Using Monitoring Center for Security 1.2
Using the Event Viewer

Table of Contents

Using the Event Viewer
Understanding Event Viewer Basics and Settings
Starting Event Viewer
Working in Event Viewer
Defining Event Viewer Preferences

Using the Event Viewer


You can use Event Viewer to view real-time and historical events. Events include IDS alerts (generated by network-based and host-based sensors, IOS devices, and PIX Firewalls), syslog messages, and audit logs. This section contains the following topics:

Understanding Event Viewer Basics and Settings

Sensors and other network devices can continually forward events to Monitoring Center for Security (Security Monitor). These events are stored in the Security Monitor database. Event Viewer allows you to view the events stored in the Security Monitor database. You can view real-time events as they are forwarded to Security Monitor, and you can also view historical events stored in the database.


Note   Event Viewer is not the same as the Windows Administrative Tool also known as Event Viewer.

The following list contains examples of events that can be viewed in Event Viewer:

  • An attempt to break into a computer (IDS Alerts)
  • General security-related messages (Security Summaries)
  • A status message from a program or a computer (Audit Logs)

Event Viewer queries the database at regular intervals to extract the most recent events.

To learn more about Event Viewer, see the following topics:

Event Display

Event Viewer combines the functionality of a spreadsheet (such as Lotus 1-2-3 or Microsoft Excel) with that of a hierarchical, drill-down directory (such as Windows Explorer) to create a collection of event records called a drillsheet (a drilldown spreadsheet). The drillsheet displays groups of similar event records on a single row of a grid, enabling you to detect patterns in the data.

Event Viewer contains a grid pane that organizes and displays event records. Event Viewer can read real-time events and historical events from the database. You can configure the grid pane in a variety of ways to display information about alarms detected by the sensor. For example, you can delete unwanted columns and expand and collapse cells.

A drillsheet has rows and columns, and the intersection of a row and a column is called a cell.

The background color of a cell gives some information about the cell:

  • If a cell is white, only one data element is associated with that cell.
  • If a cell is gray, that cell may represent more than one data element.
    • If a cell is gray and displays the + symbol, that cell represents more than one data element. You can see all the data elements by double-clicking this cell.
    • If a cell is gray but displays a single data element (for example, 172.21.172.6), that cell has not been expanded, but it contains only a single data element, so that element is displayed anyway.

Note   You can use the Preferences panel to modify the Event Viewer behavior. For more information, see Specifying Event Viewer Preferences.


Note   The conventions governing the background colors of cells in the Count column are different and are described in Status Propagation.

For example, in Figure 4-1, there is more than one source address associated with the events that have the name "ICMP Echo Req". Therefore, the Source Address cell in the ICMP echo request row is gray and displays "+". We also see that Source Address column has been expanded for the "ICMP Unreachable" events. Therefore, the cells in the Source Address column for the ICMP Unreachable rows are white. Finally, note that the destination address 172.21.163.170 has a gray background but has data displayed, rather than a "+". This means that this cell has not been expanded, but there is only one data element to be displayed, so it is displayed anyway.


Figure 4-1   Event Viewer Drillsheet


Selecting Cells

Many of the functions performed by Event Viewer require you to select cells in the drillsheet. Typically, you select a cell by clicking it. It is important to understand what it means to select a cell in the drillsheet.

When you select a cell in the drillsheet you are actually selecting a node in the event tree. When you perform an operation against a selected cell, you are actually performing an operation on all branches of nodes that pass through the selected cell. For example, in Figure 4-2, if you select the "ICMP Unreachable" cell, any operation that you run on that cell is performed for all events that have the name "ICMP Unreachable." In this case, that would be all elements in rows 4 through 8. If you intend to execute an operation against only row 4, you must select, in Figure 4-2, either the "64.101.182.237" cell or a cell to its right.


Figure 4-2   Event Viewer Drillsheet


Furthermore, if you select a cell that is blank because its value is implied by the cell above it (for example, the cell just below the "ICMP Unreachable" cell), the branch of the node that is operated on is the branch that is defined by the first cell that is filled in to the right of the blank cell that you selected. For example, in Figure 4-2, if you select the blank cell just below the "ICMP Unreachable" cell, when you perform an action, Event Viewer behaves as though you selected the "172.21.163.163" cell.


Note   You can use the Preferences panel to change this behavior. For more information, see Specifying Event Viewer Preferences.

The Count Column and the Event Count Tool-Tip

Event Viewer provides two mechanisms for displaying the number of events in a group: the Count column and the event count tool-tip.

  • Count Column—The Count column is the first column in the drillsheet; you cannot move, collapse, or delete it. In the Count column, a cell for a given row displays the number of events represented by that row, that is, by the full combination of values in that row. For example, the drillsheet in Figure 4-3 indicates that there are 18 "ICMP Echo Req" events. However, the count of 7 in the fourth row does not mean that there are 7 "ICMP Unreachable" events in total; it means that there are 7 "ICMP Unreachable" events with a source address of "172.21.163.190" and a destination address of "64.101.28.56".
  • Event Count Tool-Tip—You can find out how many events are represented in a branch that spans more than one row by resting the mouse pointer on the cell you are interested in. A tool-tip indicates how many events pass through that branch. The tool-tip also displays a child count. The child count is the number of unique data elements to the right of the cell you have selected.

In Figure 4-3, when you rest the mouse pointer on the source address 172.21.163.190, you see a count of 8 and a child count of 2. This means that there are 8 "ICMP Unreachable" events with a source address of 172.21.163.190. The values in the Count column confirm this. The Count column indicates that there are 7 events with the fields "ICMP Unreachable," 172.21.163.190 and 64.101.128.56 and 1 event with the fields "ICMP Unreachable," 172.21.163.190 and 171.70.168.183. The sum of 7 and 1 is 8.


Figure 4-3   Event Count Tool-Tip


Status Propagation

This section describes how Event Viewer determines the severity for individual events and groups of events.

  • Individual Events—Some events are more severe than others. Some events represent unmistakable and devastating actions, while others might represent occurrences that are either less damaging or more ambiguous, or both. To indicate the severity of an alarm, a sensor associates a severity level with each alarm that is generated. In general, those severity levels are Informational, Low, Medium, and High, and the colors associated with those levels are blue, green, yellow, and red, respectively.
  • Event Groups—Event Viewer uses a "propagate most severe" status propagation scheme. This means that in a group of events, the severity of the group is the severity of the most severe event in the group. For example, if an event group contains one High event and 17 Low events, the severity of the group is High.

The background color of the event group's Count column cell is the color associated with the event group's severity. For example, if row number 17 represents 200 events, and if one of those 200 events is High, the event group itself is considered High, and the background color of the Count column cell at row number 17 is red.


Note    You can modify the Event Viewer preferences to use icons instead of color to indicate status.

The status of the rows is modified in real time when events are added or deleted or when you manipulate the rows.

In addition to being shown in the Count column, the severity of an event group is reflected in the Severity column. For more information about how you can manipulate drillsheets to group events by severity, see Sorting Data and Shifting Columns.

Context Buffer

Some alarms have context buffers associated with them. Context buffers record exactly what traffic was traversing the network at the time the alarm's signature was detected. The context buffer contains up to 256 bytes of incoming traffic and 256 bytes of outgoing traffic.

Not all events have context buffers. The following is a partial list of alarms that have context buffers:

  • 3100 Smail Attack
  • 3101 Sendmail Invalid Recipient
  • 3102 Sendmail Invalid Sender
  • 3103 Sendmail Reconnaissance
  • 3104 Archaic Sendmail Attacks
  • 3200 WWW Phf Attack
  • 3201 WWW General cgi-bin Attack
  • 6251 Telnet Authorization Failure
  • 8000 String Match

The 8000 signature contains the following subsignatures:

  • 2101 FTP Retrieve Password File
  • 2302 Telnet-/etc/shadow Match
  • 2303 Telnet-++
  • 51301 Rlogin-IFS Match
  • 51302 Rlogin-/etc/shadow Match
  • 51303 Rlogin-++

For more information about signatures, see the Network Security Database (NSDB). You can access the NSDB at https://hostname/vms/nsdb/html/all_sigs_index.html, where hostname is the name of the computer on which Security Monitor is installed. For information about viewing the NSDB entry for an event in Event Viewer, see Learning About Attacks.

If even one event represented by a row has a context buffer, the value in the Count column is bold. To view the context buffer(s) associated with an event group, select a cell, and then select View > Context Buffer in the TOC. For more information, see Viewing the Context Buffer.

Sorting Data and Shifting Columns

You can sort data within a column and you can change the order of columns to help you find data.

Sorting Data

By default, all columns except time-related columns and Severity columns are displayed in ascending order. This means that, from top to bottom, numbers are displayed from least to greatest, and words are displayed from A to Z. To change the sorting scheme of a column from ascending to descending (or vice versa), click the column header. To change it back, click the column header again.


Note   By default, time-related columns (times, dates, and timestamps) are displayed in descending order. The most recent dates are displayed at the top of the list, ensuring that recent events are displayed at the top of lists. To change to ascending order, click the column header. By default, Severity columns are displayed in ascending order of priority (Info, Low, Medium, High). To change to descending order (High, Medium, Low, Info), click the column header.

Sorting within a drillsheet is different from sorting in a spreadsheet in one significant way: In a drillsheet, sorting data elements in a particular column is constrained by the nature of the data in the columns to the left.

For example, Table 4-1 shows two columns. The first column has last names, and the second column has first names.

Table 4-1   First Names Sorted in Ascending Order

Last Name    First Name
Baker        Alan
             Wanda
Jones        Bob
             Xena
Smith        Charles
             Yvonne

The Last Name column and the First Name column are ascending. First names are associated with last names, so any sorting of first names must be within last names. If you click the First Name header to change the sorting scheme to descending, you obtain the results shown in Table 4-2.

Table 4-2   First Names Sorted in Descending Order

Last Name    First Name
Baker        Wanda
             Alan
Jones        Xena
             Bob
Smith        Yvonne
             Charles

The data in the first column did not change when you changed the sorting scheme of the second column.

Shifting Columns

The order of the columns in a drillsheet determines how events are grouped together. For example, if your first three columns (excluding the Count column) are, in order, Name, Source Address, Dest Address, all events are grouped by name, and then each of those name groups is divided into subgroups by source address, and then each of those subgroups is divided into even smaller groups by destination address.

To change the way events are grouped, you must change the order of the columns.

To change column order, click and hold the cursor over the header of the column you want to move, and then drag the header to the desired location and release the mouse button. The window is redrawn.


Note   In Security Monitor versions earlier than 1.2, changes in column order are not persistent: If you close and re-open a drillsheet, the columns appear in their original order.

In most cases, redrawing after a column shift is nearly instantaneous. However, with large numbers of events (tens of thousands or more), a slight delay may occur during redrawing.

The Count column is always the first column in the display. You cannot drag the Count column to another position, and you cannot drag another column to the left of the Count column. If you attempt to move the Count column the columns revert to their original positions.

When columns are shifted, the entire window is redrawn, meaning that all rows are expanded to the Event Expansion Boundary for that window. To reduce the number of rows that are drawn with each column shift, consider making one of the first few columns the Event Expansion Boundary.
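The following model ties together the drillsheet concepts described above (Event Display, the Count column and tool-tip child count, Status Propagation, Sorting Data, and Shifting Columns). It is an added example written for this page, not Event Viewer's own code: events are grouped column by column into a tree, so a cell is a node, the Count column is the number of events passing through the node, the tool-tip child count is the number of distinct values in the column to the right, and the group's severity is the most severe event in it. Sorting is done inside each parent node, which is why a column's order is constrained by the columns to its left, and reordering the column list regroups the same events. The sample events, addresses and the "boundary" parameter (the number of expanded columns, standing in for the Event Expansion Boundary) are constructed for the example.

```python
"""Added model of the Event Viewer drillsheet (example code, not Cisco's):
events are grouped column by column into a tree, so a cell is a tree node.
Shows the Count column, the tool-tip child count, "propagate most severe"
status, sorting constrained by the columns to the left, and how column order
and the expansion boundary change the rows that are drawn."""
from dataclasses import dataclass, field
from typing import Optional

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3}
COLUMNS = ["name", "src", "dst"]   # drillsheet column order, Count excluded

# Constructed sample events (not from the original page); RFC 1918 placeholders.
EVENTS = [
    {"name": "ICMP Echo Req",    "src": "10.0.0.1", "dst": "10.0.1.5",  "sev": "Info"},
    {"name": "ICMP Echo Req",    "src": "10.0.0.2", "dst": "10.0.1.5",  "sev": "Info"},
    {"name": "ICMP Unreachable", "src": "10.0.0.7", "dst": "10.0.1.9",  "sev": "Low"},
    {"name": "ICMP Unreachable", "src": "10.0.0.7", "dst": "10.0.1.9",  "sev": "Low"},
    {"name": "ICMP Unreachable", "src": "10.0.0.7", "dst": "10.0.1.10", "sev": "Medium"},
    {"name": "WWW Phf Attack",   "src": "10.0.0.9", "dst": "10.0.1.80", "sev": "High"},
    {"name": "WWW Phf Attack",   "src": "10.0.0.9", "dst": "10.0.1.80", "sev": "Low"},
]


@dataclass
class Node:
    value: Optional[str]                          # cell text; None for the root
    events: list = field(default_factory=list)    # every event passing through this node
    children: dict = field(default_factory=dict)  # next column's value -> Node

    @property
    def count(self) -> int:          # what the Count column / tool-tip count shows
        return len(self.events)

    @property
    def child_count(self) -> int:    # tool-tip child count: distinct values to the right
        return len(self.children)

    @property
    def severity(self) -> str:       # "propagate most severe"
        return max((e["sev"] for e in self.events), key=SEVERITY_RANK.__getitem__)


def build_tree(events, columns):
    """Group events by the first column, then each group by the next, and so on."""
    root = Node(None, list(events))
    for e in events:
        node = root
        for col in columns:
            node = node.children.setdefault(e[col], Node(e[col]))
            node.events.append(e)
    return root


def sort_key(value):
    """Ascending sort; dotted-quad addresses compare numerically, other text as strings."""
    parts = value.split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return (0, tuple(int(p) for p in parts))
    return (1, value)


def drillsheet(root, columns, boundary, descending=frozenset()):
    """Rows as (count, severity, cells). The first `boundary` columns are expanded;
    a collapsed (gray) cell shows its single value, or '+' when it hides several."""
    rows = []

    def collapsed_cells(node, depth):
        cells = []
        for _ in columns[depth:]:
            if node.child_count == 1:
                node = next(iter(node.children.values()))
                cells.append(node.value)   # gray cell, but only one element: show it
            else:
                cells.append("+")          # gray cell with '+': more than one element
        return cells

    def walk(node, depth, prefix):
        if depth == boundary or not node.children:
            rows.append((node.count, node.severity, prefix + collapsed_cells(node, depth)))
            return
        # Sorting happens inside the parent node, so a column's order is always
        # constrained by the columns to its left (Table 4-1 / Table 4-2).
        ordered = sorted(node.children.values(), key=lambda c: sort_key(c.value),
                         reverse=columns[depth] in descending)
        for child in ordered:
            walk(child, depth + 1, prefix + [child.value])

    walk(root, 0, [])
    return rows


if __name__ == "__main__":
    tree = build_tree(EVENTS, COLUMNS)
    for count, sev, cells in drillsheet(tree, COLUMNS, boundary=1):
        print(f"{count:3} {sev:7} " + " | ".join(cells))
    tip = tree.children["ICMP Unreachable"].children["10.0.0.7"]
    print(f"tool-tip: count={tip.count} child count={tip.child_count}")
```

With the boundary at one column, the three "ICMP Unreachable" events collapse into one row whose Count cell would be colored for Medium, the most severe member, and whose Source Address cell shows 10.0.0.7 because it is the only source, while the Dest Address cell shows "+". Moving "src" to the front of the column list regroups the same events by source address, which is what dragging a column header does in the product.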

Graphing Features

You can display Event Viewer data as a bar graph. Two types of graph are available:

  • Graph > By Child
  • Graph > By Time

Each bar in the graph depicts two things:

  • The total number of events represented by the bar
  • The breakdown of events by severity for the events represented by the bar

The event count is denoted by the y-axis. The severity breakdown is depicted in each bar as a "stack" of colors, where blue, green, yellow, and red represent Info, Low, Medium, and High severity, respectively.

You can select which events in the viewer are graphed. You can also specify how the events are graphed; in other words, you can specify the field that defines the x-axis grouping. Each is described below.

  • Selecting the subset of events to graph—In the Event Viewer "grid" display, select the node (cell) that corresponds to the events you want to graph. If you want a graph of all events in the viewer, select the top-left cell in the display (the root node).
  • Selecting the way in which events are grouped (x-axis)—You can select how events are grouped on the x-axis in several ways.

If you want to see how the selected events were distributed over time, select Graph > By Time.

If you want to group events by some field in the display, select Graph > By Child. The "Child" means that for a selected node in Event Viewer, a graph will be drawn in which the x-axis is defined by the selected node's "child" nodes, that is, the nodes in the column to the right of the selected node. For example:

Let's say that you are viewing All IDS Events in your Event Viewer, and you would like to see a graph that breaks down the events by attack type (denial of service, reconnaissance, worms, and so on) for just IDIOM (4.0 and later) Sensors.

To do this, drag and drop the IDS Alarm Type column just to the right of the Count column, and then drag the Attack Type column just to the right of the IDS Alarm Type column. Now, select the cell in the IDS Alarm Type column that says IDS IDIOM, and then select Graph > By Child.

You will see a graph of all IDIOM (4.0 and beyond Sensor) events, grouped by attack type. For each bar, which represents a particular attack type, you will see the total number of events (represented by the height of the bar) and the breakdown by severity (represented by the height of the colors within the bar).
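The data behind the two graph types, as an added example that is not part of the product: Graph > By Child counts the selected node's events per value of the next column, and Graph > By Time counts them per time bucket; each bar is a stack of per-severity counts. The attack types, severities, timestamps and the 60-second bucket width are constructed for the example.

```python
"""Added example: the data behind Graph > By Child and Graph > By Time,
computed from constructed events (example code, not Event Viewer's own)."""
from collections import defaultdict
from datetime import datetime, timedelta

SEVERITIES = ("Info", "Low", "Medium", "High")   # blue, green, yellow, red in the product

T0 = datetime(2004, 1, 1, 12, 0, 0)   # constructed base time
# Constructed events, as they might sit under one selected node (e.g. IDS IDIOM).
EVENTS = [
    {"attack_type": "Reconnaissance", "sev": "Low",    "time": T0 + timedelta(seconds=10)},
    {"attack_type": "Reconnaissance", "sev": "Info",   "time": T0 + timedelta(seconds=40)},
    {"attack_type": "DoS",            "sev": "High",   "time": T0 + timedelta(seconds=75)},
    {"attack_type": "DoS",            "sev": "Medium", "time": T0 + timedelta(seconds=80)},
    {"attack_type": "Worm",           "sev": "High",   "time": T0 + timedelta(seconds=130)},
]


def _empty_stack():
    return dict.fromkeys(SEVERITIES, 0)


def graph_by_child(events, child_field):
    """x-axis: distinct values of child_field (the column right of the selected node);
    each bar: event count per severity, which sums to the bar height."""
    bars = defaultdict(_empty_stack)
    for e in events:
        bars[e[child_field]][e["sev"]] += 1
    return dict(sorted(bars.items()))


def graph_by_time(events, bucket_seconds):
    """x-axis: fixed-width time buckets starting at the earliest selected event."""
    start = min(e["time"] for e in events)
    bars = defaultdict(_empty_stack)
    for e in events:
        offset = int((e["time"] - start).total_seconds()) // bucket_seconds
        bars[start + timedelta(seconds=offset * bucket_seconds)][e["sev"]] += 1
    return dict(sorted(bars.items()))


def render(bars):
    """Text rendering of the stacked bars: one character per event, coded
    i/l/m/h for Info/Low/Medium/High so the severity stack stays visible."""
    code = {"Info": "i", "Low": "l", "Medium": "m", "High": "h"}
    lines = []
    for label, stack in bars.items():
        total = sum(stack.values())
        bar = "".join(code[s] * stack[s] for s in SEVERITIES)
        lines.append(f"{str(label):20} {total:3} {bar}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(graph_by_child(EVENTS, "attack_type")))
    print(render(graph_by_time(EVENTS, 60)))
```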

Deleting Columns

You can delete a column from the Event Viewer display. Deleting a column affects only the Event Viewer display that you are viewing. It does not change the default column arrangement for other existing or future Event Viewer displays.

To delete a column from the current Event Viewer display, select any cell in the column that you want to delete. Then, select Edit > Delete > Column.

Starting Event Viewer

Before you start Event Viewer, you must specify which events you want to display.


Note   Event start and stop times are the times at which events were stored in the database, not the time that the events were generated by the sensor. Usually, the two times are close, if not identical. Storage and generation times differ greatly only if there are communications problems that postpone sending events from the sensor to the database.

To start Event Viewer, follow these steps:


Step 1   Select Monitor > Events.

The Launch Event Viewer page appears.

Step 2   To select which event type appears in Event Viewer, select an option from the Event Type list box.

Step 3   Select an option from the Column Set list box:

  • Last Saved—If you choose Last Saved, Security Monitor queries the database to retrieve your customized set of columns.
  • Default—If you choose Default, Security Monitor provides the column set that shipped with Version 1.1 and earlier.
  • All—If you choose All, Security Monitor provides all possible columns—the recommended columns and then all the remaining columns.

Step 4   Select an option in the Event Start Time section to specify the oldest events that appear in Event Viewer.

  • Select At Earliest to view events starting with the oldest stored in the database.
  • Select At Time to specify a date and time from which you want to start displaying events.

Step 5   Select an option in the Event Stop Time section to specify the most recent events that appear in Event Viewer.

  • Select Don't Stop for real-time event analysis.
  • Select At Time to specify a date and time up to which you want to display events.

Step 6   To start Event Viewer, click Launch Event Viewer.

Event Viewer appears.


Tip To start another Event Viewer window from the current Event Viewer window, select File > New > Window in Internet Explorer or File > New > Navigator Window in Netscape Navigator.





Working in Event Viewer

This section describes the tasks that you can perform from the menus in Event Viewer.

Deleting an Event from the Event Viewer Display

You can delete an event or set of events from the current Event Viewer display without removing these events from the database or other, concurrently running Event Viewers.

To delete an event from the current Event Viewer display, follow these steps:


Step 1   Select a cell in the Event Viewer display.

Step 2   Select Edit > Delete > From this Grid.

The Event Viewer display appears again, reflecting the deletion of the cell that you selected.





Deleting a Column from the Event Viewer Display

You can delete a column from the current Event Viewer display. Deleting a column from the current Event Viewer display does not delete the events in that column from the database, nor does it mark the events in that column for deletion from the database.

To delete a column from the current Event Viewer display, follow these steps:


Step 1   Select any cell in the column that you want to delete.


Note    You cannot delete the Count column.

Step 2   Select Edit > Delete > Column.

The Event Viewer display appears again, reflecting the deletion of the column that you selected.





Deleting Events from the Database Manually

You can delete events from the database manually when you no longer need those events or when you want to reduce the size of the database.

Deleting events manually involves executing a script at a command prompt. Other methods of deleting events involve using database rules, event rules, or Event Viewer.


Note   Because of the way alarm data is stored in the database, there will not always be a one-to-one correspondence between the number of events deleted from the event display and number of records removed from the relational database.

Deleting events manually is the best method for deleting events that you no longer need, and the best method to use when your database has grown larger than you want. Database rules and event rules can help you maintain the content and size of your database, but they are less effective when you need to delete events immediately, because you have to wait for the rules to be triggered. Deleting events through Event Viewer is practical only when the database contains fewer than 1,000,000 events.

To use this procedure, you must have access to the Security Monitor server. If you do not, you cannot execute a script in a command window.

To delete events from the database, follow these steps:


Step 1   Choose a script that is suited to the reason that you want to delete events:

  • PruneByAge.pl—Choose this script when you want to delete events that are older than a specific number of days.
  • PruneByDate.pl—Choose this script when you want to delete events that occurred on or before a specific date.
  • PruneBySeverity.pl—Choose this script when you want to delete events because your database contains low-severity events that you do not need to keep.
  • PruneDefault.pl—Choose this script when you want to delete events because your database has too many events (because your database is too big).
  • PruneSpecifyCmdLine.pl—Choose this script when you want to delete events by specifying alarms.

Tip The available scripts are stored on the Security Monitor server in ~CSCOpx/MDC/etc/ids/scripts.

Step 2   Open a command window and execute the script that you have chosen.

The script runs independently of the Security Monitor web interface, so you can continue working with Security Monitor while it runs.

Step 3   Alternatively, if your database contains fewer than 1,000,000 events, you can mark events for deletion in Event Viewer and then prune them:

a. In Event Viewer, select one or more cells representing the events you want to delete.

b. Select Edit > Delete > From Database. This marks the events for deletion; it does not remove them yet.

c. Execute the PruneMarkedForDeletion.pl script or the Alarm Export Utility to remove the marked events from the database.





Collapsing Cells

When a cell is collapsed, all branches that pass through the selected cell provide less detail. For each branch, the background color of the cells in the newly hidden column changes from white to gray. Also, rows are removed as necessary to conceal the appropriate data.


Note   Collapsing does not delete anything; it merely hides data from view.

Events can be collapsed by one column, by first group, or all the way (all columns). If a cell is collapsed by one column, each branch through the selected cell gives one less column of detail. If a cell is collapsed by first group, Event Viewer traverses the tree from the selected node and collapses all nodes up the branch until a node with multiple child nodes is collapsed. If a cell is collapsed all the way, all branches through the selected cell are condensed into the selected cell.

To collapse a cell, follow these steps:


Step 1   Select a cell in Event Viewer.

The selected cell is highlighted and outlined in gray.

Step 2   To collapse a cell by one column, select Edit > Collapse > One Column.

Step 3   To collapse a cell by first group, select Edit > Collapse > First Group.

Step 4   To collapse a cell all the way, select Edit > Collapse > All Columns.





Setting the Event Expansion Boundary

The Event Expansion Boundary determines how many columns of a new event are expanded when the event does not match an existing event group. The cells of an incoming event are expanded as long as the event matches an existing event group. Once there is no match, a new row is created for the event, and the cells in the new row are expanded until the Event Expansion Boundary is reached.

The default value for the Event Expansion Boundary is one column. You can change the default value in the Preferences dialog box.

To set the Event Expansion Boundary, follow these steps:


Step 1   To establish a column as the Event Expansion Boundary, select a cell in that column.

The selected cell is highlighted and outlined in gray.

Step 2   Select Edit > Set Event Expansion Boundary.

The Event Expansion Boundary is set. The column heading is bold.





Expanding Cells

When a cell is expanded, all branches that pass through the selected cell provide more detail. For each branch, the background color of the cells in the newly filled-in column(s) changes from gray to white. Also, rows are created as necessary to display the exposed data.

Event rows can be expanded by one column, by first group, and by all columns. If a cell is expanded by one column, each branch through the selected cell gives one more column of detail. If a cell is expanded by first group, Event Viewer traverses the tree from the selected node and expands all nodes down the branch until a node with multiple children is reached. If a cell is expanded all the way, all branches through the selected cell are fully expanded.


Note   Sometimes expanding events can cause many rows to be created. If the number of new rows exceeds a certain maximum, a popup window asks you to confirm that you want to continue.

To expand a cell, follow these steps:


Step 1   Select a cell in Event Viewer.

The selected cell is highlighted and outlined in gray.

Step 2   To expand a cell by one column, select Edit > Expand > One Column.

Step 3   To expand a cell by first group, select Edit > Expand > First Group.

Step 4   To expand a cell all the way, select Edit > Expand > All Columns.





Saving Your Preferred Column Setting

This procedure explains how to specify and save the following information for a particular event type:

  • Which columns are displayed.
  • The order in which the columns are displayed.
  • The sorting scheme for each column.

Note   This procedure is not available in Security Monitor versions 1.1 and earlier.

To save your column setting as your preferred column setting, follow these steps:


Step 1   Start Event Viewer as explained in Starting Event Viewer. In Step 3 of Starting Event Viewer, be sure to select Last Saved from the Column Set list box.

Step 2   Drag and drop columns, and delete columns, to arrange them the way you want. Also, sort the columns in ascending or descending order by clicking the column headings.

Step 3   Select Edit > Save Column Set.

Your current column setting is saved as your preferred column setting. It applies only to the event type that you are monitoring and only to your user account.





Suspending and Resuming New Events

You can suspend new events from being added to the current Event Viewer display. You can resume receiving new events when you are ready.

To suspend or resume events, follow these steps:


Step 1   To suspend receiving new events, select Actions > Suspend New Events.

Event Viewer stops querying the database for new events.

Step 2   To resume receiving new events, select Actions > Resume New Events.

Event Viewer resumes querying the database for new events.





Specifying Event Viewer Preferences

Use the options in the Preferences dialog box to specify Event Viewer settings for the current Event Viewer display. To modify preferences for all Event Viewer displays, see Defining Default Event Viewer Preferences and Defining Custom Event Viewer Preferences.

To specify the Event Viewer preferences, follow these steps:


Step 1   Select Edit > Preferences.

The Preferences dialog box appears.

Step 2   To determine how long, in seconds, Event Viewer will wait for a response from the remote sensor or host before concluding that the remote sensor or host is not connected, enter a value in Command Timeout field. The default is 10 seconds.

Step 3   To specify how long, in minutes, a sensor blocks traffic from a specified source when you issue a Block command from Event Viewer, enter a value in the Time to Block field. The default is 1440 minutes.

Step 4   Specify the subnet mask in the Subnet Mask field. This is the mask used to derive the network address from a source address when blocking networks based on a specific event.

Step 5   Configure the grid display behavior. Select the check box that corresponds to the desired behavior:

Select... To set this behavior...

Blank Left

When multiple, contiguous rows contain the same information in a column, selecting this option causes the first instance of the information to display and subsequent instances to appear blank. When this option is cleared, the repeated information appears in every row. This option is selected by default.

Blank Right

A group of events is typically shown in a single row, with the first column (not counting the Count column) on the left defining the group. Multiple entries in associated columns are shown with a + (plus) sign in the column. Double-clicking the cell with the + sign expands the group by adding rows.

When Blank Right is selected, the + sign appears even when there is only one member of a group. You have to expand the group to see the details for the one event. When Blank Right is cleared, a group of events with only one event will show the information for the single event on the top line; you do not need to "drill down" to the single event. Blank Right is cleared by default.

Step 6   Specify whether events are sorted by count or content:

a. To sort events based on the number of events per row from highest to lowest, click the Count radio button.

b. To sort events alphabetically based on the column to the right of the Count column, click the Content radio button.

Step 7   Specify the default Event Expansion Boundary in the Default Expansion Boundary field.

Step 8   To specify the maximum number of events that can be displayed in a single grid, enter a value in the Maximum Events per Grid field.

Step 9   Specify whether Event Viewer uses colors or icons to indicate event severity.

a. To use colors to display event severity, click the Color radio button.

b. To use icons to display event severity, click the Icon radio button.

Step 10   To enable automatic queries of the database for new events, select the Auto Query Enabled check box.

Step 11   To specify how often, in minutes, Event Viewer queries the database for new events, enter a value in the Query Interval (minutes) field.

Step 12   To save your changes, click OK.
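Steps 3 and 4 above deserve a closer look, because a Block command issued from Event Viewer acts on the network derived from the alarm's source address and the Subnet Mask preference, for Time to Block minutes. The following is an added example written for this page, not product code: it derives the network a block would cover and its expiry, and refuses blocks that would cover protected ranges. The never-block list is a hypothetical safeguard for the example, not a documented preference, and the addresses are constructed.

```python
"""Added example (not part of the product): what the Time to Block and Subnet
Mask preferences mean operationally. From an alarm's source address and the
mask, derive the network a Block command would shun and the time the block
lapses, and refuse blocks that would cover protected ranges. The never-block
list is a hypothetical safeguard, not a documented preference."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumed: ranges an operator would never want shunned (management network,
# the Security Monitor server). Constructed for the example.
NEVER_BLOCK = [ipaddress.ip_network("10.10.0.0/24"),
               ipaddress.ip_network("10.10.1.5/32")]

SAMPLE_NOW = datetime(2004, 1, 1, 0, 0, tzinfo=timezone.utc)   # fixed clock for the demo


def block_scope(source_address, subnet_mask="255.255.255.255",
                time_to_block_minutes=1440, now=None):
    """Return (network, expiry) for a block on source_address.

    subnet_mask is the Subnet Mask preference: the block covers the network the
    source falls in, not just the host. time_to_block_minutes is the Time to
    Block preference (default 1440, one day). Raises ValueError if the derived
    network overlaps a never-block range.
    """
    network = ipaddress.ip_network(f"{source_address}/{subnet_mask}", strict=False)
    for protected in NEVER_BLOCK:
        if network.overlaps(protected):
            raise ValueError(f"blocking {network} would also block {protected}")
    now = now or datetime.now(timezone.utc)
    return network, now + timedelta(minutes=time_to_block_minutes)


def describe(source_address, subnet_mask, minutes=1440, now=None):
    """Human-readable summary, e.g. for an operator confirmation prompt."""
    try:
        network, expiry = block_scope(source_address, subnet_mask, minutes, now)
    except ValueError as err:
        return f"REFUSED: {err}"
    return f"block {network} ({network.num_addresses} addresses) until {expiry.isoformat()}"


if __name__ == "__main__":
    print(describe("192.0.2.77", "255.255.255.255", now=SAMPLE_NOW))
    print(describe("192.0.2.77", "255.255.255.0", now=SAMPLE_NOW))
    print(describe("10.10.0.99", "255.255.255.0", now=SAMPLE_NOW))
```

Two cautions follow from this. A mask wider than 255.255.255.255 multiplies the blast radius of every block, so a single alarm can cut off a whole network. And because many signatures fire on single packets whose source address can be forged (ICMP and UDP in particular), an attacker who knows you block on alarms can spoof a third party's address and have your sensor block it for you; a never-block list for your own infrastructure and a short Time to Block limit the damage of such a mistake.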





Viewing the Context Buffer

A context buffer records exactly what traffic was traversing the network at the time the alarm's signature was detected. Not all signatures contain context buffers. For more information, see Context Buffer.

To view the context buffer, follow these steps:


Step 1   Select a cell in Event Viewer.

The selected cell is highlighted and outlined in gray.

Step 2   Select View > Context Buffer.

If the signature has a context buffer, the dialog box displays the context buffer information. Otherwise, the dialog box displays the following message: No context buffer data for the selected cell.





Viewing Hostnames

You can view the hostnames that correspond to the source and destination addresses. If a hostname cannot be resolved, you receive a message that the name cannot be resolved.

To view the hostnames, follow these steps:


Step 1   Select a cell in Event Viewer.

The selected cell is highlighted and outlined in gray.

Step 2   Select View > Hostnames.

The Hostname Resolution dialog box displays the addresses and corresponding hostnames, if available.





Graphing Event Viewer Data

You can create a graph of the data, or a subset of the data, shown in Event Viewer. The graphs do not update dynamically; they provide a static view of the data at the time the graph was created.

To view a graph of Event Viewer data, follow these steps:


Step 1   Select the events to graph.

  • To select all events, select the top-left cell in the display (the root node).
  • To select a subset of events, select the cell that corresponds to the events you want to graph.

Step 2   To see how the selected events were distributed over time, select Graph > By Time from the menu.

The graph displays, along the x-axis, the range of time over which the events occurred and, along the y-axis, the number of occurrences. Event severity is indicated by the color of the bar.

Step 3   To see the distribution of child events, select Graph > By Child from the menu.

The graph displays the child events (the events in the column to the right of the selected node) across the X-axis of the graph and the number of occurrences along the Y-axis. Event severity is indicated by the color of the bar.

Step 4   To close the graph, click the close button (designated by the X icon) in the upper-right corner of the graph window.





Learning About Attacks

The Network Security Database (NSDB) provides detailed information about signatures, including descriptions, versions, benign triggers, and related vulnerabilities. You can access the NSDB information for a signature directly from Event Viewer.

To access the NSDB, follow these steps:


Step 1   Select a cell in Event Viewer.

The selected cell is highlighted and outlined in gray.

Step 2   Select View > Network Security Database.

If there is an NSDB entry for the event you selected, the NSDB opens in a new window. Otherwise, a dialog box notifies you that there is not an NSDB entry for the event you selected and the NSDB index page opens.





Viewing Event Statistics

You can view event statistics for a cell in Event Viewer. The statistics can include the following:

  • The number of events represented by the cell.
  • The severity level.
  • The number of child cells.
  • The percentage of total events that the selected cell and its child cells represent in the current Event Viewer display.

To view event statistics, follow these steps:


Step 1   Select a cell in Event Viewer.

The selected cell is highlighted and outlined in gray.

Step 2   Select View > Statistics.

The Event Statistics dialog box displays the event statistics.





Refreshing Events

Based on the settings you specified in the Preferences dialog box, Event Viewer queries the database at regular intervals for new events. If you want to check for new events between intervals or if you have automatic queries disabled, you can use the Refresh Events option to query the database for new events manually.

To refresh the Event Viewer events, follow these steps:


Step 1   Select Actions > Refresh Events.

The Event Viewer display is refreshed to include any new events.

Step 2   Repeat Step 1 as often as you would like to query for new events.





Blocking a Host or a Network

Blocking a host causes a sensor to block all traffic emanating from the source IP address associated with the selected event. In a similar way, blocking a network causes the sensor to block all traffic emanating from the network that contains the source IP address of the selected event. Blocking is accomplished through a properly configured Cisco router. For information about removing a block, see Removing a Block.


Note   The Event Viewer in Security Monitor versions 1.2 and earlier does not support blocking when you are using sensors that are operating with IDS 4.x software.

To block a host or a network, follow these steps:


Step 1   To select an event whose source (a host or a network) you want to block, click the corresponding cell in Event Viewer.

The selected cell is highlighted and outlined in gray.

Step 2   To block a host, select Block > Host.

The traffic is blocked for the number of minutes specified in the Preferences dialog box.

Step 3   To block a network, select Block > Net.

The traffic is blocked for the number of minutes specified in the Preferences dialog box.


Note    The network address of a blocked network is calculated by applying the network mask in the Preferences panel to the source IP address of the selected event.
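As an added example that is not part of the Cisco documentation, the following Python models the two Preferences values this procedure relies on, Time to Block (minutes) and the Subnet Mask applied to the event's source IP, so an operator can see before selecting Block > Net how large the blocked range is and when the block expires. The source address and the "protected" prefixes are constructed sample values, and the overlap check is an added operator safeguard, not a function of Event Viewer.

```python
from datetime import datetime, timedelta
from ipaddress import IPv4Network, ip_network

# Constructed sample values; the Preferences defaults on the page are
# Time to Block = 1440 minutes. The subnet mask has no stated default.
SAMPLE_SOURCE_IP = "192.0.2.77"        # source IP of the selected event
SAMPLE_SUBNET_MASK = "255.255.0.0"     # value entered in the Subnet Mask field
# Hypothetical prefixes an operator never wants shunned (e.g. management).
PROTECTED_PREFIXES = ["192.0.5.0/24", "198.51.100.0/24"]


def block_target(source_ip: str, subnet_mask: str, by_network: bool) -> IPv4Network:
    """Range the sensor would block.

    Block > Host blocks only the event's source IP (a /32 here).
    Block > Net blocks the network obtained by applying the Preferences
    subnet mask to the source IP, as the Note above describes.
    """
    if not by_network:
        return ip_network(f"{source_ip}/32")
    # strict=False clears the host bits, i.e. applies the mask.
    return ip_network(f"{source_ip}/{subnet_mask}", strict=False)


def block_expiry(issued_at: datetime, time_to_block_min: int = 1440) -> datetime:
    """When a block issued at issued_at lapses, given Time to Block."""
    return issued_at + timedelta(minutes=time_to_block_min)


def collateral(target: IPv4Network, protected: list[str]) -> list[str]:
    """Protected prefixes that would also be caught by this block."""
    return [p for p in protected if target.overlaps(ip_network(p))]


if __name__ == "__main__":
    for by_net in (False, True):
        tgt = block_target(SAMPLE_SOURCE_IP, SAMPLE_SUBNET_MASK, by_net)
        print("Block > Net " if by_net else "Block > Host",
              tgt, f"({tgt.num_addresses} addresses)",
              "collateral:", collateral(tgt, PROTECTED_PREFIXES))
    print("expires:", block_expiry(datetime(2004, 1, 1, 8, 0)))
```

With a 255.255.0.0 mask the network block covers 65536 addresses, which is why checking the mask in Preferences before using Block > Net matters.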





Removing a Block

You can remove any blocks that you have added in Event Viewer.


Note   Security Monitor versions 1.2 and earlier do not support blocking when you are using sensors that are operating with IDS 4.x software.

To remove a block, follow these steps:


Step 1   To select the event from which you want to remove the block, select the corresponding cell in Event Viewer.

The selected cell is highlighted and outlined in gray.

Step 2   To remove a sensor's block from a host, select Remove Block > Host.

Step 3   To remove a sensor's block from a network, select Remove Block > Net.

Step 4   To remove all blocks, select Remove Block > All.





Defining Event Viewer Preferences

This section describes how to define Event Viewer preferences. It also describes how to administer preferences of Event Viewer users. This section contains the following procedures:

Defining Default Event Viewer Preferences

If you have administrative privileges, you can define the default Event Viewer preferences. Default preferences are used by all users. However, users can define custom preferences to reconfigure their views. For more information, see Defining Custom Event Viewer Preferences.

To define the default Event Viewer preferences, follow these steps:


Step 1   Select Admin > Event Viewer.

Step 2   Select Default Preferences from the TOC.

The Default Preferences page appears.

Step 3   To determine how long, in seconds, Event Viewer will wait for a response from the remote sensor or host before concluding that the remote sensor or host is not connected, enter a value in the Command Timeout field. The default is 10 seconds.

Step 4   To specify how long, in minutes, a sensor blocks traffic from a specified source when you issue a Block command from Event Viewer, enter a value in the Time to Block field. The default is 1440 minutes.

Step 5   Specify the subnet mask in the Subnet Mask field.

Step 6   Specify the default Event Expansion Boundary in the Default Expansion Boundary field.

Step 7   Enter a value in the Maximum Events per Grid field to specify the maximum number of events that can be displayed in a single grid.

Step 8   To specify how often, in minutes, Event Viewer queries the database for new events, enter a value in the Query Interval (minutes) field.

Step 9   To enable automatic queries of the database for new events, select the Auto Query Enabled check box.

Step 10   Specify whether Event Viewer uses colors or icons to indicate event severity.

a. To use colors to display event severity, click the Color radio button.

b. To use icons to display event severity, click the Icon radio button.

Step 11   Configure the grid display behavior. Select the check box that corresponds to the desired behavior:

Select... To set this behavior...

Blank Left

When multiple, contiguous rows contain the same information in a column, selecting this option causes the first instance of the information to display and subsequent instances to appear blank. When this option is cleared, the repeated information appears in every row. This option is selected by default.

Blank Right

A group of events is typically shown in a single row, with the first column (not counting the Count column) on the left defining the group. Multiple entries in associated columns are shown with a + (plus) sign in the column. Double-clicking the cell with the + sign expands the group by adding rows.

When Blank Right is selected, the + sign appears even when there is only one member of a group. You have to expand the group to see the details for the one event. When Blank Right is cleared, a group of events with only one event will show the information for the single event on the top line; you do not need to "drill down" to the single event. Blank Right is cleared by default.

Step 12   Specify whether events are sorted by count or content.

a. To sort events based on the number of events per row from highest to lowest, click the Count radio button.

b. To sort events alphabetically based on the column to the right of the Count column, click the Content radio button.

Step 13   Click Apply.

The preferences you specified are the default preferences used by all Event Viewer users.





Defining Custom Event Viewer Preferences

You can define custom Event Viewer preferences that override the default Event Viewer preferences. Custom Event Viewer preferences affect only the Event Viewer displays opened by the user for whom the preferences were defined.

To define custom Event Viewer preferences, follow these steps:


Step 1   Select Admin > Event Viewer.

Step 2   Select Your Preferences from the TOC.

The Your Preferences page appears.

Step 3   To determine how long, in seconds, Event Viewer will wait for a response from the remote sensor or host before concluding that the remote sensor or host is not connected, enter a value in the Command Timeout field. The default is 10 seconds.

Step 4   To specify how long, in minutes, a sensor blocks traffic from a specified source when you issue a Block command from Event Viewer, enter a value in the Time to Block field. The default is 1440 minutes.

Step 5   Specify the subnet mask in the Subnet Mask field.

Step 6   Specify the default Event Expansion Boundary in the Default Expansion Boundary field.

Step 7   Enter a value in the Maximum Events per Grid field to specify the maximum number of events that can be displayed in a single grid.

Step 8   To specify how often, in minutes, Event Viewer queries the database for new events, enter a value in the Query Interval (minutes) field.

Step 9   To enable automatic queries of the database for new events, select the Auto Query Enabled check box.

Step 10   Specify whether Event Viewer uses colors or icons to indicate event severity.

a. To use colors to display event severity, click the Color radio button.

b. To use icons to display event severity, click the Icon radio button.

Step 11   Configure the grid display behavior. Select the check box that corresponds to the desired behavior:

Select... To set this behavior...

Blank Left

When multiple, contiguous rows contain the same information in a column, selecting this option causes the first instance of the information to display and subsequent instances to appear blank. When this option is cleared, the repeated information appears in every row. This option is selected by default.

Blank Right

A group of events is typically shown in a single row, with the first column (not counting the Count column) on the left defining the group. Multiple entries in associated columns are shown with a + (plus) sign in the column. Double-clicking the cell with the + sign expands the group by adding rows.

When Blank Right is selected, the + sign appears even when there is only one member of a group. You have to expand the group to see the details for the one event. When Blank Right is cleared, a group of events with only one event will show the information for the single event on the top line; you do not need to "drill down" to the single event. Blank Right is cleared by default.

Step 12   Specify whether events are sorted by count or content.

a. To sort events based on the number of events per row from highest to lowest, click the Count radio button.

b. To sort events alphabetically based on the column to the right of the Count column, click the Content radio button.

Step 13   To save your changes, click Apply.

Your Event Viewer displays will use the preferences you defined.

Step 14   To revert to the default Event Viewer preferences, click Reset to Defaults.

Your custom preferences are overwritten by the default preferences used by all Event Viewer users.





Viewing Event Viewer Users

You can view a list of users that have custom Event Viewer preferences stored in the database.

To view a list of Event Viewer users, follow these steps:


Step 1   Select Admin > Event Viewer.

Step 2   Select Users from the TOC.

The Users page appears. The users are listed in a table on this page.





Deleting Users from the Event Viewer Database

To clean up your database, you can delete preferences for users who no longer view events. Only the event viewing preferences for that user are deleted from the database.


Note   You must have administrative privileges to delete user preferences from the database.


Tip   Security Monitor administers only Event Viewer user records. To administer user permissions, you must use IDS MC. For more information, refer to Using Management Center for IDS Sensors.

To delete a user from the Event Viewer database, follow these steps:


Step 1   Select Admin > Event Viewer.

Step 2   Select Users from the TOC.

The Users page appears.

Step 3   To select which user to delete, select the check box next to the user ID.


Note    You can select all users by clicking Select All.

A check mark appears next to the user ID that you selected.

Step 4   To delete Event Viewer preferences for the selected user, click Delete.

The event viewing preferences for the selected user are deleted from the Event Viewer database.