1. Field of the Invention
Embodiments of the present invention pertain to event handling devices that generate event logs, and specifically to generating rules to handle events.
2. Related Art
Event handling devices are common. Such devices apply a particular set of rules to a given situation: when a particular set of circumstances arises, one or another of the rules in the rule set is applicable to those circumstances. One area in which such event handling devices are often used is that of network security appliances, for example an ASA/PIX/FWSM firewall.
Network security appliances are connected to a network, or several networks, through designated interfaces. Network traffic flow through the security device is governed by the application of a set of related rules, or an interface instruction set. These interface instruction sets, in turn, are made up of many rules. The rules specify, for example, what traffic is allowed to go where, and using which protocol. Because the application of these rules to network traffic is of interest, the outcome of each individual application of a rule, called an event, is recorded in a system log, or syslog.
Many hundreds of types of syslogs are likely to be generated by a complex event handling device such as a firewall. While some of these syslogs are routine notifications of intended applications of rules, others represent an error or misconfiguration, often in the network or in the device itself. In order to troubleshoot these errors, the syslogs must be examined. In some cases, once a syslog corresponding to an error is identified, a new rule for the event handling device must be crafted by a user to address that particular situation.
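As an added illustration, not part of the patent text, the following Python sketch walks through the log-handling step the background describes: parsing firewall syslog events, separating routine notices from those that warrant attention, and drafting a candidate rule for a repeated ACL deny that an operator would then review. The simplified ASA-style message format, the message IDs, the interface names and the addresses are constructed for the sample and are assumptions, not values taken from the patent.

```python
import re
from collections import Counter

# Constructed sample in a simplified ASA-style syslog format (assumed; not from the patent).
# 302013/302014 stand for routine connection build/teardown notices; 106023 for an ACL deny.
SAMPLE_SYSLOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.7/443 to inside:10.0.0.5/51000
%ASA-4-106023: Deny tcp src inside:10.0.0.5/51001 dst dmz:192.0.2.10/5432 by access-group "inside_in"
%ASA-4-106023: Deny tcp src inside:10.0.0.5/51002 dst dmz:192.0.2.10/5432 by access-group "inside_in"
%ASA-4-106023: Deny udp src inside:10.0.0.9/53000 dst outside:198.51.100.53/53 by access-group "inside_in"
%ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/443 to inside:10.0.0.5/51000 duration 0:00:05 bytes 2310
"""

SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)")
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/\d+ "
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

def parse_events(text):
    """One event per syslog line: severity (0 = most severe), message ID, message body."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            events.append({"severity": int(m["sev"]), "id": m["id"], "msg": m["msg"]})
    return events

def triage(events, max_severity=4):
    """Split routine notices (informational and below) from events that need a look."""
    needs_attention = [e for e in events if e["severity"] <= max_severity]
    routine = [e for e in events if e["severity"] > max_severity]
    return needs_attention, routine

def denied_flows(events):
    """Count ACL-deny events by (acl, proto, src, dst, dport) so repeats stand out."""
    flows = Counter()
    for e in events:
        d = DENY_RE.match(e["msg"]) if e["id"] == "106023" else None
        if d:
            flows[(d["acl"], d["proto"], d["src"], d["dst"], d["dport"])] += 1
    return flows

def candidate_rules(flows, min_hits=2):
    """Draft a permit ACE per repeated deny; the operator reviews it before it is applied."""
    return [
        f"access-list {acl} extended permit {proto} host {src} host {dst} eq {dport}"
        for (acl, proto, src, dst, dport), n in flows.items() if n >= min_hits
    ]
```

A single deny is left out of the drafts on purpose: one blocked packet is as likely to be noise as a misconfiguration, and the page's point is that a human decides which events justify a new rule.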