Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Example: Using NSM Log Viewer Features

    The Network and Security Manager (NSM) Log Viewer includes many display features to help you sort and correlate logs so you can analyze security events. For complete information on NSM Log Viewer features, see Chapter 18 of the NSM Administration Guide PDF Document. The following sections are provided here to give you ideas of how to take advantage of NSM features as you develop your approach to log monitoring:

    Using Predefined Views

    Out of the box, the NSM Log Viewer includes a predefined view for DI/IDP event logs. A predefined view is a filtered view of all logs collected on the NSM device server. The DI/IDP view is filtered for events that match a predefined or custom attack object (Category field = Predefined or Category = Custom). Figure 1 shows the DI/IDP view.

    Figure 1: NSM Log Viewer: Predefined View

    Image s036763.gif

    Showing and Hiding Columns

    The default columns shown in the predefined DI/IDP view might not include all of the data fields you are interested in. To select your preferred columns and the order in which they appear, select View > Choose Columns and use the dialog box to organize columns according to your preference.

    Figure 2: NSM Log Viewer: Choose Columns

    Image s036764.gif

    Using Filters

    The default DI/IDP view is filtered to display only logs where Category=Predefined or Category=Custom. To set additional filters, select View > Filter Summary and use the dialog box to set additional filters. In Figure 3, filters are selected to display logs for traffic where the rule action allowed the traffic continue to the destination server. When you approach the set of logs you examine each day, you might want to start with events of high severity, where traffic continued to the destination.

    Figure 3: NSM Log Viewer: Filters

    Image s036756.gif

    You can also filter on the fly. Suppose you find a log for an attack targeting HTTP traffic. In the row for the log, you can right-click the cell containing destination port 80 and select Filter > Only This Value to redisplay the table with only records where destination port = 80.

    Figure 4: NSM Log Viewer: Filters

    Image s036759.gif

    Using Log Viewer Detail Panes

    The details pane below the log table provides summary and security reference information for the attack object that triggered the log. The details pane also includes a link to WHOIS information for the source IP.

    Suppose your security policy rule includes the following attack object: Predefined :: HTTP: Windows Media Services NSIISlog.DLL Buffer Overflow. It generates a log when it identifies the attack pattern in traffic through the IDP Series device. Use the reference information in the details pane below the log table to learn more about the attack. You can click the hypertext linked name of the attack object in the summary tab to display reference information for the attack, as shown in Figure 5.

    Figure 5: Using NSM Log Viewer Attack Reference Information

    Image s036755.gif

    Using Flags and Comments

    As you work through logs, you can annotate them with flags and comments and then filter on your annotations. Figure 6 shows a log marked as a false positive because the attack targets server versions not present in our network.

    Figure 6: Using NSM Log Viewer Flag and Comment Features

    Image s036753.gif

    To mark a log with a flag, right-click the cell in the Flag column and select one of the following flags:

    • High (severity)
    • Medium (severity)
    • Low (severity)
    • Closed
    • False Positive
    • Assigned
    • Investigate
    • Follow-Up
    • Pending

    Using Custom Views

    As you become familiar with NSM Log Viewer filters, you are likely to discover views of the data you typically want to use to monitor traffic. You can save custom views. Because the custom view is based on filters, incoming log entries that match the filter criteria are automatically displayed in the view. You do not need to reapply the view to new logs.

    Figure 7 shows a custom view of columns and filters focusing on events where the IDP Series device allowed HTTP traffic to proceed to its destination.

    Figure 7: NSM Log Viewer: Custom View

    Image s036765.gif

    You might want to create views to help manage the following example cases:

    • Workflow—If your team distributes responsibilities based on IDP Series device, internal servers, application, severity, or type of attack, you can create views filtered on the appropriate columns. In the same manner, you can also use the Flag or Comments columns to prioritize or delegate investigation.
    • Attackers—Once you learn the IP address of an attacker, you can create a view filtered on Source IP to watch what the attackers activities on your network.
    • Devices—After you deploy a new device, you can create a view filtered on the Device column to observe and validate device effectiveness.

    To create a new view, select the columns you want to display and apply filters. Select File > New View to display a dialog box to save the view in your preferred Log Viewer folder. We recommend saving custom views in the Custom folder.

    Published: 2011-02-08