Event Viewer combines the functionality of a browser (such
as Explorer) with that of a spreadsheet (such as MS Excel) to create a
collection of audit event data called a drillsheet. The drillsheet allows groups of similar audit-event records to be
displayed on a single row, so that you can quickly and easily detect patterns in
the data.
Traditional event viewers display events in a single list. Each
event fills one row in the list and each data element within an event fills one
cell in the row. This display is appropriate when the number of events
is small. When the number of events is large, however, or when events arrive
quickly, this linear display isn't practical.
The Event Viewer groups alarms together into one row based on
information the alarms have in common. By default, the Event Viewer consolidates, or
collapses, alarms whose first two field columns are identical. For example, you might
have ten alarms present in the Event Viewer, all triggered by the same signature.
Rather than listing ten separate rows, one for each alarm, Event Viewer creates one
record (row) listing the name of the alarm with a count field value of 10. Any
information common to all ten alarms is listed in the record. Any information
that differs among the ten alarms is shown as a + symbol, indicating that additional
information exists. You can view the additional information by expanding the
record. To expand the record, double-click the + sign.
Expanding and Collapsing the Row
As previously mentioned, the Event Viewer is configured by
default to collapse alarms into one record based on identical information
in the first two field columns. To view additional information about
each alarm, you must expand the record, one column at a time, until the information you need is shown.
To expand a record by one column, select the row you want to
expand and then click the Expand This Branch One Column to the Right button on
the tool bar.
If you want to expand the entire row all the way to the right,
select the Expand This Branch all the way to the Right button, located on the
Event Viewer tool bar. You can collapse a row back to the left by choosing the
Collapse This Branch One Column to the Left button or the Collapse This Branch
to the Currently Selected Column button on the Event Viewer tool bar.
Note: Neither of these changes is permanent. If the Event Viewer
is closed, all changes to the expanded rows are lost.
By default, all rows are expanded to at least the first two
columns. If you want to increase the expansion for all rows beyond the second
column, you can configure Event Viewer to do this automatically. To set the
default expansion boundary:
-
Select the column to which you want all rows expanded by default.
-
Choose Edit | Set Event Expansion Boundary from the Event
Viewer menu bar.
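The consolidation rule described above (group alarms whose leading columns match, show common values, show + where values differ, and expand a branch by regrouping on one more column) can be modelled in a few lines. The following is an added example written for this page; it is not code from the Event Viewer or its vendor. The column names, the alarm records and the function names are constructed for illustration, and the column order is assumed to be the drillsheet's left-to-right order.

```python
"""Model of the drillsheet's collapse/expand behaviour (added example).

Alarms are grouped into one row when their first `boundary` columns match.
A field common to every alarm in the group is shown as-is; a field that
differs is shown as "+" (more information available). Expanding a branch
regroups that row's members on additional leading columns.
"""

# Assumed drillsheet column order, left to right (constructed for the example).
COLUMNS = ["Signature", "Source", "Destination", "Severity"]

# Constructed sample alarms; not real sensor output.
ALARMS = [
    {"Signature": "ICMP Echo Req", "Source": "10.0.0.5", "Destination": "10.0.1.7", "Severity": "Low"},
    {"Signature": "ICMP Echo Req", "Source": "10.0.0.5", "Destination": "10.0.1.8", "Severity": "Low"},
    {"Signature": "ICMP Echo Req", "Source": "10.0.0.5", "Destination": "10.0.1.9", "Severity": "Low"},
    {"Signature": "ICMP Echo Req", "Source": "10.0.0.6", "Destination": "10.0.1.7", "Severity": "Low"},
    {"Signature": "TCP SYN Flood", "Source": "172.16.3.9", "Destination": "10.0.1.7", "Severity": "High"},
]


def collapse(alarms, columns=COLUMNS, boundary=2):
    """Return drillsheet rows: one row per distinct value of the first
    `boundary` columns (the expansion boundary; the page's default is 2).

    Each row carries a Count, a value or "+" for every column, and the
    member alarms so the row can be expanded further.
    """
    groups = {}
    for alarm in alarms:
        key = tuple(alarm[c] for c in columns[:boundary])
        groups.setdefault(key, []).append(alarm)  # dict keeps first-seen order
    rows = []
    for members in groups.values():
        row = {"Count": len(members)}
        for c in columns:
            distinct = {m[c] for m in members}
            row[c] = distinct.pop() if len(distinct) == 1 else "+"
        row["_members"] = members
        rows.append(row)
    return rows


def expand_branch(row, columns=COLUMNS, boundary=2, to_column=None):
    """Expand one row ("branch") by regrouping its members.

    to_column=None expands one column to the right; to_column=len(columns)
    expands all the way to the right, giving every alarm its own row.
    """
    new_boundary = boundary + 1 if to_column is None else to_column
    return collapse(row["_members"], columns, min(new_boundary, len(columns)))


def render(rows, columns=COLUMNS):
    """Plain-text drillsheet, one line per row, Count first."""
    header = ["Count"] + list(columns)
    lines = ["\t".join(header)]
    for row in rows:
        lines.append("\t".join(str(row[c]) for c in header))
    return "\n".join(lines)


if __name__ == "__main__":
    top = collapse(ALARMS)             # default boundary: first two columns
    print(render(top))
    print()
    print(render(expand_branch(top[0])))  # one column to the right
```

With the default boundary the three ICMP alarms from 10.0.0.5 collapse to a single row with Count 3, Severity Low and a + under Destination; expanding that branch one column to the right splits it into three rows, one per destination. Lowering the boundary to one column merges all four ICMP alarms and turns Source into + as well.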
Managing Columns in Event Viewer
Columns can be moved to any position in the Event Viewer. To
move a column, click and drag the column to the new position. This isn't a
permanent change: if the Event Viewer is closed and reopened, the default column
placement is used.
You can delete columns from the Event Viewer Grid. To delete a
column, right-click the column you want to delete, and then select Delete Column
from the Shortcut menu. Deleting a column isn’t a permanent change.
You can also select which columns you want Event Viewer to
display, as well as how the information in the columns is sorted. To add or
remove a column, use the following steps:
-
Choose Edit | Insert/Modify Column(s) from the Event Viewer
menu bar.
-
Select the columns you want to view by placing an X in the show field.
-
Click OK.