Preference Settings
This section describes the preference options that can be
configured in the Event Viewer. To configure Event Viewer preferences, click the
Preferences option from the Edit menu. The following sections make up the
Preferences window:
- Actions
- Cells
- Status Events
- Boundaries
- Event Severity Indicator
- Severity Mapping
Actions
The Actions section of the Preferences window enables you to
set the following parameters:
- Command Timeout—This parameter configures how long (in seconds) the Event Viewer waits for a response from a sensor before it considers the connection down. This setting shouldn’t be changed unless you’ve been experiencing excessive timeout errors.
- Time To Block—This parameter specifies how long (in minutes) a sensor should block traffic from a specified source when the Block command is issued from the Event Viewer. This block time period applies only to blocks initiated manually from the Event Viewer, not to automatic blocks initiated by the sensor. The default is 1,440 minutes (one day), and it can be set to any value from 1 to 525,600 minutes.
- Subnet Mask—The subnet mask is applied to any manually blocked address. If you only want to block the actual attacking host, you should use a netmask of 255.255.255.255. This default subnet mask will be used for all manual blocking.
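The following added example (not part of the original text or of the Event Viewer itself) shows how the Subnet Mask preference changes the reach of a manual block and checks the Time To Block value against the range given above. The helper name, the protected-address list, and the sample addresses are constructed for illustration, and the code assumes the block covers the whole network that results from applying the mask.

```python
import ipaddress

# Limits stated on this page for the Time To Block preference (minutes).
BLOCK_MIN, BLOCK_MAX, BLOCK_DEFAULT = 1, 525_600, 1_440


def manual_block_scope(source_ip, subnet_mask="255.255.255.255",
                       minutes=BLOCK_DEFAULT, protected=()):
    """Describe what a manual block would cover (hypothetical helper).

    source_ip   -- address selected for the manual block
    subnet_mask -- the Subnet Mask preference, applied to that address
    minutes     -- the Time To Block preference
    protected   -- addresses that must stay reachable (assumed list)
    """
    if not BLOCK_MIN <= minutes <= BLOCK_MAX:
        raise ValueError(
            f"Time To Block must be {BLOCK_MIN} to {BLOCK_MAX} minutes")
    # strict=False clears the host bits, which is what applying the
    # mask to the address does; a malformed mask raises ValueError.
    network = ipaddress.IPv4Network(f"{source_ip}/{subnet_mask}", strict=False)
    collateral = [p for p in protected
                  if ipaddress.IPv4Address(p) in network]
    return {
        "blocked_network": str(network),
        "addresses_blocked": network.num_addresses,
        "minutes": minutes,
        "collateral": collateral,
    }


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges).
    attacker = "192.0.2.77"
    keep_reachable = ["192.0.2.10", "198.51.100.5"]
    for mask in ("255.255.255.255", "255.255.255.0"):
        print(mask, manual_block_scope(attacker, mask,
                                       protected=keep_reachable))
```

With 255.255.255.255 only the selected host is covered; with 255.255.255.0 the same block also covers 192.0.2.10, one of the addresses that was supposed to stay reachable.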
Cells
The Cells section of the Preferences window enables you to
configure the following parameters:
- Blank-Left—This configures the Event Viewer not to repeat identical information in the leftmost column. If ten alarms are all generated by the same signature, Event Viewer lists the name of the alarm in the first row and leaves that column blank for the next nine rows. By default, Blank-Left is selected.
- Blank-Right—Blank-Right affects how the collapsed cells display in the Event Viewer beyond the expansion boundary. By default, Blank-Right isn’t selected.
Status Events
The Status Events section enables you to decide whether
Event Viewer should list status events (route down, route up, PostOffice
messages) in the Event Viewer grid. If this option isn’t selected, then status
events won’t be listed in the grid. If you choose Display Popup Window, then all
route down messages will generate a pop-up window and other status events won’t
be displayed.
Boundaries
The Boundaries section in the Preferences window enables you
to configure the following:
- Default Expansion Boundary—Persistent setting that configures the default expansion boundary. By default, this is set to two.
- Maximum Events Per Grid—Configures the maximum number of rows a single instance of Event Viewer will display. The default is 250,000 alarms, and it can be set to any value from 1 to 4,000,000,000.
- Event Batching Timeout—Configures how often, in seconds, the Event Viewer is updated during an alarm flood. The default is 0, meaning the Event Viewer is constantly updated with new alarms as they’re generated.
Event Severity Indicator
The Event Severity Indicator section of the Preferences
window enables you to configure the color and icons used to represent the
different signature alarm severities. The colors affect the background of the
Count field for each alarm. You can also change the icon used to represent the
severity listed for each alarm. The default colors and icons used for each
severity are listed in Table 26-4.
Severity Mapping
Alarms are assigned a level of severity from one to five.
These alarm levels are mapped to a severity of Low, Medium, or High. Table 26-2 shows
the default mapping of alarm levels to severity levels. You can change the
default mapping of alarm levels to severity levels using the Severity Mapping
section of the Preferences window.