Chapter 8. Monitoring CSA Events


This chapter covers the following topics:

  • Status summary

  • Event log

  • Event Monitor

  • Event log management

  • Event sets

  • Alerts

As the Cisco Security Agent (CSA) hosts deployed throughout your enterprise architecture begin to protect systems from malicious code, worms, viruses, unauthorized user interaction, and other policy violations, the CSA Management Console (MC) begins to receive events describing those incidents. These events are correlated in a central repository on the CSA MC known as the event log. They provide the security operations team with great insight into their environment. From the event log, the team can see what is currently impacting or has already impacted the environment, and can tighten current policies or create new policies to allow or disallow specific actions. It is extremely important for the CSA administrator to understand how to use and interpret the event log, both to deploy policies to remote agents efficiently and effectively and to react appropriately to malicious events. In many cases, however, this information is used purely for reporting, because the malicious actions are recorded in the event log as prevented and no further action is required.

The CSA MC offers you several ways to view and sort events in the database. Options for viewing events include summarized views most often used in NOCs or SOCs (network/security operation centers), live event views, and historical views. All of these methods provide for sorting and filtering such that the only data presented at any given time is what is required.

To view events, either historically or live, you start with the Events section of the CSA MC. Events is located on the top navigation bar. Placing your cursor over Events or clicking Events presents a drop-down menu for navigation, as shown in Figure 8-1. The Events menu options are as follows:

  • Status Summary: High-level overview and summarized information

  • Event Log: A filterable, complete event log

  • Event Monitor: Recent events, refreshed regularly for a near-real-time view

  • Event Log Management: Create tasks to manage the database

  • Event Sets: Predefined groupings of events used when viewing, reporting on, or sending notifications about events in the database

  • Alerts: Configuration of alerts based on received events

Figure 8-1. Top-Level Events Menu


Throughout this chapter, you will explore the various ways to view and use the Events menu to ensure a successful CSA architecture.



Cisco Security Agent
ISBN: 1587052059
Year: 2005
Pages: 145
Author: Chad Sullivan
