Event Log


The event log provides historical views of logged events from the most current to the oldest. These views can prove useful when attempting to understand what is impacting your user environment as well as when tuning and enforcing policy. By default, the event log shows all events recorded that have not been purged. Just as with the near real-time view provided by the Event Monitor, you can filter the event log to provide a concise view of the information you want to see. Figure 8-5 shows a sample Event Log screen.

Figure 8-5. The Event Log Viewer


NOTE

The event log database is also accessible to third-party applications through ODBC, using the DSN CSCODSN. Detailed database schema and view information is in the CSA documentation. Only qualified individuals should work directly with the CSA SQL database, because an incorrect statement or action could cause data loss or corruption.


Filtering the Event Log

You can set the event log filter to display only the events you want to see. The current filter parameters display at the top of the Event Log screen. At the top of the filter parameters, an indicator describes which events, by event number, you are currently viewing. Adjacent to this is the Change Filter option. The following list describes the current filter parameters:

  • Filter by Event Set This option is the same as described previously in the "Event Monitor" section. Event sets are described later in this chapter.

  • Define Filter This section provides customizable filtering parameters. The majority of the parameters available to filter this view, which is shown in Figure 8-6, are described as follows and are illustrated in Figure 8-7:

    • Start Date and End Date You can enter a specific time as hh:mm:ss, optionally followed by AM or PM. If you omit AM/PM, hh is interpreted in 24-hour format. Minutes and seconds are optional; only the hour is required.

      You can enter a specific date with month and day information as mm/dd/yy (day and year optional) or as monthname dd, yy (day and year optional).

      Alternatively, you can use relative time, which uses the following keywords: ago, today, now, last, yesterday, day, week, month, year, hour, minute, or second.

      Example 1:

      Start Date = 22 hours ago

      End Date = 13 minutes ago

      Example 2:

      Start Date = yesterday

      End Date = 3 minutes 5 seconds ago

      Example 3:

      Start Date = 10/05/2000 22:04:00

      End Date = now

    • Minimum Severity This drop-down box lists the seven severity levels, sorted from lowest to highest:

      Information

      Notice

      Warning

      Error

      Alert

      Critical

      Emergency

      For this option, choose the lowest severity you want to view. By default, this is set to Information.

    • Maximum Severity As with the Minimum Severity option, this drop-down box lists seven possible severity options. Choose the maximum severity setting you want to view. By default, this is set to Emergency.

    • Host This option enables you to filter events based on a host or group of hosts you choose. By default, this is set to All. To specify a host or group, click Change. A pop-up window then presents you with two options: Select the Following Host drop-down box and Select All Hosts in the Following Group drop-down box.

      These lists are prepopulated with hosts and groups the CSA MC knows about, including the mandatory groups of All Windows, All Linux, and All Solaris. A displayed host or group is a clickable link to the settings page for that entity.

    Figure 8-6. Filtered Event Log View


    Figure 8-7. The Event Log Filter


    • Rule Module This is a drop-down box selection tool prepopulated with all CSA rule modules. By default, this is set to All.

    • Rule ID This is a text field that you can populate with the specific rule ID for the events you want to see. By default, this is blank.

    • Events per Page Defaults to 50, with no defined maximum.

    • Filter Text Include or exclude events that contain the text specified.

    • Filter Out Duplicates Select this option to show only the first occurrence of an event and suppress the recurring messages for the same event.

    • View button View the event log after applying the filter.

NOTE

When you apply the filter using relative times, the displayed filter parameters at the top of the Event Log view translate that information to specific dates and times relative to the date and time on the CSA MC server.
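As an added example (not code from the book or from the CSA product), the following Python resolves Start Date and End Date entries written in the grammar above against a reference clock, the way the MC translates relative times against its own clock. The reference clock REF_CLOCK is a constructed value; the 30-day month, the 365-day year, reading today and yesterday as the start of that day, reading "last <unit>" as one unit ago, the two-digit-year rule, and defaulting an omitted day to the first of the month are all assumptions, since the book does not define them.

```python
"""Resolve CSA Event Log filter date/time expressions against a reference clock.

Added example, not code from the book or from Cisco. Month and year are
approximated as 30 and 365 days, 'today' and 'yesterday' mean the start of
that day, and 'last <unit>' means one unit ago: all assumptions.
"""
import re
from datetime import datetime, timedelta

UNIT_SECONDS = {
    "second": 1, "minute": 60, "hour": 3600, "day": 86400,
    "week": 7 * 86400, "month": 30 * 86400, "year": 365 * 86400,
}
UNITS = "|".join(UNIT_SECONDS)
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]

# Constructed reference clock standing in for the CSA MC server's clock.
REF_CLOCK = datetime(2005, 3, 14, 15, 9, 26)


def _month_number(token):
    """Month number for a full or abbreviated (3+ letter) month name, else None."""
    token = token.rstrip(",")
    for num, name in enumerate(MONTHS, start=1):
        if len(token) >= 3 and name.startswith(token):
            return num
    return None


def _relative_seconds(text):
    """Sum '<n> <unit>[s]' pairs: '3 minutes 5 seconds' -> 185."""
    if not re.fullmatch(rf"(?:\d+ (?:{UNITS})s?\s*)+", text):
        raise ValueError(f"bad relative expression: {text!r}")
    return sum(int(n) * UNIT_SECONDS[u]
               for n, u in re.findall(rf"(\d+) ({UNITS})s?", text))


def _absolute(text, ref):
    """Parse 'mm[/dd[/yy]]' or 'monthname [dd[,]] [yyyy]' plus an optional
    'hh[:mm[:ss]] [am|pm]'; omitted fields default to the reference date."""
    tokens = text.split()
    month, day, year = ref.month, ref.day, ref.year
    if tokens and "/" in tokens[0]:
        m = re.fullmatch(r"(\d{1,2})(?:/(\d{1,2}))?(?:/(\d{2,4}))?", tokens.pop(0))
        if not m:
            raise ValueError(f"bad date: {text!r}")
        month = int(m.group(1))
        day = int(m.group(2)) if m.group(2) else 1      # assumption: first of month
        year = int(m.group(3)) if m.group(3) else year
    elif tokens and _month_number(tokens[0]) is not None:
        month, day = _month_number(tokens.pop(0)), 1    # assumption: first of month
        if tokens and re.fullmatch(r"\d{1,2},?", tokens[0]):
            day = int(tokens.pop(0).rstrip(","))
        if tokens and re.fullmatch(r"\d{4}", tokens[0]):
            year = int(tokens.pop(0))
    if year < 100:                                      # two-digit year (assumption)
        year += 2000 if year < 70 else 1900
    hour = minute = second = 0
    if tokens:
        m = re.fullmatch(r"(\d{1,2})(?::(\d{2}))?(?::(\d{2}))?(?: ?(am|pm))?", " ".join(tokens))
        if not m:
            raise ValueError(f"bad time: {text!r}")
        hour, minute, second = int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0)
        if m.group(4):                                  # 12-hour clock only when AM/PM is given
            hour = (hour % 12) + (12 if m.group(4) == "pm" else 0)
    return datetime(year, month, day, hour, minute, second)


def parse_filter_time(expr, ref=REF_CLOCK):
    """Translate one Start Date / End Date entry into an absolute datetime."""
    text = " ".join(expr.lower().split())
    if text == "now":
        return ref
    midnight = ref.replace(hour=0, minute=0, second=0, microsecond=0)
    if text == "today":
        return midnight
    if text == "yesterday":
        return midnight - timedelta(days=1)
    m = re.fullmatch(rf"last ({UNITS})", text)
    if m:
        return ref - timedelta(seconds=UNIT_SECONDS[m.group(1)])
    if text.endswith(" ago"):
        return ref - timedelta(seconds=_relative_seconds(text[:-4]))
    return _absolute(text, ref)


def resolve_filter(start_expr, end_expr, ref=REF_CLOCK):
    """Return (start, end) as absolute datetimes, rejecting an empty window,
    as the filter banner shows them once the filter is applied."""
    start, end = parse_filter_time(start_expr, ref), parse_filter_time(end_expr, ref)
    if start > end:
        raise ValueError(f"start {start} is after end {end}")
    return start, end


if __name__ == "__main__":
    for s, e in [("22 hours ago", "13 minutes ago"),
                 ("yesterday", "3 minutes 5 seconds ago"),
                 ("10/05/2000 22:04:00", "now")]:
        start, end = resolve_filter(s, e)
        print(f"{s!r:>24} .. {e!r:<26} -> {start:%m/%d/%Y %H:%M:%S} .. {end:%m/%d/%Y %H:%M:%S}")
```

The three examples from the text are the ones the `__main__` block runs; because a relative entry is resolved against the server's clock at the moment the filter is applied, the same filter gives a different window every time it is reapplied, which is worth keeping in mind when comparing views taken at different times.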


Interpreting and Using the Event Log

The events held within the event log and presented by either the Event Log Viewer or the Event Monitor must be interpreted in order for the information to prove useful to you.

Figure 8-8 shows a sample event log with several events. This section discusses the information presented in a single event.

Figure 8-8. Events as Displayed in an Event Log


Rows in the display alternate colors to make it easier to see where one event ends and the next begins. From left to right, each event is divided into the following columns:

  • # This is a number associated with each event in order relating only to events in the current filtered view. The events with higher numbers occurred more recently than those with lower numbers.

  • Date This shows the date and time the event occurred on the agent machine. If the agent cannot reach the MC when an event occurs, the event is stored locally and transmitted with its original time stamp when the MC becomes reachable again.

  • Host This is the host that reported the event. The host is a clickable link directly to the host configuration page.

  • Severity This indicates the severity level of the logged event.

  • Event This contains the specific event information, which you learn more about in the next section.

Understanding Event Field Information

The Event field in the various log views contains a great deal of information, including links to policy-tuning options. If the event occurred in Test Mode, it is prefixed with TESTMODE, so you can include or exclude such events with the text filter. The event itself is then explained in plain terms, with the relevant variables such as IP address, port number, and filename included. Below each event are clickable options that appear depending on the type of rule that triggered the event. The options, described in the sections that follow, are as follows:

  • Details

  • Rule Number

  • Wizard

  • Find Similar

Details

When you choose the Details option, a new window opens with very detailed information about the specific event, as shown in Figure 8-9. The fields differ slightly by rule type. A few of the common fields and their descriptions are as follows:

  • Description Describes the specific policy rule

  • Module Specifies the rule module that includes the rule

  • Event Text Provides the information displayed in the Event field

  • Event Time Shows the date and time the event occurred

  • Code Lists the code associated with the triggered rule, which is usable by TAC in a troubleshooting situation

  • PInt Indicates the rule number that triggered the event

  • PString Shows the variable used in the Event field relating to what triggered the event

  • Time Shows the number of seconds since the agent machine booted

  • Type Indicates the type of event such as FILE, APICALL, and TDI

Figure 8-9. Event Details View


The detailed view displays several other fields. These fields become available depending on the type of rule that triggered the event. For example, for file events, you see fields relating to the file accessed and operation performed or attempted, whereas network operations include information regarding the IP addresses and ports involved. This information will be a great help for Cisco Technical Assistance Center (TAC) support staff when assisting you with troubleshooting rule behavior.

Rule Number

The Rule Number option is a clickable link in the Event field. This option directs you to the specific rule that triggered this event so that you can view and possibly configure it appropriately.

Event Wizard

The Event Wizard is an invaluable option when tuning deployed rules. It launches a pop-up window titled Event Management Wizard, as shown in Figure 8-10. The wizard assists in creating exception rules that override specific rules, exception rules that stop logging of specific events, or behavior analysis jobs that provide detail about the process that triggered the event. All three are covered in detail in Chapter 12, "Creating and Tuning Policy."

Figure 8-10. Event Management Wizard Pop-Up Window


Find Similar

The Find Similar option is a quick way to isolate a type of specific event to view. When this option is clicked, a pop-up window appears with some simple filtering options, as shown in Figure 8-11:

  • Same Host Check this box to find events from the same host.

  • Same Policy Rule Check this box to find events triggered by the same policy rule.

  • Same Severity Level Check this box to find events of the same severity level.

  • Same Type Check this box to find events of the same rule type.

  • Same Time Frame Check this box and set the time entry to find the matching events within a specific timeframe both before and after the selected event.

Figure 8-11. Find Similar Pop-Up Window Options
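As an added example (not code from the book or from Cisco), the following Python applies the filter fields described under "Filtering the Event Log" (date window, severity range, host, rule ID, include/exclude text, Filter Out Duplicates) and the Find Similar check boxes above to a constructed set of events. The event records, hostnames, rule IDs, event types and event text are invented sample data; treating a duplicate as the same host, rule and event text, and treating the Same Time Frame window as symmetric around the selected event, are assumptions.

```python
"""Filter and 'Find Similar' logic over Event Log records.

Added example, not code from the book or from Cisco: the records are
constructed sample events, the rule IDs are invented, and 'duplicate' is
taken to mean same host, same rule and same event text (assumption).
"""
from datetime import datetime, timedelta

# Severity levels as the filter drop-downs list them, lowest to highest.
SEVERITIES = ["Information", "Notice", "Warning", "Error", "Alert", "Critical", "Emergency"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}

T0 = datetime(2005, 3, 14, 9, 0, 0)       # constructed base time for the samples
DENIED_WRITE = ("The process 'winword.exe' attempted to write "
                "'C:\\WINDOWS\\system32\\foo.dll'. The operation was denied.")


def _ev(num, secs, host, severity, etype, rule, text):
    return dict(num=num, date=T0 + timedelta(seconds=secs), host=host,
                severity=severity, type=etype, rule=rule, text=text)


# Constructed sample events (not real CSA log data); '#' rises with time.
EVENTS = [
    _ev(1, 0, "ws-01", "Warning", "FILE", 101, DENIED_WRITE),
    _ev(2, 5, "ws-01", "Warning", "FILE", 101, DENIED_WRITE),
    _ev(3, 30, "ws-02", "Notice", "TDI", 205,
        "TESTMODE: The process 'iexplore.exe' attempted to accept a connection on TCP port 8080."),
    _ev(4, 60, "srv-01", "Alert", "APICALL", 310,
        "The process 'svchost.exe' attempted to inject code into 'lsass.exe'. The operation was denied."),
    _ev(5, 70, "ws-01", "Warning", "FILE", 101, DENIED_WRITE),
    _ev(6, 300, "ws-01", "Information", "FILE", 101,
        "The process 'winword.exe' attempted to read 'C:\\Docs\\budget.doc'. The operation was allowed."),
    _ev(7, 1800, "srv-01", "Critical", "APICALL", 310,
        "The process 'unknown.exe' attempted to inject code into 'winlogon.exe'. The operation was denied."),
]


def filter_events(events, *, start=None, end=None, min_sev="Information",
                  max_sev="Emergency", host=None, rule=None, include_text=None,
                  exclude_text=None, drop_duplicates=False):
    """Apply the Event Log filter fields; returns newest first, like the viewer."""
    if RANK[min_sev] > RANK[max_sev]:
        raise ValueError("minimum severity is above maximum severity")
    kept, seen = [], set()
    # Walk oldest first so that the original of a duplicate is the one kept.
    for ev in sorted(events, key=lambda e: e["date"]):
        if start is not None and ev["date"] < start:
            continue
        if end is not None and ev["date"] > end:
            continue
        if not RANK[min_sev] <= RANK[ev["severity"]] <= RANK[max_sev]:
            continue
        if host is not None and ev["host"] != host:
            continue
        if rule is not None and ev["rule"] != rule:
            continue
        text = ev["text"].lower()
        if include_text and include_text.lower() not in text:
            continue
        if exclude_text and exclude_text.lower() in text:
            continue
        if drop_duplicates:
            key = (ev["host"], ev["rule"], ev["text"])
            if key in seen:
                continue
            seen.add(key)
        kept.append(ev)
    return sorted(kept, key=lambda e: e["date"], reverse=True)


def find_similar(events, selected, *, same_host=False, same_rule=False,
                 same_severity=False, same_type=False, time_frame=None):
    """The Find Similar check boxes; time_frame is seconds before and after
    the selected event (assumption: a symmetric window)."""
    matches = []
    for ev in events:
        if same_host and ev["host"] != selected["host"]:
            continue
        if same_rule and ev["rule"] != selected["rule"]:
            continue
        if same_severity and ev["severity"] != selected["severity"]:
            continue
        if same_type and ev["type"] != selected["type"]:
            continue
        if time_frame is not None and abs((ev["date"] - selected["date"]).total_seconds()) > time_frame:
            continue
        matches.append(ev)
    return sorted(matches, key=lambda e: e["date"], reverse=True)


def event_numbers(events):
    """The '#' column of a result set, newest first."""
    return [e["num"] for e in events]


if __name__ == "__main__":
    print("Alert and above:", event_numbers(filter_events(EVENTS, min_sev="Alert")))
    print("ws-01, duplicates removed:", event_numbers(filter_events(EVENTS, host="ws-01", drop_duplicates=True)))
    print("excluding TESTMODE:", event_numbers(filter_events(EVENTS, exclude_text="TESTMODE")))
    print("similar to #4, same rule, 60 s:", event_numbers(find_similar(EVENTS, EVENTS[3], same_rule=True, time_frame=60)))
```

Two points the code makes explicit: duplicate suppression has to be decided in oldest-first order so the original rather than a later repeat survives, even though the viewer displays newest first; and a Find Similar search with Same Time Frame set is the quickest way to pull out the burst of events that surrounds one alert on a host, which is usually what you want when deciding whether a rule needs an exception or whether the host needs a closer look.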




    Cisco Security Agent
    ISBN: 1587052059
    Year: 2005
    Pages: 145
    Authors: Chad Sullivan