loglogic users guide - tibco software...loglogic collector guides — describe how to implement...

LogLogic, Inc. Proprietary and Confidential

LogLogic

User Guide

Software Release: 5.3

Document release: March 2012

Part No: LL41000-00E05300000

This manual supports LogLogic software release 5.1 and above releases until replaced by a newer edition.

LogLogic, Inc. Proprietary and Confidential

LogLogic, Inc.

110 Rose Orchard Way Suite 200San Jose, CA 95134

Tel: +1 408 215 5900

Fax: +1 408 774 1752

U.S. Toll Free: 888 347 3883

Email: [email protected]

www.loglogic.com

© 2004 — 2012 LogLogic, Inc.

Proprietary Information

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.

Trademarks

"LogLogic" and the LogLogic logo are trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set our exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

www.loglogic.com

mailto:[email protected]

User Guide

Contents

Preface: About This Guide

Related Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Documentation Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Chapter 1: Using LogLogic Appliances

LogLogic Appliance Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Appliance User Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

LogLogic Product Families . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

LogLogic LX Product Family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13LX Benefits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

LogLogic MX Product Family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

MX Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14LogLogic ST Product Family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

ST Benefits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Scalable Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Chapter 2: Viewing Dashboards

Viewing System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Viewing Multiple Systems Status (Management Station) . . . . . . . . . . . . . . . . . . . . . . . . . 21

Viewing Message Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Viewing CPU Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Viewing Log Source Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Viewing Unapproved Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Viewing Recent Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Viewing Log Source Data Trend . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Managing Your Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Widget Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32About My Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Managing Widgets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Managing Summary Widgets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Managing Trend Widgets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Managing Alert Widgets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Managing System Widgets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Defining your Dashboard Canvas Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Chapter 3: Viewing Real Time Log Messages

Accessing and Selecting Real Time Messages to View . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Viewing Log Messages in Real Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

3

CONTENTS

Chapter 4: Searching Collected Log Messages

Search Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Using Index Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Search Expression Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Running an Index Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Selecting Specific Log Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63Select Time Frame for an Index Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Using the Search Results Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Viewing Index Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66Configuring Search Results Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Managing Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Viewing Index Search Results In Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71Saving Search Results. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Viewing Trends . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Using the Search History Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74Saving an Index Search as a Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Running a Previously Saved Search Expression. . . . . . . . . . . . . . . . . . . . . . . . . . 75

Using the Search Filters Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76Using the Clipboard Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Adding a New Clipboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Viewing or Editing Clipped Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77Deleting Clipped Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Tag-Based Searches Using the Tag Picker Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Using Regular Expression Search. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Viewing Pending and Running Searches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Viewing Running Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Viewing Pending Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83Viewing RegEx Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Viewing Finished Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Using Search Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Adding a Search Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85Search Filter Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Use Words . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Use Exact Phrase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87Regular Expression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Boolean Expression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Putting Your Logins Search Filter to Work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88Adding Additional Parameters to a Pre-Defined Regular Expression Search Filter . . 91

Modifying a Search Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Viewing All Saved Index Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Using and Creating All Index Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Chapter 5: Creating and Managing Alerts

Viewing and Handling Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Managing Alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107Preconfigured System Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Adding a New Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Parsed Data Alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

4 User Guide

CONTENTS

User Guide 5

Modifying or Removing An Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Chapter 6: Generating Real-Time Reports

Preparing a Real-Time Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

Select a Source or Sources and Search Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 116Select Time Frame and Run a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Resize & Move Columns, Create Charts, Print and Download a Report . . . . . . . 117

Modify Report Settings and Time Frame . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117Saving a Generated Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Rerunning a Saved Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Generating a Report—An Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119Available Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Access Control Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Permission Modification Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

User Access Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132User Authentication Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

User Created/Deleted Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

User Last Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135Windows Events Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

Database Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

All Database Events Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Database Access Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139Database Data Access Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

Database Privilege Modifications Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Database System Modifications Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

IBM i5/OS Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

All Log Entry Types Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144System Object Access Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

User Access By Connection Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

User Actions Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150User Jobs Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

Threat Management Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

IDS/IPS Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Mail Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

Exchange 2000/03 SMTP Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157Exchange 2000/03 Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Exchange 2000/03 Delay Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Exchange 2000/03 Size Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

Network Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161Accepted Connections Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

Active FW Connections Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

Active VPN Connections Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164Application Distribution Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

Denied Connections Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

FTP Connections Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167VPN Access Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

VPN Sessions Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

VPN Top Lists Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170Web Cache Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

CONTENTS

Web Surfing Activity Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

Operational Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

All Unparsed Events Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

Firewall Statistics Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175Total Message Count Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

Security Events Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

System Events Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178VPN Events Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Policy Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

Check Point Policies Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Network Policies Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182Rules/Policies Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

All Saved Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

Chapter 7: Setting User Preferences

Viewing Your LogApp Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

Changing Login Landing Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Changing LogApp Account Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

Appendix A: Syslog Host Field Character Sets

Syslog Header Character Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

Index

6 User Guide

PREFACE:

About This Guide

The LogLogic User Guide is an operational guide for LogLogic Appliances. It covers topics related to managing dashboards, reports, alerts, and performing searches to manage and use the log data collected and aggregated from all types of source systems in your enterprise.

Related DocumentsThe LogLogic documentation is available on the Solutions CD or on the LogLogic Customer Support Website – www.loglogic.com/services/support. The documentation includes Portable Document Format (PDF) files and Online Help accessible from the LogLogic user interface.

To read the PDF documentation, you need a PDF file viewer such as Adobe Acrobat Reader. You can download the Adobe Acrobat Reader athttp:// www.adobe.com.

The following documents contain information about the LogLogic Appliances:

LogLogic Release Notes — Provides information specific to the release including product information, new features and functionality, resolved issues, known issues and any late-breaking information. Check the LogLogic Customer Support Website periodically for further updates.

LogLogic Hardware Installation Guide — Describes how to get started with your LogLogic Appliance. In addition, the guide includes details about the Appliance hardware for all models.

LogLogic Installation and Upgrade Guide — Describes how to install and upgrade the LogLogic Appliance software.

LogLogic User Guide — Describes how to use the LogLogic solution, viewing dashboard, managing reports, managing alerts, and performing searches.

LogLogic Administration Guide — Describes how to administer the LogLogic solution including all Management and Administration menu options.

LogLogic Log Source Configuration Guides — Describe how to support log data from various log sources. There is a separate manual for each supported log source. These documents include information on LogLogic Collectors as well as information on how to configure log sources to work with the LogLogic solution.

LogLogic Collector Guides — Describe how to implement support for using a LogLogic Collector for specific log sources such as IBM i5/OS and ISS Site Protector.

LogLogic Web Services API Implementation Guide — Describes how to implement the LogLogic Web Services APIs to manage reports, manage alerts, perform searches, and administer the system.

LogLogic Syslog Alert Message Format Quick Reference Guide — Describes the LogLogic Syslog alert message format.

User Guide 7

www.loglogic.com/services/support

www.loglogic.com/services/support

About This Guide : Technical Support

LogLogic Online Help — Describes the Appliance user interface, including descriptions for each screen, tab, and element in the Appliance.

Technical SupportLogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.

To reach the LogLogic Support team:

Telephone:

To reach the LogLogic Support team:

Telephone:

United States, Canada, Mexico Toll Free — 1-800-957-LOGS

Local —1-408-834-7480

Europe, Middle East, Africa (EMEA) or Asia Pacific (APAC) — +44 1480 479391 or 00 800 0330 4444

Japan IDC — 0061 800 0330 4444; Japan KDD - 0010 800 0330 4444

Brazil — 0021 800 0330 4444

Email: [email protected]

Support Website: http://www.loglogic.com/services/support

When contacting Customer Support, be prepared to provide the following information:

Your name, e-mail address, phone number, and fax number

Your company name and company address

Your machine type and release version

Serial number located on the back of the Appliance or the eth0 MAC address

A description of the problem and the content of pertinent error messages (if any)

Documentation SupportYour feedback on LogLogic documentation is important to us. Send e-mail to [email protected] if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team.

In your e-mail message, please indicate the software name and version you are using, as well as the title and document date of your documentation.

8 User Guide


http://www.loglogic.com/services/support


About This Guide : Documentation Support

ConventionsLogLogic documentation uses the following conventions:

IMPORTANT! Highlights key considerations to keep in mind.

Note: Provides additional information that is useful but not always essential.

Tip: Highlights guidelines and helpful hints.

This guide also uses the following conventions to highlight code and command-line elements:

Monospace is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as file names, directories, paths, and URLs).

Monospace bold is used to distinguish system prompts or screen output from user responses, as in this example:

username: system

home directory: home\app

Monospace italic is used for placeholders, which are general names that you replace with names specific to your site, as in this example:

LogLogic_home_directory\upgrade\

Straight brackets signal options in command-line syntax.

ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path ...]

User Guide 9

About This Guide : Documentation Support

10 User Guide

Using LogLogic Appliances : LogLogic Appliance Overview

User Guide 11

CHAPTER 1:

Using LogLogic Appliances

Contents

LogLogic Appliance Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Appliance User Functions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

LogLogic Product Families . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

LogLogic Appliance OverviewLog data can comprise up to 25 percent of all enterprise data. Log data also contains critical information that can improve security, compliance and availability. Until now most companies have relied on ineffective and inefficient homegrown solutions and manual processes to manage this data.

LogLogic provides the industry's first enterprise class, end-to-end log management solution. Using LogLogic log management solutions, IT organizations can analyze and archive network log data for the purpose of compliance and legal protection, decision support for network security remediation, and increased network performance and improved availability,

LogLogic log management Appliances simplify, automate, and reduce the cost of log data aggregation and retention, eliminating the need for servers, tape libraries, and archival administrators. If the network grows, simply rack and stack additional Appliances as needed.

Appliance User FunctionsThere are two primary user types on a LogLogic Appliance:

User – monitors Appliance operations, runs searches, manages alerts, and creates and runs reports based on collected data

Administrator – configures and maintains the Appliance itself, including managing log sources, user accounts, Appliance configurations, running backups, and more

Depending on access permissions, a user can perform User functions, Administrator functions, or both. This manual describes User tasks and functions. For Administrator information, see the LogLogic Administration Guide.

Release 5.0 introduces a new GUI for the LogLogic Appliance. Dashboard, Reports, Search, and Alert functions can be opened by clicking their respective icons on the home page or by clicking their buttons on the top navigation menu on the home page. See Figure 1 on page 12.

Management, and Administration functions for the Appliance are opened by clicking their buttons on the top menu on the home page. For more information on these functions, see LogLogic Administration Guide.

Using LogLogic Appliances : Appliance User Functions

12 User Guide

Online Help can be opened by clicking the Help button on any page. Brief video tutorials provide tips and guidance by example for many new LogLogic features. Tutorials can be accessed from the home page and from certain application pages. The New Features Overview page can be launched by clicking the LogLogic Tutorials link on the Home page.

Figure 1 LogLogic Appliance Home Page

The Appliance GUI provides access to all Administrator and User functions. Administrators can perform all functions on the Appliance, while Users are limited to functions that have been assigned to them the System Administrator.

Note: The functions in the navigation menu vary depending on the Appliance product family. For example, an ST Appliance displays fewer options than the LX Appliance because certain features are not available on ST Appliances. In addition, Reports may show different entries, depending on the Log Source Packages (LSPs) installed.

Note: For all text fields throughout the UI, null is not a valid entry.

In addition to documentation, the LogLogic Appliance is supported by comprehensive, context-sensitive online Help, which can be opened from any UI page in the application. Clicking the question mark (?) opens Help for the particular tab that is highlighted. Clicking the word Help (above the question mark) opens the entire online Help repository, plus a Table of Contents, an Index, and a Search function within Help. Take a moment to explore Help to discover the rich content offered there.

Using LogLogic Appliances : LogLogic Product Families

User Guide 13

LogLogic Product FamiliesLogLogic offers six families of products to provide better, faster and smarter log management, database security, and regulatory compliance solutions to corporations:

LogLogic LX Appliances are purpose-built Appliances for real-time log data collection and analysis. These Appliances slash response times to network security and utilization incidents, boost IT productivity, and reduce the corporate cost of security and performance event remediation.

LogLogic MX Appliances perform real-time log data collection and analysis ideal for mid-size and large companies. These Appliances slash response times to network security and utilization incidents, boost IT productivity, and are optimized to provide for log data needs in a non-enterprise environment.

LogLogic ST Appliances automate the entire log data archival process, minimizing administration costs while providing more secure log data capture and retention.

LogLogic DSM Appliances give IT security personnel full visibility into user activity on all monitored databases. Users can create custom policies to detect security violations or use out-of-the-box rules to protect against SQL injection, buffer overflow, privilege escalation attacks, and more.

LogLogic Compliance Manager Appliances bring visibility of compliance activity metrics to CIOs and CSOs, and control over activities to the compliance team, permitting them to privatively review the compliance timeliness and compliance posture mandated by Sarbanes-Oxley (SOX) and Payment Card Industry Data Security Standard (PCI-DSS).

LogLogic Appliances provide the highest log collection and analysis performance amongst all log management vendors. Log events are received and indexed in real-time. The LogLogic Appliances have clearly stated metrics that cannot be matched.

LogLogic LX Product FamilyFeaturing a parallel processing architecture, the LX 820, LX 1020, and LX 4020 Appliances centralize log data collection and retention by simultaneously processing raw log data and metalog data at any volume. Distributed real-time reporting and targeted queries let administrators take immediate action on network issues from a centralized management console.

These Appliances help enterprises harness the power of log data for a safer, more reliable network, while reducing corporate IT costs and providing rapid return on investment.

LX Benefits

LX product family Appliances offer the following benefits:

Real-Time Reports, ad-hoc queries and fast drill downs to speed up identification, isolation and repair of security and network incidents

Non-disruptive installation and plug-and-play operation: no changes to network configurations, no integration with other systems, no training required, available in minutes

Self-maintaining, embedded database technology that eliminates the need for DB administration

To view photographs of the LX Appliance layout, see the LogLogic Hardware Installation Guide.


14 User Guide

LogLogic MX Product Family

MX 3020 and MX 4020 Appliances centralize log data collection and retention by simultaneously processing raw log data and metalog data at any volume. Designed specifically for mid-size and large companies, MX Appliances provide the disk space and processing power required for most non-enterprise environments.

MX Appliance features support the need to harness the power of log data for a safer, more reliable network, while reducing corporate IT costs and providing rapid return on investment. MX Appliances are designed for installations where data must be retained longer than LX Appliances provide, but where enterprise features such as failover* and managing other log Appliances are not required.

*MX4020 supports HA failover mode.

MX Benefits

MX product family Appliances offer the following benefits:

Real-Time Reports, ad-hoc queries and fast drill downs to speed up identification, isolation and repair of security and network incidents

Features and specifications targeted specifically to mid-size and large companies

Self-maintaining, embedded database technology that eliminates the need for DB administration

To view photographs of the MX Appliance layout, see the LogLogic Hardware Installation Guide.

LogLogic ST Product Family

Available in compact, rack-mountable systems with up to 8 terabytes of compressed on-board storage and interfaces to NAS devices, the ST 1020, and ST 4020 Appliances archive up to 2 years of log data while eliminating the need for servers, tape libraries, and archive administrators.

The ST 2020-SAN (Storage Area Network) product offers potentially unlimited archive storage.

When used with LogLogic's LX Appliances, ST Appliances guarantee complete and accurate transmission of network equipment logs from anywhere on the enterprise WAN or LAN. ST Appliances feature an n-Tier architecture controlled by a management console that centralizes long-term log data archival while allowing for distributed log analysis and broader data accessibility.

ST Benefits

ST product family Appliances offer the following benefits:

High volume log data aggregation from centralized and remote log data sources

Long-term retention of unaltered, complete, raw log messages at a secure, central location to make archives unimpeachable

Distributed architecture of remote collection and central storage make log data collection and retention infinitely scalable

To view photographs of the ST Appliance layout, see the LogLogic Hardware Installation Guide.


User Guide 15

Scalable Infrastructure

The scalable LogLogic network infrastructure significantly accelerates response time to data center security and availability events, while providing complete log data archives for compliance and legal protection. LogLogic Appliances make log data in enterprise networks truly useful for the first time, improving corporate security, compliance and network availability, while reducing IT costs and costly network downtime, and improving corporate return on IT investment.


16 User Guide

Viewing Dashboards : Viewing System Status

CHAPTER 2:

Viewing Dashboards

LogLogic Appliances let you monitor a large variety of data to observe the system’s status and the widgets saved on your Dashboard.

Contents

Viewing System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Viewing Multiple Systems Status (Management Station) . . . . . . . . . . . . . . . . . . . . . . . 21

Viewing Log Source Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Viewing Log Source Data Trend . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Managing Your Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Viewing System StatusThe System Status tab displays a condensed view of the Appliance's current state, showing current message rate, CPU utilization, database size, alerts, and total message counts.

After you log in to the Appliance, the System Status tab is the default display. An example of the tab is shown in Figure 2 on page 18.

To view system status

1. Choose Dashboards > System Status from the navigation menu.

2. View the following sections on the System Status tab for information about your Appliance’s system status:

Current Message Rate

New Alerts

Disk Usage

CPU Usage

Message Counters

Detailed descriptions for each section are documented in Table 1 on page 18.

3. Click to expand or collapse a section to display an expanded or condensed version of the section’s status information.

4. Optionally, click the Message Rate tab for a larger view of this graph.

For more information, see Viewing Message Rate on page 24.

User Guide 17


5. Optionally, click the CPU Usage graph or the CPU Usage tab for a larger version of this graph.

For more information, see Viewing CPU Usage on page 25.

6. Click to update the system status information for your Appliance.

Figure 2 Dashboards – System Status Tab

Table 1 System Status Tab Elements

Element Description

General information

Uptime Continuous running time since the last reboot of the Appliance.

Date/Time Date and time set on the Appliance.

Software Version LogLogic software release running on the Appliance.

18 User Guide


Failover (not visible unless issues are present)

Status of the Management Station cluster’s master and standby Appliances. If issues exist, they are indicated through flags:

C: Cluster_id mismatch

A: Appliance model mismatch

V: Software version mismatch

E: Eligible

H: HA mode

X: eXcluded

O: Out-of-cluster

M: Master

S: Standby

For example, the failover status line Failover: master 10.1.4.6 (wait), standby 10.1.4.7 (flags:__V/EHX/O) means the master is waiting for the standby, and the standby is running the wrong software version, is configured for failover, is eligible for HA, but is excluded, and (as a result of the version mismatch) is out of cluster.

IMPORTANT! Once two Appliances are HA paired, no network settings should be changed.

System Status sections

Current Message Rate

Measured messages per second rate for the last 1, 5, and 15 minute time segments.

Click on the 1 MIN, 5 MIN, or 15 MIN headings links to change the Message Rate Graph time scale to 2 hour, 12 hour, and 24 hour time scales, respectively.

When using LogLogic TCP for routing logs to the Appliance, this graph displays spikes of activity every 5 minutes rather than a steadier line. This is because LogLogic TCP transfers data in regularly recurring chunks that are merged on the Appliance, and not continually.

Message Rate Graph (Message Rate tab)

Recent message rate over 1, 5, and 15 minute time segments.

The pink line represents the average number of messages per time segment.

The blue line represents the real-time incoming message rate for your Appliance.

The red line appears when inbound traffic exceeds the preset threshold

Click the Message Rate tab for a larger view of this graph.

New Alerts (LX/MX only) Number of active alerts over 1, 6, and 12 hour periods categorized by priority.

Disk Usage Current size of the database usage relative to table space allocation. This can be helpful for calculating data retention time tables, by listing Free and Total available usage.

CPU Usage Current CPU utilization for the last 1, 5, and 15 minute time segments.

Click on the 1, 5, and 15 minute headings to change the CPU Usage Graph time scale to 2, 12, and 24 hour time scales, respectively.

Table 1 System Status Tab Elements (Continued)

Element Description

User Guide 19


CPU Usage Graph Percent CPU utilization over 1, 5, and 15 minute time segments.

Click the CPU Usage Graph or the CPU Usage tab for a larger version of this graph.

Message Counters Statistics on each message category stored in the Appliance since the last boot. The count corresponds to a percentage of the total number of messages received. This is useful in calculating data retention settings and maximum syslog message rates.

Message categories:

Total Received—Total number of incoming messages for all categories.

Processed—Total number of messages received and parsed into the database.

Unapproved—Messages received from a log source that is not in the Manage Devices table. These messages are discarded. The most recent 100 messages are accessible from the Data Sources screen. (If auto-identify is on, all messages are auto-identified and no messages are unapproved.)

Skipped—Total number of messages ignored by the Appliance due to a syntactic flaw in the message.

Dropped—Total number of messages recognized but not processed due to network congestion or a corrupted syslog message.

The following appear only on LX and MX Appliances:

Total Parsed—Total number of incoming messages parsed for all categories.

Accepted IP—Total number of messages indicating successful connections through the firewall. For example, PIX® Message Numbers - 302013-302016.

Denied IP—Total number of messages indicating denied access by the firewall. For example, PIX Message Numbers - 106001, 106006, 106007, 106015, 106023.

Security—Total number of messages to be recorded in the Security Event Log report.

System—Total number of messages to be recorded in the System Event Log report.

Generic—Total number of flawed messages received from an approved source. These messages are discarded.

URL—Total number of messages to be recorded to the Web Surfing Activity report.

FTP—Total number of messages to be recorded in the FTP Connections report.

Auth/Access —Total number of messages to be recorded to the VPN Events report.

Other—Any message that is not in included in the other listed categories.

Updates the system status information for your Appliance.

Table 1 System Status Tab Elements (Continued)

Element Description

20 User Guide


Viewing Multiple Systems Status (Management Station)The Management Station System Status is the fastest way to view the condition and status of your Appliances as traffic flows through your system. You can use this information to provide for rapid reporting to the operations staff and acquire information about syslog messages at any particular time. (See Figure 3.)

The System Status information uses a proprietary technology for optimizing and then collecting security data for immediate use. Administrators can monitor the CPU usage when necessary to check on its congestion.

Figure 3 Dashboards - Management Station Status

After you log in to the Appliance, the Dashboards > Management Station tab is the default display. An example of the tab is shown in Figure 4 on page 22.

To view system status using a Management Station

1. Choose Dashboards > Management Station from the navigation menu.

2. View the following sections on the Management Station tab for information about an Appliance’s status:

Message Statistics

Message Rate

New Alerts

Message Counters

For detailed descriptions of each section, see Table 2 on page 22.

User Guide 21


3. Click to view updated status information for the Appliance.

Figure 4 Management Station Status Screen

Table 2 Management Station Screen Elements

Element Description

General information

Software Version Management Station Appliance’s software version.

Displays the Help topic for this tab.

Management Station sections

Appliances Lists the Appliances in your Management Station cluster.

To view the System Status for an Appliance, click its name.

A green square indicates the Appliance is online.

A red square indicates the Appliance is offline.

A blank square indicates the Appliance entry is being updated.

22 User Guide


Message Statistics Displays the following message statistics:

Total, Processed, Dropped, Unapproved, and Skipped—Message processing information about each managed Appliance.

Click a number in these columns to change the displayed value to the nearest thousand, million, or billion value.

Message Rate/Sec—Message rate, per second, by time segments of 1, 5, and 15 minutes.

Click on the message rate values to set the Message Rate graph to 4, 12, and 24 hour timescales, respectively.

Time Skew—Time delta, in seconds, between the Management Station Appliance and each remote Appliance.

Message Rate Graph

Monitors the rate at which messages are passing through your Appliance.

The Message Rate graph displays the current message rate by time segments of 1, 5, and 15 minutes. For example, 1 min – 100 msgs/sec. On ST Appliances, to the right of the minutes is the number of messages per second (xxx msgs/sec) for the Appliance. xxx does not reflect the amount of messages that comes in via the LogLogic TCP protocol.

The pink line represents the average number of messages per time segment.

The blue line represents the real-time incoming message rate for your Appliance.

The red line appears when inbound traffic exceeds the preset threshold

New Alerts The number of activated alerts, by hour and priority (High, Medium, Low, All).

Click an alert value to show the Aggregated LX or MX Alert Log.

Message Counters Statistics on each message category stored in the syslog database. The count corresponds to a percentage related to the total number of messages received. This is useful in calculating data retention settings and maximum syslog message rates.

The following is a list of message counters:

Total Received—Total number of incoming messages for all categories.

Processed—Total number of messages received and parsed into the database.

Skipped—Number of messages ignored by ClarifyCRM due to a syslog message syntactic flaw.

Unapproved—Messages received from a log source that is not in the Manage Devices table. These messages are discarded. The most recent 100 messages are accessible from the Data Sources screen. (If auto-identify is on, all messages are auto-identified and no messages are unapproved.)

Dropped—Messages recognized but not processed due to network congestion or faulty syntax.

Updates the system status information for your Appliance.

Table 2 Management Station Screen Elements (Continued)

Element Description

User Guide 23


Viewing Message Rate

The Message Rate tab shows the number of messages processed by the Appliance over a 12-hour time period. An example of the tab is shown in Figure 5 on page 24.

To view the message rate of the Appliance


2. Click the Message Rate tab to view the Message Rate graph.

3. If you are viewing a larger version of the Message Rate graph, click the back and forward buttons to display the number of messages during a specific time segment.

For additional information about the graph, see Table 3 on page 24.

4. Click to update the Message Rate graph.

Figure 5 Message Rate Tab

Table 3 Message Rate Tab Elements

Element Description

Go back 12 hours.

Go back six hours.

Go forward 12 hours.

Go forward six hours.

Displays the corresponding Help topic.

Message Rate section

24 User Guide


Viewing CPU Usage

The CPU Usage tab contains a graph that shows CPU utilization as a percentage over a 12-hour time period. An example of the tab is shown in Figure 6.

To view the CPU usage


2. View the CPU usage by doing one of the following in the System Status screen:

View the small graph in the CPU Usage section.

Click on the small graph in the CPU Usage section to view a larger version of the graph.

Click the CPU Usage tab to view a larger version of the graph.

3. If you are viewing a larger version of the CPU Usage graph, click the back and forward buttons to display the number of messages during a specific time segment.

For additional information about the graph, see Table 4.

4. Click to update the CPU Usage graph.

<blue line> Real-time message traffic which includes UDP syslog and/or raw TCP (SyslogNG) traffic.

<pink line> Average rate of the incoming messages for the time segment shown.

<red line> Appears when inbound traffic exceeds the preset threshold

Updates the Message Rate graph.

Table 3 Message Rate Tab Elements

Element Description

User Guide 25

Viewing Dashboards : Viewing Log Source Status

Figure 6 CPU Usage Tab

Viewing Log Source StatusThe Log Source Status tab lets you view statistics for each source device. An example of the tab is shown in Figure 7.

To view the log source status

1. Choose Dashboards > Log Source Status from the navigation Menu.

Table 4 CPU Usage Tab Elements

Element Description

Go back 12 hours.

Go back six hours.

Go forward 12 hours.

Go back 12 hours.

Displays the corresponding Help topic.

CPU Usage section

<blue line> CPU usage in real time.

<pink line> Average CPU percent utilization for the time segment shown. To see a larger version of the screen, click the CPU Usage tab.

Updates the CPU Usage graph.

26 User Guide


2. View the following log status information for each source device:

Name

IP Address

Type

Message Count

Byte Rate/Sec

Description

For detailed descriptions of each item, see Table 5 on page 28.

3. Click to update the view of your devices.

4. Optionally, click to print all the items in the list.

Figure 7 Log Source Status Tab

User Guide 27


Log Source Status Descriptions

Table 5 lists and describes the elements in the Log Source Status tab.

Table 5 Log Source Status Tab Elements

Element Description

Saves the report in a CSV format. You should save the file and export it to an Excel spreadsheet for viewing.

Note: The CSV file saves and displays a maximum of 10,000 lines. A generated report can contain more than this number.

Displays the report in HTML format in a new window. You can save the HTML file to your local machine.

Note: The HTML file saves and displays a maximum of 5000 lines. A generated report can contain more than this number.

Saves the report as a PDF file. You can save the PDF file to your local machine. Viewing the generated report as a PDF only works for Adobe Acrobat Reader version 6.0 and higher.

Note: The PDF file saves and displays a maximum of 5000 lines even though the generated report may contain more than this number.

Click to print all the items in the list.

Click to display the corresponding Help topic.

Displays the previous page of detail for the device list.

Displays the next page of detail for the device list.

To display details for a specific page, type a page number and click GO.

Note: For certain pages that display this option, you can only view a set number of rows. To set the number of rows to view, use the Personal Preferences tab.

Log Source Status section (all of the following columns are sortable)

Name Name of your source device.

IP Address IP address for your source device.

Type Type of source device.

Message Count The following types of messages counts:

Total—Total number of messages processed for the specified device.

1 Min—Total number of incoming messages during the previous one minute period.

5 Min—Total number of incoming messages during the previous five minute period.

15 Min—Total number of incoming messages during the previous 15 minute period.

1 Min (Byte Rate/Sec) Byte rate per second for each device during the previous one-minute period.

Description Description you defined for the Source Device in the Management > Devices > Devices tab and Management > Check Point Configuration > Interfaces tab.

If you selected the Auto-identify Log Sources option in the Administration > System Settings > General tab, the system displays that the source device is an auto-identified log source.

28 User Guide


Viewing Unapproved Messages

Use the Unapproved Messages tab to view information on up to 100 of the most recent real-time messages received from a recognized but unapproved source. Unapproved messages are discarded.

Summary data on unapproved messages can be seen from the Dashboards > System Status tab.

Note: Messages from logs routed using LogLogic TCP are not listed here because they are not treated as real-time messages.

To view unapproved messages

1. Choose Dashboards > Log Source Status from the navigation menu.

2. Click the Unapproved Messages tab.

This section contains the following elements.

3. Click to update the information.

Updates the view of your devices. If auto-identify is enabled and the Appliance detects new devices, refresh displays them in this view.

Advanced Options By default, all these options are displayed:

Name

IP Address

Type

Total

1 Min

5 Min

15 Min

1 Min (Byte Rate/Sec)

Description

Use the drop-down menu to view options in ascending or descending order.

Deletes all text in the Advanced Options text boxes.

Executes with the defined Advanced Options parameters.

Table 6 Unapproved Messages Tab Elements

Element Description

No. Number assigned to the message.

Time Time the message was received.

Firewall IP address of the Appliance through which the message was received.

Message Text of the message.

Table 5 Log Source Status Tab Elements (Continued)

Element Description

User Guide 29


4. (Optional) Click to print all the messages in the list.

Viewing Recent Messages

Use the Recent Messages tab to view information on up to 100 of the most recently-received real-time messages. (See Figure 8.)

Note: Messages from logs routed using LogLogic TCP are not listed here because they are not treated as real-time messages.

To view recent messages

1. Choose Dashboards > Log Source Status from the navigation menu.

2. Click the Recent Messages tab.

Figure 8 Recent Messages

This section contains the following elements.

3. Click to update the information.

4. (Optional) Click to print all the messages in the list.

Table 7 Recent Messages tab descriptions

Element Description

No. Number assigned to the message.

Time Time the message was received.

Firewall IP address of the Appliance through which the message was received.

Message Text of the message.

30 User Guide

Viewing Dashboards : Viewing Log Source Data Trend

Viewing Log Source Data TrendThe Log Source Data Trend tab displays the graphs of incoming Syslog Data rate in MB from all sources over the last 24 hours. The top graph displays Realtime Logs, and the bottom graph shows File Transfer Logs. Log data that has been fully indexed is represented by blue bars; log data to be indexed is represented by orange bars. The bar graphs refresh once per minute.

To view log source data trend

1. Choose Dashboards > Log Source Data Trend from the navigation menu.

2. View the Syslog data from all sources within the last 24 hours as shown below.

Figure 9 Log Source Data Trend

User Guide 31

Viewing Dashboards : Managing Your Dashboard

Managing Your DashboardThe My Dashboard menu allows you to customize your Dashboard with visualizations, known as “widgets”, representing Report Results, Search Results, Alerts, and Appliance performance. For example, If you have an Index Search showing web surfing activity within the Intranet, this data can be presented on your Dashboard using the Trend Graph widget, and refreshed periodically with recent data from an Index Search.

The system admin can specify the maximum number of widgets that can be displayed on your Dashboard using the Administration > System Settings > General tab.

Note: It is possible to exceed the recommended number of widgets (10) on your My Dashboard. However, graphical errors may result in the data displayed. Similarly, if you set the amount of data to be displayed inside each widget beyond the recommended value of 10, graphical errors may result.

Widget Types

You can create different types of widgets to add to your dashboard canvas. The different types are:

Summary: Displays top 10 results from any Report saved with the “Summarized” option. It also displays All Index Reports as well as Index Searches that are grouped by option (except grouped by Time). For details, see Managing Summary Widgets on page 35.

Trend: Displays a trend of Index Search “hits” occurring over a period of 1 day, 1 week or 1 month. For details, see Managing Trend Widgets on page 38.

Alerts: Displays recent triggered alerts matching your specified filters. For details, see Managing Alert Widgets on page 42.

System: Displays Network and File based data ingest trends, Disk usage, and CPU usage utilization. For details, see Managing System Widgets on page 46.

Notes:1. The widget list is only populated by reports. Therefore, you must save a report before you can create a widget. 2. Imported Compliance Suites are templates and not reports. Hence, you need to save one in order to populate in the Widget list. 3. Widgets show data from time periods as specified (Once every few hours, Once a day, Once a week, and Once a month). The widget data is refreshed after the time period has completely passed. For example: If you specify Once a day time frame, and feed data at 2:17pm, the widget data will be refreshed after midnight. Similarly, if you specify Once a week time frame, then the widget data will be refreshed after Sunday midnight.4. Widget report is always executed according to its schedule. Only when a widget is first created, and added to dashboard, the widget report execute outside the schedule. Therefore, If you wish to modify a widget report schedule, first delete the widget, and then re-create a new widget with new schedule.

About My Dashboard

By default, the dashboard canvas displays some pre-configured widgets. The Widgets link enables you to add widgets to your dashboard. A new widget is always added on the upper left side on your dashboard canvas. If a widget is already added to the dashboard, you cannot add the same widget to the dashboard again. For detailed information about widgets, see Managing Widgets on page 33.

32 User Guide


Note: The NAS/SAN Disk Usage widget will display only on the ST Appliance.

To view your dashboard

1. Access Dashboards > My Dashboard from the navigation menu.

2. View your My Dashboard canvas as shown below.

Figure 10 My Dashboard

Managing Widgets

The Dashboard is highly customizable with widgets and data of your selection. The Widgets link allows you to view and add existing widgets to your dashboard, create new widgets, edit existing widgets settings, or remove widgets from the system.

Using the drag-drop method, you can change the position of widgets on your Dashboard. Click and drag the widgets title bar to move a widget to a new location on the canvas (see Figure 11). You can also resize any widget by pulling the bottom side of the widget. The system automatically saves your latest widget positions with your LogLogic User Account.

User Guide 33


Figure 11 My Dashboard Canvas – Manage Widgets

Depending on the widget type, some widgets display different buttons on the upper right corner of the widget (see Figure 11).

Table 8 lists and describes the widget buttons

By default, widgets are created exclusively for your use. However, you can share your widgets with others by checking Shared option on the widget's settings screen. Sharing Report and Search widgets improves system performance, since the underlying data used for the visualization only needs to be created once for all Dashboard views of the Widget.

Table 8 Widget buttons

Button Description

Shows the toolbar for that widget. Using this toolbar, you can view different presentation options of the selected report. For example, for Summary widget, you can choose to view Column chart, Bar chart or Table format.

Displays the widget in full screen view. If it is already in full screen view, this will restore the widget to normal size.

Displays the widget’s existing settings. Click the button to open the Edit widget settings window. This allows you to change the widget’s existing settings.

Removes the widget from your Dashboard. However, the widget is still available in the widget list to use on other dashboards.

Select the color of the widget ‘s graph from a color palette.

Note: From the widget toolbar, this button is available only for certain widget types.

34 User Guide


Managing Summary Widgets

The summary widgets provides focused visualization of first 10 records returned from the underlying Saved Report query.

Figure 12 illustrates an example of Summary Widget. If you click , the report displays more view options such as Column Chart, Bar Chart, Table, Axis Label, and Drilldown (see Figure 12). The Drilldown button takes you to the actual report page where you can run the report with the same log sources. The time frame on the widget is defined separately than the actual report’s time range. Similarly, when a widget is shared and if you don’t have similar privileges as the widget owner, you may not be able to view the same data as displayed in the widget.

For more information on other widget buttons, see Table 8 on page 34.

Figure 12 Summary Widget Example

To add an existing summary widget to your dashboard

Note: If a widget is already added to the dashboard, you cannot add the same widget to the dashboard again.

1. Access Dashboards > My Dashboard > Widgets from the navigation menu.

2. Click the Summary icon. A list of existing summary widgets, if any, is displayed in the second pane.

User Guide 35


Figure 13 Summary Widgets - List of Existing Widgets

3. Select the widget from the list. The widget’s settings are displayed for your review in the third pane.

4. Click the Add to Dashboard button to add the widget to your dashboard.

To create a new summary widget

Note: To create a summary widget, you must have the Reporting privileges. For more information about privileges, see Chapter 13, Managing Users in the LogLogic Administration Guide.


2. Click the Summary icon. A list of existing summary widgets, if any, is displayed in the second pane.

3. Click the Create New button to create a new widget. The new widget settings pane appears as shown below.

36 User Guide


Figure 14 Create a New Summary Widget

4. Enter the Name and Description of the widget.

5. Select a report from the Report list as explained in Table 9.

6. Specify a Timeframe as explained in Table 9.

Table 9 Summary Widgets Elements

Element Description

Name Name of your widget that is displayed on the widget Title bar.

Description Description of your widget.

Shared Select the checkbox if you want to share your widget with others. However, only the creator can edit this widget settings.

Selected Displays the selected report from the Report list. When the report is not selected, None is displayed.

Enter text to filter Enter the text to filter Report list and then press Enter.

Report list By default, the following columns are displayed:

Type--the report template type, for example, User Access

Name--the name of the report

Description--the description of the report

Click on the column heading to sort the table by that column to view in ascending or descending order.

User Guide 37


7. Click the Save Settings button to save the widget’s settings. The widget is now listed in the saved widget list. Click Add to Dashboard button to add the widget to your dashboard.Or,Click the Save & Add to Dashboard button to save the settings and add the new widget to your dashboard.

To edit an existing summary widget’s settings

Note: Only the creator of the widget can edit that widget’s settings.

1. Select a widget from the saved widget list (see Figure 14 on page 37).

2. Make the appropriate changes.

3. Click the Save Settings button to save the new settings.

Note: The Save & Add to Dashboard button is available only when the widget is not on your dashboard.

Managing Trend Widgets

The Trend widget displays a trend of Index Search “hits” occurring over a period of 1 day, 1 week or 1 month.

Figure 15 illustrates an example of Trend widget. If you click , the report displays more view options such as Column Chart, Line Chart, and Drilldown (see Figure 15). The Drilldown button takes you to the actual report page where you can run the report with the same log sources. The time frame on the widget is defined separately than the actual report’s time range. Similarly, when a widget is shared and if you don’t have similar privileges as the widget owner, you may not be able to view the same data as displayed in the widget.

For more information on other widget buttons, see Table 8 on page 34.

Timeframe section

Run Specify the time frame to refresh the widget’s report results. The options are:

Once every few hours

Once a day

Once a week

Once a month

Note: Depending on the above selected Run option, the corresponding following fields may change. For example: If you select Once a week option, specify time, and day of the week.

Specify the appropriate intervals.

Table 9 Summary Widgets Elements (Continued)

Element Description

38 User Guide


Figure 15 Trend Widget Example

Trend widgets allow you select a time range and zoom in to the data. When you specify a time range on the widget, the Drilldown option will use the same time range to display the report. If the chart is zoomed in, as shown in Figure 16, the zoomed time range will be used if you click the Drilldown option.

Figure 16 Trend Widget Zoomed in time range Example

To add an existing trend widget to your dashboard



2. Click the Trend icon. A list of existing trend widgets, if any, is displayed in the second pane.

User Guide 39


Figure 17 Trend Widgets - List of Existing Widgets



To create a new trend widget

Note: To create a trend widget, you must have the Index Search privileges. For more information about privileges, see Chapter 13, Managing Users in the LogLogic Administration Guide.


2. Click the Trend icon. A list of existing trend widgets, if any, is displayed in the second pane.


40 User Guide


Figure 18 Create a New Trend Widget


5. Select a saved search from the Search list as explained in Table 10.

6. Specify the Trend Range as explained in Table 10.

Table 10 Trend Widgets Elements

Element Description

Name Name of your widget displayed on the widget Title bar.

Description Description of your widget.

Shared Select the checkbox if you want to share your widget with others. However, only the creator of the widget can edit the settings.

Selected Displays your selected search. When the search is not selected, None is displayed.

Enter text to filter Enter the text to filter the saved search settings and then press Enter.

Search List By default, all these columns are displayed:

Type–the report template type, for example, User Access

Name–the name of the report

Description–the description of the report

Click on the column heading to sort the table by that column to view in ascending or descending order.

User Guide 41


7. Click the Save Settings button to save the widget’s settings. The widget is now listed in the saved widget list. Click Add to Dashboard button to add the widget to your dashboard.Or,Click the Save & Add to Dashboard button to save the settings and add the new widget to your dashboard.

To edit an existing trend widget’s settings





Note: The Save & Add to Dashboard button is available only when the widget is not on your dashboard.

Managing Alert Widgets

The Alert widget displays recent triggered alerts matching your specified filters.

Figure 19 illustrates an example of Alert Widget. If you click , the report displays more view options such as Enable, and Disable (see Figure 19). For more information on other widget buttons, see Table 8 on page 34.

Trend Range section

Tiimespan Specify the timespan from the drop-down menu. The options are:

1 Day

7 Days

30 Days

Table 10 Trend Widgets Elements (Continued)

Element Description

42 User Guide


Figure 19 Alert Widget Example

To add an existing alert widget to your dashboard



2. Click the Alerts icon. A list of existing alert widgets, if any, is displayed in the second pane.

User Guide 43


Figure 20 Alerts Widgets - List of Existing Widgets



To create a new alert widget

Note: To create an alert widget, you must have the Manage Alerts privileges. For more information about privileges, see Chapter 13, Managing Users in the LogLogic Administration Guide.


2. Click the Alerts icon. A list of existing alert widgets, if any, is displayed in the second pane.


44 User Guide


Figure 21 Create a New Alert Widget


5. Specify how to show alerts based on Type & Priority or Custom selection as explained in Table 11.

6. Specify number of alerts from the Show most recent list as explained in Table 11.

Table 11 Alerts Widgets Elements

Element Description

Name Specify the name of your widget displayed on the widget Title bar.

Description Specify the description of your widget.

Shared Select the checkbox if you want to share this widget with others. However, only the creator can edit this widget settings.

Only show section

Type & Priority Select this option to specify the type of system and priority. Click the checkbox to select the priority level.

Custom Selection Select this option to specify alerts from the existing list.

Selected Once you select the alert rule from the Available list, it appears under this column.

User Guide 45


7. Click the Save Settings button to save the widget’s settings. The widget is now listed in the saved widget list. Click the Add to Dashboard button to add the widget to your dashboard.Or,Click the Save & Add to Dashboard button to save and add the new widget to your dashboard.

To edit an existing alert widget’s settings





Note: The Save & Add to Dashboard button is available only when the widget is not already on your Dashboard.

Managing System Widgets

The System widget displays four pre-defined widgets: Network-based Data Ingest, File-based Data Ingest, Disk Usage, and CPU.

Figure 22 illustrates an example of Network-based Data Ingest Widget. For more information on widget buttons, see Table 8 on page 34.

Available Displays list of available alert rules. Select the alert by clicking the appropriate alert rule name (or names). This allows you define certain triggered alerts on your dashboard.

Show most recent Specify how many alerts to be displayed in the widget. The options are:

10 Alerts

25 Alerts

50 Alerts

100 Alerts

Table 11 Alerts Widgets Elements (Continued)

Element Description

46 User Guide


Figure 22 Network-based Data Ingest Widget

Figure 23 illustrates an example of File-based Data Ingest Widget. For more information on widget buttons, see Table 8 on page 34.

Figure 23 File-based Data Ingest Widget

Figure 24 illustrates an example of Disk Usage Widget.

Figure 24 Disk Usage Widget

Figure 25 illustrates an example of CPU Widget. If you click the Show Toolbar button, the report displays more view options such as Hour range from 2 Hr, 6 Hr, and 12 Hr. For more information on other widget buttons, see Table 8 on page 34.

User Guide 47


Figure 25 CPU Widget

To add a system widget to your dashboard


2. Click the System icon. The pre-defined widgets are displayed in the second pane.

Figure 26 System Widgets

48 User Guide


3. Select the widget by clicking on the name from the list of pre-defined widgets to view the details in the pop-up window.

4. Click the Add to Dashboard button. The widget is added to your dashboard.

Note: If a widget is already added to the dashboard, you cannot add the same widget to the Dashboard again.

Defining your Dashboard Canvas Settings

You can specify the number and size of columns on your Dashboard canvas.

To define your dashboard canvas settings

1. Access Dashboards > My Dashboard from the navigation menu.

2. Click the Dashboard link. The Edit dashboard settings window appears as shown below.

Figure 27 Edit Dashboard Settings

3. Specify the number of columns from the column layout options. The options are: One Column, Two Columns, or Three Columns.

4. If you select Two or Three columns option, specify the width of the column by dragging the slider to the desired width.

5. You can preview your column settings in the Preview window.

6. Click Save Settings to save your Dashboard settings. The widgets on your Dashboard are rearranged as per the new Dashboard settings.

User Guide 49


50 User Guide

Viewing Real Time Log Messages : Accessing and Selecting Real Time Messages to View

CHAPTER 3:

Viewing Real Time Log Messages

The Real Time Viewer provides a scrolling display of log messages from all log sources as the Appliance receives them. You can either filter messages or view all log messages unfiltered as they arrive.

Real Time Viewer displays log messages only for syslog log sources, not for file transfer or database log source types (including log messages forwarded using LogLogic TCP).

Contents

Accessing and Selecting Real Time Messages to View . . . . . . . . . . . . . . . . . . . . . . . . 51

Viewing Log Messages in Real Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Accessing and Selecting Real Time Messages to ViewThe Real Time Viewer shows an immediate scrolling display of log messages as they are received by the Appliance. (See Figure 30.)

To access the Real Time Viewer:

Choose Search > Real Time Viewer from the navigation menu.

User Guide 51


Figure 28 Accessing Real Time Viewer

52 User Guide


The Real Time Viewer screen is displayed as shown below.

Figure 29 Real Time Viewer Screen

Table 12 Real-Time Viewer Tab Elements

Element Description

Saved Custom Report Select a Custom Report from the drop-down menu.

If you do not have any saved Custom Reports, this field is grayed out. This option is useful to view real-time data with the specified parameters from your saved filter for a specific Appliance.

Device Type Devices associated with the Appliance.

Source Device IP address of the selected Device Type.

The drop-down menu contains the devices connected to the Appliance.

Highest Severity Specify the selection of a set of syslog messages by their highest severity. Select this checkbox to filter the syslog messages of that severity.

User Guide 53


Search Filter Define an expression used to limit information displayed from the devices.

Filter options are:

Pre-Defined—The drop-down contains pre-defined search filters that you manage in the Search Filters tab.

Use Words—The components of messages. The maximum character length of the Use Words field is 125.

For example, userIDs like cjreid, or parts of IP addresses like 192.

Use Exact Phrase—A component of a syslog message that are not randomly linked but form a fixed string, for example, a specific URL or Authentication rejected:, keyboard-interactive for root. The maximum character length of the Use Exact Phrase field is 250.

Regular Expression—A regular expression is a tool comprised of characters and symbols, that enable the search to identify patterns retrieved the storage database. The maximum character length of the Regular _Expression field is 250.

For example:

User .* connected, \>su:.*(to root), amd sshd.*Accepted.*for root from

Save Custom Report Define and save frequently used search criteria for future use to execute a report against your real-time logs more quickly. Novice users can run reports with complex search criteria with minimal input.

Specify the following information:

Report Name—A name for the report.

Report Description—A brief description for other users to understand the type of information that this report generates.

Share with Other Users checkbox

The default, Share with Other Users option lets you make this Custom Report accessible for other users logging in to this Appliance.

Click to save your changes.

Runs the filter and display the real-time log view.

Element Description

54 User Guide


To run the Real Time Report

1. Designate which messages to view in real time. You can pre-filter messages by source device, message severity, and text matches.

2. Click .

The Real Time Viewer appears, displaying messages meeting the filter criteria as the Appliance receives them. (See Figure 30.)

Figure 30 Real Time Viewer – Raw Logs

When you leave the Real Time Viewer and return to it later, the content in the Viewer restarts upon your return. Messages from the previous Viewer instance are not retained in the new Viewer instance.

To run a previously saved report in the Real-Time Viewer:

1. Choose Search > Real Time Viewer from the navigation menu.

2. Select the report from the Save Custom Report drop-down menu.

3. Click .

For additional information on Custom Reports, see Tag Catalog on page 193.

To specify parameters to run a new report in the Real-Time Viewer

1. Choose Search > Real Time Viewer from the navigation menu.

2. Select the device type.

User Guide 55

Viewing Real Time Log Messages : Viewing Log Messages in Real Time

3. Select the source device connected to your Appliance.

4. Choose the severity level. To specify the highest level, check the Highest Severity checkbox.

5. Type your search criteria to limit information displayed from the device(s).

6. Click .

To save a Custom Report in the Real-Time Viewer

After specifying the parameters for your report, save the report:

1. Click to expand the Save Custom Report section.

2. Type a name for your report and provide a brief description.

3. If you do not plan to share the report with other users logging in to the Appliance, uncheck the Share with Other Users checkbox. By default, this checkbox is selected.

4. Click to save your changes.

Viewing Log Messages in Real TimeBased on your selections in the Real-Time Viewer tab, the Real-Time Viewer: Log Messages tab shows a scrolling view of log messages in real time as they are received by the Appliance. The messages shown are determined by your input in the Real-Time Viewer tab Search Filter section. (See Figure 31.)

If you need to scroll through the incoming messages, click Pause. However, messages that arrive while the view is paused are skipped by the view; they do not get displayed when you resume.

Figure 31 Real-Time Viewer - Log Messages Paused

56 User Guide


Table 13 Real-Time Viewer: Log Messages Screen Elements

Element Description

Selected Device Displays the Appliance source device name for the selection in the Real-Time Viewer Filter form.

Status Status of the Real-Time Viewer display.

Stops the real-time view of the incoming log messages.

If you pause the view, Real-Time Viewer skips incoming messages until you click Resume. The number of skipped messages is displayed next to Status: Paused.

Starts the real-time view of the incoming log messages.

Deletes the view of the incoming log messages and refreshes the page.

Refreshes the view of the incoming log messages.

The number of lines to store in the buffer for viewing. The default is 10000. To change the buffer size, type the number of lines and click the Buffer Size button.

Returns the user to the Real Time Viewer page, where the existing settings can be viewed and changed. After your changes (or to keep the current settings) click the Run button.

User Guide 57


58 User Guide

Searching Collected Log Messages :

CHAPTER 4:

Searching Collected Log Messages

As the Appliance collects log data from your log sources, you can search on those collected log messages. In addition to running various simple and complex searches, you can define search filters and run reports.

Pre-defining search filters lets you include specific search criteria in an Index Search, a Regular Expression Search, the Real Time Viewer, and All Saved Searches without having to re-enter the filtering criteria each time.

Viewing archived data files lets you reload and open older, compressed log data for viewing on an Appliance.

Contents

Search Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Using Index Search. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Tag-Based Searches Using the Tag Picker Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Using Regular Expression Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Using Search Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Viewing All Saved Index Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Using and Creating All Index Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

For details on Boolean expressions, Regular Expression usage, what gets indexed, and available delimiters, see the Search Strings topic in the Online Help.

User Guide 59

Searching Collected Log Messages : Search Overview

Search OverviewLogLogic provides search and reporting tools for finding specific information in collected log message content. The tool you use varies depending on the task you want to perform.

Index Search—Search on indexed log source messages using a Boolean expression and see the results immediately. Use Index Search when a simple, fast search can provide the information you need to analyze failures or other anomalies.

Regular Expression (RegEx) Search—Search using a single regular expression or pre-defined search filter, either immediately or at a scheduled time.

Real Time Viewer—The Real-Time Viewer shows an immediate scrolling display of real-time log messages as they are received by the Appliance. The options form allows for pre-filtering of these messages by log source or device group, message severity, and text matches. Only log messages meeting the filter settings are shown. SeeViewing Real Time Log Messages on page 51.

Index Report—Generate a report based on indexed data using pre-defined Boolean search filters. Essentially, an Index Report is a compilation of multiple Index Searches run at once. You can specify one or more pre-defined filters to use, and add additional criteria to those filters.

Note: For a simple search to match a specific string, use Index Search. To search for strings that match more complex patterns, use RegEx Search.

Table 14 Search and Reporting Feature Comparison

Feature Index Report

Index Search

RegEx Search

Real Time Viewer

Multiple filters in search Yes No No Yes

Boolean Expressions Yes Yes No No

Regular Expressions No No Yes Yes

Graphical Results Available Yes Yes No No

Graphically view trends over time or log sources No Yes No No

Schedulable Search No No Yes No

Save customized search criteria for future use Yes Yes Yes Yes

View finished/past search results No No Yes Yes

60 User Guide

Searching Collected Log Messages : Using Index Search

Figure 32 Search Menu

Using Index SearchUse Index Search to perform targeted searches on log messages using keywords, Boolean expressions, and wildcards on the Appliance or log sources. Index Search lets you pinpoint problem areas on all log sources captured on the Appliance and then view the search results quickly.

Due to the dynamic nature of LogLogic reporting, when paging between the last page of search results and other pages, additional messages matching the search criteria might have been received since the initiation of the original search. As such, you might see additional messages included on subsequent visits to the last search results page.

Index Search works on indexed logs making it faster than a search using regular expressions (RegEx search). By default, the Appliance performs an Index Search on the Appliance itself and all log sources collected on the Appliance in the last hour.

Search Expression RulesThe following rules apply when you enter a search expression:

Use Boolean operators, such as AND, OR, or NOT for your search expression (but do not begin the expression with leading NOT)

Use wildcard characters, such as an asterisk (*) or question mark (?) to match strings (but do not begin the expression with the wildcard)

Use delimiters such as parentheses to tell Index Search what to evaluate first

Enter up to 256 characters for your search expression

When using Index search and Tag Based search, the system does not support the use of search patterns shorter than 3 characters

User Guide 61


Index searches are case insensitive, so you do not have to use all uppercase letters when using Boolean operators, although it helps readability. Some simple Index Search examples include:

For details on Boolean expressions, search strings, and available delimiters, see the Search Strings topic in the Online Help.

Running an Index Search

Index Search is available on all Appliances except the LX 510. By default, the Appliance performs an Index Search on the Appliance itself and all log sources from which logs were collected on the Appliance in the last hour. You can search using these defaults or change them.

To run an index search from the Index Search Interface

1. Access the Index Search page from home: Search > Index Search. The Index Search interface is displayed as shown below.

Figure 33 Index Search Interface

2. Enter your search expression in the search text box and click the Run button.

Figure 34 Index Search – login – Run

Table 15 Index Search Examples

Index Search Example Rule

tcp Use search expressions containing at least three characters.

authenticate AND failed

Tcp NOT Udp

Use Boolean operators, such as AND, OR, or NOT.

admin*

10.*

Use wildcard characters such as an asterisk (*) or a question mark (?) as shortcuts to match strings.

(tcp and udp) and service

Use a delimiter, such as parentheses to specify what gets evaluated first, in this case, tcp and udp before the service keyword.

62 User Guide


The search results appear immediately on the Search Results tab, and the search term “login” is highlighted.

If you want, you can adjust the search scope and rerun the search by selecting specific log sources and/or a different timeframe.

Selecting Specific Log Sources

To perform a more targeted search, you can narrow the search scope to a group of log sources, such as all firewall interfaces, all routers, all General Syslog, Microsoft sources, other UNIX, or LogLogic Appliances.

The default rule is set as All Sources except LogLogic. This includes all logs except LogLogic Appliance logs. You can add any individual and/or group of non-LogLogic sources to this rule. However, if you specify any other log source, other than LogLogic source, the default rule will be removed from the filter list (from the left pane) and the new log source is added. This enhancement applies to only system-defined groups and not the user-defined groups. For example, if you select a user-defined group that only includes LogLogic source, then the default rule will be removed.

On the Management Station, you can select from one managed Appliance or all Appliances, or particular groups of Appliances (for example, all LX Appliances or all ST Appliances) on which to run the search. The Choose Device pop-up automatically populates the log sources included on all defined groups.

Note: When Appliance selection is “All”, “All LX/MX”, or “All ST”, only system defined groups (e.g. All Cisco PIX) and user defined global groups that reside on the management station will be displayed.

To run a targeted Index Search

1. Click the All Sources except LogLogic button to open the Select Source(s) window.

Figure 35 Open All Sources on Local Host

2. Select log sources from the Add Log Sources pane. You can select sources by Appliance, and filter by Name, IP Address, Group or Type.

Note: When adding a large number of devices, create a dynamic rule which contains all listed devices. To create a rule, first filter by Name or Type to retrieve the list of devices. Then, click the << Add filters as a rule button that will create a dynamic rule which contains all listed devices on the right pane.

User Guide 63


Figure 36 Select a Source and a Filter

3. Click << Add filters as a rule.

Figure 37 Add Search Rule

4. Enter a name for the dynamic rule in the pop-up window and click OK.

64 User Guide


Figure 38 Name Dynamic Search Rule

5. Click on the sources you want in your report and then click << Add selected log sources to add the selected devices and filters to the left-hand pane.

Figure 39 Add Selected Devices – Click Set to Confirm

6. Click Set. The new Index Report search selection appears in the Sources row. The Index Search Sources field displays the newly added log sources.

User Guide 65


66 User Guide

Select Time Frame for an Index Search

To select time frame for an index search

1. Click the calendar icon (to the right of Last Hour) to launch the Date and Time Range Picker.

2. Select a preset time interval by clicking the down arrow to the right of Last Hour, or pick a timeframe from the pop-up calendar. Click Set.

Figure 40 Schedule Index Search Report

3. Click Run.

4. At the Search pop-up, select whether you want to retrieve all messages. Click Yes. After a few moments, the Index Search results will be displayed.

Figure 41 Index Report Search Results

Using the Search Results Tab

Viewing Index Search Results

Index Search results are displayed in the Search Results tab and the keywords you entered are highlighted in different colors.


For example, when entering login AND user as your Boolean expression, the Search Results tab shows the first keyword “login” in yellow and second keyword “user” in turquoise.

Figure 42 Viewing Index Search Results

The UI uses several different colors to highlight search keywords after which it repeats the same color scheme.

To view search results using different view options

1. From the top right of the Index Search screen, click the View drop-down menu to open different view options. The options are: Reset to Default, Show Timeline, Hide Meta Header, View by, Chart Type.

Figure 43 Index Report Search Results – View

The Search Results view options are:

Table 16 Index Report Search--View options

Element Description

Reset to Default Resets to default settings.

Show Timeline Select this checkbox to show timeline graph.

Hide Meta Header Select this checkbox to hide the metadata header information.

View By Select the option to view by Time or Device type.

Chart Type Select the type. The options are Bar chart or Line chart.

User Guide 67


Configuring Search Results Settings

To configure Search Results settings

1. From the top right of the Index Search page, click the Options button. The Columns and Grouping window appears as shown below.

Figure 44 Index Search -- Options menu

2. Optionally, enter a filter keyword in the Keyword field to narrow the displayed columns in your report.

3. Select the appropriate Column Name by clicking in the checkbox to include or exclude that column from your report. You can change the column name by clicking on the name. The column name field becomes an editable field allowing you to make the changes.

Note: If you enter the same column name for two columns, the Index Search Results page displays the results for those two columns merged into one column.

4. Click or to move the selected column.

5. Choose the Display options.

68 User Guide


6. Click Apply to apply the new settings. The Index Search Results page displays the refined search results. Figure 45 displays Search Results when grouped based on Device IP.

Table 17 Display Options

Element Description

Raw Select this option to display Index Search Results in time-increasing order.

Grouped Select this option to display Index Search Results grouped by the selected column.

Group By Choose the appropriate column to display group search results from the drop-down menu. The default options are:

Time

Device IP

Device Source

Facility

Severity

You can add more columns by creating custom tags using Log Labels. See Device Types online help video tutorial for instructions.

Time Interval This option is enabled when you select to Group By Time. The results are grouped based on the specified time interval. Select the Time Interval from the following options:

Every 5 Minutes

Every 30 Minutes

Every Hour

Every 3 Hours

Every 6 Hours

Every 12 Hours

Every Day

Every Week

Sum By This optional setting allows you to add the numerical value of the selected column so that Search Results Summary displays the sum value of the grouped column instead of the count of message instances.

Aggregation Size Select the option from the drop-down menu. The results will be sorted based on the selected option. The options are:

Top 1

Top 5

Top 50

All

User Guide 69


Figure 45 Index Report Search Results – Grouped results by Device IP

Managing Search Results

The Search Results tab provides a toolbar with several options for managing Search results.

Figure 46 Search Results Toolbar

Table 18 Search Results Tab Toolbar Elements

Element Description

Collapses and condenses the results display view.

Allows you to view selected message in relation to all others in your Index Search results. For details, see Viewing Index Search Results In Context on page 71.

Create a new log message pattern with the selected message. Highlight a message in the Search Results and click the Create Message Pattern button. The Message Pattern Editor is displayed, which can be used to select a particular message from a particular device and then create a pattern based on the parameters of that message for use in further searches. For detailed instructions, see online help tutorial or Creating Message Signatures chapter in the LogLogic Administration Guide.

Clip Selected message(s)

From the drop-down menu use the default clipboard, a saved clipboard, or create a new clipboard to save results.

Saves the results. You can choose to Save or Save as from the drop-down menu to save your results. You can update your saved results using the Save as option, see Saving Search Results on page 71.

Number of Indexed Pages

Get the total number of indexed messages on the indexed search results. This is particularly useful for large volumes of log messages as it lets you go through matched messages one page at a time. To page through the results, click the next arrow; to return to the previous page click the previous page arrow. You can also return to the first page or go to the last page by clicking on the first and last page arrows accordingly. The total results number is automatically updated when you select the Show Timeline graphical view.

Displays context-sensitive help.

70 User Guide


Viewing Index Search Results In Context

When analyzing log events, you can select a particular message and see the log messages that immediately preceded or followed the message from your search results.

Note: The In Context tab appears only after the first time you click the icon in the search results toolbar.

To view a particular log message in context

1. On the Search Results tab, select the message that you want to view and then select the icon.The In Context tab appears (next to the Clipboard tab) and the message you selected is immediately displayed in the Search Results tab.

2. By scrolling down on the page, the affected log message is highlighted in blue to show its relationship to the log messages that preceded this condition as well as those that occurred after this message.

3. Click the appropriate button to save the report. You can choose to save results in CSV, PDF, or HTML format.

Figure 47 Viewing a Log Message in Context

Saving Search Results

You can download Index Search results to view immediately or save them in CSV, PDF or HTML formats. These buttons are located on the left side of the Save button. After few moments, the report in your chosen format will appear.

User Guide 71


Table 19 Save Search Results

To save search results report

1. Click Save As option from the icon drop-down menu to save the report. You can update the saved report by using the Save option. The Save As Report window appears.

Figure 48 Search Report – Save As menu

2. Enter the name and description of the report in the Name and Description fields respectively. The Name field is a mandatory field.

3. Select the Suite option from the drop-down menu.

4. Select the Share? checkbox if you want to share the report.

5. Select the desired print option. For Grouped Search, the options are: Print Summary Report or Print Detailed Report.

6. Click Save to save the results.

Output Description

CSV Use Microsoft Excel or other spreadsheet program to display index search results in a spreadsheet. By default, search results are written to SearchExpressionHits.csv and saved on the desktop.

PDF Use Adobe Acrobat Reader to display the Index Search results. By default, search results are written to report.pdf and saved on the desktop. The first page incudes a table of contents with links to the query used for the Index Search and the results table.

HTML Opens a new tab in your Web browser and immediately displays HTML Index Search results as a LogLogic report. The HTML results include a table of contents with links to the query used for the Index Search and the results table. By default, the downloaded results are saved as LogLogicReport.zip in a temp folder on the local drive. You can use your own company logo on the report, see the General tab under System Settings.

72 User Guide


Viewing Trends

After running index searches, you can use the View menu to view search results graphically using the timeline option. The trend output you see is based on your chosen time range and chosen devices referenced by the Index Search and always includes only the messages and devices for that distribution.

The trend feature can be a powerful tool during your analysis of certain events and lets you see trends for certain activities by Time and Device.

Each option lets you view timeline data in either bar chart or line chart format. These charts show:

the time or device on the x-axis

the total number of messages on the y-axis

The procedure for viewing trends over time and by device is the same.

To view trends over time

1. Click the View drop-down menu and then select the Show Timeline checkbox.

A timeline chart displays below the search text box. You can immediately see the distribution of messages over time and begin to get a sense of trends in the timeline chart.

By hovering the mouse over an affected bar, you can get the total number of messages matching your search expression at that particular point in time.

Figure 49 View Menu – Viewing Trends by the Timeline Bar Chart

For example, in Figure 49 you can see that 39 log message instances at 11:30 in the morning. The scale on the x-axis shows the total number of messages while the y-axis shows the time distribution of those instances.

Figure 50 Zooming In to the Timeline Bar Chart

User Guide 73


2. To zoom in on a particular area of interest, press and hold the left mouse button and drag over the area of interest.

This refreshes the timeline view to show the zoom area in more detail.

Figure 51 Timeline Detail

3. To return to the original view, click Zoom Out.

4. To view the same search in line format, select Chart Type > Line Chart from the View menu.

This displays the results in a line chart format. From this view, you can see spikes in the number of messages that match the keyword “login”.

Figure 52 Viewing Trends by the Timeline Line Chart

Similarly, to view the same index search by log source, select View By > Device from the View menu.

Using the Search History Tab

Each time you run an index search, your search criteria are automatically saved on the Search History tab. The Search History tab includes:

Only those index searches with valid search criteria.

User-specific index searches, which can be shared when saved as a search filter.

Most recent searches on the top of the list

You can configure the search entries displayed (rows/page) on the Search History tab through the admin > Your LogApp Account tab (see Viewing Your LogApp Account on page 185).

74 User Guide


Saving an Index Search as a Filter

While search histories are user-specific, you can save an Index Search as a search filter. You can use these saved search filters yourself or you can share these saved search filters with other users of the Appliance.

To save an index search as a search filter

1. Click Search History to see the history of Index Searches.

2. Select the saved index search message and then click the button. The Save As Filter dialog box is displayed.

3. Enter a name, description and expression for the filter.

The filter name and description helps you and other users to quickly understand the type of information that generates when running this Index Search.

4. If you want to share this filter with other users, click the Shared with other users checkbox.

5. Click Add.

Figure 53 Index Search–Search History

The index search is saved as a filter. You can use the filter in two places:

Search > Index Search > Search Filters tab

Search > All Search Filters tab

Running a Previously Saved Search Expression

Since your index searches are automatically saved for you on the Search History tab, you can browse through these previously saved sets of search criteria and run them again.

To run a previously saved index search

From the Search History tab, select the saved Index Search that you want to run and then click .

User Guide 75


Using the Search Filters Tab

The Search Filters tab lists all saved search filters created on the Search History tab. The Search Filters tab includes the button in the toolbar making it convenient to run a previously saved search filter.

The Search Filters tab organizes search filters by their name and displays the search expression used for the search filter in the Expression column.

Note: All of your saved search filters show up on the Search Filters tab and on the Index Report tab.

To view or use a previously saved index search filter

1. Select the filter from the table and then click .

This copies the search expression and enters it in the search expression text box.

2. Press Enter to run the search filter.

This loads all the results of the search on the Search Results tab.

Using the Clipboard Tab

The Index Search Clipboard is an important tool for investigating and troubleshooting log events. For example, during your analysis of a certain event, you might find an item of interest in one or more log messages. Once identified, you can create a Clipboard and copy and paste the affected log message(s) onto the Clipboard.

You can create several clipboards until you have found everything you need to help you with your analysis as you drill down on the details. After saving clipped messages to the clipboard, you can view them on Clipboard tab and on the Search Results tab.

The Clipboard tab provides a toolbar with several options for using clipped messages. These options include:

- Adds a new clipboard

- Deletes one or more clipped messages

- Allows you view or edit the clipped message

Adding a New Clipboard

You can add a clipboard from:

the Search Results page

the Clipboard tab

Note: You can add up to 1,000 messages to a Clipboard. Each user is able to create up to 100 Clipboards.

The procedures are essentially the same for adding a new Clipboard. The next procedure shows how to add a Clipboard from the Search Results tab.

76 User Guide


To add a new Clipboard from the Search Results tab

1. On the Search Results tab, select messages to add to the clipboard from the search results.

To select more than one message to add to the Clipboard, hold the Shift key as you click on each message.

2. From the Clip selected message(s) drop-down menu, select New Clipboard.

The Add Clipboard dialog box opens.

3. Enter a name for clipboard in the Name field.

If you enter an existing clipboard name, the messages are added to that existing clipboard.

4. Add a description for the clipped message in the Annotate field and click Add.

Figure 54 Add Clipboard Dialog Box

The clipboard is added to the Clipboard tab and it is also available from the Search Results tab. You can go back and view or edit the clipped message(s) later on to allow for more analysis.

Viewing or Editing Clipped Messages

After saving clipped messages and annotating them, you can view or edit clipboards on the Clipboard tab.

To view or edit clipped messages

1. On the Clipboard tab, select the clipboard that you want to view or edit and click .

The Edit Clipboard dialog box appears. You can change the following:

the Name of the clipped message

the Annotation for the clipped message

remove one or more clipped log messages

User Guide 77


Figure 55 Edit Clipboard Message

2. Modify the Name, Annotation, or remove log messages and click Update.

Deleting Clipped Messages

You can manage the clipboard table by deleting unwanted clipped messages.

To delete a clipped message

1. On the Clipboard tab, select the Clipboard you want to delete and click .

2. To delete more than one clipped message, hold down the shift key and select the messages you want to delete and then click .

The selected messages are deleted from the Clipboard tab.

78 User Guide

Searching Collected Log Messages : Tag-Based Searches Using the Tag Picker Interface

Tag-Based Searches Using the Tag Picker InterfaceYou may use the new Tag Picker Interface to access saved search terms in order to quickly run an updated Index Report.

To update an Index Report using the Tag Picker Interface

1. Access the Index Search page by going to home: Search > Index Search. Click the arrow below the text box labeled “Enter your search expression... “. The Tag Picker Interface opens.

Figure 56 Tag Picker Interface

2. Select an Event Type and left-click. The selected Event Type appears in the Enter your search expression... text box.

Figure 57 Event Type Added to Search Expression Text Box

3. Add a Boolean operator (AND) to the search expression, and left-click a saved Field Tag. The selected Field Tag appears after the Boolean operator in the Search Expression text box.

Figure 58 Field Tag Added to Search Expression Text Box

4. Add a wild card (*) to recall all saved Field Tags with that name. Click Run.

Note: You can specify special characters such as spaces, forward-slashes (/) etc. inside the quotes for Field Tags. For example: Identity: “John Smith”; Domain: “domain name / JOHN SMITH”.

User Guide 79

Searching Collected Log Messages : Tag-Based Searches Using the Tag Picker Interface

Figure 59 Tag-Based Search Results

5. Select View and display the Bar Chart for the search expression.

6. Compare with the previous saved Index Search results for this expression.

80 User Guide

Searching Collected Log Messages : Using Regular Expression Search

Using Regular Expression SearchUse the RegEx Search Filter tab to find specific types of data based on search expressions and time intervals you define. RegEx Search provides more powerful search filter options than Index Search, though RegEx Search can take longer to process and is less interactive.

Figure 60 Regular Expression Search

To specify parameters for a new search

1. Select Search > Regular Expression Search from the navigation menu.

2. (Management Station only) Select the Appliance (or All Appliances) on which to run the search.

3. Select the Device Type.

User Guide 81


4. Select the Source Device, or all devices, connected to the Appliance.

To view Global groups created on this Management Station, you must select All Appliances under Appliance.

5. Specify the Time Interval which to search for data passing through your Appliance.

6. Define your Search Filter. Select one of these options and specify any needed parameters.

Retrieve All—Use to retrieve all log files collected during a specified time interval regardless of the defined search expression parameters.

Pre-Defined—Select a pre-defined search expression (defined in/by search filters). All search filters you create appear in the drop-down menu as a pre-defined search expression. If the selected filter includes multiple parameter fields, a text field for each appears. The maximum length for each field is 25 characters.

Use Words—Use a specific word(s) as a search parameter.

Use Exact Phrase—Use an exact phrase as a search parameter.

Regular Expression—Use a regular expression as a search parameter.

For more information about modifying or creating search expressions, see Using Search Filters on page 84.

7. Specify the Time Interval to search for data passing through your Appliance.

8. Set a time for the search; do one of the following:

Select the Schedule Search to Run Immediately checkbox to start your search of archived data immediately

Select a time to start the search of archived data. If the selected time is in the past, the search runs immediately. This search is useful if you know exactly which data source you want to search and do not need to search a time interval.

9. Enter a Search Name for the search.

10. To generate the report, click .

Note: Concurrent Regular Expression Searches, apply only for Appliance models above the 1000 series. You can select the number of concurrent searches to perform. The default is one, but you can choose to perform two searches concurrently.

To generate a previously saved report

1. Select Search > Regular Expression Search from the navigation menu.

2. In the RegEx Search Filter tab, select the report from the Saved Custom Report drop-down menu.

To generate the report, click .

To export the report data to a file in CSV format, click .

To save a Custom Report

After specifying the parameters for your report, save the report:

1. Click to expand the Save Custom Report section.

2. Type a name for your report and provide a brief description.

82 User Guide


3. If you do not plan to share the report with other users logging in to the Appliance, uncheck the Share with Other Users checkbox. By default, this checkbox is selected.

4. If packages are present on the Appliance, the Add Report to Package drop-down menu is visible letting you select a package in which to include this report.

5. Click to save your changes.

Viewing Pending and Running Searches

The Pending Searches tab regularly refreshes to list all the pending and currently running RegEx searches on the Appliance. To force a refresh, click the tab name.

Viewing Running Searches

To view a list of all the searches that are currently running, see the Currently Running Searches table in the Pending Searches tab.

For each running search, this table lists the search schedule, timespan, name, owner, Regular Expression, and the approximate number of files processed, the total number to search, and the percentage completed.

To suspend a running search, check its checkbox and click . A suspended search stops processing; its partial results until that point appear in the Finished Searches tab.

Figure 61 Running and Pending RegEx Searches

Viewing Pending Searches

To view a list of all the searches that are scheduled to run, see the Currently Pending Searches table in the Pending Searches tab.

User Guide 83

Searching Collected Log Messages : Using Search Filters

For each pending search, this table lists the priority for the search, its schedule, timespan, name, owner, Regular Expression, and an estimate of the number of files to search.

To remove a pending search from the queue, check its checkbox and click . There is no confirmation prompt for removing a pending search.

To add a new RegEx search to the queue, click . The RegEx Search tab appears.

Viewing RegEx Search Results

You can view pending, running, or finished searches in the Finished Searches or Pending Searches tabs under Search > Regular Expression Search. To force a refresh of the tab and view the latest finished searches, click the tab name.

Viewing Finished Searches

To view the search results for any searches that have completed, click the number of matches for the report in the Finished Searches tab list.

Figure 62 Finished RegEx Searches

To view the search results for a particular search, click its number of Matches.

To view or download the search results in HTML, PDF, or CSV, click the format extension in the Download Size column. (Clicking the size number downloads the results as a CSV file.)

To delete a past search from the Appliance, select its checkbox and click .

Using Search FiltersSearch filters are user-created filters (saved search patterns) that can be used in:

Alerts

Real-Time Viewer

Index Search

RegEx Search

Index Reports

You can also filter your results using the Find field. Enter the keywords in the Find field to view the filtered results based on your search keywords. You can filter results based on all columns.

84 User Guide


The All Search Filters page lists all search filters:

You created in the Add Search Filter page

You created and saved from the Index Search History tab (see Saving an Index Search as a Filter on page 75)

Available to you, including shareable filters created or owned by other users

The examples that follows assumes starting with a clean slate - a newly installed Appliance with no search filters in place.

Adding a Search Filter

To add a search filter for complex pattern matching, use the Add Search Filter page.

To add a search filter

1. Select Search > All Search Filters from the navigation menu.

2. Click .

3. Type a name for your new search filter.

4. Sharing - Read Only is the default setting for a new search filter; other users of this Appliance may see and use the new search filter. Set the radio button to No to prevent others from seeing and using the new search filter. Set the radio button to Read Write to allow others to see and modify the new search filter.

5. Type a brief description of the new search filter.

This description helps you remember what the filter is for, and describes it to other users if you shared the filter.

6. Select a search filter option and enter the search filter criteria (see Search Filter Options below).

For this example we will select the following option and a single filter criterion:

a. Select the radio button Use Exact Phrase.

b. Enter $username in the Use Exact Phrase text field.

7. Click .

User Guide 85


Figure 63 Adding a Search Filter - Steps 3 - 7

Note: When adding the very first Search Filter to the Appliance, you may see the message “There is no Search Filter defined in the system” immediately after clicking Add. Refresh the Appliance memory by clicking Regular Expression Search in the navigation menu; then click Search Filters in the menu, and your new Search Filter will appear in the list.

Search Filter Options

There are four types of search expressions you can use when adding a search filter.

Note: Custom reports allow whichever filter types apply to the custom report’s contents. For example, a custom report saved from an Index Search allows Boolean search filters. When creating a search filter to be used for index search/index report, make sure to choose the Boolean expression as filter type.

Use Words

Type a word as your search criteria. If you type more than one word, you can use the AND/OR drop-down menu.

Table 20 Search Filter Comparison

Filter Type Search Criteria Use Pre-Defined RegEx Filters

Where Filter Is Used

Use Words A word, or two words with AND/OR

Yes RegEx Search, Alerts, Real-Time Viewer

Use Exact Phrase A phrase Yes RegEx Search, Alerts, Real-Time Viewer

Regular Expression

Regular expression Yes RegEx Search, Alerts, Real-Time Viewer

Boolean Expression

Keyword search using Boolean expressions

No Index Search and Index Report

86 User Guide


To specify any string of characters, use wildcards (*). For example, RADI*UDP would match the RADIUS opened UDP handle string.

Use Exact Phrase

Type a phrase as your search criteria. The Appliance searches for strings including the phrase you specify.

To specify any string of characters, use wildcards (*). For example, RADI*UDP would match the RADIUS opened UDP handle string.

You can also define a parameter field using $fieldname. For example, $username $zipcode $phone displays text entry fields when you select the search filter in the RegEx Search tab. Field names with spaces in them display only the first word in the RegEx Search tab. For more information, see Adding Additional Parameters to a Pre-Defined Regular Expression Search Filter on page 91.

Regular Expression

Type a regular expression as your search criteria; that is, a single character, a string of characters, or a string of numbers. A regular expression (RegEx) is a pattern that is matched against a subject string from left to right. Most characters stand for themselves in a pattern and match the corresponding characters in the subject.

The power of regular expressions comes from the ability to include alternatives and repetitions in the pattern. These are encoded in the pattern by use of metacharacters which, instead of standing for themselves, are interpreted in a special way.

Note: Avoid using a regular expression when a non-regular expression alternative is available. Regular expressions are almost always less effective and more error prone than non-regular expressions. For instance, instead of using the regular expression ^[^:]*://.*\.loglogic\.com/.*$” you should write url.domain=loglogic.com.

You can use a wildcard symbol (*) for searches. Using a wildcard for RegEx searches means the * matches the preceding element zero or more times.

Once you add a regular expression, the values you enter are stored as parameters in the database. To use this regular expression with alerts, Real-Time Viewer, or RegEx Search, select the Pre-Defined radio button.

If you are creating a search filter for an alert, the search filter must be a RegEx expression.

Boolean Expression

Type a keyword search that uses Boolean operators such as AND, OR, or NOT. For example:

“Portmapped translation built for gaddr” and NOT 155.363.777.53

This searches indexed data only. Indexing increases performance when searching unparsed data. It is most effective when used to find a rare occurrence of a string.

In addition to entering a keyword, you can also type:

Numbers and words which are three or more characters

Terms under three characters, preceded by =. For example, for terms such as user=a or priority=7 the a and 7 are indexed.

User Guide 87


The Boolean Expression field is visible only if you enable Full Text Indexing from the General Settings tab. You cannot use Advanced Options with Boolean Search.

Your Boolean expression should be no longer than 1024 characters in length.

For more on using Boolean search strings, see the Search Strings topic in the Online Help.

Putting Your Logins Search Filter to Work

Complete the following steps to start using your Logins search filter:

1. Select Regular Expression Search from the navigation menu.

2. On the RegExEx Search Filter tab that appears, select the Pre-Defined radio button.

3. In the Pre-Defined text field (Select Expression), click the drop-down menu arrow, select Logins search, and click on the filter name. The filter form reloads and now displays “Logins search” in the Pre-Defined text field (see Figure 64, below).

88 User Guide


Figure 64 Adding a Pre-Defined Search Filter to RegEx Search Filter

User Guide 89


Note that because you specified the parameter $username in the Use Exact Phrase text field when you defined your Logins search filter, the Appliance has opened a new text box next to username in which you may further define the type of user to search for.

4. Enter “admin” in the username text field to search for that class of user alone, or enter the wildcard * to search for logins from all users.

5. Select a Start Time to run your Logins search (immediately in this example).

6. Enter a name for your search in the Search Name text field.

7. Click the Save Custom Report menu expansion arrow and enter a Report Name and Report Description, and select whether to Share with Others.

8. Click Save Report.

9. Click Run.

Figure 65 Report of Logins by username admin t

10. Click the number of matches to see the detailed report of the logins by username admin.

Figure 66 Detailed Report of Logins by username admin

90 User Guide


Adding Additional Parameters to a Pre-Defined Regular Expression Search Filter

As shown above, when creating a pre-defined search filter, you can define a parameter field using the expression $fieldname. The value you enter in the parameter replaces $field. In our example, we chose $username as our expression, and typed admin into the User Name field. This caused the regular expression search to return admin users wherever $username was specified.

The maximum length for each $field is 25 characters. Regular expressions can be up to 255 characters in length.

This feature applies only to the Use Exact Phrase search filter and Regular Expression search.

Creating a Multi-Parameter Pre-Defined Regular Expression Search Filter

In the following example we will build on our single-parameter Logins search filter by adding two additional parameters: $zipcode and $phone.

1. Create a new pre-defined search filter exactly as the example Logins search filter we created above, except this time type $username $zipcode $phone in the Use Exact Phrase field.

2. Name your new search filter “Multi-parameter search” and click Add.

Figure 67 Add Multi-parameter Search Filter

User Guide 91


Note: This time the new search filter appeared immediately after clicking Add, and both search filters are displayed in the list.

3. Select Search > Regular Expression Search, and select the Pre-Defined radio button; then select the pre-defined search filter that you just created (Multi-parameter search) from the drop-down menu.

4. The new form reloads, displaying each text field that corresponds to each new $field (search parameter) you will define for this new search filter. The maximum length for each $field is 25 characters.

5. Click Save Custom Report at the bottom of the form, and enter a report name and description.

6. Click Save Report.

7. Type $username $zipcode $phone in the Use Exact Phrase field.

92 User Guide


Figure 68 Add Parameters to Multi-parameter Search Filter

In this example we typed $username $zipcode $phone in the Use Exact Phrase field. The Appliance generated a text field in the search form for the part after the $. We typed admin in the username field, and used the wildcard * in the zipcode and phone fields to return the maximum number of user logins.

We elected to Save Custom Report, and named it Multi-parameter search, and we selected Schedule to run immediately for the Hourly Period: Last 24 Hours. See the results of our multi-parameter search filter query in Figure 69.

User Guide 93


The detailed Multi-parameter Search Report is revealed by clicking the number of matches returned by the search (see the arrow at the bottom of the top figure).

Note: You can define this parameter for the Use Exact Phrase or Regular Expression fields from the Add or Modify page for any search filter.

Figure 69 Multi-parameter Search Filter Results and Report

8. Click the Finished Searches tab to see the results of the Parameter Search.

Modifying a Search Filter

In the second example above we created a new search filter and added two more search parameters: $zipcode and $phone. As an alternative, we could have modified the first search filter we created, “Logins by username admin”. In the example below, you will see how to modify an existing search filter (assuming you no longer want to retain the original filter configuration).

94 User Guide


To modify an existing search filter

1. Select Search > Search Filters from the navigation menu.

2. Click on the name of the filter you want to change.

The Modify Search Filter tab appears with the same options as Adding a Search Filter on page 85.

3. Modify the search filter name, description, filter options and criteria, or sharing with other users as needed.

Now we think that IP address would be more valuable to us than zipcode and phone, so we elect to modify our multi-parameter search filter to suit our new needs. We could also simply delete the filter and create a new one.

4. Click to modify the search filter.

Figure 70 Modify Search Filter

Figure 71 New Multi-parameter Search Filter

5. Select Regular Expression Search from the navigation menu.

6. Click the Pre-Defined radio button on the RegEx Search Filter tab.

User Guide 95


7. Select Multi-parameter search from the drop-down menu in the Select Expression field (but do not enter search parameters until you complete Step 8 below).

8. Click the Save Report button at the bottom of the form and enter a new report name and description. Click Save Report.

9. Return to the search parameter text fields and enter your new parameters (username = admin, and ipaddress = wildcard *).

10. Click Run.

11. Click Finished Searches and then click the number of matches returned to see the results.

Figure 72 New Multi-parameter Search Results

96 User Guide

Searching Collected Log Messages : Viewing All Saved Index Searches

Viewing All Saved Index SearchesThe All Saved Searches screen displays a list of all saved searches for specific types of data based on search expressions and time intervals you have defined and saved in the past. All saved searches and types, such as Index Search, RegEx Search, Index Report, etc., that are stored in the system are visible on this page.

Figure 73 All Saved Index Searches

Click the Run icon and regenerate the report with a different time range, or click the Edit icon and change the saved report parameters before rerunning the report. You can also filter the list of saved reports displayed by title by typing a key word from the report title in the Find field and pressing Enter. The key word or words will be highlighted in the resulting list. To restore the full list of saved reports, clear the Find field and press Enter again.

You can also create reports from this page by clicking the down-arrow in the Create Report button and selecting among Index Search, Regular Expression Search, and Real Time Viewer.

For more information on Index Search, see Using Index Search on page 61.

For more information on Regular Expression Search, see Using Regular Expression Search on page 81.

For more information on Real Time Viewer, see Viewing Real Time Log Messages on page 51.

User Guide 97

Searching Collected Log Messages : Using and Creating All Index Reports

Using and Creating All Index ReportsUse the All Index Reports screen to view a list of all saved searches for specific types of data based on search expressions and time intervals you defined. You can use these results to verify information found in your reports.

The results provide the number of hits for each selected search filter, which you can view in a table or a graphical chart. From the table, you can drill down to view the specific hits for a filter in detail similar to Index Search results.

To create an Index Report

1. From Search menu, select All Index Reports submenu.

2. Click Create Report to open the Properties window.

Figure 74 Create Report – All Index Reports

3. Select log sources from the right-hand pane. You can select sources by Appliance, and filter returns by Name, IP Address, Group or Type.

4. Click <<Add as a rule, and enter a name in the text field of the dynamic rule pop-up.

98 User Guide


Figure 75 Select Log Sources – Add as a Rule

Figure 76 Enter Name of Dynamic Rule

5. Click OK to add the selected source and filters to the left-hand pane.

6. On the right-hand pane select a device name (or names) from the list by clicking its name.

7. Click <<Add selected log sources to add devices from the selected source to which you want to apply the filters when running the report.

User Guide 99


Figure 77 Add Selected Devices

8. Click Columns and Filters to select the columns for your report and choose filters for your results. Click in the field under the Value column and enter a term for the filter (such as login, id, etc.). Then click in the field under the Operator column and pick an operator from the drop-down.

Click Apply. The selected operator and value will move to the left-hand column.

Figure 78 Apply Columns and Filters

8. Click Index Report Search Selections to select from the available expressions to be used in the report. If none are available, click New Expression... to add a new Boolean search expression for use in any Index Report.

100 User Guide


Figure 79 Add New Boolean Expression

9. In the Add Search Expression... popup that appears, enter Name, Description, Expression, and then click Sharing to define whether others can use or modify the new filter. Click Save.

Figure 80 Add Search Expression

10. Place a checkmark next to the new search expression and click << Apply Selections to add them to the left-hand pane for use in filtering your report. Then click Save As.

User Guide 101


Figure 81 Apply Filter Selections

11. Enter a name and description of the report in the pop-up. Select Share with others if desired. Click Save & Close. The new report will appear in the list of all saved Index Reports.

Figure 82 Name and Save the Report

102 User Guide


Figure 83 Report Saved

12. Click in the Name field and enter a term to search for entries in the Saved Reports list. Hit Enter. Any term found in the list of report titles will be highlighted; all other reports not containing the search term will no longer show in the list of Saved Reports. Clear the search term in the Name field and hit Enter to see all Saved Reports again.

Figure 84 Filter by Name

13. Click the Run icon in the Actions column. The Date and Time Range Picker pops up, with Last Hour as the default setting. Click the down arrow next to Last Hour to reveal several other options (Last 2, 3, 6 12 18 or 24 Hours; Today; Yesterday). Select the timeframe from the Date and Time Range Picker, and click Run again to execute the report.

Figure 85 Date and Time Range Picker

User Guide 103


On the results page, click Display Chart. Both Pie and Bar charts are available. The chart segments can be highlighted by mousing over them. Right-clicking on the chart or segments opens a print menu.

104 User Guide

Creating and Managing Alerts : Viewing and Handling Alerts

CHAPTER 5:

Creating and Managing Alerts

Alerts notify you of any unusual traffic on the network or detect anomalies on log sources or the LogLogic Appliance itself.

You can create alerts specific to your monitoring needs, and use alerts that come pre-configured with Compliance Suites or Log Source Packages. You can also update existing alerts or remove them as needed.

For any alert, you can designate alert trap receivers as well as email recipients so people can receive notification of alerts via email.

Contents

Viewing and Handling Alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Managing Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Adding a New Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Modifying or Removing An Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Viewing and Handling AlertsThe Show Triggered Alerts page lists events triggered by rules defined for this Appliance to monitor and report on. The Show Triggered Alerts page lets you:

view all alerts

filter shown alerts by alert category, priority, alert type, and keywords

view all system alerts only, regardless of priority

change the alert category to Acknowledged

delete the alerts permanently

(MA or Management Station only) view alerts on a specific managed Appliance or on all managed Appliances

Note: When the Data Privacy mode is enabled, these types of alerts will not be displayed on Show Triggered Alerts page: VPN Connection Alert, VPN Statistic Alert, VPN Message Alert, Pre-defined Search Filter Alert, Cisco PIX/ASA Messages Alert, and Network Policy Alert. For more information on Data Privacy mode, see Managing System Settings chapter in the LogLogic Administration Guide.

When an alert is triggered, Alert Viewer shows the alert category as New.

To filter and view alerts

1. Choose Alerts > Show Triggered Alerts from the home page.

The Show Triggered Alerts page is displayed. (See Figure 86 on page 106.)

User Guide 105

Creating and Managing Alerts : Viewing and Handling Alerts

2. Select the type of alerts to display from the Show drop-down menu.

All States shows all alerts in all categories.

New or Acknowledged Alerts shows only alerts in the selected category.

3. Select the alert priority to view from the second drop-down menu. The options are: All Priorities, High, Medium, Low, and All System Alerts. To view all system alerts regardless of priority, select All System Alerts.

4. Select the type of alert from the third drop-down menu. To view all types of alerts, select All Types.

5. (MA or Management Station only) Select the Appliance from which to view triggered alerts. To aggregate alerts from all managed Appliances into a single list, select All.

6. To filter using the keywords, enter the keywords in the Find field and press Enter. To search based on Priority and Type, select the respective drop-down menus. For the remaining columns, enter the keyword in the Find field to filter the list. The filtered results will be displayed.

Figure 86 Show Triggered Alerts Page

The Show Triggered Alerts page displays the specified alerts with the following details:

Table 21 Alert Details

Element Description

Time Time the alert triggered.

Source IP Source IP address contained in the syslog message. If an alert is for multiple devices, Device Group is shown as the Source IP.

Priority The priority of the alert. An alert's priority is specified in the Manage Alerts tab.

Type The Log Appliance alert type. For a list of alert types, see Viewing and Handling Alerts on page 105.

Alert Destination Email addresses, trap receivers, or syslog receiver where notifications were sent when the alert triggered.

106 User Guide

Creating and Managing Alerts : Managing Alerts

To page through and move alerts

To page through multiple results to your query:

Use the navigation buttons to go to the first, previous, next, or last page, respectively

Type the page number and click to view the results on a specific page

To acknowledge or remove alerts:

To move alerts to the Acknowledged category, select their checkboxes and click .

To delete selected alerts, select their checkboxes and click .

To delete all alerts permanently, regardless of priority, click .

Tip: Move an alert to the Acknowledged category once you have been notified of the alert. Remove an alert once the cause of the alert is corrected.

Managing AlertsManage Alert Rules lets you define rules to detect unusual traffic on your network or detect Appliance system anomalies. You can add, modify, or remove alerts. You can configure alerts to generate SNMP events and/or send an email notification when the alert rule is triggered. Each Appliance includes a default set of alerts. You can modify these alerts and add to them as needed. You do not need to set up an SNMP server for the default alerts.

Note: Users with Administrator privileges can modify or delete any Alert. If you do not have Administrator privileges, you can modify or delete only the Alerts you have created.

Figure 87 Manage Alert Rules

User Guide 107

Creating and Managing Alerts : Managing Alerts

108 User Guide

The Manage Alert Rules page displays the following details:

Preconfigured System Alerts

System Alerts notify you when system health and status criteria exceed acceptable bounds. All LogLogic Appliances include several system alerts that are preconfigured and enabled. By default, these alerts have:

Email notifications are sent to the Appliance admin user

Priority set to high

Default reset time of 300 seconds, except:

TCP Forward Falling Behind alert has a default reset time of 3600 seconds

License Monitoring alert has a default reset time of 86400 seconds

All these alert settings can be customized as needed.

Table 22 Manage Alert Rules Details

Element Description

Find Filter using the keywords. Enter the keywords in the Find field and press Enter.

Name Name of the alert.

Type Type of the alert.

Priority The defined priority of the alert.

Enabled Indicates whether the alert is active:

—You must assign a User and Alert Receiver for this alert.

—You must assign a Device for this alert.

Description Description of the alert.

Table 23 Preconfigured System Alerts

Alert Description Default

System Alert - CPU Temperature

The temperature of the Appliance CPU has exceeded the specified High Threshold

70 degrees celsius

System Alert - Disk Usage

The usage of the specified drive on the Appliance has exceeded the specified High Threshold

90%

System Alert - Dropped Message

The number of messages dropped by the Appliance has exceeded the specified High Threshold

10 msg/sec

System Alert - Fail Over * A failover has occurred on the Appliance n.a.

System Alert - License Monitoring

Monitors log source and disk space usage only when the license is installed. You cannot remove or create new alert of this type. However, you can enable or disable this alert.

System Alert - Migration Complete *

A data migration involving the Appliance is successfully complete

n.a.

System Alert - Network Connection Speed

The speed of the network connection for the Appliance has dropped below the specified Low Threshold

10-Half

System Alert - Network Interface

A problem occurred with the Appliance network interface

n.a.

* Indicates System Alert not available on MA product family Appliances.

Creating and Managing Alerts : Adding a New Alert

Adding a New AlertAdding an alert to the Appliance involves selecting the type of alert, enabling the alert, specifying the log sources to monitor, and specifying alert recipients (SNMP traps and email user IDs).

Modifying an alert lets you change the same options available here for adding an alert.

IMPORTANT! When setting up an alert, do not pick search expressions with variables in them. Doing so treats variables as having a literal meaning.

To add an alert

1. Choose Alerts > Manage Alert Rules from the navigation menu.

The Manage Alert Rules page appears.

2. Click . The Manage Alert Rules Type tab appears.

Figure 88 Manage Alert Rules Type Tab

System Alert - RAID Disk Failure

A failure occurred on an Appliance RAID disk n.a.

System Alert - Synchronization Failure *

A failure occurred during log data synchronization on the Appliance

n.a.

Table 23 Preconfigured System Alerts (Continued)

Alert Description Default

* Indicates System Alert not available on MA product family Appliances.

User Guide 109


3. In the Type tab, select an alert type.

Once you select an alert type, the General tab for that alert type automatically appears. The Devices, Alert Receivers, and Email Recipients tabs are enabled.

Table 24 Alert Types

Alert Type Triggered when...

Adaptive Baseline Alert

The messages/second rate rises above, or falls below, the nominal rate for the traffic.

Note: A baseline is established after 1 week from the alert activation time. After the baseline is established, the baseline is adjusted every 15 minutes. The new value is averaged in with past baseline.

Cisco PIX/ASA Messages Alert

The messages/second rate for a specific PIX/ASA message code is above or below specified rates.

Message Volume Alert The messages/second rate is above or below specified rates. If the user sets the “Zero Message Alert” checkbox, an alert is triggered only if zero messages are received within the timespan set.

Network Policy Alert * A network policy message is received with an Accept or Deny Policy Action.

The Appliance automatically pulls Check Point firewall rule bases via the Check Point Management Interface (CPMI), but you still must manually enter rules for a Network Policy Alert in the Rules tab.

Parsed Data Alert Parsed data meets certain conditions specified for the alert.

Parsed Data alerts are different from other alert types; they are based on Pre-defined Search Filter alerts. See Parsed Data Alerts on page 112.

Pre-defined Search Filter Alert

A text search filter matches message fields. This uses one of the Appliance's saved RegEx Search Filters.

Ratio Based Alert The specified message count is above or below a specified percentage of total messages. For example, “Login Success message count is fewer than 10% of total messages.”

The Appliance checks for any conditions that would trigger a Ratio Based Alert every 60 seconds.

System Alert ** An Appliance system criteria is exceeded. For example, “Disk usage exceeds 80%”.

By default, System Alerts are prioritized as high. You can change their settings to medium or low if needed.

VPN Connections Alert

A VPN connection is denied access and/or disconnected.

The VPN Connections Alert is only applicable to Check Point VPN, Cisco VPN, Nortel VPN, and RADIUS Accounting device types.

VPN Messages Alert Combinations of specific VPN message area, severity, and code. This alert is applicable to Cisco VPN devices.

VPN Statistics Alert Recorded statistics on VPN or Radius messages match relative or absolute criteria. This alert is applicable to Check Point VPN, Cisco VPN, Nortel VPN, and RADIUS Accounting device types.

* The Rules tab appears for Network Policy Alerts, and is accessible only after the new alert is initially saved.** System Alerts do not have a Devices tab.

110 User Guide


Note: System Alert is the only type of alert that can be created on an MA Appliance. For the ST Appliance, an Adaptive Baseline Alert, a Message Volume Alert, and a Pre-defined Search Filter Alert can be created, along with a new System Alert. The LX Appliance can create all types of Alerts.

Tip: The Pre-defined Search Filter is disabled if there are no search filters defined on the Appliance. To create a Pre-defined Search Filter, use Search Filters to add the filter. A search filter for an alert can contain a RegEx expression only.

4. Set up the alert in the General tab.

Options on the General tab vary depending on the alert type. For a complete list of options for a specific alert type, see the Online Help for that alert type. These steps include typical options:

a. Enter a Name for the alert.

b. Set the alert Priority. (High is the default.)

c. Select to Enable the alert. This enables the alert once you click .

d. Place a check in the Enable View Alert Detail from Email checkbox to provide additional alert detail in email.

e. (Optional) Enter a specific SNMP OID to further define the alert.

For example, this is helpful to define so your administrator/receiver knows that all alerts triggered with this SNMP OID originates from a specific device and alert.

f. Enter a Description for the alert.

Tip: Enter a name and description unique enough to easily identify the alert in a large list.

g. Select the Enable Schedule checkbox to specify the time period for scheduling the alerts. Select the appropriate Time and Day box to specify the schedule. The selected box turns blue. To remove any particular time slot, click on the blue box.

5. Specify log sources for the alert in the Devices tab.

All the log sources on the Appliance are listed in Available Devices. When you move a device to the Selected Devices section, the alerts you configure are activated for those devices. You can define different alerts for different devices.

Select the Track all devices individually checkbox to generate independent alert messages for each selected device. The reset time tracks for the group as a whole and you can change alert properties using one alert for the device group.

Note: When configuring any alerts (except for System Alerts) on logs transferred using LogLogic TCP, the alert reporting can be slightly less than real-time. Because LogLogic TCP sends data in chunks that the Appliance incrementally merges, an alert can appear anywhere between real-time and up to 5 minutes later. As a result, for example, Message Volume rates can be determined when averaging over a 5 minute or greater increment, but do not provide meaningful averages for smaller timespans. For Cisco PIX/ASA Messages alerts, the Timespan setting should be at least 1 second.

User Guide 111


6. Specify SNMP trap receivers for the alert in the Alert Receivers tab.

You can define alerts for both SNMP traps and users or for SNMP traps only. The Alert Receivers tab lists all the available traps and syslog for the Appliance. You must configure SNMP traps, syslog receivers, and/or add specific traps.For more information about Alert Receivers, see the LogLogic Administration Guide.

7. Specify people to receive alerts via email in the Email Recipients tab.

Note: Email messages that include an alert are limited to 1024 bytes. Any additional alert text is truncated in the email message.

You can define alerts for both users and SNMP traps or for users only. Available Users lists all the users available for the Appliance.

For more information about adding users, see the LogLogic Administration Guide.

8. Click to add the new alert to the Appliance.

Note: The Devices, Alert Receivers, and Email Recipients tabs list disabled log sources, receivers, or recipients marked as (disabled). Disabled entries are ignored during processing, but are listed in these tabs so they’re automatically present when enabled again (via the Manage Devices, Alerts > Alert Receivers, or Manage Users tabs, respectively).

Parsed Data Alerts

Parsed Data alerts are created differently from other alert types. There is no Parsed Data alert type to select in the interface; its creation is based on a Pre-defined Search Filter alert. The Filter specifies matching values that are extracted by the parser from the log messages.

To use Parsed Data alert, you need to know the name of the database table where parsed logs will be stored along with the column names. You can find the exact column names using the Management > Column Manager page to create the search filter for this alert type. For more information, see Managing Column Manager chapter in the LogLogic Administration Guide. When specifying the matching values, data type should be considered for the relevant table columns. For example, IP address must be a numeric type, i.e. 32-bit integer and not the string representation such as 169.1.1.1.

1. Create a Pre-defined Search Filter:

a. Name the filter.

b. For filter type, select Use Exact Phrase.

c. For the DB table, specify _table=. (Only one _table= entry is allowed.)

d. Specify columns and values to match as name/value pairs separated by columns. For example:

_table=Authentication,actionID=2,statusID=4

2. Create a Pre-defined Search Filter alert:

a. Name the Search Filter alert with a prefix _parsed_. For example, _parsed_Login Failure.

b. Select the Pre-defined Search Filter you created for this alert.

Usage notes:

112 User Guide

Creating and Managing Alerts : Modifying or Removing An Alert

Parsed data alerts apply only to messages from configured log sources.

Parsed data alerts apply only to the tables configured in the alert.

Do not configure the same alert for both real-time and pulled data files. Create separate alerts for each, with the same search expression.

Modifying or Removing An AlertYou can modify alert settings or remove alerts from the Manage Alert Rules page. The same tabs appear when you add an alert (see Adding a New Alert on page 109).

To edit, or remove an existing alert rule

1. Click the alert name in the Name column.

Figure 89 Access the Alert Rule

The General tab appears.

Figure 90 View or Edit the Settings for an Alert Rule

User Guide 113

Creating and Managing Alerts : Modifying or Removing An Alert

2. View the settings for the Alert Rule on the General tab, the Alert Receivers tab, and the Email Recipients tab. Change the settings and click Update or Cancel to retain.

3. To remove an existing alert, click the alert’s checkbox (see Figure 89) and then click . The Remove Alerts tab appears, where you can confirm or cancel the

removal.

114 User Guide

Generating Real-Time Reports :

CHAPTER 6:

Generating Real-Time Reports

Real-Time Reports let you search and generate reports for monitoring various real-time activities derived from the log data that is collected from your log sources. Each Real-Time Report category contains multiple specific reports.

IMPORTANT! Depending on LSP packages, and your selected log sources, you may see different types of reports, columns, and optional filters for each report.

Contents

Preparing a Real-Time Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

Access Control Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Database Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

IBM i5/OS Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

Threat Management Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Mail Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

Network Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Operational Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Policy Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

User Guide 115

Generating Real-Time Reports : Preparing a Real-Time Report

Preparing a Real-Time ReportThe Real-Time Reports are a central component to LogLogic’s Agile Reporting, which lets you quickly view detailed information about your collected log data, catered to your specific needs.

Real-Time Reports can take longer than Saved Reports because they run against all up-to-the-minute raw log data, not against stored summarized log data. Real-Time Reports capture all hits in collected raw log data that meet the report's criteria.

Figure 91 Reports Menu

To generate a Real-Time Report, refer to the procedure and illustrations shown in Generating a Report—An Example on page 119.

Select a Source or Sources and Search Filters1. In the navigation menu under Reports, select the category and type of report to

generate.

2. Click Create Report to open the Properties window.

3. Under Add Log Sources, click the down arrow next to Select and pick a filter (Name, IP Address, Group or Type) to filter returns.

a. If you picked “Name”, enter a Source Name, a specific Device Name or a Name Mask. Wild cards are accepted in this field.

b. If you picked “IP Address”, enter a Source IP Address, a specific IP Address or an IP Address Mask. Wild cards are accepted in this field.

c. If you picked “Group”, enter a Group Name, or click the down arrow to the right of the text field and select “All” or one of the other Group names displayed in the drop-down box.

d. If you picked “Type”, enter a Source Type (a specific device type), or click the down arrow to the right of the text field and select “All” or one of the other Device Types displayed in the drop-down box.

116 User Guide


Note: When adding a large number of devices, create a dynamic rule which contains all listed devices. To create a rule, first filter by Name or Type to retrieve the list of devices. Then, click the << Add filters as a rule button that will create a dynamic rule which contains all listed devices on the right pane.

4. If desired, add a second filter by clicking the + sign and repeating Step 3 as often as you like.

5. To delete a filter, click the - sign to remove the last selection made (repeat if needed). Do not click Cancel unless you want to cancel your report.

6. Click <<Add as a rule, and enter a name in the text field of the dynamic rule pop-up.

7. Click OK to add the selected source and filters to the left-hand pane.

8. Select a device name (or names) by clicking its name.

9. Click <<Add selected log sources to add devices from the selected source to which you want to apply the filters when running the report.

10. Click Run to initiate a report of the selected source and devices with the filters you chose in Step 3.

Select Time Frame and Run a Report1. When you click Run in Step 10, the Date and Time Range Picker pops up, with Last

Hour as the default setting. Click the down arrow next to Last Hour to reveal several other options (Last 2, 3, 6 12 18 or 24 Hours; Today; Yesterday).

2. To select a different date range, click the small calendar icon to the right of the current Date and Hour display and chose any month and day for the start of the report period. Move to the right and click the second small calendar icon to chose any month and day for the end of the report period.

3. Click Run again to execute the report.

Resize & Move Columns, Create Charts, Print and Download a Report1. On the results page, you may resize and move the columns to the positions you prefer

by clicking on them and dragging.

2. To see detailed information for a particular Source device, click the number of returns for the device in the Count column.

3. Click <back to summarized results and then click Display Chart. Both Pie and Bar charts are available. The chart segments can be highlighted by mousing over them. Right-clicking on the chart or segments opens a print menu.

Note: The charts are populated based on column that is used as a data source. For example, Denied Connections: On Demand (Chart for: Attempts); where Attempts is the column name that is used as a data source for the chart. If you need to display a chart based on different column, you must sort the report by the column, and the column must have numeric values.

4. Reports may be downloaded in CSV, PDF, or HTML format by clicking on the icons below the Display Chart button.

Modify Report Settings and Time Frame1. Clicking the Edit Settings button opens up a Properties window again, this time

allowing you to Add Columns and Filters if desired.

User Guide 117


2. Enter your selections for Add Columns and Filters (if any) and click Save As.

3. Enter a name and description for the report in the pop-up window. Select Share with others if desired. Click Save & Close.

4. Click Run Again to execute your report with the new filtering criteria. The new report will appear in the list of all Saved Reports (from Reports > All Saved Reports).

5. Click the date range (blue type at top left) to modify the timeframe for your report. The Date and Time Range Picker appears, with Last Hour as the default setting. Follow the steps listed in Select Time Frame and Run a Report on page 117.

6. From the list of Saved Reports (access Reports > All Saved Reports), you may click Run or Edit to modify the report settings of any Saved Report.

7. To search for a particular report or report series in the Saved Reports list, click in the Find field and enter a search term.

8. Press Enter. Any term found in the list of report titles will be highlighted; all other reports not containing the search term will no longer show in the list of Saved Reports. Clear the search term in the Find field and press Enter to see all Saved Reports again.

9. You may add a schedule for a Saved Report by clicking the report Name and then clicking Schedule selected.

The Scheduling window opens. You can define a Timeframe, Email Recipients (pre-defined system users), and Formatting options. Click the Manage Recipients button to update the Appliance address book. Using this option, you can add new or modify recipient addresses that are non-defined system users (that are not defined under Management > Users page).

10. You may delete a Saved Report from the list by clicking the report Name and then clicking Remove selected. You will see a pop-up message asking you to Confirm Deletion.

Saving a Generated Report

There are several options for saving a generated report, available from the icons at the top of the report results:

Save as CSV—Downloads and saves the report data in a comma-separated .csv file, viewable in spreadsheet applications such as Microsoft Excel.

Save as PDF—Downloads and saves the report data in a PDF file, viewable in Acrobat format such as Adobe Acrobat Reader.

View as HTML—Open the report data formatted in a new browser window or tab, from which you can also download the HTML file for archival.

Rerunning a Saved Report

To rerun a saved report, go to Reports > All Saved Reports and select a previously saved report. You may click the Run icon and regenerate the report with a different time range, or click the Edit icon and change the saved report parameters before rerunning the report. All options are available, not just the ones originally selected. You may customize the new report using new filters and wildcards.

Note: Wildcard searches are supported for IP addresses and detailed messages.

118 User Guide


Generating a Report—An Example

This example shows how to generate a Network Activity report that displays denied connection activity related to the IP addresses you select. The steps below apply to the generation of all reports on the Appliance except the Check Point Policies report, which lists current Check Point Firewall policy rules on log sources connected to your Appliance.

The other exception is All Saved Reports, which lists previous search results, saved as reports, and selected to be shared with others at the time of generation.

To generate a Denied Connections Report

1. Select Reports > Network Activity > Denied Connections from the home page menu.

2. Click the Create Report button.

Figure 92 Create Report Button

3. Select the log source connected to the Appliance.

Figure 93 Select Log Source

User Guide 119


4. Select log sources from the list by clicking its name (or names). Click Add selected log sources to move them to the Log Sources list.

Figure 94 Add Selected Log Source

5. Click Run to run the report.

120 User Guide


6. Specify the time interval to search for data passing through the Appliance and click Run.


7. On the Denied Connections results page, adjust the order and position of columns.

Figure 96 Denied Connections Results

User Guide 121


8. Select Display Chart to graph the Denied Connections results. Pie chart and bar chart options are available. Mousing over the chart segments highlights the results.

Note: The charts are populated based on column that is used as a data source. For example, Denied Connections: On Demand (Chart for: Attempts); where Attempts is the column name that is used as a data source for the chart. If you need to display a chart based on different column, you must sort the report by the column, and the column must have numeric values.

Figure 97 Denied Connections Report – Pie Chart Display

9. Right-click a chart segment to print the data in the segment.

Figure 98 Pie Chart Segment Selected for Printing

122 User Guide


Figure 99 Bar Chart Display of Denied Connections Report

10. At the top menu, select the CSV, PDF, or HTML icon to export the entire report to a file.

Figure 100 PDF Selected as Export Format

User Guide 123


11. To choose another time to run the Denied Connections report, click the date range in the upper left section of the report. The Date and Time Range Picker opens.


12. Select the date and time and click Run.

13. Click the Edit Settings button to revise columns and filters in the report and Run the report again.

124 User Guide


Figure 102 Revise Columns and Filters in the Denied Connections Report

To re-run and edit settings of a previously saved report (Denied Connections):

1. Select Reports > Network Activity > Denied Connections from the Home page.

Figure 103 Saved Report – Denied Connections

User Guide 125


2. To run the saved report, click the Run icon and then click the Run button on the Date and Time Range Picker that pops up.

Figure 104 Denied Connection Report – Date and Time Range Picker

3. After the Denied Connections report opens, click the Edit Settings button.

Figure 105 Denied Connections Report – Edit Settings Button

The Edit Settings window is displayed.

126 User Guide


Figure 106 Denied Connections Report – Edit Settings Window

4. Click Properties to open the Properties Dialog pane as shown below.

Figure 107 Denied Connections Report – Edit Settings Properties Dialog Pane

5. Enter your data and click OK.

6. To add a schedule for the Denied Connections report, click the Scheduling link.

The Add a Schedule pane opens on the right side. You can define a Timeframe, Email Recipients (pre-defined system users), and Formatting options. Click the Manage Recipients button to update the Appliance address book. Using this option, you can add new or modify recipient addresses that are non-defined system users (that are not defined under Management > Users page).

User Guide 127


7. Click the Add Schedule button at the bottom of the Timeframe pane to confirm the schedule for the Denied Connections report.

Figure 108 Denied Connections Report – Edit Settings Properties, Schedule Timeframe Pane

8. Click Save and Close on the Properties window to save your entries.

9. View the saved schedule for the Denied Connections report.

Figure 109 Schedule Information Added to the Denied Connections Report

10. To make further changes to the Denied Connections report, repeat Steps 1 — 9.

Available Operators

Each report has multiple filter operators available that are listed in Table 25 on page 129.

Note: Some report columns display as empty when the actual value is either null or an empty string.

If the value is null, you can filter using --null--.

128 User Guide


If the value is an empty string, you can filter using two single quotes ".

Table 25 Optional Filter Operators

Operator Description

= Specifies an acceptable substitution for a word in a query.

!= Specifies to not substitute a word in a query.

in Displays data in the results that contains the specified word in a list.

not in Excludes data in the results that contains the specified word in a list

like Displays data that has a partial match to the value you type.

For example, you can use this operator to type a partial IP address such as 10.2.3.*. This type of search returns all IP addresses which contain these numbers.

not like Excludes data that contains a partial match to the value you type.

contain Displays data that matches the alphanumeric string you type.

For example, you can use this operator to type a string such as 'Accessed URL' for any detailed message. This type of search returns all detailed messages which contains, starts with, or ends with the 'Accessed URL' value.

not contain Excludes data that matches the alphanumeric string you type.

start with Displays data that begins with the alphanumeric value you type.For example, you can use this operator to type a string such as 'Accessed URL' for any detailed message. This type of search returns all detailed messages which contains, starts with, or ends with the 'Accessed URL' value.

not start with Excludes data that begins with the alphanumeric value you type.end with Displays data that ends with the alphanumeric value you type.

For example, you can use this operator to type a string such as 'Accessed URL' for any detailed message. This type of search returns all detailed messages which contains, starts with, or ends with the 'Accessed URL' value.

not end with Excludes data that ends with the alphanumeric value you type.

regexp Displays data in the results only that contains the regular expression you define.

not regexp Displays data in the results only that does not contain the regular expression you define.

> Displays only data in the results that is above a threshold number.

< Displays only data in the results that is below a threshold number.

between Displays data that is between (inclusive) the numeric values you type.

User Guide 129

Generating Real-Time Reports : Access Control Reports

Access Control ReportsTo search for and generate reports on the number of times a selected log source executes an authentication rule, use Access Control reports.

The submenu that appears when you click home: Reports > Access Control lists which reports are available for each log source.

To access Access Control reports

Choose home: Reports > Access Control > report-name from the navigation submenu, where report-name is any one of the following Access Control reports.

Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.

Optional filter operators are different for each Access Control report, and are explained in their respective sections.

For information on saving the generated report, see Saving a Generated Report on page 118.

Table 26 Access Control Reports

Report Definition Page

Permission Modification

Use the Permission Modification screen to search for and create a report on changes made to user permissions on selected log sources during a specified time interval.

page 131

User Access Use the User Access screen to search for and generate a report on user activities in accessing resource (for example, service, file, directory, application) on selected log sources during a specified time interval.

page 132

User Authentication

Use the User Authentication screen to search for and generate a report on who has authenticated on selected log sources during a specified time interval.

page 133

User Created/Deleted

Use the User Created/Deleted screen to search for and generate a report on what users have created or deleted during a specified time interval.

page 134

User Last Activity Use the User Last Activity screen to search for and generate a report on activity of users during a specified time interval.

page 135

Windows Events Use the Windows Events screen to search for and generate a report on data about all log events from the Microsoft Windows operating systems. For example, the captured log events include, application, security, and system events.

page 136

130 User Guide


Permission Modification Reports

To search for and generate a report on activities related to modification of user permissions (for example, adding or deleting permissions) on selected log sources during a specified time interval, use the Permission Modification Real-Time Report.

Menu path: home: Reports > Access Control > Permission Modification

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional columns and filters can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The optional filters are:


Table 27 Permission Modification Report Optional Filter Operators

Option Description

Source Device Description of the device that sent these log messages

User User who is making the inquiry

Action Action taken

Status Status of the connection

Source IP IP address of the source host device

Source Domain Domain of the source host device

Target User User for whom inquiry is being made

Target IP IP address of the accessed Appliance

Target Domain Domain of the accessed Appliance

Type Type of connection

Originating Host The original host name where the event was originally created

Subsystem The subsystem of the host

Originating IP The original source IP address where the event was originally created

Event Name Name of the event

Application Type The type of application that generated the event

Count Number of connections

User Guide 131


User Access Reports

To search for and generate a report on user activities in accessing resources (for example, service, file, directory, application) on selected log sources during a specified time interval, use the User Access Real-Time Report.

Menu path: home: Reports > Access Control > User Access


Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The options are:


Table 28 User Access Report Optional Filter Operators

Option Description





Target User User for whom inquiry is being made


Target Domain Domain of the accessed Appliance

Group The name of the Policy group

Action Action taken









132 User Guide


User Authentication Reports

To search for and generate a report on who has authenticated on selected log sources during a specified time interval, use the User Authentication Real-Time Report.

Menu path: home: Reports > Access Control > User Authentication


Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only the Source Device, User, Source IP, Status, and Count.


Table 29 User Authentication Report Optional Filter Operators

Option Description





Target User User for whom the inquiry is made

Group The name of the Policy group








Disconnect Reason Reason the connection was terminated


User Guide 133


User Created/Deleted Reports

To search for and generate a report on what users have been created or deleted on selected log sources during a specified time interval, use the Users Created/Deleted Real-Time Report.

Menu path: home: Reports > Access Control > User Created/Deleted


Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only the Source Device, User, Source IP, Target User, Target IP, and Count.:


Table 30 User Created/Deleted Report Optional Filter Operators

Option Description




Target User User for whom the inquiry is being made







Action Action taken

Action Details Details of the action

Status Status of use


134 User Guide


User Last Activity Reports

To search for and generate a report on the most recent activity of all users on selected log sources during a specified time interval, use the User Last Activity report.

Menu path: home: Reports > Access Control > User Last Activity


Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:


Table 31 User Last Activity Report Optional Filter Operators

Option Description


Time Time of connection

Connection ID ID number for the connection



Target User User for whom the inquiry is being made


Action Action taken

Action Details Details of the action

Status Status of the activity






Access Details Details of access

User Guide 135


Windows Events Reports

To search for and generate a report on data on all Windows Event IDs, the number of events for each ID, and a description of each ID for selected log sources running the Microsoft Windows operating systems, use the Windows Events Real-Time Report. For example, the captured log events include application, security, and system events.

Menu path: home: Reports > Access Control > Windows Events


Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only the Source Device, Event ID, and Count.


Table 32 Windows Events Report Optional Filter Operators

Option Description


Event ID Numeric ID corresponding to the source device

User User ID on the source device

Source Domain Domain name of the source device

Target User User ID of the destination device

Target Domain Domain name of the destination device






Action Action taken

Status Status of use

Type Content type of the object as seen in the HTTP reply header

Count Number of Windows events for the source device

136 User Guide

Generating Real-Time Reports : Database Activity Reports

Database Activity ReportsTo search for and generate reports on various events occurring on database server log sources, use the Database Activity reports.

To access Database Activity reports

Choose home: Reports > Database Activity > report-name from the navigation menu, where report-name is any one of the following reports:


Optional filter operators are different for each Database Activity report, and explained in their respective sections.


Table 33 Database Activity Reports

Report Description Page

All Database Events Use the All Database Events screen to search for and generate a report on the event types that are occurring.

page 138

Database Access Use the Database Access screen to search for and generate a report on all database server connections including user access and failed user access attempts.

page 139

Database Data Access Use the Database Data Access screen to search for and generate a report on user access and changes to your data for a specified time period.

page 140

Database Privilege Modifications

Use the Database Privilege Modifications screen to search for and generate a report on database privilege changes, such as user reconfiguration and privilege manipulation.

page 141

Database System Modifications

Use the Database System Modifications screen to search for and generate a report on system database changes such as drops and table drops.

page 142

User Guide 137


All Database Events Reports

To search for and generate a report on the event types that are occurring on specified database server log sources during a specified time interval, use the All Database Events Real-Time Report.

Menu path: home: Reports > Database Activity > All Database Events


Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are selected: Source Device, Database, Event Type ID, Event Type Name, Count.


Table 34 All Database Events Report Optional Filter Operators

Option Description


Database Database name on which the action occurred

DB User User name of the database user whose actions were audited

Sys Priv System privileges granted or revoked

Database Object Name Name of the object affected by the action

Status Status or return code of the action completion (numeric value)

Severity Severity level of the event

OS User Operating system login user name of the user whose actions were audited

Event Type ID Database vendor audit code for the action type

Event Type Name Type of database event such as DROP_TABLE, SQL_UPDATE, or CREATE_TABLE (names vary by vendor)

Object Priv Object privileges granted or revoked on the database object

Count Number of log entries returned with the given parameters

138 User Guide


Database Access Report

To search for and generate a report on all database server connections, including user access and failed user access attempts, on specified database server log sources during a specified time interval, use the Database Access Real-Time Report.

Menu path: home: Reports > Database Activity > Database Access




Table 35 Database Access Report Optional Filter Operators

Option Description

Source Device Description of the device that sent log data









Access Type The action or method used to access any database object



User Guide 139


Database Data Access Report

To search for and generate a report on user access and changes to your data on specified database server log sources during a specified time interval, use the Database Data Access Real-Time Report.

Menu path: home: Reports > Database Activity > Database Data Access




Table 36 Database Data Access Report Optional Filter Operators

Option Description










Access Type The action or method used to access any database object



140 User Guide


Database Privilege Modifications Report

To search for and generate a report on database privilege changes, such as user reconfiguration and privilege manipulation, on specified database server log sources during a specified time interval, use the Database Privilege Modifications Real-Time Report.

Menu path: home: Reports > Database Activity > Database Privilege Modifications


Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are selected: Source Device, Database, DB User, Modification Type, Object Priv, and Count.


Table 37 Database Privilege Modifications Report Optional Filter Operators

Advanced Option Description










Modification Type Modification action of a user, profile, or role privilege



User Guide 141


Database System Modifications Report

To search for and generate a report on system database changes such as drops and table drops, use the Database System Modifications Real-Time Report.

Menu path: home: Reports > Database Activity > Database System Modifications


Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are selected: Source Device, Database, DB User, Database Object Name, Access/Modification Type, and Count.


Table 38 Database System Modifications Report Optional Filter Operators

Option Description










Access/Modification Type

Modification action of a user, profile, or role privilege



142 User Guide

Generating Real-Time Reports : IBM i5/OS Activity Reports

IBM i5/OS Activity ReportsTo search for and generate reports on various events occurring on your IBM i5/OS log sources, use IBM i5/OS Activity reports.

To access IBM i5/OS Activity reports

Choose home: Reports > IBM i5/OS Activity > report-name from the navigation menu, where report-name is any one of the following reports:


Optional filter operators are different for each Database Activity report, and explained in their respective sections.


Table 39 IBM i5/OS Activity Reports


All Log Entry Types Use the IBM i5/OS Activity All Log Entry Types screen to search for and generate a report on all recorded entry types.

page 144

System Object Access Use the IBM i5/OS Activity System Object Access screen to search for and generate a report on all failed access attempts throughout the system.

page 146

User Access by Connection Use the IBM i5/OS Activity User Access by Connection screen to search for and generate a report on all system access and system access attempts by user.

page 148

User Actions Use the IBM i5/OS Activity User Actions screen to search for and generate a report on all user actions performed and attempted.

page 150

User Jobs Use the IBM i5/OS Activity User Jobs screen to search for and generate a report on all jobs that users are running.

page 152

User Guide 143


All Log Entry Types Reports

To search for and generate a report on all recorded entry types, use the All Log Entry Types Real-Time Report.

Menu path: home: Reports > IBM i5/OS Activity > All Log Entry Types


Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu.

Table 40 All Log Entry Types Reports Optional Filter Operators

Option Field Description

Source Device devIP IP address of the device that sent log data

Journal Type jrnEntryType Two-character Audit Journal record (entry) type

Journal Description jrnTypeDesc Description of the journal entry type

Journal Job jobName Name of the job that caused the entry to be created

Journal User jrnUserName Profile name of the user associated with Journal Job

Journal Number jrnJobNbr Job number of the Journal Job

Journal Program jrnPgm Name of the program that created the entry

Journal Library jrnPgmLib Program library

Journal System Name jrnSyName Name of the system where the journal resides

Journal Remote Port jrnRmtPort Remote port of the system associated with the journal entry

Journal Remote Address jrnRmtIPAdr Network address of the system associated with this entry

Action action An action associated with the entry type

Action Description actionDesc Description of the action

Attribute Name attribute Name of an attribute that was the target of the action

Attribute Description attributeDesc Description of the attribute (if available)

Destination Server destServer Name of a remote workstation or server in a network event

DLO Folder DLOFolder Name of the Document Library Object folder

DLO User DLOUser Name of the Document Library Object owner or user creating or accessing the DLO

Entry Type entryType Type of event or entry in the journal type (can be considered a subtype of the journal type)

Entry Description entryDesc Description of the entry

Job Name jobName Name of the Journal Job or the job that was the target of the action described in the entry

Job Number jobNumber Number of the Journal Number or the job that was the target of the action described in the entry

Job User jobUser The Journal User of profile name of the user associated with the job that was the target of the action described in the entry

Local IP Address lclIPadr Local IP address of the system involved in the network event

144 User Guide



Object Library lib Library of the object that was acted on

Object Name obj Name of the object that was acted on

Object Type objType Type of object that was acted on

Remote IP Address rmtIPadr Remote IP address of the system involved in the network event

Source Server srcServer Name of a workstation or server where the audited event occurred, or that was the source system in a network event

Status status Status code

Status Description statusDesc Description of the status code (if available)

User ID/Profile user A user ID (UID) or user profile involved in the recorded event; typically the originator or target of the event

Count (computed by the Appliance)

A count of action attempts, entries, or other count information; dependent on Journal and Entry type

Table 40 All Log Entry Types Reports Optional Filter Operators (Continued)


User Guide 145


System Object Access Reports

To search for and generate a report on all failed access attempts throughout the system, use the System Object Access Real-Time Report.

Menu path: home: Reports > IBM i5/OS Activity > System Object Access



Table 41 System Object Access Reports Optional Filter Operators


























146 User Guide













Table 41 System Object Access Reports Optional Filter Operators (Continued)


User Guide 147


User Access By Connection Reports

To search for and generate a report on all system access and system access attempts by users, use the User Access By Connection Real-Time Report.

Menu path: home: Reports > IBM i5/OS Activity > User Access By Connection



Table 42 User Access By Connection Reports Optional Filter Operators


























148 User Guide













Table 42 User Access By Connection Reports Optional Filter Operators (Continued)


User Guide 149


User Actions Reports

To search for and generate a report on all user actions performed and attempted, use the User Actions Real-Time Report.

Menu path: home: Reports > IBM i5/OS Activity > User Actions



Table 43 User Actions Reports Optional Filter Operators


























150 User Guide













Table 43 User Actions Reports Optional Filter Operators (Continued)


User Guide 151


User Jobs Reports

To search for and generate a report on all jobs that users are running, use the User Jobs Real-Time Report.

Menu path: home: Reports > IBM i5/OS Activity > User Jobs



Table 44 User Jobs Reports Optional Filter Operators


























152 User Guide













Table 44 User Jobs Reports Optional Filter Operators (Continued)


User Guide 153

Generating Real-Time Reports : Threat Management Reports

Threat Management ReportsTo search for and generate reports on information about IDS/IPS log sources, use IDS/IPS Activity reports.

To access Threat Management reports

Choose home: Reports > Threat Management > IDS/IPS Activity from the navigation menu:

Preparing a Real-Time Report on page 116 includes the common options that you specify for Real-Time Reports.


Table 45 Threat Management Reports


IDS/IPS Activity Use the IDS/IPS Activity screen to search for and generate a report on all attack activities from Intrusion Detection/Prevention Systems (IDS/IPS).

page 155

154 User Guide

Generating Real-Time Reports : Threat Management Reports

IDS/IPS Activity Reports

To search for and generate a report on all attack activities from IDS/IPS systems, use the IDS/IPS Activity Real-Time Report.

Menu path: home: Reports > Threat Management > IDS/IPS Activity

For this report, you can select to view various options in the generated report for your Appliance. Optional filter operators can be sorted in Ascending or Descending order. Choose sort order using the drop-down menu. The default is to display only Log Source IP, Source IP, Destination IP, Destination Port, Signature, and Count:


Table 46 IDS/IPS Activity Report Optional Filter Operators

Option Description

Log Source IP IP address of the device that sent these log messages

Source IP IP address from which the attack originated

Source Port Port from which the attack originated

Destination IP IP address that was targeted

Destination Port Port that was targeted

Action Response of the intrusion prevention system (IPS) when it detects an attack reported by the IDS/IPS

Note: If you do not have an IPS associated with your IDS/IPS, you might not see any results if using this filter.

Signature ID Rule or numeric ID for the event

Note: The Signature ID from the vendor might be more consistent than the Signature.

Protocol Protocol of the destination device

Signature Identifier from IDS/IPS for an event

Sensor Device that sends events to a collector analysis system

Sensor IP IP address of the device that detected the event

Classification Type of attack

Priority Priority level of the attack

Count Number of attacks.

User Guide 155

Generating Real-Time Reports : Mail Activity Reports

Mail Activity ReportsTo search for and generate reports on information about mail-related activities on mail server log sources, use Mail Activity reports.

The Report Information tab that appears when you click on home: Reports > Mail Activity lists which reports are available for each log source.

To access Mail Activity reports

Choose home: Reports > Mail Activity > report-name from the navigation menu, where report-name is any one of the following reports:


Optional filter operators are different for each Mail Activity report, and explained in their respective sections.


Table 47 Mail Activity Reports


Exchange 2000/03 SMTP

Use the Exchange 2000/03 SMTP screen to search for and generate a report on all Exchange 2000/03 SMTP events recorded by your mail servers.

page 157

Exchange 2000/03 Activity

Use the Exchange 2000/03 Activity screen to search for and generate a report on all mail server activity for your Microsoft Exchange servers.

page 158

Exchange 2000/03 Delay

Use the Exchange 2000/03 Delay screen to search for and generate a report on all delays in mail activity for your Microsoft Exchange servers.

page 160

Exchange 2000/03 SMTP size

Use the Exchange 2000/03 SMTP Size screen to search for and generate a report on mail size for all your Microsoft Exchange server mail activity.

page 160

156 User Guide


Exchange 2000/03 SMTP Reports

To search for and generate a report on all mail server activity for selected Microsoft Exchange servers during a specified time interval, use the Exchange 2000/03 Activity Real-Time Report.

Menu path: home: Reports > Mail Activity > Exchange 2000/03 SMTP


You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, all options are shown except the Source User, Source Host, Domain Name, and Time Taken (ms):.


Table 48 Exchange 2000/03 SMTP Report Optional Filter Operators

Option Description


Source User User of the source device

Source IP IP address of the source device

Source Host Host name of the source device

Domain Name Domain name of the source device

Destination IP IP address of the destination device

Destination Port Port of the destination device

Method Request method to obtain an object; for example, GET

URL Query URL requested

Status SMTP result codes

Size Number of bytes transferred

Time Taken (ms) Time to complete the event

Count Number of cache views

User Guide 157


Exchange 2000/03 Activity Reports

To search for and generate a report on all delays in mail activity for selected Microsoft Exchange servers during a specified time interval, use the Exchange 2000/03 Delay Real-Time Report.

Menu path: home: Reports > Mail Activity > Exchange 2000/03 Activity


You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, the Source Device, Recipient Domain, Status, and Count are shown:


Table 49 Exchange 2000/03 Activity Report Optional Filter Operators

Option Description

Source Device Name of the Microsoft Exchange device

Message ID Numeric identifier of the message

Sender Email address of the sender

Sender Domain Domain name of the sender’s email

Recipient Email address of the recipient

Recipient Domain Domain name of the recipient’s email

Status Exchange status

Count Number of emails

158 User Guide


Exchange 2000/03 Delay Reports

To search for and generate a report on all mail server activity for selected Microsoft Exchange servers during a specified time interval, use the Exchange 2000/03 Activity Real-Time Report.

Menu path: home: Reports > Mail Activity > Exchange 2000/03 Delay


You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, the Source Device, Recipient Domain, Average Delay, Max Delay, and Count are shown:


Table 50 Exchange 2000/03 Delay Report Optional Filter Operators

Option Description







Average Delay Average delay of each message

Max Delay Maximum delay of each message


User Guide 159


Exchange 2000/03 Size Reports

To search for and generate a report on mail size for all server mail activity for selected Microsoft Exchange servers during a specified time interval, use the Exchange 2000/03 Size Real-Time Report.

Menu path: home: Reports > Mail Activity > Exchange 2000/03 Size


You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, the Source Device, Sender, Total Size (Bytes), Max Size (Bytes), Count, and Actual Count are shown:


Table 51 Exchange 2000/03 Size Report Optional Filter Operators

Option Description







Total Size (Bytes) Total number of bytes transferred

Max Size (Bytes) Maximum number of bytes transferred


Actual Count

160 User Guide

Generating Real-Time Reports : Network Activity Reports

Network Activity ReportsTo search for and generate reports on information about connections on log sources, use Network Activity reports.

To access Network Activity reports

Choose home: Reports > Network Activity > report-name from the navigation menu, where report-name is any one of the following:


Optional filter operators are different for each Network Activity report, and explained in their respective sections.


Table 52 Network Activity Reports


Accepted Connections Use the Accepted Connections screen to search for and generate a report on IP connections that were accepted by a log source.

page 162

Active FW Connections Use the Active FW Connections screen to search for and generate a report on current active sessions from the selected firewall log sources.

page 163

Active VPN Connections Use the Active VPN Connections screen to search for and generate a report on current active sessions through Check Point Interface, Cisco VPN 3000, Nortel Connectivity, and RADIUS Acct Client log sources.

page 164

Application Distribution Use the Application Distribution screen to search for and generate a report on information about messages, grouped by application ports, that were accepted by a device.

page 165

Denied Connections Use the Denied Connections screen to search for and generate a report on connections denied by the selected firewall log sources.

page 166

FTP Connections Use the FTP Connections screen to search for and generate a report on syslog messages related to FTP traffic through the selected firewall log sources.

page 167

VPN Access Use the VPN Access screen to search for and generate a report on the number of VPN connections that the log source either completed or denied.

page 168

VPN Sessions Use the VPN Sessions screen to search for and generate a report on data about separate invocations of sessions on log sources during a specified time interval.

page 169

VPN Top Lists Use the VPN Top Lists screen to search for and generate a report on the top users and IP addresses and statistics.

page 170

Web Cache Activity Use the Web Cache Activity screen to search for and generate a report on locally stored web information served during a specified time interval.

page 171

Web Surfing Activity Use the Web Surfing Activity screen to search for and generate a report on web information served during a specified time interval.

page 172

User Guide 161


Accepted Connections Reports

To search for and generate a report on IP connections that were accepted by selected firewall log sources during a specified time interval, use the Accepted Connections Real-Time Report.

Note: 1. Accepted Connections data is summarized in ten minutes and one hour. If the report time interval is less than two hours, the time range is cut to ten minutes, and if it is more than two hours, it is cut to one hour. 2. To view the detail report, you must enable the Administration > System Settings > General tab > Enable Accept Detail option. This may require additional time and storage in downloading this report.

Menu path: home: Reports > Network Activity > Accepted Connections


Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:.

Note: Column headings differ for PIX and non-PIX devices.

* Note: Under certain conditions Network Address Translation (NAT) addresses can show up as 0.0.0.0 in real time reports such as Accepted Connections Reports. This is not a bug since System Alert messages of a certain type (e.g., FWSM-4-106100 in Cisco Catalyst 6500 Series Switches) do not have a translated (mapped) address present in the logs. Therefore, zero is correct because there is no relevant IP address in the parsed logs for FWSM-4-106100.


Table 53 Accepted Connections Report Optional Filter Operators

Option Description


Translated IP IP address as translated by the device*

Source IP IP address of the source host (non-PIX devices only)

Destination IP IP address of the destination host device (non-PIX devices only)

Port Port number (service) of the destination host

Protocol Protocol of the destination host

Description Description of the port (service)

Messages Number of log messages received representing this connection

In Bytes Number of incoming bytes (Check Point Interface, Cisco PIX, and Juniper Firewall only)

Out Bytes Number of outgoing bytes (Check Point Interface, Cisco PIX, and Juniper Firewall only)

Action Accept or encrypt - Identifies if the connection was accepted or accepted with encryption (Check Point Interface only)

162 User Guide


Active FW Connections Reports

To search for and generate a report on current active sessions through selected Cisco PIX Firewall log sources, use the Active FW Connections Real-Time Report.

The Active Firewall Connection report is generated by monitoring the start and end messages of a particular connection in progress. Connections that have generated a start message but have not yet generated an end message are assumed to be active for a period of time before being timed-out.

Menu path: home: Reports > Network Activity > Active FW Connections

In Active FC Connections reports, you must specify the log source:




Note: The generated list displays in real-time. As a result, the last page of connections might be closed/no longer active by the time you scroll to the last page. This results in no data displaying in the last page of the report.

Table 54 Active FW Connections Screen Elements

Element Description

IP Address IP address for the log source

Port Port number for the log source

Protocol Protocol type (from the drop-down menu)

Table 55 Active FW Connections Report Optional Filter Operators

Option Description

Create Time Time the session began

Connection ID in the log message assigned to the unique connection

Protocol IP Protocol (TCP, UDP, etc.) of the connection

Translated IP/Port Public (NAT’ed) IP address of the source host (IP address only)

Source IP/Port IP address of the internal host device (IP address only)

Destination IP/Port IP address of the external host device (IP address only)

Direction Inbound or Outbound connection attempt

User Guide 163


Active VPN Connections Reports

To search for and generate a report on current active sessions through selected VPN and RADIUS log sources, use the Active VPN Connections Real-Time Report.

Menu path: home: Reports > Network Activity > Active VPN Connections




Note: The generated list displays in real-time. As a result, the last page of connections might be closed/no longer active by the time you scroll to the last page. This results in no data displaying in the last page of the report.

Table 56 Active VPN Connections Report Optional Filter Operators

Option Description


Connections Number of log messages received representing connections

164 User Guide


Application Distribution Reports

To search for and generate a report that summarizes accepted traffic by application ports through selected firewall log sources during a specified time interval, use the Application Distribution Real-Time Report.

Note: 1. The Application Distribution data is summarized in ten minutes and one hour. If the report time interval is less than two hours, the time range is cut to ten minutes, and if it is more than two hours, it is cut to one hour. 2. To view the detail report, you must enable the Administration > System Settings > General tab > Enable Accept Detail option. This may require additional time and storage in downloading this report.

Menu path: home: Reports > Network Activity > Application Distribution




Table 57 Application Distribution Report Optional Filter Operators

Option Description


Port Port number (service) of the connection

Protocol IP protocol (TCP, UDP, etc.) of the connection

Description Description of the port (service)

Messages Number of log messages received representing this connection

Src -> Dest Bytes Number of outbound bytes sent (not for Nortel VPN)

Bar Graph Percentage of total outbound bytes represented as a bar graph

Percentage Number of outbound bytes represented as a percentage

Dst -> Src Bytes Number of inbound bytes received (not for Nortel VPN)

User Guide 165


Denied Connections ReportsTo search for and generate a report on denied connections by selected firewall log sources during a specified time interval, use the Denied Connections Real-Time Report.

Menu path: home: Reports > Network Activity > Denied Connections

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select:

The type of information the Appliance aggregates for the generated report Various optional filter operators in the generated report for your Appliance

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following optional filter operators:

For more information on saving the generated report, see Saving a Generated Report on page 118.

Table 58 Denied Connections Report Summary Methods

Method Description

Src IP/Any--> Any/Port

Aggregates records from a specific Source IP and any port going to any destination IP and a specific destination port. The system derives the Source IP and destination port from your Device Type and Source Device selections.

Src IP/Any --> Dest IP/Port

Aggregates records from a specific Source IP and any port going to a specific Destination IP and specific Destination port. The system derives the Source IP and Destination IP from your Device Type and Source Device selections.

Denied by Port Aggregates records from the port numbers only

Table 59 Denied Connections Report Optional Filter Operators

Option Description


Attempts* Number of times log messages denied the connection

Src IP IP address of the source host device

Src Port Port number of the source host device

Dest IP IP address of the destination host device

Dest Port Port number of the destination host device

Protocol IP protocol (TCP, UDP, etc.) of the connection

Description Description of the destination port (service)

Access Group (Cisco PIX/ASA only) Lists any group of which you are a member

Rules (Check Point Interface only) Condition set on the firewall to complete the security policy; identifies what is allowed and not allowed through a specific interface.

Policy ID Unique policy identifier of the device on the firewall (Juniper Firewall only)

Direction (Check Point Interface, Cisco PIX/ASA/FWSM, Juniper Firewall, and Nortel Connectivity only) Inbound or Outbound connection attempt. Direction is stored as a number internally, for INBOUND use 1, for OUTBOUND use 2, and for INTERNAL use 3.

* Note: “Attempts” for Cisco router by “src IP/any” will be larger than the number shown in the Denied Connections Report because IP packets are measured in this instance, instead of the actual number of messages sent.

166 User Guide


FTP Connections Reports

To search for and generate a report on all syslog messages related to FTP traffic through the selected firewall device during a specified time interval, use the FTP Connections Real-Time Report.

Menu path: home: Reports > Network Activity > FTP Connections




Table 60 FTP Connections Report Optional Filter Operators

Option Description


Source Device IP IP address of the source device that sent these log messages

From IP address of the source device

To IP address of the destination device

Count Number of times syslog messages related to FTP traffic were generated

User Guide 167


VPN Access Reports

To search for and generate reports on the VPN connections that the selected log sources either completed or denied during a specified time interval, use the VPN Access Real-Time Report.

Menu path: home: Reports > Network Activity > VPN Access




Appliances cannot receive disconnected messages. A VPN session is recorded permanently in the database table authentication after it is disconnected, prior to that the session is considered active. A Check Point VPN session is considered disconnected when a new connection attempt is made by the same user from the same IP address.

Table 61 VPN Access Report Optional Filter Operators

Option Description


Public IP Public IP address originating the VPN connection

Group VPN group of which the source device is a part

User VPN user ID

Target User VPN user ID of the originating VPN connection

Connections Number of log messages received representing connections

Denies Number of denied connection messages received

Avg Duration Average duration of each connection

Byte Count Number of bytes transferred during the session

Avg Bandwidth (Bytes/Sec)

Average bandwidth used for each connection

168 User Guide


VPN Sessions Reports

To search for and generate a report on data about VPN sessions (including initiation and conclusion times) on selected log sources during a specified time interval, use the VPN Sessions Real-Time Report.

Menu path: home: Reports > Network Activity > VPN Sessions


Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only the Source Device, User, Avg Duration, Avg Bytes, and Count.



Table 62 VPN Sessions Report Optional Filter Operators

Option Description


User User ID

Target User User ID on the device with which the source device attempted to connect

Source IP IP address of the device that sent these log messages

Target IP IP address of the device with which the source device attempted to connect

Avg Duration Average duration of each connection

Avg Bytes Average number of bytes

Count Number of VPN sessions

User Guide 169


VPN Top Lists Reports

To search for and generate a report on the top users, IP addresses, and other statistics, use the VPN Top Lists Real-Time Report.

Menu path: home: Reports > Network Activity > VPN Top Lists


Choose the Method from the drop-down menu. The options are: Top Disconnect Reasons, By IP Address, and By User. Depending on the method selection, the default column options will change. Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options for Top Disconnect Reasons:

IMPORTANT! If you run a report for the Top Disconnect Reasons, the “unknown” that displays in the Disconnect Reasons column, represents the disconnect reasons reported by RADIUS. If you have not properly plugged in your RADIUS server, all reasons display as “unknown”. Click a Connections number or Source Device to drill-down and view the Disconnect Details column. This column displays the VPN syslog messages associated with the disconnect reason.


Table 63 VPN Top Lists Report Types

Report Type Description

Source Device The description of the source device

Connections Number of connections to the source device

Disconnect Reason Reason for disconnection

170 User Guide


Web Cache Activity Reports

To search for and generate a report on all URLs accessed through proxy or cache servers on specified log sources during a specified time interval, use the Web Cache Activity Real-Time Report.

Menu path: home: Reports > Network Activity > Web Cache Activity


You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Source IP, Destination IP, Status, Size, Filter Category, Filter Result, and Count:

When you drill down on Web Cache Activity report’s results, there is no default sort-by selection. The drill-down results are generally in order by time. If you specify a sort-by selection for this report's drill-down, performance in generating the drill-down results is slower.


Table 64 Web Cache Activity Report Optional Filter Operators

Option Description


Source User User of the source device

Source IP IP address of the source device





Peer IP IP address of the peer device

Peer Host Host name of the peer device

Peer Status A code that explains how the request was handled; for example, by forwarding it to a peer or returning the request to the source


URL URL requested

Cache Code Information on the result of the transaction: the kind of request, how it was satisfied, or in what way it failed

Status HTTP result codes



Filter Category The category of the filter

Filter Result The results after using the filter

Count Number of cache views

User Guide 171


Web Surfing Activity Report

To search for and generate a report on all URLs accessed via firewalls or web servers on selected log sources during a specified time interval, use the Web Surfing Activity Real-Time Report.

Menu path: home: Reports > Network Activity > Web Surfing Activity


You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device IP, Source IP, Destination IP, Status, Size, and Count:

When you drill down on Web Surfing Activity report’s results, there is no default sort-by selection. The drill-down results are generally in order by time. If you specify a sort-by selection for this report's drill-down, performance in generating the drill-down results is slower.


Table 65 Web Surfing Activity Report Optional Filter Operators

Option Description

Source Device IP IP address of the device that sent these log messages

Source User User ID of the source device

Source IP IP address of the device originating the connection






URL URL requested

Status HTTP result codes



User Agent

Referred By

Count Number of syslog messages received for this connection and status code

172 User Guide

Generating Real-Time Reports : Operational Reports

Operational ReportsTo search for and generate reports on information about syslog messages on log sources, use Event Logs reports.

The Report Information tab that appears when you click on home: Reports > Operational lists which reports are available for each log source.

To access Event Logs reports

Choose home: Reports > Operational report-name from the navigation menu, where report-name is any one of following reports:


Optional filter operators are different for each Event Logs report, and explained in their respective sections.


Table 66 Operational Reports


All Unparsed Events

Use the All Unparsed Events screen to search for and generate a report on unparsed syslog messages for selected devices.

page 174

Firewall Statistics Use the Firewall Statistics screen to search for and generate a report summarizing firewall syslog messages classified as security messages.

Total Message Count

Use the Total Message Count screen to search for and generate a report summarizing firewall or Nortel VPN device syslog messages classified as system messages.

Security Events Use the Security Events screen to search for and generate a report on firewall syslog messages classified as security messages.

page 177

System Events Use the System Events screen to search for and generate a report on firewall or Nortel VPN device syslog messages classified as system messages.

page 178

VPN Events Use the VPN Events screen to search for and generate a report on the number of Cisco VPN syslog messages that appear with the type called “System Type”.

page 179

User Guide 173


All Unparsed Events Reports

To search for and generate a report on syslog messages that are not parsed into the Security, System, or VPN Events reports, or into any other report table (for example, Authentication) for selected log sources during a specified time interval, use the All Unparsed Events Real-Time Report.

Menu path: home: Reports > Operational > All Unparsed Events

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report. Optional filter operators are not visible if you select the Boolean Search in the Search Filter criteria.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are all selected:


Table 67 All Unparsed Events Report Optional Filter Operators

Option Description

Source Device Description of the device that sent the log messages

Source Device IP IP address of the source device that sent the log messages

Facility Syslog facility associated with the message

Severity Severity code associated with the message

Count Number of times syslog messages were generated

174 User Guide


Firewall Statistics Reports

To search for and generate a summary report of event types and messages per firewall, for selected log sources during a specified time interval, use the All Unparsed Events Real-Time Report.

Menu path: home: Reports > Operational > Firewall Statistics




Table 68 Firewall Statistics Report Optional Filter Operators

Option Description


System Messages The number of system messages

Security Messages The number of security messages

Accepted Messages The number of accepted messages

Denied Messages The number of denied messages

Total Messages The total number of messages

User Guide 175


Total Message Count Reports

To search for and generate a summary report of log messages for selected log sources at a specified time interval, use the Total Message Count Report.

Menu path: home: Reports > Operational > Total Message Count




Table 69 Total Message Count Report Optional Filter Operators

Option Description

Time Time the syslog message was generated


Messages The total number of messages

176 User Guide


Security Events Reports

To search for and generate a report on firewall syslog messages classified as security messages for selected log sources during a specified time interval, use the Security Events Real-Time Report.

Menu path: home: Reports > Operational > Security Events




Table 70 Security Events Report Optional Filter Operators

Option Description

Source Device Description of the device originating the connection

Source Device IP IP address of the source device

Message Code Code number of the security message

Message Code Description

Description of the security message (Cisco PIX only)

Module Juniper Netscreen module name, that is, system (Juniper Firewall only)

Severity The severity codes are listed below:

0 Emergency: system is unusable

1 Alert: action must be taken immediately

2 Critical: critical conditions

3 Error: error conditions

4 Warning: warning conditions

5 Notice: normal but significant condition

6 Informational: informational messages

7 Debug: debug-level messages

(Juniper Firewall only)

Count Number of syslog messages classified as security messages generated

User Guide 177


System Events Reports

To search for and generate a report on firewall or Nortel VPN device syslog messages classified as system messages for selected log sources during a specified time interval, use the System Events Real-Time Report.

Menu path: home: Reports > Operational > System Events


Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. Optional filter operators are not visible if you select Boolean Search in the Search Filter criteria. By default, the following options are all selected:


Table 71 System Events Report Optional Filter Operators

Option Description


Source Device IP IP address of the source device that sent these log messages

Message Code Code number of the system message

Message Code Description

Description of the system message (Cisco PIX only)

Module Juniper Netscreen module name, that is, system (Juniper Firewall only)

Severity The severity codes are listed below:

0 Emergency: system is unusable

1 Alert: action must be taken immediately

2 Critical: critical conditions

3 Error: error conditions

4 Warning: warning conditions

5 Notice: normal but significant condition

6 Informational: informational messages

7 Debug: debug-level messages

(Juniper Firewall only)

Count Number of system messages received for the specified code

178 User Guide


VPN Events Reports

To search for and generate a report on Cisco VPN, CheckPoint VPN, Nortel VPN, or RADIUS syslog messages of the System Message type for selected log sources during a specified time interval, use the VPN Events Real-Time Report.

Menu path: home: Reports > Operational > VPN Events


By default, the following options are all selected:



Table 72 VPN Events Report Optional Filter Operators

Option Description

Time Time the syslog message was generated

Source Device IP address of the device originating the connection

Group VPN group name

User VPN user ID

Public IP Public IP address originating the VPN connection

Severity Severity Code associated with the message

Code Code number of the system message

Area Name of the defined VPN area

Detail Message Text of the syslog message

User Guide 179

Generating Real-Time Reports : Policy Reports

Policy ReportsTo search for and generate reports on information about policies that were exercised on a log source, use Policy reports.

The Report Information tab that appears when you click on home: Reports > Policy Reports lists which reports are available for each log source.

To access Policy Reports

Choose home: Reports > Policy Reports > report-name from the navigation menu, where report-name is one of:

Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports. Check Point Policy reports do not include the common options shared by other Real-Time Reports.

Optional filter operators are different for each Policy report, and explained in their respective sections.


Table 73 Policy Reports

Report Reports Provide Page

Check Point Policies The Check Point Policies report lists current Check Point Firewall policy rules on log sources connected to your Appliance.

page 181

Network Policies Use the Network Policies screen to search for and generate a report on the number of times a particular network policy has been exercised by a selected firewall device.

page 182

Rules/Policies Use the Rules/Policies screen to search for and generate a report on enforcement of a particular rule or policy by a selected firewall device.

page 183

180 User Guide


Check Point Policies Reports

To search for and generate a report listing current Check Point Firewall policy rules on log sources connected to your Appliance, use the Check Point Policy Real-Time Report.

Menu path: home: Reports > Policy Reports > Check Point Policy


Table 74 Check Point Policy Screen Elements

Element Description

LEA Server LEA servers connected to your system.

Package Security package that Check Point organizes for policy rules. For example, you can install one package on a firewall, but you can define several packages at the same time.

Rule Index Rule numbers (represents Check Point indices) the CPMI process retrieves. You can view Check Point policy rules only if you configured your LEA server to use auto discovery (CPMI).

Note: Rule 0 is not assigned by Check Point. It is assigned by LogLogic as a default for parsed messages that do not automatically have a rule number assigned by Check Point.

Rule Description for the rule.

User Guide 181


Network Policies Reports

To search for and generate a report on the number of times a particular network policy has been exercised by selected firewall log sources during a specified time interval, use the Network Policies Real-Time Report.

Menu path: home: Reports > Policy Reports > Network Policies


You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Log Source IP, Source IP, Destination IP, Destination Port, Signature, and Count:


Table 75 Network Policies Report Optional Filter Operators

Option Description

Log Source IP IP address of the device that sent these log messages

Source IP IP address of the device that exercised the policy

Source Port Port of source device



Protocol Protocol of the destination device

Signature Identifier of the policy

Classification Classification of the policy

Priority Priority of the policy

Count Number of times a policy was exercised

182 User Guide


Rules/Policies Reports

To search for and generate a report on information about enforcement of a particular rule or policy by selected firewall devices during a specified time interval, use the Rules/Policies Real-Time Report.

Menu path: home: Reports > Policy Reports > Rules/Policies


You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display all the following options:


Table 76 Rules/Policies Report Optional Filter Operators

Option Description

Interface Name (or IP address) of the network interface that enforced the policy

Rule Rule number that was enforced (Check Point Interface only)

Policy Policy number that was enforced

Type Type of rule/policy that was enforced

Messages Number of messages received representing this policy

Bar Graph Number of messages received expressed as a bar graph

Percentage Number of messages received expressed as a percentage

Package Security policy package (Check Point Interface only)

Rule Description Displays Rule Details: Source, Destination, Service Description and Rule Actions: Permit, Deny, etc. (Check Point Interface only)

User Guide 183

Generating Real-Time Reports : All Saved Reports

All Saved ReportsThe All Saved Reports screen displays a list of all saved reports for specific types of data based on search expressions and time intervals you have defined and saved in the past. All saved searches and types, such as Index Search, RegEx Search, Index Report, etc., that are stored in the system are visible on this page as shown below.

Figure 110 All Saved Reports

You may click the Run icon and regenerate the report with a different time range, or click the Edit icon and change the saved report parameters before rerunning the report. All options are available, not just the ones originally selected. You may customize the new report using new filters and wildcards. You can also filter the list of saved reports displayed by title or by typing a key word from the report title in the Find field and pressing Enter. The key word or words will be highlighted in the resulting list. To restore the full list of saved reports, clear the Find field and press Enter again.

For more information on saving the generated report, see Saving a Generated Report on page 118.

184 User Guide

Setting User Preferences : Viewing Your LogApp Account

CHAPTER 7:

Setting User Preferences

The admin tab on the home page allows you to set values for your Account Information, System Preferences, and to Change Password.

Contents

Viewing Your LogApp Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

Changing Login Landing Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Changing LogApp Account Password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

Viewing Your LogApp Account

To view your LogApp Account

1. Choose admin from the home page.

Figure 111 admin Menu

2. Review and accept or change the default settings as explained in Table 77 on page 186.

User Guide 185

Setting User Preferences : Changing Login Landing Page

Table 77 Account Options

3. Click Save.

Changing Login Landing PageThe Login Landing Page (Home) appears immediately upon logging in to the LMI Appliance. By default the LogLogic Overview Welcome screen is displayed. However, you can change your landing page at anytime.

To change your login landing page


2. Click the down arrow next to Login landing page and select the page among these other landing page options: My Dashboard, System Status, Triggered Alerts, Index Search, All Saved Reports, and All Saved Searches.

Element Description

Account Information

User Login The login name of the current user. This can be reset by the system administrator or user.

Email Address The email address of the current user. This can be reset by the system administrator or user.

System Preferences

Rows per Page The number of rows that display in each report page. Can be set from 10 to 1000 rows by user.

Page Refresh Rate The page refresh rate in seconds. Can be set from 30 to 600 seconds by user.

Emailed Chart Size The number of segments in display charts. Can be set from 3 to 30 segments by user.

Session Timeout Session Timeout can be set from 5 to 300 minutes by user. The default is 300 minutes (5 hours).

Enable Multiline View

Checking this checkbox enables display of multiple lines in PDF and HTML reports.

Login Landing Page The page that appears immediately after logging into the LMI Appliance. You can change this at any time. For instructions, see Changing Login Landing Page on page 186.

186 User Guide

Setting User Preferences : Changing LogApp Account Password

Figure 112 Your LogApp Account - Login Landing Page

3. Click Save.

The next time you login to the Appliance, the alternate home page that you selected in this step will be displayed. You can change this destination at anytime.

Changing LogApp Account PasswordYou can change your password at any time.

To change your password


2. Click the Change Password button.

The Change Password dialog box appears. It displays date of last password update.

User Guide 187

Setting User Preferences : Changing LogApp Account Password

Figure 113 Your LogApp Account - Change Password

3. In the Current Password field, enter your current password.

4. In the New Password field, enter your new password. Note the password requirements specified on the window.

5. In the Confirm New Password field, enter your new password again for verification.

188 User Guide

Syslog Host Field Character Sets : Syslog Header Character Sets

APPENDIX A:

Syslog Host Field Character Sets

This appendix describes the acceptable character sets in an ASCII syslog header.

Syslog Header Character Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

Syslog Header Character SetsTable 78 lists and describes the acceptable characters in an ASCII syslog header.

Table 78 Acceptable Alpha/Numeric Character Sets

Character Descriptions Examples

Alpha chars, upper or lower case A-Z and a-z

Numbers 0-9

Punctuation at @

underscore _

period .

backslash /

colon :

asterisk *

brackets [ ]

parenthesis ( )

plus +

minus -

space

tab

User Guide 189

Syslog Host Field Character Sets : Exceptions

ExceptionsThe following exceptions are noted for ASCII syslog headers:

Some Unix/Linux syslog messages have a path in the process name. That is taken care of by looking for a leading backslash (/) and any number of the following characters:

Alpha characters, upper or lower case

A-Z

a-z

The numbers 0-9

Punctuation including:

underscore _

period .

dash -

Space and tab use depends on the log source. Some log sources have spaces at the point right before the log source target string is found. Others have only a tab. Specifically:

Windows messages require a space before the target string.

Cisco VPN3000 requires a tab.

190 User Guide

User Guide

Index

AAccepted Connections

Real-Time report 162Access Control

Real-Time report 130Active FW Connections

Real-Time report 163Active VPN Connections

Real-Time report 164alert receivers

defining alert 112Alert Viewer

using 105viewing alerts 105

Alert Widgets 42alerts

about 105adding 109managing 107modifying 113parsed data alert 112removing 113selecting types 109tab description 108

All Database EventsReal-Time report 138, 144

All Unparsed EventsReal-Time report 174, 175, 176

appliancesintroducing 11system status 17

Application DistributionReal-Time report 165

BBoolean expression, entering 62

Cchange LogApp account password 187change Login Landing Page 186Check Point Policy

Real-Time report 181

tab description 181using 181

clipboardadding a new 76index search 76

configuring result settings 68Connectivity

Real-Time report 161considerations 9conventions 9CPU Usage

tab description 26viewing 25

DDashboard 32Dashboard settings 49Database Access

Real-Time report 139Database Activity

Real-Time report 137Database Data Access report 140Database Privilege Modifications

Real-Time report 141Database System Modifications

Real-Time report 142Denied Connections

Real-Time report 166devices

defining alert 111

Eelements 9Event Logs

Real-Time reports 173examples

index search 62exceptions

syslog header 190Exchange 2000/03 SMTP Activity 156Exchange 2000/03 SMTP Activity Report 157expressions

191

192

INDEX

index search, entering 62

Ffilters

saving index search 76Finished Search


FTP ConnectionsReal-Time report 167

Ggroups

global, in regex search 82

IIBM i5/OS Activity Reports

Real-Time report 143IDS

Real-Time report 154, 155IDS Activity

Real-Time report 155index report 98Index Search

saving as a filter 75index search 61, 97

adding a new clipboard for 76clipboard 76Clipboard tab 76configure results settings 68examples 62filter, reusing 76filters 76manage results 70narrowing the scope 63results 66results, viewing in context 71running 62Search Filters tab 76Search History tab 74Search Results tab 66using 61using history 74viewing trends 73

index search expression rules 61

index search filters 76

Llog message, viewing in context 71log messages

deleting clipped 78viewing or editing 77

Log Source Statustab description 28viewing 26

Login Landing Page 186LogLogic product families 13LX appliances 13

MMail Activity

Real-Time report 156, 157, 159Mail Delay

Real-Time report 158Mail Size

Real-Time report 160Manage Widgets 33

Alerts 42Summary 35System 46Trend 38

management stationviewing system status 21

managing search results 70message rate

viewing 24MX appliances 14My Dashboard 32

Nnavigation menu 11network infrastructure 15Network Policies


PParameterized Pre-defined Regular Expression

Search Filters 91parsed data alerts 112Pending Search

User Guide

User Guide

INDEX


Permission ModificationReal-Time report 131

placeholders 9Policy reports

Real-Time report 180product families 13

RReal-Time reports

about 115Access Control reports 130common options 116Connectivity reports 161Database Activity reports 137event logs 173generating 116IBM i5/OS activity reports 143IDS reports 154Mail Activity reports 156Policy reports 180

Real-Time Viewercreating reports 51Log Messages screen 56saving reports 51using 51

Recent Messagestab description 30viewing 30

regular expression (regex) search 81view pending searches 83view running searches 83

related documents 7results

index search, index searchIn Context tab 71

rules, index search expression 61Rules/Policies

Real-Time report 183Running Search

using 83

Sscope

narrowing on index search 63

screen output 9search

about 59all index searches 97features overview 60index report 98index search 61index, running 62regular expression (regex) 81viewing search information 116

Search Filtersadding new 85modifying 94overview 84tab description 84

Search IP Addresssaving a report 82

Security EventsReal-Time report 177

ST appliances 14Summary Widgets 35Syslog Header character sets 189System Events

Real-Time report 178System Object Access

Real-Time report 146system prompts 9system status

viewing 17viewing (management station) 21

System Widgets 46

TTrend Widgets 38trends

viewing 73

UUnapproved Messages

tab description 29viewing 29

User AccessReal-Time report 132

User Access By ConnectionReal-Time report 148

User Actions

193

194

INDEX

Real-Time report 150User Authentication

Real-Time report 133User Jobs

Real-Time report 152User Last Activity

Real-Time report 135user roles 11users

defining alert 112Users Created/Denied


Vview LogApp account 185viewing

clipped log messages 77log message in context 71

viewing in context 71viewing search results 66VPN Access

Real-Time reports 168VPN Events

Real-Time report 179VPN Sessions

Real-Time report 169VPN/RADIUS Top Lists


WWeb Cache

Real-Time report 171Web Surfing

Real-Time report 172Widgets 32Window Events


User Guide