SYMANTEC ENDPOINT PROTECTION Advanced Monitoring and Reporting

MODULE 19: ADVANCED MONITORING AND REPORTING

MONITORING THE HOME AND MONITORS PAGE

Symantec Endpoint Protection collects information about the security events in your network. You can use logs and reports to view these events, and you can use notifications to stay informed about the events as they occur.

You can use the reports and logs to determine the answers to the following kinds of questions:

■ Which computers are infected?
■ Which computers need scanning?
■ What risks were detected in the network?

MONITORING THE HOME AND MONITORS PAGE

Logging on to reporting from a stand-alone Web browser

You can access the Home, Monitors, and Reports page functions from a stand-alone Web browser that is connected to your management server.

You can perform all the reporting functions from a stand-alone Web browser.

However, none of the other console functions are available when you use a stand-alone browser.

You log on to the browser interface with a management-server administrator account, and the log data it exposes includes computer names, detected risks, and client traffic records. Restrict network access to the management server's reporting interface as tightly as you restrict access to the console itself.

ANALYZING AND MANAGING LOGS

You can generate a list of events to view from your logs, based on a collection of filter settings that you select.

Each log type and content type have a default filter configuration that you can use as-is or modify.

You can also create and save new filter configurations. These new filters can be based on the default filter or on an existing filter that you created previously.

If you save the filter configuration, you can generate the same log view at a later date without having to configure the settings each time.

You can delete your customized filter configurations if you no longer need them.

ANALYZING AND MANAGING LOGS

Because logs contain some information that is collected at intervals, you can refresh your log views.

To configure the log refresh rate, display the log and select from the Auto-Refresh list box at the top right on that log's view.

Reports and logs always display in the language that the management server was installed with.

To display these when you use a remote Symantec Endpoint Protection Manager console or browser, you must have the appropriate font installed on the computer that you use.

ANALYZING AND MANAGING LOGS

Logs contain records about client configuration changes, security-related activities, and errors.

These records are called events. The logs display these events with any relevant additional information.

Security-related activities include information about virus detections, computer status, and the traffic that enters or exits the client computer.

Logs are an important method for tracking each client computer’s activity and its interaction with other computers and networks.

ANALYZING AND MANAGING LOGS

You can use this data to analyze the overall security status of the network and modify the protection on the client computers. You can track the trends that relate to viruses, security risks, and attacks. If several people use the same computer, you might be able to identify who introduces risks, and help that person to use better precautions.

You can view the log data on the Logs tab of the Monitors page.

ANALYZING AND MANAGING LOGS

Clients regularly upload their log information to the management server.

You can view this information in the logs or in reports. Because reports are static and do not include as much detail as the logs, you might prefer to monitor the network by using logs.

ANALYZING AND MANAGING LOGS

Saving and deleting custom logs by using filters

You can construct custom filters by using the Basic Settings and Advanced Settings to change the information that you want to see.

When you save your filter settings, they are stored in the database so that you can generate the same view again in the future.

The name you give to the filter appears in the Use a saved filter list box for that type of logs and reports.

ANALYZING AND MANAGING LOGS

Viewing logs from other sites

If you want to view the logs from another site, you must log on to a server at the remote site from the Symantec Endpoint Protection Manager console.

If you have an account on a server at the remote site, you can log on remotely and view that site's logs.

If you have configured replication partners, you can choose to have all the logs from the replication partners copied to the local partner and vice versa.

If you choose to replicate logs, by default you see the information from both your site and the replicated sites when you view any log. If you want to see a single site, you must filter the data to limit it to the location you want to view.

ANALYZING AND MANAGING LOGS

Running commands from the computer status log

From the Computer Status log, you can take the following kinds of actions on client computers:

■ Run scans or cancel scans.
■ Restart the computers.
■ Update content.
■ Enable or disable several of the protection technologies.

ANALYZING AND MANAGING LOGS

You can also right-click a group directly from the Clients page of the Symantec Endpoint Protection Manager console to run commands.

From the Command Status tab, you can view the status of the commands that you have run from the console and their details. You can also cancel a specific scan from this tab if the scan is in progress.

You can cancel all scans in progress and queued for selected clients. If you confirm the command, the table refreshes and you see that the cancel command is added to the command status table.

ANALYZING AND MANAGING LOGS

If you run a Restart Client Computer command from a log, the command is sent immediately.

Users that are logged on to the client are warned about the restart based on the options that the administrator has configured for that client.

You can configure client restart options on the General Settings tab.

CONFIGURING AND VIEWING NOTIFICATIONS

Notifications alert administrators and computer users about potential security problems.

Some notification types contain default values when you configure them.

These defaults are reasonable starting points for the size of your environment, but they may need to be adjusted. Finding the balance between too many and too few notifications usually takes some trial and error.

Set the threshold to an initial limit, then wait for a few days.

After a few days, you can adjust the notification settings.

CONFIGURING AND VIEWING NOTIFICATIONS

For virus, security risk, and firewall event detection, suppose that you have fewer than 100 computers in a network.

A reasonable starting point in this network is to configure a notification when two risk events are detected within one minute.

If you have 100 to 1000 computers, detecting five risk events within one minute may be a more useful starting point.
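The threshold rule above, together with the saved log filters described earlier (Basic Settings and Advanced Settings narrowing which events a view shows), as an added worked example in Python. This is not SEPM code and not Symantec's implementation: the sample risk records, the group names, the one-notification-per-burst behaviour, and the rule that fleets above 1000 computers get no default are all constructed assumptions for the illustration. It generalizes the page's two figures into a function of fleet size and shows that the same burst of detections fires a notification for a 50-computer fleet but not for a 500-computer one.

```python
"""Windowed risk-event notification model (added example; not SEPM code)."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Iterable, List, Optional


@dataclass(frozen=True)
class RiskEvent:
    """One risk detection as a log record would report it."""
    time: datetime
    computer: str
    group: str
    risk: str


def _t(hhmmss: str) -> datetime:
    """Build a timestamp on a fixed day; the date itself is arbitrary."""
    return datetime.strptime(f"2024-01-01 {hhmmss}", "%Y-%m-%d %H:%M:%S")


# Constructed sample records (assumption); they are not a SEPM log export.
SAMPLE_EVENTS = [
    RiskEvent(_t("09:00:00"), "ws-01", "Sales", "Trojan.Gen"),
    RiskEvent(_t("09:00:20"), "ws-02", "Sales", "Trojan.Gen"),
    RiskEvent(_t("09:00:40"), "ws-03", "Engineering", "W32.Downadup"),
    RiskEvent(_t("09:02:30"), "ws-04", "Engineering", "Trojan.Gen"),
    RiskEvent(_t("09:02:45"), "ws-05", "Sales", "Trojan.Gen"),
    RiskEvent(_t("09:02:50"), "ws-06", "Sales", "Trojan.Gen"),
    RiskEvent(_t("09:02:55"), "ws-07", "Engineering", "Trojan.Gen"),
    RiskEvent(_t("09:10:00"), "ws-01", "Sales", "Trojan.Gen"),
]


def starting_threshold(fleet_size: int) -> int:
    """Starting points the page gives: under 100 computers, 2 risk events
    per minute; 100 to 1000 computers, 5. The page gives no figure for
    larger fleets, so this model makes the caller choose one explicitly."""
    if fleet_size < 100:
        return 2
    if fleet_size <= 1000:
        return 5
    raise ValueError("no starting point given for fleets above 1000 computers")


def filter_events(events: Iterable[RiskEvent], *, group: Optional[str] = None,
                  risk: Optional[str] = None,
                  since: Optional[datetime] = None) -> List[RiskEvent]:
    """Analogue of a saved log filter: keep records matching every set criterion."""
    kept = []
    for ev in events:
        if group is not None and ev.group != group:
            continue
        if risk is not None and ev.risk != risk:
            continue
        if since is not None and ev.time < since:
            continue
        kept.append(ev)
    return kept


def find_triggers(events: Iterable[RiskEvent], threshold: int,
                  window: timedelta = timedelta(minutes=1)) -> List[datetime]:
    """Times at which the notification fires: when the number of events in
    the trailing `window` reaches `threshold`. The window is cleared after
    firing so one burst yields one notification (a design choice here)."""
    recent: Deque[RiskEvent] = deque()
    fired: List[datetime] = []
    for ev in sorted(events, key=lambda e: e.time):
        cutoff = ev.time - window
        while recent and recent[0].time <= cutoff:
            recent.popleft()
        recent.append(ev)
        if len(recent) >= threshold:
            fired.append(ev.time)
            recent.clear()
    return fired


if __name__ == "__main__":
    for fleet in (50, 500):
        hits = find_triggers(SAMPLE_EVENTS, starting_threshold(fleet))
        print(f"fleet={fleet}: {len(hits)} notification(s) at {[h.time() for h in hits]}")
    sales_only = filter_events(SAMPLE_EVENTS, group="Sales")
    print(f"Sales group only: {len(find_triggers(sales_only, 2))} notification(s)")
```

Run it directly to print the firing times for both fleet sizes and for a Sales-only filtered view. To tune a threshold the way the page suggests, replay a few days of real risk events through find_triggers and adjust the count and window until the number of notifications is one you would actually act on.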

You manage notifications on the Monitors page. You can use the Home page to determine the number of unacknowledged notifications that need your attention.

CONFIGURING AND VIEWING NOTIFICATIONS

How notifications work

Notifications alert administrators and users about potential security problems.

For example, a notification can alert administrators about an expired license or a virus infection.

Events trigger a notification. A new security risk, a hardware change to a client computer, or a trialware license expiration can trigger a notification.

Once a notification is triggered, the system can take actions. An action might record the notification in a log, run a batch file or an executable file, or send an email.

A batch file or executable that a notification runs executes on the management server, so treat that action as a code-execution path: limit who can create or edit notification conditions, and make sure the script and the directory it lives in are writable only by the administrators who maintain it.

CONFIGURING AND VIEWING NOTIFICATIONS

Establishing communication between the management server and email servers

For the management server to send automatic email notifications, you must configure the connection between the management server and the email server.

Use a mail account dedicated to the management server for this connection rather than a personal administrator mailbox, and confirm that the server can actually deliver mail before you rely on email for alerts.

CONFIGURING AND VIEWING NOTIFICATIONS

Viewing and acknowledging notifications

You can view unacknowledged notifications or all notifications. You can acknowledge an unacknowledged notification. You can view all the notification conditions that are currently configured in the console.

CONFIGURING AND VIEWING NOTIFICATIONS

Saving and deleting administrative notification filters

You can use filters to expand or limit your view of administrative notifications in the console. You can save new filters and you can delete previously saved filters.

CONFIGURING AND VIEWING NOTIFICATIONS

Setting up administrator notifications

You can configure notifications to alert you and other administrators when particular kinds of events occur. You can also add the conditions that trigger notifications to remind you to perform important tasks. For example, you can add a notification condition to inform you when a license has expired, or when a security risk has been detected.

When triggered, a notification can perform specific actions, such as the following:

■ Log the notification to the database.
■ Send an email to one or more individuals.
■ Run a batch file.

CONFIGURING AND VIEWING NOTIFICATIONS

Setting up administrator notifications

You choose the notification condition from a list of available notification types. Once you choose the notification type, you then configure it as follows:

■ Specify filters. Not all notification types provide filters. When they do, you can use the filters to limit the conditions that trigger the notification. For example, you can restrict a notification to trigger only when computers in a specific group are affected.

■ Specify settings. All notification types provide settings, but the specific settings vary from type to type. For example, a risk notification may allow you to specify what type of scan triggers the notification.

■ Specify actions. All notification types provide actions you can specify.

CREATING AND REVIEWING REPORTS

Configuring reporting preferences

You can configure the following reporting preferences:

■ The Home and Monitors pages display options
■ The Security Status thresholds
■ The display options that are used for the logs and the reports, as well as legacy log file uploading

CREATING AND REVIEWING REPORTS

The following categories of reports are available:

■ Quick reports, which you run on demand.
■ Scheduled reports, which run automatically based on a schedule that you configure.

Reports include the event data that is collected from your management servers as well as from the client computers that communicate with those servers.

You can customize reports to provide the information that you want to see.

The quick reports are predefined, but you can customize them and save the filters that you used to create the customized reports. You can use the custom filters to create custom scheduled reports.

When you schedule a report to run, you can configure it to be emailed to one or more recipients.

CREATING AND REVIEWING REPORTS

A scheduled report is enabled to run by default. You can change the settings for any scheduled report that has not yet run.

You can also delete a single scheduled report or all of the scheduled reports.

You can also print and save reports.

CREATING AND REVIEWING REPORTS

Running and customizing quick reports

Quick reports are predefined, customizable reports. These reports include event data collected from your management servers as well as the client computers that communicate with those servers.

Quick reports provide information on events specific to the settings you configure for the report.

You can save the report settings so that you can run the same report at a later date, and you can print and save reports.

CREATING AND REVIEWING REPORTS

Saving and deleting custom reports

You can save custom report settings in a filter so that you can generate the report again at a later date. When you save your settings, they are stored in the database.

The name that you give to the filter appears in the Use a saved filter list box for that type of logs and reports.

CREATING AND REVIEWING REPORTS

Creating scheduled reports

Scheduled reports are the reports that run automatically based on the schedule that you configure.

Scheduled reports are emailed to recipients, so you must include the email address of at least one recipient.

After a report runs, the report is emailed to the recipients that you configure as an .mht file attachment.

The data that appears in the scheduled reports is updated in the database every hour.

At the time that the management server emails a scheduled report, the data in the report is current to within one hour.

CREATING AND REVIEWING REPORTS

Editing the filter used for a scheduled report

You can change the settings for any report that you have already scheduled.

The next time the report runs it uses the new filter settings.

You can also create additional scheduled reports, which you can base on a previously saved report filter.

CREATING AND REVIEWING REPORTS

Printing and saving a copy of a report

You can print a report or save a copy of a Quick Report. You cannot print scheduled reports. A saved file or printed report provides a snapshot of the current data in your reporting database so that you can retain a historical record.

INTRODUCING IT ANALYTICS

The IT Analytics Symantec Endpoint Protection Pack is an advanced reporting solution that uses business intelligence capabilities and graphical reporting to provide a unified and comprehensive view of the clients, alerts, and scan activity.