Network Security Management Reports and Analytics

System Events

The System Events section provides the tools to view the system event logs and download them in CSV format. Administrators can use firewall system events to troubleshoot the network. You can access the system event logs by navigating to All Logs under the System Events tab on the Monitor View of a firewall.

The following prerequisites apply to viewing and managing System Events:

  • System events are available for both GEN6 and GEN7 firewalls.

  • System events are supported for newly added devices with the latest firmware. Refer to the Release Notes to learn more about the build information.

  • You can enable System events for devices with a lower version of SonicOS by upgrading the firmware. Refer to Enabling System Events for Existing Firewalls for more details.

  • System event archival is supported for 30 days.

  • You can refer to the System Events Reference Guide to see the list of default system events that are supported for NSM SaaS.

You need an NSM Advance License to view and manage System Events.

Navigating to System Events Page

To see the list of events that have been created, click the System Events page on the Monitor View of the firewall. You can use the Search option to search for a particular event.

You have a Time Range option that lets you customize the time duration of the report. The Limit drop down is used to set the limit of the number of displayed events. You can further filter the graph according to a specific time by using the Time Slider which is present above the graph.

You can also click the Refresh button to refresh the information on the page and export the table in CSV format using the Export button. The columns of the table can be edited using the Grid Settings button at the top of the page.

The event categories in the list are color coded; the color is shown in the leftmost column.

You can expand each event to see additional information such as event ID, category, event name, message, priority, source IP, destination IP, etc.

Only the following Priority levels for System Events are supported for egressing to NSM SaaS: Alerts, Critical, Error, and Warning. For an event priority to show up in NSM SaaS, its IPFIX setting has to be enabled on the Log > Settings page of the Device View.

Enabling System Events for Existing Firewalls

If your device has a lower firmware version, you can enable System Events by first upgrading your firmware. Refer to the NSM Administration Guide to upgrade your firmware. Next, follow the steps given below. This is applicable for both GEN6 and GEN7 firewalls:

  1. Click on Synchronize Firewall option under Actions on the Firewall > Inventory page.

  2. Click on OK to complete the synchronization.

  3. You can view the Firmware Version under the firewall to confirm if the updated version is appearing on the firewall.

  4. Next, click on Reconfigure Reporting and Analytics option under Actions on the Firewall > Inventory page.

  5. Click on OK to complete the reconfiguration.

  6. After reporting and analytics is reconfigured, check whether the flow log transport mechanism has changed from VPN to Encrypted mode. If it has changed successfully, the system disables the SGMSServer-VPN tunnel that was established to transfer flow logs to NSM. Do not enable this tunnel manually.

Once you have successfully completed all the steps, you will be able to view the System Events option in the Monitor View of the firewall.

There may be a momentary loss of data in the firewall while reconfiguring reporting and analytics.

Authentication Logs

This section provides the tools to view and generate user authentication reports for user login/logout, admin login/logout, and failed logins. You can access the Authentication Logs by navigating under the System Events tab. The log data is available for 30 days.

You need an NSM Advance License to view and manage Authentication Logs.

Authentication Logs are available for both GEN6 and GEN7 firewalls. Refer to the Release Notes to learn more about the build information.

  • User Login: This tab provides all the login/logout information of the user.

  • Admin Login: This tab provides all the login/logout information of the administrator of a firewall.

  • Failed Login: This tab provides all the information regarding failed login attempts by both users and administrators.

  • The report columns include information such as Time, Initiator IP, User, Initiator/Destination Interface, Initiator/Destination Port, Session Time, Service, and Message.

You can use the Search button to search the information of a user. You have a Time Range option that lets you customize the time duration of the report. The Limit drop down is used to set the limit of the number of users. You can further filter the table according to a specific time by using the Time Slider which is present above the graph.

You have the option to create Customized Filters as per your requirements for the initiator IP and the user columns as well as create Custom Reports. You can also click the Refresh button to refresh the information on the page, edit the columns in the table with the Column Selection button, and export the table in PDF/CSV format using the Export button.
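
Once the Failed Login report is exported as CSV, it can be reviewed offline for sources that generate bursts of failed logins. The following is an added example, not SonicWall code: the CSV header names and timestamp format are assumptions modeled on the report columns listed above, the sample rows are constructed, and the threshold and window values are hypothetical defaults.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample; header names and the timestamp format are assumptions
# modeled on the report columns listed above, not a documented export schema.
SAMPLE_CSV = """Time,Initiator IP,User,Service,Message
2024-05-01 10:00:05,203.0.113.7,admin,HTTPS,Login failed
2024-05-01 10:00:20,203.0.113.7,root,HTTPS,Login failed
2024-05-01 10:00:41,203.0.113.7,admin,HTTPS,Login failed
2024-05-01 10:01:10,203.0.113.7,backup,HTTPS,Login failed
2024-05-01 10:02:30,203.0.113.7,admin,HTTPS,Login failed
2024-05-01 10:03:00,198.51.100.23,jdoe,SSH,Login failed
2024-05-01 11:45:00,198.51.100.23,jdoe,SSH,Login failed
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed; adjust to the real export


def find_noisy_sources(csv_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"failures": n, "users": [...]}} for every Initiator IP
    with at least `threshold` failed logins inside any sliding `window`."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ts = datetime.strptime(row["Time"].strip(), TIME_FORMAT)
        except (KeyError, ValueError, AttributeError):
            continue  # skip rows with a missing or malformed timestamp
        ip = (row.get("Initiator IP") or "").strip()
        if ip:
            events[ip].append((ts, (row.get("User") or "").strip()))

    flagged = {}
    for ip, rows in events.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # shrink from the left to stay inside the window
            count = end - start + 1
            if count >= threshold and count > flagged.get(ip, {}).get("failures", 0):
                users = sorted({u for _, u in rows[start:end + 1]})
                flagged[ip] = {"failures": count, "users": users}
    return flagged


if __name__ == "__main__":
    print(find_noisy_sources(SAMPLE_CSV))
```

A flagged source that lists several distinct users points to guessing across accounts, while a single repeated user more often indicates a stale saved credential.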
