Log Inspection Events
Deep Security Manager collects Log Inspection Events from the Deep Security Agents at every heartbeat. The data from the logs is used to populate the various reports, graphs, and charts in the Deep Security Manager.
Once collected by the Deep Security Manager, Event logs are kept for a period of time which can be set in Administration > System Settings > Storage. The default setting is one week.
From the main page you can:
- View the properties of an individual event
- Search for a particular event
- Filter the list: Use the Period and Computer toolbars to filter the list of events
- View existing Auto-Tagging Rules.
- Add or remove Columns from the Events list view.
- Export the event list data to a CSV file
Additionally, right-clicking an Event gives you the option to:
- Add Tag(s): Add an Event Tag to this event (See Event Tagging.)
- Remove Tag(s): Remove existing event Tags
- Computer Details: View the Details window of the computer that generated the log entry
- Log Inspection Rule Properties: View the properties of the Log Inspection Rule associated with this event
Columns for the Log Inspection Events display:
- Time: Time the event took place on the computer.
- Computer: The computer on which this event was logged. (If the computer has been removed, this entry will read "Unknown Computer".)
- Reason: The Log Inspection Rule associated with this event.
- Tag(s): Any tags attached to the Event.
- Description: Description of the rule.
- Rank: The Ranking system provides a way to quantify the importance of events. By assigning "asset values" to computers, and assigning "severity values" to Log Inspection rules, the importance ("Rank") of an event is calculated by multiplying the two values together. This allows you to sort Events by Rank.
- Severity: The Log Inspection rule's severity value.
- Groups: Group that the rule belongs to.
- Program Name: Program name. This is obtained from the syslog header of the event.
- Event: The name of the event.
- Location: Where the log came from.
- Source IP: The packet's source IP.
- Source Port: The packet's source port.
- Destination IP: The packet's destination IP address.
- Destination Port: The packet's destination port.
- Protocol: Possible values are "ICMP", "ICMPV6", "IGMP", "GGP", "TCP", "PUP", "UDP", "IDP", "ND", "RAW", "TCP+UDP", and "Other: nnn" where nnn represents a three-digit decimal value.
- Action: The action taken within the event
- Source User: Originating user within the event.
- Destination User: Destination user within the event.
- Event HostName: Hostname of the event source.
- ID: Any ID decoded as the ID from the event.
- Status: The decoded status within the event.
- Command: The command being called within the event.
- URL: The URL within the event.
- Data: Any additional data extracted from the event.
- System Name: The system name within the event.
- Rule Matched: Rule number that was matched.
- Event Origin: The Deep Security component from which the event originated.
View Event Properties
Double-clicking an event displays the Properties window for that entry, which shows all the information about the event on one page. The Tags tab displays tags that have been attached to this Event. For more information on Event tagging, see Policies > Common Objects > Other > Tags, and Event Tagging in the Reference section.
Filter the List and/or Search for an Event
The Period toolbar lets you filter the list to display only those events that occurred within a specific timeframe.
The Computers toolbar lets you organize the display of event log entries by computer groups or computer Policies.
Use the "Search" or "Advanced Search" options to search, sort, or filter displayed events.
Advanced Search functions (searches are not case sensitive):
- Contains: The entry in the selected column contains the search string
- Does Not Contain: The entry in the selected column does not contain the search string
- Equals: The entry in the selected column exactly matches the search string
- Does Not Equal: The entry in the selected column does not exactly match the search string
- In: The entry in the selected column exactly matches one of the comma-separated search string entries
- Not In: The entry in the selected column does not exactly match any of the comma-separated search string entries
Export
Clicking the Export... button exports all event log entries to a CSV file.
Auto-Tagging
Clicking Auto-Tagging... displays a list of existing Log Inspection Auto-Tagging Rules.
You can use Auto-tagging to automatically apply tags based on the Log Inspection groups. Log Inspection (LI) rules carry their group names in the rule definition itself. For example:
    <rule id="18126" level="3">
      <if_sid>18101</if_sid>
      <id>^20158</id>
      <description>Remote access login success</description>
      <group>authentication_success,</group>
    </rule>
    <rule id="18127" level="8">
      <if_sid>18104</if_sid>
      <id>^646|^647</id>
      <description>Computer account changed/deleted</description>
      <group>account_changed,</group>
    </rule>
Each group name has a "friendly" name string associated with it. In the above example, "authentication_success" would be "Authentication Success", "account_changed" would be "Account Changed". When this checkbox is set, the friendly names are automatically added as a tag for that event. If multiple rules trigger, multiple tags will be attached to the event.
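The example below is added here to show how the auto-tags and the Rank value described on this page are derived from rule data; it is not Deep Security code. It parses the two rules shown above (wrapped in a constructed root element), maps each group name to its "friendly" name (the underscore-to-title-case mapping is an assumption inferred from the page's two examples), attaches one tag per group of every rule that fired, and computes Rank as asset value multiplied by severity.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two rules from the page, wrapped in a root element
# so the fragment parses as one XML document.
RULES_XML = """<group name="constructed_example">
  <rule id="18126" level="3">
    <if_sid>18101</if_sid>
    <id>^20158</id>
    <description>Remote access login success</description>
    <group>authentication_success,</group>
  </rule>
  <rule id="18127" level="8">
    <if_sid>18104</if_sid>
    <id>^646|^647</id>
    <description>Computer account changed/deleted</description>
    <group>account_changed,</group>
  </rule>
</group>"""


def friendly_name(group):
    """Assumed mapping: 'authentication_success' -> 'Authentication Success'."""
    return " ".join(word.capitalize() for word in group.split("_") if word)


def load_rule_groups(xml_text):
    """Map each rule id to the list of group names in its <group> element.
    The trailing comma seen in the rule files yields an empty entry, which is dropped."""
    root = ET.fromstring(xml_text)
    rule_groups = {}
    for rule in root.iter("rule"):
        raw = rule.findtext("group", default="")
        rule_groups[rule.get("id")] = [g.strip() for g in raw.split(",") if g.strip()]
    return rule_groups


def auto_tags(matched_rule_ids, rule_groups):
    """Tags attached to one event: a friendly name per group of every rule that
    fired. Multiple rules produce multiple tags; duplicates are attached once."""
    tags = []
    for rule_id in matched_rule_ids:
        for group in rule_groups.get(rule_id, []):
            name = friendly_name(group)
            if name not in tags:
                tags.append(name)
    return tags


def event_rank(asset_value, severity):
    """Rank = computer's asset value * rule's severity value, as the page describes."""
    return asset_value * severity
```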