Chapter 8. Monitoring CSA Events

This chapter covers the following topics:

As the Cisco Security Agent (CSA) hosts deployed throughout your enterprise architecture begin to protect systems from malicious code, worms, viruses, unauthorized user interaction, and various other policy violations, the CSA Management Console (MC) begins to receive events describing these issues. The events are correlated in a central repository on the CSA MC known as the event log, and they give the security operations team great insight into their environment. From the event log, the team can see what is currently impacting, or has already impacted, the environment, and can then tighten current policies or create new ones to allow or disallow specific actions. It is extremely important for the CSA administrator to understand how to use and interpret the event log, both to deploy policies to remote agents efficiently and effectively and to react appropriately to malicious events. In many cases, however, this information is used purely for reporting, because the malicious actions are recorded in the event log as prevented and no further action is required.

The CSA MC offers you several ways to view and sort the events in the database. Options for viewing events include summarized views, most often used in NOCs or SOCs (network and security operations centers), live event views, and historical views. All of these methods support sorting and filtering, so that only the data required at any given time is presented.

To view events, either historically or live, you start with the Events section of the CSA MC. The Events menu is located on the top navigation bar. Placing your cursor over Events or clicking Events presents a drop-down menu for navigation, as shown in Figure 8-1. The Events menu options are as follows:

  • Status Summary— High-level overview and summarized information

  • Event Log— A filterable complete event log

  • Event Monitor— Recent events refreshed regularly for a near-real-time view

  • Event Log Management— Create tasks to manage the database

  • Event Sets— Sets of predetermined criteria used when viewing, reporting on, or sending notifications about events in the database

  • Alerts— Configuration of alerts based on received events

Figure 8-1. Top-Level Events Menu


Throughout this chapter, you will explore the various ways to view and use the Events menu to ensure a successful CSA architecture.
