Real-Time Event Viewer

Viewing Log Messages in the Real-Time Event Viewer

The Real-Time Event Viewer displays log messages as they are received by the Check Point Collector, Cisco IDS Collector, Network Collector, Oracle Database Collector, WinLog Collector, or Advanced Windows Collector for your Manager. The Real-Time Event Viewer can be a useful tool for troubleshooting problems with your Log Sources. For example, you can quickly verify that TLC is successfully collecting log messages from a Log Source.

To view log messages in the Real-Time Event Viewer:

1. In the side bar, select Events > Real-Time Event Viewer.
2. At the top of the Real-Time Event Viewer, enter filter criteria to specify the log messages to be displayed in the viewer (see Table 74).
3. Click Start.

The Real-Time Event Viewer presents a scrolling list of the Collector's log messages in the workspace (see Table 75).

To stop the Real-Time Event Viewer, click Stop.

To reset the filter criteria fields, click Clear.

To save the displayed log messages in a CSV file, click Save.

Tips 

For busy Log Sources, the Real-Time Event Viewer will display log messages almost immediately. If you do not see any log messages for a Log Source, you can perform an action on the Log Source's host that prompts the creation of a log message. For example, you could log into the host, enter the configuration mode, and make a harmless, minor configuration change.

When the Real-Time Event Viewer is running, you can enable and disable the Scrolling, Resolve IPs, and Wrap Text filter criteria to change the display of log messages.

Table 74. Real-Time Event Viewer filter criteria

Field

Description

Message-content filter

Limits the Real-Time Event Viewer to log messages containing specified text (e.g. "logon" or "administrator"). By adding a .NET regular expression to the specified text, you can further limit the Real-Time Event Viewer to log messages that 1) contain the specified text, and 2) satisfy the condition(s) specified by the regular expression.

For example, if you enter the following criteria in the Message-content filter field, TLC will limit the Real-Time Event Viewer to log messages that 1) contain the string "administrator," or 2) satisfy the Process(1|2|3) regular expression: 

administrator || Process(1|2|3)

IP-address filter

A .NET regular expression for the IP address(es) of Log Sources. If a message's Log Source does not have an address that matches the expression, the Real-Time Event Viewer will not display the log message.

Collector

The Collector for which log messages will be displayed.

Messages displayed per second

Limits the rate, in events per second (EPS), at which the Real-Time Event Viewer displays log messages.

Auto-scroll

If enabled, the Real-Time Event Viewer automatically scrolls down the list of log messages as they are received.

Resolve IP addresses

If enabled, the Real-Time Event Viewer resolves the IP addresses of Log Sources and displays the host name in the Host Name column.

Wrap text

If enabled, the Real-Time Event Viewer wraps the content of log messages displayed in the Message column.
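
The IP-address filter in Table 74 takes a .NET regular expression, so a pattern with unescaped dots and no anchors can select more Log Sources than intended. The following PowerShell sketch is an added example, not part of the product or its documentation; it checks candidate patterns against a list of addresses with the .NET regex engine. It assumes the viewer applies the pattern as an unanchored search (as [regex]::IsMatch does), and the function name, addresses and patterns are constructed for illustration.

```powershell
# Added example: check a candidate IP-address filter against known Log Source
# addresses with the .NET regex engine before entering it in the viewer.
# Assumption: the viewer applies the pattern as an unanchored search, the way
# [regex]::IsMatch does. Test-IpFilter is a hypothetical helper name.

function Test-IpFilter {
    param(
        [Parameter(Mandatory)] [string]   $Pattern,
        [Parameter(Mandatory)] [string[]] $Addresses
    )
    $regex = [regex]::new($Pattern)   # throws on a malformed pattern
    foreach ($address in $Addresses) {
        [pscustomobject]@{
            Pattern = $Pattern
            Address = $address
            Shown   = $regex.IsMatch($address)   # would the viewer display it?
        }
    }
}

# Constructed sample: the intent is to watch only Log Sources in 10.1.2.0/24.
$logSources = '10.1.2.5', '10.1.2.50', '10.1.20.5', '110.1.2.5', '10.182.5.9'

# Two candidate filters for the same intent.
$candidates = [ordered]@{
    'unescaped dots, no anchors' = '10.1.2.'
    'escaped and anchored'       = '^10\.1\.2\.\d{1,3}$'
}

foreach ($name in $candidates.Keys) {
    "--- $name : $($candidates[$name])"
    Test-IpFilter -Pattern $candidates[$name] -Addresses $logSources |
        Format-Table Address, Shown -AutoSize | Out-String
}
```

A filter that is too narrow hides messages just as silently as one that is too broad adds noise, so compare the Shown column against the Log Sources you expect before concluding that a source is not reporting.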

Table 75. Columns in the Real-Time Event Viewer

Column

Description

Timestamp

The date and time when the Collector created a log message.

IP

The IP address of the Log Source that created a log message.

Host Name

By default, the IP address of the Log Source. If Resolve IPs is selected in the filter criteria, this column displays the resolved host name of the Log Source.

Message

The content of a log message.