Cisco Support Community

New Member

Track Event Action Filter actions

Hi

I would like to track if an ‘event action filter’ triggers.

A filter that removes all actions from an event effectively consumes the event.

But can I track if an ‘event action filter’ triggers (CLI command, debug)?

Br

Johan Kellerman


3 REPLIES
New Member

Re: Track Event Action Filter actions

You may use the CLI command:

show statistics virtual-sensor | begin SigEvent Action Filter

The output will be as follows:

      SigEvent Action Filter Stage Statistics
         Number of Alerts received to Action Filter Processor = 0
         Number of Alerts where an action was filtered = 591910
         Number of Filter Line matches = 591910
         Number of Filter Line matches causing decreased DenyPercentage = 0
         Actions Filtered
            deny-attacker-inline = 0
            deny-attacker-victim-pair-inline = 0
            deny-attacker-service-pair-inline = 0
            deny-connection-inline = 0
            deny-packet-inline = 0
            modify-packet-inline = 0
            log-attacker-packets = 0
            log-pair-packets = 0
            log-victim-packets = 0
            produce-alert = 7307
            produce-verbose-alert = 584603
            request-block-connection = 0
            request-block-host = 0
            request-snmp-trap = 0
            reset-tcp-connection = 0
            request-rate-limit = 0
         Filter Hit Counts
            3  = 92797
            4  = 488830
            5  = 7307
            6  = 2976

New Member

Re: Track Event Action Filter actions

Thanks!

But how do I know which filter the filter number refers to?

Filter Hit Counts
            18  = 18
            19  = 7
            4  = 18499
            6  = 8
            7  = 10
            9  = 2

Br

Johan

New Member

Re: Track Event Action Filter actions

I am not 100% sure, but I think that it is the number of the filter in the set. You can see the sequence with the command:

show configuration | begin filters move

filters move aaa begin
filters move bbb after aaa
filters move ccc after bbb
filters move ddd after ccc
filters move eee after ddd
filters move fff after eee

and you can see the order. You may check the dependencies.
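
An added example, not part of any post in this thread: a Python sketch that replays the `filters move` lines into an ordered list and labels each `Filter Hit Counts` entry with a filter name. It assumes, as the last reply suggests but does not confirm, that the number is the filter's position in that list; the page does not say whether counting starts at 0 or 1, so `base` is a parameter, and the function names and sample data are constructed for illustration.

```python
import re

# Constructed sample input, shaped like the CLI output quoted in the thread.
STATS = """\
         Filter Hit Counts
            3  = 92797
            4  = 488830
            5  = 7307
            6  = 2976
"""
CONFIG = "\n".join([
    "filters move aaa begin", "filters move bbb after aaa",
    "filters move ccc after bbb", "filters move ddd after ccc",
    "filters move eee after ddd", "filters move fff after eee"])

def parse_hit_counts(stats):
    """Return {filter_number: hits} from the 'Filter Hit Counts' section."""
    counts, in_section = {}, False
    for line in stats.splitlines():
        if line.strip() == "Filter Hit Counts":
            in_section = True
        elif in_section:
            m = re.fullmatch(r"\s*(\d+)\s*=\s*(\d+)\s*", line)
            if not m:
                break  # first line that is not "N = M" ends the section
            counts[int(m.group(1))] = int(m.group(2))
    return counts

def filter_order(config):
    """Replay 'filters move' lines (only 'begin' and 'after X') into a list."""
    order = []
    for line in config.splitlines():
        m = re.fullmatch(r"\s*filters move (\S+) (?:begin|after (\S+))\s*", line)
        if not m:
            continue
        name, anchor = m.groups()
        if name in order:
            order.remove(name)
        order.insert(order.index(anchor) + 1 if anchor else 0, name)
    return order

def label_hits(stats, config, base=1):
    """Assumption: number - base is the filter's position in the order."""
    order = filter_order(config)
    def name(n):
        return order[n - base] if 0 <= n - base < len(order) else None
    return {n: (name(n), h) for n, h in parse_hit_counts(stats).items()}

if __name__ == "__main__":
    print(label_hits(STATS, CONFIG))
```

A number that maps to `None` for a given `base` means the positional assumption or the chosen base does not fit that sensor's configuration.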
