Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 66 Viewing Events
Examples of Event Analysis
For more information about configuring event action filter rules, see Configuring Event Action
Filters, page 39-4.
The following procedure shows how to use filtering in Event Viewer to remove false positives from the
events list. It uses network/host policy objects to accomplish the filtering.
Tip: By creating source or destination address filters using network/host objects, you can update the filters
simply by changing the contents of the object. You do not need to add or remove filters from your views.
Another advantage is that you can proactively create filters for addresses that do not currently appear in
the events table; the source/destination column filter controls in Event Viewer list only those addresses
that currently appear in listed events.
Step 1 Create a network/host policy object that includes the IP addresses of the clean hosts or networks.
a. Select Manage > Policy Objects to open the Policy Object Manager window (see Policy Object
Manager, page 6-4).
b. Select Networks/Hosts from the table of contents.
c. Click the Add Row (+) button beneath the table of network/host policy objects, and select Group
as the object type.
d. In the Add Network/Host Group dialog box, enter a name for the object, for example,
IPS_Safe_Hosts.
e. Select Enter IPv4 Address Information and enter the IP address, for example, 10.100.15.75.
f. Click Add >> to add the IP address to the Members in Group list.
g. Click OK to create the object.
h. Click Close to close the Policy Object Manager window.
Step 2 Select File > Submit to submit your changes to the database (non-Workflow mode). Keep in mind that
all of your configuration changes are submitted, not just the new policy object.
If you are using Workflow mode, you must submit your activity and have it approved, if necessary.
Tip: Event Viewer can see only those policy objects that have been submitted to the database, so you
must submit your changes before you can create a filter using the object. If you later change the
object, you must also submit your changes for the filter to use the new definition of the policy
object.
Step 3 Select Launch > Event Viewer to open the Event Viewer application.
Step 4 Create a custom view that filters out the network management station:
a. Double-click the predefined view that you want to use as the basis of your custom view, for example,
All IPS Events. Double-clicking the view in the Views list opens the view. If you already have a
custom view that you want to update, open it.
b. Click the down arrow button in the title of the Source column in the events table and select Custom
to open the Custom Filter for Source dialog box.
Tip: You can also get to this dialog box through the View Settings pane by clicking the Add button,
then selecting Source in the Add Custom Filter to a Column dialog box and clicking OK.
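
The two tips above depend on the filter referring to the policy object by name and on Event Viewer resolving only the submitted definition of that object. The following Python model of that behaviour is an added example, not Cisco Security Manager code: the ObjectStore class, the exclude_sources function, the event records and the 10.100.16.0/24 network are constructed for illustration, and treating the filter as an exclusion on the Source column is an assumption.

```python
import ipaddress

# Constructed sample events; only the source address matters here.
EVENTS = [
    {"id": 1, "src": "10.100.15.75", "signature": "constructed-sweep"},
    {"id": 2, "src": "192.0.2.44", "signature": "constructed-sweep"},
    {"id": 3, "src": "10.100.16.9", "signature": "constructed-scan"},
]

class ObjectStore:
    """Named network/host groups with a working copy and a submitted copy."""
    def __init__(self):
        self.working = {}    # edits made in the policy object editor
        self.submitted = {}  # definitions the event filter is able to resolve

    def set_group(self, name, members):
        self.working[name] = [ipaddress.ip_network(m, strict=False) for m in members]

    def submit(self):
        # Submitting publishes every pending change, not only one object.
        self.submitted = {name: list(nets) for name, nets in self.working.items()}

def exclude_sources(events, store, group_name):
    """Return the events whose source is NOT in the submitted group."""
    nets = store.submitted.get(group_name)
    if nets is None:
        raise KeyError(f"{group_name} has not been submitted")
    def is_safe(event):
        ip = ipaddress.ip_address(event["src"])
        return any(ip in net for net in nets)
    return [event for event in events if not is_safe(event)]

def demo():
    store = ObjectStore()
    store.set_group("IPS_Safe_Hosts", ["10.100.15.75"])
    store.submit()
    first = [e["id"] for e in exclude_sources(EVENTS, store, "IPS_Safe_Hosts")]
    # Edit the object only; the filter itself (the group name) is unchanged.
    store.set_group("IPS_Safe_Hosts", ["10.100.15.75", "10.100.16.0/24"])
    stale = [e["id"] for e in exclude_sources(EVENTS, store, "IPS_Safe_Hosts")]
    store.submit()
    fresh = [e["id"] for e in exclude_sources(EVENTS, store, "IPS_Safe_Hosts")]
    return first, stale, fresh

if __name__ == "__main__":
    print(demo())
```

The unsubmitted edit leaves the filtered list unchanged, and the added network, which could equally cover hosts that have not yet produced any event, takes effect only after the submit.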