RSA enVision

TELUS
Version 1.0

Table of Contents
RSA enVision
Login Screen
Overview
Dashboard Screen
Manage User Screen
Manage Authentication Server Screen
Manage Groups Screen
Manage Site Log in Screen
Setup Access Denied Screen
Display License Information
System Performance Screen
Managed Monitored Devices
Manage Device Group Filters
Device Types
Services
Manage Collector Service
Setup DNS Resolver Service
Setup DHCP Polling Service
Setup Site Communication
Scheduler Service
Device Services
Asset Collector Service
Universal Device Collection
Dashboard Items
Watchlists
Task Viewer
Event Explorer
Best Practices
Vulnerability and Asset Management
Alerts
Enterprise Dashboard
Views
Real-Time Detail
Import / Export Views
Output Actions
Output Actions Templates
Correlation Alert / Rules
Correlation Classes
Import / Export Correlation Rules
Adding / Modifying Correlation Rules
Setup Alerter Service
Setup Alerter History
Analysis
Event Viewer
Query Tool
SQL Statements / Syntax
Reports
Reporting Module
ADHOC Reports
Compliance Reports
Scheduled Reports
Reports Folder
Setup Reports

RSA enVision is a feature-rich compliance and security application. It allows you to
automatically capture and analyze log information from your network, security,
application, operating system and storage environments. enVision's LogSmart Internet
Protocol Database (IPDB) is an architecture designed to collect and protect all the data
from any network device, without filtering or agents. It gives you a picture of how your
network is being used, and by whom. It independently monitors your network to verify
security policies, to generate alerts for possible compliance breaches, and to analyze and
report on network performance.
enVision is tightly coupled with the underlying appliance operating system and hardware;
together they comprise a scalable platform that provides defined levels of performance,
plus the ability to grow over time.

1. enVision Login Screen

To access the enVision Web UI, open Internet Explorer and type the enVision site name or
the IP address of the appliance in the address bar, followed by a colon and port 8443.
TELUS uses HTTPS for web communication with the appliance:
https://sarsaenv.araneta:8443
or
https://172.17.127.41:8443
Specify user credentials to access the enVision system. The default credentials for the
enVision administrator are:
Username: administrator
Password: administrator
For security purposes, change the administrator password as soon as the appliance is
deployed; the default credentials are published in vendor documentation (including this
guide) and must be assumed known to anyone who can reach the login page. Do NOT disable
the account, because it is needed as a failsafe for recovery.

Overview

1.1. RSA enVision Dashboard Screen

To display dashboard items, select the corresponding items in the left pane. The items
shown depend on the user accessing the enVision GUI: each user sees the items associated
with their own account.

2. Manage Users Screen

To add, delete or modify a user, go to the Overview tab, click System Configuration and
expand the Users module. Select Manage Users to reach the screen.
Click ADD to add a user.
Click BULK ADD to add a large number of users using Active Directory / LDAP integration.
Tick the checkbox of a user and click DELETE to remove the user.
Tick the checkbox of a user and click MODIFY to reconfigure the user's attributes.
Click REPORT to view the list of existing users as an HTML report.

3. Manage Authentication Servers Screen

To add authentication servers such as Active Directory or LDAP, you must specify a domain
user credential per server; enVision uses it to look up users in the directory. You need
this if you are adding a user whose credentials are referenced from a domain controller or
LDAP server. Because this credential is stored in enVision, use a dedicated directory
account with only the read permissions needed for lookups rather than a domain
administrator account.

Click ADD to add an authentication server.
Tick the checkbox of an authentication server and click DELETE to remove it.

4. Manage Groups Screen

To add or modify an enVision user group, refer to the screen above. Click a particular
user group to view its attributes.
A user added to a group inherits the group's attributes upon becoming a member of it.
To override a group attribute for a specific user, tick the Override Default checkbox.


5. Manage Site Log In Permissions

To configure which user groups are granted access to enVision, refer to the screen above.
To view which permissions a group has, click Manage Module and Tool Permissions.
To modify Event Explorer login permissions, click Manage Event Explorer Permissions.


6. Set Up Access Denied Screen

Refer to the screen above to configure what enVision does in access-failure scenarios.


7. Display License Information

To view the license details for TELUS enVision, click Display License Information in the
left pane of the screen.


8. System Performance Module Screen

The screen above shows the current status of TELUS's enVision, with details about
collection from the different transport protocols:
- Syslog (UNIX and network devices)
- Trapd/SNMP (anti-virus and security devices)
- Windows (Application, System and Security events from Windows hosts)
- LEA (Check Point firewalls) and ODBC (databases)
- SDEE (Cisco IDS/IPS)
- File Reader (flat file collection, e.g. TXT, LOG)

It also shows:
- Web Server Activity: usage of the web server that hosts the enVision UI, alerting and reporting.
- Analysis disk storage: the storage enVision uses for reporting and event viewing.
- DB Server Activity: activity of the enVision IPDB (Internet Protocol Database).
- Alerter Latency: the delay between an event arriving and the alert view being triggered.
- Event Storage Capacity: the disk repository usage.


9. Manage Monitored Devices

Displays the devices from which enVision is currently collecting, whether they are
supported and recognized as such or identified as Unknown.
You can sort the details by IP address, Name, Device Type, Site Node or Status.
If a device is identified as Unknown, its collection state is automatically set to
Candidate, which means only a sample of its events is parsed; enVision does not collect
continuously from it.
The collection state of an unknown device is set to Active only if the device is the
subject of UDS (Universal Device Support) development, since that is the only way to
capture enough events to build the UDS parser.
Note: It is not advisable to add a device manually, because enVision then has no assurance
that it is actually collecting events from it. Best practice is to configure the device to
send events to enVision first and let enVision recognize it automatically.


10. Manage Device Group Filters

Use this screen to add and manage device groups using STATIC and DYNAMIC selection.

11. Manage Device Attribute Definitions

- Manage additional device information and details used for asset inventory.
12. Import / Export Device Attributes
- Open a file that holds device information and details and load it into enVision. You can
also export the existing information to a flat file for safekeeping.
13. Manage Device Types
- Indicate which device types enVision covers for event collection, reporting and alerting.
The default configuration has all device types selected. Un-tick a device type to deselect it.
Refer to the next screenshot.


14. Services -> Manage Services Screen

Start, stop and restart a particular service, either one at a time or a whole selection of
services. Specify whether enVision should log the status and activities of the service;
this is useful if you want to alert on any action the service takes and also show it in a
report. You can also edit the logging level of each service.
15. Manage Collector Service
- Edit the configuration of the NIC Collector service. Change the default UDP port enVision
uses for syslog event collection, specify additional ports, and enable support for
syslog-ng headers.
- Configure the auto-discovery feature for new devices.
- Enable real-time DNS resolution of devices upon discovery (dependent on the DNS server).
- Specify the sampling period: the number of events enVision examines to discover a new
device. (Leave the default.)


16. Setup DNS Resolver Service

- Configure enVision's hostname resolution feature. This applies to the host information
shown on events.
- Configure the label enVision displays whenever the DNS service cannot resolve an
address. Default: UNKNOWN; change this if needed.
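An added example (not enVision code) of what the collector's syslog auto-discovery and the DNS resolver's fallback label amount to in practice: parse RFC 3164 syslog lines, count parsable events per source address, register a source as a device once a sample of events has arrived from it, and reverse-resolve the address, substituting the UNKNOWN label when DNS cannot answer. The sample lines are constructed; modelling the sampling period as an event count, and the function names, are assumptions made for this illustration.

```python
import re
import socket
from collections import Counter

# Constructed sample of RFC 3164-style syslog lines, as the NIC Collector would
# receive them on the syslog UDP port. Addresses, hostnames and messages are
# made up for this example and do not come from the TELUS environment.
SAMPLE_EVENTS = [
    ("10.1.1.10", "<34>Oct 11 22:14:15 fw01 %ASA-6-302013: Built outbound TCP connection"),
    ("10.1.1.10", "<34>Oct 11 22:14:16 fw01 %ASA-6-302014: Teardown TCP connection"),
    ("10.1.1.10", "<34>Oct 11 22:14:17 fw01 %ASA-6-302013: Built outbound TCP connection"),
    ("10.1.1.20", "<38>Oct 11 22:14:18 srv02 sshd[1023]: Accepted publickey for ops"),
    ("10.1.1.20", "<38>Oct 11 22:14:19 srv02 sshd[1023]: session opened for user ops"),
    ("10.1.1.30", "<13>Oct 11 22:14:20 box9 app: hello"),
    ("10.1.1.40", "this is not a syslog message"),
]

# <PRI> followed by "Mmm dd hh:mm:ss HOSTNAME MSG"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def parse_syslog(line):
    """Return facility, severity, timestamp, host and message, or None if not syslog."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:          # facility 0-23, severity 0-7
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def resolve_name(ip, resolver=None, unknown_label="UNKNOWN"):
    """Reverse-resolve ip; on any lookup failure return the configured label."""
    if resolver is None:
        resolver = lambda addr: socket.gethostbyaddr(addr)[0]   # real DNS lookup
    try:
        return resolver(ip)
    except (OSError, KeyError):   # socket.herror/gaierror are OSError subclasses
        return unknown_label


def discover_devices(events, sample_size=2, resolver=None, unknown_label="UNKNOWN"):
    """Register a source address as a device once sample_size parsable events
    have arrived from it (the sampling period of auto-discovery, modelled here
    as an event count). Returns (devices, per-source event counts)."""
    counts = Counter()
    devices = {}
    for src_ip, line in events:
        parsed = parse_syslog(line)
        if parsed is None:
            continue                      # not syslog-shaped; never counts toward discovery
        counts[src_ip] += 1
        if src_ip not in devices and counts[src_ip] >= sample_size:
            devices[src_ip] = {
                "resolved_name": resolve_name(src_ip, resolver, unknown_label),
                "reported_host": parsed["host"],   # hostname the device put in its header
                "events_at_discovery": counts[src_ip],
            }
    return devices, counts


if __name__ == "__main__":
    # Offline resolver standing in for DNS: only one address has a PTR record.
    fake_dns = {"10.1.1.10": "fw01.example.test"}
    found, seen = discover_devices(SAMPLE_EVENTS, resolver=lambda a: fake_dns[a])
    for ip, info in found.items():
        print(ip, info)
    print("still sampling:", {ip: n for ip, n in seen.items() if ip not in found})
```

The resolver is injected so the example runs offline; with `resolver=None` it uses a real reverse lookup, which is where the UNKNOWN fallback matters in production.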

17. Setup DHCP Polling Service

- enVision has four polling intervals it uses to resolve DHCP addresses. The administrator
defines the polling rate for each IP address range on the Set up DHCP Polling Service
window. enVision assigns a polling interval to each hostname:

Poll rate: Discovery
Consists of: the entire defined DHCP address space; all addresses are included.
Resolution done by: IP address, with a default resolution interval of 180 minutes. This is
done to identify new hostnames added to the DHCP range.

Poll rate: Slow
Consists of: hostnames that do not change DHCP addresses frequently.
Resolution done by: hostname, with a default resolution interval of 60 minutes.

Poll rate: Mid
Consists of: hostnames that change DHCP addresses regularly.
Resolution done by: hostname, with a default resolution interval of 15 minutes.

Poll rate: Rapid
Consists of: hostnames that change DHCP addresses frequently.
Resolution done by: hostname, with a default resolution interval of 1 minute. If a new
hostname is detected as being part of the DHCP address space, it is automatically added
to the Rapid poll rate.

18. Set Up Site Communication

- Modify the IP addresses enVision uses for site communication, such as the web interface
and log collection. Change these only if necessary.

19. Scheduler Service

- The NIC Scheduler Service lets you run reports, graphs and system events at a specified
time. It can also schedule any executable process, such as scripts and binaries, that is
stored INSIDE the enVision directory folders.


20. Device Services

Some devices have device-specific services in enVision. Set up the options for the
device-specific service for each such device.
The system includes the following device-specific services (refer to enVision online help):

FW-1 LEA Client Service
- Check Point Provider-1
- Check Point FW1/VPN-1/SmartDefense

File Reader Service
- Apache
- Blue Coat Systems CacheOS
- Blue Coat Systems SGOS
- Cisco Access Control Server
- Cisco Content Engine
- IBM iSeries
- IBM Mainframe ACF2*
- IBM Mainframe DB2 UDB*
- IBM Mainframe RACF*
- IBM Mainframe Top Secret*
- Juniper Networks Steel-Belted Radius
- Microsoft Exchange Server
- Microsoft IIS
- Microsoft ISA Server
- Network Appliance NetCache
- Nortel Alteon Switch Firewall
- Oracle
- RSA Security
- Tripwire Enterprise
- Other devices that write their logs to a flat file (.log, .w3c, .txt, .unx, etc.)

Secure SDEE Collection Service
- Cisco Adaptive Security Appliance
- Cisco Secure IDS

ODBC Service
- ActivIdentity
- ISS SiteProtector
- McAfee ePolicy Orchestrator
- Microsoft SQL Server
- Oracle

Windows Service
- McAfee VirusScan Enterprise
- Microsoft Windows


21. The NIC Asset Collector Service

- Collects asset information (such as operating system and service ports) and asset
vulnerabilities from third-party vulnerability assessment tools and asset tracking tools.

You can view, add, modify and delete configurations associated with the Asset Collector
service. RSA does not support using both the legacy NIC Vulnerability Service and the NIC
Asset Collector Service.

22. Universal Device Collection

Universal Device Collection allows enVision to collect from any device or application that
it does not natively support, as long as the device writes its logs to a flat file, a
database or SNMP traps. The three methods of Universal Device Collection are:
- File Reader
- ODBC
- SNMP Traps


23. Dashboard Items -> Manage Dashboard Items

- The Dashboard has standard dashboard reports and graphs as dashboard items. You can also
create your own dashboard reports.

The administrator can modify various parameters involved in running the reports and
graphs, and can set permissions for each of the dashboard items. Other parameters are set
on the reports themselves.

When a report is created, it has the following defaults associated with it:
Time Span: 1 hour for summary table reports; 10 minutes for detailed table reports. You
cannot change these values.
Enabled: Off
Refresh rate: 1 minute for summary table reports; 10 minutes for detailed table reports.


24. Watchlists

Watchlists are named collections of strings that represent a list of like values. You can
use watchlists as a shortcut for filtering the events in enVision on which you want to
alert or report.
You configure watchlists using the enVision user interface. You can add values to a
watchlist individually or in bulk using the import facility.
You can use watchlists to filter events in reporting (using runtime parameters referred to
in the WHERE criteria) and in alerting (using a correlated rule or single-event filtering).
Filtering is performed by comparing an event variable against the items in the watchlist.
When you update a watchlist, enVision immediately applies the change to the Alerter and
views without requiring you to stop and restart the NIC Alerter service or any related
views. This means you can update watchlist contents while the NIC Alerter service and
views are running.
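The filtering and hot-update behaviour described above, as an added example (not enVision's own code): a small Python model of a watchlist used for single-event filtering on the alerting side and as a parameterised WHERE predicate on the reporting side. Values added after a filter has been built are matched on the next event without rebuilding anything, which is the property the paragraph above describes. The event fields, the values and the Watchlist/make_filter names are assumptions for illustration.

```python
import threading

# Constructed sample events; the field names mirror the kind of event
# variables a watchlist is compared against (source address, user name).
SAMPLE_EVENTS = [
    {"saddr": "203.0.113.5",  "username": "root",       "msgid": "SSH_LOGIN_FAIL"},
    {"saddr": "10.0.0.7",     "username": "alice",      "msgid": "SSH_LOGIN_OK"},
    {"saddr": "198.51.100.9", "username": "bob",        "msgid": "SSH_LOGIN_FAIL"},
    {"saddr": "10.0.0.8",     "username": "svc_backup", "msgid": "SSH_LOGIN_OK"},
]


class Watchlist:
    """A named collection of strings. Membership is checked on every event,
    so values added or removed while filters are running take effect at once;
    nothing has to be rebuilt or restarted."""

    def __init__(self, name, values=()):
        self.name = name
        self._values = set(values)
        self._lock = threading.Lock()

    def add(self, *values):
        with self._lock:
            self._values.update(values)

    def remove(self, *values):
        with self._lock:
            self._values.difference_update(values)

    def import_bulk(self, text):
        """Bulk import: one value per line; blank lines and '#' comments are skipped.
        Returns the number of values that were new."""
        before = len(self._values)
        self.add(*(ln.strip() for ln in text.splitlines()
                   if ln.strip() and not ln.lstrip().startswith("#")))
        return len(self._values) - before

    def __contains__(self, value):
        with self._lock:
            return value in self._values

    def __len__(self):
        return len(self._values)

    def where_clause(self, column):
        """Reporting side: an IN (...) predicate with placeholders, so the
        watchlist values are bound as parameters rather than spliced into SQL.
        Returns (sql_fragment, parameter_list)."""
        with self._lock:
            values = sorted(self._values)
        if not values:
            return "0 = 1", []          # empty IN () is invalid SQL; match nothing
        return f"{column} IN ({', '.join('?' for _ in values)})", values


def make_filter(variable, watchlist):
    """Alerting side: a single-event filter comparing one event variable
    against the watchlist. The predicate reads the live watchlist each call."""
    return lambda event: event.get(variable) in watchlist


def match_events(events, variable, watchlist):
    """Apply the filter to a batch of events and return the matching ones."""
    hit = make_filter(variable, watchlist)
    return [e for e in events if hit(e)]


if __name__ == "__main__":
    bad_sources = Watchlist("bad_sources", ["203.0.113.5"])
    print(match_events(SAMPLE_EVENTS, "saddr", bad_sources))      # one hit
    bad_sources.import_bulk("# feed update\n198.51.100.9\n\n")    # no restart needed
    print(match_events(SAMPLE_EVENTS, "saddr", bad_sources))      # now two hits
    print(bad_sources.where_clause("saddr"))
```

The `where_clause` helper returns placeholders and a parameter list rather than a finished string: watchlist values often come from bulk imports, and binding them as parameters keeps an odd value in the import file from changing the meaning of the report query.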


25. Task Viewer

The Task Triage feature allows you to group events into tasks for the purpose of
investigation. You display and work with the tasks in the Event Explorer application.
In addition, you can use the Overview > Task Viewer > Browse Tasks window to review the
status of tasks, and you can report on Task Triage data through the standard Task Triage
reports or the Task Triage dashboard report.
You can create tasks in either:
- The enVision Web UI, using the:
  - Task Create output action associated with an Alerter view for a correlated alert. The
task created from the Alerter has an attached trace log file that contains the event
messages that led to the firing of the alert. The initial owner of an Alerter-generated
task is the task-dispatchers user group. enVision comes with a default Task Create output
action that you can use when creating a view.
  - Task Escalate output action, to escalate tasks to an external application (such as a
third-party ticketing system).
- The enVision desktop client (Event Explorer), while viewing event data in a table or
chart as event messages of interest are discovered.

Event Explorer provides task workflow management operations such as viewing and editing
task data, acknowledging new tasks, assigning a task to other users and changing the state
of the task.
In Event Explorer, you display tasks on the Task Triage panel and view individual tasks in
the Task Editor window. You can modify a task, attach files to it, change its owner, and
close or delete it. You can also escalate a task to an external application such as a
ticketing system.
Your administrator needs to assign the appropriate Event Explorer permissions to your user
profile in enVision. These settings control whether or not a user can:
- access Event Explorer (Allow Event Explorer Access permission)
- delete a task in Event Explorer (Allow Task Deletion permission)
- escalate tasks in Event Explorer (Allow Task Escalation permission)


26. Best Practices

Use the Best Practices tool to access:
- Best practice documents, for issues such as compliance regulations.
- enVision online help.


27. VAM (Vulnerability and Asset Management)

enVision's Vulnerability and Asset Management (VAM) feature provides unified management of
your assets and vulnerability incident analysis, using the following:
- Asset Database (ADB). The ADB is a unified view of assets created by merging data from
supported vulnerability assessment (VA) tools and imported asset information from asset
tracking tools. This view of the assets gives security managers insight into their
operations.
- Vulnerability Knowledge Database (VDB). The VDB is an embedded repository of
vulnerability information derived from the National Vulnerability Database (NVD). It
greatly expands and improves the incident analysis you can perform through enVision and
enables enVision to automatically correlate security incidents with known vulnerabilities.

The VAM feature allows you to perform the following for assets and vulnerabilities:
- Event analysis
- Alerting
- Reporting
- Incident response
- Browsing assets and vulnerabilities


Alerts


28. Enterprise Dashboard

Use the Enterprise Dashboard tool in the Alerts module to monitor the peak status of
multiple views concurrently from a single screen.
Enterprise Dashboard features include:
- An easy to use, map-based interface.
- A unique map for each collection, chosen by the administrator; administrators can upload
their own custom maps.
- A hierarchy of views and collections (groups of views) that allows the status of
multiple views to be displayed simultaneously.
- Drill-down from a high-level display to detailed information within Enterprise
Dashboard, or to the Real-Time Details tool in the Alerts module for detailed information
about the current view.
- An information area that displays detailed alert status information for any item.
- Status information for multiple views on the same screen.
- User restrictions to specific views, applied across all Enterprise Dashboard collections.
Administrators can customize how alert information is categorized and displayed, so alerts
from multiple views can be presented in a way that fits your monitoring needs. Users can
monitor multiple views at once and quickly drill down into a view for detailed information.
Users are limited to the views for which they have access (as defined through the user
permissions of each view). If a user displays a collection that contains a view they do
not have access to, no information about that view is visible to them, and the alert
severity status for that collection is calculated as if the restricted view did not exist.


29. Views
A view defines the devices, messages, correlated alerts and user-defined criteria, within a single site, for
which enVision issues alerts. The NIC Alerter Service analyzes incoming event messages and generates
alerts based on the views. Devices may exist in multiple views, so a series of events by a single device
may fire alerts in multiple views.
You can have up to 64 views enabled at one time.
The administrator creates and modifies views using the Manage Views window in the Alerts module.
Alerts display on a view-basis on the Real-Time Details window in the Alerts module. You can display
details about the alerts on the Alert History window.
You can optionally assign output actions for individual alerts (such as SMTP, SNMP, text file, or instant
message). Each view has specific users allowed to monitor the alerts for the view. Alert data is available
for real-time and historical analysis in any site in the NIC Domain.


The peak status information of multiple views displays on a collection basis (group of
views) on the Enterprise Dashboard window in the Alerts module. A view may only exist in a
single Enterprise Dashboard collection.
If a user or user group has access to a view but not to some of the devices within that
view, the view is displayed as if those devices did not exist.
Alert data is available for real-time and historical analysis.
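An added example (not enVision's implementation) of the permission rules stated here and in the Enterprise Dashboard section: a view's status is the peak severity of the alerts on devices the user may see, a collection's status is the peak of the views the user may see, and a restricted view or device contributes nothing, so its existence does not leak through the collection's colour. The severity names and gauge colours are the ones this document lists; the views, devices, alerts, collection and user permissions are constructed for the example.

```python
# Severity levels from lowest to highest, with the gauge colour used for each.
SEVERITY_ORDER = ["Low", "Guarded", "Elevated", "High", "Severe"]
SEVERITY_COLOR = {"Low": "green", "Guarded": "blue", "Elevated": "yellow",
                  "High": "orange", "Severe": "red"}

# Constructed sample: the current alerts in each view as (device, severity).
VIEW_ALERTS = {
    "Perimeter":  [("fw01", "High"), ("fw02", "Guarded")],
    "Datacenter": [("db01", "Severe"), ("app01", "Low")],
    "Corp":       [("pc-17", "Elevated")],
}
# An Enterprise Dashboard collection groups views; a view is in one collection only.
COLLECTIONS = {"Enterprise": ["Perimeter", "Datacenter", "Corp"]}

# Constructed per-user permissions: which views and which devices each user may see.
USER_PERMISSIONS = {
    "soc_analyst": {"views": {"Perimeter", "Corp"},
                    "devices": {"fw01", "fw02", "pc-17"}},
    "dba":         {"views": {"Datacenter"},
                    "devices": {"app01"}},          # may not see db01
    "admin":       {"views": set(VIEW_ALERTS),
                    "devices": {"fw01", "fw02", "db01", "app01", "pc-17"}},
}


def peak(severities):
    """Highest severity in the sequence; an empty sequence is Low (gauge green)."""
    return max(severities, key=SEVERITY_ORDER.index, default="Low")


def view_status(view, user):
    """Peak severity of one view as the user sees it. Alerts from devices the
    user may not access are dropped, so the view is displayed as if those
    devices did not exist. Returns None if the user cannot see the view at all."""
    perms = USER_PERMISSIONS[user]
    if view not in perms["views"]:
        return None
    visible = [sev for dev, sev in VIEW_ALERTS[view] if dev in perms["devices"]]
    return peak(visible)


def collection_status(collection, user):
    """Peak status of a collection for the user. Restricted views contribute
    nothing and are not listed, so nothing about them is revealed through
    the collection's colour."""
    per_view = {}
    for view in COLLECTIONS[collection]:
        status = view_status(view, user)
        if status is not None:
            per_view[view] = status
    overall = peak(per_view.values())
    return {"views": per_view, "peak": overall, "color": SEVERITY_COLOR[overall]}


if __name__ == "__main__":
    for user in USER_PERMISSIONS:
        print(user, collection_status("Enterprise", user))
```

Note that the filtering happens before the peak is taken: computing the collection peak first and hiding the view afterwards would still let a restricted Severe alert turn the collection red for a user who is not allowed to know it exists.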
The NIC view, NIC_View, allows you to monitor system health, alerting you to possible
issues within the enVision software environment.
You cannot modify or delete the NIC_View view, but you can disable it.
The NIC_View view monitors all devices on its site. It uses a series of correlation rules
to alert on NIC events that are at alert level 0 to 4. The NIC_View view is comprised of
the following correlation rules:
NIC_ALERTER
NIC_APPSERVER
NIC_COLLECTOR
NIC_CROSSPLATFORM
NIC_DBMLSYNC
NIC_DNS
NIC_EAMANAGER
NIC_FORWARDER
NIC_LOCATOR
NIC_LOGGER
NIC_NSSERVER
NIC_PACKAGER
NIC_SCHEDULER
NIC_VAM
30. Real-Time Detail
- To display real-time alerts in the Real-Time Details tool:
  1. Click Alerts > Real-Time Detail and select a view. enVision displays the Real-Time
Details window.
  2. Select the type of alerts to display from the Show drop-down list. enVision displays
the status of the NIC Global Alerts categories, the status of each of the alert levels,
and the status of the selected alert category.


As the various alerts occur, enVision changes the color of the associated gauge and updates
the count displayed under the gauge. The gauges change color based on severity levels.

Proceed according to the following table:
- To display a list of all the alerts currently in the database that are associated with
a level or category, click the alert count value under the gauge for that level or
category (the count associated with the gauge must be greater than zero). The system
displays the alerts for the level or category on the Alert History window.
- To reset the color of the alert indicator and severity levels, click Recalculate. The
system recalculates the severity levels and sets the alert indicators back to green.

Periodically, enVision resynchronizes the alerts (stored NIC events in the event database)
so that only the more recent alerts display in the Real-Time Detail tool and History tool.


Use the Real-Time Details window to visually monitor alerts in the incoming events for
available views. You can access resolution history for the alerts on the Alert History
window. The number of alerts available to monitor in the Real-Time Details window depends
on the options set for alert synchronization.

Field: Show
Select the sections of the window you want to display from the drop-down list. Values are:
- Global Alerts, Alert Levels and Alert Details
- Global Alerts and Alert Details (default)
- Global Alerts and Alert Levels
- Alert Levels and Alert Details
- Global Alerts
- Alert Levels
- Alert Details

Field: Resolve IP Addresses
Select the check box to display the Resolved Name in the Top Source and Top Destination
drop-downs.

Field: Recalculate
Click to recalculate all current severity levels and reset all severity level gauges to
low (green).

Global Alerts / Levels

Field: Gauges
Gauges display the current severity level for each NIC category alert. The arrows on each
gauge indicate the peak value. The alert count for each category displays below the gauge.
The gauges and arrows change color to indicate the severity level:
- Low (green)
- Guarded (blue)
- Elevated (yellow)
- High (orange)
- Severe (red)
Click on the alert count value under the gauge for the level or category (the count
associated with the gauge must be greater than zero). The system displays the alerts for
the level or category on the Alert History window.
Global Alerts default categories are: Attacks, Recon (Reconnaissance), Content, Auth
(Authentication), User, Policies, System, Config (Configuration), Network, and Other.
Levels default alert levels are: Level 0-1, Level 2, Level 3, Level 4, Level 5, Level 6,
Level 7.

Alert Details
Note: Click on a column heading to sort by column. enVision continues to sort alerts in
this order until you close the Real-Time Details window.


Field: Rank
Displays the alert categories ranked by severity level from highest to lowest.

Field: Peak Severity
Displays the highest alert severity level to date, based on the current alert
synchronization, for the alert category. Click on the light to reset the severity level
for that alert class and category.

Field: Current Severity
Displays the alert severity level based on alerts generated over the last interval for the
alert category. Click on the light to reset the severity level for that alert class and
category.

Field: Trend
Displays the current trend of the alert severity level: whether it has gone up or down
over the last interval.

Field: Count
Displays the number of alerts for the alert category included in the current evaluation,
based on the current alert synchronization.

Field: Alert Category
Displays the alert category. Select an alert category to display the Alert Browser window.
Click to display a tool tip with the following information about the latest event
received: source device, source asset, destination asset and message content.

Field: Top Device Class
Displays the device class contributing the most alerts to the alert category.
Click on the device class to display a drop-down box with the device class, alert count,
latest source address, latest destination address, and latest message. In the drop-down
box you can:
- Click X to close the drop-down box.
- Click the device class to display the Alert History window, with the alerts matching the
alert class and alert category of the device class you selected.

Field: Top Source Asset
Displays the source asset contributing the most alerts to the alert category.
Click on the source asset to display a drop-down box with the following information about
the top five source assets:
- Source IP Address: when event thresholds are set, the IP address of the message that
caused the system to generate the alert.
- Resolved Name: the resolved name, if available.
- Count: the number of alerts for each unique source IP address. For example, if the
system generates five alerts from the same source IP address, the Top Source Asset
drop-down contains one source IP address with a count of five.
In the drop-down box you can:
- Click X to close the drop-down box.
- Click a source address to display the Alert History window, with the alerts matching the
alert category and source IP address of the source asset you selected.

Field: Top Destination Asset
Displays the destination asset contributing the most alerts to the alert category.
Click on the destination asset to display a drop-down box with the following information
about the top five destination assets:
- Destination IP Address: when event thresholds are set, the IP address of the message
that caused the system to generate the alert.
- Resolved Name: the resolved name, if available.
- Count: the number of alerts for each unique destination IP address. For example, if the
system generates ten alerts from different destination IP addresses, the Top Destination
Asset drop-down contains five different destination IP addresses, each with a count of
one. enVision displays the top five destination IP addresses sorted by count; if the count
is the same, enVision sorts by IP address.
In the drop-down box you can:
- Click X to close the drop-down box.
- Click a destination address to display the Alert History window, with the alerts
matching the alert category and IP address of the destination asset you selected.


31. Import / Export Views

You can import and export views that consist solely of correlated rules.
An imported view is not enabled; to use it you must enable the view on the Manage Views
window.


32. Output Actions


Use the Output Action feature to configure output options for alerts. You set up output actions in the
Manage Output Actions window.
Output action types are:

Text File
Send alerts to a text file in the directory you specify. enVision writes all alerts
associated with the Text File output action for that view to the file name you specify.
The format is identical to the received message. enVision keeps appending alerts to this
file over time, so the file grows until you delete it; you are responsible for backing up
and deleting this file.

SNMP (Simple Network Management Protocol)
Send alerts through SNMP traps.

SMTP (Simple Mail Transfer Protocol)
Send alerts through email (SMTP). You can also send generated reports to up to five
defined e-mail addresses; enVision allows e-mail delivery of scheduled and ad hoc reports.

AIM
Send alerts through AOL Instant Messenger (AIM). enVision sends one message every 5
seconds; the NIC Alerter Service adds each message to a queue to be sent. For example, a
burst of 12 messages in one second takes one minute to send out.

Syslog
Forward a syslog message from a source device to an external syslog server in its original
format.
Note - Multiple appliance site: the A-SRV forwards the syslog messages.
This feature is useful when:
- A system other than enVision requires the syslog messages but cannot handle the load; in
this case enVision performs the syslog event filtering.
- A system other than enVision requires the syslog message and the source device does not
support multiple destinations.
Note: You cannot use the Syslog output action with correlated rule events.

Run Command
Launch a command. The Run Command output action creates an output module that launches a
single command immediately. You specify the executable name and a list of parameters to
pass to the command. enVision generates a NIC log event stating that the command has
started and whether or not it was successful. Because the parameters can carry values
taken from the event that fired the alert, treat them as untrusted input in the command
you launch.

Task Triage
Creates a Task Triage task with an attached trace log file containing the event messages
that fired the alert. You can assign the Task Triage output action only to a correlated
rule associated with the Alerter view, and you can have only one Task Triage output action
within a NIC Domain. In Task Triage, the initial owner of an Alerter-generated task is
anyone in the task-dispatchers group.
Caution! Do not delete the Task Triage output action after it has been created. Tasks
created by the Alerter rely on the existence of a Task Triage output action for critical
setting information.

SNPP (Simple Network Paging Protocol)
Send alerts through SNPP to a cell phone or pager (the output message is limited to 128
characters).
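An added example (not the enVision output module) of how a Run Command launch, or the Scheduler Service's script execution, should handle the two inputs it receives: the executable, which must stay inside the permitted scripts directory (the Scheduler Service section states the same restriction), and the parameters, which may carry fields from the event that fired the alert and so are passed as discrete argv entries rather than through a shell. The alert fields, the `{field}` placeholder syntax, the scripts directory and the function names are assumptions for illustration.

```python
import os
import re
import subprocess

# Constructed alert, shaped like the fields an output action template exposes.
SAMPLE_ALERT = {
    "message_id": "CORR_BRUTE_FORCE_SUCCESS",
    "saddr": "203.0.113.5",
    "device": "srv02",
    "message": "Accepted password for root; rm -rf / # not a command, just text",
}

PLACEHOLDER = re.compile(r"\{(\w+)\}")


def expand(param, alert):
    """Replace {field} tokens in one parameter with the alert's field values.
    The result is a single argv element regardless of what the field contains."""
    def lookup(m):
        return str(alert[m.group(1)])     # KeyError for unknown fields, by design
    return PLACEHOLDER.sub(lookup, param)


def build_command(executable, params, alert, allowed_dir):
    """Resolve the executable inside allowed_dir and expand the parameter list.
    Rejects anything that escapes the directory (absolute paths, '..', symlinks)."""
    root = os.path.realpath(allowed_dir)
    candidate = os.path.realpath(os.path.join(root, executable))
    if os.path.commonpath([root, candidate]) != root or candidate == root:
        raise ValueError(f"executable {executable!r} is outside {allowed_dir}")
    return [candidate] + [expand(p, alert) for p in params]


def run_output_action(executable, params, alert, allowed_dir, timeout=30):
    """Launch the command once, without a shell, and report start and outcome
    the way a NIC log event would: the argv used, exit status and output."""
    argv = build_command(executable, params, alert, allowed_dir)
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout, check=False)   # never shell=True
    except (OSError, subprocess.TimeoutExpired) as exc:
        return {"argv": argv, "started": False, "error": str(exc)}
    return {"argv": argv, "started": True, "success": proc.returncode == 0,
            "returncode": proc.returncode, "stdout": proc.stdout}


if __name__ == "__main__":
    import tempfile
    scripts = tempfile.mkdtemp(prefix="envision-scripts-")
    notify = os.path.join(scripts, "notify.sh")
    with open(notify, "w") as fh:
        fh.write("#!/bin/sh\nprintf 'source=%s message=%s\\n' \"$2\" \"$4\"\n")
    os.chmod(notify, 0o755)
    print(run_output_action("notify.sh",
                            ["--src", "{saddr}", "--msg", "{message}"],
                            SAMPLE_ALERT, scripts))
    try:
        build_command("../../../bin/sh", ["-c", "{message}"], SAMPLE_ALERT, scripts)
    except ValueError as err:
        print("rejected:", err)
```

The message field in the sample alert contains shell metacharacters on purpose: with an argv list they reach the script as one literal argument, whereas a `shell=True` string built from the same template would execute them.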

You can assign an output action to:
- Alerts:
  - A specific device class / alert / alert severity level combination within a view, in
the Manage Views - Add/Modify Output Action Information window. (Exception: you cannot
assign the Task Triage output action this way.)
  - A specific message in a view, by clicking the ON/OFF link in the Output Actions Per
Alert column of the Manage Views - Customize Alert Configuration window.
- A report, to send generated reports through email. enVision uses the SMTP output action
only as a template to pre-fill the email options. (Exception: you cannot assign the Task
Triage output action this way.)
Depending on the output action you selected, you can apply different output action
templates to the output. You can assign an output action template to a text file output
action; an output action template specifies the format and fields for the alert output.


33. Output Action Templates


An output action template specifies the format and fields for the alert output. You can use an output
template for multiple types of output actions.
You can create custom output action templates, use the NIC-defined output action templates, or modify
the NIC-defined output action templates.
There are four NIC-defined templates:
Template Name - Use for
Short Format - Delivery methods that restrict the amount of information that can be displayed, such as Instant Messenger, mobile email, pagers and mobile phones. The template contains fields that convey the most important information in the shortest amount of text.
Most Common Fields - Standard email delivery. This template contains the most-commonly-accessed alert fields.
Long Format - Workflow integration with other computer systems. This template contains all fields available for output.
SNPP - SNPP (Simple Network Paging Protocol) delivery method. This template is designed for a pager with limited display room. As a result, enVision only selects the Message ID field for output (the output message is limited to 128 characters).

You can configure the output action template to generate output in either ASCII text string (simple
delimited fields) or HTML (using a simple table so the columns line up) format.

34. Correlation Rules


A correlated alert or Correlation Rule is a combination of alerts from various devices that occur within a
specified period of time.

Each correlated alert is set up as a correlation rule. The rule identifies a set of events from a device type
and defines a set of specific conditions to be met. When the defined conditions are met, the system
generates a correlated alert. Each correlated alert has its own message ID and message text, as defined
in the correlation rule.
Correlation classes define a set of alert categories and a label for the class; these are used during alert
monitoring. Each correlation rule is assigned to a correlation class.
There are system-defined correlation rules, assigned to the system correlation class Correlation Rules.
You can create additional correlation rules and classes as needed.
The administrator includes a correlation class in a view so that it can be monitored and alerted on.
Monitor correlated alerts in the same manner that you monitor system and device alerts.

A correlation rule is made up of correlation circuits. Correlation circuits are made up of correlation
statements.
A correlation statement defines a set of events from one or more devices, based on a set of device
types, with a threshold limit and optional statement filters and cache variable comparisons. Correlation
statements are identified by a user-defined statement label. For example, here is a statement, STMT1:
Device Type: Cisco PIX Firewall
Message ID: 106006
Threshold: Consider if 10 events come in within 60 seconds
(enVision does not populate the Alerts table with individual events within a threshold. For example, if 10
events occur within one second, enVision does not populate the Alerts table with the first 9.)
You may want to set up composite events so enVision sends you all of the events, within a configurable
limit, that are associated with the correlated rule.
A correlation circuit is a combination of correlation statements combined using operators. Correlation
circuits are identified by a user-defined circuit label. For example, here is a circuit, FR897:
Statement Label   Operator   Within (seconds)
STMT1             And not
STMT5

You define the logic that determines when the correlation rule triggers an alert by combining circuits.
Correlation rules are identified by a user-defined message ID. For example, here is the logic for a
user-defined correlation rule, PIXROUT2:
Circuit Label   Operator      Within (seconds)
FR897           Followed by   3
IDSN761         And
SPR419
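As an added illustration (not RSA enVision code), the following Python models the three layers described above, statement, circuit and rule, and runs them over constructed events. The Within value for FR897 (120 s), the And window in PIXROUT2 (5 s), the STMT5 message ID (999999) and the firing times of IDSN761 and SPR419 are all assumptions, since the text does not define them; the operator semantics are a simplified reading of the tables, not enVision's engine.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not RSA enVision code: a small evaluator for the
# statement -> circuit -> rule structure. The operator semantics
# (And, And not, Followed by, Within) are this example's own simplified
# reading of the tables, not enVision's engine.


@dataclass(frozen=True)
class Event:
    ts: int             # seconds on a constructed sample clock
    device_type: str
    msg_id: str


@dataclass(frozen=True)
class Statement:
    label: str
    device_type: str
    msg_id: str
    threshold: int      # "Consider if N events ..."
    within: int         # "... come in within W seconds"

    def fire_times(self, events: List[Event]) -> List[int]:
        """Times at which N matching events fall inside a sliding W-second
        window. The window is cleared after each firing, so the individual
        events that made up the threshold are not reported again."""
        hits = sorted(e.ts for e in events
                      if e.device_type == self.device_type and e.msg_id == self.msg_id)
        window: deque = deque()
        fired: List[int] = []
        for t in hits:
            window.append(t)
            while t - window[0] > self.within:
                window.popleft()
            if len(window) >= self.threshold:
                fired.append(t)
                window.clear()
        return fired


def combine(left: List[int], op: str, within: int, right: List[int]) -> List[int]:
    """Join two lists of firing times with one operator from the circuit and
    rule tables; returns the firing times of the combination."""
    if op == "And":            # both sides fire within W seconds of each other
        out = [max(a, b) for a in left for b in right if abs(a - b) <= within]
    elif op == "And not":      # left fires with no right firing in the W seconds before it
        out = [a for a in left if not any(a - within <= b <= a for b in right)]
    elif op == "Followed by":  # right fires within W seconds after left
        out = [b for a in left for b in right if 0 <= b - a <= within]
    else:
        raise ValueError(f"unknown operator {op!r}")
    return sorted(set(out))


# A circuit (of statements) or a rule (of circuits) is a chain:
# the first label, then (operator, within-seconds, next label) steps.
Chain = Tuple[str, List[Tuple[str, int, str]]]


def evaluate_chain(chain: Chain, times: Dict[str, List[int]]) -> List[int]:
    first, steps = chain
    acc = times[first]
    for op, within, label in steps:
        acc = combine(acc, op, within, times[label])
    return acc


def demo() -> Dict[str, List[int]]:
    """Run STMT1, the FR897 circuit and the PIXROUT2 rule over constructed events."""
    pix = "Cisco PIX Firewall"
    stmt1 = Statement("STMT1", pix, "106006", threshold=10, within=60)
    # STMT5 is not defined in the text; "999999" is a constructed placeholder ID.
    stmt5 = Statement("STMT5", pix, "999999", threshold=1, within=60)

    events = [Event(100 + 3 * i, pix, "106006") for i in range(10)]   # burst 1: 100..127
    events += [Event(480, pix, "999999")]                              # one STMT5 hit
    events += [Event(500 + 3 * i, pix, "106006") for i in range(10)]   # burst 2: 500..527

    times: Dict[str, List[int]] = {
        "STMT1": stmt1.fire_times(events),
        "STMT5": stmt5.fire_times(events),
        # Firing times of the other circuits in PIXROUT2 are constructed directly.
        "IDSN761": [129, 600],
        "SPR419": [130],
    }
    # FR897: STMT1 And not STMT5; the Within value is blank in the text, 120 s is assumed.
    times["FR897"] = evaluate_chain(("STMT1", [("And not", 120, "STMT5")]), times)
    # PIXROUT2: FR897 Followed by (3 s) IDSN761 And SPR419; the And window (5 s) is assumed.
    times["PIXROUT2"] = evaluate_chain(
        ("FR897", [("Followed by", 3, "IDSN761"), ("And", 5, "SPR419")]), times)
    return times


if __name__ == "__main__":
    for label, fired in demo().items():
        print(f"{label}: fires at {fired}")
```

Running it shows the point made in the parenthetical note above: the first burst produces one STMT1 firing at 127 rather than ten rows, the second burst is suppressed by the And not against STMT5, and PIXROUT2 fires only where the FR897 firing is followed within 3 seconds by IDSN761 and coincides with SPR419.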


35. Correlation Classes


A correlation class defines a set of rules and a label for the class. You assign correlation rules to a
correlation class.

36. Import / Export Correlation Rules


You can import correlation rules (XML files) into your system.
To import a correlation rule:
1. Click Alerts > Alert Configuration > Correlated Alerts > Import/Export Correlation Rules.
enVision displays the Import/Export Correlation Rules window.
2. Click the Import radio button in the Operation field.
3. Type the directory containing the XML files to import in the Directory field, or click the browse icon
and select the directory from which you want to import.
4. Click Update List.
enVision displays XML files located in the specified directory.
5. Select a class name from the Class drop-down list to indicate where the correlated rules are to
be stored.
6. Select the check box in the Select column next to each XML file you want to import.
7. Click Apply.


37. Adding / Modifying Correlation Rules


Warning: RSA recommends that you do not include NIC System device message 919010 in either your
views or in a correlation rule (that is, where the selection criteria select the 919010 alert message).
Message 919010 alerts on generated alerts. If you add this message to your view or your correlation rule,
you will be alerting on alerts, and potentially creating a never-ending loop of alerts. If you do select this
message (or create a correlation rule that includes this message), you must set up appropriate
thresholds to limit the number of alerts generated by this message.
To add a correlation rule:
1. Click Alerts > Alert Configuration > Correlated Alerts > Manage Correlation Rules.
enVision displays the Manage Correlation Rules window.
2. Click Add.
enVision displays the Manage Correlation Rules - Add/Modify Rule window.
3. Complete the top portion of the window.
4. Optional. Add cache variables (to use with statement filters).
a. Click Manage Cache Variables.
enVision displays the Manage Cache Variables window.
b. Click Add.
enVision adds a cache variable entry.


c. Complete the entry.
d. To add another cache variable, repeat steps b and c.
e. Click Apply.
5. Add a circuit:
a. In the Correlation Rule Logic section click Add Circuit.
enVision displays the Add/Modify Circuit Definition window.
b. Type the name of the circuit in the Circuit label field.
c. Add a statement:
i. Click Add Statement.
enVision displays the Add/Modify Statement window.
ii. Complete the Statement label and Threshold definition fields.
iii. Select the devices to associate with the statement:
A. Click the radio button to determine how to select devices: either Select devices by Device Class/Type or Select devices by Device Group. Depending on the option you chose in step A, enVision displays either the Device Class/Type or the Device Groups selection.
B. Click the arrow to open the section.
C. Click Add.
enVision adds a device selection entry.
D. If in step A you selected the:
- Select devices by Device Class/Type radio button:
1. Select the Device Class/Type.
2. Click the icon under IP Address List/Mask.
enVision displays the Select IP Addresses popup window.
3. Complete the window and click Select.
- Select devices by Device Group radio button: select the Device Group from the drop-down list.
E. To add another device to the statement, repeat steps A through D.
iv. Select the events for the statement:
Note: If you are doing multi-threading, consider appending your event selection in the Add/Modify Statement window based on the variables you want to use in multi-threading. For example, you can use the AND operator and select the variable you want, to make sure you have selected only events that contain at least that specific variable.
A. Click the arrow to open the Event Selection section.
B. Click Add.
enVision adds an event selection entry.
C. Select the Event Type and Comparison values from the drop-down lists.
D. Click the icon under Value.
enVision displays the Select Event IDs popup window.
E. Complete the window and click Select.
F. To add another event selection entry, repeat steps A through E and select the appropriate Operator from the drop-down list to connect the entries.
v. Optional. Set up statement filters:
A. Click Set Filters.
enVision displays the Set Statement Filter window.
B. Click Add Filter.
enVision adds a filter entry.
C. Complete the filter.
D. To add another filter, repeat steps B and C and select the appropriate Join expression from the drop-down list to connect the entries.
E. Click Apply.
vi. Optional. Associate cache with variables:
A. Click Set Cache.
enVision displays the Associate Cache with Variable window.
B. Complete the window and click Apply.
vii. Click Apply.
enVision saves the statement.
d. To add another statement, repeat step c (add a statement).
e. Complete the Operator and Within (seconds) fields to connect the statements into a circuit.
f. Use the Order arrows as necessary to position the statements in the correct order.

6. To add another circuit:


a. Repeat step 5 (add a circuit).
b. Complete the Operator and Within (seconds) fields to connect the circuits in the correlation
rule logic.
c. Use the Order arrows as necessary to position the circuits in the correct order.
7. Click Apply.
enVision saves the correlation rule and displays the Manage Correlation Rules window.


38. Setup Alerter Service


Use the Set Up Alerter Service window to specify the processing options for the NIC Alerter Service.
Field - Description

Manage Task Triage
Alert posting - minimum count: Specify the Alert posting - minimum count setting in combination with the Alert posting - maximum time setting to control the flow of alert postings to the Task Triage server.
The enVision Alerter manages a buffer of fired alerts to post to the Task Triage server. The Alert posting - minimum count setting is the alert count at which the Alerter posts buffered alerts to the Task Triage server. If the total alerts in the buffer reaches this minimum count, the Alerter posts these alerts. At this point, enVision resets the counter and restarts the timer for buffering (defined in the Alert posting - maximum time field).
Valid values are 1 through 200. The default value is 10.
Alert Posting - minimum time: Specify the time in seconds at which the enVision Alerter posts buffered alerts to the Task Triage server.
If this timer expires and there are any alerts in the buffer, the Alerter posts these alerts even if the number of buffered alerts is less than the Alert Posting - Minimum Count value. At this point enVision restarts the timer and resets the counter for the Alert Posting - Minimum Count.
Valid values are 10 through 300. The default value is 60.

Manage Device Asset Values
Refresh rate: Select the refresh rate for the recalculation of the asset values. Values are:
- Update asset values when Alerter Service is restarted.
- Update asset values every n minutes.

Manage Alerts Synchronization
Indicate when the alerts are resynchronized.
Alerter service: Select to re-synchronize the alerts when the NIC Alerter Service is restarted.
Maximum number of alert events to monitor: Select to re-synchronize the alerts when the specified number of alerts is reached.

Manage Restart of Alerter Service/Views
Indicate the default check box settings for restarting the NIC Alerter Service and views.
Default view action: Select to start/restart a view after a configuration change to the view. You can override this on the Manage Views window for an individual view while modifying a view. (The configuration changes for the view do not take effect until the view is restarted.)
Show message: Select to display a message box after a configuration change (other than a change to a view), to remind you that the NIC Alerter Service must be restarted. You can override this on the individual windows on which you make the modification. (The configuration changes you selected on the window do not take effect until the service is restarted.)
Restart Alerter Service: Select to start/restart the NIC Alerter Service. The options you selected on the window do not take effect until this occurs.

Apply: Saves the information and restarts the service (if selected).
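The count-or-timer behaviour of the two Manage Task Triage settings, worked through as an added Python model (this is not enVision code). The class name, the periodic tick call and the timeline are this example's own constructions; the valid ranges and defaults are the ones from the table.

```python
from typing import List, Tuple

# Added example, not RSA enVision code: a model of the two Manage Task
# Triage settings. Alerts are buffered and posted either when the buffer
# reaches the minimum count or when the posting timer expires; a post
# resets the counter and restarts the timer.


class AlertPostingBuffer:
    def __init__(self, min_count: int = 10, max_time: int = 60, now: float = 0.0):
        # Valid ranges from the Set Up Alerter Service table.
        if not 1 <= min_count <= 200:
            raise ValueError("Alert posting - minimum count must be 1 through 200")
        if not 10 <= max_time <= 300:
            raise ValueError("Alert posting time must be 10 through 300 seconds")
        self.min_count = min_count
        self.max_time = max_time
        self.buffer: List[str] = []
        self.timer_start = now
        self.posted: List[List[str]] = []   # batches sent to the (simulated) Task Triage server

    def _post(self, now: float) -> None:
        self.posted.append(self.buffer)
        self.buffer = []            # reset the counter
        self.timer_start = now      # restart the timer

    def fire(self, alert: str, now: float) -> None:
        """An alert fired: buffer it, and post if the minimum count is reached."""
        self.buffer.append(alert)
        if len(self.buffer) >= self.min_count:
            self._post(now)

    def tick(self, now: float) -> None:
        """Periodic check: when the timer expires, post whatever is buffered,
        even if the count is below the minimum; the timer restarts either way."""
        if now - self.timer_start >= self.max_time:
            if self.buffer:
                self._post(now)
            else:
                self.timer_start = now


def simulate() -> Tuple[List[List[str]], List[str]]:
    """Constructed timeline with minimum count 3 and a 10-second timer.
    Returns (batches posted so far, alerts still buffered)."""
    buf = AlertPostingBuffer(min_count=3, max_time=10, now=0)
    buf.fire("alert-1", now=0)
    buf.fire("alert-2", now=1)
    buf.fire("alert-3", now=2)     # count reached: first batch posted at t=2
    buf.fire("alert-4", now=5)
    buf.tick(now=11)               # 9 s since the last post: nothing yet
    buf.tick(now=12)               # timer expired: alert-4 posted on its own
    buf.tick(now=22)               # timer expired with an empty buffer: only restarts
    buf.fire("alert-5", now=25)
    buf.fire("alert-6", now=28)
    buf.tick(now=30)               # 8 s into the new timer: still buffered
    return buf.posted, buf.buffer


if __name__ == "__main__":
    posted, pending = simulate()
    print("posted batches:", posted)
    print("still buffered:", pending)
```

The simulation makes the trade-off visible: a low minimum count posts small batches quickly, a long timer lets single alerts sit in the buffer for up to the full timer period before Task Triage sees them.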


39. Setup Alerter History


Use the Set Up Display Options window to control the window refresh rate, the column display order
and the sort order of the data on the Alert History window in the Alerts Module.
Field - Description
Dynamic refresh: Select the Refresh the alerts every check box to automatically refresh the data on the History window. Type the time increment and select Seconds or Minutes from the drop-down list to specify how often the automatic refresh occurs. Valid values are 1 through 999 minutes. The default value is 5.
Row count: Type the number of rows that display per page. Valid values are 5 through 999. The default value is 20.
Column display order: Select a column header and use the up and down arrows to arrange the order in which the columns display on the History window.
Column sort precedence: Select a column from the drop-down list by which to sort the data. Select Descending or Ascending from the associated drop-down list to indicate whether the selected column should be sorted in descending or ascending order. The system displays the window sorted by Timestamp by default.
Apply: Saves the information.

Analysis


40. Event Viewer


Use the Event Viewer tool in the Analysis module to:
- Graph events for analysis. You can graph:
  - Events by event type.
  - Event types by time.
- View incoming data.

The Event Viewer translates the timestamp on the events to the local time of the client running Internet
Explorer.

To graph events by event type:


1. Click Analysis > Event Viewer > Graph View > Events by Event Type.
enVision displays the Graph Events by Event Type window.
2. Select the time range from the Timeframe drop-down list.
3. Select the time zone from the Time zone drop-down list.
4. Select the site from the Site drop-down list.
5. Select the device type from the Device Type drop-down list.
6. Select the device from the Device drop-down list.
7. Select the type of events to include from the Event Types drop-down list.
8. Optionally, select the Display Advanced Graph Options checkbox. Proceed as follows:
a. Select the type of graph to create, Bar or Line from the Graph Type drop-down list.
b. Select the data type from the Data Type drop-down list.
c. Select the value to display on the Y Axis from the drop-down list: Events, Size or EPS.
9. Click Update Now.
enVision displays the graph.
A tool tip for each bar on the graph displays the event ID associated with the bar and the
number of events, size or EPS associated with the event ID, depending on the value you selected
in the Y Axis field (Events, Size or EPS).

To graph event types by time:

1. Click Analysis > Event Viewer > Graph View > Event Types by Time.
enVision displays the Graph Event Types by Time window.
2. Select the site from the Site drop-down list.
3. Select the device type from the Device Type drop-down list.
4. Select the device from the Device drop-down list.
5. Select the type of events to include from the Event Types drop-down list.
6. Select the time range from the Time drop-down list.
7. Select the time zone from the Time zone drop-down list.
8. Optionally, select the Display Advanced Graph Options checkbox. Proceed as follows:
a. Select the type of Automatic Updates: Update on selection change and/or Update every 5 minutes.
b. Select the type of graph to create, Bar or Line, from the Graph Type drop-down list.
c. Select the data type from the Data Type drop-down list.
d. Select the value to display on the Y Axis from the drop-down list: Events, Size or EPS.
e. Select the time value to display on the X Axis from the drop-down list.
9. Click Update Now. The system displays the graph.
A tool tip for each bar on the graph displays the time interval, the event ID associated with the bar,
and the number of events, size or EPS associated with the event ID, depending on the value you
selected in the Y Axis field (Events, Size or EPS).
10. Optionally, click a value in the Event Types table (to the right of the graph) to change the graph
to only display information for that specific event type. (To reset the graph to include the top 14
event types, click Update.)
11. Optionally, right-click on a bar to display a menu.
Click - To
Zoom In - Zoom in on a time range. The graph displays a time range 50% smaller than the original (for example, if you originally had a graph showing 1 hour, Zoom In displays a graph showing 30 minutes). The point on the graph at which you selected Zoom In becomes the midpoint of the new graph.
Zoom Out - Zoom out on a time range. The graph displays a time range 50% larger than the original (for example, if you originally had a graph showing 30 minutes, Zoom Out displays a graph showing 1 hour). The point on the graph at which you selected Zoom Out becomes the midpoint of the new graph.
Scroll Left - Scrolls the graph display to the left.
Scroll Right - Scrolls the graph display to the right.
View Events - Mark the starting and ending points on the graph to display a list of Event ID, Date/Time, Device and Event.


41. Query Tool


Use the Query tool in the Analysis module to create and run queries on data.
Create a new query or run a query you saved from a previous session. You can save the results of
queries that you run in a comma-separated file (.csv file). You can import the .csv file into other
applications, such as Microsoft Excel.
Note: The Query Tool is very useful for creating alerts and reports from scratch. This is where you
establish the information you want to get from an alert or a report.

To create a query:
1. Click Analysis > Query > Create New Query.
enVision displays the Create New Query window.
Warning: When you perform a query on the Alert Notes table, enVision selects (checks) the Date/Time
column (and only the Date/Time column) by default. If you run the query with just the Date/Time
column checked, enVision does not find any data. You must make sure that the Date/Time column and
at least one other column is checked before you run a query on the Alert Notes table.
2. Click Save to save the query.
enVision displays the Save Query window.
3. Click the refresh icon on the Query menu to refresh the menu and display the new query in the menu.
4. Click Run.
enVision finds the records that match the filter information you entered and displays the information on
the Query Results window.
5. Optionally, click Save All to save the query results in a .csv file in the
\piquery\user_ID\query_name\query_name directory (the administrator defines the location of this
directory on the Set Up Directories window).
Example - Create a Query
Here is a sample query. This query searches the database and displays all HTTP, SMTP, and POP3 traffic
from firewall devices.
- Query the FireWall Accounting table; this table contains the connection message, from which address,
bandwidth, duration and port-specific information can be derived.
- Include the ForeignPort field in the query; this field contains the connection port of the foreign host
involved in a particular network event.
- To further narrow the query results, include the following criteria for the ForeignPort field:
  - 80 (ForeignPort 80 is the port for HTTP traffic destined to outside web servers)
  - 25 (ForeignPort 25 is the port for SMTP traffic destined to outside email servers)
  - 110 (ForeignPort 110 is the port for POP3 email traffic).
- Only include the last 4 hours of information in the query results.

SQL statement syntax is very important.

Strings in SQL Statements
Values that are an IP address, a date, a time, and so forth are called strings.
- Enclose strings in single quotes.
- Strings are case-sensitive.
- You can use the SQL operators AND, OR, and NOT with strings. (Reports module only.)
Note: Values that are numbers (such as ports) are not considered strings.
DeviceAddress
For the DeviceAddress field, the address is considered a string. Enclose the entire value in single quotes
when the string is part of an SQL statement.
For example: DeviceAddress = '123.123.1.1'
DeviceHostName
For the DeviceHostName field, the host-server-name is considered a string. Enclose the entire value in
single quotes when the string is part of an SQL statement.
For example: DeviceHostName = 'host-server-name'

IP Addresses
IP addresses are considered strings. Enclose all strings in single quotes when the string is part of an SQL
statement.
For example: ForeignAddress = '123.123.123.123'
Date and Time Formats
Dates and times are considered strings. Enclose all dates and time in single quotes when the string is
part of an SQL statement. Use the correct date and time formats and use the format consistently. You
must use date and time together in a Date/Time SQL statement.
For example: Date/Time >= '10-24-06 9:00' AND Date/Time <= '10-24-06 13:00'
Dates in strings can appear in the following formats:
mm-dd-yy
mm-dd-yyyy
mm/dd/yy
mm/dd/yyyy
Month dd, yy
Month dd, yyyy
Times in strings can appear in the following 24-hour formats:
hh:mm:ss
hh:mm
Apostrophes
Apostrophes within strings must appear as ' '.
For example, Patriot's S% would appear in a string as: LIKE 'Patriot' 's S%'


Special Sequences
Three special sequences are recognized:
- \n represents a newline character.
- \\ represents a single backslash (\).
- \xDD represents the character with hexadecimal code DD.
Troubleshooting
- Check the SQL statement syntax.
- Replace any double spaces between words, operators, and symbols with a single space.
- Delete any extra spaces or carriage returns from the end of the SQL statement.
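An added Python helper (not enVision code) that applies the syntax rules above to the sample HTTP/SMTP/POP3 query from the Query Tool section: it parses the documented date and time formats, quotes string values but leaves port numbers bare, expands the three special sequences, and applies the two spacing fixes from the troubleshooting list. The grouping parentheses around the OR list and the fixed "now" of 24 October 2006 13:00 are assumptions; a value containing an apostrophe is rejected rather than escaped, since escaping follows the Apostrophes rule above.

```python
import re
from datetime import datetime, timedelta
from typing import Iterable, Union

# Added example, not RSA enVision code. It applies the quoting, date/time
# and special-sequence rules to build and check filter text for the
# HTTP/SMTP/POP3 query; nothing here runs against an enVision database.

# Date formats listed in the text, paired with the two 24-hour time formats.
DATE_FORMATS = ["%m-%d-%y", "%m-%d-%Y", "%m/%d/%y", "%m/%d/%Y", "%B %d, %y", "%B %d, %Y"]
TIME_FORMATS = ["%H:%M:%S", "%H:%M"]


def parse_datetime(value: str) -> datetime:
    """Parse a Date/Time string; date and time must both be present."""
    for d in DATE_FORMATS:
        for t in TIME_FORMATS:
            try:
                return datetime.strptime(value, f"{d} {t}")
            except ValueError:
                continue
    raise ValueError(f"unsupported Date/Time value: {value!r}")


def sql_literal(value: Union[str, int, float]) -> str:
    """Strings (IP addresses, host names, dates and times) are enclosed in
    single quotes; numbers such as ports are written bare."""
    if isinstance(value, bool):
        raise TypeError("booleans are not valid literals")
    if isinstance(value, (int, float)):
        return str(value)
    if "'" in value:
        # Apostrophes need the escaping described under "Apostrophes" first.
        raise ValueError("escape apostrophes before quoting the string")
    return f"'{value}'"


_SPECIAL = re.compile(r"\\(n|\\|x[0-9A-Fa-f]{2})")


def decode_special(value: str) -> str:
    r"""Expand the three recognised sequences: \n, \\ and \xDD."""
    def repl(m):
        tok = m.group(1)
        if tok == "n":
            return "\n"
        if tok == "\\":
            return "\\"
        return chr(int(tok[1:], 16))
    return _SPECIAL.sub(repl, value)


def port_filter(field: str, ports: Iterable[int]) -> str:
    """ForeignPort = 80 OR ForeignPort = 25 OR ... (numbers stay unquoted)."""
    return " OR ".join(f"{field} = {sql_literal(p)}" for p in ports)


def time_window(end: datetime, hours: int) -> str:
    """Date/Time >= '<start>' AND Date/Time <= '<end>' in one consistent format."""
    fmt = "%m-%d-%y %H:%M"
    start = end - timedelta(hours=hours)
    return (f"Date/Time >= {sql_literal(start.strftime(fmt))} "
            f"AND Date/Time <= {sql_literal(end.strftime(fmt))}")


def normalize_spacing(stmt: str) -> str:
    """Troubleshooting steps: collapse double spaces and strip trailing
    spaces or carriage returns."""
    return re.sub(r" {2,}", " ", stmt).rstrip()


def example_query(now: datetime) -> str:
    """The sample query from the text: ForeignPort 80, 25 or 110 over the last
    4 hours. The grouping parentheses are this example's assumption. The
    double spaces and trailing line break are deliberate, to exercise the
    troubleshooting clean-up."""
    clause = f"({port_filter('ForeignPort', [80, 25, 110])})  AND {time_window(now, 4)}  \r\n"
    return normalize_spacing(clause)


if __name__ == "__main__":
    print(example_query(datetime(2006, 10, 24, 13, 0)))
```

Because the window is computed from a datetime, the "last 4 hours" boundary can be generated afresh each time the query is run instead of being typed by hand, which avoids the mixed-format and trailing-whitespace mistakes the troubleshooting list warns about.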


Reports


42. Reporting Module


The Reports module consists of the following tools:
Tool - Use the tool to...
Scheduled Reports - Display generated scheduled reports.
Ad Hoc Reports - Create, modify and/or run reports.
Report Configuration - Manage running reports, manage scheduled reports, schedule reports, manage report folders, and set up reports options.

Use the Reports module to generate reports. You can create tabular reports and graph reports.
The Reports module has standard network security and traffic analysis reports and graphs. You can copy
and modify these reports, or create your own custom reports to meet your specific reporting needs.


You can run reports ad hoc or schedule the reports to run at specific times. You can create report folders
in which to store generated scheduled reports; this allows you to provide specific clusters of reports to
specific key personnel.
The administrator selects the file format of the report results. The results can be displayed in a browser,
saved as a CSV file, and/or saved as a PDF file.
Important: You must register the appropriate Unicode font to generate PDF reports with embedded
localized report headings and event data.
You can create a bind report - a group of reports that can be scheduled to run as a single report.
Note: The administrators can perform all functions within the Reports module. To provide users access
to the Reports module, the administrator assigns users to a user group with permissions for the Reports
module. To limit user access to reports or to override the user group permissions, the administrator
assigns report permissions for specific device classes.
Note: The Create New Report menu item only displays for users or users within a user group with the
Administrator Report Permission set (on the Manage Report Permissions window).
Important: The system considers all traffic inbound unless you configure each local IP address to
distinguish between inbound and outbound messages. If you do not perform this task, the system's
outbound reports (HTTP, FTP, TELNET, SMTP) will not report traffic correctly.


The Reports module has standard network security and traffic analysis reports and graphs. Reports are
organized by device class. Reports are available for:
- Compliance
- Correlated alerts
- Host devices
- Network devices
- Security devices
- Storage devices
- Task Triage. Limitations and rules governing standard Task Triage reports:
  - You cannot bind them.
  - You cannot specify device groups or a time range in the Run/Copy/Modify/Delete Report window for them.
- VAM (Vulnerabilities and Asset Management). Limitations and rules governing standard VAM reports:
  - You cannot bind them.
  - You cannot specify device groups or a time range in the Run/Copy/Modify/Delete Report window for them.
When you select a report, enVision displays the Run/Copy/Modify/Delete Report window, from which you run
the report and specify runtime parameters (if any).


Compliance Reports:
enVision has standard compliance reports for various compliance issues:
- BASEL II
- Bill 198
- Federal Information Security Management Act of 2002 (FISMA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- National Industrial Security Program Operating Manual (NISPOM)
- North American Electric Reliability Council (NERC)
- Payment Card Industry (PCI) Data Security Standard
- Sarbanes-Oxley Act of 2002 (SOX)
- Statement on Auditing Standards (SAS) No. 70 (SAS 70)

43. Scheduled Reports


You can schedule reports to run automatically at a particular time. Optionally, you can also select for a
report to be run on a specific day, on a specific date in a month, and/or run in specific months. You can
specify the amount of previously collected data that is to be included in the report.
Important! You must be an administrator to schedule a report.
The scheduled report process allows multiple reports to run simultaneously. Bind reports can run all
reports within the bind simultaneously; however, only one bind can be run at a time.
The administrator sets up options for storing and saving results for scheduled reports on the Set Up
Reports window. The administrator can override these options for an individual report on the Schedule
Reports window.
Schedule reports using the Schedule Reports window in the Reports module.
Note: If a report result set has been restricted (due to the result set size), the following message displays
on the report: Returned X of Y results (where X is the number of rows displayed in the report and Y is
the total number of rows that met the report query criteria). If the result set size is greater than the
recommended result set size (defined in the Set Up Reports window), and the option for Return all
results has been selected for the report, the system saves the report as a CSV file, and an HTML file
including the max acceptable number of rows.
Use the Schedule Reports window to schedule the generation of a report, graph or bind.
Important! You must be an administrator to schedule a report.
Field - Description
Task type: Displays the task type: Report.
Site: Displays the site name where this report will run.
Node: Displays the node name where this report will run.
Task name: Type a unique name for this task.
Report name: Click the icon to select a report to schedule.
Device groups: Select the device groups that define the devices for the data to be included in the report results. Options are:
- Device Groups: Select one or more device groups to include in the report results.
- Select NIC_ALL to include all the devices you have permission to see. Note: NIC_ALL does not allow you to access all devices currently being analyzed.
Runtime parameters: Enter a value to be applied against the runtime parameters when the report is run.
Note: The runtime parameter field remains blank if you did not create a parameter definition for this report.
Folder name: Select a folder from the drop-down list. The Scheduler Service includes this report in the selected folder. The default folder is Default.
Time Range: Define the time range for the data to be included in the query results. Options are:
- Relative: select to run a report for a relative time.
  - Previous: Type the number of previous minutes, hours, days, weeks, or months. Valid values are 1 through 9,999 (up to 10 years). Select Minute(s), Hour(s), Day(s), Week(s), or Month(s) from the drop-down list.
  - Use last complete hour: Select the checkbox to calculate the time. If the checkbox is not selected, the default assumes that a month is the past 30 days. The start time is rounded down to the last full unit of the selected time.
    Start for last complete day: 12:00 AM to 11:59 PM for the previous day.
    Start for last complete week: 12:00 AM Sunday to 11:59 PM Saturday for the previous week.
    Start for last complete month: 12:00 AM of the first day of the previous month to 11:59 PM of the last day of the previous month.
- Custom: Select to run a report for a specific time range. If you select this option, the report will only run one time.
  - From - To: specify the time range for the report. The time is based on a 24-hour clock. Click the icon to display the calendar to select the date and modify the time.
  - Selected: displays the time range you specified.
Email Options: Click the icon to display the Scheduled Report Email Delivery Options popup window. Use this window to select an existing SMTP output action to use for report delivery and/or enter the email address information for a specific report.
Warning: The Email link only works if the location of the report is under the webapps directory (that is, if the report does not show up in the calendar, the link to it will not work).
Result Set Size: Specify the size of the result set and output actions.
- Return the _X_ _Y_ results: X - drop-down selection. Valid selections are first or last. Y - result set size. Valid values are 1 to the size defined in the Set Up Reports window. The default is the result set size defined on the Set Up Reports window.
- Return all Results: Returns all results. If the result set size is greater than the recommended result set size (defined on the Set Up Reports window), the file is saved as CSV (if the option to Save results as an HTML file is selected, the HTML file created is limited to the maximum number of rows).
Display Options:
- Save results as an HTML file: Select to save the report as an HTML file. Selected by default. To display the reports in the web browser from enVision, you must select this option.
- Save results as a CSV file: Select to save the results to a CSV file. If Save results as a CSV file is selected on the Set Up Reports window, this check box is selected by default.
- Save results as a PDF file: Select to save the results to a PDF file. This check box is selected by default if the Save results as a PDF file check box is selected on the Set Up Reports window.
Important: You must register the appropriate Unicode font to generate PDF reports with embedded localized report headings and event data.
Directory path: Type or click the icon to select the directory path to which the folder will be added. If a path is not selected, the default value is e:\installdir\webapps\pi\pireport
Note: If you specify a directory here, you will not be able to display the scheduled report on the Scheduled Reports window.
Enabled: Select the check box to enable the task. The Scheduler Service only processes enabled tasks.
Schedule: Click to schedule the task. The task displays on the Manage Scheduled Reports window.
Schedule Immediate: Click to schedule the task for immediate processing. enVision runs the report once with no recurrence. Here are the advantages of scheduling a report to run immediately as opposed to running it as an ad-hoc report:
- enVision sends the report's results to a calendar. If you run this report as an ad-hoc report, enVision deletes it as soon as you log out.
- You can schedule the report to run as part of a bind. You can only run ad-hoc reports individually.
Set Recurrence: Click to display the Set Recurrence window to indicate when and how often the task is to be run.
Cancel: Cancels the changes to the window.
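The Relative time-range rules from the Time Range row of the table above, worked through as an added Python example (not enVision code). The function names are this example's own; it treats the end of each "last complete" range as an exclusive boundary (the text's 11:59 PM plus one minute) so that every unit is handled the same way, starts weeks on Sunday as the text does, and uses 30 days for a month when the checkbox is clear. The "now" of Tuesday 24 October 2006 13:17 is constructed.

```python
from datetime import datetime, timedelta
from typing import Dict, Tuple

# Added example, not RSA enVision code: the "Relative" time-range rules from
# the Schedule Reports table. The end of a "last complete" range is returned
# as an exclusive boundary (the text's 11:59 PM plus one minute); weeks start
# on Sunday; without the checkbox a month is taken as the past 30 days.

UNITS = ("Minute", "Hour", "Day", "Week", "Month")


def floor_to_unit(now: datetime, unit: str) -> datetime:
    """Round down to the start of the unit that contains `now`."""
    if unit == "Minute":
        return now.replace(second=0, microsecond=0)
    if unit == "Hour":
        return now.replace(minute=0, second=0, microsecond=0)
    day = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "Day":
        return day
    if unit == "Week":                       # weekday(): Monday=0 ... Sunday=6
        return day - timedelta(days=(day.weekday() + 1) % 7)
    if unit == "Month":
        return day.replace(day=1)
    raise ValueError(f"unknown unit {unit!r}")


def months_back(first_of_month: datetime, n: int) -> datetime:
    """Step a first-of-month timestamp back n calendar months."""
    year, month = first_of_month.year, first_of_month.month - n
    while month <= 0:
        month += 12
        year -= 1
    return first_of_month.replace(year=year, month=month)


def relative_range(now: datetime, n: int, unit: str,
                   use_last_complete: bool) -> Tuple[datetime, datetime]:
    """Previous n unit(s), with or without the 'Use last complete ...' checkbox.
    Returns (start, end) with end exclusive."""
    if not 1 <= n <= 9999:
        raise ValueError("Valid values are 1 through 9,999")
    if unit not in UNITS:
        raise ValueError(f"unknown unit {unit!r}")
    if not use_last_complete:
        # Checkbox clear: count back from now; a month is the past 30 days.
        span = {"Minute": timedelta(minutes=n), "Hour": timedelta(hours=n),
                "Day": timedelta(days=n), "Week": timedelta(weeks=n),
                "Month": timedelta(days=30 * n)}[unit]
        return now - span, now
    end = floor_to_unit(now, unit)           # end of the last complete unit
    if unit == "Month":
        start = months_back(end, n)
    else:
        start = end - {"Minute": timedelta(minutes=n), "Hour": timedelta(hours=n),
                       "Day": timedelta(days=n), "Week": timedelta(weeks=n)}[unit]
    return start, end


def example_ranges() -> Dict[str, Tuple[str, str]]:
    """Worked values for a constructed 'now' of Tuesday 2006-10-24 13:17."""
    now = datetime(2006, 10, 24, 13, 17)
    out: Dict[str, Tuple[str, str]] = {}
    for unit in ("Day", "Week", "Month"):
        start, end = relative_range(now, 1, unit, use_last_complete=True)
        out[f"last complete {unit.lower()}"] = (start.isoformat(), end.isoformat())
    start, end = relative_range(now, 1, "Month", use_last_complete=False)
    out["previous 1 month (30 days)"] = (start.isoformat(), end.isoformat())
    return out


if __name__ == "__main__":
    for label, (start, end) in example_ranges().items():
        print(f"{label}: {start} up to (not including) {end}")
```

The two readings of "1 month" differ by several days of data, so a scheduled report that is meant to line up with a calendar month needs the checkbox selected.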

44. Reports Folder


Create report folders to provide specific scheduled reports and exported database tables to specific key
personnel.
Add folders on the Manage Folders window. You can specify a folder when you schedule a report or
database export task. As the system generates the scheduled task, it adds it to the assigned folder.
You access the reports in the folders by selecting the folder on the Display Schedule Report Results
window.
You can manage the security for report folder access through a web server, such as Microsoft Internet
Information Systems or Apache Software Foundation's Apache HTTP Server.

45. Setup Reports


Report directory: Type (or click the icon to select) the default directory in which to store the report results for scheduled reports. The subdirectories in this directory are named based on the time the report results file was generated.
Note: enVision appends pireport to the end of the default directory you selected and names the subdirectories based on the time the report results file was generated.
(You can also specify this directory on the Set Up Directories window.)
Recommended result set size: Define the maximum result set size for a report. Valid values are 1 to 500,000. The default is 5,000.
Report rows: Select the check box to save the results as a CSV file.
PDF generation: Select the check box to save the results as a PDF file.
Important: You must register the appropriate Unicode font to generate PDF reports with embedded localized report headings and event data.
DNS resolution: Select the check box to enable DNS resolution processing for all reports. Selected by default. If this option is selected, you can override it (turn it off) for individual reports on the Create/Modify Report - Select Additional Report Options window. If the Resolve hostnames check box on the Set Up DNS Resolver Service window is not selected, the system will not perform any DNS resolution processing and this field is not enabled.
Report logging: Select the check box to enable logging. If this is selected, the NIC Web Server service creates a log file of performance information in the envision/logs nsdatabase.log file. The system continues to add to this file. Select this check box when you are asked to by NIC technical support, to determine the cause of issues occurring during reporting.
Apply: Saves the information.