Cisco IPS Event Viewer download
You can start device managers for all devices, with either static or dynamic IP addresses, that are supported by Security Manager. You can run multiple device managers at the same time, but only one device manager per device. However, multiple Security Manager clients can each run a device manager for the same device.

Each device manager opens in a separate window, and you can switch between Security Manager and the device manager windows at any time. When you exit Security Manager, all device manager windows are closed. Note Generally, the credentials supplied when the device was added to the Security Manager inventory are used to start the device manager. Some versions of SDM require that you enter a user name and password when the device manager is started.

If valid device credentials are not available when starting a device manager, an error message is displayed. Choose Device Properties from the Tools menu, or simply double-click the device in the Device selector to open the Device Properties page, then select Credentials to add credential information for the selected device. Step 1 In Device View, select a device and then do one of the following: You are warned that a Security Manager-launched device manager cannot make any configuration changes.

You can select Do not show this again in the dialog box to turn off this warning for subsequent device-manager launches. Step 2 When you launch a device manager from Security Manager, the device manager service, xdm-launcher. You may have to expressly allow this action, if your installed anti-virus and intrusion-prevention software e.

A progress bar is displayed; the device manager window opens when the start operation is complete. A set of access rules is associated with each device interface.

These rules are presented in the form of an ordered list or table. This list is often referred to as an access-control list (ACL), with each rule in the list known as an access-control entry (ACE). When deciding whether to forward or drop a packet, the device tests the packet against each access rule in the order listed.

When a rule is matched, the device performs the specified action, either permitting the packet into the device for further processing, or denying entry. If the packet does not match any rule, the packet is denied. Activity on your firewall or router can be monitored through syslog messages.

If logging is enabled on the device, whenever an access rule that is configured to generate syslog messages is matched—for example, a connection was attempted from a denied IP address—a log entry is generated. Note For the device to generate log entries, logging must be enabled on the device on the Logging Setup Page, and the individual access rules must be configured to generate log messages when they are matched in the Advanced and Edit Options Dialog Boxes. You can monitor syslog messages in device managers launched from Security Manager, and for certain device managers, you can look up the access rule in Security Manager that generated a particular message from the monitoring window.

The access rule that triggered the syslog entry is highlighted in Security Manager on a first-match basis, even if there are multiple matches. You can select a syslog message displayed in either window and navigate to the access-control rule in Security Manager that triggered the message, where you can update the rule as necessary. The Real-time Log Viewer is a separate window that lets you view syslog messages as they are logged.

The separate Log Buffer window lets you view messages present in the syslog buffer. You can look up access rules associated with the following syslog message IDs: This message appears even when logging is not enabled for the rule.

This message provides more information than message , which logs only denied packets. For more information about starting device managers, see Starting A Device Manager.

Step 3 In the ASDM window, click the Monitoring button to display the Monitoring panel; click Logging in the left pane to access the log-viewing options.

Step 5 Click the View button to open the selected log-viewing window. Note The View button is not displayed if logging is not enabled on the device. Each syslog message listed in the window includes the following information: message ID number, date and time the message was generated, the logging level, and the network or host addresses from which the packet was sent and received.

Step 6 To view the access rule that triggered a specific syslog message, select the message and click the Show Rule button in the ASDM toolbar or right-click the message and choose Go to Rule in CSM from the pop-up menu. The Security Manager client window is activated and the Access Rules page appears with the rule highlighted in the rules table. If the syslog entry was triggered by an access rule not referenced in the current Security Manager activity, an error message appears.

In an SDM device manager launched from Security Manager, you can view a log of events categorized by security level under the Syslog tab of the Logging window. You can select a syslog message and navigate to the access-control rule in Security Manager that triggered the message, where you can update the rule as necessary.

The router contains a log of events categorized by severity level. The Syslog tab displays the router log, even if log messages are being forwarded to a syslog server. On Cisco IOS devices, syslog messages are generated for access rules configured with the log or log-input keywords.

The log keyword produces a message when a packet matches the rule. The log-input keyword produces a message that includes ingress interface and source MAC address, in addition to the packet's source and destination IP addresses and ports. When identical packets are matched, the message is updated at five-minute intervals with the number of packets permitted or denied in the previous five minutes.
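As an added example (not part of the original document), the following Python models the ACL behaviour described above: ordered first-match evaluation with an implicit deny at the end, an IOS-style %SEC-6-IPACCESSLOGP line for entries carrying log or log-input (the latter adding ingress interface and source MAC), and the reverse lookup from a syslog line to the first matching entry even when later entries would also match. The ACL name, addresses, interface and MAC are constructed sample values; the syslog layout follows the common IOS format and is an assumption, not text from this page.

```python
# Added example: ordered ACL evaluation (first match wins, implicit deny at the
# end), IOS-style syslog text for "log" / "log-input" entries, and the reverse
# lookup from a syslog line back to the first ACE that matches it.
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str            # "tcp", "udp", "icmp", ...
    src: str
    sport: int
    dst: str
    dport: int
    ingress_if: str = "GigabitEthernet0/0"   # only reported by log-input (constructed)
    src_mac: str = "0011.2233.4455"          # only reported by log-input (constructed)


@dataclass
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # CIDR; "0.0.0.0/0" stands for "any"
    dst: str
    dport: Optional[int] = None  # None means any destination port
    log: Optional[str] = None    # None, "log", or "log-input"

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def first_match(acl: List[Ace], pkt: Packet) -> Optional[Ace]:
    """Walk the list in order and stop at the first ACE that matches."""
    for ace in acl:
        if ace.matches(pkt):
            return ace
    return None


def format_syslog(acl_name: str, ace: Ace, pkt: Packet, count: int = 1) -> str:
    """Build an IOS-style %SEC-6-IPACCESSLOGP line (assumed layout).
    log-input additionally reports the ingress interface and source MAC."""
    verb = "permitted" if ace.action == "permit" else "denied"
    src = f"{pkt.src}({pkt.sport})"
    if ace.log == "log-input":
        src += f" ({pkt.ingress_if} {pkt.src_mac})"
    unit = "packet" if count == 1 else "packets"
    return (f"%SEC-6-IPACCESSLOGP: list {acl_name} {verb} {pkt.proto} "
            f"{src} -> {pkt.dst}({pkt.dport}), {count} {unit}")


def evaluate(acl_name: str, acl: List[Ace],
             pkt: Packet) -> Tuple[str, Optional[int], Optional[str]]:
    """Return (action, matched seq or None, syslog line or None).
    No explicit match means the implicit deny applies, which never logs."""
    ace = first_match(acl, pkt)
    if ace is None:
        return "deny", None, None
    line = format_syslog(acl_name, ace, pkt) if ace.log else None
    return ace.action, ace.seq, line


SYSLOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<verb>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \((?P<intf>\S+) (?P<mac>[0-9a-f.]+)\))? -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$")


def lookup_rule(acl: List[Ace], syslog_line: str) -> Optional[int]:
    """Rebuild the packet from the syslog text and return the seq of the first
    ACE that matches it (first-match basis, even if later ACEs also match)."""
    m = SYSLOG_RE.match(syslog_line)
    if m is None:
        return None
    pkt = Packet(m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
    ace = first_match(acl, pkt)
    return None if ace is None else ace.seq


# Constructed sample ACL: entries 10 and 20 both match telnet from 192.168.1.0/24.
ACL_NAME = "EDGE-IN"
ACL = [
    Ace(10, "deny", "tcp", "0.0.0.0/0", "10.0.0.5/32", 23, "log-input"),
    Ace(20, "deny", "ip", "192.168.1.0/24", "0.0.0.0/0", None, "log"),
    Ace(30, "permit", "tcp", "0.0.0.0/0", "10.0.0.5/32", 80),
]

if __name__ == "__main__":
    telnet = Packet("tcp", "192.168.1.10", 40001, "10.0.0.5", 23)
    action, seq, line = evaluate(ACL_NAME, ACL, telnet)
    print(action, seq, line)
    print("looked up seq:", lookup_rule(ACL, line))
```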

Step 3 In the SDM window, click the Monitoring button to display the Monitoring panel; click Logging in the left pane to access the log-viewing options. Step 4 To view the access rule that triggered a specific syslog message, select the message and click the Go to Rule in CSM button above the table of log messages. In addition to the device summaries displayed in the Inventory Status Window, Security Manager lets you add and configure "status providers" that collect information about various events from external sources.

Specifically, you can configure Security Manager to collect and display information from up to five Cisco Performance Monitor servers. Additionally, you can configure the same status provider to send event details to multiple Security Manager servers. Your Security Manager license grants you the right to download, install and use Performance Monitor. For Performance Monitor information to be collected and reported in Security Manager, you must perform the following general steps:

See Adding Devices to the Device Inventory for specific instructions. Note that you can check Security Manager's connection with the currently selected device at any time by clicking the Test Connectivity button on the Credentials page of the Device Properties window.

Devices in the Security Manager inventory must be configured to allow access by Performance Monitor, and to provide essential information by means of SNMP traps, syslog messages and device polling.

Refer to Preparing Devices for Monitoring for more information. This procedure establishes communications between Security Manager and the Performance Monitor server, and is described in Configuring Status Providers. You can register up to five Performance Monitor servers in Security Manager. Security Manager establishes an SSL connection with each registered Performance Monitor, and after authenticating the Performance Monitor credentials, Security Manager begins to receive status reports.

If a device is deleted from Performance Monitor but is still available in Security Manager, or if you exclude the device from Performance Monitor polling, the device health and performance reports are no longer available in Security Manager.

To enable status reporting, devices in the Security Manager inventory must be configured to allow access by Performance Monitor, and to provide essential information by means of SNMP traps, syslog messages, and device polling.

Refer to the "Bootstrapping Devices" section of the User Guide for Cisco Performance Monitor for additional information about these steps. Confirm that an administrative user account exists on the SSL module, and configure an enable password. Enable SNMP and set up community strings. SNMP is required for polling and monitoring. Enter the actual numeric IP address of the server on which you installed Performance Monitor.

SNMP is required for validation, polling, and monitoring. Configure syslog traps. Note Performance Monitor stops polling all devices that are enabled for monitoring when one device takes more than 30 seconds to return results. When Performance Monitor tries to retrieve the output of show commands from devices using HTTPS, retrieval of a single show command on a device might take more than 30 seconds, causing stoppage of polling.

You can change the polling timeout value in Performance Monitor. A device must be added to the inventories of both Security Manager and Performance Monitor before its status can be displayed in Security Manager's Inventory Status window. In Performance Monitor, a device is either a physical node in the network, or it is a virtual node that is defined by a physical node.

In either case, the device must have a static IP address.

The last day to download the affected product(s) is December 31,

Creating a View.

Step 4 Configure refresh cycle settings and database archival settings and verify application settings. Configuring Refresh Cycle Settings. Configuring Data Archival Settings. Specifying Web Browser Application Location. Specifying Ethereal Application Location. Changing the Auto Refresh View Setting. Step 5 View the events and individual alarms. Viewing Event Data. Working with Alarms. Step 6 Maintain the database by importing, exporting, and deleting event data.

You must be logged in to the host as a user with administrative privileges to install IDS Event Viewer. Step 2 Click Next to proceed with the setup program. Otherwise, click Browse to locate a different folder, and then click Next.

Step 4 Click Next to proceed with the setup program. Step 5 Click Next to proceed with the setup program. Step 6 Click Next to proceed with the setup program. Click OK to reboot the host. You cannot upgrade from version 3. Instead, you must uninstall 3. Step 2 Select Automatic , and then click Next. Step 3 Click Finish to continue with the uninstallation.

If you are uninstalling 3. To complete the uninstallation of 3. You can upgrade IDS Event Viewer to the latest version and apply signature updates to keep your software current. Tip To ensure you receive notification anytime an update is available, sign up for the Active Update notification service.

Tip To ensure you can download software, apply for a Cisco. If you have a previous version of IDS Event Viewer installed, refer to the following procedure before you attempt to upgrade to the latest release. Instead, you must complete these tasks to install the latest version: To upgrade to version 4. Decide if you want to back up any existing alarm tables. The installation program converts the alarm tables from the version 4.

All data is preserved during the conversion. However, if the tables cannot be converted and the upgrade fails, the backup alarm tables are copied back to the respective directories and version 4. Click Next to proceed with the setup program. If you want to back up existing alarm tables before the conversion begins, select Backup alert tables. Click Next to proceed with the upgrade. Any notes in the NSDB are preserved during the upgrade.

Note If there are tables that cannot be converted, an error message appears and lists the tables that you must delete before attempting the 4. Reboot to complete the upgrade. IDS Event Viewer enables you to view alarms for up to five sensors at a time.

This section includes the following procedures: Step 2 Complete the following fields in the Device Properties panel: Note The information you provide in the Device Properties panel should match the settings you entered during initial configuration of the sensor. If you have set up a user account with Viewer access for IDS Event Viewer, specify the username and password for that account. Step 3 To specify the communication protocol IDS Event Viewer should use when connecting to the sensor, select the Use encrypted connection (https) or Use non-encrypted connection (http) radio button.

Step 4 To specify what alerts to pull from the sensor, follow these steps: To pull the latest alerts from the sensor, select the Latest Alerts check box. To pull alerts from the sensor eventStore, deselect the Latest Alerts check box and specify the following: IDS Event Viewer will receive alerts from the sensor, beginning with the first alert that matches the criteria you specified.

Step 5 To exclude alarms of a certain severity level, select one or more of the following: Alarms that match the severity level(s) you selected are not pulled from the sensor eventStore and will not appear in the Statistical Graph.

IDS Event Viewer sends a subscription request to the sensor. This request remains open until you modify the device properties or delete the device. Note If you specified https as the communication protocol, IDS Event Viewer retrieves the certificate information from the sensor and displays the Certificate Information dialog box. You must click Yes to accept the certificate and continue the https connection between IDS Event Viewer and the sensor. Step 7 Repeat Steps 1 through 3 for any additional sensors you want to monitor up to 5.

Note If IDS Event Viewer cannot connect to the sensor, a red X appears next to the device name to indicate that no connection is present. To edit properties for an existing sensor in the Devices folder, follow these steps: Step 1 Expand the Devices folder to view the list of sensors. Step 2 Right-click the sensor you want to edit, and then click Properties. Step 3 Select and edit the properties you want to change, and then click Update to save your changes.

After you remove a sensor from the Devices folder, the IDS Event Viewer terminates the connection to that sensor and no longer receives events from that sensor. Step 2 Right-click the sensor you want to delete, and then click Delete Device. Step 3 Click Yes to delete the sensor from the Devices folder. To review the version information and connection status for a sensor, follow these steps: Step 2 Right-click the sensor for which you want to review status information, and then click Device Status.

IDS Event Viewer will return one of the following connection status responses: Check communication parameters. Is the web server running? IDS Event Viewer server program may not be running. Step 2 Double-click the sensor you want to manage.

The browser application opens and connects to the IP address for this sensor, using the port number and encryption specified in the Device Properties panel. Filters enable you to customize and refine your view of event data by specifying alarms to exclude from your view.

IDS Event Viewer ships with a default filter; however, you can create and store user-defined filters in the Filters folder. These filters can later be applied to any default or user-defined view. You can create a filter to include or exclude alarms that match a specified trait, such as severity, signature, or time. Step 2 To name the filter, type an alphanumeric text string of up to 64 characters in the Filter Name field. Step 3 To filter alarms by severity, select the By Severity check box under Filter Functions and select one or more of the following severity level check boxes: Informational, Low, Medium, or High.

Step 4 To filter alarms by source address or destination address, select the By Src Address or By Dst Address check box, respectively, under Filter Functions and perform the following steps: To include an IP address or range, select the Included radio button. To exclude an IP address or range, select the Excluded radio button. The IP address is added to the group of addresses (excluded or included, depending on what you selected) by this filter.

The IP address range is added to the group of addresses (excluded or included, depending on what you selected) by this filter.

Step 5 To filter alarms by signature name, select the By Signature Name check box under Filter Functions and follow these steps: To locate a signature, click one of the following tabs:

You can select an attack category, such as Denial of Service, to exclude all signatures contained in that category. You can expand each protocol category to view the individual signatures contained in that category. You can select an entire protocol category, such as UDP signatures, to exclude all signatures contained in that category.

You can expand each operating system category to view the individual signatures contained in that category. You can select an entire operating system category, such as Windows NT, to exclude all signatures contained in that category. You can expand each service category to view the individual signatures contained in that category.

You can select an entire service category, such as DNS, to exclude all signatures contained in that category. To exclude individual signatures, expand the appropriate signature category and select the desired signatures. Step 6 To exclude alarms by sensor, select the By Sensor Name check box under Filter Functions and choose a sensor from the Devices folder.

Enter a valid numerical start date, beginning with the 4-digit year, and then the 2-digit month and day in the Start Date field. Enter a valid start time, beginning with the 2-digit hour, and then minute and seconds in the Start Time field. Tip is the equivalent to p. Enter a valid numerical end date, beginning with the 4-digit year, and then the 2-digit month and day in the End Date field.

Enter a valid end time, beginning with the 2-digit hour, and then minute and seconds in the End Time field. Repeat Step 7 to add additional time periods. Step 8 To exclude alarms by status, select the By Status check box under Filter Functions and select one or more of the following status level check boxes: Step 9 To save the filter, click OK. To edit the properties for an existing filter in the Filters folder, follow these steps: Step 1 Expand the Filters folder to view the list of defined filters.

You can use the Report Manager application to generate reports on botnet activity. There are predefined reports that show the top infected hosts, the top malware ports, and the top malware sites. You can open the report by double-clicking it or by right-clicking and selecting Open Report.

Step 3 (Optional) Customize the report to select the desired time range and devices to include in the report. For more information, see Editing Report Settings. If you want to save your custom settings to generate the report again in the future, click Save As to create a custom report. For more information, see Creating Custom Reports.

Step 4 Click Generate Report to retrieve the collected information and display the graphs and tabular data. For more information, see Opening and Generating Reports. If you want to generate the report on a regular basis, you can configure a schedule as described in Configuring Report Schedules.

However, any configuration changes that you perform in ASDM are considered out-of-band changes by Security Manager and are overwritten the next time you deploy configurations from Security Manager. You are warned that you cannot make configuration changes. Click Yes to continue. This page also allows you to manually start a database download or to purge the dynamic database. Stop traffic from your network to the botnet control site. The following procedure explains the process in more detail.

Step 1 You see syslog events that indicate that packets are traveling to or from an objectionable address, typically message numbers or Tip Messages are for greylisted traffic. You might want to first determine if the greylisted traffic is truly objectionable before stopping the traffic.

You have these options for stopping the botnet traffic if the ASA is not already dropping it because of a drop rule: For example, if the botnet site is The first command blocks all incoming traffic from the botnet command center, the second blocks traffic from the infected computer just to the botnet site.

Creating an access rule is not the preferred method because it creates a permanent rule, whereas botnet sites are transient. Using the Botnet Traffic Filter to dynamically block botnet traffic is a better fit for this type of network attack compared to traditional access rules. Step 3 Shut down network access for the infected computer. There might also be wireless access for the computer, so completely shutting down network access might not be a simple task.

Step 4 Inform the owner of the victim computer that it is infected and dispatch IT personnel to disinfect the computer. Tools and techniques for disinfecting a computer are outside the scope of this document. An IPS appliance or service module IPS device triggers an alarm when a given packet or sequence of packets matches the characteristics of known attack profiles defined in the IPS signatures.

False positives (benign triggers) occur when the IPS reports certain benign activity as malicious. Because each event requires human intervention to diagnose, spending your time analyzing false-positive events can significantly drain resources. Due to the nature of the IPS signatures that are used to detect malicious activity, it is almost impossible to completely eliminate false positives without severely degrading the effectiveness of the IPS or severely disrupting the computing infrastructure of an organization (such as hosts and networks).

Customized tuning when an IPS is deployed minimizes false positives. Periodic re-tuning is required when the computing environment changes (for example, when new systems and applications are deployed). IPS devices provide a flexible tuning capability that can minimize false positives during steady-state operations. An example of a false positive is a network management station that periodically builds a network discovery map by running ping sweeps.

You have the following options to remove false-positive IPS events from the event table in Event Viewer: By filtering out the events, you do not stop their generation, but you also do not see them in the table. Because they are still available (you can remove the filter), you can see the events if some particular network behavior requires that you examine activity from the excluded host. There are two main drawbacks to using this technique: The procedure below shows how to filter out events from sources that you identify as clean.

Event action filter rules are the easiest way to stop generating events, and are thus preferable to editing signatures or creating custom signatures, which is a more difficult task. If you exclude a host in an event action filter rule, the IPS device does not generate alarms or log records when the host triggers the event.

Because you can target specific signatures, rather than making a blanket-exclusion of all events from a host, you can eliminate only those events that you are certain are benign. For example, the following event filter rule removes the Produce Alert action from the ICMP Network Sweep with Echo signature for the network management station The network management host is identified as the attacker address; the action specified in an event filter rule is actually the action that is removed from the event.

Note that if you create an event action override rule to add other alert-producing actions to ICMP Network Sweep with Echo events, you must also remove the override action in this rule. For more information about configuring event action filter rules, see Configuring Event Action Filters. The following procedure shows how to use filtering in Event Viewer to remove false positives from the events list.

You do not need to add or remove filters from your views. Click OK to create the object. Click Close to close the Policy Object Manager window. Keep in mind that all of your configuration changes are submitted, not just the new policy object. If you are using Workflow mode, you must submit your activity and have it approved, if necessary.

Tip Event Viewer can see only those policy objects that have been submitted to the database, so you must submit your changes before you can create a filter using the object. If you later change the object, you must also submit your changes for the filter to use the new definition of the policy object. Step 4 Create a custom view that filters out the network management station:.

Double-click the predefined view that you want to use as the basis of your custom view, for example, All IPS Events. Double-clicking the view in the Views list opens the view. If you already have a custom view that you want to update, open it. Click the down arrow button in the title of the Source column in the events table and select Custom to open the Custom Filter for Source dialog box.

In the Custom Filter for Source dialog box, select the policy object you created and click the right-arrow button to move it to the selected list. Also, select the Not option next to the Condition option. The following illustration shows how the dialog box should look. Click OK. The filter is added to the view settings and is used to remove events from the table.

You are prompted for a view name and description; enter the information and click OK.

Updated: January 1, Chapter: Viewing Events. Viewing Events. Historical View An historical view is one that displays events from a selected period of time (for example, the last 10 minutes) and does not automatically update as new events are collected.

Tune Signatures —After setting a view of all IPS messages, or all IPS messages of a given category, you might decide that an event is actually a false positive. You can then cross launch into the associated policy and either tune the signature to exclude the host or lessen the reported severity of the particular event.

Validate Policy Deployment —After deploying a new or changed policy, you might want to confirm that it is operating effectively by selecting events corresponding to the given policy. For example, you could identify firewall-deny messages triggered by the new policy. Real-Time View A real-time view displays events as they are received and automatically updates the Event Table in waterfall fashion. Validate Device Activity —You can examine a device in your network and determine whether it is present and whether it is sending events.

On a properly tuned IPS sensor, this should be a manageable flow of events to watch in a real-time view. Views and Filters When you view events in Event Viewer, you open a view.

Time filters —You can use time filters to limit the events that are loaded into your client as well as to limit the events displayed in the Event Table. With time filtering you can select predefined values, such as the last hour , or specify a particular time range by dates and times. Column filters —You can use column filters to filter events based on a particular value of an event.

For example, you could filter on a particular source or destination, or both. For certain columns you can also filter on a range of values or on a policy object. Column filters are part of the view settings for a view. Quick filters —You can use quick filters to execute a text-based filter on events listed in the event table. The search is not column-sensitive, showing all events in which the string appears in any column.

You can use the Quick Filter drop-down list shown as a magnifier to modify the scope of the filter. The View Settings pane at the top of the Event Monitoring window updates with each additional filter choice you make to show the current aggregate filter definition of the view selected.

Policy Navigation You can navigate from a particular event to the policy within Security Manager that governs that event. However, the following access limits are imposed: You must have system administrator, network administrator, or approver privileges to select or deselect devices for monitoring.

See Selecting Devices to Monitor. You must have system administrator privileges to change the Event Management administrative settings page, where you enable or disable the service and configure storage location and other settings, as described in Starting, Stopping, and Configuring the Event Manager Service and Event Management Page. If you use ACS to control access to Security Manager, you can also control the following: You can control access to the Event Viewer application using the View Event Viewer privilege.

Using this privilege, you could prevent certain users from accessing Event Viewer, or create roles that allow access to Event Viewer without allowing access to Report Manager. A user must have this privilege to select devices for monitoring as described in Selecting Devices to Monitor. The default ACS roles that have this permission are system administrator, network administrator, approver, security administrator, and security approver.

You can control the use of the policy lookup feature. Users must have View Device privileges to the device, and also View privileges to the firewall or IPS policy, to perform policy lookup. Users can view events on devices only if they have at least View privileges to the device.

You can control access to the Event Management administrative settings page, where you enable or disable the service and configure storage location and other settings, as described in Starting, Stopping, and Configuring the Event Manager Service and Event Management Page.

The user must have Admin privileges to access this page or any other administrative settings page. All default ACS roles except help desk can view the page, but only system administrators can change settings. For more information on creating column filters, see Creating Column-Based Filters. Deeply Parsed Syslogs The structure and contents of standard syslogs and the elements comprised by each are detailed in the System Logs documentation for the device and software version you are using.

You are prompted to log in. Event Viewer is opened using the same user account that you used to log into the other application. Tip You can double-click in the view list to open the view and replace the view that is displayed.

Tip From the Event Details dialog box you can print the event details or you can copy one or more of the detail rows to your clipboard. You can also scroll through the events list using the Next and Previous buttons. View List The left pane of the Event Viewer main window displays a list of available views as shown in the following illustration. Event Table Toolbar The following illustration and table explain the elements in the toolbar that resides immediately above the event table in Event Viewer.

Tip You cannot save your selection. The next time you open the view, you need to reselect your option if you want something other than the default.

Columns in Event Table

The following table lists alphabetically, and describes, all the columns that you can display in a view in Event Viewer. To select which columns to display in the open and active view, do one of the following:

Preferred method. Click the Column Chooser icon at the far right of the event table header row (see Event Monitoring Window). The Choose Columns to Display dialog box that opens lists the columns in alphabetical order.

Also, you can click Revert to return to the default column selection for the view.

Time Slider

The time slider resides below the events table when you are using a historical view; it is not used with real-time views.

Details Tab —Displays all available fields for the selected event. The fields are presented in alphabetical order.
Explanation Tab —Displays a generic explanation for this event type.
Related Threats Tab —Displays threats correlated to the event. IPS events only.
Recommended Action Tab —Displays a generic recommendation for an event of this type. Syslogs only.
Trigger Packet Tab —Displays trigger packet data. IPS events only.

Preparing for Event Management

Before you can view events generated from a device, you must configure the device to work with Event Viewer.

Ensuring Time Synchronization

Standard network management practice includes consideration of time differences and network device synchronization. You can either identify the Security Manager server by its host IP address, for example,

The alert status icon color indicates the following:
Green dot—There are no problems. All events are being processed normally.
Yellow dot—There are some warnings, for example, low severity events are being dropped.
Orange dot—There are more serious issues, for example, low and medium severity events are being dropped.
Red dot—There is a critical situation, for example, high severity events are being dropped, or there is a significant problem with the system, such as problems with the syslog port or with the event data store location.
Disconnected network wire—The Event Manager service is disabled, either intentionally or due to some server problem; no events are being stored or retrieved.

The bar is color-coded to indicate the throttle level:
Green—Not in throttle mode.
Yellow—Low severity events are being dropped.
Red—High severity events are being dropped.

Event Server Alerts —These messages indicate specific status problems that you might need to address. Table explains the messages that you might see with possible solutions.

Copy button —Click the Copy button to copy the information to the clipboard. The copied information includes HTML markup. You can paste the information into an HTML file.

Using Event Viewer

Use Event Viewer to help troubleshoot network problems involving monitored devices.

Opening Views

You can open up to four historical views and one real-time view in Event Viewer. To open a view so that it replaces the currently active open view, do one of the following in Event Viewer:
— Double-click the view in the views list.

Floating and Arranging Views

You can open up to four historical views and one real-time view at one time.

Customizing the Event Table Appearance

You can customize the appearance of predefined or custom views in the event table to meet your requirements. You can do the following to customize the event table:
Create column filters to limit the type of events listed. Use the down arrows in the column heading to define the filter, as described in Creating Column-Based Filters.
Create color rules to highlight events based on severity, as described in Configuring Color Rules for a View.
Change which columns appear in the table by clicking the Column Selector icon to the right of the table heading row, as described in Columns in Event Table.
Change the width of a column by clicking the right edge of the column heading and dragging it to the desired size.
Change the order of the columns by clicking the column heading and dragging the column to the position you want.
Sort the events list by a column by clicking the column heading. The column sorts based on a three-click cycle: ascending, descending, and default order (which is by event reception time).

Configuring Color Rules for a View

You can use color rules to color-code events shown in the event table based on the severity of the event.

Creating Custom Views

A custom view is one in which you define the filters in the view settings. Right-click the custom view in the view list and select Edit.

Switching Between Real-Time and Historical Views

You can update the events table for any view using either real-time or historical time periods. For help in locating the control on the toolbar, see Event Table Toolbar. All options other than Real Time are historical views.

Saving Views

If you edit the settings for a view, you must save it to make those changes permanent.

Deleting Custom Views

You can delete custom views, but you cannot delete predefined views. To delete a custom view, do one of the following:
Select it in the view list and click the Delete (trash can) button above the list.
Right-click it in the view list and select Delete.
You are asked to confirm your deletion.

Filtering and Querying Events

There are many options for filtering the events that appear in the event table.

Using the Time Slider with Filtering

You can use the vertical slider control in the time slider to change the start time for the events shown in the event table.

The table is refreshed based on your currently selected time range. For real-time views, the event stream restarts. Select a different time slice using the vertical slider or the pagination controls in the time slider below the event table. For more information on using these controls, see Time Slider.

Creating Column-Based Filters

You can filter the event table in Event Viewer based on the contents of specific columns. There are many ways in which to define a column filter:
In the View Settings pane, click the Add button. You are first prompted to select the column on which to base the filter. When you click OK, you are prompted to create the filter.
In the View Settings pane, select a filter and click the Edit button to change it.
In the event table, click the down arrow button in the heading of a column and select any of the following from the drop-down list:
— A specific entry.
In the event table, you can right-click a value and select Filter This Value. This action has the same effect as selecting the value from the drop-down list for the column. You can alternatively select Filter Not This Value to create a filter that excludes a value.
In the event table, you can right-click a value and select Create Filter from Event.

Tips
Column filters are cumulative: for an event to appear in the event table for a view, the event must meet all column filter criteria.
Selecting policy objects can simplify your filters. However, for a policy object to be selectable in a filter, the object must be committed to the database. If you create a new object for filtering purposes, ensure that you submit your changes in Configuration Manager (and, if using Workflow mode with an approver, get the changes approved) before attempting to create the filter in Event Viewer.
You can filter on the contents of most, but not all, columns. If a column does not have a down arrow, you cannot filter on it. The filter icon (a funnel) appears in the heading of a filtered column.
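The following is an added illustration, not Cisco's code, of the filter semantics this section describes: column filters combine cumulatively (logical AND), Filter Not This Value keeps every event whose cell differs, including empty cells, Filter This Flow adds filters on source, source service, destination and destination service, and the quick filter matches a text string anywhere in an event. The column names and the event rows are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample rows in the shape of Event Viewer columns (not real device output).
EVENTS = [
    {"Source": "10.0.0.5", "Source Service": "tcp/51000", "Destination": "192.0.2.10",
     "Destination Service": "tcp/443", "Severity": "Informational", "Device": "asa-1"},
    {"Source": "10.0.0.5", "Source Service": "tcp/51001", "Destination": "192.0.2.10",
     "Destination Service": "tcp/443", "Severity": "Warning", "Device": "asa-1"},
    {"Source": "10.0.0.9", "Source Service": "udp/5353", "Destination": "192.0.2.11",
     "Destination Service": "udp/53", "Severity": "Error", "Device": "asa-2"},
    # A row with empty cells, to show how Filter Not This Value treats them.
    {"Source": "10.0.0.7", "Source Service": "", "Destination": "",
     "Destination Service": "", "Severity": "Critical", "Device": ""},
]


@dataclass
class ColumnFilter:
    column: str
    value: str
    exclude: bool = False  # True models "Filter Not This Value"

    def matches(self, event):
        cell = event.get(self.column, "")
        # Excluding a value keeps rows whose cell differs, empty cells included.
        return cell != self.value if self.exclude else cell == self.value


@dataclass
class ViewSettings:
    filters: list = field(default_factory=list)
    quick_text: str = ""  # quick filter: substring match over every cell

    def filter_this_flow(self, event):
        # "Filter This Flow" adds one filter per flow column, taken from the event.
        for col in ("Source", "Source Service", "Destination", "Destination Service"):
            self.filters.append(ColumnFilter(col, event.get(col, "")))

    def clear_all_filters(self):
        self.filters.clear()
        self.quick_text = ""

    def apply(self, events):
        # Column filters are cumulative: a row must satisfy every filter.
        rows = [e for e in events if all(f.matches(e) for f in self.filters)]
        if self.quick_text:
            rows = [e for e in rows if any(self.quick_text in str(v) for v in e.values())]
        return rows
```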

For a description of the available columns, see Columns in Event Table.

The Add Custom Filter to a Column dialog box opens. Select the column on which to base the filter and click OK.
In the View Settings pane, select a filter you want to change and click the Edit button.
From the drop-down list for a column, select Custom.
Right-click any cell in the desired column and select Custom Filter.

You can do the following:
To create a filter based on multiple values in the selected event, select Create Filter from Event, then select from the dialog box the values on which to filter. The dialog box lists only those columns that are displayed in the table; the current values are shown in parentheses. For an explanation of the columns, see Columns in Event Table.
To filter on only the value in the cell on which you right-click, select Filter This Value.
To filter to exclude the value in the cell on which you right-click, select Filter Not This Value. All events that do not contain the selected value in this column, including all empty cells, are shown in the table.
To filter on the flow of the selected event, based on source, source service, destination, and destination service, select Filter This Flow.

Filtering on a Text String

Use the quick filter to search for text strings in events.

Clearing Filters

When you apply filters to the event table, non-matching events are not displayed. You can clear filters one at a time or clear all filters:
To clear a single filter, do any of the following:
— Select the filter in the View Settings pane and click Delete.

To clear all filters, right-click in the events table and select Clear all filters.

Performing Operations on Specific Events

You can operate upon a single event in the event table in a variety of ways, which include the following:
Right-click —Right-clicking a single event in the event table opens a context menu with commands that you can use on the event. Hold the Ctrl key to select additional events, or hold the Shift key to select a range of events.
Double-click an event —Double-clicking a single event in the event table opens the Event Details dialog box, which shows the event information in an easier-to-read format. From the Event Details dialog box, you can print the displayed details or copy some, or all, of the details to the clipboard for pasting into another program. You can use the Next and Previous buttons to scroll through the events listed in the event table. For information on the meaning of the attributes, see Columns in Event Table.

Event Context Right-Click Menu

When you right-click an event in the Event Table, a context menu appears that provides commands that you can use with the selected event.

Table Event Context Menu Command.

Examining Details of a Single Event

Each event contains a lot of specific information in many separate fields. When you want to see the complete details of an event, you can use either of the following:
Event Details pane —Select the event and open the Event Details pane below the event table. The Event Details pane organizes the information in tabs. For more information about this pane, see Event Details Pane.
Event Details dialog box —You can open this dialog box by double-clicking the event, or by right-clicking the event and selecting Show All Details. The information is presented as a flat list and shows the information that would be shown on the Details tab in the Event Details pane.

The Event Details dialog box includes the following controls:
— Print button—Click this button to print the information.
— Next, Previous buttons—Click these buttons to scroll through the events currently displayed in the event table. Next moves up and Previous moves down in the table.

Copying Event Records

You can copy single events, multiple events, all events, or even the contents of a single cell to the clipboard. You can do the following from the event table:
Copy selected events —To copy one or more selected events, right-click in the event table and select Copy Selected Events. The event you right-click does not matter; the copied events are those that are selected (highlighted) in the table.
Copy the contents of a single cell —To copy the contents of a single cell in one event, right-click the cell and select Copy Cell. You cannot copy cell contents if there is more than one event selected in the table.
