Using Monitoring Center for Security 2.2
Using the Event Viewer

Table Of Contents

Using the Event Viewer

Understanding Event Viewer Basics and Settings

Event Display

The Count Column and the Event Count Tool-Tip

Status Propagation

The Details Pane

Graphing Features

Starting Event Viewer

Working with Rows

Selecting Cells

Collapsing Cells

Expanding Cells

Working with Columns

Sorting Data and Shifting Columns

Deleting a Column from the Event Viewer Display

Adding a Column to the Event Viewer Display

Saving Your Preferred Column Setting

Applying a Column Set

Using the Events Menu Options

Deleting Events

Deleting an Event from the Event Viewer Display

Deleting Events from the Database

Suspending and Resuming New Events

Getting New Events

About Event Viewer Filters

Applying an Event Viewer Filter

Editing an Event Viewer Filter

Graphing Event Viewer Data

Using the Actions Menu Options

Copying Event Data to the Clipboard

Emailing Event Data

Blocking a Host, Network, or Connection

Removing a Block

About the Resolve and Unresolve Options

Using the Resolve Option in Event Viewer

Using the Unresolved Option in Event Viewer

Viewing Networking Information

Using the Event Viewer Ping Option

Using the Event Viewer Traceroute Option

Using the Event Viewer Resolve Hostnames Option

Using the Tools Menu Options

Learning About Attacks

Viewing Trigger Packets

Viewing IP Logs

Viewing Event Statistics

Specifying Event Viewer Preferences

Defining Event Viewer Preferences

Defining Default Event Viewer Preferences

Defining Custom Event Viewer Preferences

Viewing Event Viewer Users

Deleting User Preferences from the Event Viewer Database


Using the Event Viewer


You can use Event Viewer to view real-time and historical events. Events include IDS alarms (generated by network-based sensors, IOS devices, and PIX Firewalls), Cisco Security Agent (CSA) messages, PIX Firewall and IOS syslog messages, and audit logs.

This chapter contains the following topics:

Understanding Event Viewer Basics and Settings

Starting Event Viewer

Working with Rows

Working with Columns

Using the Events Menu Options

Graphing Event Viewer Data

Using the Actions Menu Options

Viewing Networking Information

Using the Tools Menu Options

Defining Event Viewer Preferences

Understanding Event Viewer Basics and Settings

Sensors and other network devices can continually send events to Monitoring Center for Security (Security Monitor). These events are stored in the Security Monitor database. Event Viewer allows you to view the events stored in the Security Monitor database. You can view real-time events as they are sent to Security Monitor, and you can also view historical events stored in the database.


Note Event Viewer is not the same as the Windows Administrative Tool also known as Event Viewer.


The following list contains examples of events that can be viewed in Event Viewer:

An attempt to break into a computer (IDS Alarms)

General security-related messages (PIX Firewall Security Summaries)

A status or debug message from a program or a computer (Audit Logs)

Event Viewer queries the database at regular intervals to extract the most recent events.

This section contains the following topics:

Event Display

The Count Column and the Event Count Tool-Tip

Status Propagation

The Details Pane

Graphing Features

Event Display

The Event Viewer displays event data in a window with two separate areas or panes. The large pane on the left is called the Grid Pane and the smaller pane on the right is called the Details Pane. In general, references in this document to the Event Display refer to the Grid Pane unless otherwise specified.

Figure 1-1 Event Viewer

The Grid Pane organizes and displays event records. Event Viewer can read real-time events and historical events from the database. You can configure the Grid Pane in a variety of ways to display information about alarms detected by the sensor. For example, you can add and delete columns and expand and collapse cells.

The Grid Pane combines the functionality of a spreadsheet (such as Lotus 1-2-3 or Microsoft Excel) with that of a hierarchical, drill-down directory (such as Windows Explorer) to create a collection of event records called a drillsheet (a drilldown spreadsheet). The drillsheet displays groups of similar event records on a single row of a grid, enabling you to detect patterns in the data.

A drillsheet has rows and columns, and the intersection of a row and a column is called a cell.

The background color of a cell gives some information about the cell:

If a cell is white, only one data element is associated with that cell.

If a cell is gray, that cell may represent more than one data element.

If a cell is gray and displays the + symbol, that cell represents more than one data element. You can see all the data elements by double-clicking this cell.

If a cell is gray but displays a single data element, that cell has not been expanded, but it contains only a single data element, so that element is displayed anyway.


Note You can use the Preferences panel to modify the Event Viewer behavior.



Note The conventions governing the background colors of cells in the Count column are different and are described in Status Propagation.


For example, in Figure 1-2, there is more than one attacker address associated with the events that have the name "Long HTTP Request". Therefore, the Attacker Address cell in the Long HTTP Request row is gray and displays "+". We also see that the Sensor Name column has been expanded for the "Nachi Worm ICMP Echo Request" events. Therefore, the cells in the Sensor Name column for the Nachi Worm ICMP Echo Request rows are white. Finally, note that the attacker address 172.28.114.18 has a gray background but has data displayed, rather than a "+". This means that this cell has not been expanded, but there is only one data element to be displayed, so it is displayed anyway.

Figure 1-2 Event Viewer Drillsheet

The Count Column and the Event Count Tool-Tip

Event Viewer provides two mechanisms for displaying the number of events in a group: the Count column and the event count tool-tip.

Count Column—The Count column is the first column in the drillsheet; you cannot move, collapse, or delete it. In the Count column, a cell for a given row displays the number of events represented by that row. For example, the drillsheet in Figure 1-3 indicates that there are 25 "IDS Evasive Encoding" events. However, the count of 2 in the second row does not mean that there are 2 "ICMP Flood" events; it means that there are 2 "ICMP Flood" events for the "etcinids01" sensor.

Event Count Tool-Tip—You can find out how many events are represented in a branch that spans more than one row by resting the mouse pointer on the cell you are interested in. A tool-tip indicates how many events pass through that branch. The tool-tip also displays a child count. The child count is the number of unique data elements to the right of the cell you have selected.

In Figure 1-3, when you rest the mouse pointer on the "ICMP Flood" signature name, you see a count of 57 and a child count of 2. This means that there are 57 total "ICMP Flood" events and two "ICMP Flood" events for the "etcinids01" sensor. The values in the Count column confirm this.

Figure 1-3 Event Count Tool-Tip

Status Propagation

This section describes how Event Viewer determines the severity for individual events and groups of events.

Individual Events—Some events are more severe than others. Some events represent unmistakable and devastating actions, while others might represent occurrences that are either less damaging, more ambiguous, or both. To indicate the severity of an alarm, a sensor associates a severity level with each alarm that is generated. In general, those severity levels are Informational, Low, Medium, and High, and the colors associated with those levels are blue, green, yellow, and red, respectively.

Event Groups—The background color of the event group's Count column cell is the color associated with the event group's severity. The severity of the group is the severity of the most severe event in the group. For example, if an event group contains one High event and 17 Low events, the severity of the group is High, or red.


Note In Admin > Event Viewer > Your Preferences, you can choose to use icons to indicate severity instead of color.


The status of the rows is modified in real time as events are added or deleted or when you manipulate the rows.

In addition to being shown in the Count column, the severity of an event group is reflected in the Severity column. For more information about how you can manipulate drillsheets to group events by severity, see Sorting Data and Shifting Columns.

The Details Pane

The Details Pane displays detailed event data. It appears on the right side of the Event Viewer display, next to the Grid Pane. The Details Pane provides the following functionality:

Allows you to work with events individually, rather than in groups.

Displays detailed information, including extra fields, not displayed in the Grid Pane.

When you select a cell in the Grid Pane, event data appears in the Details Pane. As described in Selecting Cells, a cell in the Grid Pane represents a node in the event tree, and the node can represent a set of events. When you select a cell, the Details Pane displays the first event in the group of events represented by the cell. You can navigate through the other events represented by the cell using the Prev (Previous) and Next buttons at the bottom of the Details Pane. The index of the event displayed in the Details Pane appears in the Details Pane heading.

The Details Pane shortcut menu is similar to the Grid Pane shortcut menu. When you select a menu function from the Details Pane shortcut menu, the menu function runs against the single event that is currently displayed in the Details Pane. With the exception of the E-mail Event Data and Copy to Clipboard menu functions, all menu functions in the Details Pane behave the same as the menu functions in the Grid Pane. In general, to run a function against a group of events, use the Grid Pane. To run a function against a single event, use the Details Pane.


Tip The E-mail Event Data and Copy to Clipboard menu functions collect data from the Pane in which they are run. When run from the Grid Pane, they collect data displayed in the Grid Pane. When run from the Details Pane, they collect the data displayed in the Details Pane. For example, to e-mail the detailed data that appears in the Details Pane, run the E-mail Event Data menu function by right-clicking in the Details Pane.


Graphing Features

You can display Event Viewer data as a bar graph. Two types of graph are available:

Graph > By Child

Graph > By Time

Each bar in the graph depicts two things:

The total number of events represented by the bar

The breakdown of events by severity for the events represented by the bar

The event count is denoted by the y-axis. The severity breakdown is depicted in each bar as a "stack" of colors, where blue, green, yellow, and red represent Informational, Low, Medium, and High severity, respectively.

You can select which events are graphed. You can also specify how the events are graphed. In other words, you can specify the field that defines the x-axis grouping. Each is described below.

Selecting the subset of events to graph—In the Grid Pane, select the node (cell) that corresponds to the events you want to graph. If you want to graph all events in the Grid Pane, select the top-left cell in the display (the root node).

Selecting the way in which events are grouped (x-axis)—You can select how events are grouped on the x-axis in several ways.

To see how the selected events were distributed over time, select Graph > By Time.

To group events by a field in the display, select Graph > By Child. By Child means that for a selected node in Event Viewer, a graph will be drawn in which the x-axis is defined by the selected node's child nodes, that is, the nodes in the column to the right of the selected node.

For example, if you are viewing All IDS Alarms in Event Viewer and you want to view a graph that breaks down the events by attack type (denial of service, reconnaissance, worms, and so on) for just IDIOM (4.0 and later) sensors, follow these steps:

a. Add or shift the IDS Alarm Type column just to the right of the Count column.

b. Add or shift the Attack Type column just to the right of the IDS Alarm Type column.

c. Select the cell in the IDS Alarm Type column that says IDIOM, and then select Graph > By Child.

You will see a graph of all IDIOM (4.0 and later sensor) events, grouped by attack type. For each bar, which represents a particular attack type, you will see the total number of events (represented by the height of the bar) and the breakdown by severity (represented by the height of the colors within the bar).

Starting Event Viewer

Before you start Event Viewer, you must specify which events you want to display.


Note Event start and stop times are the times at which events were stored in the database, not the time that the events were generated by the sensor. Usually, the two times are close, if not identical. Storage and generation times differ greatly only if there are communications problems that postpone sending events from the sensor to the database.


To start Event Viewer, follow these steps:


Step 1 Select Monitor > Events.

The Launch Event Viewer page appears.

Step 2 To select which event type appears in Event Viewer, select an option from the Event Type list box.

Step 3 Select an option from the Column Set list box:

Last Saved—If you choose Last Saved, Security Monitor queries the database to retrieve your customized set of columns. For a more detailed discussion of the Last-Saved option, see Saving Your Preferred Column Setting.

Default—If you choose Default, Security Monitor provides the set of columns provided with Version 1.1 and earlier.

All—If you choose All, Security Monitor provides all possible columns—the recommended columns and then all the remaining columns.

Step 4 Select an option from the Filter list box:

<none>—If you choose <none>, Security Monitor does not apply any filters to the Event Viewer data. All events from the database will be displayed.

Last Saved—If you choose Last Saved, Security Monitor filters the event data based on a customized filter you previously defined in Event Viewer. You can filter data based on parameters such as event severity, signature ID, and attacker and victim IP addresses. For more information about defining a filter, see Editing an Event Viewer Filter.

Step 5 Select an option in the Event Start Time section to specify the oldest events that appear in Event Viewer.

Select At Earliest to view events starting with the oldest stored in the database.

Select At Time to specify a date and time from which you want to start displaying events.

Step 6 Select an option in the Event Stop Time section to specify the most recent events that appear in Event Viewer.

Select Don't Stop for real-time event analysis.

Select At Time to specify a date and time up to which you want to display events.

Step 7 Click Launch Event Viewer.

Event Viewer appears.


Working with Rows

This section describes the cells in the Grid Pane. It explains what a cell is and how to expand and collapse cells.

This section contains the following topics:

Selecting Cells

Collapsing Cells

Expanding Cells

Selecting Cells

Many of the functions performed by Event Viewer require you to select cells in the drillsheet. Typically, you select a cell by clicking it. It is important to understand what it means to select a cell in the drillsheet.

When you select a cell in the drillsheet you are actually selecting a node in the event tree. When you perform an operation against a selected cell, you are actually performing an operation on all branches of nodes that pass through the selected cell. For example, in Figure 1-4, if you select the "Nachi Worm ICMP Echo Request" cell, any operation that you run on that cell is performed for all events that have the name "Nachi Worm ICMP Echo Request." In this case, that would be all elements in rows 3 through 5. If you intend to execute an operation against only row 4, you must select, in Figure 1-4, either the "etcinids03" cell or a cell to its right.

Figure 1-4 Event Viewer Drillsheet

Furthermore, if you select a cell that is blank because its value is implied by the cell above it (for example, the cell just below the "Nachi Worm ICMP Echo Request" cell), the branch of the node that is operated on is the branch that is defined by the first cell that is filled in to the right of the blank cell that you selected. For example, in Figure 1-4, if you select the blank cell just below the "Nachi Worm ICMP Echo Request" cell, when you perform an action, Event Viewer behaves as though you selected the "etcinids03" cell.


Note You can use the Preferences panel to change this behavior. For more information, see Specifying Event Viewer Preferences.


Collapsing Cells

When a cell is collapsed, all branches that pass through the selected cell provide less detail. For each branch, the background color of the cells in the newly hidden column changes from white to gray. Also, rows are removed as necessary to conceal the appropriate data.


Note Collapsing does not delete anything; it merely hides data from view.


Events can be collapsed by first group or all the way (all columns). If a cell is collapsed by first group, Event Viewer traverses the tree from the selected node and collapses all nodes up the branch until a node with multiple child nodes is collapsed. If a cell is collapsed all the way, all branches through the selected cell are condensed into the selected cell.

To collapse a cell, follow these steps:


Step 1 Select a cell in the Grid Pane.

The selected cell is highlighted.

Step 2 To collapse a cell by first group, select Rows > Collapse > First Group.

Step 3 To collapse a cell all the way, select Rows > Collapse > All Rows.


Expanding Cells

When a cell is expanded, all branches that pass through the selected cell provide more detail. For each branch, the background color of the cells in the newly filled-in column(s) changes from gray to white. Also, rows are created as necessary to display the exposed data.

Event rows can be expanded by first group and by all columns. If a cell is expanded by first group, Event Viewer traverses the tree from the selected node and expands all nodes down the branch until a node with multiple children is reached. If a cell is expanded all the way, all branches through the selected cell are fully expanded.


Note Sometimes expanding events can cause many rows to be created. If the number of new rows exceeds a certain maximum, a popup window asks you to confirm that you want to continue.


To expand a cell, follow these steps:


Step 1 Select a cell in Event Viewer.

The selected cell is highlighted.

Step 2 To expand a cell by first group, select Rows > Expand > First Group.

Step 3 To expand a cell all the way, select Rows > Expand > All Rows.


Working with Columns

This section describes how to work with columns to customize what data appears in the Grid Pane. You can add, delete, and shift columns and sort data within columns. You can also save your column settings and reapply them when you launch Event Viewer.

This section contains the following topics:

Sorting Data and Shifting Columns

Deleting a Column from the Event Viewer Display

Adding a Column to the Event Viewer Display

Saving Your Preferred Column Setting

Applying a Column Set

Sorting Data and Shifting Columns

You can sort data within a column and you can change the order of columns to help you find data.

Sorting Data

By default, all columns except time-related columns (times, dates, and timestamps) and Severity columns are displayed in ascending order. This means that, from top to bottom, numbers are displayed from least to greatest, and words are displayed from A to Z. To change the sorting scheme of a column from ascending to descending (or vice versa), click the column header. To change it back, click the column header again. A down arrow is displayed next to the column title when a column's data is sorted in descending order.

Sorting within a drillsheet is different from sorting in a spreadsheet in one significant way: In a drillsheet, sorting data elements in a particular column is constrained by the nature of the data in the columns to the left.

For example, Table 1-1 shows two columns. The first column has last names, and the second column has first names.

Table 1-1 First Names Sorted in Ascending Order

Last Name    First Name
Baker        Alan
             Wanda
Jones        Bob
             Xena
Smith        Charles
             Yvonne


The Last Name column and the First Name column are ascending. First names are associated with last names, so any sorting of first names must be within last names. If you click the First Name header to change the sorting scheme to descending, you obtain the results shown in Table 1-2.

Table 1-2 First Names Sorted in Descending Order

Last Name    First Name
Baker        Wanda
             Alan
Jones        Xena
             Bob
Smith        Yvonne
             Charles


The data in the first column did not change when you changed the sorting scheme of the second column.

Shifting Columns

The order of the columns in a drillsheet determines how events are grouped together. For example, if your first three columns (excluding the Count column) are, in order, Sig Name, Attacker Address, Victim Address, all events are grouped by signature name, and then each of those signature name groups is divided into subgroups by attacker address, and then each of those subgroups is divided into even smaller groups by victim address.

To change the way events are grouped, you must change the order of the columns.

To change column order, click and hold the cursor over the header of the column you want to move, and then drag the header to the desired location and release the mouse button. The window is redrawn.

In most cases, redrawing after a column shift is nearly instantaneous. However, with large numbers of events (tens of thousands or more), a slight delay may occur during redrawing.

The Count column is always the first column in the display. You cannot drag the Count column to another position, and you cannot drag another column to the left of the Count column. If you attempt to move the Count column, the columns revert to their original positions.

When columns are shifted, the entire window is redrawn, meaning that all rows are expanded to the Event Expansion Boundary for that window. To reduce the number of rows that are drawn with each column shift, consider making one of the first few columns the Event Expansion Boundary.


Note Changes to column order and sorting scheme are not automatically saved. To save the column arrangement, see Saving Your Preferred Column Setting.
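The drillsheet behaviour described in The Count Column and the Event Count Tool-Tip, Status Propagation, Sorting Data, and this section (grouping follows column order) can be modelled in a few dozen lines. The following Python is an added illustration, not Security Monitor code; the column names, sensor names and sample events are constructed.

```python
"""Model of an Event Viewer drillsheet (added illustration, not Security
Monitor code): events are grouped by the column order, the count and
severity of a group propagate up the tree, and sorting a column only
reorders values within their parent grouping. Sample data is constructed."""
from dataclasses import dataclass, field

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass
class Node:
    """One cell in the event tree; children are keyed by the next column's value."""
    value: str
    count: int = 0                   # events passing through this branch (tool-tip count)
    severity: str = "Informational"  # worst severity in the group (status propagation)
    children: dict = field(default_factory=dict)

    @property
    def child_count(self) -> int:
        """Unique data elements in the column to the right (tool-tip child count)."""
        return len(self.children)


def build_tree(events, columns):
    """Group events by the given columns, in order; the first column is the
    one just right of Count. Count and severity propagate to every ancestor."""
    root = Node("*")
    for ev in events:
        path, node = [root], root
        for col in columns:
            node = node.children.setdefault(ev[col], Node(ev[col]))
            path.append(node)
        for node in path:
            node.count += 1
            if SEVERITY_RANK[ev["severity"]] > SEVERITY_RANK[node.severity]:
                node.severity = ev["severity"]  # a group is as severe as its worst event
    return root


def sort_column(node, depth, descending=False):
    """Sort the column `depth` levels below `node` (0 = first column after
    Count), but only within each parent: columns to the left keep their order,
    which is what Table 1-2 shows. Values are compared as strings here."""
    if depth == 0:
        node.children = dict(sorted(node.children.items(), reverse=descending))
    else:
        for child in node.children.values():
            sort_column(child, depth - 1, descending)


def drillsheet_rows(root):
    """Flatten the fully expanded tree into (count, severity, cells) rows.
    A cell is left blank when its value is implied by the row above."""
    rows, prev = [], None

    def walk(node, path):
        nonlocal prev
        if not node.children:
            cells = ["" if prev is not None and prev[:i + 1] == path[:i + 1] else v
                     for i, v in enumerate(path)]
            rows.append((node.count, node.severity, cells))
            prev = path
            return
        for child in node.children.values():
            walk(child, path + [child.value])

    walk(root, [])
    return rows


# Constructed sample events; sensor and signature names follow the figures above.
SAMPLE_EVENTS = [
    {"sig_name": "ICMP Flood", "sensor": "etcinids01", "attacker": "172.28.114.18", "severity": "Low"},
    {"sig_name": "ICMP Flood", "sensor": "etcinids01", "attacker": "172.28.114.18", "severity": "Low"},
    {"sig_name": "ICMP Flood", "sensor": "etcinids01", "attacker": "172.28.114.20", "severity": "Low"},
    {"sig_name": "ICMP Flood", "sensor": "etcinids03", "attacker": "172.28.114.18", "severity": "Medium"},
    {"sig_name": "Long HTTP Request", "sensor": "etcinids01", "attacker": "10.1.1.5", "severity": "High"},
    {"sig_name": "Long HTTP Request", "sensor": "etcinids01", "attacker": "10.1.1.9", "severity": "Low"},
    {"sig_name": "Nachi Worm ICMP Echo Request", "sensor": "etcinids03", "attacker": "10.2.2.2", "severity": "Medium"},
]

if __name__ == "__main__":
    root = build_tree(SAMPLE_EVENTS, ["sig_name", "sensor", "attacker"])
    sort_column(root, 2, descending=True)  # like clicking the Attacker Address header
    for count, sev, cells in drillsheet_rows(root):
        print(f"{count:>5}  {sev:<13} " + " | ".join(f"{c:<28}" for c in cells))
```

Rebuilding the tree with a different column list is the equivalent of shifting columns: the same events are regrouped and every count and severity is recomputed.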


Deleting a Column from the Event Viewer Display

You can delete a column from the Event Viewer display. Deleting a column affects only the Event Viewer display that you are viewing. It does not change the default column arrangement for other existing or future Event Viewer displays. Additionally, deleting a column from the current Event Viewer display does not delete the events in that column from the database, nor does it mark the events in that column for deletion from the database.

To delete a column from the current Event Viewer display, follow these steps:


Step 1 Select any cell in the column that you want to delete.


Note You cannot delete the Count column.


Step 2 Select Columns > Delete Column.

The Event Viewer display appears again, reflecting the deletion of the column that you selected.


Adding a Column to the Event Viewer Display

You can add a new column to the Event Viewer display. When you add a column, it is inserted to the right of the selected cell.

To add a column to the Event Viewer display, follow these steps:


Step 1 Select a cell in the Event Viewer grid.

The selected cell is highlighted and outlined in gray.

Step 2 Select Columns > Add Column.

The Add Column dialog box appears.

Step 3 Select the type of column you want to add from the list. Then, click OK.

The new column is inserted to the right of the selected cell in the Event Viewer grid.


Saving Your Preferred Column Setting

This procedure explains how to specify and save the following information for a particular event type:

Which columns are displayed.

The order in which the columns are displayed.

The sorting scheme for each column.

To save your column setting as your preferred column setting, follow these steps:


Step 1 Drag and drop, add, and delete columns, to arrange them the way you want. Also, sort the columns in ascending or descending order by clicking the column headings.

Step 2 Select Columns > Save Column Set.

The Save Column Set dialog box appears.

Step 3 Click Yes.

Your current column setting is saved as your preferred column setting for your user account and for the event type that you are currently monitoring. When you launch Event Viewer, select Last Saved from the Column Set list box to use this column setting.


Applying a Column Set

You can apply a predefined column arrangement to the Grid Pane. No events are added or removed from the Grid Pane when you apply a new column set.


Note The arrangement of the fields in the Details Pane will not change.


To apply a column set, follow these steps:


Step 1 Start Event Viewer as explained in Starting Event Viewer.

Step 2 Select Columns > Apply Column Set.

The Apply Column Set dialog box appears.

Step 3 Select a column set from the list box. You can select from the following column sets:

Last Saved—Applies the last saved column setting. For more information about saving a column setting, see Saving Your Preferred Column Setting.

Default—Applies the recommended arrangement of columns.

All—Displays all event data columns.

If you are viewing IDS events, you can also select from the following column sets:

By Victim—Arranges events by Victim IP address.

By Attacker—Arranges events by Attacker IP address.

By Signature—Arranges events by Signature name.

Step 4 Click OK.

The columns in the Grid Pane are rearranged according to the column set you applied.


Using the Events Menu Options

This section describes the menu options available for working with events in Event Viewer. You can delete events from the current Event Viewer display, delete events from the database, and apply filters.

This section contains the following topics:

Deleting Events

Suspending and Resuming New Events

Getting New Events

About Event Viewer Filters

Deleting Events

In Event Viewer, you can delete events from the current display or mark events for deletion from the database.

This section contains the following topics:

Deleting an Event from the Event Viewer Display

Deleting Events from the Database

Deleting an Event from the Event Viewer Display

You can delete an event or set of events from the current Event Viewer display without removing these events from the database or other, concurrently running Event Viewers.

To delete an event from Event Viewer, follow these steps:


Step 1 Select a cell in the Event Viewer display.

Step 2 To delete an event from the current Event Viewer display, select Events > Delete > From this Grid.

The Event Viewer display refreshes, reflecting the deletion of the cell that you selected.


Deleting Events from the Database

In Event Viewer, you can mark events for deletion from the database. The marked events will be physically removed from the database at some time in the future when database pruning occurs.


Tip You can also use the Alarm Export Utility to mark events for deletion. For more information, see Using the Alarm Export Utility, page A-2.


To delete events from the database using Event Viewer, follow these steps:


Step 1 Select a cell in Event Viewer.

Step 2 Select Events > Delete > From Database.

Events deleted using this option will no longer appear in Event Viewer and will not be included in generated reports.


Suspending and Resuming New Events

You can suspend new events from being added to the current Event Viewer display. You can resume receiving new events when you are ready.

To suspend or resume events, follow these steps:


Step 1 To suspend receiving new events, select Events > Suspend New Events.

Event Viewer stops querying the database for new events.

Step 2 To resume receiving new events, select Events > Resume New Events.

Event Viewer resumes querying the database for new events.


Getting New Events

Based on the settings you specify in the Preferences dialog box (Tools > Options), Event Viewer queries the database at regular intervals for new events. If you want to check for new events between intervals or if you have automatic queries disabled, you can use the Get New Events option to query the database for new events manually.

To get new events in the Event Viewer, follow these steps:


Step 1 Select Events > Get New Events.

The Event Viewer display is refreshed to include any new events.

Step 2 Repeat Step 1 as often as you would like to query for new events.


About Event Viewer Filters

A filter is a set of criteria that an event must meet in order to be displayed in Event Viewer. You can define an event filter and apply a pre-defined filter to an existing Event Viewer display.

This section contains the following topics:

Applying an Event Viewer Filter

Editing an Event Viewer Filter

Applying an Event Viewer Filter

You can apply a pre-defined filter to an existing Event Viewer display. When you apply a filter, all events in the Grid Pane are removed and replaced with new events that match the criteria specified in the filter.


Note This feature is available only for IDS events.


To apply an Event Viewer filter, follow these steps:


Step 1 Select Events > Apply Filter.

The Apply Filter dialog box appears.

Step 2 Select a filter from the list box. Then, click OK.

The events in your current Event Viewer display are replaced with new events that match the criteria specified in the filter you selected.


Editing an Event Viewer Filter

A filter is a set of criteria that an event must meet in order to be displayed in Event Viewer. You use the Filter Editor to specify the filter criteria.


Note You can apply filters only to IDS events.



Note If you filter on more than one field, then the criteria for all fields must be met in order for an event to pass the filter. For example, if you specify an Attacker Address and a Victim Address, then only events that match both the Attacker Address and the Victim Address will pass the filter and be displayed in Event Viewer.


To edit an Event Viewer filter, follow these steps:


Step 1 Select Events > Edit Filter.

The Filter Editor dialog box appears.

Step 2 Select the check box next to the filter options you want to define. You can select from the following options:

Attacker Address—Only events whose attacker address matches the Attacker Address value will be displayed. To view all events from the IP network that contains an attacker, select the Mask check box and specify a network mask. For example, to view all events whose attackers are in the 1.1.*.* network, enter an address from the network in the Attacker Address field, and enter 255.255.0.0 in the Mask field.

Attacker Locality—Only events whose attacker locality matches the Attacker Locality value will be displayed.

Attacker Port—Only events in which the attacker port matches the Attacker Port value will be displayed.

Victim Address—Only events whose victim address matches the Victim Address value will be displayed. The Mask field works in the same manner as in the Attacker Address area (see above).

Victim Locality—Only events whose victim locality matches the Victim Locality value will be displayed.

Victim Port—Only events in which the victim port matches the Victim Port value will be displayed.

Signature ID—Only events whose signature ID matches the Signature ID value will be displayed.


Note To display signature IDs in the Grid Pane, use the Add Column option to add the Sig ID column. To view more information about a signature ID in the Network Security Database, select Explanation from the shortcut menu in either the Grid Pane or the Details Pane.


Signature Name—Only events whose signature name matches the Signature Name value will be displayed.

Risk Rating—Only events whose risk rating falls within the range specified in the Minimum and Maximum fields will be displayed.

Alarm Trait—Only events in which the alarm trait matches the Alarm Trait value will be displayed.

Severity—Only events whose severity matches one of the values selected will be displayed. For example, to display events of only High or Medium severity, select the High and Medium check boxes.

Deny Not Performed—Select Activated to display only events in which the traffic has been denied. Select Not Activated to display only events in which the traffic has not been denied.

Resolved—Select Resolved to display only events that have been resolved. Select Not Resolved to suppress the display of events that have been resolved.

IP Log—Select Activated to display only events that have an associated IP Log. Select Not Activated to display only events without an IP Log.

Trigger Packet—Select Attached to display only events that have an associated trigger packet. Select Not Attached to display only events without a Trigger Packet.

Blocking—Select Requested to display only events that trigger the sensor to issue a block (shun). Select Not Requested to display only events that did not trigger a block.

TCP Reset—Select Attempted to display only events that trigger the sensor to issue a TCP Reset. Select Not Attempted to display only events that did not trigger a TCP Reset.

Step 3 To apply the filter to your current Event Viewer display, click OK. If you select this option, the filter is not saved for future use.

Step 4 To apply the filter to your current Event Viewer display and save it for future use, click Save.

The events in your current Event Viewer display are filtered based on the criteria you specified. The filter is saved as the Last Saved filter, which you can apply when you start Event Viewer or from the Event Viewer display. For more information, see Starting Event Viewer, and Applying an Event Viewer Filter.
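The matching rules described above (all checked fields are ANDed, and an address field with the Mask check box selects a whole network, as in the 1.1.*.* / 255.255.0.0 example), modelled as an added Python example rather than Security Monitor's own code. The Event fields, sample addresses, ports and signature IDs are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Set


@dataclass
class Event:
    """Constructed IDS event record; the field names are assumptions
    chosen to mirror the Filter Editor's criteria."""
    attacker_addr: str
    attacker_port: int
    victim_addr: str
    victim_port: int
    sig_id: int
    risk_rating: int
    severity: str            # "High", "Medium", "Low" or "Informational"
    resolved: bool = False
    ip_log: bool = False


@dataclass
class AddressCriterion:
    """An Attacker Address or Victim Address field with the optional
    Mask check box: no mask means an exact host match."""
    address: str
    mask: Optional[str] = None

    def matches(self, addr: str) -> bool:
        if self.mask is None:
            return IPv4Address(addr) == IPv4Address(self.address)
        # Any address from the network may be entered; strict=False lets the
        # mask clear the host bits, so 1.1.5.9 / 255.255.0.0 -> 1.1.0.0/16.
        network = IPv4Network(f"{self.address}/{self.mask}", strict=False)
        return IPv4Address(addr) in network


@dataclass
class Filter:
    """Criteria left as None are unchecked in the Filter Editor."""
    attacker: Optional[AddressCriterion] = None
    attacker_port: Optional[int] = None
    victim: Optional[AddressCriterion] = None
    victim_port: Optional[int] = None
    sig_id: Optional[int] = None
    risk_min: Optional[int] = None            # Risk Rating: Minimum
    risk_max: Optional[int] = None            # Risk Rating: Maximum
    severities: Optional[Set[str]] = None     # Severity check boxes
    resolved: Optional[bool] = None           # True=Resolved, False=Not Resolved
    ip_log: Optional[bool] = None             # True=Activated, False=Not Activated

    def matches(self, ev: Event) -> bool:
        # Every checked criterion must hold: the fields are ANDed.
        checks = [
            self.attacker is None or self.attacker.matches(ev.attacker_addr),
            self.attacker_port is None or ev.attacker_port == self.attacker_port,
            self.victim is None or self.victim.matches(ev.victim_addr),
            self.victim_port is None or ev.victim_port == self.victim_port,
            self.sig_id is None or ev.sig_id == self.sig_id,
            self.risk_min is None or ev.risk_rating >= self.risk_min,
            self.risk_max is None or ev.risk_rating <= self.risk_max,
            self.severities is None or ev.severity in self.severities,
            self.resolved is None or ev.resolved == self.resolved,
            self.ip_log is None or ev.ip_log == self.ip_log,
        ]
        return all(checks)


def apply_filter(events: List[Event], flt: Filter) -> List[Event]:
    """Return the events that would remain in the Grid Pane."""
    return [ev for ev in events if flt.matches(ev)]


# Constructed sample events (addresses, ports and signature IDs are made up).
EVENTS = [
    Event("1.1.5.9",   40123, "10.0.0.5", 80,  1001, 85, "High"),
    Event("1.1.200.7", 51000, "10.0.0.5", 443, 1002, 60, "Medium", resolved=True),
    Event("2.2.2.2",   33333, "10.0.0.9", 80,  1001, 90, "High"),
    Event("1.1.5.9",   40124, "10.0.1.1", 22,  1003, 20, "Low", ip_log=True),
]


def attackers_in_1_1_network() -> List[int]:
    """The 1.1.*.* example: any 1.1.x.y address plus 255.255.0.0 selects the /16."""
    flt = Filter(attacker=AddressCriterion("1.1.5.9", mask="255.255.0.0"))
    return [ev.attacker_port for ev in apply_filter(EVENTS, flt)]


def from_1_1_network_to_host() -> List[int]:
    """Attacker network AND exact victim host: both criteria must match."""
    flt = Filter(attacker=AddressCriterion("1.1.5.9", mask="255.255.0.0"),
                 victim=AddressCriterion("10.0.0.5"))
    return [ev.attacker_port for ev in apply_filter(EVENTS, flt)]


def open_high_or_medium() -> List[int]:
    """Severity High or Medium and Not Resolved: the analyst's working queue."""
    flt = Filter(severities={"High", "Medium"}, resolved=False)
    return [ev.attacker_port for ev in apply_filter(EVENTS, flt)]


def risk_between(lo: int, hi: int) -> List[int]:
    """Risk Rating within the Minimum..Maximum range, inclusive."""
    return [ev.attacker_port for ev in apply_filter(EVENTS, Filter(risk_min=lo, risk_max=hi))]
```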


Graphing Event Viewer Data

You can create a graph of the data, or a subset of the data, shown in Event Viewer. The graphs do not update dynamically; they provide a static view of the data at the time the graph was created.

To view a graph of Event Viewer data, follow these steps:


Step 1 Select the events to graph.

To select all events, select the top-left cell in the display (the root node).

To select a subset of events, select the cell that corresponds to the events you want to graph.

Step 2 To see how the selected events were distributed over time, select Graph > By Time from the menu.

The graph plots the time range over which the events occurred along the x-axis and the number of occurrences along the y-axis. Event severity is indicated by the color of the bar.

Step 3 To see the distribution of child events, select Graph > By Child from the menu.

The graph displays the child events (the events in the column to the right of the selected node) across the X-axis of the graph and the number of occurrences along the Y-axis. Event severity is indicated by the color of the bar.

Step 4 To close the graph, click the close button (designated by the X icon) in the upper-right corner of the graph window.


Using the Actions Menu Options

This section describes how to use the options from the Actions menu. From the Actions menu, you can copy event data to the clipboard, e-mail event data, add and remove blocks, and mark events as resolved and unresolved.

This section contains the following topics:

Copying Event Data to the Clipboard

Emailing Event Data

Blocking a Host, Network, or Connection

Removing a Block

About the Resolve and Unresolve Options

Copying Event Data to the Clipboard

You can copy event data to the clipboard and then paste the data into another program for viewing and formatting. You can copy data from a single cell, from a column, from a row or group of rows, or from all cells in the Grid Pane. You also can copy the details of an event from the Details Pane.


Tip If you copy data from a row, group of rows, or all rows in the Grid Pane, the data is added as it appears in your current Grid Pane display. You can add and remove columns to determine what data is added to the clipboard and rearrange the columns to determine how the data should be displayed when pasted into another application. For more information, see Working with Rows.


To copy event data to the clipboard, perform the step below that corresponds with the type of information you want to copy:


Step 1 To copy all information from the Grid Pane:

a. Right-click the top cell in the Count column.

The shortcut menu is displayed.

b. From the shortcut menu, select Actions > Copy to Clipboard > By Row(s).

All cells in the Grid Pane, including column headings, are copied to the clipboard in tab-delimited format.

Step 2 To copy the contents of a single cell:

a. Right-click the cell in the Grid Pane whose contents you want to copy to the clipboard.

The shortcut menu is displayed.

b. From the shortcut menu, select Actions > Copy to Clipboard > By Cell.

The contents of the selected cell are copied to the clipboard.


Note If the cell that you copied is not expanded, the contents of the cell will be expanded when you paste the information.


Step 3 To copy data from a row or group of rows for a particular event:

a. Right-click the cell in the row that corresponds with the event whose details you want to copy to the clipboard. If the selected cell or any cell to the right of the selected cell has expanded child cells, the event data for the child cells are also copied to the clipboard.

The shortcut menu is displayed.

b. From the shortcut menu, select Actions > Copy to Clipboard > By Row(s).

The event data and column headings are saved to the clipboard in a tab-delimited format.

Step 4 To copy event data from a column:

a. Right-click any cell in the column whose contents you want to copy to the clipboard.

b. From the shortcut menu, select Actions > Copy to Clipboard > By Column.

The event data and heading for the selected column are saved to the clipboard.

Step 5 To copy the details of an event from the Details Pane:

a. Click any cell in the row that corresponds with the event whose details you want to copy to the clipboard.

The details for the selected event are displayed in the Details Pane.

b. Right-click the Details Pane.

The shortcut menu is displayed.

c. From the shortcut menu, select Actions > Copy to Clipboard > By Cell.

The details of the selected event are copied to the clipboard.


Emailing Event Data

You can email event details from the Details Pane, event data from a row or group of rows in the Grid Pane, or event data for all rows in the Grid Pane to one or more people. Before you can use the Email Event Data option, you must specify an email server and an email address recipient list. For more information, see Specifying an Email Server, page 1-5, and Defining Custom Event Viewer Preferences.


Tip If you are emailing event data from a row, group of rows, or all rows in the Grid Pane, the data in the email will appear exactly as it appears in your current Grid Pane display. You can add and remove columns to determine what data is added to the email and rearrange the columns to determine how the data should be displayed. For more information, see Working with Rows.


To email event data, perform the step below that corresponds with the type of information you want to send:


Step 1 To email all data in the Grid Pane:

a. Right-click the top cell in the Count column.

The shortcut menu is displayed.

b. From the shortcut menu, select Actions > E-mail Event Data.

The E-mail Event Data window appears.

c. Click Yes.

The event data is emailed to the specified recipient(s) in a tab-delimited format. The tab-delimited format enables you to copy the text from the email message and paste it into a spreadsheet to have the grid display from Event Viewer represented in your spreadsheet program.

Step 2 To email data from a row or a group of rows for a particular event:

a. Right-click the cell in the row that corresponds with the event whose details you want to email. If the selected cell or any cell to the right of the selected cell has expanded child cells, the event data for the child cells are also included in the email.

The shortcut menu is displayed.

b. From the shortcut menu, select Actions > E-mail Event Data.

The E-mail Event Data window appears.

c. Click Yes.

The event data is emailed to the specified recipient(s) in a tab-delimited format. The tab-delimited format enables you to copy the text from the email message and paste it into a spreadsheet to have the grid display from Event Viewer represented in your spreadsheet program.

Step 3 To email the details of an event from the Details Pane:

a. Click any cell in the row that corresponds with the event whose details you want to email.

The details for the selected event are displayed in the Details Pane.

b. Right-click the Details Pane.

The shortcut menu is displayed.

c. From the shortcut menu, select Actions > E-mail Event Data.

The E-mail Event Data window appears.

d. Click Yes.

The event details are emailed to the specified recipient(s).


Blocking a Host, Network, or Connection

Blocking a host causes a sensor to block all traffic emanating from the source IP address associated with the selected event. In a similar way, blocking a network causes the sensor to block all traffic emanating from the network that contains the source IP address of the selected event. Blocking a connection causes a sensor to block all traffic from a particular source/destination pair. Blocking is accomplished through a properly configured Cisco router. For information about removing a block, see Removing a Block.

To block a host or a network, follow these steps:


Step 1 To select an event whose source (a host or a network) you want to block, click the corresponding cell in Event Viewer.

The selected cell is highlighted and outlined in gray.

Step 2 To block a host, select Actions > Block > Host.

The traffic is blocked for the number of minutes specified in the Preferences dialog box (Tools > Options).

Step 3 To block a network, select Actions > Block > Net.

The traffic is blocked for the number of minutes specified in the Preferences dialog box (Tools > Options).


Note The network address of a blocked network is calculated by applying the network mask in the Preferences panel to the source IP address of the selected event.


Step 4 To block a connection, select Actions > Block > Connection.

The traffic is blocked for the number of minutes specified in the Preferences dialog box (Tools > Options).
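How the three block scopes differ, how Block > Net derives its network by applying the Preferences subnet mask to the event's source address (see the note above), and how the Time to Block value bounds a block's lifetime, modelled as an added Python example rather than Security Monitor's own code. The sample event, mask and timestamps are constructed; the 1440-minute default is the one the Preferences section states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Block:
    kind: str          # "host", "net" or "connection"
    target: str        # host address, network in CIDR form, or "src->dst"
    expires: datetime  # issue time plus Time to Block


def network_for_block(source_ip: str, mask: str) -> str:
    """Apply the Preferences subnet mask to the event's source address;
    strict=False clears the host bits so 10.1.2.3 / 255.255.0.0 -> 10.1.0.0/16."""
    return str(IPv4Network(f"{source_ip}/{mask}", strict=False))


def request_block(kind: str, event: dict, mask: str,
                  time_to_block_min: int, now: datetime) -> Block:
    """Build the block an Actions > Block > Host/Net/Connection request would
    issue for `event`; the lifetime comes from the Time to Block field."""
    if kind == "host":
        target = event["attacker"]
    elif kind == "net":
        target = network_for_block(event["attacker"], mask)
    elif kind == "connection":
        target = f'{event["attacker"]}->{event["victim"]}'
    else:
        raise ValueError(f"unknown block kind: {kind}")
    return Block(kind, target, now + timedelta(minutes=time_to_block_min))


def is_blocked(blocks, src: str, dst: str, now: datetime) -> bool:
    """Would traffic from src to dst be dropped by the blocks active at `now`?"""
    for b in blocks:
        if b.expires <= now:          # Time to Block has elapsed
            continue
        if b.kind == "host" and IPv4Address(src) == IPv4Address(b.target):
            return True
        if b.kind == "net" and IPv4Address(src) in IPv4Network(b.target):
            return True
        if b.kind == "connection" and b.target == f"{src}->{dst}":
            return True
    return False


def remove_block(blocks, kind: str, target: str):
    """Model Actions > Remove Block: drop the matching entry before it expires."""
    return [b for b in blocks if not (b.kind == kind and b.target == target)]


# Constructed sample: an event with a 10.1.2.3 source, a /16 mask in the
# Preferences panel and the default Time to Block of 1440 minutes.
SAMPLE_EVENT = {"attacker": "10.1.2.3", "victim": "192.168.0.10"}
PREF_MASK = "255.255.0.0"
TIME_TO_BLOCK = 1440


def demo(now: datetime = datetime(2024, 1, 1, 12, 0)) -> dict:
    """Compare the reach of the three block scopes on the sample event."""
    net = request_block("net", SAMPLE_EVENT, PREF_MASK, TIME_TO_BLOCK, now)
    host = request_block("host", SAMPLE_EVENT, PREF_MASK, TIME_TO_BLOCK, now)
    conn = request_block("connection", SAMPLE_EVENT, PREF_MASK, TIME_TO_BLOCK, now)
    dst = SAMPLE_EVENT["victim"]
    later = now + timedelta(minutes=TIME_TO_BLOCK)
    return {
        "network": net.target,
        "net_catches_sibling": is_blocked([net], "10.1.250.1", dst, now),
        "host_catches_sibling": is_blocked([host], "10.1.250.1", dst, now),
        "net_catches_other_net": is_blocked([net], "10.2.0.1", dst, now),
        "conn_same_pair": is_blocked([conn], "10.1.2.3", dst, now),
        "conn_other_dst": is_blocked([conn], "10.1.2.3", "192.168.0.11", now),
        "net_after_expiry": is_blocked([net], "10.1.250.1", dst, later),
        "net_after_removal": is_blocked(remove_block([net], "net", net.target),
                                        "10.1.250.1", dst, now),
    }
```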


Removing a Block

You can remove any blocks that you have added in Event Viewer.

To remove a block, follow these steps:


Step 1 To select the event from which you want to remove the block, select the corresponding cell in Event Viewer.

The selected cell is highlighted and outlined in gray.

Step 2 To remove a sensor's block from a host or from a connection, select Actions > Remove Block > Host.

Step 3 To remove a sensor's block from a network, select Actions > Remove Block > Net.


About the Resolve and Unresolve Options

You can run the Resolve and Unresolve options from either the Grid or the Details Pane. Use the Resolve option to mark an event as resolved without actually deleting it from the database. After you mark an event as resolved, a flag is set in the database for that event, and that flag applies to all users who view that event record from your Security Monitor server. Use the Unresolve option to remove a resolved flag.

The Resolve and Unresolve options initiate a process that updates the database. The Grid Pane will not refresh automatically. To see any visual consequences of the actions, you must manually refresh the Grid Pane by selecting Events > Get New Events or wait for the Grid Pane to automatically refresh.

You can maximize the usefulness of the Resolve option in the following ways:

Use the Add Column option to add the Resolved column to the Grid Pane. You can then arrange events by whether they have been resolved, making it easy to determine which events have been resolved and which have not.

Use the Filter Editor to display only unresolved events in the Grid Pane by selecting the Unresolve option. For more information about the Filter Editor, see Editing an Event Viewer Filter.

This section contains the following topics:

Using the Resolve Option in Event Viewer

Using the Unresolved Option in Event Viewer

Using the Resolve Option in Event Viewer

Use the Resolve option to mark an event as resolved without actually deleting it from the database. After you mark an event as resolved, a flag is set in the database for that event, and that flag applies to all users who view that event record from your Security Monitor server.

To mark an event as resolved, follow these steps:


Step 1 Select a cell in the Grid Pane to determine which events are to be marked as resolved.


Tip You can also mark a single event as resolved in the Details Pane by selecting Actions > Resolve from the shortcut menu.


Step 2 Select Actions > Resolve.

The Clear Events window appears.

Step 3 Click Yes to confirm that you want to mark the selected event(s) as resolved.

The selected event(s) are marked as resolved in the database. To view the changes in the Grid Pane, you must refresh the Event Viewer display or wait for the display to automatically refresh.


Using the Unresolved Option in Event Viewer

Use the Unresolve option to remove a resolved flag. When you mark an event as unresolved, a flag is set in the database for that event, and that flag applies to all users who view that event record from your Security Monitor server.

To mark an event as unresolved, follow these steps:


Step 1 Select a cell in the Grid Pane to determine which events are to be marked as unresolved.


Tip You can also mark a single event as unresolved in the Details Pane by selecting Actions > Unresolve from the shortcut menu.


Step 2 Select Actions > Unresolve.

The Undo Clear Events window appears.

Step 3 Click Yes to confirm that you want to mark the selected event(s) as unresolved.

The selected event(s) are marked as unresolved in the database. To view the changes in the Grid Pane, you must refresh the Event Viewer display or wait for the display to automatically refresh.


Viewing Networking Information

You can use the following three menu functions to obtain additional networking information about the attacker and victim of an event.

Ping—Determines whether an IP address can be reached from the Security Monitor server. For more information, see Using the Event Viewer Ping Option.

Traceroute—Displays the names/addresses of the machines through which data passes when being transmitted between the Security Monitor server and the selected IP address. For more information, see Using the Event Viewer Traceroute Option.

Resolve Hostnames—Attempts to translate a numeric IP address into a hostname. For more information, see Using the Event Viewer Resolve Hostnames Option.

Using the Event Viewer Ping Option

The Ping option determines whether an IP address can be reached from the Security Monitor server.

To use the Ping option, follow these steps:


Step 1 Select a cell in the Grid Pane.

The selected cell is highlighted and outlined in yellow.

Step 2 To ping the attacker IP address, select Networking > Ping > Attacker.


Note You can also perform this function on an individual event in the Details Pane. Select Networking > Ping > Attacker from the shortcut menu.


The ping results appear in a new window.

Step 3 To ping the victim IP address, select Networking > Ping > Victim.


Note You can also perform this function on an individual event in the Details Pane. Select Networking > Ping > Victim from the shortcut menu.


The ping results appear in a new window.


Using the Event Viewer Traceroute Option

The Traceroute option displays the names/addresses of the machines through which data passes when being transmitted between the Security Monitor server and the selected IP address.

To use the Traceroute option, follow these steps:


Step 1 Select a cell in the Grid Pane.

The selected cell is highlighted and outlined in yellow.

Step 2 To trace the route to the attacker IP address, select Networking > Traceroute > Attacker.


Note You can also perform this function on an individual event in the Details Pane. Select Networking > Traceroute > Attacker from the shortcut menu.


The traceroute results appear in a new window.

Step 3 To trace the route to the victim IP address, select Networking > Traceroute > Victim.


Note You can also perform this function on an individual event in the Details Pane. Select Networking > Traceroute > Victim from the shortcut menu.


The traceroute results appear in a new window.


Using the Event Viewer Resolve Hostnames Option

The Hostnames option attempts to translate a numeric IP address into a hostname.

To resolve hostnames, follow these steps:


Step 1 Select a cell in the Grid Pane.

The selected cell is highlighted and outlined in yellow.

Step 2 To resolve the hostname of the attacker IP address, select Networking > Hostnames > Attacker.


Note You can also perform this function on an individual event in the Details Pane. Select Networking > Hostnames > Attacker from the shortcut menu.


The hostname results appear in a new window.

Step 3 To resolve the hostname of the victim IP address, select Networking > Hostnames > Victim.


Note You can also perform this function on an individual event in the Details Pane. Select Networking > Hostnames > Victim from the shortcut menu.


The hostname results appear in a new window.


Using the Tools Menu Options

This section contains the following topics:

Learning About Attacks

Viewing Trigger Packets

Viewing IP Logs

Viewing Event Statistics

Specifying Event Viewer Preferences

Learning About Attacks

The Network Security Database (NSDB) provides detailed information about signatures, including descriptions, versions, benign triggers, and related vulnerabilities. You can access the NSDB information for a signature directly from Event Viewer.

To access the NSDB, follow these steps:


Step 1 Select a cell in Event Viewer.

The selected cell is highlighted and outlined in gray.

Step 2 Select Tools > Explanation.

If there is an NSDB entry for the event you selected, the NSDB opens in a new window. Otherwise, a dialog box notifies you that there is not an NSDB entry for the event you selected and the NSDB index page opens.


Viewing Trigger Packets

Use the Trigger Packet option to view the data that was being transmitted on the network the instant an alarm was detected. You can use this information to help diagnose the nature of an attack. The trigger packet provides a single data packet—the data packet that caused the alarm to fire.


Note The trigger packet information differs from the Attacker Context and Victim Context fields in an alarm. The Context fields contain only the "payload" data in the packet, whereas the trigger packet includes the payload data and the header data that encapsulates the payload.


You can view trigger packet information for only one event at a time.

To view a trigger packet, follow these steps:


Step 1 Select a cell in the Grid Pane that corresponds to the event for which you want to view a trigger packet.

Step 2 Select Tools > Trigger Packet.


Tip You can also access the Trigger Packet option from the Details Pane by selecting Tools > Trigger Packet from the shortcut menu.


The Packet Viewer window appears. If you selected a cell that represents multiple events with trigger packets, you must select an event ID from the list box and click OK before the Packet Viewer window appears.


Viewing IP Logs

Use the IP Log option to view the data that was being transmitted on the network the instant an alarm was detected. You can use this information to help diagnose the nature of an attack. Although the amount of data contained in an IP log varies based on sensor configuration, by default an IP log contains 30 seconds of packet data.


Note The IP log information differs from the Context Buffer field in an alarm. The Context Buffer contains only the "payload" data in the packet, whereas the IP log includes the payload data and the header data that encapsulates the payload.



Note This option works with Cisco Intrusion Prevention System sensors based on version 4.1(2) or later software.


You can view IP log information for only one event at a time.

To view an IP log, follow these steps:


Step 1 Select a cell in the Grid Pane that corresponds to the event for which you want to view an IP log.

Step 2 Select Tools > IP Log.


Tip You can also access the IP Log option from the Details Pane by selecting Tools > IP Log from the shortcut menu.


The Packet Viewer window appears. If you selected a cell that represents multiple events with IP logs, you must select an event ID from the list box and click OK before the Packet Viewer window appears.


Viewing Event Statistics

You can view event statistics for a cell in Event Viewer. The statistics can include the following:

The number of events represented by the cell.

The severity level.

The number of child cells.

The percentage of total events that the selected cell and its child cells represent in the current Event Viewer display.

To view event statistics, follow these steps:


Step 1 Select a cell in Event Viewer.

The selected cell is highlighted and outlined in gray.

Step 2 Select Tools > Statistics.

The Event Statistics dialog box displays the event statistics.


Specifying Event Viewer Preferences

Use the options in the Preferences dialog box to specify Event Viewer settings for the current Event Viewer display. To modify preferences for all Event Viewer displays, see Defining Default Event Viewer Preferences and Defining Custom Event Viewer Preferences.

To specify the Event Viewer preferences, follow these steps:


Step 1 Select Tools > Options.

The Preferences dialog box appears.

Step 2 Under Boundaries, specify the following options:

a. To specify the maximum number of events that can be displayed in a single grid, enter a value in the Maximum Events per Grid field.

b. Specify the default Event Expansion Boundary in the Default Expansion Boundary field. The default value for the Event Expansion Boundary is one column.

The Event Expansion Boundary dictates the number of a new event's columns that will be expanded if the new event does not match an existing event group. The cells in an event are expanded as long as the event matches an existing event group. After there are no matches, a new row is created for the event, and the cells in the new event are expanded until the Event Expansion Boundary is reached.

c. Select the Show New Event Row Warning check box to display a pop-up notification when an event refresh will result in a large number of rows being inserted into the Event Viewer grid. By default, this option is selected.

Step 3 Under Severity Indicator, specify whether Event Viewer uses colors or icons to indicate event severity.

a. To use colors to display event severity, click the Color radio button.

b. To use icons to display event severity, click the Icon radio button.

Step 4 Under Sort By, specify whether events are sorted by count or content:

a. To sort events alphabetically based on the column to the right of the Count column, click the Content radio button.

b. To sort events based on the number of events per row from highest to lowest, click the Count radio button.

Step 5 Configure the grid display behavior. Under Cells, select the check box that corresponds to the desired behavior:

Blank Left—When multiple, contiguous rows contain the same information in a column, selecting this option causes the first instance of the information to display and subsequent instances to appear blank. When this option is cleared, the repeated information appears in every row. This option is selected by default.

Blank Right—A group of events is typically shown in a single row, with the first column (not counting the Count column) on the left defining the group. Multiple entries in associated columns are shown with a + (plus) sign in the column. Double-clicking the cell with the + sign expands the group by adding rows.

When Blank Right is selected, the + sign appears even when there is only one member of a group. You have to expand the group to see the details for the one event. When Blank Right is cleared, a group of events with only one event will show the information for the single event on the top line; you do not need to "drill down" to the single event. Blank Right is cleared by default.


Step 6 Under Access NSDB from, specify where you would like to access the NSDB to view signature information:

a. To access the NSDB from CCO, select the CCO radio button.

b. To access the NSDB from the local server, select the Local Server radio button.

Step 7 Under Database, specify the following options:

a. To enable automatic queries of the database for new events, select the Auto Query Enabled check box.

b. To specify how often, in minutes, Event Viewer queries the database for new events, enter a value in the Query Interval (minutes) field.

Step 8 Under Actions, specify the following options:

a. Enter an e-mail address in the E-Mail Recipients field to use for the E-mail Event Data feature. Use commas to separate multiple e-mail addresses. For more information about the E-mail Event Data feature, see Emailing Event Data.

b. To determine how long, in seconds, Event Viewer will wait for a response from the remote sensor or host before concluding that the remote sensor or host is not connected, enter a value in the Command Timeout field. The default is 10 seconds.

c. To specify how long, in minutes, a sensor blocks traffic from a specified source when you issue a Block command from Event Viewer, enter a value in the Time to Block field. The default is 1440 minutes.

d. Specify the subnet mask in the Subnet Mask field. This is the mask used to derive the network address from a source address when blocking networks based on a specific event.

Step 9 To save your changes, click OK.


Note The changes made to Event Viewer preferences using the Tools > Options selection from within Event Viewer only apply to the current Event Viewer session. For information on changing default Event Viewer settings, see Defining Event Viewer Preferences.



Defining Event Viewer Preferences

This section describes how to define Event Viewer preferences. It also describes how to administer preferences of Event Viewer users.

This section contains the following topics:

Defining Default Event Viewer Preferences

Defining Custom Event Viewer Preferences

Viewing Event Viewer Users

Deleting User Preferences from the Event Viewer Database

Defining Default Event Viewer Preferences

If you have administrative privileges, you can define the default Event Viewer preferences. Default preferences are used by all users. However, users can define custom preferences to reconfigure their views. For more information, see Defining Custom Event Viewer Preferences.

To define the default Event Viewer preferences, follow these steps:


Step 1 Select Admin > Event Viewer.

Step 2 Select Default Preferences from the TOC.

The Default Preferences page appears.

Step 3 To determine how long, in seconds, Event Viewer will wait for a response from the remote sensor or host before concluding that the remote sensor or host is not connected, enter a value in the Command Timeout field. The default is 10 seconds.

Step 4 To specify how long, in minutes, a sensor blocks traffic from a specified source when you issue a Block command from Event Viewer, enter a value in the Time to Block field. The default is 1440 minutes.

Step 5 Specify the subnet mask in the Subnet Mask field. This is the mask used to derive the network address from a source address when blocking networks based on a specific event.

Step 6 Enter an e-mail address in the E-Mail Recipients field to use for the E-mail Event Data feature. Use commas to separate multiple e-mail addresses. For more information about the E-mail Event Data feature, see Emailing Event Data.

Step 7 Specify the default Event Expansion Boundary in the Default Expansion Boundary field.

The Event Expansion Boundary dictates the number of a new event's columns that will be expanded if the new event does not match an existing event group. The cells in an event are expanded as long as the event matches an existing event group. After there are no matches, a new row is created for the event, and the cells in the new event are expanded until the Event Expansion Boundary is reached.

Step 8 Enter a value in the Maximum Events per Grid field to specify the maximum number of events that can be displayed in a single grid.

Step 9 Select the Show New Event Row Warning check box to display a pop-up notification when an event refresh will result in a large number of rows being inserted into the Event Viewer grid. By default, this option is selected.

Step 10 To specify how often, in minutes, Event Viewer queries the database for new events, enter a value in the Query Interval (minutes) field.

Step 11 To enable automatic queries of the database for new events, select the Auto Query Enabled check box.

Step 12 Specify whether Event Viewer uses colors or icons to indicate event severity.

a. To use colors to display event severity, click the Color radio button.

b. To use icons to display event severity, click the Icon radio button.

Step 13 Configure the grid display behavior. Select the check box that corresponds to the desired behavior:

Blank Left—When multiple, contiguous rows contain the same information in a column, selecting this option causes the first instance of the information to display and subsequent instances to appear blank. When this option is cleared, the repeated information appears in every row. This option is selected by default.

Blank Right—A group of events is typically shown in a single row, with the first column (not counting the Count column) on the left defining the group. Multiple entries in associated columns are shown with a + (plus) sign in the column. Double-clicking the cell with the + sign expands the group by adding rows.

When Blank Right is selected, the + sign appears even when there is only one member of a group. You have to expand the group to see the details for the one event. When Blank Right is cleared, a group of events with only one event will show the information for the single event on the top line; you do not need to "drill down" to the single event. Blank Right is cleared by default.


Step 14 Specify whether events are sorted by count or content.

a. To sort events alphabetically based on the column to the right of the Count column, click the Content radio button.

b. To sort events based on the number of events per row from highest to lowest, click the Count radio button.

Step 15 Specify where you would like to access the NSDB to view signature information:

a. To access the NSDB from CCO, click the CCO radio button.

b. To access the NSDB from the local server, click the Local Server radio button.

Step 16 Click Apply.

The preferences you specified are the default preferences used by all Event Viewer users.


Defining Custom Event Viewer Preferences

You can define custom Event Viewer preferences that override the default Event Viewer preferences. Custom Event Viewer preferences affect only the Event Viewer displays opened by the user for whom the preferences were defined.

To define custom Event Viewer preferences, follow these steps:


Step 1 Select Admin > Event Viewer.

Step 2 Select Your Preferences from the TOC.

The Your Preferences page appears.

Step 3 To determine how long, in seconds, Event Viewer will wait for a response from the remote sensor or host before concluding that the remote sensor or host is not connected, enter a value in the Command Timeout field. The default is 10 seconds.

Step 4 To specify how long, in minutes, a sensor blocks traffic from a specified source when you issue a Block command from Event Viewer, enter a value in the Time to Block field. The default is 1440 minutes.

Step 5 Specify the subnet mask in the Subnet Mask field. This is the mask used to derive the network address from a source address when blocking networks based on a specific event.

Step 6 Enter an email address in the E-Mail Recipients field to use for the E-mail Event Data feature. Use commas to separate multiple email addresses. For more information about the E-mail Event Data feature, see Emailing Event Data.

Step 7 Specify the default Event Expansion Boundary in the Default Expansion Boundary field.

The Event Expansion Boundary determines how many columns of a new event are expanded when the new event does not match an existing event group. The cells in an event are expanded as long as the event matches an existing event group. When no match is found, a new row is created for the event, and the cells in the new event are expanded until the Event Expansion Boundary is reached.

Step 8 Enter a value in the Maximum Events per Grid field to specify the maximum number of events that can be displayed in a single grid.

Step 9 Select the Show New Event Row Warning check box to display a pop-up notification when an event refresh will result in a large number of rows being inserted into the Event Viewer grid. By default, this option is selected.

Step 10 To specify how often, in minutes, Event Viewer queries the database for new events, enter a value in the Query Interval (minutes) field.

Step 11 To enable automatic queries of the database for new events, select the Auto Query Enabled check box.

Step 12 Specify whether Event Viewer uses colors or icons to indicate event severity.

a. To use colors to display event severity, click the Color radio button.

b. To use icons to display event severity, click the Icon radio button.

Step 13 Configure the grid display behavior. Select the check box that corresponds to the desired behavior:

Blank Left: When multiple, contiguous rows contain the same information in a column, selecting this option causes the first instance of the information to display and subsequent instances to appear blank. When this option is cleared, the repeated information appears in every row. This option is selected by default.

Blank Right: A group of events is typically shown in a single row, with the first column (not counting the Count column) on the left defining the group. Multiple entries in associated columns are shown with a + (plus) sign in the column. Double-clicking the cell with the + sign expands the group by adding rows.

When Blank Right is selected, the + sign appears even when there is only one member of a group. You have to expand the group to see the details for the one event. When Blank Right is cleared, a group of events with only one event will show the information for the single event on the top line; you do not need to "drill down" to the single event. Blank Right is cleared by default.


Step 14 Specify whether events are sorted by count or content.

a. To sort events alphabetically based on the column to the right of the Count column, click the Content radio button.

b. To sort events based on the number of events per row from highest to lowest, click the Count radio button.

Step 15 Specify where you would like to access the NSDB to view signature information:

a. To access the NSDB from CCO, click the CCO radio button.

b. To access the NSDB from the local server, click the Local Server radio button.

Step 16 To save your changes, click Apply.

Your Event Viewer displays will use the preferences you defined.

Step 17 To revert to the default Event Viewer preferences, click Reset to Defaults.

Your custom preferences are overwritten by the default preferences used by all Event Viewer users.
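The Subnet Mask preference in Step 5 decides how wide a network block becomes: the sensor blocks the whole network derived from the event's source address, so a broad mask can also cut off hosts you rely on. The following script is an added example, not part of the Cisco documentation or Security Monitor itself; it derives the network the way Step 5 describes and reports which of a constructed list of protected hosts would be caught, for a few candidate masks. The source address, masks and protected hosts are constructed sample values.

```python
import ipaddress

# Constructed sample values (not from the documentation): a source
# address taken from an event and some hosts that must never be blocked.
SOURCE_ADDRESS = "192.0.2.77"
PROTECTED_HOSTS = ["192.0.2.10", "198.51.100.5"]


def network_to_block(source_address: str, subnet_mask: str) -> ipaddress.IPv4Network:
    """Derive the network address as Step 5 describes: the source address
    of the event masked with the configured Subnet Mask preference."""
    # strict=False lets ipaddress clear the host bits for us.
    return ipaddress.ip_network(f"{source_address}/{subnet_mask}", strict=False)


def collateral_hosts(network: ipaddress.IPv4Network, protected_hosts) -> list:
    """Return the protected hosts that fall inside the network to be blocked."""
    return [h for h in protected_hosts if ipaddress.ip_address(h) in network]


def review_block(source_address: str, subnet_mask: str, protected_hosts) -> dict:
    """Summarise the blast radius of a network block for one mask setting."""
    net = network_to_block(source_address, subnet_mask)
    return {
        "network": str(net),
        "addresses_blocked": net.num_addresses,
        "collateral": collateral_hosts(net, protected_hosts),
    }


if __name__ == "__main__":
    # Compare a host-only block with /24 and /16 network blocks.
    for mask in ("255.255.255.255", "255.255.255.0", "255.255.0.0"):
        print(mask, review_block(SOURCE_ADDRESS, mask, PROTECTED_HOSTS))
```

Run it against your own address plan before widening the mask; a non-empty collateral list means the block would also isolate infrastructure you need.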


Viewing Event Viewer Users

You can view a list of users that have custom Event Viewer preferences stored in the database.

To view a list of Event Viewer users, follow these steps:


Step 1 Select Admin > Event Viewer.

Step 2 Select Users from the TOC.

The Users page appears. The users are listed in a table on this page.


Deleting User Preferences from the Event Viewer Database

To clean up your database, you can delete preferences for users who no longer view events. Only the event viewing preferences for that user are deleted from the database.


Note You must have administrative privileges to delete user preferences from the database.



Tip Security Monitor administers only Event Viewer user records. To administer user permissions, you must use Management Center for IPS Sensors (IPS MC). For more information, refer to Using Management Center for IDS Sensors.


To delete a user's preferences from the Event Viewer database, follow these steps:


Step 1 Select Admin > Event Viewer.

Step 2 Select Users from the TOC.

The Users page appears.

Step 3 Select the check box next to the user ID of the user whose Event Viewer preferences you want to delete.


Note You can select all users by clicking Select All.


A check mark appears next to the user ID that you selected.

Step 4 To delete Event Viewer preferences for the selected user, click Delete.

The event viewing preferences for the selected user are deleted from the Event Viewer database.