Chapter 10: Local Event Database and Event Correlation

Cisco Press


The Cisco Security Agent Management Console (CSA MC) provides the security administrator access to logged data collected from agents throughout the CSA deployment. A database stores this data, and you access it through the Event Log and Event Monitor screens. This chapter provides the information necessary to best locate and sort the data required to complete various tasks, such as tuning the deployment and investigating possible security breaches in the environment.

In this chapter, you explore the following topics:

  • Event database

  • Event Log and Event Monitor views of the database

  • The filtering of logs

CSA MC Event Database

The CSA MC stores all events collected from the CSA in a database format. By default, if you install the CSA MC software on a single server, the CSA MC installation software installs a Microsoft Desktop Engine (MSDE) database. The MSDE database holds CSA events as they are sent to the server. As an alternative to a MSDE database, you can optionally install a copy of Microsoft SQL Server to fulfill this functionality. If you choose to install MS SQL instead of MSDE, you can opt to install the database locally on the CSA MC or on an additional server that could be dedicated to providing this functionality. Regardless of the database option selected, you must use a database to store all event and configuration information.

Note - If you choose to store the data in an MS SQL database rather than MSDE, you can query the data and report on it natively from that source. Only experienced SQL administrators should access the data in its native format, because an incorrect command can corrupt the installation, and doing so is not supported by Cisco. In addition, be aware that Cisco supports an MSDE database only in deployments of up to 500 agents, and it can store only 2 GB of data.

The CSA MC provides two options for natively viewing the events in the event database. The first option is the Event Log, which provides access to all events in the database. The second option is the Event Monitor, which provides a view into the database that differs from the Event Log view only in that it automatically refreshes the data on the screen at regular intervals.

The Event Log

The Event Log is the most common viewer used in the CSA MC. It provides the administrator a record of events in the order they occurred. As displayed in Figure 10-1, each record displayed includes the following:

  •  Event Number—The number listed here corresponds to this specific event in relation to the number of events displayed for the current display criteria. The display criteria and total event count related to the criteria are shown at the top of the Event Log page.

  •  Date—This field shows the date and time at which this specific event was triggered on the host that logged it. The date and time are taken from the host itself, so an incorrect date on the host is not corrected when the CSA MC server receives the event. This matters because systems that lose contact with the CSA MC, such as laptops, store triggered events locally until communication is reestablished; these events are then sent in bulk to the CSA MC and inserted into the database with their original timestamps. If the host is in a different time zone than the CSA MC, an adjustment is made for the time difference, and the event is stamped in the database with the time associated with the CSA MC.

  •  Host—This displays the host that recorded this particular event. Clicking on the host name directs you to the Host Information page that includes all the information in the configuration database specific to this host.

  •  Severity—This field lists the severity of the event as mapped in the database. The entry here ranges from Information to Emergency.

  •  Event—This is the largest field in the record. It includes the specific information about the event, such as what occurred and who performed the task. It also includes options to see more complete details, a link to the specific rule that triggered the event, a link to launch the wizard that is used to tune this event, and Find Similar that allows you to sort the event log searching for similar events to the one in question.

Figure 10-1 The Event Log View

When you attempt to locate specific data, you can configure the Event Log in different ways. Some of the filter capabilities are results of clicking on links on other pages within the CSA MC, but there are also basic ways to filter the data directly from the Event Log screen itself.

Filtering the Event Log Using Change Filter

When you attempt to specify events to complete a management task, such as tuning or security investigation, it is advantageous to limit the data presented on the screen, so that the administrators can quickly and easily see patterns emerge that allow them to accomplish their goal. The Event Log Change Filter option allows the administrator to filter the Event Log using specified criteria.

To view the current filter criteria, look to the top, left corner of the Event Log screen. The screen displays the current filter in place. Above the current criteria is the total number of events that match the current criteria and the option to Change Filter. Selecting the Change Filter link presents a pop-up option that presents the Change Filter options, as displayed in Figure 10-2. There are two major options that must be selected before applying the Change Filter criteria to the displayed Event Log. These options follow:

  •  Filter by eventset—To apply a granular eventset as a filter to the Event Log, select this option and then select the specific eventset you wish to use. Eventsets include some filtering options that are not available through any other CSA MC filtering mechanism. Examples of eventset-only filter criteria are an eventset that filters the Event Log to display events from hosts across multiple groups at the same time, or one that displays only events of a specific type.

  •  Define filter—Selecting this option allows you to set a one-time filter capable of limiting the scope of the Event Log display. You are not required to enter parameters for each of the definable options. Nondefined options use the defaults. The criteria available for filtering the log are:

     •  Start date—This parameter defines the start date of the displayed events. Events in the log prior to the start date are not shown on the screen. You can enter a specific date and time combination or use descriptive time phrases such as now, three days ago, and two hours ago.

     •  End date—This parameter is similar to the Start date parameter except that it defines the latest event displayed on the screen. You can use the term now or leave this option blank, in which case all matching events are displayed up to the actual time the filter is applied and the view is generated.

     •  Minimum Severity—This parameter allows you to select the lowest severity level of any event to be displayed, ranging from Information to Critical.

     •  Maximum Severity—This parameter allows you to select the highest severity level of any event to be displayed, ranging from Information to Critical.

     •  Host—You can enter the name of a host directly into this field to display only events from that host. If desired, you can click the change link to open a dialog window with drop-down boxes that let you select the host from a list or select a group. Leaving this field blank or unconfigured matches all hosts for this parameter.

     •  Rule Module—This parameter allows you to select a specific rule module that causes events to be triggered. Only events triggered by rules contained in the selected rule module are displayed.

     •  Rule ID—You can enter a specific rule ID in this field to display only events resulting from that rule. Although you can enter it here, this field is more commonly populated through links from other pages, such as the Most Active Rules link on the Status Summary page and the Find Similar filtering option.

     •  Events per page—This parameter defines the number of events to display per page for this newly defined filter. The default is 50 per page and the maximum is 500 per page.

     •  Filter text—By entering a word or phrase into this field and selecting either include or exclude, you restrict the results to events that contain the text, or remove events that contain it from the results. This is helpful when searching for events related to a specific user or file.

     •  Filter out duplicates—This option allows you to filter out any identical events that occur in your search results. The first result is displayed and its duplicates are removed. By default, duplicate events are not removed.

Figure 10-2 Change Filter

To test the Change Filter option, create a simple filter and verify the results. For this example, filter the Event Log so that it displays only events that include dns.exe. To accomplish this, the only parameter you need to set is Filter text. Set the Filter text field to dns.exe and select the included radio button to the right of the text entry field. The parameters are shown in Figure 10-3. Figure 10-4 displays the outcome of the filter, which now shows three events. Also note that after the filter is applied, the filter criteria displayed at the top of the page reflect the changes made in the filter.

Figure 10-3 Sample Filter Criteria

Figure 10-4 Resulting Event Log

Filtering by Eventset

The Eventset filtering option is an excellent way to filter the various logs using consistent, reusable criteria. For a filter that you expect to use often, it is recommended that you use the Eventset method. Eventsets are made up of various settings that together act as a granular filter. These settings include:

  •  Name—You must enter a name for this eventset to identify it among the others in the list.

  •  Description—You can add a description for this eventset.

  •  Event Types—You can include All Events by type or specify various Rule Type and Action combinations.

  •  Severity Levels—You can specify a single, various, or all event severities.

  •  Groups—You can include all hosts or specific groups.

  •  Rule Modules—You can include all rule modules or specific rule modules. Use Ctrl+Click or Shift+Click to select multiple entries.

  •  Timestamps—You can include all timestamps or specific timing via the following options: Custom Start and End, Today, Last 24 Hours, Last 7 Days, Last 30 Days, or Older than a specified number of days.

Using an eventset allows certain types of filtering options and multiple-selection criteria that are not possible any other way. In addition, filtering using this method produces consistent results and is used effectively during normal daily filtering of the Event Log by administrators, desktop support personnel, and helpdesk personnel. Figure 10-5 shows a common eventset filter created for reuse.

Figure 10-5 Using Eventsets as Filtering Criteria

Filtering the Event Log Using Find Similar

Another method that you can use to filter the Event Log is to select Find Similar from any of the specific Event Log entries that you would like to isolate. You are somewhat limited in the type of parameters that can be set from this filter mechanism; however, in certain circumstances, it is efficient. The criteria used to filter the Event Log from Find Similar follows:

  •  Same host—The host that triggered this event is listed in this field by default. If you do not want to limit the resulting filtered view to events triggered on this specific host, you must deselect this option.

  •  Same policy rule—The rule ID that triggered this event is set by default. If you do not want to include only the events specifically sent by the triggering of this rule, you must deselect this option.

  •  Same severity level—The severity level of the event you use to Find Similar is set by default. If you do not wish to filter events to display only events of this severity level, deselect this option.

  •  Same type—This criterion identifies similar events that were triggered by the same rule type and action combination.

  •  Same time frame—This option allows the administrator to specify a timeframe to which the similar events should be limited. You can specify a timeframe in minutes, hours, or days and an interval that will include the time before and after the event you use to create the Find Similar filter.

To illustrate this type of filter, again look for events that include dns.exe. This time, you need to manually locate an event of that type. After locating the event, select Find Similar from that event and specify the following criteria: Same policy rule and Same time frame (+/- 15 minutes). The criteria selections can be seen in Figure 10-6 and the resulting Event Log is shown in Figure 10-7. Notice that the results of the Find Similar filter do not provide exactly what we had hoped to receive (illustrated in the previous example in Figure 10-5). Because of the limited criteria, the results also display other events that are similar in nature. It is important that you understand when best to use the different filtering mechanisms.
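As an added example (not from the book and not Cisco's code), the following Python models the Define filter criteria of the Change Filter option and the Find Similar options described above, applied to a constructed set of Event Log records; the severity levels between Information and Emergency, the host names, rule IDs and event text are assumptions. Run over the sample, a Filter text of dns.exe returns three events, while Find Similar on Same policy rule within +/- 15 minutes also pulls in an unrelated event from the same rule, which is the broader result the text describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed severity order, lowest to highest; the chapter names only the endpoints.
SEVERITY = ["Information", "Notice", "Warning", "Error", "Alert", "Critical", "Emergency"]

# One Event Log record: timestamp, host, severity, triggering rule ID, event text.
@dataclass(frozen=True)
class Event:
    date: datetime
    host: str
    severity: str
    rule_id: int
    text: str

def define_filter(events, start=None, end=None, min_sev="Information", max_sev="Emergency",
                  host=None, rule_id=None, filter_text=None, include=True, filter_dups=False):
    """Apply the Change Filter 'Define filter' criteria; an unset option matches all events."""
    lo, hi = SEVERITY.index(min_sev), SEVERITY.index(max_sev)
    out, seen = [], set()
    for ev in events:
        in_range = (start is None or ev.date >= start) and (end is None or ev.date <= end)
        sev_ok = lo <= SEVERITY.index(ev.severity) <= hi
        ids_ok = (host is None or ev.host == host) and (rule_id is None or ev.rule_id == rule_id)
        text_ok = filter_text is None or (filter_text in ev.text) == include
        key = (ev.host, ev.severity, ev.rule_id, ev.text)  # identity used for duplicate removal
        if in_range and sev_ok and ids_ok and text_ok and not (filter_dups and key in seen):
            seen.add(key)
            out.append(ev)
    return out

def find_similar(events, ref, same_host=True, same_rule=True, same_sev=True, time_frame=None):
    """Find Similar: keep events sharing ref's host/rule/severity, optionally within +/- time_frame."""
    return [ev for ev in events
            if (not same_host or ev.host == ref.host)
            and (not same_rule or ev.rule_id == ref.rule_id)
            and (not same_sev or ev.severity == ref.severity)
            and (time_frame is None or abs(ev.date - ref.date) <= time_frame)]

# Constructed sample log (not real CSA output); hosts, rule IDs and texts are made up.
T0 = datetime(2005, 3, 1, 9, 0)
SAMPLE = [
    Event(T0, "dns01", "Warning", 210, "dns.exe attempted to write to C:\\WINDOWS\\system32"),
    Event(T0 + timedelta(minutes=5), "dns01", "Warning", 210, "dns.exe attempted to write to C:\\WINDOWS\\system32"),
    Event(T0 + timedelta(minutes=10), "dns02", "Warning", 210, "dns.exe attempted to modify a registry key"),
    Event(T0 + timedelta(minutes=12), "dns01", "Warning", 210, "svchost.exe attempted to write to C:\\WINDOWS\\system32"),
    Event(T0 + timedelta(minutes=40), "dns01", "Warning", 210, "svchost.exe attempted to write to C:\\WINDOWS\\system32"),
    Event(T0 + timedelta(hours=2), "web01", "Critical", 330, "iexplore.exe attempted to modify a system file"),
]
```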

Figure 10-6 Find Similar Filter Criteria

Figure 10-7 Resulting Event Log

The Event Monitor
