
Reporting User's Guide



The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version 10.1.5.5

Legal Notice
Copyright 2006 Symantec Corporation. All rights reserved. Federal acquisitions: Commercial Software - Government Users Subject to Standard License Terms and Conditions. Symantec, the Symantec Logo, Symantec AntiVirus, Symantec Client Security, Symantec System Center, and Symantec Client Firewall are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be "commercial computer software" and "commercial computer software documentation" as defined in FAR Sections 12.212 and DFARS Section 227.7202. Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 USA http://www.symantec.com

Technical support
As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group's primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts. Symantec technical support offerings include:

- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and Web support components that provide rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Content Updates for virus definitions and security signatures that ensure the highest level of protection
- Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages
- Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support

Licensing and registration


If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at www.symantec.com/certificate. Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.html, select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link.

Contacting Technical Support


Customers with a current maintenance agreement may access Technical Support information at the following URL: www.symantec.com/techsupp/ent/enterprise.html. Select your region or language under Global Support.

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem. When you contact Technical Support, please have the following information available:

- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Customer service
Customer service information is available at the following URL: www.symantec.com/techsupp/ent/enterprise.html. Select your country or language under Global Support. Customer Service is available to assist with the following types of issues:

- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade insurance and maintenance contracts
- Information about the Symantec Value License Program
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Contents

Technical support

Chapter 1 Introducing reporting
  About reporting .... 9
  How reporting works .... 10
  About events .... 10
  About reports .... 11
  About logs .... 11

Chapter 2 Basic reporting tasks
  About basic tasks .... 13
  Logging into reporting .... 14
  Changing your password .... 14
  Using the home page .... 15
    Viewing information on the home page .... 16
    Customizing the home page .... 18
    Using Security Response links .... 19
  About using the Past 24 hours filter in reports and logs .... 20

Chapter 3 Using reports
  Reports overview .... 21
    About reports .... 22
    Saving report configuration settings .... 23
    Printing and saving reports .... 25
  Creating risk reports .... 26
  Creating scan reports .... 31
  Creating computer status reports .... 35
  Creating and viewing scheduled reports .... 37

Chapter 4 Performing administrative tasks
  About administrative tasks .... 43
  Configuring reporting servers .... 44
    Changing the reporting server port number .... 45
    Specifying the reporting server URL by using the Windows registry .... 46
    Viewing the URL of a reporting server .... 46
    Removing a reporting server .... 46
  Configuring the reporting display .... 47
  Configuring users .... 48
    Setting password rules .... 51
  Configuring alerts .... 52
    Creating alert configurations .... 53
    Viewing alert events .... 56
    Acknowledging or unacknowledging alerts .... 58
    Viewing alert event details .... 59
  Setting automatic refresh intervals .... 60

Chapter 5 Using logs
  About logs .... 63
  Viewing logs .... 64
  Saving log configuration settings .... 65
  Viewing risk logs .... 66
  Viewing scan logs .... 69
  Viewing computer status logs .... 71
  Using events in logs .... 74
    Displaying event details .... 74
    Exporting log events .... 76
    Deleting log events .... 77

Chapter 6 Configuring reporting agents
  About reporting agents .... 79
  Configuring reporting agents .... 81
    Agent scheduling and status checking .... 82
    Checking agent status .... 83
    Specifying scheduling options for agents .... 86
    Disabling an agent .... 88
    Configuring event aggregation .... 89
    Configuring the language option for the Log Sender and Computer Status Agents .... 90
    Reducing the volume of security risk events sent to the reporting server .... 91
    Configuring proxy settings for the Virus Category Agent .... 91
    Specifying notification options for agents .... 92
  Specifying email notification parameters .... 93
  Specifying notification parameters for the disk full check .... 94
  Using agent logs .... 95
    Enabling or disabling agent tracing .... 95
    Deleting agent logs .... 97
  Registry keys for agent configuration .... 97
    About registry keys for agent file processing .... 98
    About registry keys for agent scheduling .... 99

Chapter 7 Maintaining the reporting database
  About database maintenance .... 101
  Configuring the reporting database maintenance agent .... 102
  Configuring the reporting database backup options .... 104
  Restoring an MSDE reporting database .... 106
  Tuning database server memory allocation .... 107
  Changing timeout parameters .... 108

Chapter 8 Workflow and use cases
  About workflow and use cases .... 111
  Administering daily workflow to eliminate risks .... 112
  Reports and logs that show security risk information .... 113
  Reports and logs that show scanning information .... 114
  Reports and logs that show definitions information .... 114
  Reports and logs that show configuration and status information .... 114

Index

Chapter 1

Introducing reporting
This chapter includes the following topics:

- About reporting
- How reporting works
- About events
- About reports
- About logs

About reporting
Reporting is a Web application within the Symantec System Center console that you can use to create reports about your security products. The application uses a Web server to deliver information about Symantec Client Security or Symantec AntiVirus products in your network. Reporting includes the following features:

- Customizable home page with your most important reports
- Pre-defined and customizable graphical reports with multiple filter options
- Role-based user administration that is separate from the Symantec System Center console user administration
- Optimized to support events from 100 computers to 50,000 computers
- Supports Microsoft SQL for storing events

You can log into reporting through the Symantec System Center console. You can also log into reporting through a Web browser that is installed on a computer that has access to your reporting server.

10

Introducing reporting How reporting works

Information about installing reporting is located in the Symantec Client Security Installation Guide or Symantec AntiVirus Installation Guide.

How reporting works


The reporting software consists of a reporting server, a reporting database, and the reporting agents. The reporting server is a Web server. When you log into reporting, you are essentially logging into the reporting server.

The reporting database stores the events that the reporting agents collect and read from your primary management server logs. The reporting database can be an existing MS SQL database in your network or the database that is installed with the reporting software. The database has its own maintenance requirements. See About database maintenance on page 101.

The reporting agents are installed on the reporting server as well as on your primary and secondary management servers. The agents that are installed on the reporting server are called local agents. The agents that are installed on the primary and secondary management servers are called remote agents. The reporting agents collect information about the security events in your network. The agents also maintain the reporting database and can be configured to send notifications about security events or agent status.

Each agent has a specific function. The Computer Status and Log Sender Agents are the remote agents that collect information from the logs of the primary or secondary management server on which they are installed. The Log Reader Agent is a local agent on the reporting server that receives the collected information and inserts it into the reporting database. See About reporting agents on page 79.

About events
The events that appear in the reports that you generate in reporting are pulled from the event logs from your primary and secondary management servers. The event logs contain time-stamps in the servers' time zones. When the Log Reader Agent on the reporting server receives the events, it converts the event time-stamps to Greenwich Mean Time (GMT) for insertion into the reporting database. When you create reports, the reporting software displays information about events in the local time of the computer on which you view the reports.


Since virus outbreaks can result in an excessive number of virus and firewall events, these events are aggregated before they are forwarded to the Log Reader Agent on the reporting server. For more information about some of the events that appear on the home page, check the Symantec Security Response Web site Attack Signatures page at the following address: http://securityresponse.symantec.com/avcenter/attack_sigs/

About reports
Reporting gives you the up-to-date information that you need to make informed decisions about the security of your network. The reporting home page includes automatically generated charts about top events happening in your network. Reporting also includes reports that you can customize and generate to view graphical representations of events happening in your network. You can create reports about risk and scan events. You can also generate reports about the inventory (computer status) of computers in your security network. In addition, you can create scheduled reports that run automatically on a schedule that you set. You set the report filters and the time to run the report. When the report is finished, it is available on the scheduled reports page. Currently, reporting allows you to create scheduled reports for virus definition rollouts only.

About logs
You can look at event data directly in reporting if you want to focus on specific events. Logs include event data from your primary and secondary management servers as well as all of the clients reporting to those servers. You can filter the log data. You can also export the log data to a file to back up the event data or use the data in a spreadsheet or other application.


Chapter 2

Basic reporting tasks


This chapter includes the following topics:

- About basic tasks
- Logging into reporting
- Changing your password
- Using the home page
- About using the Past 24 hours filter in reports and logs

About basic tasks


Reporting is a Web application that runs inside the Symantec System Center console. You can also access reporting from any Web browser that is connected to your reporting server if you know the IP address or host name of the reporting server. Basic tasks include logging into reporting, changing your password, and using the home page to get quick information about events in your security network.

This user's guide assumes that you use the Symantec System Center console to access reporting and that you are logged into the console. Procedures for using reporting are similar regardless of how you access reporting. However, procedures for using reporting in a stand-alone browser are not specifically documented in this guide.

Note: Viewing reporting through a remote session of the Symantec System Center is supported.


Logging into reporting


When you log into reporting for the first time, you are required to change your password. However, if you are the administrator who installed reporting and configured the super administrator password during the installation, you do not have to change your password after your first login.

You can log into more than one reporting server at the same time. Each reporting server has its own database, so data that you view on one reporting server is different from the data that you view on another reporting server.

Note: You must enable active scripting in Internet Explorer before you can log into reporting.

To log into reporting

1 In the Symantec System Center console, in the left pane, under Reporting, under Reporting Servers, click the name of the reporting server that you want to log into.
2 In the right pane, in the login dialog box, type your user name and password. If you log in for the first time, and you are the administrator who installed reporting, use the user name and password you entered during installation.
3 Click Login.

To log out of reporting, in the top right of the reporting application window, click Logout. If you do not log out, and you are inactive for a period of time, you may be automatically logged out. An administrator can configure the inactivity timeout for each user. The default is 6,000 seconds (100 minutes).

Note: If you use reporting in a stand-alone browser, closing the browser window does not log you out of the reporting application. Make sure you click Logout when you are finished with your session.

Changing your password


You can change your login password. The rules for length of the password and the character requirements are set by your administrator. If you enter a password that violates any of the password rules, an error appears. Password rules are set by a user with administrative privileges. See Setting password rules on page 51.


If you log in for the first time, your old password is the password that your administrator assigned to you. After you change the password, the new password is required the next time you log into reporting.

To change your password

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Admin tab, click Change Password.
3 In the Old Password text box, type your old password.
4 In the New Password text box, type your new password.
5 In the Confirm text box, type your new password.
6 Click Save.

Using the home page


The home page includes important reports with information about your security network. You can customize the page to modify the filter on the Risks by report. Figure 2-1 shows a sample home page.


Figure 2-1

Sample home page

Viewing information on the home page


The home page includes several automatically generated reports as well as several status items. Some of the home page reports are hyperlinked to more detailed reports. In addition, you can customize some of the reports and configure how often the home page refreshes. See Customizing the home page on page 18. Table 2-1 describes the home page reports.

Table 2-1 Home page reports

Report or Status Information: Risks by <Server Group>: Past 24 Hours
Description: Shows the risks to your security network in the past 24 hours. You can customize this report to group the risks by client group, parent server, computer, user, or event source. You can also customize this report to appear as a three-dimensional bar graph instead of a pie chart.


Report or Status Information: Action Summary
Description: Shows a summary of actions that were taken on the number of viruses and security risks in your network. For any of the actions, click the number of viruses or security risks to get a detailed report. By default, the action summary is shown for the last 24 hours. You can change the time interval to show the summary for the past week. The Suspicious count shows the number of events from Symantec AntiVirus 8.x clients with an Auto-Protect status of Leave Alone. On the computers that are associated with these events, you should run a manual scan to check whether the computers are infected. You can then clear the suspicious event count by deleting the suspicious events in the risk log. See Viewing risk logs on page 66. The Newly Infected count shows the number of risks infecting computers during the selected time interval only. The Still Infected count shows the total number of risks still infecting computers (regardless of the time interval). Both counts show the risks that must be manually cleaned. After the risks are cleaned, an administrator can change the infected status for the computer in the inventory log. See Viewing computer status logs on page 71.

Report or Status Information: New Risks: Past 24 Hours
Description: Shows new risks in your security network in the past 24 hours. Click any of the risks to display a page from the Symantec Security Response Web site that gives more details about the risk.

Report or Status Information: Alert status summary
Description: Shows a one-line summary of the alert status in your security network. For example, 100 unacknowledged alerts in the last 24 hours. Click to display the Alert Events page. Your user account must have access to view this page. See Viewing alert events on page 56.

Report or Status Information: Agent status summary
Description: Shows a one-line summary of the status for the agents that are installed on the reporting server. Click to display the Agent Status page. Your user account must have access to view this page. See Checking agent status on page 83.

Report or Status Information: Risks Per Hour: Past 24 Hours
Description: Shows a line graph of the risks in your security network over the past 24 hours.


Report or Status Information: Latest Symantec Virus Definitions
Description: Shows a one-line summary of the current date and revision for the latest definitions available from Symantec.

Report or Status Information: Current Virus Definition Distribution
Description: Shows the current virus definition distribution in your security network. Click on the pie chart to get a more detailed report about the distribution.

Report or Status Information: Security Response
Description: Shows the current ThreatCon severity level that is based on information from Symantec Security Response. The ThreatCon severity level provides an overall view of global Internet security. Click any of the links to get additional information. See Using Security Response links on page 19.

Customizing the home page


You can specify how the home page appears when you log into reporting. When you customize the display, you customize the display for the current user only. The settings that you configure on this page are saved across sessions. The next time you log into reporting these settings are used for the home page display. Table 2-2 describes the home page display options.

Table 2-2 Home page display options

Option: Graph
Definition: Selects which distribution to use for the Risks by chart on the home page. You can select Server Group, Client Group, Parent Server, Computer, User, or Event Source.

Option: Graph type
Definition: Changes the Risks by chart on the home page to appear as a three-dimensional bar graph. The bar graph consists of two axes. Each axis represents a server group, client group, parent server, computer, user, or event source. You must have at least two of each item type for the graph to display.

Option: Auto-refresh
Definition: Configures how often the reporting software refreshes the information on the home page.


To customize the home page display

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Home tab, click Homepage Configuration.
3 Change any of the options.
4 Click Save. A message appears indicating your changes are saved.

Using Security Response links


The home page includes a summary that is based on the information from the Symantec Security Response Web site. The ThreatCon level severity chart appears as well as links to the Symantec Security Response Web site and other security Web sites. The ThreatCon levels are as follows:

- 1 - Low
- 2 - Medium
- 3 - High
- 4 - Extreme

For more information about the threat levels, click the Symantec link to display the Symantec Web site.

Note: Specific security risks are rated with a 1 to 5 level rating.

Each link displays a page in a new window. Table 2-3 describes the Security Response links.

Table 2-3 Security Response links on the reporting home page

Link: Security Alerts
What appears: Displays a summary of the potential threats to your security network that is based on information from Symantec Security Response. The summary includes the latest threats, top threats, and links to removal tools. You can also search the Symantec Security Response threat database.


Link: Symantec
What appears: Displays the Symantec Web site. You can get information about risks and security risks, virus definition downloads, and recent news about Symantec security products.

Link: Definitions
What appears: Displays the virus definition download page of the Symantec Web site.

Link: Latest Risks
What appears: Displays the Symantec Security Response Web site, which shows the latest threats and security advisories.

Link: Security Focus
What appears: Displays the Security Focus Web site, which shows information about the latest viruses.

About using the Past 24 hours filter in reports and logs


If you select Past 24 hours for the time range of a report or a log, the 24-hour time range begins when you first select the filter. If you refresh the page, the start of the 24-hour range does not reset. If you select the filter, and wait to create a report or view an event or alert log, the time range starts when you selected the filter, not when you create the report or view the log. If you want to make sure the past 24-hour range starts now, select a different time range and then re-select Past 24 hours.

Note: The start of the past 24-hour time range filter on the home page is determined at the time the home page is accessed.
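The time handling that About events and this section describe (server-local log stamps normalized to GMT on insertion, rendered in the viewer's local time, and a Past 24 hours window fixed at the moment the filter is selected), modelled as an added example that is not Symantec's code; the server names, zone offsets and log rows are constructed:

```python
"""Model of the time handling this guide describes (an added illustration,
not product code): management-server logs carry naive local time-stamps, the
Log Reader Agent normalizes them to GMT/UTC before insertion, reports render
them in the viewer's local time, and the Past 24 hours filter is anchored at
the instant it was selected rather than when the report is generated.
Server names, zone offsets and the log rows below are constructed samples."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed zone for each management server (fixed offsets keep this offline).
SERVER_ZONES = {
    "mgmt-east": timezone(timedelta(hours=-5)),
    "mgmt-tokyo": timezone(timedelta(hours=9)),
}


@dataclass(frozen=True)
class RiskEvent:
    server: str
    computer: str
    risk: str
    occurred_utc: datetime  # tz-aware UTC, as stored in the reporting database


def normalize_event(server, computer, risk, local_stamp):
    """Log Reader Agent step: interpret the naive log stamp in the source
    server's zone and convert it to UTC for the database."""
    if local_stamp.tzinfo is not None:
        raise ValueError("log stamps are expected as naive server-local times")
    zone = SERVER_ZONES[server]
    utc = local_stamp.replace(tzinfo=zone).astimezone(timezone.utc)
    return RiskEvent(server, computer, risk, utc)


def utc_stamp(year, month, day, hour, minute=0):
    """Build a tz-aware UTC instant (used for filter anchors)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def past_24h_window(anchor_utc):
    """Past 24 hours filter: the window is fixed relative to the instant the
    filter was selected and does not slide when the page is refreshed."""
    return anchor_utc - timedelta(hours=24), anchor_utc


def events_in_window(events, window):
    start, end = window
    return [e for e in events if start <= e.occurred_utc <= end]


def render(event, viewer_offset_hours):
    """Report rendering: the stored UTC value shown in the viewer's local time."""
    viewer_zone = timezone(timedelta(hours=viewer_offset_hours))
    local = event.occurred_utc.astimezone(viewer_zone)
    return f"{local:%Y-%m-%d %H:%M %z} {event.server} {event.computer} {event.risk}"


# Constructed sample log rows: (server, computer, risk, naive server-local time)
SAMPLE_LOG = [
    ("mgmt-east", "ws-101", "W32.Sample.Worm", datetime(2006, 3, 1, 9, 0)),
    ("mgmt-tokyo", "ws-202", "Adware.Sample", datetime(2006, 3, 1, 23, 0)),
    ("mgmt-east", "ws-103", "Trojan.Sample", datetime(2006, 3, 2, 11, 30)),
]
DATABASE = [normalize_event(*row) for row in SAMPLE_LOG]


def demo():
    """Select the filter at 12:00 UTC on 2 March, generate the report six
    hours later with that stale anchor, then re-select the filter."""
    stale = past_24h_window(utc_stamp(2006, 3, 2, 12))
    fresh = past_24h_window(utc_stamp(2006, 3, 2, 18))
    return {
        # 09:00 -0500 and 23:00 +0900 on 1 March are the same instant (14:00 UTC)
        "same_instant": DATABASE[0].occurred_utc == DATABASE[1].occurred_utc,
        # the stale anchor misses the 16:30 UTC detection on 2 March
        "stale": [e.computer for e in events_in_window(DATABASE, stale)],
        # re-selecting the filter moves the window forward and catches it
        "fresh": [e.computer for e in events_in_window(DATABASE, fresh)],
        # a viewer in UTC-8 sees the 16:30 UTC event as 08:30 local time
        "rendered": render(DATABASE[2], -8),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The stale anchor is the failure mode the section warns about: a report generated hours after the filter was selected silently omits the most recent detections until the filter is re-selected.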

Chapter 3

Using reports
This chapter includes the following topics:

- Reports overview
- Creating risk reports
- Creating scan reports
- Creating computer status reports
- Creating and viewing scheduled reports

Reports overview
You can generate reports on the security products in your network that are based on a collection of filter settings you select. You can save the filter configuration to generate the report at a later date. You can run reports on the following items in your security environment:

- Risks
- Scans
- Computer Status
- Scheduled tasks such as virus definition rollouts

There is a default report configuration for each report type. You can modify and save the configuration for the default report. You can create new filter configurations that are based on the default configuration or on an existing configuration that you created. You can also delete your customized configurations if you don't need them any more.


When you create a report, the report appears in a separate window. You can then save the report as an HTML or text file. You can also print the report. The saved file is a snapshot of the current data in your reporting database.

About reports
Reports might include tables or charts, or a combination depending on the information that you requested. You can save the report as a Web page, a Web archive, or a text file using the Save As option in your Web browser. The save options capture the data in the report so you have an historical record. You can save the report settings so that you can run the same report at a later date. The active filter settings are listed in the report if an administrator has configured the general setting to include the filters in reports. Important information about reports is listed here:

- Time-stamps in reports are given in the user's local time. The reporting database contains events in Greenwich Mean Time (GMT). When you create a report, the GMT values are converted to the local time of the computer on which you view the reports.
- The data that appears in reports might not have a one-to-one correspondence with what appears in your security products since the reporting software aggregates your events.
- If you generate a report that includes legacy computers, the IP address and MAC address fields display None.
- The parent server field is blank in the report if the relevant item is a primary management server, which does not have a parent server.
- Risk category information in reports is obtained from the Symantec Security Response Web site. Until the Virus Category Agent runs and gathers the information, any reports that you generate show Unknown in risk category fields.
- Reports that you generate in reporting give an accurate picture of the infected computers in your network. Reports are based on the log data rather than the Windows registry data.
- If data in spider graphs contains overlapping lines that are difficult to read, re-create the report by using different parameters for the x and y axes or reversing the axes for the current parameters.
- If you are running the reporting server on a computer using any Asian language, the Arial Unicode MS font should be available on the reporting server. Otherwise, some charts may contain unreadable characters.

Using reports Reports overview

23

- In Virus Definition Distribution reports, a parent server is not listed unless it has clients. To view information about virus definitions on parent servers, use the Computer Status Logs page and select Only parent servers for the Computer type.
- If you get database errors when running reports that include a large amount of data, you might want to change database timeout parameters. See Changing timeout parameters on page 108.
- If you get CGI or terminated process errors, you might want to change other timeout parameters. Information about additional timeout parameters is provided in the Symantec Knowledge Base article called "Reporting server does not report or shows a timeout error message when querying large amounts of data."

Figure 3-1 shows a sample report.

Figure 3-1 Sample report

Saving report configuration settings


For risk, scan, or computer status reports, you can save report settings so that you can generate the report again at a later date. When you save your settings, they are saved in the reporting database and the configuration name appears in the Use saved report list box.

Note: The configuration settings that you save are available for your user login only. Other reporting users do not have access to your saved settings.

If you need to re-install the reporting server, you should make sure that your database information is preserved so that you do not lose your configuration settings. See Restoring an MSDE reporting database on page 106.

You can also delete any report configuration that you create. When you delete a configuration, the report is no longer available. The default report configuration name appears in the Use saved report list box and the screen is repopulated with the default configuration settings.

To save a report configuration

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Reports tab, do one of the following:
  - Click Risk Reports.
  - Click Scan Reports.
  - Click Computer Status Reports.
3 Change any basic or advanced settings for the report.
4 Click Save Report.
5 In the Name text box, type or select the report configuration name.
6 Click Save.

To delete a report configuration

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Reports tab, do one of the following:
  - Click Risk Reports.
  - Click Scan Reports.
  - Click Computer Status Reports.
3 In the Use saved report list box, select the name of the report configuration that you want to delete.
4 Click the Delete icon.

Printing and saving reports


When you generate a report, the report appears in a new window. You can print the report or save a copy of the report.

Note: By default, Internet Explorer does not print background colors and images. If this printing option is disabled, the printed report may look different from the report that you created. You can change the settings in your browser to print background colors and images.

To print a report

1 In the report window, click File > Print.
2 Select the printer and then click Print.

When you save a copy of the report, you save a snapshot of your security environment that is based on the current data in your reporting database. If you run the same report later, based on the same filter configuration, the new report is based on the data in the database at that time and can differ from the saved copy.

To save a report

1 In the report window, click File > Save As.
2 In the Save Web Page dialog box, in the Save in selection box, select the location for the file.
3 In the Save as type list, select one of the following:
  - Web Page, complete (*.htm,*.html)
  - Web Archive, single file (*.mht)
  - Web Page, HTML only (*.htm,*.html)
  - Text file (*.txt)
4 In the File name list box, type a file name.
5 Click Save.


Creating risk reports


Risk reports are the reports about viruses and security risks that are found in your security environment. You can choose from several different types of reports. Table 3-1 describes the types of risk reports.

Table 3-1 Types of risk reports

Top Reports
  Top reports are the reports that you typically need to view on a regular basis. They include the following:
  - Infected Computers (At Risk Computers)
  - Detection Action Summaries
  - Detections Grouped by Server Group
  - Detections Grouped by Parent Server
  - Detections Grouped by Computer

Risk Detection
  Risk detection reports include the following:
  - Risk Detection Table and Distribution Chart: This report includes a distribution pie chart grouped by server group, client group, parent server, computer, or user name.
  - Risk Detection Correlation: These reports correlate risk detections using two variables. The variables you can select are computer, user name, server group, client group, parent server, or risk name. The data appear in a three-dimensional bar graph or spider graph.
  - Summary of Detections Grouped by Computer: This provides a table of risk detections that are grouped by computer.
  - Risk Distribution Charts: This report includes a pie chart and histogram that are grouped by server group, client group, parent server, computer, user name, source, risk type, or severity.
  - Risk Distribution Over Time: This report includes a histogram using a daily, monthly, or yearly time interval.

Comprehensive Reports
  Comprehensive reports include the following:
  - Full report
  - Full daily report
  - Full monthly report
  - Full yearly report
  Comprehensive reports include by default all of the distribution reports and the new risks report. You can select which reports to include or not include in the combined daily, monthly, or yearly report.

Note: The report headings (Top Reports, Risk Detection, and Comprehensive) that are listed in the Report type drop-down list do not appear if you are using Internet Explorer 5.5 or earlier. To see the headings, upgrade your browser to version 6.0 or higher.

You can quickly generate a risk report by selecting from the basic settings that appear by default under What filter settings would you like to use. If you want to configure more filters for the report, you can configure them through Advanced Settings. You can save the report settings to run the same report at a later date. You can also print or save the report. See Printing and saving reports on page 25. Table 3-2 describes the basic settings for risk reports.

Table 3-2 Basic filter settings for risk reports

Product
  Specifies only the risks that are found from Symantec AntiVirus, Symantec Client Firewall, or all (both) products. The default is Symantec AntiVirus.

Time range
  Sets the range of time over which risks were found to include in the report. If you choose Set specific dates, you must set Start date and End date. The default is in the last month.

Start date
  Sets the start date for the date range. Only available when you select Set specific dates for the time range.

End date
  Sets the end date for the date range. Only available when you select Set specific dates for the time range.

Table 3-3 describes the advanced settings for risk reports.

Table 3-3 Advanced filter settings for risk reports

Event type
  Specifies whether to include all events, or only viruses that are found, IDS, security risks that are found, or firewall violation events. The default is all events.

Action taken
  Filters the report by the type of action that was taken by Symantec AntiVirus on the risk. The types of actions in the list depend on the setting for Product.

Scan type
  Filters the report based on the events that occurred during a particular type of scan, for example, a scheduled scan or a manual scan. By default, all events from any type of scan are used for the report.

Risk type
  By default all risk types appear in the report. You can limit the risks in the report to viral, trackware, spyware, hack tool, security risk, jokeware, heuristic, adware, remote access, non-viral malicious code, or dialer.

Risk severity
  Filters the report by risks with a particular severity. Severity is defined in several categories as follows: unknown; 1 is very low; 2 is low; 3 is moderate; 4 is severe; and 5 is very severe. For more details about severity, see the Symantec Security Response Web site. By default, risks of all severities are included in the report.

Compressed events
  Specifies whether events that are considered for the report should be weighted or unweighted. Weighted events are the sum of the number of events (each compressed event counts as the number of events it represents). Unweighted events are the count of the number of events (each compressed event counts once).

Server group
  Specifies particular server group names and/or wildcard characters (?, *). For example, to specify server group names beginning with je, type je* and separate each entry with a comma. By default, all server groups are included.

Client group
  Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er and separate each entry with a comma. By default, all client groups are included.

Parent server
  Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify the parent server names that have the string tion in them, type *tion* and separate each entry with a comma. By default, all parent servers are included.

Computer
  Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, etc., type ?machine and separate each entry with a comma. By default, all computers are included.

IP address
  Specifies particular IP addresses and/or wildcard characters (?, *). Separate each entry with a comma. By default, all IP addresses are included.

User name
  Specifies particular users and/or wildcard characters (?, *). Separate each entry with a comma. By default, all users are included.

Risk name
  Specifies particular risk names and/or wildcard characters (?, *). Separate each entry with a comma. By default, all risks are included.
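The filter syntax in Table 3-3 (? for one character, * for any run, entries separated by commas, an empty filter meaning all), the GMT storage described under Reports overview, and the weighted/unweighted distinction for compressed events can be tried out on a constructed event set. The following Python is an added example, not code from this guide or from the Symantec product: the event records, their field names, the count field that a compressed event carries, the time-range boundaries (start inclusive, end exclusive) and case-insensitive matching are all assumptions. The same wildcard rules apply to the name filters in Tables 3-6, 3-7 and 3-8.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events. The guide says the reporting database stores
# event times in GMT; the field names and the 'count' field (number of
# underlying events folded into one compressed event) are assumptions.
EVENTS = [
    {"time": "2006-03-01T23:30:00", "server_group": "jeEast",
     "client_group": "Server", "computer": "1machine", "count": 5},
    {"time": "2006-03-02T02:15:00", "server_group": "jeWest",
     "client_group": "Finance", "computer": "2machine", "count": 1},
    {"time": "2006-03-05T10:00:00", "server_group": "production",
     "client_group": "Developer", "computer": "hq-fileserver", "count": 3},
    {"time": "2006-02-20T08:00:00", "server_group": "jeEast",
     "client_group": "Server", "computer": "10machine", "count": 2},
]


def wildcard_to_regex(entry):
    """One filter entry: '?' matches exactly one character, '*' any run of
    characters, everything else literally. Matching is anchored and
    case-insensitive (case handling is an assumption)."""
    pieces = []
    for ch in entry:
        if ch == "*":
            pieces.append(".*")
        elif ch == "?":
            pieces.append(".")
        else:
            pieces.append(re.escape(ch))
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE)


def matches_filter(value, filter_text):
    """Comma-separated entries, any of which may match. An empty filter
    means 'all', as in the guide's 'By default, all ... are included'."""
    entries = [e.strip() for e in filter_text.split(",") if e.strip()]
    if not entries:
        return True
    return any(wildcard_to_regex(e).match(value) for e in entries)


def parse_gmt(timestamp):
    """Stored timestamps are naive GMT strings; attach the UTC zone."""
    return datetime.fromisoformat(timestamp).replace(tzinfo=timezone.utc)


def month_range_gmt(year, month):
    """Start (inclusive) and end (exclusive) of a calendar month in GMT."""
    start = datetime(year, month, 1, tzinfo=timezone.utc)
    end = datetime(year + (month == 12), month % 12 + 1, 1, tzinfo=timezone.utc)
    return start, end


def select_events(events, start_gmt, end_gmt, server_group="",
                  client_group="", computer=""):
    """Apply the time range and the three wildcard name filters."""
    selected = []
    for ev in events:
        when = parse_gmt(ev["time"])
        if not (start_gmt <= when < end_gmt):
            continue
        if not matches_filter(ev["server_group"], server_group):
            continue
        if not matches_filter(ev["client_group"], client_group):
            continue
        if not matches_filter(ev["computer"], computer):
            continue
        selected.append(ev)
    return selected


def count_events(events, weighted):
    """Weighted: sum of the per-event counts. Unweighted: number of rows."""
    if weighted:
        return sum(ev["count"] for ev in events)
    return len(events)


def local_times(events, utc_offset_hours):
    """Render stored GMT times in the viewer's local zone, as the report does."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    return [parse_gmt(ev["time"]).astimezone(zone).isoformat() for ev in events]


if __name__ == "__main__":
    start, end = month_range_gmt(2006, 3)
    march = select_events(EVENTS, start, end, server_group="je*")
    print("unweighted:", count_events(march, weighted=False))
    print("weighted:  ", count_events(march, weighted=True))
    for shown in local_times(march, utc_offset_hours=-8):
        print("local time:", shown)
```

The local-time rendering shows why a date in a report can differ from the stored GMT date: an event logged at 02:15 GMT on 2 March is shown as 18:15 on 1 March to a viewer eight hours behind GMT, which matters when you correlate a report with logs kept in another time zone.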

To create a risk report

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Reports tab, click Risk Reports.
3 In the Use saved report list box, select a saved filter configuration that you want to use or use the default configuration.
4 Under What type of Risk Report would you like to see, in the Report type list box, select the type of report that you want to create.
5 Do one of the following:
  - If you selected the Risk Detection Table and Distribution Chart, Detections Grouped by Computer, or Risk Distribution Charts, the Group By option appears. In the Group by list box, select the option for grouping the report.
  - If you selected the Risk Distribution Over Time report, the Time interval option appears. In the list box, select the time interval.
  - If you selected the Full Daily Report, Full Monthly Report, or Full Yearly Report, the Configure reports to be included option appears. Click Configure reports to be included, and then in the new window, select the reports that you want to include in the combined report. Click Save.
  - If you selected Risk Detection Correlation, the Graph type list box appears. Select Spider graph or 3D bar graph. In the x-axis/legs and y-axis/web list boxes, select which grouping should appear on the chart axes in the 3D bar graph or the legs/web in the spider graph.
6 Under What filter settings would you like to use, in the Product list box, select the product for which you want to run the report.
7 In the Time range list box, select the date range for the report.
8 If you want to configure additional settings for the report configuration, click Advanced Settings. You can save the current settings to the existing configuration or you can create a new configuration. See Saving report configuration settings on page 23.
9 Click Create Report.

Creating scan reports


Scan reports include information about scans run on the computers in your security network. You can create scan filter configurations to filter the data for your scan reports. When you create a report, it appears in a new window. You can save the report settings to run the same report at a later date. You can also print or save the report. See Printing and saving reports on page 25. Table 3-4 describes the types of scan reports.


Table 3-4 Types of scan reports

Scan Distribution Histograms
  You can select how you want the data in the scan report to be distributed: by the scan duration, the number of risks or infected files that are found in scans, or the number of files that are scanned or omitted. You can also type the bin width and number of bins to be used in the histogram that is included in the report. The bin width is the data interval to be used for the group by selection. The number of bins specifies how many times the data interval should be repeated in the histogram. Depending on the size of your network and the amount of data you view, you might want to change these values to maximize the information that is generated in the report's histogram.

Computers by Last Scan Time
  Shows a list of computers in your security network by the last time scanned.

Computers Not Scanned
  Shows a list of computers in your security network that have not been scanned.
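Bin width and number of bins together decide which scan durations (or file and risk counts) the histogram can show at all: anything at or beyond bin width times number of bins falls outside the chart. The following Python is an added example, not code from this guide or from the product. It bins constructed scan durations the way Table 3-4 describes and shows how to pick a width that covers every value; the guide does not say how the product treats values beyond the last bin, so the overflow handling here is an assumption.

```python
# Constructed scan durations in minutes, one per completed scan.
SCAN_DURATIONS = [3, 12, 27, 45, 8, 61, 130, 22, 19, 5]


def histogram(values, bin_width, number_of_bins):
    """Count values into bins of equal width: bin i covers
    [i * bin_width, (i + 1) * bin_width). Values at or beyond the last bin
    edge are returned separately as overflow (assumption: the guide does
    not say how the product treats them)."""
    if bin_width <= 0 or number_of_bins <= 0:
        raise ValueError("bin width and number of bins must be positive")
    counts = [0] * number_of_bins
    overflow = 0
    for v in values:
        index = int(v // bin_width)
        if index < number_of_bins:
            counts[index] += 1
        else:
            overflow += 1
    return counts, overflow


def bin_labels(bin_width, number_of_bins):
    """Readable bin edges for the chart axis, e.g. '0-15', '15-30'."""
    return [f"{i * bin_width}-{(i + 1) * bin_width}" for i in range(number_of_bins)]


def covering_bin_width(values, number_of_bins):
    """Smallest integer bin width for which the given number of bins
    covers every value, i.e. nothing lands in overflow."""
    if not values:
        return 1
    return max(values) // number_of_bins + 1


if __name__ == "__main__":
    # A width chosen without looking at the data leaves two scans off the chart.
    counts, overflow = histogram(SCAN_DURATIONS, bin_width=15, number_of_bins=4)
    for label, count in zip(bin_labels(15, 4), counts):
        print(f"{label:>8} min: {count}")
    print("not shown (beyond last bin):", overflow)

    # A covering width keeps every scan on the chart, at coarser resolution.
    width = covering_bin_width(SCAN_DURATIONS, 4)
    counts, overflow = histogram(SCAN_DURATIONS, width, 4)
    print(f"covering width {width}: {counts}, overflow {overflow}")
```

Starting from the covering width and the bin count and then narrowing the width, or adding bins, is a quick way to find the resolution the passage above recommends tuning for your network size.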

You can quickly generate a scan report by selecting from the basic settings that appear by default under What filter settings would you like to use. If you want to configure more filters for the report, you can configure them through Advanced Settings. Table 3-5 describes the basic filter settings for scan reports.

Table 3-5 Basic filter settings for scan reports

Time range
  Sets the range of time for which scan information is included in the report. If you choose Set specific dates, you must set Start date and End date.

Start date
  Sets the start date for the time range. Only available when you select Set specific dates for the time range.

End date
  Sets the end date for the time range. Only available when you select Set specific dates for the time range.

Table 3-6 describes the advanced scan report settings.

Table 3-6 Advanced filter settings for scan reports

Duration greater than
  Includes only the scans whose duration exceeds this value.

Files scanned greater than
  Limits the data to scans that scanned a number of files greater than this value.

Risks greater than
  Limits the data to scans that found a number of risks greater than this value.

Files infected greater than
  Limits the data to scans that found a number of infections greater than this value.

Scan start message
  Includes only those events with the selected scan message.

Status
  Specifies whether to include all scans, or only completed scans, started scans, or cancelled scans in the report.

Server Group
  Specifies particular server group names and/or wildcard characters (?, *). For example, to specify server group names beginning with je, type je* and separate each entry with a comma. By default, all server groups are included.

Client Group
  Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er and separate each entry with a comma. By default, all client groups are included.

Parent Server
  Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify the parent server names that have the string tion in them, type *tion* and separate each entry with a comma. By default, all parent servers are included.

Computer
  Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, etc., type ?machine and separate each entry with a comma. By default, all computers are included.

IP Address
  Specifies particular IP addresses and/or wildcard characters (?, *). Separate each entry with a comma. By default, all IP addresses are included.

User
  Specifies particular users and/or wildcard characters (?, *). Separate each entry with a comma. By default, all users are included.

To create a scan report

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Reports tab, click Scan Reports.
3 In the Use saved report list box, select a saved filter configuration you want to use or use the default configuration.
4 Under What type of Scan Report would you like to see, in the Report type list box, select the type of report you want to create.
5 If you selected Scan Distribution Histograms, do the following:
  - In the Group by list box, select the way you want the information in the report to be grouped.
  - In the Bin width text box, type the data interval you want to use for the group by distribution.
  - In the Number of bins text box, type the number of data intervals you want to include in the report.
6 Under What filter settings would you like to use, in the Scans From list box, select the date range for the report. You can specify a name for this report configuration in the Name text box or you can use the Scans From setting to filter the default report configuration.
7 If you want to configure additional settings for the report configuration, click Advanced Settings and make any changes to the configuration. You can save the current settings to the existing configuration or you can create a new configuration. See Saving report configuration settings on page 23.
8 Click Create Report.


Creating computer status reports


Computer status reports are reports about the status, or inventory, of the computers in your security network. The reports are as follows:

- Virus Definition Distribution
- Computers Not Checked Into Parent Server
- Symantec AntiVirus Product Versions
- Symantec Client Firewall Product Versions
- IPS Signature Distribution

You can filter which computers are included in the report through the advanced settings option. You can also print or save the report. See Printing and saving reports on page 25. Table 3-7 describes the advanced configuration settings for computer status reports.

Table 3-7 Advanced filter settings for computer status reports

Time range
  Sets the range of time over which computer status was collected to include in the report. If you choose Set specific dates, you must set Last checkin time.

Last checkin time
  The last time that the computer checked in with its parent server. Only available when you select Set specific dates for the time range.

Definition date
  Includes only those computers with this particular virus definition date.

SAV product version
  Includes only those computers with this Symantec AntiVirus product version.

SAV scan engine version
  Includes only those computers with this Scan Engine version.

SCF version
  Includes only those computers with this Symantec Client Firewall version.

SCF policy file name
  Includes only those computers with this firewall policy name.

Online
  Includes all computers, only those computers that connect to their parent servers, or only those computers that do not connect to their parent servers.

Auto-Protect status
  Includes computers with any Auto-Protect status, or only those computers with Auto-Protect enabled, disabled, or status unknown.

Server group
  Specifies particular server group names and/or wildcard characters (?, *). For example, to specify server group names beginning with je, type je* and separate each entry with a comma. By default, all server groups are included.

Client group
  Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er and separate each entry with a comma. By default, all client groups are included.

Parent server
  Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify the parent server names that have the string tion in them, type *tion* and separate each entry with a comma. By default, all parent servers are included.

Computer
  Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, etc., type ?machine and separate each entry with a comma. By default, all computers are included.

IP address
  Specifies particular IP addresses and/or wildcard characters (?, *). Separate each entry with a comma. By default, all IP addresses are included.

User
  Specifies particular users and/or wildcard characters (?, *). Separate each entry with a comma. By default, all users are included.

Infected only
  Specifies only computers with infections.

View
  Displays the Symantec AntiVirus version or the Symantec Client Firewall version in the report.

Computer type
  Includes only parent servers or only primary management servers. The default is all computers, including client computers.

To create a computer status report

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Reports tab, click Computer Status Reports.
3 In the Use saved report list box, select a saved filter configuration you want to use or use the default configuration.
4 Under What type of Computer Status Report would you like to see, in the Report type list box, select one of the following reports:
  - Virus Definition Distribution
  - Computers Not Checked Into Parent Server
  - Symantec AntiVirus Product Versions
  - Symantec Client Firewall Product Versions
  - IPS Signature Distribution
5 If you want to set more filters for the report configuration, click Advanced Settings and make any changes to the configuration. You can save the current settings to the existing configuration or you can create a new configuration. See Saving report configuration settings on page 23.
6 Click Create Report.

Creating and viewing scheduled reports


Scheduled reports are the reports that the reporting application automatically generates based on a schedule that you configure. Currently, scheduled reports are only available for virus definition rollouts. There is a default scheduled report that is always running. You can change the settings for any pending scheduled report (any report that has not yet run) and you can create additional scheduled reports to monitor virus definition rollouts. You can also delete a single scheduled report or all of the scheduled reports. You can print or save the report. See Printing and saving reports on page 25. Figure 3-2 shows a sample scheduled report.

Figure 3-2 Sample scheduled report

Table 3-8 describes the scheduled report configuration settings.

Table 3-8 Scheduled report configuration settings

Start time
  Sets the date, the hour, and the minute that the report should start to run.

Run for
  The number of hours that the report should run.

Run every
  The report runs every hour during the Run for interval. This value is not configurable.

Repeat task
  How often the report schedule should be repeated (never, daily, weekly, or monthly). The default is never.

Server Group
  Specifies particular server group names and/or wildcard characters (?, *). For example, to specify server group names beginning with je, type je* and separate each entry with a comma. By default, all server groups are included.

Client Group
  Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er and separate each entry with a comma. By default, all client groups are included.

Parent Server
  Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify the parent server names that have the string tion in them, type *tion* and separate each entry with a comma. By default, all parent servers are included.

Computer
  Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, etc., type ?machine and separate each entry with a comma. By default, all computers are included.

Last checkin time
  Select the date, the hour, and the minute on which computers last checked in with their parent servers. The default is the current date.

Online only
  Check to include only those computers that are connected to their parent servers.


To create a new scheduled report or change a pending scheduled report

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Reports tab, click Scheduled Reports.
3 Under What type of Scheduled Report would you like to see, in the Sort by list box, select the way you want the scheduled report to be sorted.
4 Do one of the following:
  - Under What would you like to do, click the Create a new scheduled report icon.
  - Under Scheduled Reports, click the Change icon next to a report which has a status of pending.
5 Under How would you like to schedule this report, in the text box for Start time, type the start time for the report, and then select the hour and minute from the list boxes.
6 In the Run for text box, type the number of hours that you want the report to run. For example, if you set the Run for time to 48 hours, the report runs every hour for 48 hours.
7 In the Repeat task list box, select how often the report should continue to run. For example, if you specify weekly, the report runs once a week for the number of hours you configured in Run for.
8 Under What settings would you like for this report, specify the server group, client group, parent server, or computer that you want to use to filter the report.
9 In the list boxes for Last Checkin Time, select the time.
10 Check or uncheck Online Only. If you checked Online Only, only those computers that are currently connected to their parent servers are included in the report.
11 Click Save to save the scheduled report configuration.


To view a scheduled report

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Reports tab, click Scheduled Reports.
3 In the list of reports, to the left of the Status column, click the icon next to the report that you want to view.

To delete scheduled reports

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Reports tab, click Scheduled Reports.
3 Do one of the following:
  - Under Scheduled Reports, at the end of the row that lists the report you want to delete, click the Delete icon.
  - Under What would you like to do, click the icon for deleting all scheduled reports.
4 In the warning dialog box, click OK.


Chapter

Performing administrative tasks


This chapter includes the following topics:

- About administrative tasks
- Configuring reporting servers
- Configuring the reporting display
- Configuring users
- Configuring alerts
- Setting automatic refresh intervals

About administrative tasks


Administrative tasks include configuring reporting servers in your network, configuring the general reporting display, setting up users for reporting, and configuring alerts. Other tasks, such as logging into reporting and using the home page, are described in a separate chapter of this user guide. See About basic tasks on page 13. The tasks that are described in this chapter assume that you are logged into reporting through the Symantec System Center console.


Note: The login for the reporting function is a separate login from the login for the Symantec System Center console. The reporting feature uses separate user accounts that are stored in the reporting database. See Configuring users on page 48.

Configuring reporting servers


The Symantec System Center console populates its Reporting Servers node based on the discovery process it uses to find servers running Symantec Client Security or Symantec AntiVirus. See the Symantec Client Security Administrator's Guide or the Symantec AntiVirus Administrator's Guide for more information about the Symantec System Center Discovery Service (Nsctop.exe).

When the discovery service runs, it reads the registry settings of servers running Symantec Client Security or Symantec AntiVirus to learn the URL of the reporting server to which the discovered server is forwarding data. The discovery service automatically learns the URL on the servers that have the reporting server, the reporting agents, and Symantec AntiVirus installed. You need to add a reporting server manually if the reporting server is installed on a computer on which Symantec AntiVirus is not installed. In addition, if you are running the Symantec System Center and then install a reporting server, you must manually add the reporting server or run the Discovery Service.

You can also delete any reporting server that you add manually to the console. If you delete a reporting server that is discovered through the Symantec System Center Discovery Service, the server is removed from the console. However, the server will reappear in the console the next time the discovery service runs.

You might need to change the reporting server that your server group or server uses because you want to use a different reporting server. When you add or change a reporting server, you specify a host name, IP address, or a URL. If you changed the host name in an existing URL path, the host name replaces the existing reporting server name the next time you run the Symantec System Center console. When you add or change a reporting server, the URL is written to the registry.


To add or change the reporting server

1 In the Symantec System Center, in the left pane, under System Hierarchy, right-click the server group or primary or secondary management server for which you want to add or change a reporting server.
2 Click All Tasks > Reporting Configuration > Configure Reporting Server.
3 In the Reporting Server Options dialog box, under Report Server, in the Host name or IP address list box, do one of the following:
  - Type the host name or IP address of the new reporting server.
  - Select the reporting server URL from the drop-down menu.
4 Click OK.

Changing the reporting server port number


By default, the reporting server uses port 80. You can change the port number when you specify the reporting server host name or IP address in the Reporting Server Options dialog box.

If you change the reporting server port number, you should modify the reporting URL in the Alert Agent configuration. You must modify this option if you are writing alert events to the alert database or sending alert notification emails. Otherwise, alert events will not be available on the Alert Events page and the incorrect URL will be included in notification emails.

To change the reporting server port number

1 In the Symantec System Center, in the left pane, under System Hierarchy, right-click the server group or primary or secondary management server for which you want to add or change a reporting server.
2 Click All Tasks > Reporting Configuration > Configure Reporting Server.
3 In the Reporting Server Options dialog box, under Report Server, in the Host name or IP address list box, include the port number in the following format: http://<host name or IP address>:<port number>.
4 Click OK.
5 Change the URL listed for the Alert Agent on the Alert Configuration page. See Specifying email notification parameters on page 93.

Specifying the reporting server URL by using the Windows registry

The reporting server URL is stored in the Windows registry under HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Reporting. Use the ReportServerURL value under that key to add or change a reporting server URL. Use the same http://<host name or IP address>:<port number> format that the Reporting Server Options dialog box accepts; the Discovery Service reads this value to populate the console.
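The following Python script is an added example for this section; it is not part of the Symantec software or of this guide. It turns the forms the dialog box accepts (a host name, an IP address, or a URL, with or without a port) into the http://<host>:<port> form that ReportServerURL stores, and checks that the Alert Agent's reporting URL points at the same host and port, which is the mismatch the previous section warns about when the port is changed. The port-80 default comes from this guide; the function names and the sample host names are assumptions made here.

```python
"""Normalize a reporting server entry into the URL form stored in
ReportServerURL, and check that the Alert Agent URL names the same server.

Added example for this guide, not Symantec code. Accepted inputs (host name,
IP address, or URL, optionally with a port) and the http://<host>:<port>
format come from the guide; only http is accepted because that is the only
scheme the guide describes. Function names are assumptions made here.
"""
from urllib.parse import urlsplit

DEFAULT_SCHEME = "http"
DEFAULT_PORT = 80  # the guide states the reporting server uses port 80 by default


def normalize_report_server_url(entry: str) -> str:
    """Turn 'host', 'host:8080', '10.1.2.3' or 'http://Host:8080/' into
    'http://host:8080'. Raises ValueError for input that cannot be a
    reporting server address (missing host, non-numeric port, other scheme)."""
    entry = entry.strip()
    if not entry:
        raise ValueError("empty reporting server entry")
    # urlsplit would read 'host:8080' as scheme 'host'; supply the scheme first.
    if "://" not in entry:
        entry = f"{DEFAULT_SCHEME}://{entry}"
    parts = urlsplit(entry)
    if parts.scheme.lower() != DEFAULT_SCHEME:
        raise ValueError(f"unsupported scheme: {parts.scheme}")
    if not parts.hostname:
        raise ValueError(f"no host name in {entry!r}")
    port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    if port is None:
        port = DEFAULT_PORT
    return f"{DEFAULT_SCHEME}://{parts.hostname}:{port}"


def agent_url_matches(server_url: str, agent_url: str) -> bool:
    """True when the Alert Agent's reporting URL has the same host and port
    as the reporting server URL; path differences are ignored, and any
    unparsable entry counts as a mismatch."""
    try:
        return normalize_report_server_url(server_url) == normalize_report_server_url(agent_url)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample entries, as an administrator might type them.
    for entry in ("reporting01", "10.20.30.40:8080", "http://Reporting01:8080/"):
        print(f"{entry!r:32} -> {normalize_report_server_url(entry)}")
    print(agent_url_matches("reporting01:8080", "http://reporting01:8080/Reporting/"))
```

Run the checker against the URL on the Alert Configuration page after every port change; a False result is the condition under which alert events stop appearing on the Alert Events page.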

Viewing the URL of a reporting server

You can quickly view the URL of any reporting server by using the Properties dialog box. You can also change the URL of a manually added reporting server through the Properties dialog box.

To view the URL of a reporting server

1. In the Symantec System Center console, in the left pane, under Reporting, under Reporting Servers, right-click the name of the reporting server for which you want to view the URL, and then click Properties.

2. Click OK.

Removing a reporting server

You might want to remove a reporting server from the Symantec System Center console if you no longer use it.

To delete a reporting server

1. In the Symantec System Center console, in the left pane, under Reporting, right-click the name of the server that you want to delete, and then click Delete.

   If the server was added manually, the server name is deleted from the console and you no longer have access to reporting on that server. If the server was discovered, the server name is deleted from the console, but it reappears when the Discovery Service runs again.

If you uninstall a reporting server, you must do one of the following:

- Manually associate the reporting server's primary management server with a different reporting server by pointing the primary management server to a different URL. See Viewing the URL of a reporting server on page 46.
- Remove the HKEY_LOCAL_MACHINE\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Reporting\ReportServerURL registry value from the reporting server's primary management server, and then delete the reporting server from the Symantec System Center console. You must do these tasks in this order. If you delete the reporting server before you remove the registry value, the reporting server reappears in the Symantec System Center tree the next time the Discovery Service runs.

Configuring the reporting display

You can control the following features of the reporting display and the way some information appears in reports:

- The way the date and time appear in reports and on the reporting pages.
- The automatic refresh interval for the events and alerts pages. You can configure the automatic refresh time for the home page separately. See Customizing the home page on page 18.
- Whether or not active filters are included in reports.
- The parent server that determines the up-to-date virus definitions.

The general parameters apply to all user sessions for reporting. Table 4-1 describes the general parameters.

Table 4-1 General parameters for reporting display

Date format: Specifies the date format.

Date separator: Specifies the separator character to use in the date format. Appears in the reporting display as well as in any reports you create.

Default auto refresh for logs and alerts pages: Specifies how often the reporting application should refresh. The default is never.

Display active filters in reports: Specifies whether or not to include a list of filters in the reports that you generate.

Parent server: Specifies the parent server on which the virus definitions are considered to be up to date. A parent server only appears in the list if it has clients.

To configure the reporting display

1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Admin tab, click GUI Configuration > General.
3. Change any of the values for the date format, the auto-refresh time, and the up-to-date virus definition setting for parent servers.
4. Click Save.

Configuring users

The administrator user or any user who is configured with administrator role privileges can set up users for reporting. User accounts for reporting are separate from the accounts created for the Symantec System Center console. You might need to create accounts for users who log into reporting from a computer that is running only a stand-alone browser.

You can configure users with one of two roles:

- User
- Administrator

By default, the user role limits the amount of administrative information the user can see. Users who are configured with the user role do not have access to any administrative features for reporting. They cannot view information about other user accounts that are configured for reporting, and they cannot view or change the configuration of reporting agents.

Currently configured users are listed in a table at the bottom of the User Administration page. By default, all users appear in the list. You can modify the display to show only those users who are configured with administrative privileges or only those configured as general users.

To filter the user table

1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Admin tab, click User Administration.
3. In the Filter role list box, select Administrator or User. The display automatically refreshes with the selected list.

You can also limit a particular user's access to particular reports by setting up filters for the type of information the user can view. For users who are configured with the administrator role, you can set up filters so that they see only particular server groups. All of the other filters (client group, parent server, and so on) apply to users who are configured with the user role. In addition, you can temporarily disable a user account or unlock an account that was locked because a user tried three times to log into reporting unsuccessfully. If a user forgets his or her password, the administrator can reset the password on this page.

Note: You should set up at least one other administrator account so that if you forget your administrator password, you can log in through the other administrator account to change the password.

Table 4-2 lists the parameters for configuring users with access to reporting.

Table 4-2 User parameters

User Name: The user name for this reporting user.

Role: Whether this user has administrative privileges or user privileges. Administrative users have access to administrative features in reporting.

Server group: For users who are configured with the administrator role or the user role, you can limit access to particular server groups by specifying server group names and/or wildcard characters (?, *). For example, to limit access to server group names beginning with je, type je*.

Client group: For users who are configured with the user role, you can limit access to particular client groups by specifying client group names and/or wildcard characters (?, *). For example, to limit access to client group names ending in er, type *er.

Parent server: For users who are configured with the user role, you can limit access to particular parent servers by specifying parent server names and/or wildcard characters (?, *). For example, to limit access to parent server names that contain the string tion, type *tion*.

Computer: For users who are configured with the user role, you can limit access to particular computers by specifying computer names and/or wildcard characters (?, *). For example, to limit access to computers that are called 1machine, 2machine, 3machine, and so on, type ?machine.

IP address: For users who are configured with the user role, you can limit access to particular IP addresses by specifying addresses and/or wildcard characters (?, *).

Message: Text appears here to confirm that you have added a new user.

Password: The user's password. The user enters this password as the old password when logging in for the first time. This parameter is required.

Confirm password: The user's password, typed again.

Real name: The user's real name.

Phone: The user's phone number.

E-mail: The user's email address.

Disabled: Check this box to temporarily disable the user's account.

Locked: Displays whether or not the user's account is locked. By default, the account is locked after three unsuccessful logins. To unlock an account, check the box.

Days since last login: The number of days since the user last logged in.

Last login address: The IP address from which the user last logged in.

To add a new user

1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Admin tab, click User Administration.
3. In the User name text box, type a user name.
4. In the Role list box, select Administrator or User.
5. Enter the user's password, and then retype the password.
6. Set any filters for the account.
7. Click Save.

   The new user is added to the table at the bottom of the pane. An icon appears in the Kill session column of the display when the user is currently active.

To modify an existing user

1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Admin tab, click User Administration.
3. In the user table, click the select icon. The right pane redisplays with the user's account information. The user is highlighted in the table that appears at the bottom of the page.
4. Make any changes to the account.
5. Click Save.

To delete an existing user

1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Admin tab, click User Administration.
3. In the user table, click the delete icon.
4. In the Delete Entry warning, click OK.
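The following Python script is an added example for the user parameters in Table 4-2; it is not part of the Symantec software or of this guide. It implements the wildcard filter syntax the table describes (comma-separated entries, * for any run of characters, ? for one character, empty filter meaning everything) and applies a user's filters to a set of events, honouring the table's rule that only the server group filter applies to the administrator role. The same syntax is used by the alert configuration and log filters later in this chapter, so the compile_filter function applies there too. The class and function names, the event dictionaries, the sample events, and case-insensitive matching are assumptions made here.

```python
"""Apply a reporting user's access filters (server group, client group, parent
server, computer, IP address) to decide which events that user may see.

Added example for this guide, not Symantec code. The filter syntax is the
guide's: comma-separated entries, '*' matches any run of characters, '?'
matches one character (je*, *er, *tion*, ?machine), and an empty filter
includes everything. Case-insensitive matching, the event dictionaries and
the sample data are assumptions made here.
"""
import fnmatch
import re
from dataclasses import dataclass, field
from typing import Dict, List

FILTER_FIELDS = ("server_group", "client_group", "parent_server", "computer", "ip_address")
ROLES = ("Administrator", "User")


def compile_filter(spec: str) -> re.Pattern:
    """Compile a spec such as 'je*, *er' into one regular expression.
    An empty spec matches everything (the guide's default)."""
    entries = [e.strip() for e in spec.split(",") if e.strip()]
    if not entries:
        return re.compile(r".*", re.DOTALL)
    # fnmatch.translate turns each wildcard entry into an anchored regex.
    return re.compile("|".join(f"(?:{fnmatch.translate(e)})" for e in entries), re.IGNORECASE)


@dataclass
class ReportingUser:
    name: str
    role: str
    filters: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self):
        if self.role not in ROLES:
            raise ValueError(f"unknown role {self.role!r}")
        unknown = set(self.filters) - set(FILTER_FIELDS)
        if unknown:
            raise ValueError(f"unknown filter field(s): {sorted(unknown)}")
        # Per Table 4-2, only the server group filter applies to administrators;
        # every filter applies to the user role.
        applicable = FILTER_FIELDS if self.role == "User" else ("server_group",)
        self._compiled = {f: compile_filter(self.filters.get(f, "")) for f in applicable}

    def can_see(self, event: Dict[str, str]) -> bool:
        """True when every applicable filter matches the event. An event that
        lacks a filtered field does not satisfy a restrictive filter."""
        return all(p.fullmatch(event.get(f, "")) is not None for f, p in self._compiled.items())

    def visible_events(self, events: List[Dict[str, str]]) -> List[Dict[str, str]]:
        return [e for e in events if self.can_see(e)]


# Constructed sample events, one per detection, in log order.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"server_group": "jersey-city", "client_group": "finance", "parent_server": "production01",
     "computer": "1machine", "ip_address": "10.1.1.5"},
    {"server_group": "jersey-city", "client_group": "developer", "parent_server": "production01",
     "computer": "lab-box", "ip_address": "10.1.1.6"},
    {"server_group": "london", "client_group": "finance", "parent_server": "station02",
     "computer": "2machine", "ip_address": "10.2.0.7"},
    {"server_group": "jersey-city", "client_group": "developer", "parent_server": "station02",
     "computer": "3machine", "ip_address": "10.1.1.8"},
]


def visible_computers(user: ReportingUser, events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[str]:
    """Computer names of the events the user is allowed to see, in log order."""
    return [e["computer"] for e in user.visible_events(events)]


if __name__ == "__main__":
    alice = ReportingUser("alice", "User", {"server_group": "je*", "client_group": "*er"})
    dave = ReportingUser("dave", "Administrator", {"server_group": "london", "computer": "?machine"})
    print("alice sees", visible_computers(alice))
    print("dave sees", visible_computers(dave), "(computer filter ignored for administrators)")
```

Because the filters are enforced per field with the event value anchored to the whole pattern, a user restricted to ?machine cannot widen the scope by naming a computer such as 1machine-2; the match fails unless the filter itself contains a trailing *.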

Setting password rules

You can configure password rules for administrators and users, with a separate set of rules for each role. Table 4-3 describes the options for password rules.

Table 4-3 Options for password rules

Rules for role: The role to which these password rules apply.

Minimum length of password: The minimum number of characters that are required for the user's password.

Minimum number of numeric characters: The minimum number of numeric characters that must be included in the user's password.

Minimum number of times before password can be reused: The number of times that a password must be changed before a previous password can be reused. A value of zero disables this feature. The maximum is 10.

Maximum password lifetime: The maximum number of days that a user's password is valid. After the lifetime expires, users must change their passwords. A value of zero disables this feature so that the password never expires.

Maximum number of invalid logon attempts: The number of times the user can attempt to log in before the user is locked out of reporting. A value of zero disables this feature.

Inactivity timeout: The number of seconds that a user's session can remain idle before the user is automatically logged out. A value of zero disables the inactivity timeout.

Disallow password equal to username: Check or uncheck this box to prevent or allow users from using their user name as their password.

Disable user if not used for: The number of days that must pass since the user's last login before the user is locked out of reporting. A value of zero means that the user is never locked out for inactivity.

Delete user after if not used for: The number of days that must pass since the user's last login before the user is deleted from the list of reporting users. A value of zero means that the user is never deleted for inactivity.

Mark user for review after: Marks the user for review. After the specified number of days, a red icon appears next to the user name in the user list.

To set password rules for reporting user accounts

1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Admin tab, click GUI Configuration > Password Rules.
3. In the Rules for role list box, select the role.
4. Change any of the parameters for the password rules.
5. Click Save to save the rules for the selected role.
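The following Python script is an added example for the password rules in Table 4-3; it is not part of the Symantec software or of this guide. It enforces the rules that can be checked at password change and at login (minimum length, minimum numeric characters, no reuse of recent passwords, maximum lifetime, lockout after the configured number of invalid logons, and no password equal to the user name) and shows why zero means "disabled" for each. The account model, the salted PBKDF2 hashing of stored passwords, the day() helper that stands in for the clock, and the sample values are assumptions made here.

```python
"""Enforce the reporting Password Rules: minimum length, minimum numeric
characters, no reuse of recent passwords, maximum lifetime, and lockout
after too many invalid logons.

Added example for this guide, not Symantec code. The rule names, the meaning
of zero (rule disabled) and the cap of 10 on the reuse history come from the
guide; the account model, salted PBKDF2 hashing, the day() helper and the
sample values are assumptions made here.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

DEMO_START = datetime(2006, 1, 1)  # constructed reference date for the demo clock


def day(n: int) -> datetime:
    """n days after DEMO_START; keeps the demo's clock explicit."""
    return DEMO_START + timedelta(days=n)


@dataclass(frozen=True)
class PasswordRules:
    min_length: int = 8
    min_numeric: int = 1
    reuse_history: int = 5        # changes required before reuse; 0 disables, max 10
    max_lifetime_days: int = 90   # 0 disables (password never expires)
    max_invalid_logons: int = 3   # 0 disables lockout
    disallow_equal_username: bool = True

    def __post_init__(self):
        if not 0 <= self.reuse_history <= 10:
            raise ValueError("reuse history must be between 0 and 10")


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: Optional[bytes] = None
    previous: List[bytes] = field(default_factory=list)  # most recent first
    changed_at: Optional[datetime] = None
    invalid_logons: int = 0
    locked: bool = False


def validate_new_password(rules: PasswordRules, acct: Account, candidate: str) -> List[str]:
    """Return the rule violations for a candidate password (empty if acceptable)."""
    problems = []
    if len(candidate) < rules.min_length:
        problems.append(f"shorter than {rules.min_length} characters")
    if sum(c.isdigit() for c in candidate) < rules.min_numeric:
        problems.append(f"fewer than {rules.min_numeric} numeric characters")
    if rules.disallow_equal_username and candidate.lower() == acct.username.lower():
        problems.append("equals the user name")
    if rules.reuse_history:
        # The current password and the most recent history entries are blocked.
        recent = ([acct.current] if acct.current else []) + acct.previous
        digest = _hash(candidate, acct.salt)
        if any(hmac.compare_digest(digest, old) for old in recent[: rules.reuse_history]):
            problems.append(f"reuses one of the last {rules.reuse_history} passwords")
    return problems


def set_password(rules: PasswordRules, acct: Account, candidate: str, now: datetime) -> List[str]:
    """Apply the rules; on success store the new hash and return an empty list."""
    problems = validate_new_password(rules, acct, candidate)
    if problems:
        return problems
    if acct.current is not None:
        acct.previous = [acct.current] + acct.previous[:9]  # never more than 10 kept
    acct.current = _hash(candidate, acct.salt)
    acct.changed_at = now
    return []


def password_expired(rules: PasswordRules, acct: Account, now: datetime) -> bool:
    if rules.max_lifetime_days == 0 or acct.changed_at is None:
        return False
    return now - acct.changed_at > timedelta(days=rules.max_lifetime_days)


def attempt_login(rules: PasswordRules, acct: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'expired', 'invalid' or 'locked', maintaining the lockout counter."""
    if acct.locked:
        return "locked"
    if acct.current is None or not hmac.compare_digest(_hash(password, acct.salt), acct.current):
        acct.invalid_logons += 1
        if rules.max_invalid_logons and acct.invalid_logons >= rules.max_invalid_logons:
            acct.locked = True  # an administrator unlocks it on the User Administration page
            return "locked"
        return "invalid"
    acct.invalid_logons = 0
    return "expired" if password_expired(rules, acct, now) else "ok"
```

The lockout counter is reset only by a successful logon, so three failures spread over separate sessions still lock the account, which matches the three-attempt behaviour described under Configuring users. The inactivity timeout and the disable-or-delete-after-N-days rules are not modelled because they depend on session and last-login timestamps the example does not track.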

Configuring alerts

You can create the alert conditions that determine whether notifications are sent to administrators about events in your security network.

Note: You can also create notifications to be sent if the reporting agents go down. See Specifying notification options for agents on page 92.

To generate alerts, you create alert configurations that are based on events that are logged by your security products. When alert conditions are met, the notification can send email to specified users, write information to the reporting database (alert log), or run a batch file.

You should configure the Alert Agent to send notifications through your email server. You can also specify the email-from address and the reporting URL to be used in the notifications that the agent sends out. The Alert Agent configuration also specifies the name of the batch file that is executed for notifications with that option enabled. Because that batch file runs on the reporting server every time a matching alert fires, restrict who can modify the file and the Alert Agent configuration. See Specifying email notification parameters on page 93.

Creating alert configurations

Alerts are notifications about events happening in your security network. You can configure notifications to be sent when an event occurs. The notification can be an email to an administrator. You can also send the alert notification to the reporting database to be logged in the alert log, and you can specify that a batch file runs when the alert occurs.

The alerts list shows the alerts that have been sent for events in your security network. You can filter the list to make viewing the alerts easier.

You can create several types of alert configurations. Table 4-4 describes the types of alert configurations.

Table 4-4 Types of alert configurations

Virus outbreak: Sends notifications based on the overall number of viruses that are found within a given time period.

Outbreak on a single computer: Sends notifications when a set number of viruses is found on a single computer.

Outbreak by # of computers: Sends notifications when a set number of computers have detected viruses.

Single virus event: Sends notifications when a virus is found on a single computer.

Find new viruses: Sends notifications when new viruses are found.

New report available: Sends notifications at the start of a new day, month, or year. Email notifications include a link to the full risk report.

Virus definitions out of date: Sends notifications when virus definitions are out of date for a set number of computers.

To configure an alert

1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.

2. On the Alerts tab, click Alert Configuration.

3. Under What type of alert would you like to manage, in the Alert type list box, select the type of alert that you want to configure.

4. Click Create Alert.

5. Under What filter settings would you like to use, set the filters for the events that trigger this alert notification. Some filters are not available, depending on the type of alert you selected.

   Server group: Specifies particular server group names and/or wildcard characters (?, *). For example, to specify server group names beginning with je, type je*. Separate each entry with a comma. By default, all server groups are included.

   Client group: Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er. Separate each entry with a comma. By default, all client groups are included.

   Parent server: Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify parent server names that contain the string tion, type *tion*. Separate each entry with a comma. By default, all parent servers are included.

   Computer: Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, and so on, type ?machine. Separate each entry with a comma. By default, all computers are included.

   Risk name: Specifies particular risk names and/or wildcard characters (?, *). Separate each entry with a comma. By default, all risks are included.

   Risk severity: Specifies a particular risk severity. The risk categories correspond to the risk levels that are defined by Symantec Security Response. Select the category from the list box. By default, all categories are included.

   Source: Specifies the source of the event, for example, a scheduled scan.

   Action: Specifies the action that was taken as a result of the event.

   Online only: Includes only the computers that are connected to their parent server.

   Checked-in today: Includes only the computers that checked in with their parent servers today.

6. Under What settings would you like for this alert, do one of the following:

   - In the Alarm if text box, enter the number of occurrences of the security event, and then enter the number of minutes within which those occurrences must happen to trigger the notification.
   - In the Alarm if new report available list box, select the type of report that triggers the alert (daily, monthly, or yearly risk report).

7. Under What should happen when this alert is triggered, check or uncheck Write alert to database to log the notification to the alerts log. This option is not available for the Single virus event or New report available alert types.

8. Check or uncheck Execute configured batch file to run the batch file that you specify on the Agent Configuration page. See Specifying email notification parameters on page 93.

9. In the Send e-mail to these addresses text box, type the email addresses to which the notification should be sent. Separate each entry with a comma.

10. Next to Hyperlink to, select report or event list.

11. Click Save.

    The new alert appears in the list.
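The following Python script is an added example for the Alarm if setting in step 6 and the outbreak alert types in Table 4-4; it is not part of the Symantec software or of this guide. It evaluates "N occurrences within M minutes" over a stream of risk events for the Virus outbreak, Outbreak on a single computer, and Outbreak by # of computers types, so you can see which events would trigger each configuration before relying on the emailed notifications. The sliding-window evaluation, the event tuple format, the class and function names, and the sample events are assumptions made here.

```python
"""Evaluate the 'Alarm if N occurrences within M minutes' rule for three alert
types: Virus outbreak (all detections on the network), Outbreak on a single
computer (detections per computer) and Outbreak by # of computers (distinct
computers with detections).

Added example for this guide, not Symantec code. The alert types and the
occurrences-within-minutes threshold come from the guide; the sliding-window
evaluation, the event tuple format and the sample events are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample risk events: (detection time, computer, risk name).
SAMPLE_EVENTS: List[Tuple[datetime, str, str]] = [
    (datetime(2006, 3, 1, 9, 0), "1machine", "W32.Sample.A"),
    (datetime(2006, 3, 1, 9, 2), "2machine", "W32.Sample.A"),
    (datetime(2006, 3, 1, 9, 3), "1machine", "W32.Sample.B"),
    (datetime(2006, 3, 1, 9, 4), "3machine", "W32.Sample.A"),
    (datetime(2006, 3, 1, 9, 30), "1machine", "W32.Sample.A"),
    (datetime(2006, 3, 1, 9, 31), "1machine", "W32.Sample.A"),
]

ALERT_TYPES = ("virus_outbreak", "single_computer", "computer_count")


class OutbreakAlert:
    """One alert configuration. The alarm condition holds when the count
    reaches `occurrences` inside a sliding window of `minutes`. observe()
    reports the condition for every event while it holds, so a caller that
    sends email should add its own suppression of repeats."""

    def __init__(self, kind: str, occurrences: int, minutes: int):
        if kind not in ALERT_TYPES:
            raise ValueError(f"unknown alert type {kind!r}")
        if occurrences < 1 or minutes < 1:
            raise ValueError("occurrences and minutes must be positive")
        self.kind, self.occurrences = kind, occurrences
        self.window = timedelta(minutes=minutes)
        # Detection times per key: '' for network-wide counting, the computer
        # name for per-computer counting.
        self._times: Dict[str, Deque[datetime]] = defaultdict(deque)
        # Most recent detection per computer, for the distinct-computer count.
        self._last_seen: Dict[str, datetime] = {}

    def observe(self, when: datetime, computer: str) -> bool:
        """Feed one detection (events must arrive in time order); return True
        when the alarm condition holds after this event."""
        if self.kind == "computer_count":
            self._last_seen[computer] = when
            in_window = sum(1 for t in self._last_seen.values() if when - t < self.window)
            return in_window >= self.occurrences
        key = computer if self.kind == "single_computer" else ""
        q = self._times[key]
        q.append(when)
        while q and when - q[0] >= self.window:  # discard detections outside the window
            q.popleft()
        return len(q) >= self.occurrences


def run_alert(kind: str, occurrences: int, minutes: int,
              events: List[Tuple[datetime, str, str]] = SAMPLE_EVENTS) -> List[datetime]:
    """Replay events in time order; return the detection times at which the
    alarm condition held."""
    alert = OutbreakAlert(kind, occurrences, minutes)
    return [when for when, computer, _risk in sorted(events) if alert.observe(when, computer)]


if __name__ == "__main__":
    for kind, n, m in (("virus_outbreak", 3, 10), ("single_computer", 2, 10), ("computer_count", 3, 10)):
        print(f"{kind}: {n} in {m} min ->", [t.strftime("%H:%M") for t in run_alert(kind, n, m)])
```

With the sample events, three detections anywhere within ten minutes first holds at 09:03, two detections on one computer within ten minutes holds at 09:03 and again at 09:31, and three distinct computers within ten minutes holds at 09:04. Feed the same replay the events from an exported risk log to tune the N and M values before enabling email notification.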

Viewing alert events

You can view the notifications that were sent out. Only those notifications that are configured with the Write alert to database option are listed in the alert events log. You can view details about any alert event. After you review the alert events log, you might want to acknowledge or unacknowledge the alerts.

You can also configure the refresh interval for the alerts log. Automatic refresh is off (Never) unless an administrator sets a default or you select an interval on the page. The interval you set also sets the refresh for the risk log. See Setting automatic refresh intervals on page 60.

Table 4-5 describes the settings for filtering the alerts list.

Table 4-5 Alert events settings

Time range: Includes only those alert events in the selected date range. If you choose Set specific dates, the Start date and End date options must be set.

Start date: Sets the start date for the date range. Only available when you select Set specific dates for the time range.

End date: Sets the end date for the date range. Only available when you select Set specific dates for the time range.

Filter acknowledged: Shows only acknowledged alerts or only unacknowledged alerts. The default is all alerts.

Alert type: Includes only those alerts with the specified alert type.

Filter created by: Includes only those alerts that are based on notifications created by the selected user.

Limit: Specifies how many events are included on each page of the alert log display.

Server Group: Specifies particular server group names and/or wildcard characters (?, *). For example, to specify server group names beginning with je, type je*. Separate each entry with a comma. By default, all server groups are included.

Parent Server: Specifies particular parent server names and/or wildcard characters (?, *). For example, to specify parent server names that contain the string tion, type *tion*. Separate each entry with a comma. By default, all parent servers are included.

Computer: Specifies particular computer names and/or wildcard characters (?, *). For example, to specify the computers that are called 1machine, 2machine, 3machine, and so on, type ?machine. Separate each entry with a comma. By default, all computers are included.

Client Group: Specifies particular client group names and/or wildcard characters (?, *). For example, to specify client group names ending in er, type *er. Separate each entry with a comma. By default, all client groups are included.

Risk Name: Specifies particular risk names and/or wildcard characters (?, *). Separate each entry with a comma. By default, all risks are included.

Risk Severity: Specifies particular risk severities and/or wildcard characters (?, *). Separate each entry with a comma. By default, risks of all severities are included.

Source: Specifies the source of the event that triggered the alert notification, for example, a scheduled scan.

Actual Action: Includes only those alert notifications that are based on the selected action.

To view the alert events log

1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.

2. On the Alerts tab, click Alert Events.

3. Do one of the following:

   - Select an existing filter from the Use saved filter list box.
   - Click Advanced Settings to create a new filter for the log.

4. If you selected Advanced Settings, make any changes to the filtering options.

5. If you want to save the filter settings, click Save Filter. To save the filter settings under a new configuration name, in the Name text box, type a new configuration name. A message appears that the filter is saved, and the filter is listed in the Use saved filter list box.

6. Click View Alerts.

Acknowledging or unacknowledging alerts

You can acknowledge or unacknowledge alerts in the alert events log.

To acknowledge alerts

1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Alerts tab, click Alert Events.
3. Click Advanced Settings.
4. Make sure the date range is set to the desired range, and then set any other filters that you want to apply to the log display.
5. Set Filter Acknowledged to All or Not acknowledged, so that the alerts you want to acknowledge are displayed.
6. Click View Log.
7. Under Alert Events, do one of the following:

   - Click the red Acknowledge icon next to the alert that you want to acknowledge.
   - Click the icon in the column heading to acknowledge all alerts that currently appear on the page.

To unacknowledge alerts

1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Alerts tab, click Alert Events.
3. Click Advanced Settings.
4. Make sure the date range is set to the desired range, and then set any other filters that you want to apply to the log display.
5. Set Filter Acknowledged to All or Acknowledged, so that the alerts you want to unacknowledge are displayed.
6. Click View Log.
7. Under Alert Events, do one of the following:

   - Click the green Unacknowledge icon next to the alert that you want to unacknowledge.
   - Click the icon in the column heading to unacknowledge all alerts that currently appear on the page.

Viewing alert event details

You can display details about events that are listed in the alert events log.

To display alert event details

1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Alerts tab, click Alert Events.
3. Configure any filters that you want to set for displaying the alert events log.
4. Click View Log. The log appears at the bottom of the page.
5. In the column to the left of the alert event for which you want to display details, click the More info icon.

Setting automatic refresh intervals

You can set the automatic refresh intervals for the following items in the reporting display:

- Home page
- Logs and alert events

The home page refresh is independent of the logs and alert events refresh value. If you change the refresh interval for the home page, the setting is saved for your sessions. Other reporting users can change the refresh for their own sessions.

There is a single refresh value for the risk, scan, and inventory logs and for alert events. An administrator can set the default value, which applies to all user sessions. Any user can set the automatic refresh for logs and alert events by setting the refresh on any of the log pages or on the alert events page. If you change the value on one page, the value changes for all the log pages and the alert events page. The value overrides the default setting for the current user only.

To set the automatic refresh interval for the home page

1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Home tab, click Homepage Configuration.
3. In the Homepage auto-refresh text box, type the number of seconds after which you want the home page to refresh. The minimum value is 30 seconds; however, you can enter 0 to disable automatic refresh. If you enter a value between 1 and 29, the value is automatically changed to 30.
4. Click Save.

To set the global default refresh interval for alerts and events

1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. On the Admin tab, click GUI Configuration > General.
3. Under Auto Refresh, in the Default auto refresh for events and alerts pages text box, type the number of seconds after which you want the alerts and events pages to refresh. The minimum value is 30 seconds; however, you can enter 0 to disable automatic refresh. If you enter a value between 1 and 29, the value is automatically changed to 30.
4. Click Save.

To set the automatic refresh interval for logs and alert events

1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2. Do one of the following:

   - On the Alerts tab, click Alert Events.
   - On the Logs tab, click Risk Logs.
   - On the Logs tab, click Scan Logs.
   - On the Logs tab, click Inventory Logs.

3. In the Auto-refresh list box, select the automatic refresh interval. The default is Never. The page refreshes immediately, and the next refresh occurs after the interval you specified.

Chapter 5

Using logs

This chapter includes the following topics:

- About logs
- Viewing logs
- Saving log configuration settings
- Viewing risk logs
- Viewing scan logs
- Viewing computer status logs
- Using events in logs

About logs

The reporting software lets you view lists of events from your security products. It includes event data from your primary and secondary management servers as well as from all the clients that report to those servers. You may want to view this information to troubleshoot security problems in your network or to delete events that you no longer need. For example, if you test your servers and have phantom clients or viruses, you might want to delete those events from your logs before you run the servers in a live network. You can also export the log event data to a file for importing into a spreadsheet application or for restoring the events to your reporting server.

You can view three types of logs:

- Risk logs
- Scan logs
- Computer status logs

You can filter each log based on:

- An existing report that uses similar settings
- Basic settings for viewing the log
- Advanced settings for filtering the log events

If you get database errors when generating logs that include a large amount of data, you might want to change the database timeout parameters. See the section called Changing timeout parameters. If you get CGI or terminated process errors, you might want to change other timeout parameters. Information about additional timeout parameters is provided in the Symantec Knowledge Base article called "Reporting server does not report or shows a timeout error message when querying large amounts of data."

Viewing logs

You can generate a list of events from your logs based on a collection of filter settings that you select. You can save the filter configuration to generate the log at a later date. There is a default filter configuration for each log type. You can modify and save the configuration for the default filter. You can create new filter configurations that are based on the default or on an existing configuration that you created. You can delete customized configurations if you do not need them. See Saving log configuration settings on page 65.

To view a log quickly

1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.

2. On the Logs tab, do one of the following:

   - Click Risk Logs.
   - Click Scan Logs.
   - Click Computer Status Logs.

3. Under What filter settings would you like to use, in the Use saved filter list box, select an existing filter or use the default.

4. Change any basic or advanced settings.

5. Click View Log. The log events appear in the lower part of the pane. You can display additional information about each event. You can also save the settings.

Saving log configuration settings

You can save your log settings so that you can generate the same log again at a later date. Your settings are saved in the reporting database. If you need to re-install the reporting server, make sure that your database information is preserved. See Restoring an MSDE reporting database on page 106. Each filter setting is described later in this chapter.

To save a log configuration

1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.

2. On the Logs tab, do one of the following:

   - Click Risk Logs.
   - Click Scan Logs.
   - Click Computer Status Logs.

3. Under What filter settings would you like to use, click Advanced Settings.
4. Change any of the settings.
5. Click Save Filter.
6. In the Name box, type a name for a new filter configuration or leave the existing filter name.
7. Click Save.

To delete a log configuration

1. Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.

2. On the Logs tab, do one of the following:

   - Click Risk Logs.
   - Click Scan Logs.
   - Click Computer Status Logs.

3. In the Use saved filter box, select the name of the log configuration that you want to delete.
4. Click the Delete icon.
5. Click OK.

Viewing risk logs

The risk log includes risk events from the logs on your primary management server, any secondary servers, and their clients. You can filter the information so that only certain types of risk events appear in the display, and you can specify advanced filters to limit the display further.

Note: Some of the options that you can select for a filter depend on the product type that you select.

You can also configure automatic refresh for the log. If no refresh interval is configured for the risk log or the alert log, the risk log uses the automatic refresh interval of the general reporting display. The risk log and the alert log share one setting: configuring the refresh interval for the alert log also configures it for the risk log, and vice versa. See Setting automatic refresh intervals on page 60.

Table 5-1 shows the filter options for the risk log.

Table 5-1 Settings for risk logs

Product
  Specifies only the risks that are found by Symantec AntiVirus, by Symantec Client Firewall, or by all (both) products. The default is Symantec AntiVirus.

Time range
  Sets the range of time over which risks were found to include in the log display. If you choose Set specific dates, you must also set the Start date and End date options.

Start date
  Sets the start date for the time range. Only available when you select Set specific dates for the time range.

End date
  Sets the end date for the time range. Only available when you select Set specific dates for the time range.

Event type
  Specifies the types of events to include. The event types that appear in the list depend on the setting for Product. The default is all events.

Action taken
  Specifies which actions, as performed by your security product, to include in the log display. The action types that appear in the list depend on the setting for Product. The default is all actions.

Scan type
  Limits the log to events that occurred during a particular type of scan, for example a scheduled scan or a manual scan. By default, events from every type of scan are included.

Risk type
  Specifies a particular risk type: viral, trackware, spyware, hack tool, security risk, jokeware, heuristic, adware, remote access, non-viral malicious code, or dialer. By default, all risk types appear in the log.

Risk Severity
  Limits the log to risks with a particular severity. Severity is one of unknown, 1 (very low), 2 (low), 3 (moderate), 4 (severe), or 5 (very severe). For more details about severity, see the Symantec Security Response Web site. By default, risks of every severity are included.

Server group
  Specifies particular server group names, with or without the wildcard characters ? (any single character) and * (any run of characters). For example, to specify server group names beginning with je, type je*. Separate multiple entries with commas. By default, all server groups are included.

Client group
  Specifies particular client group names, with or without wildcard characters (?, *). For example, to specify client group names ending in er, type *er. Separate multiple entries with commas. By default, all client groups are included.

Parent server
  Specifies particular parent server names, with or without wildcard characters (?, *). For example, to specify parent server names that contain the string tion, type *tion*. Separate multiple entries with commas. By default, all parent servers are included.

Computer
  Specifies particular computer names, with or without wildcard characters (?, *). For example, to specify computers named 1machine, 2machine, 3machine, and so on, type ?machine. Separate multiple entries with commas. By default, all computers are included.

IP address
  Specifies particular IP addresses, with or without wildcard characters (?, *). Separate multiple entries with commas. By default, all IP addresses are included.

User
  Specifies particular user names, with or without wildcard characters (?, *). Separate multiple entries with commas. By default, all users are included.

Risk name
  Specifies particular risk names, with or without wildcard characters (?, *). Separate multiple entries with commas. By default, all risks are included.

Limit
  Specifies how many events are included on each page of the log display.

Sort order
  Specifies the sort order for columns in the log display. Each column can be sorted in ascending or descending order.
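The name, group, IP address and user fields in Table 5-1 (and the same fields in Tables 5-2 and 5-3) all take comma-separated entries with the ? and * wildcards. The following Python is an added example, written for this page and not code from the guide or from the Symantec product, that implements such a matcher and runs it over a handful of constructed events. The guide does not say whether matching is case-insensitive or whether an entry must match the whole name, so the example assumes both (whole-string, case-insensitive, as Windows hostnames are compared); the event records and field names are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample events; these are not entries from the guide's own logs.
EVENTS: List[Dict[str, str]] = [
    {"computer": "1machine", "parent": "production-srv", "group": "server", "ip": "10.1.2.3"},
    {"computer": "10machine", "parent": "distribution", "group": "engineer", "ip": "10.1.9.77"},
    {"computer": "LAPTOP7", "parent": "corp-srv", "group": "finance", "ip": "192.168.0.5"},
]


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn one filter entry into an anchored regex: ? is exactly one character, * is any
    run of characters, everything else (including the dots in an IP address) is literal.
    Assumption: names are matched whole and case-insensitively."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def compile_field(field_value: str) -> List["re.Pattern[str]"]:
    """A filter field holds comma-separated entries; whitespace around an entry is ignored
    and an empty field imposes no restriction (the guide's "By default, all ... are included")."""
    entries = [e.strip() for e in field_value.split(",") if e.strip()]
    return [wildcard_to_regex(e) for e in entries]


def field_matches(field_value: str, candidate: str) -> bool:
    """True when the field is empty or any one of its entries matches the candidate."""
    patterns = compile_field(field_value)
    return not patterns or any(p.match(candidate) for p in patterns)


def filter_events(events: List[Dict[str, str]], **fields: str) -> List[Dict[str, str]]:
    """Apply several fields at once; every populated field must match for an event to be
    kept, which is how the log filters narrow the display."""
    return [e for e in events if all(field_matches(v, e[k]) for k, v in fields.items())]


if __name__ == "__main__":
    # "?machine" keeps 1machine but not 10machine: ? stands for exactly one character.
    for e in filter_events(EVENTS, computer="?machine"):
        print(e["computer"])
```

Note that ? is a single-character wildcard, so ?machine does not match 10machine; use *machine for names of any length. The dots in an IP address entry such as 10.1.?.* are matched literally because every non-wildcard character is escaped before it reaches the regex engine.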

To view risk logs

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.

2 On the Logs tab, click Risk Logs.

3 Under What filter settings would you like to use, click the product for which you want to view risk events.

4 If you want to use a saved filter, select the filter from the Use saved filter list box.

5 In the Time range list box, select the range for which you want to view risk events. If you select Set specific dates, select the start date and the end date for the range.

6 If you want to use additional filters on the display, click Advanced Settings, and then configure any filters you want to use. You can save the current settings. See Saving log configuration settings on page 65.

7 Click View Log.

Viewing scan logs

The scan log includes scan events from the logs on your primary management server, any secondary servers, and their clients. You can filter the information so that only certain types of scan events appear in the display, and you can specify advanced filters to limit the display further.

Table 5-2 shows the filter options for scan logs.

Table 5-2 Settings for scan logs

Time range
  Sets the range of time over which scan events occurred to include in the display. If you choose Set specific dates, you must also set Start date and End date.

Start date
  Sets the start date for the time range. Only available when you select Set specific dates for the time range.

End date
  Sets the end date for the time range. Only available when you select Set specific dates for the time range.

Duration greater than
  Includes only scans whose duration exceeds this value.

Files scanned greater than
  Limits the data to scans that scanned more than this number of files.

Risks greater than
  Limits the data to scans that found more than this number of risks.

Files infected greater than
  Limits the data to scans that found more than this number of infected files.

Scan start message
  Includes only those events with the selected scan message.

Status
  Specifies whether to include all scans, only completed scans, or only cancelled scans.

Limit
  Specifies how many events are included on each page of the log display.

Server group
  Specifies particular server group names, with or without wildcard characters (?, *). For example, to specify server group names beginning with je, type je*. Separate multiple entries with commas. By default, all server groups are included.

Client group
  Specifies particular client group names, with or without wildcard characters (?, *). For example, to specify client group names ending in er, type *er. Separate multiple entries with commas. By default, all client groups are included.

Parent server
  Specifies particular parent server names, with or without wildcard characters (?, *). For example, to specify parent server names that contain the string tion, type *tion*. Separate multiple entries with commas. By default, all parent servers are included.

Computer
  Specifies particular computer names, with or without wildcard characters (?, *). For example, to specify computers named 1machine, 2machine, 3machine, and so on, type ?machine. Separate multiple entries with commas. By default, all computers are included.

IP address
  Specifies particular IP addresses, with or without wildcard characters (?, *). Separate multiple entries with commas. By default, all IP addresses are included.

User
  Specifies particular user names, with or without wildcard characters (?, *). Separate multiple entries with commas. By default, all users are included.

Sort order
  Specifies the sort order for columns in the log display, either ascending or descending.

To view scan logs

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.

2 On the Logs tab, click Scan Logs.

3 Under What filter settings would you like to use, in the Use saved filter list box, select an existing filter or use the default filter.

4 In the Time range list box, select the time period over which you want to view scan events.

5 If you want to use additional filters on the display, click Advanced Settings.

6 Configure any filters you want to use for the display. You can save the current settings. See Saving log configuration settings on page 65.

7 Click View Log. The event data appears at the bottom of the pane.

Viewing computer status logs

The computer status log includes status (or inventory) information about the computers in your security network. You can filter the information so that only certain types of client status events appear in the display, and you can specify advanced filters to limit the display further.

Computer status logs show the computers in your network that are infected. These computers require manual attention; for example, you might have to download a tool from the Symantec Web site to clean a particular risk. After you manually clean a computer, you can clear its infected status by using the computer status log. See Administering daily workflow to eliminate risks on page 112.

Table 5-3 describes the settings for computer status logs.

Table 5-3 Settings for computer status logs

Time range
  Sets the range of time, by last check-in, over which computers are included in the log display. If you choose Set specific dates, you must also set Last checkin time.

Last checkin time
  The last time that the computer checked in with its parent server. Only available when you select Set specific dates for the time range.

Definition date
  Includes only those computers with this particular virus definition date.

Antivirus product version
  Includes only those computers with this Symantec AntiVirus product version.

Antivirus scan engine version
  Includes only those computers with this Scan Engine version.

Firewall version
  Includes only those computers with this Symantec Client Firewall version.

Firewall policy file
  Includes only those computers with this firewall policy name.

Online
  Includes all computers, only those computers that are connected to their parent servers, or only those computers that are not connected to their parent servers.

Auto-Protect status
  Includes computers with any Auto-Protect status, or only those computers with Auto-Protect enabled, disabled, or status unknown.

Limit
  Specifies how many events are included on each page of the log display.

Server group
  Specifies particular server group names, with or without wildcard characters (?, *). For example, to specify server group names beginning with je, type je*. Separate multiple entries with commas. By default, all server groups are included.

Client group
  Specifies particular client group names, with or without wildcard characters (?, *). For example, to specify client group names ending in er, type *er. Separate multiple entries with commas. By default, all client groups are included.

Parent server
  Specifies particular parent server names, with or without wildcard characters (?, *). For example, to specify parent server names that contain the string tion, type *tion*. Separate multiple entries with commas. By default, all parent servers are included.

Computer
  Specifies particular computer names, with or without wildcard characters (?, *). For example, to specify computers named 1machine, 2machine, 3machine, and so on, type ?machine. Separate multiple entries with commas. By default, all computers are included.

IP address
  Specifies particular IP addresses, with or without wildcard characters (?, *). Separate multiple entries with commas. By default, all IP addresses are included.

User
  Specifies particular user names, with or without wildcard characters (?, *). Separate multiple entries with commas. By default, all users are included.

Infected only
  Includes only computers with infections.

Sort order
  Specifies the sort order for columns in the log display, either ascending or descending.

View
  Displays either the Symantec AntiVirus version or the Symantec Client Firewall version in the report.

Computer type
  Includes only parent servers or only primary management servers. The default is both (all).

To view computer status logs

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.

2 On the Logs tab, click Computer Status Logs.

3 Under What filter settings would you like to use, in the Use saved filter list box, select an existing filter or use the default filter.

4 If you want to use additional filters on the display, click Advanced Settings.

5 Configure any filters you want to use for the display. You can save the current settings. See Saving log configuration settings on page 65.

6 Click View Log.

Using events in logs

You can display event details from logs. In addition, you can export the log data in several formats, and you can delete log entries.

Displaying event details

You can display details about the events that are listed in the logs.

Note: If the Log Sender Agent is configured to discard security risk action events, the side effects table in the event detail window does not display any data. See Reducing the volume of security risk events sent to the reporting server on page 91.

Figure 5-1 shows a sample event detail window.

Figure 5-1 Sample event detail window

To display event details

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.

2 On the Logs tab, do one of the following:

  Click Risk Logs.
  Click Scan Logs.
  Click Computer Status Logs.

3 Under What filter settings would you like to use, in the Filter list box, select an existing filter or use the default.

4 Change any basic or advanced settings.

5 Click View Log. The log appears at the bottom of the page.

6 In the event column, next to the event whose details you want to view, click the More info icon.

Exporting log events

You can export your event logs in two formats: delimited or Log Reader. If you want to view your log data in a spreadsheet application, the delimited format exports the log to a file that spreadsheet applications can read. You might also want to export your logs before you delete any log records; the Log Reader format lets you reinsert the event data into the reporting database later without doing a database restore.

To export logs

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.

2 On the Logs tab, do one of the following:

  Click Risk Logs.
  Click Scan Logs.
  Click Computer Status Logs.

3 Change any basic or advanced settings.

4 Click View Log.

5 Click Export this log.

6 Select the export option:

  Delimited format
    Exports the event data as fields separated by a special character such as a comma or a semicolon. You can then import a file in this format into a spreadsheet application such as Microsoft Excel.

  Log Reader format
    Exports the event data in the format that the Log Reader Agent reads. To reinsert exported events, copy the file to the following directory on your reporting server: \Program Files\Symantec\Reporting Server\Upload. The Log Reader Agent processes the event data the next time it runs. Because the agent ingests any file it finds in this directory, restrict write access to the directory to administrators.

7 If you selected Delimited format, type the separator character in the Field separator text box.

8 Click Export. The Export Event Data message appears in a new window and indicates the location of the exported file, which is \Program Files\Symantec\Reporting Server\Web\Temp.

9 Click Close window to close the Export Event Data window.

Deleting log events

You can delete events from your logs. Typically you would only delete events if you have been running test data in your network. Before you delete, back up the event data by exporting it first. See Exporting log events on page 76.

To delete log events

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.

2 On the Logs tab, do one of the following:

  Click Risk Logs.
  Click Scan Logs.
  Click Computer Status Logs.

3 Under What filter settings would you like to use, in the Filter list box, select an existing filter or use the default.

4 Change any basic or advanced settings.

5 Click View Log. The log appears at the bottom of the page.

6 Do one of the following:

  Check the boxes next to the individual events that you want to delete from the log.
  Click Select All to select all events that are displayed on the page. Only the displayed events are selected for deletion. You can click Select None to deselect all of the selected items.

7 Click the right arrow to display any additional events to select for deletion.

8 Click Delete selected entries.

9 Click OK. All of the events that you selected are deleted from the reporting database. They no longer appear in the log if you display it again, and they do not appear in any reports that you generate.

Chapter 6

Configuring reporting agents

This chapter includes the following topics:

  About reporting agents
  Configuring reporting agents
  Specifying email notification parameters
  Specifying notification parameters for the disk full check
  Using agent logs
  Registry keys for agent configuration

About reporting agents

The reporting software collects events from computers in your security network through its agent service. The agent service is made up of several components that collect events and send them to the reporting server. Some of the agents reside on the reporting server and others reside on the primary management server. If your reporting server and your primary management server are the same computer, all of the agents reside on that single computer. If you have secondary servers in your security environment and you want to collect computer status (inventory) events from those servers, you must install the reporting agents on those servers. For information about installing reporting agents, see the Symantec Client Security Installation Guide or the Symantec AntiVirus Installation Guide.

Table 6-1 describes the reporting agents.

Table 6-1 Reporting agents

Log Reader (Computer Status)
  The Log Reader Agent for computer status runs on the reporting server and processes the inventory files sent by the Computer Status Agents. The inventory files contain state information about parent servers and clients. Typically, you do not need to change the polling frequency for the Log Reader (Computer Status).

Log Reader (Events)
  The Log Reader Agent for events runs on the reporting server and processes the events contained in the log files sent by the Log Sender Agents. If you change the polling frequency for the Log Reader (Events), performance can suffer: when the Log Sender has posted a large volume of events, a single processing run can take longer than the configured polling interval.

Alert Agent
  The Alert Agent runs on the reporting server, checks the status of the other agents, and sends out notifications for any agent that has been configured for notifications. The agent also monitors the disk space available to the reporting database. If the free disk space on the reporting server falls below 100 MB, the Alert Agent logs an alert in the database and sends out email notifications. You can change the 100 MB default on the Agent Notification page.

Scheduled Reporting Agent
  The Scheduled Reporting Agent runs on the reporting server and tracks the number of clients on each virus definition version. The agent also creates the scheduled reports that you configure, as well as a default scheduled report for monitoring the rollout of virus definitions to the computers in your network. You might want to increase or decrease this agent's interval to change how often the virus definition statistics for your security network are updated.

Virus Category Agent
  The Virus Category Agent runs on the reporting server. It monitors the Symantec Security Response Web site for information about risks. The information it collects includes the ThreatCon level, the severity of risks (categories 1 through 5), and when risks were discovered.

Database Maintenance
  The Database Maintenance Agent runs on the reporting server and, at particular intervals, deletes old records and compresses duplicate events. The agent performs maintenance on log files, events, compressed events, alerts, clients that have not checked in, clients that have been removed or renamed, old virus definition history records, scans, unused virus definition records, EICAR events, and inactive users. See Configuring the reporting database maintenance agent on page 102.

Database Backup
  The Database Backup Agent runs on the reporting server and creates backup files of the database records. The backup is written to \Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\Backup\BACKUP_<date>_<time>. You might want to change the interval between backups depending on the amount of data in the database; for example, if you have large amounts of data, you might want to schedule backups more frequently. Your organization might also have auditing requirements that call for database backups at particular intervals. See Configuring the reporting database backup options on page 104.

Log Sender
  The Log Sender Agent runs on primary management servers and collects event information from the log files of your security products. The agent determines the location of the log files from the ALLUSERSPROFILE environment variable; typically the log files are in \..\Application Data\Symantec\Symantec Antivirus Corporate Edition\7.5\logs. The Log Sender Agent also aggregates virus and firewall events and keeps a count of the number of duplicate instances of the same event. You can configure how long the Log Sender waits before it sends an aggregated record to the reporting server, and you can turn off aggregation by setting Aggregate redundant events every to 0. See Configuring event aggregation on page 89.

Computer Status
  The Computer Status Agent runs on parent servers and secondary servers and collects state information about parents and clients. The agent writes the state information to an inventory file and uploads the file to the reporting server.

Configuring reporting agents

An administrator (or any user who is configured with administrator privileges) can configure how often each reporting agent runs. When an agent runs, it collects information from the reporting server, the primary management server, the secondary management servers, and the client computers in your security network. The reporting function then uses this information when you generate reports. You can also configure notifications to be sent by email when an agent has not completed a successful run within a certain amount of time. (Notifications are not sent if the Alert Agent itself is down, because the Alert Agent is responsible for sending them.) The administrator can also check the agent status and configure how often the agents are scheduled to run. In addition, an administrator can configure logging and tracing for agents to help troubleshoot problems with agents that fail to run.

Agent scheduling and status checking

Each agent runs on a default schedule, which you can change. Once a minute, the reporting software checks each agent's next run time, which is also configurable. If the agent's next run is now or in the past, the agent runs immediately and then follows its configured polling frequency: the reporting software calculates the next run time by adding the frequency to the current time. An agent's status is considered up, or running, while it keeps to its scheduled run time.

In addition to its frequency and next run time, each agent has a configurable Warn after period. The agent is considered down, or not running, when the current time minus the Warn after period is later than the agent's last run time. For example, if the current time is 10:00 and the Warn after period is 30 minutes, the reporting software declares the agent down if its last run time is earlier than 9:30. A red icon next to the agent name on the Agent Status page indicates that the agent is down. If you see that an agent is down, check the following:

  The configuration of the agent's scheduling and status checking parameters
  The agent logs

The Alert Agent runs on its own schedule and determines when to send out a notification that an agent is down. Each time it runs, it makes the same status calculation for each agent (the current time minus that agent's Warn after period) and, if the calculated time is later than the agent's last run time, sends out the notifications configured for that agent. If you want notifications to go out promptly when an agent is down, configure the Alert Agent with a short frequency so that it picks up the down status right away. The Alert Agent is also responsible for sending out notifications about your security products.

Note: If the Alert Agent itself is down, no notifications are sent out. See Configuring alerts on page 52.

Typically you should use the default values provided for agent scheduling. However, you might want to change these values depending on the requirements of your security network.

Note: If you have log files with a large number of events, the Log Sender Agent's initial run might take longer than its scheduled frequency.

You can also disable an agent and prevent it from running if you want to troubleshoot a problem with it.

Table 6-2 summarizes the agents' scheduling and status checking parameters.

Table 6-2 Agent scheduling and status checking parameters

Run every
  The frequency, or how often, the agent runs. The reporting software adds this value to the current time to calculate the next run time automatically. You can also change the next run time by specifying the Regularly scheduled next run. You configure the frequency for each agent on the Agent Configuration page.

Next run
  The next time the agent will run. The reporting software calculates this time automatically by adding the frequency to the current time. You configure the next run time for each agent on the Agent Configuration page.

Warn after
  The amount of time that the reporting software subtracts from the current time to determine whether an agent is down. If the calculated time is later than the agent's last run time, the agent is considered down. You configure the Warn after time for each agent on the Agent Notification page.

Note: The combined polling frequencies of the Log Sender, the Log Reader, and the reporting interface determine how long it takes for event data to appear in the reports you view. Typically, you should not change the default values.

Checking agent status

You can check the status of the local agents on the reporting server as well as the remote agents that are installed on the primary and secondary management servers. For the local agents, on the Agent Status page in the reporting pane, a green icon appears next to agents that are up and a red icon next to agents that are down.

Note: Depending on how you configure an agent's frequency and its Warn after period, the agent's status on the Agent Status page might not reflect its current state. In addition, the remote agent status in the Symantec System Center console is not available until the remote agents have completed their initial runs.

Make sure that you do not configure an agent's schedule to be longer than its status checking value (the Warn after value on the Agent Notification page). For example, if you set the Log Sender Agent to run every two hours but configure its Warn after value to be one hour, the Agent Status page shows the Log Sender Agent as down during the second hour of every cycle, even though you configured it not to run during that time.

A red icon might appear next to an agent for the following reasons:

  The agent did not run at its scheduled time, for example because the agent service was stopped or the computer on which it is installed went down. If you restore your reporting database, the agent service stops automatically and you must restart it.
  The agent's polling cycle exceeds the agent's status checking (Warn after) value.
  The agent started and failed, and the Warn after period then expired. Before the Warn after period expires, the agent is still considered up and the icon on the Agent Status page is green. After the Warn after period expires, the icon turns red to indicate that the agent is considered down, and any notifications that you have configured are sent out.
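The status rule, the once-a-minute scheduler check, and the Run every versus Warn after misconfiguration described above, as an added Python example written for this page (it is not code from the guide or from the reporting software). The parameter names follow Table 6-2; the Agent class, the helper functions, the constructed clock times, and two details the guide leaves open are assumptions: an agent that has never run is treated as down, and an agent whose last run is exactly Warn after ago is still up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Agent:
    """One reporting agent with the Table 6-2 parameters (the names are the guide's; the class is not)."""
    name: str
    run_every: timedelta                 # "Run every": polling frequency
    warn_after: timedelta                # "Warn after": status-checking window
    last_run: Optional[datetime] = None  # set when the agent actually runs
    next_run: Optional[datetime] = None  # "Next run": last run + Run every


def minutes(n: int) -> timedelta:
    return timedelta(minutes=n)


def at(hour: int, minute: int) -> datetime:
    """Clock times on one constructed day, so the example is reproducible offline."""
    return datetime(2006, 1, 1, hour, minute)


def is_down(agent: Agent, now: datetime) -> bool:
    """The guide's rule: down when (now - Warn after) is later than the last run time.
    Assumption: an agent that has never run is reported as down, since it has no last
    run time to compare (the guide only says its status is not accurate until it runs)."""
    if agent.last_run is None:
        return True
    return now - agent.warn_after > agent.last_run


def scheduler_tick(agent: Agent, now: datetime) -> bool:
    """The once-a-minute check: if the next run is now or in the past, the agent runs and
    its next run time becomes now + Run every. Returns True when the agent ran."""
    if agent.next_run is None or agent.next_run <= now:
        agent.last_run = now
        agent.next_run = now + agent.run_every
        return True
    return False


def misconfigured(agents: List[Agent]) -> List[str]:
    """Names of agents whose Run every exceeds Warn after: they show a red icon between
    runs even though they are healthy, the case the guide tells you to avoid."""
    return [a.name for a in agents if a.run_every > a.warn_after]


def pending_notifications(agents: List[Agent], alert_agent: Agent, now: datetime) -> List[str]:
    """What one run of the Alert Agent would notify about. If the Alert Agent is itself
    down, nothing goes out, which is why it needs a short frequency of its own."""
    if is_down(alert_agent, now):
        return []
    return [a.name for a in agents if is_down(a, now)]


if __name__ == "__main__":
    # The guide's worked example: it is 10:00, Warn after is 30 minutes, last run was 9:25.
    reader = Agent("Log Reader (Events)", minutes(10), minutes(30), last_run=at(9, 25))
    print(reader.name, "down" if is_down(reader, at(10, 0)) else "up")
    # Run every two hours with Warn after one hour is flagged before it causes false alarms.
    sender = Agent("Log Sender", timedelta(hours=2), timedelta(hours=1))
    print("misconfigured:", misconfigured([reader, sender]))
```

The misconfigured check is the one to run after any schedule change: a Warn after value shorter than Run every guarantees a red icon and, if notifications are configured, an email every Alert Agent cycle until the next scheduled run.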

To check the status of the local agents

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.

2 On the Admin tab, click Agent Status.

A remote agent might not check in with the reporting server for many reasons, including the following:

  The computer on which the agent is running is down.
  The agent might be installed incorrectly.

To check the status of the remote agents

1 In the Symantec System Center console, in the left pane, click the server or server group name for which you want to see agent status.

2 In the toolbar, click the reporting icon.

3 Click OK.

Specifying scheduling options for agents


Typically, you do not need to configure scheduling options for the agents that have polling frequencies in minutes. For the agents that poll on a daily or weekly basis, such as the Database Maintenance Agent, you might want to configure the run time so they poll on the time or day you select. Note: When you first install reporting, you might want to set the Log Sender and Log Reader Agents to poll every minute so that their status appears on the Agent Status page. Otherwise, the agent status will not be accurate until the agents run (the default schedule is 10 minutes). You can force the Log Reader, Log Sender, and Computer Status Agents to run immediately by using an option in the Symantec System Center console. In Run Now mode, these agents run continually for five minutes. After five minutes, each agent returns to its scheduled mode. You can also disable event aggregation on the Log Sender Agent.


To specify scheduling options for local agents

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Admin tab, click Agent Configuration.
3 Under the Change column, next to the agent for which you want to change the scheduled run time, click the icon.
4 Do one or both of the following:
  Next to Run every, in the text box, type the wanted number, and then in the list box, select minutes, hours, days, weeks, or months for scheduling the agent.
  Next to Next run, in the selection drop-down boxes, select the hour and minute to start the next agent run.
5 Click Save.

To specify scheduling options for remote agents

1 In the Symantec System Center console, in the left pane, under System Hierarchy, right-click the server for which you want to configure agent scheduling.
2 Click All Tasks > Reporting Configuration > Configure Report Agents.
3 Under Computer Status, in the Scan Inventory every text box, type the number of minutes after which the Computer Status Agent should check the status of the server and its clients. The default is 1 minute.
4 If you configure the remote agents on a primary management server, under Log Sender, in the Process logs every box, type the number of minutes after which the Log Sender Agent should scan logs for events. The default is 10 minutes.
5 Click OK.

To run the Log Sender, Computer Status, and Log Reader Agents immediately

1 In the Symantec System Center console, in the left pane, under System Hierarchy, right-click the server for which you want to run the agents immediately.
2 Click All Tasks > Reporting Configuration > Run Now.

The Log Sender and Log Reader Agents run immediately. After the agents run and update the reporting server with the latest log information, they return to their previous schedule. If the schedule indicates that an agent should already have run, it runs immediately and then follows its next scheduled run time.

Disabling an agent
You can prevent a local agent from running by disabling it. (You cannot disable the remote agents.) For example, if you are running your own database maintenance scripts you might want to disable the Database Maintenance Agent. Or, you might not want to use the Alert Agent if you do not configure alerts for events in your security network.


Note: If you disable the Log Reader (for computer status or events), your reports will not be accurate.

To disable an agent

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Admin tab, click Agent Configuration.
3 For the agent that you want to disable, click the Edit icon.
4 Check Disable Agent.
5 If a warning dialog appears, click OK.
6 Click Save.

Configuring event aggregation

You can determine how long the Log Sender Agent waits before aggregating redundant virus and firewall events. The default is five minutes. The Log Sender Agent sends the first occurrence of a virus or firewall event to the reporting server. During the specified amount of time, any other similar event is not sent to the reporting server. After the specified amount of time, the Log Sender Agent sends an event that includes a count of the number of the same events that occurred during the wait period.

Note: The first occurrence of the event includes the location of the affected file, and the event that carries the aggregation count includes only that location. If the virus has infected files in different locations and you want to know what the locations are, check the log file on the affected computer.

You might want to increase the amount of time the agent waits before aggregating events if you have an outbreak situation in your security network. In an outbreak situation you have many aggregated events if the agent aggregates events every minute. Fewer aggregated events save network bandwidth and require less space in the reporting database. If you want to make sure that you see every instance of the same event, you can disable aggregation.


To configure event aggregation

1 In the Symantec System Center console, in the left pane, under System Hierarchy, right-click the primary management server on which the Log Sender Agent is running.
2 Click All Tasks > Reporting Configuration > Configure Reporting Agents.
3 Under Log Sender, in the Aggregate redundant events every box, type the number of minutes the Log Sender Agent should wait before aggregating redundant virus and firewall events. The range of values is 0 minutes to 60 minutes. To disable aggregation, set the value to 0.
4 Click OK.
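The following simulation is an added example written for this guide's description of aggregation; it is not Symantec's code, and the Log Sender Agent's real implementation is not documented here. It models only what the text above says: the first occurrence is forwarded at once, identical events inside the wait window are held back, one event with the count of held-back occurrences is forwarded when the window closes, and a window of 0 forwards everything. Two details are assumptions: events are treated as "the same" when kind, risk name and host match, and the count covers occurrences after the first. The sample events are constructed, and the script also records the file locations that never reach the reporting server, which is exactly the information the note says you must recover from the client's own log.

```python
"""Simulation of the Log Sender Agent's redundant-event aggregation (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    time: datetime
    kind: str   # "virus" or "firewall"
    name: str   # risk name or firewall rule
    host: str
    path: str   # affected file for virus events; empty for firewall events


@dataclass(frozen=True)
class Forwarded:
    event: Event   # the first occurrence; the only location that is forwarded
    count: int     # 1 for a first occurrence, N for an aggregate of N later ones


class LogSenderAggregator:
    def __init__(self, aggregate_every_minutes: int) -> None:
        if not 0 <= aggregate_every_minutes <= 60:
            raise ValueError("Aggregate redundant events every: range is 0 to 60")
        self.window = timedelta(minutes=aggregate_every_minutes)
        # key -> (first occurrence, number of later occurrences held back)
        self._open: Dict[Tuple[str, str, str], Tuple[Event, int]] = {}
        self.sent: List[Forwarded] = []
        self.suppressed_paths: List[str] = []   # locations that never reach the server

    @staticmethod
    def _key(e: Event) -> Tuple[str, str, str]:
        # Assumption: "same event" means same kind, risk name and host.
        return (e.kind, e.name, e.host)

    def _flush(self, now: datetime, force: bool = False) -> None:
        """Close windows that have expired (or all of them when force is set)."""
        for key, (first, held) in list(self._open.items()):
            if force or now - first.time >= self.window:
                if held:
                    self.sent.append(Forwarded(first, held))
                del self._open[key]

    def observe(self, e: Event) -> None:
        self._flush(e.time)
        if self.window == timedelta(0):          # value 0: aggregation disabled
            self.sent.append(Forwarded(e, 1))
            return
        key = self._key(e)
        if key in self._open:
            first, held = self._open[key]
            self._open[key] = (first, held + 1)
            if e.path:
                self.suppressed_paths.append(e.path)
        else:
            self.sent.append(Forwarded(e, 1))      # first occurrence goes out at once
            self._open[key] = (e, 0)

    def flush_all(self, now: datetime) -> None:
        self._flush(now, force=True)


def run_sample(window_minutes: int):
    """Feed a constructed burst of events (not real log data) through the aggregator."""
    t0 = datetime(2006, 3, 1, 9, 0, 0)

    def at(minutes: int) -> datetime:
        return t0 + timedelta(minutes=minutes)

    events = [
        Event(at(0), "virus", "W32.Sample", "ws01", r"C:\temp\a.exe"),
        Event(at(1), "virus", "W32.Sample", "ws01", r"C:\temp\b.exe"),
        Event(at(2), "virus", "W32.Sample", "ws01", r"C:\temp\c.exe"),
        Event(at(3), "firewall", "Block inbound", "ws01", ""),
        Event(at(6), "virus", "W32.Sample", "ws01", r"C:\temp\d.exe"),
    ]
    agg = LogSenderAggregator(window_minutes)
    for e in events:
        agg.observe(e)
    agg.flush_all(at(7))
    sent = [(f.event.name, f.count, f.event.path) for f in agg.sent]
    return sent, agg.suppressed_paths


if __name__ == "__main__":
    for window in (5, 0):
        sent, lost = run_sample(window)
        print(f"window={window} min: {len(sent)} events forwarded; locations not forwarded: {lost}")
        for name, count, path in sent:
            print(f"  {name:14} count={count} path={path}")
```

With the default five-minute window the burst of five events reaches the server as four: the first W32.Sample event, the firewall event, an aggregate carrying count 2 and the first event's path, and the fresh W32.Sample event that opened a new window at minute six. The paths of b.exe and c.exe are only in the client's log. With the window set to 0, all five events are forwarded individually.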

Configuring the language option for the Log Sender and Computer Status Agents

When the Log Sender and Computer Status Agents read logs and interpret computer status information, they automatically detect the language that is used by the operating system on the parent server. If you have a mixed environment, however, where the parent server uses English and any of the clients that are connected to that parent server use a different language, you should specify the language of the clients that are connected to the parent server. Otherwise, the information you see in the logs and reports might be garbled. You can specify the language option during the reporting server installation or during reporting agent installation on a remote computer. See the Symantec Client Security Installation Guide or the Symantec AntiVirus Installation Guide. You can specify the following languages:

Latin 1
Japanese
Korean
Hungarian or Polish
Russian
Simplified Chinese
Traditional Chinese

The Reporting Agents Options dialog box contains the complete list of Latin 1 languages.


To configure the language option for the Log Sender and Computer Status Agents

1 In the Symantec System Center console, in the left pane, under System Hierarchy, right-click the parent server.
2 Click All Tasks > Reporting Configuration > Configure Reporting Agents.
3 Under Language, in the list box, select the language of the clients that report to the selected parent server.
4 Click OK.

Reducing the volume of security risk events sent to the reporting server

By default, the Log Sender Agent sends security risk action events to the reporting server. If your security network experiences a large volume of security risks, you might have a large volume of events forwarded to the reporting server. To reduce the volume of events, you can prevent the Log Sender Agent from sending events about actions taken on security risks. Events about security risk occurrences are still sent to the server, but events about the actions taken (side effects) as a result of those security risks are not sent. If you prevent the Log Sender Agent from sending security risk action events to the reporting server, the event detail window for a security risk event will not show any actions. See Displaying event details on page 74.

To prevent the Log Sender Agent from sending security risk action events to the reporting server

1 In the Symantec System Center console, in the left pane, under System Hierarchy, right-click the parent server.
2 Click All Tasks > Reporting Configuration > Configure Reporting Agents.
3 Under Log Sender, check Discard security risk action events.
4 Click OK.

Configuring proxy settings for the Virus Category Agent


The Virus Category Agent retrieves information from the Symantec Web site. You should configure proxy settings for the Virus Category Agent if your reporting server is installed on a computer that uses a proxy server to access the Internet.


To configure proxy settings for the Virus Category Agent

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Admin tab, click Agent Configuration.
3 Click the Edit icon next to the Virus Category Agent.
4 Under What proxy settings would you like, do the following:
  In the HTTP proxy box, type the name of the proxy server in the format <DNS name>:<port number>.
  In the Proxy user box, type the user ID that has access to the proxy server.
  In the Proxy password box, type the password for the user ID that has access to the proxy server. Because the reporting server stores this credential so that the agent can use it, use a proxy account dedicated to the agent rather than an administrator's account.
5 Click Save.

Specifying notification options for agents


You might want to configure the notifications that can be sent to administrators who are responsible for monitoring your security network. Notifications alert the users that an agent is down. An agent might be down because a computer is down, or because an agent was installed incorrectly. An agent could also be down because of a misconfiguration of agent parameters. In addition to specifying notifications for agents, you can also specify notifications to be sent when the Disk Full limit is reached (100 MB). The Disk Full limit is the amount of free disk space available on the reporting server. If the free disk space falls below 100 MB, the Log Sender and Computer Status Agents cannot upload files to the reporting server.


To specify notifications for a local or remote agent

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Admin tab, click Agent Notification.
3 Under the Edit column, next to the agent for which you want to configure notifications, click the Edit icon.
4 Under What notification settings would you like, next to Warn after, type the value in the text box, and then in the drop-down menu select minutes, hours, or days to wait after the last run time before declaring that the agent is down. Set Warn after to more than the agent's Run every interval; a Warn after value shorter than the agent's polling cycle reports the agent as down between normal runs.
5 For any agent except the Alert Agent, do the following:
  Check or uncheck Enable e-mail response.
  In the Notify emails box, type the email address of the person who should receive the notification about this agent. If you want to include multiple recipients, separate each email address with a comma.
6 Click Save.

Specifying email notification parameters


You can specify email server information for the Alert Agent to use when sending out notifications about events in your security network or about reporting agent status.


To specify email notification parameters

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Admin tab, click Agent Configuration.
3 Click the Edit icon next to the Alert Agent.
4 Under What mail notification parameters would you like, do the following:
  In the SMTP server box, type the path to your email server.
  In the Mail 'from' address box, type the address that should appear as the return address in the notification emails that the Alert Agent generates.
  In the Reporting URL box, type the reporting server URL. The URL must be correct in order for alerts to appear in the alert events log. The URL also appears in email notifications.
  In the Batch file box, type the name of the batch file that should run when notifications are sent out. The batch file is located in \Program Files\Common Files\Symantec Shared\Reporting Agent\Win 32. Only users with administrative privileges can write to this directory, which matters because the batch file runs automatically each time a notification is sent; keep write access to it restricted.
5 Click Save.

Specifying notification parameters for the disk full check


In addition to configuring notifications for reporting agent status, you can also configure notifications to alert users when the amount of free disk space on the reporting server falls below a certain amount.

To configure notifications for the disk full check

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Admin tab, click Agent Notification.
3 Click the Change icon next to Disk Full Check.
4 Under What notification settings would you like, in the Warn after free space less than text box, enter the free disk space threshold to be used for the notification.
5 Check Enable e-mail response.
6 In the Notify emails box, type the email address of the person who should receive the notification. If you want to include multiple recipients, separate each email address with a comma.
7 Click Save.

Using agent logs


The reporting agents each have a log file that you can use to troubleshoot agent activity. For example, if an agent's status is down, you can check the agent log to see whether any errors were logged or whether there are no new entries in the agent's log. If there are no new entries, the agent is not running correctly. The agent logs are located in the \Program Files\Common Files\Symantec Shared\Reporting Agents\Win32 directory.

Table 6-3 Agent names and corresponding log names

Agent name                     Log name
Log Reader (Computer Status)   LogReaderInventory_<date>.log
Log Reader (Events)            LogReaderEvents_<date>.log
Alert                          notag_<date>.log
Scheduled Reporting            history_<date>.log
Virus Category Agent           viruscat_<date>.log
Database Maintenance           DBmaint_<date>.log
Database Backup                \Backup\Backup_<date>\backup.dat
Log Sender                     logsender_<date>.log
Computer Status                Parent_Inv_<date>.log

You can specify how often the reporting software deletes an agent's log and whether or not tracing is enabled for the agent. Tracing provides additional information in the agent logs for troubleshooting.
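The script below is an added example, not part of this guide or of the product. It applies two rules stated on this page to a directory listing of the agent log directory: an agent whose log has no new entries is not running correctly (this section), and an agent is declared down once its Warn after period has elapsed since its last run (the Agent Status discussion and the Agent Notification page). For each agent it picks the newest <prefix>_YYYY-MM-DD.log file (prefixes from Table 6-3; the date suffix form follows the DBmaint_YYYY-MM-DD.log name given in Table 7-1), treats that file's last-write time as the last run, and flags the agent when that time is older than its Warn after value. The directory listing and Warn after values are constructed for the example. Database Backup writes backup.dat into dated subdirectories rather than a .log file and is not covered.

```python
"""Stale-agent check over the reporting agent log directory (added example)."""
import re
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Agent name -> log file prefix, from Table 6-3.
LOG_PREFIX = {
    "Log Reader (Computer Status)": "LogReaderInventory",
    "Log Reader (Events)": "LogReaderEvents",
    "Alert": "notag",
    "Scheduled Reporting": "history",
    "Virus Category Agent": "viruscat",
    "Database Maintenance": "DBmaint",
    "Log Sender": "logsender",
    "Computer Status": "Parent_Inv",
}


def parse_warn_after(value: int, unit: str) -> timedelta:
    """Warn after = <value> <minutes|hours|days>, as entered on the Agent Notification page."""
    if value <= 0 or unit not in ("minutes", "hours", "days"):
        raise ValueError(f"bad Warn after value: {value} {unit}")
    return timedelta(**{unit: value})


def newest_log(agent: str, listing: Dict[str, datetime]) -> Optional[Tuple[str, datetime]]:
    """Newest log for the agent by last-write time; None when no log exists at all.

    The pattern is anchored so that rotated copies (for example .log.bak) and other
    files sharing the prefix do not match. NTFS names are case-insensitive, hence IGNORECASE.
    """
    pattern = re.compile(
        r"^" + re.escape(LOG_PREFIX[agent]) + r"_\d{4}-\d{2}-\d{2}\.log$", re.IGNORECASE
    )
    matches = [(name, mtime) for name, mtime in listing.items() if pattern.match(name)]
    return max(matches, key=lambda m: m[1]) if matches else None


def agent_status(agent: str, listing: Dict[str, datetime],
                 warn_after: timedelta, now: datetime) -> str:
    """'up' while the Warn after period has not elapsed, 'down' after it, 'no log' if never written."""
    latest = newest_log(agent, listing)
    if latest is None:
        return "no log"
    return "down" if now - latest[1] > warn_after else "up"


def check_all(listing: Dict[str, datetime], warn_after: Dict[str, timedelta],
              default_warn: timedelta, now: datetime) -> Dict[str, str]:
    return {agent: agent_status(agent, listing, warn_after.get(agent, default_warn), now)
            for agent in LOG_PREFIX}


# Constructed directory listing (file name -> last write time), not a real server.
SAMPLE_NOW = datetime(2006, 3, 2, 10, 0, 0)
SAMPLE_LISTING = {
    "logsender_2006-03-02.log": datetime(2006, 3, 2, 9, 55),
    "logsender_2006-03-01.log.bak": datetime(2006, 3, 1, 23, 59),  # rotated copy; must not count
    "LogReaderEvents_2006-03-02.log": datetime(2006, 3, 2, 9, 58),
    "LogReaderInventory_2006-03-01.log": datetime(2006, 3, 1, 23, 59),
    "DBmaint_2006-03-01.log": datetime(2006, 3, 1, 2, 0),
    "viruscat_2006-02-28.log": datetime(2006, 2, 28, 4, 0),
    "Parent_Inv_2006-03-02.log": datetime(2006, 3, 2, 9, 59),
}
# Constructed Warn after values; agents not listed use the default passed to check_all.
SAMPLE_WARN_AFTER = {
    "Log Reader (Computer Status)": parse_warn_after(30, "minutes"),
    "Database Maintenance": parse_warn_after(2, "days"),
    "Virus Category Agent": parse_warn_after(1, "days"),
}


def sample_check() -> Dict[str, str]:
    return check_all(SAMPLE_LISTING, SAMPLE_WARN_AFTER, parse_warn_after(1, "hours"), SAMPLE_NOW)


if __name__ == "__main__":
    for agent, status in sample_check().items():
        print(f"{status:6}  {agent}")
```

On the constructed listing the Log Sender, both Log Readers for events, and the Computer Status Agent are up; the Log Reader for computer status is down because its newest log was last written ten hours ago against a 30-minute Warn after; the Virus Category Agent is down on a one-day threshold; and Alert and Scheduled Reporting have never written a log, which this script reports separately because it usually means an installation problem rather than a stopped agent.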

Enabling or disabling agent tracing


The reporting software maintains logs for all of the reporting agents. You might want to look at the log files if the agent status indicates that an agent is down. The logs contain any errors that might have occurred. Also, if the log does not contain any new entries, the agent might be installed incorrectly or the computer on which the agent is installed is down.

The log files are deleted every week. You might want to delete log files more frequently if your computer has limited disk space.

The log files may be configured for tracing, which includes debugging information in the logs. You might want to enable tracing for a particular agent when the agent is consistently down. Or you might want to enable tracing for the Log Reader to determine whether or not a local agent inserts information into the reporting database. If you are having trouble with database maintenance, you might want to enable tracing for the Database Maintenance Agent. See Configuring the reporting database maintenance agent on page 102. Do not enable tracing for long periods of time unless you suspect a problem.

To enable or disable tracing for local agents

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Admin tab, click Agent Configuration.
3 In the Change column, next to the agent for which you want to configure tracing, click the Change icon.
4 Under What settings would you like for logging and tracing, check or uncheck Tracing.
5 Click Save.

To enable or disable tracing for remote agents

1 In the Symantec System Center console, in the left pane, under System Hierarchy, right-click the primary or secondary management server on which the remote agents are installed.
2 Click All Tasks > Reporting Configuration > Configure Report Agents.
3 Under Computer Status, check or uncheck Enable tracing.
4 If you are configuring tracing on a primary management server, under Log Sender, check or uncheck Enable tracing.
5 Click OK.


Deleting agent logs


By default, agent logs are deleted after seven days. You can change the number of days if you want to purge the logs more quickly or if you want to wait longer before the logs are deleted. Because the agent logs are the record you use to troubleshoot an agent that is reported down, do not set a retention shorter than the time you need to investigate. You can specify delete options for your local agents in the reporting Admin feature. You use the Symantec System Center console to specify delete options for the remote agents (Computer Status and Log Sender).

To configure the amount of time before logs are deleted for local agents

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Admin tab, click Agent Configuration.
3 In the Change column, next to the agent for which you want to configure log deletion, click the icon.
4 Under What settings would you like for logging and tracing, next to Delete logs after, enter the number of days after which you want logs deleted for this agent.
5 Click Save.

To configure the amount of time before logs are deleted for remote agents

1 In the Symantec System Center console, in the left pane, under System Hierarchy, right-click the primary or secondary management server on which the remote agents are installed.
2 Click All Tasks > Reporting Configuration > Configure Report Agents.
3 Under Computer Status, in the Delete logs after text box, type the number of days after which you want the logs to be deleted for this agent.
4 If you configure the amount of time before logs are deleted on a primary management server, under Log Sender, in the Delete logs after text box, type the number of days after which you want the logs to be deleted for this agent.
5 Click OK.

Registry keys for agent configuration


You can configure parameters for agent file processing through the Windows registry. These parameters are configurable only through the registry. You can also configure agent scheduling through the registry, although the scheduling parameters are also available through the reporting user interface and the Symantec System Center console.


About registry keys for agent file processing


By default, the Log Sender Agent stops processing files when the free disk space on the Log Sender's computer is less than 100 MB. When the 100 MB limit is reached, the Log Sender Agent logs a low disk space error to its own log and waits until the next polling cycle to check the disk space again.

Note: There is also a 100 MB threshold on the reporting server. If the reporting server's free disk space goes lower than 100 MB, the Log Sender Agent continues to send files, but the reporting server cannot process them. You can configure a notification to alert you and other users about the reporting server's available disk space. See Specifying notification parameters for the disk full check on page 94.

By default, the Log Sender and Computer Status Agents process log files and create temporary files of 2 MB for uploading to the reporting database. You can change the minimum disk space value on the Log Sender computer by adding a new DWORD value under HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Reporting.

By default, the Log Sender processes 2,000 records and then sleeps for one second. When the Log Sender sleeps, it relinquishes the CPU. You might want to change these defaults if you are running other applications on the reporting server computer. You can change these defaults by adding new DWORD values to the registry under HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Reporting\LogSender\LocalData.

Table 6-4 describes the registry keys for agent configuration.

Table 6-4 Registry keys for agent file processing

Registry key       Description
MinDiskSize        Configures the amount of available disk space, in megabytes, that triggers the Log Sender Agent to stop processing files. The default is 100 MB.
FileSizeLimit      Configures the size, in bytes, of the temporary files that the Log Sender Agent and the Computer Status Agent upload to the reporting database. The default is 2,000,000 bytes.
BatchProcessSize   Configures the number of records the Log Sender processes before it sleeps and relinquishes the CPU. The default is 2,000 records.
Sleep              Configures the number of seconds for which the Log Sender stops processing files and relinquishes the CPU after processing the number of records that are specified by BatchProcessSize. The default is one second.

About registry keys for agent scheduling


You can configure agent scheduling through the reporting UI. However, you might want to modify the scheduling parameters through the registry. These registry keys apply to the Log Sender and Computer Status Agents only. Table 6-5 describes the registry keys for agent scheduling.

Table 6-5 Registry keys for agent scheduling

Registry key     Description
NextRun          Configures the next run time for the Log Sender and Computer Status Agents. The format is YYYY-MM-DD hh:mm:ss.
RunNow           Specifies a DWORD value for the duration of the Run Now mode for the Log Sender and Computer Status Agents. After the agents start running, the value is decremented each second until it reaches zero. The default is 300 seconds (five minutes).
RunNowNextRun    Configures the next time RunNow will take effect. Only applies when the RunNow value is greater than zero. The format is YYYY-MM-DD hh:mm:ss.
Frequency        Configures how often the agent runs, in seconds. The default given here is 60 seconds for both the Log Sender and Computer Status Agents; the Symantec System Center console, however, shows a default of 10 minutes for the Log Sender Agent's Process logs every setting, so check the value that is actually present on your server before changing it.

The NextRun, RunNow, and RunNowNextRun registry keys are located under the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Reporting\Inventory\LocalData
HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Reporting\LogSender\LocalData

The Frequency registry key is located under the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Reporting\Inventory
HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Reporting\LogSender
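The script below is an added example, not from this guide, that writes the values from Tables 6-4 and 6-5 as a .reg file for import with regedit. It places each value under the key path the guide gives and encodes it as the .reg format requires: DWORD values as dword: followed by eight hexadecimal digits (MinDiskSize, FileSizeLimit, BatchProcessSize, Sleep and RunNow are described above as DWORDs), and NextRun and RunNowNextRun as strings in YYYY-MM-DD hh:mm:ss form. Two points are assumptions rather than documented facts: that Frequency is a DWORD like the other numeric values, and that NextRun and RunNowNextRun are stored as REG_SZ strings. Confirm both against an existing value with reg query before importing the output. The range checks are the author's sanity checks, not product limits, and the values in sample_reg are constructed, not recommendations.

```python
"""Write the agent registry values from Tables 6-4 and 6-5 as a .reg file (added example)."""
from datetime import datetime
from typing import Dict, List, Union

BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Reporting"

# File-processing values (Table 6-4): value name -> key path.
FILE_KEYS = {
    "MinDiskSize": BASE,
    "FileSizeLimit": BASE + r"\LogSender\LocalData",
    "BatchProcessSize": BASE + r"\LogSender\LocalData",
    "Sleep": BASE + r"\LogSender\LocalData",
}
# Scheduling values (Table 6-5): value name -> (subkey under the agent key, value type).
# Assumption: Frequency is a DWORD; NextRun/RunNowNextRun are REG_SZ strings.
SCHED_KEYS = {
    "NextRun": ("LocalData", "datetime"),
    "RunNow": ("LocalData", "dword"),
    "RunNowNextRun": ("LocalData", "datetime"),
    "Frequency": ("", "dword"),
}
AGENT_SUBKEY = {"Computer Status": "Inventory", "Log Sender": "LogSender"}


def reg_dword(value: int) -> str:
    """.reg syntax for a REG_DWORD: dword: plus eight lowercase hex digits."""
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a DWORD: {value!r}")
    return f"dword:{value:08x}"


def reg_datetime(value: datetime) -> str:
    """.reg syntax for a quoted string in the YYYY-MM-DD hh:mm:ss form the guide gives."""
    if not isinstance(value, datetime):
        raise ValueError("NextRun and RunNowNextRun must be datetimes")
    return '"' + value.strftime("%Y-%m-%d %H:%M:%S") + '"'


def build_reg(file_processing: Dict[str, int],
              scheduling: Dict[str, Dict[str, Union[int, datetime]]]) -> str:
    """Return .reg text; an unknown value or agent name raises KeyError instead of being written."""
    sections: Dict[str, List[str]] = {}

    def put(path: str, name: str, rendered: str) -> None:
        sections.setdefault(path, []).append(f'"{name}"={rendered}')

    for name, value in file_processing.items():
        if value < 1:   # sanity check: 0 MB, 0 bytes, 0 records or 0 seconds is never intended
            raise ValueError(f"{name} must be at least 1")
        put(FILE_KEYS[name], name, reg_dword(value))

    for agent, values in scheduling.items():
        agent_path = BASE + "\\" + AGENT_SUBKEY[agent]
        for name, value in values.items():
            subkey, kind = SCHED_KEYS[name]
            path = agent_path + ("\\" + subkey if subkey else "")
            if name == "Frequency" and value < 1:
                raise ValueError("Frequency is in seconds and must be at least 1")
            put(path, name, reg_dword(value) if kind == "dword" else reg_datetime(value))

    lines = ["Windows Registry Editor Version 5.00"]
    for path, entries in sections.items():
        lines += ["", f"[{path}]", *entries]
    return "\n".join(lines) + "\n"


def sample_reg() -> str:
    """Constructed values: raise the Log Sender's low-disk threshold and shrink its batch,
    and give the Computer Status Agent a 02:00 next run with a five-minute frequency."""
    return build_reg(
        {"MinDiskSize": 200, "BatchProcessSize": 1000, "Sleep": 2},
        {"Computer Status": {"NextRun": datetime(2006, 3, 2, 2, 0, 0), "Frequency": 300}},
    )


if __name__ == "__main__":
    print(sample_reg(), end="")
```

Review the generated file before importing it: the hex encoding is the usual place mistakes hide (200 MB must appear as dword:000000c8, not dword:00000200), and a value written under the wrong key path is silently ignored by the agent.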

Chapter 7

Maintaining the reporting database

This chapter includes the following topics:

About database maintenance
Configuring the reporting database maintenance agent
Configuring the reporting database backup options
Restoring an MSDE reporting database
Tuning database server memory allocation
Changing timeout parameters

About database maintenance


Databases receive and store a constant flow of data. They also generate a constant flow of log files. Databases are maintained so that the stored data and log files do not consume the available disk space and crash the computer on which they run. The reporting database receives and stores a constant flow of client inventory, scan times, risk event times, and so forth. All reporting agents that run on the reporting server, such as the database maintenance and backup agents, generate log files when they run. As a result, you need to be aware of the default database maintenance settings, understand what they mean, and change them if the disk space that is consumed by the reporting database seems to grow constantly. Also, if there is a large spike in risk activity, you may need to delete some data from the database to protect the available disk space on the server.


Configuring the reporting database maintenance agent


Users who are reporting administrators can configure reporting database maintenance agent settings. Database maintenance agent settings let you manage the size of your database by specifying how long to keep data. You can also specify how often to perform database maintenance. Table 7-1 describes the database maintenance agent parameters that you can modify. The maximum value that you can enter is 65,536.

Table 7-1 Database maintenance agent parameters

Parameter                  Description
Disable agent              Enable or disable the agent.
Run every                  Maintenance frequency. The minimum value is 1.
Next run                   When the next maintenance occurs. You can modify the date and time values to specify an exact time when the next maintenance run occurs.
Delete logs after          Time to keep log files. The log files are located at x:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\DBmaint_YYYY-MM-DD.log. For maintenance that occurs on the same date, the log file for that date is appended. For maintenance that occurs on different dates, new log files are created.
Tracing                    Specifies whether to generate debug information in the log file. If you think that you have trouble with maintenance runs, you can enable tracing to generate additional debug information in the log file. When you enable tracing, you see the words Tracing Enabled in the third DBmaint INFO statement in the log file. It may be useful to run maintenance tests with and without tracing. You can then open the file with a text editor and see what additional data tracing generates. Do not enable tracing for long time periods unless you suspect a problem.
Delete events after        Number of days after which risk events are deleted from the database.
Compress events after      Number of days after which identical risk-found events are compressed into one event. Identical risk-found events that occurred in one-hour time intervals are compressed and counted. The infected file names are not compressed.
Delete events that have been compressed after   Number of days after which compressed events are deleted. This value includes the time before the events were compressed. For example, if you specify that compressed events are deleted after 10 days and that events are compressed after seven days, events are deleted three days after they are compressed.
Delete acknowledged alerts after   Number of days after which acknowledged alerts are deleted from the database.
Delete unacknowledged alerts after   Number of days after which unacknowledged alerts are deleted from the database.
Remove clients after       Number of days after which information about clients that have not checked in is removed. The client machine record is not deleted.
Delete scans after         Number of days after which risk scans are deleted from the database.
Delete history reports after   Number of days after which history reports are deleted.
Delete unused virus definitions   Number of days after which records about the virus definitions that are not currently used by any computer, or in the stored histories of computers, are deleted from the database.
Delete EICAR events        Number of days after which the virus events that contain EICAR as the name of the virus are deleted from the database. The EICAR virus is benign and is used for testing purposes.

To configure the reporting database maintenance agent

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Admin tab, click Agent Configuration.
3 In the Agent Configuration pane, in the Database Maintenance row, click the Change icon.
4 In the Database Maintenance Agent Configuration panel, in the Run every boxes, specify a time interval for maintenance.
5 In the Delete logs after box, change or accept the default value in days.
6 Check or uncheck Tracing.
7 In the Parameter boxes, accept or change the default values.
8 Click Save.

Configuring the reporting database backup options


The reporting server generates a full backup of the reporting database in the default directory x:\Program Files\Common Files\Symantec Shared\Reporting Agent\Win32\Backup, by default once every day. You can change both defaults. The backups are created in separate directories, and the backup directories are located on the computer that runs the reporting server. You can disable the backups if you use SQL Server 2000/2005 and want to use the built-in backup and restore functionality in the SQL Server 2000/2005 management consoles.

If you want to back up a remote reporting database to the reporting server, you must configure the reporting server and the remote SQL server in the following ways:

On the reporting server, create a shared network directory for the backup files.
On the SQL server, change the SQL server Log On account from LocalSystem to an administrative account that exists on the computer that runs the SQL server. Use the Services administrative tool to select the SQL server instance and change the Log On account properties. Because the SQL Server service then runs as this account, give it the rights it needs to write to the share and no more.

Table 7-2 describes the database backup parameters.

Table 7-2 Database backup parameters

Option                 Description
Disable Agent          Enable or disable the agent. If you manage a database on a remote Microsoft SQL Server, you may want to disable the agent and perform backups to tape or some other local device.
Run every              Backup frequency.
Next Run               When the next backup occurs. You can modify the date and time values to specify an exact time when the next backup occurs.
Delete logs after      Time to keep log files. The log files are located at x:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32. The log name format is backup_YYYY-MM-DD.log. For backups that occur on the same date, the log file for that date is appended. For backups that occur on different dates, new log files are created.
Tracing                Specifies whether to generate debug information in the log file. If you think that you have trouble with database backups, you can enable tracing to generate additional debug information in the log file. When you enable tracing, you see the words Tracing Enabled near the beginning of the log. It may be useful to do backup tests with and without tracing. You can then open the file with a text editor and see what additional data tracing generates. Do not enable tracing for long time periods unless you suspect a problem.
Backup directory       Name of the database backup directory. Each backup.dat file is created in a separate directory named BACKUP_date_time. The date format is YYYYMMDD. The time format is HHMMSS. For local databases, the default directory is x:\Program Files\Common Files\Symantec Shared\Reporting Agent\Win32\Backup\. For remote databases, the default directory is invalid and backups will not occur. You must create a network share, and specify the share as \\host_name\shared_directory\. For example, if you created a directory named c:\sql_backup\ on a computer named test450, you would specify \\test450\sql_backup\. You must also change the SQL server Log On account from LocalSystem to an existing administrative account.
Delete backups after   Number of days to keep backup files in backup directories.

To configure database backup options

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Admin tab, click Agent Configuration.
3 In the Agent Configuration pane, in the Database Backup row, click the Change icon.
4 In the Database Backup Agent Configuration pane, in the Run every boxes, specify a time interval for backups.
5 In the Next run boxes, optionally specify a time to run the next backup.
6 In the Delete logs after box, accept or change the default.
7 Check or uncheck Tracing.
8 In the Backup directory box, accept or change the default.
9 In the Delete backups after box, accept or change the default.
10 Click Save.


Restoring an MSDE reporting database


If you use Microsoft SQL Server 2000/2005, you can use the native management consoles to backup and restore reporting databases. MSDE, however, does not provide a management console for managing the SQL server and databases, so you must use a command-line utility. MSDE installs a command-line utility that is called OSQL in the x:\Program Files\Microsoft SQL Server\80\Tools\Binn directory. The OSQL utility lets you run Transact-SQL statements, stored procedures, and script files against the MSDE database. This utility lets you restore a reporting database. Typically, the installation sets the path environment variable to the installation directory so you do not need to path to the directory to execute the command. For reference information about the utility and commands, display the Microsoft Web site. Search for OSQL Utility, Transact-SQL Reference, and System Stored Procedures. To summarize the restoration process, you perform the following procedures:

Create a directory in which to copy the database backup file backup.dat. Create this directory once.
Create a logical dump device. Create this dump device once by using a stored procedure. You must first log in to the MSDE server by using the sa account that you created when you installed the reporting server.
Restore a database. You restore databases as necessary by using Transact-SQL commands. You log in to the MSDE server by using the sa account that you created when you installed the reporting server.

To create a directory in which to copy the database backup file

1 Display a command prompt.
2 Type mkdir backup or some other directory name, and then press Enter.

To create a logical dump device

1 Display a command prompt.
2 Type osql -U sa -S (local), and then press Enter.
3 In the password prompt, type the sa password, and then press Enter.
4 Type use master, and then press Enter.
5 Type exec sp_addumpdevice 'disk', 'reporting_bak', 'x:\backup\backup.dat', and then press Enter. If the directory that you created to hold the database backup file is not x:\backup, type that directory name instead.
6 Type go, and then press Enter.
7 To exit OSQL, type exit, and then press Enter.

To restore an MSDE reporting database

1 In your reporting database backup directory, browse to the database file that you want to restore.
2 Copy backup.dat to the directory that you created to hold the database backup file.
3 Type osql -U sa -S (local), and then press Enter.
4 In the password prompt, type the sa password, and then press Enter.
5 Type restore database reporting from reporting_bak, and then press Enter. If your reporting database is not named reporting, type its name instead. If the logical dump device that you created is not named reporting_bak, type its name instead.
6 Type go, and then press Enter.
7 If the restore succeeds, you see a processing statement and the amount of time that the restore took.
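The two OSQL procedures above are typed interactively, which is fine for a one-off restore but awkward for a regular restore drill. The following is an added example, not code from the guide or from Symantec, that scripts the same steps: it stages backup.dat into the directory the dump device points at, writes the Transact-SQL batch (use master, sp_addumpdevice for the first run, restore database ... from the device) to a file, and builds the osql command line with -i so the batch runs non-interactively. The database name, device name and staging directory are the guide's defaults; the staging path and temporary script location are assumptions for the demonstration. Names that end up inside the batch are validated as plain identifiers and the path is quoted as a T-SQL string literal, so a value read from a config file cannot alter the statements, and the sa password is deliberately left to the osql prompt rather than placed on the command line.

```python
"""Added example (not from the Symantec guide): script the MSDE restore that
the guide performs interactively with OSQL.  Values such as the staging
directory are assumptions; the T-SQL statements are the guide's own."""
import os
import re
import shutil
import subprocess
import tempfile

# Only plain SQL identifiers are embedded in the batch, so a database or device
# name taken from a config file cannot break out of the statement.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,127}$")


def sql_string(value):
    """Quote a T-SQL string literal, doubling any embedded single quote."""
    return "'" + value.replace("'", "''") + "'"


def build_restore_batch(database, device, dump_path, create_device=True):
    """Return the Transact-SQL batch for osql -i.  Mirrors the guide's steps:
    use master, exec sp_addumpdevice (only once per device), then
    restore database <database> from <device>."""
    for name in (database, device):
        if not IDENT_RE.match(name):
            raise ValueError("unsafe SQL identifier: %r" % name)
    lines = ["use master", "go"]
    if create_device:
        lines += ["exec sp_addumpdevice 'disk', %s, %s"
                  % (sql_string(device), sql_string(dump_path)), "go"]
    lines += ["restore database %s from %s" % (database, device), "go"]
    return "\n".join(lines) + "\n"


def osql_command(script_path, user="sa", server="(local)"):
    """argv for osql.  -i runs the batch file; the password is left to the
    interactive prompt instead of -P, so it is not visible in the process
    list or shell history."""
    return ["osql", "-U", user, "-S", server, "-i", script_path]


def stage_backup(src_backup_dat, staging_dir):
    """Copy backup.dat into the directory the dump device points at."""
    os.makedirs(staging_dir, exist_ok=True)
    dest = os.path.join(staging_dir, "backup.dat")
    shutil.copyfile(src_backup_dat, dest)
    return dest


def run_restore(script_path):
    """Run the batch with osql on the MSDE host; returns the exit status."""
    return subprocess.call(osql_command(script_path))


if __name__ == "__main__":
    # Assumed staging directory: the one you created with mkdir (x:\backup).
    staging_dir = r"x:\backup"
    batch = build_restore_batch("reporting", "reporting_bak",
                                staging_dir + r"\backup.dat")
    script = os.path.join(tempfile.gettempdir(), "restore_reporting.sql")
    with open(script, "w") as fh:
        fh.write(batch)
    print(batch)
    print(" ".join(osql_command(script)))
    # After stage_backup(<BACKUP_date_time>\backup.dat, staging_dir) on the
    # MSDE host: run_restore(script)
```

Pass create_device=False on every run after the first, since the dump device only has to be created once; sp_addumpdevice fails if the device name already exists.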

Tuning database server memory allocation


Microsoft SQL Server grows and shrinks its buffer pool size based on the memory load that is reported by the operating system. The memory cache grows as long as paging does not occur. When other processes allocate memory, the buffer manager releases memory as needed. When multiple instances of SQL Server or other critical servers run on the same computer, memory contention may occur between them. If you receive generic out-of-memory errors or want to limit the amount of memory that SQL Server allocates, you can modify the max server memory option. You have three options for memory tuning: dedicated, dual-purpose, and multi-purpose. Dedicated provides the most memory for Microsoft SQL Server and multi-purpose provides the least. The allocated memory amount appears in the user interface after you select an option and click Save. The Microsoft Web site contains additional information about the max server memory option.

Note: After you set the database server memory allocation, document and remember the setting. The user interface always displays the setting as dedicated.

To tune database server memory allocation

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 Make sure the Log Reader Agent (Events) and the Log Reader Agent (Computer Status) are disabled. See Disabling an agent on page 88.
3 On the Admin tab, click Database Tuning.
4 In the Database Tuning window, in the System Administrator boxes, type the name and password for the database system administrator.
5 To the right of Tuning Options, check the memory option that best describes the number of applications that run on this computer.
6 Click Update Database.
7 Re-enable the agents.

Changing timeout parameters


If you get database errors when you run reports or generate logs with large amounts of data, you might want to change the Microsoft SQL Server connection and command timeouts. The reporting defaults for these values are as follows:

Connection timeout is 300 seconds (5 minutes)
Command timeout is 300 seconds (5 minutes)

To change timeout parameters

1 Open the Reporter.php file. The file is located in the \Program Files\Symantec\Reporting Server\Resources directory.
2 Use any text editor to add the following settings to the file:

$CommandTimeout = xxxx;
$ConnectionTimeout = xxxx;

If you specify zero, or leave the values blank, the default settings are used.
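Editing Reporter.php by hand works, but if the change is rolled out to several reporting servers it is better done by a script that does not leave duplicate assignments behind. The following is an added example, not code from the guide or from Symantec: it takes the text of Reporter.php, replaces an existing $CommandTimeout or $ConnectionTimeout assignment in place, appends a missing one (before a trailing ?> if the file has one), rejects values that are not non-negative integers, and applies the rule stated above that zero or blank means the default. The sample file content is constructed; that Reporter.php is a settings file in which an assignment appended at the end takes effect is an assumption.

```python
"""Added example (not part of the Symantec guide): set $CommandTimeout and
$ConnectionTimeout in Reporter.php idempotently.  SAMPLE is constructed
content, not the real file; the variable names are the guide's."""
import re

DEFAULT_TIMEOUT = 300  # seconds; the guide's default for both values

# Constructed sample of a Reporter.php settings file (assumption: plain
# assignments that other scripts include).
SAMPLE = """<?php
// constructed sample of a Reporter.php settings file
$DatabaseHost = 'localhost';
$CommandTimeout = 300;
?>
"""


def _append_setting(source, line):
    """Append an assignment, keeping it before a trailing '?>' if present."""
    stripped = source.rstrip()
    if stripped.endswith("?>"):
        head = stripped[:-2].rstrip("\n")
        return head + "\n" + line + "\n?>\n"
    return source.rstrip("\n") + "\n" + line + "\n"


def set_timeouts(php_source, command_timeout, connection_timeout):
    """Return php_source with both settings set.  An existing assignment is
    replaced in place (first occurrence); a missing one is appended."""
    values = {"CommandTimeout": command_timeout,
              "ConnectionTimeout": connection_timeout}
    for name, value in values.items():
        if not isinstance(value, int) or isinstance(value, bool) or value < 0:
            raise ValueError("%s must be a non-negative integer of seconds" % name)
    out = php_source
    for name, value in values.items():
        line = "$%s = %d;" % (name, value)
        # Match the whole assignment line; [ \t]* so blank lines are not eaten.
        pattern = re.compile(r"^[ \t]*\$%s[ \t]*=[^;\n]*;[^\n]*$" % name, re.M)
        if pattern.search(out):
            out = pattern.sub(lambda m: line, out, count=1)
        else:
            out = _append_setting(out, line)
    return out


def effective_timeout(value, default=DEFAULT_TIMEOUT):
    """The guide's rule: zero or blank means the default setting is used."""
    return default if value in (0, None, "") else int(value)


if __name__ == "__main__":
    print(set_timeouts(SAMPLE, 900, 600))
```

Running the block prints the sample file with $CommandTimeout changed to 900 and $ConnectionTimeout = 600; added before the closing tag; running set_timeouts again on its own output returns it unchanged.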


If you get CGI or terminated process errors, you might want to change other timeout parameters. See the Symantec Knowledge Base article called "Reporting server does not report or shows a timeout error message when querying large amounts of data."

Chapter 8

Workflow and use cases

This chapter includes the following topics:

About workflow and use cases
Administering daily workflow to eliminate risks
Reports and logs that show security risk information
Reports and logs that show scanning information
Reports and logs that show definitions information
Reports and logs that show configuration and status information

About workflow and use cases


Think of workflow as the process that you might follow every morning to eliminate risks on your network. A use case is the act of identifying and displaying information that you want to see. You identify and display this information with reports and logs. Reports let you display summary information about your clients and servers. For example, reports let you display the top security risks that infected your network over a specific time. The top security risk might be RPC.Attack, and the report identifies how many computers were infected. Logs let you display more specific information that you might want to identify, such as computer and user names. For example, if a report identified RPC.Attack as the top security risk, you can use logs to display the computer names that were infected with RPC.Attack, along with the logged-in user name.


Administering daily workflow to eliminate risks


The daily workflow to eliminate risks is the process of removing virus and security risk infections from your network. The workflow is to identify the risk and its location, decide how to handle the risk, and then update the reporting database to show that you have responded to the risk. If you have Symantec AntiVirus 8.x clients in your network, you can also eliminate suspicious events.

To administer daily workflow to eliminate risks

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Logs tab, click Computer Status Logs.
3 On the Computer Status Logs page, click Advanced Settings.
4 Check Infected Only, and then click View Log.
5 Note the infected computers, and then click the Infected icon to display the risk list.
6 Either clean the risks from the computer, disconnect the computer from the network, or accept the risks.
7 Display the log view of infected computers again and locate the computer that you cleaned, disconnected, or accepted.
8 Display the home page and note that the numbers in the Still Infectious row shrink in value.
9 For the largest date range, repeat this procedure until both numbers in the Still Infectious row show a value of zero.

To administer daily workflow to eliminate suspicious events

1 Select the reporting server and make sure you are logged in. See Logging into reporting on page 14.
2 On the Logs tab, click Risk Logs.
3 On the Risk Logs page, click Advanced.
4 In the Action taken list box, select Suspicious.
5 Click View Log.
6 In the event list, do one of the following:
  Select the events that you want to delete, and then click Remove selected entries from the database.
  Click Remove all entries in current view from the database.
7 Display the home page and note that the numbers in the Suspicious row shrink in value.
8 Repeat this procedure as needed.

Reports and logs that show security risk information


Table 8-1 identifies the important security risk information that you might want to identify and indicates how to display the information.

Table 8-1 Security risk information

I want to: Identify the computers that are infected with spyware or a virus.
  Report or Log: Risk Reports
  Type: Infected computers
  Options: Date Range: your choice

I want to: Display the number of viruses that have been detected on the network.
  Report or Log: Risk Reports
  Type: Risk Distribution Charts
  Options: Risk Name

I want to: Identify computers that detect the most infections.
  Report or Log: Risk Reports
  Type: Risk Distribution Charts
  Options: Computer

I want to: Identify the groups that experience the most infections.
  Report or Log: Risk Reports
  Type: Risk Distribution Charts
  Options: Server Group

I want to: Identify the users who experience the most infections.
  Report or Log: Risk Reports
  Type: Risk Distribution Charts
  Options: User Name

I want to: Drill down and display the types of infections that the most infected users get.
  Report or Log: Risk Logs
  Type: Not applicable
  Options: User Name: one or more user names that are identified in the Risk Distribution Chart by User Name; Date Range: in the last 24 hours

I want to: Display Security Risk and Viral Threat activity over the last 24 hours.
  Report or Log: Home Page
  Type: Detection Action Summaries; Risks Per Hour: Past 24 Hours
  Options: Not applicable

I want to: Drill down and display the details about security risks of severity 2 and greater that have hit my network.
  Report or Log: Risk Logs
  Type: Not applicable

I want to: Display the protective efficiency over the last month.
  Report or Log: Risk Reports
  Type: Detection Action Summaries
  Options: Set Date Range: in the last month

I want to: Identify the top security risks over the last month that hit my network.
  Report or Log: Risk Reports
  Type: Risk Distribution Charts
  Options: Risk Name; Set Date Range: in the last month


Reports and logs that show scanning information


Table 8-2 identifies the important scanning information that you might want to identify and indicates how to display the information.

Table 8-2 Scanning information

I want to: Identify the computers that have not run a risk scan in the last week.
  Report or Log: Scan Reports
  Type: Computers that have not been scanned
  Options: Scans From: in the last week

I want to: Identify the length of time it takes for scheduled scans to complete on workstations.
  Report or Log: Scan Reports
  Type: Scan Distribution Histograms
  Options: Group by: Scan Time; Scan from: your choice

I want to: Identify the computers that take the longest to scan.
  Report or Log: Scan Logs
  Type: Not applicable
  Options: Sort Order: Scan Duration

Reports and logs that show definitions information


Table 8-3 identifies the important definitions information that you might want to identify and indicates how to display the information.

Table 8-3 Definitions information

I want to: Identify the virus definitions versions in my network.
  Report or Log: Computer Status Reports
  Type: Virus Definition Distribution
  Options: Not applicable

I want to: Identify the computers that do not comply with the current certified set of definitions.
  Report or Log: Computer Status Logs
  Type: Not applicable
  Options: Virus Definition Date: select the date that is certified

I want to: Determine the rate at which virus definitions deploy to the computers in my network.
  Report or Log: Scheduled Reports
  Type: Click the icon next to Status and use the color codes
  Options: Not applicable

Reports and logs that show configuration and status information


Table 8-4 identifies the important configuration and status information that you might want to identify and indicates how to display the information.

Table 8-4 Configuration and status information

I want to: Identify the Symantec AntiVirus software versions in my network.
  Report or Log: Computer Status Reports
  Type: Symantec AntiVirus Product Versions
  Options: Not applicable

I want to: Identify computers that are running old versions of Symantec AntiVirus.
  Report or Log: Computer Status Logs
  Type: Not applicable
  Options: SAV Product Version: select the version

I want to: Identify computers that have Auto-Protect disabled.
  Report or Log: Computer Status Logs
  Type: Not applicable
  Options: Auto-Protect Status: Off

I want to: Identify computers that have not checked into a parent server.
  Report or Log: Computer Status Reports
  Type: Computers Not Checked into Parent Server
  Options: Set Date Range: your choice


Index

A
Alert Agent
  description 80
  notification parameters 93
  status checking 82
alerts
  acknowledging 58
  configuring 52
  configuring notifications for 53
  types 54
  unacknowledging 58
  viewing event details 59
  viewing events 56
automatic refresh interval 47
  setting for the alert and risk logs 61
  setting for the home page 60

C
Computer Status Agent
  description 81
  language option 90
computer status reports
  creating 36
  filter settings
    advanced 36
  types 35

D
Database Backup Agent
  description 81
database backups
  about 104
  configuring for remote SQL servers 104
  parameters 105
database errors
  changing timeout parameters 108
database maintenance
  about 101
  compress events after 102
  configuring agent 102
  configuring backups 104
  EICAR events 103
  OSQL 106
  restoring an MSDE reporting database 106
  tracing 102
  tuning memory allocation 107
Database Maintenance Agent
  description 80
database server memory
  tuning 107
disk full check 94

E
event logs 64
  past 24-hours filter 20
events
  about 10
  aggregation 89

H
home page
  about 15
  customizing 18
  reports 16
  Security Response links 19
  viewing 16

L
Log Reader (Events) Agent
  description 80
Log Reader (Inventory) Agent
  description 80
Log Sender Agent
  description 81
  language option 90
  security risk action events 91
logs
  about 11
  computer status 71
  deleting 77, 97
  deleting configuration settings 65
  event details 74
  exporting 76
  filtering 64
  formats for exporting 77
  risk definitions 114
  risk events 66
  saving configuration settings 65
  scan events 69
  scans 114
  security risks 113
  status of clients and servers 114
  types 63
  viewing 64

M
MSDE reporting database
  restoring 106

P
passwords
  changing 14
  configuring rules 51
  setting 52
proxy settings 91

R
reporting
  basic tasks 13
  changing password 14
  configuring display 47
  configuring users 48
  home page 15
  logging into 14
  logs 63
  overview 9
reporting agents
  about 79
  agent logs 95
  configuring 81
  database maintenance
    configuring 102
    parameters 102
  deleting logs 97
  disabling 88
  notification options 92
  registry keys 97
  scheduling 82
  scheduling options 86
  status checking 82-83
  tracing 96
  troubleshooting 84
reporting display
  configuring 47
  parameters 48
reporting server
  accessing 13
  adding manually 45
  changing 45
  configuring 44
  delete from Symantec System Center console 46
  discovering 44
  disk full check 94
  port number 45
  specifying URL 46
  URL 44
  viewing URL 46
reports
  about 11, 22
  computer status 35
  default configuration settings 21
  deleting configuration settings 24
  details 22
  home page 16
  overview 21
  past 24-hours filter 20
  printing 25
  risk 26
  risk definitions 114
  saving 25
  saving configuration settings 24
  scan 31
  scans 114
  scheduled 37
  security risks 113
  status of clients and servers 114
  types 21
risk definitions
  reports and logs 114
risk reports
  creating 30
  filter settings
    advanced 29
    basic 28
  types 27

S
scan reports
  creating 34
  filter settings
    advanced 34
    basic 32
  types 32
scans
  reports and logs 114
Scheduled Reporting Agent
  description 80
scheduled reports
  about 37
  configuration settings 39
  creating 40
  deleting 41
  modifying 40
  viewing 41
Security Response Web site
  accessing from home page 19
security risks
  action events 91
  reports and logs 113
Symantec System Center
  configuring reporting servers from 44
  deleting reporting server from 46

U
use cases
  about 111
users
  adding 50
  configuring 48
  deleting 51
  modifying 51
  parameters 50
  password rules 51
  roles 48
  setting passwords for 52

V
Virus Category Agent
  description 80
  proxy settings 91

W
workflow
  about 111
  administering 112
