Show and Hide Columns on the Event Logging Page

The Event Logging page displays ASA and FTD syslog events and ASA NetFlow Secure Event Logging (NSEL) events sent to the Cisco cloud from configured ASA and FDM-managed devices.

You can show or hide columns on the Event Logging page by using the Show/Hide widget with the table:

Procedure

Step 1	In the left pane, choose Analytics > Event Logging .
Step 2	Scroll to the far right of the table and click the column filter icon .
Step 3	Check the columns you want to see and uncheck the columns you want to hide.

Other users logging into the tenant will see the same columns you chose to show until columns are shown or hidden again.

This table describes the default column headers:


Column Header	Description
Date/Time	The time the device generated the event. By default, event timestamps are displayed in your Local time zone. To view event timestamps in UTC, see Change the Time Zone for the Event Timestamps
Device Type	ASA (Adaptive Security Appliance) FTD (Firepower Threat Defense)
Event Type	This composite column can have any of the following: FTD Event Types Connection: Displays connection events from access control rules. File: Displays events reported by file policies in access control rules. Intrusion: Displays events reported by intrusion policy in access control rules. Malware: Displays events reported by malware policies in access control rules. ASA Event Types: These event types represent groups of syslog or NetFlow events. See ASA Event Types for more information about which syslog ID or which NetFlow ID is included in which group. Parsed Events: Parsed syslog events contain more event attributes than other syslog events and CDO is able to return search results based on those attributes more quickly. Parsed events are not a filtering category; however, parsed event IDs are displayed in the Event Types column in italics. Event IDs that are not displayed in italics are not parsed. ASA NetFlow Event IDs: All Netflow (NSEL) events from ASA appear here.
Sensor ID	The Sensor ID is the IP address from which events are sent to the Secure Event Connector. This is typically the Management interface on the Firepower Threat Defense or the ASA.
Initiator IP	This is the IP address of the source of the network traffic. The value of the Initiator address field corresponds to the value of the InitiatorIP field in the event details. You can enter a single address, such as 10.10.10.100, or a network defined in CIDR notation such as 10.10.10.0/24.
Responder IP	This is the destination IP address of the packet. The value of the Destination address field corresponds to the value in the ResponderIP field in the event details. You can enter a single address, such as 10.10.10.100, or a network defined in CIDR notation such as 10.10.10.0/24.
Port	The port or ICMP code used by the session responder. The value of the destination port corresponds to the value of the ResponderPort in the event details.
Protocol	It represents the protocol in the events.
Action	Specifies the security action defined by the rule. The value you enter must be an exact match to what you want to find; however, the case doesn't matter. Enter different values for connection, file, intrusion, malware, syslog, and NetFlow event types: For connection event types, the filter searches for matches in the AC_RuleAction attribute. Those values could be Allow, Block, Trust. For file event types, the filter searches for matches in the FileAction attribute. Those values could be Allow, Block, Trust. For intrusion event types, the filter searches for matches in the InLineResult attribute. Those values could be Allowed, Blocked, Trusted. For malware event types, the filter searches for matches in the FileAction attribute. Those values could be Cloud Lookup Timeout. For syslog and NetFlow events types, the filter searches for matches in the Action attribute.
Policy	The name of the policy that triggered the event. Names will be different for ASA and FDM-managed devices.