Reporting Data

NOTE: In order to use Reporting Data, your configuration.xml file must be pointing to a Communication Server that has DAS_Binary and DAS_Query connected to it. This will normally be the case, by default, as long as the Communication Server and DAS processes are running.

The Reporting Data tab is a Summary Management Interface for Sentinel. This tab allows you to enable and disable Summaries. Enabling a summary allows aggregation to start computing the counts for that particular summary.

A summary is a defined set of attributes that together form a key; aggregation computes the number of events (event count) seen for each unique combination of those attributes within each one-hour period (event time). In the case of the EventSevDestPortSummary, when active, it saves the count of events for each unique combination of destination port and severity for each hour. Because these counts are precomputed and stored, summary reports and queries run against a few summary rows instead of the full event table. The summary reports are Crystal Reports; for more information, see Crystal Reports for Windows and Crystal Reports for Linux in the Sentinel 6.0 Installation Guide. The summaries a report depends on must be active, otherwise that report will be inaccurate or empty for the period during which the summary was inactive.

Aggregation is the process of calculating the running count for all active summaries as events flow through the system. These running counts are saved to the database in the respective summary tables.
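The following is an added example, not Sentinel code, that shows what the aggregation loop described above computes. It keeps a running Counter keyed on the attributes of two of the summaries listed on this page (EventSevDestPortSummary and EventSevSummary) over a handful of constructed events; the event tuples, the field order and the function names are assumptions made for the illustration, and the real DAS process stores its running counts in the summary tables rather than in memory.

```python
from collections import Counter
from datetime import datetime, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample events (not Sentinel data): (event_time, dest_ip, dest_port, severity)
SAMPLE_EVENTS = [
    ("2010-06-12T10:05:00Z", "10.0.0.5", 22, 3),
    ("2010-06-12T10:47:00Z", "10.0.0.5", 22, 3),
    ("2010-06-12T10:59:59Z", "10.0.0.9", 443, 1),
    ("2010-06-12T11:00:00Z", "10.0.0.5", 22, 3),
    ("2010-06-12T11:30:00Z", "10.0.0.7", 22, 5),
    ("2010-06-12T13:15:00Z", "10.0.0.5", 3389, 4),
]


def hour_bucket(ts):
    """Floor an ISO-8601 UTC timestamp to its hour: the 'event time by hour' part of every key."""
    dt = datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc)
    return dt.replace(minute=0, second=0, microsecond=0).strftime(FMT)


# Key functions mirroring the attribute sets of two summaries on this page.
def sev_port_key(ev):
    """EventSevDestPortSummary (EVT_PORT_SMRY_1): destination port, severity, hour."""
    ts, _dest_ip, dest_port, severity = ev
    return (hour_bucket(ts), dest_port, severity)


def sev_key(ev):
    """EventSevSummary (EVT_SEV_SMRY_1): severity, hour."""
    return (hour_bucket(ev[0]), ev[3])


SUMMARIES = {
    "EventSevDestPortSummary": sev_port_key,
    "EventSevSummary": sev_key,
}


def aggregate(events, key_fn, running=None):
    """Add each event to the running count for its key; pass the previous
    Counter back in to continue counting as more events flow through."""
    counts = Counter() if running is None else running
    for ev in events:
        counts[key_fn(ev)] += 1
    return counts


def aggregate_all(events, active):
    """Aggregate only the active summaries; an inactive summary gets no rows at all."""
    return {name: aggregate(events, SUMMARIES[name]) for name in active}


def rows(counts):
    """Rows as a summary table would hold them: one per unique key, event count last."""
    return sorted((*key, n) for key, n in counts.items())


if __name__ == "__main__":
    for name, counts in aggregate_all(SAMPLE_EVENTS, SUMMARIES).items():
        print(name)
        for row in rows(counts):
            print("  ", row)
```

Note that two events one second apart, at 10:59:59 and 11:00:00, land in different rows even though they have the same port and severity: the hour boundary is part of the key, which is why a summary can be complete for one hour and missing for the next.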

Summaries Benefits:

Aggregation Benefits:

Reporting Data tab allows you to:

The following summaries are already defined in the system. Each entry lists the summary name, the database table it is stored in, and a brief description of the attributes that make up its key.

      • EventSrcSummary (table EVT_SRC_SMRY_1): sums the event count by source IP, source asset information, source port, source user, taxonomy, event name, resource, Collector, protocol, severity and event time by hour.

      • EventDestSummary (table EVT_DEST_SMRY_1): sums the event count by destination IP, destination asset information, destination port, destination user, taxonomy, event name, resource, Collector, protocol, severity and event time by hour.

      • EventSevDestTxnmySummary (table EVT_DEST_TXNMY_SMRY_1): sums the event count by destination IP, destination asset information, taxonomy, severity and event time by hour.

      • EventSevDestEvtSummary (table EVT_DEST_EVT_NAME_SMRY_1): sums the event count by destination IP, destination event asset, taxonomy, event name, severity and event time by hour.

      • EventSevDestPortSummary (table EVT_PORT_SMRY_1): sums the event count by destination port, severity and event time by hour.

      • EventSevSummary (table EVT_SEV_SMRY_1): sums the event count by severity and event time by hour.

To disable or enable a summary:

  1. Click Reporting Data in the navigation pane or click the Reporting Data button.

  2. To disable a summary, click Active in its Status column; the status changes to InActive.

  3. To enable a summary, click InActive in its Status column; the status changes to Active.

To enable Aggregation for Top 10 reports for Crystal Reports:

Enable the following three summaries:

Enable EventFileRedirectService in das_binary.xml, located at:

For UNIX:

$ESEC_HOME/config/das_binary.xml

For Windows:

%ESEC_HOME%\config\das_binary.xml

NOTE: To enable the service, set the "Status" property of EventFileRedirect in das_binary.xml to ON. ESEC_HOME is the Sentinel installation directory.

To view information for a summary:

  1. Click Reporting Data in the navigation pane or click the Reporting Data button.

  2. Click the "…" button in the Attributes column to see the attributes that make up the summary.

To check the validity of a summary:

  1. Click Reporting Data in the navigation pane or click the Reporting Data button.

  2. Select Status.

  3. Choose the summary or summaries you wish to query.

  4. Select a time interval.

  5. Click Show Graph.

  6. The green bars signify that the summary is complete for that time frame. The red sections signify that the summary is missing data during that time period.

NOTE: To complete summaries, see "To run Eventfiles for a summary".
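The following is an added example, not Sentinel code, of the check the Show Graph view performs: given the hour buckets for which a summary table already holds rows, it walks every hour of the requested interval and reports each as complete (a green bar) or missing (a red section), then collapses consecutive missing hours into ranges. The set of covered hours is constructed for the illustration, and the function names are assumptions; the real tab reads the coverage from the summary tables.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed input, not real Sentinel output: the hour buckets for which a
# summary table (say EVT_PORT_SMRY_1) already holds aggregated rows.
COVERED_HOURS = {
    "2010-06-12T10:00:00Z",
    "2010-06-12T11:00:00Z",
    "2010-06-12T13:00:00Z",
}


def parse_utc(ts):
    return datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc)


def to_hour(dt):
    return dt.replace(minute=0, second=0, microsecond=0)


def hours_in_interval(start, end):
    """Every hour bucket from start (floored to the hour, inclusive) to end (exclusive)."""
    cur = to_hour(parse_utc(start))
    stop = parse_utc(end)
    out = []
    while cur < stop:
        out.append(cur.strftime(FMT))
        cur += timedelta(hours=1)
    return out


def summary_status(covered, start, end):
    """One (hour, 'complete'|'missing') pair per hour, mirroring the green/red graph."""
    return [(h, "complete" if h in covered else "missing")
            for h in hours_in_interval(start, end)]


def missing_hours(covered, start, end):
    """The hours whose event files would have to be re-run to complete the summary."""
    return [h for h, status in summary_status(covered, start, end) if status == "missing"]


def missing_ranges(covered, start, end):
    """Collapse consecutive missing hours into (first_hour, last_hour) ranges: the red sections."""
    ranges = []
    for h in missing_hours(covered, start, end):
        if ranges and parse_utc(h) - parse_utc(ranges[-1][1]) == timedelta(hours=1):
            ranges[-1] = (ranges[-1][0], h)
        else:
            ranges.append((h, h))
    return ranges


if __name__ == "__main__":
    for hour, status in summary_status(COVERED_HOURS, "2010-06-12T09:00:00Z", "2010-06-12T16:00:00Z"):
        print(hour, status)
    print("red sections:", missing_ranges(COVERED_HOURS, "2010-06-12T09:00:00Z", "2010-06-12T16:00:00Z"))
```

A summary that was InActive for part of the interval shows up here exactly like one whose DAS process was down: both leave hours with no rows, and both are repaired the same way, by re-running the event files for those hours.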

To query the Eventfiles for a summary:

  1. Click Reporting Data in the navigation pane or click the Reporting Data button.

  2. Select Status.

  3. Choose the summary or summaries you wish to query.

  4. Select a time interval.

  5. Click Show Event.

  6. The Eventfiles needed to complete the summary are displayed in a list.

NOTE: To complete summaries, see "To run Eventfiles for a summary".

To run Eventfiles for a summary:

  1. Click Reporting Data in the navigation pane or click the Reporting Data button.

  2. Select Status.

  3. Choose the summary or summaries you wish to query.

  4. Select a time interval.

  5. Click Show Event.

  6. The Eventfiles needed to complete the summary are displayed in a list.

  7. Check the Eventfiles that you would like to run so that the summary is complete.

  8. Click Process.