List of all screens


This section provides a listing of screens of the BMC Defender Server, and a brief description of each screen, useful as a site map.

The BMC Defender Server contains all screens in the BMC Defender Server/sigma-web directory, which forms a nested hierarchy of screens and functions. For information about the operating theory behind this system, see BMC Defender Server Sigma-Web-Framework.

An administrator can rename and re-order this list of screens by creating new directories, and renaming the executable CGI programs that reside therein. An administrator or developer can easily add new screens to the system, ranging from simple HTML and text files to batch files to more sophisticated CGI programs.

Refer to the Sigma-Web-Framework for notes on configuration, adaptation, and modifications that can be made to this system, including programming tools and reference material.

Interface features

Description

Home Screen

This is the first screen displayed on login to the BMC Defender Server, and permits the user to download and read documentation and utilities. A version of this space, in PDF form, is available for download from this page.

Dashboards Screen

This screen is displayed when the user clicks on the Dashboards tab. It allows the user to view and configure dashboards on the system. These dashboards consist of a layout file, and gadgets that depict real-time system status information. 

Dashboard > Add New Dashboard Wizard

This screen is displayed when the user clicks Add New at the bottom of a Dashboard screen. The user can create a new dashboard for the system. (The user can also create a dashboard using the Edit Layout screen, described below, and using the SaveNew option on that screen.)

Dashboard > Edit Layout

This screen is displayed when the user clicks Edit Layout at the bottom of a Dashboard screen. The user can change the layout file, provide panel titles and hyperlinks to other dashboards, rename dashboards, save new dashboards, or edit gadgets for each dashboard panel.

Dashboard > Edit Gadget

This screen is displayed when the user clicks Edit Gadget on the Edit Layout screen, and is also accessed through the Edit Gadget button in the upper right corner of each gadget windowpane. The user can specify a gadget and the gadget-specific parameters for the dashboard panel.

Messages > Search

This is the first screen displayed when the user clicks on the Messages navigation tab. The screen provides a list of recent events, and permits the user to search the list for keywords, and page the list. This is the main entry point for the GenDex search engine.

Messages > Search > Advanced Search

This screen is accessed from the Search screen by clicking on the Advanced Search hyperlink at the top of the display. The screen permits the user to compose advanced searches based upon match patterns, exclude patterns, partial matches, severity and facility matches, as well as time of day.

Messages > Search > Device Information

This screen is accessed from the Search screen, as well as from various other screens in the system, when the user clicks on a device name hyperlink. The Device Information screen shows the IP address, DNS name, the ping response, and additionally shows SNMP values to help identify the IP address.

Messages > Catalogs > Devices

This screen shows the list of all devices that have sent messages, the count of the messages since startup, and a count of the messages since the device was first detected. The screen provides a summary overview of the Devices catalog.

Messages > Catalogs > Devices > View Device Groups

This screen is accessed when the user clicks the View Groups link at the upper right of the Devices screen. The View Device Groups screen shows a list of all the address groups, and the rolled up status of each group, including counts, and time of last message for the group.

Messages > Catalogs > Devices > Device Item Catalog

This screen is accessed when the user clicks on one of the IP address hyperlinks in the above Devices Catalog screen, and shows the actual messages associated with a selected IP address. The user can delete the catalog item from this screen.

Messages > Catalogs > Devices > Device Catalog > Analyze

This screen is accessed when the user clicks on an IP address, to view the catalog of messages for the device, and then clicks the Analyze link in the upper right of the display. The screen permits the operator to analyze the messages and their occurrence counts for each Device, User, Facility, and Severity found in the list of messages.

Messages > Catalogs > Devices > Advanced Device Monitor Configuration

This screen is accessed when the user clicks on the Advanced option on the Messages > Device screen. The user can enter parameters that affect when the status icon colors turn red or green, and the severity of internal messages logged when devices are discovered, idled, or reactivated.

Messages > Catalogs > Users

This screen shows the list of all usernames discovered by BMC Defender Server, and the count of messages for each user since startup, and the count of messages since the username was first detected. The screen provides a summary overview of the Users catalog.

Messages > Catalogs > Users > User Item Catalog

This screen is accessed when the user clicks on one of the username hyperlinks in the above Users Catalog screen, and shows the actual messages associated with a selected username. The user can delete the catalog item from this screen.

Messages > Catalogs > Users > User Catalog > Analyze

This screen is accessed when the user clicks on a user name hyperlink to view the catalog of messages for the username, and then clicks the Analyze link in the upper right of the display. The screen permits the operator to analyze the messages and their occurrence counts for each Device, User, Facility, and Severity found in the list of messages.

Messages > Catalogs > Users > User Discovery Configuration

This screen is accessed when the user clicks the Advanced option on the Messages > Users screen, and permits the user to configure match patterns, field positions, and exclude patterns needed to enable the discovery of new users on the system. These values are pre-configured for BMC Defender Server, but this screen may be necessary to make adjustments or add new types of user discovery.

Messages > Catalogs > Facilities

This screen shows the list of all facilities that have been specified in received messages, the count of the messages since startup, and a count of the messages since the facility was first detected. The screen provides a summary overview of the Facilities catalog.

Messages > Catalogs > Facilities > Facility Item Catalog

This screen is accessed when the user clicks on one of the Facility hyperlinks in the above Facilities Catalog screen, and shows the actual messages that are associated with the selected facility. The user can delete the catalog item from this screen.

Messages > Catalogs > Facilities > Facility Catalog > Analyze

This screen is accessed when the user clicks on a facility hyperlink to view the catalog of messages for the facility, and then clicks the Analyze link in the upper right of the display. The screen permits the operator to analyze the messages and their occurrence counts for each Device, User, Facility, and Severity found in the list of messages.

Messages > Catalogs > Severities

This screen shows the list of all severities that have been specified in received messages, the count of the messages since startup, and a count of the messages since the severity was first detected. The screen provides a summary overview of the Severities catalog.

Messages > Catalogs > Severities > Severity Item Catalog

This screen is accessed when the user clicks on one of the Severity hyperlinks in the above Severities Catalog screen, and shows the actual messages that are associated with the selected severity. The user can delete the catalog item from this screen.

Messages > Catalogs > Severities > Severity Catalog > Analyze

This screen is accessed when the user clicks on a Severity hyperlink to view the catalog of messages for the severity, and then clicks the Analyze link in the upper right of the display. The screen permits the operator to analyze the messages and their occurrence counts for each Device, User, Facility, and Severity found in the list of messages.

Messages > Aux

This screen shows the list of messages that have been filtered for today. The screen shows all the messages for all configured filters. The messages in all files are deleted each night at midnight, and collection restarts. The user can search the list of filtered messages, and page through the list. Users can also report on these messages using the PDF and other reporting functions. (The Parms screen, discussed below, also controls one aspect of filtering, which is the de-duplicate filter time period.)

Messages > Config > Filters

This is the first screen displayed when the user clicks on the Advanced navigation tab, and depicts the list of filters that are applied to incoming messages. When a message is filtered, it is temporarily moved to the Messages > Aux screen (described above). The user can add, modify, or delete filters. Filters can be based upon address, facility, device, keyword, and / or time of day.

Messages > Config > Overrides > Address

This is the first screen displayed when the user clicks on the Overrides navigation tab. The screen shows a list of Address Overrides. The user can override the name of the device in a message, before the message is logged, useful for handling network address translation of IP addresses, and useful in other cataloging applications.

Messages > Config > Overrides > Address > Parse Specification

This screen is accessed when the operator clicks on the Address Overrides navigation tab, clicks Advanced and then clicks the Auto-Override With Parse Specification option. The screen allows an administrator to configure and test a parse specification that will automatically override the device in the message with some portion of the message content, useful when using a syslog collector, load balancer, network address translation, and other strategies.

Messages > Config > Overrides > Facility

This screen shows a list of Facility Overrides. The user can override the facility of a message, before the message is logged, using this screen. A user specified facility replaces the actual facility, based upon the device name, the facility, the severity, a keyword, and / or the time of day. This is useful for cataloging messages, and executing action programs.

Messages > Config > Overrides > Facility > User Facility Editor

This screen is accessed when the operator clicks on the User Defined Facility List hyperlink on the above Facility Override screen. This happens to be the most deeply nested screen within the suite of screens. The User Facility Editor permits an operator to define a new facility that can then be selected in one of the other screens, such as the Correlation Threads or Actions screen, to supply a higher level of organization to event messages.

Messages > Config > Overrides > Severity

This screen shows a list of Severity Overrides. The user can override the severity of a message, before the message is logged, using this screen. A user-specified severity replaces the actual severity, based upon the device name, the facility, the severity, a keyword, or the time of day. This is useful for cataloging messages, and executing action programs.

Messages > Config > Overrides > Text

This screen shows a list of Text Overrides. The user can override a particular field or value within a message by blanking out the value. This prevents sensitive data such as passwords, credit card numbers, and other security items from being logged or displayed.

Messages > Config > Overrides > Text > Advanced Configuration

This screen is accessed by clicking the Advanced option of the Text Override Editor screen, and permits the user to specify several advanced override functions, such as user name masking, and lists of specific keywords that are automatically masked by the system.

Messages > Config > Forwarding

This screen allows the operator to configure forwarding of messages or any auxiliary file to a third-party syslog collector, useful for multi-tier management strategies, or backing up the data for failover operation. Although other ways exist to forward data, this screen provides the fastest way to relay data to another syslog collector or BMC Defender Server.

Messages > Config > Colors

This screen allows the user to associate or change the colors of messages that appear in various locations in the BMC Defender Server suite of screens, based upon the logged message severity.

Messages > Config > Parms

This screen allows the user to configure specific parameters that affect the performance of BMC Defender Server processes, such as the location where syslog data is stored, the location of the Net-SNMP software, and the de-duplication filter time value.

Correlation > Threads

This screen shows the list of all correlation threads that have been configured by the user. These are special, arbitrary catalog items that permit the user to obtain lists of messages based upon the time of day, device, facility, severity, and keyword matches. The user can add, modify, and delete match patterns and specifications from this screen.

Correlation > Threads > View Thread Groups

This screen is accessed when the user clicks the View Groups link at the upper right of the Threads screen. The View Thread Groups screen shows a list of all the thread groups, and the rolled up status of each group, including counts, and time of last message for the group.

Correlation > Threads > Correlation Item Catalog

This screen is accessed when the user clicks on one of the Correlation Thread hyperlinks in the above Correlation screen, and shows the actual syslog messages that are associated with the user defined thread. The user can delete the catalog item from this screen, or from the previous screen.

Correlation > Threads > Thread Catalog > Analyze

This screen is accessed when the user clicks on a Thread hyperlink to view the catalog of messages for the thread, and then clicks the Analyze link in the upper right of the display. The screen permits the operator to analyze the messages and their occurrence counts for each Device, User, Facility, and Severity found in the list of messages.

Correlation > Triggers

This screen permits the user to set system flags when specific messages are received. These flags can then be used to qualify the correlation threads and actions. This provides a fundamental way of correlating specific information, and creating contexts for messages.

Correlation > Actions

This screen shows a list of user configurable actions that occur when certain messages are logged. The user can configure program names and arguments that are executed when messages match a particular address, facility, severity, message keyword, and / or time of day.

Correlation > Config > Address Groups

This screen allows the user to configure device groups that can be used in the Match IP Address fields of the correlation threads and actions screens. The user can configure lists of IP addresses and wildcards that represent groups of devices.

Correlation > Config > Thread Groups

This screen allows the user to configure thread groups that can be used to organize the Threads screen. The user can configure multiple thread groups, each group consisting of a match expression that matches the title of zero or more threads. The thread groups can be viewed via the Correlation > Threads screen.

Correlation > Config > Macros

This screen allows the user to configure macro expressions that can be used in the Match Expression fields of the correlation Threads, Triggers, and Actions screens. The user can define a macro that represents a complex match pattern, and then use this macro (with other macros) to match messages.

Correlation > Config > Lists

This screen allows the user to configure list expressions that can be used in the Match Expression fields of the correlation Threads, Triggers, and Actions screens. These are similar to the Macros (discussed above) but instead consist of long lists of items, any of which can be used to match or exclude a message. This allows the operator to configure whitelists or blacklists.

Correlation > Config > Templates

This screen is a wizard that permits the user to load, merge, and replace existing correlation configurations and rules, or save the existing rules to a file. This allows users to checkpoint existing configurations, or quickly switch the system to a new configuration.

Alerts > Counters

This screen permits the user to configure thresholds on any system counter, so that message rates can be detected. The user can select from various system counters. The Alert screen feeds information back into the syslog server process, so that it can be further correlated. The Alert screen can also be used to open tickets on the system.

Alerts > Devices

This screen is similar to the Alerts Counters screen above, but implements BMC Defender Server instance management, so that messages will create new instances of alerts, useful for situations where alerts are to be tracked on a per-device basis. (See the section on Active Instances for more information.)

Alerts > Users

This screen is similar to the Alerts Counters and Alerts Devices screens above, but implements BMC Defender Server instance management, so that messages will create new instances of alerts associated with managed users, useful for situations where alerts are to be tracked on a per-user basis. (See the section on Active Instances for more information.)

Alerts > Patterns

This screen provides general utility in detecting when certain patterns of messages have been received, based upon the state of triggers on the system. The screen operates in a fashion similar to the Alerts screen, sending syslog messages when patterns of messages are detected, and assigning tickets to system users.

Alerts > Custom

The Custom Alert screen extends the range of the alerting facility to include execution of arbitrary alerting programs. These external programs are launched at scheduled intervals. The output of the alerting program is read by BMC Defender Server and compared to a user-defined match expression, and a threshold applied to the number of matches can open a ticket.

Alerts > Config > Alert Formulas

This screen provides advanced functions that work with the Alerts > Counters screen, permitting the user to create formulas that reference multiple system counters, and run math expressions to calculate a single result, which can then be alarmed with a threshold.

Alerts > Config > Auto-Learn

This screen controls the various parameters of the BMC Defender Server auto-learn function, which automatically adjusts alert thresholds each night based on received message history, thereby minimizing the number of internal BMC Defender Server alerts and open tickets.

Tickets > Opened

This is the first screen displayed when the user clicks on the Tickets tab. The screen shows the currently opened tickets on the system. Tickets are opened by the Alerts component, and represent the highest level of correlation on the system.

Tickets > Opened > View Ticket Groups

This screen is accessed when the user clicks the View Groups link at the upper right of the Tickets > Opened and Tickets > Closed screens. The View Ticket Groups screen shows a list of all the ticket groups, and the rolled-up status of each group, including counts, and time of last ticket for the group.

Tickets > Closed

This screen shows the closed tickets on the system. The user can close individual tickets, or close all tickets associated with a user or ticket group. The closed tickets are retained on the system for the Keep Data interval configured by the user, by default 30 days.

Tickets > Actions

This screen shows a list of user configurable actions that occur when certain tickets are opened, closed, or modified. The user can configure program names and arguments that are executed based upon ticket information (similar to the Correlation > Actions screen described above, but reflecting the state of tickets).

Tickets > Config > Ticket Groups

This screen permits the user to create ticket assignees, which represent groups of tickets. The user configures the alert facility to open tickets and assign these tickets to BMC Defender Server users, or to ticket groups. This organizes the tickets into groups.

Tickets > Config > Parms

This screen provides miscellaneous parameters that affect ticket execution, including a master enable, throttles to limit ticket action rates, and the ability to enable automatic de-duplication of tickets opened on the same day.

Reports > Query

This screen permits the user to run a complex query against raw data, returning a list of match results that can be further graphed, searched, and analyzed. The screen performs similar functions to the Messages > Search screen, except that it can perform more complex (and time consuming) searches, especially useful for forensics. The screen searches Log Data, Archive Data, Auxiliary Files, Tickets, and External data.

Reports > Query > Run

This screen is accessed via the Query hyperlink in the upper right of each BMC Defender Server screen, or when the user clicks Run Report on the Reports > Query screen. The operator can specify the complex patterns associated with a particular query across a range of messages.

Reports > Query > Saved Queries

This screen is accessed via the Saved Queries hyperlink, and contains a list of queries that have been saved (on the above Query Run screen, by specifying a name for the query). The operator selects the saved query, and can modify or delete the query.

Reports > Query > Analyze

This screen is accessed when the user clicks on the Analyze hyperlink, and permits the operator to analyze the query results and their occurrence counts for each Device, User, Facility, and Severity found in the list of messages. The Query Analyze screen also provides a special Parse function to allow the execution of a parse expression (to see certain fields within the query results).

Reports > Audit > User Activity

This screen allows the operator to access audit reports on general user activity, reporting on all users contained in the Messages > Users tab of the system. An operator can configure one or more report viewers to view this data, and view the reports in HTML, CSV, and text format.

Reports > Audit > User Sessions

This screen allows the operator to access audit reports regarding user sessions, specifically when users are logged in and out of their systems. The reports permit a time card view of network activity, showing the user name, session start time, and duration, as well as other items. An operator can configure one or more report viewers to view this data, and view the reports in HTML, CSV, and text format.

Reports > Audit > Device Activity

This screen allows the operator to access audit reports on general device activity, reporting on all managed devices contained in the Messages > Devices tab of the system. An operator can configure one or more report viewers to view data, and view the reports in HTML, CSV, and text format.

Reports > Audit > Perimeter

This screen allows the operator to access audit reports on perimeter activity, reporting on raw messages that contain two or more IP addresses, where one of the IP addresses is external to the organization. An operator can configure one or more report viewers to view this data, and view the reports in HTML, CSV, and text format.

Reports > Audit > Account Management

This screen allows the operator to access audit reports on account management activity, reporting on messages related to account creation, deletion, modification, group assignments, and other changes to LDAP and Active Directory dealing with user access and authentication. An operator can configure one or more report viewers to view this data, and view the reports in HTML, CSV, and text format.

Reports > Audit > Tickets

This screen allows the operator to access audit reports on system tickets generated by BMC Defender Server alerts. This provides supervisory visibility to the ticketing system and all incidents identified by the BMC Defender Server program. An operator can configure one or more report viewers to view this data, and view the reports in HTML, CSV, and text format.

Reports > Audit > Score Cards

This screen allows the operator to configure and view Score Cards, which are reports that reflect the number of messages received given a specific requirement. Score Cards are especially useful for demonstrating compliance to regulatory requirements and standards, but also are useful for self-assessment, as to whether the system is configured for correct coverage of organizational and operational units.

Reports > PDF

This screen allows users to create or modify PDF reports, and download reports directly from the BMC Defender Server web interface after login. Reports are created each night. The user can generate reports on demand from this screen.

Reports > E-Mail

This screen allows users to create or modify E-mail reports, which consist of summary information and attachments of e-mail message lists. Reports are created each night. The user can generate reports on demand from this screen.

Reports > ODBC

This screen is a simple interface to the Windows ODBC facility. The user can configure the username and password values associated with an ODBC Data Source Name (DSN), and also run simple SQL statements. (The screen is mentioned here, but not discussed in any detail within this current section. See the BMC Defender Server Sigma Web Framework for more information on this screen.)

Reports > Graphs

This screen permits the user to graph message counts, and depict either daily or hourly event rates. The user can specify complex match patterns to limit the message counts to a range of messages.

Reports > Pivot

This screen permits the user to analyze regular data, such as firewall data, web server data, or other data that consists of regularly occurring fields. These reports parse the data and create graphs of field items, useful for determining things such as most active URLs, most active source destinations, most active firewall rules, etc.

System > Prefs

This screen is the first screen displayed when the user clicks the System navigation tab, and shows the user preferences of the system. The user can configure various parameters (such as initial login screen) that apply to the individual BMC Defender Server user. This screen may also be accessed via several links within BMC Defender Server, including the username link in the far upper right of the display.

System > Logins > Users

This screen allows the administrator to configure logins, passwords, and profiles for the various BMC Defender Server users. Various options apply. These are the local logins to the server and apply to both HTTP and Web Screen type logins.

System > Logins > Profiles

This screen allows the administrator to configure access profiles that can then be selected by the administrator when creating a user login. Profiles are used to limit the visibility and access of the system to certain tabs, dashboards, and pinned items.

System > Logins > Security

This screen allows the administrator to configure various extra security options for the system, including SSPI (Active Directory) authentication, whether the user is to login to the system using HTTP or Web Screen login dialogs, and various items related to local password expiration and lockout.

System > SMTP

This screen permits the user to configure SMTP server parameters that are used by the actions facility (i.e. the SENDMAIL program) as well as the E-Mail Report facility. The administrator configures standard SMTP values such as server IP address, and authentication type.

System > Parms

This screen allows the user to adjust certain System level parameters, such as the CGI timeout, and tab color values. This screen is documented in detail within the BMC Defender Server Sigma Web Framework. For more information, see Sigma-Web-Framework-Parms-tab.

System > Schedule

This screen allows the user to adjust system startup parameters, and allows the user to specify other programs to be run on a scheduled basis. The screen modifies the CO-svc.exe configuration file. For more information, see Sigma-Web-Framework-Schedule-tab.

More > User Prefs

This screen is accessed through the More drop down menu at the top right of the display. The screen is identical to the System > Prefs screen, permitting the user to modify his or her preferences.

More > User Links

This screen is accessed via the More drop down menu at the top right of the display. The screen permits the user to augment the list of links in the program header with other links of interest. These links appear only in the user's private login session.

More > Keywd Index

This screen is accessed through the More drop down menu at the top right of the display. The screen displays the list of message keywords, identical to the list displayed via the Keyword Index link on the Messages > Search screen.

More > Send Msg

This screen is accessed via the More drop down menu at the top right of the display. The screen permits the user to send a syslog message to BMC Defender Server, identical to the Post Message link on the Messages > Search screen.

More > Lookup SID Tool

This screen is accessed via the More drop down menu at the top right of the display. The screen provides general utility in translating a Microsoft Security Identifier (SID) into readable text. (SID values may occur in messages, and are typically represented in a format such as S-1-5-N-N, which translates into a user name, account name, or some other human readable object.)

More > Expr Tool

This screen is accessed via the More drop down menu at the top right of the display. The screen allows a user to enter complex match expressions (including global variables and macros) and see the results of the match expression compared to a user supplied text string. This screen is documented in the Expression-Evaluation-Tool. (The screen is mentioned here, but not discussed in any detail within this current section.)

More > Geo IP Tool

This screen is accessed via the More drop down menu at the top right of the display. The screen provides general utility in determining the Geo-location of an IP address. The Geo IP database is used by a variety of BMC Defender Server screens, including the Reports > Audit > Perimeter reports.

More > Site Map

This screen is accessed via the More drop down menu at the top right of the display. The screen displays a list of all screens (similar to this list) and links to access any screen in the system.

More > User Manuals

This screen is accessed via the More drop down menu at the top right of the display. The screen displays a list of all user documentation that comes with the system. This includes the documents on the home screen, as well as other sections on the system.

More > Extensions

This screen is accessed via the More drop down menu at the top right of the display. The screen displays a web folder of extra software components and extensions that support the BMC Defender Server system, in particular McAfee EPO extension software, but also site-specific information.

More > Support

This screen is accessed via the More drop down menu at the top right of the display. The screen launches the BMC Defender Server Support screen in a separate window, directly connecting to the BMC Defender Server public website.

More > Sys Info

This screen is accessed via the More drop down menu at the top right of the display. The screen displays the status of the system, including program version, processor info, disk space info, and other values. (This screen is always available, even if the license to execute expires.)
