Creating Filters

Filters are used to search logs and view information about filter condition, time, or fields in the logs. You can configure basic and advanced filters to match the filtering conditions. You can either load existing filters or define a new filter. A filter allows you to enter specific information that must be displayed on the Event Viewer page; for example, the columns in the Event Viewer table, the time range, and the aggregation point. When you change an existing filter or create a new filter, the Event Viewer table is updated automatically. If filters contain time details, the time range in Event Viewer is updated with the time specified in the filter.

Filters provide:

• Quick access to critical information—If you are a firewall administrator, you might have to regularly deny traffic from a specific application or a specific set of addresses. You might also have to allow or deny specific application access to some users. To achieve these conditions, you must set user search criteria, scan through the firewall logs that match that criteria, and display the matching logs.
• Filter sharing among users—Other users in your domain can use the filters you create without modifying or deleting the filters.
• Filter usage across multiple functional areas—Filters can be used across multiple functional areas such as the Event Viewer, dashboard, alerts, and reports.

Procedure

1. Select Monitor > Events & Logs.
2. Click Detail View.
3. Click the filter text field.

   The filter keys available are displayed alphabetically in a drop-down list.

4. Type the exact key in the filter text field, or select the key from the drop-down key list.

   The key appears in the filter bar. While typing in the values, you are prompted with suggestions in the drop-down list whenever possible.

   For example: EventName =

5. Continue to add filter expressions <key>space <operator> space <value>.

   The key appears, along with the value combination in the filter bar.

   For example: EventName = LOGIN_FAILED

6. Repeat the Step 4 and Step 5 to add additional filter expressions.

   The available filter keys are displayed alphabetically in the drop-down list.

   For example: EventName = LOGIN_FAILED AND SrcIP =

7. Type in the required IP address.

   For example: EventName = LOGIN_FAILED AND SrcIP = 192.168.45.350

   The term operator AND/OR is displayed in the filter bar to add a different key.

8. Click Save > Save Filter.
9. Click OK.

   The event logs for EventName = LOGIN_FAILED AND SrcIP = 192.168.45.350 are displayed.

Related Documentation

• Using Filters
• Events and Logs Overview
• Firewall Events and Logs Overview