Channel: Fortinet GURU

FortiSIEM Scheduling Reports

Scheduling Reports

You can schedule reports to run once or on a recurring schedule in the future. When the scheduled report runs, the results are saved to the Results tab for the report, and in Analytics > Generated Reports.

Prerequisites

When you schedule a report, you can specify notifications that should be sent for that report. Before doing so, make sure that the default notification settings for all scheduled reports have been set up.

Procedure

  1. Log in to your Supervisor node.
  2. Go to Analytics > Reports.
  3. Select the report you want to schedule.
  4. Select Schedule this report for:
  5. For multi-tenant deployments, select the Organization for which this report should apply.
  6. Select the Report Time Range.
  7. Select the Schedule Settings.
  8. Select the Output Format, whether you want to include the Chart in the output, and the Maximum Rows to Display.
  9. Specify the Notifications that should be sent when the report runs.

Click Specify custom notifications if you want to send notifications to specific email addresses.

To copy the report to a remote directory, first define the remote location under Admin > General Settings > Analytics > Report to be copied to this remote location when scheduler runs any report, and then select the Copy to a remote directory option.

  10. Specify the amount of time the report should be retained after it has run.
  11. Click OK.

The report will run at the time you scheduled.

Related Links

Setting Up Email Alert Routing for Scheduled Reports


FortiSIEM Viewing Available Reports

Viewing Available Reports
  1. Log in to your Supervisor node.
  2. Go to Analytics > Reports.
  3. For multi-tenant deployments, select the Organization for which you want to view the available reports.
  4. Expand the Reports list, and select the subcategory of report you want to view.
  5. Select the report you want to view information about. Each report has four information tabs:
Report Tab   Description
Summary      Includes the Filter and Group By conditions for the report, and the report’s Display attributes.
Schedule     Information about when the report is scheduled to run. See Scheduling Reports for more information. You can click the + icon to set a schedule for the report to run.
Results      The results from any scheduled runs of the report, or results you have saved from running the report.
Definition   The XML definition of the report.

FortiSIEM Audit

Audit

Audit Reports can be used to determine whether a device is running the recommended OS and installed software versions, whether its performance metrics are within bounds, and whether harmful events have not been triggered.

Creating Audit Report

Running an Audit

Exporting Audit Results

Scheduling an Audit

Creating Audit Report

To create an Audit Report:

  1. Go to the Analytics tab.
  2. Expand the Audit node on the left tree and go to the folder to which the new report will belong. You can also create a new folder first by clicking the + on top of the left tree.
  3. Click New.
  4. Enter the following information for the Audit Report:
    1. Name: Name of the Audit Report
    2. Description: Description of the Audit Report
    3. Vendor: Select a specific device vendor from the drop-down list. The Audit Report will be specific to the chosen device vendor and model.
    4. Model: Select a vendor-specific model from the drop-down list. The Audit Report will be specific to the chosen device vendor and model.
    5. Specify the Failed Criteria for the Audit Report. A device fails the audit if any of the specified criteria is matched.
      i. OS Version Condition:
        1. Choose an operator: possible choices are IN, NOT IN, CONTAINS, NOT CONTAINS
        2. Specify the value to be matched: this can be a comma-separated list
      ii. Install Software Condition:
        1. Specify the Condition name. This is just for reference purposes.
        2. Specify the Install software name. The name has to be exactly identical to the discovered installed software in CMDB > Devices > Installed Software > Name.
        3. Choose an operator: possible choices are IN, NOT IN, CONTAINS, NOT CONTAINS
        4. Specify the value to be matched: this can be a comma-separated list
      iii. Rules Condition:
        1. Click and the Rule selector dialog appears.
        2. Select the appropriate Rule folder from the leftmost tree. If you do not know the specific folder, choose the top-level Rules folder.
        3. Select the rules from the middle section. You can also type a search string. You can expand the window and shrink the leftmost section to see more of the rule descriptions. The rules in the selected folder will appear in the middle section.
        4. Click Items >> to place the selected rules in the rightmost section.
        5. Click
      iv. Report Condition:
        1. Click and the Report selector dialog appears.
        2. Select the appropriate Report folder from the leftmost tree. If you do not know the specific folder, choose the top-level Reports folder. The reports in the selected folder will appear in the middle section.
        3. Select the reports from the middle section. You can also type a search string. You can expand the window and shrink the leftmost section to see more of the report descriptions.
        4. Click Items >> to place the selected reports in the rightmost section.
        5. Click OK.

Audit Policy Criteria Matching Notes

  1. For each criterion, only devices in the CMDB with the vendor and model specified in the Audit Report are considered.
  2. If any of the criteria matches, the device fails the audit.
  3. IN and NOT IN are exact matches, while CONTAINS and NOT CONTAINS are case-insensitive substring matches.
  4. For OS Version match, the entered value is compared with the Version column in CMDB > Device.
  5. For Installed Software Version match, the entered value is compared with the Version column in CMDB > Device > Installed Software.
  6. For Rule match, the specified rule must trigger during the time interval specified in the Audit Report. The organization id and access IP of the device are compared to the Organization Id and Host IP in an incident.
  7. For Report match, the specified reports, run for the time duration specified in the Audit Report, must have data.
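The criteria-matching rules above, as an added example that is not FortiSIEM's own code: a small Python matcher run over constructed CMDB device records. The vendor, model, software names and policy values are assumptions, and Rule and Report conditions are left out because they depend on incident and report data rather than CMDB attributes.

```python
"""Audit-policy criteria matching, as an added example (not FortiSIEM code).

Implements the rules stated under "Audit Policy Criteria Matching Notes":
only devices whose CMDB vendor and model match the policy are considered,
IN / NOT IN are exact matches against a comma-separated list, CONTAINS /
NOT CONTAINS are case-insensitive substring matches, and a device fails as
soon as any criterion matches. The policy and device records below are
constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Device:
    """A CMDB device record: name, vendor, model, OS Version and the
    Installed Software list (name -> version), as under CMDB > Devices."""
    name: str
    vendor: str
    model: str
    os_version: str
    installed_software: dict


@dataclass
class AuditPolicy:
    vendor: str
    model: str
    os_conditions: list   # OS Version conditions: (operator, value)
    sw_conditions: list   # Install Software conditions: (condition name, software name, operator, value)


def split_values(value: str) -> list:
    """A criterion value may be a comma-separated list; whitespace around
    each item is ignored (assumption: the UI trims it as well)."""
    return [v.strip() for v in value.split(",") if v.strip()]


def criterion_matches(operator: str, actual: str, value: str) -> bool:
    """Apply one audit operator to a CMDB attribute value."""
    values = split_values(value)
    if operator == "IN":          # exact, case-sensitive match against the list
        return actual in values
    if operator == "NOT IN":
        return actual not in values
    # case-insensitive substring match; any listed item counts as a hit (assumption)
    hit = any(v.lower() in actual.lower() for v in values)
    if operator == "CONTAINS":
        return hit
    if operator == "NOT CONTAINS":
        return not hit
    raise ValueError(f"unknown operator: {operator!r}")


def audit_device(policy: AuditPolicy, device: Device) -> tuple:
    """Return (Audit Status, Details): 'Fail' with the list of matched
    criteria, or 'Pass' with an empty list."""
    details = []
    for operator, value in policy.os_conditions:
        if criterion_matches(operator, device.os_version, value):
            details.append(f"OS Version {operator} {value}")
    for cond_name, sw_name, operator, value in policy.sw_conditions:
        # The software name must be identical to the discovered name; a device
        # without that software cannot match its version condition (assumption).
        version = device.installed_software.get(sw_name)
        if version is not None and criterion_matches(operator, version, value):
            details.append(cond_name)
    return ("Fail" if details else "Pass"), details


def run_audit(policy: AuditPolicy, devices: list) -> dict:
    """Audit every device whose vendor and model match the policy; other
    devices are not considered at all. Returns {device name: (status, details)}."""
    return {
        d.name: audit_device(policy, d)
        for d in devices
        if d.vendor == policy.vendor and d.model == policy.model
    }


# Constructed sample policy: fail devices that are not on the approved OS
# list, or that run an old build of a management client.
SAMPLE_POLICY = AuditPolicy(
    vendor="ExampleVendor", model="ExampleFW",
    os_conditions=[("NOT IN", "9.1(2), 9.1(3)")],
    sw_conditions=[("Old management client", "MgmtClient", "CONTAINS", "7.0")],
)

SAMPLE_DEVICES = [  # constructed CMDB records
    Device("fw1", "ExampleVendor", "ExampleFW", "9.1(2)", {"MgmtClient": "7.1(3)"}),
    Device("fw2", "ExampleVendor", "ExampleFW", "9.0(1)", {"MgmtClient": "7.0(2)"}),
    Device("sw1", "ExampleVendor", "ExampleSwitch", "15.2", {}),  # other model: ignored
]

if __name__ == "__main__":
    for name, (status, details) in run_audit(SAMPLE_POLICY, SAMPLE_DEVICES).items():
        print(f"{name}: {status} {details}")
```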

Running an Audit

To run an Audit,

  1. Select an Audit Policy
  2. Click Run Now
  3. In the follow up dialog,
    1. Select the organizations for which to run the audit (meaningful for Service Provider version)
    2. Choose a time window – absolute or relative
    3. Click OK

The Audit Policy check results are displayed in the right bottom pane.

Summary tab shows a high level overview of the Audit Policy check.

Audit Result Distribution chart shows the device pass/fail distribution for every selected organization.

Failed Criteria distribution chart shows the contribution of each audit criteria to the devices that failed the audit.

Detail tab shows the Audit Policy check for each device matching the vendor, model specified in the policy.

Organization specifies the entity to which the device belongs

Device Name is the host name of the device in CMDB

Audit Status is the Pass/Fail flag

Details specifies the reasons for Audit Policy check failure

Exporting Audit Results

To export an Audit Report,

  1. Select an Audit Policy
  2. Run the Audit Policy Check. The results will be shown in the bottom right pane.
  3. Click Export
    1. Add User Notes
    2. Choose Output Format – PDF or CSV
    3. Click Generate Report. The PDF file will be stored on the local disk.

Scheduling an Audit

To schedule a report to run at a later time

  1. Choose between one of two options
    1. Run this report for – If the ‘Run this report for’ button is selected, a report will be scheduled for the super user, containing data from the organizations selected. The super user will be the owner of the report. The recipients of the report may be defined in the ‘Send Notifications’ section below or in Admin -> General Settings -> Analytics.
    2. Schedule this report for – If the ‘Schedule this report for’ button is selected, multiple reports will be scheduled — one for each selected organization — and containing only that organization’s data. The reports will be owned by the respective organizations. The recipients of the report are taken from Admin -> General Settings -> Analytics. When multiple reports are run in this way the notification recipients cannot be indicated in the ‘Send Notifications’ section below.
  2. Select all the Organizations for which to run the Audit Report
  3. Select the Report time range
  4. Specify Schedule settings – when to run this report
  5. Choose Output Format – PDF or CSV
  6. Select notification – report recipients and method
    1. If you choose Send default notification, the settings under Admin > General Settings > Analytics > Alerts to be sent when scheduler runs any REPORT are used.
    2. If you choose Specify custom notifications, you can specify email addresses.
    3. If you choose Copy to a remote directory, the settings under Admin > General Settings > Analytics > Reports to be copied to this remote location when scheduler runs any REPORT are used.

FortiSIEM Visual Analytics

Visual Analytics

Visual Analytics is an add-on for AccelOps that lets you create custom visualizations of AccelOps report data, as well as dashboards containing multiple visualization charts. AccelOps Visual Analytics has three components:

  1. The AccelOps Report Server, which syncs with and replicates AccelOps reports in near-real time.
  2. Tableau Server from Tableau Software, which enables the publication and distribution of your visualizations.
  3. Tableau Desktop, also from Tableau Software, which is your primary tool for creating visualizations.

See Installation and Configuration of AccelOps Visual Analytics for information about setting up AccelOps Report Server. For more detailed information about Tableau Server and Desktop, including installation, configuration, and examples of creating sheets and workbooks, you should consult the Product Support section of the Tableau Software website.

AccelOps Visual Analytics Architecture

Overview and Report Server Architecture

Using AccelOps Report Server with Tableau Software

Overview and Report Server Architecture

With AccelOps Visual Analytics, you can now create visual representations of the data that is stored in AccelOps. This includes:

Structured data stored in the AccelOps CMDB relational PostgreSQL database, such as:

  1. Discovered information about devices, systems, applications and users
  2. Identity and location information
  3. Incidents and notifications

Unstructured data such as logs, events, performance metrics etc. that are monitored by AccelOps and stored in the EventDB NoSQL database, which is accessible by Supervisors and Workers over NFS.

In order to provide near real-time visual analytics without compromising the performance of your AccelOps deployment, both structured and unstructured data is exported to a separate virtual machine, the AccelOps Report Server, running PostgreSQL. The Report Server contains two databases that are queried by AccelOps Visual Analytics:

phoenixdb

This database contains the entire AccelOps CMDB and is populated via asynchronous PostgreSQL replication (slony) in near-real time.

reportdb

This database contains the results of event queries.

You can find more information about AccelOps Report Server in the topic Report Server Architecture: phoenixdb and reportdb and its related topics.

Using AccelOps Report Server with Tableau Software

AccelOps Report Server integrates with Tableau Software to provide the interface for creating and publishing your data visualizations. Workbooks containing visualizations based on AccelOps data are created using Tableau Desktop and then published to Tableau Server, where they can be accessed on any Windows or OS X device by users who have been granted permission to view or edit them. AccelOps provides some workbooks for visualizations, but you can construct others for custom analytics. You can find more information about workbooks in the section Creating and Managing Workbooks.

FortiSIEM Installation and Configuration of AccelOps Visual Analytics

Installation and Configuration of AccelOps Visual Analytics

Installation and configuration of AccelOps Visual Analytics involves setting up AccelOps Report Server, and then integrating it with Tableau Server and Desktop from Tableau Software. Topics in this section contain setup and configuration instructions for Report Server. For information on setting up and configuring Tableau Server and Desktop, see the online Tableau Software documentation.

Requirements for Visual Analytics Report Server

Setting Up Visual Analytics

Hypervisor Installations for Report Server

Syncing with the Report Server

Requirements for Visual Analytics Report Server

You install Visual Analytics Report Server as an AccelOps node, and these requirements assume that you have already set up and installed AccelOps. If you are working with a fresh install of AccelOps that includes Report Server, see the topics under Installation for complete requirements and installation instructions for the AccelOps Virtual Appliance.

Hardware Requirements for Report Server Nodes

Report Server (Quantity: 1)
  Host SW: ESX
  Processor: 8 Core 3 GHz, 64 bit
  Memory: 16 GB
  OS/App Storage: 200GB (80GB OS/App, 60GB CMDB, 60GB SVN)
  Reports Data Storage (1 year): See recommendations under Hardware Requirements for Supervisor and Worker nodes

Setting Up Visual Analytics

There are three components to AccelOps Visual Analytics:

  1. AccelOps Report Server
  2. Tableau Server
  3. Tableau Desktop

Setting up Visual Analytics involves setting up each of those components in order, and establishing the relationship between them.

  1. You must first install Report Server as described in Installing and Registering AccelOps Report Server in VMware ESX.
  2. After installing Tableau Server on a Windows server, and installing Tableau Desktop on a Windows or Mac OS X device, you then connect the two systems as described in the Tableau Software product documentation.
  3. When this connection is established, it automatically triggers the remote registration and configuration of the AccelOps Report Server, including replication of the CMDB and EventDB data from the AccelOps Cluster to the AccelOps Report Server, as well as the user account required for access to the original databases.

Registration of the Report Server and replication of the AccelOps database data may take some time depending on the size of the original CMDB. Registration is complete when the replication process catches up with the latest data in the system. From that point on, replication from the CMDB to AccelOps Report Server takes place in near real time, letting you run Visual Analytics queries against CMDB data that has been replicated to the Report Server’s phoenixdb.

You can find full information about setting up all components of AccelOps Visual Analytics in the section Installation and Configuration of AccelOps Visual Analytics.

FortiSIEM Hypervisor Installations for Report Server


Hypervisor Installations for Report Server

These topics cover the installation of Report Server in various hypervisor environments.

Installing and Registering AccelOps Report Server in Amazon Web Services

Installing and Registering AccelOps Report Server in KVM

Installing and Registering AccelOps Report Server in Microsoft Hyper-V

Installing and Registering AccelOps Report Server in VMware ESX

Installing and Registering AccelOps Report Server in Amazon Web Services

Follow the instructions for setting up an AccelOps virtual appliance as described in Setting Up Supervisor, Worker and Collector Nodes in AWS, and then register the Report Server to the Supervisor as described in Installing and Registering AccelOps Report Server in VMware ESX.


Installing and Registering AccelOps Report Server in KVM

Follow the instructions for installing an AccelOps virtual appliance as described in Importing a Supervisor, Collector, or Worker Image into KVM, and then register the Report Server with the Supervisor as described in Installing and Registering a Report Server Node in ESX.


Installing and Registering AccelOps Report Server in Microsoft Hyper-V

Follow the virtual appliance installing instructions in Installing in Microsoft Hyper-V, and then register the Report Server node with the Supervisor as described in Installing and Registering AccelOps Report Server in VMware ESX.


Installing and Registering AccelOps Report Server in VMware ESX

These instructions are for installing Report Server on VMware ESX, and assume that you have already installed and configured an AccelOps environment. For instructions for a complete AccelOps install, see the topics under Installation.

Installing Report Server

Follow the instructions for installing an AccelOps virtual appliance as described in the topics under Installing a Supervisor, Worker, or Collector Node in ESX and in Configuring the Supervisor, Worker, or Collector from the VM Console.

Turn on archive mode for Report Server CMDB replication

  1. Mount an NFS shared directory on both the Super and the Report Server and make sure that this mount survives a system reboot. For example:

/data/replication/archive

  2. Make this shared directory owned by postgres.postgres.
  3. On the Super, edit postgresql.conf under /cmdb/data to turn on archive mode by uncommenting (removing the # in the first column) the following lines, and make sure archive_command points to the directory created in step 1.
  4. On the Report Server, edit /cmdb/data/recovery.conf, uncomment the following lines, and make sure restore_command and archive_cleanup_command point to the directory created in step 1.
  5. On the Super, restart the PostgreSQL DB: ‘service postgresql-9.1 restart’
  6. On the Super, restart the App Server (Glassfish).
  7. On the Report Server, restart the PostgreSQL DB: ‘service postgresql-9.1 restart’

FortiSIEM Registering Report Server


Registering Report Server

  1. In the Admin tab, select License Management.
  2. Under Report Server Information, click Add.
  3. Enter the Report Server IP Address, and the Database Username and Password you want to use to administer Report Server.

These are also the credentials that you will use when you set up the Visual Analytics Server to read data from Report Server.

  4. Click Run in Background if you want Report Server registration to run in the background for larger installations.

When CMDB size is under 1GB, registration takes approximately 3 minutes to complete.

  5. When registration completes, click OK in the confirmation dialog.
  6. Under the Admin tab, select Cloud Health and make sure Report Server is up and running.

Syncing with the Report Server

Using AccelOps Visual Analytics involves first syncing reports contained in the primary AccelOps application to the AccelOps Report Server.

  1. Log in to your Supervisor node.
  2. Go to Analytics > Reports > Synced Reports.
  3. Select a report.

Currently only reports that contain a Group By condition can be synced. Both system and user-created reports can be synced as long as they contain a Group By condition.

  4. Select Sync.

When the sync process initiates, the Supervisor node dynamically creates a table within the Report Server reportdb database. When the sync is established, it will run every five minutes, and the last five minutes of data in the synced report will be pushed to the corresponding table. This lets you run Visual Analytics on event data stored in the Report Server reportdb database.

FortiSIEM Working with the Report Server

Working with the Report Server

This section contains information on AccelOps Report Server architecture, viewing and querying the CMDB and event data contained in the Report Server databases, and database maintenance.

Report Server Architecture: phoenixdb and reportdb

Working with CMDB Data in AccelOps Report Server

Viewing phoenixdb Organization

Querying Incident Data in AccelOps Report Server

Reference: Attribute Columns in the ph_incident_view Table

Sample Incident Queries

Querying Other CMDB Tables in AccelOps Report Server

Querying Device Vendor and Model Distribution for Discovered Devices

Querying Discovered Devices

Working with Event Data in AccelOps Report Server

Viewing reportdb Organization

Syncing an AccelOps Report with Report Server

Deleting a Report from AccelOps Report Server

Modifying an Existing Report in AccelOps Report Server

Report Server Architecture: phoenixdb and reportdb

AccelOps Report Server contains two databases:

phoenixdb

This database contains the entire AccelOps CMDB and is populated via asynchronous PostgreSQL replication (slony) in near-real time.

reportdb

This database contains the results of event queries.

Topics in this section describe how to view the tables in these databases, and how those tables are organized. For viewing the tables, we recommend using the pgAdmin PostgreSQL database utility, which you can download from the pgAdmin website.

Working with CMDB Data in AccelOps Report Server

Data from the AccelOps CMDB database is populated to the AccelOps Report Server and stored in the Report Server phoenixdb. This section contains information on how to view the organization of phoenixdb, and write queries against the data it contains.

Viewing phoenixdb Organization

Querying Incident Data in AccelOps Report Server

Reference: Attribute Columns in the ph_incident_view Table

Sample Incident Queries

Querying Other CMDB Tables in AccelOps Report Server

Querying Device Vendor and Model Distribution for Discovered Devices

Querying Discovered Devices

Viewing phoenixdb Organization

This database contains the contents of the entire AccelOps CMDB database, including incidents.

  1. In the pgAdmin utility, go to File > Add Server.
  2. In the New Server Registration dialog, enter the connection details for AccelOps Report Server.

For Maintenance DB, select phoenixdb.

For Username and Password, use the read-only user name and password that you created when you provisioned the Report Server.

  3. Click OK.

When the connection to the AccelOps Report Server is established, phoenixdb will load in the Object browser. There are approximately 197 tables in phoenixdb, which are replicated from the AccelOps cluster.

  4. Select a table to view, then right-click to open the Options menu.
  5. In the Options menu, select View Data, and then select an option for which rows you want to view.

For example, to view the contents of the ph_device table, which contains CMDB information about discovered devices, you would select and then right click on ph_device, then select View Data > View All Rows.

You can also use this method to examine Views and other objects in the phoenixdb database.

Querying Incident Data in AccelOps Report Server

There are two ways to look at the incident data inside AccelOps Report Server:

Incident Tables (ph_incident and ph_incident_detail)

These tables contain the incidents.

Incident View (ph_incident_view)

This is a database view that adds context to the incident tables by joining them with other tables in the database. The added information includes location and business service. Some information is parsed out for easier querying: for example, the host name and IP address fields embedded in the incident_src and incident_target fields of ph_incident are exposed as separate columns in ph_incident_view.

This topic describes how to view the data contained in Incident View.

  1. Follow the instructions in Viewing phoenixdb Organization to access the phoenixdb database in AccelOps Report Server.
  2. Go to Views > ph_incident_view > Columns to view the table columns.
  3. Go to Views > ph_incident_view > View Data > View Last 100 Rows to view the incidents.

 

Reference: Attribute Columns in the ph_incident_view Table

Column Name Format Description
incident_id integer Unique id for an incident
cust_org_id integer Customer Id (for AO-SP)
first_seen_time integer The time when the incident was first seen. The format is UNIX time but with milliseconds granularity. It is defined as the number of milliseconds that have elapsed since 00:00:00 Coordinated Universal Time

(UTC), Thursday, 1 January 1970    

last_seen_time integer The time when the incident was last seen. The format is UNIX time but with milliseconds granularity. It is defined as the number of milliseconds that have elapsed since 00:00:00 Coordinated Universal Time (UTC), Thursday, 1 January 1970
incident_et string Incident event type id e.g. PH_RULE_SERVER_HW_CRITICAL
incident_status integer 0: Active 1: Auto Cleared 2: Manually Cleared 3: System Cleared
incident_count integer The number of times this exact incident (with the same parameters: source, destination etc has happened)
biz_name string Associated business service name
severity integer Numerical severity of the incident, range 0-10
severity_cat string Incident severity category: 0-4: LOW, 5-8: MEDIUM and 9-10: HIGH
orig_device_ip string IP address of the device that reported the incident
ph_incident_category string Category of infrastructure affected by this incident; possible values: Network, Server, Storage, Virtualization, Application, Internal
incident_src string Incident Source string formatted as a list of <Attribute>:Value, e.g. srcIpAddr:10.1.1.1,srcName:JoeLaptop
src_ip_addr string Source IP parsed out from incident_src field
src_name string Source Name parsed out from incident_src field
src_device_location string (Geo) Location display name string for the object specified in incident_src
src_country string (Geo) Country name string for the object specified in incident_src
src_state string (Geo) State name for the object specified in incident_src
src_building string (Geo) Building name for the object specified in incident_src
src_floor string (Geo) Floor for the object specified in incident_src
src_latitude double (Geo) Latitude for the object specified in incident_src
src_longitude double (Geo) Longitude for the object specified in incident_src
incident_target string Incident Destination string formatted as a list of <Attribute>:Value, e.g. "destIpAddr:10.1.1.1,destName:JoeLaptop" or "hostIpAddr:10.1.1.1,hostName:JoeLaptop"
dest_ip_addr string Destination IP parsed out from incident_target field
dest_name string Destination Name parsed out from incident_target field
dest_device_location string (Geo) Location display name string for the object specified in incident_target
dest_country string (Geo) Country name string for the object specified in incident_target
dest_state string (Geo) State name for the object specified in incident_target
dest_building string (Geo) Building name for the object specified in incident_target
dest_floor string (Geo) Floor for the object specified in incident_target
dest_latitude double (Geo) Latitude for the object specified in incident_target
dest_longitude double (Geo) Longitude for the object specified in incident_target
host_ip_addr string Host IP address parsed out from incident_target field
host_name string Host Name parsed out from incident_target field
host_device_location string (Geo) Location display name string for the object specified in incident_target; populated if incident_target contains hostIpAddr
host_country string (Geo) Country name string for the object specified in incident_target; populated if incident_target contains hostIpAddr
host_state string (Geo) State name for the object specified in incident_target; populated if incident_target contains hostIpAddr
host_building string (Geo) Building name for the object specified in incident_target; populated if incident_target contains hostIpAddr
host_floor string (Geo) Floor for the object specified in incident_target; populated if incident_target contains hostIpAddr
host_latitude double (Geo) Latitude for the object specified in incident_target; populated if incident_target contains hostIpAddr
host_longitude double (Geo) Longitude for the object specified in incident_target; populated if incident_target contains hostIpAddr
vm_name string VM Name if the incident involves a virtual machine; populated if incident_target contains vmName
user_attr string User name if the incident involves a user, i.e. incident_target contains user
target_user_attr string Target user name if the incident involves a user, i.e. incident_target contains targetUser
ldap_domain string Domain if the incident involves a user, i.e. incident_target contains domain
computer string Computer name if incident_target contains computer
target_computer string Target Computer name if incident_target contains targetComputer
incident_details string Incident Details containing evidence on why the incident triggered, e.g. Triggered Event Count = 90 or AVG(CPUUtil) = 90
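The parsed columns above (src_ip_addr, host_name, severity_cat and so on) are derived from the incident_src and incident_target attribute lists and the numeric severity. The following is an added example, not code from this page or from FortiSIEM: it implements the <Attribute>:Value list format and the severity bands exactly as the field table documents them, so you can check how a given incident string maps to view columns before writing queries against them. The function names and the sample strings are assumptions constructed for the example.

```python
"""Derive the parsed ph_incident_view columns from incident_src / incident_target.

Added example, not code from the Fortinet page or from FortiSIEM itself. The
"<Attribute>:Value,<Attribute>:Value" list format and the severity bands
(0-4 LOW, 5-8 MEDIUM, 9-10 HIGH) are taken from the field table above; the
function names and sample strings are assumptions for the example.
"""
from typing import Dict, Optional

# Attribute name inside the list -> ph_incident_view column it populates.
SRC_COLUMNS = {"srcIpAddr": "src_ip_addr", "srcName": "src_name"}
TARGET_COLUMNS = {
    "destIpAddr": "dest_ip_addr",
    "destName": "dest_name",
    "hostIpAddr": "host_ip_addr",
    "hostName": "host_name",
    "vmName": "vm_name",
    "user": "user_attr",
    "targetUser": "target_user_attr",
    "domain": "ldap_domain",
    "computer": "computer",
    "targetComputer": "target_computer",
}


def parse_attr_list(value: str) -> Dict[str, str]:
    """Parse 'srcIpAddr:10.1.1.1,srcName:JoeLaptop' into a dict.

    Only the first ':' of each pair separates attribute from value, so values
    that contain ':' themselves (an IPv6 address, for instance) survive intact.
    Surrounding straight or curly quotes, which the documentation shows around
    some examples, are stripped; a token without ':' is skipped rather than
    raising, so one odd token does not discard the whole incident.
    """
    cleaned = value.strip().strip('"\u201c\u201d')
    parsed: Dict[str, str] = {}
    for pair in cleaned.split(","):
        pair = pair.strip()
        if ":" not in pair:
            continue
        attr, val = pair.split(":", 1)
        parsed[attr.strip()] = val.strip()
    return parsed


def severity_category(severity: int) -> str:
    """Map the 0-10 numeric severity to severity_cat as the view defines it."""
    if not 0 <= severity <= 10:
        raise ValueError(f"severity outside 0-10: {severity}")
    if severity <= 4:
        return "LOW"
    if severity <= 8:
        return "MEDIUM"
    return "HIGH"


def derive_view_columns(incident_src: str, incident_target: str,
                        severity: int) -> Dict[str, Optional[object]]:
    """Return the parsed columns for one incident row of ph_incident_view.

    Columns whose attribute is absent from the list are set to None, matching
    the "populated if incident_target contains ..." wording of the field table.
    """
    row: Dict[str, Optional[object]] = {
        "severity": severity,
        "severity_cat": severity_category(severity),
    }
    src = parse_attr_list(incident_src)
    tgt = parse_attr_list(incident_target)
    for attr, column in SRC_COLUMNS.items():
        row[column] = src.get(attr)
    for attr, column in TARGET_COLUMNS.items():
        row[column] = tgt.get(attr)
    return row


if __name__ == "__main__":
    # Constructed sample using the attribute names from the field table.
    sample = derive_view_columns(
        "srcIpAddr:10.1.1.1,srcName:JoeLaptop",
        "hostIpAddr:10.1.1.1,hostName:JoeLaptop,user:jdoe",
        9,
    )
    for column, value in sample.items():
        print(f"{column:18} {value}")
```

Because a target list containing hostIpAddr populates the host_* columns and one containing destIpAddr populates the dest_* columns, a query that filters on only one of the two families misses the other; the sample above yields host_ip_addr but a NULL dest_ip_addr.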

Sample Incident Queries

Show Incident Categories with Severity and Frequency Occurrence

Show Incident Location

Show Incident Categories with Severity and Frequency Occurrence

This query will show which parts of the infrastructure are triggering events.

  1. Follow the instructions in Viewing phoenixdb Organization to access the phoenixdb in AccelOps Report Server.
  2. Under Views, select ph_incident_view.
  3. In pgAdmin, click on the SQL icon in the menu bar to open the SQL query window.
  4. Enter this SQL query:

SELECT ph_incident_category, incident_et, severity_cat, src_ip_addr, host_name, COUNT(*)
FROM ph_incident_view
GROUP BY ph_incident_category, incident_et, severity_cat, src_ip_addr, host_name
ORDER BY COUNT(*) DESC;

  5. When the query executes, you will see a list of matching incidents in the Output Pane.

Show Incident Location

  1. Follow the instructions in Viewing phoenixdb Organization to access the phoenixdb in AccelOps Report Server.
  2. Under Views, select ph_incident_view.
  3. In pgAdmin, click on the SQL icon in the menu bar to open the SQL query window.
  4. Enter this SQL query:

SELECT host_device_location, severity_cat, ph_incident_category, COUNT(*)
FROM ph_incident_view
GROUP BY host_device_location, ph_incident_category, severity_cat
ORDER BY host_device_location ASC, severity_cat ASC, COUNT(*) DESC;

  5. When the query executes, you will see a list of incidents and their locations in the Output Pane.
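To try the two queries above without a Report Server at hand, the following added example (not code from this page or from FortiSIEM) runs them against an in-memory SQLite table that carries the same column names as ph_incident_view. The rows, the incident_et values and the location names are constructed sample data; in production the queries are run through pgAdmin against the phoenixdb view exactly as written above.

```python
"""Run the two sample incident queries offline against constructed rows.

Added example, not from the Fortinet page. An in-memory SQLite table with the
ph_incident_view column names stands in for the real view so the aggregation
behaviour of the queries can be checked. All rows are constructed sample data.
"""
import sqlite3
from typing import Dict, List, Sequence, Tuple

COLUMNS = ("ph_incident_category", "incident_et", "severity_cat",
           "src_ip_addr", "host_name", "host_device_location")

# Constructed sample incidents; repeated rows give distinct COUNT(*) values
# so the ORDER BY results are deterministic.
SAMPLE_INCIDENTS: List[Tuple] = [
    ("Security", "Brute Force Login", "HIGH", "10.1.1.1", "web01", "HQ"),
    ("Security", "Brute Force Login", "HIGH", "10.1.1.1", "web01", "HQ"),
    ("Security", "Brute Force Login", "HIGH", "10.1.1.1", "web01", "HQ"),
    ("Server", "High CPU", "MEDIUM", None, "db01", "HQ"),
    ("Server", "High CPU", "MEDIUM", None, "db01", "HQ"),
    ("Network", "Interface Down", "LOW", None, "sw01", "Branch"),
]

# The two queries from this section, unchanged apart from whitespace.
CATEGORY_QUERY = """
SELECT ph_incident_category, incident_et, severity_cat, src_ip_addr, host_name, COUNT(*)
FROM ph_incident_view
GROUP BY ph_incident_category, incident_et, severity_cat, src_ip_addr, host_name
ORDER BY COUNT(*) DESC
"""

LOCATION_QUERY = """
SELECT host_device_location, severity_cat, ph_incident_category, COUNT(*)
FROM ph_incident_view
GROUP BY host_device_location, ph_incident_category, severity_cat
ORDER BY host_device_location ASC, severity_cat ASC, COUNT(*) DESC
"""


def build_incident_table(rows: Sequence[Tuple]) -> sqlite3.Connection:
    """Create a stand-in for ph_incident_view and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ph_incident_view (%s)"
                 % ", ".join(f"{c} TEXT" for c in COLUMNS))
    conn.executemany("INSERT INTO ph_incident_view VALUES (?,?,?,?,?,?)", rows)
    return conn


def incident_categories(conn: sqlite3.Connection) -> List[Tuple]:
    """Category/severity/frequency grouping, most frequent first."""
    return conn.execute(CATEGORY_QUERY).fetchall()


def incident_locations(conn: sqlite3.Connection) -> List[Tuple]:
    """Incidents grouped by host location, then severity category."""
    return conn.execute(LOCATION_QUERY).fetchall()


def run_samples() -> Dict[str, List[Tuple]]:
    """Load the constructed rows and return both result sets."""
    conn = build_incident_table(SAMPLE_INCIDENTS)
    return {"categories": incident_categories(conn),
            "locations": incident_locations(conn)}


if __name__ == "__main__":
    for name, rows in run_samples().items():
        print(name)
        for row in rows:
            print("  ", row)
```

One thing the second query makes visible: severity_cat is a string, so ORDER BY severity_cat ASC sorts alphabetically (HIGH, LOW, MEDIUM), not by severity. If you want the rows in severity order, group on and sort by the numeric severity column instead.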

Querying Other CMDB Tables in AccelOps Report Server

Querying Device Vendor and Model Distribution for Discovered Devices

Querying Discovered Devices

Querying Device Vendor and Model Distribution for Discovered Devices

Querying Discovered Devices

Working with Event Data in AccelOps Report Server

Data from the AccelOps EventDB database is populated to the AccelOps Report Server and stored in the Report Server reportdb. This section contains information on how to view the organization of reportdb, and write queries against the data it contains.

Viewing reportdb Organization

Syncing an AccelOps Report with Report Server

Deleting a Report from AccelOps Report Server

Modifying an Existing Report in AccelOps Report Server

Viewing reportdb Organization

This database contains the reports that are synced from the AccelOps cluster.

  1. In the pgAdmin utility, go to File > Add Server.
  2. In the New Server Registration dialog, enter connection details for AccelOps Report Server.

For Maintenance DB, select reportdb.

For the Port, enter 30000 (the default port used for reportdb).

For Username and Password, use the read-only user name and password that you created when you provisioned the Report Server.

  3. Click OK.

When the connection to the Report Server is established, reports will load in the Object browser.

  4. Select a table to view, then right-click to open the Options menu.
  5. In the Options menu, select View Data, and then select an option for which rows you want to view.

Syncing an AccelOps Report with Report Server

  1. Log in to AccelOps.
  2. Go to Analytics > Reports.
  3. Select a report.

Any report with a Sync checkbox can be synced. Run the report to make sure it contains some data.

  4. For each report you want to sync, select the Sync checkbox.
  5. Click OK.
  6. After several minutes, follow the instructions in Viewing reportdb Organization to view the reportdb database.
  7. Under Tables, you should now see the synced reports.

Table Structure for Synced Reports

When you sync an AccelOps report to AccelOps Report Server, tables are created in reportdb; in the case of AO-SP, a set of tables is created for each organization. For each organization, multiple tables are created:

  1. A parent table containing data for all months: the table name is of the form <Report Name>_<ID>_<custId>
  2. A child table for the current month: <Report Name>_<ID>_<custId>_<yYYYYmMM> where YYYY is the year and MM is the month.

Queries should be written using the parent table. To see data in the parent table, follow the instructions in Viewing reportdb Organization. The reportdb database fields are generated from the display fields in AccelOps report definitions. Only the field report_time is added to the Report Server table definitions, to capture the time when the particular report is generated. For example, if you synced the report Network Devices by CPU, Memory, you would see these fields:

Field Description
report_time UNIX time at which the report is generated. Unix time (or POSIX time or Epoch time) is a system for describing instants in time, defined as the number of seconds that have elapsed since 00:00:00 Coordinated Universal Time (UTC), Thursday, 1 January 1970, not counting leap seconds.
hostName Host Name of the device for which CPU and memory are being measured
hostIpAddr Access IP of the device for which CPU and memory are being measured
AVG(cpuUtil) Average of all the CPU utilization metrics within the last 5 minutes ending with report_time
AVG(memUtil) Average of all the memory utilization metrics within the last 5 minutes ending with report_time
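When browsing reportdb it helps to be able to tell a parent table from a monthly child table mechanically and to convert report_time into a readable timestamp. The following is an added example, not code from this page or from FortiSIEM: it implements the table naming scheme described above and the UNIX-seconds report_time field. The sample table name is one quoted later on this page; the function names are assumptions.

```python
"""Decode reportdb table names and the report_time field.

Added example, not from the Fortinet page. It implements the documented naming
scheme for synced reports (<Report Name>_<ID>_<custId> for the parent table,
with a _yYYYYmMM suffix on each monthly child table) and the UNIX-seconds
report_time column. The function names are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Optional

# Report names may contain spaces, commas and underscores, so the name group is
# greedy and the numeric ID/custId suffix is matched against the end of the name.
TABLE_NAME_RE = re.compile(
    r"^(?P<name>.+)_(?P<id>\d+)_(?P<cust>\d+)(?:_y(?P<year>\d{4})m(?P<month>\d{2}))?$"
)


class SyncedTable(NamedTuple):
    report_name: str
    report_id: int
    cust_id: int
    year: Optional[int]   # None for the parent table
    month: Optional[int]  # None for the parent table

    @property
    def is_parent(self) -> bool:
        return self.year is None

    @property
    def parent_name(self) -> str:
        """Queries should target the parent, so map any child back to it."""
        return f"{self.report_name}_{self.report_id}_{self.cust_id}"


def parse_table_name(table: str) -> SyncedTable:
    """Split a reportdb table name into its documented components."""
    m = TABLE_NAME_RE.match(table)
    if m is None:
        raise ValueError(f"not a synced-report table name: {table!r}")
    return SyncedTable(
        m.group("name"), int(m.group("id")), int(m.group("cust")),
        int(m.group("year")) if m.group("year") else None,
        int(m.group("month")) if m.group("month") else None,
    )


def child_table_name(parent: str, year: int, month: int) -> str:
    """Name of the monthly child table that belongs to a parent table."""
    return f"{parent}_y{year:04d}m{month:02d}"


# report_time is UNIX seconds. The Tableau formula and the SQL elsewhere on
# this page instead add those seconds to '1969-12-31 16:00:00-08', which is
# the epoch written in the Pacific (UTC-8) time zone, so both agree.
PACIFIC_EPOCH = datetime(1969, 12, 31, 16, 0, 0, tzinfo=timezone(timedelta(hours=-8)))


def report_time_to_utc(report_time: int) -> datetime:
    """Convert a report_time value to a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(int(report_time), tz=timezone.utc)


def report_time_via_offset(report_time: int) -> datetime:
    """The page's offset formula, for comparison; yields the same instant."""
    return PACIFIC_EPOCH + timedelta(seconds=int(report_time))


if __name__ == "__main__":
    t = parse_table_name("Network Devices By CPU, Memory_1278492569_1")
    print(t, "parent" if t.is_parent else "child")
    print(child_table_name(t.parent_name, 2016, 3))
    print(report_time_to_utc(1460000000).isoformat())  # constructed sample value
```

The regular expression matches the ID and custId from the right, so a report name that itself ends in digits or underscores still decodes correctly; the month suffix is optional, which is what distinguishes a child table from its parent.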

Deleting a Report from AccelOps Report Server

  1. Log in to AccelOps.
  2. In Analytics > Reports > Synced Reports, select the report you want to delete.
  3. In the Sync Details dialog, clear the Sync option for the report, and then click OK.

The report will no longer be synced with Report Server. You can verify this by making sure the Sync option is not selected for the report on the Analytics > Reports > Synced Reports page. You can now delete the report from AccelOps Report Server.

  4. Log in to AccelOps Report Server via SSH and navigate to the directory /opt/phoenix/deployment/jumpbox.
  5. Run the py command, along with the table name and date as arguments, to delete the report.
  6. After you have deleted the table containing the report information, you will need to delete the parent table, which will now be empty of content, using the same py command.

Modifying an Existing Report in AccelOps Report Server

Suppose a system report is synced and exported to AccelOps Report Server. When you modify that report in AccelOps, you must rename it, at which point it becomes a user report. When you then sync that report to AccelOps Report Server, a new table is created on the AccelOps Report Server.

Suppose now that you have a user-defined report that is already synced to the AccelOps Report Server, but you modify it inline in AccelOps, which means that you have changed the report conditions without changing the report name. This will cause a change in the table, but a new table will not be created. Here are some examples of inline modifications, and how they affect the structure of the table as well as the data collected in the table:

Modification Effect
GROUP BY field added The corresponding table has the new GROUP BY field, but only newer data populates the field
GROUP BY field removed There is no change in the corresponding table, and newer data does not populate the field
GROUP BY field changed For example, the field srcIpAddr is changed to destIpAddr. Both fields are retained, but newer data populates destIpAddr.
Aggregated field added The corresponding table has the new field, but only newer data populates that field
Aggregated field removed There is no change in the corresponding table, and newer data does not populate the field
Aggregated field changed For example, AVG(cpuUtil) is changed to MAX(cpuUtil). Both fields are retained, but newer data populates MAX(cpuUtil).

FortiSIEM Installing and Configuring Tableau Server

Installing and Configuring Tableau Server

Prerequisites

Installation

Activation

Configuration

 

Prerequisites

Before you begin installing Tableau Server, make sure you have read the section on Tableau Server in Requirements for Visual Analytics Report Server. This contains information on the Administrator Account and Ports that you will need during the configuration process. You may want to also consult the Tableau Server Administration Guide before you begin the installation process.

Installation
  1. Download the installation file from Tableau Software.
  2. Double-click the installation file to launch the Setup Wizard.
  3. When the Setup Wizard launches, click Next to begin the installation process.
  4. Enter a Destination Location where you want to install the server files, and then click Next.
  5. When the system verification process completes, click Next.
  6. Enter a location for the Start Menu folder, or use the default location, and then click Next.
  7. Click Install to complete the installation process.
  8. Click Next to begin the server activation process.
Activation
  1. If you are evaluating Tableau Server, click Start trial now. Otherwise, click Activate the product to enter a license key.
  2. If you enter a license key, click Activate.
  3. Click Continue to launch the Tableau Server configuration process.
Configuration
  1. In the Configuration dialog, enter a User Name and Password for the domain admin account that you will use to administer the Tableau Server.
  2. If necessary, enter a Gateway port through which you will connect to the server over HTTP.
  3. Click OK.

The initialization process will launch and complete within several minutes.

  4. Click Finish to complete the configuration process.
  5. Launch the Tableau Server user interface by entering the URI for the server in a browser window.

The URI will be in the format http://<Windows_Server_IP_Address>:<Port_Number_Used_In_Step_2>

  6. Sign in to the server by entering the credentials for the domain admin account that you created in Step 1, and then click Sign In.
  7. Click the Admin tab and select Maintenance.
  8. Under Status, check to make sure that all systems are up and running.

You are now ready to install Tableau Desktop. After you have completed the Desktop installation process and connected to Report Server for the first time to create a sheet, as described in Creating a Single Sheet Workbook, you will also have established the connection between AccelOps Report Server and Tableau Server.


FortiSIEM Creating and Managing Workbooks

Creating and Managing Workbooks

This section contains information on using Visual Analytics Desktop to create sheets and workbooks that are based on AccelOps reports, and then publishing them for others to use.

Viewing Workbooks

Creating and Publishing Workbooks

Creating a Single Sheet Workbook

Creating a Multiple Sheet Workbook

Using AccelOps Workbooks with Tableau Visual Analytics Desktop and Server

Adding Users to Workbooks

Viewing Workbooks
  1. Log in to Visual Analytics Server.
  2. Click the Content tab and select Workbooks.
  3. Click on a workbook.

The workbook along with the various worksheets are displayed.

  4. Select a workbook or worksheet.
  5. You will be prompted for credentials that will allow the workbook or worksheet to access database information. Enter the Admin credential that you used to set up AccelOps Report Server and click OK.
  6. When your credential is accepted, the chart associated with the selected workbook or worksheet will be displayed.
Creating and Publishing Workbooks

Workbooks are collections of AccelOps reports that have been synced to AccelOps Report Server, and which are then the basis for charts and dashboards that can be published to Visual Analytics Server for access by other users. Information in this section describes how to create single and multiple sheets of report information, and then make them accessible to other users.

Creating a Single Sheet Workbook

Creating a Multiple Sheet Workbook

Using AccelOps Workbooks with Tableau Visual Analytics Desktop and Server

Creating a Single Sheet Workbook

These instructions demonstrate how to create a single-sheet workbook that will chart the CPU and memory utilization trend for various servers. This example uses the Servers by CPU, Memory report and its associated table, but any report with a table in the reportdb database can also be used. The Tableau Desktop online Help also contains extensive information about building sheets and workbooks with the Tableau Desktop editor, which powers the AccelOps Visual Analytics Desktop.

Prerequisites

Procedure

Create the Sheet

Create the Workbook

Publish the Workbook

Prerequisites

Follow the instructions in Syncing an AccelOps Report with Report Server to sync the report you want to use for your worksheet.

You will need to know the name of the parent table for your synced report. Follow the instructions in Viewing reportdb Organization to find the table that corresponds to your report.

Procedure

Create the Sheet

  1. Launch Tableau Visual Analytics Desktop.
  2. Connect to AccelOps Report Server with the Username and Password that you used during Report Server installation. For Database, enter reportdb. For Port, enter 30000.

Connecting to Port 30000

It's important to make sure you enter the correct port to connect to the reportdb database. If you leave this option blank you will connect to the default PostgreSQL database port, which will connect you with phoenixdb instead of reportdb. For more information about the databases contained in Report Server, see Report Server Architecture: phoenixdb and reportdb.

  3. Under Tables, select the parent table for your report.

For the steps following, we will use the Servers by CPU, Memory table and its associated columns.

  4. Drag the table to the View pane and click Update Now.

The data in the table will load into the pane below. Note that the table columns closely match the Report Display Columns in AccelOps.

  5. For Connection, select Live.
  6. Click Go to Worksheet.

In the worksheet view you will see that a set of Dimensions and Measures are populated for the table.

  7. Under Measures, select Report Time and drag it to the Dimensions section to create Report Time as a calculated measurement.
  8. Under Dimensions, right-click on Report Time to edit the calculation formula and convert it to a human-readable format from UNIX time. The formula should look like DATEADD('second',INT([Report Time]),#1969-12-31 16:00:00#)
  9. Drag Report Time from Dimensions to Columns.
  10. Under Columns, right-click on Report Time and select Exact Date.

You should now see dates and time increments on the X-axis of your chart.

  11. Under Measures, select and drag AVG(cpuUtil) and AVG(memUtil) to Rows.
  12. Set the aggregation of both AVG(cpuUtil) and AVG(memUtil) to AVG. For example, AVG(AVG(cpuUtil)) and AVG(AVG(memUtil)).

You should now see both measures on the Y-axis of your chart.

  13. Under Dimensions, drag Host Name to the Color section under Marks. Each host will be assigned a color and added to the chart.
  14. Change the chart display name for AVG(cpuUtil) and AVG(memUtil) by clicking on each in the Y-axis to launch the Edit Y-Axis dialog.

You can now edit the Title and Range, as well as other attributes, for each measure.

  15. Under Data, click on the data source to open the Options menu, then click Refresh.
  16. Rename the sheet by clicking on the data source to open the Options menu, then select Rename and enter a new name.

Your sheet is now complete. Hover your mouse over a trend line to view information about a specific host.

Create the Workbook

  1. Click the Dashboard tab on the bottom of the Sheet editor to open the Dashboard
  2. Under Dashboard, select an appropriate Size and screen resolution.
  3. Under Dashboard, select the sheet and drag it into the display pane.
  4. Open the Dashboard options menu and select Rename.

Change the name of the dashboard from Server CPU/Memory Trend to Server Performance.

  5. In the File menu, select Save.

Publish the Workbook

  1. In the Server menu, select Sign In…
  2. Enter the IP address and port number for the Visual Analytics Server.
  3. Enter the Username and Password for the Visual Analytics Server admin user, and then click Sign In.
  4. In the Server menu, select Publish Workbook.
  5. Enter attributes for the workbook, such as the associated Project, Name, View Permissions, and Views to Share.

See Adding Users to Workbooks for more information about user permissions for workbooks.

  6. Click Publish.

Creating a Multiple Sheet Workbook

These instructions demonstrate how to create a multiple-sheet workbook that will contain a set of charts related to Network Health. This example uses the Network Devices by Ping RTT, Network Interfaces By Utilization, and Network Devices By CPU, Memory reports, but any report with an associated table and views in the reportdb database could be used. The Tableau Desktop online Help also contains extensive information about building sheets and workbooks with the Tableau Desktop editor, which powers the AccelOps Visual Analytics Desktop.

Prerequisites

Procedure

Create a View

Create a Workbook that Uses the View

Create the Workbook

Publish the Workbook

Prerequisites

Follow the instructions in Syncing an AccelOps Report with Report Server to sync the reports you want to use for your worksheet. You will need to know the name of the parent table for your synced reports. Follow the instructions in Viewing reportdb Organization to find the table that corresponds to your report.

Procedure

Create a View

Each report you want to include in your workbook corresponds to a table in the AccelOps reportdb. These tables need to be joined to cross-link the information that will appear in your workbook. In the case of a Network Health workbook that includes the sheets Network Devices by Ping RTT, Network Interfaces By Utilization, and Network Devices By CPU, Memory, the joining keys are host name and time.

  1. Follow the instructions in Viewing reportdb Organization to find the parent tables for the reports you want to join.

For each report there is one parent table and multiple child tables containing data for a particular month.

  2. Create a SQL statement in pgAdmin to join the tables.

In this example data is captured for one day. This enables quick generation of the data visualization.

SELECT cpu.report_time, cpu."hostName", cpu."hostIpAddr", cpu."AVG(cpuUtil)", cpu."AVG(memUtil)",
       uptime."SUM(sysDownTime)", uptime."AVG(avgDurationMSec)", uptime."LAST(sysUpTime)",
       uptime."SUM(pollIntv)", util."intfName", util."intfAlias",
       util."AVG(inIntfUtil)" AS "totalAvgInIntfUtil", util."AVG(outIntfUtil)" AS "totalAvgOutIntfUtil",
       util."AVG(recvBitsPerSec)" AS "totalAvgRecvBitsPerSec",
       util."AVG(sentBitsPerSec)" AS "totalAvgSentBitsPerSec",
       util."AVG(outQLen)", util."AVG(intfSpeed64)"
FROM "Network Devices By CPU, Memory_1278492569_1" cpu,
     "Network Devices by Ping RTT_2021056235_1" uptime,
     "Network Interfaces By Utilization_382117475_1" util
WHERE ((cpu.report_time * 1000)::double precision * '00:00:00.001'::interval + '1969-12-31 16:00:00-08'::timestamp with time zone) >= (now() - 1::double precision * '1 day'::interval)
  AND ((uptime.report_time * 1000)::double precision * '00:00:00.001'::interval + '1969-12-31 16:00:00-08'::timestamp with time zone) >= (now() - 1::double precision * '1 day'::interval)
  AND ((util.report_time * 1000)::double precision * '00:00:00.001'::interval + '1969-12-31 16:00:00-08'::timestamp with time zone) >= (now() - 1::double precision * '1 day'::interval)
  AND cpu.report_time = uptime.report_time AND cpu."hostName" = uptime."hostName"
  AND uptime.report_time = util.report_time AND uptime."hostName" = util."hostName";

  3. Click the Play icon in pgAdmin to execute the query.

Make sure the output pane contains data that is the result of the query execution.

  4. Modify the SQL statement to create a view.

Add this command at the top of the SQL statement:

CREATE OR REPLACE VIEW ph_network_health_view AS

Add this command at the bottom of the SQL statement:

grant select on ph_network_health_view TO public;

Your complete SQL statement should look like this:

CREATE OR REPLACE VIEW ph_network_health_view AS
SELECT cpu.report_time, cpu."hostName", cpu."hostIpAddr", cpu."AVG(cpuUtil)", cpu."AVG(memUtil)",
       uptime."SUM(sysDownTime)", uptime."AVG(avgDurationMSec)", uptime."LAST(sysUpTime)",
       uptime."SUM(pollIntv)", util."intfName", util."intfAlias",
       util."AVG(inIntfUtil)" AS "totalAvgInIntfUtil", util."AVG(outIntfUtil)" AS "totalAvgOutIntfUtil",
       util."AVG(recvBitsPerSec)" AS "totalAvgRecvBitsPerSec",
       util."AVG(sentBitsPerSec)" AS "totalAvgSentBitsPerSec",
       util."AVG(outQLen)", util."AVG(intfSpeed64)"
FROM "Network Devices By CPU, Memory_1278492569_1" cpu,
     "Network Devices by Ping RTT_2021056235_1" uptime,
     "Network Interfaces By Utilization_382117475_1" util
WHERE ((cpu.report_time * 1000)::double precision * '00:00:00.001'::interval + '1969-12-31 16:00:00-08'::timestamp with time zone) >= (now() - 1::double precision * '1 day'::interval)
  AND ((uptime.report_time * 1000)::double precision * '00:00:00.001'::interval + '1969-12-31 16:00:00-08'::timestamp with time zone) >= (now() - 1::double precision * '1 day'::interval)
  AND ((util.report_time * 1000)::double precision * '00:00:00.001'::interval + '1969-12-31 16:00:00-08'::timestamp with time zone) >= (now() - 1::double precision * '1 day'::interval)
  AND cpu.report_time = uptime.report_time AND cpu."hostName" = uptime."hostName"
  AND uptime.report_time = util.report_time AND uptime."hostName" = util."hostName";
grant select on ph_network_health_view TO public;

  5. In pgAdmin, click the Play icon to execute the statement.
  6. Using pgAdmin, navigate to the Views and make sure the ph_network_health_view has been created.
  7. Right-click on ph_network_health_view to open the Options menu, then select View Data > View Last 100 Rows to make sure the view contains data.
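The view above only yields a row when all three reports produced a row for the same host at exactly the same report_time, and only for the last day. The following added example (not code from this page or from FortiSIEM) reproduces that join in an in-memory SQLite database using the three table names from the view, with a subset of their columns, so the behaviour can be seen on constructed data: one host joins, one is dropped because it is missing from a report, and one is dropped because its rows are older than a day. The PostgreSQL interval arithmetic is replaced by a comparison on the raw UNIX seconds, which selects the same rows; all rows are constructed sample data.

```python
"""Reproduce the Network Health join offline against constructed rows.

Added example, not from the Fortinet page. It creates the three parent tables
named in the view (with a subset of their columns) in an in-memory SQLite
database and a ph_network_health_view joined on report_time and hostName with
the same last-one-day restriction. All rows are constructed sample data.
"""
import sqlite3
import time
from typing import List, Tuple

CPU_TABLE = "Network Devices By CPU, Memory_1278492569_1"
RTT_TABLE = "Network Devices by Ping RTT_2021056235_1"
UTIL_TABLE = "Network Interfaces By Utilization_382117475_1"

ONE_DAY = 86400

# Same join keys and time window as the page's view; report_time is compared
# as UNIX seconds instead of being converted to a timestamp first.
VIEW_SQL = f'''
CREATE VIEW ph_network_health_view AS
SELECT cpu.report_time, cpu."hostName", cpu."hostIpAddr", cpu."AVG(cpuUtil)", cpu."AVG(memUtil)",
       uptime."AVG(avgDurationMSec)", util."intfName",
       util."AVG(inIntfUtil)" AS "totalAvgInIntfUtil", util."AVG(outIntfUtil)" AS "totalAvgOutIntfUtil"
FROM "{CPU_TABLE}" cpu, "{RTT_TABLE}" uptime, "{UTIL_TABLE}" util
WHERE cpu.report_time    >= CAST(strftime('%s', 'now') AS INTEGER) - {ONE_DAY}
  AND uptime.report_time >= CAST(strftime('%s', 'now') AS INTEGER) - {ONE_DAY}
  AND util.report_time   >= CAST(strftime('%s', 'now') AS INTEGER) - {ONE_DAY}
  AND cpu.report_time = uptime.report_time AND cpu."hostName" = uptime."hostName"
  AND uptime.report_time = util.report_time AND uptime."hostName" = util."hostName"
'''


def build_report_tables(conn: sqlite3.Connection, now: int) -> None:
    """Create the three synced-report tables and load constructed rows."""
    conn.execute(f'CREATE TABLE "{CPU_TABLE}" (report_time INTEGER, "hostName" TEXT, '
                 '"hostIpAddr" TEXT, "AVG(cpuUtil)" REAL, "AVG(memUtil)" REAL)')
    conn.execute(f'CREATE TABLE "{RTT_TABLE}" (report_time INTEGER, "hostName" TEXT, '
                 '"AVG(avgDurationMSec)" REAL)')
    conn.execute(f'CREATE TABLE "{UTIL_TABLE}" (report_time INTEGER, "hostName" TEXT, '
                 '"intfName" TEXT, "AVG(inIntfUtil)" REAL, "AVG(outIntfUtil)" REAL)')
    recent = now - 3600          # inside the one-day window
    stale = now - 3 * ONE_DAY    # outside it
    # sw01: rows at the same report_time in all three reports -> joins.
    # sw02: only a CPU row -> the inner join drops it.
    # sw03: rows in all three reports, but older than a day -> filtered out.
    conn.executemany(f'INSERT INTO "{CPU_TABLE}" VALUES (?,?,?,?,?)', [
        (recent, "sw01", "10.0.0.1", 35.0, 60.0),
        (recent, "sw02", "10.0.0.2", 50.0, 70.0),
        (stale, "sw03", "10.0.0.3", 90.0, 95.0),
    ])
    conn.executemany(f'INSERT INTO "{RTT_TABLE}" VALUES (?,?,?)', [
        (recent, "sw01", 4.2),
        (stale, "sw03", 20.0),
    ])
    conn.executemany(f'INSERT INTO "{UTIL_TABLE}" VALUES (?,?,?,?,?)', [
        (recent, "sw01", "Gi0/1", 12.5, 8.0),
        (stale, "sw03", "Gi0/1", 80.0, 70.0),
    ])


def network_health(conn: sqlite3.Connection) -> List[Tuple]:
    """Rows currently visible through the view, one per host/interface."""
    return conn.execute(
        'SELECT "hostName", "AVG(cpuUtil)", "AVG(avgDurationMSec)", "intfName", '
        '"totalAvgInIntfUtil" FROM ph_network_health_view ORDER BY "hostName"'
    ).fetchall()


def demo() -> List[Tuple]:
    """Build the tables relative to the current time, create the view, query it."""
    conn = sqlite3.connect(":memory:")
    build_report_tables(conn, int(time.time()))
    conn.execute(VIEW_SQL)
    return network_health(conn)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The practical consequence for the dashboard: if the three reports are scheduled at different times, their report_time values never coincide and the view is empty even though every table has data, so schedule the reports you intend to join on the same interval.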

Create a Workbook that Uses the View

  1. Launch AccelOps Visual Analytics Desktop.
  2. Connect to AccelOps Report Server with the Username and Password that you used during Report Server installation. For Database, enter reportdb. For Port, enter 30000.
  3. Under Tables, enter the name of the view you created in the search box to locate the view.
  4. Drag the view into the Join pane and click Update Now. The data in the view will load into the pane below.
  5. For Connection, select Live.
  6. Click Go to Worksheet.

In the worksheet view you will see that a set of Dimensions and Measures are populated for the view.

An example worksheet showing CPU and Memory Utilization with several Dimensions and Measures populated from the original table.

  7. For each report in your workbook you can now create an individual sheet, as described in Creating a Single Sheet Workbook.

Create the Workbook

  1. Click the Dashboard tab on the bottom of the Sheet editor to open the Dashboard
  2. Drag each sheet you've created into the Join pane.

An example of three worksheets loaded into the Dashboard Join pane.

  3. Under Dashboard, select an appropriate Size and screen resolution.
  4. Open the Dashboard Options menu and select Rename.
  5. In the File menu, select Save.

Publish the Workbook

  1. In the Server menu, select Sign In…
  2. Enter the IP address and port number for the Visual Analytics Server.
  3. Enter the Username and Password for the Visual Analytics Server admin user, and then click Sign In.
  4. In the Server menu, select Publish Workbook.
  5. Enter attributes for the workbook, such as the associated Project, Name, View Permissions, and Views to Share.

See Adding Users to Workbooks for more information about user permissions for workbooks.

  6. Click Publish.

Using FortiSIEM Workbooks with Tableau Visual Analytics Desktop and Server


Using AccelOps Workbooks with Tableau Visual Analytics Desktop and Server

You can use any of the workbooks provided by AccelOps, which are attached to this page, to create visualizations of AccelOps data.

  1. Download a workbook attached to this page to your local device where Tableau Visual Analytics Desktop is installed.
  2. In Visual Analytics Desktop, go to File > Open….
  3. Browse to the file you downloaded and open it.
  4. You can make any changes you want to the workbook, or you can upload it to the server and start using it as is. Follow the instructions in the Publish the Workbook section of Creating a Single Sheet Workbook to publish to the Tableau Visual Analytics Server, and add user permissions as described in Adding Users to Workbooks.

Adding Users to Workbooks

Only the workbook publisher can give access to specific users during report creation time. As the AccelOps Visual Analytics Server Administrator, you can add users to the system and view which workbooks users can access.

Adding Users to Visual Analytics Server

Viewing User Access to Workbooks

Adding Users to Visual Analytics Server

  1. Log in to AccelOps Visual Analytics Server.
  2. In the Admin tab click Users.
  3. Click Add.
  4. Enter the user name as it appears in Active Directory.
  5. Select the License Level for the user and assign User Rights as necessary.
  6. Click OK.

Viewing User Access to Workbooks

  1. Log in to Visual Analytics Server.
  2. In the Admin tab click Users.
  3. Select a user name to see the workbooks that the user can access.

FortiSIEM Real Time Performance Probe

Real Time Performance Probe

This section describes how to probe monitored devices for real time performance metrics.

Available metrics

GUI launch locations

Running a real time probe

Example – Real time Interface Statistics Display

Available metrics

CPU utilization

Memory utilization

Network interface statistics

Uptime

Disk utilization

SNMP Ping Statistics

Process Utilization

GUI launch locations

The Real Time Performance Metrics option is available from the following GUI locations:

CMDB > Device > IP Address > Right click

CMDB > Device > Interfaces > Name > Right click

Incident > Incident Source and Incident Target > Right click

Running a real time probe

From any of the above locations, select Real Time Performance Metrics

Select the parameters

Select Job Name as the metric of interest

Select polling Frequency in seconds

Select the number of Runs as the number of times the device will be polled

Select the Collector which should communicate to the device

Depending on the job name, you may also need to select a Filter. For example, select Interface Name for Network Interface Statistics.

Example – Real time Interface Statistics Display


FortiSIEM Viewing and Searching Incidents

Viewing and Searching Incidents

The Incident Dashboard displays incident information for your IT infrastructure based on the filter conditions you set. You can also view incidents grouped by incident attributes, use values in incident attributes to refine your searches, view information about rules that triggered incidents, and use incident information to create rule exceptions and event dropping rules.

List View of Incidents

Searching for Incidents by Incident Attributes

Using Group By Attributes to View Incidents

Device Risk View of Incidents

Calendar View of Incidents

Fishbone View of Incidents

List View of Incidents

There are two ways you can view the incidents that are occurring in your IT infrastructure.

The Incidents tab, shown in the screenshot for this topic, where you can view incidents and incident details

Dashboard > Incident Dashboard, which includes the same incident summary and user interface controls found in the Incidents tab, but which also provides other views of incidents, including a fishbone view of incidents in your infrastructure, a topology view with the number and severity of incidents overlaid on devices, a calendar view, and a location view that includes both a summary view of incident source and target IP locations and a map view, along with the number and severity of incidents for that location overlaid on the map.

In both locations you can filter the incidents in the dashboard, find out more information about sources and targets of incidents, customize the dashboard layout, and manage the rules associated with incidents.

Incident Attributes

Incident Dashboard User Interface Controls

Incident Dashboard Filter Controls

Incident Management Controls

Contextual Menus

Incident Details

Incident Details

Triggered Events

Related Incidents

Incident Attributes

An Incident has the following attributes.

Attribute Name Description
Event Severity Category The severity of the incident: High, Medium, or Low
Last Seen Time The last time that the incident was triggered
First Seen Time The first time that the incident was triggered
Incident Name The name of the rule that triggered the incident
Incident ID The unique ID assigned to the incident
Incident Source The source IP or host name that triggered the incident
Incident Target The IP or host name where the incident occurred
Incident Detail Event attributes that triggered the incident
Status The status of the incident: Active, Cleared, Cleared Manually, System Cleared
Cleared Reason For manually cleared incidents, this displays the reason the incident was cleared
Cleared Time The time an incident was cleared
Cleared User The person who cleared the incident
Comments Any comments that users have entered for the incident
Ticket Status Status of any tickets associated with the incident
Ticket ID The ID number of any tickets generated by the incident
Ticket User The person assigned to any tickets generated by the event
External User If the ticket was cleared in an external ticket-handling system, this lists the name of the person the ticket was assigned to
External Cleared Time If the ticket was cleared in an external ticket-handling system, this lists the time it was cleared
External Resolved Time If the ticket was resolved in an external ticket-handling system, this lists the time it was resolved
External Ticket ID The ID of the incident in an external ticket-handling system
External Ticket State The state of the incident ticket in an external ticket-handling system
External Ticket Type The type assigned to the incident ticket in an external ticket-handling system
Organization The organization reporting the event
Impacts Organizations impacted by the event
Business Service Business services impacted by the incident
Incident Notification Status Status of any notifications that were sent because of the incident
Notification Recipients Who received notification of the incident
Incident Count How many times the incident has occurred during the selected time interval

Incident Dashboard User Interface Controls

This screenshot shows the Incidents tab with the major user interface controls outlined in red.

Incident Dashboard Filter Controls

The filter controls let you control which incidents are shown in the dashboard.

| Filter Control | Description |
| --- | --- |
| Filter Criteria | You have three options for the filter conditions. ID: search for an incident by ID. IP: search for incidents based on an IP address. Advanced: set filter conditions based on event attributes as described in Creating a Structured Real Time Search; see Selecting Attributes for Structured Searches, Display Fields, and Rules for more information about using attributes in search filters. |
| Group By | Use these options to group incidents in the dashboard based on incident attributes. See Using Group By Attributes to View Incidents for more information. |
| Severity | Use these options to see only incidents with the selected severity level. |
| Function | Use these options to view incidents related to a specific infrastructure functional area, such as Performance or Security. |
| Incident Status | Filter the incidents to view according to their status. |
| Ticket Status | Filter incidents based on the status of their associated tickets. See Creating Tickets In FortiSIEM In-built Ticketing System for more information. |
| Time Selection | Select the time interval during which incidents should have occurred. The default is Last 2 Hours. |
| Organization | For multi-tenant deployments, select the organization you want to view incidents for. |
| Impacts | For multi-tenant deployments, select an organization to view the incidents that are impacting it. |

Incident Management Controls

| Control | Description |
| --- | --- |
| Refresh | Refresh the dashboard view. |
| Edit Rule | Edit the rule associated with the incident. See the topics under Rules for more information. |
| Exception | Create an exception to the rule associated with the incident. See Defining Rule Exceptions for more information. |
| Ticket | Create a ticket from the incident. See Creating Tickets In FortiSIEM In-built Ticketing System for more information. |
| History | View the ticket history associated with an incident. |
| Clear | Clear the incident. See Defining Clear Conditions for more information on how to set rule conditions that will automatically clear incidents. All non-security related incidents are cleared from the system every night at midnight local time, and will show a status of System Cleared. A status of Manual Clear means that a user cleared the incident from the Incident Dashboard, while Clear means it was cleared by a rule condition. |
| Comments | Add comments to the incident. |
| Columns | Change the columns displayed in the summary table. Incident Columns describes all the columns that can be added to the Incident Dashboard. |
| Export | Export the incident information to a PDF or CSV file. |
| Locations | View geolocation information about the incidents. Pin colors on the map indicate incident severity: Red = HIGH severity; Yellow = MEDIUM severity; Green = LOW severity; Black = incidents with multiple severity levels at the same location. |

Contextual Menus

Clicking on an item within a column of the incident summary opens a contextual menu. Its options depend on whether the incident attribute you selected includes an IP address (Source IP or Target IP, for example) or is some other kind of incident attribute. Both menus share an Add to Filter option, which lets you select a result attribute and add it to the Filter By conditions. Both menus also include most of the options available in the Incident Management controls to edit rules and add exceptions to them. The IP address contextual menu additionally provides options to view more information about the associated device, with many of the same options you would find in the Analysis menu used in search summary dashboards.

This screenshot shows the IP contextual menu open after selecting an IP address in the Incident Source column of the Incidents tab.

Incident Details

The Incident Details pane at the bottom of the Incidents Dashboard provides you with information about a selected incident in three areas: Incident Details, Triggered Events, and Related Incidents.

Incident Details

The Incident Details include the ID of the incident, specific details about the event that triggered the incident, and the definition of the rule associated with the incident.

Triggered Events

The list of events that triggered the incident. For columns containing an event type, or host or IP information, click on an item to open a contextual menu and view more information about it.

Related Incidents

Use this menu to view related incidents based on the Source, Target, Rule Name, or Reporting IP associated with the selected incident.

Searching for Incidents by Incident Attributes

As you review incidents in your dashboard, you may want to build searches based on attributes from selected incidents. For example, you may want to use the value of the Incident Target attribute in an incident as a filter condition to find similar or related incidents, and then add more conditions based on the results of that search.

  1. Log in to your Supervisor node.
  2. Go to Incidents.
  3. In the Incident Dashboard, select an incident.
  4. Click on the attribute value for the selected incident that you want to add to the Filter By condition to open the Options menu, and then select Add to Filter.

The type of search will change to Advanced, and the attribute value you selected will be added to the Filter By conditions.

  5. Click in the Filter By Conditions field to open the Conditions Builder and add other incident attributes.
  6. Click Refresh when you’re done creating filter conditions to see the results.

FortiSIEM Using Group By Attributes to View Incidents

The Incident Dashboard presents a view of all incidents based on the filter conditions you select. However, there may be situations in which you want to view incidents grouped on incident attributes like Incident Source, Incident Target, Severity, or Incident Name. Once incidents are grouped by their attributes, you can view Incident Details for the entire group.

  1. Log in to your Supervisor node.
  2. Go to Incidents.
  3. In the Group By menu, select the attributes you want to use to group the incidents, and then click Refresh.

The Incident Dashboard will refresh and display incidents grouped according to the attributes you selected, with a COUNT(Matched Events) column that indicates how many incidents are in each group.

  4. Select a group and then click on it to open the Options menu.
  5. In the Options menu, select Show Incident Details for This Group.

The Incident Dashboard will refresh to show all incidents in the selected incident group, and you can use the Contextual Menus to find out more information about them.

FortiSIEM Device Risk View of Incidents

Viewing Devices Sorted By Risk

  1. Go to the Incidents tab.
  2. Set Group By to Host Risk Score.
  3. The left pane shows the devices sorted by risk.
  4. The right pane shows the incidents for the device selected in the left pane.

Calendar View of Incidents

The calendar view of incidents provides a summary view of the number of incidents that have occurred on a calendar day, grouped by severity. Clicking a group loads a summary of those incidents.

This screenshot shows the calendar view of incidents for the month of February 2015.

Fishbone View of Incidents

The fishbone view of incidents presents a view of networks and the devices in those networks, along with the incidents triggered for those devices over the last 24 hours. This view is derived from the Network Segments in the CMDB, with the devices associated with those segments overlaid. The numbers and colors for each device indicate the number and severity of incidents associated with that device.

Clicking on an incident number will show you a summary of those incidents. Clicking on Last Seen, First Seen, Incident Name, or Incident Details in that summary will let you select Incident Details to view more information. Clicking on any IP address associated with the device will open a contextual menu that lets you find out more information about that device.

Clicking on an IP number or hostname in the fishbone view will let you view the Quick Info for that device, or you can select Topology to view it within the context of your network topology.

Hovering your mouse cursor over a device or incident number will show you the IP address and host name for that device, as well as the type of device.

This screenshot shows an example fishbone view of network segments, devices, and associated incidents.

Incident Notifications

The sending of notifications when an incident occurs is handled by Notification Policies, which you can see listed in the Analytics > Incident Notification Policies page. Instead of having notifications set for each rule, you can create a policy and have it apply to multiple rules.

When viewing the notification policies, think of the columns on the page as representing a series of “If … and … then” statements that lead to the notification action. For example, you could read the table columns as a sentence:

“IF Incident Severity is X1 AND Rule is X2 AND Time Range is X3 AND Affected Items includes X4 AND Affected Organizations is X5, THEN take the actions specified in the ACTION column.”

When AccelOps evaluates whether a notification action should be triggered based on the notification conditions, it evaluates all notification policies, and will trigger the actions of all policies that meet the condition, instead of just the first policy that meets the conditions. This means that the order of policies in the list doesn’t matter, and that you can write policies with overlapping conditions that could also, for example, include different actions.

See also the topics under Incident Notification for more information about the methods that are available for sending notifications from AccelOps, including the AccelOps API.

Creating an Incident Notification Policy

Sending Email and SMS Notifications for Incidents

Customizing Email Templates for Notifications

Setting Scripts as Notification Actions

Example of a Windows Restart Script as a Notification Action

Incident XML File Format

Viewing Incident Notification History

FortiSIEM Creating an Incident Notification Policy

Prerequisites

Make sure you have enabled the settings for sending email or other notification actions as described in Setting Up Routing Information for Reports and Incident Notifications.

You should read the introductory topic on incident notifications to understand how policy conditions are processed.

Procedure

  1. Log in to your Supervisor node.
  2. Go to Analytics > Incident Notification Policy.
  3. Click New.
  4. Select the Incident Severity.

Only incidents matching the severity level you select will trigger a notification.

  5. For Rules, click and select the rule or rules you want to trigger this notification.
  6. Set a Time Range during which this notification will be in effect.

Notifications will be sent only if an incident occurs during the time range you set here.

  7. For Affected Items, click and use the CMDB Browser to select the devices or applications for which this policy should apply.

Instead of individual devices or groups, you can apply the notification policy to an IP address or range by clicking Add under IP/Range. You can also select a group, and then select the Not option to explicitly exclude that group of applications or devices from the notification policy.

  8. For multi-tenant deployments, select the Organizations to which the notification policy should apply.

Notifications will be sent only if the triggering incidents affect the selected organization.

  9. Select the Actions to take when the notification is triggered.

See the topics under Sending Email and SMS Notifications for Incidents, Creating Tickets In FortiSIEM In-built Ticketing System, Creating Inbound Policies for Updating Ticket Status from External Ticketing Systems, and Setting Scripts as Notification Actions for more information about notification actions.

  10. Enter any Comments about the policy.
  11. When you are finished creating the notification policy, select Enabled to make it active in your deployment.
  12. Click Save.
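
The evaluation rule described in the introductory topic (every policy whose conditions all hold contributes its actions, so policy order does not matter and overlapping policies may all fire) and the policy fields from the procedure above, modelled as an added example. This is not FortiSIEM code: the Policy class, its field names, the IP-network matching of Affected Items and the constructed policies and incident are assumptions for illustration.

```python
"""Model of how the Incident Notification Policy table is evaluated.

Added example, not FortiSIEM code. The policy fields (severity, rules, time range,
affected items with the Not option, organizations, actions, enabled) follow the
procedure above; the classes, field names and matching rules are assumptions.
"""
from datetime import datetime, time
import ipaddress


class Policy(object):
    """One row of the policy table: IF every condition holds THEN run the actions."""

    def __init__(self, name, severities, rules, time_range, affected, organizations,
                 actions, exclude_affected=False, enabled=True):
        self.name = name
        self.severities = set(severities)              # empty = any severity
        self.rules = set(rules)                        # empty = any rule
        self.time_range = time_range                   # (start, end) as datetime.time
        self.affected = [ipaddress.ip_network(a) for a in affected]  # empty = any item
        self.organizations = set(organizations)        # empty = any organization
        self.actions = list(actions)
        self.exclude_affected = exclude_affected       # the "Not" option: skip listed items
        self.enabled = enabled

    def in_time_range(self, when):
        start, end = self.time_range
        t = when.time()
        if start <= end:
            return start <= t <= end
        return t >= start or t <= end                  # window that wraps past midnight

    def covers_target(self, target_ip):
        if not self.affected:
            return True
        hit = any(ipaddress.ip_address(target_ip) in net for net in self.affected)
        return not hit if self.exclude_affected else hit

    def matches(self, incident, when):
        return (self.enabled
                and (not self.severities or incident["severity"] in self.severities)
                and (not self.rules or incident["rule"] in self.rules)
                and self.in_time_range(when)
                and self.covers_target(incident["target_ip"])
                and (not self.organizations
                     or incident["organization"] in self.organizations))


def actions_for(policies, incident, when):
    """Every matching policy contributes its actions, not only the first one found."""
    actions = []
    for policy in policies:
        if policy.matches(incident, when):
            actions.extend(policy.actions)
    return sorted(actions)


ALL_DAY = (time(0, 0), time(23, 59, 59))

# Constructed policies and incident for illustration (assumed values).
POLICIES = [
    Policy("Email SOC on any HIGH", ["HIGH"], [], ALL_DAY, [], [], ["email:soc"]),
    Policy("Restart service in business hours", ["HIGH", "MEDIUM"],
           ["Auto Service Stopped"], (time(8, 0), time(18, 0)),
           ["172.16.10.0/24"], ["Super"], ["script:/tmp/restartWinService.py"]),
    Policy("Page on-call, except the lab segment", ["HIGH"], [], ALL_DAY,
           ["10.1.20.0/24"], [], ["sms:oncall"], exclude_affected=True),
]

INCIDENT = {"severity": "HIGH", "rule": "Auto Service Stopped",
            "target_ip": "172.16.10.15", "organization": "Super"}


def actions_at(hour, incident=INCIDENT, policies=POLICIES):
    """Evaluate the policies for an incident raised at HH:00 on a fixed (constructed) day."""
    return actions_for(policies, incident, datetime(2015, 2, 10, hour, 0))


if __name__ == "__main__":
    for hour in (10, 22):
        print("%02d:00 -> %s" % (hour, actions_at(hour)))
```

At 10:00 all three policies fire for the sample incident; at 22:00 the business-hours script policy drops out while the other two still send. Reversing the policy list yields the same action set, which is the order-independence the introduction describes.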

FortiSIEM Sending Email and SMS Notifications for Incidents

When you set actions for an incident notification, one option is to send an email or SMS message to groups or individuals, and you also have an option to specify a template that should be used in the email.

Prerequisites

Procedure

Related Links

Prerequisites

Make sure the email gateway has been configured for your deployment.

You should also have set up any email templates that you want to use for notifications.

Procedure

  1. Log in to your Supervisor node.
  2. Go to Analytics > Incident Notification Policy.
  3. Select the policy that you want to set up the email or SMS notification for.
  4. Under Actions, next to the email/sms notification table, click .
  5. For multi-tenant deployments, select the Organization that contains the individuals or groups you want notified.

Under Folders, you will see the user groups for that organization listed.

  6. In the Folders pane, select a group.

In the Items pane, you will see a list of users for that group.

  7. Select a group and click Folder >> to add the group to the Notification Actions list, or select individual users and click Items >>.
  8. Under Notification Actions, select the Method, Email or SMS, that you want to use to send the notification.
  9. Select an Email Template if you are sending an email notification. If you leave this blank, the default email template will be used.

Related Links

Setting Up the Email Gateway

Setting Scripts as Notification Actions

Customizing Email Templates for Notifications

Email templates for incident notifications are based on incident variables that you put into the subject and body of the template, which are then populated with the actual attribute values in the incident.

Incident Attribute Variables

Example Email Template

Template

Generated Email

Creating an Email Template

Incident Attribute Variables

These are the incident attribute variables you can use for your email template.

$organization

$status

$hostName

$incidentId

$incidentTime

$firstSeenTime

$lastSeenTime

$incident_severityCat

$incident_severity

$incident_incidentCount

$ruleName

$ruleDescription

$incident_source

$incident_target

$incident_detail

$affectedBizService

Example Email Template

This example first shows a template with the incident attribute variables, and then an email based on this template with the variables populated from an incident.

Template

Email Subject:

$ruleName was triggered at $incidentTime

Email Body:

The host, $incident_target, was being scanned by $incident_source starting at $firstSeenTime and ending at $lastSeenTime. There were $incident_incidentCount hits.

Please investigate and report as necessary.

Generated Email

Subject: Server Memory Warning was triggered at Jan 10 22:43 UTC

Body: The host, Host IP: 192.168.1.23 Host Name: QA-V-WIN03-ORCL, was being scanned by 10.1.1.1 starting at Jan 10 22:05 UTC and ending at Jan 10 22:11 UTC. There were 2 hits.

Please investigate and report as necessary.
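
The substitution shown above (template variables replaced by the incident's attribute values), as an added example that is not FortiSIEM's own code. The variable names are the ones listed under Incident Attribute Variables and the incident values are taken from the generated email above; the use of Python's string.Template, the INCIDENT dictionary and the unresolved_variables check are assumptions.

```python
"""Render an incident email template from $variable placeholders.

Added example, not FortiSIEM code. Variable names follow the list above; the
string.Template mechanism, the INCIDENT values and the helper names are assumptions.
"""
from string import Template

# Constructed incident values, taken from the generated-email example above.
INCIDENT = {
    "ruleName": "Server Memory Warning",
    "incidentTime": "Jan 10 22:43 UTC",
    "incident_target": "Host IP: 192.168.1.23 Host Name: QA-V-WIN03-ORCL",
    "incident_source": "10.1.1.1",
    "firstSeenTime": "Jan 10 22:05 UTC",
    "lastSeenTime": "Jan 10 22:11 UTC",
    "incident_incidentCount": 2,
}

SUBJECT_TEMPLATE = "$ruleName was triggered at $incidentTime"
BODY_TEMPLATE = ("The host, $incident_target, was being scanned by $incident_source "
                 "starting at $firstSeenTime and ending at $lastSeenTime. "
                 "There were $incident_incidentCount hits.\n\n"
                 "Please investigate and report as necessary.")


def template_variables(template_text):
    """Names of the $variables a template uses, found with string.Template's own regex."""
    names = set()
    for match in Template.pattern.finditer(template_text):
        name = match.group("named") or match.group("braced")
        if name:
            names.add(name)
    return sorted(names)


def unresolved_variables(template_text, incident):
    """Variables the template uses but the incident does not supply (a template typo)."""
    return [v for v in template_variables(template_text) if v not in incident]


def render(template_text, incident):
    """safe_substitute leaves an unknown $name visible instead of raising KeyError,
    so a mistyped variable produces a readable notification rather than none."""
    return Template(template_text).safe_substitute(incident)


def render_email(subject_template, body_template, incident):
    return render(subject_template, incident), render(body_template, incident)


if __name__ == "__main__":
    subject, body = render_email(SUBJECT_TEMPLATE, BODY_TEMPLATE, INCIDENT)
    print("Subject:", subject)
    print("Body:", body)
```

Checking a new template with unresolved_variables before saving it catches the case where a variable name is mistyped and would otherwise appear literally in every notification.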

Creating an Email Template

  1. Log in to your Supervisor node.
  2. Go to Admin > General Settings > Incident Email Templates.
  3. Click Add.
  4. For multi-tenant deployments, select the organization for which you are creating the email template.
  5. Enter a Name for the template.
  6. Enter the Email Subject and Email Body.

You can select attribute variables from the Insert Content menu to enter into your template, rather than having to type them out by hand.

  7. Click OK.

be used. To set an email template as default, select the template in the list on the Incident Email Templates page, and then click Set as Default. For multi-tenant deployments, to select a template as default for an organization, first select the organization, then set the default email template for that organization.

FortiSIEM Setting Scripts as Notification Actions

One of the actions you can specify for an incident notification is to execute a script. For example, suppose you are monitoring Windows services that are in Auto mode, and you have rules that will trigger an incident if one of those services is stopped. The notification action for that incident can include the running of a script by AccelOps that will re-start the service, as shown in the example scripts in this topic.

How Script Notification Actions are Processed

  1. When you specify the notification action as a script, you must provide the full path to the script in the notification policy settings, for example /tmp/Myscript.py.
  2. You must write the script so it expects the incident XML file to be located in the same directory as the script, for example /tmp if the script location is /tmp/Myscript.py.
  3. When a notification policy is triggered by an incident, the policy actions are handled in sequential order, so if there are multiple script actions, the first one will be processed before the second one.
  4. When the script action is processed, the AccelOps notification module will first generate an incident XML file and put it in the same directory as the script. AccelOps will then call the script with the XML file name as an argument.
  5. When the script returns, the incident XML file that was created by AccelOps is deleted, so there is no confusion with the next script action which involves a new incident XML file and is processed only after the previous script action is complete.

Setting a Script Notification Action

  1. Log in to your Supervisor node.
  2. Go to Analytics > Incident Notification Policy.
  3. Select the notification policy where you want to add the script action.
  4. Under Actions, next to the Methods table, click .
  5. Under Run Script, click Add.
  6. For Script Name, enter the name of the script and the absolute directory path to it.
  7. Click OK.

Example of a Windows Restart Script as a Notification Action

This topic provides an example of a script that could be used as a notification action, following the example of re-starting a Windows service that has stopped and triggered an incident, as described in Setting Scripts as Notification Actions.

This example requires two scripts: one located on the Windows server that hosts the service, and a script on the AccelOps Supervisor host machine that will be triggered by the incident notification and will execute the Windows server script.

Windows Script

AccelOps Script

Windows Script

  1. Create a script named installWinexeSvc.bat for starting the remote winexe provider service.

AccelOps Script

This script, restartWinService.py, reads the incident XML file, parses out the target IP and stopped service, and issues a winexe command to restart the service.

```python
#!/usr/bin/python
# restartWinService.py: run by the AccelOps Supervisor as a notification action.
# The Supervisor calls it with the incident XML file name as its only argument.
from __future__ import print_function
import os
import re
import sys
import time
import xml.dom.minidom

if len(sys.argv) != 2:
    print("Usage: restartWinService.py incident.xml")
    sys.exit(1)

fileName = sys.argv[1]
print("parsing incident xml file : ", fileName)
# XPath equivalent: /incident/incidentTarget/entry[@attribute='hostIpAddr']
doc = xml.dom.minidom.parse(fileName)

# Parse the target IP from <incidentTarget>
nodes = doc.getElementsByTagName('incidentTarget')
if nodes.length < 1:
    print("no incident Target found!")
    sys.exit(1)
targetNode = nodes[0]
targetIP = ""
for node in targetNode.childNodes:
    if node.nodeType == node.ELEMENT_NODE:
        if node.getAttribute("attribute") == "hostIpAddr":
            targetIP = node.firstChild.data
if targetIP == "":
    print("no incident target found!")
    sys.exit(1)
# trim IP, e.g. 10.1.20.189(SH-Quidway-SW1)
targetIP = re.sub(r'\(.+\)', "", targetIP)
print("restart service for target IP: ", targetIP)

# Parse the stopped service name from <incidentDetails>
nodes = doc.getElementsByTagName('incidentDetails')
if nodes.length < 1:
    print("no incidentDetails found!")
    sys.exit(1)
targetNode = nodes[0]
targetService = ""
for node in targetNode.childNodes:
    if node.nodeType == node.ELEMENT_NODE:
        if node.getAttribute("attribute") == "serviceName":
            targetService = node.firstChild.data
if targetService == "":
    print("no serviceName found in incidentDetails!")
    sys.exit(1)

########################################################################
# NOTE: You need to replace the user and password with an account on your
#       Windows server that has permissions to run this Windows command.
########################################################################
# stop the service
stopCmd = "winexe --user Administrator --password ProspectHills! //" + targetIP + " 'sc stop " + targetService + "'"
ret = os.system(stopCmd)
print("stop service with return code ,", ret)
print("waiting service stop")
time.sleep(10)

# start the service (same account note as above)
startCmd = "winexe --user Administrator --password ProspectHills! //" + targetIP + " 'sc start " + targetService + "'"
ret = os.system(startCmd)
print("start service with return code ,", ret)
```

FortiSIEM Incident XML File Format

This topic includes an example of the XML file that is generated for incidents, and descriptions of its contents.

Example Incident XML File

XML Tag and Attribute Definitions

Example Incident XML File

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<incident incidentId="5672" ruleType="PH_RULE_AUTO_SRVC_DOWN" severity="10" repeatCount="1" organization="Super" status="Cleared">
  <name>Auto Service Stopped</name>
  <description>Detects that an automatically running service stopped. Currently this works for windows servers and is detected via WMI.</description>
  <displayTime>Fri Jun 29 15:51:10 PDT 2012</displayTime>
  <incidentSource>
  </incidentSource>
  <incidentTarget>
    <entry attribute="hostIpAddr" name="Host IP">172.16.10.15</entry>
    <entry attribute="hostName" name="Host Name">QA-V-WIN03-ADS</entry>
  </incidentTarget>
  <incidentDetails>
    <entry attribute="serviceName" name="OS Service Name">Spooler</entry>
    <entry attribute="servicePath" name="OS Service Path">C:\WINDOWS\system32\spoolsv.exe</entry>
  </incidentDetails>
  <affectedBizSrvc>Auth Service</affectedBizSrvc>
  <identityLocation>
  </identityLocation>
  <rawEvents>
[SrvcDown]
[PH_DEV_MON_AUTO_SVC_START_TO_STOP]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=6005,[hostName]=QA-V-WIN03-ADS,[hostIpAddr]=172.16.10.15,[serviceName]=Spooler,[servicePath]=C:\WINDOWS\system32\spoolsv.exe,[serviceDesc]=Manages all local and network print queues and controls all printing jobs. If this service is stopped, printing on the local machine will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.,[phLogDetail]=
  </rawEvents>
</incident>
```

XML Tag and Attribute Definitions

| XML Tag | Attributes | Description |
| --- | --- | --- |
| <incident> | incidentId | Unique id of the incident in AccelOps. You can search for the incident by using this ID. |
| | ruleType | Unique id of the rule in AccelOps |
| | severity | The severity of the incident: HIGH, MEDIUM, or LOW |
| | repeatCount | How many times this incident has occurred |
| | organization | In multi-tenant deployments, the organization affected by the incident |
| | status | The status of the incident |
| <name> | | The name of the rule that triggered the incident |
| <description> | | The description of the rule that triggered the incident |
| <displayTime> | | The time when the incident occurred |
| <incidentSource> | | The source of the incident. It includes the event attributes associated with the source, presented as name:value pairs. Common attributes for source and target are srcIpAddr, destIpAddr, and hostIpAddr. |
| <incidentTarget> | | Where the incident occurred, or the target of an IPS alert. It includes the event attributes associated with the target, presented as name:value pairs. Common attributes for source and target are srcIpAddr, destIpAddr, and hostIpAddr. |
| <incidentDetails> | | The event attributes associated with the rule definition that triggered the incident |
| <affectedBizSrvc> | | Any business services impacted by the event |
| <identityLocation> | | Information associated with the Identity and Location Report |
| <rawEvents> | | The contents of the raw event log for the incident |
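
The script-action contract from Setting Scripts as Notification Actions (the Supervisor writes the incident XML beside the script and calls the script with the file name as its only argument) together with the tag definitions above, as an added example that is not FortiSIEM's own code. The tag and attribute names follow this section and the embedded sample is the page's example XML; the returned dictionary layout, the trimming of a trailing "(hostname)" annotation, the same-directory check and the function names are assumptions.

```python
#!/usr/bin/env python3
"""Parse the incident XML that FortiSIEM hands to a script notification action.

Added example, not FortiSIEM code. Tag and attribute names follow the Incident
XML File Format section; the dictionary layout and helper names are assumptions.
"""
import os
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the example incident XML from this page (rawEvents shortened),
# embedded so the parser can be exercised without a running Supervisor.
SAMPLE_INCIDENT_XML = r"""<?xml version="1.0" encoding="UTF-8" ?>
<incident incidentId="5672" ruleType="PH_RULE_AUTO_SRVC_DOWN" severity="10" repeatCount="1" organization="Super" status="Cleared">
  <name>Auto Service Stopped</name>
  <description>Detects that an automatically running service stopped.
Currently this works for windows servers and is detected via
WMI.</description>
  <displayTime>Fri Jun 29 15:51:10 PDT 2012</displayTime>
  <incidentSource>
  </incidentSource>
  <incidentTarget>
    <entry attribute="hostIpAddr" name="Host IP">172.16.10.15</entry>
    <entry attribute="hostName" name="Host Name">QA-V-WIN03-ADS</entry>
  </incidentTarget>
  <incidentDetails>
    <entry attribute="serviceName" name="OS Service Name">Spooler</entry>
    <entry attribute="servicePath" name="OS Service Path">C:\WINDOWS\system32\spoolsv.exe</entry>
  </incidentDetails>
  <affectedBizSrvc>Auth Service</affectedBizSrvc>
  <identityLocation>
  </identityLocation>
  <rawEvents>
[SrvcDown]
[PH_DEV_MON_AUTO_SVC_START_TO_STOP]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=6005,[hostName]=QA-V-WIN03-ADS,[hostIpAddr]=172.16.10.15,[serviceName]=Spooler,[servicePath]=C:\WINDOWS\system32\spoolsv.exe,[phLogDetail]=
  </rawEvents>
</incident>
"""


def _entries(parent):
    """Turn <entry attribute="x" name="...">value</entry> children into {x: value}."""
    if parent is None:
        return {}
    return {e.get("attribute"): (e.text or "").strip() for e in parent.findall("entry")}


def strip_host_suffix(ip_text):
    """Drop a trailing "(hostname)" annotation, e.g. 10.1.20.189(SH-Quidway-SW1)."""
    return re.sub(r"\(.*\)\s*$", "", ip_text).strip()


def parse_incident(xml_data):
    """Return the incident as a plain dict; raise ValueError if the root is not <incident>."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")      # let expat honour the encoding declaration
    root = ET.fromstring(xml_data)
    if root.tag != "incident":
        raise ValueError("unexpected root element <%s>" % root.tag)
    target = _entries(root.find("incidentTarget"))
    return {
        "incidentId": int(root.get("incidentId")),
        "ruleType": root.get("ruleType"),
        "severity": int(root.get("severity")),
        "repeatCount": int(root.get("repeatCount", "1")),
        "organization": root.get("organization"),
        "status": root.get("status"),
        "name": (root.findtext("name") or "").strip(),
        # the description may span several lines in the file; collapse the whitespace
        "description": " ".join((root.findtext("description") or "").split()),
        "displayTime": (root.findtext("displayTime") or "").strip(),
        "source": _entries(root.find("incidentSource")),   # {} when the element is empty
        "target": target,
        "targetIp": strip_host_suffix(target.get("hostIpAddr", "")),
        "details": _entries(root.find("incidentDetails")),
        "affectedBizSrvc": (root.findtext("affectedBizSrvc") or "").strip(),
        "rawEvents": [ln for ln in (root.findtext("rawEvents") or "").splitlines()
                      if ln.strip()],
    }


def load_incident_file(path, script_dir=None):
    """Read the XML file the Supervisor drops beside the script, refusing paths elsewhere."""
    script_dir = os.path.realpath(script_dir or os.path.dirname(os.path.abspath(__file__)))
    real = os.path.realpath(path)
    if os.path.dirname(real) != script_dir:
        raise ValueError("%s is not in the script directory %s" % (real, script_dir))
    with open(real, "rb") as fh:
        return parse_incident(fh.read())


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("Usage: %s incident.xml" % sys.argv[0])
    incident = load_incident_file(sys.argv[1])
    print("incident %d (%s) on %s: %s" % (incident["incidentId"], incident["name"],
                                          incident["targetIp"], incident["details"]))
```

Because the Supervisor deletes the XML file as soon as the script returns, a script that needs the data later should copy what it parsed rather than the path; and since the file is always expected beside the script, the same-directory check rejects any other path before it is opened.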
FortiSIEM Viewing Incident Notification History

There are two ways you can view the notification history for an incident.

  1. In the Incident Notification Status column of the Incident Dashboard.
  2. Click on an incident in the Incident Name column of the Incident Dashboard, and then select View Notification History from the Options menu.