The REC collects the events from the Juniper device and then reports them up to the ESM. In the ESM view it will display those events.
You can create a new view and drag down a bar chart, then you could select either Source User or Summary and click Next. From there you could add the signature ID in the filter and it would show either the Source Users or the total number of that event we have collected.
Thanks for your response, but I can't get the Bar display to show me the correct concurrent users. The reason is that it counts events, as I have indicated above; if you look at the PACKET information, the number is at the end (bold) below:
<134>Juniper: 2013-02-01 08:00:58 System() - Number of concurrent users logged in to the device: 251
It reports 8 events for the users logged in, but rather writes an event with this string in it and the value of concurrent users logged in is 251
If I follow your suggestion it will only count events written and still does not add up to concurrent users.
The only way I managed to get it working is using the Dial with the below options:
COUNT (DISTINCT Source User)
Filter - Device Type & Device ID
I have attached a screenshot. Doing it your method, it only counts the events generated, which is 9, where actually there are 532 users logged in now.
Please see below:
4>Juniper: 2013-02-01 09:00:22 [IP] System() - Number of concurrent users logged in to the device: 532
I still need direction please on how to display this on a Bar.
So the bar chart will only display the total number of packets we have received for that specific event (so we have received that Concurrent Users 9 times). That section in the packet doesn't look like it is parsed out into a field. What you would need to do is save that packet and log a PER for this field to be parsed out so you can report on it.
You can log your PER here:
McAfee Product Enhancement Requests: https://mcafee.acceptondemand.com/index.jsp
Thanks for your response Aaron, I will complete the PER and provide feedback on the progress.
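The difference discussed in this thread, between counting events and reading the user count that sits unparsed at the end of the packet, shown as an added Python example (not part of the thread and not ESM parser syntax). The function names are hypothetical; the first two sample lines are copied from the posts above and the third is constructed.

```python
import re
from datetime import datetime

# Matches the message body quoted in the thread. The bracketed token
# ("[IP]" in the second sample) is optional, and search() is used so a
# damaged or missing syslog priority prefix does not matter.
PATTERN = re.compile(
    r"Juniper:\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?:\[[^\]]*\]\s+)?System\(\)\s+-\s+"
    r"Number of concurrent users logged in to the device:\s*(?P<count>\d+)\s*$"
)

def parse_concurrent_users(line):
    """Return (timestamp, count) for a concurrent-users message, else None."""
    m = PATTERN.search(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, int(m.group("count"))

def summarize(lines):
    """Contrast the number of matching events with the values they carry."""
    samples = sorted(s for s in map(parse_concurrent_users, lines) if s)
    if not samples:
        return {"events": 0, "latest": None, "peak": None}
    return {
        "events": len(samples),            # what an event-count chart shows
        "latest": samples[-1][1],          # most recent reported user count
        "peak": max(c for _, c in samples),
    }

SAMPLE = [
    # From the thread:
    "<134>Juniper: 2013-02-01 08:00:58 System() - Number of concurrent users logged in to the device: 251",
    "4>Juniper: 2013-02-01 09:00:22 [IP] System() - Number of concurrent users logged in to the device: 532",
    # Constructed non-matching line:
    "<134>Juniper: 2013-02-01 09:05:10 System() - Unrelated constructed message",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```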