User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 66 Viewing Events
Preparing for Event Management
Ensuring Time Synchronization
Standard network management practice includes consideration of time differences and network device
synchronization. Typically, this includes the use of a Network Time Protocol (NTP) server. Event Viewer
is most easily used with a common time standard. However, it is worth noting that you can view the time
an event is received by Security Manager (Receive Time), and for IPS devices, the time the event was
generated by a device (Generation Time).
Whenever possible, configure the Security Manager server and the devices it is monitoring with the same
NTP server.
Configuring ASA and FWSM Devices for Event Management
Before you can use Event Viewer, or any other application that analyzes syslog events, to view events
generated from an ASA (including ASA-SM) or FWSM device, you must configure the logging policies
on the device to generate and transmit syslog messages.
Note: A cluster device with a Virtual IP address (beginning with Security Manager version 4.4) can be added
if configured in both Security Manager and on the virtual device.
Tip: Although you can configure devices individually to specify the appropriate logging configuration, it is
likely that more than one ASA or FWSM device in your network would use the same logging
configuration. Although this topic describes how to configure an individual device, you can also create
shared policies and assign them to multiple devices. For more information about configuring and
assigning shared policies, see Creating a New Shared Policy, page 5-51 and Modifying Policy
Assignments in Policy View, page 5-51.
Besides the logging configuration described here, you can also configure logging for individual access
control entries when you configure them either in firewall policies or ACL policy objects. The default is
to log denied access only, but you can configure ACL logging options to provide increased logging.
Note: To reliably report events from contexts in multiple-context mode, Cisco Event Viewer requires an IP
address for the management interface of each context.
Step 1 (Device view) Select the ASA or FWSM device or security context, then select Platform > Logging >
Syslog > Logging Setup from the Policies selector.
In the policy, select Enable Logging. You can configure other options as needed. For detailed
information about the options, see Logging Setup Page, page 52-10.
Step 2 Select Platform > Logging > Syslog > Syslog Servers.
Add the Security Manager server’s IP address to the syslog servers table. Configure the server to use the
UDP protocol. The default port, 514, is correct unless you configure a different port on the Security
Manager Administration Event Management Page, page 11-22.
If you are using other event management applications, such as CS-MARS, also add those servers to this
policy.
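After deployment, the result of Steps 1 and 2 can be checked against the device's running configuration. The following is an added example, not part of the Cisco guide: it assumes the ASA CLI forms `logging enable` and `logging host <interface> <ip> [protocol/port]` (protocol given as a name or an IP protocol number), and the function names and sample addresses are constructed for illustration.

```python
import re

# Constructed sample of ASA logging configuration lines (not from the guide).
SAMPLE_CONFIG = """\
logging enable
logging timestamp
logging trap informational
logging host inside 192.0.2.10
logging host inside 192.0.2.20 6/1470
"""

# Assumed form: "logging host <interface> <ip> [proto/port]".
# The protocol may appear as a name (tcp, udp) or an IP protocol number (6, 17).
HOST_RE = re.compile(
    r"^logging host (\S+) (\S+)(?: (tcp|udp|6|17)/(\d+))?", re.IGNORECASE)
PROTO = {"tcp": "tcp", "6": "tcp", "udp": "udp", "17": "udp"}


def parse_logging(config):
    """Return (logging_enabled, [(interface, ip, proto, port), ...])."""
    enabled, hosts = False, []
    for line in config.splitlines():
        line = line.strip()
        if line == "logging enable":
            enabled = True
        m = HOST_RE.match(line)
        if m:
            iface, ip, proto, port = m.groups()
            # With no proto/port suffix the device sends UDP to port 514.
            hosts.append((iface, ip, PROTO[(proto or "udp").lower()],
                          int(port) if port else 514))
    return enabled, hosts


def audit(config, server_ip, port=514):
    """List the problems that would keep events from reaching server_ip."""
    enabled, hosts = parse_logging(config)
    problems = []
    if not enabled:
        problems.append("logging is not enabled")
    entries = [h for h in hosts if h[1] == server_ip]
    if not entries:
        problems.append(f"{server_ip} is not a syslog server")
    elif not any(h[2] == "udp" and h[3] == port for h in entries):
        problems.append(f"{server_ip} is not configured for udp/{port}")
    return problems


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, "192.0.2.10"))
```

Pass the port set on the Event Management page as `port` if it differs from 514.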