I need to generate views for PCI compliance 10.2.x related to network and firewall devices (all Cisco IOS and ASA). I have created a group containing all the relevant devices and I can see that all the events are properly parsed using the built-in parser for Cisco IOS and Cisco ASA devices. I can see in the parsed events that login/logoff events are present, events related to configuration changes are present, and so on; nothing is reported as "unknown event".
If I choose any of the predefined views under Compliance>PCI, the result is always an empty dashboard regardless of the time frame chosen (even selecting "All").
I don't expect this to work out-of-the-box but I'm also not expecting to have to start completely from scratch... How can I troubleshoot this issue? Is there a way to see what queries the PCI predefined views do?
Click on "Edit Current View" and on the right pane click on "Edit Query". That's how I troubleshoot and investigate views.