HP IMC User Behavior Auditor

Administrator Guide

Abstract

This guide describes the User Behavior Auditor (UBA), an add-on service module of the HP Intelligent Management Center. UBA is designed for IMC administrators and other networking specialists who collect and analyze network user behaviors.

*5998-3315*


© Copyright 2012, Hewlett-Packard Development Company, L.P.

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Acknowledgments

Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Microsoft®, Windows®, Windows® XP, and Windows NT® are U.S. registered trademarks of Microsoft Corporation.

Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated. Java and Oracle are registered trademarks of Oracle and/or its affiliates.


Contents

1 User Behavior Auditor overview...5

Introduction...5

UBA workflow...5

Network flow record collection...7

Device management...7

Probe management...7

Server management...8

Network flow record processing...9

User behavior audit task management...9

Filter strategy management...9

Application management...9

2 UBA menus and commands...10

User Behavior Audit...10

Database Space...11

127.0.0.1...12

Data Export...12

Settings...13

Device Management...14

Probe Management...15

Server Management...15

User Behavior Audit Management...17

Application Management...18

Parameters...19

Filter Strategy...19

3 Configuring UBA for a traffic audit...20

Managing UBA data sources...20

Managing the UBA device list...20

Adding a device into the UBA devices list...20

Managing probes...21

Managing the UBA probe list...21

Adding a new probe...21

Managing UBA servers...22

Managing the UBA server list...22

Modifying a UBA server...22

Managing a filter strategy...24

Viewing the Filter Strategy List...24

Adding a new filter strategy...25

Managing applications...25

Managing the application list...26

Adding a user-defined application...26

Batch importing user-defined applications...27

Modifying an application...28

Setting parameters...29

Managing database storage space...30

Viewing the Database File Usage and Disk Usage...30

Viewing a target server database details...30

4 Monitoring user behavior...31

User behavior audit conditions...31

Quick auditing...33

Task-oriented auditing...34


Managing the audit task list...34

Managing audit tasks...35

Viewing the audit result...36

Querying an audit result...36

Viewing audit results by group...36

Customizing the audit result list...36

Viewing additional audit result records...36

Exporting audit results...37

5 Exporting UBA log files...38

Log file report overview...38

Data export workflow...38

Data export settings...39

Setting log lifetime...40

Setting trigger space alarm conditions...40

Checking log files...40

Configuring the log file audit...40

6 UBA example...42

Scenario description...42

Task analysis...42

UBA deployment...43

UBA configuration...44

Auditing user behavior...46

Creating general audit tasks...47

Creating an NAT audit task...48

Creating an FTP audit task...49

7 Troubleshooting...51

Prerequisites...51

Verify the UBA installation...51

Fail to add a new probe...52

No target log files are available...52

No audit task displays in the navigation tree...52

Database space usage color bar...53

Alarms...53

8 Support and other resources...55


1 User Behavior Auditor overview

The following topics provide an overview of the User Behavior Auditor (UBA) service module, including features and workflow, network flow record collection, and the UBA processing mechanism.

Introduction

UBA (Figure 1) is an add-on service module of HP Intelligent Management Center (IMC). By integrating network Layer 4 to 7 monitoring into the IMC base platform, UBA provides a tool set for administrators to collect and analyze the information related to network user behaviors.

Figure 1 User Behavior Auditor

Network user behaviors are resolved as network flow data in network Layer 4 (transport layer). Generally, devices use logs to record the network flow during a certain time interval. UBA integrates the functions of a network log collector and a data analyzer, which enable UBA to extract network flow records from logs forwarded by the monitored devices. A network flow record at least includes the source and destination IP address, source and destination ports, and Layer-4 protocol (TCP, UDP or ICMP). UBA identifies and classifies the network user behaviors through log analysis, and presents the user behavior audit report in the IMC platform.

UBA provides a strong basis for regulating network users and identifying each user’s requirements to optimize network resources. For example, to improve network usage efficiency, a network administrator can create a UBA audit task to identify the current network usage features, such as frequently used applications (FTP, email, and so on), and which users have accessed online games or visited banned websites.

In UBA, you can define the strategies for retrieving logs and presenting user behavior records, that is, from which devices the logs are retrieved, how the data is analyzed and what data is presented. In addition, UBA provides a number of built-in settings for managing the UBA server, monitored device, and probe, as well as the ability to define filter strategy and applications, which help you customize audit tasks that meet your requirements.

UBA workflow

HP recommends that you use the following workflow (Figure 2) to perform a user behavior audit.


Figure 2 UBA workflow

1. Add a device or a network flow probe.

Configure the source of network flow records, which can be a device or a network flow probe.

2. Create a filter strategy.

A filter strategy defines which logs should be processed or discarded by UBA. You can skip this step if you want to use an existing strategy or not filter any data records.

NOTE: Using a filter strategy, UBA can focus on the logs that you want to process, discarding unneeded or redundant data, which can improve the efficiency of the UBA server. HP recommends that you create a filter strategy based on your audit purpose, unless you want to process all network flow records.

3. Configure the UBA server.

• Establish communication paths between the UBA server and the devices or probe servers added in step 1.

• Assign a filter strategy to the UBA server.

4. Configure the audit task.

Set the audit conditions according to your audit purpose.

5. View the UBA report.


Network flow record collection

To perform a user behavior audit, you first need to develop a log collection plan to identify the following information:

• Areas of interest for which you want to capture network flow data. This can include business services, applications, or systems, and the underlying technologies that deliver these services, as well as network devices, interfaces, servers, storage, or other network resources.

• Devices that act as the log resources for the UBA task purpose.

• Whether the devices you chose in step 2 are capable of generating network flow records. UBA can analyze the following types of logs forwarded by devices:

Flow log—Supports protocols Flow 1.0/3.0

NAT (Network Address Translation) log—Supports protocol NAT 1.0

NetStream log—Supports protocol NetStream v5/v9

sFlow log—Supports protocol sFlow v5

NetFlow log—Supports protocol NetFlow v5/v9

For devices that are unable to generate the logs mentioned above, you can use probes to analyze the network flow data, and forward DIG logs to a UBA server.
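The following Python is an added example, not HP code or anything shipped with UBA: it decodes a NetFlow v5 export datagram (one of the log types listed above) into the minimum network flow record the overview describes, and rejects datagrams whose record count does not match their length, which is the check a collector needs before trusting an exporter. The sample datagram is constructed inline; the field layout is the standard NetFlow v5 format.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List

# NetFlow v5 wire layout (network byte order): a 24-byte header followed by
# up to 30 fixed 48-byte flow records. Standard v5 fields, nothing UBA-specific.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30

# IANA protocol numbers for the four protocol types the UBA audit condition lists.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "IPv6-ICMP"}


@dataclass
class FlowRecord:
    """The minimum flow record the guide describes: 5-tuple plus volume counters."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    packets: int
    octets: int


def parse_netflow_v5(datagram: bytes) -> List[FlowRecord]:
    """Decode one NetFlow v5 export datagram into flow records.

    The version, record count and total length are cross-checked before any
    record is read, so a truncated or padded datagram from a misconfigured or
    untrusted exporter is rejected instead of yielding garbage records.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if count > V5_MAX_RECORDS or len(datagram) != expected:
        raise ValueError(f"record count {count} does not match length {len(datagram)}")

    records = []
    for i in range(count):
        offset = V5_HEADER.size + i * V5_RECORD.size
        fields = V5_RECORD.unpack_from(datagram, offset)
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, _tcp_flags, proto, *_rest) = fields
        records.append(FlowRecord(
            src_ip=str(IPv4Address(src)),
            dst_ip=str(IPv4Address(dst)),
            src_port=sport,
            dst_port=dport,
            protocol=PROTO_NAMES.get(proto, f"proto-{proto}"),
            packets=pkts,
            octets=octets,
        ))
    return records


def build_sample_datagram() -> bytes:
    """Constructed sample (not a capture): an FTP control flow and an ICMP flow."""
    # version 5, 2 records, uptime, export time, nsecs, sequence, engine, sampling
    header = V5_HEADER.pack(5, 2, 123456, 1331458500, 0, 7, 0, 0, 0)

    def record(src, dst, sport, dport, proto, pkts, octets):
        return V5_RECORD.pack(
            IPv4Address(src).packed, IPv4Address(dst).packed, b"\0\0\0\0",
            1, 2, pkts, octets, 100, 200, sport, dport, 0, 0x18, proto, 0,
            0, 0, 24, 24, 0)

    return (header
            + record("10.1.1.20", "192.0.2.10", 49152, 21, 6, 12, 980)
            + record("10.1.1.21", "10.1.1.1", 0, 0, 1, 3, 252))
```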

Based on a collection plan, you can configure the devices, probes, and the UBA server in the built-in UBA configuration modules, which are described in the following sections.

Device management

Device management enables you to manage the device, such as a switch, router, or gateway, which supports at least one of the following protocols:

• Flow 1.0/3.0

• NAT 1.0

• NetStream v5/v9

• sFlow v5

• NetFlow v5/v9

In the device management, adding a device as a source of network flow records is the first step in creating a communication path between the device and the UBA server. This enables the device to regularly send the network logs to the UBA server. In addition, device management provides you the ability to view and modify the information of existing devices, or directly remove them.

Probe management

A network flow probe is an alternative solution for collecting network flow records from devices that do not support the Flow 1.0/3.0, NAT 1.0, NetStream v5/v9, sFlow v5, or NetFlow v5/v9 protocols. As shown in Figure 3, a UBA DIG server, which is also called a probe in UBA, is deployed to analyze the network flow mirrored from a router or switch, and then forward the DIG logs to a UBA server via FTP. During DIG log forwarding, the UBA server acts as an FTP server, and the probe acts as an FTP client that regularly sends the DIG logs to the UBA server.


Figure 3 Collect network flow records from a probe

Probe management enables you to add a probe as a source of network flow records. You can also view and modify probe information, or directly remove a probe. Probe configuration sets the probe information, including probe name, IP address, probe password, and so forth, in Probe Management.

Server management

The UBA server integrates the features of a network log collector and a data analyzer. The UBA server can collect and analyze the Flow logs, NAT logs, NetStream logs, sFlow logs, and NetFlow logs sent from devices, as well as DIG logs sent from a probe via FTP. All the logs are aggregated and analyzed in the UBA server based on the audit tasks requirements, and finally are presented as a user behavior audit report.

As an add-on service module, the UBA server can be installed on the IMC base platform server, or on a remote server in a master/subordinate relationship to the base platform server. Based on the actual IMC deployment, you can install one or more UBA servers to perform a user behavior audit. Each UBA server is added to the server list when the UBA server is installed. When installing the UBA service module, you need to set its IP address, which cannot be modified in the Server Management.

Server Management provides the following configurations:

• Server configuration

Set the basic information about the UBA server, such as server name, listening ports, FTP settings, filter policy.

• User behavior audit configuration

Create communication paths between devices/probes and the UBA server

Configure the intranet network segment information for network flow monitoring and license control

For more information, see “Configuring UBA for a traffic audit.”


Network flow record processing

UBA provides multiple configurations for defining how to process the logs and present an audit report, including:

• User behavior audit tasks management

• Filter strategy management

• Application management

User behavior audit task management

A user behavior audit task defines the purpose of network flow records processing. That is, UBA enables you to define the audit conditions according to your purpose. The general audit conditions include source and destination IP addresses and ports, protocol, application, and device. UBA extracts the data from the collected logs according to audit conditions. Then, UBA analyzes the extracted data packets and summarizes user behavior features in an audit report.

UBA provides multiple audit types to address various user behavior audit demands. Besides the general audit, you can use the following special audits to audit different types of user behaviors:

• NAT audit—Query the information about users who access the Internet.

• Web visiting audit—Query the information about users who access the specified website.

• FTP audit—Query the information about users who use the FTP service.

• Mail audit—Query the information about users who use the mail service.

For more information, see “Monitoring user behavior.”

Filter strategy management

A filter strategy defines whether the logs that UBA receives are processed or directly discarded by UBA. Usually, devices generate many logs for recording the network flow. Excessive data greatly affects UBA processing efficiency.

In a filter strategy, you can choose to process or discard logs based on the source/destination IP address or source/destination Layer 4 port number of data packets. You can also choose to process or discard TCP, UDP, ICMP, or IPv6 ICMP data packets.

Only after you assign a filter strategy to a UBA server can a UBA server use it to collect or discard logs. If you use a DIG logs probe to collect network flow records, the UBA server delivers the filter strategy to the probe, which filters the DIG logs before forwarding them to the UBA server.

For more information, see “Configuring UBA for a traffic audit.”
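The following Python is an added example, not HP code or UBA's own implementation: it models a filter strategy as described above (a default policy plus an ordered list of process/discard conditions on source/destination IP, Layer 4 ports and protocol) and applies it to constructed flow records, so you can see how condition order and the default policy decide what a UBA server would keep. Field names and the first-match rule are assumptions for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Sequence, Tuple

# The four protocol types a UBA filter strategy can process or discard.
PROTOCOLS = ("TCP", "UDP", "ICMP", "IPv6-ICMP")
ACTIONS = ("process", "discard")

Flow = Dict[str, object]  # keys: src_ip, dst_ip, src_port, dst_port, protocol


@dataclass
class FilterCondition:
    """One row of a strategy's filter condition list (field names assumed)."""
    action: str
    src_net: Optional[str] = None        # CIDR, None means any source
    dst_net: Optional[str] = None        # CIDR, None means any destination
    src_ports: Sequence[int] = ()        # empty means any source port
    dst_ports: Sequence[int] = ()        # empty means any destination port
    protocols: Sequence[str] = ()        # empty means any of PROTOCOLS

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"action must be one of {ACTIONS}")
        bad = set(self.protocols) - set(PROTOCOLS)
        if bad:
            raise ValueError(f"unknown protocol(s): {sorted(bad)}")

    def matches(self, flow: Flow) -> bool:
        # ip_network.__contains__ is False across IPv4/IPv6, so an IPv6 flow
        # never matches an IPv4 prefix condition by accident.
        if self.src_net and ip_address(flow["src_ip"]) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(flow["dst_ip"]) not in ip_network(self.dst_net):
            return False
        if self.src_ports and flow["src_port"] not in self.src_ports:
            return False
        if self.dst_ports and flow["dst_port"] not in self.dst_ports:
            return False
        if self.protocols and flow["protocol"] not in self.protocols:
            return False
        return True


@dataclass
class FilterStrategy:
    """Default policy plus an ordered condition list; the first match wins."""
    name: str
    default_policy: str
    conditions: List[FilterCondition] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.default_policy not in ACTIONS:
            raise ValueError(f"default policy must be one of {ACTIONS}")

    def decide(self, flow: Flow) -> str:
        for cond in self.conditions:
            if cond.matches(flow):
                return cond.action
        return self.default_policy

    def apply(self, flows: Sequence[Flow]) -> Tuple[List[Flow], int]:
        """Return the flows to process and the number discarded."""
        kept = [f for f in flows if self.decide(f) == "process"]
        return kept, len(flows) - len(kept)


def sample_strategy() -> FilterStrategy:
    """Audit purpose: keep intranet FTP, drop ICMP and DNS chatter, process the rest."""
    return FilterStrategy("intranet-ftp-audit", default_policy="process", conditions=[
        FilterCondition("process", src_net="10.1.1.0/24", dst_ports=(21,), protocols=("TCP",)),
        FilterCondition("discard", protocols=("ICMP", "IPv6-ICMP")),
        FilterCondition("discard", protocols=("UDP",), dst_ports=(53,)),
    ])


def sample_flows() -> List[Flow]:
    """Constructed flow records (not captured data)."""
    def flow(src, dst, sport, dport, proto):
        return {"src_ip": src, "dst_ip": dst, "src_port": sport,
                "dst_port": dport, "protocol": proto}
    return [
        flow("10.1.1.20", "192.0.2.10", 49152, 21, "TCP"),       # kept by condition 1
        flow("10.1.1.21", "10.1.1.1", 0, 0, "ICMP"),             # dropped by condition 2
        flow("10.1.1.22", "10.1.1.1", 51000, 53, "UDP"),         # dropped by condition 3
        flow("10.1.1.23", "198.51.100.5", 52000, 443, "TCP"),    # kept by default policy
        flow("2001:db8::10", "2001:db8::1", 0, 0, "IPv6-ICMP"),  # dropped by condition 2
    ]


def run_sample() -> Tuple[List[Flow], int]:
    return sample_strategy().apply(sample_flows())
```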

Application management

UBA can use the applications previously defined to identify user behaviors. In UBA, an application is defined with the used protocol and port. When configuring a UBA task, you can select an application as an audit condition. In this way, UBA queries the network flow consistent with the definition of the specified application, and identifies the IP address and other information about the users of the specified application.

UBA includes many pre-defined applications for you to configure audit tasks. You also can customize a user-defined application. Application management provides the ability to view and modify the definition of an application. You can remove user-defined applications only. You cannot remove pre-defined applications.

For more information, see “Configuring UBA for a traffic audit.”


2 UBA menus and commands

This section describes menus and commands in the UBA module. To open the UBA navigation tree (Figure 4), and display UBA options, click Service > Traffic Analysis and Audit.

Figure 4 UBA navigation tree

User Behavior Audit

The User Behavior Audit menu (Figure 5) displays audit conditions, which you can use for log flow processing. It is applicable to any audit condition you need.

Figure 5 User Behavior Audit

Table 1 lists available commands in the User Behavior Audit menu and information for using them.

Table 1 User Behavior Audit menu options

Command | Options | Description
Server | 127.0.0.1 | Select the target server from the drop list.
Start/End Time | 2010-03-11 17:35 | Specify the audit starting/ending time.
Audit Condition | Source | Specify the source IP address that you want to audit. It can be a single IP address or IP segment.
Audit Condition | Destination | Specify the destination IP address that you want to audit. It can be a single IP address or IP segment.
Audit Condition | Source Port | Specify one or more source port numbers that you want to audit.
Audit Condition | Destination Port | Specify one or more destination port numbers that you want to audit.
Audit Condition | Protocol | UBA supports four types of protocol: TCP, UDP, ICMP, IPv6-ICMP.
Audit Condition | Application | Select one or more applications from the list as an audit condition.
Audit Condition | Device | Specify the IP address of the target device.
Special Audit | NAT Condition | Specify NAT audit conditions: NAT IP, NAT Port, Operator.
Special Audit | Web Visiting Audit | Specify Web visiting audit conditions: Web Site, Title, URL.
Special Audit | FTP Audit | Specify FTP audit conditions: FTP User, File, Transfer Mode.
Special Audit | Mail Audit | Specify mail audit conditions: Sender, Receiver, Title.

Database Space

In the Database Space Usage menu (Figure 6), you can check current database disk usage and usage trend statistics over a specified time period.

Figure 6 Database Space

Table 2 lists the available commands in the Database Space Usage menu and a description for using each command.

Table 2 Database Space Usage menu

Command | Options | Description
Refresh | n/a | Click to refresh the server list.
127.0.0.1 | 127.0.0.1 | Click to view space usage details.

When you select the specific server name, the Database Space Details page displays, as shown in Figure 7. Table 3 lists the available commands in the 127.0.0.1 menu.

Figure 7 Database Space details menu

Table 3 127.0.0.1 menu

Command | Options | Description
Query Database Space Usages | Time | Select a query time period.
Query Database Space Usages | Start Time, End Time | Specify the query starting and ending time if you select Customer in the Time drop list.
Query Database Space Usages | Query | Start the query process according to the conditions.
Query Database Space Usages | Reset | Reset the query conditions.
Database Space Usage Trend | n/a | Display database storage space trends as a diagram.
Details | n/a | Display database storage statistics.

Data Export

After the UBA module receives log files, you can export them by using the Data Export function.

Figure 8 shows the Data Export Management menu. Table 4 lists the available commands in the Data Export Management menu and a description for using each command.

Figure 8 Data Export Management

Table 4 Data Export Management menu

Command | Options | Description
Log File Audit | n/a | Click to open the Log File Audit window.
Data Export Log | Date of Exported Data | Set the time period of data export.
Data Export Log | Custom | Open the column list to choose the specific display items in the Date of Export Data table.
Modify | Enable Data Export | Select to enable the data export function.
Modify | Trigger Data Export by Data Space Alarm | Select to enable the data export when the received log packets overflow the space limitation and cause a data space alarm.
Modify | Path of Exported File | Specify the data export path.

Settings

The Settings page (Figure 9) displays a typical UBA workflow as an example of a traffic analysis and audit configuration.

Figure 9 Settings

Available menus:

• Guide to Quick Traffic Analysis And Audit Configuration: Device Management, Probe Management, Server Management, User Behavior Audit Management

• Settings: Database Space, Application Management, Parameters, Filter Strategy

Device Management

The Device Management page provides optional commands to perform routine operations on each device.

Figure 10 shows how to add a new device to UBA. The Modify Device menu has the same options. Click Device Resource Info to open the device details page for checking the detailed parameters of the target device. Table 5 lists the available commands in the Add Device menu and a description for using each command.

Figure 10 The Add Device page

Table 5 Add a Device description

Page | Command | Options | Description
Device Management | Basic Information | Device IP | Select the target device from the pop-up device list.
Device Management | Basic Information | Name | Specify a name for the device.
Device Management | Basic Information | Description | Describe the device.
Device Management | Basic Information | SNMP Community | Align the SNMP community with the device. NOTE: If you specify an incorrect community, log file collection may fail.
Device Management | Basic Information | SNMP Port | Specify the SNMP port value.
Device Management | Basic Information | Log Source IP | Specify the source IP address of the log.
Device Management | Basic Information | NetStream Statistics Identifier | Validate the NetStream statistics identifier.
Device Management | Basic Information | NetStream New Feature | Enable the NetStream function.


Probe Management

The Probe Management page provides the Layer 7 application traffic collection function for auditing purposes. In this page, you can add, modify, and delete a probe. Figure 11 shows how to add a new probe. Table 6 lists the available commands in the Add Probe menu and a description for using each command.

Figure 11 Add Probe

Table 6 Probe Management menu

Command | Options | Description
Basic Information | Name | Specify a name for the probe.
Basic Information | IP | Specify an IP address for the probe.
Basic Information | Description | Describe the probe.
Basic Information | Enable Layer 7 Application Identification | Select whether or not to enable the Layer 7 application identifier, which can be used to analyze seven-layer traffic in each log file.
Basic Information | Probe Password | Input the password, which is configured in advance in the probe device.

Server Management

The UBA module collects log files and sends management messages through local servers. Server Management allows you to configure server parameters for traffic analysis and user behavior audits. Figure 12 shows how to modify server configurations. Table 7 lists the available commands in the Server Configuration menu and a description for using each command.

Figure 12 Server Configuration

Table 7 Server Configuration using the Server Management menu

Command | Options | Description
Basic Information | Server Name | Specify a name for the server.
Basic Information | Server Description | Describe the server.
Basic Information | Server IP | Specify the IP address of the server.
Basic Information | Listening Port | Specify the port number that is used for receiving log packets from the device.
Basic Information | FTP Main Directory | Specify the FTP main directory. NOTE: When the configured probe collects log packets, it uses FTP to share them with the UBA server.
Basic Information | FTP Username | Specify an FTP username.
Basic Information | FTP Password | Specify an FTP password.
Basic Information | Traffic Analysis Log Aggregation Policy | Select a proper strategy for analyzing received log files. Available options: Aggregation (Rough Granularity), Aggregation (Standard), No Aggregation (Best Report Timeliness). NOTE: When No Aggregation is selected, source log packets are not processed by UBA. As a result, the unfiltered log size can grow to a point where the UBA server can fail.
Basic Information | Filter Policy | Specify whether to enable a filter policy.
Basic Information | Usage Threshold of the Database Disk (1 – 95%) | Specify a usage threshold for the database disk.
Basic Information | When Database Disk Usage Reaches Threshold | Select a proper strategy for dealing with the overflowing data. Available options: Stop Receiving Logs, Delete Logs to Release Space. NOTE: For more information, see “Configuring UBA for a traffic audit.”
Traffic Analysis | Device Information | Select the target device that you want to monitor.
Traffic Analysis | Probe Information | Select the proper probe to use.
Traffic Analysis | Intranet Monitor Information | Specify an intranet IP address.

User Behavior Audit Management

User Behavior Audit Management provides five typical audit models for setting corresponding conditions. Figure 13 shows the five audit types. Table 8 lists the available commands in the Select Audit Type menu and a description of each command.

Figure 13 Select Audit type

Table 8 User Behavior Audit Management menu

Command | Options | Description
Add Custom General Audit | General Audit: Name, Server, Reader | Specify general information for the audit.
Add Custom General Audit | Audit Condition: Source, Destination, Source Port, Destination Port, Protocol, Application, Device | Specify the audit conditions. NOTE: For more information, see “Configuring UBA for a traffic audit.”
NAT Audit | NAT Condition: NAT IP, NAT Port, Operator | Specify the NAT audit conditions.
Web Visiting Audit | Web Visiting Condition: Web Site, Title, URL | Specify the web audit conditions.
FTP Audit | FTP Condition: FTP User, File, Transfer | Specify the FTP audit conditions.
Mail Audit | Mail Condition: Sender, Receiver, Title | Specify the mail audit conditions.

Application Management

The Application Management page (Figure 14) provides the capability to add an application model for auditing. The system provides five types of applications by default. You can also define applications according to your requirements. Table 9 lists available commands in the Application Management menu and a description of each command.

Figure 14 Application Management

Table 9 Application Management menu

Command | Options | Description
Application | Application | Specify an application name.
Application | Protocol | Select the protocol used by the application.
Application | Port | Specify the port value.
Application | Application Type | Select the layer to which the application belongs.
Application | Pre-defined | Specify whether the application is a pre-defined one.
Application List | Add | Add a new application to UBA.
Application List | Import | Import an existing application.
Application List | Refresh | Refresh the application list.

Parameters

You can set parameters for traffic analysis and audit in the Parameters menu. The two available options are:

• Log Lifetime—The number of days that you want to retain UBA logs.

• Max Displayed Entries for Audit—The maximum number of logs to display in the log list.

Filter Strategy

Filter strategy in UBA (Figure 15) enables you to define whether the logs that UBA receives are processed or discarded in the next step. You can process, analyze, or discard the logs at your option. Table 10 describes the commands in the Filter Strategy menu.

Figure 15 Add Filter Strategy

Table 10 Add Filter Strategy menu

Command | Options | Description
Basic Information | Name | Specify a filter strategy name.
Basic Information | Description | Describe the filter strategy.
Basic Information | Default Policy | Discard or receive log flow.
Filter Condition List | Add | Add a new strategy by completing the conditions below.


3 Configuring UBA for a traffic audit

This section provides instructions on how to set up effective UBA monitoring, which includes configuring devices and probes to forward network source log flow to the UBA module. UBA filters log packets according to user-defined strategies. In addition, UBA allows you to specifically tune UBA log analysis and presentation.

You can configure the UBA module by following this configuration order:

• Managing UBA data sources

• Managing probes

• Managing UBA servers

• Managing filter strategy

• Managing applications

• Setting parameters

• Managing database storage space

Managing UBA data sources

The two types of data source logs are:

• Basic source logs—Record key information of Layer 4, and collected by devices.

• Application source logs—Take Layer 7 datagram information, and collected by probes.

Using Device Management, you can view, add, modify, or remove devices that serve as network flow data sources in UBA. Devices that support Flow1.0/3.0, NAT1.0, Netflow v5/v9, sFlow, and NetStream v5/v9 can be data sources in UBA.

Managing the UBA device list

The UBA Device List contains all devices that could be added to UBA as a potential source of network log packets. Adding a device to UBA establishes communication between UBA as the network log packets collector and the devices that generate log packets.

To view the device list:

1. Click Service > Traffic Analysis and Audit > Settings.

2. Click the Device Management icon in the settings portion of the Traffic Analysis and Audit page to open the Device Management page.

The available devices appear in the Device List pane.

To view Device Resource Info:

Click the Details icon to open the Device Details page and set the device parameters. For more information, see HP Intelligent Management Center Base Platform Administrator Guide.

To modify a device:

Click the Modify icon to open the Modify Device page. Then specify the parameters, as described in “Adding a device into the UBA devices list.”

To delete a device:

Click the Delete icon.

Adding a device into the UBA devices list

To add a new device:

1. In the Device Management page, click Add to open the Add Device page.

2. Complete the following information:

• Device IP—Click Select to open the device resource lists, and select the target device through IP View, Device View, or Custom View.

• Name—After you select the Device IP, the IP address displays automatically in the Name field. Specify a name for the device.

• Description—Describe the device.

• SNMP Community—Align the SNMP community value with the device.

• SNMP Port—Input the port number that is used to communicate and receive data from the device.

• Log Source IP—Input the IP address of the device that sends logs.

• NetStream Statistics Identifier—Make the NetStream statistics identifier valid.

• NetStream New Feature—Enable the NetStream function. This feature is only for HP A series/H3C devices with Comware V5.

3. Click OK.

Managing probes

Using Probe Management, you can collect and analyze DIG flows. Using the DIG log probe, you can mirror traffic flow from a router or switch port to a dedicated UBA DIG server that collects and analyzes the traffic before forwarding it as network flow records to a UBA server.

Managing the UBA probe list

The UBA Probe List contains all probes that could be added to UBA as a potential DIG log source. Adding a probe to UBA establishes communication between the UBA server and the DIG log server.

To view the probe list:

1. Click Service > Traffic Analysis and Audit > Settings.

2. To open the Probe Management page, in the settings portion of the Traffic Analysis and Audit page click the Probe Management icon.

The available probes appear in the Probe List page.

To modify a probe:

Click the Modify icon to open the Modify Probe page, and specify the parameters, which are described in “Adding a new probe.”

To delete a probe:

Click the Delete icon.

Adding a new probe

To add a new probe:

1. In the Probe Management page, click Add to open the Add Probe page.

2. Complete the information for the following parameters in this page:

• Name—Specify a name for the probe.

• IP—Specify the probe IP address.

• Description—Describe the probe.

• Enable Layer 7 Application Identification—Select whether or not to enable Layer 7 application identification. If yes, it is applicable for the probe to identify the Layer 7 application logs.

• Probe Password—Input the password that is deployed in the probe device.

3. Click OK.

Managing UBA servers

As the core component of the UBA service module, the UBA server collects and analyzes the logs forwarded from devices or probes, and presents the user behavior audit result.

UBA provides you with the facilities for viewing and modifying the UBA server configuration, including the following information:

• Basic information—Specify the basic information about the UBA server, such as server name, listening ports, and filter strategy.

• User behavior audit—Specify from which devices or probes the UBA server can collect logs, and configure the intranet network segment for network flow monitoring and license control.

Managing the UBA server list

The UBA server list contains all servers you deployed in the UBA service module. In the Server Management page, you can view the server list and UBA details as shown in the following operations.

To view the UBA server list:

1. Click Service > Traffic Analysis and Audit > Settings.

2. To open the Server Management page, in the settings portion of the Traffic Analysis and Audit page, click the Server Management icon.

The available servers display in the Server List menu.

To view the UBA server details:

Click the server name of a UBA server to open the Server Details page, and then view the current configuration of the specified UBA server.

To refresh the UBA server list:

Click Refresh.

To open the Configuration Deployment Result page and check the deployment result:

Click the Deploy Configuration icon. Check whether the UBA server configurations are deployed in processor and receiver servers and whether the probes are deployed successfully.

NOTE: You cannot remove a UBA server from the server list.

Modifying a UBA server

With UBA Server Management, you can modify the parameters of the specified UBA server. To modify a UBA server:

1. In the Server Management page, click the Modify icon in the Modify field of the UBA server that you want to modify.

This opens the Server Configuration page.

2. In the Basic Information pane, specify the following parameters:

• Server Name—Specify a name for the UBA server. By default, this field parameter is set as the IP address of the UBA server when the UBA service module is installed.

• Server Description—Input a brief description of the UBA server.


• Listening Port—Specify the ports that the UBA server uses to listen for logs forwarded by devices or probes. If you want to set multiple listening ports for the UBA server, separate the port numbers with commas (for example, 1020,1021,1022).

• FTP Main Directory—Specify the root directory for the FTP service running on the UBA server.

• FTP Username—Specify the username of the FTP account used by probes to upload data to the UBA server.

• FTP Password—Specify the logon password of the FTP account used by probes to upload data to the UBA server.

• Traffic Analysis Log Aggregation Policy—Specify the aggregation policy you want to apply to all logs processed by the UBA server. Select one of the following aggregation policies:

No Aggregation (Best Report Timeliness)—Indicates the UBA server does not aggregate data. This option is only suitable for environments that have a priority on report timeliness, and require the most disk space because of the huge number of logs that are generated. HP recommends that you select this option only when you have a critical requirement.

Aggregation (Standard)—Indicates that the UBA server aggregates data at short intervals (five minutes by default). This option is suitable for environments that have a medium number of logs generated. It requires less disk space than the No Aggregation mode and more disk space than the Aggregation (Rough Granularity) mode.

Aggregation (Rough Granularity)—Indicates that the UBA server aggregates data at long intervals (twenty minutes by default). This option is suitable for environments that have a small number of logs generated and requires the least disk space.

• Filter Policy—Specify whether or not to apply a filtering policy to logs directed to the UBA server. Select No Filter or a defined filter strategy from the Filter Policy list.

• Usage Threshold of the Database Disk (1-95%)—Specify a threshold for the percent of the UBA database disk utilization. The range for the usage threshold is 1% to 95%. Input a number from 1 to 95. The percent sign (%) is not required.

• When Database Disk Usage Reaches Threshold—Select an action to be taken if the disk that the UBA database resides on reaches the threshold specified in the parameter Usage Threshold of the Database Disk (1-95%). Available options are as follows:

Stop receiving logs—UBA stops processing and storing logs until additional disk space is released or added to the database disk or volume.

Delete logs to Release Space—UBA deletes the existing logs, starting with the oldest, until the disk space usage drops below the threshold.

3. Configure device information.

After you add a device to UBA using the steps described in “Adding a device into the UBA devices list,” select the device on the Server Management page. This enables UBA to collect and analyze the logs forwarded by the device. To specify this, click the check box to the left of the specified device in the Device Information pane.

NOTE: You can also disable a device that has worked as a data source for a UBA server. To disable a device, click the check box to the left of the specified device.


4. Configure probe information.

After you add a probe to UBA using the steps described in “Managing probes,” select it on the Server Management page to enable it and to forward the DIG logs to UBA.

In addition, DIG logs forwarded by probes can provide information about Layer 7, which allows UBA to identify the applications or services that a network user accessed. With probe information configured, you can enable special audits for typical services, such as FTP, mail, and web. After you enable one or more special audits, you can create a special audit task to identify which users access a specified service.

NOTE: Only the probe with Layer 7 application identification enabled can support the special audits described above. For more information, see “Managing probes.”

To configure probe information:

a. In the Probe Information pane, click the check box to the left of the specified probe.

b. In the Probe Information pane, to enable special audit items, click the check box in the Enable Special Audit field.

After you enable a special audit, UBA provides the corresponding special audit for you to create an audit task. For example, if you select Web in the Enable Special Audit field, after the probe is deployed successfully, you can create a web visiting audit task to query which users have accessed the specified website or content.

For more information, see “Monitoring user behavior.”

NOTE: You can also disable a probe or a special audit. To disable a probe, click the check box to the left of the specified probe. To disable a special audit, click the check box to the left of a special audit in the Enable Special Audit field.

5. Configure intranet monitor information.

Specify the intranet segment for flow data monitoring and license control. Input the IP segment of the intranet in standard IPv4 or IPv6 format (for example, a001:410:0:1::1/64, 10.153.89.0/24, or 10.153.89.0/255.255.255.0); then click Add. The IP segment appears in the Intranet Information list.

NOTE: To remove an intranet segment from the Intranet Information list, click the Delete icon in the Delete field of the intranet segment you want to remove.

6. To open the Configuration Deployment Result page, click Deploy.


In this page, you can check whether the UBA server configurations you modified are deployed in processor and receiver servers, and whether probes are successfully deployed.

Managing a filter strategy

After log packets are collected by the devices and probes, the UBA server processes them according to the user-defined filter strategy. Filtering takes effect at the start of the data-processing procedure: with specific filter strategies, the server discards the targeted log packets without analyzing them, which protects the server from excessive log packet load. UBA lets you filter log packets by a combination of IP address, port, and protocol.

Viewing the Filter Strategy List

The filter strategy list contains all filter strategies that are defined by users. In this page, you can view, modify, and delete the target filter strategy.

To view the Filter Strategy list:

1. Click Service > Traffic Analysis and Audit > Settings.

2. Click the Filter Strategy icon in the settings portion of the Traffic Analysis and Audit page.


The available filter strategies appear in the Filter Strategy List page.

To view filter strategy details:

1. To open the Filter Strategy Details page, click the filter name.

2. To quit, click Back.

To modify a filter strategy:

Click the Modify icon to open the Modify Filter Strategy page, and then specify the parameters, as described in “Adding a new filter strategy.”

To delete a filter strategy: Click the Delete icon .

Adding a new filter strategy

To add a new filter strategy:

1. In the Filter Strategy List page, click Add to open the Add Filter Strategy page.

2. Complete the information for the following parameters:

• Name—Specify a name for a filter strategy.

• Description—Describe the filter strategy.

• Default Policy—Select Discard or Receive as the UBA default action.

3. In the Filter Condition List pane, click Add to open the Filter Condition Configuration page.

4. Complete the information for the following parameters:

• Policy—Select the filter policy. To discard means if received logs meet the filter strategy conditions, UBA discards those logs without analysis. To receive means if received logs meet the filter strategy conditions, UBA processes and audits them.

• Source Host—Specify the source host IP address for a filter condition. It can be one or more IP addresses or an IP segment.

• Source Port—Specify the source port number for a filter condition. It can be one or more port numbers.

• Destination Host—Specify the destination host IP address for a filter condition. It can be one or more IP addresses or an IP segment.

• Destination Port—Specify the destination port number for a filter condition. It can be one or more port numbers.

• Protocol—Select the protocol type from TCP, UDP, ICMP, and IPv6-ICMP.

5. To return to the Add Filter Strategy page, click OK.

NOTE: After adding a new filter strategy by following the steps above, you must go to the Server Configuration page and select this strategy for it to take effect. For more information, see “Managing UBA servers.”

To sort the filter strategy priority:

1. In the Add Filter Strategy or Modify Filter Strategy page, in the Filter Condition List pane, locate the Sort column.

2. Click the Up or Down icon to move the target filter condition priority up or down.

3. Click OK.
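The filter strategy mechanics described above (a Default Policy, per-condition Discard or Receive actions on source/destination host, port and protocol, and conditions ordered through the Sort column), as an added example that is not part of this guide or of HP IMC: a Python evaluator run over constructed flow records. Its IP parser also accepts the segment formats the guide uses for intranet segments and audit conditions (CIDR, dotted netmask, trailing wildcard, address range). First-match-wins ordering is an assumption; the guide only says conditions can be moved up or down.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


def parse_ip_spec(spec: str) -> list:
    """One IP specification -> list of ip_network objects. Accepts the guide's
    forms: 10.110.10.1, 10.153.89.0/24, 10.153.89.0/255.255.255.0,
    a001:410:0:1::1/64, 10.110.10.*, 1.1.1.1-2.2.2.2."""
    spec = spec.strip()
    if "-" in spec:                                  # address range lo-hi
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    if spec.endswith(".*"):                          # trailing wildcard octets
        parts = spec.split(".")
        stars = sum(1 for p in parts if p == "*")
        fixed = [p for p in parts if p != "*"] + ["0"] * stars
        return [ipaddress.ip_network(".".join(fixed) + f"/{32 - 8 * stars}")]
    # Plain address, CIDR or dotted netmask; strict=False accepts a host
    # address written with a prefix length, as in a001:410:0:1::1/64.
    return [ipaddress.ip_network(spec, strict=False)]


def ip_matches(addr: str, spec_list: str) -> bool:
    """True if addr falls inside any of the comma-separated specifications."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for item in spec_list.split(",") for net in parse_ip_spec(item))


def parse_port_spec(spec: str) -> set:
    """'10', '10-20' or '22,10-20' -> set of port numbers."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


@dataclass
class FilterCondition:
    policy: str                      # "Discard" or "Receive"
    src_hosts: Optional[str] = None  # None: field not restricted
    src_ports: Optional[str] = None
    dst_hosts: Optional[str] = None
    dst_ports: Optional[str] = None
    protocol: Optional[str] = None   # TCP, UDP, ICMP or IPv6-ICMP

    def matches(self, log: dict) -> bool:
        """Every configured field must match; unset fields match anything."""
        if self.protocol and log["proto"] != self.protocol:
            return False
        if self.src_hosts and not ip_matches(log["src"], self.src_hosts):
            return False
        if self.dst_hosts and not ip_matches(log["dst"], self.dst_hosts):
            return False
        if self.src_ports and log["sport"] not in parse_port_spec(self.src_ports):
            return False
        if self.dst_ports and log["dport"] not in parse_port_spec(self.dst_ports):
            return False
        return True


@dataclass
class FilterStrategy:
    name: str
    default_policy: str              # applied when no condition matches
    conditions: List[FilterCondition] = field(default_factory=list)

    def decide(self, log: dict) -> str:
        # Assumption: the Sort order is a priority order and the first match decides.
        for cond in self.conditions:
            if cond.matches(log):
                return cond.policy
        return self.default_policy

    def apply(self, logs: list) -> list:
        """The logs the server goes on to process and audit."""
        return [log for log in logs if self.decide(log) == "Receive"]


# Constructed sample strategy: keep the internal resolver's DNS, drop all other
# DNS noise, drop the monitoring host's own traffic, receive everything else.
EXAMPLE_STRATEGY = FilterStrategy("trim-noise", "Receive", [
    FilterCondition("Receive", src_hosts="10.153.90.7", dst_ports="53", protocol="UDP"),
    FilterCondition("Discard", dst_ports="53", protocol="UDP"),
    FilterCondition("Discard", src_hosts="192.0.2.0/255.255.255.0"),
])

SAMPLE_LOGS = [  # constructed flow log records
    {"src": "10.153.89.12", "sport": 51000, "dst": "203.0.113.5", "dport": 80, "proto": "TCP"},
    {"src": "10.153.90.7", "sport": 4000, "dst": "198.51.100.9", "dport": 53, "proto": "UDP"},
    {"src": "a001:410:0:1::25", "sport": 0, "dst": "2001:db8::1", "dport": 0, "proto": "IPv6-ICMP"},
    {"src": "192.0.2.77", "sport": 3389, "dst": "10.153.89.200", "dport": 22, "proto": "TCP"},
    {"src": "10.153.89.40", "sport": 5353, "dst": "198.51.100.9", "dport": 53, "proto": "UDP"},
]

if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(EXAMPLE_STRATEGY.decide(log), log["src"], "->", log["dst"], log["dport"])
```

Swapping the first two conditions would also discard the resolver's DNS records, which is why the Sort column matters when a broad Discard rule and a narrow Receive rule overlap.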

Managing applications

Using UBA, you can view, add, modify, or remove any user-defined application. Likewise, you can view or modify pre-defined (default) applications; however you cannot remove them.


Managing the application list

The application list contains all default and user-defined applications. In the Application Management page, you can perform the following operations.

To view the application list:

1. Click Service > Traffic Analysis and Audit > Settings.

2. To open the Application Management page, in the settings portion of the Traffic Analysis and Audit page, click Application Management.

You can now see all applications as listed in the Application List page.

To query applications:

1. Set the following criteria to query the applications you want to view:

• Application—Input the partial or full name of the application you want to view.

• Protocol—Select the Layer 4 transfer protocol, TCP, UDP, or TCP/UDP (both protocols) for the application.

• Port—Input the TCP or UDP port number for the specified Layer 4 application.

• Application Type—Specify the layer of the seven layer OSI Reference model in which this application operates. If the application is a Layer 4 application, select Layer 4. Otherwise, select Layer 7.

• Pre-defined—Specify whether or not the specified application is pre-defined.

2. Click the Query button.

To refresh the application list: Click the Refresh button.

To view the application details: Click the Application field of an application.

To remove a user-defined application:

Click the Delete icon for the target application.

Adding a user-defined application

With Application Management, you can customize the following two types of user-defined applications:

• Layer 4 applications—To create a Layer 4 application, you specify the port, or the port and host IP address, that UBA compares against the port and host IP address of every packet to identify the application.

• Layer 7 applications—To create a Layer 7 application, you need to specify a regular expression string that UBA uses to compare the information of every packet, such as IP header, thus identifying the application.

To add a user-defined application:

1. In the Application Management page, click Add to open the Add Application page.

2. Complete the information for the following parameters:

• Application—Input a name for the application.

• Description—Input a brief description for the application.

• Protocol—Specify the Layer 4 transfer protocol the application uses. Select TCP, UDP, or TCP/UDP (both protocols) from the Protocol list.

NOTE: If you select TCP/UDP, the system automatically creates two applications, one using TCP and one using UDP. After the application is added successfully, the Application List shows two applications with the same name but different transfer protocols.

3. Select Layer 4 or Layer 7 from the Application Type list.

• If you select Layer 4, complete the information for the following parameters:

Port—Specify the TCP or UDP port number that the application uses. You can input a single port number (for example, 10) or a range of port numbers (for example, 10-20).

Host IP—Specify the host IP address that the application uses. Input a single IP address (for example, 10.110.10.1) or IP segment (for example, 10.110.10.* or a001:410:0:1::1/64) in standard IPv4 or IPv6 format, and then click Add to the right of Host IP. The IP segment displays in the Host IP List.

NOTE: The IP addresses or address ranges you add to the host IP list cannot overlap. You can remove an IP address or segment from the Host IP list. To do this, select the IP address or IP segment you want to remove, and click the Delete icon to the right of Host IP List.

• If you select Layer 7, complete the information for the following parameters:

Regular Expression—Specify the regular expression string that UBA uses to identify the applications in the Layer 7 portion of each IP packet examined.

Enable—Specify whether or not to enable regular expression matching for the application. Select Yes if you want to enable UBA to compare the content of the IP header of every packet with the regular expression configured in this field. Otherwise, select No.

For more information, see HP Intelligent Management Center Network Traffic Analyzer Administrator Guide.

4. Click OK to add the application.

Batch importing user-defined applications

With Application Management, you can import user-defined applications from CSV (Comma-Separated Values) files in batches. A CSV file records application information in plain text, with the fields separated by commas. Each line of the file defines one application, including the application name, description, protocol, and port number.

To batch import user-defined applications:

1. In the Application Management page, click Import to open the Import Application page.

2. Click Browser.

The Choose File to Upload dialog box displays.

3. Locate the application definition (CSV) file to import, and then click Open.

4. Click Upload File.

UBA parses the file contents. The Import Application page is refreshed to display the parsing result in the Application List.
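The two identification methods described under “Adding a user-defined application” (Layer 4 by transport protocol and port or port range, Layer 7 by a regular expression with its Enable switch) together with the CSV batch import above, as an added example that is not the guide's or HP IMC's own code: a Python implementation run over constructed CSV lines and packets. It assumes the CSV has no header row and exactly the four columns the guide names, that an enabled Layer 7 expression takes precedence over a port match, and that the expression is applied to the packet payload.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Application:
    name: str
    description: str
    protocol: str                        # "TCP" or "UDP"
    app_type: str                        # "Layer 4" or "Layer 7"
    port_lo: int = 0                     # Layer 4: single port or range start
    port_hi: int = 0                     # Layer 4: range end (== port_lo for one port)
    regex: Optional[re.Pattern] = None   # Layer 7: compiled regular expression
    enabled: bool = True                 # Layer 7: the Enable switch


def parse_port_range(spec: str):
    """'10' -> (10, 10); '10-20' -> (10, 20); rejects malformed ranges."""
    lo, _, hi = spec.strip().partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"invalid port specification: {spec!r}")
    return lo_i, hi_i


def import_applications_csv(text: str) -> List[Application]:
    """Batch import: each line is name,description,protocol,port (no header,
    an assumption of this example). A protocol of TCP/UDP expands into two
    applications with the same name, one per transport protocol, as the guide notes."""
    apps = []
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), 1):
        if not row:
            continue                                 # blank line
        if len(row) != 4:
            raise ValueError(f"line {line_no}: expected 4 fields, got {len(row)}")
        name, description, protocol, port = (c.strip() for c in row)
        lo, hi = parse_port_range(port)
        protocols = ["TCP", "UDP"] if protocol.upper() == "TCP/UDP" else [protocol.upper()]
        if not set(protocols) <= {"TCP", "UDP"}:
            raise ValueError(f"line {line_no}: unsupported protocol {protocol!r}")
        for proto in protocols:
            apps.append(Application(name, description, proto, "Layer 4", lo, hi))
    return apps


def layer7_application(name, description, protocol, pattern, enabled=True):
    """A user-defined Layer 7 application: a regex over the payload bytes."""
    return Application(name, description, protocol, "Layer 7",
                       regex=re.compile(pattern.encode()), enabled=enabled)


def identify(apps: List[Application], protocol: str, dst_port: int,
             payload: bytes) -> Optional[str]:
    """Name the application a packet belongs to, or None if nothing matches.

    Enabled Layer 7 expressions are tried first because payload content is more
    specific than a port; Layer 4 port matches are the fallback. This precedence
    is an assumption of the example, not something the guide states.
    """
    for app in apps:
        if (app.app_type == "Layer 7" and app.enabled
                and app.protocol == protocol and app.regex.search(payload)):
            return app.name
    for app in apps:
        if (app.app_type == "Layer 4" and app.protocol == protocol
                and app.port_lo <= dst_port <= app.port_hi):
            return app.name
    return None


# Constructed CSV import file (not from the product).
SAMPLE_CSV = """\
Web,Corporate intranet portal,TCP,80
DNS,Name resolution,TCP/UDP,53
Mgmt,Device management range,TCP,10-20
"""

SAMPLE_APPS = import_applications_csv(SAMPLE_CSV) + [
    layer7_application("SSH", "SSH banner on any port", "TCP", r"^SSH-2\.0-"),
    layer7_application("HTTP-Tunnel", "HTTP CONNECT (matching disabled)", "TCP",
                       r"^CONNECT ", enabled=False),
]

SAMPLE_PACKETS = [  # constructed (protocol, destination port, payload start)
    ("TCP", 80, b"GET /index.html HTTP/1.1\r\n"),
    ("UDP", 53, b"\x12\x34\x01\x00"),
    ("TCP", 53, b"\x00\x20\x12\x34"),
    ("TCP", 2222, b"SSH-2.0-OpenSSH_8.9\r\n"),            # SSH off port 22: L7 finds it
    ("TCP", 15, b"CONNECT example.net:443 HTTP/1.1\r\n"),  # L7 rule disabled: port wins
    ("TCP", 8080, b"GET / HTTP/1.1\r\n"),                  # nothing configured: None
]

if __name__ == "__main__":
    for proto, port, payload in SAMPLE_PACKETS:
        print(proto, port, identify(SAMPLE_APPS, proto, port, payload))
```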


Modifying an application

With Application Management, you can modify different information for pre-defined and user-defined applications. For both types of applications, you cannot modify the protocol and application type.

To modify a pre-defined application:

1. In the Application List, click the Modify icon in the Modify field of the target application. The Modify Application page displays.

2. If the application is a Layer 4 application, you can modify the following parameters:

• Application—Input a name for the application.

• Description—Input a brief description for the application.

3. If the application is a Layer 7 application, in addition to the parameters for Layer 4 application, you can also modify the following parameter:

• Enable—Specify whether or not to enable regular expression matching for the application. Select Yes if you want to enable UBA to compare the content of the IP header of every packet with the regular expression configured in this field. Otherwise, select No.

4. Click OK.

To modify a user-defined application:


1. In the Application List, click the Modify icon in the Modify field of the target application. The Modify Application page displays.

• If the application is a Layer 4 application, you can modify the following parameters:

Application—Input a name for the application.

Description—Input a brief description for the application.

Port—Specify the TCP or UDP port number that the application uses. You can input a single port number (for example, 10) or a range of port numbers (for example, 10-20).

Host IP—Specify the host IP address that the application uses. Input a single IP address (for example, 10.110.10.1) or IP segment (for example, 10.110.10.* or a001:410:0:1::1/64) in standard IPv4 or IPv6 format, and then click Add to the right of Host IP. The IP segment displays in the Host IP List.

NOTE: The IP addresses or address ranges you add in the Host IP list cannot overlap. You can remove an IP address or segment from the Host IP list. To do this, select an IP address or IP segment you want to remove, and then click the Delete icon to the right of the Host IP List.

• If it is a Layer 7 application, you can modify the following parameters:

Application—Input a name for the application.

Description—Input a brief description for the application.

Regular Expression—Specify the regular expression string that UBA uses to identify the application in the Layer 7 portion of each IP packet examined.

Enable—Specify whether or not to enable regular expression matching for the application. Select Yes if you want to enable UBA to compare the content of the IP header of every packet with the regular expression configured in this field. Otherwise, select No.

2. Click OK.

Setting parameters

UBA provides you with the ability to configure and tune system parameters that define how the logs are preserved and presented in UBA.

To configure system parameters:

1. Click Service > Traffic Analysis and Audit > Settings.

2. Click the Parameter Management icon in the settings portion of the Traffic Analysis and Audit page to open the Parameter Management page.

3. In the Basic Settings pane, configure the Log Lifetime parameter.

Log lifetime indicates for how many days UBA retains the collected logs before sending them to an export file. The logs directed to UBA are saved in the UBA database. This parameter is associated with the Data Export function. If the Data Export is enabled in the data export management, the UBA database sends the logs that have been saved longer than the log lifetime defined here to an export file. Then the database deletes the logs to release storage space. The range for log lifetime is 1 to 1,825 days (5 years). For more information, see “Exporting UBA log files.”

4. After configuring the Log Lifetime parameter, click OK.


5. In the Advanced Settings pane, configure the Max. Displayed Entries for Audit parameter. This parameter indicates how many results UBA displays for a given search or audit. The range for maximum displayed entries is 1 to 100,000.

6. After configuring the Max. Displayed Entries for Audit parameter, click OK.

Managing database storage space

The database space function displays UBA database disk usage and usage trend statistics in a specific time range. You can select different time ranges as a condition to complete the query requirement. UBA provides a configurable database usage threshold in Server Management to trigger the database disk usage alarm. For more information, see “Managing UBA servers.”

Viewing the Database File Usage and Disk Usage

To view the Database File Usage and Disk Usage:

1. Click Service > Traffic Analysis and Audit > Settings.

2. Click the Database Space Usage icon in the settings portion of the Traffic Analysis and Audit page to open the Database Space Usage page.

Data File Usage and Disk Usage data display in the Database Space Usage page.

Viewing a target server database details

To view a target server database details:

1. In the Database Space Usage page, click the server name 127.0.0.1 to open its database space usage detail page.

2. Select the time period that you want to query. Available options are as follows:

• Last 24 hours—Query the database space usage trend for the past 24 hours.

• Last 7 hours—Query the database space usage trend for the past 7 hours.

• Last 30 hours—Query the database space usage trend for the past 30 hours.

• Last 3 months—Query the database space usage trend for the past 3 months.

• Custom—Query the database space usage trend for a user-defined time period. If you select this option, the Start Time and End Time are activated for time span setting.

3. Click Query.

The results display in the Database Space Usage Trend pane. You can also check usage detail information in the Details pane.

4. Click Reset to go back to default for the next query.


4 Monitoring user behavior

This information describes how to configure user behavior audit conditions according to your requirements and to view the audit result. For auditing purposes, UBA provides the following modes:

• Quick auditing—Allows you to configure audit conditions and display results in the same page without retaining the audit record. If you want to perform a quick audit without the requirements that go with retaining the audit record, including the audit conditions and results, HP recommends that you select this mode. For more information, see “Quick auditing.”

• Task-oriented auditing—Based on task management. Before you start an audit, you need to create an audit task used to define the audit conditions. UBA analyzes the network flow data according to the audit task, and then displays the audit result. Task-oriented auditing records the audit conditions and results in an audit task. Task management provides you with the ability to view, add, modify, or remove audit tasks.

If you want to retain the condition configurations and result of a user behavior audit, select this mode. HP recommends that you create some typical audit tasks as templates so that you can configure audit conditions for the same types of audit tasks more efficiently. For more information, see “Task-oriented auditing.”

User behavior audit conditions

For both auditing modes, UBA provides the following audits:

• General audit—Analyze the basic information of flow data, such as source/destination IP address, ports, and transfer protocols. You also can specify one or more applications to identify which users accessed the specified applications.

• NAT audit—Analyze the information about network address translation of flow data to identify which intranet users accessed the external applications.

If you deploy a probe for network flow records collection and enable one or more special audits described below for the probe, you can use the enabled special audits to monitor the corresponding user behaviors:

• Web visiting audit—Specify a website address or content to identify which users accessed the specified website or content.

• FTP audit—Specify the related information about the FTP application, such as user, files, or transfer mode, to identify which users used the FTP service or transferred the specified files.

• Mail audit—Specify the related information of a mail service, such as sender, receiver, or title, to identify which users used the mail service or who transferred the specified mail.

For more information, see “Configuring UBA for a traffic audit.”

Table 11 describes all audit conditions that you can use in a user behavior audit.

Table 11 User behavior audit conditions

General conditions:

• Source—Specify the source IP address of the data flow that is analyzed by the UBA server for user behavior reporting. Value: input a single IP address or IP segment in IPv4 or IPv6 format. Examples: 10.110.10.1, 10.110.10.*, 1.1.1.1-2.2.2.2, a001:410:0:1::1, a001:410:0:1::1/64, a001:410:0:1::1-a001:410:0:1::100.

• Destination—Specify the destination IP address of the data flow that is analyzed by the UBA server for user behavior reporting. Value: input a single IP address or IP segment in IPv4 or IPv6 format.

• Source port—Specify the source port number of the data flow that is analyzed by the UBA server for user behavior reporting. Value: input a port number or a range of port numbers. Examples: 10, 10-20.

• Destination port—Specify the destination port number of the data flow that is analyzed by the UBA server for user behavior reporting. Value: input a port number or a range of port numbers.

• Protocol—Specify the protocol used for transferring the data flow that is analyzed by the UBA server. Value: select a transfer protocol from the Protocol list. Value range: TCP, UDP, ICMP, or IPv6 ICMP.

• Application—Specify the applications with which UBA can analyze data flow to identify which users accessed the specified applications. Value: click Select to open the Query Applications pane, and input one or more of the following search criteria:

Application—Input a partial or complete name for the application(s) you want to search for.

Pre-defined—Select Yes from the Pre-defined list to search the pre-defined applications; select No to search the user-defined applications. To search all the applications, select Not limited.

Click Query, and then view the applications that meet your search criteria in the Application List pane. Select the applications you want to add to the audit task, and click OK.

NOTE: You can select up to five applications for an audit.

• Device—Specify the IP address of the devices from which the flow data analyzed by the UBA server are forwarded. Value: input an IP address or IP segment in standard IPv4 or IPv6 format.

NAT conditions:

• NAT IP—Specify the IP address of the device for which the NAT is performed. Value: input an IP address or IP segment in standard IPv4 or IPv6 format.

• NAT Port—Specify the port number of the device for which the NAT is performed. Value: input a port number or a range of port numbers. Examples: 10, 10-20.

• Operator—Specify the operator used to identify the cause of terminating a network flow. Value: select an operator from the Operator list:

Reserved

Ended Normally—Indicates the flow ends normally.

Aged upon Timeout—Indicates the flow is aged due to timeout.

Aged upon Configuration Change—Indicates the flow aged due to changing CLEAR/Configuration.

Aged for Resource Insufficiency—Indicates the flow aged due to insufficient resources.

NAT Mapping—Indicates one-on-one NAT mapping. Only the source IP address, transferred IP address, and time fields are valid in the flow records.

Long-lasting—Indicates the intermediate forwarding records last a long time.

Removed Due to Substitution—Indicates the flow is removed due to a substitution operation.

Creation Records—Indicates the records of creating a flow.

Undefined Flows—Indicates a flow that is not defined in the system.

Others—Other reasons that cause flow termination.

Web visiting conditions:

• Web Site—Specify an address or name of a website to identify who accessed the specified website. Value: input a partial or full address of a website. Example: www.hp.com.

• Title—Specify a title of a network resource to identify who accessed the specified resource. Value: input a partial or full title of a network resource. Example: news.

• URI—Specify the uniform resource identifier of a network resource to identify who accessed the specified resource. Value: input a URI of a network resource. Example: mc/style/top.css.

FTP conditions:

• FTP User—Specify a user name of an FTP service to identify whether the specified user accessed an FTP service. Value: input a partial or full user name for FTP logon.

• File—Specify a file to identify who uploaded or downloaded the specified file via FTP. Value: input a partial or full file name.

• Transfer mode—Specify the transfer mode of the FTP service. Value: select Upload or Download from the Transfer Mode list.

Mail conditions:

• Sender—Specify the email address of the sender to query the details of the emails sent from the specified address. Value: input a partial or full email address.

• Receiver—Specify the email address of the receiver to query the details of the emails received by the specified address. Value: input a partial or full email address.

• Title—Specify an email title to query details of the corresponding email, including sender, receiver, and so forth. Value: input a partial or full title of an email.

Quick auditing

You can use both general and special audit conditions to configure a user behavior audit that meets your requirements.

To configure audit conditions:

1. Click Service > Traffic Analysis and Audit > User Behavior Audit. The User Behavior Audit page displays.


2. Select the IP address or name of the UBA server from the Server list.

If more than one UBA server is installed in your network environment, select the one collecting the logs from the devices you want to monitor.

3. Set the start and end times for the audit task.

You can specify the start and end times by clicking the Select Date and Time icon . A pop-up calendar displays. Select the time from the calendar.

4. If you want to query all the data that meets any one of the audit conditions you configure, click Meet Any. Otherwise, leave the default setting as is.

5. Set the general audit conditions.

Select the check box to the left of the parameter that you want to set as an audit condition, and then specify a value or the value range for the condition you select. For the descriptions and value ranges of the general conditions, see the general conditions listed in Table 11.

6. If you want to set special audit conditions, select the check box next to Special Audit to activate the special audit conditions.

7. Set the special audit conditions.

Select the check box next to the special audit name to open the special audit configuration pane. Select the check box to the left of the parameter that you want to set as an audit condition, and then specify a value or the value range for the parameters you select. For more information, see Table 11.

8. Click Audit.


The audit result displays in the Audit Result pane. For more information, see “Viewing the audit result.”

Task-oriented auditing

UBA uses an audit task to record the audit conditions and results. A typical audit task can be an audit template that enables you to perform the same types of audits without configuring the corresponding conditions.

You can manage user behavior audit tasks and task lists.

Managing the audit task list

UBA classifies audit tasks in terms of audit type and purpose. In User Behavior Audit Management, you can view the audit task list and audit task details.

To view the audit task list:

1. Click Service > Traffic Analysis and Audit > Settings.

2. Click the User Behavior Audit icon in the settings portion of the Traffic Analysis and Audit page.

This opens the User Behavior Audit Management page.

3. View all created audit tasks listed in the Custom Audit List page.

4. Click the Refresh button to update the audit task list.

To view only the audit tasks of a specific type, specify the audit type:

5. Click Service > Traffic Analysis and Audit.

6. From the navigation tree in the left pane, click one of the following type names:

• General Audit

• NAT Audit

• Web Visiting Audit


• FTP Audit

• Mail Audit

IMPORTANT: The Web Visiting Audit, FTP Audit, and Mail Audit are special audits used to monitor Layer 7 applications. These special audit types display in the navigation tree only after you deploy a probe for DIG logs collection and enable the corresponding special audits for the probe. For more information, see “Configuring UBA for a traffic audit.”

7. View the audit task list of the specified type in the Custom Audit List page.

To view audit task details:

In the Custom Audit List page, click the Name field of an audit task to view details such as condition configurations and other information.

Managing audit tasks

To add an audit task:

1. In the Custom Audit List page, click the Add button to open the Select Audit Type page.

2. Click the radio button next to the type of audit task you want to create, and then click Next.

3. Configure the basic information for the audit task:

• Name—Input a name for the audit task.

• Server—Select the IP address or name of the UBA server from the Server list. If more than one UBA server is installed in your network environment, select the one that collects the logs from the devices you want to monitor.

• Reader—Specify the group in which the operators have permission to view the audit task and its result. Click Select to display the Operator Group List. Select the check box of the operator group to which you want to assign the reader authority, and then click OK.

NOTE: You can delete one or more operator groups from the Reader list. Select the operator groups you want to delete from the Reader list, and then click Delete to cancel the reading permission of the users in the specified groups. For more information, see HP Intelligent Management Center Base Platform Administrator Guide.

4. Set the audit conditions.

Select the check box to the left of the parameter that you want to set as an audit condition, and then specify a value or the value range for the conditions you select; see Table 11. For the general audit conditions, if you want to query all the data that meets any one of the audit conditions you configure, click Meet Any. Otherwise, leave the default setting as is, and only data that meets all of the configured conditions is returned.

5. After configuring audit conditions, click OK to add the audit task.

To modify an audit task:

1. In the Custom Audit List page, click the Modify icon to open the Modify Custom Audit page.

2. Modify the basic information and audit conditions of the audit task.

Select the check box to the left of the parameter that you want to set as an audit condition, and then specify a value or the value range for the conditions you select; see Table 11. For the general audit conditions, if you want to query all the data that meets any one of the audit conditions you have configured, click Meet Any. Otherwise, leave the default setting.

3. Click OK.

To remove an audit task:

In the Custom Audit List page, click the Delete icon to delete the desired audit task.


Viewing the audit result

The methods for viewing an audit result are different for a summary (quick) audit and a task-oriented audit.

To view the result of a quick audit:

Set the audit condition, and then click Audit to see the audit result records listed in the Audit Result pane.

To view the result of a task-oriented audit (there are two ways):

• In the Custom Audit List page, click the Audit icon to open the Audit Result page for the specified audit task.

or

• Click Service > Traffic Analysis and Audit > Settings. From the navigation tree in the left pane, click the Details icon next to the type name of the audit task that you want to view.

The corresponding audit tasks are listed under the type name you clicked. Select the audit task you want to view, and then click the name of the audit task to open the Audit Result page for the specified audit task.

Querying an audit result

The audit result records of the last one hour display in the Audit Result page. You can set the audit time to query the audit result records generated in a specified period of time, as follows:

1. In the Audit Result pane, select a period of time for the audit result query.

• Last 1 hour—View the audit result records generated in the last one hour.

• Last 2 hours—View the audit result records generated in the last two hours.

• Custom—Customize a period of time to query the audit result records. To do this, click Custom, and then populate the start and end times by clicking the Select Date and Time icon and selecting the time in the pop-up calendar.

2. Click Audit to view the audit result record generated in the period of time you specify.

Viewing audit results by group

In the Audit Result pane, from the Group list, select the parameters that you want to use to group the audit result records. The grouped audit result records display in the Audit Result pane.

Customizing the audit result list

1. In the Audit Result pane, click Custom to open the Column List pane.

2. Select the check boxes of the columns that you want to display in the audit result list.

3. (Optional) Reorganize the sequence of the columns displayed in the audit result list.

If you want to reorganize the sequences of the columns displayed in the audit result list, click the Up or Down icon to change the sequence of the specified column.

If you want to apply the default sequence to the columns, click Default.

4. Click OK.

The selected columns display in the sequence that you specified.

Viewing additional audit result records

The Max. Displayed Entries for Audit parameter defines the maximum number of entries that can be displayed for a given search or audit. If the number of audit result records for an audit exceeds the value of the system parameter, for example, 100,000, the system displays only 100,000 audit result records in the Audit Result pane, so narrow the audit conditions or the time period if you need to see the remaining records.
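The following is an added illustration, not code from HP IMC or UBA, of how the behaviours described in this chapter fit together: audit conditions evaluated with the default meet-all rule or with Meet Any, a query limited to a time period, grouping of the result records, and the Max. Displayed Entries for Audit cap. The record fields, sample flows and the AuditTask class are constructed for the example and do not reflect UBA's internal data model.

```python
# Added illustration, not HP IMC code: a small model of how a UBA audit task's
# conditions, time window, grouping and the Max. Displayed Entries cap combine.
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample flow records (hypothetical values, not real IMC logs).
RECORDS = [
    {"time": datetime(2012, 5, 1, 9, 5),  "src_ip": "10.0.0.5", "dst_port": 80,  "bytes": 1200},
    {"time": datetime(2012, 5, 1, 9, 20), "src_ip": "10.0.0.7", "dst_port": 21,  "bytes": 5_000_000},
    {"time": datetime(2012, 5, 1, 9, 40), "src_ip": "10.0.0.5", "dst_port": 443, "bytes": 800},
    {"time": datetime(2012, 5, 1, 8, 30), "src_ip": "10.0.0.9", "dst_port": 21,  "bytes": 300},
    {"time": datetime(2012, 5, 1, 7, 55), "src_ip": "10.0.0.3", "dst_port": 21,  "bytes": 900},
]

# Audit period: the "Last 2 hours" choice relative to a fixed end time.
END = datetime(2012, 5, 1, 10, 0)
START = END - timedelta(hours=2)

@dataclass
class AuditTask:
    """Audit conditions: each entry maps a record field to a predicate on its value."""
    name: str
    conditions: dict = field(default_factory=dict)
    meet_any: bool = False   # False = every condition must hold (the default setting)

    def matches(self, rec):
        checks = [pred(rec[fld]) for fld, pred in self.conditions.items()]
        return any(checks) if self.meet_any else all(checks)

def run_audit(task, records, start, end, max_entries=100_000):
    """Return the records in [start, end] that satisfy the task, oldest first,
    truncated like the Max. Displayed Entries for Audit system parameter."""
    hits = [r for r in records if start <= r["time"] <= end and task.matches(r)]
    hits.sort(key=lambda r: r["time"])
    return hits[:max_entries]

def group_results(results, key):
    """Count audit result records per value of one field, as the Group list does."""
    return dict(Counter(r[key] for r in results))

if __name__ == "__main__":
    # FTP traffic OR large transfers: Meet Any semantics.
    task = AuditTask("ftp-or-large",
                     {"dst_port": lambda p: p == 21, "bytes": lambda b: b > 1_000_000},
                     meet_any=True)
    hits = run_audit(task, RECORDS, START, END)
    print(len(hits), "records;", group_results(hits, "src_ip"))
```

With the default meet-all rule the same conditions return only the record that is both FTP and larger than 1 MB, which is the difference Meet Any makes.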
