Chapter 10: Local Event Database and Event Correlation

Cisco Press


The Event Monitor is similar to the Event Log except that it auto-refreshes the displayed view at a set interval. The refresh interval is 15 seconds by default; you can increase it with the drop-down box next to Refresh Interval at the top of the screen, which offers 15 seconds, 1 minute, and 5 minutes. The administrator can also temporarily pause the display, halting the automatic refresh, or force an immediate refresh. The Pause and Refresh buttons are at the bottom-left of the Event Monitor screen, as displayed in Figure 10-8. The fields in the Event Monitor view are nearly identical to those in the Event Log: Event Number, Date, Host, Severity, and Event. The only difference is that the Event Monitor does not provide the Find Similar capability.

Figure 10-8 The Event Monitor View

Although Find Similar is not available, the Event Monitor does let you create a monitoring filter. Filtering a near real-time view for specific incoming events is extremely useful when actively tuning an installation or performing an investigation focused on specific criteria or hosts.

The Monitoring Filter is similar to the Event Filter discussed in relation to the Event Log, with subtle differences. Because the Event Monitor displays events as they occur rather than historical events from the database, the options differ. The options available, as displayed in Figure 10-9, follow:

  •  Filter by eventset—Similar to the Event Log filter, you can apply a granular eventset to the Event Monitor to limit the real-time incoming events.

  •  Define filter—Selecting this option allows you to set a one-time filter that limits the scope of the Event Monitor display. The criteria available are:

     Minimum Severity—The lowest severity level an event must have to be displayed, in a range from Information to Critical.

     Maximum Severity—The highest severity level an event may have and still be displayed, in a range from Information to Critical.

     Host—Enter a host name directly to display only events from that host, or click the change link to open a dialog with drop-down boxes from which you can select a host, or a group if desired. Leaving this field blank matches all hosts. This option is helpful when troubleshooting a specific host in near real-time without having to watch the events from every other host rolling in to the database.

     Rule Module—Select a rule module so that only events triggered by rules contained in that module are displayed. This lets administrators limit the view to events tied to the rule module they are actively tuning.

     Rule ID—Enter a specific rule ID to display only events generated by that rule. This field is also useful during the tuning process.

     Display last—The number of events displayed per page for this filter. The default is 50 and the maximum is 100.

     Filter text—Enter a word or phrase and select either include or exclude. With include, only events whose text contains the phrase are displayed; with exclude, every event containing it is removed from the results. This is useful both when performing an investigation and during active tuning.

     Filter out duplicates—Suppresses repeated events that would otherwise appear as identical entries in the filtered results.

Figure 10-9 Change Filter

Filtering the Event Monitor is a common practice. Becoming adept at the different parameters available ensures your ability to quickly isolate and fix issues in your environment.
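To make the filter semantics concrete, the following Python is an added example, not code from the book or from the CSA MC product. It applies a Define filter with the criteria listed above (severity range, host, rule module, rule ID, filter text with include or exclude, duplicate suppression, and Display last) to a constructed stream of CSA-like events. The event fields beyond the five columns named in the chapter, the severity names and order between Information and Critical, the case-insensitive text match, and the definition of a duplicate as an event identical in host, rule, and text are assumptions of the example, not documented CSA MC behavior.

```python
"""Event Monitor style filtering over a constructed CSA-like event stream.

Added example only: severity order, text matching and the duplicate
definition are assumptions, not documented CSA MC behaviour.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed ordering, lowest to highest; the chapter names only the endpoints.
SEVERITIES = ["Information", "Notice", "Warning", "Error", "Alert", "Critical"]


@dataclass(frozen=True)
class Event:
    number: int        # Event Number column
    date: str          # Date column
    host: str          # Host column
    severity: str      # Severity column
    rule_module: str   # module containing the rule that fired (assumed field)
    rule_id: int       # rule that fired (assumed field)
    text: str          # Event column


@dataclass
class MonitorFilter:
    """One 'Define filter' as described in the chapter. None means 'any'."""
    min_severity: str = "Information"
    max_severity: str = "Critical"
    host: Optional[str] = None
    rule_module: Optional[str] = None
    rule_id: Optional[int] = None
    display_last: int = 50          # default 50, maximum 100
    filter_text: Optional[str] = None
    include_text: bool = True       # True = include, False = exclude
    filter_out_duplicates: bool = False

    def __post_init__(self) -> None:
        if not 1 <= self.display_last <= 100:
            raise ValueError("Display last must be between 1 and 100")
        if SEVERITIES.index(self.min_severity) > SEVERITIES.index(self.max_severity):
            raise ValueError("Minimum Severity is above Maximum Severity")

    def matches(self, ev: Event) -> bool:
        sev = SEVERITIES.index(ev.severity)
        if not SEVERITIES.index(self.min_severity) <= sev <= SEVERITIES.index(self.max_severity):
            return False
        if self.host is not None and ev.host != self.host:
            return False
        if self.rule_module is not None and ev.rule_module != self.rule_module:
            return False
        if self.rule_id is not None and ev.rule_id != self.rule_id:
            return False
        if self.filter_text is not None:
            # include: keep only events containing the text; exclude: drop them.
            # Case-insensitive match is an assumption of this example.
            found = self.filter_text.lower() in ev.text.lower()
            if found != self.include_text:
                return False
        return True


def apply_filter(events: List[Event], flt: MonitorFilter) -> List[Event]:
    """Return the events the Event Monitor would show for this filter.

    Events are assumed to arrive in ascending event-number order, so
    'Display last' keeps the newest N matching events.
    """
    matched = [ev for ev in events if flt.matches(ev)]
    if flt.filter_out_duplicates:
        seen = set()
        unique = []
        for ev in matched:
            key = (ev.host, ev.rule_id, ev.text)   # assumed duplicate definition
            if key not in seen:
                seen.add(key)
                unique.append(ev)
        matched = unique
    return matched[-flt.display_last:]


# Constructed sample stream; hosts, modules, rule IDs and messages are invented.
SAMPLE_EVENTS = [
    Event(1, "2007-03-01 09:00:01", "ws-finance-01", "Information", "Base Desktop", 101, "Agent started"),
    Event(2, "2007-03-01 09:00:07", "ws-finance-01", "Warning", "Network Shield", 210, "Blocked outbound connection to 10.1.2.3:445"),
    Event(3, "2007-03-01 09:00:09", "ws-finance-01", "Warning", "Network Shield", 210, "Blocked outbound connection to 10.1.2.3:445"),
    Event(4, "2007-03-01 09:00:12", "srv-web-02", "Critical", "Web Server Protection", 305, "Buffer overflow attempt denied in httpd"),
    Event(5, "2007-03-01 09:00:15", "ws-hr-07", "Error", "Base Desktop", 150, "Unauthorized registry write denied"),
    Event(6, "2007-03-01 09:00:20", "srv-web-02", "Information", "Web Server Protection", 301, "Policy updated"),
]

if __name__ == "__main__":
    # Typical tuning view: one host, Warning and above, repeats collapsed.
    tuning = MonitorFilter(host="ws-finance-01", min_severity="Warning",
                           filter_out_duplicates=True)
    for ev in apply_filter(SAMPLE_EVENTS, tuning):
        print(ev.number, ev.date, ev.host, ev.severity, ev.text)
```

The tuning filter in the `__main__` block shows the common case from the chapter: restricting the near real-time view to one host at Warning and above and collapsing the repeated Network Shield event so a rule firing in a loop does not flood the display. Note that duplicate suppression runs before Display last, so the page count reflects distinct entries rather than raw events.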

Automated Filtering from Directed Links

Throughout the CSA MC you can click directed links that open an automatically filtered view of the Event Log. The following list outlines a few of these directed links:

  • Most Active Hosts—# Events—The Most Active Hosts pop-up window, available from the Status Summary page, shows a # Events link (such as 11 events) next to each host, as displayed in Figure 10-10. Clicking it produces a filtered view of the events from that host in the last day. You can also change the Sort By field to Rules Triggered, which adds a rule to the filter criteria in addition to the host, so that the view shows only the events from that host that a specific rule generated, as seen in Figure 10-11.

    Figure 10-10 Most Active Host Events Directed Link

    Figure 10-11 Most Active Host Events Secondary Criteria

  •  Most Active Rules—# Events—This directed link provides output similar to Most Active Hosts, except that it initially focuses on the most-triggered rule rather than on the hosts.

  •  Host—Host Name—View Related Events—When viewing a Host configuration page, you can immediately view the events in the database from this specific host by clicking on View related events from the Quick links section of the Host configuration page, as displayed in Figure 10-12.

    Figure 10-12 View Related Events—Host Quicklinks

  •  Group—Group Name—View Related Events—Similar to the way you can create a filtered view of all related events from the Host configuration page, you can create the same type of view from the Group configuration page.

Additional Event Correlation

The CSA MC correlates all events received from every managed agent in the architecture. This correlation provides useful detail about the security posture of your systems and a historical account of actions as they spread across the computing environment. In addition to correlating this information in the CSA MC, you might wish to send the data to another collector for further correlation with non-CSA messages, such as network IPS, firewall, and other security-based data sources. Examples of collection tools available from Cisco Systems include the Cisco MARS Appliance, CiscoWorks SIMS, and the Security Monitor included in the CiscoWorks VMS Suite.

Summary

One of the most important features of the CSA MC product is the event database. To run an efficient operational deployment of the CSA product, both during and after implementation, you must be able to isolate events effectively in the Event Monitor and Event Log. The data available in a properly filtered view supports rapid policy tuning and data interpretation during a security investigation. If necessary, continue to practice the skills and tools covered in this chapter until you are confident you know which options fit specific circumstances and how to quickly reach the data you require.

Copyright © 2007 Pearson Education. All rights reserved.

Copyright © 2007 IDG Communications, Inc.