66-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 66 Viewing Events
Introduction to Event Viewer Capabilities
This section briefly describes some key activities that Event Viewer can facilitate.
This section contains the following topics:
Historical View, page 66-2
Real-Time View, page 66-2
Views and Filters, page 66-3
Policy Navigation, page 66-3
Understanding Event Viewer Access Control, page 66-3
Scope and Limits of Event Viewer, page 66-4
Deeply Parsed Syslogs, page 66-6
Historical View
An historical view is one that displays events from a selected period of time (for example, the last 10 minutes) and does not automatically update as new events are collected. You must refresh the view to see newer events.
Consider the following activities among the many possibilities for employing Event Viewer with an historical view:
Troubleshoot Connectivity—When a report comes in that a user cannot reach a particular server, you can set an historical view (for example, the last 10 minutes) that displays all events that affect that user’s IP address as a source or destination. Then, you can go from a particular displayed event to the policy denying that user’s access to the resource.
Tune Signatures—After setting a view of all IPS messages, or all IPS messages of a given category, you might decide that an event is actually a false positive. You can then cross launch into the associated policy and either tune the signature to exclude the host or lessen the reported severity of the particular event.
Also consider creating an event action filter to modify how the alert is handled. Frequently, event action filters are a better way of dealing with false positives than editing the actual signature. For more information, see Configuring Event Action Filters, page 39-4.
Validate Policy Deployment—After deploying a new or changed policy, you might want to confirm that it is operating effectively by selecting events corresponding to the given policy. For example, you could identify firewall-deny messages triggered by the new policy.
Real-Time View
A real-time view displays events as they are received and automatically updates the Event Table in waterfall fashion. Keep in mind that the term “real-time” is not precise. System latency and other factors prevent true real-time system response.
Consider the following activities among the many possibilities for employing Event Viewer with a real-time view:
Investigate Attacks in Near Real-time—By isolating details of a particular source IP address, or a source/destination pair, Event Viewer can provide details about attacks on your monitored devices, or attacks that are going through those devices.
Validate Device Activity—You can examine a device in your network and determine whether it is present and whether it is sending events.