Status Summary


The Status Summary screen is a very common view used when you want to get a quick high-level assessment of the health of your agent architecture. As shown in Figure 8-2, the Status Summary page presents a great amount of information, which is viewable in a single compact screen. This page is divided into three sections:

  • Network Status

  • Event Counts per Day

  • Refresh

Figure 8-2. Status Summary Screen


NOTE

Events are only added to the event log if the rule that triggered on the remote host was set to log. There could be far more actions occurring on the remote agents than seen at the CSA MC if many of the events have logging disabled.


Network Status

The Network Status section is minimized, by default, to display only a few of the important rows. By clicking the plus sign (+), you can expand the section to list several other rows. All numbers are clickable links to either events or hosts that are filtered to show only the information pertaining to the description. The full list of information displayed on this screen is as follows:

  • Events Recorded in the Past 24 Hours This option displays the number of events that have occurred in the past 24 hours. This is not the count for the last calendar day but the rolling 24 hours ending at the moment the page was last refreshed or auto-refreshed.

  • Active Hosts with Current Configuration This option displays the number of hosts running the current policy that have reported in to the CSA MC within the polling interval set for the host. The number is a link to the filtered hosts list view containing only these hosts.

  • Active Hosts Running an Old Configuration This option displays the number of hosts with an old policy that need an update. These hosts have reported into the CSA MC within the last polling interval set for the host.

  • Active Hosts Running Old Software These are hosts that have polled in within the last poll interval but are running old agent software. These agents have software updates configured for them but have either not yet been notified of the update or have not installed the update. The number is a link to the filtered hosts list view containing only these hosts.

  • Active Hosts with Software Updates Pending These agents have polled within the last polling interval and have been informed of the software update but have not installed the update yet. The number is a link to the filtered hosts list view containing only these hosts.

  • Unprotected Hosts This is the number of hosts that are either not a member of any groups or are in groups without attached policies.

  • Hosts Running in Test Mode This is the number of hosts currently running in Test Mode, which are not actively protected by all policies assigned to the host.

  • Hosts with Unsupported Platform This is the number of hosts running on operating systems not officially supported by CSA.

  • Hosts Without Cisco Trust Agent Installed This is the number of hosts within your deployment that are running the CSA but are not running the Cisco Trust Agent (CTA). The CTA is a component of the Cisco Self-Defending Network Initiative that allows for posture assessment of the local machine before the network admits the device for connectivity.

  • Hosts Not Actively Polling (Status Unknown) This is the number of hosts that have not polled within the stated polling interval for the hosts.

  • Hosts Without Application Deployment Investigation Data Upload This is the number of hosts that have run Application Deployment Investigation but have not yet sent the collected information to the CSA MC.

  • Groups with No Policies Attached This is the number of groups that have not been assigned policies. When you click the icon to the right of the number, the list of groups displays in a pop-up menu without redirecting you to a new filter view, as shown in Figure 8-3. The groups displayed in this window are clickable.

    Figure 8-3. Groups with No Policies Attached Pop-Over


Event Counts per Day

The Event Counts per Day portion of the Status Summary screen shows you a graphical representation of the number and type of events your architecture has had over the past few days. With this view, you can see whether your daily event count is spiking and in need of further investigation. You can also see within this representation the relationship between the event severities.

The first piece you need to understand when interpreting graphical data is the legend. The legend is to the right of the daily bars in the bar chart. The four colors used are mapped to event severity as follows:

  • Error and Above The events grouped together in this category are Error, Alert, Critical, and Emergency. These events are more impacting than the lower severities and are colored red to stand out.

  • Warning Warning events are colored orange.

  • Notice Notice severity events are colored yellow.

  • Informational Informational events are colored green.

When interpreting the graphical view, you also need to understand the axis labels. The x-axis across the bottom of the graphic represents days. Each bar represents a 24-hour period starting and ending at midnight on the date listed below the bar. The month is also listed just below the days. These dates are clickable links that take you to a filtered view of the event log containing only that particular day's events. The y-axis has only one number listed, at the top of the axis. This number is the maximum number of events received on any of the displayed days, and it is there to give you a sense of the scale of the bar chart. If the y-axis is labeled at 15,000 events and you have 2 days represented where 1 of the days is half the height of the other, you might want to look at the events much more closely to understand why you had 7,500 more events on that day. However, if the number listed as the scale is 30, you might not be as worried, because the difference between the 2 days is only 15 events.

NOTE

Placing your cursor over the date below the bar chart without clicking causes a small text message to pop up displaying the number of events on that particular day, which might not be easily discernible from the chart itself.


The final piece of the graphic to understand is the information carried by the bars themselves. The height of the bar for a given day shows the number of events logged over that 24-hour period, scaled relative to the day with the most events logged (the y-axis label). Within a particular bar, the events are colored by severity group per the legend and stacked, with the lower-severity events at the bottom and the higher-severity events at the top of the bar. This view enables you to get quick security health-check information about the deployment. Another useful feature of this graphical view is that the colored segments of the bars are themselves clickable links that redirect you to a filtered view of only the events from that day matching that particular severity group. This saves you the time it would normally take to build the equivalent event log filter by hand. For example, Figure 8-4 shows the filtered view of a single day in the event log as it displays after you click the date link below any particular bar in the summary window.
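The following is an added example, not code from the book or from the CSA MC itself: the MC performs this aggregation internally, so the block reconstructs the two counting rules the Status Summary page documents, so that you can reproduce them over events you export from the event log. It shows the difference between the rolling 24-hour count used by Network Status (Events Recorded in the Past 24 Hours) and the midnight-to-midnight calendar days used by Event Counts per Day, groups the syslog-style severities into the four legend bands in bottom-to-top stacking order, derives the single y-axis scale label, and renders the stacked bars as text. The event records are constructed sample data in a made-up (timestamp, severity) shape rather than any CSA MC export format, and the spike heuristic in spike_days is my own illustration of the "is the count spiking?" question, not a product feature.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Legend bands in stacking order, bottom of the bar to top. "Error and Above"
# collapses Error, Critical, Alert and Emergency, as the legend describes.
BANDS = ["Informational", "Notice", "Warning", "Error and Above"]
SEVERITY_TO_BAND = {
    "Informational": "Informational",
    "Notice": "Notice",
    "Warning": "Warning",
    "Error": "Error and Above",
    "Critical": "Error and Above",
    "Alert": "Error and Above",
    "Emergency": "Error and Above",
}
BAND_GLYPH = {"Informational": "I", "Notice": "N", "Warning": "W", "Error and Above": "E"}

# Constructed sample records (timestamp, severity). This is NOT a CSA MC export
# format; it stands in for whatever your own event log query returns.
SAMPLE_ROWS = [
    ("2005-03-01 08:12:00", "Informational"),
    ("2005-03-01 09:00:00", "Notice"),
    ("2005-03-01 12:30:00", "Warning"),
    ("2005-03-01 15:00:00", "Error"),
    ("2005-03-02 01:00:00", "Informational"),
    ("2005-03-02 09:30:00", "Informational"),
    ("2005-03-02 11:00:00", "Critical"),
    ("2005-03-02 23:59:00", "Warning"),
    ("2005-03-03 00:10:00", "Informational"),
    ("2005-03-03 02:00:00", "Alert"),
    ("2005-03-03 03:30:00", "Emergency"),
    ("2005-03-03 04:00:00", "Warning"),
    ("2005-03-03 05:00:00", "Notice"),
    ("2005-03-03 06:00:00", "Error"),
    ("2005-03-03 07:00:00", "Informational"),
    ("2005-03-03 08:00:00", "Notice"),
]
# The moment the page was last (auto-)refreshed; the rolling window hangs off this.
NOW = datetime(2005, 3, 3, 10, 0, 0)


def parse_rows(rows):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), sev) for ts, sev in rows]


EVENTS = parse_rows(SAMPLE_ROWS)


def events_past_24h(events, now):
    """Network Status 'Events Recorded in the Past 24 Hours': a rolling window
    ending at the refresh time, not the last calendar day."""
    start = now - timedelta(hours=24)
    return sum(1 for ts, _ in events if start < ts <= now)


def daily_severity_counts(events):
    """Event Counts per Day: bucket by calendar day (midnight to midnight) and
    count per legend band. Keys are ISO dates, values are Counters by band."""
    days = defaultdict(Counter)
    for ts, sev in events:
        band = SEVERITY_TO_BAND.get(sev)
        if band is None:
            raise ValueError(f"severity {sev!r} is not in the legend mapping")
        days[ts.date().isoformat()][band] += 1
    return dict(days)


def day_total(counts):
    return sum(counts.values())


def chart_scale(daily):
    """The single y-axis label: the largest daily total among displayed days."""
    return max((day_total(c) for c in daily.values()), default=0)


def spike_days(daily, factor=2.0, min_delta=100):
    """Illustrative heuristic (not a CSA MC feature): flag a day whose total is at
    least `factor` times the mean of the other displayed days AND exceeds that
    mean by at least `min_delta` events. The absolute floor is what keeps a
    scale-of-30 chart from raising an alarm over a 15-event difference."""
    flagged = []
    for day in sorted(daily):
        others = [day_total(c) for d, c in daily.items() if d != day]
        if not others:
            continue
        mean_others = sum(others) / len(others)
        total = day_total(daily[day])
        if total >= factor * mean_others and total - mean_others >= min_delta:
            flagged.append(day)
    return flagged


def render_bars(daily):
    """Text rendering of the stacked bars: one row per day, bands ordered from the
    bottom of the bar (Informational) to the top (Error and Above), left to right."""
    scale = chart_scale(daily)
    lines = [f"scale: {scale} events"]
    for day in sorted(daily):
        counts = daily[day]
        bar = "".join(BAND_GLYPH[b] * counts.get(b, 0) for b in BANDS)
        lines.append(f"{day} |{bar:<{scale}}| {day_total(counts)}")
    return lines


if __name__ == "__main__":
    print("past 24h:", events_past_24h(EVENTS, NOW))
    daily = daily_severity_counts(EVENTS)
    print("\n".join(render_bars(daily)))
    print("spike days:", spike_days(daily, min_delta=3))
```

With the sample data and a refresh time of 10:00 on March 3, the rolling count is 10 while the March 3 calendar bar holds 8 events, which is exactly the discrepancy the Network Status description warns about. The mapping raises on a severity it does not know rather than silently dropping it, since an event that falls out of every band would make the bars under-report.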

Figure 8-4. Single Day Filtered View of the Event Log


Refresh

The Refresh portion of the Status Summary screen is located at the bottom of the page. From here, you can set the automatic refresh rate of the Status Summary screen. By default, it is set to refresh the information every minute. You can view the countdown to when the next refresh will occur, refresh immediately by clicking the Refresh link, or change the refresh interval to 30 seconds, 1 minute, or 5 minutes. The auto-refresh of this screen makes the data available close to real-time values, and therefore this has become a popular screen displayed around the clock in many NOCs and SOCs.



    Cisco Security Agent
    ISBN: 1587052059
    Year: 2005
    Authors: Chad Sullivan