
    Events and Logs Overview

    Use the Events and Logs page to get an overall, high-level view of your network environment. Once log data has been correlated and analyzed, you can view abnormal events, attacks, viruses, or worms.

    This page provides administrators with an advanced filtering mechanism and visibility into the actual events collected by the Log Collector. Using the time-frame slider, you can focus instantly on periods of unusual activity by dragging the slider to the interval of interest. The slider and the Custom button under Time Range remain at the top of each tab. Select the time range first, then decide how to view the data using the Summary View or Detail View tab.

    To access the Event Viewer page, select Monitor > Events & Logs > All Events.

    Events & Logs—Summary View

    Click Summary View for a brief summary of all the events in your network. At the center of the page is critical information, including the total number of events, viruses found, interfaces that are down, attacks, CPU spikes, and system reboots. This data is refreshed automatically based on the selected time range. At the bottom of the page is a swim-lane view of the different events occurring at a given time. The event lanes are firewall, Web filtering, VPN, content filtering, antispam, antivirus, and IPS. Each lane is color-coded, with darker shades representing a higher level of activity. Each lane provides detailed information such as the type and number of events occurring at that time.

    See Table 1 for descriptions of the widgets in this view.

    Table 1: Events and Logs Summary View Widgets

    Widget

    Description

    Total Events

    Total number of events, including firewall, Web filtering, IPS, IPsec VPN, content filtering, antispam, and antivirus events.

    Virus Instances

    Total number of virus instances detected.

    Attacks

    Total number of attacks on the firewall.

    Interface Down

    Total number of interfaces that are down.

    CPU Spikes

    Total number of times a CPU utilization spike has occurred.

    Reboots

    Total number of system reboots.

    Sessions

    Total number of sessions established through firewall.

    Events & Logs—Detail View

    Click Detail View for comprehensive details of events in a tabular format with sortable columns. You can also group the events using the Group by option; for example, you can group the events by severity. The table includes information such as the rule that caused the event, the severity of the event, the event ID, traffic information, and how and when the event was detected.

    Advanced Search

    You can perform an advanced search of all events using the text field above the table. The filter string may include logical operators. As you type in the text field, a list of matching field names is displayed in the filter context menu. Select a field from the list, then select a valid operator for the comparison you want to perform. Press Enter to display the search results in the table below.

    To clear the search string in the text field, click the X icon.

    The following are examples of event log filters:

    • Specific events originating from or landing within the United States

      Source Country = United States OR Destination Country = United States AND Event Name = IDP_ATTACK_LOG_EVENT, IDP_ATTACK_LOG_EVENT_LS, IDP_APPDDOS_APP_ATTACK_EVENT_LS, IDP_APPDDOS_APP_STATE_EVENT, IDP_APPDDOS_APP_STATE_EVENT_LS, AV_VIRUS_DETECTED_MT, AV_VIRUS_DETECTED, ANTISPAM_SPAM_DETECTED_MT, ANTISPAM_SPAM_DETECTED_MT_LS, FWAUTH_FTP_USER_AUTH_FAIL, FWAUTH_FTP_USER_AUTH_FAIL_LS, FWAUTH_HTTP_USER_AUTH_FAIL, FWAUTH_HTTP_USER_AUTH_FAIL_LS, FWAUTH_TELNET_USER_AUTH_FAIL, FWAUTH_TELNET_USER_AUTH_FAIL_LS, FWAUTH_WEBAUTH_FAIL, FWAUTH_WEBAUTH_FAIL_LS

    • All RT_FLOW session events originating from IP addresses in specific countries and landing on IP addresses in specific countries

      Event Name = RT_FLOW_SESSION_CREATE,RT_FLOW_SESSION_CLOSE AND Source IP = 177.1.1.1,220.194.0.150,14.1.1.2,196.194.56.4 AND Destination IP = 255.255.255.255,10.207.99.75,10.207.99.72,223.165.27.13 AND Source Country = Brazil,United States,China,Russia,Algeria AND Destination Country = Germany,India,United States

    • Traffic between zone pairs for policy IDP2

      Source Zone = trust AND Destination Zone = untrust,internal AND Policy Name = IDP2

    • UTM logs from a specific source country to specific destination countries, matching specific source IPs or specific destination IPs

      Event Category = antispam,antivirus,contentfilter,webfilter AND Source Country = Australia AND Destination Country = Turkey,United States,Australia AND Source IP = 1.0.0.0,1.1.1.3 OR Destination IP = 74.125.224.47,5.56.17.61

    • Events with specific source IPs, or events for the tftp, ftp, http, and unknown applications, coming from host DC-SRX1400-1 or VSRX-75

      Application = tftp,ftp,http,unknown OR Source IP = 192.168.34.10,192.168.1.26 AND Hostname = dc-srx1400-1,vsrx-75
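    The first, fourth, and fifth examples above mix OR and AND in one string without any grouping, and the page does not say how the Event Viewer evaluates such a mix. The following added example (not part of this documentation or of the product) implements the filter syntax shown on this page, Field = value1,value2 terms joined by AND and OR, with the conventional precedence in which AND binds tighter than OR, and runs it over a few constructed event records whose keys are the column names from Table 2. The precedence is an assumption; the point of the example is that, under it, "Source Country = United States OR Destination Country = United States AND Event Name = ..." admits every event sourced from the United States regardless of event name, so confirm the evaluation order in the UI before relying on a mixed filter, or rewrite it so that each OR branch carries the full set of AND terms.

```python
"""Evaluate Event Viewer-style filter strings against event records.

Added example, not product code. Assumptions: terms have the form
'Field = v1,v2,...' (true if the field equals any listed value), terms are
joined by AND / OR, and AND binds tighter than OR. The page does not state
the product's precedence, so verify it in the UI.
"""
import re
from typing import Dict, List

Event = Dict[str, str]

# Constructed sample events (not real logs); keys are Table 2 column names.
SAMPLE_EVENTS: List[Event] = [
    {"Event Name": "IDP_ATTACK_LOG_EVENT", "Source Country": "United States",
     "Destination Country": "Germany", "Source IP": "203.0.113.7",
     "Destination IP": "198.51.100.9", "Source Zone": "untrust",
     "Destination Zone": "trust", "Policy Name": "IDP2", "Application": "http"},
    {"Event Name": "RT_FLOW_SESSION_CREATE", "Source Country": "United States",
     "Destination Country": "India", "Source IP": "203.0.113.8",
     "Destination IP": "192.0.2.20", "Source Zone": "trust",
     "Destination Zone": "untrust", "Policy Name": "IDP2", "Application": "ftp"},
    {"Event Name": "RT_FLOW_SESSION_CLOSE", "Source Country": "Brazil",
     "Destination Country": "United States", "Source IP": "198.51.100.30",
     "Destination IP": "192.0.2.21", "Source Zone": "trust",
     "Destination Zone": "internal", "Policy Name": "Allow-All", "Application": "tftp"},
    {"Event Name": "AV_VIRUS_DETECTED", "Source Country": "China",
     "Destination Country": "United States", "Source IP": "198.51.100.44",
     "Destination IP": "192.0.2.22", "Source Zone": "untrust",
     "Destination Zone": "trust", "Policy Name": "UTM-1", "Application": "http"},
]

# 'Field = v1, v2' -> field name (may contain spaces) and comma-separated values.
_TERM = re.compile(r"^\s*(.+?)\s*=\s*(.+?)\s*$")


def _match_term(term: str, event: Event) -> bool:
    """A term is true when the event's field equals any of the listed values."""
    m = _TERM.match(term)
    if not m:
        raise ValueError(f"bad filter term: {term!r}")
    field = m.group(1)
    values = [v.strip() for v in m.group(2).split(",")]
    return event.get(field) in values


def match(filter_string: str, event: Event) -> bool:
    """AND binds tighter than OR: split on OR first, then require every AND term."""
    for clause in re.split(r"\s+OR\s+", filter_string):
        if all(_match_term(t, event) for t in re.split(r"\s+AND\s+", clause)):
            return True
    return False


def search(filter_string: str, events: List[Event]) -> List[str]:
    """Return the Event Name of every event the filter admits, in input order."""
    return [e["Event Name"] for e in events if match(filter_string, e)]


if __name__ == "__main__":
    mixed = ("Source Country = United States OR Destination Country = United States "
             "AND Event Name = IDP_ATTACK_LOG_EVENT")
    # Each OR branch repeats the Event Name term, so intent no longer depends
    # on precedence.
    explicit = ("Source Country = United States AND Event Name = IDP_ATTACK_LOG_EVENT "
                "OR Destination Country = United States AND Event Name = IDP_ATTACK_LOG_EVENT")
    print("mixed   :", search(mixed, SAMPLE_EVENTS))
    print("explicit:", search(explicit, SAMPLE_EVENTS))
```

Run as-is, the mixed filter also returns the RT_FLOW_SESSION_CREATE event because it is sourced from the United States, while the rewritten filter returns only the IDP attack event. Filters that use a single operator type, such as the zone-pair example above, do not have this problem.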

    See Table 2 for field descriptions.

    Table 2: Events and Logs Detail Columns

    Field

    Description

    Event Name

    The event name of the log.

    Event Category

    The event category of the log.

    Source IP

    The source IP address from which the event originated.

    Source Country

    The source country name.

    Source Port

    The source port of the event.

    Destination IP

    The destination IP address of the event.

    Log Source

    The IP address of the log source.

    Application

    The application name from which the events or logs are generated.

    User Name

    The user name associated with the log.

    Host Name

    The host name in the log.

    Protocol ID

    The protocol ID in the log.

    Policy Name

    The policy name in the log.

    Source Zone

    The source zone of the log.

    Destination Zone

    The destination zone of the log.

    Nested Application

    The nested application in the log.

    Roles

    The role name associated with the log.

    Reason

    The reason for the log generation. For example, a connection tear down may have an associated reason such as authentication failed.

    NAT Source Port

    The translated source port.

    NAT Destination Port

    The translated destination port.

    NAT Source Rule Name

    The NAT source rule name.

    NAT Destination Rule Name

    The NAT destination rule name.

    NAT Source IP

    The translated (NATed) source IP address. It can be an IPv4 or IPv6 address.

    NAT Destination IP

    The translated (NATed) destination IP address.

    Time

    The time when the log was received.

    Role-Based Access Control for Event Viewer

    Role-Based Access Control (RBAC) has the following impact on the Event Viewer:

    • You must have the Security Analyst or Security Architect role, or permissions equivalent to one of those roles, to access the Event Viewer.
    • You cannot view event logs created in other domains. However, a super user, or any user with an appropriate role who can access the global domain, can view logs in a subdomain if that subdomain was created with visibility to the parent domain.
    • You can view logs only from the devices that you can access and that belong to your domain.
    • You can only view, not edit, a policy if you do not have edit permissions.
    • The user role under Administration > Users & Roles must have the Event Viewer > View Device Logs option enabled to view or read logs.

    Modified: 2016-12-16