EventLog Analyzer processes log data across your network and provides reports on session activity of your network devices and users. You can access these reports by clicking on Activity Monitoring under the Correlation tab.
Activity Monitoring Rules
You can either use the predefined rules in EventLog Analyzer to generate reports on session activity, or you can build your own rules from individual actions.
Predefined activity rules
- Navigate to Correlation > Manage Rules > Activity Rules.
- Select the predefined rules which you wish to use, click the enable icon, and confirm the same.
Custom activity rules
To open the activity rule builder, navigate to Correlation > Manage Rules > Activity Rules > Create Activity Rule.
- Select the individual actions that make up the rule, from the categorized list of actions on the left of the screen.
For each action, specify the time interval within which it is to be followed by the next action, under the Followed by within label. You can specify the time interval in seconds or minutes by using the provided dropdown.
To configure advanced options for any of the selected actions, click Filters on the top right corner of the action.
The first rule starts the session and the last rule ends the session. The duration of the session is the time-interval between the first and the last rule.
- You can also search for actions using the search bar on top of the list.
- You can drag and drop the actions to rearrange their order, or delete the action by clicking on the delete icon on its right.
- To detect repetition of the same action within a particular time interval, tick the Threshold limit check box and enter the number of occurrences and time interval.
Each action in an activity rule corresponds to a log. Logs contain various fields, and each field has a specific value. With advanced options (found under Filters on the right of the action), you can provide filter criteria for each field of the log/action and specify a threshold limit on the minimum number of repetitions of the action.
- You can select a filter field from the dropdown list provided. The fields provided in the dropdown may vary based on the action selected.
- You can select the comparison type as equals, not equals, contains, starts with, ends with, link to, or is constant, from the dropdown provided.
Note: When you provide more than one value for an equals comparison, the set of values is treated as a list of possible values, and the action is accepted if any one value from the list matches. The same holds true for the contains, starts with, and ends with comparisons.
When you provide more than one value for a not equals comparison, every one of the provided values must hold true (the field must differ from all of them) for the action to be accepted.
The link to comparison type is used to check the value of the selected field against the value of a field in another action (belonging to the same rule, or the primary action of another rule). For instance, if the field Device type of Action 1 is linked to Action 2's Device type value, then Action 1 is triggered only if the values of both linked fields are the same.
When you choose link to, the icon appears at the end of the filter. Clicking on the icon opens a new tab.
Note: At least one field of the starting rule should be linked to a field in the ending rule.
Click the check box corresponding to the field of the second action against which you want to compare the value of the previous action. Click OK to complete linking the two actions.
The is constant option is used to treat the specific field as constant. By selecting this option, a set of repeated actions are accepted by the rule only if this field's value remains constant throughout all the iterations. For instance, if the Target User field is kept as constant, then the action gets triggered only when the value of this field remains constant in all the iterations. The action doesn't get triggered if the event is generated with different values.
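To make the rule semantics above concrete, here is an added example (not code from EventLog Analyzer) that evaluates a hypothetical two-action rule over constructed sample events: a Logon with a multi-value not equals filter, followed within a time window by a Logoff whose user and device are linked to the Logon's. The rule structure, field names and timestamps are assumptions for illustration; the session duration is the interval between the first and last matched action.

```python
from datetime import datetime, timedelta
# Constructed sample events (not product output): one interactive user, one service account.
LOGS = [
    {"action": "Logon", "ts": "2024-01-10 09:00:00", "user": "alice", "device": "ws01"},
    {"action": "Logon", "ts": "2024-01-10 09:00:05", "user": "svc_backup", "device": "ws01"},
    {"action": "Logoff", "ts": "2024-01-10 09:30:00", "user": "alice", "device": "ws02"},
    {"action": "Logoff", "ts": "2024-01-10 09:42:00", "user": "alice", "device": "ws01"},
]
# Hypothetical rule in the page's terms: a Logon (service accounts excluded by 'not equals')
# followed within 3600 s by a Logoff whose user and device are linked to the Logon's.
RULE = [
    {"action": "Logon", "within": 3600,
     "filters": [("user", "not equals", ["svc_backup", "SYSTEM"])]},
    {"action": "Logoff",
     "filters": [("user", "link to", (0, "user")), ("device", "link to", (0, "device"))]},
]

def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")

def field_matches(value, op, wanted):
    tests = {"equals": lambda v, w: v == w, "not equals": lambda v, w: v != w,
             "contains": lambda v, w: w in v, "starts with": str.startswith,
             "ends with": str.endswith}
    # Several values: every 'not equals' value must differ; for the other operators any may match.
    combine = all if op == "not equals" else any
    return combine(tests[op](value, w) for w in wanted)

def action_matches(event, step, chain):
    def check(field, op, wanted):
        if op == "link to":  # wanted = (index of an earlier matched action in chain, its field)
            return event.get(field) == chain[wanted[0]].get(wanted[1])
        return field_matches(str(event.get(field, "")), op, wanted)
    return event["action"] == step["action"] and all(check(*f) for f in step.get("filters", []))

def find_sessions(logs, rule):
    """(start, end, seconds) per chain that matches the rule's actions in order within the windows."""
    events, sessions = sorted(logs, key=_ts), []
    for first in events:
        chain = [first] if action_matches(first, rule[0], []) else []
        for prev_step, step in zip(rule, rule[1:]):
            if chain:  # look for the next action inside this action's 'Followed by within' window
                latest = _ts(chain[-1]) + timedelta(seconds=prev_step["within"])
                nxt = next((e for e in events if _ts(chain[-1]) < _ts(e) <= latest
                            and action_matches(e, step, chain)), None)
                chain = chain + [nxt] if nxt else []
        if chain:
            seconds = int((_ts(chain[-1]) - _ts(chain[0])).total_seconds())
            sessions.append((chain[0]["ts"], chain[-1]["ts"], seconds))
    return sessions
```

Running find_sessions(LOGS, RULE) yields one session for alice on ws01 lasting 2520 seconds: the service-account logon is rejected by the not equals filter, and the ws02 logoff is skipped because its device is not linked to the logon's device.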
Activity Monitoring Reports
- The activity monitoring reports give information on Windows and Unix sessions.
- You can view session activity based on the device or the user.
- The report provides details of the device, user, status, session duration, and the starting and ending time of the session. To know more details of the session, click View History.
- The calendar widget allows you to select the time period for which you wish to review the session activity for your selected devices/users.
- You can also schedule an activity monitoring report.
- The activity monitoring report can be exported in the PDF and CSV formats, by clicking Export as.
The detailed history of a single session looks like this:
Note: Events displayed in the history are included or excluded based on the options that have been checked or unchecked in View logs and Configure Fields.
You can drill down and view the raw logs by clicking Advanced View.