LogLogic Users Guide - TIBCO Software...The LogLogic Users Guide is an operational guide for the...
LogLogic, Inc. Proprietary and Confidential
LogLogic
Users Guide
Software Release: 5.1
Document release: December 2010
Part No: LL41000-00E05100000
This manual supports LogLogic software release 5.1 and above releases until replaced by a newer edition.
LogLogic, Inc.
110 Rose Orchard Way, Suite 200, San Jose, CA 95134
Tel: +1 408 215 5900
Fax: +1 408 774 1752
U.S. Toll Free: 888 347 3883
Email: [email protected]
www.loglogic.com
© 2004 — 2010 LogLogic, Inc.
Proprietary Information
This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.
Trademarks
"LogLogic" and the LogLogic logo are trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company product names are trademarks or registered trademarks of their respective owners.
Notice
The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.
Users Guide
Contents
Preface: About This Guide
Related Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Documentation Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Chapter 1: Using LogLogic Appliances
LogLogic Appliance Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Appliance User Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
LogLogic Product Families . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
LogLogic LX Product Family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
LX Benefits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
LogLogic MA Product Family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
MA Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
LogLogic MX Product Family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
MX Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
LogLogic ST Product Family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
ST Benefits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Scalable Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Chapter 2: Viewing Dashboards
Viewing System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Viewing Multiple Systems Status (Management Station) . . . . . . . . . . . . . . . . . . . . . . . . . 27
Viewing Message Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Viewing CPU Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Viewing Log Source Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Viewing Unapproved Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Viewing Recent Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Viewing Log Source Data Trend . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Managing Your Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Widget Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
About My Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Managing Widgets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Managing Summary Widgets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Managing Trend Widgets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Managing Alert Widgets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Managing System Widgets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Defining your Dashboard Canvas Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Chapter 3: Viewing Real Time Log Messages
Accessing and Selecting Real Time Messages to View . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Viewing Log Messages in Real Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Chapter 4: Searching Collected Log Messages
Search Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Using and Creating All Index Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Using Index Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Search Expression Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Running an Index Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Selecting Specific Log Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Select Time Frame for an Index Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Using the Search Results Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Viewing Index Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Configuring Search Results Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Managing Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Viewing Index Search Results In Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Saving Search Results. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Viewing Trends . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Using the Search History Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Saving an Index Search as a Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Running a Previously Saved Search Expression. . . . . . . . . . . . . . . . . . . . . . . . . . 85
Using the Search Filters Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Using the Clipboard Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Adding a New Clipboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Viewing or Editing Clipped Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Deleting Clipped Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Tag-Based Searches Using the Tag Picker Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Using Regular Expression Search. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Viewing Pending and Running Searches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Viewing Running Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Viewing Pending Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Viewing RegEx Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Viewing Finished Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Using Search Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Adding a Search Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Search Filter Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Use Words . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Use Exact Phrase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Regular Expression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Boolean Expression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Putting Your Logins Search Filter to Work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Adding Additional Parameters to a Pre-Defined Regular Expression Search Filter . 101
Modifying a Search Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Viewing Archived Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Viewing Archived Data Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Verifying the SHA Digest on Data Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Listing Archived Passive (Non-Parseable) Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Chapter 5: Creating and Managing Alerts
Viewing and Handling Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Managing Alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Preconfigured System Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Adding a New Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Parsed Data Alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Modifying or Removing An Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Chapter 6: Generating Real-Time Reports
Preparing a Real-Time Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Select a Source or Sources and Search Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Schedule and Run a Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Resize & Move Columns, Create Charts, Print and Download a Report . . . . . . . 121
Modify Report Settings and Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Saving a Generated Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Rerunning a Saved Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Generating a Report—An Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Available Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Access Control Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Permission Modification Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
User Access Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
User Authentication Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
User Created/Deleted Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
User Last Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Windows Events Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Network Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Accepted Connections Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Active FW Connections Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Active VPN Connections Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Application Distribution Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Denied Connections Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
FTP Connections Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
VPN Access Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
VPN Sessions Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
VPN Top Lists Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Web Cache Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Web Surfing Activity Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Database Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
All Database Events Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Database Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Database Data Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Database Privilege Modifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Database System Modifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Operational Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
All Unparsed Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Security Events Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
System Events Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
VPN Events Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
IBM i5/OS Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
All Log Entry Types Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
System Object Access Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
User Access By Connection Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
User Actions Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
User Jobs Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Threat Management Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
IDS/IPS Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Mail Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Mail Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Mail Delay Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Mail Size Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Exchange 2000/03 SMTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Policy Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Rules/Policies Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Check Point Policies Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Network Policies Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Chapter 7: Message Signatures
Creating Message Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Chapter 8: Tag Catalog
Field Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Event Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Chapter 9: Dynamic Groups
Add Device Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Chapter 10: Setting User Preferences
Viewing Your LogApp Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Changing Login Landing Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Changing LogApp Account Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Appendix A: Syslog Host Field Character Sets
Syslog Header Character Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Index
PREFACE
About This Guide
The LogLogic Users Guide is an operational guide for the LogLogic Appliances. It covers topics related to managing reports, managing alerts, and performing searches to manage and use the log data collected and aggregated from all types of source systems in your enterprise.
Related Documents
The LogLogic documentation is available on the Solutions CD or on the LogLogic Technical Support website – www.loglogic.com/services/support. The documentation includes Portable Document Format (PDF) files and Online Help accessible from the LogLogic user interface.
To read the PDF documentation, you need a PDF file viewer such as Adobe Acrobat Reader. You can download the Adobe Acrobat Reader at http://www.adobe.com.
The following documents contain additional information about the LogLogic Appliances:
LogLogic Release Notes — Provides information specific to the release including product information, new features and functionality, resolved issues, known issues and any late-breaking information. Check the LogLogic support web site periodically for further updates.
LogLogic Upgrade Guide — Describes how to upgrade the LogLogic Appliance software.
LogLogic Quick Start Guide — Describes how to get started with your LogLogic Appliance. In addition, the guide includes details about the Appliance hardware.
LogLogic LX 2010N Quick Start Guide — Describes how to get started with the LogLogic LX 2010N NEBS-compliant Appliance, and includes details about the Appliance hardware.
LogLogic Administration Guide — Describes how to administer the LogLogic solution including managing users, managing log data storage, and managing new log sources (devices).
LogLogic Management Appliance Guide — Describes how to manage multiple distributed Appliances using an MA 2010 Appliance.
LogLogic Log Source Configuration Guides — Describe how to support log data from various log sources. There is a separate manual for each supported log source. These documents include documentation on LogLogic Collectors as well as documentation on how to configure log sources to work with the LogLogic solution.
LogLogic Collector Guides — Describe how to implement support for using a LogLogic Collector for specific log sources such as IBM i5/OS and ISS Site Protector.
LogLogic Web Services API Implementation Guide — Describes how to implement the LogLogic Web Services APIs to manage reports, manage alerts, perform searches, and administer the system.
LogLogic Syslog Alert Message Format Quick Reference Guide — Describes the LogLogic Syslog alert message format.
LogLogic Online Help — Describes the Appliance user interface, including descriptions for each screen, tab, and element in the Appliance.
Technical Support
LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.
To reach the LogLogic Support team:
Telephone:
Toll Free — 1-800-957-LOGS
Local — 1-408-834-7480
Europe, Middle East, Africa (EMEA) or Asia Pacific (APAC): +44 (0) 207 1170075 or +44 (0) 8000 669970
Email: [email protected]
Support Website: www.loglogic.com/services/support
When contacting Customer Support, be prepared to provide the following information:
Your name, e-mail address, phone number, and fax number
Your company name and company address
Your machine type and release version
Serial number located on the back of the Appliance or the eth0 MAC address
A description of the problem and the content of pertinent error messages (if any)
Documentation Support
Your feedback on LogLogic documentation is important to us. Send e-mail to [email protected] if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team.
In your e-mail message, please indicate the software name and version you are using, as well as the title and document date of your documentation.
Conventions
LogLogic documentation uses the following conventions:
Caution: Highlights important situations that could potentially damage data or cause system failure.
IMPORTANT! Highlights key considerations to keep in mind.
Note: Provides additional information that is useful but not always essential.
Tip: Highlights guidelines and helpful hints.
This guide also uses the following conventions to highlight code and command-line elements:
Monospace is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as file names, directories, paths, and URLs).
Monospace bold is used to distinguish system prompts or screen output from user responses, as in this example:
username: system
home directory: home\app
Monospace italic is used for placeholders, which are general names that you replace with names specific to your site, as in this example:
LogLogic_home_directory\upgrade\
Straight brackets signal options in command-line syntax.
ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path ...]
Using LogLogic Appliances : LogLogic Appliance Overview
CHAPTER 1:
Using LogLogic Appliances
LogLogic Appliance Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Appliance User Functions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
LogLogic Product Families . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
LogLogic Appliance Overview
Log data can comprise up to 25 percent of all enterprise data. Log data also contains critical information that can improve security, compliance and availability. Until now most companies have relied on ineffective and inefficient homegrown solutions and manual processes to manage this data.
LogLogic provides the industry's first enterprise class, end-to-end log management solution. Using LogLogic log management solutions, IT organizations can analyze and archive network log data for the purpose of compliance and legal protection, decision support for network security remediation, and increased network performance and improved availability.
LogLogic log management Appliances simplify, automate, and reduce the cost of log data aggregation and retention, eliminating the need for servers, tape libraries, and archival administrators. If the network grows, simply rack and stack additional Appliances as needed.
Appliance User Functions
There are two primary user types on a LogLogic Appliance:
User – monitors Appliance operations, runs searches, manages alerts, and creates and runs reports based on collected data
Administrator – configures and maintains the Appliance itself, including managing log sources, user accounts, Appliance configurations, running backups, and more
Depending on access permissions, a user can perform User functions, Administrator functions, or both. This manual describes User tasks and functions. For Administrator information, see the LogLogic Administration Guide.
Release 5.0 introduces a new GUI for the LogLogic Appliance. Reports, Search, and Alert functions can be opened by clicking their respective icons on the home page or by clicking their buttons on the top menu on the home page. See Figure 1 on page 12.
Dashboard, Management, and Administration functions for the Appliance are opened by clicking their buttons on the top menu on the home page. See Figure 2 on page 13.
Online Help can be opened by clicking the Help button on any page. Brief video tutorials provide tips and guidance by example for many new LogLogic features. Tutorials can be accessed from the home page and from certain application pages. Familiarize yourself with LogLogic 5 by viewing the tutorials presented on the New Features Overview page.
Figure 1 LogLogic Appliance Home Page
The Appliance GUI provides access to all Administrator and User functions. Administrators can perform all functions on the Appliance, while Users are limited to the functions that have been assigned to them by the System Administrator.
Note: The functions in the navigation menu vary depending on the Appliance product family. For example, an ST Appliance displays fewer options than the LX Appliance because certain features are not available on ST Appliances. In addition, Database Activity (under Reports > Database Activity) may show different entries, depending on the Log Source Packages (LSPs) installed.
Note: For all text fields throughout the UI, null is not a valid entry.
Figure 2 Dashboards – System Status
In addition to documentation, the LogLogic Appliance is supported by comprehensive, context-sensitive online Help, which can be opened from any UI page in the application. Clicking the question mark (?) opens Help for the particular tab that is highlighted – in this case, System Status. Clicking the word Help (above the question mark) opens the entire online Help repository, plus a Table of Contents, an Index, and a Search function within Help. Take a moment to explore Help to discover the rich content offered there.
Figure 3 shows the various Reports categories and subcategories.
Figure 3 Reports Menu
Figure 4 shows the Reports Access Control templates.
Figure 4 Reports Menu – Templates
Figure 5 shows the Search menu options.
Figure 5 Search Menu
Figure 6 shows the Alerts menu options.
Figure 6 Alerts Menu
Figure 7 shows the Management menu options.
Figure 7 Management Menu
Figure 8 shows the Administration menu options.
Figure 8 Administration Menu
Figure 9 shows the admin menu.
Figure 9 admin Menu
LogLogic Product Families
LogLogic offers six families of products to provide better, faster and smarter log management, database security, and regulatory compliance solutions to corporations:
LogLogic LX Appliances are purpose-built Appliances for real-time log data collection and analysis. These Appliances slash response times to network security and utilization incidents, boost IT productivity, and reduce the corporate cost of security and performance event remediation.
LogLogic MA Appliances provide centralized management of multiple remote LogLogic Appliances. These Appliances let you monitor multiple Appliances at once, to view alerts for managed Appliances, generate reports on individual or all managed Appliances, and to remotely administer managed Appliances.
LogLogic MX Appliances perform real-time log data collection and analysis ideal for mid-size and large companies. These Appliances slash response times to network security and utilization incidents, boost IT productivity, and are optimized to provide for log data needs in a non-enterprise environment.
LogLogic ST Appliances automate the entire log data archival process, minimizing administration costs while providing more secure log data capture and retention.
LogLogic DSM Appliances give IT security personnel full visibility into user activity on all monitored databases. Users can create custom policies to detect security violations or use out-of-the-box rules to protect against SQL injection, buffer overflow, privilege escalation attacks, and more.
LogLogic Compliance Manager Appliances bring visibility of compliance activity metrics to CIOs and CSOs, and control over activities to the compliance team, permitting them to proactively review the compliance timeliness and compliance posture mandated by Sarbanes-Oxley (SOX) and Payment Card Industry Data Security Standard (PCI-DSS).
LogLogic Appliances provide the highest log collection and analysis performance amongst all log management vendors. Log events are received and indexed in real-time. The LogLogic Appliances have clearly stated metrics that cannot be matched.
LogLogic LX Product Family
Featuring a parallel processing architecture, the LX 510, LX 820, LX 1020, LX 2010 and LX 4020 Appliances centralize log data collection and retention by simultaneously processing raw log data and metalog data at any volume. Distributed real-time reporting and targeted queries let administrators take immediate action on network issues from a centralized management console.
These Appliances help enterprises harness the power of log data for a safer, more reliable network, while reducing corporate IT costs and providing rapid return on investment.
LX Benefits
LX product family Appliances offer the following benefits:
Real-Time Reports, ad-hoc queries and fast drill downs to speed up identification, isolation and repair of security and network incidents
Non-disruptive installation and plug-and-play operation: no changes to network configurations, no integration with other systems, no training required, available in minutes
Self-maintaining, embedded database technology that eliminates the need for DB administration
To view photographs of the LX Appliance layout, see the LogLogic Quick Start Guide.
LogLogic MA Product Family
MA 1020 and MA 2010 Appliances provide centralized management of multiple distributed LogLogic Appliances (referred to on an MA Appliance as remote products). From a Management Appliance, you can monitor and manage remote products, receive alerts, and search log data collected by the managed Appliances.
These Appliances are ideal for enterprise environments where multiple LogLogic Appliances are distributed in multiple remote locations, and a single centralized view of all the Appliances is needed.
MA Benefits
MA product family Appliances offer the following benefits:
High-level health and status information for all remote LogLogic Appliances
Improved user interface for monitoring remote Appliances
System Alerts from remote Appliances and their log sources
To view photographs of the MA Appliance layout, see the LogLogic Quick Start Guide.
For more information on how to set up, configure, and use the MA to monitor and manage remote products, see the LogLogic Management Appliance Guide.
LogLogic MX Product Family
MX 2010 and MX 3020 Appliances centralize log data collection and retention by simultaneously processing raw log data and metalog data at any volume. Designed specifically for mid-size and large companies, MX Appliances provide the disk space and processing power required for most non-enterprise environments.
MX Appliance features support the need to harness the power of log data for a safer, more reliable network, while reducing corporate IT costs and providing rapid return on investment. MX Appliances are designed for installations where data must be retained longer than LX Appliances provide, but where enterprise features such as failover and managing other log Appliances are not required.
MX Benefits
MX product family Appliances offer the following benefits:
Real-Time Reports, ad-hoc queries and fast drill downs to speed up identification, isolation and repair of security and network incidents
Features and specifications targeted specifically to mid-size and large companies
Self-maintaining, embedded database technology that eliminates the need for DB administration
To view photographs of the MX Appliance layout, see the LogLogic Quick Start Guide.
LogLogic ST Product Family
Available in compact, rack-mountable systems with up to 8 terabytes of compressed on-board storage and interfaces to NAS devices, the ST 1020, ST 2010, ST 3010, and ST 4020 Appliances archive up to 2 years of log data while eliminating the need for servers, tape libraries, and archive administrators.
The ST 2020-SAN (Storage Attached Network) product offers potentially unlimited archive storage.
When used with LogLogic's LX Appliances, ST Appliances guarantee complete and accurate transmission of network equipment logs from anywhere on the enterprise WAN or LAN. ST Appliances feature an n-Tier architecture controlled by a management console that centralizes long-term log data archival while allowing for distributed log analysis and broader data accessibility.
ST Benefits
ST product family Appliances offer the following benefits:
High volume log data aggregation from centralized and remote log data sources
Long-term retention of unaltered, complete, raw log messages at a secure, central location to make archives unimpeachable
Distributed architecture of remote collection and central storage make log data collection and retention infinitely scalable
To view photographs of the ST Appliance layout, see the LogLogic Quick Start Guide.
Scalable Infrastructure
The scalable LogLogic network infrastructure significantly accelerates response time to data center security and availability events, while providing complete log data archives for compliance and legal protection. LogLogic Appliances make log data in enterprise networks truly useful for the first time, improving corporate security, compliance and network availability, while reducing IT costs and costly network downtime, and improving corporate return on IT investment.
CHAPTER 2: Viewing Dashboards
LogLogic Appliances let you monitor a large variety of data to observe the system’s status:
Viewing System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Viewing Multiple Systems Status (Management Station) . . . . . . . . . . . . . . . . . . . . . . . 27
Viewing Log Source Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Viewing Log Source Data Trend . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Managing Your Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Viewing System Status
The System Status tab displays a condensed view of the Appliance's current state, showing current message rate, CPU utilization, database size, alerts, and total message counts.
After you log in to the Appliance, the System Status tab is the default display. An example of the tab is shown in Figure 10 on page 24.
To view system status
1. Choose Dashboards > System Status from the navigation menu.
2. View the following sections on the System Status tab for information about your Appliance’s system status:
Current Message Rate
New Alerts
Disk Usage
CPU Usage
Message Counters
Detailed descriptions for each section are documented in Table 1 on page 24.
3. On LX 510, LX 820, LX 10100, LX 2010, LX 4020, MX 2010, MX 3020, ST 1020, ST 2010, ST 2020-SAN, LX 3010 and ST 4020 Appliances:
Click to expand or collapse a section to display an expanded or condensed version of the section’s status information.
4. Optionally, click the Message Rate tab for a larger view of this graph.
For more information, see Viewing Message Rate on page 30.
5. Optionally, click the CPU Usage graph or the CPU Usage tab for a larger version of this graph.
For more information, see Viewing CPU Usage on page 31.
6. Click to update the system status information for your Appliance.
Figure 10 Dashboards – System Status Tab
Table 1 System Status Tab Elements
Element Description
General information
Uptime Continuous running time since the last reboot of the Appliance.
Date/Time Date and time set on the Appliance.
Software Version LogLogic software release running on the Appliance.
Failover (not visible unless issues are present)
Status of the Management Station cluster’s master and standby Appliances. If issues exist, they are indicated through flags:
C : Cluster_id mismatch
A : Appliance model mismatch
V : Software version mismatch
E : Eligible
H : HA mode
X : eXcluded
O : Out-of-cluster
M : Master
S : Standby
For example, the failover status line Failover: master 10.1.4.6 (wait), standby 10.1.4.7 (flags:__V/EHX/O) means the master is waiting for the standby, and the standby is running the wrong software version, is configured for failover, is eligible for HA, but is excluded, and (as a result of the version mismatch) is out of cluster.
IMPORTANT! Once two Appliances are HA paired, no network settings should be changed.
System Status sections
Current Message Rate
Measured messages per second rate for the last 1, 5, and 15 minute time segments.
Click the 1 MIN, 5 MIN, or 15 MIN heading links to change the Message Rate Graph time scale to 2 hour, 12 hour, and 24 hour time scales, respectively.
When using LogLogic TCP for routing logs to the Appliance, this graph displays spikes of activity every 5 minutes rather than a steadier line. This is because LogLogic TCP transfers data in regularly recurring chunks that are merged on the Appliance, and not continually.
Message Rate Graph (Message Rate tab)
Recent message rate over 1, 5, and 15 minute time segments.
The pink line represents the average number of messages per time segment.
The blue line represents the real-time incoming message rate for your Appliance.
The red line appears when inbound traffic exceeds the preset threshold.
Click the Message Rate tab for a larger view of this graph.
New Alerts (LX/MX only) Number of active alerts over 1, 6, and 12 hour periods categorized by priority.
Disk Usage Current size of the database usage relative to table space allocation. This can be helpful for calculating data retention time tables, by listing Free and Total available usage.
CPU Usage Current CPU utilization for the last 1, 5, and 15 minute time segments.
Click on the 1, 5, and 15 minute headings to change the CPU Usage Graph time scale to 2, 12, and 24 hour time scales, respectively.
CPU Usage Graph Percent CPU utilization over 1, 5, and 15 minute time segments.
Click the CPU Usage Graph or the CPU Usage tab for a larger version of this graph.
Message Counters Statistics on each message category stored in the Appliance since the last boot. The count corresponds to a percentage of the total number of messages received. This is useful in calculating data retention settings and maximum syslog message rates.
Message categories:
Total Received—Total number of incoming messages for all categories.
Processed—Total number of messages received and parsed into the database.
Unapproved—Messages received from a log source that is not in the Manage Devices table. These messages are discarded. The most recent 100 messages are accessible from the Data Sources screen. (If auto-identify is on, all messages are auto-identified and no messages are unapproved.)
Skipped—Total number of messages ignored by the Appliance due to a syntactic flaw in the message.
Dropped—Total number of messages recognized but not processed due to network congestion or a corrupted syslog message.
The following appear only on LX and MX Appliances:
Total Parsed—Total number of incoming messages parsed for all categories.
Accepted IP—Total number of messages indicating successful connections through the firewall. For example, PIX® Message Numbers - 302013-302016.
Denied IP—Total number of messages indicating denied access by the firewall. For example, PIX Message Numbers - 106001, 106006, 106007, 106015, 106023.
Security—Total number of messages to be recorded in the Security Event Log report.
System—Total number of messages to be recorded in the System Event Log report.
Generic—Total number of flawed messages received from an approved source. These messages are discarded.
URL—Total number of messages to be recorded to the Web Surfing Activity report.
FTP—Total number of messages to be recorded in the FTP Connections report.
Auth/Access—Total number of messages to be recorded in the VPN Events report.
Other—Any message that is not included in the other listed categories.
Updates the system status information for your Appliance.
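The Failover row of Table 1 packs the cluster state into single-letter flags, and a status line such as the one quoted there is easy to misread under pressure. The following Python parser is an added example, not part of the original guide: it decodes such a line into its fields and lists the problem flags. It assumes the layout of the guide's example line, with unset flags shown as underscores in the fixed order C A V / E H X / O and an optional note such as "(wait)" after an address; both assumptions are marked in the code.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Flag letters as listed for the Failover row of the System Status tab (Table 1).
FLAG_MEANINGS: Dict[str, str] = {
    "C": "cluster_id mismatch",
    "A": "appliance model mismatch",
    "V": "software version mismatch",
    "E": "eligible",
    "H": "HA mode",
    "X": "excluded",
    "O": "out-of-cluster",
    "M": "master",
    "S": "standby",
}

# Flags whose presence means the pair is not fully protecting you, in table order.
PROBLEM_FLAGS = ("C", "A", "V", "X", "O")

# Assumption: the line looks like the guide's example,
#   Failover: master 10.1.4.6 (wait), standby 10.1.4.7 (flags:__V/EHX/O)
# where the parenthesised note after either address is optional.
_LINE_RE = re.compile(
    r"^\s*Failover:\s*master\s+(?P<master_ip>[^\s(,]+)\s*(?:\((?P<master_note>[^)]*)\))?\s*,"
    r"\s*standby\s+(?P<standby_ip>[^\s(,]+)\s*(?:\((?P<standby_note>[^)]*)\))?\s*$"
)


@dataclass
class FailoverStatus:
    master_ip: str
    master_state: Optional[str]
    standby_ip: str
    standby_state: Optional[str]
    master_flags: List[str] = field(default_factory=list)
    standby_flags: List[str] = field(default_factory=list)

    def problems(self) -> List[str]:
        """Problem flags that are set, as 'role: meaning' strings in table order."""
        found = []
        for role, flags in (("master", self.master_flags), ("standby", self.standby_flags)):
            found.extend(f"{role}: {FLAG_MEANINGS[f]}" for f in PROBLEM_FLAGS if f in flags)
        return found

    def healthy(self) -> bool:
        """True when no problem flag is set and the standby is eligible and in HA mode."""
        return (
            not self.problems()
            and "E" in self.standby_flags
            and "H" in self.standby_flags
        )


def parse_flags(note: str) -> List[str]:
    """Decode 'flags:__V/EHX/O' into the set letters ['V', 'E', 'H', 'X', 'O'].

    Assumption: '_' marks an unset position and '/' separates the groups, so both
    are dropped. An unknown letter raises so a changed format is noticed, not ignored.
    """
    body = note.split(":", 1)[1]
    flags = [c for c in body if c not in "_/"]
    unknown = [c for c in flags if c not in FLAG_MEANINGS]
    if unknown:
        raise ValueError(f"unknown failover flag(s): {unknown}")
    return flags


def _split_note(note: Optional[str]) -> Tuple[Optional[str], List[str]]:
    """A note is either a state word such as 'wait' or a flags block."""
    if note is None:
        return None, []
    if note.startswith("flags:"):
        return None, parse_flags(note)
    return note.strip(), []


def parse_failover_line(line: str) -> FailoverStatus:
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a failover status line: {line!r}")
    master_state, master_flags = _split_note(m.group("master_note"))
    standby_state, standby_flags = _split_note(m.group("standby_note"))
    return FailoverStatus(
        master_ip=m.group("master_ip"),
        master_state=master_state,
        standby_ip=m.group("standby_ip"),
        standby_state=standby_state,
        master_flags=master_flags,
        standby_flags=standby_flags,
    )


if __name__ == "__main__":
    # Constructed samples: the guide's own example line, then a healthy pair.
    for sample in (
        "Failover: master 10.1.4.6 (wait), standby 10.1.4.7 (flags:__V/EHX/O)",
        "Failover: master 10.1.4.6, standby 10.1.4.7 (flags:___/EH_/_)",
    ):
        status = parse_failover_line(sample)
        print(sample)
        print("  healthy:", status.healthy(), "problems:", status.problems())
```

Run against the guide's example the parser reports the version mismatch, the exclusion and the out-of-cluster state; a line that fails to match raises instead of silently reporting a healthy pair.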
Viewing Multiple Systems Status (Management Station)
The Management Station System Status is the fastest way to view the condition and status of your Appliances as traffic flows through your system. You can use this information to provide for rapid reporting to the operations staff and acquire information about syslog messages at any particular time. (See Figure 11.)
The System Status information uses a proprietary technology for optimizing and then collecting security data for immediate use. Administrators can monitor the CPU usage when necessary to check on its congestion.
Figure 11 Dashboards - Management Station Status
After you log in to the Appliance, the Dashboards > Management Station tab is the default display. An example of the tab is shown in Figure 12 on page 28.
To view system status using a Management Station
1. Choose Dashboards > Management Station from the navigation menu.
2. View the following sections on the Management Station tab for information about an Appliance’s status:
Message Statistics
Message Rate
New Alerts
Message Counters
For detailed descriptions of each section, see Table 2 on page 28.
3. Click to view updated status information for the Appliance.
Figure 12 Management Station Status Screen
Table 2 Management Station Screen Elements
Element Description
General information
Software Version Management Station Appliance’s software version.
Displays the Help topic for this tab.
Management Station sections
Appliances Lists the Appliances in your Management Station cluster.
To view the System Status for an Appliance, click its name.
A green square indicates the Appliance is online.
A red square indicates the Appliance is offline.
A blank square indicates the Appliance entry is being updated.
Message Statistics Displays the following message statistics:
Total, Processed, Dropped, Unapproved, and Skipped—Message processing information about each managed Appliance.
Click a number in these columns to change the displayed value to the nearest thousand, million, or billion value.
Message Rate/Sec—Message rate, per second, by time segments of 1, 5, and 15 minutes.
Click on the message rate values to set the Message Rate graph to 4, 12, and 24 hour timescales, respectively.
Time Skew—Time delta, in seconds, between the Management Station Appliance and each remote Appliance.
Message Rate Graph
Monitors the rate at which messages are passing through your Appliance.
The Message Rate graph displays the current message rate by time segments of 1, 5, and 15 minutes. For example, 1 min – 100 msgs/sec. On ST Appliances, to the right of the minutes is the number of messages per second (xxx msgs/sec) for the Appliance. The xxx value does not include messages that arrive via the LogLogic TCP protocol.
The pink line represents the average number of messages per time segment.
The blue line represents the real-time incoming message rate for your Appliance.
The red line appears when inbound traffic exceeds the preset threshold.
New Alerts The number of activated alerts, by hour and priority (High, Medium, Low, All).
Click an alert value to show the Aggregated LX or MX Alert Log.
Message Counters Statistics on each message category stored in the syslog database. The count corresponds to a percentage related to the total number of messages received. This is useful in calculating data retention settings and maximum syslog message rates.
The following is a list of message counters:
Total Received—Total number of incoming messages for all categories.
Processed—Total number of messages received and parsed into the database.
Skipped—Number of messages ignored by the Appliance due to a syslog message syntactic flaw.
Unapproved—Messages received from a log source that is not in the Manage Devices table. These messages are discarded. The most recent 100 messages are accessible from the Data Sources screen. (If auto-identify is on, all messages are auto-identified and no messages are unapproved.)
Dropped—Messages recognized but not processed due to network congestion or faulty syntax.
Updates the system status information for your Appliance.
Viewing Message Rate
The Message Rate tab shows the number of messages processed by the Appliance over a 12-hour time period. An example of the tab is shown in Figure 13 on page 30.
To view the message rate of the Appliance
1. Choose Dashboards > System Status from the navigation menu.
2. Click the Message Rate tab to view the Message Rate graph.
3. If you are viewing a larger version of the Message Rate graph, click the back and forward buttons to display the number of messages during a specific time segment.
For additional information about the graph, see Table 3 on page 30.
4. Click to update the Message Rate graph.
Figure 13 Message Rate Tab
Table 3 Message Rate Tab Elements
Element Description
Go back 12 hours.
Go back six hours.
Go forward 12 hours.
Go forward six hours.
Displays the corresponding Help topic.
Message Rate section
<blue line> Real-time message traffic, which includes UDP syslog and/or raw TCP (SyslogNG) traffic.
<pink line> Average rate of the incoming messages for the time segment shown.
<red line> Appears when inbound traffic exceeds the preset threshold.
Updates the Message Rate graph.
Viewing CPU Usage
The CPU Usage tab contains a graph that shows CPU utilization as a percentage over a 12-hour time period. An example of the tab is shown in Figure 14.
To view the CPU usage
1. Choose Dashboards > System Status from the navigation menu.
2. View the CPU usage by doing one of the following in the System Status screen:
View the small graph in the CPU Usage section.
Click on the small graph in the CPU Usage section to view a larger version of the graph.
Click the CPU Usage tab to view a larger version of the graph.
3. If you are viewing a larger version of the CPU Usage graph, click the back and forward buttons to display the number of messages during a specific time segment.
For additional information about the graph, see Table 4.
4. Click to update the CPU Usage graph.
Figure 14 CPU Usage Tab
Table 4 CPU Usage Tab Elements
Element Description
Go back 12 hours.
Go back six hours.
Go forward 12 hours.
Go back 12 hours.
Displays the corresponding Help topic.
CPU Usage section
<blue line> CPU usage in real time.
<pink line> Average CPU percent utilization for the time segment shown. To see a larger version of the screen, click the CPU Usage tab.
Updates the CPU Usage graph.
Viewing Log Source Status
The Log Source Status tab lets you view statistics for each source device. An example of the tab is shown in Figure 15.
To view the log source status
1. Choose Dashboards > Log Source Status from the navigation menu.
2. View the following log status information for each source device:
Name
IP Address
Type
Message Count
Byte Rate/Sec
Description
For detailed descriptions of each item, see Table 5 on page 34.
3. Click to update the view of your devices.
4. Optionally, click to print all the items in the list.
Figure 15 Log Source Status Tab
Log Source Status Descriptions
Table 5 lists and describes the elements in the Log Source Status tab.
Table 5 Log Source Status Tab Elements
Element Description
Saves the report in a CSV format. You should save the file and export it to an Excel spreadsheet for viewing.
Note: The CSV file saves and displays a maximum of 10,000 lines. A generated report can contain more than this number.
Displays the report in HTML format in a new window. You can save the HTML file to your local machine.
Note: The HTML file saves and displays a maximum of 5000 lines. A generated report can contain more than this number.
Saves the report as a PDF file. You can save the PDF file to your local machine. Viewing the generated report as a PDF only works for Adobe Acrobat Reader version 6.0 and higher.
Note: The PDF file saves and displays a maximum of 5000 lines even though the generated report may contain more than this number.
Click to print all the items in the list.
Click to display the corresponding Help topic.
Displays the previous page of detail for the device list.
Displays the next page of detail for the device list.
To display details for a specific page, type a page number and click GO.
Note: For certain pages that display this option, you can only view a set number of rows. To set the number of rows to view, use the Personal Preferences tab.
Log Source Status section (all of the following columns are sortable)
Name Name of your source device.
IP Address IP address for your source device.
Type Type of source device.
Message Count The following types of messages counts:
Total—Total number of messages processed for the specified device.
1 Min—Total number of incoming messages during the previous one minute period.
5 Min—Total number of incoming messages during the previous five minute period.
15 Min—Total number of incoming messages during the previous 15 minute period.
1 Min (Byte Rate/Sec) Byte rate per second for each device during the previous one-minute period.
Description Description you defined for the Source Device in the Administration > Manage Devices > Syslog and Administration > Check Point Devices > Interface tabs.
If you selected the Auto-identify option in the Administration > System Settings > General tab, the system displays that the source device is an auto-identified log source.
Updates the view of your devices. If auto-identify is enabled and the Appliance detects new devices, refreshing displays them in this view.
Advanced Options By default, all of these options are displayed:
Name
IP Address
Type
Total
1 Min
5 Min
15 Min
1 Min (Byte Rate/Sec)
Description
Use the drop-down menu to view options in ascending or descending order.
Deletes all text in the Advanced Options text boxes.
Executes with the defined Advanced Options parameters.
Viewing Unapproved Messages
Use the Unapproved Messages tab to view information on up to 100 of the most recent real-time messages received from a recognized but unapproved source. Unapproved messages are discarded.
Summary data on unapproved messages can be seen from the Dashboards > System Status tab.
Note: Messages from logs routed using LogLogic TCP are not listed here because they are not treated as real-time messages.
To view unapproved messages
1. Choose Dashboards > Log Source Status from the navigation menu.
2. Click the Unapproved Messages tab.
3. Click to update the information.
4. (Optional) Click to print all the messages in the list.
This tab contains the following elements.
Table 6 Unapproved Messages Tab Elements
Element Description
No. Number assigned to the message.
Time Time the message was received.
Firewall IP address of the Appliance through which the message was received.
Message Text of the message.
Viewing Recent Messages
Use the Recent Messages tab to view information on up to 100 of the most recently-received real-time messages. (See Figure 16.)
Note: Messages from logs routed using LogLogic TCP are not listed here because they are not treated as real-time messages.
To view recent messages
1. Choose Dashboards > Log Source Status from the navigation menu.
2. Click the Recent Messages tab.
Figure 16 Recent Messages
3. Click to update the information.
4. (Optional) Click to print all the messages in the list.
This tab contains the following elements.
Table 7 Recent Messages tab descriptions
Element Description
No. Number assigned to the message.
Time Time the message was received.
Firewall IP address of the Appliance through which the message was received.
Message Text of the message.
Viewing Log Source Data Trend
The Log Source Data Trend tab displays graphs of the incoming Syslog data rate in MB from all sources over the last 24 hours. The top graph displays Realtime Logs, and the bottom graph shows File Transfer Logs. Log data that has been fully indexed is represented by blue bars; log data still to be indexed is represented by orange bars. The bar graphs refresh once per minute.
To view log source data trend
1. Choose Dashboards > Log Source Data Trend from the navigation menu.
2. View the Syslog data from all sources within the last 24 hours as shown below.
Figure 17 Log Source Data Trend
Managing Your Dashboard
The My Dashboard menu allows you to customize your Dashboard with visualizations, known as “widgets”, representing Report Results, Search Results, Alerts, and Appliance performance. For example, if you have an Index Search showing web surfing activity within the Intranet, this data can be presented on your Dashboard using the Trend Graph widget, and refreshed periodically with recent data from the Index Search.
The system admin can specify the maximum number of widgets that can be displayed on your Dashboard using the Administration > System Settings > General tab. LogLogic recommends displaying a maximum of 10 widgets on your Dashboard.
Widget Types
You can create different types of widgets to add to your dashboard canvas. The different types are:
Summary: Displays top 10 results from any Report saved with the “Summarized” option. It also displays All Index Reports as well as Index Searches that are grouped by option (except grouped by Time). For details, see Managing Summary Widgets on page 41.
Trend: Displays a trend of Index Search “hits” occurring over a period of 1 day, 1 week or 1 month. For details, see Managing Trend Widgets on page 44.
Alerts: Displays recent triggered alerts matching your specified filters. For details, see Managing Alert Widgets on page 48.
System: Displays Network and File based data ingest trends, Disk usage, and CPU usage utilization. For details, see Managing System Widgets on page 52.
About My Dashboard
By default, the dashboard canvas is empty and does not display any widgets. The Widgets link enables you to add widgets to your dashboard. A new widget is always added on the upper left side on your dashboard canvas. If a widget is already added to the dashboard, you cannot add the same widget to the dashboard again. For detailed information about widgets, see Managing Widgets on page 39.
To view your dashboard
1. Access Dashboards > My Dashboard from the navigation menu.
2. View your My Dashboard canvas as shown below.
Figure 18 My Dashboard
Managing Widgets
The Dashboard is highly customizable with widgets and data of your selection. The Widgets link allows you to view and add existing widgets to your dashboard, create new widgets, edit existing widgets settings, or remove widgets from the system.
Using the drag-drop method, you can change the position of widgets on your Dashboard. Click and drag the widgets title bar to move a widget to a new location on the canvas (see Figure 19). You can also resize any widget by pulling the bottom side of the widget. The system automatically saves your latest widget positions with your LogLogic User Account.
Figure 19 My Dashboard Canvas – Manage Widgets
Depending on the widget type, some widgets display different buttons on the upper right corner of the widget (see Figure 19).
Table 8 lists and describes the widget buttons.
By default, widgets are created exclusively for your use. However, you can share your widgets with others by checking the Shared option on the widget's settings screen. Sharing Report and Search widgets improves system performance, since the underlying data used for the visualization only needs to be created once for all Dashboard views of the widget.
Table 8 Widget buttons
Button Description
Shows the toolbar for that widget. Using this toolbar, you can view different presentation options of the selected report. For example, for Summary widget, you can choose to view Column chart, Bar chart or Table format.
Displays the widget in full screen view. If it is already in full screen view, this will restore the widget to normal size.
Displays the widget’s existing settings. Click the button to open the Edit widget settings window. This allows you to change the widget’s existing settings.
Removes the widget from your Dashboard. However, the widget is still available in the widget list to use on other dashboards.
Selects the color of the widget's graph from a color palette.
Note: From the widget toolbar, this button is available only for certain widget types.
Managing Summary Widgets
The Summary widget provides a focused visualization of the first 10 records returned from the underlying Saved Report query.
Figure 20 illustrates an example of Summary Widget. If you click , the report displays more view options such as Column Chart, Bar Chart, and Table (see Figure 20). For more information on other widget buttons, see Table 8 on page 40.
Figure 20 Summary Widget Example
To add an existing summary widget to your dashboard
Note: If a widget is already added to the dashboard, you cannot add the same widget to the dashboard again.
1. Access Dashboards > My Dashboard > Widgets from the navigation menu.
2. Click the Summary icon. A list of existing summary widgets, if any, is displayed in the second pane.
Figure 21 Summary Widgets - List of Existing Widgets
3. Select the widget from the list. The widget’s settings are displayed for your review in the third pane.
4. Click the Add to Dashboard button to add the widget to your dashboard.
To create a new summary widget
Note: To create a summary widget, you must have the Reporting privileges. For more information about privileges, see Chapter 13, Managing Users in the LogLogic Administration Guide.
1. Access Dashboards > My Dashboard > Widgets from the navigation menu.
2. Click the Summary icon. A list of existing summary widgets, if any, is displayed in the second pane.
3. Click the Create New button to create a new widget. The new widget settings pane appears as shown below.
Figure 22 Create a New Summary Widget
4. Enter the Name and Description of the widget.
5. Select a report from the Report list as explained in Table 9.
6. Specify a Timeframe as explained in Table 9.
Table 9 Summary Widgets Elements
Element Description
Name Name of your widget that is displayed on the widget Title bar.
Description Description of your widget.
Shared Select the checkbox if you want to share your widget with others. However, only the creator can edit this widget's settings.
Selected Displays the selected report from the Report list. When the report is not selected, None is displayed.
Enter text to filter Enter the text to filter Report list and then press Enter.
Filters and refreshes the view of your widgets.
Report list By default, the following columns are displayed:
Type--the report template type, for example, User Access
Name--the name of the report
Description--the description of the report
Click on the column heading to sort the table by that column to view in ascending or descending order.
Users Guide 43
Viewing Dashboards : Managing Your Dashboard
7. Click the Save Settings button to save the widget’s settings. The widget is now listed in the saved widget list. Click Add to Dashboard button to add the widget to your dashboard.Or,Click the Save & Add to Dashboard button to save the settings and add the new widget to your dashboard.
To edit an existing summary widget’s settings
Note: Only the creator of the widget can edit that widget’s settings.
1. Select a widget from the saved widget list (see Figure 22 on page 43).
2. Make the appropriate changes.
3. Click the Save Settings button to save the new settings.
Note: The Save & Add to Dashboard button is available only when the widget is not on your dashboard.
Managing Trend Widgets
The Trend widget displays a trend of Index Search “hits” occurring over a period of 1 day, 1 week or 1 month.
Figure 23 illustrates an example of Trend widget. If you click , the report displays more view options such as Column Chart, and Line Chart (see Figure 23). For more information on other widget buttons, see Table 8 on page 40.
Timeframe section
Run Specify the time frame to refresh the widget’s report results. The options are:
Once every few hours
Once a day
Once a week
Once a month
Note: Depending on the above selected Run option, the corresponding following fields may change. For example: If you select Once a week option, specify time, and day of the week.
Specify the appropriate intervals.
Table 9 Summary Widgets Elements (Continued)
Element Description
44 Users Guide
Viewing Dashboards : Managing Your Dashboard
Figure 23 Trend Widget Example
To add an existing trend widget to your dashboard
Note: If a widget is already added to the dashboard, you cannot add the same widget to the dashboard again.
1. Access Dashboards > My Dashboard > Widgets from the navigation menu.
2. Click the Trend icon. A list of existing trend widgets, if any, is displayed in the second pane.
Figure 24 Trend Widgets - List of Existing Widgets
3. Select the widget from the list. The widget’s settings are displayed for your review in the third pane.
4. Click the Add to Dashboard button to add the widget to your dashboard.
To create a new trend widget
Note: To create a trend widget, you must have Index Search privileges. For more information about privileges, see Chapter 13, Managing Users, in the LogLogic Administration Guide.
1. Access Dashboards > My Dashboard > Widgets from the navigation menu.
2. Click the Trend icon. A list of existing trend widgets, if any, is displayed in the second pane.
3. Click the Create New button to create a new widget. The new widget settings pane appears as shown below.
Figure 25 Create a New Trend Widget
4. Enter the Name and Description of the widget.
5. Select a saved search from the Search list as explained in Table 10.
6. Specify the Trend Range as explained in Table 10.
Table 10 Trend Widgets Elements
Element              Description
Name                 Name of your widget, displayed on the widget title bar.
Description          Description of your widget.
Shared               Select the checkbox to share your widget with other users. Only the creator of the widget can edit its settings.
Selected             Displays your selected saved search. None is displayed until a search is selected.
Enter text to filter Enter text to filter the saved search list and press Enter. The list is filtered and refreshed.
Search List          By default, the following columns are displayed:
                     Type - the report template type, for example, User Access
                     Name - the name of the report
                     Description - the description of the report
                     Click a column heading to sort the table by that column in ascending or descending order.
Trend Range section
Timespan             Specify the timespan from the drop-down menu. The options are:
                     1 Day
                     7 Days
                     30 Days
7. Click the Save Settings button to save the widget's settings. The widget is now listed in the saved widget list. Click the Add to Dashboard button to add the widget to your dashboard, or click the Save & Add to Dashboard button to save the settings and add the new widget to your dashboard in one step.
To edit an existing trend widget's settings
Note: Only the creator of the widget can edit that widget's settings.
1. Select a widget from the saved widget list (see Figure 25 on page 47).
2. Make the appropriate changes.
3. Click the Save Settings button to save the new settings.
Note: The Save & Add to Dashboard button is available only when the widget is not already on your dashboard.
Managing Alert Widgets
The Alert widget displays recently triggered alerts that match the filters you specify.
Figure 26 illustrates an example of an Alert widget. If you click the Show Toolbar button, the widget displays more options such as Enable and Disable (see Figure 26). For more information on other widget buttons, see Table 8 on page 40.
Figure 26 Alert Widget Example
To add an existing alert widget to your dashboard
Note: If a widget is already added to the dashboard, you cannot add the same widget to the dashboard again.
1. Access Dashboards > My Dashboard > Widgets from the navigation menu.
2. Click the Alerts icon. A list of existing alert widgets, if any, is displayed in the second pane.
Figure 27 Alerts Widgets - List of Existing Widgets
3. Select the widget from the list. The widget’s settings are displayed for your review in the third pane.
4. Click the Add to Dashboard button to add the widget to your dashboard.
To create a new alert widget
Note: To create an alert widget, you must have Manage Alerts privileges. For more information about privileges, see Chapter 13, Managing Users, in the LogLogic Administration Guide.
1. Access Dashboards > My Dashboard > Widgets from the navigation menu.
2. Click the Alerts icon. A list of existing alert widgets, if any, is displayed in the second pane.
3. Click the Create New button to create a new widget. The new widget settings pane appears as shown below.
Figure 28 Create a New Alert Widget
4. Enter the Name and Description of the widget.
5. Specify how to show alerts based on Type & Priority or Custom selection as explained in Table 11.
6. Specify number of alerts from the Show most recent list as explained in Table 11.
Table 11 Alerts Widgets Elements
Element              Description
Name                 Specify the name of your widget, displayed on the widget title bar.
Description          Specify the description of your widget.
Shared               Select the checkbox to share this widget with other users. Only the creator can edit the widget's settings.
Only show section
Type & Priority      Select this option to show alerts by alert type and priority. Select the checkbox for each priority level to include.
Custom Selection     Select this option to choose specific alert rules from the existing list.
Selected             Once you select an alert rule from the Available list, it appears under this column.
Available            Displays the list of available alert rules. Select the checkbox for each rule whose triggered alerts you want shown on your dashboard.
Show most recent     Specify how many alerts are displayed in the widget. The options are:
                     10 Alerts
                     25 Alerts
                     50 Alerts
                     100 Alerts
7. Click the Save Settings button to save the widget's settings. The widget is now listed in the saved widget list. Click the Add to Dashboard button to add the widget to your dashboard, or click the Save & Add to Dashboard button to save the settings and add the new widget to your dashboard in one step.
To edit an existing alert widget's settings
Note: Only the creator of the widget can edit that widget's settings.
1. Select a widget from the saved widget list (see Figure 28 on page 51).
2. Make the appropriate changes.
3. Click the Save Settings button to save the new settings.
Note: The Save & Add to Dashboard button is available only when the widget is not already on your dashboard.
Managing System Widgets
The System category provides four pre-defined widgets: Network-based Data Ingest, File-based Data Ingest, Disk Usage, and CPU.
Figure 29 illustrates an example of the Network-based Data Ingest widget. For more information on widget buttons, see Table 8 on page 40.
Figure 29 Network-based Data Ingest Widget
Figure 30 illustrates an example of File-based Data Ingest Widget. For more information on widget buttons, see Table 8 on page 40.
Figure 30 File-based Data Ingest Widget
Figure 31 illustrates an example of Disk Usage Widget.
Figure 31 Disk Usage Widget
Figure 32 illustrates an example of the CPU widget. If you click the Show Toolbar button, the widget displays more view options, such as an hour range of 2 Hr, 6 Hr, or 12 Hr. For more information on other widget buttons, see Table 8 on page 40.
Figure 32 CPU Widget
To add a system widget to your dashboard
1. Access Dashboards > My Dashboard > Widgets from the navigation menu.
2. Click the System icon. The pre-defined widgets are displayed in the second pane.
Figure 33 System Widgets
3. Select the widget by clicking on the name from the list of pre-defined widgets to view the details in the pop-up window.
4. Click the Add to Dashboard button. The widget is added to your dashboard.
Note: If a widget is already added to the dashboard, you cannot add the same widget to the Dashboard again.
Defining your Dashboard Canvas Settings
You can specify the number and size of columns on your Dashboard canvas.
To define your dashboard canvas settings
1. Access Dashboards > My Dashboard from the navigation menu.
2. Click the Dashboard link. The Edit dashboard settings window appears as shown below.
Figure 34 Edit Dashboard Settings
3. Specify the number of columns from the column layout options. The options are: One Column, Two Columns, or Three Columns.
4. If you select Two or Three columns option, specify the width of the column by dragging the slider to the desired width.
5. You can preview your column settings in the Preview window.
6. Click Save Settings to save your Dashboard settings. The widgets on your Dashboard are rearranged as per the new Dashboard settings.
CHAPTER 3:
Viewing Real Time Log Messages
The Real Time Viewer provides a scrolling display of log messages from all log sources as the Appliance receives them. You can either filter messages or view all log messages unfiltered as they arrive.
Real Time Viewer displays log messages only for syslog log sources, not for file transfer or database log source types (including log messages forwarded using LogLogic TCP).
Accessing and Selecting Real Time Messages to View . . . . . . . . . . . . . . . . . . . . . . . . 57
Viewing Log Messages in Real Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Accessing and Selecting Real Time Messages to View
The Real Time Viewer shows an immediate scrolling display of log messages as they are received by the Appliance. (See Figure 37.)
To access the Real Time Viewer:
Choose Search > Real Time Viewer from the navigation menu.
Figure 35 Accessing Real Time Viewer
The Real Time Viewer screen is displayed as shown below.
Figure 36 Real Time Viewer Screen
Table 12 Real-Time Viewer Tab Elements
Element              Description
Saved Custom Report  Select a Custom Report from the drop-down menu. If you have no saved Custom Reports, this field is grayed out. Use this option to view real-time data with the parameters of a saved filter for a specific Appliance.
Device Type          Device types associated with the Appliance.
Source Device        IP address of a device of the selected Device Type. The drop-down menu lists the devices connected to the Appliance.
Highest Severity     Select this checkbox to filter the syslog messages by the chosen highest severity level.
Search Filter        Define an expression used to limit the messages displayed from the devices. The filter options are:
                     Pre-Defined - The drop-down contains the pre-defined search filters that you manage in the Search Filters tab.
                     Use Words - Components of messages, for example user IDs such as cjreid or parts of IP addresses such as 192. The Use Words field accepts at most 125 characters.
                     Use Exact Phrase - A part of a syslog message that forms one fixed string rather than separate words, for example a specific URL or Authentication rejected: keyboard-interactive for root. The Use Exact Phrase field accepts at most 250 characters.
                     Regular Expression - A pattern of characters and symbols that the search uses to identify matching strings in the messages retrieved from the storage database. The Regular Expression field accepts at most 250 characters. For example:
                     User .* connected
                     \>su:.*(to root)
                     sshd.*Accepted.*for root from
Save Custom Report   Define and save frequently used search criteria so that a report can later be run against your real-time logs more quickly. Novice users can then run reports with complex search criteria with minimal input. Specify the following information:
                     Report Name - A name for the report.
                     Report Description - A brief description that tells other users what information the report generates.
                     Share with Other Users checkbox - Selected by default; makes this Custom Report accessible to other users who log in to this Appliance.
                     Click the save icon to save your changes.
Run                  Runs the filter and displays the real-time log view.
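The three text-matching modes of the Search Filter in Table 12 behave differently on the same messages, and the difference matters when a filter is meant to catch privileged-access events. The following Python example is added here to show that difference; it is not part of the LogLogic product or of this guide. It runs the three modes over a few constructed syslog lines and enforces the field length limits the table states. The matching semantics are assumptions (a case-sensitive substring test for Use Words, Python's re module for Regular Expression); the guide's \>su: example uses a GNU-style end-of-word anchor, whose Python equivalent is \b.

```python
import re

# Constructed sample syslog lines (not captured from a real Appliance).
SAMPLE_LOGS = [
    "Dec 10 09:12:01 gw1 sshd[4412]: Accepted publickey for root from 192.168.10.7 port 51022 ssh2",
    "Dec 10 09:12:05 gw1 sshd[4419]: Authentication rejected: keyboard-interactive for root from 10.1.2.3",
    "Dec 10 09:13:44 app2 su: cjreid to root on /dev/pts/1",
    "Dec 10 09:14:02 app2 login[812]: User cjreid connected from 10.1.9.20",
    "Dec 10 09:15:30 db1 postgres[221]: connection authorized: user=report database=logs",
]

# Maximum field lengths stated in Table 12.
FIELD_LIMITS = {"Use Words": 125, "Use Exact Phrase": 250, "Regular Expression": 250}


def within_limit(field, value):
    """True if the filter text fits the stated maximum length of that field."""
    return len(value) <= FIELD_LIMITS[field]


def _require_limit(field, value):
    if not within_limit(field, value):
        raise ValueError(f"{field} exceeds {FIELD_LIMITS[field]} characters")


def filter_use_words(lines, words):
    """Use Words: every whitespace-separated word must occur somewhere in the message,
    in any order. Assumed to be a case-sensitive substring test, so '192' matches
    '192.168.10.7' and 'cjreid' matches wherever that user ID appears."""
    _require_limit("Use Words", words)
    terms = words.split()
    return [line for line in lines if all(term in line for term in terms)]


def filter_exact_phrase(lines, phrase):
    """Use Exact Phrase: the whole phrase must occur as one fixed string, so word
    order and the spacing between words matter."""
    _require_limit("Use Exact Phrase", phrase)
    return [line for line in lines if phrase in line]


def filter_regex(lines, pattern):
    """Regular Expression: the pattern may match anywhere in the message. Python
    're' syntax is assumed; the guide's GNU-style '\\>' end-of-word anchor is
    written '\\b' in Python."""
    _require_limit("Regular Expression", pattern)
    compiled = re.compile(pattern)
    return [line for line in lines if compiled.search(line)]


if __name__ == "__main__":
    # The same user ID is found by word match, but an exact phrase is order-sensitive.
    print(filter_use_words(SAMPLE_LOGS, "cjreid root"))
    print(filter_exact_phrase(SAMPLE_LOGS, "rejected Authentication"))  # []
    # Privileged-access patterns from Table 12, adapted to Python syntax.
    for pattern in (r"User .* connected", r"\bsu:.*(to root)", r"sshd.*Accepted.*for root from"):
        print(pattern, "->", filter_regex(SAMPLE_LOGS, pattern))
```

Use Words is the forgiving mode: "cjreid root" finds the su line because both words occur in it, regardless of order. Use Exact Phrase finds "Authentication rejected:" but not the same words reversed, which is why it suits fixed strings such as URLs. The regular expressions are the only mode that can express "Accepted ... for root from", that is, a successful root login, without also matching every message that merely mentions root.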
To run the Real Time Report
1. Designate which messages to view in real time. You can pre-filter messages by source device, message severity, and text matches.
2. Click the Run button.
The Real Time Viewer appears, displaying messages meeting the filter criteria as the Appliance receives them. (See Figure 37.)
Figure 37 Real Time Viewer – Raw Logs
When you leave the Real Time Viewer and return to it later, the content in the Viewer restarts upon your return. Messages from the previous Viewer instance are not retained in the new Viewer instance.
To run a previously saved report in the Real-Time Viewer:
1. Choose Search > Real Time Viewer from the navigation menu.
2. Select the report from the Saved Custom Report drop-down menu.
3. Click the Run button.
For additional information on Custom Reports, see Tag Catalog on page 185.
To specify parameters to run a new report in the Real-Time Viewer
1. Choose Search > Real Time Viewer from the navigation menu.
2. Select the device type.
3. Select the source device connected to your Appliance.
4. Choose the severity level. To specify the highest level, check the Highest Severity checkbox.
5. Type your search criteria to limit information displayed from the device(s).
6. Click the Run button.
To save a Custom Report in the Real-Time Viewer
After specifying the parameters for your report, save the report:
1. Click the expand control to open the Save Custom Report section.
2. Type a name for your report and provide a brief description.
3. If you do not plan to share the report with other users logging in to the Appliance, uncheck the Share with Other Users checkbox. By default, this checkbox is selected.
4. Click the save icon to save your changes.
Viewing Log Messages in Real Time
Based on your selections in the Real-Time Viewer tab, the Real-Time Viewer: Log Messages tab shows a scrolling view of log messages in real time as they are received by the Appliance. The messages shown are determined by your input in the Search Filter section of the Real-Time Viewer tab. (See Figure 38.)
If you need to scroll through the incoming messages, click Pause. However, messages that arrive while the view is paused are skipped by the view; they do not get displayed when you resume.
Figure 38 Real-Time Viewer - Log Messages Paused
Table 13 Real-Time Viewer: Log Messages Screen Elements
Element          Description
Selected Device  Displays the Appliance source device name selected in the Real-Time Viewer filter form.
Status           Status of the Real-Time Viewer display.
Pause            Stops the real-time view of incoming log messages. While paused, the Real-Time Viewer skips incoming messages until you click Resume; the number of skipped messages is displayed next to Status: Paused.
Resume           Restarts the real-time view of incoming log messages.
(clear icon)     Deletes the current view of incoming log messages and refreshes the page.
(refresh icon)   Refreshes the view of incoming log messages.
Buffer Size      The number of lines stored in the buffer for viewing. The default is 10000. To change the buffer size, type the number of lines and click the Buffer Size button.
(back icon)      Returns you to the Real Time Viewer page, where the existing settings can be viewed and changed. After making your changes (or to keep the current settings), click the Run button.
CHAPTER 4:
Searching Collected Log Messages
As the Appliance collects log data from your log sources, you can search on those collected log messages. In addition to running various simple and complex searches, you can define search filters and run reports.
Pre-defining search filters lets you include specific search criteria in an Index Search, a Regular Expression Search, the Real Time Viewer, and All Saved Searches without having to re-enter the filtering criteria each time.
Viewing archived data files lets you reload and open older, compressed log data for viewing on an Appliance.
Contents
Search Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Using and Creating All Index Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Using Index Search. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Tag-Based Searches Using the Tag Picker Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Using Regular Expression Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Using Search Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Viewing Archived Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
For details on Boolean expressions, Regular Expression usage, what gets indexed, and available delimiters, see the Search Strings topic in the Online Help.
Search Overview
LogLogic provides search and reporting tools for finding specific information in collected log message content. The tool to use depends on the task you want to perform.
Index Search – Search on indexed log source messages using a Boolean expression and see the results immediately. Use Index Search when a simple, fast search can provide the information you need to analyze failures or other anomalies.
Regular Expression (RegEx) Search – Search using a single regular expression or pre-defined search filter, either immediately or at a scheduled time.
Real Time Viewer – Shows an immediate scrolling display of log messages as they are received by the Appliance. The options form lets you pre-filter these messages by log source or device group, message severity, and text matches; only log messages meeting the filter settings are shown. See Viewing Real Time Log Messages on page 57.
Index Report – Generate a report based on indexed data using pre-defined Boolean search filters. Essentially, an Index Report is a compilation of multiple Index Searches run at once. You can specify one or more pre-defined filters to use, and add additional criteria to those filters.
Note: For a simple search to match a specific string, use Index Search. To search for strings that match more complex patterns, use RegEx Search.
Figure 39 Search Tools
Table 14 Search and Reporting Feature Comparison
Feature                                           Index Report  Index Search  RegEx Search  Real Time Viewer
Multiple filters in search                        Yes           No            No            Yes
Boolean Expressions                               Yes           Yes           No            No
Regular Expressions                               No            No            Yes           Yes
Graphical Results Available                       Yes           Yes           No            No
Graphically view trends over time or log sources  No            Yes           No            No
Schedulable Search                                No            No            Yes           No
Save customized search criteria for future use    Yes           Yes           Yes           Yes
View finished/past search results                 No            No            Yes           Yes
Using and Creating All Index Reports
Use the All Index Reports screen to view a list of all saved searches for specific types of data, based on search expressions and time intervals you defined. You can use these results to verify information found in your reports.
The results provide the number of hits for each selected search filter, which you can view in a table or a graphical chart. From the table, you can drill down to view the specific hits for a filter in detail similar to Index Search results.
To create an Index Report
1. Click Create Report to open the Properties window.
Figure 40 Create Report – All Index Reports
2. Select log sources from the right-hand pane. You can select sources by Appliance, and filter returns by Name, IP Address, Group or Type.
3. Click <<Add as a rule, and enter a name in the text field of the dynamic rule pop-up.
Figure 41 Select Log Sources – Add as a Rule
Figure 42 Enter Name of Dynamic Rule
4. Click OK to add the selected source and filters to the left-hand pane.
5. On the right-hand pane select a device name (or names) from the list by clicking its name or the checkbox next to it.
6. Click <<Add selected log sources to add devices from the selected source to which you want to apply the filters when running the report.
Figure 43 Add Selected Devices
7. Click Columns and Filters to select the columns for your report and choose filters for your results. Click in the field under the Value column and enter a term for the filter (such as login, id, etc.). Then click in the field under the Operator column and pick an operator from the drop-down.
Click Apply. The selected operator and value will move to the left-hand column.
Figure 44 Apply Columns and Filters
8. Click Index Report Search Selections to select from the available expressions to be used in the report. If none are available, click New Expression... to add a new Boolean search expression for use in any Index Report.
Figure 45 Add New Boolean Expression
9. In the Add Search Expression... popup that appears, enter Name, Description, Expression, and then click Sharing to define whether others can use or modify the new filter. Click Save.
Figure 46 Add Search Expression
10. Place a checkmark next to the new search expression and click << Apply Selections to add them to the left-hand pane for use in filtering your report. Then click Save As.
Figure 47 Apply Filter Selections
11. Enter a name and description of the report in the pop-up. Select Share with others if desired. Click Save & Close. The new report will appear in the list of all saved Index Reports.
Figure 48 Name and Save the Report
Figure 49 Report Saved
12. Click in the Name field, enter a term to search for in the Saved Reports list, and press Enter. Reports whose titles contain the term are highlighted; reports that do not contain it are hidden from the Saved Reports list. Clear the search term in the Name field and press Enter to see all Saved Reports again.
Figure 50 Filter by Name
13. Click the Run icon in the Actions column. The Date and Time Range Picker pops up, with Last Hour as the default setting. Click the down arrow next to Last Hour to reveal the other options (Last 2, 3, 6, 12, 18, or 24 Hours; Today; Yesterday). Select the timeframe in the Date and Time Range Picker and click Run again to execute the report.
Figure 51 Date and Time Range Picker
14. On the results page, click Display Chart. Both Pie and Bar charts are available. The chart segments can be highlighted by mousing over them. Right-clicking on the chart or segments opens a print menu.
Using Index Search
Use Index Search to perform targeted searches on log messages using keywords, Boolean expressions, and wildcards across the Appliance or selected log sources. Index Search lets you pinpoint problem areas on all log sources captured on the Appliance and view the search results quickly.
Due to the dynamic nature of LogLogic reporting, when paging between the last page of search results and other pages, additional messages matching the search criteria might have been received since the initiation of the original search. As such, you might see additional messages included on subsequent visits to the last search results page.
Index Search works on indexed logs making it faster than a search using regular expressions (RegEx search). By default, the Appliance performs an Index Search on the Appliance itself and all log sources collected on the Appliance in the last hour.
Search Expression Rules
The following rules apply when you enter a search expression:
Use Boolean operators, such as AND, OR, or NOT, in your search expression (but do not begin the expression with NOT).
Use wildcard characters, such as an asterisk (*) or a question mark (?), to match strings (but do not begin the expression with a wildcard).
Use delimiters such as parentheses to tell Index Search what to evaluate first.
Enter up to 256 characters for your search expression.
Index Search and Tag-Based Search do not support search patterns shorter than 3 characters.
Index searches are case insensitive, so you do not have to write Boolean operators in uppercase, although doing so helps readability.
For details on Boolean expressions, search strings, and available delimiters, see the Search Strings topic in the Online Help.
Some simple Index Search examples:
Table 15 Index Search Examples
Index Search Example       Rule
tcp                        Use search expressions containing at least three characters.
authenticate AND failed    Use Boolean operators, such as AND, OR, or NOT.
Tcp NOT Udp
admin*                     Use wildcard characters such as an asterisk (*) or a question mark (?) as shortcuts to match strings.
10.*
(tcp and udp) and service  Use a delimiter, such as parentheses, to specify what gets evaluated first; here, tcp and udp are evaluated before the service keyword.
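The rules above describe a small Boolean query language over indexed words. The following Python example is added here to make those rules concrete; it is not part of the LogLogic software or of this guide. It parses and evaluates expressions in that language: AND, OR and NOT (with NOT acting as "and not", as in Tcp NOT Udp), the * and ? wildcards, parentheses, case-insensitive matching, and the stated restrictions (no leading NOT or wildcard, terms of at least three characters, at most 256 characters). How messages are split into indexed words is an assumption made for the example; the guide defers the actual indexing and delimiter rules to the Online Help.

```python
import re

# Constructed sample log messages (not captured from a real Appliance).
SAMPLE_LOGS = [
    "Dec 10 09:12:01 gw1 sshd[4412]: Accepted publickey for root from 192.168.10.7 port 51022 ssh2",
    "Dec 10 09:12:05 gw1 sshd[4419]: Authentication rejected: keyboard-interactive for root from 10.1.2.3",
    "Dec 10 09:13:44 fw1 kernel: tcp connection from 10.1.9.20 to 10.1.0.5 port 443 service https allowed",
    "Dec 10 09:13:50 fw1 kernel: udp packet from 10.1.9.21 port 53 service dns allowed",
    "Dec 10 09:14:02 app2 login[812]: administrator login failed for cjreid from 172.16.4.9",
    "Dec 10 09:14:30 app2 login[815]: login succeeded for admin from 172.16.4.9",
]

MAX_EXPRESSION_LENGTH = 256  # "Enter up to 256 characters for your search expression"
MIN_TERM_LENGTH = 3          # patterns shorter than 3 characters are not supported


def index_message(message):
    """Lowercase indexed words of a message. The delimiter rule is an assumption: a word is
    letters/digits plus '.', ':', '_', '-', with trailing punctuation dropped, so 'rejected:'
    indexes as 'rejected' while '10.1.2.3' stays one word."""
    return {w.rstrip(".:-") for w in re.findall(r"[A-Za-z0-9][A-Za-z0-9._:-]*", message.lower())}


def _term_matcher(term):
    """Predicate for one term with optional * and ? wildcards; case-insensitive and anchored
    to a whole indexed word ('admin*' matches 'administrator', plain 'admin' does not)."""
    if len(term) < MIN_TERM_LENGTH:
        raise ValueError(f"term {term!r} is shorter than {MIN_TERM_LENGTH} characters")
    compiled = re.compile(re.escape(term.lower()).replace(r"\*", ".*").replace(r"\?", "."))
    return lambda words: any(compiled.fullmatch(w) for w in words)


def _both(l, r): return lambda w: l(w) and r(w)
def _either(l, r): return lambda w: l(w) or r(w)
def _but_not(l, r): return lambda w: l(w) and not r(w)   # 'Tcp NOT Udp' = tcp AND NOT udp


def parse_expression(expression):
    """Parse an Index Search expression into a predicate over indexed words.
    Grammar: or_expr := and_expr (OR and_expr)* ; and_expr := atom ((AND|NOT) atom)* ;
    atom := '(' or_expr ')' | TERM. Parentheses decide what is evaluated first."""
    if len(expression) > MAX_EXPRESSION_LENGTH:
        raise ValueError(f"expression longer than {MAX_EXPRESSION_LENGTH} characters")
    tokens = re.findall(r"\(|\)|[^\s()]+", expression)
    if not tokens:
        raise ValueError("empty expression")
    if tokens[0].upper() == "NOT":
        raise ValueError("expression may not begin with NOT")
    if tokens[0][0] in "*?":
        raise ValueError("expression may not begin with a wildcard")
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def advance():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def parse_or():
        left = parse_and()
        while peek() is not None and peek().upper() == "OR":
            advance()
            left = _either(left, parse_and())
        return left
    def parse_and():
        left = parse_atom()
        while peek() is not None and peek().upper() in ("AND", "NOT"):
            op = advance().upper()
            right = parse_atom()
            left = _both(left, right) if op == "AND" else _but_not(left, right)
        return left
    def parse_atom():
        tok = peek()
        if tok is None:
            raise ValueError("expression ends after an operator")
        if tok == "(":
            advance()
            inner = parse_or()
            if peek() != ")":
                raise ValueError("missing closing parenthesis")
            advance()
            return inner
        if tok == ")" or tok.upper() in ("AND", "OR", "NOT"):
            raise ValueError(f"unexpected token {tok!r}")
        return _term_matcher(advance())

    predicate = parse_or()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r} after end of expression")
    return predicate


def expression_is_valid(expression):
    """True if the expression passes the rule checks above and parses."""
    try:
        parse_expression(expression)
        return True
    except ValueError:
        return False


def index_search(lines, expression):
    """Return the lines whose indexed words satisfy the expression."""
    predicate = parse_expression(expression)
    return [line for line in lines if predicate(index_message(line))]
```

Run against the constructed lines, "Tcp NOT Udp" returns only the tcp firewall line, "admin*" returns both the administrator and the admin login lines, "10.*" returns the three lines whose source addresses begin with 10., and "(tcp or udp) and service" returns both firewall lines while the guide's "(tcp and udp) and service" returns nothing, since no single message carries both words. Expressions that break the rules (a leading NOT or wildcard, a two-character term, more than 256 characters) are rejected before any search runs.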
Running an Index Search
Index Search is available on all Appliances except the LX 510. By default, the Appliance performs an Index Search on the Appliance itself and all log sources from which logs were collected on the Appliance in the last hour. You can search using these defaults or change them.
To run an index search from the Index Search Interface
1. Access the Index Search page from home: Search > Index Search. The Index Search interface is displayed as shown below.
Figure 52 Index Search Interface
2. Enter your search expression in the search text box and click the Run button.
Figure 53 Index Search – login – Run
The search results appear immediately on the Search Results tab, and the search term “login” is highlighted.
If you want, you can adjust the search scope and rerun the search by selecting specific log sources and/or a different timeframe.
Selecting Specific Log Sources
To perform a more targeted search, you can narrow the search scope to a group of log sources, such as all firewall interfaces, all routers, all General Syslog, Microsoft sources, other UNIX, or LogLogic Appliances.
On the Management Station, you can select from one managed Appliance or all Appliances, or particular groups of Appliances (for example, all LX Appliances or all ST Appliances) on which to run the search. The Choose Device pop-up automatically populates the log sources included on all selected Appliances.
To run a targeted Index Search
1. Click the All Sources on Localhost button to open the Select Source(s) window.
Figure 54 Open All Sources on Local Host
2. Select log sources from the Add Log Sources pane. You can select sources by Appliance, and filter by Name, IP Address, Group or Type.
Figure 55 Select a Source and a Filter
3. Click << Add as a rule.
Figure 56 Add Search Rule
4. Enter a name for the dynamic rule in the pop-up window and click OK.
Figure 57 Name Dynamic Search Rule
5. Place a checkmark next to the sources you want in your report and then click << Add selected log sources to add the selected devices and filters to the left-hand pane.
Figure 58 Add Selected Devices – Click Set to Confirm
6. Click Set. The new Index Report search selection appears in the Sources row. The Index Search Sources field displays the newly added log sources.
Select Time Frame for an Index Search
To select time frame for an index search
1. Click the calendar icon (to the right of Last Hour) to launch the Date and Time Range Picker.
2. Select a preset time interval by clicking the down arrow to the right of Last Hour, or pick a timeframe from the pop-up calendar. Click Set.
Figure 59 Schedule Index Search Report
3. Click Run.
4. At the Search pop-up, select whether you want to retrieve all messages. Click Yes. After a few moments, the Index Search results will be displayed.
Figure 60 Index Report Search Results
Using the Search Results Tab
Viewing Index Search Results
Index Search results are displayed in the Search Results tab and the keywords you entered are highlighted in different colors.
For example, when entering login AND user as your Boolean expression, the Search Results tab shows the first keyword “login” in yellow and second keyword “user” in turquoise.
Figure 61 Viewing Index Search Results
The UI uses several different colors to highlight search keywords after which it repeats the same color scheme.
To view search results using different view options
1. From the top right of the Index Search screen, click the View drop-down menu to open different view options. The options are: Reset to Default, Show Timeline, Hide Meta Header, View by, Chart Type.
Figure 62 Index Report Search Results – View
The Search Results view options are:
Table 16 Index Report Search--View options
Element Description
Reset to Default: Resets to the default settings.
Show Timeline: Select this checkbox to show the timeline graph.
Hide Meta Header: Select this checkbox to hide the metadata header information.
View By: Select whether to view by Time or by Device type.
Chart Type: Select the chart type. The options are Bar chart or Line chart.
Configuring Search Results Settings
To configure Search Results settings
1. From the top right of the Index Search page, click the Options button. The Columns and Grouping window appears as shown below.
Figure 63 Index Search -- Options menu
2. Optionally, enter a filter keyword in the Keyword field to narrow the displayed columns in your report.
3. Select the appropriate Column Name by clicking in the checkbox to include or exclude that column from your report. You can change the column name by clicking on the name. The column name field becomes an editable field allowing you to make the changes.
Note: If you enter the same column name for two columns, the Index Search Results page displays the results for those two columns merged into one column.
4. Click or to move the selected column.
5. Choose the Display options.
Table 17 Display Options
Element Description
Raw: Select this option to display Index Search Results in time-increasing order.
Grouped: Select this option to display Index Search Results grouped by the selected column.
Group By: Choose the column to group search results by from the drop-down menu. The default options are:
Time
Device IP
Device Source
Facility
Severity
You can add more columns by creating custom tags using Log Labels; see the Device Types online help video tutorial for instructions.
Time Interval: This option is enabled when you select Group By Time. The results are grouped based on the specified time interval. Select the Time Interval from the following options:
Every 5 Minutes
Every 30 Minutes
Every Hour
Every 3 Hours
Every 6 Hours
Every 12 Hours
Every Day
Every Week
Sum By: This optional setting adds up the numerical values of the selected column so that the Search Results Summary displays the sum for the grouped column instead of the count of message instances.
Aggregation Size: Select the option from the drop-down menu. The results are sorted based on the selected option. The options are:
Top 1
Top 5
Top 50
All
6. Click Apply to apply the new settings. The Index Search Results page displays the refined search results. Figure 64 displays Search Results when grouped based on Device IP.
Figure 64 Index Report Search Results – Grouped results by Device IP
Managing Search Results
The Search Results tab provides a toolbar with several options for managing Search results.
Figure 65 Search Results Toolbar
Table 18 Search Results Tab Toolbar Elements
Element Description
(toolbar icon): Collapses and condenses the results display view.
(toolbar icon): Allows you to view the selected message in relation to all others in your Index Search results. For details, see Viewing Index Search Results In Context on page 81.
Clip Selected message(s): From the drop-down menu, use the default clipboard, a saved clipboard, or create a new clipboard to save results.
Create Message Pattern: Create a new Log Labels message pattern with the selected message. Highlight a message in the Search Results and click the Create Message Pattern button. The Message Pattern Editor is displayed, which you can use to select a particular message from a particular device and then create a pattern based on the parameters of that message for use in further searches. For detailed instructions, see the online help tutorial.
(toolbar icon): Saves the results. You can choose Save or Save as from the drop-down menu to save your results. You can update your saved results using the Save as option; see Saving Search Results on page 81.
Number of Indexed Pages: Shows the total number of indexed messages in the search results. This is particularly useful for large volumes of log messages because it lets you go through matched messages one page at a time. To page through the results, click the next arrow; to return to the previous page, click the previous page arrow. You can also return to the first page or go to the last page by clicking the first and last page arrows. The total results number is automatically updated when you select the Show Timeline graphical view.
(toolbar icon): Displays context-sensitive help.
Viewing Index Search Results In Context
When analyzing log events, you can select a particular message and see the log messages that immediately preceded or followed the message from your search results.
Note: The In Context tab appears only after the first time you click the icon in the search results toolbar.
To view a particular log message in context
1. On the Search Results tab, select the message that you want to view and then select the icon. The In Context tab appears (next to the Clipboard tab) and the message you selected is immediately displayed in the Search Results tab.
2. By scrolling down on the page, the affected log message is highlighted in blue to show its relationship to the log messages that preceded this condition as well as those that occurred after this message.
3. Click the appropriate button to save the report. You can choose to save results in CSV, PDF, or HTML format.
Figure 66 Viewing a Log Message in Context
Saving Search Results
You can download Index Search results to view immediately or save them in CSV, PDF or HTML format. These buttons are located to the left of the Save button. After a few moments, the report in your chosen format appears.
To save a search results report
1. Click the Save As option from the icon drop-down menu to save the report. The Save As Report window appears. You can update a saved report by using the Save option.
Figure 67 Search Report – Save As menu
2. Enter the name and description of the report in the Name and Description fields respectively. The Name field is mandatory.
3. Select the Suite option from the drop-down menu.
4. Select the Share? checkbox if you want to share the report.
5. Select the desired print option. For Grouped Search, the options are: Print Summary Report or Print Detailed Report.
6. Click Save to save the results.
Table 19 Save Search Results
Output Description
CSV: Use Microsoft Excel or another spreadsheet program to display Index Search results in a spreadsheet. By default, search results are written to SearchExpressionHits.csv and saved on the desktop.
PDF: Use Adobe Acrobat Reader to display the Index Search results. By default, search results are written to report.pdf and saved on the desktop. The first page includes a table of contents with links to the query used for the Index Search and the results table.
HTML: Opens a new tab in your Web browser and immediately displays HTML Index Search results as a LogLogic report. The HTML results include a table of contents with links to the query used for the Index Search and the results table. By default, the downloaded results are saved as LogLogicReport.zip in a temp folder on the local drive. You can use your own company logo on the report; see the General tab under System Settings.
Viewing Trends
After running index searches, you can use the View menu to view search results graphically using the timeline option. The trend output you see is based on your chosen time range and chosen devices referenced by the Index Search and always includes only the messages and devices for that distribution.
The trend feature can be a powerful tool during your analysis of certain events and lets you see trends for certain activities by Time and Device.
Each option lets you view timeline data in either bar chart or line chart format. These charts show:
the time or device on the x-axis
the total number of messages on the y-axis
The procedure for viewing trends over time and by device is the same.
To view trends over time
1. Click the View drop-down menu and then select the Show Timeline checkbox.
A timeline chart displays below the search text box. You can immediately see the distribution of messages over time and begin to get a sense of trends in the timeline chart.
By hovering the mouse over an affected bar, you can get the total number of messages matching your search expression at that particular point in time.
Figure 68 View Menu – Viewing Trends by the Timeline Bar Chart
For example, in Figure 68 you can see that there are 39 log message instances at 11:30 in the morning. The scale on the x-axis shows the total number of messages while the y-axis shows the time distribution of those instances.
Figure 69 Zooming In to the Timeline Bar Chart
2. To zoom in on a particular area of interest, press and hold the left mouse button and drag over the area of interest.
This refreshes the timeline view to show the zoom area in more detail.
Figure 70 Timeline Detail
3. To return to the original view, click Zoom Out.
4. To view the same search in line format, select Chart Type > Line Chart from the View menu.
This displays the results in a line chart format. From this view, you can see spikes in the number of messages that match the keyword “login”.
Figure 71 Viewing Trends by the Timeline Line Chart
Similarly, to view the same index search by log source, select View By > Device from the View menu.
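To see what the Display Options from Table 17 (Group By, Time Interval, Sum By, Aggregation Size) and the Show Timeline view described above compute from the matched messages, here is an added Python example; it is not LogLogic code. It buckets constructed sample messages by device or by time interval, counts them or sums a numeric column, keeps the Top N groups, and produces the series behind the timeline bar or line chart. Bucket boundaries are aligned to 1970-01-01 00:00, which is this example's assumption; the guide does not say how the Appliance aligns its intervals.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample messages (not from the guide): one indexed log record each.
SAMPLE_MESSAGES = [
    {"time": "2010-12-01 11:02:10", "device_ip": "10.0.0.5", "severity": "info", "bytes": 120},
    {"time": "2010-12-01 11:07:45", "device_ip": "10.0.0.5", "severity": "info", "bytes": 80},
    {"time": "2010-12-01 11:31:00", "device_ip": "10.0.0.7", "severity": "warn", "bytes": 300},
    {"time": "2010-12-01 11:33:20", "device_ip": "10.0.0.5", "severity": "info", "bytes": 60},
    {"time": "2010-12-01 11:34:59", "device_ip": "10.0.0.9", "severity": "error", "bytes": 10},
    {"time": "2010-12-01 12:01:00", "device_ip": "10.0.0.7", "severity": "warn", "bytes": 500},
]

# Time Interval choices from Table 17, as bucket widths in seconds.
INTERVALS = {
    "Every 5 Minutes": 300, "Every 30 Minutes": 1800, "Every Hour": 3600,
    "Every 3 Hours": 10800, "Every 6 Hours": 21600, "Every 12 Hours": 43200,
    "Every Day": 86400, "Every Week": 604800,
}
EPOCH = datetime(1970, 1, 1)          # assumed alignment point for all buckets
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def time_bucket(timestamp, interval_name):
    """Floor a timestamp to the start of its interval (weekly buckets therefore start
    on a Thursday, because 1970-01-01 was one)."""
    seconds = int((datetime.strptime(timestamp, TIME_FORMAT) - EPOCH).total_seconds())
    width = INTERVALS[interval_name]
    return (EPOCH + timedelta(seconds=seconds - seconds % width)).strftime(TIME_FORMAT)


def group_results(messages, group_by, interval="Every Hour", sum_by=None, aggregation_size="All"):
    """Grouped display: Group By a column (or Time with a Time Interval), count message
    instances or Sum By a numeric column, then keep the Top N groups per Aggregation Size."""
    totals = Counter()
    for msg in messages:
        key = time_bucket(msg["time"], interval) if group_by == "Time" else msg[group_by]
        totals[key] += msg[sum_by] if sum_by else 1
    ranked = sorted(totals.items(), key=lambda item: (-item[1], item[0]))
    if aggregation_size != "All":                  # "Top 1", "Top 5" or "Top 50"
        ranked = ranked[: int(aggregation_size.split()[1])]
    return ranked


def timeline(messages, interval="Every 30 Minutes", view_by="Time"):
    """Show Timeline data: totals per bucket in chart order (x-axis = time or device,
    y-axis = number of messages), i.e. the series the bar or line chart draws."""
    series = group_results(messages, "Time" if view_by == "Time" else "device_ip", interval)
    return sorted(series)


def render_bars(series, width=20):
    """Text bar chart of a timeline series, one line per bucket."""
    peak = max((total for _, total in series), default=1) or 1
    return [f"{label}  {'#' * (total * width // peak):<{width}} {total}" for label, total in series]


if __name__ == "__main__":
    print("Grouped by Device IP (count):", group_results(SAMPLE_MESSAGES, "device_ip"))
    print("Grouped by Device IP, Sum By bytes, Top 1:",
          group_results(SAMPLE_MESSAGES, "device_ip", sum_by="bytes", aggregation_size="Top 1"))
    for line in render_bars(timeline(SAMPLE_MESSAGES, "Every 30 Minutes")):
        print(line)
```

Hovering over a bar in the UI shows the total for that bucket; in this model that is the second element of each tuple the timeline returns. Switching View By to Device replaces the time bucket with the Device IP as the x-axis key.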
Using the Search History Tab
Each time you run an index search, your search criteria are automatically saved on the Search History tab. The Search History tab includes:
Only those index searches with valid search criteria.
User-specific index searches, which can be shared when saved as a search filter.
Most recent searches at the top of the list.
You can configure the search entries displayed (rows/page) on the Search History tab through the admin > Your LogApp Account tab (see Viewing Your LogApp Account on page 193).
Saving an Index Search as a Filter
While search histories are user-specific, you can save an Index Search as a search filter. You can use these saved search filters yourself or you can share these saved search filters with other users of the Appliance.
To save an index search as a search filter
1. Click Search History to see the history of Index Searches.
2. Select the saved index search message and then click the button. The Save As Filter dialog box is displayed.
3. Enter a name, description and expression for the filter.
The filter name and description help you and other users quickly understand the type of information this Index Search generates when run.
4. If you want to share this filter with other users, click the Shared with other users checkbox.
5. Click Add.
Figure 72 Index Search - Search History
The index search is saved as a filter. You can use the filter in two places:
Search > Index Search > Search Filters tab
Search > All Search Filters tab
Running a Previously Saved Search Expression
Since your index searches are automatically saved for you on the Search History tab, you can browse through these previously saved sets of search criteria and run them again.
To run a previously saved index search
From the Search History tab, select the saved Index Search that you want to run and then click .
Using the Search Filters Tab
The Search Filters tab lists all saved search filters created on the Search History tab. The Search Filters tab includes the button in the toolbar, making it convenient to run a previously saved search filter.
The Search Filters tab organizes search filters by their name and displays the search expression used for the search filter in the Expression column.
Note: All of your saved search filters show up on the Search Filters tab and on the Index Report tab.
To view or use a previously saved index search filter
1. Select the filter from the table and then click .
This copies the search expression and enters it in the search expression text box.
2. Press Enter to run the search filter.
This loads all the results of the search on the Search Results tab.
Using the Clipboard Tab
The Index Search Clipboard is an important tool for investigating and troubleshooting log events. For example, during your analysis of a certain event, you might find an item of interest in one or more log messages. Once identified, you can create a Clipboard and copy and paste the affected log message(s) onto the Clipboard.
You can create several clipboards until you have found everything you need to help you with your analysis as you drill down on the details.
You can share the clipped messages with other users to serve as a knowledge base for these users. After saving clipped messages to the clipboard, you can view them on Clipboard tab and on the Search Results tab.
The Clipboard tab provides a toolbar with several options for using clipped messages. These options include:
- Adds a new clipboard
- Deletes one or more clipped messages
- Allows you to view or edit the clipped message
Adding a New Clipboard
You can add a clipboard from:
the Search Results page
the Clipboard tab
Note: You can add up to 1,000 messages to a Clipboard. Each user is able to create up to 100 Clipboards.
The procedures are essentially the same for adding a new Clipboard. The next procedure shows how to add a Clipboard from the Search Results tab.
To add a new Clipboard from the Search Results tab
1. On the Search Results tab, select messages to add to the clipboard from the search results.
To select more than one message to add to the Clipboard, hold the Shift key as you click on each message.
2. From the Clip selected message(s) drop-down menu, select New Clipboard.
The Add Clipboard dialog box opens.
3. Enter a name for the clipboard in the Name field.
If you enter an existing clipboard name, the messages are added to that existing clipboard.
4. Add a description for the clipped message in the Annotate field and click Add.
Figure 73 Add Clipboard Dialog Box
The clipboard is added to the Clipboard tab and it is also available from the Search Results tab. You can go back and view or edit the clipped message(s) later on to allow for more analysis.
Viewing or Editing Clipped Messages
After saving clipped messages and annotating them, you can view or edit clipboards on the Clipboard tab.
To view or edit clipped messages
1. On the Clipboard tab, select the clipboard that you want to view or edit and click .
The Edit Clipboard dialog box appears. You can change the following:
the Name of the clipped message
the Annotation for the clipped message
remove one or more clipped log messages
Figure 74 Edit Clipboard Message
2. Modify the Name, Annotation, or remove log messages and click Update.
Deleting Clipped Messages
You can manage the clipboard table by deleting unwanted clipped messages.
To delete a clipped message
1. On the Clipboard tab, select the Clipboard you want to delete and click .
2. To delete more than one clipped message, hold down the Shift key, select the messages you want to delete, and then click .
The selected messages are deleted from the Clipboard tab.
Tag-Based Searches Using the Tag Picker Interface
You may use the new Tag Picker Interface to access saved search terms in order to quickly run an updated Index Report.
To update an Index Report using the Tag Picker Interface
1. Access the Index Search page by going to home: Search > Index Search. Click the arrow below the text box labeled “Enter your search expression...”. The Tag Picker Interface opens.
Figure 75 Tag Picker Interface
2. Select an Event Type and left-click. The selected Event Type appears in the Enter your search expression... text box.
Figure 76 Event Type Added to Search Expression Text Box
3. Add a Boolean operator (AND) to the search expression, and left-click a saved Field Tag. The selected Field Tag appears after the Boolean operator in the Search Expression text box.
Figure 77 Field Tag Added to Search Expression Text Box
4. Add a wildcard (*) to recall all saved Field Tags with that name. Click Run.
Note: You can specify special characters such as spaces, forward-slashes (/) etc. inside the quotes for Field Tags. For example: Identity: “John Smith”; Domain: “domain name / JOHN SMITH”.
Figure 78 Tag-Based Search Results
5. Select View and display the Bar Chart for the search expression.
6. Compare with the previous saved Index Search results for this expression.
Using Regular Expression Search
Use the RegEx Search Filter tab to find specific types of data based on search expressions and time intervals you define. RegEx Search provides more powerful search filter options than Index Search, though RegEx Search can take longer to process and is less interactive.
Figure 79 Regular Expression Search
To specify parameters for a new search
1. Select Search > Regular Expression Search from the navigation menu.
2. (Management Station only) Select the Appliance (or All Appliances) on which to run the search.
3. Select the Device Type.
4. Select the Source Device, or all devices, connected to the Appliance.
To view Global groups created on this Management Station, you must select All Appliances under Appliance.
5. Specify the Time Interval in which to search for data passing through your Appliance.
6. Define your Search Filter. Select one of these options and specify any needed parameters.
Retrieve All—Use to retrieve all log files collected during a specified time interval regardless of the defined search expression parameters.
Pre-Defined—Select a pre-defined search expression (defined in/by search filters). All search filters you create appear in the drop-down menu as a pre-defined search expression. If the selected filter includes multiple parameter fields, a text field for each appears. The maximum length for each field is 25 characters.
Use Words—Use a specific word(s) as a search parameter.
Use Exact Phrase—Use an exact phrase as a search parameter.
Regular Expression—Use a regular expression as a search parameter.
For more information about modifying or creating search expressions, see Using Search Filters on page 94.
7. Specify the Time Interval to search for data passing through your Appliance.
8. Set a time for the search; do one of the following:
Select the Schedule Search to Run Immediately checkbox to start your search of archived data immediately
Select a time to start the search of archived data. If the selected time is in the past, the search runs immediately. This search is useful if you know exactly which data source you want to search and do not need to search a time interval.
9. Enter a Search Name for the search.
10. To generate the report, click .
Note: Concurrent Regular Expression Searches apply only to Appliance models above the 1000 series. You can select the number of concurrent searches to perform. The default is one, but you can choose to perform two searches concurrently.
To generate a previously saved report
1. Select Search > Regular Expression Search from the navigation menu.
2. In the RegEx Search Filter tab, select the report from the Saved Custom Report drop-down menu.
To generate the report, click .
To export the report data to a file in CSV format, click .
To save a Custom Report
After specifying the parameters for your report, save the report:
1. Click to expand the Save Custom Report section.
2. Type a name for your report and provide a brief description.
3. If you do not plan to share the report with other users logging in to the Appliance, uncheck the Share with Other Users checkbox. By default, this checkbox is selected.
4. If packages are present on the Appliance, the Add Report to Package drop-down menu is visible letting you select a package in which to include this report.
5. Click to save your changes.
Viewing Pending and Running Searches
The Pending Searches tab regularly refreshes to list all the pending and currently running RegEx searches on the Appliance. To force a refresh, click the tab name.
Viewing Running Searches
To view a list of all the searches that are currently running, see the Currently Running Searches table in the Pending Searches tab.
For each running search, this table lists the search schedule, timespan, name, owner, Regular Expression, and the approximate number of files processed, the total number to search, and the percentage completed.
To suspend a running search, check its checkbox and click . A suspended search stops processing; its partial results until that point appear in the Finished Searches tab.
Figure 80 Running and Pending RegEx Searches
Viewing Pending Searches
To view a list of all the searches that are scheduled to run, see the Currently Pending Searches table in the Pending Searches tab.
For each pending search, this table lists the priority for the search, its schedule, timespan, name, owner, Regular Expression, and an estimate of the number of files to search.
To remove a pending search from the queue, check its checkbox and click . There is no confirmation prompt for removing a pending search.
To add a new RegEx search to the queue, click . The RegEx Search tab appears.
Viewing RegEx Search Results
You can view pending, running, or finished searches in the Finished Searches or Pending Searches tabs under Search > Regular Expression Search. To force a refresh of the tab and view the latest finished searches, click the tab name.
Viewing Finished Searches
To view the search results for any searches that have completed, click the number of matches for the report in the Finished Searches tab list.
Figure 81 Finished RegEx Searches
To view the search results for a particular search, click its number of Matches.
To view or download the search results in HTML, PDF, or CSV, click the format extension in the Download Size column. (Clicking the size number downloads the results as a CSV file.)
To delete a past search from the Appliance, select its checkbox and click .
Using Search Filters
Search filters are user-created filters (saved search patterns) that can be used in:
Alerts
Real-Time Viewer
Index Search
RegEx Search
Index Reports
The All Search Filters tab lists all search filters:
You created in the Add Search Filter tab
You created and saved from the Index Search History tab (see Saving an Index Search as a Filter on page 84)
Available to you, including shareable filters created or owned by other users
The examples that follow assume a clean slate: a newly installed Appliance with no search filters in place.
Adding a Search Filter
To add a search filter for complex pattern matching, use the Add Search Filter tab.
To add a search filter
1. Select Search > All Search Filters from the navigation menu.
2. Click .
Figure 82 Adding a Search Filter - Steps 1, 2
3. Type a name for your new search filter.
4. Sharing: Read Only is the default setting for a new search filter; other users of this Appliance may see and use the new search filter. Set the radio button to No to prevent others from seeing and using the new search filter. Set the radio button to Read Write to allow others to see and modify the new search filter.
5. Type a brief description of the new search filter.
This description helps you remember what the filter is for, and describes it to other users if you shared the filter.
6. Select a search filter option and enter the search filter criteria (see Search Filter Options below).
For this example we will select the following option and a single filter criterion:
a. Select the radio button Use Exact Phrase.
b. Enter $username in the Use Exact Phrase text field.
7. Click .
Figure 83 Adding a Search Filter - Steps 3 - 7
Note: When adding the very first Search Filter to the Appliance, you may see the message “There is no Search Filter defined in the system” immediately after clicking Add. Refresh the Appliance memory by clicking Regular Expression Search in the navigation menu; then click Search Filters in the menu, and your new Search Filter will appear in the list.
Figure 84 Search Filter Added
Search Filter Options
There are four types of search expressions you can use when adding a search filter.
Table 20 Search Filter Comparison
Filter Type | Search Criteria | Use Pre-Defined RegEx Filters | Where Filter Is Used
Use Words | A word, or two words with AND/OR | Yes | RegEx Search, Alerts, Real-Time Viewer
Use Exact Phrase | A phrase | Yes | RegEx Search, Alerts, Real-Time Viewer
Regular Expression | Regular expression | Yes | RegEx Search, Alerts, Real-Time Viewer
Boolean Expression | Keyword search using Boolean expressions | No | Index Search and Index Report
Note: Custom reports allow whichever filter types apply to the custom report’s contents. For example, a custom report saved from an Index Search allows Boolean search filters. When creating a search filter to be used for index search/index report, make sure to choose the Boolean expression as filter type.
Use Words
Type a word as your search criteria. If you type more than one word, you can use the AND/OR drop-down menu.
To specify any string of characters, use wildcards (*). For example, RADI*UDP would match the RADIUS opened UDP handle string.
Use Exact Phrase
Type a phrase as your search criteria. The Appliance searches for strings including the phrase you specify.
To specify any string of characters, use wildcards (*). For example, RADI*UDP would match the RADIUS opened UDP handle string.
You can also define a parameter field using $fieldname. For example, $username $zipcode $phone displays text entry fields when you select the search filter in the RegEx Search tab. Field names with spaces in them display only the first word in the RegEx Search tab. For more information, see Adding Additional Parameters to a Pre-Defined Regular Expression Search Filter on page 101.
Regular Expression
Type a regular expression as your search criteria; that is, a single character, a string of characters, or a string of numbers. A regular expression (RegEx) is a pattern that is matched against a subject string from left to right. Most characters stand for themselves in a pattern and match the corresponding characters in the subject.
The power of regular expressions comes from the ability to include alternatives and repetitions in the pattern. These are encoded in the pattern by use of metacharacters which, instead of standing for themselves, are interpreted in a special way.
Note: Avoid using a regular expression when a non-regular-expression alternative is available. Regular expressions are almost always less effective and more error prone than non-regular expressions. For instance, instead of using the regular expression ^[^:]*://.*\.loglogic\.com/.*$ you should write url.domain=loglogic.com.
You can use a wildcard symbol (*) for searches. Using a wildcard for RegEx searches means the * matches the preceding element zero or more times.
Once you add a regular expression, the values you enter are stored as parameters in the database. To use this regular expression with alerts, Real-Time Viewer, or RegEx Search, select the Pre-Defined radio button.
If you are creating a search filter for an alert, the search filter must be a RegEx expression.
Boolean Expression
Type a keyword search that uses Boolean operators such as AND, OR, or NOT. For example:
“Portmapped translation built for gaddr” and NOT 155.363.777.53
This searches indexed data only. Indexing increases performance when searching unparsed data. It is most effective when used to find a rare occurrence of a string.
In addition to entering a keyword, you can also type:
Numbers and words which are three or more characters
Terms under three characters, preceded by =. For example, for terms such as user=a or priority=7 the a and 7 are indexed.
The Boolean Expression field is visible only if you enable Full Text Indexing from the General Settings tab. You cannot use Advanced Options with Boolean Search.
Your Boolean expression should be no longer than 1024 characters in length.
For more on using Boolean search strings, see the Search Strings topic in the Online Help.
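The Boolean Expression rules above (AND, OR and NOT, quoted phrases, terms of three or more characters, shorter terms indexed only when they follow "=") and the keyword highlighting described under Viewing Index Search Results can be modelled together. The following Python is an added example and not LogLogic code: the sample messages are constructed, the tokenization is a simplification of whatever the Appliance's indexer does, and every colour name after yellow and turquoise is an assumption, since the guide only names those two and says the scheme repeats.

```python
import re

# Constructed sample messages (not from the guide), as the full-text index would see them.
SAMPLE_LOGS = [
    "Dec  1 11:30:01 fw1 login user=alice",
    "Dec  1 11:30:07 fw1 Portmapped translation built for gaddr 192.0.2.10",
    "Dec  1 11:31:12 fw1 login failed user=a priority=7",
    "Dec  1 11:32:00 fw1 logout user=alice",
]
# Yellow then turquoise as the guide says, repeating; the later colour names are an assumption.
PALETTE = ["yellow", "turquoise", "green", "orange"]

def index_terms(message):
    """Indexed terms: tokens of 3+ characters, plus any value following '=' (user=a -> 'a')."""
    terms = set()
    for tok in message.lower().split():
        key, eq, value = tok.partition("=")
        if eq and value:
            terms.update({value, tok} | ({key} if len(key) >= 3 else set()))
        elif len(tok) >= 3:
            terms.add(tok)
    return terms

def tokenize(expression):
    """('PHRASE', text), ('TERM', text) and operator tokens; operators are case-insensitive."""
    if len(expression) > 1024:  # limit stated in the guide
        raise ValueError("Boolean expression longer than 1024 characters")
    tokens = []
    for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', expression):
        if not bare:
            tokens.append(("PHRASE", quoted.lower()))
        elif bare.upper() in ("AND", "OR", "NOT"):
            tokens.append((bare.upper(), None))
        else:
            tokens.append(("TERM", bare.lower()))
    return tokens

def parse(expression):
    """Expression tree with precedence NOT > AND > OR (no parentheses, as in the guide)."""
    tokens, pos = tokenize(expression), 0
    def take(expected=None):
        nonlocal pos
        if pos < len(tokens) and (expected is None or tokens[pos][0] == expected):
            pos += 1
            return tokens[pos - 1]
        return None
    def parse_not():
        if take("NOT"):
            return ("NOT", parse_not())
        tok = take()
        if tok is None or tok[0] not in ("TERM", "PHRASE"):
            raise ValueError("expected a keyword or quoted phrase")
        return tok
    def parse_and():
        node = parse_not()
        while take("AND"):
            node = ("AND", node, parse_not())
        return node
    node = parse_and()
    while take("OR"):
        node = ("OR", node, parse_and())
    if pos != len(tokens):
        raise ValueError("unexpected token after expression")
    return node

def matches(node, message):
    """Evaluate the tree against one message: terms hit the index, phrases the raw text."""
    kind = node[0]
    if kind == "TERM":
        return node[1] in index_terms(message)
    if kind == "PHRASE":
        return node[1] in message.lower()
    if kind == "NOT":
        return not matches(node[1], message)
    left, right = matches(node[1], message), matches(node[2], message)
    return (left and right) if kind == "AND" else (left or right)

def positive_keywords(node, negated=False):
    """Keywords to highlight, left to right; anything under NOT is excluded."""
    if node[0] in ("TERM", "PHRASE"):
        return [] if negated else [node[1]]
    if node[0] == "NOT":
        return positive_keywords(node[1], not negated)
    found = positive_keywords(node[1], negated)
    return found + [k for k in positive_keywords(node[2], negated) if k not in found]

def highlight(message, keywords):
    """Mark each keyword occurrence as [colour:text]; colours cycle through PALETTE."""
    if not keywords:
        return message
    colours = {kw: PALETTE[i % len(PALETTE)] for i, kw in enumerate(keywords)}
    longest_first = sorted(keywords, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(kw) for kw in longest_first), re.IGNORECASE)
    return pattern.sub(lambda m: f"[{colours[m.group(0).lower()]}:{m.group(0)}]", message)

def search(expression, messages):
    """Run a Boolean expression over the messages and return the highlighted hits."""
    node = parse(expression)
    keywords = positive_keywords(node)
    return [highlight(msg, keywords) for msg in messages if matches(node, msg)]
```

Note that a term is matched against the index (so "login" does not hit "logout", and "a" hits only messages where it followed "="), while a quoted phrase is matched against the raw text; the page's own example, "Portmapped translation built for gaddr" and NOT 155.363.777.53, parses as a phrase, an AND, and a negated term.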
Putting Your Logins Search Filter to Work
Complete the following steps to start using your Logins search filter:
1. Select Regular Expression Search from the navigation menu.
2. On the RegEx Search Filter tab that appears, select the Pre-Defined radio button.
3. In the Pre-Defined text field (Select Expression), click the drop-down menu arrow, select Logins search, and click on the filter name. The filter form reloads and now displays “Logins search” in the Pre-Defined text field (see Figure 30, below).
Figure 85 Adding a Pre-Defined Search Filter to RegEx Search Filter
Note that because you specified the parameter $username in the Use Exact Phrase text field when you defined your Logins search filter, the Appliance has opened a new text box next to username in which you may further define the type of user to search for.
4. Enter “admin” in the username text field to search for that class of user alone, or enter the wildcard * to search for logins from all users.
5. Select a Start Time to run your Logins search (immediately in this example).
6. Enter a name for your search in the Search Name text field.
7. Click the Save Custom Report menu expansion arrow and enter a Report Name and Report Description, and select whether to Share with Others.
8. Click Save Report.
9. Click Run.
Figure 86 Report of Logins by username admin
10. Click the number of matches to see the detailed report of the logins by username admin.
Figure 87 Detailed Report of Logins by username admin
Adding Additional Parameters to a Pre-Defined Regular Expression Search Filter
As shown above, when creating a pre-defined search filter, you can define a parameter field using the expression $fieldname. The value you enter in the parameter replaces $field. In our example, we chose $username as our expression, and typed admin into the User Name field. This caused the regular expression search to return admin users wherever $username was specified.
The maximum length for each $field is 25 characters. Regular expressions can be up to 255 characters in length.
This feature applies only to the Use Exact Phrase search filter and Regular Expression search.
Creating a Multi-Parameter Pre-Defined Regular Expression Search Filter
In the following example we will build on our single-parameter Logins search filter by adding two additional parameters: $zipcode and $phone.
1. Create a new pre-defined search filter exactly as the example Logins search filter we created above, except this time type $username $zipcode $phone in the Use Exact Phrase field.
2. Name your new search filter “Multi-parameter search” and click Add.
Figure 88 Add Multi-parameter Search Filter
Note: This time the new search filter appeared immediately after clicking Add, and both search filters are displayed in the list.
3. Select Search > Regular Expression Search, and select the Pre-Defined radio button; then select the pre-defined search filter that you just created (Multi-parameter search) from the drop-down menu.
4. The new form reloads, displaying each text field that corresponds to each new $field (search parameter) you will define for this new search filter. The maximum length for each $field is 25 characters.
5. Click Save Custom Report at the bottom of the form, and enter a report name and description.
6. Click Save Report.
7. Type $username $zipcode $phone in the Use Exact Phrase field.
Figure 89 Add Parameters to Multi-parameter Search Filter
In this example we typed $username $zipcode $phone in the Use Exact Phrase field. The Appliance generated a text field in the search form for the part after the $. We typed admin in the username field, and used the wildcard * in the zipcode and phone fields to return the maximum number of user logins.
We elected to Save Custom Report, and named it Multi-parameter search, and we selected Schedule to run immediately for the Hourly Period: Last 24 Hours. See the results of our multi-parameter search filter query in Figure 90.
The detailed Multi-parameter Search Report is revealed by clicking the number of matches returned by the search (see the arrow at the bottom of the top figure).
Note: You can define this parameter for the Use Exact Phrase or Regular Expression fields from the Add or Modify page for any search filter.
Figure 90 Multi-parameter Search Filter Results and Report
8. Click the Finished Searches tab to see the results of the Parameter Search.
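As an added illustration, not part of the guide or of the LogLogic product, the following Python models how a pre-defined filter with $field parameters is expanded: each $field is replaced by the value typed into its text box, the wildcard * stands for any value, the 25-character field limit and 255-character expression limit are enforced, and the expanded expression is run over a few constructed log lines. The function and variable names and the sample lines are assumptions made for this example.

```python
import re

MAX_FIELD_LEN = 25   # limit per $field value stated in the guide
MAX_EXPR_LEN = 255   # limit on the expanded regular expression stated in the guide

# A $field parameter: "$" followed by an identifier, e.g. $username
PARAM_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

# Constructed sample log lines (not real appliance data)
SAMPLE_LOGS = [
    "Jan 12 10:01:02 fw01 sshd[211]: Accepted password for admin from 10.0.0.5",
    "Jan 12 10:01:09 fw01 sshd[212]: Failed password for guest from 10.0.0.9",
    "Jan 12 10:02:15 fw01 sshd[213]: Accepted password for admin from 10.0.0.7",
    "Jan 12 10:03:44 fw01 sshd[214]: Accepted password for alice from 10.0.0.5",
]


def parameter_names(template):
    """Return the $field names in a filter, in order of first appearance.

    These correspond to the text boxes the Appliance opens next to the filter.
    """
    names = []
    for name in PARAM_RE.findall(template):
        if name not in names:
            names.append(name)
    return names


def _value_pattern(value):
    """Translate one typed value into regex: '*' means any value, else literal."""
    if value == "*":
        return r"\S+"
    return re.escape(value)


def build_expression(template, values):
    """Expand a pre-defined filter into a regular expression string.

    template -- the Use Exact Phrase text, e.g. "login $username from $ipaddress"
    values   -- what was typed into each $field box, e.g. {"username": "admin"}
    Raises ValueError when a parameter is missing or a length limit is exceeded.
    """
    names = parameter_names(template)
    missing = [n for n in names if n not in values]
    if missing:
        raise ValueError("no value supplied for: " + ", ".join(missing))
    for name in names:
        if len(values[name]) > MAX_FIELD_LEN:
            raise ValueError(f"${name} exceeds {MAX_FIELD_LEN} characters")

    parts = []
    last = 0
    for match in PARAM_RE.finditer(template):
        parts.append(re.escape(template[last:match.start()]))  # literal text
        parts.append(_value_pattern(values[match.group(1)]))   # substituted value
        last = match.end()
    parts.append(re.escape(template[last:]))
    expression = "".join(parts)

    if len(expression) > MAX_EXPR_LEN:
        raise ValueError(f"expanded expression exceeds {MAX_EXPR_LEN} characters")
    return expression


def run_search(template, values, lines):
    """Return the lines matched by the expanded filter (the search's matches)."""
    pattern = re.compile(build_expression(template, values))
    return [line for line in lines if pattern.search(line)]


if __name__ == "__main__":
    logins = "Accepted password for $username from $ipaddress"
    print(parameter_names(logins))  # ['username', 'ipaddress']
    for hit in run_search(logins, {"username": "admin", "ipaddress": "*"}, SAMPLE_LOGS):
        print(hit)
```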
Modifying a Search Filter
In the second example above we created a new search filter and added two more search parameters: $zipcode and $phone. As an alternative, we could have modified the first search filter we created, “Logins by username admin”. In the example below, you will see how to modify an existing search filter (assuming you no longer want to retain the original filter configuration).
To modify an existing search filter
1. Select Search > Search Filters from the navigation menu.
2. Click on the name of the filter you want to change.
The Modify Search Filter tab appears with the same options as Adding a Search Filter on page 95.
3. Modify the search filter name, description, filter options and criteria, or sharing with other users as needed.
Now we think that IP address would be more valuable to us than zipcode and phone, so we elect to modify our multi-parameter search filter to suit our new needs. We could also simply delete the filter and create a new one.
4. Click to modify the search filter.
Figure 91 Modify Search Filter
Figure 92 New Multi-parameter Search Filter
5. Select Regular Expression Search from the navigation menu.
6. Click the Pre-Defined radio button on the RegEx Search Filter tab.
7. Select Multi-parameter search from the drop-down menu in the Select Expression field (but do not enter search parameters until you complete Step 8 below).
8. Click the Save Report button at the bottom of the form and enter a new report name and description. Click Save Report.
9. Return to the search parameter text fields and enter your new parameters (username = admin, and ipaddress = wildcard *).
10. Click Run.
11. Click Finished Searches and then click the number of matches returned to see the results.
Figure 93 New Multi-parameter Search Results
Viewing Archived Data
Administration > Data Files lets you view all archived data files.
Figure 94 Archived Data Files
Because data files are compressed, you must save them to a local machine and decompress them for viewing. When you click a Data File Name, the Appliance initiates a file download to your local system.
Viewing Archived Data Files
The Data Files page lists all archived data files. The Appliance archives data on an ongoing, hourly basis. To download and view a data file, click its file name.
To view a Data File
1. To limit the list of data files by time, select the year, month, day, and time to view.
2. Click on the Data File Name for the file you want to view.
The Appliance downloads the data file to your local machine.
3. Unzip the downloaded file.
4. Open the downloaded file in a text editor.
For information about each data file on the Data Files page, see the online Help.
Figure 95 Data File Download
Verifying the SHA Digest on Data Files
LogLogic lets you verify the integrity of your data files by confirming that the SHA Digest has not changed since the LogLogic Appliance captured the data. Use the Data Files page to verify the SHA Digest. Releases 4.9 and 5.0 support both SHA-256 and MD5 SHA Digests. Releases prior to 4.9.0 support only the MD5 SHA Digest. (See the CLI section of the LogLogic Administration Guide for information on setting the Appliance Digest.)
Note: To further ensure the integrity of data on an ST Appliance, consider using a WORM (write once read many) storage server such as Network Appliance’s SnapLock. For more information on using SnapLock with LogLogic ST Appliances, see the LogLogic Administration Guide.
To verify the SHA Digest on data files
1. In the navigation menu, click Administration > Data Files.
The Data Files page appears.
2. Click the checkbox to the left of each data file to verify.
3. Click Verify to start the verification process.
When verification completes, a flag appears in the Digest Verified column:
A green flag indicates successful verification of the data file's Digest. The timestamp next to the green flag identifies the date and time the verification succeeded.
A red flag indicates failed verification. Mouse over the failure message for more information on the reason. A failure can mean:
The file was modified. Mouse over the failure to view the new Digest.
The file is no longer accessible. This can happen for various reasons, for example because the location of the file has changed, or because the file is on a storage server such as a NAS or Centera and the network connection is down.
Note: The verification process has a low priority in the Appliance. If the system is busy processing log data, the verification process might take longer than expected.
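An added example, not LogLogic code, of the check the Data Files page performs: recompute a file's digest and compare it with the digest recorded at capture time, reporting the three outcomes the guide describes (verified, modified with the new digest shown, or inaccessible with the reason). The function names, the manifest format and the temporary sample files are assumptions made for this example.

```python
import hashlib
import hmac
import os
import tempfile
from datetime import datetime, timezone

# Releases 4.9 and 5.0 record either SHA-256 or MD5. MD5 is kept here only so that
# digests recorded by older releases can still be checked, not as a recommendation.
SUPPORTED = ("sha256", "md5")


def compute_digest(path, algorithm="sha256"):
    """Hash a data file in chunks so large archives need not fit in memory."""
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported digest algorithm: {algorithm}")
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_data_file(path, recorded_digest, algorithm="sha256"):
    """Model one row of the Digest Verified column.

    Returns a dict whose "status" is one of:
      "verified"     - green flag; the digest still matches
      "modified"     - red flag; "new_digest" carries the digest computed now
      "inaccessible" - red flag; "reason" explains why the file could not be read
    "checked_at" is the verification time, like the timestamp next to the flag.
    """
    checked_at = datetime.now(timezone.utc).isoformat()
    try:
        current = compute_digest(path, algorithm)
    except OSError as exc:
        return {"status": "inaccessible", "reason": exc.strerror, "checked_at": checked_at}
    # Constant-time comparison; hex digests are normalised to lower case first
    if hmac.compare_digest(current, recorded_digest.lower()):
        return {"status": "verified", "checked_at": checked_at}
    return {"status": "modified", "new_digest": current, "checked_at": checked_at}


def verify_manifest(manifest, algorithm="sha256"):
    """Verify every (path -> recorded digest) entry, like ticking several checkboxes."""
    return {path: verify_data_file(path, digest, algorithm) for path, digest in manifest.items()}


def demo():
    """Exercise the three outcomes on constructed files; returns results by file name."""
    with tempfile.TemporaryDirectory() as workdir:
        names = ("2010-12-01-10.log", "2010-12-01-11.log", "2010-12-01-12.log")
        intact, tampered, missing = (os.path.join(workdir, n) for n in names)
        sample = b"Dec  1 10:00:01 fw01 sshd[311]: Accepted password for admin\n"
        for path in (intact, tampered, missing):
            with open(path, "wb") as handle:
                handle.write(sample)
        # Digests recorded "at capture time", before anything changes
        manifest = {p: compute_digest(p) for p in (intact, tampered, missing)}
        # Simulate later events: one file edited, one no longer reachable
        with open(tampered, "ab") as handle:
            handle.write(b"Dec  1 10:00:02 fw01 sshd[312]: Accepted password for guest\n")
        os.remove(missing)
        results = verify_manifest(manifest)
        return {os.path.basename(path): result for path, result in results.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["status"])
```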
Listing Archived Passive (Non-Parseable) Files
The Data Files page lists all archived data files. The Appliance archives data on an ongoing, hourly basis. To download and view a data file, click its file name.
To view a Data File
1. To limit the list of data files by time, select the year, month, day, and time to view.
2. Click on the Data File Name for the file you want to view.
The Appliance downloads the data file to your local machine.
3. Open the downloaded file in a text editor.
CHAPTER 5:
Creating and Managing Alerts
Alerts notify you of unusual traffic on the network and of anomalies detected on log sources or on the LogLogic Appliance itself.
You can create alerts specific to your monitoring needs, and use alerts that come pre-configured with Compliance Suites or Log Source Packages. You can also update existing alerts or remove them as needed.
For any alert, you can designate alert trap receivers as well as email recipients so people can receive notification of alerts via email.
Contents
Viewing and Handling Alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Managing Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Adding a New Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Modifying or Removing An Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Viewing and Handling Alerts
The Show Triggered Alerts page lists events triggered by rules defined for this Appliance to monitor and report on. The Show Triggered Alerts page lets you:
view all alerts
filter shown alerts by alert category and priority
view all system alerts only, regardless of priority
change the alert category to Acknowledged
delete the alerts permanently
(MA or Management Station only) view alerts on a specific managed Appliance or on all managed Appliances
When an alert is triggered, Alert Viewer shows the alert category as New.
To filter and view alerts
1. Choose Alerts > Show Triggered Alerts from the home page.
The Show Triggered Alerts page is displayed. (See Figure 96 on page 112.)
2. Select the type of alerts to display from the Show drop-down menu.
All States shows all alerts in all categories.
New or Acknowledged Alerts shows only alerts in the selected category.
3. Select the alert priority to view from the second drop-down menu. The options are:
To view all system alerts regardless of priority, select All System Alerts.
4. (MA or Management Station only) Select the Appliance from which to view triggered alerts. To aggregate alerts from all managed Appliances into a single list, select All.
Figure 96 Show Triggered Alerts Page
The Show Triggered Alerts page displays the specified alerts with the following details:
To page through and move alerts
To page through multiple results to your query:
Use the navigation buttons to go to the first, previous, next, or last page, respectively
Type the page number and click to view the results on a specific page
To acknowledge or remove alerts:
To move alerts to the Acknowledged category, select their checkboxes and click .
To delete selected alerts, select their checkboxes and click .
To delete all alerts permanently, regardless of priority, click .
Tip: Move an alert to the Acknowledged category once you have been notified of the alert. Remove an alert once the cause of the alert is corrected.
Table 21 Alert Details
Element Description
Time Time the alert triggered.
Source IP Source IP address contained in the syslog message. If an alert is for multiple devices, Device Group is shown as the Source IP.
Priority The priority of the alert. An alert's priority is specified in the Manage Alerts tab.
Type The Log Appliance alert type. For a list of alert types, see Viewing and Handling Alerts on page 111.
Alert Destination Email addresses, trap receivers, or syslog receiver where notifications were sent when the alert triggered.
Managing Alerts
Manage Alert Rules lets you define rules to detect unusual traffic on your network or detect Appliance system anomalies. You can add, modify, or remove alerts. You can configure alerts to generate SNMP events and/or send an email notification when the alert rule is triggered. Each Appliance includes a default set of alerts. You can modify these alerts and add to them as needed. You do not need to set up an SNMP server for the default alerts.
Note: Users with Administrator privileges can modify or delete any Alert. If you do not have Administrator privileges, you can modify or delete only the Alerts you create.
Figure 97 Manage Alert Rules
The Manage Alert Rules page displays the following details:
Table 22 Manage Alert Rules Details
Element Description
Name Name of the alert.
Type Type of the alert.
Priority The defined priority of the alert.
Enabled Indicates whether the alert is active:
—You must assign a User and Alert Receiver for this alert.
—You must assign a Device for this alert.
Description Description of the alert.
Preconfigured System Alerts
System Alerts notify you when system health and status criteria exceed acceptable bounds. All LogLogic Appliances include several system alerts that are preconfigured and enabled. By default, these alerts have:
Email notifications sent to the Appliance admin user
Priority set to high
A default reset time of 300 seconds (except TCP Forward Falling Behind, which has a default reset time of 3600 seconds)
All these alert settings can be customized as needed.
Adding a New Alert
Adding an alert to the Appliance involves selecting the type of alert, enabling the alert, specifying the log sources to monitor, and specifying alert recipients (SNMP traps and email user IDs).
Modifying an alert lets you change the same options available here for adding an alert.
IMPORTANT! When setting up an alert, do not pick search expressions with variables in them. Doing so treats variables as having a literal meaning.
To add an alert
1. Choose Alerts > Manage Alert Rules from the navigation menu.
The Manage Alert Rules page appears.
2. Click . The Manage Alert Rules Type tab appears.
Table 23 Preconfigured System Alerts
Alert | Description | Default
System Alert - CPU temperature | The temperature of the Appliance CPU has exceeded the specified High Threshold | 70 degrees celsius
System Alert - Disk Usage | The usage of the specified drive on the Appliance has exceeded the specified High Threshold | 90%
System Alert - Dropped Message | The number of messages dropped by the Appliance has exceeded the specified High Threshold | 10 msg/sec
System Alert - Fail Over * | A failover has occurred on the Appliance | n.a.
System Alert - Migration Complete * | A data migration involving the Appliance is successfully complete | n.a.
System Alert - Network Connection Speed | The speed of the network connection for the Appliance has dropped below the specified Low Threshold | 10-Half
System Alert - Network Interface | A problem occurred with the Appliance network interface | n.a.
System Alert - RAID Disk Failure | A failure occurred on an Appliance RAID disk | n.a.
System Alert - Synchronization Failure * | A failure occurred during log data synchronization on the Appliance | n.a.
* Indicates System Alert not available on MA product family Appliances.
Figure 98 Manage Alert Rules Type Tab
3. In the Type tab, select an alert type.
Once you select an alert type, the General tab for that alert type automatically appears. The Devices, Alert Receivers, and Email Recipients tabs are enabled.
Table 24 Alert Types
Alert Type | Triggered when...
Adaptive Baseline Alert | The messages/second rate rises above, or falls below, the nominal rate for the traffic. Note: A baseline is established after 1 week from the alert activation time. After the baseline is established, the baseline is adjusted every 15 minutes. The new value is averaged in with the past baseline.
Cisco PIX/ASA Messages Alert | The messages/second rate for a specific PIX/ASA message code is above or below specified rates.
Message Volume Alert | The messages/second rate is above or below specified rates. If the user sets the "Zero Message Alert" checkbox, an alert is triggered only if zero messages are received within the timespan set.
Network Policy Alert * | A network policy message is received with an Accept or Deny Policy Action. The Appliance automatically pulls Check Point firewall rule bases via the Check Point Management Interface (CPMI), but you still must manually enter rules for a Network Policy Alert in the Rules tab.
Parsed Data Alert | Parsed data meets certain conditions specified for the alert. Parsed Data alerts are different from other alert types; they are based on Pre-defined Search Filter alerts. See Parsed Data Alerts on page 117.
Pre-defined Search Filter Alert | A text search filter matches message fields. This uses one of the Appliance's saved RegEx Search Filters.
Ratio Based Alert | The specified message count is above or below a specified percentage of total messages. For example, "Login Success message count is fewer than 10% of total messages." The Appliance checks for any conditions that would trigger a Ratio Based Alert every 60 seconds.
* The Rules tab appears for Network Policy Alerts, and is accessible only after the new alert is initially saved.
** System Alerts do not have a Devices tab.
Note: System Alert is the only type of alert that can be created on an MA Appliance. For the ST Appliance, an Adaptive Baseline Alert and a Message Volume Alert can be created, along with a new System Alert. The LX Appliance can create all types of Alerts.
Tip: The Pre-defined Search Filter is disabled if there are no search filters defined on the Appliance. To create a Pre-defined Search Filter, use Search Filters to add the filter. A search filter for an alert can contain a RegEx expression only.
4. Set up the alert in the General tab.
Options on the General tab vary depending on the alert type. For a complete list of options for a specific alert type, see the Online Help for that alert type. These steps include typical options:
a. Enter a Name for the alert.
b. Set the alert Priority. (High is the default.)
c. Select to Enable the alert. This enables the alert once you click .
d. (Optional) Enter a specific SNMP OID to further define the alert.
For example, this is helpful so that your administrator/receiver knows that all alerts triggered with this SNMP OID originate from a specific device and alert.
e. Enter a Description for the alert.
Tip: Enter a name and description unique enough to easily identify the alert in a large list.
5. Specify log sources for the alert in the Devices tab.
All the log sources on the Appliance are listed in Available Devices. When you move a device to the Selected Devices section, the alerts you configure are activated for those devices. You can define different alerts for different devices.
Select the Track all devices individually checkbox to generate independent alert messages for each selected device. The reset time tracks for the group as a whole and you can change alert properties using one alert for the device group.
Table 24 Alert Types (Continued)
Alert Type | Triggered when...
System Alert ** | An Appliance system criterion is exceeded. For example, "Disk usage exceeds 80%". By default, System Alerts are prioritized as high. You can change their settings to medium or low if needed.
VPN Connections Alert | A VPN connection is denied access and/or disconnected.
VPN Messages Alert | Combinations of specific VPN message area, severity, and code. This alert is applicable to Cisco VPN and Nortel Contivity devices.
VPN Statistics Alert | Recorded statistics on VPN or Radius messages match relative or absolute criteria.
Note: When configuring any alerts (except for System Alerts) on logs transferred using LogLogic TCP, the alert reporting can be slightly less than real-time. Because LogLogic TCP sends data in chunks that the Appliance incrementally merges, an alert can appear anywhere between real-time and up to 5 minutes later. As a result, for example, Message Volume rates can be determined when averaging over a 5 minute or greater increment, but do not provide meaningful averages for smaller timespans. For Cisco PIX/ASA Messages alerts, the Timespan setting should be at least 300 seconds.
6. Specify SNMP trap receivers for the alert in the Alert Receivers tab.
You can define alerts for both SNMP traps and users or for SNMP traps only. The Alert Receivers tab lists all the available SNMP trap and syslog receivers for the Appliance. You must configure SNMP traps, syslog receivers, and/or add specific traps.
7. Specify people to receive alerts via email in the Email Recipients tab.
Note: Email messages that include an alert are limited to 1024 bytes. Any additional alert text is truncated in the email message.
You can define alerts for both users and SNMP traps or for users only. Available Users lists all the users available for the Appliance.
For more information about adding users, see the LogLogic Administration Guide.
8. Click to add the new alert to the Appliance.
Note: The Devices, Alert Receivers, and Email Recipients tabs list disabled log sources, receivers, or recipients marked as (disabled). Disabled entries are ignored during processing, but are listed in these tabs so they’re automatically present when enabled again (via the Manage Devices, Alerts > Alert Receivers, or Manage Users tabs, respectively).
Parsed Data Alerts
Parsed Data alerts are created differently from other alert types. There is no Parsed Data alert type to select in the interface; its creation is based on a Pre-defined Search Filter alert.
1. Create a Pre-defined Search Filter:
a. Name the filter.
b. For filter type, select Use Exact Phrase.
c. For the DB table, specify _table=. (Only one _table= entry is allowed.)
d. Specify columns and values to match as name/value pairs separated by commas. For example:
_table=Authentication,actionID=2,statusID=4
2. Create a Pre-defined Search Filter alert:
a. Name the Search Filter alert with a prefix _parsed_. For example, _parsed_Login Failure.
b. Select the Pre-defined Search Filter you created for this alert.
Usage notes:
Parsed data alerts apply only to messages from configured log sources.
Parsed data alerts apply only to the tables configured in the alert.
Do not configure the same alert for both real-time and pulled data files. Create separate alerts for each, with the same search expression.
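An added example, not LogLogic code, of the filter syntax described above: it parses a Use Exact Phrase expression of the form _table=...,column=value,..., rejects a repeated _table= entry, checks the _parsed_ name prefix, and evaluates the filter over a few constructed parsed records. The record layout (a dict with a _table key plus column names), the sample values and all function names are assumptions made for this example.

```python
PARSED_ALERT_PREFIX = "_parsed_"

# Constructed parsed records, shaped like rows of the Appliance's parsed-data tables.
# The column codes follow the guide's example; their meaning is not interpreted here.
SAMPLE_RECORDS = [
    {"_table": "Authentication", "actionID": "2", "statusID": "4", "user": "admin"},
    {"_table": "Authentication", "actionID": "2", "statusID": "1", "user": "admin"},
    {"_table": "Authentication", "actionID": "1", "statusID": "4", "user": "alice"},
    {"_table": "Network", "actionID": "2", "statusID": "4", "srcIP": "10.0.0.9"},
]


def parse_filter(expression):
    """Parse "_table=T,col=value,..." into (table, {col: value}).

    Exactly one _table= entry is required; every other item is a column/value pair.
    Raises ValueError for a missing or repeated _table= or for an item without '='.
    """
    table = None
    conditions = {}
    for item in expression.split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"expected name=value, got {item!r}")
        name, value = name.strip(), value.strip()
        if name == "_table":
            if table is not None:
                raise ValueError("only one _table= entry is allowed")
            table = value
        else:
            conditions[name] = value
    if table is None:
        raise ValueError("filter must name a table with _table=")
    return table, conditions


def matches(parsed, record):
    """True when the record is in the filter's table and every column value matches."""
    table, conditions = parsed
    if record.get("_table") != table:
        return False
    return all(str(record.get(col)) == value for col, value in conditions.items())


def evaluate_filter(expression, records):
    """Return the records a Parsed Data alert built on this filter would fire on."""
    parsed = parse_filter(expression)
    return [record for record in records if matches(parsed, record)]


def check_alert_name(name):
    """Parsed Data alerts must be named with the _parsed_ prefix."""
    return name.startswith(PARSED_ALERT_PREFIX)


if __name__ == "__main__":
    expression = "_table=Authentication,actionID=2,statusID=4"
    for hit in evaluate_filter(expression, SAMPLE_RECORDS):
        print(hit)
    print(check_alert_name("_parsed_Login Failure"))  # True
```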
Modifying or Removing An Alert
You can modify alert settings or remove alerts from the Manage Alert Rules page. The same tabs appear when you add an alert (see Adding a New Alert on page 114).
To edit, or remove an existing alert rule
1. Click the alert name in the Name column.
Figure 99 Access the Alert Rule
The General tab appears.
Figure 100 View or Edit the Settings for an Alert Rule
2. View the settings for the Alert Rule on the General tab, the Alert Receivers tab, and the Email Recipients tab. Change the settings and click Update to apply them, or click Cancel to retain the existing settings.
3. To remove an existing alert, click the alert’s checkbox (see Figure 99) and then click . The Remove Alerts tab appears, where you can confirm or cancel the removal.
CHAPTER 6:
Generating Real-Time Reports
Real-Time Reports let you search and generate reports for monitoring various real-time activities derived from the log data that is collected from your log sources. Each Real-Time Report category contains multiple specific reports.
The Real-Time Reports are a central component to LogLogic’s Agile Reporting, which lets you quickly view detailed information about your collected log data, catered to your specific needs.
Real-Time Reports can take longer than Saved Reports because they run against all up-to-the-minute raw log data, not against stored summarized log data.
Real-Time Reports capture all hits in collected raw log data that meet the report's criteria.
Contents
Preparing a Real-Time Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Access Control Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Network Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Database Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Operational Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
IBM i5/OS Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Threat Management Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Mail Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Policy Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Table 25 Real-Time Report Categories - Advanced Options
Report Category Reports Provide Page
Access Control The number of times a log source executes an authentication rule page 135
Network Activity Information about connections on a log source page 142
Database Activity Various events occurring on database log sources page 154
Operational Information about syslog messages on log sources page 160
IBM i5/OS Activity Various events occurring on IBM i5/OS log sources page 165
IDS/IPS Activity Information about IDS/IPS systems page 168
Mail Activity Information about mail-related activities on mail server log sources page 169
Policy Information about policies exercised on a log source page 174
Preparing a Real-Time Report
Figure 101 Reporting Tools
To generate a Real-Time Report, refer to the procedure and illustrations shown in Generating a Report—An Example on page 122.
Select a Source or Sources and Search Filters
1. In the navigation menu under Reports, select the category and type of report to generate.
2. Click Create Report to open the Properties window.
3. Under Add Log Sources, click the down arrow next to Select and pick a filter (Name, IP Address, Group or Type) to filter returns.
4. If desired, add a second filter by clicking the + sign and repeating Step 3 as often as you like.
5. To delete a filter, click the - sign to remove the last selection made (repeat if needed). Do not click Cancel unless you want to cancel your report.
6. Click <<Add as a rule, and enter a name in the text field of the dynamic rule pop-up.
7. Click OK to add the selected source and filters to the left-hand pane.
8. Select a device name (or names) by clicking its name or the checkbox next to it.
9. Click <<Add selected log sources to add devices from the selected source to which you want to apply the filters when running the report.
10. Click Run to initiate a report of the selected source and devices with the filters you chose in Step 3.
Schedule and Run a Report
1. When you click Run in Step 10, the Date and Time Range Picker pops up, with Last Hour as the default setting. Click the down arrow next to Last Hour to reveal several other options (Last 2, 3, 6, 12, 18 or 24 Hours; Today; Yesterday).
2. To select a different date range, click the small calendar icon to the right of the current Date and Hour display and choose any month and day for the start of the report period. Move to the right and click the second small calendar icon to choose any month and day for the end of the report period.
3. Click Run again to execute the report.
Resize & Move Columns, Create Charts, Print and Download a Report
1. On the results page, you may resize and move the columns to the positions you prefer by clicking on them and dragging.
2. To see detailed information for a particular Source Device, click the number of returns for the device in the Counts column.
3. Click <back to summarized results and then click Display Chart. Both Pie and Bar charts are available. The chart segments can be highlighted by mousing over them. Right-clicking on the chart or segments opens a print menu.
4. Reports may be downloaded in CSV, PDF, or HTML format by clicking on the icons below the Display Chart button.
Modify Report Settings and Schedule
1. Clicking the Edit Settings button pops up a Properties window again, this time allowing you to Add Columns and Filters if desired.
2. Enter your selections for Add Columns and Filters (if any) and click Save As.
3. Enter a name and description for the report in the pop-up. Select Share with others if desired. Click Save & Close.
4. Click Run Again to execute your report with the new filtering criteria. The new report will appear in the list of all Saved Reports.
5. From the list of Saved Reports, you may click Run or Edit to modify the report settings of any Saved Report.
6. Click the date range (blue type at top left) to modify the timeframe for your report. Apply Selections to add them to the report, then click Save As.
7. Again, enter a name and description of the report in the pop-up. Select Share with others if desired. Click Save & Close. The new report will appear in the list of all Saved Reports.
8. To search for a particular report or report series in the Saved Reports list, click in the Name field and enter a search term.
9. Hit Enter. Any term found in the list of report titles will be highlighted; all other reports not containing the search term will no longer show in the list of Saved Reports. Clear the search term in the Name field and hit Enter to see all Saved Reports again.
10. You may Add a Schedule for a Saved Report by clicking the report Name and then clicking "Schedule selected" at the bottom of the page.
11. You may delete a Saved Report from the list by clicking the report Name and then clicking "Remove selected" at the bottom of the page. You will see a pop-up message asking you to Confirm Deletion.
Saving a Generated Report
There are several options for saving a generated report, available from the icons at the top of the report results:
Save as CSV – Save the report data in a comma-separated .csv file, viewable in spreadsheet applications such as Microsoft Excel
View as HTML – Open the report data formatted in a new browser window or tab, from which you can also download the HTML file for archival
View as PDF – Open the report data in a PDF file, which you can save for archival
Rerunning a Saved Report
To rerun a saved report, go to home: Reports > All Saved Reports and select a previously saved report. You may click the Run icon and regenerate the report with a different time range, or click the Edit icon and change the saved report parameters before rerunning the report. All options are available, not just the ones originally selected. You may customize the new report using new filters and wildcards.
Note: Wildcard searches are supported for IP addresses and detailed messages.
Generating a Report—An Example
This example shows how to generate a Network Activity report that displays denied connection activity related to the IP addresses you select. The steps below apply to the generation of all reports on the Appliance except the Check Point Policies report, which lists current Check Point Firewall policy rules on log sources connected to your Appliance.
The other exception is All Saved Reports, which lists previous search results, saved as reports, and selected to be shared with others at the time of generation.
To generate a Denied Connections Report
1. Select Reports > Network Activity > Denied Connections from the home page menu.
Figure 102 Menu – Reports > Network Activity > Denied Connections
2. Click the Create Report button.
Figure 103 Create Report Button
3. Select the log source connected to the Appliance.
Figure 104 Select Log Source
4. Add the selected device to the Log Source search, then click the Run button.
Figure 105 Add Selected Log Source
5. Specify the time interval to search for data passing through the Appliance.
Figure 106 Date and Time Range Picker
6. On the Denied Connections results page, adjust the order and position of columns.
Figure 107 Denied Connections Results
7. Select Display Chart to graph the Denied Connections results. Pie chart and bar chart options are available. Mousing over the chart segments highlights the results.
Figure 108 Denied Connections Report – Pie Chart Display
8. Right-click a chart segment to print the data in the segment.
Figure 109 Pie Chart Segment Selected for Printing
Figure 110 Bar Chart Display of Denied Connections Report
9. At the top menu, select the CSV, PDF, or HTML icon to export the entire report to a file.
Figure 111 PDF Selected as Export Format
10. To choose another time to run the Denied Connections report, click the date range in the upper left section of the report. The Date and Time Range Picker opens.
Figure 112 Date and Time Range Picker
11. Click the Edit Settings button to revise columns and filters in the report.
Figure 113 Revise Columns and Filters in the Denied Connections Report
To re-run and edit settings of a previously saved report (Denied Connections):
1. Select Reports > Network Activity > Denied Connections from the Home page.
Figure 114 Saved Report – Denied Connections
2. To run the saved report, click the Run icon and then click the Run button on the Date and Time Range Picker that pops up.
Figure 115 Denied Connection Report – Date and Time Range Picker
3. After the Denied Connections report opens, click the Edit Settings button.
Figure 116 Denied Connections Report – Edit Settings Button
4. When the Edit Settings window opens, click Properties... to open the Properties Dialog pane.
Figure 117 Denied Connections Report – Edit Settings Window
Figure 118 Denied Connections Report – Edit Settings Properties Dialog Pane
5. Enter your data and click OK.
6. To add a schedule for the Denied Connections report, select the desired Timeframe using the drop-down menus in the Scheduling pane, and choose the report format (PDF, HTML, CSV).
7. Click the Add Schedule button at the bottom of the Timeframe pane to confirm the schedule for the Denied Connections report.
Figure 119 Denied Connections Report – Edit Settings Properties, Schedule Timeframe Pane
8. Click Save and Close on the Properties... window to save your entries.
9. View the saved schedule for the Denied Connections report.
Figure 120 Schedule Information Added to the Denied Connections Report
10. To make further changes to the Denied Connections report, repeat Steps 1 — 9.
Available Operators
Table 26 on page 134 lists the available filter operators.
Note: Some report columns display as empty when the actual value is either null or an empty string. The two cases are filtered differently:
If the value is null, filter using the token --null--.
If the value is an empty string, filter using two single quotes: ''.
Table 26 Optional Filter Operators
Operator        Description
=               Displays only data whose value equals the value you type.
!=              Excludes data whose value equals the value you type.
in              Displays data whose value is one of the values in the list you type.
not in          Excludes data whose value is one of the values in the list you type.
like            Displays data that has a partial (wildcard) match to the value you type. For example, you can type a partial IP address such as 10.2.3.*; this search returns all IP addresses that begin with 10.2.3.
not like        Excludes data that has a partial (wildcard) match to the value you type.
contain         Displays data that contains the alphanumeric string you type anywhere in the value. For example, typing 'Accessed URL' for the detailed message returns every detailed message in which 'Accessed URL' appears, whether at the start, in the middle, or at the end.
not contain     Excludes data that contains the alphanumeric string you type.
start with      Displays data that begins with the alphanumeric value you type. For example, typing 'Accessed URL' for the detailed message returns only detailed messages that begin with 'Accessed URL'.
not start with  Excludes data that begins with the alphanumeric value you type.
end with        Displays data that ends with the alphanumeric value you type. For example, typing 'Accessed URL' for the detailed message returns only detailed messages that end with 'Accessed URL'.
not end with    Excludes data that ends with the alphanumeric value you type.
regexp          Displays only data that matches the regular expression you define.
not regexp      Displays only data that does not match the regular expression you define.
>               Displays only data whose numeric value is above the threshold you type.
<               Displays only data whose numeric value is below the threshold you type.
between         Displays data whose numeric value is between (inclusive) the two values you type.
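The following Python script is an added example, not part of the LogLogic product or of this guide. It applies the Table 26 operators to a few constructed records so that the behaviour of each operator, including the --null-- and '' tokens from the note above, can be seen on concrete values. The wildcard semantics chosen for like ('*' matches any run of characters, '?' exactly one), case-sensitive string matching, and the rule that a null value satisfies neither a text operator nor its negation are assumptions of this example, not documented Appliance behaviour.

```python
import re
from typing import Any, Dict, List

# Constructed sample records (not Appliance data). None models a null column
# value and "" an empty string; both display as an empty cell in a report.
ROWS: List[Dict[str, Any]] = [
    {"src_ip": "10.2.3.4",   "detail": "Accessed URL http://intranet/", "dst_port": 80},
    {"src_ip": "10.2.3.77",  "detail": "User Accessed URL via proxy",   "dst_port": 8080},
    {"src_ip": "10.20.3.1",  "detail": "Login failed - Accessed URL",   "dst_port": 443},
    {"src_ip": "192.0.2.9",  "detail": None,                            "dst_port": 22},
    {"src_ip": "192.0.2.10", "detail": "",                              "dst_port": 3389},
]

NULL_TOKEN = "--null--"   # filter token for a null value (from the guide)
EMPTY_TOKEN = "''"        # two single quotes: filter token for an empty string


def normalise(arg: Any) -> Any:
    """Map the guide's null/empty filter tokens to the values they stand for."""
    if arg == NULL_TOKEN:
        return None
    if arg == EMPTY_TOKEN:
        return ""
    return arg


def wildcard_to_regex(pattern: str) -> str:
    # Assumed 'like' semantics: '*' matches any run of characters, '?' exactly one.
    return "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"


def text_op(fn):
    """Wrap a string predicate so that a null value never matches (SQL-like)."""
    return lambda value, arg: value is not None and fn(str(value), str(arg))


POSITIVE = {
    "=":          lambda v, a: v == normalise(a),
    "in":         lambda v, a: v in [normalise(x) for x in a],
    "like":       text_op(lambda v, a: re.match(wildcard_to_regex(a), v) is not None),
    "contain":    text_op(lambda v, a: a in v),
    "start with": text_op(lambda v, a: v.startswith(a)),
    "end with":   text_op(lambda v, a: v.endswith(a)),
    "regexp":     text_op(lambda v, a: re.search(a, v) is not None),
    ">":          lambda v, a: v is not None and v > a,
    "<":          lambda v, a: v is not None and v < a,
    "between":    lambda v, a: v is not None and a[0] <= v <= a[1],
}
# Each negated operator is built from its positive form.
NEGATED = {"!=": "=", "not in": "in", "not like": "like", "not contain": "contain",
           "not start with": "start with", "not end with": "end with",
           "not regexp": "regexp"}


def matches(value: Any, operator: str, arg: Any) -> bool:
    """True if one column value satisfies `<operator> <arg>`."""
    if operator in POSITIVE:
        return POSITIVE[operator](value, arg)
    base = NEGATED[operator]
    if base in ("=", "in"):
        return not POSITIVE[base](value, arg)           # plain complement
    # A null value fails a text test and its negation alike (assumption).
    return value is not None and not POSITIVE[base](value, arg)


def apply_filter(rows: List[Dict[str, Any]], column: str, operator: str, arg: Any):
    """Rows that pass a single optional filter on `column`."""
    return [r for r in rows if matches(r.get(column), operator, arg)]


def matching_values(rows, column: str, operator: str, arg: Any, show: str) -> List[Any]:
    """The `show` column of every row that passes the filter, in input order."""
    return [r[show] for r in apply_filter(rows, column, operator, arg)]


if __name__ == "__main__":
    print("like 10.2.3.*      ->", matching_values(ROWS, "src_ip", "like", "10.2.3.*", "src_ip"))
    print("contain Accessed   ->", matching_values(ROWS, "detail", "contain", "Accessed URL", "src_ip"))
    print("detail = --null--  ->", matching_values(ROWS, "detail", "=", NULL_TOKEN, "src_ip"))
    print("detail = ''        ->", matching_values(ROWS, "detail", "=", EMPTY_TOKEN, "src_ip"))
```

Note the difference between the three string operators on the same value 'Accessed URL': contain returns all three non-empty detailed messages, start with returns only the one that begins with it, and end with only the one that ends with it. Note also that not contain drops the null row as well as the matching rows, so a "find everything except X" filter on a column that can be null must be combined with != --null-- if null rows are wanted.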
Access Control Reports
To search for and generate reports on the number of times a selected log source executes an authentication rule, use Access Control reports.
The submenu that appears when you click home: Reports > Access Control lists which reports are available for each log source.
To access Access Control reports
Choose home: Reports > Access Control > report-name from the navigation submenu, where report-name is one of the Access Control reports.
Preparing a Real-Time Report on page 120 includes the common options that you specify for all Real-Time Reports.
Optional filter operators are different for each Access Control report, and are explained in their respective sections linked from Table 27.
For information on using the generated report, see Saving a Generated Report on page 122.
Table 27 Access Control Reports
Report                   Reports Provide                                                                  Page
Permission Modification  Changes made to user access during a specified time interval                     page 136
User Access              Who has connected to a log source during a specified time interval               page 137
User Authentication      Who has authenticated to a log source during a specified time interval           page 138
User Created/Deleted     What users were created or deleted during a specified time interval              page 139
User Last Activity       Most recent activity of users during a specified time interval                   page 140
Windows Events           Data about all log events from the Microsoft Windows operating system            page 141
Permission Modification Reports
To search for and generate a report on activities related to modification of user permissions (for example, adding or deleting permissions) on selected log sources during a specified time interval, use the Permission Modification Real-Time Report.
Menu path: home: Reports > Access Control > Permission Modification
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:
For information on using the generated report, see Saving a Generated Report on page 122.
Table 28 Permission Modification Report Optional Filter Operators
Option Description
Source Device Description of the device that sent these log messages
User User who made changes
Actions Action taken to modify permission
Status Status of the change
Source IP IP address of the source host device
Source Domain Domain of the source host device
Target User User for whom modifications were made
Target IP IP address of the target host on which the change was made
Target Domain Domain of the target host on which the change was made
Type Type of changes made
Count Number of changes made
User Access Reports
To search for and generate a report on user activities in accessing resources (for example, service, file, directory, application) on selected log sources during a specified time interval, use the User Access Real-Time Report.
Menu path: home: Reports > Access Control > User Access
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:
For information on using the generated report, see Saving a Generated Report on page 122.
Table 29 User Access Report Optional Filter Operators
Option Description
Source Device Description of the device that sent these log messages
User User who is making the inquiry
Source IP IP address of the source host device
Source Domain Domain of the source host device
Target User User for whom inquiry is being made
Target IP IP address of the accessed host
Target Domain Domain of the accessed host
Action Action taken
Status Status of the connection
Type Type of connection
Count Number of connections
User Authentication Reports
To search for and generate a report on who has authenticated on selected log sources during a specified time interval, use the User Authentication Real-Time Report.
Menu path: home: Reports > Access Control > User Authentication
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only the Source Device, User, Source IP, Status, and Count.
For information on using the generated report, see Saving a Generated Report on page 122.
Table 30 User Authentication Report Optional Filter Operators
Option Description
Source Device Description of the device that sent these log messages
User User who is making the inquiry
Source IP IP address of the source host device
Source Domain Domain of the source host device
Target User User for whom the inquiry is made
Status Status of the connection
Type Type of connection
Disconnect Reason Reason the connection was terminated
Count Number of connections
User Created/Deleted Reports
To search for and generate a report on what users have been created or deleted on selected log sources during a specified time interval, use the Users Created/Deleted Real-Time Report.
Menu path: home: Reports > Access Control > User Created/Deleted
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only the Source Device, User, Source IP, Target User, Target IP, and Count.
For information on using the generated report, see Saving a Generated Report on page 122.
Table 31 User Created/Deleted Report Optional Filter Operators
Option Description
Source Device Description of the device that sent these log messages
User User who is making the inquiry
Source IP IP address of the source host device
Target User User for whom the inquiry is being made
Target IP IP address of the host on which the user was created or deleted
Action Action taken
Action Details Details of the action
Status Status of use
Count Number of connections
User Last Activity Reports
To search for and generate a report on the most recent activity of all users on selected log sources during a specified time interval, use the User Last Activity report.
Menu path: home: Reports > Access Control > User Last Activity
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:
For information on using the generated report, see Saving a Generated Report on page 122.
Table 32 User Last Activity Report Optional Filter Operators
Option Description
Source Device Description of the device that sent these log messages
Time Time of connection
Connection ID ID number for the connection
User User who is making the inquiry
Source IP IP address of the source host device
Target User User for whom the inquiry is being made
Target IP IP address of the accessed host
Action Action taken
Action Details Details of the action
Status Status of the activity
Access Details Details of access
Windows Events Reports
To search for and generate a report on all Windows Event IDs, the number of events for each ID, and a description of each ID for selected log sources running the Microsoft Windows operating system, use the Windows Events Real-Time Report. The captured log events include, for example, application, security, and system events.
Menu path: home: Reports > Access Control > Windows Events
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only the Source Device, Event ID, and Count.
For information on using the generated report, see Saving a Generated Report on page 122.
Table 33 Windows Events Report Optional Filter Operators
Option Description
Source Device Description of the device that sent these log messages
Event ID Numeric Windows Event ID identifying the type of event logged on the source device
User User ID on the source device
Source Domain Domain name of the source device
Target User User ID of the destination device
Target Domain Domain name of the destination device
Action Action taken
Status Status of use
Type Windows event type (for example, Error, Warning, Information, Success Audit, or Failure Audit)
Count Number of Windows events for the source device
Network Activity Reports
To search for and generate reports on information about connections on log sources, use Network Activity reports.
The Report Information tab that appears when you click home: Reports > Network Activity lists which reports are available for each log source.
To access Network Activity reports
Choose home: Reports > Network Activity > report-name from the navigation menu, where report-name is one of the reports listed in Table 34.
Preparing a Real-Time Report on page 120 includes the common options that you specify for all Real-Time Reports.
Optional filter operators are different for each Network Activity report, and are explained in their respective sections linked from Table 34.
For information on using the generated report, see Saving a Generated Report on page 122.
Table 34 Network Activity Reports
Report                    Reports Provide                                                                   Page
Accepted Connections      IP connections accepted by a log source                                           page 143
Active FW Connections     Current active sessions from selected firewall log sources                        page 144
Active VPN Connections    Current active sessions through various VPN log sources                           page 145
Application Distribution  Messages, grouped by application port, accepted by a log source                   page 146
Denied Connections        Connections denied by selected firewall log sources                               page 147
FTP Connections           Syslog messages related to FTP traffic through a selected firewall log source     page 148
VPN Access                Number of VPN connections that the log source completed or denied                 page 149
VPN Sessions              VPN session data, including start and end times, during a specified time interval page 150
VPN Top Lists             Top users and IP addresses, and statistics                                        page 151
Web Cache Activity        Locally-stored web information served during a specified time interval            page 175
Web Surfing Activity      Web information served during a specified time interval                           page 176
Accepted Connections Reports
To search for and generate a report on IP connections that were accepted by selected firewall log sources during a specified time interval, use the Accepted Connections Real-Time Report.
Note: Accepted Connections data is summarized in ten-minute and one-hour intervals. If the report time interval is less than two hours, the ten-minute summaries are used; if it is more than two hours, the one-hour summaries are used.
Menu path: home: Reports > Network Activity > Accepted Connections
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:
Note: Column headings differ for PIX and non-PIX devices.
* Note: Under certain conditions, Network Address Translation (NAT) addresses can show up as 0.0.0.0 in real-time reports such as Accepted Connections. This is not a bug: some messages, for example FWSM-4-106100 from the Firewall Services Module in Cisco Catalyst 6500 Series Switches, do not carry a translated (mapped) address, so there is no relevant IP address in the parsed log and zero is the correct value.
For information on using the generated report, see Saving a Generated Report on page 122.
Table 35 Accepted Connections Report Optional Filter Operators
Option Description
Source Device Description of the device that sent these log messages
Translated IP IP address as translated by the device*
Source IP IP address of the source host (non-PIX devices only)
Destination IP IP address of the destination host device (non-PIX devices only)
Port Protocol and port number (service) of the destination host
Description Description of the port (service)
Messages Number of log messages received representing this connection
In Bytes Number of incoming bytes (Check Point Interface, Cisco PIX, and Juniper Firewall only)
Out Bytes Number of outgoing bytes (Check Point Interface, Cisco PIX, and Juniper Firewall only)
Action Accept or encrypt - Identifies if the connection was accepted or accepted with encryption (Check Point Interface only)
Active FW Connections Reports
To search for and generate a report on current active sessions through selected Cisco PIX Firewall log sources, use the Active FW Connections Real-Time Report.
The Active Firewall Connection report is generated by monitoring the start and end messages of a particular connection in progress. Connections that have generated a start message but have not yet generated an end message are assumed to be active for a period of time before being timed-out.
Menu path: home: Reports > Network Activity > Active FW Connections
In Active FW Connections reports, you must specify the log source using the screen elements listed in Table 36.
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:
For information on using the generated report, see Saving a Generated Report on page 122.
Note: The generated list displays in real-time. As a result, the last page of connections might be closed/no longer active by the time you scroll to the last page. This results in no data displaying in the last page of the report.
Table 36 Active FW Connections Screen Elements
Element Description
IP Address IP address for the log source
Port Port number for the log source
Protocol Protocol type (from the drop-down menu)
Table 37 Active FW Connections Report Optional Filter Operators
Option Description
Create Time Time the session began
Connection ID ID assigned to the unique connection in the log message
Protocol IP Protocol (TCP, UDP, etc.) of the connection
Global Address/Port Public (NAT’ed) IP address of the source host (IP address only)
Local Address/Port IP address of the internal host device (IP address only)
Foreign Address/Port IP address of the external host device (IP address only)
Direction Inbound or Outbound connection attempt
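The following Python script is an added example (not LogLogic code) of the start/end tracking this report relies on. It reads constructed Cisco ASA/PIX Built (302013/302015) and Teardown (302014/302016) messages, keeps connections that have a Built but no Teardown as active, and ages them out after a timeout, producing the columns of Table 37. The one-hour default timeout, the mapping of the message's "to" endpoint to the Local/Global columns and its "for" endpoint to Foreign, and the assumption that messages arrive in time order are choices of this example, not documented Appliance behaviour.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, NamedTuple, Tuple, Union

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample lines (not from a real device) in the Cisco ASA/PIX
# 302013/302015 (Built) and 302014/302016 (Teardown) formats, each prefixed
# with the timestamp the collector stamped on it.
SAMPLE_LOGS = """\
2010-12-01 10:00:00 fw1 %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.1.1.20/51234 (198.51.100.1/51234)
2010-12-01 10:00:05 fw1 %ASA-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.9/40000 (198.51.100.9/40000) to dmz:10.9.9.9/22 (198.51.100.2/22)
2010-12-01 10:00:20 fw1 %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/443 to inside:10.1.1.20/51234 duration 0:00:20 bytes 5120 TCP FINs
2010-12-01 10:30:00 fw1 %ASA-6-302015: Built outbound UDP connection 1003 for outside:192.0.2.53/53 (192.0.2.53/53) to inside:10.1.1.21/50000 (198.51.100.1/50000)
"""

BUILT_RE = re.compile(
    r"%(?:ASA|PIX|FWSM)-6-3020(?:13|15): Built (?P<direction>inbound|outbound) "
    r"(?P<proto>TCP|UDP) connection (?P<id>\d+) for "
    r"(?P<for_if>[\w-]+):(?P<for_ip>[\d.]+)/(?P<for_port>\d+) \((?P<for_map>[\d.]+/\d+)\) to "
    r"(?P<to_if>[\w-]+):(?P<to_ip>[\d.]+)/(?P<to_port>\d+) \((?P<to_map>[\d.]+/\d+)\)"
)
TEARDOWN_RE = re.compile(
    r"%(?:ASA|PIX|FWSM)-6-3020(?:14|16): Teardown (?P<proto>TCP|UDP) connection (?P<id>\d+) for"
)


class Conn(NamedTuple):
    create_time: datetime
    conn_id: str
    protocol: str
    direction: str
    global_addr: str    # mapped (NAT'ed) address/port of the local host
    local_addr: str     # real address/port of the local host
    foreign_addr: str   # real address/port of the remote host


Event = Tuple[datetime, str, Union[Conn, str]]


def parse_events(text: str) -> Iterator[Event]:
    """Yield (timestamp, 'built', Conn) or (timestamp, 'teardown', conn_id)."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts = datetime.strptime(line[:19], TS_FMT)
        m = BUILT_RE.search(line)
        if m:
            # Assumption: the "to" endpoint is the local host (its parenthesised
            # address is the NAT'ed/global one) and the "for" endpoint is foreign.
            yield ts, "built", Conn(
                create_time=ts, conn_id=m["id"], protocol=m["proto"],
                direction=m["direction"], global_addr=m["to_map"],
                local_addr=f"{m['to_ip']}/{m['to_port']}",
                foreign_addr=f"{m['for_ip']}/{m['for_port']}",
            )
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            yield ts, "teardown", m["id"]
        # other message IDs are ignored


def active_connections(text: str, now: str, timeout_seconds: int = 3600) -> List[Conn]:
    """Connections with a Built but no Teardown as of `now`, not older than the timeout."""
    now_dt = datetime.strptime(now, TS_FMT)
    timeout = timedelta(seconds=timeout_seconds)
    active: Dict[str, Conn] = {}
    for ts, kind, payload in parse_events(text):
        if ts > now_dt:
            break                       # input is assumed time-ordered; later messages do not count
        if kind == "built":
            active[payload.conn_id] = payload
        else:
            active.pop(payload, None)   # a Teardown with no matching Built is ignored
    # A connection with no Teardown is assumed active only until the timeout elapses.
    return sorted((c for c in active.values() if now_dt - c.create_time <= timeout),
                  key=lambda c: c.create_time)


if __name__ == "__main__":
    for c in active_connections(SAMPLE_LOGS, "2010-12-01 10:00:10"):
        print(c.create_time, c.conn_id, c.protocol, c.global_addr, c.local_addr,
              c.foreign_addr, c.direction)
```

Run against the sample with different values of `now` to see the effect described in the note above: at 10:00:10 both TCP connections are active, at 10:00:30 connection 1001 has been torn down, and at 11:30:00 connection 1002 has aged out without ever producing a Teardown while the newer UDP connection 1003 is still listed.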
Active VPN Connections Reports
To search for and generate a report on current active sessions through selected VPN and RADIUS log sources, use the Active VPN Connections Real-Time Report.
Menu path: home: Reports > Network Activity > Active VPN Connections
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:
For information on using the generated report, see Saving a Generated Report on page 122.
Note: The generated list displays in real-time. As a result, the last page of connections might be closed/no longer active by the time you scroll to the last page. This results in no data displaying in the last page of the report.
Table 38 Active VPN Connections Report Optional Filter Operators
Option Description
Source Device Description of the device that sent these log messages
Connections Number of log messages received representing connections
Application Distribution Reports
To search for and generate a report that summarizes accepted traffic by application ports through selected firewall log sources during a specified time interval, use the Application Distribution Real-Time Report.
Note: Application Distribution data is summarized in ten-minute and one-hour intervals. If the report time interval is less than two hours, the ten-minute summaries are used; if it is more than two hours, the one-hour summaries are used.
Menu path: home: Reports > Network Activity > Application Distribution
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:
For information on using the generated report, see Saving a Generated Report on page 122.
Table 39 Application Distribution Report Optional Filter Operators
Option Description
Source Device Description of the device that sent these log messages
Port Port number (service) of the connection
Protocol IP protocol (TCP, UDP, etc.) of the connection
Description Description of the port (service)
Messages Number of log messages received representing this connection
Src -> Dest Bytes Number of outbound bytes sent (not for Nortel VPN)
Bar Graph Percentage of total outbound bytes represented as a bar graph
Percentage Number of outbound bytes represented as a percentage
Dst -> Src Bytes Number of inbound bytes received (not for Nortel VPN)
Bar Graph Percentage of total inbound bytes represented as a bar graph
Percentage Number of inbound bytes represented as a percentage
Denied Connections Reports
To search for and generate a report on connections denied by selected firewall log sources during a specified time interval, use the Denied Connections Real-Time Report.
Menu path: home: Reports > Network Activity > Denied Connections
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select:
The type of information the Appliance aggregates for the generated report (Table 40)
Various optional filter operators in the generated report for your Appliance (Table 41)
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following optional filter operators:
For help understanding the resulting report, see Saving a Generated Report on page 122.
Table 40 Denied Connections Report Summary Methods
Method                       Description
Src IP/Any --> Any/Port      Aggregates records from a specific source IP (any source port) going to any destination IP and a specific destination port. The system derives the source IP and destination port from your Device Type and Source Device selections.
Src IP/Any --> Dest IP/Port  Aggregates records from a specific source IP (any source port) going to a specific destination IP and a specific destination port. The system derives the source IP and destination IP from your Device Type and Source Device selections.
Denied by Port               Aggregates records by destination port number only.
Table 41 Denied Connections Report Optional Filter Operators
Option Description
Source Device Description of the device that sent these log messages
Attempts* Number of denied connection attempts recorded in the log messages
Src IP IP address of the source host device
Src Port Port number of the source host device
Dest IP IP address of the destination host device
Dest Port Port number of the destination host device
Protocol IP protocol (TCP, UDP, etc.) of the connection
Description Description of the destination port (service)
Access Group (Cisco PIX/ASA only) Name of the access group (access list) on the firewall that denied the connection
Rules (Check Point Interface only) Condition set on the firewall to complete the security policy; identifies what is allowed and not allowed through a specific interface.
Policy ID Unique policy identifier of the device on the firewall (Juniper Firewall only)
Direction (Check Point Interface, Cisco PIX/ASA/FWSM, Juniper Firewall, and Nortel Contivity only) Inbound or Outbound connection attempt. Direction is stored as a number internally, for INBOUND use 1, for OUTBOUND use 2, and for INTERNAL use 3.
* Note: For Cisco routers, the “Attempts” count under the “Src IP/Any” methods is larger than the number of log messages, because in this case the Appliance counts the IP packets reported in the messages (a router access-list log message can summarize several packets) rather than the messages themselves.
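As an added example (not LogLogic code), the following Python script parses constructed Cisco ASA/PIX %ASA-4-106023 deny messages and aggregates them with the three summary methods of Table 40, then isolates the source IPs whose attempt count reaches a threshold, which is what an Attempts filter with the > operator does in the report. The sample lines are constructed, and including the IP protocol in each grouping key (so that tcp/445 and udp/445 are counted separately) is an assumption of this example rather than documented Appliance behaviour.

```python
import re
from collections import Counter
from typing import Callable, Dict, List, NamedTuple, Tuple

# Constructed sample syslog lines (not captured from a real device) in the Cisco
# ASA/PIX %ASA-4-106023 "Deny ... by access-group" format.
SAMPLE_LOGS = """\
Jan 12 10:00:01 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:10.1.1.20/445 by access-group "outside_in" [0x0, 0x0]
Jan 12 10:00:02 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51235 dst inside:10.1.1.21/445 by access-group "outside_in" [0x0, 0x0]
Jan 12 10:00:03 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51236 dst inside:10.1.1.20/445 by access-group "outside_in" [0x0, 0x0]
Jan 12 10:00:04 fw1 %ASA-4-106023: Deny udp src outside:198.51.100.7/40000 dst inside:10.1.1.53/53 by access-group "outside_in" [0x0, 0x0]
Jan 12 10:00:05 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/40001 dst inside:10.1.1.20/445 by access-group "outside_in" [0x0, 0x0]
Jan 12 10:00:06 fw1 %ASA-4-106023: Deny tcp src dmz:10.9.9.9/3333 dst inside:10.1.1.22/22 by access-group "dmz_in" [0x0, 0x0]
"""

DENY_RE = re.compile(
    r"%(?:ASA|PIX|FWSM)-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)


class Deny(NamedTuple):
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    access_group: str   # the Access Group column: the ACL that denied the packet


def parse_denies(text: str) -> List[Deny]:
    """One Deny record per 106023 message; lines with other message IDs are skipped."""
    denies = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m is None:
            continue
        denies.append(Deny(m["proto"], m["src_ip"], int(m["src_port"]),
                           m["dst_ip"], int(m["dst_port"]), m["acl"]))
    return denies


# Table 40's summary methods expressed as grouping keys. Keeping the protocol in
# the key is this example's assumption, so that tcp/445 and udp/445 stay separate.
SUMMARY_METHODS: Dict[str, Callable[[Deny], Tuple]] = {
    "Src IP/Any --> Any/Port":     lambda d: (d.src_ip, d.proto, d.dst_port),
    "Src IP/Any --> Dest IP/Port": lambda d: (d.src_ip, d.dst_ip, d.proto, d.dst_port),
    "Denied by Port":              lambda d: (d.proto, d.dst_port),
}


def summarize(denies: List[Deny], method: str) -> List[Tuple[Tuple, int]]:
    """(group key, Attempts) pairs for one summary method, most attempts first."""
    counts = Counter(SUMMARY_METHODS[method](d) for d in denies)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def sources_over_threshold(denies: List[Deny], min_attempts: int) -> List[str]:
    """Source IPs whose total denied attempts reach min_attempts (an Attempts threshold filter)."""
    per_src = Counter(d.src_ip for d in denies)
    return sorted(ip for ip, n in per_src.items() if n >= min_attempts)


if __name__ == "__main__":
    records = parse_denies(SAMPLE_LOGS)
    for method in SUMMARY_METHODS:
        print(method)
        for key, attempts in summarize(records, method):
            print("   ", attempts, key)
    print("sources with 2+ attempts:", sources_over_threshold(records, 2))
```

The first method collapses the three attempts from 203.0.113.5 against port 445 into a single row regardless of which inside host was targeted, which is the view that shows a host sweeping one service across your address space; the second keeps the destination host, which is the view for a repeated attempt against one server; the third shows only which services are being probed.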
FTP Connections Reports
To search for and generate a report on all syslog messages related to FTP traffic through the selected firewall device during a specified time interval, use the FTP Connections Real-Time Report.
Menu path: home: Reports > Network Activity > FTP Connections
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:
For information on using the generated report, see Saving a Generated Report on page 122.
Table 42 FTP Connections Report Optional Filter Operators
Option Description
Source Device Description of the device that sent these log messages
Source Device IP IP address of the source device that sent these log messages
From Source IP address of the FTP connection
To Destination IP address of the FTP connection
Count Number of times syslog messages related to FTP traffic were generated
VPN Access Reports
To search for and generate reports on the VPN connections that the selected log sources either completed or denied during a specified time interval, use the VPN Access Real-Time Report.
Menu path: home: Reports > Network Activity > VPN Access
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:
For information on using the generated report, see Saving a Generated Report on page 122.
The Appliance does not receive disconnect messages for VPN sessions. A VPN session is recorded permanently in the authentication database table only after it is disconnected; until then the session is considered active. A Check Point VPN session is considered disconnected when the same user makes a new connection attempt from the same IP address.
Table 43 VPN Access Report Optional Filter Operators
Option Description
Source Device Description of the device that sent these log messages
Public IP Public IP address originating the VPN connection
Group VPN group of which the source device is a part
User VPN user ID
Target User VPN user ID of the originating VPN connection
Connections Number of log messages received representing connections
Denies Number of denied connection messages received
Avg Duration Average duration of each connection
Byte Count Number of bytes transferred during the session
Avg Bandwidth (Bytes/Sec) Average bandwidth used for each connection
VPN Sessions Reports
To search for and generate a report on data about VPN sessions (including initiation and conclusion times) on selected log sources during a specified time interval, use the VPN Sessions Real-Time Report.
Menu path: home: Reports > Network Activity > VPN Sessions
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only the Source Device, User, Avg Duration, Avg Bytes, and Count.
For information on using the generated report, see Saving a Generated Report on page 122.
The Appliance does not receive disconnect messages for VPN sessions. A VPN session is recorded permanently in the authentication database table only after it is disconnected; until then the session is considered active. A Check Point VPN session is considered disconnected when the same user makes a new connection attempt from the same IP address.
Table 44 VPN Sessions Report Optional Filter Operators
Option Description
Source Device Description of the device that sent these log messages
User User ID
Target User User ID on the device with which the source device attempted to connect
Source IP IP address of the device that sent these log messages
Target IP IP address of the device with which the source device attempted to connect
Avg Duration Average duration of each connection
Avg Bytes Average number of bytes
Count Number of VPN sessions
VPN Top Lists Reports
To search for and generate a report on the top users, IP addresses, and other statistics, use the VPN Top Lists Real-Time Report.
Menu path: home: Reports > Network Activity > VPN Top Lists
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:
IMPORTANT! If you run a report for the Top Disconnect Reasons, the “unknown” that displays in the Disconnect Reasons column represents a disconnect reason reported by RADIUS. If your RADIUS server is not properly connected, all reasons display as “unknown”. Click a Connections number or Source Device to drill down and view the Disconnect Details column. This column displays the VPN syslog messages associated with the disconnect reason.
For information on using the generated report, see Saving a Generated Report on page 122.
Table 45 VPN Top Lists Report Types
Report Type Description
Top Disconnect Reasons Top reasons for disconnects
Top Number of Denies Top number of denies by user or IP address
Top Number of Connections Top number of connections by user or IP address
Top Bytes Transferred Top number of bytes transferred by user or IP address
Top Bandwidth Top bandwidth by user or IP address
Top Connection Duration Top connection duration by user or IP address
Web Cache Activity Reports
To search for and generate a report on all URLs accessed through proxy or cache servers on specified log sources during a specified time interval, use the Web Cache Activity Real-Time Report.
Menu path: home: Reports > Network Activity > Web Cache Activity
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Source IP, Destination IP, Status, Size, and Count:
When you drill down on Web Cache Activity report’s results, there is no default sort-by selection. The drill-down results are generally in order by time. If you specify a sort-by selection for this report's drill-down, performance in generating the drill-down results is slower.
For information on using the generated report, see Saving a Generated Report on page 122.
Table 46 Web Cache Activity Report Optional Filter Operators
Option Description
Source Device Description of the device that sent these log messages
Source User User of the source device
Source IP IP address of the source device
Source Host Host name of the source device
Domain Name Domain name of the source device
Destination IP IP address of the destination device
Destination Port Port of the destination device
Peer IP IP address of the peer device
Peer Host Host name of the peer device
Peer Status A code that explains how the request was handled; for example, by forwarding it to a peer or returning the request to the source
Method Request method to obtain an object; for example, GET
URL URL requested
Cache Code Information on the result of the transaction: the kind of request, how it was satisfied, or in what way it failed
Status HTTP result codes
Type Content type of the object as seen in the HTTP reply header
Size Number of bytes transferred
Count Number of cache views
Web Surfing Activity Report
To search for and generate a report on all URLs accessed via firewalls or web servers on selected log sources during a specified time interval, use the Web Surfing Activity Real-Time Report.
Menu path: home: Reports > Network Activity > Web Surfing Activity
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device IP, Source IP, Destination IP, Status, Size, and Count:
When you drill down on Web Surfing Activity report’s results, there is no default sort-by selection. The drill-down results are generally in order by time. If you specify a sort-by selection for this report's drill-down, performance in generating the drill-down results is slower.
For information on using the generated report, see Saving a Generated Report on page 122.
Table 47 Web Surfing Activity Report Optional Filter Operators
Option Description
Source Device IP IP address of the device that sent these log messages
Source User User ID of the source device
Source IP IP address of the device originating the connection
Source Host Host name of the source device
Domain Name Domain name of the source device
Destination IP IP address of the destination device
Destination Port Port of the destination device
Method Request method to obtain an object; for example, GET
URL URL requested
Status HTTP result codes
Type Content type of the object as seen in the HTTP reply header
Size Number of bytes transferred
Count Number of syslog messages received for this connection and status code
Database Activity Reports
To search for and generate reports on various events occurring on database server log sources, use the Database Activity reports.
The Report Information tab that appears when you click home: Reports > Database Activity lists which reports are available for each log source.
To access Database Activity reports
Choose home: Reports > Database Activity > report-name from the navigation menu, where report-name is one of:
Preparing a Real-Time Report on page 120 includes the common options that you specify for all Real-Time Reports.
Optional filter operators are different for each Database Activity report, and explained in their respective sections linked from Table 48.
For information on using the generated report, see Saving a Generated Report on page 122.
Table 48 Database Activity Reports
Report Reports Provide Page
All Database Events Event types occurring during a specified time interval page 155
Database Access All database server connections, including user access and failed user access attempts page 156
Database Data Access User access and changes to data for a specified time interval page 157
Database Privilege Modifications Database privilege changes, such as user reconfiguration and privilege manipulation page 158
Database System Modifications System database changes such as drops and table drops page 159
All Database Events Reports
To search for and generate a report on the event types that are occurring on specified database server log sources during a specified time interval, use the All Database Events Real-Time Report.
Menu path: home: Reports > Database Activity > All Database Events
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are selected: Source Device, Database, Event Type ID, Event Type Name, Count.
For information on using the generated report, see Saving a Generated Report on page 122.
Table 49 All Database Events Report Optional Filter Operators
Option Description
Source Device Description of the device that sent these log messages
Database Database name on which the action occurred
DB User User name of the database user whose actions were audited
Sys Priv System privileges granted or revoked
Database Object Name Name of the object affected by the action
Status Status or return code of the action completion (numeric value)
Severity Severity level of the event
OS User Operating system login user name of the user whose actions were audited
Event Type ID Database vendor audit code for the action type
Event Type Name Type of database event such as DROP_TABLE, SQL_UPDATE, or CREATE_TABLE (names vary by vendor)
Object Priv Object privileges granted or revoked on the database object
Count Number of log entries returned with the given parameters
Database Access
To search for and generate a report on all database server connections, including user access and failed user access attempts, on specified database server log sources during a specified time interval, use the Database Access Real-Time Report.
Menu path: home: Reports > Database Activity > Database Access
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are selected: Source Device, Database, Event Type ID, Event Type Name, Count.
For information on using the generated report, see Saving a Generated Report on page 122.
Table 50 Database Access Report Optional Filter Operators
Option Description
Source Device Description of the device that sent log data
Database Database name on which the action occurred
DB User User name of the database user whose actions were audited
Sys Priv System privileges granted or revoked
Database Object Name Name of the object affected by the action
Status Status or return code of the action completion (numeric value)
Severity Severity level of the event
OS User Operating system login user name of the user whose actions were audited
Event Type ID Database vendor audit code for the action type
Access Type The action or method used to access any database object
Object Priv Object privileges granted or revoked on the database object
Count Number of log entries returned with the given parameters
Database Data Access
To search for and generate a report on user access and changes to your data on specified database server log sources during a specified time interval, use the Database Data Access Real-Time Report.
Menu path: home: Reports > Database Activity > Database Data Access
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are selected: Source Device, Database, Event Type ID, Event Type Name, Count.
For information on using the generated report, see Saving a Generated Report on page 122.
Table 51 Database Data Access Report Optional Filter Operators
Option Description
Source Device Description of the device that sent log data
Database Database name on which the action occurred
DB User User name of the database user whose actions were audited
Sys Priv System privileges granted or revoked
Database Object Name Name of the object affected by the action
Status Status or return code of the action completion (numeric value)
Severity Severity level of the event
OS User Operating system login user name of the user whose actions were audited
Event Type ID Database vendor audit code for the action type
Access Type The action or method used to access any database object
Object Priv Object privileges granted or revoked on the database object
Count Number of log entries returned with the given parameters
Database Privilege Modifications
To search for and generate a report on database privilege changes, such as user reconfiguration and privilege manipulation, on specified database server log sources during a specified time interval, use the Database Privilege Modifications Real-Time Report.
Menu path: home: Reports > Database Activity > Database Privilege Modifications
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are selected: Source Device, Database, Event Type ID, Event Type Name, Count.
For information on using the generated report, see Saving a Generated Report on page 122.
Table 52 Database Privilege Modifications Report Optional Filter Operators
Option Description
Source Device Description of the device that sent log data
Database Database name on which the action occurred
DB User User name of the database user whose actions were audited
Sys Priv System privileges granted or revoked
Database Object Name Name of the object affected by the action
Status Status or return code of the action completion (numeric value)
Severity Severity level of the event
OS User Operating system login user name of the user whose actions were audited
Event Type ID Database vendor audit code for the action type
Modification Type Modification action of a user, profile, or role privilege
Object Priv Object privileges granted or revoked on the database object
Count Number of log entries returned with the given parameters
Database System Modifications
To search for and generate a report on system database changes such as drops and table drops, use the Database System Modifications Real-Time Report.
Menu path: home: Reports > Database Activity > Database System Modifications
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are selected: Source Device, Database, Event Type ID, Event Type Name, Count.
For information on using the generated report, see Saving a Generated Report on page 122.
Table 53 Database System Modifications Report Optional Filter Operators
Option Description
Source Device Description of the device that sent log data
Database Database name on which the action occurred
DB User User name of the database user whose actions were audited
Sys Priv System privileges granted or revoked
Database Object Name Name of the object affected by the action
Status Status or return code of the action completion (numeric value)
Severity Severity level of the event
OS User Operating system login user name of the user whose actions were audited
Event Type ID Database vendor audit code for the action type
Access/Modification Type Modification action of a user, profile, or role privilege
Object Priv Object privileges granted or revoked on the database object
Count Number of log entries returned with the given parameters
Operational Reports
To search for and generate reports on information about syslog messages on log sources, use Event Logs reports.
The Report Information tab that appears when you click on home: Reports > Operational lists which reports are available for each log source.
To access Event Logs reports
Choose home: Reports > Operational > report-name from the navigation menu, where report-name is one of:
Preparing a Real-Time Report on page 120 includes the common options that you specify for all Real-Time Reports.
Optional filter operators are different for each Event Logs report, and explained in their respective sections after the table.
For information on using the generated report, see Saving a Generated Report on page 122.
Table 54 Event Logs Reports
Report Reports Provide Page
All Unparsed Events Syslog messages not parsed into the Security, System, or VPN Events reports page 161
Security Events Firewall syslog messages classified as security messages page 162
System Events Firewall or Nortel VPN device syslog messages classified as system messages page 163
VPN Events The number of VPN syslog messages based on search criteria page 164
All Unparsed Events
To search for and generate a report on syslog messages that are not parsed into the Security, System, or VPN Events reports, or into any other report table (for example, Authentication) for selected log sources during a specified time interval, use the All Unparsed Events Real-Time Report.
Menu path: home: Reports > Operational > All Unparsed Events
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report. Optional filter operators are not visible if you select the Boolean Search in the Search Filter criteria.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are all selected:
For information on using the generated report, see Saving a Generated Report on page 122.
Table 55 All Unparsed Events Report Optional Filter Operators
Option Description
Source Device Description of the device that sent the log messages
Source Device IP IP address of the source device that sent the log messages
Facility Syslog facility associated with the message
Severity Severity code associated with the message
Count Number of times syslog messages were generated
Security Events Reports
To search for and generate a report on firewall syslog messages classified as security messages for selected log sources during a specified time interval, use the Security Events Real-Time Report.
Menu path: home: Reports > Operational > Security Events
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are all selected:
For information on using the generated report, see Saving a Generated Report on page 122.
Table 56 Security Events Report Optional Filter Operators
Option Description
Source Device Description of the device originating the connection
Source Device IP IP address of the source device
Message Code Code number of the security message
Message Code Description Description of the security message (Cisco PIX only)
Module Juniper Netscreen module name, that is, system (Juniper Firewall only)
Severity Severity code of the message (Juniper Firewall only). The severity codes are listed below:
0 Emergency: system is unusable
1 Alert: action must be taken immediately
2 Critical: critical conditions
3 Error: error conditions
4 Warning: warning conditions
5 Notice: normal but significant condition
6 Informational: informational messages
7 Debug: debug-level messages
Count Number of syslog messages classified as security messages generated
System Events Reports
To search for and generate a report on firewall or Nortel VPN device syslog messages classified as system messages for selected log sources during a specified time interval, use the System Events Real-Time Report.
Menu path: home: Reports > Operational > System Events
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. Optional filter operators are not visible if you select Boolean Search in the Search Filter criteria. By default, the following options are all selected:
For information on using the generated report, see Saving a Generated Report on page 122.
Table 57 System Events Report Optional Filter Operators
Option Description
Source Device Description of the device that sent these log messages
Source Device IP IP address of the source device that sent these log messages
Message Code Code number of the system message
Message Code Description Description of the system message (Cisco PIX only)
Module Juniper Netscreen module name, that is, system (Juniper Firewall only)
Severity Severity code of the message (Juniper Firewall only). The severity codes are listed below:
0 Emergency: system is unusable
1 Alert: action must be taken immediately
2 Critical: critical conditions
3 Error: error conditions
4 Warning: warning conditions
5 Notice: normal but significant condition
6 Informational: informational messages
7 Debug: debug-level messages
Count Number of system messages received for the specified code
VPN Events Reports
To search for and generate a report on Cisco VPN, Check Point VPN, Nortel VPN, or RADIUS syslog messages of the System Message type for selected log sources during a specified time interval, use the VPN Events Real-Time Report.
Menu path: home: Reports > Operational > VPN Events
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
By default, the following options are all selected:
For information on using the generated report, see Saving a Generated Report on page 122.
Appliances cannot receive disconnect messages. A VPN session is recorded permanently in the authentication database table after it is disconnected; before that, the session is considered active. A Check Point VPN session is considered disconnected when a new connection attempt is made by the same user from the same IP address.
Table 58 VPN Events Report Optional Filter Operators
Option Description
Time Time the syslog message was generated
Source Device IP address of the device originating the connection
Group VPN group name
User VPN user ID
Public IP Public IP address originating the VPN connection
Severity Severity Code associated with the message
Code Code number of the system message
Area Name of the defined VPN area
Detail Message Text of the syslog message
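The session rule stated in the note above (and repeated in the VPN Sessions section) as an added example, not LogLogic code: the appliance never sees a disconnect message, so a session stays active until the same user connects again from the same public IP, at which point the earlier session is closed and recorded. The log line format, field names and sample events are constructed for illustration; the summary rolls recorded sessions into the per-user Count, Avg Duration and Avg Bytes that the VPN Sessions report shows.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    """One VPN session inferred from connect events only."""
    user: str
    public_ip: str
    start: datetime
    end: Optional[datetime] = None   # None while the session is still considered active
    bytes_transferred: int = 0

    def is_active(self) -> bool:
        return self.end is None

    def duration_seconds(self) -> Optional[float]:
        return None if self.end is None else (self.end - self.start).total_seconds()


def parse_event(line: str) -> dict:
    """Parse one constructed 'ISO-timestamp key=value ...' line (hypothetical format)."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["time"] = datetime.fromisoformat(ts)
    return fields


def track_sessions(lines: List[str]) -> Tuple[List[Session], List[Session], int]:
    """Apply the guide's rule: a session is closed (and recorded) only when the
    same user connects again from the same public IP. Returns
    (recorded sessions, still-active sessions, number of denies)."""
    recorded: List[Session] = []
    active: Dict[Tuple[str, str], Session] = {}
    denies = 0
    for line in lines:
        ev = parse_event(line)
        key = (ev["user"], ev["src"])
        if ev["action"] == "deny":
            denies += 1                      # a denied attempt never opens a session
        elif ev["action"] == "connect":
            previous = active.pop(key, None)
            if previous is not None:
                previous.end = ev["time"]    # the new attempt ends the old session
                recorded.append(previous)
            active[key] = Session(ev["user"], ev["src"], ev["time"])
        elif ev["action"] == "traffic":
            if key in active:
                active[key].bytes_transferred += int(ev["bytes"])
    return recorded, list(active.values()), denies


def summarize(recorded: List[Session]) -> Dict[str, Dict[str, float]]:
    """Per-user Count, Avg Duration (seconds) and Avg Bytes over recorded sessions."""
    totals: Dict[str, Dict[str, float]] = {}
    for s in recorded:
        t = totals.setdefault(s.user, {"count": 0, "duration": 0.0, "bytes": 0})
        t["count"] += 1
        t["duration"] += s.duration_seconds()
        t["bytes"] += s.bytes_transferred
    return {
        user: {
            "count": t["count"],
            "avg_duration": t["duration"] / t["count"],
            "avg_bytes": t["bytes"] / t["count"],
        }
        for user, t in totals.items()
    }


# Constructed sample events (not real appliance output).
SAMPLE_LOG = [
    "2010-12-01T08:00:00 action=connect user=alice src=203.0.113.10",
    "2010-12-01T08:30:00 action=traffic user=alice src=203.0.113.10 bytes=1500",
    "2010-12-01T09:00:00 action=connect user=bob src=198.51.100.7",
    "2010-12-01T10:00:00 action=connect user=alice src=203.0.113.10",   # closes alice's 08:00 session
    "2010-12-01T10:05:00 action=deny user=mallory src=192.0.2.99",
    "2010-12-01T11:00:00 action=connect user=alice src=198.51.100.50",  # different IP: separate session, closes nothing
    "2010-12-01T12:00:00 action=connect user=alice src=203.0.113.10",   # closes alice's 10:00 session
]

if __name__ == "__main__":
    recorded, active, denies = track_sessions(SAMPLE_LOG)
    for s in recorded:
        print(f"recorded {s.user}@{s.public_ip} {s.start:%H:%M}-{s.end:%H:%M} "
              f"{s.duration_seconds():.0f}s {s.bytes_transferred} bytes")
    for s in active:
        print(f"still active (never recorded): {s.user}@{s.public_ip} since {s.start:%H:%M}")
    print("denies:", denies, "summary:", summarize(recorded))
```

Sessions that never see a follow-up connect (bob, and alice from the second IP) stay in the active list indefinitely, which is why a user that simply stops using the VPN never appears in the recorded session counts or durations.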
IBM i5/OS Activity Reports
To search for and generate reports on various events occurring on your IBM i5/OS log sources, use IBM i5/OS Activity reports.
The Report Information tab that appears when you click home: Reports > IBM i5/OS Activity lists which reports are available for each log source.
To access IBM i5/OS Activity reports
Choose home: Reports > IBM i5/OS Activity > report-name from the navigation menu, where report-name is one of:
Preparing a Real-Time Report on page 120 includes the common options that you specify for all Real-Time Reports.
Table 60 includes the optional filter operators for all IBM i5/OS Activity reports.
Table 59 IBM i5/OS Activity Reports
Report Reports Provide Page
All Log Entry Types All recorded entry types page 166
System Object Access All failed access attempts throughout the system page 166
User Access by Connection All system access and system access attempts by users page 167
User Actions All user actions performed and attempted page 167
User Jobs All jobs that users are running page 167
Table 60 IBM i5/OS Activity Reports Optional Filter Operators
Option Field Description
Source Device devIP IP address of the device that sent log data
Journal Type jrnEntryType Two-character Audit Journal record (entry) type
Journal Description jrnTypeDesc Description of the journal entry type
Journal Job jobName Name of the job that caused the entry to be created
Journal User jrnUserName Profile name of the user associated with Journal Job
Journal Number jrnJobNbr Job number of the Journal Job
Journal Program jrnPgm Name of the program that created the entry
Journal Library jrnPgmLib Program library
Journal System Name jrnSyName Name of the system where the journal resides
Journal Remote Port jrnRmtPort Remote port of the system associated with the journal entry
Journal Remote Address jrnRmtIPAdr Network address of the system associated with this entry
Action action An action associated with the entry type
Action Description actionDesc Description of the action
Attribute Name attribute Name of an attribute that was the target of the action
Attribute Description attributeDesc Description of the attribute (if available)
Destination Server destServer Name of a remote workstation or server in a network event
DLO Folder DLOFolder Name of the Document Library Object folder
DLO User DLOUser Name of the Document Library Object owner or user creating or accessing the DLO
Entry Type entryType Type of event or entry within the journal type (can be considered a subtype of the journal type)
Entry Description entryDesc Description of the entry
Job Name jobName Name of the Journal Job, or of the job that was the target of the action described in the entry
Job Number jobNumber The Journal Number, or the number of the job that was the target of the action described in the entry
Job User jobUser The Journal User, or the profile name of the user associated with the job that was the target of the action described in the entry
Local IP Address lclIPadr Local IP address of the system involved in the network event
Object Library lib Library of the object that was acted on
Object Name obj Name of the object that was acted on
Object Type objType Type of object that was acted on
Remote IP Address rmtIPadr Remote IP address of the system involved in the network event
Source Server srcServer Name of a workstation or server where the audited event occurred, or that was the source system in a network event
Status status Status code
Status Description statusDesc Description of the status code (if available)
User ID/Profile user A user ID (UID) or user profile involved in the recorded event; typically the originator or target of the event
Count (computed by the Appliance) A count of action attempts, entries, or other count information; dependent on Journal and Entry type
For information on using the generated report, see Saving a Generated Report on page 122.
All Log Entry Types Reports
To search for and generate a report on all recorded entry types, use the All Log Entry Types Real-Time Report.
Menu path: home: Reports > IBM i5/OS Activity > All Log Entry Types
System Object Access Reports
To search for and generate a report on all failed access attempts throughout the system, use the System Object Access Real-Time Report.
Menu path: home: Reports > IBM i5/OS Activity > System Object Access
User Access By Connection Reports
To search for and generate a report on all system access and system access attempts by users, use the User Access By Connection Real-Time Report.
Menu path: home: Reports > IBM i5/OS Activity > User Access By Connection
User Actions Reports
To search for and generate a report on all user actions performed and attempted, use the User Actions Real-Time Report.
Menu path: home: Reports > IBM i5/OS Activity > User Actions
User Jobs Reports
To search for and generate a report on all jobs that users are running, use the User Jobs Real-Time Report.
Menu path: home: Reports > IBM i5/OS Activity > User Jobs
Threat Management Reports
To search for and generate reports on information about IDS/IPS log sources, use IDS/IPS Activity reports. The Report Information tab that appears when you click on home: Reports > Threat Management > IDS/IPS Activity lists which reports are available for each log source.
Preparing a Real-Time Report on page 120 includes the common options that you specify for Real-Time Reports.
IDS/IPS Activity
To search for and generate a report on all attack activities from IDS/IPS systems, use the IDS/IPS Activity Real-Time Report.
Menu path: home: Reports > Threat Management > IDS/IPS Activity
For this report, you can select to view various options in the generated report for your Appliance. Optional filter operators can be sorted in Ascending or Descending order. Choose sort order using the drop-down menu. The default is to display only Log Source IP, Source IP, Destination IP, Destination Port, Signature, and Count:
For information on using the generated report, see Saving a Generated Report on page 122.
Table 61 IDS/IPS Activity Report Optional Filter Operators
Option Description
Log Source IP IP address of the device that sent these log messages
Source IP IP address from which the attack originated
Source Port Port from which the attack originated
Destination IP IP address that was targeted
Destination Port Port that was targeted
Action Response of the intrusion prevention system (IPS) when it detects an attack reported by the IDS/IPS
Note: If you do not have an IPS associated with your IDS/IPS, you might not see any results if using this filter.
Signature ID Rule or numeric ID for the event
Note: The Signature ID from the vendor might be more consistent than the Signature.
Protocol Protocol of the destination device
Signature Identifier from IDS/IPS for an event
Sensor Device that sends events to a collector analysis system
Sensor IP IP address of the device that detected the event
Classification Type of attack
Priority Priority level of the attack
Count Number of attacks
Mail Activity Reports
To search for and generate reports on information about mail-related activities on mail server log sources, use Mail Activity reports.
The Report Information tab that appears when you click on home: Reports > Mail Activity lists which reports are available for each log source.
To access Mail Activity reports
Choose home: Reports > Mail Activity > report-name from the navigation menu, where report-name is one of:
Preparing a Real-Time Report on page 120 includes the common options that you specify for all Real-Time Reports.
Optional filter operators are different for each Mail Activity report, and explained in their respective sections linked from Table 62.
For information on using the generated report, see Saving a Generated Report on page 122.
Table 62 Mail Activity Reports
Report Reports Provide Page
Exchange 2000/03 Activity All mail server activity for Microsoft Exchange servers page 170
Exchange 2000/03 Delay All delays in mail activity for Microsoft Exchange servers page 171
Exchange 2000/03 Size Size for all mail server activity for Microsoft Exchange servers page 172
Exchange 2000/03 SMTP Activity All SMTP events recorded by mail servers page 173
Mail Activity Reports
To search for and generate a report on all mail server activity for selected Microsoft Exchange servers during a specified time interval, use the Exchange 2000/03 Activity Real-Time Report.
Menu path: home: Reports > Mail Activity > Exchange 2000/03 Activity
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, the Source Device, Recipient Domain, Status, and Count are shown.
For information on using the generated report, see Saving a Generated Report on page 122.
Table 63 Exchange 2000/03 Activity Report Optional Filter Operators
Option | Description
Source Device | Name of the Microsoft Exchange device
Message ID | Numeric identifier of the message
Sender | Email address of the sender
Sender Domain | Domain name of the sender’s email
Recipient | Email address of the recipient
Recipient Domain | Domain name of the recipient’s email
Status | Exchange status
Count | Number of emails
Mail Delay Reports
To search for and generate a report on all delays in mail activity for selected Microsoft Exchange servers during a specified time interval, use the Exchange 2000/03 Delay Real-Time Report.
Menu path: home: Reports > Mail Activity > Exchange 2000/03 Delay
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, the Source Device, Recipient Domain, Average Delay, Max Delay, and Count are shown.
For information on using the generated report, see Saving a Generated Report on page 122.
Table 64 Exchange 2000/03 Delay Report Optional Filter Operators
Option | Description
Source Device | Name of the Microsoft Exchange device
Message ID | Numeric identifier of the message
Sender | Email address of the sender
Sender Domain | Domain name of the sender’s email
Recipient | Email address of the recipient
Recipient Domain | Domain name of the recipient’s email
Average Delay | Average delay of each message
Max Delay | Maximum delay of each message
Count | Number of emails
Mail Size Reports
To search for and generate a report on mail size for all server mail activity for selected Microsoft Exchange servers during a specified time interval, use the Exchange 2000/03 Size Real-Time Report.
Menu path: home: Reports > Mail Activity > Exchange 2000/03 Size
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, the Source Device, Sender, Total Size (Bytes), Max Size (Bytes), and Count are shown.
For information on using the generated report, see Saving a Generated Report on page 122.
Table 65 Exchange 2000/03 Size Report Optional Filter Operators
Option | Description
Source Device | Name of the Microsoft Exchange device
Message ID | Numeric identifier of the message
Sender | Email address of the sender
Sender Domain | Domain name of the sender’s email
Recipient | Email address of the recipient
Recipient Domain | Domain name of the recipient’s email
Total Size (Bytes) | Total number of bytes transferred
Max Size (Bytes) | Maximum number of bytes transferred
Count | Number of emails
Exchange 2000/03 SMTP
To search for and generate a report on all SMTP events recorded by selected mail servers during a specified time interval, use the Exchange 2000/03 SMTP Real-Time Report.
Menu path: Real-Time Reports > Mail Activity > Exchange 2000/03 SMTP
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, all options are shown except the Source User, Source Host, Domain Name, and Time Taken (ms).
For information on using the generated report, see Saving a Generated Report on page 122.
Table 66 Exchange 2000/03 SMTP Report Optional Filter Operators
Option | Description
Source Device | Description of the device that sent these log messages
Source User | User of the source device
Source IP | IP address of the source device
Source Host | Host name of the source device
Domain Name | Domain name of the source device
Destination IP | IP address of the destination device
Destination Port | Port of the destination device
Method | Request method to obtain an object; for example, GET
URL Query | URL requested
Status | SMTP result codes
Size | Number of bytes transferred
Time Taken (ms) | Time to complete the event
Count | Number of cache views
Generating Real-Time Reports : Policy Reports
Policy Reports
To search for and generate reports on information about policies that were exercised on a log source, use Policy reports.
The Report Information tab that appears when you click on home: Reports > Policy Reports lists which reports are available for each log source.
To access Policy Reports
Choose home: Reports > Policy Reports > report-name from the navigation menu, where report-name is one of the reports listed in Table 67.
Preparing a Real-Time Report on page 120 includes the common options that you specify for all Real-Time Reports. Check Point Policy reports do not include the common options shared by other Real-Time Reports.
Optional filter operators are different for each Policy report, and explained in their respective sections linked from Table 67.
For information on using the generated report, see Saving a Generated Report on page 122.
Table 67 Policy Reports
Report | Reports Provide | Page
Rules/Policies | Information about enforcement of a particular rule or policy by a selected firewall device | page 175
Check Point Policies | List of current Check Point Firewall policy rules on log sources connected to Appliances | page 176
Network Policies | Number of times a particular network policy is exercised by a selected firewall device | page 177
Rules/Policies Reports
To search for and generate a report on information about enforcement of a particular rule or policy by selected firewall devices during a specified time interval, use the Rules/Policies Real-Time Report.
Menu path: home: Reports > Policy Reports > Rules/Policies
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display all the following options:
For information on using the generated report, see Saving a Generated Report on page 122.
Table 68 Rules/Policies Report Optional Filter Operators
Option | Description
Interface | Name (or IP address) of the network interface that enforced the policy
Rule | Rule number that was enforced (Check Point Interface only)
Policy | Policy number that was enforced
Type | Type of rule/policy that was enforced
Messages | Number of messages received representing this policy
Bar Graph | Number of messages received expressed as a bar graph
Percentage | Number of messages received expressed as a percentage
Package | Security policy package (Check Point Interface only)
Rule Description | Displays Rule Details: Source, Destination, Service Description and Rule Actions: Permit, Deny, etc. (Check Point Interface only)
Check Point Policies Reports
To search for and generate a report listing current Check Point Firewall policy rules on log sources connected to your Appliance, use the Check Point Policy Real-Time Report.
Menu path: home: Reports > Policy Reports > Check Point Policy
For information on using the generated report, see Saving a Generated Report on page 122.
Table 69 Check Point Policy Screen Elements
Element | Description
LEA Server | LEA servers connected to your system.
Package | Security package that Check Point organizes for policy rules. For example, you can install one package on a firewall, but you can define several packages at the same time.
Rule Index | Rule numbers (represents Check Point indices) the CPMI process retrieves. You can view Check Point policy rules only if you configured your LEA server to use auto discovery (CPMI). Note: Rule 0 is not assigned by Check Point. It is assigned by LogLogic as a default for parsed messages that do not automatically have a rule number assigned by Check Point.
Rule | Description for the rule.
Network Policies Reports
To search for and generate a report on the number of times a particular network policy has been exercised by selected firewall log sources during a specified time interval, use the Network Policies Real-Time Report.
Menu path: home: Reports > Policy Reports > Network Policies
In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Log Source IP, Source IP, Destination IP, Destination Port, Signature, and Count.
For information on using the generated report, see Saving a Generated Report on page 122.
When you drill down on Web Cache Activity report’s results, there is no default sort-by selection. The drill-down results are generally in order by time. If you specify a sort-by selection for this report's drill-down, performance in generating the drill-down results is slower.
Table 70 Network Policies Report Optional Filter Operators
Option | Description
Log Source IP | IP address of the device that sent these log messages
Source IP | IP address of the device that exercised the policy
Destination IP | IP address of the destination device
Destination Port | Port of the destination device
Protocol | Protocol of the destination device
Signature | Identifier of the policy
Classification | Classification of the policy
Priority | Priority of the policy
Count | Number of times a policy was exercised
Message Signatures : Creating Message Signatures
CHAPTER 7:
Message Signatures
Message Signatures is a powerful new capability that allows Appliance users to distinguish, process, and manipulate all unique log source messages, including those of type “general syslog.”
Creating Message Signatures
To create a Message Signature
1. Access Management > Message Signatures from the navigation menu.
Figure 121 Access Message Signatures
The Message Signatures page opens as shown below.
Figure 122 Message Signatures Page
2. Click the arrow next to the Patterns For field drop-down box and select a device type for which you wish to create a Message Signature. (See Figure 123 on page 180.)
Figure 123 Select a Log Source Device Type
3. Click Create. The Message Pattern Editor opens. (See Figure 124.)
Figure 124 Message Pattern Editor
4. On the General tab, highlight a message in the lower pane and double-click it. Your selection will appear in the Sample Message pane. (See Figure 125.)
Figure 125 Sample Message Selected
5. Enter a Pattern Name and Description (optional). Enable the pattern.
6. Click the Field Tags tab.
7. Highlight a portion of the Sample Message you want to use as a Field Tag and click Define Field. The portion selected will appear grayed-out. The application will recognize your selection as one of 15 common tags in the Tag Library, and supply a Name, Description, and Type. Further identifying information will appear in the Tag Attributes section. You can edit these entries, or select different choices from the Tag name: and Extract as: pop-up menus. (See Figure 126.)
Figure 126 Define Field in Selected Message
8. To edit your grayed-out selection, click on it and click Remove. (This does not remove the data, only the grayed-out condition.)
9. Click the Literal checkbox to define your tag with exactly the attributes you highlighted. Your selection will appear in bold face type. (See Figure 127.)
Figure 127 Select Literal Attribute
10. To create additional tags from your selected message, highlight another portion and click Define Field again. Your second tag candidate will appear grayed-out. Again you may accept or edit the default Name, Description, and Type.
11. In the Tag Name field, choose an existing field tag or create a new tag. (See Figure 128.)
Figure 128 Tag Name Selection
12. In the Tag Name field, choose an existing field tag or create a new tag.
13. Provide a Tag Description (optional).
14. Click the Event Type tab.
15. Click the down arrow for Event name: and select one from the drop-down menu. Accept the Event description, or edit it. (See Figure 129.)
Figure 129 Event Type Name
16. Enter an Event value (optional).
17. Click the Validation tab, and then click the Validate button. (See Figure 130.)
Figure 130 Validation Tab - Click Validate
The Tag Name is highlighted in color, and the Tag value extracted appears on the right.
18. Click Save. After a few moments the new Message Signature appears. (See Figure 131.)
Figure 131 New Message Signature Created
The green bullet in the Status column indicates the system is ready to use the new pattern and extract the values in the log data.
Note: Please refer to the LogLogic Support Website for Knowledge Base articles on this topic.
Tag Catalog : Field Tags
CHAPTER 8:
Tag Catalog
LogLogic provides a set of useful field Tags and Event Types out of the box. You can create new Tags or Event Types, and edit the existing catalog.
Field Tags
To add a new user-defined field Tag
1. Click Management > Tag Catalog from the home page. (See Figure 132.)
Figure 132 Access Tag Catalog
The Tag Catalog opens, showing the existing Field Tags in the system. (Figure 133.)
Figure 133 Tag Catalog
2. Click Create to open the Create Field Tag window.
Figure 134 Create Field Tag
3. In the Tag Attributes area, enter a Name and a Description for the new field Tag. Select the Redact checkbox if you want to mask sensitive data in the presentation layer after a search is performed. (If Redact is checked, a search on the field Name will return stored results, but with **** in place of actual data.) Click OK when finished.
Figure 135 New Field Tag Added
The new field Tag will appear in the Actions column, and a checkmark will appear in the User Defined column. (Figure 135.)
4. To filter tags by name, type one or more letters in the Name field and press Enter. Corresponding named Tags will appear in the Tag Catalog list. To restore the entire list of field Tags, clear the entry in the Name field and press Enter. (Figure 136.)
Figure 136 Filter Tags by Name
5. Place a checkmark in the Show Active checkbox to show only the active field Tags. Clear the checkbox to show all recorded field Tags.
Figure 137 Show Active Field Tags
To edit or remove an existing field Tag
1. To edit field Tag properties, click the Edit icon next to the Tag Name in the Actions column. The Edit Field Tag window appears.
Figure 138 Edit Field Tag
You can change the following Tag Attributes: Name, Description, and Redact condition. When finished click OK.
2. To remove a field Tag from the Tag Catalog, select one or more tag names and click Remove selected. Click Yes to confirm removal of the selected field Tag.
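The Message Signature procedure in Chapter 7 (highlight a portion of a sample message, Define Field, optionally mark it Literal, then Validate) and the Redact attribute of a field Tag above describe one pipeline: a sample message plus tagged spans becomes a pattern, the pattern extracts tag values from live messages, and redacted tags are masked with **** at presentation time. The following is an added illustration of that pipeline, not LogLogic's implementation; the tag library (word, number, ipv4), the rule that unhighlighted text is matched literally, and the sample sshd message are all constructed assumptions.

```python
import re

# Assumed tag library: the "Extract as" types a highlighted field can take.
TAG_TYPES = {
    "word": r"[A-Za-z0-9_.-]+",
    "number": r"\d+",
    "ipv4": r"(?:\d{1,3}\.){3}\d{1,3}",
}


class FieldTag:
    """Attributes of one field Tag (Name, Extract as, Literal, Redact)."""

    def __init__(self, name, extract_as="word", literal=False, redact=False):
        self.name = name
        self.extract_as = extract_as
        self.literal = literal   # Literal: match exactly the highlighted text
        self.redact = redact     # Redact: present **** instead of the value


class MessageSignature:
    """One pattern built from a sample message and its highlighted fields.

    `fields` maps a highlighted substring of the sample (first occurrence)
    to its FieldTag. Text that was not highlighted is matched literally,
    which is a constructed assumption about how the editor behaves."""

    def __init__(self, name, sample, fields):
        self.name = name
        self.sample = sample
        self.fields = fields
        self.regex = self._compile()

    def _compile(self):
        spans = []
        for text, tag in self.fields.items():
            start = self.sample.find(text)
            if start < 0:
                raise ValueError(f"{text!r} is not in the sample message")
            spans.append((start, start + len(text), tag))
        spans.sort()
        pattern, pos = "^", 0
        for start, end, tag in spans:
            if start < pos:
                raise ValueError("highlighted fields overlap")
            pattern += re.escape(self.sample[pos:start])
            if tag.literal:
                body = re.escape(self.sample[start:end])
            else:
                body = TAG_TYPES[tag.extract_as]
            pattern += f"(?P<{tag.name}>{body})"
            pos = end
        pattern += re.escape(self.sample[pos:]) + "$"
        return re.compile(pattern)

    def extract(self, message, apply_redaction=True):
        """Return {tag name: value} for a matching message, else None.
        Stored values are never altered; redaction happens on presentation."""
        m = self.regex.match(message)
        if m is None:
            return None
        values = m.groupdict()
        if apply_redaction:
            for tag in self.fields.values():
                if tag.redact:
                    values[tag.name] = "****"
        return values

    def validate(self):
        """The Validation tab: the sample must match and yield every tag."""
        values = self.extract(self.sample, apply_redaction=False)
        return values is not None and len(values) == len(self.fields)


def build_example_signature():
    """Constructed sample: an sshd failure line after the syslog header."""
    sample = ("sshd[2311]: Failed password for admin from 10.20.30.40 "
              "port 51522 ssh2")
    fields = {
        "2311": FieldTag("pid", "number"),
        "Failed password": FieldTag("event", literal=True),
        "admin": FieldTag("user", "word", redact=True),
        "10.20.30.40": FieldTag("src_ip", "ipv4"),
        "51522": FieldTag("src_port", "number"),
    }
    return MessageSignature("sshd failed password", sample, fields)


if __name__ == "__main__":
    sig = build_example_signature()
    print("validation:", sig.validate())
    print(sig.extract("sshd[9001]: Failed password for root from 192.0.2.10 "
                      "port 40000 ssh2"))
```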
Event Types
You can create a new Event Type, and edit or remove existing Event Types.
To add a new user-defined Event Type
1. Click Management > Tag Catalog from the home page.
2. Select the Event Types tab.
Figure 139 Tag Catalog Event Types
3. Click Create to open the Create Event Type window.
Figure 140 Create Event Type
4. In the Event Type Attributes area, enter a Name and a Description for the new event type and click OK. The new Event Type will appear in the Actions column.
5. To filter Event Types by name, type one or more letters in the Name field and press Enter. Corresponding named types will appear in the Event Types Catalog list. (Figure 141) To restore the entire list of Event Types, clear the entry in the Name field and press Enter.
Figure 141 Filter Event Types by Name
6. Place a checkmark in the Show Active checkbox to show only the active Event Types. Clear the checkbox to show all recorded Event Types.
To edit or remove an existing Event Type
1. To edit Event Type Attributes, click the Edit icon next to the Event Types Name in the Actions column. The Edit Event Type window appears.
Figure 142 Edit Event Type
You can change the following Event Type Attributes: Name, and Description. When finished click OK.
2. To remove an Event Type from the Event Type Catalog, highlight one or more Event Types and click Remove selected. Click Yes to confirm deletion of the selected Event Type.
CHAPTER 9:
Dynamic Groups
With LMI 5, LogLogic introduces a new feature called Dynamic Groups. This chapter covers how to create a Dynamic Group on the LMI 5 Appliance.
Add Device Group
Use the Add Device Group tab to arrange your source devices into bundles or categories. A device must be part of the Available Devices list before it can be included in a group. If you are running a Management Station, you can multi-select and group devices across Appliances. You can view the groups you define here in the Management > Devices > Device Groups tab. (See Figure 143.)
Figure 143 Add Device Group
Device groups created across multiple Appliances have an * after the group name.
The fields on this page (Description, IP Address, Group Name, etc.) use regular expression patterns for filtering. The IP Address field also allows specifying addresses in CIDR notation.
To add a Device Group
1. Click Add New to open the Add Device Group tab. (Figure 144 on page 190.)
Figure 144 Add Device Group Tab
2. In the Group Name field, enter a unique name to identify this group of log sources.
3. Under Enable, select the Yes radio button to activate the group for use on the Appliance.
4. From the Group Type drop-down menu, select whether the group is:
Local - Group contains devices on the current Appliance only.
Global - (Management Station only) Group contains devices on multiple Appliances. Global groups can be created and accessed on Management Station Appliances only.
Note: Global groups cannot contain another global group as a member.
Global groups are marked in the Groups tab with an asterisk (*).
Select Static or Dynamic from the second drop-down. Dynamic enables the group to be automatically updated as new devices are added to the Appliance.
Note: The Dynamic option is available only for local groups, as Global Dynamic Groups are not supported.
5. In the Description field, enter a description for the group.
6. Under Available Devices, find the devices that are available to add to the group. You can use one or any combination of the following fields:
In the Name Pattern field, enter a device name or partial name.
In the IP Pattern field, enter a device IP address or partial address. CIDR notation may also be used.
From the Device Type drop-down menu, select a device type.
Note: All Device Types is an option only for Dynamic Groups.
In the Desc Pattern field, enter a device description or partial description. The descriptions defined in the Add Device or Add File Transfer Device tabs are searched using this pattern.
(Global group only) From the Appliance drop-down menu, select All or a specific Appliance by its IP address. If you select All, only Global groups are listed. If you do not have any Global groups, All (all devices) appears. If you select a specific Appliance IP address, only devices from the selected Appliance are listed.
Click Filter to search for devices based on the specified search criteria.
The Available Devices table lists all devices matching the criteria.
Notes:
1) All devices that appear in the Available Devices list when the Filter button is clicked will be added automatically to the Dynamic Group. It is actually not necessary to click the Filter button for this to occur. New devices auto-discovered or manually added to the system will be added automatically to the Dynamic Group if the device matches the pattern.
2) Dynamic Groups cannot contain Static Groups as members. However, Static Groups can contain Dynamic Groups as members.
7. (For Static Groups only) In the Available Devices table, check the checkbox for the devices to add to the group and then click .
The selected devices are added to the Current Devices in Group table. To remove a device from this table, check its checkbox and then click .
8. Click to add the group to the Appliance.
Notes:
1) A user must have "all device access" to create or update a Dynamic Group.
2) A user can be given explicit permission on the Dynamic Group, but if they do not have "all device access", they can see and use the Group, but cannot edit it.
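The procedure above defines a Dynamic Group entirely by its filter fields (regex Name, IP and Desc patterns, an IP pattern that may also be CIDR, and a Device Type), so membership is recomputed rather than stored, which is why a newly added device that matches the patterns joins the group without the Filter button being clicked. The following is an added model of that behaviour for a Local group, not LogLogic's code; it assumes the populated fields combine with AND and that an IP Pattern is treated as CIDR whenever it parses as a network, and the device inventory is constructed.

```python
import ipaddress
import re
from dataclasses import dataclass


# Constructed stand-in for an entry in the Appliance's Available Devices list.
@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    device_type: str
    description: str = ""


def ip_pattern_matches(pattern, ip):
    """IP Pattern field: CIDR when the pattern parses as a network or a full
    address, otherwise a regular expression over the dotted address (assumed)."""
    try:
        network = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return re.search(pattern, ip) is not None
    return ipaddress.ip_address(ip) in network


@dataclass
class DynamicGroup:
    """A Local Dynamic Group: its membership is whatever matches the filter
    fields right now, never an explicit device list (and never a Static Group)."""
    name: str
    name_pattern: str = ""
    ip_pattern: str = ""
    device_type: str = "All Device Types"   # allowed only for Dynamic Groups
    desc_pattern: str = ""

    def matches(self, device):
        # Every populated field must match (assumed AND semantics).
        if self.name_pattern and not re.search(self.name_pattern, device.name):
            return False
        if self.ip_pattern and not ip_pattern_matches(self.ip_pattern, device.ip):
            return False
        if self.device_type != "All Device Types" and device.device_type != self.device_type:
            return False
        if self.desc_pattern and not re.search(self.desc_pattern, device.description):
            return False
        return True

    def members(self, inventory):
        """Recomputed from the current inventory on every call, so a device
        added or auto-discovered later is in the group automatically."""
        return [d for d in inventory if self.matches(d)]


@dataclass
class StaticGroup:
    """A Static Group: explicitly chosen devices plus, optionally, nested
    groups (a Static Group may contain Dynamic Groups, not the reverse)."""
    name: str
    devices: tuple = ()
    nested: tuple = ()

    def members(self, inventory):
        result = list(self.devices)
        for group in self.nested:
            for device in group.members(inventory):
                if device not in result:
                    result.append(device)
        return result


def build_inventory():
    """Constructed sample inventory."""
    return [
        Device("fw-edge-1", "10.10.1.5", "Cisco PIX", "edge firewall"),
        Device("fw-dc-2", "10.10.2.9", "Cisco PIX", "datacenter firewall"),
        Device("web-01", "10.20.0.4", "Apache", "web server"),
        Device("fw-lab", "192.168.5.1", "Cisco PIX", "lab firewall"),
    ]


if __name__ == "__main__":
    inventory = build_inventory()
    prod_fw = DynamicGroup("Prod firewalls", name_pattern=r"^fw-",
                           ip_pattern="10.10.0.0/16")
    print([d.name for d in prod_fw.members(inventory)])   # fw-edge-1, fw-dc-2
    inventory.append(Device("fw-dc-3", "10.10.2.10", "Cisco PIX", "new firewall"))
    print([d.name for d in prod_fw.members(inventory)])   # fw-dc-3 joined automatically
```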
Setting User Preferences : Viewing Your LogApp Account
CHAPTER 10:
Setting User Preferences
The admin tab on the home page allows you to set values for your Account Information, System Preferences, and to Change Password.
Viewing Your LogApp Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Changing Login Landing Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Changing LogApp Account Password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Viewing Your LogApp Account
To view your LogApp Account
1. Choose admin from the home page.
Figure 145 Your LogApp Account
2. Review and accept or change the default settings as explained in Table 71 on page 194.
Table 71 Account Options
Element | Description
Account Information
User Login | The login name of the current user. This can be reset by the system administrator or user.
Email Address | The email address of the current user. This can be reset by the system administrator or user.
System Preferences
Rows per Page | The number of rows that display in each report page. Can be set from 10 to 1000 rows by user.
Page Refresh Rate | The page refresh rate in seconds. Can be set from 30 to 600 seconds by user.
Emailed Chart Size | The number of segments in display charts. Can be set from 3 to 30 segments by user.
Session Timeout | Session Timeout can be set from 5 to 300 minutes by user. The default is 300 minutes (5 hours).
Enable Multiline View |
Login Landing Page | The page that appears immediately after logging into the LMI Appliance. You can change this at any time. For instructions, see Changing Login Landing Page on page 194.
3. Click Save.
Changing Login Landing Page
The Login Landing Page (Home) appears immediately upon logging in to the LMI Appliance. By default the LogLogic Overview Welcome screen is displayed. However, you can change your landing page at any time.
To change your login landing page
1. Choose admin from the home page.
2. Click the down arrow next to Login landing page and select a page from these other landing page options: My Dashboard, System Status, Triggered Alerts, Index Search, All Saved Reports, and All Saved Searches.
Figure 146 Your LogApp Account - Login Landing Page
3. Click Save.
The next time you log in to the Appliance, the alternate home page that you selected in this step is displayed. You can change this destination at any time.
Changing LogApp Account Password
You can change your password at any time.
To change your password
1. Choose admin from the home page.
2. Click the Change Password button.
The Change Password dialog box appears. It displays the date of the last password update.
Figure 147 Your LogApp Account - Change Password
3. In the Current Password field, enter your current password.
4. In the New Password field, enter your new password. Note the password requirements specified on the window.
5. In the Confirm New Password field, enter your new password again for verification.
Syslog Host Field Character Sets : Syslog Header Character Sets
APPENDIX A:
Syslog Host Field Character Sets
This appendix describes the acceptable character sets in an ASCII syslog header.
Syslog Header Character Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Syslog Header Character Sets
Table 72 lists and describes the acceptable characters in an ASCII syslog header.
Table 72 Acceptable Alpha/Numeric Character Sets
Character | Descriptions | Examples
Alpha chars | upper or lower case | A-Z and a-z
Numbers | | 0-9
Punctuation | at | @
Punctuation | underscore | _
Punctuation | period | .
Punctuation | backslash | /
Punctuation | colon | :
Punctuation | asterisk | *
Punctuation | brackets | [ ]
Punctuation | parenthesis | ( )
Punctuation | plus | +
Punctuation | minus | -
Punctuation | space |
Punctuation | tab |
Exceptions
The following exceptions are noted for ASCII syslog headers:
Some Unix/Linux syslog messages have a path in the process name. That is taken care of by looking for a leading backslash (/) and any number of the following characters:
Alpha characters, upper or lower case: A-Z, a-z
The numbers 0-9
Punctuation including: underscore _, period ., dash -
Space and tab use depends on the log source. Some log sources have spaces at the point right before the log source target string is found. Others have only a tab. Specifically:
Windows messages require a space before the target string.
Cisco VPN3000 requires a tab.
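Table 72 and the exceptions above amount to a small acceptance check: every character of a header host field must be in the Table 72 set, a process name that begins with a slash may contain only alphanumerics, underscore, period and dash after each slash, and the separator before the target string is a space or a tab depending on the source. The following is an added checker for that, not part of the LogLogic product; the BSD-style header layout it parses and the sample lines are constructed, and the checker is a reporting aid rather than the Appliance's own parser.

```python
import re

# Table 72: characters acceptable in an ASCII syslog header field.
HEADER_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "@_./:*[]()+- \t"
)

# Exception: a Unix/Linux process name carrying a path, i.e. a leading slash
# followed by alphanumerics, underscore, period or dash (further slashes
# separate path components).
PATH_PROCESS_RE = re.compile(r"^(?:/[A-Za-z0-9_.-]+)+$")

# Constructed BSD-style header: <PRI>Mon DD HH:MM:SS host<sep>process[pid]:
# The separator before the process is a space or a tab, since the guide
# notes that Windows sources use a space and Cisco VPN3000 a tab at the
# point where the target string begins.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)"
    r"[ \t](?P<host>[^ \t]+)"
    r"[ \t](?P<proc>[^:\[]+)(?:\[(?P<pid>\d+)\])?:"
)


def unacceptable_chars(field):
    """Characters of `field` that Table 72 does not list, sorted."""
    return sorted({c for c in field if c not in HEADER_CHARS})


def process_name_ok(proc):
    """Plain process names follow Table 72; path-style names the exception."""
    if proc.startswith("/"):
        return PATH_PROCESS_RE.match(proc) is not None
    return not unacceptable_chars(proc)


def audit_header(line):
    """Parse one syslog line and report whether its host and process fields
    use only acceptable characters. Returns None for a non BSD-style header."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    host, proc = m.group("host"), m.group("proc")
    return {
        "host": host,
        "process": proc,
        "pid": m.group("pid"),
        "host_ok": not unacceptable_chars(host),
        "host_bad_chars": unacceptable_chars(host),
        "process_ok": process_name_ok(proc),
        "process_is_path": proc.startswith("/"),
    }


if __name__ == "__main__":
    # Constructed sample lines: a plain tag, a path-style tag after a tab,
    # a host with a control character, and a path with a stray ';'.
    for line in (
        "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
        "<13>Oct 11 22:14:16 host-01\t/usr/sbin/cron[123]: (root) CMD (run-parts)",
        "<13>Oct 11 22:14:17 web\x01srv sshd[77]: session opened",
        "<13>Oct 11 22:14:18 db01 /usr/bin/foo;bar[12]: x",
    ):
        print(audit_header(line))
```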