66-41
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter66 Viewing Events
Using Event Viewer
Click Start in the toolbar, or select View > Sta rt. The table is refreshed based on your currently
selected time range. For real-time views, the event stream restarts.
Select a different time range using the Time Selector in the toolbar or the View > Mode command.
Select a different time slice using the vertical slider or the pagination controls in the time slider
below the event table. For more information on using these controls, see Time Slider, page 66-23.
Creating Column-Based Filters
You can filter the event table in Event Viewer based on the contents of specific columns. Column filters
are the type of filter contained in the view settings; they define the basic content of the view. Whenever
you apply a column filter, the view settings for the view are updated to include the newly selected filter:
you must save the view before closing it if you want the new filter to become a permanent part of the
view’s definition.
There are many ways in which to define a column filter:
In the View Settings pane, click the Add button. You are first prompted to select the column on
which to base the filter. When you click OK, you are prompted to create the filter.
In the View Settings pane, select a filter and click the Edit button to change it.
In the event table, click the down arrow button in the heading of a column and select any of the
following from the drop-down list:
A specific entry. The drop-down list contains all values currently displayed in the events listed
in the table.
(All). Select (All) to remove a filter from this column. The event table is updated to show the
events that meet your other filter criteria.
(Custom). Select (Custom) to create a filter that might have multiple values, negative values, or
be based on data not currently contained in the column in the current event table. Selecting
(Custom) is essentially the same as creating a filter directly in the View Settings pane.
In the event table, you can right-click a value and select Filter This Value. This action has the same
effect as selecting the value from the drop-down list for the column.
You can alternatively select Filter Not This Value to create a filter that excludes a value,
In the event table, you can right-click a value and select Create Filter from Event. You are
prompted to select the specific columns to include; the column on which you right-clicked is initially
selected, but you can deselect it.
The following procedure explains how to build a custom column-based filter, one in which you are not
simply selecting a value from the column’s drop-down list.
Tips
Column filters are cumulative: for an event to appear in the event table for a view, the event must
meet all column filter criteria. You cannot create a set of OR’ed column filters.
Some columns allow you to select network/host or service policy objects to define the filter criteria.
Selecting policy objects can simplify your filters. However, for a policy object to be selectable in a
filter, the object must be committed to the database. If you create a new object for filtering purposes,
ensure that you submit your changes in Configuration Manager (and if using Workflow mode with
an approver, get the changes approved) before attempting to create the filter in Event Viewer.
When using policy objects, the filtering recognizes whether a device-level override is defined for the
object. For example, if you use a network/host object that contains 10.10.10.10, and Device A has
an override to change the address to 10.10.10.12, events from Device A appear in the list only if the