About the All Security Events Page
To access this page, click Monitoring > Security Events > All Events.
Use this page to get an overall, high‐level view of your network environment. You can view abnormal events, attacks, viruses, or worms when log data is correlated and analyzed.
This page provides administrators with an advanced filtering mechanism and provides visibility into actual events collected by the Log Collector. Using the time-range slider, you can instantly focus on areas of unusual activity by dragging the time slider to the area of interest to you. The slider and the Custom button under Time Range remain at the top of each tab. Users select the time range, and then they can decide how to view the data, using the summary view or detail view tabs.
Tasks You Can Perform
You can perform the following tasks from this page:
View a brief summary of all events in your network. See Summary View .
View the comprehensive details of events in a tabular format that includes sortable columns. See Detail View .
You can view a brief summary of all the events in your network. At the center of the page is critical information, including total number of events, viruses found, total number of interfaces that are down, number of attacks, CPU spikes, and system reboots. This data is refreshed automatically based on the selected time range. At the bottom of the page is a swim lane view of different events that are happening at a specific time. The events include firewall, web filtering, VPN, content filtering, antispam, antivirus, and IPS. Each event is color‐coded, with darker shades representing a higher level of activity. Each tab provides deep information like type, and number of events occurring at that specific time.
Table 1 describes the widgets on the All Events Summary View page.
Table 1: Widgets on the All Events Summary View Page
View the total number of all the events that includes firewall, web filtering, IPS, IPSec VPNs, content filtering, antispam, and antivirus events.
View the total number of virtual instances running in the system.
View the total number of attacks on the firewall.
View the total number of interfaces that are down.
View the total number of times a CPU utilization spike has occurred.
View the total number of system reboots.
View the total number of sessions established through firewall.
Click Detail View for comprehensive details of events in a tabular format that includes sortable columns. You can sort the events using the Group By option. For example, you can sort the events based on severity. The table includes information such as the rule that caused the event, severity for the event, event ID, traffic information, and how and when the event was detected.
You can perform advanced search of all events using the text field present above the tabular column. It includes the logical operators as part of the filter string. Enter the search string in the text field and based on your input, a list of items from the filter context menu is displayed. . You can select a value from the list and then select a valid logical operator to perform the advanced search operation Press Enter to display the search result in the tabular column below.
To delete the search string in the text field, click the delete icon (X icon).
Examples of event log filters are shown in the following list:
Specific events originating from or landing within United States
Source Country = United States OR Destination Country = United States AND Event Name = IDP_ATTACK_LOG_EVENT, IDP_ATTACK_LOG_EVENT_LS, IDP_APPDDOS_APP_ATTACK_EVENT_LS, IDP_APPDDOS_APP_STATE_EVENT, IDP_APPDDOS_APP_STATE_EVENT_LS, AV_VIRUS_DETECTED_MT, AV_VIRUS_DETECTED, ANTISPAM_SPAM_DETECTED_MT, ANTISPAM_SPAM_DETECTED_MT_LS, FWAUTH_FTP_USER_AUTH_FAIL, FWAUTH_FTP_USER_AUTH_FAIL_LS, FWAUTH_HTTP_USER_AUTH_FAIL, FWAUTH_HTTP_USER_AUTH_FAIL_LS, FWAUTH_TELNET_USER_AUTH_FAIL, FWAUTH_TELNET_USER_AUTH_FAIL_LS, FWAUTH_WEBAUTH_FAIL,FWAUTH_WEBAUTH_FAIL_LS
User wants to filter all RT flow sessions originating from IP addresses in specific countries and landing on IPs in specific countries
Event Name = RT_FLOW_SESSION_CREATE,RT_FLOW_SESSION_CLOSE AND Source IP = 22.214.171.124,126.96.36.199,188.8.131.52,184.108.40.206 AND Destination IP = 255.255.255.255,10.207.99.75,10.207.99.72,220.127.116.11 AND Source Country = Brazil, United States, China, Russia, Algeria AND Destination Country = Germany, India, United States
Traffic between zone pairs for policy – IDP2
Source Zone = trust AND Destination Zone = untrust, internal AND Policy Name = IDP2
UTM logs coming from specific source country, destination country, source IP addresses with or without specific destination IP addresses.
Event Category = antispam, antivirus, contentfilter, webfilter AND Source Country = Australia AND Destination Country = Turkey, United States, Australia AND Source IP = 18.104.22.168,22.214.171.124 OR Destination IP = 126.96.36.199,188.8.131.52
Events with specific sources IPs or events hitting HTP, FTP, HTTP, and unknown applications coming from host DC-SRX1400-1 or VSRX-75.
Application = tftp, ftp, http, unknown OR Source IP = 192.168.34.10,192.168.1.26 AND Hostname = dc-srx1400-1,vsrx-75
Table 2 describes the fields on the All Events Detail View Page.
Table 2: Fields on the All Events Detail View Page
View the time when the log was received.
View the event name of the log.
View the name of the tenant site.
View the source country name.
View the source IP address from where the event occurred.
View the destination country name from where the event occurred.
View the destination IP address of the event.
View the source port of the event.
View the destination port of the event.
View the description of the log.
View the attack name of the log: Trojan, worm, virus, and so on.
View the severity level of the threat.
View the policy name in the log.
UTM Category or Virus Name
View the UTM category of the log.
View the accessed URL name that triggered the event.
View the event category of the log.
View the username of the log.
View the action taken for the event: warning, allow, and block.
View the IP address of the log source.
View the application name from which the events or logs are generated
View the hostname in the log.
The name of the application service. For example, FTP, HTTP, SSH, and so on.
View the nested application in the log.
View the source zone of the log.
View the destination zone of the log.
View the protocol ID in the log.
View the role name associated with the log.
View the reason for the log generation. For example, a connection tear down may have an associated reason such as “authentication failed”.
NAT Source Port
View the translated source port.
NAT Destination Port
View the translated destination port.
NAT Source Rule Name
View the NAT source rule name.
NAT Destination Rule Name
View the NAT destination rule name.
NAT Source IP
View the translated (or natted) source IP address. It can contain IPv4 or IPv6 addresses.
NAT Destination IP
View the translated (also called natted) destination IP address.
Traffic Session ID
View the traffic session ID of the log.
View the path name of the log.
Logical system Name
View the name of the logical system.
View the name of the rule.
View the name of the All events profile that triggered the event.