66-43
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 66 Viewing Events
Using Event Viewer
The items listed in the available values column are determined by the values currently present in the
events listed in the events table. For address and service fields, the list also includes policy objects.
If there are a lot of available values, you can search for the desired value by typing into the edit box
above the list; the list is filtered as you type. Click the down arrow next to the Q to change how your
search string is evaluated for matches.
You can also select, or deselect, values using the following techniques:
  - Type the item into the edit box above the selected values list and click the + button. This
    technique is useful if there is a large number of available values, or if you want to filter on a
    value that is not present in the current events list.
  - Double-click an item in either list to move it to the other list.
  - Click the double-arrow buttons to move all items, regardless of your selection.
Note: In a limited number of cases, the Custom Filter dialog box contains a single list. For
example, the dialog boxes for the Event Type ID and Device columns contain single
selectors. In these cases, make your selection using the check boxes next to the items;
selecting a folder selects all items in the folder.
• Filter on IPv6 Addresses—For columns that contain addresses, use this option to toggle between
  listing IPv4 and IPv6 addresses and network/host objects in the available values column. You can
  filter on either IPv4 addresses or IPv6 addresses, but not both, in a single view.
• Condition, Not—Defines the condition applied to the selected items, typically “is in.”
  To create a negative condition, so that selected values define the events to not include in the events
  table, select the Not option.
Step 3 Click OK.
The view settings are updated to include the new filter, and the events table is updated to show only those
events that satisfy all filters.
Filtering Based on a Specific Event’s Values
You can base a new filter on information contained within an event, or a single cell within an event, by
right-clicking and choosing a filter command. When you filter using these commands, a column filter is
added to the view settings. You can do the following:
• To create a filter based on multiple values in the selected event, select Create Filter from Event,
  then select from the dialog box the values on which to filter. The dialog box lists only those columns
  that are displayed in the table; the current values are shown in parentheses. For an explanation of the
  columns, see Columns in Event Table, page 66-16.
• To filter on only the value in the cell on which you right-click, select Filter This Value.
• To filter to exclude the value in the cell on which you right-click, select Filter Not this Value. All
  events that do not contain the selected value in this column, including all empty cells, are shown in
  the table.
• To filter on the flow of the selected event, based on source, source service, destination, and
  destination service, select Filter This Flow.
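The filter semantics described above (an event must satisfy all filters, and a Not filter also keeps empty cells) can be reproduced over exported event records. The following is an added example, not Cisco Security Manager code; the field names, function names, sample events, and the exact-match treatment of Filter This Flow are assumptions made for illustration.

```python
# Added illustration of the column-filter semantics described in this section.
# Field names and events are constructed; this is not Security Manager's schema.
FLOW_FIELDS = ("source", "source_service", "destination", "destination_service")

def make_event(eid, src, sport, dst, dport, action):
    return {"id": eid, "source": src, "source_service": sport,
            "destination": dst, "destination_service": dport, "action": action}

EVENTS = [  # constructed sample events; None stands for an empty cell
    make_event(1, "10.1.1.5", "tcp/51000", "192.0.2.10", "tcp/443", "Built"),
    make_event(2, "10.1.1.5", "tcp/51000", "192.0.2.10", "tcp/443", "Teardown"),
    make_event(3, "10.1.1.5", "tcp/51001", "192.0.2.10", "tcp/443", "Deny"),
    make_event(4, "10.1.1.9", None, "198.51.100.7", None, None),
]

def column_filter(column, values, negate=False):
    """Build a predicate for one column filter: "is in", or its Not form."""
    wanted = set(values)
    def matches(event):
        hit = event.get(column) in wanted
        # Not: every event lacking the value passes, including empty cells.
        return not hit if negate else hit
    return matches

def apply_view(events, filters):
    """An event is shown only if it satisfies every filter in the view."""
    return [e for e in events if all(f(e) for f in filters)]

def filter_this_value(event, column):
    return column_filter(column, [event.get(column)])

def filter_not_this_value(event, column):
    return column_filter(column, [event.get(column)], negate=True)

def filter_this_flow(event):
    """One filter per flow field, using the selected event's values
    (exact match is an assumption of this example)."""
    return [column_filter(f, [event.get(f)]) for f in FLOW_FIELDS]

def shown_ids(events, filters):
    return [e["id"] for e in apply_view(events, filters)]

if __name__ == "__main__":
    print("This flow (event 1):", shown_ids(EVENTS, filter_this_flow(EVENTS[0])))
    print("Not 'Deny':", shown_ids(EVENTS, [filter_not_this_value(EVENTS[2], "action")]))
```

Event 4 has an empty action cell, so it stays visible under the Not filter, which is easy to overlook when excluding a noisy value during triage.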