Sorting and filtering event log data

  • Article

Applies To: Forefront Client Security

You can perform simple sorting of events in the default Events view in the MOM Operator console. You can also create a custom view that displays only events that are relevant to Client Security.

To sort event log data in the MOM Operator console

  1. On the Client Security collection server, open the MOM Operator console. By default, the view selected is Alerts.

  2. In the lower half of the navigation pane, click Events. The console displays a list of events in the upper half of the details pane and information about the currently selected event in the lower half of the pane.

  3. Above the list of events, click the column by which you want to sort the events. To find Client Security events in the default Events view, click the Source column and look for alerts from the Client Security sources: FcsSas, FCSAM, and Microsoft Forefront Client Security.

To filter event data with a custom view

  1. On the Client Security collection server, open the MOM Operator console. By default, the view selected is Alerts.

  2. In the lower half of the navigation Pane, click My Views. The upper half of the navigation pane displays a list of your views.

  3. Right-click the All My Views root node, click New, and then click Events View.

  4. Use the Create New - Events View dialog box to create a view that filters event data in a way that is useful to you. To do so, select the type of event view you want and configure the criteria. Suggested event view types are as follows:

    • Events that generated alerts—Limits the custom event view to only those events that generated alerts, such as events that generated a "Computer Infected - Failed Response" alert. This view type does not limit the events to Client Security sources only.

    • Events from a specified source—Limits the custom event view to only those events from a source you name. You can specify only one source per custom event view. This view type does not limit the events to those that generated alerts.

    • Events that satisfy specified criteria—Limits the custom event view to events that meet criteria you specify. For example, you can limit events to a specified source and to those that generated an alert. You can specify only one source name per custom event view.

    You can use the new custom event view as needed to view events filtered by the criteria you specified.