Use the event log to view and to export system events, network access events, IPS events, advanced threat events, and management access events on your network.
Before you begin
To configure the appliance to log network access and IPS events, you must first attach an event log alert object to a rule in your Network Access policy and Intrusion Prevention policy. To configure the appliance to log management access events, you must first attach an event log alert object to a rule in your Management Access policy.
Tip: You can see detailed information about a system event, network access event, IPS event, management access event, or advanced threat event by double-clicking the event or by selecting the event and clicking View Details.
About this task
In the SiteProtector™ System, events from the appliance are displayed in the Analysis and Properties views.
Procedure
- Click .
- Click one of the following tabs:

| Tab | Description |
|---|---|
| System Events | System events are logged when the system settings are changed and when problems occur with the appliance. An outbound SSL inspection event is a specific system event that is generated when outbound SSL inspection fails to inspect a connection. The event includes the destination domain or IP address that the user is connecting to and the reason for the SSL inspection failure (for example, an unsupported TLS extension or an invalid certificate). These system events are designed to notify users of outbound SSL inspection issues and to facilitate the creation of rules that ignore SSL inspection on specified sites. |
| Network Access Events | A network access event is logged when the appliance performs any of the following actions: rejects a packet, drops a packet, accepts a packet, or redirects a network user. Note: To see network access events in the event log, you must first attach an event log alert object to a rule in your Network Access policy. Tip: Click Clear Events to clear all network access events. |
| IPS Events | An IPS event is logged when the appliance detects an intrusion on your network. You can use IPS events to create rules in your Intrusion Prevention policy. Note: To see IPS events in the event log, you must first attach an event log alert object to a rule in your Intrusion Prevention policy. Tip: You can view IP reputation information by pointing to an event. IP geography is represented by a flag icon in the Source IP and Target IP columns. Tip: Click Clear Events to clear all IPS events. |
| Management Access Events | A management access event is logged when the appliance accepts, rejects, or drops traffic from a host that is connecting to a management interface of the appliance. Note: To see management access events in the event log, you must first attach an event log alert object to a rule in your Management Access policy. The appliance logs the details of the packets that match the management access policy rule to the local event database and can also send alerts (SNMP, email, remote syslog) to the SiteProtector System. Note: If you enable the QRadar® format for the remote syslog alert, the events are sent to QRadar in the same format as network access events. You can distinguish management access events from network access events by viewing the adapter ID field: management access events use M.1 or M.2 as the adapter ID. |
| Advanced Threat Events | An Advanced Threat event is logged when the appliance receives advanced threat data that the appliance can act upon from a configured Advanced Threat Protection agent. Restriction: Live Streaming and Download are unavailable for Advanced Threat events. Note: To see Advanced Threat events in the event log, you must first attach an event log alert object to a rule in your Advanced Threat policy. |
- Click Pause Live Streaming to stop the live update of the event log.
- Click Start Live Streaming to resume the live update of the event log.
- Filter events by completing the following steps:
  - Click the Filter button. The Filter window is displayed.
  - From the Column list, select a column to filter on. Note: The appliance does not return results for the "Time Occurred" column when you select "Any Column." Select the "Time Occurred" column to filter values in that column.
  - From the Condition list, select a filter condition. Available filter conditions vary depending on which tab you selected in the event log. The possible filtering conditions include these options:
    - contains
    - is
    - starts with
    - ends with
    - before
    - after
    - range
  - In the Value field, specify a filter value.
  - Click Filter.
- Click Export to download the displayed data to a CSV file. Note: The default file name is export.csv.
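The filter conditions and the adapter ID note above, as an added example that is not part of the original documentation or the appliance's own code: a small Python filter that applies the documented Column / Condition / Value logic to exported event rows, honours the "Any Column" / "Time Occurred" caveat, and tags management access events by their M.1 or M.2 adapter ID. The column names, the timestamp format and the sample rows are constructed assumptions, not the appliance's actual CSV layout.

```python
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows in the shape of an exported event log. Column names and
# values are assumptions for illustration, not the appliance's actual CSV layout.
EVENTS = [
    {"Time Occurred": "2024-05-01 09:15:00", "Source IP": "10.0.0.5", "Target IP": "10.0.1.9", "Adapter ID": "1A", "Action": "drop"},
    {"Time Occurred": "2024-05-01 10:40:00", "Source IP": "10.0.0.7", "Target IP": "10.0.1.1", "Adapter ID": "M.1", "Action": "reject"},
    {"Time Occurred": "2024-05-02 08:05:00", "Source IP": "192.168.3.4", "Target IP": "10.0.1.9", "Adapter ID": "M.2", "Action": "accept"},
]

TEXT_CONDITIONS = {
    "contains": lambda cell, x: x in cell,
    "is": lambda cell, x: cell == x,
    "starts with": lambda cell, x: cell.startswith(x),
    "ends with": lambda cell, x: cell.endswith(x),
}

def _as_time(text):
    """Parse a timestamp cell; cells that are not timestamps never match time conditions."""
    try:
        return datetime.strptime(text, TIME_FMT)
    except ValueError:
        return None

def _matches(cell, condition, target):
    """Evaluate one event-log filter condition against a single cell."""
    if condition in TEXT_CONDITIONS:
        return TEXT_CONDITIONS[condition](cell, target)
    t = _as_time(cell)
    if t is None:
        return False
    if condition == "before":
        return t < _as_time(target)
    if condition == "after":
        return t > _as_time(target)
    start, end = (_as_time(s) for s in target)  # "range" takes a (start, end) pair
    return start <= t <= end

def filter_events(events, column, condition, value):
    """Apply one Column / Condition / Value filter to the rows.
    As the documentation notes, "Any Column" never searches "Time Occurred"."""
    def searched(row):
        return [c for c in row if c != "Time Occurred"] if column == "Any Column" else [column]
    return [row for row in events if any(_matches(row[c], condition, value) for c in searched(row))]

def is_management_access(row):
    """Management access events carry M.1 or M.2 as the adapter ID."""
    return row["Adapter ID"] in ("M.1", "M.2")
```

Filtering "Any Column" for a date string returns nothing, which is the behaviour the note above describes; select "Time Occurred" explicitly to use before, after or range.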