Event Analysis Reporting

Installation Requirements

The PortalGuard Event Analysis Reporting feature has the following requirements:

  • Microsoft IIS 6.0 or higher
  • Microsoft SQL Server 2005 or later (Express and “full” versions are supported)
    • SQL Server authentication type must be enabled
    • SQL Server must be accessible via TCP/IP
  • Microsoft .NET 2.0 or later is installed on the SQL Server

Furthermore, the Event Analysis Reporting feature runs on the following platforms:

  • Microsoft Windows Server 2003 or later

If you have a platform not listed here, please contact us at sales@pistolstar.com to see if we have recently added support for your platform.

IIS Installation

When installing the PortalGuard server, ensure the “Event Analysis Reporting” feature is enabled for installation. NOTE: This does require the “Administrator Dashboard” parent feature to be installed as well.

Create ASPNET Database for Profiles

1. From a DOS prompt, change directory to the Microsoft .NET Framework folder, e.g.:

cd "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727"

2. Run the following command:

aspnet_regsql.exe -A p -S <SQLSERVER> -U <DBA_ACCT> -P <DBA_PW>

Where the following values are substituted for your environment:

  • <SQLSERVER> - The name of your SQL Server
  • <DBA_ACCT> - The name of a SQL administrator account that can create new databases on the SQL Server
  • <DBA_PW> - The password for the SQL administrator account

A full example of this command is:

aspnet_regsql.exe -A p -S balvenie -U sa -P password

Install SQL

1. Follow the steps in Chapter 5’s PortalGuard SQL Backend to install and configure the SQL support.

Create Additional User in SQL

Create an additional user on the SQL server named “pg_profileuser”. This is a low privilege user only used for maintaining “favorite” reports.

1. In the Object Explorer in Microsoft SQL Server Management Studio, expand the “Security” folder then right-click the “Logins” folder and choose the “New Login…” item

2. On the “Login - New” dialog:

a. Enter “pg_profileuser” as the “Login name”

b. Choose the “SQL Server authentication” radio button

c. Enter a password for the user

d. Uncheck the “Enforce password policy” checkbox

e. Set the “Default database” drop-down to “aspnetdb”

f. Click the “OK” button to create the login

3. In the Object Explorer, expand the following folders: “Databases” -> “aspnetdb” -> “Security”, then right-click the “Users” folder and choose “New User…”

4. Set the “User name” and “Login name” fields to “pg_profileuser”, check the “aspnet_Profile_BasicAccess” item at the top of the Role Members list and click the “OK” button to create the user for this database.

Create Event Analysis Reports User Account

In order to allow reports to be generated on a scheduled basis and on demand by users of the application, a single identity must be created that will be used to update the report files. This user can be a domain account if the PortalGuard server is a member of an Active Directory domain or it can be a locally defined Windows account on the PortalGuard server.

If creating an Active Directory domain account, the user should only be a member of the “Domain Users” group. If creating a local account, it should only be a member of the “Users” group. In both cases, the account’s password must be set to NOT expire as shown in the two screenshots below.

[Screenshots: Windows 2003 and Windows 2008]

This user must then be given explicit rights to the folder containing the report files.

1. Open Windows Explorer and navigate to:

C:\InetPub\PortalGuard\PG_Dashboard\reports

2. Right-click the folder and choose Properties, then go to the Security tab

3. Click the Edit button, then the Add… button to either type in or browse for the new user

4. Once the user is added, highlight their entry in the Permissions dialog and check the “Allow - Modify” checkbox in the Permissions frame

5. Click Apply to save the change, then click the Advanced button

6. Click the Change Permissions… button, check the “Replace all child object permissions…” checkbox then click OK and accept any dialogs that appear

7. Click OK on the Advanced and Properties dialogs to close them and save the changes

Schedule Reports Creation Agent

The Event Analysis Reports are updated automatically by a nightly scheduled task. This task must be created using the “Scheduled Tasks” wizard under Start -> All Programs -> Accessories -> System Tools.

1. Double-click the “Add Scheduled Task” item

2. Click Next on the intro dialog and click the “Browse…” button on the next dialog to find the file:

C:\Program Files\PistolStar\PortalGuard\bin\Reports_Agent.exe

3. Set a descriptive name and select the “Daily” radio button

4. Set the start time to 12:10 AM and choose the “Every Day” radio button. The task should start immediately.

5. On the credentials screen, enter the username and password for the Event Analysis Reports user account that was created above.

6. Click Next, then click the Finish button.

Update Bootstrap Configuration

1. On the PortalGuard server, launch the PG_Config editor from the desktop shortcut.

2. Click the Edit Bootstrap button.

3. On the “Log/Audit” tab, ensure the “Report Data Collection & Credibility-Based Auth” checkbox is checked.

4. Click the “Services” tab and in the “Event Analysis Reports Identity” grouping, enter the domain, username and password of the Windows user account you created in the “Create Event Analysis Reports User Account” section.

NOTE: If the user is defined locally on the PortalGuard server (as opposed to an Active Directory domain account), enter a period (“.”) for the “Domain” field value as shown below.

5. Click the “Save” button to commit the changes and then apply them to the PortalGuard server’s runtime configuration.

Add <profile> Element To web.config

  1. In a text editor, open the file “C:\InetPub\PortalGuard\web.config”
  2. Search for the text “</system.web>”
  3. Add a blank line above this tag and paste the following text on that blank line:

<profile defaultProvider="PGProfileProvider">
  <providers>
    <add name="PGProfileProvider" type="System.Web.Profile.SqlProfileProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="PGConnection" />
  </providers>
  <properties>
    <add allowAnonymous="false" defaultValue="" name="Favorites" readOnly="false" serializeAs="Xml" type="System.Collections.Specialized.StringCollection" />
  </properties>
</profile>

The results should appear like the screenshot below:

  4. Now search down in the file for the “</configuration>” tag. This should be the last line in the file.
  5. Add a blank line above that tag and paste in the following 3 lines of text:

<connectionStrings>
  <add connectionString="Server=<SQLSERVER>;Database=aspnetdb;User ID=pg_profileuser;Password=<PASSWORD>;Connect Timeout=10" name="PGConnection" />
</connectionStrings>

In the string template above, you MUST replace <SQLSERVER> with the network name of your SQL Server and <PASSWORD> with the password you set for the low privilege pg_profileuser account.

The results should appear like the screenshot below:

  6. Save the changes
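
A check for the web.config edits in this section, as an added example that is not part of the PortalGuard documentation: a PowerShell function that audits the edited file for an unreplaced placeholder, a missing PGConnection entry, or a login other than pg_profileuser. Test-PGProfileConfig is a hypothetical name, the sample file is constructed, and the XPath assumes the <configuration> element carries no xmlns attribute.

```powershell
# Constructed sample of the edited file; "sqlhost01" and the password are made-up values,
# and "User ID=sa" is a deliberate mistake for the audit to catch.
$sample = @'
<configuration>
  <system.web>
    <profile defaultProvider="PGProfileProvider">
      <providers>
        <add name="PGProfileProvider" type="System.Web.Profile.SqlProfileProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="PGConnection" />
      </providers>
    </profile>
  </system.web>
  <connectionStrings>
    <add connectionString="Server=sqlhost01;Database=aspnetdb;User ID=sa;Password=EXAMPLE-ONLY;Connect Timeout=10" name="PGConnection" />
  </connectionStrings>
</configuration>
'@

# Hypothetical helper, not a PortalGuard tool: returns a list of findings for the given web.config text.
function Test-PGProfileConfig {
    param([string]$ConfigText)
    # A leftover <SQLSERVER> or <PASSWORD> puts a raw "<" in an attribute value, which is not well-formed XML.
    try { $xml = [xml]$ConfigText }
    catch { return 'Not well-formed XML: look for an unreplaced <SQLSERVER> or <PASSWORD> placeholder' }

    $provider = $xml.SelectSingleNode('/configuration/system.web/profile/providers/add')
    if ($null -eq $provider) { return 'No <profile> provider found inside <system.web>' }
    $csName = $provider.GetAttribute('connectionStringName')

    $section = $xml.SelectSingleNode('/configuration/connectionStrings')
    if ($null -eq $section) { return 'No <connectionStrings> section found' }
    # An encrypted section carries this attribute and its entries cannot be read here.
    if ($section.HasAttribute('configProtectionProvider')) { return }

    $entry = $section.SelectSingleNode("add[@name='$csName']")
    if ($null -eq $entry) { return "Provider references '$csName' but no such connection string exists" }

    # Split "key=value;key=value" pairs (a value containing ';' would need a real parser).
    $kv = @{}
    foreach ($part in $entry.GetAttribute('connectionString').Split(';')) {
        $i = $part.IndexOf('=')
        if ($i -gt 0) { $kv[$part.Substring(0, $i).Trim()] = $part.Substring($i + 1).Trim() }
    }
    $findings = @('SQL password is stored in clear text: restrict who can read web.config')
    if ($kv['User ID'] -ne 'pg_profileuser') { $findings += "Connects as '$($kv['User ID'])', not the low privilege pg_profileuser" }
    if ($kv['Database'] -ne 'aspnetdb') { $findings += "Database is '$($kv['Database'])', not aspnetdb" }
    return $findings
}

Test-PGProfileConfig $sample   # for a real file: Test-PGProfileConfig (Get-Content <path> | Out-String)
```

The clear-text finding follows from the connection string template itself. ASP.NET protected configuration (`aspnet_regiis.exe -pef "connectionStrings" <site folder>`, found in the same Framework folder as aspnet_regsql.exe) can encrypt that section, though whether PortalGuard works with an encrypted section is an assumption to test.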

Restart the IIS Server

Whereas most PortalGuard settings take effect immediately, a few in the steps above do require the IIS server to be restarted. This is most easily done by opening a DOS prompt and entering the command “iisreset”.

Using the Event Analysis Reporting Feature

To access the PortalGuard Event Analysis Reporting feature, simply open a browser and access the URL:

http://<your-portalguard-server>/PG_Dashboard/reports/jump.aspx

NOTE: Substitute the hostname or IP address of your PortalGuard server in the URL above.

When prompted by the PortalGuard UI, log in with an account that was authorized in the Update web.config File section. The Event Analysis Reporting start page opens:

Generating Event Analysis Reports

Use the Event Analysis Reports to help you detect event patterns and relationships that will result in a better configured environment.

There are three methods you can use to generate reports:

  • Quick Links: Use the links on the left side of the start page to specify a time frame for your report.
  • Select a date from the calendar: Simply click a date link in the calendar.
  • Go to Single Report: Select a topic, timeframe, and year from the pulldowns and click Submit.

Quick Links or Calendar Selection

When you use Quick Links or select a calendar date, the Authentication Audits matrix appears, as shown below.

Click any of the highlighted links in the matrix to automatically generate a report similar to the following:

To see a report based on the same criteria, but for a longer or shorter period of time, select a different timeframe. Note that the question you chose from the matrix appears at the top of the report. Below the question, you have the option of generating reports for the previous or next period, depending on the timeframe you chose.

To return to the initial page, click Jump Page at the top right corner. To return to the Authentication Audits page, click Matrix.

Go to Single Report

You can generate a report for a single timeframe (for example, day, month, or quarter) by selecting a topic from the pulldown, specifying a timeframe, and choosing a year. Click Submit to generate the report.

In the following example, we selected a report showing all the blocked users for the month of November.

When you click Submit, a report appears that lists the type, frequency, and percentage of total logins for each type for the time period you selected.

To see a report based on the same criteria, but for a longer or shorter period of time, select a different timeframe from the pulldown at the upper right corner. Note that the name of the report appears as a question above the data. Below the question, you have the option of generating reports for the previous or next period, depending on the timeframe you chose.

To return to the initial page, click Jump Page at the top right corner. To return to the Authentication Audits page, click Matrix.