Category list

Security Monitor Event Viewer

[ LiB ]

Security Monitor Event Viewer

Finally, you will learn about the heart of Security Monitor, the Event Viewer. The Event Viewer is a kind of spreadsheetWindows Explorer hybrid, allowing you to drill down through a hierarchical structure while filtering and sorting columns as in a spreadsheet. The final result is the Event Viewer "drillsheet," which displays groups of similar event records on a single row of a grid, making it easier for you to detect and analyze patterns in your traffic analysis.

The Event Viewer contains a grid plane and can read and display both real-time and historical data from the Security Monitor database. You can configure the grid plane interface to display events from monitored devices according to your requirements.

The Event Viewer is a very robust and powerful tool to analyze IDS alerts and events; we cannot hope to cover all its capabilities within the scope of this book. However, we cover the general capabilities. For you to appreciate the full extent of Event Viewer, you need to work with it in a live environment with real events to filter and analyze.

To launch the Event Viewer and view select events, follow these simple steps:

Navigate to Monitor, Events to display the Events page; choose an event type from the Event Type drop-down menu.
Select the Event Start Time and Event Stop Time to view security events. Click the Launch Event Viewer action button to display the Event Viewer drillsheet.

Event Viewer Options

Figure 15.6 shows the Event Viewer drillsheet window.

Figure 15.6. The Security Monitor Event Viewer window, on the Monitor, Events page.

graphics/15fig06.jpg

Configuring the Event Viewer involves understanding the key TOC options listed in Table 15.10.

Table 15.10. Security Monitor Event Viewer TOC Options

Option	Description
Moving columns	Changes the default order of fields with an alarm entry
Deleting rows and columns	Removes an alarm from the Event Viewer grid, columns, or the Security Monitor database
Collapsing columns	Reduces the number of lines displayed on the Event Viewer grid
Setting the event expansion boundary	Automatically expands more fields than the default setting
Expanding columns	Expands the amount of alarm detail shown on the Event Viewer grid plane
Suspending and resuming new events	Provides the capability to suspend and resume the Event Viewer in displaying new alarms
Changing display preferences	Provides different preference settings that you can use to customize the Event Viewer
Creating graphs	Creates a graph of the data, or a subset of the data, shown in Event Viewer
View option	Enables you to access the context buffer, hostnames, network security database, and statistics

We now highlight key features of the Security Monitor Event Viewer. For a comprehensive explanation of all Security Monitor Event Viewer's capabilities, go to http:/www.cisco.com/en/US/products/sw/cscowork/ps3991/products_user_guide_chapter09186a008018d934.html.

Moving, Collapsing, and Expanding Columns

Event Viewer is a flexible and powerful tool allowing you to analyze traffic and events from a variety of perspectives. On the grid plane, you can change the order of the columns, thereby changing the way they are summarized when you expand and collapse columns.

By expanding columns, you can increase the level of detail on the grid plane by allowing individual events to be expanded. Expanded fields are white; the first entry in the expanded column contains the actual value of the field, and the rows beneath it with the same values are blank. In Figure 15.6, you can see that the IDS Alarm type field is expanded, with rows 1 through 4 having the same value; however, only row 1 show the IDS Alarm Type value of IDS IDIOM.

By collapsing columns, you can consolidate multiple rows in the grid plane into one row, which summarizes the data according to the selected column. Collapsed fields have a gray background and contain either the actual summarized value, if they are the same for this group of alarm events, or a + , if there is more than one value for the fields of the collapsed column.

Changes made to the Event Viewer grid plane by moving, collapsing, and expanding columns are not persistent; that is, by default they are not saved and are not retained for your next Event Viewer session.

Deleting Rows and Columns

Event Viewer allows you to delete rows and columns from the Event Viewer grid that you're currently viewing, or in a row, you can delete permanently from the database. In this case, the row does not appear again when you open another instance of Event Viewer. When you delete a single row, which is an alarm event or event group, you have the option to delete the row from the current grid or the database. When you delete a column, because a column represents a field in the database and not a record or group of records, the deletion is only effective for this grid.

Suspending and Resuming New Events

It's easy to imagine a scenario where you're studying a curious series of flood events, for example, that might have originated from a malicious attack. Your analysis, however, is interrupted by the continuous flux of new incoming alarms, making it difficult for you to analyze a snapshot of the potential attack. In this case, you can use the Event Viewer's Suspend New Events option from the TOC to freeze your Event Viewer window.

You can then resume real-time alarms with the Resume New Events option for the TOC. As you would expect, the Suspend and Resume options are a toggle feature; only one option is available at a time. Also, when you suspend alarms, you can be reassured that events are still being logged to the database, even though they are suspended from being displayed in your Event Viewer window.

Changing Display Preferences

The Event Viewer allows you to customize your interface settings by clicking Preferences from the TOC. A pop-up window with the Event Viewer preferences appears. The preference settings fall into six categories, as described in the subsections that follow.

Actions

The Actions group box in the Preference pop-up window allows you to set the following values:

Command Timeout Determines how long, in seconds, the Event Viewer will wait for a response from a sensor before concluding that it has lost communications with the sensor.
Time to Block Specifies how long, in minutes, the sensor blocks traffic from the specified source when you issue a block command from the Event Viewer TOC. This timeout value only applies to blocks that are manually generated from Event Viewer. The default value is 1440 minutes (one day), with the allowable range from 1 to 525,600 minutes (one year).
Subnet Mask Defines the network portion of the IP address that will be used to block a range of addresses. The default value is a Class C 255.255.255.0 mask.

When you issue a block command from the Event Viewer of Security Monitor, the default subnet mask is a Class C, 255.255.255.0 , mask.

Cells

You can specify whether certain cells will be blank or filled in by selecting the Blank Left or Blank Right check boxes in the Cells section of the Preferences pop-up window:

Blank Left Controls whether values that are suggested by a cell above a row are filled in on the subsequent rows in Event Viewer.
Blank Right Affects how the collapsed cells are displayed in the Event Viewer. If selected, a + sign appears in a collapsed cell even if all the values of the collapsed cell are the same.

Sort By

Similar to that in a spreadsheet, the Sort By command allows you to sort the events according to either Count or Content:

Count Events are sorted according to the count of alarms listed in the first column of each row.
Content Events are sorted alphabetically by the first field that is unique.

Boundaries

The Boundaries group box allows you to set the Default Expansion Boundary and the Maximum Events per Grid:

Default Expansion Boundary Specifies the default number of columns in which the cells of a new event are expanded. By default, only the first field of an event is expanded.
Maximum Events per Grid As you would expect, this setting defines the maximum number of alarms that can be displayed in a single Event Viewer grid plane. The default value is 50,000.

Event Severity Indicator

By default, event severity is indicated by color , where informational is blue, low is green, medium is yellow, and high is red. If you select the Icon option, a low severity alarm will have no icon, a medium will have a yellow flag, and a high severity alarm will have a red exclamation point.

Database

Here you can configure whether the Event Viewer will automatically retrieve events from the database. If you select the Auto Query Enabled check box, you can then configure how frequently the Event Viewer automatically retrieves events from the database. You can also manually retrieve events from the database by clicking Refresh on the TOC.

Creating Graphs

Event Viewer allows you to create graphs of your data, either by the number of events per child (the events in the column to the right of the selected node) or by the number of events per unit time. You determine which type by selecting the By Child or By Time option from the TOC. In both cases, the event severity is indicated by the color of each bar. Figure 15.7 shows an example of a graph created using the By Child option.

Figure 15.7. A graph created using the Graph, By Child option in Security Monitor Event Viewer.

graphics/15fig07.gif

It should be noted that although Security Monitor's little brother IDS Event Viewer (IEV) can create real-time graphs, the graphs within Security Monitor's Event Viewer are a static snapshot and cannot be updated dynamically.