
    Using Event Viewer Table Options

    This section covers the following topics:

    Using Event Viewer Table Options in Non Grouped Mode

    To use Event Viewer table options in nongrouped mode:

    1. Select and right-click a cell.

      Table 1 describes the event viewer cell options.

      Table 1: Event Viewer Cell Options

      | Option | Description | Example |
      | --- | --- | --- |
      | Show policy | Navigates to the Firewall Policies or IPS Policies page that generates the logs. | |
      | Filter on Cell Data | Updates the logs in the event viewer table with field values matching the selected cell value. The selected value is appended to the existing filter. | If you select an srcip column with the value 2.2.2.2 and click Filter on cell data, the filter string is updated with srcip equals 2.2.2.2. |
      | Exclude Cell Data | Updates the logs in the event viewer table without the field values matching the selected cell value. Note: The option Exclude cell data is not available in the Time column. | If you select an srcip column with the value 2.2.2.2 and click Exclude cell data, the filter string is updated with srcip not equals 2.2.2.2. |
      | Show Raw Log | Displays the actual logs received from the SRX Series devices. | Log ID 147696: 1 2014-04-08T11:00:03.917Z - snmpd 1099 SNMPD_AUTH_FAILURE [junos@2636.1.1.1.2.96 function-name="nsa_log_community" message="unauthorized SNMP community" source-address="10.207.99.91" destination-address="10.207.99.72" index1="public"] nsa_log_community: unauthorized SNMP community from 10.207.99.91 to 10.207.99.72 (public) |
      | Create Address Object | Allows you to create address objects in Security Director. Note: This option is available only on source IP, destination IP, NAT source IP, NAT destination IP, source IPv6, and destination IPv6. | |
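      The Filter on Cell Data and Exclude Cell Data semantics from Table 1, together with the raw log shown under Show Raw Log, modelled as an added Python illustration (not Security Director code): parse_raw_log splits the page's own raw log line into fields, assuming the bracketed [junos@...] part is key="value" structured data, and EventFilter builds the AND-joined filter string that each click appends to, refusing Exclude on the Time column as the table notes. The sample rows are constructed.

```python
import re
# The page's own "Show Raw Log" example line, reused here as sample input.
RAW_LOG = ('1 2014-04-08T11:00:03.917Z - snmpd 1099 SNMPD_AUTH_FAILURE '
           '[junos@2636.1.1.1.2.96 function-name="nsa_log_community" '
           'message="unauthorized SNMP community" source-address="10.207.99.91" '
           'destination-address="10.207.99.72" index1="public"] '
           'nsa_log_community: unauthorized SNMP community from 10.207.99.91 to 10.207.99.72 (public)')
SD_PARAM = re.compile(r'([\w-]+)="([^"]*)"')  # key="value" pairs inside the [junos@...] element

def parse_raw_log(line):
    """Parse a raw SRX log: header fields plus the key="value" structured data (format assumed)."""
    header, _, rest = line.partition(" [")
    _version, timestamp, host, _app, _pid, event = header.split(" ", 5)
    sd, _, text = rest.partition("] ")
    fields = {"Time": timestamp, "Log Source": host, "EventName": event, "Text": text}
    fields.update(SD_PARAM.findall(sd))
    return fields

class EventFilter:
    """Filter string assembled by the cell options; clauses are joined with AND."""
    def __init__(self):
        self.clauses = []  # (column, operator, value)

    def filter_on_cell(self, column, value):
        """'Filter on Cell Data' appends `column equals value`."""
        self.clauses.append((column, "equals", value))
        return self

    def exclude_cell(self, column, value):
        """'Exclude Cell Data' appends `column not equals value`; not offered on the Time column."""
        if column == "Time":
            raise ValueError("Exclude cell data is not available in the Time column")
        self.clauses.append((column, "not equals", value))
        return self

    def __str__(self):
        return " AND ".join(f"{c} {op} {v}" for c, op, v in self.clauses)

    def matches(self, log):
        """A log passes when every clause holds (equals / not equals)."""
        return all((log.get(c) == v) == (op == "equals") for c, op, v in self.clauses)

    def apply(self, logs):
        return [log for log in logs if self.matches(log)]

# Constructed event viewer rows (page's srcip column) next to the parsed raw log.
LOGS = [parse_raw_log(RAW_LOG),
        {"Time": "2014-04-08T11:00:05Z", "srcip": "2.2.2.2", "EventName": "rt_screen_ip"},
        {"Time": "2014-04-08T11:00:06Z", "srcip": "2.2.2.2", "EventName": "RT_FLOW_SESSION_CREATE"}]
```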

    Creating an Address Object

    To create a Security Director address object:

    1. Enter the following details:
      • Name—Name of the address object.
      • Description—Description of the address object.
    2. To save the address object, click Save.

      The host address is created, and the Security Director address object name is displayed in the address or destination address column.

    Using Event Viewer Table Options in Grouped Mode

    When you use the Group by option to combine logs based on a specific field, one record is displayed for every distinct value of that field. Other columns in the row display MULTIPLE(n) when they hold multiple values. By default, group by tables are always sorted by count. The group by column is the first column in the table and is followed by the count column. The count column is not displayed when the table is not grouped.

    To drill down into Group by logs:

    1. Click Multiple.

      The Event Viewer table displays the grouped log details associated with multiple values.

    2. Select a row and click Show All Logs.

      The Event Viewer table view is switched to nongrouped view.

      Group by drop-down is reset to None.

    Example: Using Event Viewer Table Options in Grouped Mode

    In this sample scenario, assume that the logs are grouped based on event name and that there are multiple destination IP addresses for a specific event name.

    To drill down into grouped logs:

    1. Click Multiple in the Destination IP column of the row that you want to drill down into.

      The event viewer table displays the grouped log details.

      The filter string displays the expression SrcIP equals 1.1.1.1. The logs are grouped based on source IP with the filter SrcIP equals 1.1.1.1.

    2. Click Multiple in the Event Name column of the row that you want to drill down into.

      The event viewer table displays the grouped log details.

      The filter string displays the expression SrcIP equals 1.1.1.1 AND DstIP equals 2.1.1.1. The logs are grouped based on service with the filter SrcIP equals 1.1.1.1 AND DstIP equals 2.1.1.1.

    3. Select a row, right-click, and select Show all Logs.

      The Event Viewer table view is switched to nongrouped view with the filter SrcIP equals 1.1.1.1 AND DstIP equals 2.1.1.1 AND EventName equals rt_screen_ip.

      The Group by drop-down is reset to None.

    Using the Detailed Log View

    To use the detailed log view:

    1. Select a log in the Event Viewer table.

      The details of the log selected on the event viewer page are displayed in the detailed log view section at the bottom of the event viewer page. Table 2 lists the details of the logs.

    Table 2: Detail Log View

    | Section | Option | Description |
    | --- | --- | --- |
    | General Information | Log ID | Displays the unique log ID. |
    | General Information | Log Source | Displays the IP address of the log source. |
    | General Information | Local Time | Displays the time the log was received. |
    | General Information | UTC Time | Displays the log time in the UTC time zone. |
    | General Information | Category | Displays the category of the log. |
    | General Information | Severity | Displays the severity of the log. |
    | General Information | Reason | Displays the reason the log was generated. |
    | Source Information | Source IP | Displays the source IP address. |
    | Source Information | Source Port | Displays the source port. |
    | Source Information | Source Address | Displays the source address. |
    | Source Information | Source Zone | Displays the source zone. |
    | Source Information | NAT Source IP | Displays the NAT source IP address. |
    | Source Information | NAT Source Port | Displays the NAT source port. |
    | Destination Information | Destination IP | Displays the destination IP address. |
    | Destination Information | Destination Port | Displays the destination port. |
    | Destination Information | Destination Address | Displays the destination address. |
    | Destination Information | Destination Zone | Displays the destination zone. |
    | Destination Information | NAT Destination IP | Displays the NAT destination IP address. |
    | Destination Information | NAT Destination Port | Displays the NAT destination port. |
    | Traffic Information | Attack Name | Displays the attack name in the log. |
    | Traffic Information | Policy Name | Displays the policy name. |
    | Traffic Information | Username | Displays the username in the log. |
    | Traffic Information | Application | Displays the application in the log. |
    | Traffic Information | Service | Displays the service in the log. |
    | Traffic Information | Nest App | Displays the nested application in the log. |
    | Traffic Information | Rule Name | Displays the rule name in the log. |

    Using the Display Option

    To use the display option:

    1. Select a Group by option.
    2. Click Filter or press Enter.

      The group by logs are displayed in the event viewer table and the option Display is enabled.

    3. Click Display > Display Number.
    4. Select an option to display the top (n) results. The available options are:
      • Top 3
      • Top 5
      • Top 10
      • Top 20
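    The grouped-mode behaviour described above (one row per distinct value, a Count column, MULTIPLE(n) cells, rows sorted by count, drill-down that appends a clause to the filter, Show All Logs returning to nongrouped view) together with the Top (n) setting of the Display option, as an added Python model with constructed rows; this is an illustration written for this page, not Security Director's implementation, and the function names are assumptions.

```python
from collections import defaultdict
# Constructed Event Viewer rows (no real telemetry); column names follow the page.
LOGS = [
    {"SrcIP": "1.1.1.1", "DstIP": "2.1.1.1", "EventName": "rt_screen_ip", "Service": "icmp"},
    {"SrcIP": "1.1.1.1", "DstIP": "2.1.1.1", "EventName": "rt_screen_ip", "Service": "tcp"},
    {"SrcIP": "1.1.1.1", "DstIP": "3.1.1.1", "EventName": "RT_FLOW_SESSION_CREATE", "Service": "http"},
    {"SrcIP": "5.5.5.5", "DstIP": "2.1.1.1", "EventName": "rt_screen_ip", "Service": "icmp"},
]

def filter_string(clauses):
    """Render clauses as the page shows them: 'SrcIP equals 1.1.1.1 AND DstIP equals 2.1.1.1'."""
    return " AND ".join(f"{f} equals {v}" for f, v in clauses)

def apply_filter(logs, clauses):
    return [log for log in logs if all(log.get(f) == v for f, v in clauses)]

def group_by(logs, field, top=None):
    """Grouped mode: one row per distinct value of `field`, then a Count column;
    other columns show MULTIPLE(n) when n > 1 distinct values occur. Rows are
    sorted by count; `top` models Display > Display Number (Top 3/5/10/20)."""
    buckets = defaultdict(list)
    for log in logs:
        buckets[log[field]].append(log)
    rows = []
    for value, members in buckets.items():
        row = {field: value, "Count": len(members)}
        for col in members[0]:
            if col == field:
                continue
            vals = {m[col] for m in members}
            row[col] = vals.pop() if len(vals) == 1 else f"MULTIPLE({len(vals)})"
        rows.append(row)
    rows.sort(key=lambda r: r["Count"], reverse=True)
    return rows[:top] if top else rows

def drill_down(logs, clauses, field, value, regroup_by):
    """Clicking MULTIPLE: the clicked row's group value is appended to the filter
    and the matching logs are regrouped by another column."""
    clauses = clauses + [(field, value)]
    return clauses, group_by(apply_filter(logs, clauses), regroup_by)

def show_all_logs(logs, clauses):
    """Show All Logs: back to the nongrouped view, keeping the accumulated filter."""
    return apply_filter(logs, clauses)

# Walk the page's drill-down: group by SrcIP, then DstIP, then EventName.
clauses, by_dst = drill_down(LOGS, [], "SrcIP", "1.1.1.1", "DstIP")
clauses, by_event = drill_down(LOGS, clauses, "DstIP", "2.1.1.1", "EventName")
final = show_all_logs(LOGS, clauses + [("EventName", "rt_screen_ip")])
```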

    Using Event Graphs

    To use event graphs:

    1. Select a Group by option.
    2. Click Filter or press Enter.

      The grouped logs are displayed in the Event Viewer table.

    3. Select Split View.

      The Event Viewer displays a bar graph and a table for the top (n) grouped items.

    4. Select a row in the table below the graph.

      The corresponding bar in the graph is highlighted.

    5. Click an item in the bar graph.

      The view switches to nongrouped view, which displays all logs related to the filter criteria.

    Using the Show Logs Option to Navigate from the Event Viewer to the Policies Page

    You can navigate from the Event Viewer page to the Firewall Policies page or IPS Policies page that displays the policy associated with the logs. To navigate from the Event Viewer page to the Firewall Policies page or IPS Policies page:

    1. Launch Event Viewer and query Firewall or IPS logs.

      The firewall and IPS logs are displayed.

    2. Right-click a log and select Show Policy.

      The IPS Policies page displays the changes in the current rule associated with the logs.

    3. For a Firewall policy, click one of the options:
      • Changes in the Rule—Displays the changes in the rule.

        The previous rule and the current rule are displayed. You have the options to either Go to the current rule or Go to Policy Comparison. Go to Policy Comparison provides the options to compare policy versions.

      • Go to Current Rule—Navigates to the current rule.

    Using the Show Logs Option to Navigate from Policies to Logs on the Event Viewer Page

    You can navigate from the Firewall Policies page or IPS Policies page to view logs. To navigate from a policies page to the logs:

    1. Select a Firewall Policy and select a rule.
    2. Right-click the rule and select Show Events Generated by Rule.

      The event logs that contain the rule name associated with the policy are displayed on the Event Viewer page.

    Creating an Exempt Rule

    To create an exempt rule:

    1. Filter the IPS category logs, right-click, and select Create an exempt rule.

      An IPS rule is added at the beginning of the Rule Type Exempt list on the IPS policy page.

    Published: 2014-04-30