Cisco Defense Orchestrator

Searching for and Filtering Events in the Event Logging Page

Searching and filtering the Historical and Live event tables for specific events works the same way as searching and filtering for other information in CDO. As you add filter criteria, CDO limits what it displays on the Events page. You can also enter search criteria in the search field to find events with specific values. If you combine filtering and searching, the search looks for the value you entered among the results that remain after the events have been filtered.

Filtering works the same way for Live events as it does for Historical events, with the exception that live events cannot be filtered by time.

Filter Live or Historical Events

This procedure explains how to use event filtering to see a subset of events in the Event Logging page. If you find yourself repeatedly using certain filter criteria, you can create a customized filter and save it. See Customizable Event Filters for more information.

  1. In the navigation bar, click Monitoring > Event Logging.
  2. Click either the Historical or Live tab.
  3. Click the filter button. The filtering column can be pinned open by clicking the pin icon.
  4. Click a View tab that has no saved filter elements.

(Figure: filter view 1 view 2.jpg)

  5. Select the event details you want to filter by:
  • FTD Event Types
    • Connection-Displays connection events from access control rules.
    • File-Displays events reported by file policies in access control rules.
    • Intrusion-Displays events reported by intrusion policies in access control rules.
    • Malware-Displays events reported by malware policies in access control rules.

See Firepower Threat Defense Event Types for more information about these event types.

  • ASA Event Types-These event types represent groups of syslog or NetFlow events. See ASA Event Types for more information about which syslog ID or NetFlow ID is included in which group.
    • Parsed Events-Parsed syslog events contain more event attributes than other syslog events, and CDO is able to return search results based on those attributes more quickly. Parsed events are not a filtering category; however, parsed event IDs are displayed in the Event Types column in italics. Event IDs that are not displayed in italics are not parsed.
  • Time Range-Click the Start or End time fields to select the beginning and end of the time period you want to display. The time stamp is displayed in the local time of your computer.
  • Action-Specifies the security action defined by the rule. The value you enter must be an exact match to what you want to find; however, the case doesn't matter. Enter different values for connection, file, intrusion, malware, syslog, and NetFlow event types:
    • For connection event types, the filter searches for matches in the AC_RuleAction attribute. Those values could be Allow, Block, Trust.
    • For file event types, the filter searches for matches in the FileAction attribute. Those values could be Allow, Block, Trust.
    • For intrusion event types, the filter searches for matches in the InLineResult attribute. Those values could be Allowed, Blocked, Trusted.
    • For malware event types, the filter searches for matches in the FileAction attribute. Those values could be Cloud Lookup Timeout.
    • For syslog and NetFlow event types, the filter searches for matches in the Action attribute.
  • Sensor ID-The Sensor ID is the Management IP address from which events are sent to the Secure Event Connector. For a Firepower Threat Defense (FTD) device, the Sensor ID is typically the IP address of the device's management interface.
  • IP addresses
    • Initiator-This is the IP address of the source of the network traffic. The value of the Initiator address field corresponds to the value of the InitiatorIP field in the event details. You can enter a single address, such as 10.10.10.100, or a network defined in CIDR notation, such as 10.10.10.0/24.
    • Responder-This is the destination IP address of the packet. The value of the Destination address field corresponds to the value of the ResponderIP field in the event details. You can enter a single address, such as 10.10.10.100, or a network defined in CIDR notation, such as 10.10.10.0/24.
  • Ports
    • Initiator-The port or ICMP type used by the session initiator. The value of the source port corresponds to the value of the InitiatorPort in the event details. To enter a range, type the starting port and the ending port separated by a space. A range can be entered for the initiator port, the responder port, or both.
    • Responder-The port or ICMP code used by the session responder. The value of the destination port corresponds to the value of the ResponderPort in the event details.
  • NetFlow-NetFlow events are different from syslog events. The NetFlow filter searches for all NetFlow event IDs that resulted in an NSEL record. Those "NetFlow event IDs" are defined in the Cisco ASA NetFlow Implementation Guide.
  6. (Optional) Save your filter as a custom filter by clicking out of the View tab.
  7. (Optional) You can download events to a .CSV.GZ file for further analysis. See Downloading Events.

Filter Only NetFlow Events

This procedure finds only ASA NetFlow events:

  1. From the CDO menu bar, select Monitoring > Event Logging.
  2. Click the Filter icon and pin the filter open.
  3. Check the NetFlow ASA Event filter.
  4. Clear all other ASA Event filters.

Only ASA NetFlow events are displayed in the Event Logging table.

Filter for ASA or FTD Syslog Events but not ASA NetFlow Events

This procedure finds only syslog events:

  1. From the CDO menu bar, select Monitoring > Event Logging.
  2. Click the Filter icon and pin the filter open.
  3. Scroll to the bottom of the filter bar and make sure the Include NetFlow Events filter is unchecked.
  4. Scroll back up to the ASA Events filter tree, and make sure the NetFlow box is unchecked.
  5. Pick the rest of your ASA or FTD filter criteria.

Combine Filter Elements

Filtering events generally follows the standard filtering rules in CDO: the filtering categories are "AND-ed" and the values within a category are "OR-ed." You can also combine the filter with your own search criteria. In the case of event filters, however, the device event filters (the FTD and ASA event type selections) are also "OR-ed" with each other. For example, suppose these values were chosen in the filter:

(Figure: events_filter_2.jpg)

With this filter in use, CDO would display events that are FTD Connection events or ASA BotNet or Firewall Traffic events, and that occurred between the two times in the time range, and that also contain the ResponderPort 443. You can filter historical events by a time range; the live events page always displays the most recent events.
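The following is an added example, not part of the CDO documentation or product code, that reproduces the combination rules described above over a handful of constructed events: filter categories are AND-ed, the values inside a category (including the FTD and ASA event type selections, an initiator address given as a host or CIDR network, and a port given as a single value or a space-separated range) are OR-ed. The Event fields, the filter dictionary keys and the sample events are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class Event:
    # Hypothetical flattened view of an event row; field names are assumptions.
    event_id: int
    device: str          # "FTD" or "ASA"
    event_type: str      # e.g. "Connection", "BotNet", "Firewall Traffic"
    timestamp: datetime
    initiator_ip: str
    responder_port: int


# Constructed sample events (not real CDO output).
EVENTS = [
    Event(1, "FTD", "Connection", datetime(2023, 5, 1, 10, 5), "10.10.10.100", 443),
    Event(2, "FTD", "Intrusion", datetime(2023, 5, 1, 10, 7), "10.10.10.101", 443),
    Event(3, "ASA", "BotNet", datetime(2023, 5, 1, 10, 9), "10.10.10.102", 443),
    Event(4, "ASA", "Firewall Traffic", datetime(2023, 5, 1, 9, 30), "10.10.10.103", 443),
    Event(5, "ASA", "Firewall Traffic", datetime(2023, 5, 1, 10, 12), "192.168.1.5", 80),
    Event(6, "ASA", "Firewall Traffic", datetime(2023, 5, 1, 10, 15), "10.10.10.104", 443),
]


def parse_port_spec(spec):
    """Parse the page's port syntax: a single port ("443") or a range written as
    the starting and ending port separated by a space ("1024 65535")."""
    parts = spec.split()
    if len(parts) == 1:
        lo = hi = int(parts[0])
    elif len(parts) == 2:
        lo, hi = int(parts[0]), int(parts[1])
    else:
        raise ValueError(f"bad port specification: {spec!r}")
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of order or out of bounds: {spec!r}")
    return lo, hi


def matches_filter(ev, flt):
    """Categories are AND-ed: every category present in `flt` must match.
    Values within a category are OR-ed: any one of them is enough."""
    # Event types: FTD and ASA selections live in one OR-ed category.
    types = flt.get("event_types")
    if types and (ev.device, ev.event_type) not in types:
        return False
    # Time range applies to historical events only.
    start, end = flt.get("time_range", (None, None))
    if start is not None and ev.timestamp < start:
        return False
    if end is not None and ev.timestamp > end:
        return False
    # Initiator address: a host ("10.10.10.100") or a CIDR network ("10.10.10.0/24").
    nets = flt.get("initiator")
    if nets and not any(ip_address(ev.initiator_ip) in ip_network(n, strict=False)
                        for n in nets):
        return False
    # Responder port: single port or "start end" range.
    ports = flt.get("responder_port")
    if ports and not any(lo <= ev.responder_port <= hi
                         for lo, hi in map(parse_port_spec, ports)):
        return False
    return True


def apply_filter(events, flt):
    """Return the ids of the events that survive the filter."""
    return [ev.event_id for ev in events if matches_filter(ev, flt)]


# The filter described in the text: three OR-ed event types, a time range, port 443.
EXAMPLE_FILTER = {
    "event_types": {("FTD", "Connection"), ("ASA", "BotNet"), ("ASA", "Firewall Traffic")},
    "time_range": (datetime(2023, 5, 1, 10, 0), datetime(2023, 5, 1, 11, 0)),
    "responder_port": ["443"],
}

if __name__ == "__main__":
    print(apply_filter(EVENTS, EXAMPLE_FILTER))  # event 2 (wrong type), 4 (too early), 5 (port 80) drop out
```

Event 2 is excluded because Intrusion is not one of the selected types, event 4 because it falls before the start of the time range, and event 5 because its responder port is not 443; the same logic is a reasonable starting point for re-applying a CDO filter offline to events exported as .CSV.GZ.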

Search for Specific Attribute:Value Pairs

You can search for live or historical events by entering an event attribute and a value in the search field. The easiest way to do this is to click the attribute value in the Event Logging table that you want to search for, and CDO enters it in the Search field. The values you can click are shown in blue when you roll over them. Here is an example:

(Figure: search-by-click.jpg)

In this example, the search started by rolling over the InitiatorIP value of 192.168.20.56 and clicking it. InitiatorIP and its value were added to the search string. Next, the Event Type 302015 was rolled over and clicked; it was added to the search string, and CDO inserted an AND between the two. The result of this search will be a list of events that were initiated from 192.168.20.56 AND that are 302015 event types.

Notice the magnifying glass next to the value 302015 in the example above. If you roll over the magnifying glass, you can also choose an AND, OR, AND NOT, or OR NOT operator to go with the value you want to add to the search. In the example below, "OR" is chosen. The result of this search will be a list of events that were initiated from 192.168.20.56 OR that are a 302015 event type.

Note that if the search field is empty and you right-click a value in the table, only NOT is available, because there is no earlier value to combine the new one with.

(Figure: search-and-click-or.jpg)

As long as you roll over a value and it is highlighted blue, you can add that value to the search string.

AND, OR, NOT, AND NOT, OR NOT Filter Operators

Here are the behaviors of "AND", "OR", "NOT", "AND NOT", and "OR NOT" used in a search string:

AND

Use the AND operator in the filter string to find events that include all of the attributes. The AND operator cannot begin a search string.

For example, the search string below will search for events that contain the TCP protocol AND that originated from InitiatorIP address 10.10.10.43 AND that were sent from the Initiator port 59614. One would expect that with each additional AND statement, the number of events that meet the criteria would become smaller and smaller.

Protocol: "tcp" AND InitiatorIP: "10.10.10.43" AND InitiatorPort: "59614" 

OR

Use the OR operator in the filter string to find events that include any of the attributes. The OR operator cannot begin a search string.

For example, the search string below will display events in the event viewer that include the TCP protocol, OR that originated from InitiatorIP address 10.10.10.43, OR that were sent from the Initiator port 59614. One would expect that with each additional OR statement, the number of events that meet the criteria would become bigger and bigger.

Protocol: "tcp" OR InitiatorIP: "10.10.10.43" OR InitiatorPort: "59614" 

NOT

Use NOT only at the beginning of a search string to exclude events with certain attributes. For example, this search string would exclude any event with the InitiatorIP 192.168.25.3 from the results.

NOT InitiatorIP: "192.168.25.3"

AND NOT

Use the AND NOT operator in the filter string to exclude events that contain certain attributes. AND NOT cannot be used at the beginning of a search string.

For example, this filter string will display events with the InitiatorIP 192.168.25.3 but not those whose ResponderIP address is also 10.10.10.1.

InitiatorIP: "192.168.25.3" AND NOT ResponderIP: "10.10.10.1"

You can also combine NOT and AND NOT to exclude several attributes. For example, this filter string will exclude events with InitiatorIP 192.168.25.3 and events with ResponderIP 10.10.10.1.

NOT InitiatorIP: "192.168.25.3" AND NOT ResponderIP: "10.10.10.1"

OR NOT

Use the OR NOT operator to include search results that exclude certain elements. The OR NOT operator cannot be used at the beginning of a search string. 

For example, this search string will find events with the Protocol of TCP, OR that have the InitiatorIP of 10.10.10.43, OR those NOT from InitiatorPort 59614.

Protocol: "tcp" OR InitiatorIP: "10.10.10.43" OR NOT InitiatorPort: "59614" 

You could also think of it this way: Search for (Protocol: "tcp") OR (InitiatorIP: "10.10.10.43") OR (NOT InitiatorPort: "59614").

Wildcard Searches

Use an asterisk (*) to represent a wildcard in the value field of an attribute:value search to find results within events. For example, this filter string,

URL:*feedback*

will find strings in the URL attribute field of events that contain the string feedback.
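The following is an added example, not part of the CDO documentation or product code, that parses search strings written in the syntax shown in the AND, OR, NOT, AND NOT, OR NOT and Wildcard sections above and evaluates them against a few constructed events. It enforces the rules the page states (only NOT may begin a search string; AND, OR, AND NOT and OR NOT must sit between two terms) and treats `*` in a value as a wildcard. Two things the page does not specify are assumptions here: operators are combined left to right with no precedence, and values match case-insensitively. The event dictionaries and their ids are constructed for the illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample events (not real CDO output); attribute names follow the page.
EVENTS = [
    {"id": 1, "Protocol": "tcp", "InitiatorIP": "10.10.10.43", "InitiatorPort": "59614",
     "ResponderIP": "10.10.10.1", "URL": ""},
    {"id": 2, "Protocol": "udp", "InitiatorIP": "10.10.10.43", "InitiatorPort": "53",
     "ResponderIP": "10.0.0.53"},
    {"id": 3, "Protocol": "tcp", "InitiatorIP": "192.168.25.3", "InitiatorPort": "40000",
     "ResponderIP": "10.10.10.1", "URL": "https://www.example.com/feedback/form"},
    {"id": 4, "Protocol": "icmp", "InitiatorIP": "192.168.25.3", "InitiatorPort": "8",
     "ResponderIP": "192.168.25.1"},
    {"id": 5, "Protocol": "tcp", "InitiatorIP": "172.16.0.9", "InitiatorPort": "59614",
     "ResponderIP": "10.0.0.5", "URL": "https://www.example.com/help"},
]

# Longest operators first so "AND NOT" is not read as "AND" followed by a bad term.
OP_RE = re.compile(r"\b(AND NOT|OR NOT|AND|OR|NOT)\b")
# Attribute:value, where the value is either double-quoted or a bare word (URL:*feedback*).
TERM_RE = re.compile(r'(\w+):\s*(?:"([^"]*)"|(\S+))')


def tokenize(query):
    """Split a search string into ("op", name) and ("term", attr, value) tokens."""
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        if query[pos].isspace():
            pos += 1
            continue
        m = OP_RE.match(query, pos)
        if m:
            tokens.append(("op", m.group(1)))
            pos = m.end()
            continue
        m = TERM_RE.match(query, pos)
        if m:
            value = m.group(2) if m.group(2) is not None else m.group(3)
            tokens.append(("term", m.group(1), value))
            pos = m.end()
            continue
        raise ValueError(f"cannot parse search string at: {query[pos:]!r}")
    return tokens


def parse(query):
    """Return a list of (join_op, negated, attr, pattern) clauses.

    Rules from the page: only NOT may begin a search string; AND, OR,
    AND NOT and OR NOT must appear between two attribute:value terms."""
    tokens = tokenize(query)
    clauses, i, negated, join = [], 0, False, None
    if tokens and tokens[0][0] == "op":
        if tokens[0][1] != "NOT":
            raise ValueError(f"{tokens[0][1]} cannot begin a search string")
        negated, i = True, 1
    while True:
        if i >= len(tokens) or tokens[i][0] != "term":
            raise ValueError("expected an attribute:value term")
        clauses.append((join, negated, tokens[i][1], tokens[i][2]))
        i += 1
        if i == len(tokens):
            return clauses
        if tokens[i][0] != "op" or tokens[i][1] == "NOT":
            raise ValueError("expected AND, OR, AND NOT or OR NOT between terms")
        join, _, neg = tokens[i][1].partition(" ")   # "AND NOT" -> ("AND", "NOT")
        negated = neg == "NOT"
        i += 1


def term_matches(event, attr, pattern):
    """Assumption: case-insensitive match; '*' in the pattern is a wildcard
    (fnmatchcase also honours '?' and '[...]', which the page does not mention)."""
    value = event.get(attr)
    return value is not None and fnmatchcase(str(value).lower(), pattern.lower())


def evaluate(clauses, event):
    """Assumption: clauses are combined left to right with no operator precedence."""
    result = False
    for join, negated, attr, pattern in clauses:
        term = term_matches(event, attr, pattern) != negated   # apply NOT to this term
        if join is None:
            result = term
        elif join == "AND":
            result = result and term
        else:                                                  # "OR"
            result = result or term
    return result


def search(events, query):
    """Return the ids of the events that satisfy the search string."""
    clauses = parse(query)
    return [e["id"] for e in events if evaluate(clauses, e)]


if __name__ == "__main__":
    print(search(EVENTS, 'Protocol: "tcp" AND InitiatorIP: "10.10.10.43" AND InitiatorPort: "59614"'))
    print(search(EVENTS, 'NOT InitiatorIP: "192.168.25.3" AND NOT ResponderIP: "10.10.10.1"'))
    print(search(EVENTS, "URL:*feedback*"))
```

Running the page's own examples against these five events shows the narrowing and widening the text describes: the three-term AND string leaves only event 1, the same terms joined by OR return four events, and the OR NOT form returns all five because every event either is TCP, comes from 10.10.10.43, or is not from port 59614. Feeding a string that begins with AND or OR raises a ValueError, mirroring the rule that those operators cannot begin a search string.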