Creating and Running Queries
The Query Wizard is a powerful tool that allows you to select exactly which events and actions you wish to examine and to specify the format of the printed or displayed output. You create query definitions using a series of parameter screens covering the various components.
To open the Query Wizard within Firewall, select 1. Work with Queries from the Reporting menu (STRFW > 41 > 1), as shown in Creating and Running Firewall Queries and Reports.
The Work with Queries screen appears.
    Work with Queries
    Position to . . . . ________        Subset by type . . . __
                                                  by text . . . . . ________
    Type options, press Enter.                    by classification. __  C=Compliance,..
      1=Select  3=Copy  4=Delete  5=Run  6=Print  7=Rename  8=Run as batch job
      9=Explanation  S=Schedule  X=Export  G=Group summary
    Opt  Query      Type  Description                           Class.
         AA_DBOPEN   00
         AAA         49
         AAAAANET    08   TELNET-Telnet Device Initialization
         AAAAFSRV    06   FILSRV-File Server
         AAFILSRV    06   FILSRV-File Server
         CPYCPSGN    32   TCPSGN-TCP Signon Server
         EVGENY1     01
         MZDBOPEN    00
         R6          06
         TEST        03
         TSTDB       45   Test lllll
         T50         50
                                                                  More...
    F3=Exit  F4=Prompt  F6=Add New  F7=Un/Fold  F8=Print  F12=Cancel
The body of the screen lists existing queries. After the Opt field for entering options, it has the following fields:
Query
A unique name for the query
Type
The query information type. Press the F4 key for a list of available query types.
Description
A free-form text description of the query
Class.
Letters or digits for classifications of queries. Predefined values include
- C: Compliance (SOX/ISO17799/PCI, etc.)
- U: User
- O: Object
- S: System Values
- N: Network
You can freely define meanings for the digits 0 through 9.
To add a new query, press the F6 key. The Add Query screen appears, as shown in Adding and Modifying Queries.
To view or modify further information on a query, type 1 in the Opt field for the query and press Enter. The Modify Query screen appears, as shown in Adding and Modifying Queries.
To view or modify the classification and explanation of a query, type 9 in the Opt field for the query and press Enter. The Query Explanation and Classification screen appears. Enter classification characters (as shown for the Class field above) in the Classification list field. Enter a free-form explanation of the query in the Query explanation field, which is printed on output reports that include headers.
To view or modify summaries included in the query output, type G (for Group Summary) in the Opt field for the query and press Enter. The Modify Query Summary Definitions screen appears, as shown in Modifying Query Summary Definitions.
To copy information from one query to another, type 3 in the Opt field for the query and press Enter. The Copy Query window opens. The read-only From field shows the name and description of the original query. Enter the name and a free-form description for the new query in the To fields.
To rename a query, type 7 in the Opt field for the query and press Enter. The Rename Query window opens. The read-only From field shows the name and description of the original query. Enter the new name and description for the query in the To fields.
To delete a query, type 4 in the Opt field for the query and press Enter. The Delete Query window opens. Press Enter to confirm the deletion or the F12 key to cancel it.
To run a query interactively, type 5 in the Opt field for the query and press Enter. The
To run a query interactively and print the output, type 5 in the Opt field for the query and press Enter. The
To run a query as a batch job, type 8 in the Opt field for the query and press Enter. The
To schedule a query to run regularly as part of a report group, type S in the Opt field for the query and press Enter. The Schedule Query screen appears, as shown in Scheduling Queries.
To export a query definition, type X in the Opt field for the query and press Enter. A confirmation line stating that the definition has been exported appears at the bottom of the screen. After you have finished working with this screen and press F3 to exit, the Export iSecurity Query Definitions screen appears. There you can specify whether to export the definition to a particular system, to a group of systems, or to all systems. If you set the field to *NONE, the definition is instead exported to a save file whose name is shown on the last line of that screen.