2.2 Managing Reports

Reports help you analyze events to assess your compliance regulatory requirements, security best practices, and corporate IT policies. You can use reports to demonstrate compliance and manage information security risk.

Reports emphasize the event data and help you analyze events such as user account visibility, detection of possible security violations, account compromises, network security problems, and any other undesired activities. By analyzing reports, you can configure appropriate correlation rules and actions to prevent any possible non-compliance activities and vulnerabilities.

Consider a scenario where you have an IT policy that states to remove access rights of all employees to information and information processing facilities upon termination of their employment. To view all deleted, and disabled user accounts, and revoked accesses, you can run a report that displays the desired information in a few clicks. You can also schedule the report to run periodically at specific intervals.

You can generate various types of Change Guardian reports for administration and auditing purposes. When you run a report, you can accept or customize the default options, including:

  • The frequency you want to run the report

  • The name for the report

  • A date range for events

  • A specific event type

  • A specific policy

  • View all events, only managed events, or only unmanaged events

  • View all change events, only successful change attempts, or only failed change attempts

  • View events of a specified severity range

  • Send the report to a specified email address

    For information about setting up email notifications, see Configuring Email Server to Receive Email Alerts in the Change Guardian Installation and Administration Guide.

This chapter provides information about the following:

2.2.1 Creating Reports

A report is a template that is combined at run-time with a number of criteria, such as time parameters, user security filters, other filter criteria for the events to be displayed in the report. A single report may have numerous associated report results. Reports can range from a simple list of events to multiple graphs and tables.

You can manage the reports and report results in the Reports and Searches panel. To manage reports, you must have the Manage Reports permission.

You can also create new reports in the following ways:

  • Using an Existing Report: You can create a new report based on existing reports. These reports include predefined criteria for the events to be displayed in the report. To create a new report, select the report based on which you want to create a new report, click Create report, and then add additional criteria to suit your requirements.

    NOTE:You can create new reports only from reports created by users in the same role as yours.

  • Using a Search Query: You can save your search query as a new report.

    NOTE:While saving a search query, ensure that you select the relevant option under Based On. Each option under Based On creates filters in the search query.

2.2.2 Scheduling Reports

To view the report result, you must run the report. All reports have a sample report result. You can use the sample report to preview how the actual report result looks like when you run the report. To run the report, you must have the Run reports permission.

You can run the report immediately or schedule it to run periodically. Click the Run icon and specify the appropriate information to schedule a report. By default, Change Guardian saves the report in the PDF format.

Reports run asynchronously.Therefore, you can simultaneously perform other tasks while the report generation is in progress. If the Change Guardian server is restarted while the report generation is still in progress, you can either cancel or reschedule report generation. If you reschedule the report, it runs with the same parameters that you used initially. If you schedule a report with a relative time setting, such as Week to Date, the time period for re-running the report is based on the current date and time and not the date and time when you initially scheduled the report.

NOTE:The report data in the PDF file will be different than the data in the reports that are run with the Now option. The report data in the PDF file are for the time range that you specified while scheduling a report definition. When you schedule a report definition with the Now option, the report includes events from midnight to the time you scheduled the report definition.

Scheduling Reports Across Change Guardian Servers

You can schedule reports on Change Guardian servers distributed across different geographic locations. For more information, see Data Federation in Change Guardian Administration Guide.

Saving Reports in the CSV Format

You can also save a report in the CSV format along with the existing PDF format. This requires additional configuration in the Change Guardian server. Only users in the administrator role can perform the additional configuration. For more information, see Generating a Report in CSV Format.

Generating a Report in CSV Format

By default, Change Guardian generate reports in PDF format. You can also generate reports in CSV format by making additional configurations to the Change Guardian server.

To generate a report in CSV format:

  1. Log in to the Change Guardian server as root user.

  2. Change to novell user:

    su novell

  3. Change directory:

    cd /etc/opt/novell/sentinel/config/

  4. Open the file for editing:

    vi obj-component.JasperReportingComponent.properties

  5. Edit the following entries:

    • reporting.csv.enable=true

    • reporting.csv.outputdir= <the directory where the reports must be stored>

    The novell user must have read and write permissions on the specified directory.

  6. Change to root:

    su root

  7. Restart the Change Guardian server.

When you generate a report, it is stored in the CSV format in the directory specified in the reporting.csv.outputdir attribute.

2.2.3 Working with Reports

The data that you view in reports depends on the security filter applied to your role. For example, if the security filter for your role is set to view events of severity 1 to 3, your report results will include only those events, although the report parameters allow severity 4 and 5 events also.

As you work with reports, you can perform several tasks including the following:

  • Finding Reports: Change Guardian provides a large number of reports. You can use one of the following ways to easily find the reports you are interested in:

    • Using a particular keyword in the report name or description.

    • Using Tags.

    • Viewing reports belonging to a specific category: Scheduled or Unread.

  • Grouping: To simplify report management as the number of reports grows over time, by default, Change Guardian groups the reports by Category.

    You can change the grouping to None if you want to list all your reports and searches under one heading. To change the grouping, click More options, select Group by, and then select the necessary option.

  • Tagging: You can associate reports with existing tags. When a tag is set on a report, the report results associated with the report inherit the tag by default.

  • Marking reports and searches as Favorites: You can mark the most frequently used reports and searches as Favorites to make them easier to find. You can also store them in folders to locate and manage them easily.

  • Drilling down into the reports to further analyze the data: You can view events directly for a report without scheduling the report. The search results provide a preview of what to expect when you generate a report and the ability to investigate further. To view events for a report, click Search Events.

  • Sharing reports with other roles: The Share functionality allows you to share reports with other roles and also control who can access your reports.

    For example, the out-of-the-box report templates are accessible to all Change Guardian users. Consider a scenario where you have several groups in your organization such as system administrators, database administrators. Because of the sensitivity of the audit data available in the report results when you run the out-of-the-box report templates, you may want to ensure that these administrators do not gain access to any unauthorized data. In such a scenario, you can restrict the report templates visibility only to you, to users in your role, or to users in selected roles.

    NOTE:Only users in the Administrator role can restrict the visibility of the out-of-the-box reports.

    For example, consider a scenario where there is a dedicated audit team in your organization whose primary job is to analyze and validate the accuracy of reports. You may want them to only view your reports but not modify or delete reports. In such a scenario, you can share your reports with the audit team. The audit team will only be able to view or run the reports depending on the permission they have. However, they will not be able to modify or delete reports.

    To share reports, you must have the Share reports permission. To share reports with users in other roles, you must have the Manage roles and users permission in addition to the Share reports permission. You can share only the reports that you create. You cannot share reports that other users have shared with you. To share a report, select the report you want to share, click the Share icon, and select the relevant sharing option.

    The events in the report results that users, with whom you have shared reports, can view depend on the permission their role has. For example, if their role has permission to view only events of severity 4 and 5, the report results include only those events.

    If the user account of a report owner is deleted, reports that are set as Private are deleted. The ownership of all the shared reports is transferred to the admin user. If that report owner had shared any reports with you, you can no longer view those shared reports unless the admin user shares those reports with you.

2.2.4 Rebranding Reports

Change Guardian delivers an out-of-the-box Change Guardian white label report template. By customizing this template, you can rebrand the reports with your own header, footer, and logo. Only users in the administrator role can customize the Change Guardian white label report template.

To customize the template, perform the following:

  1. In the Reports and Searches panel, select the Change Guardian White Label Template report definition, and then click Export.

  2. Save the file to your local computer.

  3. Create a new folder.

  4. Extract the file contents to the new folder by using any ZIP extraction tool.

  5. In the new folder, open the resources folder. In this folder, you can modify the following files:

    • Header/Footer.jrxml: Contains the report layout descriptions. You can modify the layout offields, text, or images in the header and footer, but you must ensure that the overall size ofthe header and footer does not change. You can manually edit the XML file or use iReport tomodify them.

    • Header/Footer*.properties: Contains the text in the layout file, which localized into various languages. You can modify the strings that appear in the header or footer by editing this file. Ensure that the new strings do no exceed the space allocated to them. For information about editing the.properties file, see Oracle Java documentation.

    • Logo.jpg: Contains the logo that appears in the footer. You can replace this file withanother image. Ensure that the size of the new image is exactly the same size of theexisting image.

  6. Use a ZIP tool to re-zip the modified report template.

  7. In the Reports and Searches panel, click Import reports or searches, browse to this zip file, and then click Import.

    NOTE:If the folder structure is different than the original ZIP file, the import process displays an error. Ensure that you do not modify the folder structure after making the changes.

  8. Schedule any report definition and view the report to ensure that the changes are applied correctly.

2.2.5 Running Reports in a Federated Setup

To run reports in a distributed environment, select the data source server from which you want to view reports and specify the report parameters. For more information, see Understanding Data Federation.

To run reports:

  1. Log in to the authorized requestor sever as a user with Search Remote Data Sources permission.

  2. From the Reports section, select the report you want to run, then click Run.

  3. Click the Data sources link.

  4. Select the data source servers from which you want to view reports, then click OK.

  5. Specify parameters based on which to generate the report.

  6. Click Run.

    A report results entry is created and listed under the selected report.