
Reporting in SLM 1.1


Hi,
I'm using Sentinel Log Manager 1.1.
I'm able to capture access gateway events. I have to create a report
based on specified user IDs with the fields last successful login, IP
address and target application accessed. I'm able to run a generic
report, but I'm facing a few issues:

1. How do I give a user ID as input? I'm running a report based on date
input. It is giving me all successful logins of all users during that
time period. I can see the search query in the report template. Do I need to
create a separate report template for every user, or is there some better
way?

2. Right now I'm getting all successful login events for the
user. How can I filter out the last successful login event for a user? I
couldn't find a way in the configuration. Do I need to learn the Lucene
language to achieve this?

3. The data which I want to show is coming in the ExtendedInformation
attribute. But I don't want to show the complete extended information; I
want to parse that information and show only the relevant part. Again,
do I need to learn Lucene?

For example: Extended information -> Value2=0; Value3=0; JCC
Device ID=ag-3994412863167286; MIMEtype=unknown; Event Identifier=3906;
Target=Branding_URLs;

and I want to show only this part: Target=Branding_URLs


--
nikhilchawla
------------------------------------------------------------------------
nikhilchawla's Profile: https://forums.netiq.com/member.php?userid=125
View this thread: https://forums.netiq.com/showthread.php?t=3002


Re: Reporting in SLM 1.1

Hi,


>>> On 11.09.2012 at 17:34, nikhilchawla<nikhilchawla@no-mx.forums.netiq.com> wrote:

> Hi,
> I'm using Sentinel Log Manager 1.1.
> I'm able to capture access gateway events. I have to create a report
> based on specified user IDs with the fields last successful login, IP
> address and target application accessed. I'm able to run a generic
> report, but I'm facing a few issues:
>
> 1. How do I give a user ID as input? I'm running a report based on date
> input. It is giving me all successful logins of all users during that
> time period. I can see the search query in the report template. Do I need to
> create a separate report template for every user, or is there some better
> way?


You'll have to create your own report using the plugin SDK:
http://www.novell.com/developer/develop_to_sentinel.html

Create a new parameter to ask for a space separated list of userids. To
search for events initiated by user1 or user2 you can then use a lucene
query like "sun:(user1 user2)".

>
> 2. Right now I'm getting all successful login events for the
> user. How can I filter out the last successful login event for a user? I
> couldn't find a way in the configuration. Do I need to learn the Lucene
> language to achieve this?


You can't do such complex queries in Lucene. You have to fetch all login
events and figure out which one was the latest in Jasper.

>
> 3. The data which I want to show is coming in the ExtendedInformation
> attribute. But I don't want to show the complete extended information; I
> want to parse that information and show only the relevant part. Again,
> do I need to learn Lucene?
>
> For example: Extended information -> Value2=0; Value3=0; JCC
> Device ID=ag-3994412863167286; MIMEtype=unknown; Event Identifier=3906;
> Target=Branding_URLs;
>
> and I want to show only this part: Target=Branding_URLs


You need to customize the collector, so that this information is put into
one of the CustomerVarNNN fields:
www.novell.com/developer/plugin-sdk/collector_customization.html

Norbert


Re: Reporting in SLM 1.1


Thanks Norbert for the reply.

But I didn't understand this:
> You have to fetch all login
> events and figure out which one was the latest in Jasper.

Do you mean I have to use Jaspersoft iReport for this? If yes, then what
will be the data source in that case and which query language will I be
using?

And one more thing:
In Login Success events, currently I'm getting the Access Gateway's IP as
source IP rather than the machine IP. Whereas in URL access events, I'm
getting the machine IP as source IP. I understand the logic that the request is
being forwarded to the Identity Server from the access gateway for authentication.
But is there any way to get the machine's IP as source IP instead of the Access
Gateway's IP?

And I'm not getting Login failure events in SLM 1.1. I have verified
that this event is enabled for auditing, but still this event is not
coming into SLM 1.1. Any idea what the reason can be?


--
nikhilchawla
------------------------------------------------------------------------
nikhilchawla's Profile: https://forums.netiq.com/member.php?userid=125
View this thread: https://forums.netiq.com/showthread.php?t=3002


Re: Reporting in SLM 1.1


Hi nikhilchawla,

If I may answer for Norbert here:

- Norbert is correct, adding a custom parameter (filtering based on a
user-specified set of user IDs) to a report is something that the web UI
does not currently support directly, you have to create a custom report.
That said, if a report existed that was a lot like the report you needed
except for that one detail, and it was marked as a template in Sentinel,
then you could run a search for the users of interest, then do "Save as
report" to generate a report with just those IDs. "Save as report"
currently requires you to actually save the report, but you could just
delete it after running it and extracting the results.
- Now, to actually create the parameter you will need to use iReport,
define a report parameter, and then construct a little XML snippet to
create the Web UI components that will actually set that parameter
inside the report. This is unfortunately not terribly well documented
right now (we're in the process of adding some SDK UI elements to make
this easier), but there are plenty of examples in the SDK.

- As for the "last successful login", you actually have two options on
how to do this: (a) you can create an RDD to extract a summarized set of
data to a Postgres SQL table, and then use a SQL-style report (which
will support more advanced queries) to get the values you need, or (b)
you can use the regular Lucene query, and then use Jasper iReport
features to "summarize" the data and extract the most recent value.
- Overall it might be easier to just sort the data by date, so that
the interesting values are at the top - wouldn't that achieve the same
result?

For these sorts of custom dev questions, I might recommend that we move
the discussion over to the 'Plug-in SDK'
(https://forums.netiq.com/forumdisplay.php?75-DEVELOPERS-Plug-in-SDK)
forum, which is more focused on this sort of thing.

And finally - which Access Gateway product are you referring to?
Novell's? What do you mean by "machine IP" (we use the terms "Source
IP", "Target IP", "Observer IP" and "Reporter IP" - all of which are
"machine IPs")? We may need some actual sample input data and some
screenshots of your output.
Ditto for failed logins - try a Raw Data Tap on the Event Source node,
make sure the events are actually getting to Sentinel. If not, then
you'll probably need to ask the Access Gateway people. If yes, then
we'll probably need to do some troubleshooting...


--
DCorlette
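
The three steps discussed in the replies above (building the `sun:(...)` query from a space-separated ID list, reducing the fetched login events to the latest one per user, and pulling `Target` out of ExtendedInformation), shown as an added example that is not part of the original posts. It is plain JavaScript, not Sentinel SDK, collector or Jasper code; the event field names and the sample events are constructed assumptions.

```javascript
// Added illustration in plain JavaScript; not Sentinel SDK, collector or Jasper code.
// Event field names (user, time, sourceIp, extendedInfo) are assumptions.

// Escape Lucene query syntax so a supplied user ID cannot alter the query.
function escapeLucene(term) {
  return term.replace(/[+\-&|!(){}\[\]^"~*?:\\\/]/g, "\\$&");
}

// "user1 user2" -> sun:(user1 user2), the query form given in the first reply.
function buildUserQuery(idList) {
  const ids = idList.trim().split(/\s+/).filter(Boolean);
  if (ids.length === 0) throw new Error("no user IDs supplied");
  if (ids.some((id) => /^(AND|OR|NOT)$/.test(id))) throw new Error("operator used as user ID");
  return "sun:(" + ids.map(escapeLucene).join(" ") + ")";
}

// Split "Key=Value; Key=Value;" into an object; keys may contain spaces.
function parseExtendedInfo(text) {
  const fields = {};
  for (const part of text.split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) fields[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return fields;
}

// Reduce all successful-login events to the most recent one per user, newest first.
function lastLoginPerUser(events) {
  const latest = new Map();
  for (const ev of events) {
    const seen = latest.get(ev.user);
    if (!seen || Date.parse(ev.time) > Date.parse(seen.time)) latest.set(ev.user, ev);
  }
  return [...latest.values()]
    .sort((a, b) => Date.parse(b.time) - Date.parse(a.time))
    .map((ev) => ({ user: ev.user, lastLogin: ev.time, sourceIp: ev.sourceIp,
      target: parseExtendedInfo(ev.extendedInfo).Target || "" }));
}

// Constructed sample events; the first ExtendedInformation string is the one quoted in the question.
const sampleEvents = [
  { user: "user1", time: "2012-09-10T08:15:00Z", sourceIp: "192.0.2.10",
    extendedInfo: "Value2=0; Value3=0; JCC Device ID=ag-3994412863167286; MIMEtype=unknown; Event Identifier=3906; Target=Branding_URLs;" },
  { user: "user1", time: "2012-09-11T09:30:00Z", sourceIp: "192.0.2.10",
    extendedInfo: "Event Identifier=3906; Target=Example_Portal;" },
  { user: "user2", time: "2012-09-11T07:05:00Z", sourceIp: "192.0.2.20",
    extendedInfo: "Event Identifier=3906; Target=Example_Mail;" },
];
console.log(buildUserQuery("user1 user2"), lastLoginPerUser(sampleEvents));
```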


Re: Reporting in SLM 1.1

Hi,

>>> On 17.09.2012 at 18:34, DCorlette<DCorlette@no-mx.forums.netiq.com> wrote:

> Hi nikhilchawla,
>
> If I may answer for Norbert here:
>
> - Norbert is correct, adding a custom parameter (filtering based on a
> user-specified set of user IDs) to a report is something that the web UI
> does not currently support directly, you have to create a custom report.
> That said, if a report existed that was a lot like the report you needed
> except for that one detail, and it was marked as a template in Sentinel,
> then you could run a search for the users of interest, then do "Save as
> report" to generate a report with just those IDs. "Save as report"
> currently requires you to actually save the report, but you could just
> delete it after running it and extracting the results.
> - Now, to actually create the parameter you will need to use iReport,
> define a report parameter, and then construct a little XML snippet to
> create the Web UI components that will actually set that parameter
> inside the report. This is unfortunately not terribly well documented
> right now (we're in the process of adding some SDK UI elements to make
> this easier), but there are plenty of examples in the SDK.
>
> - As for the "last successful login", you actually have two options on
> how to do this: (a) you can create an RDD to extract a summarized set of
> data to a Postgres SQL table, and then use a SQL-style report (which
> will support more advanced queries) to get the values you need


RDDs are only available in Sentinel 7, not in SLM.

> , or (b)
> you can use the regular Lucene query, and then use Jasper iReport
> features to "summarize" the data and extract the most recent value.
> - Overall it might be easier to just sort the data by date, so that
> the interesting values are at the top - wouldn't that achieve the same
> result?
>
> For these sorts of custom dev questions, I might recommend that we move
> the discussion over to the 'Plug-in SDK'
> (https://forums.netiq.com/forumdisplay.php?75-DEVELOPERS-Plug-in-SDK)
> forum, which is more focused on this sort of thing.
>
> And finally - which Access Gateway product are you referring to?


I'd guess Novell Access Manager. There have been some issues with the
existing collector. You should contact support to get the latest build.

Norbert


> Novell's? What do you mean by "machine IP" (we use the terms "Source
> IP", "Target IP", "Observer IP" and "Reporter IP" - all of which are
> "machine IPs")? We may need some actual sample input data and some
> screenshots of your output.
> Ditto for failed logins - try a Raw Data Tap on the Event Source node,
> make sure the events are actually getting to Sentinel. If not, then
> you'll probably need to ask the Access Gateway people. If yes, then
> we'll probably need to do some troubleshooting...

