporting Configuration > Configure Reporting Agents.
3 Under Language, in the list box, select the language of the clients that report to the selected parent server.
4 Click OK.

Reducing the volume of security risk events sent to the reporting server

By default, the Log Sender Agent sends security risk action events to the reporting server. If your security network experiences a large volume of security risks, you might have a large volume of events forwarded to the reporting server. To reduce the volume of events, you can prevent the Log Sender Agent from sending events about actions taken on security risks. Events about security risk occurrences are still sent to the server, but events about the actions taken (side effects) as a result of those security risks are not sent.

If you prevent the Log Sender Agent from sending security risk action events to the reporting server, the event detail window for a security risk event will not show any actions. See Displaying event details on page 74.

To prevent the Log Sender Agent from sending security risk action events to the reporting server
1 In the Symantec System Center console, in the left pane, under System Hierarchy, right-click the parent server.
2 Click All Tasks > Reporting Configuration > Configure Reporting Agents.
3 Under Log Sender, check Discard security risk action events.
4 Click OK.

Configuring proxy settings for the Virus Category Agent

The Virus Category Agent retrieves information from the Symantec Web site. You should configure proxy settings for the Virus Category Agent if your reporting server is installed on a computer that uses a proxy server to access the Internet.

To configure proxy settings for the Virus Category Agent

1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Admin tab, click Agent Configuration.
3 Click the Edit icon next to the Virus Category Agent.
4 Under What proxy settings would you like, do the following:
  In the HTTP proxy box, type the name of the proxy server in the format <DNS name>:<port number>.
  In the Proxy user box, type the user ID that has access to the proxy server.
  In the Proxy password box, type the password for the user ID that has access to the proxy server.
5 Click Save.

Specifying notification options for agents

You might want to configure the notifications that can be sent to administrators who are responsible for monitoring your security network. Notifications alert the users that an agent is down. An agent might be down because a computer is down, or because an agent was installed incorrectly. An agent could also be down because of a misconfiguration of agent parameters.

In addition to specifying notifications for agents, you can also specify notifications to be sent when the Disk Full limit is reached (100 MB). The Disk Full limit is the amount of free disk space available on the reporting server. If the free disk space falls below 100 MB, the Log Sender and Computer Status Agents cannot upload files to the reporting server.
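The two conditions behind these notifications, an agent whose last run time is older than its Warn after interval and free disk space below the 100 MB Disk Full limit, can be checked independently as in the following added example, which is not code from the guide or from the product. The field names, sample addresses, and timestamps are constructed, and it assumes that an unchecked Enable response means no recipients are notified and that 1 MB is 1024 * 1024 bytes.

```python
"""Added example: agent-down and Disk Full checks modelled on the guide's settings."""
import shutil
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# The guide states a 100 MB Disk Full limit; 1 MB = 1024 * 1024 bytes is an assumption.
DISK_FULL_LIMIT_BYTES = 100 * 1024 * 1024
# Units offered by the Warn after drop-down menu.
UNIT_SECONDS = {"minutes": 60, "hours": 3600, "days": 86400}


@dataclass
class AgentRule:
    """One agent's notification settings (field names are hypothetical)."""
    agent: str
    warn_after: int
    unit: str
    enable_response: bool = True
    notify: str = ""          # comma-separated recipient addresses


@dataclass
class Alert:
    subject: str
    reason: str
    recipients: list = field(default_factory=list)


def parse_recipients(value):
    """Split a comma-separated recipient field, dropping blanks and stray spaces."""
    return [addr.strip() for addr in value.split(",") if addr.strip()]


def warn_interval(rule):
    """Convert the Warn after value and unit into a timedelta, rejecting bad input."""
    if rule.unit not in UNIT_SECONDS:
        raise ValueError(f"unknown unit for {rule.agent}: {rule.unit!r}")
    if rule.warn_after <= 0:
        raise ValueError(f"warn_after must be positive for {rule.agent}")
    return timedelta(seconds=rule.warn_after * UNIT_SECONDS[rule.unit])


def free_disk_bytes(path):
    """Free space on the volume holding path, for use as free_bytes below."""
    return shutil.disk_usage(path).free


def evaluate(rules, last_runs, free_bytes, now, disk_notify=""):
    """Return an Alert for every agent considered down and for a Disk Full condition."""
    alerts = []
    for rule in rules:
        interval = warn_interval(rule)
        last_run = last_runs.get(rule.agent)
        if last_run is None:
            reason = "no run recorded"   # never ran: treated as down
        elif now - last_run > interval:
            reason = (f"last run {last_run.isoformat()} is older than "
                      f"{rule.warn_after} {rule.unit}")
        else:
            continue                     # agent ran within its interval
        recipients = parse_recipients(rule.notify) if rule.enable_response else []
        alerts.append(Alert(rule.agent, reason, recipients))
    if free_bytes < DISK_FULL_LIMIT_BYTES:
        alerts.append(Alert("Disk Full",
                            f"{free_bytes} bytes free, below {DISK_FULL_LIMIT_BYTES}",
                            parse_recipients(disk_notify)))
    return alerts


# Constructed sample data: agent names come from the guide, everything else is made up.
NOW = datetime(2006, 6, 1, 12, 0)
RULES = [
    AgentRule("Log Sender Agent", 30, "minutes", True,
              "soc@example.com, oncall@example.com"),
    AgentRule("Computer Status Agent", 2, "hours", True, "soc@example.com"),
    AgentRule("Virus Category Agent", 1, "days", False, "soc@example.com"),
    AgentRule("Alert Agent", 15, "minutes"),   # only Warn after is set for this agent
]
LAST_RUNS = {
    "Log Sender Agent": NOW - timedelta(minutes=10),     # within 30 minutes
    "Computer Status Agent": NOW - timedelta(hours=3),   # older than 2 hours
    "Virus Category Agent": NOW - timedelta(days=2),     # older than 1 day
    # "Alert Agent" has no recorded run
}


def demo():
    """Evaluate the constructed data with 80 MB free on the reporting server."""
    return evaluate(RULES, LAST_RUNS, free_bytes=80 * 1024 * 1024, now=NOW,
                    disk_notify="soc@example.com")


if __name__ == "__main__":
    for alert in demo():
        print(alert.subject, "|", alert.reason, "|", ", ".join(alert.recipients))
```

In live use, pass `free_disk_bytes(path)` for the volume that receives the uploaded files and take last run times from whatever record of agent activity you keep.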

To specify notifications for a local or remote agent

1 Select the reporting server and make sure you are logged in. See Logging into reporting.
2 On the Admin tab, click Agent Notification.
3 Under the Edit column, next to the agent for which you want to configure notifications, click the Edit icon.
4 Under What notification settings would you like, next to Warn after, type the value in the text box, and then in the drop-down menu select minutes, hours, or days to wait after the last run time to declare that the agent is down.
5 For any agent except the Alert Agent, do the following:
  Check or uncheck Enable response.
  In the Notify s box, type the address of the person who should receive the notification about this agent. If you want to include multiple recipients, separate each address with a comma.
6 Click Save.

Specifying notification parameters

You can specify server information for the Alert Agent to use when sending out notifications about events in your security network or about reporting agent status.


More information

Enterprise Vault.cloud CloudLink Google Account Synchronization Guide. CloudLink to 4.0.3

Enterprise Vault.cloud CloudLink Google Account Synchronization Guide. CloudLink to 4.0.3 Enterprise Vault.cloud CloudLink Google Account Synchronization Guide CloudLink 4.0.1 to 4.0.3 Enterprise Vault.cloud: CloudLink Google Account Synchronization Guide Last updated: 2018-06-08. Legal Notice

More information

KYOCERA Net Admin User Guide

KYOCERA Net Admin User Guide KYOCERA Net Admin User Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable

More information

Symantec Protection Center Getting Started Guide. Version 2.0

Symantec Protection Center Getting Started Guide. Version 2.0 Symantec Protection Center Getting Started Guide Version 2.0 Symantec Protection Center Getting Started Guide The software described in this book is furnished under a license agreement and may be used

More information

Symantec LiveUpdate Administrator 2.3 User's Guide

Symantec LiveUpdate Administrator 2.3 User's Guide Symantec LiveUpdate Administrator 2.3 User's Guide Symantec LiveUpdate Administrator 2.3 User's Guide The software described in this book is furnished under a license agreement and may be used only in

More information

Wise Mobile Device Package Editor Reference

Wise Mobile Device Package Editor Reference Wise Mobile Device Package Editor Reference Mobile Device Package Editor The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of

More information

Veritas Storage Foundation and High Availability Solutions Application Note: Support for HP-UX Integrity Virtual Machines

Veritas Storage Foundation and High Availability Solutions Application Note: Support for HP-UX Integrity Virtual Machines Veritas Storage Foundation and High Availability Solutions Application Note: Support for HP-UX Integrity Virtual Machines HP-UX 11i v3 5.0.1 Veritas Storage Foundation and High Availability Solutions Application

More information

Symantec Data Center Security: Server Advanced v6.0. Administrator's Guide

Symantec Data Center Security: Server Advanced v6.0. Administrator's Guide Symantec Data Center Security: Server Advanced v6.0 Administrator's Guide Symantec Data Center Security: Server Administrator's Guide The software described in this book is furnished under a license agreement

More information

Veritas NetBackup Vault Administrator s Guide

Veritas NetBackup Vault Administrator s Guide Veritas NetBackup Vault Administrator s Guide UNIX, Windows, and Linux Release 6.5 12308354 Veritas NetBackup Vault Administrator s Guide Copyright 2001 2007 Symantec Corporation. All rights reserved.

More information

Veritas Desktop Agent for Mac Getting Started Guide

Veritas Desktop Agent for Mac Getting Started Guide Veritas Desktop Agent for Mac Getting Started Guide The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation

More information

Configuring Symantec Protection Engine for Network Attached Storage. Dell FluidFS 5.0

Configuring Symantec Protection Engine for Network Attached Storage. Dell FluidFS 5.0 Configuring Symantec Protection Engine for Network Attached Storage Dell FluidFS 5.0 Contents Abstract... 2 About software component... 2 How does FluidFS antivirus protect data on FluidFS cluster... 2

More information

Enterprise Vault Troubleshooting FSA Reporting. 12 and later

Enterprise Vault Troubleshooting FSA Reporting. 12 and later Enterprise Vault Troubleshooting FSA Reporting 12 and later Enterprise Vault : Troubleshooting FSA Reporting Last updated: 2018-04-17. Legal Notice Copyright 2018 Veritas Technologies LLC. All rights reserved.

More information

Veritas Storage Foundation and High Availability Solutions Application Note: Support for HP-UX Integrity Virtual Machines

Veritas Storage Foundation and High Availability Solutions Application Note: Support for HP-UX Integrity Virtual Machines Veritas Storage Foundation and High Availability Solutions Application Note: Support for HP-UX Integrity Virtual Machines HP-UX 11i v3 5.0.1 Veritas Storage Foundation and High Availability Solutions Application

More information