About the Device Events Page
To access this page, click Monitor > Device Events.
Use the Device Events page to view information about device events such as routine operations, failure and error conditions, and emergency or critical conditions.
You can view comprehensive details of device events in a tabular format that includes sortable columns and a line graph (also known as swim lanes). The data presented in the line graph is refreshed automatically based on the selected time range. The line graph shows light blue areas that represent all device events and dark blue areas represent blocked device events
Tasks You Can Perform
You can perform the following tasks from this page:
Click Custom button to select the date and time range to generate the device event.
Show or hide time range in the carousel by clicking show or hide buttons at the top of the page.
You can perform advanced search of all events using the text field present above the tabular column. It includes the logical operators as part of the filter string. Enter the search string in the text field and based on your input, a list of items from the filter context menu is displayed. You can select a value from the list and then select a valid logical operator to perform the advanced search operation. Press Enter to display the search result in the tabular column below.
To delete the search string in the text field, click the delete icon (X icon).
Examples of event log filters are shown in the following list:
Specific events originating from or landing within United States
Source Country = United States OR Destination Country = United States AND Event Name = IDP_ATTACK_LOG_EVENT, IDP_ATTACK_LOG_EVENT_LS, IDP_APPDDOS_APP_ATTACK_EVENT_LS, IDP_APPDDOS_APP_STATE_EVENT, IDP_APPDDOS_APP_STATE_EVENT_LS, AV_VIRUS_DETECTED_MT, AV_VIRUS_DETECTED, ANTISPAM_SPAM_DETECTED_MT, ANTISPAM_SPAM_DETECTED_MT_LS, FWAUTH_FTP_USER_AUTH_FAIL, FWAUTH_FTP_USER_AUTH_FAIL_LS, FWAUTH_HTTP_USER_AUTH_FAIL, FWAUTH_HTTP_USER_AUTH_FAIL_LS, FWAUTH_TELNET_USER_AUTH_FAIL, FWAUTH_TELNET_USER_AUTH_FAIL_LS, FWAUTH_WEBAUTH_FAIL, FWAUTH_WEBAUTH_FAIL_LS
User wants to filter all RT flow sessions originating from IPs in specific countries and landing on IPs in specific countries
Event Name = RT_FLOW_SESSION_CREATE, RT_FLOW_SESSION_CLOSE AND Source IP = 22.214.171.124,126.96.36.199, 188.8.131.52,184.108.40.206 AND Destination IP = 255.255.255.255, 10.207.99.75,10.207.99.72, 220.127.116.11 AND Source Country = Brazil, United States, China, Russia, Algeria AND Destination Country = Germany, India, United States
Traffic between zone pairs for policy – IDP2
Source Zone = trust AND Destination Zone = untrust, internal AND Policy Name = IDP2
UTM logs coming from specific source country, destination country, source IPs with or without specific destination IPs
Event Category = antispam, antivirus, contentfilter, webfilter AND Source Country = Australia AND Destination Country = Turkey, United States, Australia AND Source IP = 18.104.22.168,22.214.171.124 OR Destination IP = 126.96.36.199,188.8.131.52
Events with specific sources IPs or events hitting HTP, FTP, HTTP, and unknown applications coming from host DC-SRX1400-1 or VSRX-75.
Application = tftp, ftp, http, unknown OR Source IP = 192.168.34.10, 192.168.1.26 AND Hostname = dc-srx1400-1, vsrx-75
Table 1 provides guidelines on using the fields on the Device Events page.
Table 1: Fields on the Device Events Detailed View Page
View the time when the log was received.
View the event name of the log.
View the name of the tenant.
View the name of the tenant site.
View the name of source country from where the event originated.
View the source IP address from where the event occurred.
View the name of destination country from where the event occurred.
View the destination IP address of the event.
View the source port of the device event.
View the destination port of the device event.
View the description of the log.
View the attack name of the log. For example, Trojan, worm, virus, and so on.
View the severity level of the threat.
View the policy name in the log.
UTM Category or Virus Name
View the UTM category of the log.
View the accessed URL name that triggered the event.
View the event category of the log.
View the username of the log.
View the type of traffic. For example, ftp and http.
View the action taken for the event. For example, warning, allow, or block.
View the IP address of the log source.
View the application name from which the events or logs are generated.
View the host name in the log.
View the name of the application service. For example, FTP, HTTP, SSH, and so on.
View the nested application in the log.
View the source zone of the log.
View the destination zone of the log.
View the protocol ID in the log.
View the role name associated with the log.
View the reason for the log generation. For example, a connection tear down may have an associated reason such as authentication failed.
NAT Source Port
View the translated source port.
NAT Destination Port
View the translated destination port.
NAT Source Rule Name
View the NAT source rule name.
NAT Destination Rule Name
View the NAT destination rule name.
NAT Source IP
View the translated (or natted) source IP address. It can contain IPv4 or IPv6 addresses.
NAT Destination IP
View the translated (also called natted) destination IP address.
Traffic Session ID
View the traffic session ID of the log.
View the path name of the log.
Logical System Name
View the name of the logical system.
View the name of the rule.
The name of the profile that triggered the event.
View the number of events occurred.
View the name of the tenant from which the event originated.