12.8 Searching in a Federated Environment

12.8.1 Understanding Data Federation

The Change Guardian Data Federation feature enables you to search for events, view alerts, and run reports not only on your local Change Guardian server, but also on other Change Guardian servers distributed across the globe. When data federation is enabled, you can perform a search or run a report on one server and have it automatically run a search or report across the selected remote servers.

For information about reports and alerts in a data federated environment, see Running Reports in a Federated Setup and.

12.8.2 Searching for Events

In a distributed environment, you can search for events on the selected data source servers and also the local server.

To search for events:

  1. Log in to the authorized requestor server as a user with Search Remote Data Sources permission.

  2. Click New Search.

  3. Click the Data sources link under the Search field.

  4. Select the data source server on which you want to perform a search, then click OK.

  5. Specify the search criteria in the search field, then click Search.

    If you do not specify any search criteria, the authorized requestor server runs a default search for all events with severity 0 to 5.

12.8.3 Managing Search Results

The Search Results page displays the events from the selected data source servers and the local server, based on the search criteria you specified. The search results are filtered through a combination of the security filter and permissions of the logged-in user and the security filter and permissions of the search proxy role on the data source servers.

NOTE: For the data source servers, search results are based on the role of the authorized requestor server and not on the role of the logged-in user who is performing the search.

The Extended Status page displays the progress and status of a search query. To access the Extended Status page, click the Displaying N of M events from X data sources link in the refinement panel.

The Extended Status page displays the following information:

  • Data Source Name: The name of the data source server, if specified. If you did not specify a name, it displays the IP address or the DNS name of the data source server.

  • Events Available: The number of events that were retrieved from the data source server out of the total number of events that matched the search criteria.

  • Retrieval Rate (EPS): The approximate rate at which the events were retrieved from a specific data source server.

  • Status: One of the following search query statuses, along with error messages, if any:

    • Running: Indicates that the search is still running on the data source server.

    • Buffering events for display: Indicates that the search is completed, but the authorized requestor server is retrieving events from the data source server and buffering them for display.

    • Paused buffering events for display: Indicates that the search is completed, but the authorized requestor has paused retrieving events from the data source. When the authorized requestor has buffered enough pages ahead, it pauses so that events are not buffered unnecessarily.

    • Searching, paused buffering events for display: This is similar to Paused buffering events for display, except that the search is not yet complete on the data source server.

    • Done buffering: Indicates that the search is complete on the data source server, and the result is retrieved by the authorized requestor and queued for display.

Each event displays information about the data source server from which the event is retrieved. To view details about events, click the All link to expand event results.

If the security filter of your role is set to view all event data, the get raw data link is displayed. Click this link to view non-internal events.