69-28
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 69 Using External Monitoring, Troubleshooting, and Diagnostic Tools
Integrating CS-MARS and Security Manager
The following topics explain event lookup in more detail:
Viewing CS-MARS Events for an Access Rule, page 69-28
Viewing CS-MARS Events for an IPS Signature, page 69-30
Viewing CS-MARS Events for an Access Rule
From the Firewall > Access Rules policy in Security Manager, you can select an access rule and view
related event information in CS-MARS. You can view real-time or historical events matching the rule,
the traffic flow, the source address, or the destination address. You can view events for any device that
supports access rules, including ASA, PIX, FWSM, routers, and switches.
Firewall access rules are presented in the form of an ordered list or table. When deployed, this policy
becomes an access-control list (ACL), with each entry in the list known as an access-control entry
(ACE). (For more detailed information, see Understanding Access Rules, page 16-1.)
When deciding whether to forward or drop a packet, a device tests the packet against each access rule in
the ordered list, and the first matching rule decides. If you enable logging for an access rule, the results of the test are recorded according
to your per-rule log settings. Some devices, such as ASA, generate log entries for denied access even if
you do not configure logging explicitly. For information on creating access rules, including logging
options, see Configuring Access Rules, page 16-7.
You can query CS-MARS for real-time or historical events related to an access rule for the following
types of traffic. To use the commands, right-click the rule and select them from the context menu.
Flow—A traffic flow is defined by the rule’s source and destination IP addresses, protocol, and
ports. The reported flow events include connection set-up and tear-down. Logging need not be
enabled for the access rule to record this information.
To view flow-related events, use the following right-click commands:
Show Events > Realtime > Matching this Flow—To view real-time query results in
CS-MARS for events matching this traffic flow. You can change the query criteria in the
CS-MARS window at any time, applying new parameters to alter the real-time results.
Show Events > Historical > Matching this Flow—Opens the historical query criteria page in
CS-MARS with fields populated based on the selected rule’s traffic flow. Edit the rule
parameters and query criteria as desired, and click Apply to continue. Next, in the Query
window, you can submit the query or save it for later submission and re-use.
Rule—If logging is enabled for the rule (in the Advanced and Edit Options Dialog Boxes,
page 16-15), the device sends syslog messages to CS-MARS to record the logged events (assuming
CS-MARS monitors the device). This query includes the access-rule parameters, including available
keyword information. Reported events do not include connection set-up and tear-down.
To view rule-related events, use the following right-click commands:
Show Events > Realtime > Matching this Rule—To view real-time query results in CS-MARS
for events matching this rule (flow parameters plus keywords); results begin scrolling within
five seconds. You can change the query criteria in the CS-MARS window at any time, applying
new parameters to alter the real-time results.
Show Events > Historical > Matching this Rule—Opens the historical query criteria page in
CS-MARS with fields populated based on the access rule (flow parameters plus keywords). Edit
the rule parameters and query criteria as desired, and click Apply to continue. Next, in the
Query window, you can submit the query, or save it for later submission and re-use.
Source or Destination—If you right-click the Source or Destination cell in an access rule entry, you
also can choose to view real-time or historical events matching the rule’s source or destination IP
address.
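The distinction the guide draws above, between "Matching this Flow" (connection set-up and tear-down events, generated whether or not the rule logs) and "Matching this Rule" (ACL log messages attributed to a specific entry), can be reproduced offline against a handful of device syslog lines. The following Python is an added example written for this page; it is not part of the Cisco Security Manager or CS-MARS product. The AccessRule fields, the helper names, and the regular expressions are assumptions made for the example: the patterns follow the general shape of the ASA message families 302013/302014 (connection built/teardown), 106100 (access-list log) and 106023 (deny by access-group), but they are simplified, not Cisco's full message grammar, and every address, port, connection id and ACL name in the sample lines is constructed.

```python
"""Match ASA-style syslog events against access rules the way the two
CS-MARS queries do: "flow" events are filtered purely on the rule's
source/destination/protocol/port tuple, "rule" events are ACL log
messages attributed to the first matching entry in the ordered list.
Added example; field names, patterns and sample data are assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessRule:
    """One access-control entry (ACE). Field names are assumed for this example."""
    acl: str                        # name of the ACL the entry belongs to
    action: str                     # "permit" or "deny"
    protocol: str                   # "tcp", "udp", "icmp" or "ip" (any)
    source: str                     # CIDR
    destination: str                # CIDR
    dst_port: Optional[int] = None  # None means any destination port
    log: bool = False               # per-rule logging enabled?

    def matches_flow(self, proto: str, src: str, dst: str, dport: int) -> bool:
        """Does a packet/flow tuple fall inside this entry's match criteria?"""
        if self.protocol != "ip" and self.protocol != proto.lower():
            return False
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.source):
            return False
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.destination):
            return False
        return self.dst_port is None or self.dst_port == dport


def first_match(rules, proto, src, dst, dport):
    """Ordered-list semantics: the first ACE that matches decides the packet."""
    for rule in rules:
        if rule.matches_flow(proto, src, dst, dport):
            return rule
    return None  # nothing matched; a real ACL ends in an implicit deny


# Connection build/teardown: emitted for every connection, logging or not.
CONN_RE = re.compile(
    r"%ASA-6-3020(?:13|14): (?:Built|Teardown) .*?(?P<proto>TCP|UDP) connection \d+ for "
    r"\w+:(?P<src>[\d.]+)/\d+ .*?to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# ACL log message: emitted only when the rule has logging enabled.
ACL_LOG_RE = re.compile(
    r"%ASA-6-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"\w+/(?P<src>[\d.]+)\(\d+\) -> \w+/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)
# Deny by access-group: ASA emits this for denied traffic even without rule logging.
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "
    r'"(?P<acl>[^"]+)"'
)


def parse_event(line: str):
    """Classify one syslog line as a 'flow' or 'rule' event; None if neither."""
    m = CONN_RE.search(line)
    if m:
        return {"kind": "flow", "acl": None, "proto": m["proto"].lower(),
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
    m = ACL_LOG_RE.search(line) or DENY_RE.search(line)
    if m:
        return {"kind": "rule", "acl": m["acl"], "proto": m["proto"].lower(),
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
    return None


def events_for_rule(lines, rules, rule, kind):
    """kind="flow": connection events whose tuple lies inside the rule (no logging needed).
    kind="rule": ACL log events from the rule's ACL whose tuple this rule would decide."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["kind"] != kind:
            continue
        tup = (ev["proto"], ev["src"], ev["dst"], ev["dport"])
        if kind == "flow":
            matched = rule.matches_flow(*tup)
        else:  # attribute the log message to the ACE that decided the packet
            matched = ev["acl"] == rule.acl and first_match(rules, *tup) is rule
        if matched:
            hits.append(line)
    return hits


# Constructed ordered ACL: permit HTTPS to one host (logged), then deny all (not logged).
RULES = [
    AccessRule("outside_in", "permit", "tcp", "0.0.0.0/0", "10.1.1.10/32", 443, log=True),
    AccessRule("outside_in", "deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

# Constructed sample lines (addresses, ports and ids are made up for the example).
SAMPLE_LOG = [
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/51234 "
    "(203.0.113.5/51234) to inside:10.1.1.10/443 (10.1.1.10/443)",
    "%ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.5/51234 "
    "to inside:10.1.1.10/443 duration 0:00:12 bytes 4321 TCP FINs",
    "%ASA-6-106100: access-list outside_in permitted tcp outside/203.0.113.5(51234) "
    "-> inside/10.1.1.10(443) hit-cnt 1 first hit [0x8c8a4c7b, 0x0]",
    '%ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:10.1.1.10/22 '
    'by access-group "outside_in" [0x0, 0x0]',
    "%ASA-6-302013: Built inbound TCP connection 12346 for outside:198.51.100.7/40000 "
    "(198.51.100.7/40000) to inside:10.1.1.20/443 (10.1.1.20/443)",
]

if __name__ == "__main__":
    for kind in ("flow", "rule"):
        for rule in RULES:
            print(kind, rule.action, rule.protocol, rule.dst_port,
                  len(events_for_rule(SAMPLE_LOG, RULES, rule, kind)))
```

Run as a script it prints, per rule, how many flow and rule events match. The permit rule's flow query returns the build and teardown pair even though those messages carry no ACL name, which is why the guide notes that logging need not be enabled for the flow query; its rule query returns only the 106100 line, because that message is tied to the entry that logged it. The deny rule's rule query picks up the 106023 message although it has logging off, mirroring the guide's remark that ASA records denies without explicit logging, while the permitted 106100 line is not attributed to it because first-match evaluation assigns that tuple to the permit entry above it.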