Viewing the event log

Use the event log to view and to export system events, network access events, IPS events, advanced threat events, and management access events on your network.

Before you begin

To configure the appliance to log network access and IPS events, you must first attach an event log alert object to a rule in your Network Access policy and Intrusion Prevention policy.

To configure the appliance to log management access events, you must first attach an event log alert object to a rule in your Management Access policy.

Tip: You can see detailed information about a system event, network access event, IPS event, management access event, or advanced threat event by double-clicking the event or by selecting the event and clicking View Details.

About this task

In the SiteProtector™ System, events from the appliance are displayed in the Analysis and Properties views.

Procedure

  1. Click Monitor > Event Log.
  2. Click one of the following tabs:
    System Events
      System events are logged when the system settings are changed and when problems occur with the appliance.
      An outbound SSL inspection event is a specific system event that is generated when outbound SSL inspection fails to inspect a connection. The event includes the destination domain or IP address that the user is connecting to and the reason for the SSL inspection failure.
      Examples:
      • Unsupported TLS extension
      • Invalid certificate
      These system events are designed to notify users of outbound SSL inspection issues and to facilitate the creation of rules that ignore SSL inspection on specified sites.
    Network Access Events
      A network access event is logged when the appliance performs any of the following actions: rejects a packet, drops a packet, accepts a packet, or redirects a network user.
      Note: To see network access events in the event log, you must first attach an event log alert object to a rule in your Network Access policy.
      Tip: Click Clear Events to clear all network access events.
    IPS Events
      An IPS event is logged when the appliance detects an intrusion on your network.
      You can use IPS events to create rules in your Intrusion Prevention policy.
      Note: To see IPS events in the event log, you must first attach an event log alert object to a rule in your Intrusion Prevention policy.
      Tip: You can view IP reputation information by pointing to an event. IP geography is represented by a flag icon in the Source IP and Target IP columns.
      Tip: Click Clear Events to clear all IPS events.
    Management Access Events
      A management access event is logged when the appliance accepts, rejects, or drops traffic from a host that is connecting to a management interface of the appliance.
      Note: To see management access events in the event log, you must first attach an event log alert object to a rule in your Management Access policy.
      The appliance logs the details of the packets that match the management access policy rule to the local event database and can also send alerts (SNMP, email, remote syslog) to the SiteProtector System.
      Note: If you enable the QRadar® format for the remote syslog alert, the events are sent to QRadar in the same format as network access events. You can distinguish management access events from network access events by viewing the adapter ID field: management access events use M.1 or M.2 as the adapter ID.
    Advanced Threat Events
      An Advanced Threat event is logged when the appliance receives advanced threat data that it can act upon from a configured Advanced Threat Protection agent.
      Restriction: Live Streaming and Download are unavailable for Advanced Threat events.
      Note: To see Advanced Threat events in the event log, you must first attach an event log alert object to a rule in your Advanced Threat policy.
  3. Click Pause Live Streaming to stop the live update of the event log.
  4. Click Start Live Streaming to resume the live update of the event log.
  5. Filter events by completing the following steps:
    1. Click the Filter button. The Filter window is displayed.
    2. From the Column list, select a column to filter on.
      Note: The appliance does not return results for the "Time Occurred" column when you select "Any Column." Select the "Time Occurred" column to filter values in that column.
    3. From the Condition list, select a filter condition. Available filter conditions vary depending on which tab you selected in the event log. The possible filtering conditions include these options:
      • contains
      • is
      • starts with
      • ends with
      • before
      • after
      • range
    4. In the Value field, specify a filter value.
    5. Click Filter.
  6. Click Export to download the displayed data to a CSV file.
    Note: The default file name is export.csv.
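The filter conditions from step 5 and the adapter ID rule from the QRadar note, applied to an exported event file, as an added Python example that is not IBM's code and does not reproduce the appliance's actual export layout. The CSV columns other than Time Occurred, Source IP and Target IP, the timestamp format, and the "start/end" syntax for a range value are assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample export. Only "Time Occurred", "Source IP" and "Target IP"
# are column names taken from the documentation; the others are assumed.
SAMPLE_EXPORT = """Time Occurred,Source IP,Target IP,Adapter ID,Action
2024-05-01 09:15:02,10.0.0.5,192.0.2.10,1.1,Accept
2024-05-01 09:16:40,198.51.100.7,10.0.0.20,M.1,Reject
2024-05-01 10:02:11,10.0.0.8,203.0.113.4,2.1,Drop
2024-05-01 10:45:59,198.51.100.9,10.0.0.20,M.2,Drop
"""
TIME_COLUMN = "Time Occurred"
TIME_FMT = "%Y-%m-%d %H:%M:%S"                    # assumed timestamp format
TIME_CONDITIONS = ("before", "after", "range")   # only meaningful on Time Occurred
MANAGEMENT_ADAPTER_IDS = {"M.1", "M.2"}           # adapter IDs of management access events

def load_events(text=SAMPLE_EXPORT):
    return list(csv.DictReader(io.StringIO(text)))

def _text_match(cell, condition, value):
    return {"contains": value in cell, "is": cell == value,
            "starts with": cell.startswith(value), "ends with": cell.endswith(value)}[condition]

def _time_match(cell, condition, value):
    t = datetime.strptime(cell, TIME_FMT)
    if condition == "range":                      # value given as "start/end"
        start, end = (datetime.strptime(v.strip(), TIME_FMT) for v in value.split("/"))
        return start <= t <= end
    bound = datetime.strptime(value, TIME_FMT)
    return t < bound if condition == "before" else t > bound

def filter_events(events, column, condition, value):
    """One Filter-window query: a column (or 'Any Column'), a condition and a value.
    As the appliance does, 'Any Column' never matches against Time Occurred."""
    if condition in TIME_CONDITIONS and column != TIME_COLUMN:
        raise ValueError(f"{condition!r} is only valid on the {TIME_COLUMN!r} column")
    match = _time_match if condition in TIME_CONDITIONS else _text_match
    hits = []
    for ev in events:
        cols = [column] if column != "Any Column" else [c for c in ev if c != TIME_COLUMN]
        if any(match(ev[c], condition, value) for c in cols):
            hits.append(ev)
    return hits

def management_access_events(events):
    """Separate management access events from network access events by adapter
    ID (M.1 / M.2), as the QRadar-format note describes."""
    return [ev for ev in events if ev["Adapter ID"] in MANAGEMENT_ADAPTER_IDS]
```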