Event Monitor


The Event Monitor is another near real-time view of the events reported by agents. This screen, which is shown in Figure 8-12, also refreshes automatically, just as the Status Summary page does. You can edit the refresh interval by changing the value in the drop-down box toward the top of the page. The refresh interval options are 15 seconds (default), 1 minute, and 5 minutes. The countdown to the next refresh is displayed directly above this drop-down box as an indication of when the refresh will take place.

Figure 8-12. Event Monitor Near Real-Time Data


By default, the Event Monitor displays all events. You can customize this view to display only the events you want as they occur. To see how the current view is filtered, you can examine the filtering values displayed at the top of the screen in the Monitoring Filter section. The filter variables displayed are as follows:

  • Displaying: You see the number of events displayed. By default, the Event Monitor displays the last 50 events.

  • Severity: You see the type of events displayed by the severity of the events received. By default, it displays all events (Informational through Emergency).

  • Host: You can display only events related to specific hosts. By default, this is set to All Hosts.

  • Rule Module: You can display events related to a specific rule module. By default, this is set to All Modules.

  • Filter Out Duplicates: You can filter duplicate events from the Event Monitor to "clean up" the view. By default, this is set to No.

NOTE

Reported duplicate events are not logged for an hour after the first recorded event. Events are also suppressed if they are logging continuously, but a suppression event is logged to denote this. Verbose logging at the group level overrides both of these suppression mechanisms.


You can edit the Event Monitor view by defining a filter for the view. Click Change next to Monitoring Filter at the top of the page to display the Filter Events pop-up window shown in Figure 8-13.

Figure 8-13. Filter Events Options


The Filter Events window enables you at the highest level to select two major options: Filter by Event Set and Define Filter. You learn about event sets later in the "Event Sets" section of this chapter. At this point, you need to learn about the Define Filter option to better understand the filtering methods allowed.

Within the Define Filter section, you have many configurable options. You do not need to set all parameters specifically, because anything that is not changed keeps the default filter settings. The configurable options when defining a filter are as follows:

  • Minimum Severity: This value is a drop-down box populated with the selection options related to the seven severity possibilities, sorted from lowest to highest:

    • Information

    • Notice

    • Warning

    • Error

    • Alert

    • Critical

    • Emergency

    For this option, select the lowest severity you want to view. By default, this is set to Information.

  • Maximum Severity: As with the Minimum Severity option, this drop-down box lists the seven possible severity options. Select the maximum severity you want to view. By default, this is set to Emergency.

  • Host: This option enables you to filter events based on a host or a group of hosts you select. By default, this is set to All. To specify a host or group, click Change. A pop-up window then presents you with two options:

    • Select the Following Host drop-down box

    • Select All Hosts in the Following Group drop-down box

    These lists are prepopulated with the hosts and groups the CSA MC knows about, including the mandatory groups of All Windows, All Linux, and All Solaris. A displayed host or group is a clickable link to the settings page for that entity. See Figure 8-14 for the Filter Events by Host pop-up window.

    Figure 8-14. Filter Events by Host Window


  • Rule Module: This is a drop-down box prepopulated with all CSA rule modules. By default, this is set to All.

  • Rule ID: This is a text field that you can populate with the specific rule ID for the events you want to see. By default, this is blank.

  • Display Last: This text field enables you to set the number of events you want to view on the Event Monitor screen. By default, the value is set to 50 events, with a possible maximum of 100 events. The Event Monitor only displays the most current events. To view more events, including historical events, use the event log as an alternative to the Event Monitor.

  • Filter Text: This is a combination of a text field and an option button selection. The option button enables you to choose Include or Exclude keywords. The text field enables you to filter the view according to a specific combination of characters, phrases, or words. The combined effect of the text field and option button enables you to specify all events where the text either appears or specifically does not appear.

  • Filter Out Duplicates: This is an option button selection of either Yes or No, which enables you to clean up the view you are presented with by showing only unique events if desired. The default selection is No.

  • Monitor button: This button applies the filter to the Event Monitor view.

The example in Figure 8-15 shows a filter on the Event Monitor set up to display only the last three events with a severity between Alert and Emergency pertaining to the CSAMC45.csa.com host. With this filter applied, the Event Monitor displays only the events matching it as they are reported to the MC by the agents.

Figure 8-15. Filtered Event Monitor View

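To make the Define Filter semantics concrete, here is an added Python model of the Event Monitor filter (example code written for this section, not Cisco's or the CSA MC's own code). The Event fields, the duplicate key, the rule IDs and texts, and every hostname other than CSAMC45.csa.com from Figure 8-15 are assumptions; figure_8_15_view reproduces the Figure 8-15 filter over the constructed sample events.

```python
from dataclasses import dataclass
from typing import List, Optional
# The seven CSA severities, lowest to highest, as the Minimum Severity list orders them.
SEVERITIES = ["Information", "Notice", "Warning", "Error", "Alert", "Critical", "Emergency"]
RANK = {s: i for i, s in enumerate(SEVERITIES)}
@dataclass(frozen=True)
class Event:  # field set is an assumption about what an agent report carries
    seq: int; severity: str; host: str; rule_id: str; text: str
@dataclass
class EventFilter:  # one Define Filter; unset fields keep the defaults the chapter lists
    min_severity: str = "Information"
    max_severity: str = "Emergency"
    host: Optional[str] = None   # None means All
    rule_id: str = ""            # blank means any rule
    filter_text: str = ""
    text_mode: str = "Include"   # or "Exclude"
    filter_out_duplicates: bool = False
    display_last: int = 50

    def matches(self, e: Event) -> bool:
        if not RANK[self.min_severity] <= RANK[e.severity] <= RANK[self.max_severity]:
            return False
        if self.host is not None and e.host != self.host:
            return False
        if self.rule_id and e.rule_id != self.rule_id:
            return False
        if self.filter_text:  # Include keeps events containing the text, Exclude drops them
            if (self.filter_text.lower() in e.text.lower()) != (self.text_mode == "Include"):
                return False
        return True

def monitor_view(events: List[Event], f: EventFilter) -> List[Event]:
    # Filter in arrival order, optionally collapse duplicates, keep only the most current N.
    kept = [e for e in sorted(events, key=lambda e: e.seq) if f.matches(e)]
    if f.filter_out_duplicates:  # duplicate == same host, rule, severity and text (assumption)
        first = {(e.host, e.rule_id, e.severity, e.text): e for e in reversed(kept)}
        kept = sorted(first.values(), key=lambda e: e.seq)  # first occurrence of each
    return kept[-max(1, min(f.display_last, 100)):]  # Display Last is capped at 100 events

# Constructed sample events; host1.csa.com and the rule IDs/texts are made up.
SAMPLE = [Event(1, "Alert", "CSAMC45.csa.com", "150", "Port scan detected"),
          Event(2, "Warning", "CSAMC45.csa.com", "22", "Write to system directory"),
          Event(3, "Emergency", "CSAMC45.csa.com", "150", "Port scan detected"),
          Event(4, "Critical", "host1.csa.com", "150", "Port scan detected"),
          Event(5, "Alert", "CSAMC45.csa.com", "310", "Registry key modified"),
          Event(6, "Emergency", "CSAMC45.csa.com", "150", "Port scan detected")]
def figure_8_15_view(filter_out_duplicates: bool = False) -> List[Event]:
    f = EventFilter(min_severity="Alert", max_severity="Emergency", host="CSAMC45.csa.com",
                    display_last=3, filter_out_duplicates=filter_out_duplicates)
    return monitor_view(SAMPLE, f)
```

Without duplicate filtering the view is the last three matching events (3, 5, 6); with Filter Out Duplicates set to Yes, event 6 collapses into event 3 and the view becomes events 1, 3, 5.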

NOTE

Remember that as an alternative to the filter you can manually define, you can also select an event set to filter the Event Monitor view. Event sets can be much more granular and might provide the desired view. Event sets are saved and can be reused very easily every time you require that specific filtered view.


    Cisco Security Agent
    ISBN: 1587052059
    Year: 2005
    Pages: 145
    Authors: Chad Sullivan