...
Table 40.3 lists the reports provided by the reporting server, grouped by report category, together with each report's source type, data source type (file-based or script-based), and the frequency at which its queued data is updated:
| Report Category | Reports | Source Type | Data Source (file-based or script-based) | Update Frequency |
|---|---|---|---|---|
| Device | Inactive IP Addresses | ib:reserved2 | file-based (syslog) | Rotates at 120 MB; retains one older copy; queued data is between 120 MB and 240 MB |
| Device | Port Capacity Utilization by Device, Port Capacity Trend, Port Capacity Delta by Device | ib:reserved2 | file-based (csv) | Overwritten every 6 hours |
| Device | End Host History | ib:discovery:end_host_activity | file-based (csv) | Overwritten every 24 hours |
| DHCP Performance | DHCP Message Rate Trend | ib:dhcp:message | file-based (csv) | Overwritten every 1 minute |
| DHCP Performance | DHCPv4 Usage Trend, DHCPv4 Range Utilization Trend | ib:dhcp:range | file-based (csv) | Overwritten every 1 hour |
| DHCP Lease History | DHCP Lease History, DHCP Top Lease Clients | ib:dhcp:lease_history | file-based (syslog) | Rotates at 120 MB; retains one older copy; queued data is between 120 MB and 240 MB |
| DHCP Lease History | Top Devices Identified, Device Trend, Device Class Trend, Top Device Classes | ib:dhcp:lease_history | file-based (syslog) | Based on a summary search report, which is updated at the 16th and 46th minutes of each hour |
| DHCP Lease History | Top Devices Denied an IP Address | ib:dhcp:lease_history | file-based (syslog) | Based on a summary search report, which is updated at the 19th and 49th minutes of each hour |
| DHCP Lease History | Device Fingerprint Change Detected | ib:dhcp:lease_history | file-based (syslog) | Executed every 24 hours |
| DNS Performance | DNS Response Latency Trend | ib:dns:perf | script-based | Executed every 1 minute |
| DNS Record Scavenging | DNS Scavenged Object Count Trend | ib:dns:reclamation | file-based (csv) | Updated whenever reclamation tasks are executed |
| DNS Query Capture | DNS Domain Query Trend, DNS Domains Queried by Client, Top DNS Clients by Query Type, Top DNS Clients Querying MX Records | ib:dns:capture | file-based (csv) | Updated whenever the Data Collection VM collects capture query data from a Grid member |
| DDNS | DDNS Update Rate Trend | ib:ddns | file-based (syslog) | Rotates at 120 MB; retains one older copy; queued data is between 120 MB and 240 MB |
| DNS Traffic Control | DNS Traffic Control Resource Availability Trend | ib:dns:reserved | file-based (csv) | Based on a summary search report, which is updated once every six hours at the 47th minute of the hour. With each execution, it summarizes raw events indexed from 370 minutes ago to 10 minutes ago. |
| DNS Traffic Control | DNS Traffic Control Resource Availability Status | ib:dns:reserved | file-based (csv) | Based on a summary search report, which is updated once every six hours at the 47th minute of the hour. With each execution, it summarizes raw events indexed from 370 minutes ago to 10 minutes ago. |
| DNS Traffic Control | DNS Traffic Control Resource Pool Availability Trend | ib:dns:reserved | file-based (csv) | Based on a summary search report, which is updated once every six hours at the 23rd minute of the hour. With each execution, it summarizes raw events indexed from 370 minutes ago to 10 minutes ago. |
| DNS Traffic Control | DNS Traffic Control Resource Pool Availability Status | ib:dns:reserved | file-based (csv) | Based on a summary search report, which is updated once every six hours at the 23rd minute of the hour. With each execution, it summarizes raw events indexed from 370 minutes ago to 10 minutes ago. |
| DNS Traffic Control | DNS Traffic Control Response Distribution Trend | ib:dns:reserved | file-based (csv) | Based on a summary search report, which is updated once every six hours at the 37th minute of the hour. With each execution, it summarizes raw events indexed from 370 minutes ago to 10 minutes ago. |
| DDI Utilization | DHCPv4 Usage Statistics, DHCPv4 Top Utilized Networks | ib:dhcp:network | file-based (csv) | Overwritten every 1 hour |
| DDI Utilization | IPAM Network Usage, IPAM Top Networks | ib:ipam:network | file-based (csv) | Overwritten every 1 hour |
| DDI Utilization | DNS Zone Statistics Per DNS View | ib:dns:view | file-based (csv) | Overwritten every 24 hours |
| DDI Utilization | DNS Statistics per Zone | ib:dns:zone | file-based (csv) | Overwritten every 24 hours |
| System Utilization | CPU Utilization Trend, Memory Utilization Trend, Traffic Rate by Member | ib:system | script-based | Executed every 1 minute |
| System Utilization | License Pool Utilization | ib:system | file-based (csv) | Overwritten every 24 hours |
| System Capacity | System Capacity Prediction | ib:system_capacity:objects | | Updated whenever a relevant event occurs |
| DNS Query | DNS Replies Trend | ib:dns:stats | script-based | Executed every 1 minute |
| DNS Query | DNS Cache Hit Rate Trend | ib:dns:query:cache_hit_rate | script-based | Executed every 1 minute |
| DNS Query | DNS Query Rate by Query Type | ib:dns:query:qps | script-based | Executed every 1 minute |
| DNS Query | DNS Query Rate by Member, DNS Daily Query Rate by Member, DNS Daily Peak Hour Query Rate by Member | ib:dns:query:by_member | script-based | Executed every 1 minute |
| DNS Query | DNS Top Clients | ib:dns:query:top_clients | script-based | Executed every 10 minutes |
| DNS Query | DNS Top Requested Domain Names | ib:dns:query:top_requested_domain_names | script-based | Executed every 10 minutes |
| DNS Query | DNS Top Clients Per Domain, DNS Top NXDOMAIN / NOERROR (no data), DNS Top SERVFAIL Errors Received, DNS Top SERVFAIL Errors Sent, DNS Top Timed-Out Recursive Queries | ib:dns:reserved | script-based | Executed every 10 minutes |
| DNS Query | DNS Query Trend per IP Block Group | ib:dns:reserved | script-based | Executed every 5 minutes |
| Security | DNS Top RPZ Hits | ib:dns:reserved | script-based | Executed every 10 minutes |
| Security | DNS Top RPZ Hits by Clients | ib:dns:reserved | script-based | Executed every 10 minutes |
| Security | Top DNS Firewall Hits | ib:dns:reserved | script-based | Executed every 10 minutes |
| Security | Malicious Activity by Client | ib:dns:reserved | script-based | Executed every 10 minutes |
| Security | DNS Firewall Executive Threat | ib:dns:reserved | script-based | Executed every 10 minutes |
| Security | FireEye Alerts | ib:syslog | script-based | Updated immediately when alerts are logged in the syslog |
| Security | Threat Protection Event Count By Severity Trend, Threat Protection Event Count By Member Trend, Threat Protection Event Count By Rule, Threat Protection Event Count By Time, Threat Protection Event Count By Category, Threat Protection Event Count By Member | ib:reserved1 | file-based (csv) | Overwritten every 5 minutes |
| Security | DNS Top Tunneling Activity, DNS Tunneling Traffic by Category, Top Malware and DNS Tunneling Events by Client | ib:reserved1 | file-based (csv) | Overwritten every 5 minutes |
| Network User | User Login History | ib:reserved1 | file-based (csv) | |
| Ecosystem Subscription | Subscription Data | ib:reserved1 | file-based (csv) | Updated whenever an event is received from a vendor to which NIOS subscribes |
| Ecosystem Publication | Publish Data | ib:reserved1 | file-based (csv) | Updated whenever a relevant RPZ, IPAM, or DHCP lease event occurs |
| Cloud | VM Address History | ib:reserved2 | file-based (csv) | Updated immediately when there is a change related to the VM IP address. Rotates at 300 MB and retains one older copy. |
| Audit Log | Audit Log Events | ib:audit | file-based (audit log) | Updated immediately when the audit log is updated |
| Syslog | Syslog Events | ib:syslog | file-based (syslog) | Updated immediately when alerts are logged in the syslog |
...
1. From the Administration tab -> Reporting tab, click Grid Reporting Properties from the Toolbar.
2. In the Grid Reporting Properties editor, select the Reporting Clustering tab and complete the following:
- Single Indexer: Select this to configure only one reporting server. This is the default reporting cluster mode.
- Single-Site Cluster: Select this if you want to configure two or more reporting servers in the same site (location). The data is replicated on multiple reporting servers. You can upgrade this configuration to the multi-site clustering mode, but you cannot revert it to the single indexer mode.
- Multi-Site Cluster: Select this if you want to configure multiple reporting servers at different sites (locations). You must assign the ReportingSite extensible attribute to all the reporting members that you have configured in the same site within the cluster. You can configure the same ReportingSite extensible attribute value on multiple reporting members; the reporting members that are configured with the same ReportingSite extensible attribute value are tagged to the same site. Click the Add icon and select the ReportingSite extensible attribute that you have configured on the reporting member. The first site that you add is considered to be the primary site, which functions as the search head. You can change the order of the sites by clicking the up and down arrows.
For more information about the reporting cluster type, see Reporting Cluster Modes.
...
Note: Your multi-site configuration is invalid if you do not add the correct ReportingSite extensible attribute values to the reporting members. You can validate your configuration as described in Validating Reporting Clustering Configuration.
...
3. Click Save & Close.
...
After you have configured the reporting cluster mode, verify that the configuration is valid. Whenever you change the reporting configuration through Grid Manager or replace hardware, validate the configuration again.
When you verify a multi-site cluster configuration, NIOS validates the following:
- The extensible attribute ReportingSite is specified for all reporting members.
- The set of ReportingSite values configured in the Grid Reporting Properties editor is equal to the set of ReportingSite extensible attribute values defined on the reporting members.
- For each ReportingSite extensible attribute value, the number of reporting peers in that site is greater than or equal to the replication factor for that site.
- For each ReportingSite extensible attribute value, the search factor for that site is less than or equal to the replication factor for that site.
To verify the reporting cluster-mode configuration:
1. From the Grid tab -> Grid Manager tab, click the Reporting service.
2. In the vertical Toolbar, click Verify Cluster Configuration.
The Verify Reporting Cluster Configuration dialog box displays an error message if the configuration is invalid. Make sure that you associate the ReportingSite extensible attribute with all the reporting members that you have configured.
3. Click OK to close the dialog box.
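The four validation rules above are easy to get wrong when sites are added one at a time through the GUI, so it helps to pre-check a planned layout before clicking Verify Cluster Configuration. The following script is an added example, not Infoblox code and not a NIOS or WAPI call: it applies the same four rules to a constructed, in-memory description of the reporting members and the Reporting Clustering tab. Member names, site names, and the assumption that replication factor and search factor are set per site are all hypothetical; substitute the values from your own Grid.

```python
"""Offline pre-check of a NIOS multi-site reporting cluster layout.

Added example, not Infoblox code. It mirrors the four checks NIOS runs
when you click Verify Cluster Configuration, but against a constructed
in-memory model of the Grid instead of the live system. Member and site
names are hypothetical; the per-site replication/search factors are an
assumption about where those values live.
"""
from collections import Counter

# Constructed sample: reporting members and the value of their
# ReportingSite extensible attribute (None = EA not set). Hypothetical names.
MEMBERS = [
    {"name": "rpt-east-1", "reporting_site": "east"},
    {"name": "rpt-east-2", "reporting_site": "east"},
    {"name": "rpt-west-1", "reporting_site": "west"},
    {"name": "rpt-west-2", "reporting_site": "west"},
]

# Constructed sample of the Reporting Clustering tab: the ordered site
# list (first entry = primary site, which acts as the search head) with
# an assumed replication factor and search factor per site.
SITES = [
    {"site": "east", "replication_factor": 2, "search_factor": 2},
    {"site": "west", "replication_factor": 2, "search_factor": 1},
]


def verify_multi_site_cluster(members, sites):
    """Return a list of error strings; an empty list means the layout passes all four rules."""
    errors = []

    # Rule 1: every reporting member must carry a ReportingSite EA.
    for m in members:
        if not m.get("reporting_site"):
            errors.append(f"member {m['name']} has no ReportingSite extensible attribute")

    # Rule 2: the site set in Grid Reporting Properties must equal the set
    # of ReportingSite values actually tagged on the members.
    configured = {s["site"] for s in sites}
    tagged = {m["reporting_site"] for m in members if m.get("reporting_site")}
    for site in sorted(configured - tagged):
        errors.append(f"site {site} is listed in Grid Reporting Properties but no member is tagged with it")
    for site in sorted(tagged - configured):
        errors.append(f"members are tagged with ReportingSite {site} but it is not listed in Grid Reporting Properties")

    # Rules 3 and 4, per site: peers >= replication factor, and
    # search factor <= replication factor.
    peers_per_site = Counter(m["reporting_site"] for m in members if m.get("reporting_site"))
    for s in sites:
        rf, sf = s["replication_factor"], s["search_factor"]
        peers = peers_per_site.get(s["site"], 0)
        if peers < rf:
            errors.append(f"site {s['site']}: {peers} reporting peer(s) but replication factor is {rf}")
        if sf > rf:
            errors.append(f"site {s['site']}: search factor {sf} exceeds replication factor {rf}")
    return errors


def primary_site(sites):
    """The first site in the ordered list is the primary site (search head)."""
    return sites[0]["site"] if sites else None


if __name__ == "__main__":
    problems = verify_multi_site_cluster(MEMBERS, SITES)
    print("primary site (search head):", primary_site(SITES))
    print("configuration valid" if not problems else "\n".join(problems))
```

Run it against a layout you are about to build; any non-empty result corresponds to a rule the Verify Reporting Cluster Configuration dialog would reject, and the rule-1 and rule-2 messages point at exactly which member or site is missing its ReportingSite tag.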
...