Filter
Top Products
66-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 66 Viewing Events
Introduction to Event Viewer Capabilities
• View High Threat IPS Events—You can filter a view to display all events that exceed a certain
threat level. On a properly tuned IPS sensor, this should be a manageable flow of events to watch in
a real-time view.
Views and Filters
When you view events in Event Viewer, you open a view. A view is a set of filters and other properties,
including color rules, selected columns and their positions and widths, and the default time window, that
let you define a subset of events. Views help to limit the scope of the events list so that you can more
easily find what you are looking for.
Event Viewer includes a number of predefined views. Although you cannot change the filter rules for
these views, you can create copies of the views and change the filter rules in your copy. Views you create
are called custom views. For more information, see Creating Custom Views, page 66-37.
Using filters is key to getting the most from Event Viewer. You can distill from all the events being
received a view of only the information that you need or want. You can use the various methods of
filtering to reduce the events list, filtering lists that have already been filtered. The following list explains
the general filtering features; for more information, see Filtering and Querying Events, page 66-39.
• Time filters—You can use time filters to limit the events that are loaded into your client as well as
to limit the events displayed in the Event Table. With time filtering you can select predefined values,
such as the last hour, or specify a particular time range by dates and times. For more information,
see Selecting the Time Range for Events, page 66-39.
• Column filters—You can use column filters to filter events based on a particular value of an event.
For example, you could filter on a particular source or destination, or both. For certain columns you
can also filter on a range of values or on a policy object. Column filters are part of the view settings
for a view. For more information, see Creating Column-Based Filters, page 66-41.
• Quick filters—You can use quick filters to execute a text-based filter on events listed in the event
table. The search is not column-sensitive, showing all events in which the string appears in any
column. You can use the Quick Filter drop-down list (shown as a magnifier) to modify the scope of
the filter. For more information, see Filtering on a Text String, page 66-44.
• Drilling down with filters—Aggregating additional filters allows you to become more and more
selective, to “drill down” until you can view a particular event or set of events that meet your
requirements. The View Settings pane at the top of the Event Monitoring window updates with each
additional filter choice you make to show the current aggregate filter definition of the view selected.
Policy Navigation
You can navigate from a particular event to the policy within Security Manager that governs that event.
For more information, see Looking Up a Security Manager Policy from Event Viewer, page 66-48.
Understanding Event Viewer Access Control
The user privileges assigned to your username control what you can do in Event Viewer. If you use local
users, or other types of non-ACS access control, then all users have access to Event Viewer. However,
the following access limits are imposed:
• You must have system administrator, network administrator, or approver privileges to select or
deselect devices for monitoring. See Selecting Devices to Monitor, page 66-31.