Log inspection events

This article covers how to access and work with log inspection events. For general best practices related to events, see Events in Deep Security.

To see the log inspection events captured by Deep Security, go to Events & Reports > Events > Log Inspection Events.

What information is displayed for log inspection events?

These columns can be displayed on the log inspection events page. You can click Columns to select which columns are displayed in the table.

  • Time: Time the event took place on the computer.
  • Computer: The computer on which this event was logged. (If the computer has been removed, this entry will read "Unknown Computer".)
  • Reason: The log inspection rule associated with this event.
  • Tag(s): Any tags attached with the event.
  • Description: Description of the rule.
  • Rank: The ranking system provides a way to quantify the importance of events. By assigning "asset values" to computers, and assigning "severity values" to log inspection rules, the importance ("rank") of an event is calculated by multiplying the two values together. This allows you to sort events by rank.
  • Severity: The log inspection rule's severity value.
  • Groups: Group that the rule belongs to.
  • Program Name: Program name. This is obtained from the syslog header of the event.
  • Event: The name of the event.
  • Location: Where the log came from.
  • Source IP: The packet's source IP.
  • Source Port: The packet's source port.
  • Destination IP: The packet's destination IP address.
  • Destination Port: The packet's destination port.
  • Protocol: Possible values are "ICMP", "ICMPV6", "IGMP", "GGP", "TCP", "PUP", "UDP", "IDP", "ND", "RAW", "TCP+UDP", and "Other: nnn", where nnn represents a three-digit decimal value.
  • Action: The action taken within the event.
  • Source User: Originating user within the event.
  • Destination User: Destination user within the event.
  • Event HostName: Hostname of the event source.
  • ID: Any ID decoded as the ID from the event.
  • Status: The decoded status within the event.
  • Command: The command being called within the event.
  • URL: The URL within the event.
  • Data: Any additional data extracted from the event.
  • System Name: The system name within the event.
  • Rule Matched: Rule number that was matched.
  • Event Origin: The Deep Security component from which the event originated.

See details about an event

Double-clicking an event (or right-clicking an event and clicking View) displays a window that contains additional information about the event. The Tags tab displays tags that have been attached to this event. For more information on event tagging, see Apply tags to identify and group events.

You can also right-click an event and select Computer Details to open the Computer editor for the computer that generated the event.

To view the properties of the rule associated with an event, right-click the event and select Log Inspection Rule Properties.

Find a particular event

You can use the lists at the top of each events page to filter and group the events. Select the values that you want to filter for and then click the large search button on the right side to apply the filter. You can also use the search bar in the upper-right corner to search for a specific event.

To perform an advanced search, click the arrow in the Search bar and select Open Advanced Search.

The Period setting lets you filter the list to display only those events that occurred within a specific time-frame.

The Computers setting lets you organize the display of event log entries by computer, computer groups or policies.

Advanced Search functions (searches are not case sensitive):

  • Contains: The entry in the selected column contains the search string
  • Does Not Contain: The entry in the selected column does not contain the search string
  • Equals: The entry in the selected column exactly matches the search string
  • Does Not Equal: The entry in the selected column does not exactly match the search string
  • In: The entry in the selected column exactly matches one of the comma-separated search string entries
  • Not In: The entry in the selected column does not exactly match any of the comma-separated search string entries
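The matching semantics of the six search functions, as an added example that is not part of the original article or of Deep Security itself. It runs the operators over a handful of constructed event records whose keys follow the column names listed above. The page does not say how stacked search bars combine, so the assumption here is that every parameter must match (logical AND).

```python
from typing import Dict, List, Tuple

# Constructed sample events (not real Deep Security output); keys mirror
# the column names on the log inspection events page.
EVENTS: List[Dict[str, str]] = [
    {"Computer": "web-01", "Reason": "Remote access login success",
     "Source User": "alice", "Program Name": "sshd"},
    {"Computer": "db-02", "Reason": "Computer account changed/deleted",
     "Source User": "SYSTEM", "Program Name": "Security"},
    {"Computer": "web-03", "Reason": "Multiple failed logins",
     "Source User": "root", "Program Name": "sshd"},
]

def _csv_set(search: str) -> set:
    """Split a comma-separated search string into a set of trimmed, lower-cased entries."""
    return {item.strip() for item in search.split(",") if item.strip()}

def matches(value: str, operator: str, search: str) -> bool:
    """Apply one advanced-search operator; all comparisons are case-insensitive."""
    v = value.lower()
    s = search.lower()
    if operator == "Contains":
        return s in v
    if operator == "Does Not Contain":
        return s not in v
    if operator == "Equals":
        return v == s
    if operator == "Does Not Equal":
        return v != s
    if operator == "In":
        return v in _csv_set(s)
    if operator == "Not In":
        return v not in _csv_set(s)
    raise ValueError("unknown search function: %s" % operator)

def search_events(events: List[Dict[str, str]],
                  criteria: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Return the events satisfying every (column, operator, search string) criterion.
    Combining stacked criteria with AND is an assumption, not documented on the page."""
    return [
        event for event in events
        if all(matches(event.get(column, ""), operator, search)
               for column, operator, search in criteria)
    ]

if __name__ == "__main__":
    hits = search_events(EVENTS, [("Reason", "Contains", "login"),
                                  ("Source User", "Not In", "root, SYSTEM")])
    for event in hits:
        print(event["Computer"], "-", event["Reason"])
```

Because the comparison lower-cases both sides, a search for "SSHD" in Program Name matches events whose header says "sshd", which is the behaviour the note above about case sensitivity describes.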

Pressing the "plus" button (+) to the right of the search bar will display an additional search bar so you can apply multiple parameters to your search. When your search parameters are ready, click the large blue arrow on the right side.

Export a list of events

Clicking Export exports all or selected events to a CSV file.

Tag events

Clicking Auto-Tagging displays a list of existing auto-tagging rules that have been applied to the events. You can also right-click an event to manually add or remove tags. (See Apply tags to identify and group events.)

Log inspection events are auto-tagged based upon their grouping in the log file structure. This simplifies and automates the processing of log inspection events within Deep Security Manager. You can use auto-tagging to automatically apply tags for the log inspection groups. Log inspection rules have groups associated with them in the rules. For example:

<rule id="18126" level="3">
<if_sid>18101</if_sid>
<id>^20158</id>
<description>Remote access login success</description>
<group>authentication_success,</group>
</rule>

<rule id="18127" level="8">
<if_sid>18104</if_sid>
<id>^646|^647</id>
<description>Computer account changed/deleted</description>
<group>account_changed,</group>
</rule>

Each group name has a "friendly" name string associated with it. In the above example, "authentication_success" would be "Authentication Success" and "account_changed" would be "Account Changed". When this checkbox is set, the friendly names are automatically added as tags for that event. If multiple rules trigger, multiple tags will be attached to the event.
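How the group-to-tag mapping described above can be derived from the rule XML, as an added example; this is not code from the article or from Deep Security Manager. It parses the two rules shown on the page (wrapped in a root element so the fragment is well-formed XML), drops the empty entry left by the trailing comma in each <group> element, and builds the tag list for an event that matched one or more rules. The friendly-name rule (underscores to spaces, each word capitalised) is an assumption that reproduces the two examples on the page.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List

# Constructed sample: the two rules from the article, wrapped in a <rules> root.
RULES_XML = """<rules>
<rule id="18126" level="3">
<if_sid>18101</if_sid>
<id>^20158</id>
<description>Remote access login success</description>
<group>authentication_success,</group>
</rule>
<rule id="18127" level="8">
<if_sid>18104</if_sid>
<id>^646|^647</id>
<description>Computer account changed/deleted</description>
<group>account_changed,</group>
</rule>
</rules>"""

def friendly_name(group: str) -> str:
    """Assumed mapping: 'authentication_success' -> 'Authentication Success'."""
    return " ".join(word.capitalize() for word in group.split("_") if word)

def parse_rule_groups(xml_text: str) -> Dict[int, List[str]]:
    """Map each rule id to its group names.
    The trailing comma in <group>name,</group> yields an empty entry, which is discarded."""
    root = ET.fromstring(xml_text)
    groups: Dict[int, List[str]] = {}
    for rule in root.iter("rule"):
        text = rule.findtext("group") or ""
        names = [g.strip() for g in text.split(",") if g.strip()]
        groups[int(rule.get("id"))] = names
    return groups

def auto_tags(matched_rule_ids: Iterable[int],
              rule_groups: Dict[int, List[str]]) -> List[str]:
    """Tags attached to one event: the friendly name of every group of every rule
    that fired, kept in order and de-duplicated when rules share a group."""
    tags: List[str] = []
    for rule_id in matched_rule_ids:
        for group in rule_groups.get(rule_id, []):
            name = friendly_name(group)
            if name not in tags:
                tags.append(name)
    return tags

if __name__ == "__main__":
    rule_groups = parse_rule_groups(RULES_XML)
    # An event on which both sample rules triggered receives both tags.
    print(auto_tags([18126, 18127], rule_groups))
```

A rule whose <group> lists several comma-separated names produces one tag per name, and two rules that share a group contribute that tag only once, which keeps the Tag(s) column readable when a single log line matches overlapping rules.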