Audit tab
Types of Audit reports
The system creates various different audit reports, each of which summarizes data on various important management activities commonly required by security standards such as PCI-DSS. Basic reports that come with the system are accessed using the tabs (beneath the Reports > Audit tab) listed as follows:
Report type | Description |
---|---|
User Activity Reports | This reporting facility summarizes activity by users, including (but not limited to) User Names, Workstations, Last Logon Times, Sessions, Errors, Lockouts, and other metrics. This report is useful for reviewing all the managed users of network equipment, tracking user logons and access to managed systems. |
User Sessions Reports | This reporting facility reports logon sessions for users (delimited by a start and stop message, and containing a common session ID.) By default, this report is configured to execute with the Windows Agent program but the report can be configured for other applications using the Advanced screen. |
Device Activity Reports | This reporting facility summarizes activity for each managed device on the system, including (but not limited to) Active and Idle seconds, Security Messages, Application Messages, Critical messages, and total messages received. This report is useful for reviewing the message content and activity of managed devices, including the general nature of the message content and loading. |
Perimeter Reports | This reporting facility operates on any message containing two (or more) IP addresses, where at least one of the addresses listed in the message is an external address. The report summarizes each external address including (but not limited to) Country Code, Local Addresses, External Addresses, Protocols, and message counts. This report is useful for reviewing external contacts of managed devices and users, and the state of firewall messages. |
Account Management Reports | This reporting facility summarizes the account management activities associated with Microsoft Active Directory (and possibly other LDAP-based authentication systems). The report summarizes each change to Active Directory, including accounts added, deleted, or modified; groups added, deleted, or modified; and errors. The report is useful for tracking essential changes to the authentication methods of the system. |
Ticket Reports | This reporting facility summarizes ticket activity associated with the system. These reports include a description of each ticket, assignee, ticket resolution, and related messages. The report is useful for reviewing threads and anomalies detected by the system from all received messages. |
Parse Reports | A parse report parses the information from a correlation thread into readable fields. For more information, see Parse-report. |
Score Cards | This reporting facility summarizes the daily, weekly and monthly counts for user specified threads, useful as a quick summary of the amount and types of data being gathered by the system. Score Cards are especially useful for demonstrating compliance to some internal or regulatory standard. |
Report generation
Each of the various reports generates automatically at midnight. Additionally, the operator can launch any report by clicking the Generate option at the top of each report display. The Generate option launches the report as a background process (that might take several minutes to complete.) The status of the report process is displayed each time the screen is refreshed, and this top-level status line indicates when the report is complete. To terminate the report prematurely, the operator clicks the Terminate option for the report.
Like other reports, while the report is being generated in background, the operator is free to leave the screen and check back at a later date for the resulting report.
Audit report viewers
Each of the various reports contains one or more Report Viewers that allow all or a subset of the data to be reviewed. The operator can define a new report viewer by clicking the AddNew option at the top of any screen, and then selecting the particular table columns and qualifiers for the report. The operator can match any field of the report, and can hide columns of the report that are not pertinent or interesting.
For example, if a viewer for the User Activity report is qualified on users with at least one lockout, then when the report is accessed (by clicking on the report hyperlink) it contains only those users that have at least 1 lockout during the reporting interval.
Multiple report viewers can be defined for each type of report. The basic All report is included as a standard report for all of the report facilities, and can be further modified or deleted to create more specific report content.
Audit report advanced parameters
Each of the various reports contains an Advanced option that permits the operator to configure the advanced settings specific to the report (these vary between the types of reports, as documented elsewhere). The Advanced parameters contain several common controls as follows:
- Data Source—Most report facilities include a Data Source setting, that allows the operator to specify a source for the messages, by default All Messages. If the administrator has configured a specific thread, this setting can speed up the report generator execution by limiting the message source to more specific messages.
- Match Expression—Most report facilities include a Match Expression, that allows the operator to restrict the messages to a particular match pattern. By default, the Match Expression for all screens is an asterisk, that matches all messages.
- Report Span Days—All report facilities include a Span Days setting, by default 1 day, that limits the number of days that will be processed. This setting should be adjusted conservatively to prevent the report generator from taking too long to complete.
- Span Max Data Records—All report facilities include a Span Max Data Records value, by default 1 million records, that limits the number of messages that are scanned by the report viewer. If the Span Max Data Records value is reached, the report generator terminates with no further processing for that particular report.
- DSN Name—All report facilities include a DSN select menu that allows the operator to specify an ODBC Data Source Name that includes the message data. (The DSN is configured in the Reports > ODBC tab, discussed elsewhere.) You must specify both a DSN Name and a Database Table name; the report generator then automatically creates and loads the database table with information each time the generator is executed.
- Database Table Name—All report facilities include a Database Table value. If the operator configures a DSN Name (above) AND ALSO a valid table name, then the report generator will automatically create and load the database table with information each time the generator is executed.
- Publish Text via RSS—All report facilities include a Publish Text via RSS select menu. If the operator sets this advanced setting to Yes, then the audit report information is automatically published via RSS. This setting has no effect if RSS is not enabled using the Reports > RSS screen.
Updating SQL databases with Audit information
To support flexible SQL queries and third party report writers, the information within each report can be copied to a configured ODBC data source. This requires the following:
- The operator should configure an ODBC Data Source Name via the Reports > ODBC tab of the system. Any ODBC compliant database is acceptable, including Microsoft Access reports.
- The operator should click the Advanced option of the report facility, and then select the DSN name configured as preceding, and also select an appropriate Database table name.
- The operator can subsequently generate the report (or wait for the report to be generated automatically at midnight.) The data is then automatically loaded into the relational database table configured as preceding. This can be checked using the Reports > ODBC tab of the system.
Because the table is loaded while the report generator runs, if the database is accessed while the report generator is running, incomplete results might exist in the database table. If this is a concern, special safeguards should be implemented to notify SQL applications that the data is being updated. Consult with vendor support for more information.
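The following is an added example, not part of the BMC Defender Server documentation or product, showing the kind of third-party query the ODBC export is meant to support. It uses an in-memory SQLite database as a stand-in for the configured ODBC DSN, and the `user_activity` table name, its column names and the sample rows are all constructed assumptions based on the User Activity report fields listed above (the real exported schema may differ). The first query reproduces the "at least 1 lockout" viewer qualifier from the Report Viewers section; the second finds accounts with no logon in the last 90 days, a check commonly run for PCI-DSS inactive-account reviews.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample rows shaped like a User Activity report.
# Column layout is an assumption for this example, not the product's schema:
# user_name, workstation, last_logon, sessions, errors, lockouts
SAMPLE_USER_ACTIVITY = [
    ("alice",   "WS-0101", "2024-03-01 08:15:00", 42,  0, 0),
    ("bob",     "WS-0102", "2024-02-28 17:40:00", 17,  3, 1),
    ("carol",   "WS-0110", "2023-10-12 09:05:00",  2,  0, 0),
    ("svc_bkp", "SRV-01",  "2024-03-01 00:05:00", 30, 12, 2),
]


def load_sample_table(conn):
    """Create and fill the assumed user_activity table.

    In production this table is created and loaded by the report generator
    through the configured DSN; here we build it ourselves so the example
    runs offline.
    """
    conn.execute(
        "CREATE TABLE user_activity ("
        "user_name TEXT, workstation TEXT, last_logon TEXT, "
        "sessions INTEGER, errors INTEGER, lockouts INTEGER)"
    )
    conn.executemany(
        "INSERT INTO user_activity VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_USER_ACTIVITY
    )
    conn.commit()


def open_sample_db():
    """Stand-in for opening the ODBC DSN: an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    load_sample_table(conn)
    return conn


def users_with_lockouts(conn, min_lockouts=1):
    """SQL equivalent of a report viewer qualified on Lockouts >= min_lockouts."""
    return conn.execute(
        "SELECT user_name, workstation, lockouts FROM user_activity "
        "WHERE lockouts >= ? ORDER BY lockouts DESC, user_name",
        (min_lockouts,),
    ).fetchall()


def dormant_users(conn, as_of, max_idle_days=90):
    """Users whose Last Logon Time is older than max_idle_days before as_of.

    last_logon is stored as 'YYYY-MM-DD HH:MM:SS', so string comparison
    orders correctly against a cutoff formatted the same way.
    """
    cutoff = (as_of - timedelta(days=max_idle_days)).strftime("%Y-%m-%d %H:%M:%S")
    return conn.execute(
        "SELECT user_name, last_logon FROM user_activity "
        "WHERE last_logon < ? ORDER BY last_logon",
        (cutoff,),
    ).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    print("Locked-out users:", users_with_lockouts(db))
    print("Dormant users:", dormant_users(db, datetime(2024, 3, 1)))
```

Run the queries only after the report status line shows the generation is complete; as the page notes, the table is loaded while the generator runs, and the example includes no mechanism for detecting a partially loaded table.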
Sending audit reports by email
As an operator, you can automatically send an email of audit reports to users at periodic intervals using the Reports > Email tab of the system.
To send audit reports by email
- Configure the SMTP interface to the system on the System > SMTP tab. This step is required before BMC Defender Server can send any email message.
- To add a new report, click AddNew on the Reports > E-Mail tab.
- For E-Mail Attachment Type, select Audit HTML Report.
- Complete the other information, including an item from the Select Audit HTML Report list, and click SaveNew.
For more information on the Reports > E-Mail facility, see E-Mail-tab.
Limiting access to specific Audit reports
A common requirement of organizations is to limit access to data using role-based users. The Audit report facility permits the user to create a Profile that limits the viewing of any Audit data to specific report names. This function is available using the System > Logins > Access Profiles screen. The Administrator can select the Audit Reports available to a specific user profile by clicking the AddNew option, and then clicking the Select Audit Reports option on that screen. This displays a screen that allows the Administrator to check off the particular audit reports available for that user profile.
When the profile is subsequently assigned to a user logon, the user is able to see (and access) only those reports that were selected by the Administrator.
This provides a consistent method of limiting access to the system for certain types of message data.
Additional notes
The time to generate a report depends upon a number of factors, the biggest being the amount of data to process and the CPU limitations of the system. The report generation time can be improved by limiting the data to be processed. The operator can specify a thread that contains a smaller subset of messages, and can reduce the number of records and days to process. These configuration options are available using the Advanced option on each report generator screen.