67-22
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 67 Managing Reports
Working with Reports in Report Manager
The device list is pre-filtered to show devices of the appropriate type only. For example, if you are
editing the settings for a firewall report, IPS devices do not appear in the list of selectable devices.
• Time—To change the time span used to select events and data to include in the report. The time is
based on the Security Manager server time. You can select one of the following options to define the
time span:
– Last 1 Hour—The last full hour, measured on the hour. For example, if the current time is 11:45 AM,
the Last 1 Hour report shows data from 10:00 to 11:00.
– Last 1 Day—The last full day, from midnight to midnight. For example, if the current day is
Tuesday, the Last 1 Day report shows data from Monday.
– Last 1 Week—The previous Monday through Sunday.
– Last 1 Month—The previous month. For example, if the current date is September 29, the Last
1 Month report shows data from August.
– Custom—Use the Start Date and End Date calendars to select the desired starting and ending
times for the report. Click the down arrow, select the desired day and time, then click OK in the
calendar widget. Reportable data is kept for 90 days, so you cannot select a date more than 90
days into the past. Additionally, you cannot specify a time if you select a start date more than
five days into the past. If you select the current date for the start date, you can also specify
minutes for both starting and ending dates, but because report data is aggregated every 15
minutes at 00, 15, 30, and 45 minutes past each hour, minute entries are rounded to the nearest
of these figures. The allowed time selection is based on how data is aggregated, as explained in
Understanding Report Manager Data Aggregation, page 67-4.
• Criteria—To change the other criteria used to define the report. The attributes available on the
Criteria settings page are variable. In some cases, there are no selectable criteria. Following is a list
of the possible criteria:
– Top (All “Top” reports.)—The number of items targeted by the report to include. For example,
the Top 10 firewall destinations returns the 10 most frequent destinations for firewall events in
the configured time range. Select 10, 20, 25, or 50.
– Service (Firewall reports except Botnet)—The services to include in the report. To specify
services, click the Edit button next to the field and select the desired service policy objects. You
can select multiple objects.
– Source IP, Destination IP (Firewall reports except Botnet)—The source and destination IP
address fields are separate, but they are functionally the same. They define the IP addresses for
sources or destinations to include in the report. You can enter individual addresses, such as
10.100.10.10, or address ranges, such as 10.100.10.10-10.100.10.20. Both IPv4 and IPv6
addresses are accepted. Separate multiple addresses with commas.
You can click the Edit button next to the field to open a dialog box where you can more easily
create complex lists of addresses and address ranges. However, you cannot use network/host
objects to define addresses.
Note Do not specify values for all of the Service, Source IP, and Destination IP criteria in a
single report. You can specify the criterion on which the report is based (for example,
Service for the Top Services report) plus one other criterion. If you specify all three
values, the report will always contain no data.
– Permit/Deny (Firewall reports except Botnet)—The action reflected in the event, either
permitting the matching traffic (Permit), denying the matching traffic (Deny), or either (All).
The default is All.
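
The following Python code is an added example, not taken from this guide or from Security Manager. It computes the window that each Time option described above covers for a given Security Manager server time, so that an exported event can be checked against the report that should contain it. The function names, the exclusive end bound, hour-only precision for start dates one to five days old, and rounding minutes 53-59 up to the next hour are assumptions.

```python
from datetime import datetime, timedelta

def predefined_window(option, now):
    """Return (start, end) of a predefined span; end is exclusive (assumption)."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if option == "Last 1 Hour":      # last full hour, on the hour
        end = now.replace(minute=0, second=0, microsecond=0)
        return end - timedelta(hours=1), end
    if option == "Last 1 Day":       # previous day, midnight to midnight
        return midnight - timedelta(days=1), midnight
    if option == "Last 1 Week":      # previous Monday through Sunday
        this_monday = midnight - timedelta(days=midnight.weekday())
        return this_monday - timedelta(days=7), this_monday
    if option == "Last 1 Month":     # previous calendar month
        first = midnight.replace(day=1)
        return (first - timedelta(days=1)).replace(day=1), first
    raise ValueError(f"unknown time span: {option}")

def round_to_quarter(ts):
    """Round to the nearest 15-minute aggregation mark (00, 15, 30, 45)."""
    hour = ts.replace(minute=0, second=0, microsecond=0)
    quarters = (ts.minute * 60 + ts.second + 450) // 900
    # Assumption: minutes 53-59 round up to :00 of the next hour.
    return hour + timedelta(minutes=15 * quarters)

def custom_window(start, end, now):
    """Normalize a Custom span according to the selection rules above."""
    age_days = (now.date() - start.date()).days
    if age_days > 90:
        raise ValueError("reportable data is kept for only 90 days")
    if age_days > 5:                 # no time of day: whole dates only
        zero = dict(hour=0, minute=0, second=0, microsecond=0)
    elif age_days > 0:               # assumption: hours allowed, minutes not
        zero = dict(minute=0, second=0, microsecond=0)
    else:                            # start is today: quarter-hour marks
        return round_to_quarter(start), round_to_quarter(end)
    return start.replace(**zero), end.replace(**zero)

def in_report(event_time, window):
    """True when an event timestamp falls inside the report window."""
    start, end = window
    return start <= event_time < end
```

An event logged at 11:30 is absent from a Last 1 Hour report run at 11:45, because that report covers 10:00 to 11:00 only.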