66-26
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 66 Viewing Events
Preparing for Event Management
Note You can use EMBLEM message format if you desire; both traditional and EMBLEM formats are
supported. Keep in mind that EMBLEM is not supported by CS-MARS, so do not send
EMBLEM-formatted messages to a CS-MARS server.
For detailed information about the options in the Syslog Servers policy, see Syslog Servers Page,
page 52-21.
Step 3 If you want to configure non-default syslog server settings, such as adding time stamps to syslog
messages, changing the severity level of messages, or suppressing the generation of specific messages
altogether, configure the Platform > Logging > Syslog > Server Setup policy. For detailed information,
see Server Setup Page, page 52-16.
Step 4 (Optional) You can configure the Platform > Logging > Syslog > Logging Filters policy to fine-tune
the kinds of messages sent to syslog servers. For detailed information about this policy, see Logging
Filters Page, page 52-7 and Edit Logging Filters Dialog Box, page 52-8.
Following are some tips for configuring this policy:
• When adding the logging filter, select Syslog Servers for Logging Destination.
• You can create a simple filter based on message severity, or you can configure a much more complex filter based on event classes. If you elect to use event classes, you can do the configuration directly in the Logging Filters policy, or you can configure event lists separately in the Event Lists policy (see Event Lists Page, page 52-4).
Step 5 (Optional) You can configure the Platform > Logging > Syslog > Rate Limit policy to limit the quantity
of messages generated per time interval, either by message severity or message number. This can help
you avoid flooding the syslog server. See Rate Limit Page, page 52-13.
Step 6 (Optional, but recommended) You can configure the Platform > Device Admin > Server Access > NTP
policy to specify a network time protocol server for ASA devices. Using NTP ensures consistent date
and time information for easy event correlation. Specify the same NTP server you use for the Security
Manager server. If you use different servers, ensure the servers are synchronized. See NTP Page,
page 51-19.
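As an added illustration (not part of the guide, and not Security Manager or ASA code), the following Python simulates what a syslog server receives once a severity threshold (Step 4) and a per-message-number rate limit (Step 5) are applied, and flags forwarded messages that lack the timestamp Step 3 lets you enable. The sample lines are constructed in the traditional (non-EMBLEM) format; the `%ASA-severity-number:` tag and the message numbers are real ASA conventions, while hostnames, addresses and connection details are made up. Treating the whole batch as one rate-limit interval is a simplification.

```python
import re
from collections import defaultdict

# Constructed sample lines in the traditional (non-EMBLEM) ASA syslog format.
# The "%ASA-<severity>-<message number>:" tag and these message numbers are real
# ASA conventions; hostnames, addresses and connection details are made up.
SAMPLE_LINES = [
    "Jan 10 2013 09:15:01 asa1 : %ASA-6-302013: Built outbound TCP connection 10 for outside:198.51.100.5/443 to inside:10.100.10.20/51000",
    "Jan 10 2013 09:15:02 asa1 : %ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:10.100.10.10/22 by access-group outside_in",
    "Jan 10 2013 09:15:02 asa1 : %ASA-4-106023: Deny tcp src outside:203.0.113.9/4445 dst inside:10.100.10.10/22 by access-group outside_in",
    "Jan 10 2013 09:15:03 asa1 : %ASA-4-106023: Deny tcp src outside:203.0.113.9/4446 dst inside:10.100.10.10/22 by access-group outside_in",
    "Jan 10 2013 09:15:03 asa1 : %ASA-7-609001: Built local-host inside:10.100.10.20",
    "%ASA-5-111008: User 'admin' executed the 'logging host inside 10.100.10.10' command.",
]

ASA_TAG = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):")
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2} ")

def parse(line):
    """Return severity, message number and timestamp presence, or None if not ASA."""
    m = ASA_TAG.search(line)
    if not m:
        return None
    return {"severity": int(m.group("sev")), "msgid": m.group("msgid"),
            "has_timestamp": bool(TIMESTAMP.match(line)), "text": line}

def apply_policy(lines, max_severity=6, rate_limits=None):
    """Simulate a severity-based logging filter plus a per-message-number rate
    limit; the batch stands for one rate-limit interval (a simplification) and
    rate_limits maps message number -> allowed count. Returns (forwarded, dropped)."""
    rate_limits = rate_limits or {}
    sent = defaultdict(int)
    forwarded, dropped = [], []
    for line in lines:
        msg = parse(line)
        if msg is None:
            dropped.append((line, "unparseable"))
        elif msg["severity"] > max_severity:  # larger number = less severe
            dropped.append((line, "severity"))
        elif sent[msg["msgid"]] >= rate_limits.get(msg["msgid"], float("inf")):
            dropped.append((line, "rate-limit"))
        else:
            sent[msg["msgid"]] += 1
            forwarded.append(msg)
    return forwarded, dropped

def missing_timestamps(forwarded):
    """Forwarded messages without a timestamp cannot be correlated reliably."""
    return [m["msgid"] for m in forwarded if not m["has_timestamp"]]
```

With `max_severity=6` and `rate_limits={"106023": 2}`, the third deny message is dropped by the rate limit, the debugging-level message by the severity filter, and the untimestamped message is forwarded but reported.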
Configuring IPS Devices for Event Management
Before you can use Event Viewer to view events generated from an IPS device, you must configure the
Allowed Hosts policy on the device to allow the Security Manager server access to the device. Because
Security Manager also needs to be configured in the Allowed Hosts policy to allow configuration access,
your IPS devices might already be configured correctly. You should also configure the network time
protocol (NTP).
Configure the following policies for IPS devices in Device view to enable effective event management
on those devices:
• Platform > Device Admin > Device Access > Allowed Hosts—(Required) Add the Security Manager server to the table. You can either identify the Security Manager server by its host IP address (for example, 10.100.10.10), or you can specify the network that it is on (for example, 10.100.10.0/24).
If you are using other event management applications with the device, such as CS-MARS, ensure that you also add those servers to the policy.