Summarizer

This section contains the following subsections:

About Summary Data in Reports

Summarizer Settings and Summarization Interval for CDP

Configuring the Data Deletion Schedule Settings

Configuring Data Storage

Configuring Hostname Resolution

About Summary Data in Reports

These reports are constructed from the most current available summary data. In order to create summary data, the Analyzer Reporting Module must parse the raw data files.

When configuring Analyzer Reporting using the screens on the Console panel under Reports, you can select the amount of summary information to store. These settings affect the database size, so be sure there is adequate disk space to accommodate the settings you choose.

Additionally, you can select the number of days that raw syslog data is stored. The raw data is made up of information for every connection. Depending on the amount of traffic, this can quickly consume an enormous amount of space in the database. Analyzer creates a new 2 GB database for raw syslog data every day. Be very careful when selecting how much raw information to store.

Summarizer Settings and Summarization Interval for CDP

SonicWALL CDP appliances send their syslog packets to Dell SonicWALL Analyzer via UDP packets. When summarization is enabled, the Summarizer will process those files and store the data in the summary databases at the interval you specify.

See the following sections:

Enabling Report Summarization for CDP Appliances

Setting the Reports Data Summarization Interval

Using Summarize Now

Enabling Report Summarization for CDP Appliances

To globally enable the summarization of report data, which is necessary for viewing reports, perform the following:

1. On the Console panel, navigate to Reports > Summarizer.

2. Under Summarizer Settings, select the Enable Report Summarization checkbox.

3. Click Update.

Setting the Reports Data Summarization Interval

The Summarizer will process syslog data sent from SonicWALL CDP appliances and store the processed data in the summary databases at the interval you specify. When a CDP appliance is configured to communicate with Analyzer, you need to verify that the summarizer is scheduled to collect and process data for this unit at an appropriate interval.

To configure the summarization interval, perform the following steps:

1. Click the Console tab, expand the Reports tree and click Summarizer. The CDP Summarizer page displays.

2. Under Reports Data Summarization Interval, important information about the Summarizer is displayed. Use the Summarize every pull-down lists to specify how often in hours and minutes the Analyzer Reporting Module should process syslog data and update summary information.

3. Click the Update button to the right of this field.

4. To specify the next summarization time, enter a date in the form mm/dd/yyyy in the Next Scheduled Run Time field, and select the hour and minute values from the pull-down lists.

5. Click the Update button to the right of this field.

To update the summary information now, click the Summarize Now button. Dell SonicWALL Analyzer will automatically process the latest information and make it available for immediate viewing.

For more information about using and verifying the Summarize Now option, see Using Summarize Now.

Note: This will not affect the normally scheduled summarization updates on Analyzer.

Using Summarize Now

The Summarize Now feature allows the administrator to create instant summary reports without affecting the regularly scheduled summary reports. You can use Summarize Now to test that the Summarizer is gathering data for a managed unit. The SonicWALL Analyzer Summarize Now feature is located in the Console tab under Reports > Summarizer. The SonicWALL Analyzer Summarizer creates summary reports by default every 8 hours. Summary reports can be configured by the administrator to occur every 15 minutes to every 24 hours.

To use the Summarize Now feature, perform the following tasks:

1. Click the Console tab, expand the Reports tree and click Summarizer. Click the Summarize Now button to summarize data immediately.

2. You will see a pop-up window verifying that you want to summarize the data now. Summarizing data using Summarize Now is a one-time action and will not affect the scheduled summary. Click OK to continue.

To verify summarization, navigate to Log > View Log in the left pane. Search for the message Report Data Summarized to verify that the Summarize Now action has completed.

5. When Summarize Now has completed, click the Firewall tab at the top of the screen. In the left-most pane, click GlobalView or click an appliance.

Note: You may see incomplete data if you view the Summary section of a selected report before the Summarize Now process is complete. Wait for the Report Data Summarized message to be displayed in Log > View Log.

6. In the center pane, click a report to expand it, then click the Summary option underneath it. For example, click Capacity, then click Summary to review the summarized CDP capacity usage data.

Navigate to the Summary section of other reports in the center pane to see other summarized data.

Configuring the Data Deletion Schedule Settings

Syslog files sent from SonicWALL appliances are stored on the system, and are consolidated into the syslog database. The Summarizer processes the syslog data and stores the processed data in the summary database. After the configured period of syslog storage, the syslog data can be periodically deleted from the system. This is necessary, as the syslog files and database can consume a lot of space on the file system.

This section of the Summarizer page also provides a way to delete summarized data for a certain date. For example, if summarized data is kept for a long time, such as 90 days, then you could use this option to remove some summarized data from a particular date within the 90 day period if the stored data was becoming too large.

Tip: Run your database maintenance jobs soon after the completion of the scheduled tasks configured on this page for summarizing data and deleting old syslog data.

Analyzer requires large amounts of disk space for raw data storage. In previous versions, the maximum raw syslog database size was 2 GB. Analyzer now provides enhanced database capacity by creating a new 2 GB database every day. Each file name includes the date it was created for easy reference. Raw syslog data is used to create Custom Reports for Firewall, SRA, and CDP appliances.

To configure the syslog and summarized data deletion settings, perform the following:

1. On the Console panel, navigate to Reports > Summarizer.

2. Under Data Deletion Schedule, select the day and time for deletion in the hour and minute widget. Syslog data will be deleted at this time only after being stored for the number of days configured. You specify how long to keep the data in Data Storage Configuration. This field allows you to specify the data address of the Summarizer, how long to keep reporting data (in months), and how long to keep the raw syslog data (in months).

3. Click the Update button to the right of this field.

Configuring Data Storage

Sets the amount of time that reporting data and raw syslog data are stored.

1. Click the Summarizer at: drop-down menu, then select the desired summarizer IP address.

2. Click the Keep Reporting Data for drop-down menu, then select the number of months to archive the data. Reporting data can be archived for a minimum of 1 month and a maximum of 36 months.

3. Click the Keep Raw Syslog Data Files for drop-down menu, then select the number of months to archive the data files. To disable the archiving of raw syslog data files, set the value to zero. The maximum amount of time to store raw syslog data files is 36 months.

Tip: If you would like to store data for longer than 36 months, you can create a scheduled script to move data that has been processed and stored in “//syslog/ArchivedSyslog/*.zip …” to a mapped network share for long-term storage.
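
One way to script the move described in the tip above, as an added example in Python that is not part of the SonicWALL documentation or product: it copies each archived .zip file to the share, confirms the SHA-256 hash of the copy, and only then deletes the original. The function names, the one-day age threshold, and the SHA256SUMS manifest are assumptions; the archive directory and the share directory are supplied by the caller.

```python
import hashlib
import shutil
import sys
import time
from pathlib import Path


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large archives are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def archive_zips(src_dir, dest_dir, min_age_days=1, now=None):
    """Move *.zip files older than min_age_days; return [(name, sha256)]."""
    src, dest = Path(src_dir), Path(dest_dir)
    cutoff = (time.time() if now is None else now) - min_age_days * 86400
    dest.mkdir(parents=True, exist_ok=True)
    moved = []
    for zip_path in sorted(src.glob("*.zip")):
        target = dest / zip_path.name
        if zip_path.stat().st_mtime > cutoff:
            continue  # recent file: it may still be in use, leave it alone
        if target.exists():
            continue  # never overwrite an archive already on the share
        digest = sha256_of(zip_path)
        partial = target.with_name(target.name + ".part")
        shutil.copy2(zip_path, partial)
        if sha256_of(partial) != digest:
            partial.unlink()
            raise OSError(f"copy of {zip_path.name} failed verification")
        partial.rename(target)   # publish only a verified copy
        zip_path.unlink()        # delete the original last
        moved.append((zip_path.name, digest))
    if moved:
        # Append to a manifest so the archives can be re-verified later.
        with open(dest / "SHA256SUMS", "a", encoding="utf-8") as manifest:
            for name, digest in moved:
                manifest.write(f"{digest}  {name}\n")
    return moved


if __name__ == "__main__":
    # Usage: script.py <archived-syslog-dir> <share-dir>  (paths are yours)
    for name, digest in archive_zips(sys.argv[1], sys.argv[2]):
        print(f"moved {name} sha256={digest}")
```

Run it from the operating system's task scheduler after the Summarizer's scheduled tasks have completed, and keep the manifest with the archives so the stored logs can be checked for alteration later.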

Configuring Hostname Resolution

Hostname Resolution on the Reports > Summarizer page applies to source IP addresses with missing hostnames at the time the data is inserted in the database. This means that the reports will show both the initiator IP address and the initiator hostname whenever applicable.

Enabled Reverse Hostname Resolution — Reverse hostname resolution is disabled by default. Enable this option for Analyzer to look up missing hostnames.

Note: Enabling hostname lookup will increase the time taken to process syslogs. All syslogs which need resolution will be processed separately, in parallel to normal syslog processing. This might slow down the Summarizer and increase memory and CPU usage. Memory and CPU will be impacted further by changing the default configurations of Lookup thread count, Scan every, and Refresh Resolved Hostname Cache every.

Any changes to the Hostname Resolution Configuration will take effect during the next summarizer run.

Lookup thread count — Signifies how many threads are processing the lookup in parallel. The larger the number, the faster the processing.

Note: Increasing this number will also increase the load on the summarizer instance.

Scan Every — Analyzer dumps syslogs with missing hostnames to a particular folder. This time indicates how long it waits to scan the folder for new files.

Refresh Resolved Hostname Cache every — The hostname that is looked up for an IP address will be cached. This time indicates how long the hostname is kept in the cache; after that, Analyzer will look up the hostname for that IP address again.

Update — Click this button when you are finished configuring the settings.

Enable Public IP Host-name Resolution — Public IP hostname resolution is disabled by default. Enable this option for Analyzer to look up missing public IP hostnames.

Time out value for resolution — Select the timeout period (in milliseconds) if the hostname is not resolved.

NMM Configuration

When the NMM option is enabled, the GMS creates NMM files that are sent with the syslog messages.
