
Cisco Defense Orchestrator

Show and Hide Columns on the Event Logging Page

The Event Logging page displays ASA and FTD syslog events and ASA NetFlow Secure Event Logging (NSEL) events sent to the Cisco cloud from configured ASA and FTD devices. 

You can show or hide columns on the Event Logging page by using the Show/Hide widget with the table:

  1. From the CDO navigation bar, select Monitoring > Event Logging.
  2. Scroll to the far right of the table and click the Show/Hide Columns button.
  3. Check the columns you want to see and uncheck the columns you want to hide. 

The column selection is shared across the tenant, not stored per user: other users who log in to the tenant see the same columns you chose to show until someone shows or hides columns again.

The following list describes each column header and what the column contains:

Date/Time

The time the device generated the event. Time is displayed in the local time of your computer. 

Device Type

ASA (Adaptive Security Appliance) or FTD (Firepower Threat Defense)

Event Type

This composite column can have any of the following:

  • FTD Event Types

    • Connection: Displays connection events from access control rules.

    • File: Displays events reported by file policies in access control rules.

    • Intrusion: Displays events reported by intrusion policies in access control rules.

    • Malware: Displays events reported by malware policies in access control rules.

  • ASA Event Types: These event types represent groups of syslog or NetFlow events. See ASA Event Types for more information about which syslog IDs and NetFlow IDs belong to each group.

    • Parsed Events: Parsed syslog events contain more event attributes than other syslog events, and CDO can return search results based on those attributes more quickly. Parsed events are not a filtering category; however, parsed event IDs are displayed in italics in the Event Types column. Event IDs that are not displayed in italics are not parsed.

    • ASA NetFlow Event IDs: All NetFlow (NSEL) events from ASA appear here.

Sensor ID

The Sensor ID is the IP address from which events are sent to the Secure Event Connector. This is typically the Management interface on the Firepower Threat Defense or the ASA. 

Initiator IP

This is the IP address of the source of the network traffic. The value of the Initiator address field corresponds to the value of the InitiatorIP field in the event details. You can enter a single address, such as 10.10.10.100, or a network defined in CIDR notation such as 10.10.10.0/24.

Responder IP

This is the destination IP address of the packet. The value of the Destination address field corresponds to the value in the ResponderIP field in the event details. You can enter a single address, such as 10.10.10.100, or a network defined in CIDR notation such as 10.10.10.0/24.

Port

The port or ICMP code used by the session responder. The value of the destination port corresponds to the value of the ResponderPort in the event details.

Protocol

The network protocol recorded in the event.

Action

Specifies the security action defined by the rule. The value you enter must exactly match the attribute value you want to find, although matching is case-insensitive. The attribute that is searched depends on the event type, so enter different values for connection, file, intrusion, malware, syslog, and NetFlow event types:
  • For connection event types, the filter searches for matches in the AC_RuleAction attribute. Those values could be Allow, Block, Trust.
  • For file event types, the filter searches for matches in the FileAction attribute. Those values could be Allow, Block, Trust.
  • For intrusion event types, the filter searches for matches in the InLineResult attribute. Those values could be Allowed, Blocked, Trusted.
  • For malware event types, the filter searches for matches in the FileAction attribute. Those values could be Cloud Lookup Timeout.
  • For syslog and NetFlow event types, the filter searches for matches in the Action attribute.
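The Initiator IP, Responder IP, Port and Action descriptions above define filter semantics: a single address or a CIDR network for the two IP columns, and an exact but case-insensitive match against a per-event-type attribute for Action. The following Python is an added illustration of those rules and is not CDO code; the sample events are constructed, and only the attribute names (InitiatorIP, ResponderIP, ResponderPort, AC_RuleAction, FileAction, InLineResult, Action) and the event-type-to-attribute mapping come from the page. It shows why a filter value of "block" finds Block in connection and file events but not Blocked in intrusion events.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

Event = Dict[str, object]

# Constructed sample events (not real CDO data). Field names follow the event
# details attributes named on the page: InitiatorIP, ResponderIP, ResponderPort,
# AC_RuleAction, FileAction, InLineResult and Action.
SAMPLE_EVENTS: List[Event] = [
    {"EventType": "Connection", "InitiatorIP": "10.10.10.100", "ResponderIP": "192.0.2.10",
     "ResponderPort": 443, "AC_RuleAction": "Allow"},
    {"EventType": "Connection", "InitiatorIP": "10.10.10.57", "ResponderIP": "192.0.2.10",
     "ResponderPort": 22, "AC_RuleAction": "Block"},
    {"EventType": "File", "InitiatorIP": "10.10.20.5", "ResponderIP": "198.51.100.7",
     "ResponderPort": 80, "FileAction": "Block"},
    {"EventType": "Intrusion", "InitiatorIP": "10.10.10.200", "ResponderIP": "192.0.2.20",
     "ResponderPort": 8080, "InLineResult": "Blocked"},
    {"EventType": "Malware", "InitiatorIP": "10.10.10.9", "ResponderIP": "203.0.113.4",
     "ResponderPort": 443, "FileAction": "Cloud Lookup Timeout"},
    {"EventType": "Syslog", "InitiatorIP": "172.16.0.8", "ResponderIP": "10.10.10.100",
     "ResponderPort": 53, "Action": "Deny"},
]

# Which attribute the Action filter inspects, by event type (as described on the page).
ACTION_ATTRIBUTE = {
    "Connection": "AC_RuleAction",
    "File": "FileAction",
    "Intrusion": "InLineResult",
    "Malware": "FileAction",
    "Syslog": "Action",
    "NetFlow": "Action",
}


def ip_matches(value: str, criterion: str) -> bool:
    """True if `value` equals the single address `criterion`, or falls inside the
    CIDR network `criterion` (e.g. 10.10.10.0/24). A bare address is treated as a
    /32 (or /128) network, so both accepted input forms share one code path.
    Raises ValueError for a malformed criterion rather than silently matching nothing."""
    network = ipaddress.ip_network(criterion, strict=False)
    return ipaddress.ip_address(value) in network


def action_matches(event: Event, criterion: str) -> bool:
    """Exact, case-insensitive comparison against the attribute that the Action
    filter consults for this event's type. 'block' matches 'Block' but not
    'Blocked', so intrusion events must be searched with 'blocked'."""
    attribute = ACTION_ATTRIBUTE.get(str(event.get("EventType")))
    if attribute is None or attribute not in event:
        return False
    return str(event[attribute]).casefold() == criterion.casefold()


def filter_events(events: Iterable[Event], *, initiator: Optional[str] = None,
                  responder: Optional[str] = None, port: Optional[int] = None,
                  action: Optional[str] = None) -> List[Event]:
    """Apply the given column filters conjunctively; an omitted filter matches everything."""
    matched: List[Event] = []
    for event in events:
        if initiator is not None and not ip_matches(str(event["InitiatorIP"]), initiator):
            continue
        if responder is not None and not ip_matches(str(event["ResponderIP"]), responder):
            continue
        if port is not None and event.get("ResponderPort") != port:
            continue
        if action is not None and not action_matches(event, action):
            continue
        matched.append(event)
    return matched


if __name__ == "__main__":
    # Everything blocked that originated in the 10.10.10.0/24 network.
    for hit in filter_events(SAMPLE_EVENTS, initiator="10.10.10.0/24", action="block"):
        print(hit["EventType"], hit["InitiatorIP"], "->", hit["ResponderIP"], hit["ResponderPort"])
```

When triaging blocked traffic across event types, run the Action filter once per vocabulary (Block for connection and file events, Blocked for intrusion events) rather than expecting a single value to cover both; the exact-match rule is what prevents a loose search from pulling in unrelated events.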

Policy

The name of the policy that triggered the event. Names will be different for ASA and FTD devices.
