User Guide for Cisco Security Manager 4.0.1
Viewing Events

Table Of Contents

Viewing Events

Introduction to Event Viewer Capabilities

Historical View

Real-Time View

Filters

Predefined and Custom Views

Time Filters

Column Filters

Quick Filters

Drilling Down with Filters

Policy Navigation

Scope and Limits of Event Viewer

Deeply Parsed Syslogs

Comparing Event Viewer, CS-MARS, and Performance Monitor

Understanding the Event Viewer Interface

File Menu

View Menu

View Selector

Event Monitoring Window

View Tabs

View Settings Pane

Toolbar Elements

Event Table

Time Slider

Event Details Pane

Managing the Event Manager Service

Starting, Stopping, and Configuring the Event Manager Service

Selecting Devices to Monitor

Monitoring Event Data Store Disk Space Usage

Archiving or Backing Up and Restoring the Event Data Store

Using Event Viewer

Preparing for Event Management

Ensuring Time Synchronization

Configuring ASA Devices for Event Management

Configuring IPS Devices for Event Management

Using Event Views

Opening Event Viewer

Opening and Switching Views

Working in the Event Table

Customizing the Event Table Appearance

Configuring Color Rules for a View

Using the Time Slider

Creating a Custom View

Editing a View's Content

Deleting a View

Floating a View

Arranging Views

Performing Operations on Specific Events

Right-Click Menu

Copying Event Records

Saving Events to a File

Event Filtering and Querying

Event Time Filtering

Updating the Event Table

Filtering Based on a Specific Event's Values

Clearing Filters

Filtering on a Text String

Using the Column Filters

Using Custom Column Filters

Looking Up a Security Manager Policy from Event Viewer

Examples of Event Analysis

Help Desk: User Access To a Server Is Blocked By the Firewall

Monitoring and Mitigating Botnet Activity

Understanding the Syslog Messages That Indicate Actionable Events

Monitoring Botnet Using the Security Manager Event Viewer

Monitoring Botnet Activity Using the Adaptive Security Device Manager (ASDM)

Mitigating Botnet Traffic

Removing False Positive IPS Events from the Event Table


Viewing Events


Monitoring events in your network can be likened to drinking from a fire hose. The volume can be overwhelming. The Event Viewer feature, introduced in Security Manager 4.0, enables you to selectively monitor, view, and examine events from ASA and IPS devices. Because you can filter the stream of events provided by Event Viewer, you can quickly select the view or even the particular event you require at the moment. Further, the views you select can be saved and recalled as needed.

This chapter contains the following topics:

Introduction to Event Viewer Capabilities

Understanding the Event Viewer Interface

Managing the Event Manager Service

Using Event Viewer

Examples of Event Analysis

Introduction to Event Viewer Capabilities

Event Viewer monitors your network for syslog (system log) events from ASA devices and SDEE (Secure Device Event Exchange) events from IPS devices. Event Viewer collects these events and provides an interface by which you can view them, group them, and examine their details.


Note Event Viewer, as a feature within Security Manager, is focused more on troubleshooting than on dedicated monitoring. Users who need greater event monitoring, correlation, and analysis performance are encouraged to explore whether the Cisco Security Monitoring, Analysis and Response System (MARS) fits their network management needs. For more details, see Comparing Event Viewer, CS-MARS, and Performance Monitor.


This section briefly describes some key activities that Event Viewer can facilitate.

This section contains the following topics:

Historical View

Real-Time View

Filters

Policy Navigation

Scope and Limits of Event Viewer

Deeply Parsed Syslogs

Comparing Event Viewer, CS-MARS, and Performance Monitor

Historical View

An historical view is one that displays events from a selected period of time (for example, last 10 minutes) and does not automatically update.

Consider the following activities among the many possibilities for employing Event Viewer with an historical view:

Troubleshoot Connectivity—When a report comes in that a user cannot reach a particular server, you can set an historical view (for example, the last 10 minutes) that displays all events that affect that user's IP address as a source or destination. Then, you can go from a particular displayed event to the policy denying that user's access to the resource.

Tune Signatures—After setting a view of all IPS messages, or all IPS messages of a given category, you may decide that an event is actually a false positive. You can then cross launch into the associated policy and either tune the signature to exclude the host or lessen the reported severity of the particular event.

Validate Policy Deployment—After deploying a new or changed policy, you may want to confirm that it is operating effectively by selecting events corresponding to the given policy. For example, you could identify firewall-deny messages triggered by the new policy.

Real-Time View

A real-time view displays events as they are received and automatically updates the Event Table in waterfall fashion. Keep in mind that the term "real-time" is not precise. System latency and other factors prevent true real-time system response.

Consider the following activities among the many possibilities for employing Event Viewer with a real-time view:

Investigate Attacks in Near Real-time—By isolating details of a particular source IP address, or a source/destination pair, Event Viewer can provide details about attacks on your ASA and IPS devices, or attacks that are going through those devices.

Validate Device Activity—You can examine a device in your network and determine whether it is present and whether it is sending events.

View High Threat IPS Events—You can filter a view to display all events that exceed a certain threat level. On a properly tuned IPS sensor, this should be a manageable flow of events to watch in a real-time view.

Filters

Using filters is key to getting the most from Event Viewer. You can distill from all the events being received a view of only the information that you need or want. Further, the filters you assign can be aggregated to filter a view that you have already filtered. You can use the predefined views that are part of Event Viewer (see Predefined and Custom Views) and add sets of filters as custom views. This section introduces the filtering capabilities within Event Viewer. For more information, see Event Filtering and Querying.

This section contains the following topics:

Predefined and Custom Views

Time Filters

Column Filters

Quick Filters

Drilling Down with Filters

Predefined and Custom Views

Event Viewer filters the events displayed and enables you to move from the general to the specific, and back. You can use the Event Viewer interface to define and record a set of filters called a view. Then, by recalling a particular view, you can examine events of interest in a manner that meets your requirements.

Event Viewer includes a number of predefined views, which are shown in the selector pane. The predefined views cannot be altered or deleted, but each can be used as the basis for your own custom views.

You can create custom views by applying filters to any existing view and then saving the result. A custom view can include multiple filter settings and Event Table arrangements.

For more information, see Creating a Custom View.

Time Filters

You can use time filters to limit the events that you load into your client as well as to limit the events displayed in the Event Table. With time filtering you can select predefined values, such as the last hour, or specify a particular time range by dates and times.

For more information, see Event Time Filtering.

Column Filters

Column filters enable you to filter events based on a particular value of an event. For example, you could filter on a particular source, or destination, or both. For certain columns you can also filter on a range of values.

For more information, see Using the Column Filters or Using Custom Column Filters.

Quick Filters

Quick filters enable you to execute a text-based filter on event data that has been loaded into the Event Viewer client. A quick filter can locate a particular string of characters within the event data of multiple columns or all columns.

You use the Quick Filter drop-down list (shown as a magnifier) to modify the scope of the filter.

For more information, see Filtering on a Text String.

Drilling Down with Filters

Aggregating additional filters allows you to become more and more selective, that is, to "drill down", until you can view a particular event or set of events that meets your requirements.

The View Settings pane at the top of the Event Monitoring window updates with each additional filter choice you make to show the current aggregate filter definition of the view selected.

Policy Navigation

Event Viewer enables you to navigate from a particular event to the policy within Security Manager that governs that event. For more information, see Looking Up a Security Manager Policy from Event Viewer.

Scope and Limits of Event Viewer

Table 59-1 provides details on the functional scope and limits of Event Viewer:

Table 59-1 Event Viewer Scope and Limits 

Item
Description

ASA Devices

Event Viewer collects and displays events for the following ASA devices:

8.0.x, 8.1.x, 8.2, and 8.3.

Event collection may operate for older ASA devices, but such support is not officially claimed or tested.

IPS Devices

Event Viewer collects and displays events for the following IPS devices:

6.1.x, 6.2.x, and 7.0.

Event collection may operate for older IPS devices, but such support is not officially claimed or tested.

Event Data Store Size

The limit for event storage is set in Security Manager's Event Data Store Disk Size. For more information, see the Event Management Page.

Note After the Event Data Store is 90 percent filled, newest events replace oldest events.

Event Limit

The limit for events displayed in Event Viewer is set in Security Manager's Event Data Pagination Size. For details, see the Event Management Page.

Device Groups

You can employ device groups within Event Viewer.

Policy Objects

You can employ policy objects such as network/host objects and services within Event Viewer.

RBAC

Any user who can access Security Manager can access Event Viewer. However, only users with access to the associated device can use the event-to-policy function.

In an ACS-RBAC environment, any user with view privileges on devices can view the devices to which he has access in accordance with the Manage Monitored Devices page. However, only the users with modify privilege on a device can enable/disable monitoring on that device.

Event Details

The event details parsed and displayed for a certain event, or event type, vary. For details on the hundreds of syslogs that are deeply parsed in Event Viewer, see Deeply Parsed Syslogs.

Views

A single Event Viewer client has a load limit of four historical views and one real-time view.

Clients

A Security Manager server, with one event viewer per client, can open a maximum of five event viewer clients.


Deeply Parsed Syslogs

The structure and contents of standard syslogs, and the elements that make up each of them, are detailed in Cisco Security Appliance System Log Messages, Version 7.2.

Syslogs other than those listed here are presented as RAW syslogs. The All Device Events view presents all events from all monitored devices. Only deeply parsed syslogs present the full content carried by the syslog.

The deeply parsed syslogs in Security Manager are detailed in Table 59-2.

Table 59-2 Deeply Parsed Syslogs

Syslog Category | Syslog ID | Total Number of Syslogs
Flow, Session Syslogs | 110002-110003, 209003-209005, 302003-302004, 302009-302010, 302012-302018, 302020-302021, 302303-302304, 302033-302034, 303002-302005, 313001, 313004, 313005, 313008, 324000-324006, 337001-337009, 431001-431002, 407001-407002, 416001, 418001-418002, 419001-419003, 424001-424002, 450001, 448001, 609001-609002 | 47
Botnet | 338001-338004, 338101-338104, 338201-338202, 338301 | 11
ACL | 106100, 106023, 106002, 106006, 106018 | 5
Denied Firewall | 106001, 106007, 106008, 106010-106017, 106020-106022, 106025-106027 | 12
AAA | 109001-109010, 109012, 109016-109020, 109023-109029, 109031-109035, 113001-113025 | 44
Inspect | 108002-108007, 303004-303005, 400000-400050, 406001-406002, 415001-415020, 500001-500005, 508001-508002, 608001-608005, 607001-607003, 703001-703002, 726001 | 99
NAT | 201002-201006, 201009-201013, 202005, 202011, 305005-305012 | 21
IPSec VPN | 402114-402122, 602103-602104, 602303-602304, 702305, 702307 | 15
Failover (HA) | 101001-101005, 102001, 103001-103007, 104001-104004, 311001-311004, 709001-709007, 210001-210022 | 49
SSL VPN | 725001-725009, 725012-725013, 716001-716020, 716023-716039, 716041-716060, 722001-722023, 722026-722044, 722046-722051, 723001-723002, 723009-723012, 723014, 724001-724004 | 122
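To make the table concrete, here is an added Python example (not code from this guide or from Security Manager) that reads the Event Type ID out of an ASA syslog header and assigns it to a Table 59-2 category, treating any ID outside the table as a RAW syslog. It assumes the "%ASA-<severity>-<message ID>:" header format, covers only six of the table's rows (the remaining rows can be pasted in the same way), and uses constructed message text for the sample lines.

```python
import re
from typing import Dict, List, Optional, Tuple

# Subset of Table 59-2, with the ID lists copied as the table prints them.
# Extend with the remaining rows (Flow/Session, AAA, Inspect, SSL VPN) to
# cover the full set of deeply parsed syslogs.
DEEPLY_PARSED = {
    "Botnet": "338001-338004, 338101-338104, 338201-338202, 338301",
    "ACL": "106100, 106023, 106002, 106006, 106018",
    "Denied Firewall": "106001, 106007, 106008, 106010-106017, 106020-106022, 106025-106027",
    "NAT": "201002-201006, 201009-201013, 202005, 202011, 305005-305012",
    "IPSec VPN": "402114-402122, 602103-602104, 602303-602304, 702305, 702307",
    "Failover (HA)": "101001-101005, 102001, 103001-103007, 104001-104004, "
                     "311001-311004, 709001-709007, 210001-210022",
}


def parse_ranges(spec: str) -> List[Tuple[int, int]]:
    """Turn '106001, 106010-106017' into [(106001, 106001), (106010, 106017)]."""
    ranges = []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        lo, _, hi = token.partition("-")
        low = int(lo)
        high = int(hi) if hi else low
        if high < low:
            # Reject a range whose bounds are printed reversed instead of silently matching nothing.
            raise ValueError(f"inverted range in table row: {token!r}")
        ranges.append((low, high))
    return ranges


CATEGORY_RANGES = {name: parse_ranges(spec) for name, spec in DEEPLY_PARSED.items()}


def category_for_id(event_type_id: int) -> Optional[str]:
    """Return the Table 59-2 category for a syslog ID, or None if it is not deeply parsed."""
    for name, ranges in CATEGORY_RANGES.items():
        if any(low <= event_type_id <= high for low, high in ranges):
            return name
    return None


# "%ASA-<severity>-<6-digit message ID>: <text>" is the ASA syslog message header (assumed format).
ASA_SYSLOG_RE = re.compile(r"%ASA-(\d)-(\d{6}):\s*(.*)")


def classify(line: str) -> Dict[str, object]:
    """Parse one ASA syslog line into the Event Type ID and category fields Event Viewer shows."""
    match = ASA_SYSLOG_RE.search(line)
    if match is None:
        return {"parsed": False, "raw": line}
    event_type_id = int(match.group(2))
    category = category_for_id(event_type_id)
    return {
        "parsed": True,
        "severity": int(match.group(1)),
        "event_type_id": event_type_id,
        # Syslogs outside the table are presented as RAW syslogs, without deep parsing.
        "category": category if category is not None else "RAW",
        "deeply_parsed": category is not None,
        "text": match.group(3),
    }


def summarize(lines) -> Dict[str, int]:
    """Count lines per category, the way a per-category view would bucket them."""
    counts: Dict[str, int] = {}
    for line in lines:
        result = classify(line)
        key = str(result["category"]) if result["parsed"] else "unparsed"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample lines: the IDs come from Table 59-2, the message text is made up
# (111008 is a real ASA message ID that the table does not list, so it shows as RAW).
SAMPLE_LINES = [
    "%ASA-4-106023: Deny tcp src outside:203.0.113.7/51324 dst inside:192.0.2.10/445 by access-group outside_in",
    "%ASA-4-338001: Dynamic Filter monitored blacklisted TCP traffic from inside:192.0.2.25/49152 to outside:203.0.113.99/80",
    "%ASA-6-305011: Built dynamic TCP translation from inside:192.0.2.25/49153 to outside:203.0.113.1/1024",
    "%ASA-1-103001: (Primary) No response from other firewall (failover cable)",
    "%ASA-5-111008: User 'admin' executed the 'show version' command",
    "Jun  1 12:00:00 asa-edge-1 kernel: not an ASA syslog at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line))
    print(summarize(SAMPLE_LINES))
```

Categories are checked in table order, so if a later row were ever to overlap an earlier one the earlier row wins; with the rows copied here there is no overlap. Because the parser refuses a range whose bounds are reversed, pasting a row that is printed that way fails loudly rather than dropping those IDs into the RAW bucket.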


Comparing Event Viewer, CS-MARS, and Performance Monitor

The Cisco Security Management Suite of applications includes many different tools that you can use to monitor and deal with events. The main tools are the Security Manager Event Viewer, Cisco Security Monitoring, Analysis and Response System (CS-MARS), and Performance Monitor, but you can also use the syslog facilities included with the individual device managers (which you can open through Security Manager).

Each application offers different capabilities, and CS-MARS offers the most extensive features. The following table is meant to help you compare the abilities of each tool so that you can select the tool that best fits your needs. You can always use more than one application, of course.

Table 59-3 Comparing Event Viewer, CS-MARS, and Performance Monitor

Capability | Event Viewer | CS-MARS | Performance Monitor

General device support (for specific information on models and operating system versions, see the supported devices document for each application on Cisco.com):
ASA devices | Yes | Yes | Yes
IPS devices and service modules | Yes | Yes | No
IOS IPS devices | No | Yes | No
PIX firewalls | No | Yes | Yes
FWSM | No | Yes | Yes
IOS routers | No | Yes | Yes
Catalyst switches | No | Yes | No
Content switching modules (CSM) | No | No | Yes
SSL modules | No | No | Yes
Non-Cisco devices | No | Yes | No

Provide a sessionized view of a traffic flow across multiple devices (supported devices only). | By filtering on traffic flows only. | Yes | By filtering only.

Allow easy navigation between a device event and the configuration policy in Security Manager directly related to the event (access rules and IPS signatures only):
ASA devices | Yes | Yes | No
IPS devices and service modules | Yes | Yes | No
IOS IPS devices | No | Yes | No
PIX firewalls | No | Yes | No
FWSM | No | Yes | No
IOS routers | No | Yes | No
Catalyst switches | No | Yes | No

Allow easy navigation between an access rules or IPS signatures device policy in Security Manager and events that are directly related to it. | No | Yes | No
Provide reporting capabilities. | CSV or HTML of events list; no graphics or true reports. | Extensive, including graphical charts (bar, pie, graphs). | Extensive, graphical.
Create and save custom queries or views. | Yes | Yes | No (filtering only)
View real time and historical events. | Yes | Yes | Yes
Show device status from within Security Manager. | Yes | No | Yes (Tools > Inventory Status)
Analyze things other than device events, such as performance and throughput. | No | No | Yes
Acknowledge an event, marking it so that others know it is being dealt with. | No | No | Yes
Clear an event from the event browser after resolving the problem. | No | No | Yes
Configure e-mail notifications for events. | No | Yes | Yes


Related Topics

Starting Device Managers

Integrating CS-MARS and Security Manager

Viewing Inventory Status

Understanding the Event Viewer Interface

This section describes the Event Viewer interface.

The Event Viewer display contains three major elements:

(1) Menu bar

(2) Event Monitoring window

(3) View selector

This section details each of these areas.

This section contains the following topics:

File Menu

View Menu

View Selector

Event Monitoring Window

File Menu

The following table describes the commands on the File menu.

Table 59-4 File Menu 

Command
Description

New View

Creates a view based on the All Device Events view tab.

Alternatively, click the New button (+) in the view selector, or use the keyboard shortcut Ctrl + N.

Name—A unique name for the new view to be displayed in the navigation tree. This field has a limit of 255 characters.

Description—A user-defined description of the new view. This field has a limit of 1024 characters.

Open View

Opens an existing view on a new tab. You are prompted to select the view to open.

Select File > Open View. Or use the keyboard shortcut Ctrl+O, select a view, and click OK.

Note You can open at most four historical views and one real-time view.

Tip You can double-click in the view selector to change the view that is displayed.

Save

Saves changes made to the active view, including filters (for custom views), preferences such as column width and order, the time range, and color rules.

Save As

Saves as a custom view the changes you have made to the displayed view.

Close View

Closes the displayed view.

Close All Views

Closes all open views.

Exit

Closes Event Viewer. Exiting the application closes any floating Event Viewer window that is open.


View Menu

Table 59-5 View Menu 

Command
Description

Mode

From the submenu, specify time intervals of event data to load into your Event Monitoring client. The choices are the following:

last 10 minutes

last 1 hour

last 12 hours

last 1 day

last 1 week

is today

is yesterday

is on . . . (Opens a calendar on which you click to specify a date)

is between (Opens two calendars on which to specify a date/time begin and end range)

Real Time (Sets the mode to display events as they are received)

Alternatively, click the Time Range icon on the toolbar.

Customize Column

From the dialog box that appears, click to select the columns you want to include in the view. For details on the columns available, see Table 59-7.

Start

Initiates retrieving events to update the current view's Event Table. The Event Table then displays events received from the moment you clicked Start back to either the limit of the time mode or the Event Table pagination limit.

Alternatively, click the Start icon from the toolbar, or use the keyboard shortcut Ctrl + T.

Stop

Stops event retrieval. The Event Table then displays the events received until the moment you clicked Stop.

Alternatively, click the Stop icon from the toolbar, or use the keyboard shortcut Ctrl + P.

Show View Settings

Opens the View Settings pane, which displays the filters and color settings for the current view. You can alter these settings using the View Settings pane.

Alternatively, click the Show View Settings icon from the top of the View Settings pane:

Tip You can expand or collapse the View Settings pane by clicking the double arrow icon on the top right of the View Settings pane.

Show Event Details

Opens the Event Details pane and displays the selected event's details.

Alternatively:

Click the expand icon (+) on the left of the Event Details pane title bar.

Double-click an event in the Event Table to display the Event Details data in a pop-up window.

Tip From the Event Details pop-up window you can print the event details or you can copy one or more of the detail rows to your clipboard.

Show Event Store Disk Usage

Opens a window that displays the amount of disk space used as well as the age of the oldest event stored.

Alternatively, use the keyboard shortcut Ctrl + P.

Manage Monitored Devices

Allows you to select/deselect which devices, or groups of devices, can have events displayed in Event Viewer. For more information, see Selecting Devices to Monitor.

Note By default, any ASA/IPS device added in Security Manager is monitored.

Reset Layout

Re-establishes the width of the View Selector to its original setting after it has been hidden or manually narrowed or widened.


View Selector

Use the view selector on the left to select views to open in the Event Table and to choose, define, or edit the custom views that you create. A view is a recorded set of filters, a column set, and color rules, along with a default time window.

Figure 59-1 View Selector

At the top of the view selector are three buttons that perform as follows:

Command
Description

New

Enables you to define a new custom view. Clicking this button opens the New View dialog box where you name and describe the new view.

Note This same icon, in the View Settings pane, is used to create a filter.

Edit

Enables you to edit a custom view. Clicking this button opens the Edit View dialog box where you can change the name or description of the custom view. This function is not available for predefined views.

Delete

Enables you to delete a custom view. (You cannot delete a predefined view.) Clicking this button opens a confirmation dialog box.



Tip You can reduce the view selector to a bar with details hidden, or prevent the selector from being hidden, by using the push pin at the top of the selector to pin it in place.


Right-clicking a view in the selector opens the View Operations menu.

The menu choices have the following effect:

Menu Choice
Description

Open

Open view in the highlighted tab or replace currently highlighted view with selected view. A save/discard pop-up window appears if the open view has unsaved changes (as opening a view causes any unsaved changes to the currently open view to be lost). If the selected view is already open, the view is highlighted.

Open in New Tab

Open view in a new tab.

Save As . . .

Save the view preferences as a custom view.

Edit

Edit the view name or description. (Custom views only)

Delete

Delete selected view. (Custom views only)

View Description

See the description of the view.


Event Monitoring Window

The Event Monitoring window is the central element of Event Viewer where you can view, select, and filter events.

Figure 59-2 Window Key

(1) View Tab

(2) View Settings Pane

(3) Filter Toolbar with Add/Edit/Delete Buttons

(4) Settings (Filters) Listing Area

(5) Filter/Color Rules Toggle

(6) Toolbar

(7) Filtered Column Icon

(8) Time Slider

(9) Event Details Pane

(10) Column Selector Icon

(11) Open View List

(12) Number of Loaded Events


Key interface elements are further described in the sections that follow.

This section contains the following topics:

View Tabs

View Settings Pane

Toolbar Elements

Event Table

Time Slider

Event Details Pane

View Tabs

Within the Event Monitoring window, each open view is represented by a tab (see [1] in Figure 59-2). You click a tab to see the associated view in the Event Table.


Note You can open at most four historical views and one real-time view.



Tip You can arrange two views to be seen next to each other. For details, see Arranging Views.


View Settings Pane

The View Settings pane (see [2] in Figure 59-2) displays all the filter elements used on the current event view. To operate on a filter element, select it in the View Settings pane. Once selected, the filter element may be edited or deleted.

Toolbar Elements

The elements of the toolbar above the Event Table are detailed in Table 59-6.

Table 59-6 Toolbar Element Icons and Descriptions 

Name
Description

Search Within Results Field (Quick Filter)

This tool is also known as the Quick Filter. Use it to search for a word or phrase and to limit the scope of the search to certain columns. You can also select whether the search term is case sensitive, whether wildcards may be used, and whether a match may be partial, exact, or anywhere within a string. This search operates only on the selected view and within the data loaded. For more information, see Filtering on a Text String.

Time Selector

You use the time selector to do the following:

Filter the events shown in the Event Monitoring pane according to their Receive Time value. (See Applying the Event Time Range Filter.)

Select between a Real Time view or historical views. (See Setting Real-Time or Historical Views.)

Determine the time interval loaded in the client. The interval is displayed in a manner similar to this:

Save

Click Save to save changes to the current view.

(Alternatively, use the drop-down list and select Save As to save changes as a new custom view. For more information, see Creating a Custom View.)

Start

Click Start to reload or restart the listing of events in the Event Table.

Stop

Click Stop to halt the listing of events in the Event Table. If you are in a real-time view, the Time Selector indicates the time stopped as well as the time interval that is loaded. Clicking Stop can also halt a query and display the set of events currently loaded in Event Viewer.

Clear

Click Clear to empty the Event Table.

Event Enumerator

The number shown on the right of the toolbar indicates how many events are loaded onto the Event Viewer client. The number grows as events are loaded until either all events matching the filter criteria are displayed or the pagination limit is reached, whichever comes first.
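The filter aggregation described under Drilling Down with Filters, together with the Quick Filter options listed in Table 59-6 (column scope, case sensitivity, wildcards, exact or anywhere matching), as an added Python example that is not part of this guide or of Security Manager. It assumes a small constructed event record carrying a few of the Table 59-7 columns, a fixed reference time, and made-up ASA and IPS events; the filter labels imitate what the View Settings pane lists for a view.

```python
import re
from dataclasses import dataclass, fields
from datetime import datetime, timedelta
from typing import Callable, Iterable, List, Optional, Sequence


@dataclass(frozen=True)
class Event:
    """Constructed subset of the Event Table columns (see Table 59-7)."""
    receive_time: datetime
    device: str
    event_type_id: str
    source: str
    destination: str
    action: str
    description: str


@dataclass(frozen=True)
class ViewFilter:
    """One filter element, as it would be listed in the View Settings pane."""
    label: str
    test: Callable[[Event], bool]


def last_minutes(reference: datetime, minutes: int) -> ViewFilter:
    """Time filter: keep events whose Receive Time falls in the last N minutes before `reference`."""
    start = reference - timedelta(minutes=minutes)
    return ViewFilter(f"Receive Time in last {minutes} minutes",
                      lambda e: start <= e.receive_time <= reference)


def column_equals(column: str, *values: str) -> ViewFilter:
    """Column filter: keep events whose column equals any of the given values."""
    wanted = set(values)
    return ViewFilter(f"{column} in {sorted(wanted)}",
                      lambda e: str(getattr(e, column)) in wanted)


def _term_to_regex(term: str, wildcards: bool) -> str:
    if not wildcards:
        return re.escape(term)
    # Glob-style wildcards: '*' matches any run of characters, '?' exactly one character.
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in term)


def quick_filter(term: str, columns: Optional[Sequence[str]] = None, *,
                 case_sensitive: bool = False, wildcards: bool = False,
                 mode: str = "anywhere") -> ViewFilter:
    """Text filter over loaded events; `mode` is 'anywhere' (substring) or 'exact' (whole cell)."""
    if mode not in ("anywhere", "exact"):
        raise ValueError("mode must be 'anywhere' or 'exact'")
    pattern = re.compile(_term_to_regex(term, wildcards), 0 if case_sensitive else re.IGNORECASE)
    matcher = pattern.fullmatch if mode == "exact" else pattern.search
    # No column list means the search runs over every column of the loaded events.
    scope = tuple(columns) if columns else tuple(f.name for f in fields(Event))
    case = "case-sensitive" if case_sensitive else "case-insensitive"
    label = f"Quick Filter {term!r} ({mode}, {case}) in {list(scope)}"
    return ViewFilter(label, lambda e: any(matcher(str(getattr(e, col))) for col in scope))


def apply_filters(events: Iterable[Event], filters: Sequence[ViewFilter]) -> List[Event]:
    """Aggregate filters: an event stays in the view only if every filter accepts it."""
    return [e for e in events if all(f.test(e) for f in filters)]


def view_settings(filters: Sequence[ViewFilter]) -> List[str]:
    """The aggregate filter definition, as the View Settings pane would list it."""
    return [f.label for f in filters]


# Constructed sample data: a fixed reference time and six made-up events around it.
NOW = datetime(2010, 6, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    Event(NOW - timedelta(minutes=2), "asa-edge-1", "106023", "10.1.1.25", "192.0.2.10", "Deny",
          "Deny tcp src inside:10.1.1.25/51324 dst dmz:192.0.2.10/445 by access-group inside_out"),
    Event(NOW - timedelta(minutes=5), "asa-edge-1", "302013", "10.1.1.25", "192.0.2.10", "Built",
          "Built outbound TCP connection 8834 for dmz:192.0.2.10/80"),
    Event(NOW - timedelta(minutes=40), "asa-edge-1", "106023", "10.1.1.25", "192.0.2.10", "Deny",
          "Deny tcp src inside:10.1.1.25/50011 dst dmz:192.0.2.10/445 by access-group inside_out"),
    Event(NOW - timedelta(minutes=3), "asa-edge-2", "106100", "10.1.1.77", "192.0.2.20", "Permit",
          "access-list inside_out permitted tcp inside/10.1.1.77(40022) -> dmz/192.0.2.20(443)"),
    Event(NOW - timedelta(minutes=1), "ips-dc-1", "2004/0", "198.51.100.5", "192.0.2.10", "Alert",
          "ICMP Echo Request"),
    Event(NOW - timedelta(minutes=8), "asa-edge-2", "106023", "10.1.1.25", "192.0.2.30", "Deny",
          "Deny udp src inside:10.1.1.25/5353 dst dmz:192.0.2.30/53 by access-group inside_out"),
]


def help_desk_drill_down(events: Sequence[Event], user_ip: str, server_ip: str,
                         reference: datetime = NOW) -> List[Event]:
    """Drill down as in the help-desk case: last 10 minutes, the user's address, deny events, the server."""
    filters = [
        last_minutes(reference, 10),
        column_equals("source", user_ip),
        quick_filter("deny", ("action", "description")),
        column_equals("destination", server_ip),
    ]
    return apply_filters(events, filters)


if __name__ == "__main__":
    for hit in help_desk_drill_down(SAMPLE_EVENTS, "10.1.1.25", "192.0.2.10"):
        print(hit.receive_time, hit.device, hit.event_type_id, hit.description)
```

Each filter is a predicate and the aggregate view is their conjunction, which is why adding a filter can only narrow what is shown and removing one widens it again. The time filter is applied first because it is the cheapest test and, in the real client, also bounds how many events are loaded before any column or text filtering happens.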


Event Table

The Event Table refers to the main portion of the Event Viewer window where rows present the events received and columns detail various aspects of each event.

The columns that make up the Event Table can be hidden, resized, reordered, and sorted upon. These columns are detailed in Columns in Event Table. For details on arranging the view in the Event Table see Customizing the Event Table Appearance.


Note The columns applicable to a particular device vary, as does the presence or absence of event data for a particular event type.


The number of events that are loaded from the event server in response to a query is limited by the pagination size, which is set as part of the Event Management Page. A change in pagination size takes effect only after the Event Monitoring window is closed and then reopened.

Events from devices that have since been deleted, as well as events from devices for which you do not have viewing permission, are displayed in historical and real-time views. However, the events from deleted devices are marked under the Device column as "Not Available" and right-click filtering on a Device cell is not allowed for these events.

Columns in Event Table

Table 59-7 lists alphabetically, and describes, all the columns that appear in all views presented in the Event Viewer window.


Note Most columns other than Description, Event Name, and Receive Time include a filtering function. For more information, see Using the Column Filters.


Table 59-7 Event Viewer Column Descriptions 

Column Label
Description

AAA Group

AAA Group Policy.

AAA Server

The server that handles user requests for access; it performs authentication, authorization, and accounting.

AAA User

AAA username.

ACE Hash1

Hashcode1 of ACE.

ACE Hash2

Hashcode2 of ACE.

ACL Name

Name or ID of the ACL.

Action

Action performed on the flow, for example, terminated, denied, and so on.

Alert Details

Details regarding the alerts.

App Name

Name of the application originating the event.

App Stop Reason

A string explaining how or why the application was shut down.

App Version

Version of the application originating the event.

Attack Relevance Rating

A numerical value used to indicate an attack's relevance to its destination target or targets.

Backplane Interface

Identifies the backplane interface only when the backplane interface differs from the physical interface.

Botnet Category

Category showing the reason a domain name is blacklisted, for example, botnet, Trojan, spyware, and so on.

Botnet Domain

Domain name or IP address in the dynamic filter database to which the traffic was initiated. It can be blacklisted, whitelisted, or greylisted.

Build Time

Date and time of software build.

Build Type

Typically this is a string such as "release" or "debug." In some cases, it is the ID of the builder of the application.

Byte Count

Bytes in the data transfer of the connection.

Call Id

Peer's Call ID for the session to which this packet belongs.

Class Map

Class map name.

Connection Duration

The lifetime of the connection.

Connection ID

A unique identifier.

Connection Limit

Maximum number of connections or sessions.

Connection Termination Value

A factor for which the connection is terminated, for example, incorrect version or invalid payload-type.

Current Connection Count

The number of current connections.

Description

For syslogs, this shows the raw message; for IPS events, it shows a description of the event.

Destination

IP Address/hostname of traffic destination (ASA)/attack target (IPS). It may be multi-valued.

Destination Address(IPv6)

IPv6 address of attack target. Present when participant's address is IPv6.

Destination Context Data

Context buffer indicating the data that was sent just prior to, and immediately after, the alert was triggered. Base64-encoded representation of the stream data that was sourced by the target.

Destination Interface

Destination Interface.

Destination Locality

Identifies whether the target address is located inside or outside of a given network as specified by the intrusion.

Destination OS

Target's operating system information.

Destination OS Relevance

A numerical value indicating the relevance of the destination target OS value.

Destination OS Source

Source of the target OS data. Possible values include learned, imported, or configured.

Destination Service

Destination port. It may be multi-valued.

Device

Source of the event; usually the device ID.

Direction

Direction of the traffic as inbound or outbound.

Event ID

A unique sequential number for each event, assigned internally.

Event Name

A user-friendly name given to the event.

Event Summary

Specifies that this is a summary alert, representing one or more alerts with common characteristics. The numeric value indicates the number of times the signature fired since the last summary alert with a matching initialAlert attribute value.

Event Type ID

For ASA, the syslog ID.

For IPS, this value could be:

A combination of Sig Id & Sub-Sig ID (for IPS Alert Events)

IPS Status (for IPS Status Events)

IPS Error (for IPS Error Events).

Execution State

Execution status of the application.

Final Alert

Applies to a summary alert, representing one or more alerts with common characteristics. It indicates whether this is the last event alert containing the same value in the initialAlert attribute.

Generation Time

Represents device local event generation time (available only for IPS events).

Global Correlation Audit Mode

A "true" or "false" value that indicates whether the alert was handled with audit mode processing.

Global Correlation Deny Attacker

A "true" or "false" value that indicates whether a deny-attacker action occurred (or would have occurred) because an internal override was exceeded due to the calculated risk rating.

Global Correlation Deny Packet

A "true" or "false" value that indicates whether a deny-packet action occurred (or would have occurred) because an internal override was exceeded due to the calculated risk rating.

Global Correlation Modified Risk Rating

A "true" or "false" value that indicates whether the risk rating was adjusted by adding the "reputationRiskDelta" due to the risk rating.

Global Correlation Other Overrides

A "true" or "false" value that indicates whether any other defensive actions were taken because an override threshold was exceeded due to the calculated risk rating.

Global Correlation Risk Delta

A value from 0 to 99 that indicates how much the risk rating was increased due to the reputation score. If audit-mode is enabled, then it indicates how much the risk rating would have been adjusted had audit-mode not been enabled.

Hit Count

The number of times the flow was permitted or denied by the ACL entry in the configured time interval. The value is 1 when the ASA generates the first syslog message for a particular flow.

Hit Count Info

ACL hit count information, for example "first hit".

Host ID

Globally unique identifier for the host that originated the event.

ICMP Code

Code of the ICMP type. For example, ICMP Type 3 and Code 0 is Net Unreachable or Code 1 is Host Unreachable.

ICMP Type

Type of ICMP message. For example, 3 for Destination unreachable, 8 for Echo.

Initial Alert

This field applies to a summary alert, representing one or more alerts with common characteristics. The value of InitialAlert provides the eventId of the last non-summary evIdsAlert with the same characteristic (sigid/subsigid).

Ip Log ID

IP log identifier that uniquely identifies an IP log document within the scope of the host.

IpLog Address

Identifies the IPv4 address associated with the IP log.

IpLog Address(IPv6)

Identifies the IPv6 address associated with the IP log. Present if this log is associated with an IPv6 address.

IpLog Alert Reference

The global event ID of the evAlert event that triggered the log to be initiated.

IpLog Begin Time

Start of the time range that is currently available in the log document.

IpLog Bytes Captured

Total bytes captured. Note that some packets that were captured may have already been deleted from the log due to memory limitations.

IpLog Bytes Remaining

Bytes remaining until the log will be terminated.

IpLog End Time

End of the time range that is currently available in the log document.

IpLog Minutes Remaining

Minutes remaining until the log will be terminated.

IpLog Packets Captured

Total packets captured and logged.

IpLog Packets Remaining

Packets remaining until the log will be terminated.

IpLog Status

A string that represents the log status.

IPS Category

The SEE event category.

IPS User

Name of a user's account. Identifies the user initiating the operation.

License Limit

Maximum number of licenses.

List Name

The list that includes the domain name: the administrator whitelist, blacklist, or IronPort list.

Login Action

The login action that occurred: loggedIn, loggedOut or loginFailed.

Malicious Host

Hostname of the malicious host.

Malicious IP

IP address of malicious device.

Max Connection

Maximum number of NAT connections.

MaxEmbryonic Connection

Maximum number of embryonic connections.

NAT Destination

Translated (NATed) destination IP address, or the host name of the translated destination.

NAT Destination Service

Translated/Natted destination port.

NAT Global IP

Global Address.

NAT Source

Translated (NATed) source IP address, or the host name of the translated source.

NAT Source Service

Translated/Natted source port.

NAT Type

Type of NAT, for example Static or Dynamic.

New Time

The time to which the device clock was changed.

New Version

System software version after an upgrade installation.

No.

The number of the event (row) in the current display. (See Event ID for a unique numerical designation of an event.)

Old Time

The device clock time prior to a change.

Old Version

System software version before an upgrade was uninstalled.

Operation Successful

Indicates whether an operation was successfully performed.

Package File

Name of package file to be auto-downloaded and installed.

Physical Interface

Identifies the physical interface, but only if it differs from the value shown in the Interface column.

Policy Map

Policy map name.

Protocol

The L3 or L4 protocol.

Protocol Version

The protocol version.

Protocol (Non L3)

A protocol other than the L3 or L4 protocol seen in the event, such as TACACS, RADIUS, FTP, or H245.

Reason

A reason associated with certain events. For example, a connection teardown may have an associated teardown reason.

Receive Time

Time the event was received by Security Manager.

Reputation

The attacker's reputation score in the range -10.0 to +10.0. A lower (more negative) score indicates a greater likelihood that the host is malicious.

Result Status

Status attribute that indicates whether the operation successfully completed.

Risk Rating

Value that represents the calculated risk associated with the event.

Security Context

Identifies the security context with which the named interface, specified in the corresponding Interface column, is associated.

Sensor Event ID

Serial number for an event, which is guaranteed unique within the scope of the originating host.

Severity

IPS or ASA severity values.

Sig Details

Details of the reported signature that was triggered and resulted in the generation of the alert.

Sig ID

The Sig ID value is used by the alert originator to identify the activity; it identifies the predefined signature for this activity.

Signature Version

Identifies the version of the signature definition used to generate an alert.

Source

Source of the event. This may be multi-valued.

Source Address(IPv6)

IPv6 address of attacker. Present if this participant's address is IPv6.

Source Context Data

Context buffer indicating the data that was sent just prior to and immediately after the alert was triggered. Base64-encoded representation of the stream data that was sourced by the attacker.

Source Interface

Source Interface.

Source Locality

Identifies whether the attacker address is located inside or outside of a given network, as specified by the intrusion detection device's configuration.

Source Service

Source port.

SSO Server

Single Sign-On (SSO) server name.

SSO ServerType

Single Sign-On (SSO) server type, for example, SiteMinder.

Sub SigId

The sub-sig ID value is used by the alert originator in combination with the signature ID (sigId) to identify the activity.

Summary Type

Defines the common characteristics of all alerts in a summary alert.

Target Value Rating

Identifies the asset values associated with targets identified in alerts.

Threat Level

Shows one of the following values, if a threat level applies: none, very-low, low, moderate, high, or very-high.

Threat Rating

The threat rating of the event, if any.

TimeZone

A string that identifies the local time zone at the originating host's location.

Translated Call ID

Peer's Translated Call ID for the session to which this packet belongs.

Trigger Packet

Single, complete packet (in base64 binary format) that triggered the alert.

Truncated

Indicates whether the trigger packet contained in the event is truncated or not.

TunnelType

The VPN tunnel type.

Type

The AAA Type, for example authentication, authorization or accounting.

Upgrade Name

The name of the upgrade package that was uninstalled.

URI

URI of auto-upgrade server directory.

UTC Offset

The offset attribute of Sensor Local Time indicates the number of minutes that must be added to the UTC time to convert to local time at the originating host.

Virtual Sensor

The name of the virtual sensor associated with the event.

VLAN Id

VLAN number associated with packets involved in the activity that triggered the alert.

VPN Group

VPN Group Policy.

VPN IPSec SPI

IPSec Security Parameter Index.

VPN User

Username.

Watchlist Delta

The amount by which the risk rating value was increased because the source of the activity associated with the alert is on a watchlist.
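As an added example (not part of this guide or of Security Manager itself), the following Python maps raw ASA syslog lines onto a subset of the columns above: Event Type ID (the syslog ID for ASA), Severity, Direction, Protocol, Source and Source Service, Hit Count and Hit Count Info. The sample lines are constructed; the 106100 ACL hit-count and 302013/302015 connection-built message layouts are standard ASA syslog formats, and any column a message does not carry is left empty.

```python
"""Added example (not Security Manager code): map one raw ASA syslog line onto
the Event Viewer columns described in the column table.  Sample lines are
constructed; the "%ASA-<severity>-<syslog ID>:" header, the 106100 ACL
hit-count message and the 302013/302015 connection-built messages are standard
ASA syslog formats."""
import re
from dataclasses import dataclass
from typing import Optional

# Standard syslog severity levels, the values shown in the Severity column for ASA.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Every ASA syslog carries "%ASA-<severity>-<syslog ID>: <text>"; whatever precedes
# it (RFC 3164 priority, timestamp, host name) is skipped by using search().
_HEADER = re.compile(r"%(?:ASA|PIX|FWSM)-(\d)-(\d{6}):\s*(.*)$")

# 106100: access-list <acl> permitted|denied <proto> <if>/<ip>(<port>) ->
#         <if>/<ip>(<port>) hit-cnt <n> first hit|<n>-second interval [<hashes>]
_ACL = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<sif>[^\s/]+)/(?P<src>[0-9a-fA-F.:]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^\s/]+)/(?P<dst>[0-9a-fA-F.:]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+) (?P<hitinfo>first hit|\d+-second interval)")

# 302013/302015: Built inbound|outbound TCP|UDP connection <id> for
#                <if>:<ip>/<port> (<mapped>) to <if>:<ip>/<port> (<mapped>)
_CONN = re.compile(
    r"Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<sif>[^\s:/]+):(?P<src>[0-9a-fA-F.:]+)/(?P<sport>\d+) \([^)]*\) to "
    r"(?P<dif>[^\s:/]+):(?P<dst>[0-9a-fA-F.:]+)/(?P<dport>\d+)")


@dataclass
class EventRecord:
    """Columns that one ASA syslog can fill; names follow the column table."""
    event_type_id: int                      # Event Type ID: the syslog ID for ASA
    severity: int                           # Severity: 0 (emergencies) .. 7 (debugging)
    text: str                               # message text after the header
    direction: Optional[str] = None         # Direction: inbound / outbound
    protocol: Optional[str] = None          # Protocol: the L3/L4 protocol
    source: Optional[str] = None            # Source
    source_service: Optional[str] = None    # Source Service (port)
    destination: Optional[str] = None       # translated or real destination address
    destination_service: Optional[str] = None
    acl: Optional[str] = None               # ACL name and its permit/deny decision
    action: Optional[str] = None
    hit_count: Optional[int] = None         # Hit Count: 1 on the first message for a flow
    hit_count_info: Optional[str] = None    # Hit Count Info, e.g. "first hit"

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES.get(self.severity, "unknown")


def parse_asa_syslog(line: str) -> Optional[EventRecord]:
    """Return an EventRecord for an ASA syslog line, or None if it is not one."""
    m = _HEADER.search(line)
    if m is None:
        return None
    rec = EventRecord(event_type_id=int(m.group(2)), severity=int(m.group(1)),
                      text=m.group(3).strip())
    if rec.event_type_id == 106100:
        a = _ACL.match(rec.text)
        if a:
            rec.acl, rec.action, rec.protocol = a["acl"], a["action"], a["proto"]
            rec.source, rec.source_service = a["src"], a["sport"]
            rec.destination, rec.destination_service = a["dst"], a["dport"]
            rec.hit_count, rec.hit_count_info = int(a["hits"]), a["hitinfo"]
    elif rec.event_type_id in (302013, 302015):
        c = _CONN.match(rec.text)
        if c:
            rec.direction, rec.protocol = c["direction"], c["proto"].lower()
            rec.source, rec.source_service = c["src"], c["sport"]
            rec.destination, rec.destination_service = c["dst"], c["dport"]
    return rec  # other syslog IDs keep only Event Type ID, Severity and the text


# Constructed sample lines (RFC 3164 wrapper plus ASA body); addresses are documentation ranges.
SAMPLE_LINES = [
    "<166>Jan 01 2024 12:00:00 asa-lab : %ASA-6-106100: access-list outside_in denied tcp "
    "outside/203.0.113.5(51234) -> inside/192.0.2.10(445) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "<166>Jan 01 2024 12:00:05 asa-lab : %ASA-6-302013: Built inbound TCP connection 4711 for "
    "outside:203.0.113.5/51235 (203.0.113.5/51235) to inside:192.0.2.10/443 (192.0.2.10/443)",
    "<166>Jan 01 2024 12:05:00 asa-lab : %ASA-6-106100: access-list outside_in denied tcp "
    "outside/203.0.113.5(51299) -> inside/192.0.2.10(445) hit-cnt 27 300-second interval [0x1a2b3c4d, 0x0]",
    "<38>Jan 01 2024 12:00:07 bastion sshd[4242]: Accepted publickey for ops from 192.0.2.99",
]


def parse_samples() -> list:
    """Parse SAMPLE_LINES; lines that are not ASA syslogs come back as None."""
    return [parse_asa_syslog(line) for line in SAMPLE_LINES]
```

The same parser would sit behind a UDP listener on the port configured in the Syslog Servers policy (514 by default) to feed records into your own tooling.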


Time Slider

The Time Slider displays the events per second (EPS) trend over the selected time period, as shown in Figure 59-3. You can use the vertical slider to change the start time for the events shown in the Event Table. Moving the vertical slider triggers a reload of the Event Viewer client from the server. For details on using the Time Slider, see Using the Time Slider.

Figure 59-3 Time Slider Elements


Note The Time Slider is not supported for real-time viewing.


You can change the display shown by the Time Slider page by using the Time Slider paging controls on the right. See details in Table 59-8.

Table 59-8 Time Slider Paging Controls 

Element
Description

Previous page (earlier). The size of the page varies according to the selected mode.

First page (earliest).

Next page (later). The size of the page varies according to the selected mode.

Last page (most recent).

Zoom in (smaller total time interval shown).

Zoom out (greater time interval shown).


For details on the operation of the Time Slider, see Using the Time Slider.

Event Details Pane

The Event Details pane (see [9] in Figure 59-2) presents information contained within a single event. The information, which is displayed in multiple tabs within the pane, varies according to the richness of the event and the capability of Event Viewer to parse the data. Components include:

Displayed Fields Tab—Displays the fields shown in the Event Table.

Details Tab—Displays all available fields for the selected event. The fields are presented in alphabetical order.

Explanation Tab—Displays a generic explanation for this event type.

Related Threats Tab—Displays threats correlated to the event. (IPS Events only)

Recommended Action Tab—Displays a generic recommendation for an event of this type. (Syslogs only)

Trigger Packet Tab—Displays trigger packet data. (IPS Events only)

Context Packet Tab—Displays context packet data from Source (Attacker) & Destination (Target). (IPS Events only)

Managing the Event Manager Service

The Event Manager service enables the use of the Event Viewer application. For Event Viewer to function, the service must be started. There are several tasks that you can perform to configure and manage the overall functioning of the service.

This section contains the following topics:

Starting, Stopping, and Configuring the Event Manager Service

Selecting Devices to Monitor

Monitoring Event Data Store Disk Space Usage

Archiving or Backing Up and Restoring the Event Data Store

Starting, Stopping, and Configuring the Event Manager Service

The Event Manager service must be running for you to use Event Viewer.

When you install Security Manager, the Event Manager service is automatically enabled unless the server has 4GB or less memory, in which case Event Manager is disabled. Although you can manually start the service on a system with 4GB or less memory, you might find the performance unsatisfactory. The key factors are the number of devices managed and their rate of event generation.


Tip If you get a message that Event Viewer is unavailable when you select Tools > Event Viewer, but the Enable Event Management option is selected in the Tools > Security Manager Administration > Event Management page, try restarting the Event Manager Service. First, deselect the Enable option and click Save. Wait for the service to stop. Then, select the Enable option, click Save, and wait for the service to finish restarting. You can then try opening Event Viewer again.


The following procedure explains how to start, stop, and configure the Event Manager service.

Related Topics

Monitoring Event Data Store Disk Space Usage


Step 1 In the main Security Manager window (not Event Viewer), select Tools > Security Manager Administration and select Event Management from the table of contents.

Step 2 Do one of the following:

To enable, or start, the Event Manager service, select Enable Event Management.

To disable, or stop, the Event Manager service, deselect Enable Event Management.

You can also change the other settings, such as the event data store location and maximum size, the syslog port to which devices should send events, and the pagination size (which determines the maximum number of events returned for a query in Event Viewer). For detailed information about these settings, see Event Management Page.

Step 3 Click Save to save your changes.

If you changed the Enable Event Management option, you are prompted to confirm that you want to start or stop the Event Manager Service. If you click Yes, the service is started or stopped immediately, and you are shown a progress indicator and told when the change is completed. Wait until the status change is completed before continuing.

If you change other settings, with the exception of the pagination size, the Event Manager service must be briefly stopped and restarted. You are shown a progress indicator.


Selecting Devices to Monitor

All ASA devices and IPS sensors that are added to the Security Manager database are automatically selected for monitoring in Event Viewer.


Note To reliably report events from contexts in multiple-context mode, Cisco Event Viewer requires an IP address for the management interface of each context.


If you do not want to use Event Viewer with a device, you can deselect the device for monitoring. Note that if an ASA device is not configured to use the Security Manager server as a syslog server, you will not get events from the ASA anyway, so you might not need to deselect an ASA that you do not want to monitor.


Tip You cannot monitor Cisco IOS IPS devices in Event Viewer.


Related Topics

Adding Devices to the Device Inventory

Configuring ASA Devices for Event Management

Configuring IPS Devices for Event Management


Step 1 In Event Viewer, select View > Manage Monitored Device to open the Manage Monitored Devices dialog box.

The device list shows all devices in the Security Manager inventory to which you have view permissions. You cannot see any devices for which you have no permissions. Any selections you make are limited to the displayed devices.

Step 2 Ensure that only those devices whose events you want to monitor in Event Viewer are selected. Deselect any undesired devices.

You can change the selection status for all devices in a device group by selecting or deselecting the group.

Step 3 Click OK.

You might need to wait for the changes to take effect in Event Viewer.


Monitoring Event Data Store Disk Space Usage

The Event Manager service uses a specified amount of disk space for the event data store. This ensures that the service does not overwhelm the server computer. You configure the size of the event data store on the Tools > Security Manager Administration > Event Management page as described in Event Management Page.

When the allocated space is completely used, the oldest event is deleted whenever a new event must be added.

You can monitor how much of the allocated space is currently being used, and the age of the oldest event, by selecting View > Show Event Store Disk Usage. The information is displayed as a pie chart that shows the used and unused space in gigabytes (GB).

You can use this information to help you decide whether to increase or decrease the allocated space.


Tip If you decrease the event data store size, and your new size is less than the amount of space currently being used, the oldest events are immediately deleted until your new target size is reached.
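As an added example (not Security Manager code), this Python model reproduces the data store behaviour described above: the oldest event is deleted for each new event once the allocated space is full, and reducing the allocation below current usage deletes the oldest events immediately until the new size is reached. Event sizes, timestamps and the definition of a GB as 1024**3 bytes are assumptions.

```python
"""Added example (not Security Manager code): a size-bounded event data store
with oldest-first deletion and immediate trimming on shrink, as described in
the Monitoring Event Data Store Disk Space Usage section.  Events, sizes and
GB = 1024**3 bytes are constructed assumptions."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Optional

GB = 1024 ** 3


@dataclass(frozen=True)
class StoredEvent:
    receive_time: float   # seconds since the epoch (the Receive Time column)
    size: int             # bytes this event occupies in the data store


class EventDataStore:
    """Keeps events in receive order inside a fixed allocation of bytes."""

    def __init__(self, max_size_bytes: int) -> None:
        if max_size_bytes <= 0:
            raise ValueError("data store size must be positive")
        self.max_size = max_size_bytes
        self._events: Deque[StoredEvent] = deque()   # oldest event on the left
        self.used = 0

    def _trim(self) -> int:
        """Delete oldest events until usage fits the allocation; return the count."""
        deleted = 0
        while self._events and self.used > self.max_size:
            self.used -= self._events.popleft().size
            deleted += 1
        return deleted

    def add(self, event: StoredEvent) -> int:
        """Store an event; when the space is full, the oldest events are deleted."""
        if event.size > self.max_size:
            raise ValueError("a single event larger than the whole data store")
        self._events.append(event)
        self.used += event.size
        return self._trim()

    def resize(self, new_max_size_bytes: int) -> int:
        """Change the allocation; a decrease below current usage evicts at once."""
        if new_max_size_bytes <= 0:
            raise ValueError("data store size must be positive")
        self.max_size = new_max_size_bytes
        return self._trim()

    def oldest_event_age(self, now: float) -> Optional[float]:
        """Age in seconds of the oldest stored event, or None when the store is empty."""
        return (now - self._events[0].receive_time) if self._events else None

    def disk_usage(self, now: float) -> dict:
        """The figures behind View > Show Event Store Disk Usage: used/unused GB and oldest age."""
        return {"used_gb": self.used / GB,
                "unused_gb": (self.max_size - self.used) / GB,
                "event_count": len(self._events),
                "oldest_event_age_s": self.oldest_event_age(now)}
```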


Archiving or Backing Up and Restoring the Event Data Store

The event data store is not included with the regular Security Manager database backup. If you want to archive or back up the event data store, you must do so separately. You can restore the backups if necessary.

This procedure explains the steps required for backup and restore for the event data store.


Tip When you disable the Event Manager service, events are not written to the data store, so you will miss any events generated during the backup or restore process.



Step 1 To back up the event data store:

a. Using the Security Manager client, select Tools > Security Manager Administration, and select Event Management from the table of contents.

b. Determine the name of the event data store folder. The folder is shown in the Event Data Store Location field; the default is NMSROOT\MDC\eventing\database, where NMSROOT is the installation directory (usually C:\Program Files\CSCOpx).

c. Deselect the Enable Event Management check box to stop the Event Manager service. Click Save to save your changes. You are prompted to verify that you want to stop the service; click Yes and wait until you are notified that the service has stopped.

d. Outside of Security Manager, make a copy of the NMSROOT\MDC\eventing\config\collector.properties file and the event data store folder. Place the copy on a separate server so that the backup is available in case of hardware failure.

e. In the Security Manager client's Tools > Security Manager Administration > Event Management page, select the Enable Event Management check box and click Save. You are prompted to verify that you want to start the service; click Yes and wait until you are notified that the service has started.

Step 2 To restore the event data store, use the same process you used to back up the data with the following exceptions:

Instead of making a copy of the existing event data store, copy the backup into the event data store location. You can optionally delete the existing data before copying in the backup data. However, as long as you do not exceed the data store size limit, you can mix the backup and existing data. (The data store limit is configured in the Tools > Security Manager Administration > Event Management page.)


Note Mixing old and new data works only if you are preserving the existing copy of collector.properties (that is, you are not restoring the file), and the new and old data are from the same server. You cannot merge the data store from two or more separate servers.


Do not restore collector.properties unless you are recovering from a hardware failure or some other event that required you to reinstall Security Manager.


Using Event Viewer

The events collected and displayed within Event Viewer contain information that varies widely according to the source. Event listings are constructed to parse and display the information received; but the scope, categorization, level of detail, and particulars of that information vary widely.

This section contains the following topics:

Preparing for Event Management

Using Event Views

Performing Operations on Specific Events

Event Filtering and Querying

Looking Up a Security Manager Policy from Event Viewer

Preparing for Event Management

Before you can view events generated from a device, you must configure the device to work with Event Viewer.

This section contains the following topics:

Ensuring Time Synchronization

Configuring ASA Devices for Event Management

Configuring IPS Devices for Event Management

Ensuring Time Synchronization

Standard network management practice includes consideration of time differences and network device synchronization. Typically, this includes the use of a Network Time Protocol (NTP) server. Event Viewer is most easily used with a common time standard. However, it is worth noting that you can view the time an event is received by Security Manager (Receive Time), and for IPS devices, the time the event was generated by a device (Generation Time).

Configuring ASA Devices for Event Management

Before you can use Event Viewer, or any other application that analyzes syslog events, to view events generated from an ASA device, you must configure the logging policies on the device to generate and transmit syslog messages.


Tip Although you can configure devices individually to specify the appropriate logging configuration, it is likely that more than one ASA device in your network would use the same logging configuration. Although this topic describes how to configure an individual device, you can also create shared policies and assign them to multiple devices. For more information about configuring and assigning shared policies, see Creating a New Shared Policy and Modifying Policy Assignments in Policy View.


Besides the logging configuration described here, you can also configure logging for individual access control entries when you configure them either in firewall policies or ACL policy objects. The default is to log denied access only, but you can configure ACL logging options to provide increased logging.


Note To reliably report events from contexts in multiple-context mode, Cisco Event Viewer requires an IP address for the management interface of each context.



Step 1 (Device view) Select the ASA device, then select Platform > Logging > Syslog > Logging Setup from the Policies selector.

In the policy, select Enable Logging. You can configure other options as needed. For detailed information about the options, see Logging Setup Page.

Step 2 Select Platform > Logging > Syslog > Syslog Servers.

Add the Security Manager server's IP address to the syslog servers table. Configure the server to use the UDP protocol. The default port, 514, is correct unless you configure a different port on the Security Manager Administration Event Management Page.

If you are using other event management applications, such as CS-MARS, also add those servers to this policy.


Note You can use EMBLEM message format if you desire; both traditional and EMBLEM formats are supported. Keep in mind that EMBLEM is not supported by CS-MARS, so do not send EMBLEM-formatted messages to a CS-MARS server.


For detailed information about the options in the Syslog Servers policy, see Syslog Servers Page.

Step 3 If you want to configure non-default syslog server settings, such as adding time stamps to syslog messages, changing the severity level of messages, or suppressing the generation of specific messages altogether, configure the Platform > Logging > Syslog > Server Setup policy. For detailed information, see Server Setup Page.

Step 4 (Optional) You can configure the Platform > Logging > Syslog > Logging Filters policy to fine-tune the kinds of messages sent to syslog servers. For detailed information about this policy, see Logging Filters Page and Edit Logging Filters Dialog Box.

Following are some tips for configuring this policy:

When adding the logging filter, select Syslog Servers for Logging Destination.

You can create a simple filter based on message severity, or you can configure a much more complex filter based on event classes. If you elect to use event classes, you can do the configuration directly in the Logging Filters policy, or you can configure event lists separately in the Event Lists policy (see Event Lists Page).

Step 5 (Optional) You can configure the Platform > Logging > Syslog > Rate Limit policy to limit the quantity of messages generated per time interval, either by message severity or message number. This can help you avoid flooding the syslog server. See Rate Limit Page.

Step 6 (Optional, but recommended) You can configure the Platform > Device Admin > Server Access > NTP policy to specify a network time protocol server. Using NTP ensures consistent date and time information for easy event correlation. Specify the same NTP server you use for the Security Manager server. If you use different servers, ensure the servers are synchronized. See NTP Page.


Configuring IPS Devices for Event Management

Before you can use Event Viewer to view events generated from an IPS device, you must configure the Allowed Hosts policy on the device to allow the Security Manager server access to the device. Because Security Manager also needs to be configured in the Allowed Hosts policy to allow configuration access, your IPS devices might already be configured correctly. You should also configure the network time protocol (NTP).

Configure the following policies for IPS devices in Device view to enable effective event management on those devices:

Platform > Device Admin > Device Access > Allowed Hosts—(Required) Add the Security Manager server to the table. You can either identify the Security Manager server by its host IP address (for example, 10.100.10.10), or you can specify the network that it is on (for example, 10.100.10.0/24).

If you are using other event management applications with the device, such as CS-MARS, ensure that you also add those servers to the policy.

For more information about configuring the Allowed Hosts policy, see Identifying Allowed Hosts.

Platform > Device Admin > Server Access > NTP—(Recommended) Configure the same NTP server that you use for the Security Manager server to ensure consistent date and time information for easy event correlation. If you use different servers, ensure the servers are synchronized. For more information, see Identifying an NTP Server.


Tip Although you can configure devices individually to specify the appropriate allowed hosts and NTP configuration, it is likely that more than one IPS device in your network would use the same configuration. Although this topic describes how to configure an individual device, you can also create shared versions of these policies and assign them to multiple devices. For more information about configuring and assigning shared policies, see Creating a New Shared Policy and Modifying Policy Assignments in Policy View.


Using Event Views

This section contains the following topics:

Opening Event Viewer

Opening and Switching Views

Working in the Event Table

Customizing the Event Table Appearance

Configuring Color Rules for a View

Using the Time Slider

Creating a Custom View

Editing a View's Content

Deleting a View

Floating a View

Arranging Views

Opening Event Viewer

To open Event Viewer, do one of the following:

Select Tools > Event Viewer.

Click on the Event Viewer icon.

Use the keyboard shortcut Alt+T+W.

Event Viewer opens in a new window and displays the All Device Events view in the Last 10 Minutes mode.

Opening and Switching Views

This procedure details how to open a view and how to switch between open views.


Note You can open at most four historical views and one real-time view.


To open and switch between different views, follow these steps:


Step 1 Double-click on a view in the view selector to open it.

The Status dialog box appears briefly while the events load, events from the last 10 minutes (default) populate the Event Table, and a View tab for the view appears at the top of the event monitoring window.


Note The number of events that populate the Event Table may be limited by either the Time Filter or by the Event Data Pagination Size setting made in Security Manager. For more information, see Event Management Page.


Step 2 To open a second view, select File > Open View. From the Open a View dialog box that appears, select the view to open and click OK.


Tip Alternatively, you can use the keyboard shortcut Ctrl+O or right-click on a view and select Open in New Tab.



Note Double-clicking another predefined or custom view in the view selector replaces the current view.


Step 3 To switch between open views, click the View tab of the view you want to open.


Working in the Event Table

You can change which events the Event Table displays to suit your particular purposes.

Scrolling—Often the event listings extend beyond the capacity of the event window to display them. You can scroll through the list using the event window scrollbar on the right to see other event listings than those displayed.

Examining Details of a Single Event—To see details of a single event, double-click the event listing. The Event Details window opens and displays line item details of the selected event. Details can then be copied or printed as a whole, or detail line items can be selected and copied, as required.


Tip Alternatively, you can click to select an event and then view event details in the Event Details pane at the bottom of the page. The tabbed Event Details pane presents more information than what you see in the Event Table; see Show Event Details in View Menu.


Clearing the Event Table—To clear the table, click Clear. This clears the display but does not delete information.

Customizing the Event Table Appearance

You can customize the appearance of predefined or custom views in the Event Table to meet your preferences and then save those preferences in a view.

Related Topics:

Creating a Custom View

Using the Column Filters

Using Custom Column Filters

Configuring Color Rules for a View


Step 1 Make one or more of the following changes:

a. To change which columns appear in the table, click the Column Selector (see [10] in Figure 59-2).

Result: The Choose Columns to Display dialog box appears.

Make your selection, and click OK. (For information on the columns, see Columns in Event Table)


Tip You can select or unselect the columns to appear either individually, or by using the Select/Unselect All check box.



Note You can revert back to displaying the default columns for a view by clicking Restore Defaults from the top of the Choose Columns to Display dialog box.


Only the selected columns appear.

b. To change the width of a column, click the right edge of the column heading and drag it.

c. To change the order of the columns, click the column heading and drag columns to the position you want.

d. To sort the events listed, click a column heading. (The default sort is by Receive Time.)


Tip Clicking a second time inverts the sorted display. Clicking a third time removes the applied sort.


The event listings in the Event Table are re-ordered.

e. To reset the width of the View Selector and Event Monitoring window to their default values, select View > Reset.

Step 2 To save your changes to the appearance of the Event Table in this view, select File > Save or, to save as a new view, select File > Save As.


Configuring Color Rules for a View

You can create and use color rules to change the appearance of all events of a particular severity in a particular view. After you have defined a color rule you can select whether or not to enable the rule, and you can edit or delete the rule.


Note A color rule is applied only to the view within which it is defined.



Tip To delete a color rule, select the rule in the View Settings pane and then click Delete.


The Add Color Rule and Edit Color Rule dialog boxes present identical fields.

Element
Description

Enable

Turns the color rule on if selected.

Severity

Determines the severity rating to which the color rule applies.

Foreground

Controls the text color.

Background

Controls the background color.

Font Type

Check boxes to set Bold and Italic characteristics of the text.

Preview Text

Provides a preview of the color rule effect.


To define and enable a color rule, follow these steps:


Step 1 Open any predefined or custom view.

Step 2 Open the View Settings pane. (See [2] in Figure 59-2).

Step 3 Click the Color Rules tab. (See [5] in Figure 59-2).

Step 4 Click Add.

Step 5 Configure the severity and color parameters. The Preview Text display box shows you how the rule will look.

Step 6 To activate the rule, select the Enable check box.

Step 7 Click OK.

The appearance of all the events of the selected severity changes to match the color rule settings.


Using the Time Slider

You can use the Time Slider to do the following:

View the EPS (Events Per Second) trends of event data on the server.

Change what page of the loaded events the Event Details window displays.

Initiate the loading of events onto the client.

See Time Slider, for additional details.


Note The Time Slider is not supported for real-time viewing.



Tip The time range of the events displayed in the Event Table is determined by the selected time interval. For more information, see Applying the Event Time Range Filter.


To use the Time Slider to view EPS trends or to change the events displayed in the Event Table, follow these steps:


Step 1 Open a view.


Note Either open an historical view, or if you have opened a real-time view, change the mode by selecting a time interval.


The Time Slider displays the EPS trends for the default time interval (Last 10 Minutes) or for the last saved time interval.

Step 2 Use the paging controls to change the Time Slider's display of EPS trends, as required:

Page forward or back in the events currently displayed in the Time Slider.


Note Using the page controls alternately, for example forward and then back, causes the sort order in the Event Table to reverse. (Latest events go from the top of the table to the bottom, or from the bottom to the top).


Zoom in or out to see EPS trends, including trends for events outside the time interval currently displayed in the Event Table.


Note Zooming does not affect the Event Table display. The Time Slider uses a blue shade to indicate the time interval currently displayed in the Event Table.


For details, see Table 59-8.

Step 3 Use the Vertical Slider to change the start time for the events shown in the Event Table, as required.

Moving the Vertical Slider reloads the client so that the position of the Vertical Slider determines the most recent event displayed in the Event Table.


Creating a Custom View

You can create and save custom views that display the filters, columns, devices, colors, and arrangements you want. You simply edit any custom or predefined view and then save it as a new view. Custom views allow you to quickly open a view pane that you have customized and then saved as a view.


Note Custom views are private and not shared between users.


Related Topics:

Editing a View's Content

Customizing the Event Table Appearance

Using the Column Filters

Using Custom Column Filters

To create a view based on changes to any predefined or custom view, do the following:


Step 1 Open an existing predefined or custom view.

Step 2 Make changes to the appearance of columns, devices, colors, or column order.

Step 3 Create, delete, or change the filters you want in the new custom view.

Step 4 Select File > Save As.

The Save "view name" As dialog box appears; its title includes the name of the view you opened.

Step 5 Type a unique name and a description for the new view, and then click OK.

The new view, as named and configured, is saved and displayed in the view selector.


Editing a View's Content

Editing the content of a view (as opposed to its appearance) requires either that the view be a custom view, or that it be saved as a custom view.


Note You cannot edit the content of a predefined view.


Related Topics:

Creating a Custom View

Customizing the Event Table Appearance

Using the Column Filters

Using Custom Column Filters

Deleting a View

You can delete only custom views. You cannot delete a predefined view.

To delete a view, follow these steps:


Step 1 In the View Selector, right-click the view to be deleted and select Delete.

A confirmation dialog box appears.

Step 2 Click Yes.

The custom view is deleted.


Floating a View

You can float (open in a new window) any view that you have open. When you float a view, you do not have access to the menu bar in the new window. Closing the main window also closes the floated view.


Note You can open at most four historical views and one real-time view.


To float a view, right-click on the View tab and select Floating.

To dock a view that you have floated, right-click on the View tab and select Docking.

For example, to float the All Device Events view, open the view, right-click the All Device Events tab, and select Floating.

Arranging Views

You open a new tab group to see views vertically or horizontally arranged in the same window. A tab group is a pane that displays one or more Event Monitoring windows.


Note You can open at most four historical views and one real-time view.


With two or more views open, right-click on a View tab and select either New Horizontal Group or New Vertical Group.

To change the vertical/horizontal arrangement of multiple tab groups, right-click the tab and select Change Tab Groups Orientation.

To send a View tab back to its original tab group, right-click the tab and select Move to Previous Tab Group.

To send a View tab to the next tab group, right-click the tab and select Move to Next Tab Group. You can use this to select which pane displays multiple view tabs.

Performing Operations on Specific Events

You can operate upon a single event in the Event Table in a variety of ways, which include the following:

Right-click—Right-clicking a single event in the Event Table enables you to select from a context menu various actions to perform. For more information, see Right-Click Menu, or Filtering Based on a Specific Event's Values.

Select an Event—When you click a single event in the Event Table it is highlighted and the Event Details pane displays details for that particular event. Hold the Ctrl key to select additional events, or hold the Shift key to select a range of events.

Double-click an Event—Double-clicking a single event in the Event Table causes that event's details to be shown in a pop-up window. From that pop-up window you can print the displayed details or copy some, or all, of the details. (Alternatively, you can right-click on an event and select Show All Details).

This section contains the following topics:

Right-Click Menu

Copying Event Records

Saving Events to a File

Right-Click Menu

When you right-click an event in the Event Table, the following context menu appears:

To filter to include only the selected value (cell in the Event Table), select Filter This Value.

To filter to exclude the selected value (cell in the Event Table), select Filter Not this Value. All cells that do not contain the selected value, including all empty cells, are returned.

To create a custom filter, select Custom Filter.

To clear a filter on the selected value, select Clear This Filter.

To clear all filters, select Clear All Filters.

To filter on the flow of the selected event (source, source service, destination, destination service), select Filter This Flow.

To create a filter based on multiple values in the selected event, select Create Filter from Event, then select the values on which to filter.

Copying Event Records

You can copy single events, multiple events, all events, or even the contents of a single cell.

Copy an Event: To copy an event listing from the Event Table, right-click the event and select Copy Selected Event(s).


Tip You can also choose to copy a single cell after right-clicking the cell.


Copy Multiple Events: To copy selected event listings from the currently displayed Event Table, select the events to copy and then right-click in the Event Table and select Copy Selected Event(s).


Tip Click an event to select it. Hold Ctrl key to select additional events, or hold the Shift key to select a range of events.


Copy All Events: To copy all the event listings from the currently displayed Event Table, right-click anywhere in the Event Table and select Copy All Events. Alternatively, you can use the keyboard shortcut CTRL+A to select all events in the Event Table.


Tip You can paste copied events into your preferred reporting application including spreadsheets and emails.


Saving Events to a File

Although there is no automatic report generator within the Eventing feature of Security Manager, you can process all events—and custom views containing specific event compilations—into whatever reporting application meets your requirements.

Save Events: To save event listings from the Event Table, select the event or events, right-click, and then select either Save Selected Event(s) as HTML or Save Selected Event(s) as CSV from the context menu. In the Save dialog box that appears, select a file location, type a name for the file, and click Save.

Save All Events: To save all the event listings from the Event Table, right-click anywhere in the Event Table and select either Save All Events as HTML or Save All Events as CSV (comma-separated values). In the Save dialog box that appears, select a file location, type a name for the file, and click Save.

Event Filtering and Querying

This section details the numerous ways you can filter the events that appear in the Event Table.

This section contains the following topics:

Event Time Filtering

Updating the Event Table

Filtering Based on a Specific Event's Values

Clearing Filters

Filtering on a Text String

Using the Column Filters

Using Custom Column Filters

Event Time Filtering

This section describes filtering on a time basis. It covers the application of the Time Range filter and the Time Slider as well as the setting of historical or real-time views.

This section contains the following topics:

Applying the Event Time Range Filter

Using the Time Slider with Filtering

Setting Real-Time or Historical Views

Applying the Event Time Range Filter

You can use the Time Range button in the toolbar to restrict the Event Table to events from a specified time window in the past. The same control also lets you switch the Event Monitoring pane to real time.


Tip Alternatively, you can follow the menu path View > Mode and select from the context menu.


Time filters measure from the current server time, not the Eventing client time. A "last 10 minutes" filter is therefore evaluated against the Security Manager server clock; if the server, the monitored devices and your client are not synchronized (see Ensuring Time Synchronization), the window you see can omit events you expect or include ones you do not.

The events displayed in an historical view are refreshed only when you update the filter. For more information, see Updating the Event Table.

To view events from the present time into the past, select one of the following time periods: last 10 minutes, last 1 hour, last 12 hours, last 1 day, or last 1 week.

To view events from today or yesterday, select today or yesterday, as desired.

To view events from a specific day, select is on and then select the date from the displayed calendar.

To view events from a specific date and time range, select is between and select the first and last days and times from the displayed calendars.

To view real-time events, select Real Time.

Using the Time Slider with Filtering

You can use the vertical slider control in the Time Slider to change the start time for the events shown in the Event Table. This is particularly useful when you want to locate events and you know the approximate time they occurred.

For details on the operation of the Time Slider, see Using the Time Slider.

To use the Time Slider to aid filtering, follow these steps:


Step 1 Open an historical view and open the time slider.


Tip The default Time filter is the last 10 minutes.


Step 2 Move the vertical slider to the approximate time of the event or events you want to examine.

The Event Table is reloaded to display events on or before the time you specified with the vertical slider. This time range is shaded in the Time Slider pane and is reflected in the Time Range filter.

Step 3 To locate the event or events, you can now do any of the following:

Apply custom column filters.

Scroll or page through the Event Table.

Use the Time Slider paging controls to reset the time range forward or back. For more information, see Table 59-8.


Note The distance moved forward or back when paging in the Time Slider depends on either the mode (time range) that is set or the number of events the Event Table can hold. The position of the vertical slider denotes the most recent event loaded in the Event Table.



Setting Real-Time or Historical Views

You can use the Time Range filter to select between a real-time view or historical views.


Note The default time filter is last 10 minutes.


For more information, see Applying the Event Time Range Filter.

To filter the events displayed in the Event Monitoring pane by time, follow these steps:


Step 1 Open a view in Event Viewer.

Step 2 Click the Time Range filter to see the time filter choices.

Step 3 To change from an historical view, select Real Time.


Note If you are in the real-time view, select any other mode to switch to the historical view for that time period.


The Event Table changes to display a scrolling real-time list of events received, and the View Settings pane is updated to show the filter definition.


Updating the Event Table

When you are using an historical mode, such as "last 10 minutes," the latest events displayed correspond to the time you clicked that filter (or opened Event Viewer). Similarly, if you are in Real-Time mode and have clicked Stop, the latest events in the Event Table correspond to the time you clicked Stop.

To run another query of the server and update the Event Table display, do any one of the following:

Click Time Range.

Click Start.

Select View > Start.

Use the keyboard shortcut Ctrl + N.

Move the vertical slider control in the Time Slider.

Select an option from the View > Mode context menu.

Filtering Based on a Specific Event's Values

You can base a new filter on information contained within an event listing, or a single cell within an event listing, by right-clicking and choosing to filter. The options include the following:

To create a filter based on multiple values in the selected event, select Create Filter from Event, then select from the dialog box the values on which to filter.

To filter to include only the selected value (cell in the Event Table), select Filter This Value.

To filter to exclude the selected value (cell in the Event Table), select Filter Not this Value. All cells that do not contain the selected value, including all empty cells, are returned.

To filter on the flow of the selected event (source, source service, destination, destination service), select Filter This Flow.

Clearing Filters

You can clear filters that you select, or all filters.

To clear a single filter, select the filter in the View Settings pane and then click Delete. The filter is removed from the View Settings pane and the Event Table updates to include the events matching the modified filter criteria.


Tip Alternatively, you can right-click in the filtered column in the Event Table and then select Clear This Filter or use the column heading drop-down and select All.


To clear all filters, right-click in the Event Table and select Clear All Filters. The filters are removed from the View Settings pane and the Event Table updates to include the events matching the modified filter criteria.

Filtering on a Text String

The quick filter, on the left side of the toolbar (see [6] in Figure 59-2), enables you to execute a text-based filter on event data that has been loaded into the Event Table. A quick filter can locate a particular string of characters within the event data of multiple columns or all columns.

You can control the scope of the search using the Quick Filter drop-down list as follows:

Column: Select a specific column to limit the search to that column's contents. The default is to include all displayed columns.

Case sensitive: Selecting Case sensitive means that the data element must match the case of the search term. By default, case sensitivity is turned off.

Wild card use: Selecting wildcards means that the search term can employ an asterisk (*) in place of any run of characters. By default, wildcards are turned off.

Match method: You can select how to match the search term. The default is Match from start.


When you type a string in the quick filter text box, events that do not contain the string are instantly filtered out of the Event Table. The following figure provides an example:

Simply by typing tcp/48 all but six events are eliminated from the example Event Table. Also notice that the typed string of characters in this example appears in two different columns. To locate the single instance of tcp/48 appearing within the Destination column, you would use the Quick Filter drop-down list (magnifier) and select Destination.


Note To remove the quick filter, delete the contents of the quick filter text box. The quick filter is removed and the Event Table returns to displaying what it did before the quick filter was applied.


Using the Column Filters

Columns other than Description, Event Name, Generation Time, and Receive Time—that is, those with drop-down arrows in their column heading—include a filtering option. When you select a column filter value, the information shown in the Event Table is filtered in accordance with the selection.

To filter a column, click the down arrow in the column heading and select the value on which you want to filter. The list includes all values currently available in events shown in the filtered view.

Alternatively, you can right-click a value in the Event Table and select Filter This Value.

The filter icon (funnel) appears in the heading of a filtered column and the View Settings pane shows the filter definition.

You can use column filters in combination between multiple columns.

To remove the filter, select All from the list.

To filter on more than a single column value, use a custom column filter. For more information, see Using Custom Column Filters.

Using Custom Column Filters

You can limit the information currently displayed in the Event Table by defining a custom filter for one or more columns. Depending on the column selected, these filters may be defined either by selecting or entering values to filter on. To determine what filters currently apply to a column, refer to the View Settings pane.


Note You do not save a custom filter, rather, you save the view to which you have applied a custom filter.


To define and apply a custom column filter, follow these steps:


Step 1 Open a view in Event Viewer.

Step 2 Open the drop-down list for a particular column.

The column's filter options appear.

Step 3 Select (Custom . . .).

One of two different dialog boxes for filtering the selected column appears.

Step 4 Use the dialog box to define the scope of the custom filter, as follows:


Note To determine what filters currently apply to a column, refer to the View Settings pane.


a. Select the desired condition. You can select "Not" to perform the reverse filter.

b. Select the values on which to filter.

For selection trees, select the check boxes of all items to include.

For two-column selectors, select the items and click > to move them to the selection list. Alternatively, type in the value above the selection list and click +. You can type into the search field to help find a value in long lists.


Note When a view is opened, the Custom filter dialog for each column lists every unique value present in the Event Table for that column. Each additional filter you apply on any column updates the Event Table, and the Custom filter dialogs for all columns are rebuilt from the values that remain in the table. If you want to filter on a value that has since disappeared from the dialog, first clear the current filter, either by selecting All in the column's drop-down list or by deleting the applied custom filter from the View Settings pane.


Step 5 Click OK.

The information shown in the Event Table is filtered in accordance with the changed filter, and the View Settings pane is updated to show the filter definition.
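
The quick filter (Filtering on a Text String), the column drop-down filters, the Custom filter dialog's Not condition and the right-click Filter This Value, Filter Not this Value and Filter This Flow actions all narrow the same set of loaded events. The following Python example is added here and is not Security Manager code or part of its documentation; it reproduces those filter semantics over a small constructed Event Table so you can see exactly which rows each option keeps, for instance when checking a CSV export outside the GUI. The sample rows, the column names and the function names are assumptions for illustration.

```python
import re

# Constructed sample Event Table rows (not taken from the original page).
# Each dict is one event; the keys are the column names used in the text.
EVENTS = [
    {"Device": "asa-edge", "Severity": "Warning", "Event Name": "Deny IP packet",
     "Source": "10.52.150.50", "Source Service": "tcp/48231",
     "Destination": "192.0.2.10", "Destination Service": "tcp/48"},
    {"Device": "asa-edge", "Severity": "Informational", "Event Name": "Built TCP",
     "Source": "10.52.150.50", "Source Service": "tcp/48232",
     "Destination": "192.0.2.20", "Destination Service": "tcp/443"},
    {"Device": "asa-dc", "Severity": "Warning", "Event Name": "Deny IP packet",
     "Source": "10.52.150.51", "Source Service": "TCP/48100",
     "Destination": "192.0.2.10", "Destination Service": "tcp/22"},
    {"Device": "asa-dc", "Severity": "Informational", "Event Name": "Built UDP",
     "Source": "10.52.150.50", "Source Service": "udp/5353",
     "Destination": "192.0.2.10", "Destination Service": "udp/53"},
    # A retry of the first flow: same four flow columns, so Filter This Flow keeps both.
    {"Device": "asa-edge", "Severity": "Warning", "Event Name": "Deny IP packet",
     "Source": "10.52.150.50", "Source Service": "tcp/48231",
     "Destination": "192.0.2.10", "Destination Service": "tcp/48"},
]

FLOW_COLUMNS = ("Source", "Source Service", "Destination", "Destination Service")


def _compile(text, case_sensitive, wildcard):
    """Build the regex for one quick-filter term. With wildcards on, '*'
    stands for any run of characters; otherwise the term is literal."""
    if wildcard:
        body = "".join(".*" if ch == "*" else re.escape(ch) for ch in text)
    else:
        body = re.escape(text)
    return re.compile(body, 0 if case_sensitive else re.IGNORECASE)


def quick_filter(events, text, column=None, case_sensitive=False,
                 wildcard=False, match_from_start=True):
    """Quick filter with the four drop-down options: column scope (None means
    all displayed columns), case sensitivity, wildcard use and match method
    (Match from start anchors the term at the beginning of a cell; otherwise
    the term may appear anywhere in the cell)."""
    if not text:
        return list(events)          # an empty box removes the quick filter
    rx = _compile(text, case_sensitive, wildcard)
    test = rx.match if match_from_start else rx.search

    def hit(event):
        cells = [event.get(column, "")] if column else event.values()
        return any(test(str(cell)) for cell in cells)

    return [event for event in events if hit(event)]


def column_values(events, column):
    """What a column heading drop-down offers: the distinct values present in
    the events currently shown, so the list shrinks as filters are applied."""
    return sorted({event.get(column, "") for event in events})


def column_filter(events, column, values, negate=False):
    """Column filter / Custom filter. negate=True is the dialog's Not condition
    (and Filter Not this Value): every row whose cell is not one of the selected
    values passes, including rows with an empty cell."""
    chosen = set(values)
    return [event for event in events
            if (event.get(column, "") in chosen) != negate]


def flow_filter(events, selected):
    """Filter This Flow: keep rows that share all four flow columns with the
    selected event."""
    key = tuple(selected.get(c, "") for c in FLOW_COLUMNS)
    return [event for event in events
            if tuple(event.get(c, "") for c in FLOW_COLUMNS) == key]


if __name__ == "__main__":
    hits = quick_filter(EVENTS, "tcp/48")
    print(f"quick filter 'tcp/48' over all columns keeps {len(hits)} of {len(EVENTS)} rows")
    print("Device values offered after quick filter 'udp':",
          column_values(quick_filter(EVENTS, "udp"), "Device"))
    print("Filter This Flow on the first row keeps", len(flow_filter(EVENTS, EVENTS[0])), "rows")
```

Note how the default Match from start makes "48" match nothing while "tcp/48" matches both the tcp/48 destination service and the tcp/48xxx source ports, and how `column_values` of the filtered set reproduces the behaviour described in the Note above: once a filter is applied, the drop-down only offers values that survive it.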


Looking Up a Security Manager Policy from Event Viewer

In Event Viewer, if an event was generated from an IPS signature policy, or from certain actions related to explicit access rules (such as denied access), you can quickly locate the related signature or access rule from the event itself.

The main reason you would want to perform policy lookup is to adjust a policy based on the events that it is generating. For example, an access rule might be dropping traffic that you actually want to allow. Because you are looking at the event, you know there is a policy that is causing the event, so with a few clicks, you can get from that event to the policy that you need to reconfigure.

You can look up policies from the following types of events:

Firewall events—You can look up policies for the following syslog messages:

106023—Denied IP packet.

106100—Permit/Denied by ACL.

302013—Built TCP (started a TCP session).

302015—Built UDP (started a UDP session).

IPS alert events—All IPS events that have valid signature and sub-signature identifiers.

Tips

Hash codes are required for successful policy lookups from syslog 106023 and 106100 events. These hash codes are available only if you deployed the configuration using Security Manager. If policy lookup fails, try deploying the configuration (either to the device or to a file), then try the policy lookup again.

If you had applied a filter to the device's policy table, and the rule or signature that generated an event is filtered from the current view, Security Manager cannot highlight it. Clear the filter and try again.

If the event is caused by an implicit rule, such as the implicit deny any at the end of access rules, Security Manager cannot highlight the rule. It is considered good practice to create an explicit deny any rule at the end of access lists, so that denial events map to a rule you can locate and edit.

The target policy is always found in Device view, even if the device uses a shared policy. Device view is opened if necessary to highlight the policy.

For IPS signatures, you might not be able to edit the signature if it is a default signature.

For access rules, the selected rule is the best match for the event. It is possible that more than one rule would generate the same event if you have overlapping or redundant rules. In these cases, editing the selected rule might not completely eliminate the event, because a subsequent rule might perform the same action. Use the access rules tools to analyze and combine overlapping rules.

For access rules, multiple rules might permit a packet during session creation, but only the first rule is highlighted.


Step 1 Right-click the event in Event Viewer and select Go To Policy.


Tip You can identify whether you can look up policies from the event by looking at the Event Name cell in the table. If there is a binoculars icon before the event name, policy lookup is available. Also, if the Go To Policy command is greyed out, you cannot look up policies for that type of event.


Step 2 Security Manager finds the related access rule or IPS signature for the device and highlights it in the policy table. From here, you can edit the policy to view or change it; for detailed instructions, see Configuring Access Rules and Configuring Signatures.

Your changes do not take effect until you submit and deploy the updated configurations.


Examples of Event Analysis

There are many different techniques you can use to analyze and respond to events generated by your network devices. The examples in this section can help you understand some of the things you can do with the Security Manager Event Viewer.

This section contains the following topics:

Help Desk: User Access To a Server Is Blocked By the Firewall

Monitoring and Mitigating Botnet Activity

Removing False Positive IPS Events from the Event Table

Help Desk: User Access To a Server Is Blocked By the Firewall

In this example, the help desk gets a call from a user who cannot access a server.

There are many reasons that a user might not be able to access a server, such as:

Problems at the server's end of the network, including server down, no network connection, or the server's firewall is actively preventing access by policy.

Problems in the network cloud between the user and the server, such as routing problems.

Problems in the user's network, which could include workstation problems, physical problems with a network connection (for example, broken wires), problems with the switch port or wireless access point, DNS lookup failures, and so forth.

The Security Manager Event Viewer cannot identify or resolve these problems. However, it can identify whether a firewall that you control is blocking access to the server. This can help you either to rule out the firewall as being the source of the problem, or if it is blocking access, to fix the problem or to inform the user that the server is blocked by policy.

This procedure assumes that you have first determined that access to the server is not being denied by policy and that the firewall should allow access to the server.


Step 1 Ask the user for the IP address of the workstation and server.

Step 2 In Security Manager, select Tools > Event Viewer to open Event Viewer.

Step 3 Double-click the Firewall Traffic Events view to open it. Optionally, you can use the All Device Events view if you also want to see if there are any IPS events related to the workstation.


Tip You can also select the Firewall Denied Events view to see just denial events. However, you might want to see other events related to the user's workstation.


Step 4 Ask the user to retry the server access.

Step 5 Click the Start button, or select View > Start, to refresh the event table with the latest events.

Step 6 Type the user's IP address into the Search within Results box. The list of events is filtered as you type, and presents events in which the search string appears in any column. In the following illustration, the event list shows all events in the past 10 minutes for the IP address 10.52.150.50.

Figure 59-4 Restricting the Events List to One IP Address


Tip You can also select the IP address from the Source column's drop-down list, and the server's IP address from the Destination column's drop-down list (or the reverse), to show only events with both the source and destination that interests you. Use the column filters if the search string does not sufficiently reduce the event list for easy analysis.


Step 7 Look for an event that indicates that traffic from the user's workstation to the server, or from the server to the workstation, was denied. Syslog 106xxx messages indicate denial actions.

Select the event in the table and open the Event Details pane at the bottom of the window. The tabs in this pane show the complete message information and include plain-language explanations and recommended actions.

Step 8 If the event is message 106023 or 106100, you can quickly locate the access rule that is denying the connection and fix it. You can identify whether you can look up policies from the event by looking at the Event Name cell in the table. If there is a binoculars icon before the event name, policy lookup is available. Also, if the Go To Policy command is greyed out, you cannot look up policies for that type of event.


Tip If the traffic is denied because of the implicit deny any rule at the end of the access list, the Go To Policy command cannot take you to the rule. For tips about rule lookup, see Looking Up a Security Manager Policy from Event Viewer.


a. Right-click the event and select Go To Policy. You are taken to Device view with the rule selected. You are notified if a matching rule cannot be found.

b. Modify the rule so that it allows the desired access. This might be as simple as deleting the rule, or you might have to add a new rule that specifically allows traffic to or from the destination server (place the permit rule above the deny rule). Your organization's security policy determines the allowable changes. For more information about configuring the access rules policy, see Configuring Access Rules.

c. Submit and deploy the updated configuration to the device. For more information on the deployment process, see Deploying Configurations in Non-Workflow Mode or Deploying Configurations in Workflow Mode.

Wait for deployment to complete successfully.

Step 9 Ask the user to try to access the server again. If access is again denied, click Start in Event Viewer to refresh the events list and find the latest denial event.


Tip There might be more than one access rule that can deny communications with the server. The access rule policy is processed in order, top to bottom, so deleting a rule that prevents access can result in a rule that previously was not being hit suddenly becoming active. If you have a very long access rule policy, you could have several rules that you will have to remove one after the other. Alternatively, you could use the Rule Combiner tool to consolidate and simplify your access rules policy; for more information, see Combining Rules.


Step 10 Continue to resolve access denial events until the firewall is no longer blocking access.


Tip You can also use the Packet Tracer tool to simulate traffic going through the ASA device from the workstation to the server. In Device view, right-click the device that is denying access and select Packet Tracer. For more information, see Analyzing an ASA or PIX Configuration Using Packet Tracer.


After resolving all events, if the user still cannot reach the server, you know that the firewall is no longer one of the network elements that is blocking access. Consider other intervening network devices; perhaps a router includes an access rule that blocks the traffic.
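
The same checks the help desk procedure performs in the GUI, and the policy lookup rules in Looking Up a Security Manager Policy from Event Viewer (which message IDs support Go To Policy, and the hash codes that 106023 and 106100 events must carry), can be run against raw syslog or a CSV export. The following Python example is added here and is not Security Manager code; the syslog lines are constructed in the shape of ASA 106023, 106100 and 302013 messages, and the function names, the workstation and server addresses and the access-group name are assumptions for illustration.

```python
import re

# Constructed ASA syslog lines (not from the original page). The trailing
# "[0x..., 0x...]" pair on 106023/106100 is the hash-code pair that is present
# when Security Manager deployed the configuration; the third line lacks it.
SAMPLE_SYSLOG = [
    '%ASA-4-106023: Deny tcp src inside:10.52.150.50/48231 dst dmz:192.0.2.10/48 '
    'by access-group "inside_in" [0x8ed66b60, 0x0]',
    '%ASA-6-106100: access-list inside_in denied tcp inside/10.52.150.50(48232) '
    '-> dmz/192.0.2.10(443) hit-cnt 1 first hit [0x6c9c9e1d, 0x0]',
    '%ASA-4-106023: Deny udp src inside:10.52.150.50/5353 dst dmz:192.0.2.10/53 '
    'by access-group "inside_in"',
    '%ASA-6-302013: Built outbound TCP connection 1234 for dmz:192.0.2.20/443 '
    '(192.0.2.20/443) to inside:10.52.150.50/48240 (10.52.150.50/48240)',
    '%ASA-6-106100: access-list inside_in permitted tcp inside/10.52.150.99(5000) '
    '-> dmz/192.0.2.10(22) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]',
]

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<body>.*)")
HASH_RE = re.compile(r"\[(0x[0-9a-fA-F]+),\s*(0x[0-9a-fA-F]+)\]\s*$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
ACL_RE = re.compile(r'access-group "([^"]+)"|access-list (\S+)')

LOOKUP_IDS = {"106023", "106100", "302013", "302015"}   # Go To Policy candidates
HASH_REQUIRED = {"106023", "106100"}                      # also need the hash codes


def parse(line):
    """Split an ASA syslog line into message ID, severity, body, the IP
    addresses it mentions, the ACL name (if any) and the hash-code pair."""
    m = MSG_RE.match(line)
    if not m:
        return None
    body = m["body"]
    acl = ACL_RE.search(body)
    hashes = HASH_RE.search(body)
    return {
        "id": m["id"],
        "severity": int(m["sev"]),
        "body": body,
        "ips": IP_RE.findall(body),
        "acl": (acl.group(1) or acl.group(2)) if acl else None,
        "hashes": hashes.groups() if hashes else None,
    }


def lookup_status(event):
    """Mirror the policy-lookup rules: only the four listed message IDs
    qualify, and 106023/106100 additionally need the hash codes, which are
    present only when the configuration was deployed by Security Manager."""
    if event["id"] not in LOOKUP_IDS:
        return "not-available"
    if event["id"] in HASH_REQUIRED and not event["hashes"]:
        return "needs-redeploy"
    return "available"


def denied_events_for(lines, workstation, server=None):
    """The help-desk search: 106xxx denial events that involve the user's
    workstation (and optionally the server), each tagged with whether
    Go To Policy would work for it."""
    found = []
    for line in lines:
        event = parse(line)
        if not event or not event["id"].startswith("106"):
            continue
        if workstation not in event["ips"]:
            continue
        if server and server not in event["ips"]:
            continue
        # 106100 logs permits as well as denials; keep only the denials.
        if event["id"] == "106100" and " denied " not in event["body"]:
            continue
        event["lookup"] = lookup_status(event)
        found.append(event)
    return found


if __name__ == "__main__":
    for ev in denied_events_for(SAMPLE_SYSLOG, "10.52.150.50", "192.0.2.10"):
        print(ev["id"], ev["acl"], ev["lookup"])
```

The third sample line is the case the Tips above warn about: a 106023 denial whose configuration was not deployed by Security Manager carries no hash codes, so the script reports `needs-redeploy` rather than pretending the rule can be located.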


Monitoring and Mitigating Botnet Activity

After you configure Botnet Traffic Filtering as described in Chapter 17 "Managing Firewall Botnet Traffic Filter Rules", you want to monitor it and resolve any problems identified in your network. You can use Security Manager and ASDM to monitor Botnet activity, and mitigate identified problems, as explained in the following sections:

Understanding the Syslog Messages That Indicate Actionable Events

Monitoring Botnet Using the Security Manager Event Viewer

Monitoring Botnet Activity Using the Adaptive Security Device Manager (ASDM)

Mitigating Botnet Traffic

Understanding the Syslog Messages That Indicate Actionable Events

Botnet Traffic Filter events use syslog message numbers 338xxx. However, some messages are informational and require no action on your part.

When viewing syslogs for botnet events, you should be most concerned with the following message numbers. For information on dealing with messages that indicate blacklisted or whitelisted traffic, see Mitigating Botnet Traffic. For detailed descriptions of syslog messages, see the Syslog Message document for your ASA software version at http://www.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html.

338001 to 338004—Indicate blacklisted traffic that the ASA is logging, but the ASA is not stopping the traffic. These messages require immediate attention if you want to stop botnet activity that is in progress.

338005 to 338008—Indicate blacklisted traffic that the ASA is logging and dropping. This indicates that the traffic was covered by a drop rule. Thus, your network is being protected, although you still need to disinfect the victim computer.

338201, 338202—Indicate greylisted traffic that the ASA is logging but not dropping. These messages can indicate an active botnet connection that needs to be handled immediately.

338203, 338204—Indicate greylisted traffic that the ASA is logging and dropping. Your network is protected from this traffic. However, if the greylisted site is legitimate, the fact that the traffic is being dropped might be a problem that requires immediate attention. You can whitelist the greylisted address if you determine it is legitimate and redeploy the configuration, as described in Adding Entries to the Static Database.

338305 to 338307, 338310—The ASA could not download the dynamic filter database. Ensure that you configured DNS lookup on the device, and that there is a routable network path to the Cisco Intelligence Security Operations Center. You might need to contact Cisco Technical Support.

338309—The Botnet Traffic Filter license is not current, and you cannot download the dynamic database. Purchase and install the appropriate license. The Botnet Traffic Filter license is time-based, so you might have had a valid license that expired.
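
The message groups above translate directly into a triage order for a log export. The following Python example is added here and is not Security Manager or ASA code; it encodes the groups as rules, ranks a constructed set of 338xxx syslog lines by urgency and extracts the hosts that need disinfecting. The syslog lines are constructed to resemble ASA Botnet Traffic Filter messages, and their exact field layout, the function names and the addresses are assumptions for illustration.

```python
import re

# Constructed syslog lines shaped like ASA 338xxx messages (not from the page).
SAMPLE_BOTNET = [
    "%ASA-4-338001: Dynamic Filter monitored blacklisted TCP traffic from inside:10.52.150.50/49152 (10.52.150.50/49152) to outside:198.51.100.7/443 (198.51.100.7/443), destination 198.51.100.7 resolved from dynamic list: c2.example.net, threat-level: very-high, category: Malware",
    "%ASA-4-338005: Dynamic Filter dropped blacklisted TCP traffic from inside:10.52.150.51/49201 (10.52.150.51/49201) to outside:198.51.100.9/80 (198.51.100.9/80), destination 198.51.100.9 resolved from dynamic list: dl.example.org, threat-level: high, category: Malware",
    "%ASA-4-338201: Dynamic Filter monitored greylisted TCP traffic from inside:10.52.150.52/50010 (10.52.150.52/50010) to outside:203.0.113.5/443 (203.0.113.5/443), destination 203.0.113.5 resolved from dynamic list: cdn.example.com, threat-level: moderate, category: Unknown",
    "%ASA-4-338204: Dynamic Filter dropped greylisted UDP traffic from inside:10.52.150.53/53111 (10.52.150.53/53111) to outside:203.0.113.6/53 (203.0.113.6/53), destination 203.0.113.6 resolved from dynamic list: ns.example.com, threat-level: low, category: Unknown",
    "%ASA-3-338305: Failed to download dynamic filter data file from updater server",
    "%ASA-3-338309: The license on this ASA does not support dynamic data updates",
    "%ASA-4-338001: Dynamic Filter monitored blacklisted TCP traffic from inside:10.52.150.50/49160 (10.52.150.50/49160) to outside:198.51.100.7/443 (198.51.100.7/443), destination 198.51.100.7 resolved from dynamic list: c2.example.net, threat-level: very-high, category: Malware",
    "%ASA-6-302013: Built outbound TCP connection 77 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.52.150.50/49170 (10.52.150.50/49170)",
]

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>338\d{3}):\s*(?P<body>.*)")
FROM_RE = re.compile(r"from \S+?:(\d{1,3}(?:\.\d{1,3}){3})/\d+")
TO_RE = re.compile(r"to \S+?:(\d{1,3}(?:\.\d{1,3}){3})/\d+")
LIST_RE = re.compile(r"resolved from (?:dynamic|static) list: (\S+?),")
LEVEL_RE = re.compile(r"threat-level: (\S+?),")

# (message IDs, priority, kind, action) taken from the list above.
# Priority 0 = act now, 1 = protected but follow up, 2 = the filter itself is broken.
RULES = [
    (range(338001, 338005), 0, "blacklist", "logged but not dropped: block and disinfect the source host"),
    (range(338201, 338203), 0, "greylist", "logged but not dropped: check for an active botnet connection"),
    (range(338005, 338009), 1, "blacklist", "dropped: disinfect the source host"),
    (range(338203, 338205), 1, "greylist", "dropped: whitelist the address if the site is legitimate"),
    ((338305, 338306, 338307, 338310), 2, "database", "database download failed: check DNS and the path to the update server"),
    ((338309,), 2, "license", "Botnet Traffic Filter license is not current"),
]


def classify(msg_id):
    """Map a 338xxx message ID to (priority, kind, action)."""
    n = int(msg_id)
    for ids, priority, kind, action in RULES:
        if n in ids:
            return priority, kind, action
    return 3, "informational", "no action required"


def parse(line):
    """Return a triage record for a botnet syslog line, or None for any other line."""
    m = MSG_RE.match(line)
    if not m:
        return None
    body = m["body"]
    priority, kind, action = classify(m["id"])
    src, dst = FROM_RE.search(body), TO_RE.search(body)
    lst, lvl = LIST_RE.search(body), LEVEL_RE.search(body)
    return {
        "id": m["id"], "priority": priority, "kind": kind, "action": action,
        "victim": src.group(1) if src else None,        # inside host that talked
        "destination": dst.group(1) if dst else None,   # listed address it reached
        "domain": lst.group(1) if lst else None,
        "threat_level": lvl.group(1) if lvl else None,
    }


def triage(lines):
    """Botnet events ordered most urgent first (then by message ID)."""
    events = [e for e in map(parse, lines) if e]
    return sorted(events, key=lambda e: (e["priority"], e["id"]))


def hosts_to_disinfect(lines):
    """Inside hosts seen talking to blacklisted addresses, dropped or not."""
    return sorted({e["victim"] for e in triage(lines)
                   if e["kind"] == "blacklist" and e["victim"]})


if __name__ == "__main__":
    for e in triage(SAMPLE_BOTNET):
        print(e["priority"], e["id"], e["victim"], e["domain"], e["action"])
    print("disinfect:", hosts_to_disinfect(SAMPLE_BOTNET))
```

Sorting on priority before message ID puts the 338001 to 338004 and 338201/338202 events (traffic the ASA saw but did not stop) at the top, while the download and license failures come last even though they mean the dynamic database is stale. Both blacklist groups feed the disinfection list, because a dropped connection still means the source host is compromised.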

Monitoring Botnet Using the Security Manager Event Viewer

You can use the Event Viewer application to monitor syslog events generated by an ASA device. The Event Viewer has a predefined view that shows just botnet events.

Botnet messages are numbered 338xxx. The ASA assigns them different severity levels depending on the message, so filter on the message number rather than on severity alone when you narrow a view to botnet events.


Tip This procedure assumes the Event Management subsystem is enabled. If it is not, enable it using the Tools > Security Manager Administration > Event Management page.



Step 1 Select Tools > Event Viewer to open the Event Viewer window.

Step 2 Double-click Botnet Events from the list of predefined views in the left pane. You must double-click to activate the view and load it into the right pane. To verify the view has been opened, ensure that the tab name for the view in the right pane says "Botnet Events." The following illustration shows an example of the botnet events view.

Figure 59-5 Botnet Events View in the Security Manager Event Viewer

Step 3 To see the details of a specific event, select it in the table. You can then do the following:

Double-click the event to see the tabular information presented in a more readable format.

Open the Event Details section at the bottom of the window. The details pane shows information about the event organized on tabs. The Explanation and Recommended Action tabs include plain-language information about the event and what you might want to do about it.

The following illustration shows the Event Details pane for the Botnet Destination Blacklist message 338004. In this example, the recommended action is shown. The explanation for this message is "This syslog message is generated when traffic to a blacklisted IP address in the dynamic filter database appears." For information on dealing with this type of event, see Mitigating Botnet Traffic.

Figure 59-6 Botnet Event Details for Message 338004, Botnet Destination Blacklist

Step 4 To narrow the list of events to those generated by a single ASA, click the drop-down arrow in the Device column and select the desired device from the list. If you want to narrow the list to multiple ASAs, select Custom from the drop-down list and select the desired devices in the dialog box that appears.

You can also narrow the list using filters for any of the other columns. Filtering works the same way for all columns: either select the desired value from the drop-down list, or select Custom to create a more complex column filter.


Monitoring Botnet Activity Using the Adaptive Security Device Manager (ASDM)

Although Security Manager includes event viewing capability, the Adaptive Security Device Manager (ASDM) includes more extensive botnet reporting features. A read-only version of ASDM is installed with the Security Manager client as a device manager, and you can start ASDM from within Security Manager.


Tip You can also install the full ASDM application separately. However, any configuration changes that you perform in ASDM are considered out-of-band changes by Security Manager and are overwritten the next time you deploy configurations from Security Manager. If you ever find a need to make configuration changes using ASDM, be sure to rediscover policies on the device in Security Manager so that Security Manager's view of the configuration is up-to-date.



Step 1 In Device view, select the ASA device.

Step 2 Select Tools > Device Manager to open an ASDM connection to the ASA. You are warned that you cannot make configuration changes. Click Yes to continue.

Step 3 In ASDM, view Botnet Traffic Filter monitoring information in the following areas:

Home > Firewall Dashboard includes a Botnet Traffic Filter summary.

Monitoring > Botnet Traffic Filter > Reports includes charts on the top botnet sites, ports, and infected hosts.

Monitoring > Logging > Log Buffer shows historical syslog messages.

Monitoring > Logging > Real-Time Log Viewer shows syslog messages as they are generated.


Tip You can also search the dynamic database on the Configure > Botnet Traffic Filter > Botnet Database page. This page also allows you to manually start a database download or to purge the dynamic database. These actions do not change the device's configuration and do not require policy rediscovery in Security Manager.



Mitigating Botnet Traffic

Botnet traffic mitigation is a two-step process:

1. Stop traffic from your network to the botnet control site.

2. Disinfect the victim computers.

The following procedure explains the process in more detail.


Step 1 You see syslog events that indicate that packets are traveling to or from an objectionable address, typically message numbers 338001-338008 or 338201-338204. For detailed information about these messages, see Understanding the Syslog Messages That Indicate Actionable Events.


Tip Messages 338201-338204 are for greylisted traffic. You might want to first determine if the greylisted traffic is truly objectionable before stopping the traffic.


Step 2 Stop the botnet traffic:

Messages 338005-338008 and 338203-338204 indicate that the ASA is already dropping the traffic for you. Traffic classification drop rules cover the blacklisted or greylisted addresses. See Enabling Traffic Classification and Actions for the Botnet Traffic Filter.

Messages 338001-338004 and 338201-338202 indicate that the ASA is logging the event but not dropping the traffic. The first order of business is to stop this traffic.

You have these options for stopping the botnet traffic if the ASA is not already dropping it because of a drop rule:

(Preferred method.) Configure a drop rule for the botnet site and redeploy the configuration. See Enabling Traffic Classification and Actions for the Botnet Traffic Filter.

(Second best method.) Log into the ASA using an SSH client, enter privileged EXEC mode, and use the shun command to prevent traffic to or from the botnet site. You can also issue this command through ASDM in a CLI window, but you cannot do it from Security Manager. The shun command does not create a permanent rule blocking traffic.

For example, if the botnet site is 10.1.14.14, and the internal infected computer is 10.100.10.10, issue the following commands. The first command blocks all incoming traffic from the botnet command center, the second blocks traffic from the infected computer just to the botnet site.

shun 10.1.14.14

shun 10.100.10.10 10.1.14.14

(Not recommended.) Although the shun command is preferred, you can also create a permanent rule in the interface's access control list (ACL) that denies traffic to or from the botnet site. With the device selected in Security Manager, select Firewall > Access Rule, and create two rules: one that denies the botnet site as the source address, with any destination address; one that denies any source address with the botnet site as the destination address. For service, select IP so that all traffic is blocked. You must deploy the configuration for the rule to take effect.

Creating an access rule is not the preferred method because it creates a permanent rule, whereas botnet sites are transient. Using the Botnet Traffic Filter to dynamically block botnet traffic is a better fit for this type of network attack compared to traditional access rules.

Step 3 Shut down network access for the infected computer. For example, find the switch port to which the computer is attached, and shut down the port using the switch's CLI. There might also be wireless access for the computer, so completely shutting down network access might not be a simple task.

Step 4 Inform the owner of the victim computer that it is infected and dispatch IT personnel to disinfect the computer. Tools and techniques for disinfecting a computer are outside the scope of this document.
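To show how the message numbers in Understanding the Syslog Messages That Indicate Actionable Events and in Steps 1 and 2 above translate into triage decisions, here is an added Python example (not part of the guide or of Security Manager) that sorts constructed ASA syslog lines into the categories the guide describes. The %ASA-<severity>-<message id>: header is the real ASA format; the message-body pattern used to pull the source and destination addresses is an assumption that only the constructed sample lines are guaranteed to follow.

```python
import re
# Botnet Traffic Filter message groups as the guide describes them (all are 338xxx).
LOGGED_ONLY = set(range(338001, 338005)) | {338201, 338202}  # ASA logs but does not drop: act now
DROPPED = set(range(338005, 338009)) | {338203, 338204}      # ASA already drops the traffic
GREYLIST = set(range(338201, 338205))                        # confirm the site is objectionable first
DB_FAILURE = {338305, 338306, 338307, 338310}                # dynamic database download failed
LICENSE = {338309}                                           # Botnet Traffic Filter license not current

# The %ASA-<severity>-<message id>: <text> header is the real ASA format; the body pattern
# "from <if>:<ip>/<port> to <if>:<ip>/<port>" is an assumption met by the constructed samples below.
HEADER_RE = re.compile(r"%ASA-\d-(\d{6}): (.*)")
FLOW_RE = re.compile(r"from \S+?:(\d+\.\d+\.\d+\.\d+)/\d+ to \S+?:(\d+\.\d+\.\d+\.\d+)/\d+")

def classify(line):
    """Return a triage record for one syslog line, or None if it is not a botnet message."""
    m = HEADER_RE.search(line)
    if not m or not m.group(1).startswith("338"):
        return None
    msg_id, text = int(m.group(1)), m.group(2)
    if msg_id in LOGGED_ONLY:
        verdict = "act_now"  # Step 2: stop this traffic (drop rule preferred, shun as interim)
    elif msg_id in DROPPED:
        verdict = "dropped_greylist" if msg_id in GREYLIST else "dropped"
    elif msg_id in DB_FAILURE:
        verdict = "db_download_failed"  # check DNS lookup and the path to the update service
    elif msg_id in LICENSE:
        verdict = "license_expired"
    else:
        verdict = "other_338xxx"
    flow = FLOW_RE.search(text)
    return {"id": msg_id, "verdict": verdict, "greylist": msg_id in GREYLIST,
            "src": flow.group(1) if flow else None, "dst": flow.group(2) if flow else None}

def triage(lines):
    """Group botnet records by verdict; 'act_now' src hosts are the candidates for Steps 3 and 4."""
    groups = {}
    for line in lines:
        rec = classify(line)
        if rec:
            groups.setdefault(rec["verdict"], []).append(rec)
    return groups

# Constructed sample lines, not captured from a real device; the last one is not a botnet message.
SAMPLE_LOG = """\
%ASA-6-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.100.10.10/49152 to outside:10.1.14.14/80
%ASA-6-338201: Dynamic Filter monitored greylisted TCP traffic from inside:10.100.10.12/49154 to outside:10.1.14.16/80
%ASA-6-338309: Botnet Traffic Filter license is not current
%ASA-6-113004: AAA user authentication successful
""".splitlines()
```

Running triage(SAMPLE_LOG) puts 338004 and 338201 under act_now (with 10.100.10.10 and 10.100.10.12 as the hosts to isolate) and 338309 under license_expired.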


Removing False Positive IPS Events from the Event Table

An IPS appliance or service module (IPS device) triggers an alarm when a given packet or sequence of packets matches the characteristics of known attack profiles defined in the IPS signatures. False positives (benign triggers) occur when the IPS reports certain benign activity as malicious. Because each event requires human intervention to diagnose, spending your time analyzing false-positive events can significantly drain resources.

Due to the nature of the IPS signatures that are used to detect malicious activity, it is almost impossible to completely eliminate false positives without severely degrading the effectiveness of the IPS or severely disrupting the computing infrastructure of an organization (such as hosts and networks). Customized tuning when an IPS is deployed minimizes false positives. Periodic re-tuning is required when the computing environment changes (for example, when new systems and applications are deployed). IPS devices provide a flexible tuning capability that can minimize false positives during steady-state operations.

An example of a false positive is a network management station that periodically builds a network discovery map by running ping sweeps. A ping sweep triggers the ICMP Network Sweep with Echo signature (signature ID 2100). Thus, ICMP Network Sweep with Echo events that have the IP address of the network management station as the source address are actually expected and desired events.

You have the following options to remove false-positive IPS events from the event table in Event Viewer:

Filter out events from known "clean" sources.

By filtering out the events, you do not stop their generation, but you also do not see them in the table. Because they are still available (you can remove the filter), you can see the events if some particular network behavior requires that you examine activity from the excluded host.

There are two main drawbacks to using this technique:

The events are still generated, adding events to the event store.

The filter excludes all events from a host. You cannot create a complex filter that excludes a host/signature ID pair.

The procedure below shows how to filter out events from sources that you identify as clean.

Create event action filter rules to stop the generation of the false-positive events.

Event action filter rules are the easiest way to stop generating events, and are thus preferable to editing signatures or creating custom signatures, which is a more difficult task. If you exclude a host in an event action filter rule, the IPS device does not generate alarms or log records when the host triggers the event.

Because you can target specific signatures, rather than making a blanket-exclusion of all events from a host, you can eliminate only those events that you are certain are benign. For example, the following event filter rule removes the Produce Alert action from the ICMP Network Sweep with Echo (2100) signature for the network management station 10.100.15.75. The network management host is identified as the attacker address; the action specified in an event filter rule is actually the action that is removed from the event. Note that if you create an event action override rule to add other alert-producing actions to ICMP Network Sweep with Echo events, you must also remove the override action in this rule.

For more information about configuring event action filter rules, see Configuring Event Action Filters.
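The two options above differ in scope: a view filter hides every event whose source is in the network/host object, while an event action filter suppresses only the chosen signature for that host. The following added Python example (not part of the guide or of Security Manager) models both over constructed IPS events so the difference is visible; the network management station address 10.100.15.75 and signature 2100 come from the text, while signature 9999, the 192.168.50.9 attacker and the action names are placeholders.

```python
import ipaddress

ALERT_ACTIONS = {"produceAlert", "produceVerboseAlert"}  # actions that create an Event Viewer record

def in_object(addr, networks):
    """True if addr falls inside any network of a network/host group object."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

def view_filter(events, safe_hosts):
    """Event Viewer Source column filter with Not: hides every event whose source is in the object."""
    return [e for e in events if not in_object(e["attacker"], safe_hosts)]

def event_action_filter(events, rules):
    """Event action filter: strip the listed actions when sig_id and attacker match.
    An event left without an alert-producing action is never generated."""
    kept = []
    for e in events:
        actions = set(e["actions"])
        for r in rules:
            if e["sig_id"] in r["sig_ids"] and in_object(e["attacker"], r["attackers"]):
                actions -= r["remove"]
        if actions & ALERT_ACTIONS:
            kept.append({**e, "actions": actions})
    return kept

# Network/host group object from Step 1 of the procedure below.
IPS_SAFE_HOSTS = [ipaddress.ip_network("10.100.15.75/32")]

# The event action filter rule described above: remove Produce Alert from 2100 for the NMS.
NMS_SWEEP_RULE = {"sig_ids": {2100}, "attackers": IPS_SAFE_HOSTS, "remove": {"produceAlert"}}

# Constructed events. Signature 9999 and the 192.168.50.9 attacker are placeholders.
EVENTS = [
    {"sig_id": 2100, "attacker": "10.100.15.75", "actions": {"produceAlert"}},  # expected NMS sweep
    {"sig_id": 2100, "attacker": "192.168.50.9", "actions": {"produceAlert"}},  # sweep from elsewhere
    {"sig_id": 9999, "attacker": "10.100.15.75", "actions": {"produceAlert"}},  # unrelated hit on NMS
]

def compare():
    """Return the (sig_id, attacker) pairs each method leaves visible in the event table."""
    key = lambda e: (e["sig_id"], e["attacker"])
    return {"view_filter": [key(e) for e in view_filter(EVENTS, IPS_SAFE_HOSTS)],
            "event_action_filter": [key(e) for e in event_action_filter(EVENTS, [NMS_SWEEP_RULE])]}
```

compare() shows the view filter also hiding the unrelated signature 9999 event from the management station, which is the drawback noted above, while the event action filter keeps it and removes only the 2100 sweep.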

The following procedure shows how to use filtering in Event Viewer to remove false positives from the events list. It uses network/host policy objects to accomplish the filtering.


Tip By creating source or destination address filters using network/host objects, you can update the filters simply by changing the contents of the object. You do not need to add or remove filters from your views. Another advantage is that you can proactively create filters for addresses that do not currently appear in the events table; the source/destination column filter controls in Event Viewer list only those addresses that currently appear in listed events.



Step 1 Create a network/host policy object that includes the IP address of the clean hosts or networks.

a. Select Tools > Policy Object Manager to open the Policy Object Manager window (see Policy Object Manager Window).

b. Select Networks/Hosts from the table of contents.

c. Click the Add Row (+) button beneath the table of network/host policy objects, and select Group as the object type.

d. In the Add Network/Host Group dialog box, enter a name for the object, and in the Networks/Hosts list box, type in the desired IP addresses. For example, the following illustration creates a new object named IPS_Safe_Hosts with the single host address 10.100.15.75.

e. Click OK to create the object.

f. Click Close to close the Policy Object Manager window.

Step 2 Select File > Submit to submit your changes to the database (non-Workflow mode). Keep in mind that all of your configuration changes are submitted, not just the new policy object.

If you are using Workflow mode, you must submit your activity and have it approved, if necessary.


Tip Event Viewer can see only those policy objects that have been submitted to the database, so you must submit your changes before you can create a filter using the object. If you later change the object, you must also submit your changes for the filter to use the new definition of the policy object.


Step 3 Select Tools > Event Viewer to open the Event Viewer window.

Step 4 Create a custom view that filters out the network management station:

a. Double-click the predefined view that you want to use as the basis of your custom view, for example, All IPS Events. Double-clicking the view in the Views list opens the view. If you already have a custom view that you want to update, open it.

b. Click the down arrow button in the title of the Source column in the events table and select Custom to open the Custom Filter for Source dialog box.

Tip: You can also get to this dialog box through the View Settings pane by clicking the Add button, then selecting Source in the Add Custom Filter to a Column dialog box and clicking OK.

c. In the Custom Filter for Source dialog box, select the policy object you created and click the right-arrow button to move it to the selected list. Also, select the Not option next to the Condition option. The following illustration shows how the dialog box should look.

d. Click OK. The filter is added to the view settings and is used to remove events from the table.

e. Select File > Save As to save the changes as a new custom view. You are prompted for a view name and description; enter the information and click OK.

The following illustration shows what the view settings would look like if you started with the All IPS Events predefined view and named your new view Filtered IPS Events.