Using Logs
This chapter explains how to query and view the various Cisco ICS logs. It contains the following sections:
• About Cisco ICS Logs
• Incident Logs
• Event Logs
• Outbreak Logs
• Viewing Host Logs
• Exporting Logs
• Maintaining Logs
About Cisco ICS Logs
Use the logs to evaluate overall Cisco ICS security strategy. The following events generate log entries:
•System event—The Cisco ICS service starts or stops; accounts are added, modified, or deleted; devices or tasks expire; or devices, a DCS server, or OfficeScan servers are added or removed.
•Outbreak event—Outbreak management tasks are created, modified, or stopped; OPACLs are stopped; or reports are generated.
•Server update event—Outbreak management tasks, OPSigs, or DCS components are downloaded either manually or by schedule.
•Deployment event—OPACLs, OPSigs, or DCS components are deployed. This includes redeployment for all components.
•Connection status event—Cisco ICS verifies connection with devices and DCS servers and when a DCS server reports its status.
•Host event—A host cleanup notification is sent or hosts are removed from the watch list.
•OPSig matching—IPS devices detect a virus or other threat.
•OPACL matching—Traffic matches the settings specified in an OPACL.
•Damage cleanup—Hosts are cleaned.
Note To allow Cisco IPS and Cisco IOS IPS devices to send logs to Cisco ICS, you must enable Security Device Event Exchange (SDEE) on the IPS and Cisco IOS IPS devices.
Layer 2 switches do not generate logs. See your switch documentation for information on logs.
Cisco ICS provides a severity level entry to represent how potentially damaging an event or incident was to your network.
About Incidents, Events, and Severity Levels
To organize logs, Cisco ICS classifies everything it detects and all actions it performs as either incidents or events. It also includes a severity level to represent how potentially damaging an incident or event was to your network.
The severity levels are as follows:
•Alert—Very important, might require immediate action.
•Info—Information message only, no action required.
•Error—An error occurred.
For possible solutions to the errors, see Device Configuration Troubleshooting Tips, page D-8.
•Notice—A normal event that might not require action.
Cisco ICS assigns more than one severity level to certain incidents and events. For a classification of events and incidents by severity level, see Appendix C, "Log Severity Levels."
Incident Logs
You can query incident logs to view details about IPS devices that detect infected hosts and devices that detect network traffic matching an OPACL.
This section describes how to query and view incident logs. It contains the following topics:
• Querying Incident Logs
• Viewing OPSig Matching Incident Logs
• Viewing OPACL Matching Incident Logs
• Viewing Damage Cleanup Incident Logs
Querying Incident Logs
To query incident logs, follow these steps:
Step 1 Choose Logs > Incident Log Query.
Step 2 Click one of the following types of incidents:
•OPSig matching—Generated when IPS devices detect a virus or other threat.
•OPACL matching—Generated when traffic matches the settings specified in an OPACL.
•Damage cleanup—Generated when DCS cleans a host (visible only if a DCS server is registered to Cisco ICS).
Step 3 Under Time Period, click one of the following:
•Time period list—Select All dates, Last 24 hours, Today, Last 7 days, Last 14 days, or Last 30 days.
•Time range—Click the calendar icon, select a date, and select the time of day in hours and minutes from the lists.
Step 4 Click Display Logs.
The OPSig Matching, OPACL Matching, or Damage Cleanup window appears.
Viewing OPSig Matching Incident Logs
After you submit an incident log query for OPSig matching, the results appear in tabular form. The following information appears in the table:
•Results from—The time period you selected for the query.
•Date/Time—The date (dd/mm/yyyy) and time (hh:mm:ss) the event occurred.
Note If you previously restored Cisco ICS program settings from a database backup, the date and time might indicate the date and time of the backup, not the time that the event occurred. The most accurate time period appears in the title of the table next to Results from.
•Severity—An indication of the level of severity. All OPSig matching events are classified as alerts. For more information, see About Incidents, Events, and Severity Levels.
•Event Type—OPSig Matching.
•IPS Log Generation Time—The time that the original log was generated.
•IPS Name—The logical name of the IPS device that detected the threat.
•IPS IP—The IP address of the IPS device that detected the threat.
•Virus Name—The official name of the threat.
•Action—The action the IPS device took against the threat.
•Infection Source—The IP address of the first-infected computer.
•Suspect Host—The IP address of the computer that might be infected and the port number through which the traffic entered the host computer.
To change the log display, do any of the following:
•Use the navigation arrows to scroll through the pages of hosts or enter a page number. Select the number of hosts per page from the list.
•Click one of the headings in the table to sort by that item.
Viewing OPACL Matching Incident Logs
After you submit an incident log query for OPACL matching, the results appear in tabular form. The following information appears in the table:
•Results from—The time period you selected for the query.
•Date/Time—The date (dd/mm/yyyy) and time (hh:mm:ss) the event occurred.
Note If you previously restored Cisco ICS program settings from a database backup, the date and time might indicate the date and time of the backup, not the time that the event occurred. The most accurate time period appears in the title of the table next to Results from.
•Severity—An indication of the level of severity: Alert, Info, Error, Notice. For more information, see About Incidents, Events, and Severity Levels.
•Event Type—OPACL matching.
•Device Log Generation Time—The time that the original log was generated.
•Device Name—The logical name of the device.
•Device IP—The IP address of the device.
•Action—OPACL mode (blocking or logging).
•Protocol—The protocol of the packet that matched the OPACL (TCP, UDP, or ICMP).
•Source IP—The IP address of the computer from which the traffic originated.
•Destination IP—The IP address of the computer to which the traffic was destined.
•Destination Port—The port number on the computer to which the traffic was destined.
•Packet Number—The total number of packets matching the OPACL.
•ACL/IPS Interface Name—The interface that detected the matching packet.
To change the display, do any of the following:
•Use the navigation arrows to scroll through the pages of hosts or enter a page number. Select the number of hosts per page from the list.
•Click one of the headings in the table to sort by that item.
Viewing Damage Cleanup Incident Logs
After you submit an incident log query for Damage Cleanup, the results appear in tabular form. The following information appears in the table:
•Results from—The time period you selected for the query.
•Date/Time—The date (dd/mm/yyyy) and time (hh:mm:ss) the event occurred.
Note If you previously restored Cisco ICS program settings from a database backup, the date and time might indicate the date and time of the backup, not the time that the event occurred. The most accurate time period appears in the title of the table next to Results from.
•Severity—An indication of the level of severity: Alert, Info, Error, Notice. For more information, see About Incidents, Events, and Severity Levels.
•Event Type—Damage Cleanup.
•DCS Log Generation Time—The time that the original log was generated.
•DCS Name—The logical name of the DCS server.
•DCS IP—The IP address of the DCS server.
•Virus Name—The name of the threat that was cleaned.
•Infected Host—The hostname of the computer that DCS cleaned.
•Result—The result of the cleaning; one of the following:
–Virus detected but passed (not cleaned).
–Virus detected and cleaned.
–Virus detected but unable to clean.
To change the log display, do any of the following:
•Use the navigation arrows to scroll through the pages of hosts or enter a page number. Select the number of hosts per page from the list.
•Click one of the headings in the table to sort by that item.
Event Logs
Query event logs to view details about the following:
•All events.
•System events, such as the start or stop of the Cisco ICS service.
•Outbreak events, such as the creation of a new outbreak management task.
•Server update events, such as outbreak management task download.
•Deployment events, such as OPACL deployment.
•Connection status events, such as verifying connection.
•Host events, such as removing a host from the watch list.
This section describes how to query and view event logs. It contains the following topics:
• Querying Event Logs
• Viewing Event Logs
Querying Event Logs
To query event logs, follow these steps:
Step 1 Choose Logs > Event Log Query.
Step 2 Click a type of event.
Step 3 Under Severity, select the level that represents how potentially damaging the event was:
•All.
•Alert—Very important, might require immediate action.
•Info—Information message only, no action required.
•Error—An error occurred.
For possible solutions to the errors, see Device Configuration Troubleshooting Tips, page D-8.
•Notice—A normal event that might not require action.
Step 4 Under Time Period, click one of the following:
•Time period list—All dates, Last 24 hours, Today, Last 7 days, Last 14 days, or Last 30 days.
•Time range—Click the calendar icon, select a date, and select the time of day in hours and minutes from the lists.
Step 5 Click Display Logs.
The Event Log window appears for the selected type of event.
Note If Cisco ICS deploys or removes an OPACL, the following event detail appears: Deployed OPACL update to an individual device for a new or modified task.
Viewing Event Logs
After you query an event log, the results appear in tabular form. The following information appears in the table:
•Results from—The time period you selected for the query.
•Date/Time—The date (dd/mm/yyyy) and time (hh:mm:ss) the event occurred.
Note If you previously restored Cisco ICS program settings from a database backup, the date and time might indicate the date and time of the backup, not the time that the event occurred. The most accurate time period appears in the title of the table next to Results from.
•Severity—An indication of the level of severity: Alert, Info, Error, Notice.
For more information, see About Incidents, Events, and Severity Levels.
•Event Type.
•Task Name—The specific name of the task that Cisco ICS performed.
•Event Details—A description of the event.
•Account—The initiator of the event. For an event that Cisco ICS initiates, System-initiated appears. For user-initiated events, the user account name appears.
•Device Logical Name—The logical name of the device that performed the event.
•Device IP—The IP address of the device that performed the event.
•Result—The result of the event. If an error occurred, click the link to go to the Device Configuration Troubleshooting Tips help file.
Outbreak Logs
This section describes how to query and view outbreak logs. It contains the following topics:
• Querying Outbreak Logs
• Viewing Outbreak Logs
Querying Outbreak Logs
You can query outbreak logs to view details about a specific outbreak management task.
To query outbreak logs, follow these steps:
Step 1 Choose Logs > Outbreak Log Query.
The Outbreak Log Query appears showing all outbreak management tasks created.
Step 2 Click a task (only one is allowed).
Step 3 Under View Logs, click one of the following:
•OPSig matching—Generated when IPS devices detect a virus or other threat.
•OPACL matching—Generated when traffic matches the settings specified in an OPACL.
•Damage cleanup—Generated when DCS cleans a host (visible only if a DCS server is registered to Cisco ICS).
•Task tracking event—All server update, outbreak, deployment, and host events.
Step 4 Click Display Logs.
The Outbreak Log window appears for the selected type of log.
Viewing Outbreak Logs
After you query an outbreak log, the results appear in tabular form. The information for OPSig matching, OPACL matching, and Damage Cleanup outbreak logs is the same as the information for incident logs. For more information, see the following:
• Viewing OPSig Matching Incident Logs.
• Viewing OPACL Matching Incident Logs.
• Viewing Damage Cleanup Incident Logs.
The information for task tracking outbreak events is the same as the information for all event logs. For more information, see Viewing Event Logs.
Viewing Host Logs
Host logs show the following information about hosts in the watch list:
•Results from—The time period you selected for the query
•Date/Time—The date (dd/mm/yyyy) and time (hh:mm:ss) the event occurred
•Severity—An indication of the level of severity: Alert, Info, Error, Notice
For more information, see About Incidents, Events, and Severity Levels.
•Event Type
•Log Generation Time—The original log generation time
•IPS/DCS Name—The logical name of the IPS device that detected the threat or the DCS server that cleaned the host
•IPS/DCS IP—The IP address of the IPS device that detected the threat or the DCS server that cleaned the host
•Virus Name—The official name of the threat
•Infection Source—The computer first infected
•Suspect Host—The computers the threat infected
•Result
To view host logs, follow these steps:
Step 1 From the menu, choose one of the following:
•Outbreak Management > Outbreak Management Summary > {Task Name} > Watch List Infected
•Outbreak Management > Outbreak Management Summary > {Task Name} > Cleaned Hosts
Step 2 Click View Host Logs.
Exporting Logs
You can export logs to CSV files, which you can open in a spreadsheet program.
To export logs, follow these steps:
Step 1 From any view log window, click Export to CSV.
Step 2 Click Save.
Step 3 Select a location to save the log.
Step 4 Click Save.
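The fields of the OPSig matching table (above) and the CSV export described here lend themselves to offline triage. The following added example, not code from the Cisco ICS product or this guide, parses a constructed sample export, groups suspect hosts by infection source, flags rows where the IPS only alerted, and records the skew between Date/Time and IPS Log Generation Time so that timestamps inherited from a database restore stand out. The column header text, the "ip:port" layout of Suspect Host, the timestamp layout of IPS Log Generation Time and the action value "Deny" are all assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export. Column names follow the fields of the OPSig
# matching table; the exact header text of a real export is an assumption.
SAMPLE_CSV = """\
Date/Time,Severity,Event Type,IPS Log Generation Time,IPS Name,IPS IP,Virus Name,Action,Infection Source,Suspect Host
03/04/2006 10:15:02,Alert,OPSig Matching,03/04/2006 10:14:58,ips-core-1,10.0.0.5,WORM_EXAMPLE.A,Deny,192.168.1.20,192.168.2.7:445
03/04/2006 10:15:09,Alert,OPSig Matching,03/04/2006 10:15:05,ips-core-1,10.0.0.5,WORM_EXAMPLE.A,Deny,192.168.1.20,192.168.2.8:445
03/04/2006 10:16:40,Alert,OPSig Matching,03/04/2006 10:16:37,ips-edge-2,10.0.0.6,WORM_EXAMPLE.A,Alert,192.168.1.20,192.168.3.2:139
03/04/2006 10:20:11,Alert,OPSig Matching,03/04/2006 10:20:08,ips-edge-2,10.0.0.6,TROJ_EXAMPLE.B,Deny,192.168.5.9,192.168.2.7:80
"""

DATE_FMT = "%d/%m/%Y %H:%M:%S"  # dd/mm/yyyy hh:mm:ss, the documented Date/Time layout

def parse_opsig_export(text):
    """Parse rows, convert timestamps and split Suspect Host into IP and port."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        logged = datetime.strptime(row["Date/Time"], DATE_FMT)
        generated = datetime.strptime(row["IPS Log Generation Time"], DATE_FMT)  # same layout assumed
        host, _, port = row["Suspect Host"].partition(":")  # "ip:port" layout is an assumption
        records.append({
            "logged": logged,
            # A large skew hints that Date/Time reflects a database restore, not the event
            "skew": (logged - generated).total_seconds(),
            "ips": row["IPS Name"],
            "virus": row["Virus Name"],
            "action": row["Action"],
            "source": row["Infection Source"],
            "suspect": host,
            "port": int(port) if port else None,
        })
    return records

def hosts_by_source(records, since=None):
    """Map each infection source to the distinct suspect hosts it reached, optionally only after `since`."""
    cutoff = datetime.strptime(since, DATE_FMT) if since else None
    result = defaultdict(set)
    for r in records:
        if cutoff is None or r["logged"] >= cutoff:
            result[r["source"]].add(r["suspect"])
    return {src: sorted(hosts) for src, hosts in result.items()}

def unblocked_hits(records):
    """Rows where the IPS only alerted, so the suspect host still received the traffic."""
    return [(r["suspect"], r["port"], r["virus"]) for r in records if r["action"] != "Deny"]
```

Hosts returned by hosts_by_source for a single source are candidates for the watch list; unblocked_hits lists the hosts that most need a Damage Cleanup check.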
Maintaining Logs
Use Log Maintenance to manually delete logs, configure auto deletion, and delete log entries created by specific outbreak management tasks. All tabs on the Log Maintenance window display the following information:
•Log Type
•First Log Entry—The date (dd/mm/yyyy) and time (hh:mm:ss) Cisco ICS made the first log entry
•Most Recent Log Entry—The date (dd/mm/yyyy) and time (hh:mm:ss) Cisco ICS made the most recent log entry
This section describes how to maintain logs and contains the following topics:
• Deleting Logs Manually
• Configuring Auto Deletion
• Deleting Log Entries Created by Specific Outbreak Management Tasks
Deleting Logs Manually
To delete logs manually, follow these steps:
Step 1 Choose Logs > Log Maintenance.
The Manual Deletion tab appears by default.
Step 2 Under Delete Logs Older Than, enter the number of days.
Step 3 Click Delete.
A confirmation message appears.
Step 4 Click OK.
Configuring Auto Deletion
To configure auto deletion, follow these steps:
Step 1 Choose Logs > Log Maintenance.
The Manual Deletion tab appears by default.
Step 2 Click the Auto Deletion tab.
Step 3 Check the check boxes next to the types of logs to delete or check the check box at the top to select all logs.
Step 4 Under Delete Logs Older Than, enter the number of days.
Step 5 Click Save.
A confirmation window appears.
Step 6 Click Back to return to the Log Maintenance window.
Cisco ICS deletes the selected logs at 2:00 a.m. daily.
Deleting Log Entries Created by Specific Outbreak Management Tasks
To delete log entries created by specific outbreak management tasks, follow these steps:
Step 1 Choose Logs > Log Maintenance.
The Manual Deletion tab appears by default.
Step 2 Click the Outbreak Deletion tab.
Step 3 Find the task whose logs require deletion.
Step 4 Click Delete.
A confirmation message appears.
Step 5 Click OK.
Posted: Fri Apr 7 09:30:33 PDT 2006
All contents are Copyright © 1992--2006 Cisco Systems, Inc. All rights reserved.