Documentation forSecurity Event Manager

The SEM legacy Flash console

To open the SEM console, see Log in to the SEM web console or Log in to the SEM Console for steps.

The SEM legacy Flash console displays normalized information about the events on your monitored devices in real time. The items in this section address how to use the SEM console to view, respond to, and search for these events on a day-to-day basis. Unless otherwise stated, the functionality described in this section is identical between the web and desktop consoles.

Click the video icon for a video tour of the SEM console.

Console views

The console is organized into functional areas called views. These views organize and present different information about the components that comprise the SEM system.

You can access six top-level views in the console.

  • Ops Center provides a graphical representation of your log data. It includes several widgets that help you identify problem areas and show trends in your network. You can select additional widgets from the widget library or add custom widgets that reflect your log activity.
  • Monitor displays events in real time as they occur in your network. You can view the details of a specific event or focus on specific types of events. This view also includes several widgets to help you identify trends or anomalies that occur in your network.
  • Explore provides tools for investigating events and related details.
    • Select nDepth to search or view event data or log messages.
    • Select Utilities to view additional utilities, such as Whois and NSlookup.
  • Build creates user components that process data on the SEM Manager.
    • Select Groups to build and manage groups.
    • Select Rules to build and manage policy rules.
    • Select Users to add and manage console users.
  • Manage manages properties for appliances and nodes.
    • Select Appliances to add and manage appliances.
    • Select Nodes to add and manage Agents.
  • Analyze is a placeholder for future improvements.


Grids are used throughout the console. Using grids, you can perform common tasks such as selecting rows and grid cells, resizing grid columns, rearranging grid columns, and sorting a grid by columns.

Rearrange grid columns

Rearrange the grid column order to meet your needs. The columns remain in your set order until you exit the console. When you reopen the console, the columns return to their default order.

To rearrange a grid column, click and drag the column header to a new position.

Sort a grid by columns

Sort grid data in each view by clicking the column headers. Each column can be sorted in ascending or descending order.

To sort a grid by one column, click the selected column header. The ▲ indicates sorting in ascending order (from A to Z). The ▼ indicates sorting in descending order (from Z to A).

In the Monitor view, you can sort a grid by multiple columns by pressing the Ctrl key and clicking each column header. The sorting order number is displayed next to ▲ or ▼ in each selected column.

Before you sort the Monitor view event grid, click Pause to stop the incoming event traffic. Click Resume to start the incoming event traffic.

SEM console grid column and data field descriptions

The following table explains the meaning of each grid column or data field that can appear in various alert grids, event grids, and information panes throughout the console. The actual columns and fields that are shown vary according to the alert, view, or grid you are working with. But the meaning of these fields remains the same, regardless of where you see them.

For convenience, the fields are listed in alphabetical order.

Grid Column or Field Description


The name of the event.


The name of the dial-up or VPN connection.


The status of the dial-up or VPN connection.


The destination IP address of the network traffic.


The destination port number of the network traffic.


The source network node for the alert data. This is usually a Manager or an Agent and is the same as the InsertionIP field. It can also be a network device, such as firewall or an intrusion detection system that may be sending log files over a remote logging protocol.


The time the network node generated the data. This is usually the same as the InsertionTime field, but they can differ when the Agent or Manager is reading historical data, or if a network device has an incorrect time setting.


A short summary of the alert details. Additional details appear in the following fields, but EventInfo provides enough information to view a “snapshot” of the alert information.


Additional information relevant to the alert, but not reflected in other fields. This can include information useful for correlating or summarizing alert information in addition to the EventInfo field.


The node the log message came from (the SEM or Agent that collected the message for forwarding to nDepth).


The originating network device (if different than the node) that the message came from. Normally, Host and HostFromData are the same, but in the case of a remote logging device (such as a firewall) this field reports the original remote device's address.


The name of the correlation that caused this alert. The InferenceRule field will generally be blank, but in cases where the alert was related to a rule, it displays the rule name.


The Manager or Agent that first created the alert. This is the source that first read the log data from a file or other source.


The time the Manager or Agent first created the alert. This time indicates when the data was read from a log file or other source.


The IP address associated with the alert. This is a composite field, drawn from several different alert fields. It shows all the IP addresses that appear in alert data.


The name of the Manager that received the alert. For data generated from an Agent, this is the Manager the Agent is connected to.


In the Event explorer’s event grid, the Order field indicates when each event occurred:

Indicates the event occurred before the central event shown in the event map.

Indicates the event occurred during (as part of) the central event shown in the event map.

Indicates the event occurred after the central event shown in the event map.


Displays the protocol associated with this alert (TCP or UDP).


A unique identifier for the original data. Generally, the ProviderSID field includes information that can be used in researching information on the alert in the originating network device vendor's documentation.


The IP address the network traffic is coming from.


The port number the network traffic is coming from.


The Alias Name entered when configuring the connector on the Manager or Agent.


The actual connector that generated the log message.


Connector category for the connector that generated the log message.


The user name associated with the alert. This is a composite field, drawn from several different alert fields. It shows all the places that user names appear in alert data.