Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

About the All Security Events Page

 

To access this page, click Monitoring > Security Events > All Events.

Use this page to get an overall, high‐level view of your network environment. You can view abnormal events, attacks, viruses, or worms when log data is correlated and analyzed.

This page provides administrators with an advanced filtering mechanism and provides visibility into actual events collected by the Log Collector. Using the time-range slider, you can instantly focus on areas of unusual activity by dragging the time slider to the area of interest to you. The slider and the Custom button under Time Range remain at the top of each tab. Users select the time range, and then they can decide how to view the data, using the summary view or detail view tabs.

Tasks You Can Perform

You can perform the following tasks from this page:

  • View a brief summary of all events in your network. See Summary View .

  • View the comprehensive details of events in a tabular format that includes sortable columns. See Detail View .

Summary View

You can view a brief summary of all the events in your network. At the center of the page is critical information, including total number of events, viruses found, total number of interfaces that are down, number of attacks, CPU spikes, and system reboots. This data is refreshed automatically based on the selected time range. At the bottom of the page is a swim lane view of different events that are happening at a specific time. The events include firewall, web filtering, VPN, content filtering, antispam, antivirus, and IPS. Each event is color‐coded, with darker shades representing a higher level of activity. Each tab provides deep information like type, and number of events occurring at that specific time.

Table 1 describes the widgets on the All Events Summary View page.

Table 1: Widgets on the All Events Summary View Page

Field

Description

Total Events

View the total number of all the events that includes firewall, web filtering, IPS, IPSec VPNs, content filtering, antispam, and antivirus events.

Virus Instances

View the total number of virtual instances running in the system.

Attacks

View the total number of attacks on the firewall.

Interface Down

View the total number of interfaces that are down.

CPU Spikes

View the total number of times a CPU utilization spike has occurred.

Reboots

View the total number of system reboots.

Sessions

View the total number of sessions established through firewall.

Detail View

Click Detail View for comprehensive details of events in a tabular format that includes sortable columns. You can sort the events using the Group By option. For example, you can sort the events based on severity. The table includes information such as the rule that caused the event, severity for the event, event ID, traffic information, and how and when the event was detected.

Advanced Search

You can perform advanced search of all events using the text field present above the tabular column. It includes the logical operators as part of the filter string. Enter the search string in the text field and based on your input, a list of items from the filter context menu is displayed. . You can select a value from the list and then select a valid logical operator to perform the advanced search operation Press Enter to display the search result in the tabular column below.

To delete the search string in the text field, click the delete icon (X icon).

Examples of event log filters are shown in the following list:

  • Specific events originating from or landing within United States

    Source Country = United States OR Destination Country = United States AND Event Name = IDP_ATTACK_LOG_EVENT, IDP_ATTACK_LOG_EVENT_LS, IDP_APPDDOS_APP_ATTACK_EVENT_LS, IDP_APPDDOS_APP_STATE_EVENT, IDP_APPDDOS_APP_STATE_EVENT_LS, AV_VIRUS_DETECTED_MT, AV_VIRUS_DETECTED, ANTISPAM_SPAM_DETECTED_MT, ANTISPAM_SPAM_DETECTED_MT_LS, FWAUTH_FTP_USER_AUTH_FAIL, FWAUTH_FTP_USER_AUTH_FAIL_LS, FWAUTH_HTTP_USER_AUTH_FAIL, FWAUTH_HTTP_USER_AUTH_FAIL_LS, FWAUTH_TELNET_USER_AUTH_FAIL, FWAUTH_TELNET_USER_AUTH_FAIL_LS, FWAUTH_WEBAUTH_FAIL,FWAUTH_WEBAUTH_FAIL_LS

  • User wants to filter all RT flow sessions originating from IP addresses in specific countries and landing on IPs in specific countries

    Event Name = RT_FLOW_SESSION_CREATE,RT_FLOW_SESSION_CLOSE AND Source IP = 177.1.1.1,220.194.0.150,14.1.1.2,196.194.56.4 AND Destination IP = 255.255.255.255,10.207.99.75,10.207.99.72,223.165.27.13 AND Source Country = Brazil, United States, China, Russia, Algeria AND Destination Country = Germany, India, United States

  • Traffic between zone pairs for policy – IDP2

    Source Zone = trust AND Destination Zone = untrust, internal AND Policy Name = IDP2

  • UTM logs coming from specific source country, destination country, source IP addresses with or without specific destination IP addresses.

    Event Category = antispam, antivirus, contentfilter, webfilter AND Source Country = Australia AND Destination Country = Turkey, United States, Australia AND Source IP = 1.0.0.0,1.1.1.3 OR Destination IP = 74.125.224.47,5.56.17.61

  • Events with specific sources IPs or events hitting HTP, FTP, HTTP, and unknown applications coming from host DC-SRX1400-1 or VSRX-75.

    Application = tftp, ftp, http, unknown OR Source IP = 192.168.34.10,192.168.1.26 AND Hostname = dc-srx1400-1,vsrx-75

Table 2 describes the fields on the All Events Detail View Page.

Table 2: Fields on the All Events Detail View Page

Field

Description

Time

View the time when the log was received.

Event Name

View the event name of the log.

Site

View the name of the tenant site.

Source Country

View the source country name.

Source IP

View the source IP address from where the event occurred.

Destination Country

View the destination country name from where the event occurred.

Destination IP

View the destination IP address of the event.

Source Port

View the source port of the event.

Destination Port

View the destination port of the event.

Description

View the description of the log.

Attack Name

View the attack name of the log: Trojan, worm, virus, and so on.

Threat Severity

View the severity level of the threat.

Policy Name

View the policy name in the log.

UTM Category or Virus Name

View the UTM category of the log.

URL

View the accessed URL name that triggered the event.

Event Category

View the event category of the log.

User Name

View the username of the log.

Action

View the action taken for the event: warning, allow, and block.

Log Source

View the IP address of the log source.

Application

View the application name from which the events or logs are generated

Hostname

View the hostname in the log.

Service Name

The name of the application service. For example, FTP, HTTP, SSH, and so on.

Nested Application

View the nested application in the log.

Source Zone

View the source zone of the log.

Destination Zone

View the destination zone of the log.

Protocol ID

View the protocol ID in the log.

Roles

View the role name associated with the log.

Reason

View the reason for the log generation. For example, a connection tear down may have an associated reason such as “authentication failed”.

NAT Source Port

View the translated source port.

NAT Destination Port

View the translated destination port.

NAT Source Rule Name

View the NAT source rule name.

NAT Destination Rule Name

View the NAT destination rule name.

NAT Source IP

View the translated (or natted) source IP address. It can contain IPv4 or IPv6 addresses.

NAT Destination IP

View the translated (also called natted) destination IP address.

Traffic Session ID

View the traffic session ID of the log.

Path Name

View the path name of the log.

Logical system Name

View the name of the logical system.

Rule Name

View the name of the rule.

Profile Name

View the name of the All events profile that triggered the event.