Analyzer 8.3 Admin Guide

Console

Configuring Log Settings

This chapter describes how to configure Log Settings. This includes adjusting settings on deleting log messages after a certain period of time, and setting criteria for viewing logs.

This chapter includes the following sections:

Configuring Log Settings

In the Console > Log > Configuration screen, you can delete or archive Analyzer log messages. The Archive process archives the data to the “archivedLogs” directory as per the Archive Log Schedule, before the data is deleted from the database.

NOTE: For UMH deployments, to offload the archived log files to a local drive, log in to the /appliance management interface, then navigate to the System > File Manager page.

To configure Log settings, select between the following options:

Delete Logs Older Than — Select the month, day, and year, and then click Update.
Enable Archive — Select this check box to enable Analyzer log message archiving.
Archive Analyzer log messages for — Select the number of months to archive log messages.
Maximum Log Message Files — Select the maximum number of monthly archive files kept in the archivedLogs folder.
Delete Data Every — Select a recurring day and time to delete data.
Archive Format — Select the format in which to archive the Analyzer log messages. Choose between CSV or HTML.
Update — Click Update after your settings are selected.

NOTE: The archive process first archives the data to the archivedLogs directory as per “Archive Log Schedule” and then the data is deleted from the database.

Configuring Log View Search Criteria

SonicWall Analyzer log keeps track of changes made within the Analyzer management interface, logins, failed logins, logouts, password changes, scheduled tasks, failed tasks, completed tasks, raw syslog database size, syslog message uploads, and time spent summarizing syslog data.

To view the SonicWall Analyzer log, complete the following steps:

1. Click the Console tab, expand the Log tree, and click View Log. The View Log page displays.

2. Each log entry contains the following fields:
   # — specifies the number of the log entry.
   Date — specifies the date of the log entry.
   Message — contains a description of the event.
   Severity — displays the severity of the event (Alert, Warning, or FYI).
   SonicWall — specifies the name of the SonicWall appliance that generated the event (if applicable).
   User@IP — specifies the user name and IP address.

3. To narrow the search, configure some of the following criteria:
   TIP: You can press Enter to navigate from one form element to the next in this section.
   Select Time of logs — displays all log entries for a specified range of dates.
   SonicWall Node — displays all log entries associated with the specified SonicWall appliance.
   Analyzer User — displays all log entries with the specified user.
   Message contains — displays all log entries that contain the specified text. This input field provides an auto-suggest functionality that uses existing log message text to predict what you want to type. It fills in the field with the suggested text and you can either press Tab to accept it or keep typing. Different suggestions appear as you continue to type if log messages match your input.
   Severity — displays log entries with the matching severity level:
      All (Alert, Warning, and FYI), where FYI means “For Your Information”
      Alert and Warning
      Alert
   Select the Match case check box to make the SonicWall Node, User, and Message contains search fields case sensitive.
   Select one of Exact Phrase, All Words, or Any Word:
      Exact Phrase matches a log entry that contains exactly what you typed in the Message contains field.
      All Words matches a log entry that contains all the words you typed in the Message contains field, but the words can be non-consecutive or in any order.
      Any Word matches a log entry that contains any of the words you typed in the Message contains field.

4. To view the results of your search criteria, click Start Search. To clear all values from the input fields and start over, click Clear Search. To save the results as an HTML file on your system, click Export Logs and follow the on-screen instructions.

5. To configure how many messages are shown per screen, enter a new value between 10 and 100 in the Show Messages Per Screen field (default: 10). Click Next to display the next page, or click Previous to display the preceding page.

6. To jump to a specific message, enter the message number in the Go to Message Number field.

Configuring Console Management Settings

This chapter describes the settings available on the Console panel in the Management section. The following sections are found in this chapter:

Configuring Management Settings

On the Console > Management > Settings page, you can configure email settings, set the system debug level, synchronize model codes information, and configure password security settings.

This section describes the following Settings topics:

GMS Settings

The GMS Settings allow you to show or hide the SMA tab. This section is only visible to administrators @LocalDomain, such as Super Admins.

Configuring Email Settings

An SMTP server and an email address are required for sending Analyzer reports.

If the Mail Server settings are not configured correctly, you cannot receive important email notifications, such as:

System alerts for your SonicWall Analyzer deployment performance
Availability of product updates, hot fixes, or patches
Scheduled Reports
To configure these email settings, complete the following steps:

1. Click the Console tab.

2. Expand the Management tree and click Settings. The Settings page displays.

3. Enable or disable management of any SMA appliances (Firewall is enabled by default). The deployed servers must be restarted after any changes are made in order for them to take effect.

4. Type the IP address of the Simple Mail Transfer Protocol (SMTP) server into the SMTP Server field. This server can be the same one that is normally used for email in your network. Type the SMTP Port number to use for email service.

5. Click Use TLS if you would like to use Transport Layer Security (TLS) for your mail server connectivity, such as for Gmail or Office365. TLS encrypts the connection between Analyzer and the mail server, so that no third party can eavesdrop on or tamper with your messages in transit.

6. If the SMTP server in your deployment is set to use authentication, click Use Authentication. This option is necessary for all outgoing GMS emails to be delivered to the intended recipients. Enter the username in the User field, and enter and confirm the password in the Password and Confirm Password fields. This is the username and password used to authenticate against the SMTP server.

7. Enter the email account name and domain that appear in messages sent from SonicWall Analyzer into the Sender e-Mail Address field.

8. Enter the email account name and domain that appear in messages sent from SonicWall Analyzer into the Administrator e-Mail Address field. You can use User Authentication for this user by checking the box.

9. When finished on the Settings page, click Update. To clear the screen settings and start over, click Reset.

Configuring System Debug Level

SonicWall Analyzer provides the System Debug level option to control the debug messages sent to the log file.

To configure this setting, complete the following steps:

1. Select a debug level from the System Debug level drop-down list. The range is 0-3, where a level of 0 provides no debug log messages and a level of 3 provides the maximum number of debug messages.

2. When finished on the Settings page, click Update. To clear the screen settings and start over, click Reset.

Enforcing Password Security

SonicWall Analyzer supports enforced password rotation for enhanced security compliance.

To enable and configure enforced password rotation, complete the following steps:

1. Select the Enforce Password Security check box.

2. In the Number of days to force password change field, enter a value. The default is 90. SonicWall Analyzer prompts the administrator to change the admin account password after the specified number of days.

3. When finished on the Settings page, click Update. To clear the screen settings and start over, click Reset.

Show Legacy Reports

After the upgrade to Analyzer 8.0, new reports can only be generated using the new Analyzer reporting infrastructure. Old ViewPoint reports can be viewed in a Legacy Reports session (it is not possible to view both 8.0 and pre-8.0 reports in the same session). Reports generated by pre-8.0 releases of SonicWall Analyzer are still available for viewing. Analyzer 8.0 Reporting is not compatible with earlier versions, but reports generated by earlier versions are still accessible under the Analyzer reporting infrastructure.

To view legacy reports, complete the following steps:

1. Select Show Legacy Reports.

2. Log out of SonicWall Analyzer.

3. Log back in to SonicWall Analyzer using administrator credentials.

Synchronizing Model Codes

The Sync Model Codes feature accommodates new SonicWall product introductions without requiring an Analyzer update. When SonicWall updates the corporate server (MySonicWall) with a new product code, it then becomes available to Analyzer. The task is scheduled to run every 24 hours and can also be run manually.

To synchronize model codes immediately, complete the following step:

1. On the Console > Management > Settings page, click Sync Model Codes information now. A short time later the page is updated to display the synchronization status at the top.

Configuring Management Alert Settings

The Alert Settings page specifies which email addresses receive email alerts and notifications during specific times.

To configure the alert notification settings, complete the following steps:

1. Click the Console tab, expand the Management tree and click Alert Settings. The Alert Settings page displays.

2. Configure the email address(es) that receive notifications and the times that they receive them:
   Schedule 1 — Specifies who receives notifications during the first weekday schedule. Enter one or more email addresses (separated by commas) and specify the start and end time for the shift.
   Schedule 2 — Specifies who receives notifications during the second weekday schedule. Enter one or more email addresses (separated by commas) and specify the start and end time for the shift.
   Schedule 3 — Specifies who receives notifications during the third weekday schedule. Enter one or more email addresses (separated by commas) and specify the start and end time for the shift.
   Saturday — Specifies who receives notifications on Saturday. Enter one or more email addresses (separated by commas) and specify the start and end time for the shift.
   Sunday — Specifies who receives notifications on Sunday. Enter one or more email addresses (separated by commas) and specify the start and end time for the shift.

3. Select whether the email alert is to be sent as HTML, Plain Text, or Plain Text (Pager). The Pager setting sends a very short email to ensure that the email is not cut off by the character limits of some pagers.

4. When you are finished, click Update. The settings are saved.

Configuring Management Sessions

The Sessions page of the Management section of the Console allows you to view session statistics for currently logged in users and to end selected sessions.

Managing Sessions

On occasion, it might be necessary to log off other user sessions.

To do this, complete the following steps:

1. Click the Console tab, expand the Management tree and click Sessions. The Sessions page displays.

2. When more than one session is active, a check box is displayed next to each row. Select the check box of each user to log off and click End selected sessions. The selected users are logged off.

Configuring Management Schedules

The Schedules page of the Management section of the Console allows you to view schedule group statistics for currently logged in users. The Group Schedules table displays all your predefined and custom schedules. In the Group Schedules table, there are four default group schedules from which to choose: Daily 24x7, Weekdays 24x7, 8x5 Work Hours, and Weekend Hours.

A group schedule can include multiple day and time increments for rule enforcement with a single schedule. If a schedule includes multiple day and time entries, a right-arrow button appears next to the schedule name. Clicking the Expand icon expands the schedule to display all the day and time entries for the schedule.

You can modify these group schedules by clicking the Edit icons in the Configure column to display the Edit Schedule Group window.

Adding Schedule Groups

To create a schedule group, complete the following steps:

1. On the Console > Management > Schedules page, click Add Schedule Group. The Add Schedule Group page is displayed.

2. Enter a descriptive name for the group schedule in the Name field.

3. Enter a group schedule description in the Description field.

4. Click Visible to Non-Administrators if you would like to make the schedule viewable by the public.

5. Click once on each desired Schedule time description, then use the arrow keys to move it into the right-hand field. These are the parameters used in your schedule group range.

6. Click Update to group the entries into one named schedule.

Deleting Schedule Groups

To delete a schedule group, complete the following steps:

1. Select the check box next to the name of the group you would like to delete.

   All subordinate check boxes are selected when you click the Schedule Name. Expand the group arrow if you would like to delete individual entries from the group.

2. Click Delete Schedule Group(s)/Remove Schedule(s) from Group.

3. Confirm the deletion by clicking OK on the window that appears.

Managing Schedules

The Schedules table displays all your predefined and custom schedules. In the Schedules table, there are several default schedules you can use or modify.

You can modify these schedules by clicking the Edit icons in the Configure column to display the Edit Schedule window.

Adding Schedules

To create a schedule, complete the following steps:

1. On the Console > Management > Schedules page, click Add Schedule. The Add Schedule page is displayed.

2. Enter a descriptive name for the schedule in the Name field.

3. Enter a schedule description in the Description field.

4. Click Visible to Non-Administrators if you would like to make the schedule viewable by the public.

5. Click Disable to take the schedule offline while keeping it available for later activation.

6. Click Invert to

7. Select one of the following radio buttons for Schedule:
   One-time occurrence – For a one-time schedule at the configured Date and Time.
   Recurrence – For schedules that occur repeatedly during the same configured hours and days of the week, with no start or end date. When selected, the fields under Recurring become active, and the fields under Once become inactive.

8. For a One-time Occurrence, configure the starting date and time by entering the Month, Day, and Year (mm/dd/yyyy) and the Hour and Minute in the fields. The time is represented in 24-hour format.

9. Under Recurrence, select the check boxes for the days of the week to apply to the schedule, or select All.

10. Under Recurrence, type the time of day for the schedule to begin in the Start Time field. The time must be in 24-hour format, for example, 17:00 for 5 p.m.

11. Under Recurrence, type the time of day for the schedule to stop in the End Time field. The time must be in 24-hour format, for example, 17:00 for 5 p.m.

12. Click Add.

13. Click Update to add the schedule to the Schedule List.

Deleting Schedules

You can delete custom schedules, but you cannot delete the default Work Hours, After Hours, or Weekend Hours schedules.

To delete individual schedule objects that you created, perform the following step:

1. To delete existing days and times from the Schedule List, select the row and click Delete Schedule(s). Or, to delete all existing schedules, select the check box next to Name and then click Delete Schedule(s).

Managing Reports in the Console Panel

This chapter describes how to configure reporting settings on the Console panel. These include how often the summary information is updated, the number of days that summary information is stored, and the number of days that raw data is stored.

The following sections are included in this chapter:

Summarizer

This section contains the following subsections:

About Summary Data in Reports

These reports are constructed from the most current available summary data. In order to create summary data, the Analyzer Reporting Module must parse the raw data files.

When configuring Analyzer Reporting using the screens on the Console panel under Reports, you can select the amount of summary information to store. These settings affect the database size; be sure there is adequate disk space to accommodate the settings you choose.

Additionally, you can select the number of days that raw syslog data is stored. The raw data is made up of information for every connection. Depending on the amount of traffic, this can quickly consume an enormous amount of space in the database. Analyzer creates a new two GB database for raw syslog data every day. Be very careful when selecting how much raw information to store.

Configuring the Data Deletion Schedule Settings

Syslog files sent from SonicWall appliances are stored on the system, and are consolidated into the syslog database. The Summarizer processes the syslog data and stores the processed data in the summary database. After the configured period of syslog storage, the syslog data can be periodically deleted from the system. This is necessary, as the syslog files and database can consume a lot of space on the file system.

This section of the Summarizer page also provides a way to delete summarized data for a certain date. For example, if summarized data is kept for a long time, such as 90 days, then you could use this option to remove some summarized data from a particular date within the 90 day period if the stored data was becoming too large.

TIP: Run your database maintenance jobs soon after the completion of the scheduled tasks configured on this page for summarizing data and deleting old syslog data.

Analyzer requires large amounts of disk space for raw data storage. In previous versions, the maximum raw syslog database size was 2 GB. Analyzer now provides enhanced database capacity by creating a new 2 GB database every day. Each file name includes the date it was created for easy reference. Raw syslog data is used to create Custom Reports for Firewall and SMA appliances.

To configure the syslog and summarized data deletion settings, complete the following steps:

1. On the Console panel, navigate to Reports > Summarizer.

2. Under Data Deletion Schedule, select the day and time for deletion in the hour and minute widget. Syslog data is deleted at this time only after being stored for the number of days configured. You specify how long to keep the data in Data Storage Configuration. This field allows you to specify the address of the Summarizer, how long to keep reporting data (in months), and how long to keep the raw syslog data (in months).

3. Click Update to the right of this field.

Configuring Data Storage

To set the amount of time that reporting data and raw syslog data is stored, complete the following steps:

1. Click the Summarizer at: drop-down menu, then select the desired summarizer IP address.

2. Click the Keep Reporting Data for drop-down menu, then select the number of months to archive the data. Reporting data can be archived for a minimum of one month and a maximum of 36 months.

3. Click the Keep Raw Syslog Data Files for drop-down menu, then select the number of months to archive the data files. To disable the archiving of raw syslog data files, set the value to zero. The maximum amount of time to store raw syslog data files is 36 months.

TIP: If you would like to store data for longer than 36 months, you can create scheduled scripting to move data that has been processed and stored in “//syslog/ArchivedSyslog/*.zip …” to a mapped network shared folder for long-term storage.
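The TIP above leaves the scripting to you. The following POSIX shell script is an added example, not part of the SonicWall guide or product: it takes the source archive directory (the guide's own path is elided, so it is passed as an argument) and a mounted destination share, and it verifies each copy with cksum before removing the original, so a failed transfer never silently loses a month of raw syslog data.

```shell
#!/bin/sh
# Added example: offload processed Analyzer syslog archives to long-term storage.
# The source and destination directories are assumptions supplied as arguments;
# the guide's archive path ("//syslog/ArchivedSyslog/*.zip ...") is not spelled out.
set -u

# Copy one archive into the destination directory, verify the copy's checksum and
# size with the POSIX cksum utility, and only then remove the original.
# Prints the destination path on success. Returns non-zero, leaving the source
# untouched, if the name already exists at the destination or the copy mismatches.
move_verified() {
    src_file="$1"
    dest_dir="$2"
    dest_file="$dest_dir/$(basename "$src_file")"
    # Refuse to overwrite: a duplicate name means this archive was already offloaded.
    [ -e "$dest_file" ] && return 2
    cp -p "$src_file" "$dest_file" || return 1
    # cksum reading from stdin prints "<crc> <bytes>" without a filename,
    # so the two outputs are directly comparable.
    src_sum=$(cksum < "$src_file")
    dest_sum=$(cksum < "$dest_file")
    if [ "$src_sum" != "$dest_sum" ]; then
        rm -f "$dest_file"    # discard the bad copy, keep the original
        return 1
    fi
    rm -f "$src_file"
    printf '%s\n' "$dest_file"
}

# Offload every *.zip in $1 whose modification time is older than $3 days to $2
# (for example a mounted network share). Prints the number of archives moved and
# exits non-zero if any individual move failed, so a scheduler can flag the run.
offload_archives() {
    src_dir="$1"
    dest_dir="$2"
    min_age_days="$3"
    mkdir -p "$dest_dir" || return 1
    moved=0
    failed=0
    for f in "$src_dir"/*.zip; do
        [ -f "$f" ] || continue   # the glob matched nothing
        # Skip archives the Summarizer may still be working with: only files older
        # than the requested number of days (by mtime) are candidates.
        [ -n "$(find "$f" -mtime +"$min_age_days" 2>/dev/null)" ] || continue
        if move_verified "$f" "$dest_dir" >/dev/null; then
            moved=$((moved + 1))
        else
            failed=$((failed + 1))
        fi
    done
    echo "$moved"
    [ "$failed" -eq 0 ]
}
```

Run it from the scheduler as, for example, `offload_archives /path/to/ArchivedSyslog /mnt/longterm 30`; the exit status tells the scheduler whether every archive was moved intact.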

Configuring Hostname Resolution

Hostname Resolution in the Reports > Summarizer page is configured to resolve source IP addresses with missing hostnames while the data is being inserted into the database. This means that the reports show both the initiator IP address and the initiator hostname whenever applicable.

Enable Reverse Hostname Resolution — Reverse hostname resolution is disabled by default. Enable this option for Analyzer to look up missing hostnames.
NOTE: Enabling hostname lookup increases the time taken to process syslogs. All syslogs that need resolution are processed separately, in parallel with normal syslog processing. This might slow down the summarizer and consume more memory and CPU cycles. Memory and CPU use are affected further by changing the default values of Lookup thread count, Scan every, and Refresh Resolved Hostname Cache every. Any changes to the Hostname Resolution Configuration take effect during the next summarizer run.
Refresh Resolved Hostname Cache every — The hostname looked up for an IP address is cached. This value sets how long the hostname is kept in the cache; after that, Analyzer looks up the hostname for that IP address again.
Scan Every — Analyzer dumps syslogs with missing hostnames to a particular folder. This value sets how long it waits between scans of the folder for new files.
Lookup thread count — The number of threads performing lookups in parallel. The larger the number, the faster the processing.
NOTE: Increasing this number also increases the load on the summarizer instance.
Update — Click this button when you are finished configuring the settings.
Enable Public IP Host-name Resolution — Public IP hostname resolution is disabled by default. Enable this option for Analyzer to look up missing public IP hostnames.
Time out value for resolution — Select how long (in milliseconds) to wait before giving up on a hostname lookup that does not resolve.

Configuring the Packet Data Viewer

In Console > Reports > Summarizer, you can enable or disable the Packet Data Viewer for signature alerts by clicking the check box.

Syslog Exclusion Filter

The Syslog Exclusion Filter allows you to select what fields and operators to use for filtering the syslog database. It is picked up by the Summarizer every 15 minutes and applied to the global syslog settings.

The Syslog Exclusion Filters function in a manner similar to applying an exclusion filter to a single Firewall or SMA appliance, but are applied to all Analyzer appliances, or all appliances in a Firewall or SMA group.

To add a filter, complete the following steps:

1. Click Reports > Syslog Filter.

2. Click Add a Filter. The Add Filter menu comes up.

3. Select the syslog field name, and an operator and value, for the field you wish to exclude. Then select the level of Deployment: Appliance, Agent, or full Deployment.

   If you select Appliance, you are prompted for the type of appliance: Firewall or SMA. If you select Agent, you are prompted to select from a list of SGMS agents.

4. Click Update.

You can also click on the pencil in the Configure column to edit an existing filter setting. If no values appear in the Configure column, the filter is a default system filter. These defaults cannot be configured or deleted.

Syslogs are stored in the database without filtering, so the filters in the Syslog Exclusion Filter apply only to values displayed in Reports.

Email/Archive

The Console > Reports > Email/Archive page provides global options for setting the time and interval for emailing/archiving scheduled reports, and global settings for the Web server, logo, and PDF sorting options.

Configuring Email/Archive Settings

To configure Email/Archive and Web server settings, complete the following steps:

1. Click the Console tab, expand the Reports tree and click Email/Archive. The Email/Archive page displays.

2. To set the next archive time, enter the date and time in the Next Scheduled Email/Archive Time fields and click Update.

3. To specify the day to send weekly reports, select the day from the Send Weekly Reports Every list box and click Update.

4. To specify the date to send monthly reports, select the date from the Send Monthly Reports Every list box and click Update.

5. If the Web server address, port, or protocol has changed since SonicWall Analyzer was installed, the new values automatically appear in the Email/Archive Configuration section. These settings can be modified in the System Interface, and cannot be modified here.

6. Under Logo Settings, you can select a logo to be used on reports. By default, the SonicWall logo is used. To select another logo, click Browse next to the Logo File field or type the path and filename into the field, and then click Update.

7. Under Storage Configuration, select how many days to store Universal Scheduled Reports (USR), then click Update.

USR schedules are managed under the Dashboard Tab. For more information on USR scheduling, refer to Using the Universal Scheduled Reports Application.

NOTE: High-traffic systems can generate reports that consume large amounts of memory, disk space and CPU time. Set your Number of Days to Archive and Scheduled Archive Time accordingly.

Managing Legacy Reports

Reports generated by pre-8.0 releases of SonicWall Analyzer are still available for viewing, but require careful management. SonicWall Analyzer 8.0 Reporting is not compatible with earlier versions, but reports generated by earlier versions are still accessible under the current reporting structure.

Because you can view only 8.0 reports or only pre-8.0 reports in a single session, we advise creating a separate login for accessing Legacy reports. With a separate login, you can switch between the two viewing modes by logging in to the appropriate account.

1. Create a new User or Administrator login. An Administrator login (with a name like Admin_Legacy) is recommended, as this login has full privileges. For more information on configuring Legacy reports for a new user, refer to the Console Management section.

2. Go to the Management > Users > Action Permissions tab.

3. Select the Show Legacy Reports check box.
   NOTE: This check box is only available if SonicWall Analyzer 7.0 Reports exist in the system.

4. Log out, then log back in using the new login created in Step 1.

If Legacy Reports are no longer needed, you can delete them.

5. Go to Reports > Summarizer.

6. Under the Data Deletion Schedule, you see a box for Delete 6.0 Reporting Data Immediately. Click Delete to delete the Legacy reports.

NOTE: If you delete pre-8.0 reporting data, the Legacy data check boxes under the Action Permissions and Summarizer tabs are no longer available.

Using Diagnostics

This chapter describes the diagnostic information that SonicWall Analyzer provides and summarizer status information.

This chapter includes the following sections:

Configuring Debug Log Settings

Setting debug levels allows for faster troubleshooting of potential application issues. This action creates debug log files on all the systems in this deployment and could hamper application performance and also fill up disk space. You should reset to “No Debug” for normal operation as soon as the potential issue has been resolved.

NOTE: The debug level should only be set based on guidance from SonicWall Technical Support. The higher the debug level, the more system resources are used to generate debug data, which in turn lowers overall system performance.

To set the debug level when instructed by SonicWall Technical Support, complete the following steps:

1. Click the Console tab, expand the Diagnostics tree and click Debug Log Settings. The Debug Log Settings page displays.

2. Click the System Debug Level drop-down, then select one of the following:
   Level 1 (Codepath)
   Level 2 (Simple)
   Level 3 (Logic)
   Level 4 (Detailed)
   Level 5 (Highly Detailed)

3. Click Update.

Summarizer Status

The Summarizer Status page displays overall summarizer utilization information for the deployment including database and syslog file statistics, and details on the current status of the summarizer.

The Summarizer Status screen provides performance metrics for your network administrator to plan, design, and expand your Analyzer server deployment. This feature has information on the Syslog Collector and Summarizer metrics. The metrics displayed are daily averages collected over the last seven days.

You can receive alert emails when Summarizer Status shows any abnormalities.

To reach the Summarizer Status screen, navigate to the Console panel of Analyzer and then to Diagnostics > Summarizer Status.

The Summarizer Status page is divided into a section showing the overall deployment-wide summarizer status and sections with details for each summarizer. See the following sections:

Summarizer Status Over 7 Days

The Summarizer Status Over 7 Days section displays overall summarizer utilization information for the deployment including database and syslog file statistics. Results are calculated over the last 7 days.

Summarizer Utilization

The top Summarizer Utilization section shows the average utilization of the summarizer over the applicable time period. The Dial Charts show the percent of total capacity used by the Summarizer. The following metrics are also displayed in the Summarizer Utilization section:

Summarizer: Displays the IP address of the Summarizer.
Estimated Capacity (million syslog/day): The estimated capacity of the system. This is calculated by taking the (average load per day) and dividing it by the (time spent), assuming that the Summarizer was to constantly summarize 24 hours (as in the case of a dedicated Summarizer).
Average Load (million syslog/day): The number of incoming syslogs per day.
Reporting Database Size: Displays the size of the reporting database in gigabytes.
Raw Data Directory Size: Displays the size of the raw syslog directory in gigabytes.
Estimated Cache Size: Displays the estimated size of the cache in gigabytes.
Backup Directory Size: Displays the size of the backup directory in gigabytes.
Status: Displays the status of the Summarizer. There are three different status notifications:
OK: The system is operating normally.
High Capacity: The average load is greater than 90 percent of capacity.
Low Disk Space: There is less than 5 GB of space left on the disk.
Deployment Status

The Deployment Status tells you how the deployment should be sized if it is not performing well. You might need to reassign some units to a different agent, add another agent, or add more disk space.

Details for Summarizer at <IP Address>

This section details the Summarizer Utilization for the applicable IP address.

Summarizer Utilization

The Summarizer Utilization section for a specific summarizer shows the deployment-level information and also provides granular details of that summarizer’s operation and current status.

Average Summarizer Utilization: The average percentage of Summarizer utilization.
Peak Summarizer Utilization: The percentage of peak Summarizer utilization.
Estimated Capacity (million syslog/day): The estimated capacity of the system. This is calculated by taking the (average load per day) and dividing it by the (time spent), assuming that the Summarizer was to constantly summarize 24 hours (as in the case of a dedicated Summarizer).
Average Load (million syslog/day): The number of incoming syslogs per day.
Average Run Time Per Day: The total amount of time spent generating summarization statistical data and results over the time period of one day.
Average Syslog Summarized (million/day): The total number of syslogs summarized, displayed in millions per day.
Average Syslog Summarized Per Minute: The average number of syslogs summarized per minute over the applicable time period.
* 
NOTE: Not all syslogs are summarized. Some syslogs are discarded based on criteria defined at the Console > Reports > Syslog Filter and Unit > Reports > Configuration > Syslog Filter pages.
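The capacity and status rules described above (Estimated Capacity, Average Load, Average Run Time Per Day, and the OK / High Capacity / Low Disk Space notifications) can be worked through numerically. The following is an added example written for this page, not code from Analyzer; the sample figures are constructed, and the free-disk value is an assumed input because the page does not say where the Summarizer Status page reads it from.

```python
from dataclasses import dataclass

MINUTES_PER_DAY = 24 * 60
HIGH_CAPACITY_FRACTION = 0.90   # page: High Capacity when load exceeds 90% of capacity
LOW_DISK_GB = 5.0               # page: Low Disk Space when less than 5 GB remain


@dataclass(frozen=True)
class SummarizerSample:
    """One day's figures for a Summarizer (constructed sample values, not real data)."""
    avg_load_msyslog_day: float     # Average Load (million syslog/day)
    avg_run_minutes_day: float      # Average Run Time Per Day, in minutes
    free_disk_gb: float             # free space on the Summarizer's disk (assumed input)


def estimated_capacity(sample: SummarizerSample) -> float:
    """Million syslog/day the Summarizer could handle if it ran the full 24 hours.

    Capacity is the average load divided by the fraction of the day spent
    summarizing: a Summarizer that needs 6 of 24 hours for today's load could
    absorb four times that load.
    """
    if sample.avg_run_minutes_day <= 0:
        raise ValueError("run time must be positive to estimate capacity")
    return sample.avg_load_msyslog_day * MINUTES_PER_DAY / sample.avg_run_minutes_day


def utilization(sample: SummarizerSample) -> float:
    """Fraction of the day spent summarizing (0.0 to 1.0)."""
    return min(sample.avg_run_minutes_day / MINUTES_PER_DAY, 1.0)


def load_fraction(sample: SummarizerSample) -> float:
    """Average load as a fraction of estimated capacity."""
    return sample.avg_load_msyslog_day / estimated_capacity(sample)


def status(sample: SummarizerSample) -> list[str]:
    """Status notifications per the page's three definitions.

    Assumption: both warning conditions can hold at once, so a list is returned;
    it contains only "OK" when neither condition applies.
    """
    flags = []
    if load_fraction(sample) > HIGH_CAPACITY_FRACTION:
        flags.append("High Capacity")
    if sample.free_disk_gb < LOW_DISK_GB:
        flags.append("Low Disk Space")
    return flags or ["OK"]


# Constructed samples: a lightly loaded Summarizer and one that is nearly saturated.
HEALTHY = SummarizerSample(avg_load_msyslog_day=10.0, avg_run_minutes_day=360.0, free_disk_gb=120.0)
SATURATED = SummarizerSample(avg_load_msyslog_day=10.0, avg_run_minutes_day=1320.0, free_disk_gb=3.5)

if __name__ == "__main__":
    for name, s in (("healthy", HEALTHY), ("saturated", SATURATED)):
        print(f"{name}: capacity={estimated_capacity(s):.1f}M/day "
              f"utilization={utilization(s):.0%} status={status(s)}")
```

Because capacity is derived from the same run time that defines utilization, the load-to-capacity ratio equals the utilization: the High Capacity notification fires exactly when the Summarizer is busy for more than 90 percent of the day, which is the practical signal that units should be moved to another agent.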
Data File Information

This section displays syslog file details for the selected summarizer.

The Data File Information table is divided into three columns:

Data File Type: The category of files being reported on. There are five categories:
Reporting Database Files: The files in the reporting database.
Backup Files: The backup snapshot.
Unprocessed Files: The data files in the summarizer’s processing queue.
Archived Files: The processed data files.
Bad Files: Data files with processing errors.
File Stats: The number of syslog files in the category and their total size in megabytes.
Oldest: The date and time of the oldest file in the category.
Summarizer Process Details

The Summarizer Process Details section shows what tasks the summarizer is performing at the moment the Console > Diagnostics > Summarizer Status page displays. Refresh your browser display or leave the page and return to it to update the information.

If the summarizer is currently running, the page displays the thread, appliance identifier, file being used, and state of the summarizer.

If the summarizer is currently idle, the page displays the last run time and next run time.

Syslogs sent by appliances that are not under Reporting and Management

Appliances that are no longer managed by Analyzer might still send syslog messages, impacting the performance of the summarizer. The syslogs from such appliances are dropped and not stored in archivedSyslogs or badSyslogs folders.

This feature displays a list (refreshed every 12 hours) of the appliances that are still sending syslog messages even though they are no longer managed by Analyzer, as well as appliances that are incorrectly configured.

If your Analyzer lists appliances in these fields, try the following to correct the issue:

Log in to the appliance and disable syslog forwarding to Analyzer.
If you do not have access to the appliance, add a rule on the gateway to block syslog traffic from the listed appliances, identified by their serial numbers.
To fix a misconfigured appliance, log in to the appliance and correct its Analyzer settings.

Granular Event Management

This chapter describes how to configure and use the Granular Event Management (GEM) feature in an Analyzer environment.

This chapter contains the following sections:

Granular Event Management Overview

Granular Event Management (GEM) gives you controlled, customizable handling of events and alerts. On the Console panel, GEM lets you configure each sub-component of an alert separately so that the alert fits your needs.

The GEM alert has multiple sub-components, some of which have further subcomponents. It is not necessary to configure all sub-components prior to creating an alert.

Severities: Severity is used to tag an alert as Critical, Warning, Information, or a custom severity level. You can create your own preferred severities and assign the order of importance to them from lowest to highest. When using a custom severity, you must define it before creating a threshold that uses it.
Thresholds: A threshold defines the condition that must be matched to trigger an event and send an alert. Each threshold is associated with a Severity to tag the generated alert as critical, warning, or information.

One or more threshold elements are defined within a threshold. Each element consists of an Operator, a Value, and a Severity. When a value is received for an alert type, the GEM framework checks it against every threshold element; if one or more elements match, the highest severity among the matching elements is used to trigger the event.

Schedules: You can use Schedules to specify the day(s) and time (intervals) in which to generate an alert. You can also invert a schedule, which means that the schedule is the opposite of the time specified in it. For example:
Generate an alert during weekdays only, or weekends only, or only during business hours.
Do not generate an alert during a time period when the unit, network, or database are down for maintenance.

What is Granular Event Management?

The purpose of Granular Event Management is to provide all the event handling and alerting functionality for Analyzer. The Analyzer management interface provides screens for centralized event management on the Console panel: Events > Threshold, Events > Schedule, and Events > Alert Settings, where you can enable or disable alerts.

You can enable or disable an alert at the global or unit level in Analyzer. At the global level, the alert is then applied to all units. Whenever you add a new unit to Analyzer, the alerts set at the global level are applied to the new unit.

Benefits

Granular Event Management offers a significant improvement in control over the way different events are handled. You now have more flexibility when deciding where and when to send alerts, and you can configure event thresholds, severities, schedules, and alerts from a centralized location in the management interface rather than configuring these on a per-unit basis.

How Does Granular Event Management Work?

The Granular Event Management framework provides customized event handling for specific alerts about database and database log size, and security service subscription licenses. For a list of the predefined alerts, see Using Granular Event Management.

Using Granular Event Management

For convenience and usability, a number of default settings are predefined for severities, schedules, thresholds, and alerts. You can edit the predefined values to customize the settings for thresholds and schedules. The predefined defaults for the Console panel are as follows:

GEM Predefined Default Objects

Panel: Console
Screen: Events > Schedule
Predefined Default Objects:
Schedule Groups:
24x7
Weekdays 24 hours
8x5
Weekend
Schedules:
Schedule: admin
Database Backup
Monday 24 hours
Monday business hours
Tuesday 24 hours
Tuesday business hours
Wednesday 24 hours
Wednesday business hours
Thursday 24 hours
Thursday business hours

Panel: Console
Screen: Events > Alert Settings
Predefined Default Objects:
Database Info
Database Size Status
System Files Backed-Up Status
Disk Space Utilization Status

About Alerts

The Events > Alert Settings screens are available in the Console and Firewall panels. You can enable or disable alerts on these screens.

The GEM framework provides different types of alert types for the respective areas of the Analyzer application:

Firewall panel: Alert settings for Reporting
Console panel: Alert settings for the Analyzer application

GEM Alert Types

Panel location: Console
Available Alert Types: Backed up Syslog Files, New Firmware Availability, Bandwidth Usage (Billing Cycle), Bandwidth Usage (Daily)

Panel location: Firewall
Available Alert Types: Anti Virus License, CFS License, Warranty License, Anti Spyware License, Intrusion License, VPN Tunnel Status, Agent Quota Reached, Agent Unsuccessful Backups, Appliance Capacity Status, CPU Status

Configuring Granular Event Management

To set up the GEM environment after installing Analyzer, start with the Events screens on the Console panel. You should examine the Threshold and Schedule screens and make any necessary configuration changes. Then you can enable alerts in the Events screens on the Console panel and Firewall panel.

See the following section:

Configuring Events on the Console tab

In the Events screens on the Console tab, you can configure the frequency of subscription expiration and task failure notifications, as well as severities, thresholds, schedules, and alerts for handling events.

See the following sections:

Configuring Event Thresholds

In the Events > Threshold screen, you can view existing event thresholds and configure their elements, and add custom thresholds. A threshold defines the condition for which an event is triggered. Predefined thresholds have names similar to predefined Alert Types. Each threshold can contain one or more threshold elements. An element consists of an Operator, a Value, and a Severity.

The following tasks are described in this section:

Editing a Threshold Element
To edit an existing element of a Threshold, complete the following steps:
1
On the Events > Threshold screen, click the Edit icon located in the Configure column in the element row.

The Edit Threshold pop-up window displays:

2
In the Operator field, select from the drop-down menu the type of operator to apply to your threshold element.

3
In the Value field, enter the value for your threshold element.
4
In the Description field, enter the description for your threshold element.
5
In the Severity field, select the severity priority from the drop-down menu. These are color coded for your easy reference on the Events > Threshold screen.

6
To disable the threshold element, click the Disable check box. See Enabling/Disabling Thresholds and Threshold Elements.
7
Click Update.
Enabling/Disabling Thresholds and Threshold Elements

The GEM feature provides a Disable check box that allows you to disable or enable thresholds or individual elements within that threshold. If it is needed again, you can simply enable it.

You can disable a threshold by disabling all its elements. You can also disable individual elements within a threshold.

To enable or disable Thresholds and/or their elements, complete the following tasks:
1
On the Console panel, navigate to the Events > Threshold screen. On this screen, you are able to view existing Thresholds. You can also view existing elements within those thresholds by clicking the expand button by a threshold. You have the following two options for the enabling/disabling feature:
You can enable or disable a Threshold by disabling/enabling all the elements that exist within it.
You can enable/disable the individual elements within a Threshold.
2
To enable or disable a threshold and/or its elements, click the Edit icon at the element level.
3
Select Disable to disable the element or de-select Disable to enable the element.

4
Click Update.
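The matching rule from the overview (every element is examined, the highest matching severity wins, custom severities must be defined before use) together with the element fields and Disable check box from the two procedures above can be expressed as a small evaluator. This is an added example written for this page, not Analyzer's own code: the operator spellings, the rule that a custom severity is appended to the order, and the sample Disk Space Utilization threshold are all assumptions.

```python
import operator
from dataclasses import dataclass, field
from typing import Callable, Optional

# Page order, lowest to highest. Custom severities are appended (assumption) and
# must be defined here before a threshold element may reference them.
DEFAULT_SEVERITIES = ["Information", "Warning", "Critical"]

# Operator spellings are an assumption; the page only says each element has an Operator.
OPERATORS: dict[str, Callable[[float, float], bool]] = {
    ">": operator.gt, ">=": operator.ge, "<": operator.lt,
    "<=": operator.le, "=": operator.eq, "!=": operator.ne,
}


@dataclass
class ThresholdElement:
    operator: str
    value: float
    severity: str
    description: str = ""
    disabled: bool = False      # the Disable check box on the Edit Threshold window

    def matches(self, observed: float) -> bool:
        """A disabled element never matches; otherwise apply the operator to the value."""
        return not self.disabled and OPERATORS[self.operator](observed, self.value)


@dataclass
class Threshold:
    name: str
    elements: list[ThresholdElement] = field(default_factory=list)

    @property
    def disabled(self) -> bool:
        """A threshold is disabled by disabling every element in it."""
        return all(e.disabled for e in self.elements)


def severity_rank(severity: str, order: list[str]) -> int:
    """Position of a severity in the low-to-high order; undefined severities are rejected."""
    if severity not in order:
        raise ValueError(f"severity {severity!r} is not defined; define it before using it")
    return order.index(severity)


def evaluate(threshold: Threshold, observed: float,
             order: list[str] = DEFAULT_SEVERITIES) -> Optional[str]:
    """Return the severity to tag the event with, or None when nothing matched.

    All elements are examined; when several match, the highest severity wins,
    so overlapping ranges such as ">80 Warning" and ">95 Critical" behave as intended.
    """
    matched = [e for e in threshold.elements if e.matches(observed)]
    if not matched:
        return None
    return max(matched, key=lambda e: severity_rank(e.severity, order)).severity


# Constructed example threshold for a disk-usage percentage (not a predefined Analyzer object).
DISK_USAGE = Threshold("Disk Space Utilization", [
    ThresholdElement(">", 80, "Warning", "disk more than 80% full"),
    ThresholdElement(">", 95, "Critical", "disk almost full"),
])

if __name__ == "__main__":
    for pct in (50, 85, 97):
        print(f"{pct}% used -> {evaluate(DISK_USAGE, pct)}")
```

Note the failure mode the Disable check box introduces: disabling only the Critical element in the sample threshold silently demotes a 97 percent reading to Warning, so after temporarily disabling an element, re-enable it rather than relying on memory.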

Configuring Event Schedules

The next component on the Console panel is Events > Schedule. In this screen, you can add, delete, or configure schedules and schedule groups.

Schedule groups are one or more schedules grouped within an object. Administrators and Owners can edit these objects. Other users can view or use them only if Visible to Non-Administrators is selected.

The following tasks are described in this section:

Adding an Event Schedule

In Events > Schedule you can add, delete, or configure schedules. You see your schedules and schedule groups, their descriptions, and whether they are enabled. You can also delete one schedule or schedule group at a time by clicking the trash icon on the right side of its row. For quick reference, hover your mouse over a description to view the type of schedule and the days and times when it is active.

To add an event schedule, complete the following steps:
1
On the Events > Schedule screen, click Add Schedule.
2
In the Name field, enter a name for the schedule.
3
In the Domain field, click the drop-down list and select a name. This function is for Super Admins only.
4
In the Description field, add a description for the schedule.
5
Select Visible to Non-Administrators if you want the schedule to be visible and usable by non-administrators.
6
To temporarily disable a schedule, select Disable.
7
Click Invert to create a schedule that is “off” during the dates and times that you specify.
8
In the Schedule field, you can create one or more schedules. For each schedule, configure either:
One Time Occurrence
Fill in the Date and Time fields.
Recurrence
Fill in Days, Start Time, and End Time fields.
9
Click Add to add this schedule to the Schedule List text box.

10
To delete an entry from the Schedule List text box, select the entry that you want to delete, and then click Delete. Click Delete All to delete all entries.
11
Click Update when you are finished.
Editing an Event Schedule

To edit an existing schedule, click the Edit icon on the right side of the Events > Schedule screen. The screen and procedure for editing are the same as those for adding a schedule. See Adding an Event Schedule.

Adding an Event Schedule Group

You can combine several schedules into a schedule group on the Events > Schedule screen.

To add a schedule group, complete the following steps:
1
On the Events > Schedule screen, click Add Schedule Group.
2
Enter the name of your schedule group in the Name field.
3
Enter a description of your schedule group in the Description field.
4
Click Visible to Non-Administrators to allow this schedule group to be viewed and used by non administrators.
5
Click Disable to temporarily disable the schedule group.
6
In the Schedules field, select the schedule(s) to add to your schedule group, and then use the arrow buttons to move the selected schedule into or out of the group. To move multiple schedule groups and/or schedules all at once, hold the CTRL button on your keyboard while making your selections.

7
Click Update.
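The schedule objects described in the two procedures above (one-time and recurring entries, the Invert and Disable options, and schedule groups built from several schedules) can be modelled and evaluated against a timestamp. This is an added example written for this page, not Analyzer's own code. Assumptions it makes: business hours are 08:00 to 17:00, a one-time occurrence has a time window rather than a single instant, end times are inclusive, a disabled schedule is never active, and a group is active whenever any member schedule is.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)   # datetime.weekday() numbering
WEEKDAYS = frozenset({MON, TUE, WED, THU, FRI})
WEEKEND = frozenset({SAT, SUN})
ALL_DAY = (time(0, 0), time.max)                # a "24 hours" window


@dataclass(frozen=True)
class Recurrence:
    """Recurring entry: Days plus Start Time and End Time (end inclusive, an assumption)."""
    days: frozenset
    start: time
    end: time

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.days and self.start <= at.time() <= self.end


@dataclass(frozen=True)
class OneTime:
    """One Time Occurrence: a Date plus a time window (the window is an assumption;
    the page only says the Date and Time fields are filled in)."""
    day: date
    start: time
    end: time

    def active(self, at: datetime) -> bool:
        return at.date() == self.day and self.start <= at.time() <= self.end


@dataclass
class Schedule:
    name: str
    entries: list = field(default_factory=list)
    invert: bool = False     # Invert: "off" during the listed times, "on" otherwise
    disabled: bool = False   # assumption: a disabled schedule is never active

    def active(self, at: datetime) -> bool:
        if self.disabled:
            return False
        hit = any(e.active(at) for e in self.entries)
        return (not hit) if self.invert else hit


@dataclass
class ScheduleGroup:
    """Active whenever any member schedule is active (assumption: OR semantics)."""
    name: str
    schedules: list
    disabled: bool = False

    def active(self, at: datetime) -> bool:
        return not self.disabled and any(s.active(at) for s in self.schedules)


# Constructed objects modelled on the page's predefined names.
BUSINESS_HOURS = Schedule("8x5", [Recurrence(WEEKDAYS, time(8, 0), time(17, 0))])
WEEKDAYS_24H = Schedule("Weekdays 24 hours", [Recurrence(WEEKDAYS, *ALL_DAY)])
WEEKEND_24H = Schedule("Weekend", [Recurrence(WEEKEND, *ALL_DAY)])
ALWAYS = ScheduleGroup("24x7", [WEEKDAYS_24H, WEEKEND_24H])

# Inverted schedule: suppress alerts during a Sunday 02:00-04:00 maintenance window.
NOT_MAINTENANCE = Schedule("Outside maintenance",
                           [Recurrence(frozenset({SUN}), time(2, 0), time(4, 0))],
                           invert=True)

if __name__ == "__main__":
    # 2024-01-14 is a Sunday; 03:00 falls inside the maintenance window.
    for when in (datetime(2024, 1, 14, 3, 0), datetime(2024, 1, 14, 10, 0)):
        print(when, "alerts allowed:", NOT_MAINTENANCE.active(when), "24x7:", ALWAYS.active(when))
```

The inverted schedule is the one to check carefully: it is active everywhere except the listed window, so an inverted schedule with no entries is active all the time, and a disabled inverted schedule is never active. Both are worth verifying before attaching such a schedule to an alert destination.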
Editing an Event Schedule Group

To edit an existing schedule group, click the Edit icon on the right side of the Events > Schedule screen. The screen and procedure for editing are the same as those for adding an event schedule group. See Adding an Event Schedule Group.

Deleting a Schedule or Schedule Group

You can delete schedules or schedule groups, or you can remove schedules from schedule groups.

* 
NOTE: Deleting a Schedule or Schedule Group that is in use is not permitted. A message displays when this action is performed.
To delete an event schedule, schedule group, or remove a schedule from a schedule group, complete the following steps:
1
Navigate to the Events > Schedule screen.
2
Click the check boxes of the schedule groups or schedules that you want deleted. When you click the schedule group check box, the schedules within that schedule group are deleted as well.
3
To remove a schedule from a schedule group, click the expand button on the schedule group, and select the schedules you wish to remove within that group.
4
To delete the selected schedule group(s) or remove the selected schedules from a group, click Delete Schedule Group(s)/Remove Schedules from Group.
5
To delete the selected schedule(s), click Delete Schedule(s).

Enabling or Disabling Alerts on the Console Panel

The Console > Events > Alert Settings screen provides predefined alerts that apply to Analyzer as a whole. You can hover your mouse over these to display information about them or click the arrow to display more information about the alert. You can enable or disable these alerts by selecting or clearing the check box in the Enable column for the alert, then clicking the Enable/Disable Alert(s) link.

Add Alert

In the Add Alert panel you can enter an alert name and description, select the options for visible to non-administrators and disable, and enter the polling interval.

To add an alert, complete the following steps:
1
Navigate to the Events > Alert Settings page.
2
Click the Add Alert link.
3
Enter a name and description for your alert.
4
Enable Visible to Non-Administrators if you want your Alert to be visible to non-administrators.
5
Enable the Disable check box to disable this Alert.
6
Enter a Polling Interval value (in seconds: 60-86400).
Alert Type

In the Alert Type panel you can select an alert type from the provided list and view the definitions of each alert type.

To configure an Alert Type, complete the following steps:
1
Click the Alert Type drop-down list and select an alert type.

Most of the Alert Types require you to edit their content. Edit Content lets you select, at a granular level, the additional information on which the alert is evaluated.

* 
NOTE: When an alert type is selected, a description for that alert is displayed in the Alert Type panel.
2
Click the Edit Content link. The Edit contents for alert type: <alert type> pop-up window displays (for example, Edit contents for alert type: Data usage (Daily)).
3
Click the Threshold drop-down list and select a threshold.
* 
NOTE: You can create a new threshold on-the-fly by clicking the icon. Only one new threshold can be created in this feature.
4
Click Update. To reset the settings, click Reset.
Destination / Schedule

In the Destination / Schedule panel you can add up to five destinations and set a schedule for each.

To add a destination and set a schedule, complete the following steps:
* 
NOTE: Every selected destination is required to have a schedule set.
1
Click the Add Destination link under the Destination/Schedule section. The Destination field designates where you want alerts to be sent. You can add a maximum of five destinations.

2
Click the Schedule drop-down list, then select a schedule type. The Schedule field designates the frequency of when you want alerts to be sent to the destination(s).

3
Click Update to finish adding an alert.
Enabling/Disabling Alerts
To enable or disable an alert, complete the following steps:
Enabling an Alert
1
Select the Enabled check box for the alert(s) you wish to enable.
2
Click Enable/Disable Alert(s) link. A confirmation window displays. Click OK to enable/disable.

Disabling an Alert
1
Clear the Enabled check box for the alert(s) you wish to disable.
2
Click the Enable/Disable Alert(s) link. A confirmation window displays. Click OK to enable/disable.

Deleting Alerts
To delete an alert, complete the following steps:
1
Select the check box(es) of the alert(s) you wish to delete.
2
Click the Delete Alert link. A confirmation window displays.

3
Click OK to delete.
* 
NOTE: You can also delete an alert by clicking the Delete icon under the Configure section of the alert you wish to delete.
Editing Alerts

After an alert is created, you can go back and edit it at any time.

To edit an alert, complete the following steps:
1
Click the Configure icon of the alert you wish to edit.

The Edit Alert page displays.

2
Refer to the section Add Alert and follow the configuration procedures to edit your existing alert.

Viewing Current Alerts

You can view a list of current alerts on the Events > Current Alerts page of the panel. Select a global view or unit to view current alerts for your selection.

Configuring User Settings

This chapter describes the user settings available on the Console panel’s User Settings > General page: the Analyzer administrator password, the Analyzer inactivity timeout, and pagination settings.

To configure the user settings that are available in the Console panel on the User Settings > General page, complete the following steps:
1
Enter the existing SonicWall Analyzer password in the Current Password field.
2
Enter the new SonicWall Analyzer password in the New Password field.
3
Reenter the new password in the Confirm New Password field.
* 
NOTE: Password fields are grayed out for users on a Remote Domain.
4
The Inactivity Timeout period specifies how long SonicWall Analyzer waits before logging out an inactive user. To prevent someone from accessing the SonicWall Analyzer UI while users are away from their desks, enter an appropriate value in the Inactivity Timeout field. The minimum is five minutes and the maximum is 120 minutes. Entering “-1” disables automatic logout completely; because that leaves an unattended session open indefinitely, avoid it on shared or unattended workstations.
5
Select a value between 10 and 100 in the Max Rows Per Screen field. This value applies only to non-reporting related paginated screens.
6
When you are finished, click Update. The settings are changed. To clear all screen settings and start over, click Reset.
* 
NOTE: The maximum size of the SonicWall Analyzer User ID is 24 alphanumeric characters. Passwords are stored as a one-way hash, so a password of any length is reduced to a fixed 32-character internal value.


Using Analyzer Help

To access the Analyzer online help, click Help in the top-right corner of the Analyzer user interface.

SonicWall Analyzer online help provides context-sensitive conceptual overviews, configuration examples, and troubleshooting tips.

This contains the following sections:

About Analyzer

The Console > Help > About page displays the version of Analyzer being run, who the Analyzer is licensed to, database information, and the serial number of Analyzer.

Tips and Tutorials

Tips and tutorials are available on some pages of the user interface, and are denoted by a “Lightbulb” icon.

To access tips and tutorials:
1
Navigate to the page where you need help.
2
If available, click the Lightbulb icon in the upper right corner of the window. Tips, tutorials, and online help are displayed for this topic.