
LogLogic, Inc. Proprietary and Confidential

LogLogic

Users Guide

Software Release: 5.1

Document release: December 2010

Part No: LL41000-00E05100000

This manual supports LogLogic software release 5.1 and above releases until replaced by a newer edition.


LogLogic, Inc.

110 Rose Orchard Way, Suite 200, San Jose, CA 95134

Tel: +1 408 215 5900

Fax: +1 408 774 1752

U.S. Toll Free: 888 347 3883

Email: [email protected]

www.loglogic.com

© 2004 — 2010 LogLogic, Inc.

Proprietary Information

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.

Trademarks

"LogLogic" and the LogLogic logo are trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

Contents

Preface: About This Guide
  Related Documents . . . 7
  Technical Support . . . 8
  Documentation Support . . . 8
  Conventions . . . 9

Chapter 1: Using LogLogic Appliances
  LogLogic Appliance Overview . . . 11
  Appliance User Functions . . . 11
  LogLogic Product Families . . . 19
    LogLogic LX Product Family . . . 19
      LX Benefits . . . 19
    LogLogic MA Product Family . . . 20
      MA Benefits . . . 20
    LogLogic MX Product Family . . . 20
      MX Benefits . . . 20
    LogLogic ST Product Family . . . 21
      ST Benefits . . . 21
    Scalable Infrastructure . . . 21

Chapter 2: Viewing Dashboards
  Viewing System Status . . . 23
    Viewing Multiple Systems Status (Management Station) . . . 27
    Viewing Message Rate . . . 30
    Viewing CPU Usage . . . 31
  Viewing Log Source Status . . . 32
    Viewing Unapproved Messages . . . 35
    Viewing Recent Messages . . . 36
  Viewing Log Source Data Trend . . . 37
  Managing Your Dashboard . . . 38
    Widget Types . . . 38
    About My Dashboard . . . 38
    Managing Widgets . . . 39
      Managing Summary Widgets . . . 41
      Managing Trend Widgets . . . 44
      Managing Alert Widgets . . . 48
      Managing System Widgets . . . 52
    Defining your Dashboard Canvas Settings . . . 55

Chapter 3: Viewing Real Time Log Messages
  Accessing and Selecting Real Time Messages to View . . . 57
  Viewing Log Messages in Real Time . . . 61

Chapter 4: Searching Collected Log Messages
  Search Overview . . . 63
  Using and Creating All Index Reports . . . 65
  Using Index Search . . . 71
    Search Expression Rules . . . 71
    Running an Index Search . . . 72
      Selecting Specific Log Sources . . . 72
      Select Time Frame for an Index Search . . . 75
    Using the Search Results Tab . . . 76
      Viewing Index Search Results . . . 76
      Configuring Search Results Settings . . . 77
      Managing Search Results . . . 80
      Viewing Index Search Results In Context . . . 81
      Saving Search Results . . . 81
      Viewing Trends . . . 83
    Using the Search History Tab . . . 84
      Saving an Index Search as a Filter . . . 84
      Running a Previously Saved Search Expression . . . 85
    Using the Search Filters Tab . . . 85
    Using the Clipboard Tab . . . 86
      Adding a New Clipboard . . . 86
      Viewing or Editing Clipped Messages . . . 87
      Deleting Clipped Messages . . . 88
  Tag-Based Searches Using the Tag Picker Interface . . . 89
  Using Regular Expression Search . . . 91
    Viewing Pending and Running Searches . . . 93
      Viewing Running Searches . . . 93
      Viewing Pending Searches . . . 93
    Viewing RegEx Search Results . . . 94
      Viewing Finished Searches . . . 94
  Using Search Filters . . . 94
    Adding a Search Filter . . . 95
    Search Filter Options . . . 96
      Use Words . . . 97
      Use Exact Phrase . . . 97
      Regular Expression . . . 97
      Boolean Expression . . . 98
    Putting Your Logins Search Filter to Work . . . 98
    Adding Additional Parameters to a Pre-Defined Regular Expression Search Filter . . . 101
    Modifying a Search Filter . . . 104
  Viewing Archived Data . . . 107
    Viewing Archived Data Files . . . 107
    Verifying the SHA Digest on Data Files . . . 108
    Listing Archived Passive (Non-Parseable) Files . . . 109

Chapter 5: Creating and Managing Alerts
  Viewing and Handling Alerts . . . 111
  Managing Alerts . . . 113
    Preconfigured System Alerts . . . 114
  Adding a New Alert . . . 114
    Parsed Data Alerts . . . 117
  Modifying or Removing An Alert . . . 118

Chapter 6: Generating Real-Time Reports
  Preparing a Real-Time Report . . . 120
    Select a Source or Sources and Search Filters . . . 120
    Schedule and Run a Report . . . 120
    Resize & Move Columns, Create Charts, Print and Download a Report . . . 121
    Modify Report Settings and Schedule . . . 121
    Saving a Generated Report . . . 122
    Rerunning a Saved Report . . . 122
    Generating a Report—An Example . . . 122
  Available Operators . . . 133
  Access Control Reports . . . 135
    Permission Modification Reports . . . 136
    User Access Reports . . . 137
    User Authentication Reports . . . 138
    User Created/Deleted Reports . . . 139
    User Last Activity Reports . . . 140
    Windows Events Reports . . . 141
  Network Activity Reports . . . 142
    Accepted Connections Reports . . . 143
    Active FW Connections Reports . . . 144
    Active VPN Connections Reports . . . 145
    Application Distribution Reports . . . 146
    Denied Connections Reports . . . 147
    FTP Connections Reports . . . 148
    VPN Access Reports . . . 149
    VPN Sessions Reports . . . 150
    VPN Top Lists Reports . . . 151
    Web Cache Activity Reports . . . 152
    Web Surfing Activity Report . . . 153
  Database Activity Reports . . . 154
    All Database Events Reports . . . 155
    Database Access . . . 156
    Database Data Access . . . 157
    Database Privilege Modifications . . . 158
    Database System Modifications . . . 159
  Operational Reports . . . 160
    All Unparsed Events . . . 161
    Security Events Reports . . . 162
    System Events Reports . . . 163
    VPN Events Reports . . . 164
  IBM i5/OS Activity Reports . . . 165
    All Log Entry Types Reports . . . 166
    System Object Access Reports . . . 166
    User Access By Connection Reports . . . 167
    User Actions Reports . . . 167
    User Jobs Reports . . . 167
  Threat Management Reports . . . 168
    IDS/IPS Activity . . . 168
  Mail Activity Reports . . . 169
    Mail Activity Reports . . . 170
    Mail Delay Reports . . . 171
    Mail Size Reports . . . 172
    Exchange 2000/03 SMTP . . . 173
  Policy Reports . . . 174
    Rules/Policies Reports . . . 175
    Check Point Policies Reports . . . 176
    Network Policies Reports . . . 177

Chapter 7: Message Signatures
  Creating Message Signatures . . . 179

Chapter 8: Tag Catalog
  Field Tags . . . 185
  Event Types . . . 187

Chapter 9: Dynamic Groups
  Add Device Group . . . 189

Chapter 10: Setting User Preferences
  Viewing Your LogApp Account . . . 193
  Changing Login Landing Page . . . 194
  Changing LogApp Account Password . . . 195

Appendix A: Syslog Host Field Character Sets
  Syslog Header Character Sets . . . 197
  Exceptions . . . 198

Index

PREFACE

About This Guide

The LogLogic Users Guide is an operational guide for the LogLogic Appliances. It covers topics related to managing reports, managing alerts, and performing searches to manage and use the log data collected and aggregated from all types of source systems in your enterprise.

Related Documents

The LogLogic documentation is available on the Solutions CD or on the LogLogic Technical Support website – www.loglogic.com/services/support. The documentation includes Portable Document Format (PDF) files and Online Help accessible from the LogLogic user interface.

To read the PDF documentation, you need a PDF file viewer such as Adobe Acrobat Reader. You can download the Adobe Acrobat Reader at http://www.adobe.com.

The following documents contain additional information about the LogLogic Appliances:

LogLogic Release Notes — Provides information specific to the release including product information, new features and functionality, resolved issues, known issues and any late-breaking information. Check the LogLogic support web site periodically for further updates.

LogLogic Upgrade Guide — Describes how to upgrade the LogLogic Appliance software.

LogLogic Quick Start Guide — Describes how to get started with your LogLogic Appliance. In addition, the guide includes details about the Appliance hardware.

LogLogic LX 2010N Quick Start Guide — Describes how to get started with the LogLogic LX 2010N NEBS-compliant Appliance, and includes details about the Appliance hardware.

LogLogic Administration Guide — Describes how to administer the LogLogic solution including managing users, managing log data storage, and managing new log sources (devices).

LogLogic Management Appliance Guide — Describes how to manage multiple distributed Appliances using an MA 2010 Appliance.

LogLogic Log Source Configuration Guides — Describe how to support log data from various log sources. There is a separate manual for each supported log source. These documents include documentation on LogLogic Collectors as well as documentation on how to configure log sources to work with the LogLogic solution.

LogLogic Collector Guides — Describe how to implement support for using a LogLogic Collector for specific log sources such as IBM i5/OS and ISS Site Protector.


LogLogic Web Services API Implementation Guide — Describes how to implement the LogLogic Web Services APIs to manage reports, manage alerts, perform searches, and administer the system.

LogLogic Syslog Alert Message Format Quick Reference Guide — Describes the LogLogic Syslog alert message format.

LogLogic Online Help — Describes the Appliance user interface, including descriptions for each screen, tab, and element in the Appliance.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.

To reach the LogLogic Support team:

Telephone:

Toll Free: 1-800-957-LOGS

Local: 1-408-834-7480

Europe, Middle East, Africa (EMEA) or Asia Pacific (APAC): +44 (0) 207 1170075 or +44 (0) 8000 669970

Email: [email protected]

Support Website: www.loglogic.com/services/support

When contacting Customer Support, be prepared to provide the following information:

Your name, e-mail address, phone number, and fax number

Your company name and company address

Your machine type and release version

Serial number located on the back of the Appliance or the eth0 MAC address

A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send e-mail to [email protected] if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team.

In your e-mail message, please indicate the software name and version you are using, as well as the title and document date of your documentation.


Conventions

LogLogic documentation uses the following conventions:

Caution: Highlights important situations that could potentially damage data or cause system failure.

IMPORTANT! Highlights key considerations to keep in mind.

Note: Provides additional information that is useful but not always essential.

Tip: Highlights guidelines and helpful hints.

This guide also uses the following conventions to highlight code and command-line elements:

Monospace is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as file names, directories, paths, and URLs).

Monospace bold is used to distinguish system prompts or screen output from user responses, as in this example:

username: system

home directory: home\app

Monospace italic is used for placeholders, which are general names that you replace with names specific to your site, as in this example:

LogLogic_home_directory\upgrade\

Straight brackets signal options in command-line syntax.

ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path ...]


CHAPTER 1:

Using LogLogic Appliances

LogLogic Appliance Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Appliance User Functions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

LogLogic Product Families . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

LogLogic Appliance Overview

Log data can comprise up to 25 percent of all enterprise data. Log data also contains critical information that can improve security, compliance and availability. Until now most companies have relied on ineffective and inefficient homegrown solutions and manual processes to manage this data.

LogLogic provides the industry's first enterprise class, end-to-end log management solution. Using LogLogic log management solutions, IT organizations can analyze and archive network log data for compliance and legal protection, for decision support during network security remediation, and for increased network performance and improved availability.

LogLogic log management Appliances simplify, automate, and reduce the cost of log data aggregation and retention, eliminating the need for servers, tape libraries, and archival administrators. If the network grows, simply rack and stack additional Appliances as needed.

Appliance User Functions

There are two primary user types on a LogLogic Appliance:

User – monitors Appliance operations, runs searches, manages alerts, and creates and runs reports based on collected data

Administrator – configures and maintains the Appliance itself, including managing log sources, user accounts, Appliance configurations, running backups, and more

Depending on access permissions, a user can perform User functions, Administrator functions, or both. This manual describes User tasks and functions. For Administrator information, see the LogLogic Administration Guide.

Release 5.0 introduces a new GUI for the LogLogic Appliance. Reports, Search, and Alert functions can be opened by clicking their respective icons on the home page or by clicking their buttons on the top menu on the home page. See Figure 1 on page 12.

Dashboard, Management, and Administration functions for the Appliance are opened by clicking their buttons on the top menu on the home page. See Figure 2 on page 13.

Online Help can be opened by clicking the Help button on any page. Brief video tutorials provide tips and guidance by example for many new LogLogic features. Tutorials can be accessed from the home page and from certain application pages. Familiarize yourself with LogLogic 5 by viewing the tutorials presented on the New Features Overview page.


Figure 1 LogLogic Appliance Home Page

The Appliance GUI provides access to all Administrator and User functions. Administrators can perform all functions on the Appliance, while Users are limited to the functions that have been assigned to them by the System Administrator.

Note: The functions in the navigation menu vary depending on the Appliance product family. For example, an ST Appliance displays fewer options than the LX Appliance because certain features are not available on ST Appliances. In addition, Database Activity (under Reports > Database Activity) may show different entries, depending on the Log Source Packages (LSPs) installed.

Note: For all text fields throughout the UI, null is not a valid entry.


Figure 2 Dashboards – System Status

In addition to documentation, the LogLogic Appliance is supported by comprehensive, context-sensitive online Help, which can be opened from any UI page in the application. Clicking the question mark (?) opens Help for the particular tab that is highlighted – in this case, System Status. Clicking the word Help (above the question mark) opens the entire online Help repository, plus a Table of Contents, an Index, and a Search function within Help. Take a moment to explore Help to discover the rich content offered there.

Figure 3 shows the various Reports categories and subcategories.

Figure 3 Reports Menu

Figure 4 shows the Reports Access Control templates.

Figure 4 Reports Menu – Templates

Figure 5 shows the Search menu options.

Figure 5 Search Menu

Figure 6 shows the Alerts menu options.

Figure 6 Alerts Menu

Figure 7 shows the Management menu options.

Figure 7 Management Menu

Figure 8 shows the Administration menu options.

Figure 8 Administration Menu

Figure 9 shows the admin menu.

Figure 9 admin Menu

LogLogic Product Families

LogLogic offers six families of products to provide better, faster and smarter log management, database security, and regulatory compliance solutions to corporations:

LogLogic LX Appliances are purpose-built Appliances for real-time log data collection and analysis. These Appliances slash response times to network security and utilization incidents, boost IT productivity, and reduce the corporate cost of security and performance event remediation.

LogLogic MA Appliances provide centralized management of multiple remote LogLogic Appliances. These Appliances let you monitor multiple Appliances at once, to view alerts for managed Appliances, generate reports on individual or all managed Appliances, and to remotely administer managed Appliances.

LogLogic MX Appliances perform real-time log data collection and analysis ideal for mid-size and large companies. These Appliances slash response times to network security and utilization incidents, boost IT productivity, and are optimized to provide for log data needs in a non-enterprise environment.

LogLogic ST Appliances automate the entire log data archival process, minimizing administration costs while providing more secure log data capture and retention.

LogLogic DSM Appliances give IT security personnel full visibility into user activity on all monitored databases. Users can create custom policies to detect security violations or use out-of-the-box rules to protect against SQL injection, buffer overflow, privilege escalation attacks, and more.

LogLogic Compliance Manager Appliances bring visibility of compliance activity metrics to CIOs and CSOs, and control over activities to the compliance team, permitting them to proactively review the compliance timeliness and compliance posture mandated by Sarbanes-Oxley (SOX) and the Payment Card Industry Data Security Standard (PCI-DSS).

LogLogic Appliances provide the highest log collection and analysis performance amongst all log management vendors. Log events are received and indexed in real-time. The LogLogic Appliances have clearly stated metrics that cannot be matched.

LogLogic LX Product Family

Featuring a parallel processing architecture, the LX 510, LX 820, LX 1020, LX 2010 and LX 4020 Appliances centralize log data collection and retention by simultaneously processing raw log data and metalog data at any volume. Distributed real-time reporting and targeted queries let administrators take immediate action on network issues from a centralized management console.

These Appliances help enterprises harness the power of log data for a safer, more reliable network, while reducing corporate IT costs and providing rapid return on investment.

LX Benefits

LX product family Appliances offer the following benefits:

Real-Time Reports, ad-hoc queries and fast drill downs to speed up identification, isolation and repair of security and network incidents

Non-disruptive installation and plug-and-play operation: no changes to network configurations, no integration with other systems, no training required, available in minutes

Self-maintaining, embedded database technology that eliminates the need for DB administration

To view photographs of the LX Appliance layout, see the LogLogic Quick Start Guide.

LogLogic MA Product Family

MA 1020 and MA 2010 Appliances provide centralized management of multiple distributed LogLogic Appliances (referred to on an MA Appliance as remote products). From a Management Appliance, you can monitor and manage remote products, receive alerts, and search log data collected by the managed Appliances.

These Appliances are ideal for enterprise environments where multiple LogLogic Appliances are distributed in multiple remote locations, and a single centralized view of all the Appliances is needed.

MA Benefits

MA product family Appliances offer the following benefits:

High-level health and status information for all remote LogLogic Appliances

Improved user interface for monitoring remote Appliances

System Alerts from remote Appliances and their log sources

To view photographs of the MA Appliance layout, see the LogLogic Quick Start Guide.

For more information on how to set up, configure, and use the MA to monitor and manage remote products, see the LogLogic Management Appliance Guide.

LogLogic MX Product Family

MX 2010 and MX 3020 Appliances centralize log data collection and retention by simultaneously processing raw log data and metalog data at any volume. Designed specifically for mid-size and large companies, MX Appliances provide the disk space and processing power required for most non-enterprise environments.

MX Appliance features support the need to harness the power of log data for a safer, more reliable network, while reducing corporate IT costs and providing rapid return on investment. MX Appliances are designed for installations where data must be retained longer than LX Appliances provide, but where enterprise features such as failover and managing other log Appliances are not required.

MX Benefits

MX product family Appliances offer the following benefits:

Real-Time Reports, ad-hoc queries and fast drill downs to speed up identification, isolation and repair of security and network incidents

Features and specifications targeted specifically to mid-size and large companies

Self-maintaining, embedded database technology that eliminates the need for DB administration

To view photographs of the MX Appliance layout, see the LogLogic Quick Start Guide.

LogLogic ST Product Family

Available in compact, rack-mountable systems with up to 8 terabytes of compressed on-board storage and interfaces to NAS devices, the ST 1020, ST 2010, ST 3010, and ST 4020 Appliances archive up to 2 years of log data while eliminating the need for servers, tape libraries, and archive administrators.

The ST 2020-SAN (Storage Attached Network) product offers potentially unlimited archive storage.

When used with LogLogic's LX Appliances, ST Appliances guarantee complete and accurate transmission of network equipment logs from anywhere on the enterprise WAN or LAN. ST Appliances feature an n-Tier architecture controlled by a management console that centralizes long-term log data archival while allowing for distributed log analysis and broader data accessibility.

ST Benefits

ST product family Appliances offer the following benefits:

High volume log data aggregation from centralized and remote log data sources

Long-term retention of unaltered, complete, raw log messages at a secure, central location to make archives unimpeachable

Distributed architecture of remote collection and central storage make log data collection and retention infinitely scalable

To view photographs of the ST Appliance layout, see the LogLogic Quick Start Guide.

Scalable Infrastructure

The scalable LogLogic network infrastructure significantly accelerates response time to data center security and availability events, while providing complete log data archives for compliance and legal protection. LogLogic Appliances make log data in enterprise networks truly useful for the first time, improving corporate security, compliance and network availability, while reducing IT costs and costly network downtime, and improving corporate return on IT investment.

CHAPTER 2:

Viewing Dashboards

LogLogic Appliances let you monitor a large variety of data to observe the system’s status:

Viewing System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Viewing Multiple Systems Status (Management Station) . . . . . . . . . . . . . . . . . . . . . . . 27

Viewing Log Source Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Viewing Log Source Data Trend . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Managing Your Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Viewing System Status

The System Status tab displays a condensed view of the Appliance's current state, showing current message rate, CPU utilization, database size, alerts, and total message counts.

After you log in to the Appliance, the System Status tab is the default display. An example of the tab is shown in Figure 10 on page 24.

To view system status

1. Choose Dashboards > System Status from the navigation menu.

2. View the following sections on the System Status tab for information about your Appliance’s system status:

Current Message Rate

New Alerts

Disk Usage

CPU Usage

Message Counters

Detailed descriptions for each section are documented in Table 1 on page 24.

3. On LX 510, LX 820, LX 1020, LX 2010, LX 4020, MX 2010, MX 3020, ST 1020, ST 2010, ST 2020-SAN, LX 3010 and ST 4020 Appliances:

Click to expand or collapse a section to display an expanded or condensed version of the section’s status information.

4. Optionally, click the Message Rate tab for a larger view of this graph.

For more information, see Viewing Message Rate on page 30.

5. Optionally, click the CPU Usage graph or the CPU Usage tab for a larger version of this graph.

For more information, see Viewing CPU Usage on page 31.

6. Click to update the system status information for your Appliance.

Figure 10 Dashboards – System Status Tab

Table 1 System Status Tab Elements

Element: Description

General information

Uptime: Continuous running time since the last reboot of the Appliance.

Date/Time: Date and time set on the Appliance.

Software Version: LogLogic software release running on the Appliance.

Failover (not visible unless issues are present): Status of the Management Station cluster’s master and standby Appliances. If issues exist, they are indicated through flags:

C : Cluster_id mismatch

A : Appliance model mismatch

V : Software version mismatch

E : Eligible

H : HA mode

X : eXcluded

O : Out-of-cluster

M : Master

S : Standby

For example, the failover status line Failover: master 10.1.4.6 (wait), standby 10.1.4.7 (flags:__V/EHX/O) means the master is waiting for the standby, and the standby is running the wrong software version, is configured for failover, is eligible for HA, but is excluded, and (as a result of the version mismatch) is out of cluster.

IMPORTANT! Once two Appliances are HA paired, no network settings should be changed.

System Status sections

Current Message Rate: Measured messages per second rate for the last 1, 5, and 15 minute time segments.

Click the 1 MIN, 5 MIN, or 15 MIN heading links to change the Message Rate Graph time scale to 2 hour, 12 hour, and 24 hour time scales, respectively.

When LogLogic TCP is used to route logs to the Appliance, this graph displays spikes of activity every 5 minutes rather than a steady line. This is because LogLogic TCP transfers data in regularly recurring chunks that are merged on the Appliance, not as a continuous stream.

Message Rate Graph (Message Rate tab): Recent message rate over 1, 5, and 15 minute time segments.

The pink line represents the average number of messages per time segment.

The blue line represents the real-time incoming message rate for your Appliance.

The red line appears when inbound traffic exceeds the preset threshold.

Click the Message Rate tab for a larger view of this graph.

New Alerts (LX/MX only): Number of active alerts over 1, 6, and 12 hour periods, categorized by priority.

Disk Usage: Current database usage relative to the table space allocation. Because Free and Total available space are listed, this is helpful for calculating data retention timetables.

CPU Usage: Current CPU utilization for the last 1, 5, and 15 minute time segments.

Click the 1, 5, and 15 minute headings to change the CPU Usage Graph time scale to 2, 12, and 24 hour time scales, respectively.

CPU Usage Graph: Percent CPU utilization over 1, 5, and 15 minute time segments.

Click the CPU Usage Graph or the CPU Usage tab for a larger version of this graph.

Message Counters: Statistics on each message category stored in the Appliance since the last boot. Each count is also shown as a percentage of the total number of messages received. This is useful in calculating data retention settings and maximum syslog message rates.

Message categories:

Total Received—Total number of incoming messages for all categories.

Processed—Total number of messages received and parsed into the database.

Unapproved—Messages received from a log source that is not in the Manage Devices table. These messages are discarded. The most recent 100 messages are accessible from the Data Sources screen. (If auto-identify is on, all messages are auto-identified and no messages are unapproved.)

Skipped—Total number of messages ignored by the Appliance due to a syntactic flaw in the message.

Dropped—Total number of messages recognized but not processed due to network congestion or a corrupted syslog message.

The following appear only on LX and MX Appliances:

Total Parsed—Total number of incoming messages parsed for all categories.

Accepted IP—Total number of messages indicating successful connections through the firewall. For example, PIX® Message Numbers 302013-302016.

Denied IP—Total number of messages indicating access denied by the firewall. For example, PIX Message Numbers 106001, 106006, 106007, 106015, 106023.

Security—Total number of messages to be recorded in the Security Event Log report.

System—Total number of messages to be recorded in the System Event Log report.

Generic—Total number of flawed messages received from an approved source. These messages are discarded.

URL—Total number of messages to be recorded in the Web Surfing Activity report.

FTP—Total number of messages to be recorded in the FTP Connections report.

Auth/Access—Total number of messages to be recorded in the VPN Events report.

Other—Any message that is not included in the other listed categories.

Updates the system status information for your Appliance.
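The Failover element in Table 1 encodes cluster health as a compact flag string, which is easy to misread when it scrolls past in a monitoring script. The Python below is an added example, not code from the LogLogic guide or product, that parses a Failover status line of the form shown in Table 1 into per-member flags and lists the problem conditions in the legend's own wording. The line grammar (role, IP address, then either a bare state word or "flags:" plus the flag string) is an assumption generalised from the single example line; the split of flags into "problem" and "normal" sets is also the author's assumption for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Flag legend exactly as Table 1 lists it for the Failover element.
FLAG_LEGEND = {
    "C": "Cluster_id mismatch",
    "A": "Appliance model mismatch",
    "V": "Software version mismatch",
    "E": "Eligible",
    "H": "HA mode",
    "X": "eXcluded",
    "O": "Out-of-cluster",
    "M": "Master",
    "S": "Standby",
}

# Flags an operator should act on. Assumption (not stated in the guide): the
# three mismatch flags plus eXcluded and Out-of-cluster; E, H, M and S describe
# a normal cluster role rather than a fault.
PROBLEM_FLAGS = {"C", "A", "V", "X", "O"}


@dataclass
class MemberStatus:
    role: str                 # "master" or "standby"
    address: str              # IP address printed on the status line
    state: Optional[str]      # bare state word such as "wait", or None
    flags: Set[str] = field(default_factory=set)

    def problems(self) -> List[str]:
        """Legend names of the problem flags that are set, in letter order."""
        return [FLAG_LEGEND[f] for f in sorted(self.flags & PROBLEM_FLAGS)]


# One member looks like "<role> <ip> (<annotation>)". The annotation is either a
# bare state word ("wait") or "flags:" followed by the flag string. This grammar
# is an assumption generalised from the one example line in Table 1.
_MEMBER_RE = re.compile(
    r"\b(master|standby)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*\(([^)]*)\)"
)


def parse_flags(flag_str: str) -> Set[str]:
    """Turn '__V/EHX/O' into {'V', 'E', 'H', 'X', 'O'}.

    '_' marks an unset position and '/' separates the three flag groups
    (mismatch flags, membership flags, role flags). Unknown letters are
    rejected rather than silently ignored, so a changed format is noticed.
    """
    flags: Set[str] = set()
    for ch in flag_str.replace("/", ""):
        if ch == "_":
            continue
        if ch not in FLAG_LEGEND:
            raise ValueError(f"unknown failover flag {ch!r} in {flag_str!r}")
        flags.add(ch)
    return flags


def parse_failover_line(line: str) -> Dict[str, MemberStatus]:
    """Parse a Failover status line into a dict keyed by role."""
    if not line.startswith("Failover:"):
        raise ValueError("not a Failover status line")
    members: Dict[str, MemberStatus] = {}
    for role, addr, annotation in _MEMBER_RE.findall(line):
        if annotation.startswith("flags:"):
            members[role] = MemberStatus(role, addr, None, parse_flags(annotation[len("flags:"):]))
        else:
            members[role] = MemberStatus(role, addr, annotation.strip() or None)
    if set(members) != {"master", "standby"}:
        raise ValueError("status line must name both a master and a standby")
    return members


def summarize(line: str) -> List[str]:
    """One plain-text entry per state or problem found, using Table 1 wording."""
    out: List[str] = []
    for member in parse_failover_line(line).values():
        if member.state:
            out.append(f"{member.role} {member.address}: state {member.state}")
        for problem in member.problems():
            out.append(f"{member.role} {member.address}: {problem}")
    return out


if __name__ == "__main__":
    # The example line from Table 1 (the only sample the guide gives).
    EXAMPLE = "Failover: master 10.1.4.6 (wait), standby 10.1.4.7 (flags:__V/EHX/O)"
    for entry in summarize(EXAMPLE):
        print(entry)
```

Run stand-alone, the script prints the master's "wait" state followed by the three problem flags set on the standby (out of cluster, version mismatch, excluded), which matches the reading the table gives for that line.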

Viewing Multiple Systems Status (Management Station)

The Management Station System Status is the fastest way to view the condition and status of your Appliances as traffic flows through your system. You can use this information to report rapidly to the operations staff and to find out about syslog messages at any particular time. (See Figure 11.)

The System Status information uses a proprietary technology for optimizing and then collecting security data for immediate use. Administrators can monitor CPU usage when necessary to check for congestion.

Figure 11 Dashboards - Management Station Status

After you log in to the Appliance, the Dashboards > Management Station tab is the default display. An example of the tab is shown in Figure 12 on page 28.

To view system status using a Management Station

1. Choose Dashboards > Management Station from the navigation menu.

2. View the following sections on the Management Station tab for information about an Appliance’s status:

Message Statistics

Message Rate

New Alerts

Message Counters

For detailed descriptions of each section, see Table 2 on page 28.

3. Click to view updated status information for the Appliance.

Figure 12 Management Station Status Screen

Table 2 Management Station Screen Elements

Element: Description

General information

Software Version: Management Station Appliance’s software version.

Displays the Help topic for this tab.

Management Station sections

Appliances: Lists the Appliances in your Management Station cluster.

To view the System Status for an Appliance, click its name.

A green square indicates the Appliance is online.

A red square indicates the Appliance is offline.

A blank square indicates the Appliance entry is being updated.

Message Statistics: Displays the following message statistics:

Total, Processed, Dropped, Unapproved, and Skipped—Message processing information about each managed Appliance.

Click a number in these columns to change the displayed value to the nearest thousand, million, or billion.

Message Rate/Sec—Message rate, per second, by time segments of 1, 5, and 15 minutes.

Click the message rate values to set the Message Rate graph to 4, 12, and 24 hour timescales, respectively.

Time Skew—Time delta, in seconds, between the Management Station Appliance and each remote Appliance.

Message Rate Graph: Monitors the rate at which messages are passing through your Appliance.

The Message Rate graph displays the current message rate by time segments of 1, 5, and 15 minutes. For example, 1 min – 100 msgs/sec. On ST Appliances, the number of messages per second (xxx msgs/sec) for the Appliance is shown to the right of the minutes. This xxx value does not include messages that arrive via the LogLogic TCP protocol.

The pink line represents the average number of messages per time segment.

The blue line represents the real-time incoming message rate for your Appliance.

The red line appears when inbound traffic exceeds the preset threshold.

New Alerts: The number of activated alerts, by hour and priority (High, Medium, Low, All).

Click an alert value to show the Aggregated LX or MX Alert Log.

Message Counters: Statistics on each message category stored in the syslog database. Each count is also shown as a percentage of the total number of messages received. This is useful in calculating data retention settings and maximum syslog message rates.

The following is a list of message counters:

Total Received—Total number of incoming messages for all categories.

Processed—Total number of messages received and parsed into the database.

Skipped—Number of messages ignored by the Appliance due to a syslog message syntactic flaw.

Unapproved—Messages received from a log source that is not in the Manage Devices table. These messages are discarded. The most recent 100 messages are accessible from the Data Sources screen. (If auto-identify is on, all messages are auto-identified and no messages are unapproved.)

Dropped—Messages recognized but not processed due to network congestion or faulty syntax.

Updates the system status information for your Appliance.
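The Message Counters described in Table 1 and Table 2 are easier to interpret once you see how one received message ends up in exactly one bucket. The Python below is an added example, not code from the LogLogic guide or product: it models the counting rules the two tables state (a sender not in the Manage Devices table is Unapproved unless auto-identify is on, a syntactically flawed message is Skipped, everything else is Processed and then bucketed as Accepted IP or Denied IP by the PIX message numbers the guide lists, or Other). The sample traffic, the approved-source set, and the choice to treat a missing syslog PRI header as the "syntactic flaw" are the author's constructed assumptions; the Dropped counter (network congestion) is not modelled because it does not depend on message content.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Set, Tuple

# PIX message numbers the guide maps to the Accepted IP and Denied IP counters.
ACCEPTED_IP_IDS: Set[int] = set(range(302013, 302016 + 1))
DENIED_IP_IDS: Set[int] = {106001, 106006, 106007, 106015, 106023}

# RFC 3164 syslog PRI header "<n>" with n = facility*8 + severity, so n <= 191.
_PRI_RE = re.compile(r"^<(\d{1,3})>")
# "%PIX-<severity>-<6-digit message number>:" as embedded in PIX syslog text.
_PIX_RE = re.compile(r"%PIX-\d-(\d{6}):")


def classify(source_ip: str, payload: str, approved_sources: Set[str],
             auto_identify: bool = False) -> str:
    """Return the counter a single received message lands in.

    Order matters: the source check happens before any parsing, so an
    unapproved sender's message is discarded even if it is well formed.
    """
    if source_ip not in approved_sources and not auto_identify:
        return "Unapproved"
    pri = _PRI_RE.match(payload)
    if pri is None or int(pri.group(1)) > 191:
        return "Skipped"          # assumption: bad/missing PRI is the syntactic flaw
    pix = _PIX_RE.search(payload)
    if pix is not None:
        msg_id = int(pix.group(1))
        if msg_id in ACCEPTED_IP_IDS:
            return "Accepted IP"
        if msg_id in DENIED_IP_IDS:
            return "Denied IP"
    return "Other"


def count_messages(messages: Iterable[Tuple[str, str]], approved_sources: Set[str],
                   auto_identify: bool = False) -> Dict[str, int]:
    """Build the Message Counters block for a batch of (source_ip, payload)."""
    counters: Counter = Counter()
    for src, payload in messages:
        counters["Total Received"] += 1
        category = classify(src, payload, approved_sources, auto_identify)
        if category in ("Unapproved", "Skipped"):
            counters[category] += 1   # discarded, never reaches the database
            continue
        counters["Processed"] += 1    # parsed into the database
        counters[category] += 1
    return dict(counters)


def as_percent_of_total(counters: Dict[str, int]) -> Dict[str, float]:
    """The percentage view the dashboard shows beside each count."""
    total = counters.get("Total Received", 0)
    if total == 0:
        return {}
    return {k: round(100.0 * v / total, 1)
            for k, v in counters.items() if k != "Total Received"}


# Constructed sample traffic: one approved PIX firewall (10.0.0.1) and one host
# that is not in the Manage Devices table (192.0.2.99). Addresses and message
# text are made up for this example.
APPROVED: Set[str] = {"10.0.0.1"}
SAMPLE_MESSAGES = [
    ("10.0.0.1", "<134>Mar 10 12:00:01 fw1 %PIX-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.5/443 to inside:10.0.0.50/51234"),
    ("10.0.0.1", "<134>Mar 10 12:00:02 fw1 %PIX-6-302014: Teardown TCP connection 4711 for outside:203.0.113.5/443 to inside:10.0.0.50/51234 duration 0:00:01 bytes 2048 TCP FINs"),
    ("10.0.0.1", "<132>Mar 10 12:00:03 fw1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.50/22 by access-group \"outside_in\""),
    ("10.0.0.1", "<133>Mar 10 12:00:04 fw1 %PIX-5-111008: User 'admin' executed the 'write memory' command"),
    ("10.0.0.1", "Mar 10 12:00:05 fw1 %PIX-6-302015: Built outbound UDP connection 4712"),  # no PRI header
    ("192.0.2.99", "<134>Mar 10 12:00:06 rogue %PIX-6-302013: Built outbound TCP connection 1 for outside:203.0.113.9/80 to inside:10.0.0.60/40000"),
]

if __name__ == "__main__":
    counts = count_messages(SAMPLE_MESSAGES, APPROVED)
    pct = as_percent_of_total(counts)
    for name, value in sorted(counts.items()):
        print(f"{name:15s} {value:3d}  {pct.get(name, 100.0):5.1f}%")
```

Rerunning `count_messages` with `auto_identify=True` moves the message from 192.0.2.99 out of Unapproved and into Processed/Accepted IP, which is the behaviour the tables describe in their parenthetical about auto-identify; Processed never includes Skipped or Unapproved messages, so "Processed" plus the two discard counters always equals "Total Received" here.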

Viewing Message Rate

The Message Rate tab shows the number of messages processed by the Appliance over a 12-hour time period. An example of the tab is shown in Figure 13 on page 30.

To view the message rate of the Appliance

1. Choose Dashboards > System Status from the navigation menu.

2. Click the Message Rate tab to view the Message Rate graph.

3. If you are viewing a larger version of the Message Rate graph, click the back and forward buttons to display the number of messages during a specific time segment.

For additional information about the graph, see Table 3 on page 30.

4. Click to update the Message Rate graph.

Figure 13 Message Rate Tab

Table 3 Message Rate Tab Elements

Element: Description

Go back 12 hours.

Go back six hours.

Go forward 12 hours.

Go forward six hours.

Displays the corresponding Help topic.

Message Rate section

<blue line>: Real-time message traffic, which includes UDP syslog and/or raw TCP (SyslogNG) traffic.

<pink line>: Average rate of the incoming messages for the time segment shown.

<red line>: Appears when inbound traffic exceeds the preset threshold.

Updates the Message Rate graph.

Viewing CPU Usage

The CPU Usage tab contains a graph that shows CPU utilization as a percentage over a 12-hour time period. An example of the tab is shown in Figure 14.

To view the CPU usage

1. Choose Dashboards > System Status from the navigation menu.

2. View the CPU usage by doing one of the following in the System Status screen:

View the small graph in the CPU Usage section.

Click the small graph in the CPU Usage section to view a larger version of the graph.

Click the CPU Usage tab to view a larger version of the graph.

3. If you are viewing a larger version of the CPU Usage graph, click the back and forward buttons to display CPU utilization during a specific time segment.

For additional information about the graph, see Table 4.

4. Click to update the CPU Usage graph.

Figure 14 CPU Usage Tab

Table 4 CPU Usage Tab Elements

Element: Description

Go back 12 hours.

Go back six hours.

Go forward 12 hours.

Go forward six hours.

Displays the corresponding Help topic.

CPU Usage section

<blue line>: CPU usage in real time.

<pink line>: Average CPU percent utilization for the time segment shown. To see a larger version of the graph, click the CPU Usage tab.

Updates the CPU Usage graph.

Viewing Log Source Status

The Log Source Status tab lets you view statistics for each source device. An example of the tab is shown in Figure 15.

To view the log source status

1. Choose Dashboards > Log Source Status from the navigation menu.

2. View the following log status information for each source device:

Name

IP Address

Type

Message Count

Byte Rate/Sec

Description

For detailed descriptions of each item, see Table 5 on page 34.

3. Click to update the view of your devices.

4. Optionally, click to print all the items in the list.

Figure 15 Log Source Status Tab

Log Source Status Descriptions

Table 5 lists and describes the elements in the Log Source Status tab.

Table 5 Log Source Status Tab Elements

Element: Description

Saves the report in CSV format. Save the file and open it in an Excel spreadsheet for viewing.

Note: The CSV file saves and displays a maximum of 10,000 lines. A generated report can contain more than this number.

Displays the report in HTML format in a new window. You can save the HTML file to your local machine.

Note: The HTML file saves and displays a maximum of 5000 lines. A generated report can contain more than this number.

Saves the report as a PDF file. You can save the PDF file to your local machine. Viewing the generated report as a PDF only works with Adobe Acrobat Reader version 6.0 and higher.

Note: The PDF file saves and displays a maximum of 5000 lines even though the generated report may contain more than this number.

Click to print all the items in the list.

Click to display the corresponding Help topic.

Displays the previous page of detail for the device list.

Displays the next page of detail for the device list.

To display a specific page of details, type a page number and click GO.

Note: On certain pages that display this option, you can view only a set number of rows. To set the number of rows to view, use the Personal Preferences tab.

Updates the view of your devices. If auto-identify is enabled and the Appliance detects new devices, refreshing displays them in this view.

Advanced Options: By default, all of these options are displayed:

Name

IP Address

Type

Total

1 Min

5 Min

15 Min

1 Min (Byte Rate/Sec)

Description

Use the drop-down menu to view options in ascending or descending order.

Deletes all text in the Advanced Options text boxes.

Executes with the defined Advanced Options parameters.

Log Source Status section (all of the following columns are sortable)

Name: Name of your source device.

IP Address: IP address of your source device.

Type: Type of source device.

Message Count: The following types of message counts:

Total—Total number of messages processed for the specified device.

1 Min—Total number of incoming messages during the previous one-minute period.

5 Min—Total number of incoming messages during the previous five-minute period.

15 Min—Total number of incoming messages during the previous 15-minute period.

1 Min (Byte Rate/Sec): Byte rate per second for each device during the previous one-minute period.

Description: Description you defined for the source device in the Administration > Manage Devices > Syslog and Administration > Check Point Devices > Interface tabs.

If you selected the Auto-identify option in the Administration > System Settings > General tab, the system indicates that the source device is an auto-identified log source.

Viewing Unapproved Messages

Use the Unapproved Messages tab to view information on up to 100 of the most recent real-time messages received from a recognized but unapproved source. Unapproved messages are discarded.

Summary data on unapproved messages can be seen from the Dashboards > System Status tab.

Note: Messages from logs routed using LogLogic TCP are not listed here because they are not treated as real-time messages.

To view unapproved messages

1. Choose Dashboards > Log Source Status from the navigation menu.

2. Click the Unapproved Messages tab.

This tab contains the elements listed in Table 6.

3. Click to update the information.

4. (Optional) Click to print all the messages in the list.

Table 6 Unapproved Messages Tab Elements

Element: Description

No.: Number assigned to the message.

Time: Time the message was received.

Firewall: IP address of the Appliance through which the message was received.

Message: Text of the message.

Viewing Recent Messages

Use the Recent Messages tab to view information on up to 100 of the most recently-received real-time messages. (See Figure 16.)

Note: Messages from logs routed using LogLogic TCP are not listed here because they are not treated as real-time messages.

To view recent messages

1. Choose Dashboards > Log Source Status from the navigation menu.

2. Click the Recent Messages tab.

Figure 16 Recent Messages

This section contains the following elements.

3. Click to update the information.

4. (Optional) Click to print all the messages in the list.

Table 7 Recent Messages tab descriptions

Element Description

No. Number assigned to the message.

Time Time the message was received.

Firewall IP address of the Appliance through which the message was received.

Message Text of the message.


Viewing Log Source Data Trend

The Log Source Data Trend tab displays graphs of the incoming Syslog data rate in MB from all sources over the last 24 hours. The top graph displays Realtime Logs, and the bottom graph shows File Transfer Logs. Log data that has been fully indexed is represented by blue bars; log data still to be indexed is represented by orange bars. The bar graphs refresh once per minute.

To view log source data trend

1. Choose Dashboards > Log Source Data Trend from the navigation menu.

2. View the Syslog data from all sources within the last 24 hours as shown below.

Figure 17 Log Source Data Trend


Managing Your Dashboard

The My Dashboard menu allows you to customize your Dashboard with visualizations, known as “widgets”, representing Report Results, Search Results, Alerts, and Appliance performance. For example, if you have an Index Search showing web surfing activity within the Intranet, this data can be presented on your Dashboard using the Trend Graph widget and refreshed periodically with recent data from the Index Search.

The system admin can specify the maximum number of widgets that can be displayed on your Dashboard using the Administration > System Settings > General tab. LogLogic recommends displaying a maximum of 10 widgets on your Dashboard.

Widget Types

You can create different types of widgets to add to your dashboard canvas. The different types are:

Summary: Displays top 10 results from any Report saved with the “Summarized” option. It also displays All Index Reports as well as Index Searches that are grouped by option (except grouped by Time). For details, see Managing Summary Widgets on page 41.

Trend: Displays a trend of Index Search “hits” occurring over a period of 1 day, 1 week or 1 month. For details, see Managing Trend Widgets on page 44.

Alerts: Displays recent triggered alerts matching your specified filters. For details, see Managing Alert Widgets on page 48.

System: Displays Network and File based data ingest trends, Disk usage, and CPU utilization. For details, see Managing System Widgets on page 52.

About My Dashboard

By default, the dashboard canvas is empty and does not display any widgets. The Widgets link enables you to add widgets to your dashboard. A new widget is always added on the upper left side on your dashboard canvas. If a widget is already added to the dashboard, you cannot add the same widget to the dashboard again. For detailed information about widgets, see Managing Widgets on page 39.

To view your dashboard

1. Access Dashboards > My Dashboard from the navigation menu.

2. View your My Dashboard canvas as shown below.


Figure 18 My Dashboard

Managing Widgets

The Dashboard is highly customizable with widgets and data of your selection. The Widgets link allows you to view and add existing widgets to your dashboard, create new widgets, edit existing widgets’ settings, or remove widgets from the system.

Using drag and drop, you can change the position of widgets on your Dashboard. Click and drag a widget’s title bar to move it to a new location on the canvas (see Figure 19). You can also resize any widget by dragging its bottom edge. The system automatically saves your latest widget positions with your LogLogic User Account.


Figure 19 My Dashboard Canvas – Manage Widgets

Depending on the widget type, some widgets display different buttons on the upper right corner of the widget (see Figure 19).

Table 8 lists and describes the widget buttons.

By default, widgets are created exclusively for your use. However, you can share your widgets with others by checking the Shared option on the widget’s settings screen. Sharing Report and Search widgets improves system performance, since the underlying data used for the visualization only needs to be created once for all Dashboard views of the widget.

Table 8 Widget buttons

Button Description

Shows the toolbar for that widget. Using this toolbar, you can view different presentation options for the selected report. For example, for a Summary widget, you can choose to view a Column chart, a Bar chart, or Table format.

Displays the widget in full screen view. If it is already in full screen view, this will restore the widget to normal size.

Displays the widget’s existing settings. Click the button to open the Edit widget settings window. This allows you to change the widget’s existing settings.

Removes the widget from your Dashboard. However, the widget is still available in the widget list to use on other dashboards.

Selects the color of the widget’s graph from a color palette.

Note: From the widget toolbar, this button is available only for certain widget types.


Managing Summary Widgets

The Summary widget provides a focused visualization of the first 10 records returned from the underlying Saved Report query.

Figure 20 illustrates an example of a Summary widget. If you click the Show Toolbar button, the report displays more view options such as Column Chart, Bar Chart, and Table (see Figure 20). For more information on other widget buttons, see Table 8 on page 40.

Figure 20 Summary Widget Example

To add an existing summary widget to your dashboard

Note: If a widget is already added to the dashboard, you cannot add the same widget to the dashboard again.

1. Access Dashboards > My Dashboard > Widgets from the navigation menu.

2. Click the Summary icon. A list of existing summary widgets, if any, is displayed in the second pane.


Figure 21 Summary Widgets - List of Existing Widgets

3. Select the widget from the list. The widget’s settings are displayed for your review in the third pane.

4. Click the Add to Dashboard button to add the widget to your dashboard.

To create a new summary widget

Note: To create a summary widget, you must have the Reporting privileges. For more information about privileges, see Chapter 13, Managing Users in the LogLogic Administration Guide.

1. Access Dashboards > My Dashboard > Widgets from the navigation menu.

2. Click the Summary icon. A list of existing summary widgets, if any, is displayed in the second pane.

3. Click the Create New button to create a new widget. The new widget settings pane appears as shown below.


Figure 22 Create a New Summary Widget

4. Enter the Name and Description of the widget.

5. Select a report from the Report list as explained in Table 9.

6. Specify a Timeframe as explained in Table 9.

Table 9 Summary Widgets Elements

Element Description

Name Name of your widget that is displayed on the widget Title bar.

Description Description of your widget.

Shared Select the checkbox if you want to share your widget with others. However, only the creator can edit this widget’s settings.

Selected Displays the selected report from the Report list. When the report is not selected, None is displayed.

Enter text to filter Enter the text to filter Report list and then press Enter.

Filters and refreshes the view of your widgets.

Report list By default, the following columns are displayed:

Type--the report template type, for example, User Access

Name--the name of the report

Description--the description of the report

Click on the column heading to sort the table by that column to view in ascending or descending order.

Timeframe section

Run Specify the time frame to refresh the widget’s report results. The options are:

Once every few hours

Once a day

Once a week

Once a month

Note: Depending on the selected Run option, the fields that follow may change. For example, if you select the Once a week option, specify the time and the day of the week.

Specify the appropriate intervals.

7. Click the Save Settings button to save the widget’s settings. The widget is now listed in the saved widget list. Click the Add to Dashboard button to add the widget to your dashboard. Or, click the Save & Add to Dashboard button to save the settings and add the new widget to your dashboard.

To edit an existing summary widget’s settings

Note: Only the creator of the widget can edit that widget’s settings.

1. Select a widget from the saved widget list (see Figure 22 on page 43).

2. Make the appropriate changes.

3. Click the Save Settings button to save the new settings.

Note: The Save & Add to Dashboard button is available only when the widget is not on your dashboard.

Managing Trend Widgets

The Trend widget displays a trend of Index Search “hits” occurring over a period of 1 day, 1 week or 1 month.

Figure 23 illustrates an example of a Trend widget. If you click the Show Toolbar button, the report displays more view options such as Column Chart and Line Chart (see Figure 23). For more information on other widget buttons, see Table 8 on page 40.


Figure 23 Trend Widget Example

To add an existing trend widget to your dashboard

Note: If a widget is already added to the dashboard, you cannot add the same widget to the dashboard again.

1. Access Dashboards > My Dashboard > Widgets from the navigation menu.

2. Click the Trend icon. A list of existing trend widgets, if any, is displayed in the second pane.


Figure 24 Trend Widgets - List of Existing Widgets

3. Select the widget from the list. The widget’s settings are displayed for your review in the third pane.

4. Click the Add to Dashboard button to add the widget to your dashboard.

To create a new trend widget

Note: To create a trend widget, you must have the Index Search privileges. For more information about privileges, see Chapter 13, Managing Users in the LogLogic Administration Guide.

1. Access Dashboards > My Dashboard > Widgets from the navigation menu.

2. Click the Trend icon. A list of existing trend widgets, if any, is displayed in the second pane.

3. Click the Create New button to create a new widget. The new widget settings pane appears as shown below.


Figure 25 Create a New Trend Widget

4. Enter the Name and Description of the widget.

5. Select a saved search from the Search list as explained in Table 10.

6. Specify the Trend Range as explained in Table 10.

Table 10 Trend Widgets Elements

Element Description

Name Name of your widget displayed on the widget Title bar.

Description Description of your widget.

Shared Select the checkbox if you want to share your widget with others. However, only the creator of the widget can edit the settings.

Selected Displays your selected search. When the search is not selected, None is displayed.

Enter text to filter Enter the text to filter the saved search settings and then press Enter.

Filters and refreshes the view of your widgets.

Search List By default, all these columns are displayed:

Type–the report template type, for example, User Access

Name–the name of the report

Description–the description of the report

Click on the column heading to sort the table by that column to view in ascending or descending order.

Trend Range section

Timespan Specify the timespan from the drop-down menu. The options are:

1 Day

7 Days

30 Days

7. Click the Save Settings button to save the widget’s settings. The widget is now listed in the saved widget list. Click the Add to Dashboard button to add the widget to your dashboard. Or, click the Save & Add to Dashboard button to save the settings and add the new widget to your dashboard.

To edit an existing trend widget’s settings

Note: Only the creator of the widget can edit that widget’s settings.

1. Select a widget from the saved widget list (see Figure 25 on page 47).

2. Make the appropriate changes.

3. Click the Save Settings button to save the new settings.

Note: The Save & Add to Dashboard button is available only when the widget is not on your dashboard.

Managing Alert Widgets

The Alert widget displays recently triggered alerts matching your specified filters.

Figure 26 illustrates an example of an Alert widget. If you click the Show Toolbar button, the report displays more view options such as Enable and Disable (see Figure 26). For more information on other widget buttons, see Table 8 on page 40.


Figure 26 Alert Widget Example

To add an existing alert widget to your dashboard

Note: If a widget is already added to the dashboard, you cannot add the same widget to the dashboard again.

1. Access Dashboards > My Dashboard > Widgets from the navigation menu.

2. Click the Alerts icon. A list of existing alert widgets, if any, is displayed in the second pane.


Figure 27 Alerts Widgets - List of Existing Widgets

3. Select the widget from the list. The widget’s settings are displayed for your review in the third pane.

4. Click the Add to Dashboard button to add the widget to your dashboard.

To create a new alert widget

Note: To create an alert widget, you must have the Manage Alerts privileges. For more information about privileges, see Chapter 13, Managing Users in the LogLogic Administration Guide.

1. Access Dashboards > My Dashboard > Widgets from the navigation menu.

2. Click the Alerts icon. A list of existing alert widgets, if any, is displayed in the second pane.

3. Click the Create New button to create a new widget. The new widget settings pane appears as shown below.


Figure 28 Create a New Alert Widget

4. Enter the Name and Description of the widget.

5. Specify how to show alerts based on Type & Priority or Custom selection as explained in Table 11.

6. Specify number of alerts from the Show most recent list as explained in Table 11.

Table 11 Alerts Widgets Elements

Element Description

Name Specify the name of your widget displayed on the widget Title bar.

Description Specify the description of your widget.

Shared Select the checkbox if you want to share this widget with others. However, only the creator can edit this widget’s settings.

Only show section

Type & Priority Select this option to specify the type of system and priority. Click the checkbox to select the priority level.

Custom Selection Select this option to specify alerts from the existing list.

Selected Once you select the alert rule from the Available list, it appears under this column.

Available Displays the list of available alert rules. Specify an alert by selecting the appropriate checkbox. This allows you to define which triggered alerts appear on your dashboard.

Show most recent Specify how many alerts to display in the widget. The options are:

10 Alerts

25 Alerts

50 Alerts

100 Alerts

7. Click the Save Settings button to save the widget’s settings. The widget is now listed in the saved widget list. Click the Add to Dashboard button to add the widget to your dashboard. Or, click the Save & Add to Dashboard button to save and add the new widget to your dashboard.

To edit an existing alert widget’s settings

Note: Only the creator of the widget can edit that widget’s settings.

1. Select a widget from the saved widget list (see Figure 28 on page 51).

2. Make the appropriate changes.

3. Click the Save Settings button to save the new settings.

Note: The Save & Add to Dashboard button is available only when the widget is not already on your Dashboard.

Managing System Widgets

The System widget type provides four pre-defined widgets: Network-based Data Ingest, File-based Data Ingest, Disk Usage, and CPU.

Figure 29 illustrates an example of the Network-based Data Ingest widget. For more information on widget buttons, see Table 8 on page 40.


Figure 29 Network-based Data Ingest Widget

Figure 30 illustrates an example of File-based Data Ingest Widget. For more information on widget buttons, see Table 8 on page 40.

Figure 30 File-based Data Ingest Widget

Figure 31 illustrates an example of Disk Usage Widget.

Figure 31 Disk Usage Widget

Figure 32 illustrates an example of the CPU widget. If you click the Show Toolbar button, the report displays more view options, such as an hour range of 2 Hr, 6 Hr, or 12 Hr. For more information on other widget buttons, see Table 8 on page 40.


Figure 32 CPU Widget

To add a system widget to your dashboard

1. Access Dashboards > My Dashboard > Widgets from the navigation menu.

2. Click the System icon. The pre-defined widgets are displayed in the second pane.

Figure 33 System Widgets


3. Select the widget by clicking on the name from the list of pre-defined widgets to view the details in the pop-up window.

4. Click the Add to Dashboard button. The widget is added to your dashboard.

Note: If a widget is already added to the dashboard, you cannot add the same widget to the Dashboard again.

Defining your Dashboard Canvas Settings

You can specify the number and size of columns on your Dashboard canvas.

To define your dashboard canvas settings

1. Access Dashboards > My Dashboard from the navigation menu.

2. Click the Dashboard link. The Edit dashboard settings window appears as shown below.

Figure 34 Edit Dashboard Settings

3. Specify the number of columns from the column layout options. The options are: One Column, Two Columns, or Three Columns.

4. If you select Two or Three columns option, specify the width of the column by dragging the slider to the desired width.

5. You can preview your column settings in the Preview window.

6. Click Save Settings to save your Dashboard settings. The widgets on your Dashboard are rearranged as per the new Dashboard settings.


CHAPTER 3:

Viewing Real Time Log Messages

The Real Time Viewer provides a scrolling display of log messages from all log sources as the Appliance receives them. You can either filter messages or view all log messages unfiltered as they arrive.

Real Time Viewer displays log messages only for syslog log sources, not for file transfer or database log source types (including log messages forwarded using LogLogic TCP).

Accessing and Selecting Real Time Messages to View . . . . . . . . . . . . . . . . . . . . . . . . 57

Viewing Log Messages in Real Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Accessing and Selecting Real Time Messages to View

The Real Time Viewer shows an immediate scrolling display of log messages as they are received by the Appliance. (See Figure 37.)

To access the Real Time Viewer:

Choose Search > Real Time Viewer from the navigation menu.

Figure 35 Accessing Real Time Viewer


The Real Time Viewer screen is displayed as shown below.

Figure 36 Real Time Viewer Screen

Table 12 Real-Time Viewer Tab Elements

Element Description

Saved Custom Report Select a Custom Report from the drop-down menu.

If you do not have any saved Custom Reports, this field is grayed out. This option is useful to view real-time data with the specified parameters from your saved filter for a specific Appliance.

Device Type Devices associated with the Appliance.

Source Device IP address of the selected Device Type.

The drop-down menu contains the devices connected to the Appliance.

Highest Severity Specify the selection of a set of syslog messages by their highest severity. Select this checkbox to filter the syslog messages of that severity.


Search Filter Define an expression used to limit the information displayed from the devices.

Filter options are:

Pre-Defined—The drop-down contains pre-defined search filters that you manage in the Search Filters tab.

Use Words—Components of messages. The maximum character length of the Use Words field is 125.

For example, user IDs like cjreid, or parts of IP addresses like 192.

Use Exact Phrase—Components of a syslog message that are not randomly linked but form a fixed string, for example, a specific URL or Authentication rejected:, keyboard-interactive for root. The maximum character length of the Use Exact Phrase field is 250.

Regular Expression—A regular expression is a pattern of characters and symbols that enables the search to identify patterns in messages retrieved from the storage database. The maximum character length of the Regular Expression field is 250.

For example:

User .* connected, \>su:.*(to root), and sshd.*Accepted.*for root from

Save Custom Report Define and save frequently used search criteria for future use to execute a report against your real-time logs more quickly. Novice users can run reports with complex search criteria with minimal input.

Specify the following information:

Report Name - A name for the report.

Report Description - A brief description for other users to understand the type of information that this report generates.

Share with Other Users checkbox

By default, the Share with Other Users option is selected; it makes this Custom Report accessible to other users logging in to this Appliance.

Click to save your changes.

Runs the filter and displays the real-time log view.
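The three Search Filter modes and the Highest Severity checkbox from Table 12, as an added Python example that is not code from the LogLogic guide or appliance: Use Words matches every term as a substring, Use Exact Phrase matches one fixed string, Regular Expression searches a pattern, and the length limits are the ones the table states. The sample syslog lines are constructed; deriving severity from the syslog PRI field, treating Highest Severity as a numeric cut-off, and writing the guide's GNU-style `\>` word boundary as Python's `\b` are assumptions of this example.

```python
"""Added example (not code from the LogLogic guide or appliance): the three
Search Filter modes of Table 12 plus a Highest Severity cut-off, applied to
constructed syslog lines. Field length limits are those Table 12 states."""
import re
from typing import Callable, List, Tuple

# Maximum field lengths from Table 12.
MAX_USE_WORDS = 125
MAX_EXACT_PHRASE = 250
MAX_REGEX = 250

# Constructed sample messages, not captured data. Each starts with a syslog
# PRI field; severity = PRI % 8 (0 = Emergency ... 7 = Debug).
SAMPLE_MESSAGES = [
    "<38>sshd[2211]: Accepted password for root from 192.0.2.10 port 51022 ssh2",
    "<38>sshd[2212]: Failed password for invalid user cjreid from 192.0.2.44 port 51100 ssh2",
    "<85>su: (to root) cjreid on pts/1",
    "<38>sshd[2213]: Authentication rejected: keyboard-interactive for root",
    "<14>kernel: User admin connected from 10.0.0.5",
    "<2>kernel: Out of memory: Kill process 4121 (java)",
]

Predicate = Callable[[str], bool]


def split_pri(msg: str) -> Tuple[int, str]:
    """Return (severity, text) for a '<PRI>text' line. A line without a PRI
    field is treated as severity 7 (Debug); that default is an assumption."""
    m = re.match(r"<(\d{1,3})>(.*)", msg)
    if not m:
        return 7, msg
    return int(m.group(1)) % 8, m.group(2)


def use_words(words: str) -> Predicate:
    """Use Words: every whitespace-separated term must occur somewhere in the
    message text. Matching is by substring, so '192' matches part of an IP
    address, as the guide's example describes."""
    if len(words) > MAX_USE_WORDS:
        raise ValueError(f"Use Words is limited to {MAX_USE_WORDS} characters")
    terms = words.split()
    return lambda msg: all(t in split_pri(msg)[1] for t in terms)


def use_exact_phrase(phrase: str) -> Predicate:
    """Use Exact Phrase: the message text must contain the phrase as one
    fixed string, spaces and punctuation included."""
    if len(phrase) > MAX_EXACT_PHRASE:
        raise ValueError(f"Use Exact Phrase is limited to {MAX_EXACT_PHRASE} characters")
    return lambda msg: phrase in split_pri(msg)[1]


def use_regex(pattern: str) -> Predicate:
    """Regular Expression: the pattern may match anywhere in the message text.
    The guide's example '\\>su:' uses a GNU-style word-boundary escape; Python's
    re spells that '\\b', so this example uses '\\bsu:' instead (an assumption)."""
    if len(pattern) > MAX_REGEX:
        raise ValueError(f"Regular Expression is limited to {MAX_REGEX} characters")
    compiled = re.compile(pattern)
    return lambda msg: compiled.search(split_pri(msg)[1]) is not None


def highest_severity(level: int) -> Predicate:
    """Highest Severity cut-off: keep messages whose severity number is at most
    `level` (lower numbers are more severe). The guide does not spell out how
    the checkbox is interpreted, so this threshold semantics is an assumption."""
    return lambda msg: split_pri(msg)[0] <= level


def run_filter(messages: List[str], *predicates: Predicate) -> List[str]:
    """Apply all predicates together (AND), as filling several form fields
    narrows one view; returns the messages that would be displayed."""
    return [m for m in messages if all(p(m) for p in predicates)]


if __name__ == "__main__":
    for line in run_filter(SAMPLE_MESSAGES, use_regex(r"sshd.*Accepted.*for root from")):
        print(line)
```

Running the module prints the one constructed line that the guide's `sshd.*Accepted.*for root from` example would select; combining `highest_severity` with a word filter shows how the severity checkbox narrows the same set further.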


To run the Real Time Report

1. Designate which messages to view in real time. You can pre-filter messages by source device, message severity, and text matches.

2. Click Run.

The Real Time Viewer appears, displaying messages meeting the filter criteria as the Appliance receives them. (See Figure 37.)

Figure 37 Real Time Viewer – Raw Logs

When you leave the Real Time Viewer and return to it later, the content in the Viewer restarts upon your return. Messages from the previous Viewer instance are not retained in the new Viewer instance.

To run a previously saved report in the Real-Time Viewer:

1. Choose Search > Real Time Viewer from the navigation menu.

2. Select the report from the Save Custom Report drop-down menu.

3. Click Run.

For additional information on Custom Reports, see Tag Catalog on page 185.

To specify parameters to run a new report in the Real-Time Viewer

1. Choose Search > Real Time Viewer from the navigation menu.

2. Select the device type.

3. Select the source device connected to your Appliance.


4. Choose the severity level. To specify the highest level, check the Highest Severity checkbox.

5. Type your search criteria to limit information displayed from the device(s).

6. Click Run.

To save a Custom Report in the Real-Time Viewer

After specifying the parameters for your report, save the report:

1. Click to expand the Save Custom Report section.

2. Type a name for your report and provide a brief description.

3. If you do not plan to share the report with other users logging in to the Appliance, uncheck the Share with Other Users checkbox. By default, this checkbox is selected.

4. Click to save your changes.

Viewing Log Messages in Real Time

Based on your selections in the Real-Time Viewer tab, the Real-Time Viewer: Log Messages tab shows a scrolling view of log messages in real time as they are received by the Appliance. The messages shown are determined by your input in the Real-Time Viewer tab Search Filter section. (See Figure 38.)

If you need to scroll through the incoming messages, click Pause. However, messages that arrive while the view is paused are skipped by the view; they do not get displayed when you resume.

Figure 38 Real-Time Viewer - Log Messages Paused


Table 13 Real-Time Viewer: Log Messages Screen Elements

Element Description

Selected Device Displays the Appliance source device name for the selection in the Real-Time Viewer Filter form.

Status Status of the Real-Time Viewer display.

Stops the real-time view of the incoming log messages.

If you pause the view, Real-Time Viewer skips incoming messages until you click Resume. The number of skipped messages is displayed next to Status: Paused.

Starts the real-time view of the incoming log messages.

Deletes the view of the incoming log messages and refreshes the page.

Refreshes the view of the incoming log messages.

The number of lines to store in the buffer for viewing. The default is 10000. To change the buffer size, type the number of lines and click the Buffer Size button.

Returns the user to the Real Time Viewer page, where the existing settings can be viewed and changed. After your changes (or to keep the current settings) click the Run button.
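The Pause, Resume, Clear and Buffer Size behaviour in Table 13, modelled as an added Python example (not LogLogic code) so that the loss of messages during a pause is concrete: messages that arrive while the view is paused are counted as skipped and never replayed, and the buffer keeps only the newest lines up to its size. The class, its method names and the simulated messages are this example's own; the default buffer size of 10000 is the value the table states.

```python
"""Added example (not LogLogic code): a model of the Real-Time Viewer buffer
described in Table 13. Shows why a paused view is not a complete record."""
from collections import deque
from typing import Deque, List


class RealTimeView:
    """Scrolling view with a bounded line buffer and pause/resume state."""

    def __init__(self, buffer_size: int = 10000) -> None:
        self.buffer_size = buffer_size
        # deque(maxlen=...) evicts the oldest line when the buffer is full.
        self.lines: Deque[str] = deque(maxlen=buffer_size)
        self.paused = False
        self.skipped = 0  # count shown next to "Status: Paused" in the viewer

    def status(self) -> str:
        return "Paused" if self.paused else "Running"

    def receive(self, line: str) -> None:
        """Called for each incoming message. While paused the line is dropped
        and counted; otherwise it is appended to the buffer."""
        if self.paused:
            self.skipped += 1
            return
        self.lines.append(line)

    def pause(self) -> None:
        self.paused = True

    def resume(self) -> None:
        """Resume shows new messages from now on; skipped messages are not
        replayed, so `skipped` is the number of lines the viewer never showed."""
        self.paused = False

    def clear(self) -> None:
        """Clear: discard the current view (the skipped count is kept)."""
        self.lines.clear()

    def set_buffer_size(self, n: int) -> None:
        """Buffer Size button: rebuild the buffer with a new maximum. When the
        buffer shrinks, only the newest n lines survive."""
        if n < 1:
            raise ValueError("buffer size must be positive")
        self.buffer_size = n
        self.lines = deque(self.lines, maxlen=n)

    def visible(self) -> List[str]:
        return list(self.lines)


def simulate(total: int, pause_at: int, resume_at: int,
             buffer_size: int = 10000) -> RealTimeView:
    """Feed `total` constructed messages msg-0001.. into a view, pausing just
    before message `pause_at` and resuming just before `resume_at` (0 = never).
    Returns the view so the caller can inspect what was shown and skipped."""
    view = RealTimeView(buffer_size)
    for i in range(1, total + 1):
        if i == pause_at:
            view.pause()
        if i == resume_at:
            view.resume()
        view.receive(f"msg-{i:04d}")
    return view


if __name__ == "__main__":
    v = simulate(100, 21, 41)
    print(f"status={v.status()} shown={len(v.visible())} skipped={v.skipped}")
```

With a pause spanning messages 21 to 40, the view shows 80 lines and reports 20 skipped; those 20 are gone from the viewer, so anyone relying on it for a complete picture must search the collected logs instead (Chapter 4).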


CHAPTER 4:

Searching Collected Log Messages

As the Appliance collects log data from your log sources, you can search on those collected log messages. In addition to running various simple and complex searches, you can define search filters and run reports.

Pre-defining search filters lets you include specific search criteria in an Index Search, a Regular Expression Search, the Real Time Viewer, and All Saved Searches without having to re-enter the filtering criteria each time.

Viewing archived data files lets you reload and open older, compressed log data for viewing on an Appliance.

Contents

Search Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Using and Creating All Index Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Using Index Search. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Tag-Based Searches Using the Tag Picker Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Using Regular Expression Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Using Search Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Viewing Archived Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

For details on Boolean expressions, Regular Expression usage, what gets indexed, and available delimiters, see the Search Strings topic in the Online Help.

Search Overview

LogLogic provides search and reporting tools for finding specific information in collected log message content. The tool you use varies depending on the task you want to perform.

Index Search – Search on indexed log source messages using a Boolean expression and see the results immediately. Use Index Search when a simple, fast search can provide the information you need to analyze failures or other anomalies.

Regular Expression (RegEx) Search – Search using a single regular expression or pre-defined search filter, either immediately or at a scheduled time.

Real Time Viewer – The Real-Time Viewer shows an immediate scrolling display of real-time log messages as they are received by the Appliance. The options form allows for pre-filtering of these messages by log source or device group, message severity, and text matches. Only log messages meeting the filter settings are shown. See Viewing Real Time Log Messages on page 57.

Index Report – Generate a report based on indexed data using pre-defined Boolean search filters. Essentially, an Index Report is a compilation of multiple Index Searches run at once. You can specify one or more pre-defined filters to use, and add additional criteria to those filters.


Note: For a simple search to match a specific string, use Index Search. To search for strings that match more complex patterns, use RegEx Search.

Figure 39 Search Tools

Table 14 Search and Reporting Feature Comparison

Feature  Index Report  Index Search  RegEx Search  Real Time Viewer

Multiple filters in search Yes No No Yes

Boolean Expressions Yes Yes No No

Regular Expressions No No Yes Yes

Graphical Results Available Yes Yes No No

Graphically view trends over time or log sources No Yes No No

Schedulable Search No No Yes No

Save customized search criteria for future use Yes Yes Yes Yes

View finished/past search results No No Yes Yes


Using and Creating All Index Reports

Use the All Index Reports screen to view a list of all saved searches for specific types of data based on search expressions and time intervals you defined. You can use these results to verify information found in your reports.

The results provide the number of hits for each selected search filter, which you can view in a table or a graphical chart. From the table, you can drill down to view the specific hits for a filter in detail similar to Index Search results.

To create an Index Report

1. Click Create Report to open the Properties window.

Figure 40 Create Report – All Index Reports

2. Select log sources from the right-hand pane. You can select sources by Appliance, and filter returns by Name, IP Address, Group or Type.

3. Click << Add as a rule, and enter a name in the text field of the dynamic rule pop-up.


Figure 41 Select Log Sources – Add as a Rule

Figure 42 Enter Name of Dynamic Rule

4. Click OK to add the selected source and filters to the left-hand pane.

5. On the right-hand pane select a device name (or names) from the list by clicking its name or the checkbox next to it.

6. Click << Add selected log sources to add devices from the selected source to which you want to apply the filters when running the report.


Figure 43 Add Selected Devices

7. Click Columns and Filters to select the columns for your report and choose filters for your results. Click in the field under the Value column and enter a term for the filter (such as login, id, etc.). Then click in the field under the Operator column and pick an operator from the drop-down.

Click Apply. The selected operator and value will move to the left-hand column.

Figure 44 Apply Columns and Filters

8. Click Index Report Search Selections to select from the available expressions to be used in the report. If none are available, click New Expression... to add a new Boolean search expression for use in any Index Report.


Figure 45 Add New Boolean Expression

9. In the Add Search Expression... popup that appears, enter Name, Description, Expression, and then click Sharing to define whether others can use or modify the new filter. Click Save.

Figure 46 Add Search Expression

10. Place a checkmark next to the new search expression and click << Apply Selections to add them to the left-hand pane for use in filtering your report. Then click Save As.


Figure 47 Apply Filter Selections

11. Enter a name and description of the report in the pop-up. Select Share with others if desired. Click Save & Close. The new report will appear in the list of all saved Index Reports.

Figure 48 Name and Save the Report


Figure 49 Report Saved

12. Click in the Name field and enter a term to search for entries in the Saved Reports list. Hit Enter. Any term found in the list of report titles will be highlighted; all other reports not containing the search term will no longer show in the list of Saved Reports. Clear the search term in the Name field and hit Enter to see all Saved Reports again.

Figure 50 Filter by Name

13. Click the Run icon in the Actions column. The Date and Time Range Picker pops up, with Last Hour as the default setting. Click the down arrow next to Last Hour to reveal several other options (Last 2, 3, 6, 12, 18, or 24 Hours; Today; Yesterday). Select the timeframe from the Date and Time Range Picker, and click Run again to execute the report.

Figure 51 Date and Time Range Picker


14. On the results page, click Display Chart. Both Pie and Bar charts are available. The chart segments can be highlighted by mousing over them. Right-clicking on the chart or segments opens a print menu.

Using Index Search

Use Index Search to perform targeted searches on log messages using keywords, Boolean expressions, and wildcards on the Appliance or log sources. Index Search lets you pinpoint problem areas on all log sources captured on the Appliance and then view the search results quickly.

Due to the dynamic nature of LogLogic reporting, when paging between the last page of search results and other pages, additional messages matching the search criteria might have been received since the initiation of the original search. As such, you might see additional messages included on subsequent visits to the last search results page.

Index Search works on indexed logs making it faster than a search using regular expressions (RegEx search). By default, the Appliance performs an Index Search on the Appliance itself and all log sources collected on the Appliance in the last hour.

Search Expression Rules

The following rules apply when you enter a search expression:

Use Boolean operators, such as AND, OR, or NOT for your search expression (but do not begin the expression with leading NOT)

Use wildcard characters, such as an asterisk (*) or question mark (?) to match strings (but do not begin the expression with the wildcard)

Use delimiters such as parentheses to tell Index Search what to evaluate first

Enter up to 256 characters for your search expression

Index Search and Tag-Based Search do not support search patterns shorter than 3 characters

Index searches are case insensitive, so you do not have to use all uppercase letters when using Boolean operators, although it helps readability.

For details on Boolean expressions, search strings, and available delimiters, see the Search Strings topic in the Online Help.

Some simple Index Search examples include:

Table 15 Index Search Examples

Index Search Example  Rule

tcp  Use search expressions containing at least three characters.

authenticate AND failed
Tcp NOT Udp  Use Boolean operators, such as AND, OR, or NOT.

admin*
10.*  Use wildcard characters such as an asterisk (*) or a question mark (?) as shortcuts to match strings.

(tcp and udp) and service  Use a delimiter, such as parentheses, to specify what gets evaluated first; in this case, tcp and udp are evaluated before the service keyword.
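The search expression rules above, as an added example that is not LogLogic's own code: a small Python validator and evaluator that enforces the stated rules (Boolean operators, wildcards, parentheses, case-insensitive matching, no leading NOT or wildcard, the 3-character minimum and the 256-character limit) and runs the Table 15 expressions against a few constructed log lines. The word-level matching and the sample messages are assumptions made for the example, not a description of the Appliance's index.

```python
import re

MAX_EXPRESSION_LENGTH = 256   # limit stated in the guide
MIN_TERM_LENGTH = 3           # minimum pattern length stated in the guide
OPERATORS = {"AND", "OR", "NOT"}

# Constructed sample log messages (not from the guide or a real appliance).
SAMPLE_MESSAGES = [
    "sshd[2231]: Failed password for admin from 10.1.4.22 port 51022 ssh2",
    "kernel: tcp connection from 192.168.3.7 accepted on service http",
    "login: authenticate failed for user guest",
    "named[114]: udp query from 10.1.9.3 for example.com",
]

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


def tokenize(expr):
    """Split an expression into parentheses, operators and search terms."""
    return TOKEN_RE.findall(expr)


def validate(expr):
    """Return the list of rule violations; an empty list means the expression is acceptable."""
    problems = []
    if len(expr) > MAX_EXPRESSION_LENGTH:
        problems.append(f"expression is longer than {MAX_EXPRESSION_LENGTH} characters")
    tokens = tokenize(expr)
    if not tokens:
        return problems + ["expression is empty"]
    if tokens[0].upper() == "NOT":
        problems.append("expression must not begin with NOT")
    if tokens[0][0] in "*?":
        problems.append("expression must not begin with a wildcard")
    for tok in tokens:
        if tok in ("(", ")") or tok.upper() in OPERATORS:
            continue
        # Wildcards do not count toward the minimum pattern length ("10.*" is acceptable).
        if len(tok.replace("*", "").replace("?", "")) < MIN_TERM_LENGTH:
            problems.append(f"term {tok!r} is shorter than {MIN_TERM_LENGTH} characters")
    return problems


def term_pattern(term):
    """Compile a case-insensitive term with * and ? wildcards into a whole-word regex."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in term.lower())
    return re.compile(regex)


def words_of(message):
    """Approximate the index: lower-cased words, keeping dots so IP addresses stay whole."""
    return re.findall(r"[\w.]+", message.lower())


class Parser:
    """Recursive descent: OR binds loosest, then AND, then NOT; parentheses group first."""

    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos].upper() if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.take()!r}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "OR":
            self.take()
            node = ("OR", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.not_expr()
        # "a NOT b" is read as "a AND NOT b", as in the guide's "Tcp NOT Udp" example.
        while self.peek() in ("AND", "NOT"):
            if self.peek() == "AND":
                self.take()
            node = ("AND", node, self.not_expr())
        return node

    def not_expr(self):
        if self.peek() == "NOT":
            self.take()
            return ("NOT", self.not_expr())
        return self.primary()

    def primary(self):
        if self.peek() is None:
            raise ValueError("unexpected end of expression")
        tok = self.take()
        if tok == "(":
            node = self.or_expr()
            if self.peek() != ")":
                raise ValueError("missing closing parenthesis")
            self.take()
            return node
        if tok == ")" or tok.upper() in OPERATORS:
            raise ValueError(f"unexpected token {tok!r}")
        return ("TERM", term_pattern(tok))


def matches(node, words):
    """Evaluate a parsed expression against the words of one message."""
    kind = node[0]
    if kind == "TERM":
        return any(node[1].fullmatch(w) for w in words)
    if kind == "NOT":
        return not matches(node[1], words)
    left, right = matches(node[1], words), matches(node[2], words)
    return (left and right) if kind == "AND" else (left or right)


def search(expr, messages=SAMPLE_MESSAGES):
    """Validate, parse and evaluate an Index Search expression; returns the matching messages."""
    problems = validate(expr)
    if problems:
        raise ValueError("; ".join(problems))
    tree = Parser(tokenize(expr)).parse()
    return [m for m in messages if matches(tree, words_of(m))]
```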


Running an Index Search

Index Search is available on all Appliances except the LX 510. By default, the Appliance performs an Index Search on the Appliance itself and all log sources from which logs were collected on the Appliance in the last hour. You can search using these defaults or change them.

To run an index search from the Index Search Interface

1. Access the Index Search page from home: Search > Index Search. The Index Search interface is displayed as shown below.

Figure 52 Index Search Interface

2. Enter your search expression in the search text box and click the Run button.

Figure 53 Index Search – login – Run

The search results appear immediately on the Search Results tab, and the search term “login” is highlighted.

If you want, you can adjust the search scope and rerun the search by selecting specific log sources and/or a different timeframe.

Selecting Specific Log Sources

To perform a more targeted search, you can narrow the search scope to a group of log sources, such as all firewall interfaces, all routers, all General Syslog, Microsoft sources, other UNIX, or LogLogic Appliances.

On the Management Station, you can select from one managed Appliance or all Appliances, or particular groups of Appliances (for example, all LX Appliances or all ST Appliances) on which to run the search. The Choose Device pop-up automatically populates the log sources included on all selected Appliances.


To run a targeted Index Search

1. Click the All Sources on Localhost button to open the Select Source(s) window.

Figure 54 Open All Sources on Local Host

2. Select log sources from the Add Log Sources pane. You can select sources by Appliance, and filter by Name, IP Address, Group or Type.

Figure 55 Select a Source and a Filter

3. Click << Add as a rule.


Figure 56 Add Search Rule

4. Enter a name for the dynamic rule in the pop-up window and click OK.

Figure 57 Name Dynamic Search Rule

5. Place a checkmark next to the sources you want in your report and then click << Add selected log sources to add the selected devices and filters to the left-hand pane.


Figure 58 Add Selected Devices – Click Set to Confirm

6. Click Set. The new Index Report search selection appears in the Sources row. The Index Search Sources field displays the newly added log sources.

Select Time Frame for an Index Search

To select time frame for an index search

1. Click the calendar icon (to the right of Last Hour) to launch the Date and Time Range Picker.

2. Select a preset time interval by clicking the down arrow to the right of Last Hour, or pick a timeframe from the pop-up calendar. Click Set.

Figure 59 Schedule Index Search Report

3. Click Run.

4. At the Search pop-up, select whether you want to retrieve all messages. Click Yes. After a few moments, the Index Search results will be displayed.


Figure 60 Index Report Search Results

Using the Search Results Tab

Viewing Index Search Results

Index Search results are displayed in the Search Results tab and the keywords you entered are highlighted in different colors.

For example, when entering login AND user as your Boolean expression, the Search Results tab shows the first keyword “login” in yellow and second keyword “user” in turquoise.

Figure 61 Viewing Index Search Results

The UI cycles through several different highlight colors for the search keywords and then repeats the same color scheme.


To view search results using different view options

1. From the top right of the Index Search screen, click the View drop-down menu to open different view options. The options are: Reset to Default, Show Timeline, Hide Meta Header, View by, Chart Type.

Figure 62 Index Report Search Results – View

The Search Results view options are:

Table 16 Index Report Search--View options

Element Description

Reset to Default Resets to default settings.

Show Timeline Select this checkbox to show the timeline graph.

Hide Meta Header Select this checkbox to hide the metadata header information.

View By Select the option to view by Time or Device type.

Chart Type Select the type. The options are Bar chart or Line chart.

Configuring Search Results Settings

To configure Search Results settings

1. From the top right of the Index Search page, click the Options button. The Columns and Grouping window appears as shown below.


Figure 63 Index Search -- Options menu

2. Optionally, enter a filter keyword in the Keyword field to narrow the displayed columns in your report.

3. Select the appropriate Column Name by clicking in the checkbox to include or exclude that column from your report. You can change the column name by clicking on the name. The column name field becomes an editable field allowing you to make the changes.

Note: If you enter the same column name for two columns, the Index Search Results page displays the results for those two columns merged into one column.

4. Click or to move the selected column.

5. Choose the Display options.

Table 17 Display Options

Element Description

Raw Select this option to display Index Search Results in time-increasing order.

Grouped Select this option to display Index Search Results grouped by the selected column.

Group By Choose the column by which grouped search results are displayed from the drop-down menu. The default options are:

Time

Device IP

Device Source

Facility

Severity

You can add more columns by creating custom tags using Log Labels; see the Device Types online help video tutorial for instructions.

Time Interval This option is enabled when you select Group By Time. The results are grouped based on the specified time interval. Select the Time Interval from the following options:

Every 5 Minutes

Every 30 Minutes

Every Hour

Every 3 Hours

Every 6 Hours

Every 12 Hours

Every Day

Every Week

Sum By This optional setting adds up the numerical value of the selected column so that the Search Results Summary displays the sum of the grouped column instead of the count of message instances.

Aggregation Size Select the option from the drop-down menu. The results are sorted based on the selected option. The options are:

Top 1

Top 5

Top 50

All

6. Click Apply to apply the new settings. The Index Search Results page displays the refined search results. Figure 64 displays Search Results when grouped based on Device IP.
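As an added example (not LogLogic's code) of how the Raw, Group By, Time Interval, Sum By and Aggregation Size settings in Table 17 combine, the following Python groups a constructed set of Index Search hits; the hit field names, the numeric "bytes" column and the sample values are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Default Group By columns from Table 17, mapped to the (assumed) field names of the hits below.
COLUMNS = {"Time": "time", "Device IP": "device_ip", "Device Source": "device_source",
           "Facility": "facility", "Severity": "severity"}

# Time Interval choices from Table 17, in seconds.
INTERVALS = {"Every 5 Minutes": 300, "Every 30 Minutes": 1800, "Every Hour": 3600,
             "Every 3 Hours": 10800, "Every 6 Hours": 21600, "Every 12 Hours": 43200,
             "Every Day": 86400, "Every Week": 604800}

FIELDS = ("time", "device_ip", "device_source", "facility", "severity", "bytes")

# Constructed sample hits (not real appliance data); "bytes" is a numeric column for Sum By.
HITS = [dict(zip(FIELDS, row)) for row in [
    ("2010-12-01 11:28:05", "10.1.4.22", "fw-edge", "auth", "warning", 100),
    ("2010-12-01 11:31:40", "10.1.4.22", "fw-edge", "auth", "error", 250),
    ("2010-12-01 11:33:10", "10.1.9.3", "dns-1", "daemon", "info", 80),
    ("2010-12-01 11:34:59", "192.168.3.7", "web-1", "local0", "warning", 120),
    ("2010-12-01 11:36:02", "10.1.4.22", "fw-edge", "auth", "error", 60),
    ("2010-12-01 11:29:30", "10.1.9.3", "dns-1", "daemon", "info", 40),
]]

EPOCH = datetime(1970, 1, 1)


def time_bucket(timestamp, interval_seconds):
    """Floor a timestamp string to the start of its interval (naive arithmetic, no time zone)."""
    t = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S")
    seconds = int((t - EPOCH).total_seconds())
    start = EPOCH + timedelta(seconds=seconds - seconds % interval_seconds)
    return start.strftime("%Y-%m-%d %H:%M")


def raw_results(hits):
    """The Raw display option: hits in time-increasing order."""
    return sorted(hits, key=lambda h: h["time"])


def grouped_results(hits, group_by, time_interval="Every 5 Minutes",
                    sum_by=None, aggregation_size="All"):
    """The Grouped display option: (group key, count or sum) pairs, largest first, cut to Top N."""
    if group_by not in COLUMNS:
        raise ValueError(f"unknown Group By column: {group_by!r}")
    totals = Counter()
    for hit in hits:
        if group_by == "Time":
            key = time_bucket(hit["time"], INTERVALS[time_interval])
        else:
            key = hit[COLUMNS[group_by]]
        # Sum By replaces the per-message count with the column's numeric value.
        totals[key] += hit[sum_by] if sum_by else 1
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    if aggregation_size != "All":
        ranked = ranked[:int(aggregation_size.split()[1])]   # "Top 1", "Top 5", "Top 50"
    return ranked


if __name__ == "__main__":
    print(grouped_results(HITS, "Device IP"))
    print(grouped_results(HITS, "Time", time_interval="Every 5 Minutes"))
    print(grouped_results(HITS, "Device IP", sum_by="bytes", aggregation_size="Top 1"))
```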


Figure 64 Index Report Search Results – Grouped results by Device IP

Managing Search Results

The Search Results tab provides a toolbar with several options for managing Search results.

Figure 65 Search Results Toolbar

Table 18 Search Results Tab Toolbar Elements

Element Description

Collapses and condenses the results display view.

Allows you to view the selected message in relation to all others in your Index Search results. For details, see Viewing Index Search Results In Context on page 81.

Clip Selected message(s)

From the drop-down menu use the default clipboard, a saved clipboard, or create a new clipboard to save results.

Create Message Pattern

Create a new Log Labels message pattern with the selected message. Highlight a message in the Search Results and click the Create Message Pattern button. The Message Pattern Editor is displayed, which can be used to select a particular message from a particular device and then create a pattern based on the parameters of that message for use in further searches. For detailed instructions, see online help tutorial.

Saves the results. You can choose to Save or Save as from the drop-down menu to save your results. You can update your saved results using the Save as option, see Saving Search Results on page 81.

Number of Indexed Pages

Shows the total number of indexed messages matched by the search. This is particularly useful for large volumes of log messages because it lets you go through matched messages one page at a time. To page through the results, click the next arrow; to return to the previous page, click the previous page arrow. You can also jump to the first or last page by clicking the first and last page arrows. The total results number is automatically updated when you select the Show Timeline graphical view.

Displays context-sensitive help.


Viewing Index Search Results In Context

When analyzing log events, you can select a particular message and see the log messages that immediately preceded or followed the message from your search results.

Note: The In Context tab appears only after the first time you click the icon in the search results toolbar.

To view a particular log message in context

1. On the Search Results tab, select the message that you want to view and then click the icon. The In Context tab appears (next to the Clipboard tab) and the message you selected is immediately displayed in the Search Results tab.

2. Scroll down the page: the selected log message is highlighted in blue to show its relationship to the log messages that preceded this condition as well as those that occurred after it.

3. Click the appropriate button to save the report. You can choose to save results in CSV, PDF, or HTML format.

Figure 66 Viewing a Log Message in Context

Saving Search Results

You can download Index Search results to view immediately or save them in CSV, PDF or HTML format. These buttons are located on the left side of the Save button. After a few moments, the report in your chosen format appears.


To save search results report

1. Click the Save As option from the icon drop-down menu to save the report. You can update the saved report by using the Save option. The Save As Report window appears.

Figure 67 Search Report – Save As menu

2. Enter the name and description of the report in the Name and Description fields respectively. The Name field is a mandatory field.

3. Select the Suite option from the drop-down menu.

4. Select the Share? checkbox if you want to share the report.

5. Select the desired print option. For Grouped Search, the options are: Print Summary Report or Print Detailed Report.

6. Click Save to save the results.

Table 19 Save Search Results

Output Description

CSV Use Microsoft Excel or another spreadsheet program to display Index Search results in a spreadsheet. By default, search results are written to SearchExpressionHits.csv and saved on the desktop.

PDF Use Adobe Acrobat Reader to display the Index Search results. By default, search results are written to report.pdf and saved on the desktop. The first page includes a table of contents with links to the query used for the Index Search and the results table.

HTML Opens a new tab in your Web browser and immediately displays HTML Index Search results as a LogLogic report. The HTML results include a table of contents with links to the query used for the Index Search and the results table. By default, the downloaded results are saved as LogLogicReport.zip in a temp folder on the local drive. You can use your own company logo on the report; see the General tab under System Settings.


Viewing Trends

After running index searches, you can use the View menu to view search results graphically using the timeline option. The trend output you see is based on your chosen time range and chosen devices referenced by the Index Search and always includes only the messages and devices for that distribution.

The trend feature can be a powerful tool during your analysis of certain events and lets you see trends for certain activities by Time and Device.

Each option lets you view timeline data in either bar chart or line chart format. These charts show:

the time or device on the x-axis

the total number of messages on the y-axis

The procedure for viewing trends over time and by device is the same.

To view trends over time

1. Click the View drop-down menu and then select the Show Timeline checkbox.

A timeline chart displays below the search text box. You can immediately see the distribution of messages over time and begin to get a sense of trends in the timeline chart.

By hovering the mouse over an affected bar, you can get the total number of messages matching your search expression at that particular point in time.

Figure 68 View Menu – Viewing Trends by the Timeline Bar Chart

For example, in Figure 68 you can see 39 log message instances at 11:30 in the morning. The y-axis shows the total number of messages while the x-axis shows the time distribution of those instances.

Figure 69 Zooming In to the Timeline Bar Chart


2. To zoom in on a particular area of interest, press and hold the left mouse button and drag over the area of interest.

This refreshes the timeline view to show the zoom area in more detail.

Figure 70 Timeline Detail

3. To return to the original view, click Zoom Out.

4. To view the same search in line format, select Chart Type > Line Chart from the View menu.

This displays the results in a line chart format. From this view, you can see spikes in the number of messages that match the keyword “login”.

Figure 71 Viewing Trends by the Timeline Line Chart

Similarly, to view the same index search by log source, select View By > Device from the View menu.

Using the Search History Tab

Each time you run an index search, your search criteria are automatically saved on the Search History tab. The Search History tab includes:

Only those index searches with valid search criteria.

User-specific index searches, which can be shared when saved as a search filter.

Most recent searches on the top of the list

You can configure the search entries displayed (rows/page) on the Search History tab through the admin > Your LogApp Account tab (see Viewing Your LogApp Account on page 193).

Saving an Index Search as a Filter

While search histories are user-specific, you can save an Index Search as a search filter. You can use these saved search filters yourself or you can share these saved search filters with other users of the Appliance.


To save an index search as a search filter

1. Click Search History to see the history of Index Searches.

2. Select the saved index search message and then click the button. The Save As Filter dialog box is displayed.

3. Enter a name, description and expression for the filter.

The filter name and description help you and other users quickly understand the type of information that is generated when this Index Search runs.

4. If you want to share this filter with other users, click the Shared with other users checkbox.

5. Click Add.

Figure 72 Index Search - Search History

The index search is saved as a filter. You can use the filter in two places:

Search > Index Search > Search Filters tab

Search > All Search Filters tab

Running a Previously Saved Search Expression

Since your index searches are automatically saved for you on the Search History tab, you can browse through these previously saved sets of search criteria and run them again.

To run a previously saved index search

From the Search History tab, select the saved Index Search that you want to run and then click .

Using the Search Filters Tab

The Search Filters tab lists all saved search filters created on the Search History tab. The Search Filters tab includes the button in the toolbar making it convenient to run a previously saved search filter.


The Search Filters tab organizes search filters by their name and displays the search expression used for the search filter in the Expression column.

Note: All of your saved search filters show up on the Search Filters tab and on the Index Report tab.

To view or use a previously saved index search filter

1. Select the filter from the table and then click .

This copies the search expression and enters it in the search expression text box.

2. Press Enter to run the search filter.

This loads all the results of the search on the Search Results tab.

Using the Clipboard Tab

The Index Search Clipboard is an important tool for investigating and troubleshooting log events. For example, during your analysis of a certain event, you might find an item of interest in one or more log messages. Once identified, you can create a Clipboard and copy and paste the affected log message(s) onto the Clipboard.

You can create several clipboards until you have found everything you need to help you with your analysis as you drill down on the details.

You can share the clipped messages with other users to serve as a knowledge base for these users. After saving clipped messages to the clipboard, you can view them on Clipboard tab and on the Search Results tab.

The Clipboard tab provides a toolbar with several options for using clipped messages. These options include:

- Adds a new clipboard

- Deletes one or more clipped messages

- Allows you to view or edit the clipped message

Adding a New Clipboard

You can add a clipboard from:

the Search Results page

the Clipboard tab

Note: You can add up to 1,000 messages to a Clipboard. Each user is able to create up to 100 Clipboards.

The procedures are essentially the same for adding a new Clipboard. The next procedure shows how to add a Clipboard from the Search Results tab.


To add a new Clipboard from the Search Results tab

1. On the Search Results tab, select messages to add to the clipboard from the search results.

To select more than one message to add to the Clipboard, hold the Shift key as you click on each message.

2. From the Clip selected message(s) drop-down menu, select New Clipboard.

The Add Clipboard dialog box opens.

3. Enter a name for the clipboard in the Name field.

If you enter an existing clipboard name, the messages are added to that existing clipboard.

4. Add a description for the clipped message in the Annotate field and click Add.

Figure 73 Add Clipboard Dialog Box

The clipboard is added to the Clipboard tab and it is also available from the Search Results tab. You can go back and view or edit the clipped message(s) later on to allow for more analysis.

Viewing or Editing Clipped Messages

After saving clipped messages and annotating them, you can view or edit clipboards on the Clipboard tab.

To view or edit clipped messages

1. On the Clipboard tab, select the clipboard that you want to view or edit and click .

The Edit Clipboard dialog box appears. You can change the following:

the Name of the clipped message

the Annotation for the clipped message

remove one or more clipped log messages


Figure 74 Edit Clipboard Message

2. Modify the Name, Annotation, or remove log messages and click Update.

Deleting Clipped Messages

You can manage the clipboard table by deleting unwanted clipped messages.

To delete a clipped message

1. On the Clipboard tab, select the Clipboard you want to delete and click .

2. To delete more than one clipped message, hold down the shift key and select the messages you want to delete and then click .

The selected messages are deleted from the Clipboard tab.


Tag-Based Searches Using the Tag Picker Interface

You may use the new Tag Picker Interface to access saved search terms in order to quickly run an updated Index Report.

To update an Index Report using the Tag Picker Interface

1. Access the Index Search page from the home page by going to Search > Index Search. Click the arrow below the text box labeled “Enter your search expression...”. The Tag Picker Interface opens.

Figure 75 Tag Picker Interface

2. Select an Event Type and left-click. The selected Event Type appears in the Enter your search expression... text box.

Figure 76 Event Type Added to Search Expression Text Box

3. Add a Boolean operator (AND) to the search expression, and left-click a saved Field Tag. The selected Field Tag appears after the Boolean operator in the Search Expression text box.

Figure 77 Field Tag Added to Search Expression Text Box

4. Add a wild card (*) to recall all saved Field Tags with that name. Click Run.


Note: You can specify special characters such as spaces, forward-slashes (/) etc. inside the quotes for Field Tags. For example: Identity: “John Smith”; Domain: “domain name / JOHN SMITH”.

Figure 78 Tag-Based Search Results

5. Select View to display the Bar Chart for the search expression.

6. Compare with the previous saved Index Search results for this expression.


Using Regular Expression Search

Use the RegEx Search Filter tab to find specific types of data based on search expressions and time intervals you define. RegEx Search provides more powerful search filter options than Index Search, though RegEx Search can take longer to process and is less interactive.

Figure 79 Regular Expression Search

To specify parameters for a new search

1. Select Search > Regular Expression Search from the navigation menu.

2. (Management Station only) Select the Appliance (or All Appliances) on which to run the search.

3. Select the Device Type.


4. Select the Source Device, or all devices, connected to the Appliance.

To view Global groups created on this Management Station, you must select All Appliances under Appliance.

5. Specify the Time Interval in which to search for data passing through your Appliance.

6. Define your Search Filter. Select one of these options and specify any needed parameters.

Retrieve All—Use to retrieve all log files collected during a specified time interval regardless of the defined search expression parameters.

Pre-Defined—Select a pre-defined search expression (defined in/by search filters). All search filters you create appear in the drop-down menu as a pre-defined search expression. If the selected filter includes multiple parameter fields, a text field for each appears. The maximum length for each field is 25 characters.

Use Words—Use a specific word(s) as a search parameter.

Use Exact Phrase—Use an exact phrase as a search parameter.

Regular Expression—Use a regular expression as a search parameter.

For more information about modifying or creating search expressions, see Using Search Filters on page 94.

7. Specify the Time Interval to search for data passing through your Appliance.

8. Set a time for the search; do one of the following:

Select the Schedule Search to Run Immediately checkbox to start your search of archived data immediately.

Select a time to start the search of archived data. If the selected time is in the past, the search runs immediately. This search is useful if you know exactly which data source you want to search and do not need to search a time interval.

9. Enter a Search Name for the search.

10. To generate the report, click .

Note: Concurrent Regular Expression Searches apply only to Appliance models above the 1000 series. You can select the number of concurrent searches to perform. The default is one, but you can choose to perform two searches concurrently.

To generate a previously saved report

1. Select Search > Regular Expression Search from the navigation menu.

2. In the RegEx Search Filter tab, select the report from the Saved Custom Report drop-down menu.

To generate the report, click .

To export the report data to a file in CSV format, click .

To save a Custom Report

After specifying the parameters for your report, save the report:

1. Click to expand the Save Custom Report section.

2. Type a name for your report and provide a brief description.


3. If you do not plan to share the report with other users logging in to the Appliance, uncheck the Share with Other Users checkbox. By default, this checkbox is selected.

4. If packages are present on the Appliance, the Add Report to Package drop-down menu is visible letting you select a package in which to include this report.

5. Click to save your changes.

Viewing Pending and Running Searches

The Pending Searches tab regularly refreshes to list all the pending and currently running RegEx searches on the Appliance. To force a refresh, click the tab name.

Viewing Running Searches

To view a list of all the searches that are currently running, see the Currently Running Searches table in the Pending Searches tab.

For each running search, this table lists the search schedule, timespan, name, owner, Regular Expression, and the approximate number of files processed, the total number to search, and the percentage completed.

To suspend a running search, check its checkbox and click . A suspended search stops processing; its partial results up to that point appear in the Finished Searches tab.

Figure 80 Running and Pending RegEx Searches

Viewing Pending Searches

To view a list of all the searches that are scheduled to run, see the Currently Pending Searches table in the Pending Searches tab.


For each pending search, this table lists the priority for the search, its schedule, timespan, name, owner, Regular Expression, and an estimate of the number of files to search.

To remove a pending search from the queue, check its checkbox and click . There is no confirmation prompt for removing a pending search.

To add a new RegEx search to the queue, click . The RegEx Search tab appears.

Viewing RegEx Search Results

You can view pending, running, or finished searches in the Finished Searches or Pending Searches tabs under Search > Regular Expression Search. To force a refresh of the tab and view the latest finished searches, click the tab name.

Viewing Finished Searches

To view the search results for any searches that have completed, click the number of matches for the report in the Finished Searches tab list.

Figure 81 Finished RegEx Searches

To view the search results for a particular search, click its number of Matches.

To view or download the search results in HTML, PDF, or CSV, click the format extension in the Download Size column. (Clicking the size number downloads the results as a CSV file.)

To delete a past search from the Appliance, select its checkbox and click .

Using Search Filters

Search filters are user-created filters (saved search patterns) that can be used in:

Alerts

Real-Time Viewer

Index Search

RegEx Search

Index Reports

The All Search Filters tab lists all search filters:

You created in the Add Search Filter tab


You created and saved from the Index Search History tab (see Saving an Index Search as a Filter on page 84)

Available to you, including shareable filters created or owned by other users

The examples that follow assume a clean slate: a newly installed Appliance with no search filters in place.

Adding a Search Filter

To add a search filter for complex pattern matching, use the Add Search Filter tab.

To add a search filter

1. Select Search > All Search Filters from the navigation menu.

2. Click .

Figure 82 Adding a Search Filter - Steps 1, 2

3. Type a name for your new search filter.

4. Sharing - Read Only is the default setting for a new search filter; other users of this Appliance may see and use the new search filter. Set the radio button to No to prevent others from seeing and using the new search filter. Set the radio button to Read Write to allow others to see and modify the new search filter.

5. Type a brief description of the new search filter.

This description helps you remember what the filter is for, and describes it to other users if you shared the filter.

6. Select a search filter option and enter the search filter criteria (see Search Filter Options below).

For this example we will select the following option and a single filter criterion:

a. Select the radio button Use Exact Phrase.

b. Enter $username in the Use Exact Phrase text field.

7. Click .


Figure 83 Adding a Search Filter - Steps 3 - 7

Note: When adding the very first Search Filter to the Appliance, you may see the message “There is no Search Filter defined in the system” immediately after clicking Add. Refresh the Appliance memory by clicking Regular Expression Search in the navigation menu; then click Search Filters in the menu, and your new Search Filter will appear in the list.

Figure 84 Search Filter Added

Search Filter Options

There are four types of search expressions you can use when adding a search filter.

Table 20 Search Filter Comparison

Filter Type         Search Criteria                           Use Pre-Defined RegEx Filters   Where Filter Is Used
Use Words           A word, or two words with AND/OR          Yes                             RegEx Search, Alerts, Real-Time Viewer
Use Exact Phrase    A phrase                                  Yes                             RegEx Search, Alerts, Real-Time Viewer
Regular Expression  Regular expression                        Yes                             RegEx Search, Alerts, Real-Time Viewer
Boolean Expression  Keyword search using Boolean expressions  No                              Index Search and Index Report


Note: Custom reports allow whichever filter types apply to the custom report’s contents. For example, a custom report saved from an Index Search allows Boolean search filters. When creating a search filter to be used for index search/index report, make sure to choose the Boolean expression as filter type.

Use Words

Type a word as your search criteria. If you type more than one word, you can use the AND/OR drop-down menu.

To specify any string of characters, use wildcards (*). For example, RADI*UDP would match the RADIUS opened UDP handle string.

Use Exact Phrase

Type a phrase as your search criteria. The Appliance searches for strings including the phrase you specify.

To specify any string of characters, use wildcards (*). For example, RADI*UDP would match the RADIUS opened UDP handle string.

You can also define a parameter field using $fieldname. For example, $username $zipcode $phone displays text entry fields when you select the search filter in the RegEx Search tab. Field names with spaces in them display only the first word in the RegEx Search tab. For more information, see Adding Additional Parameters to a Pre-Defined Regular Expression Search Filter on page 101.

Regular Expression

Type a regular expression as your search criteria; that is, a single character, a string of characters, or a string of numbers. A regular expression (RegEx) is a pattern that is matched against a subject string from left to right. Most characters stand for themselves in a pattern and match the corresponding characters in the subject.

The power of regular expressions comes from the ability to include alternatives and repetitions in the pattern. These are encoded in the pattern by use of metacharacters which, instead of standing for themselves, are interpreted in a special way.

Note: Avoid using a regular expression when a non-regular expression alternative is available. Regular expressions are almost always less effective and more error prone than non-regular expressions. For instance, instead of using the regular expression ^[^:]*://.*\.loglogic\.com/.*$ you should write url.domain=loglogic.com.

You can use a wildcard symbol (*) in searches, but its meaning differs: in a RegEx search, * matches the preceding element zero or more times, rather than standing for any string of characters as it does in Use Words and Use Exact Phrase.

Once you add a regular expression, the values you enter are stored as parameters in the database. To use this regular expression with alerts, Real-Time Viewer, or RegEx Search, select the Pre-Defined radio button.

If you are creating a search filter for an alert, the search filter must be a RegEx expression.


Boolean Expression

Type a keyword search that uses Boolean operators such as AND, OR, or NOT. For example:

“Portmapped translation built for gaddr” and NOT 155.363.777.53

This searches indexed data only. Indexing increases performance when searching unparsed data. It is most effective when used to find a rare occurrence of a string.

In addition to entering a keyword, you can also type:

Numbers and words which are three or more characters

Terms under three characters, preceded by =. For example, for terms such as user=a or priority=7 the a and 7 are indexed.

The Boolean Expression field is visible only if you enable Full Text Indexing from the General Settings tab. You cannot use Advanced Options with Boolean Search.

Your Boolean expression should be no longer than 1024 characters in length.

For more on using Boolean search strings, see the Search Strings topic in the Online Help.
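The following Python script is an added example; it is not part of this guide or of the LogLogic software. It applies the Boolean rules described above (AND, OR and NOT in any case, quoted phrases, the three-character indexing rule with its key=value exception, and the 1024-character limit) to four constructed log lines, using the guide's own example expression as the first query. Two points are assumptions of the example rather than statements from the guide: the precedence NOT > AND > OR, and the treatment of two adjacent terms with no operator between them as an AND.

```python
import re

# Limits quoted from the guide: an expression is at most 1024 characters, and a
# bare term is indexed only if it has three or more characters; shorter values
# are indexed only as the value of a key=value pair (user=a, priority=7).
MAX_EXPRESSION_LENGTH = 1024
MIN_TERM_LENGTH = 3
TOKEN_RE = re.compile(r'"([^"]*)"|“([^”]*)”|([^\s"“”]+)')  # quoted phrase or bare term


def is_indexable(term):
    """True if a bare term would be present in the full-text index."""
    if "=" in term:
        key, _, value = term.partition("=")
        return bool(key) and bool(value)
    return len(term) >= MIN_TERM_LENGTH


def tokenize(expression):
    """Split an expression into (kind, text) tokens, kind being PHRASE, TERM or OP."""
    if len(expression) > MAX_EXPRESSION_LENGTH:
        raise ValueError("expression exceeds %d characters" % MAX_EXPRESSION_LENGTH)
    tokens = []
    for m in TOKEN_RE.finditer(expression):
        if m.group(3) is None:                              # quoted phrase, quotes dropped
            tokens.append(("PHRASE", m.group(1) if m.group(1) is not None else m.group(2)))
        elif m.group(3).upper() in ("AND", "OR", "NOT"):    # operators in any case
            tokens.append(("OP", m.group(3).upper()))
        else:
            tokens.append(("TERM", m.group(3)))
    return tokens


def parse(tokens):
    """Recursive-descent parser, precedence NOT > AND > OR, returning a tuple AST.
    Assumption (the guide does not say): adjacent terms with no operator are ANDed."""
    pos = [0]

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else (None, None)

    def take():
        pos[0] += 1
        return tokens[pos[0] - 1]

    def atom():
        kind, text = peek()
        if (kind, text) == ("OP", "NOT"):
            take()
            return ("NOT", atom())
        if kind == "TERM" and not is_indexable(text):
            raise ValueError("term %r is under %d characters and is not indexed" % (text, MIN_TERM_LENGTH))
        if kind in ("TERM", "PHRASE"):
            return ("MATCH", take()[1])
        raise ValueError("expected a term or phrase, got %r" % (text,))

    def and_expr():
        node = atom()
        while peek()[0] is not None and peek() != ("OP", "OR"):
            if peek() == ("OP", "AND"):
                take()
            node = ("AND", node, atom())
        return node

    def or_expr():
        node = and_expr()
        while peek() == ("OP", "OR"):
            take()
            node = ("OR", node, and_expr())
        return node

    return or_expr()


def contains(message, text):
    """Case-insensitive match of a term or phrase as a whole token of the message."""
    pattern = r"(?<![\w.=])" + re.escape(text) + r"(?![\w.=])"
    return re.search(pattern, message, re.IGNORECASE) is not None


def evaluate(node, message):
    if node[0] == "MATCH":
        return contains(message, node[1])
    if node[0] == "NOT":
        return not evaluate(node[1], message)
    left = evaluate(node[1], message)
    right = evaluate(node[2], message)
    return (left and right) if node[0] == "AND" else (left or right)


def search(expression, messages):
    """Return the messages that satisfy the expression, in input order."""
    ast = parse(tokenize(expression))
    return [m for m in messages if evaluate(ast, m)]


# Constructed sample messages (not from the guide); the gaddr value in the first
# line is the literal used in the guide's own example expression.
SAMPLE_MESSAGES = [
    "Jan 10 10:01:02 fw1 pix: Portmapped translation built for gaddr 155.363.777.53/1024 laddr 10.1.1.5/1024",
    "Jan 10 10:01:03 fw1 pix: Portmapped translation built for gaddr 198.51.100.7/2048 laddr 10.1.1.9/2048",
    "Jan 10 10:01:04 host3 sshd[411]: Accepted password for user=a from 10.1.1.22 port 5000",
    "Jan 10 10:01:05 host3 cron[77]: job finished priority=7 status=ok",
]
```

Running search('“Portmapped translation built for gaddr” and NOT 155.363.777.53', SAMPLE_MESSAGES) returns only the second line, and a bare term such as a (under three characters and not part of a key=value pair) is rejected at parse time rather than silently matching nothing, which is the behaviour to expect from an index that never stored it.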

Putting Your Logins Search Filter to Work

Complete the following steps to start using your Logins search filter:

1. Select Regular Expression Search from the navigation menu.

2. On the RegEx Search Filter tab that appears, select the Pre-Defined radio button.

3. In the Pre-Defined text field (Select Expression), click the drop-down menu arrow, select Logins search, and click on the filter name. The filter form reloads and now displays “Logins search” in the Pre-Defined text field (see Figure 30, below).


Figure 85 Adding a Pre-Defined Search Filter to RegEx Search Filter


Note that because you specified the parameter $username in the Use Exact Phrase text field when you defined your Logins search filter, the Appliance has opened a new text box next to username in which you may further define the type of user to search for.

4. Enter “admin” in the username text field to search for that class of user alone, or enter the wildcard * to search for logins from all users.

5. Select a Start Time to run your Logins search (immediately in this example).

6. Enter a name for your search in the Search Name text field.

7. Click the Save Custom Report menu expansion arrow and enter a Report Name and Report Description, and select whether to Share with Others.

8. Click Save Report.

9. Click Run.

Figure 86 Report of Logins by username admin

10. Click the number of matches to see the detailed report of the logins by username admin.

Figure 87 Detailed Report of Logins by username admin


Adding Additional Parameters to a Pre-Defined Regular Expression Search Filter

As shown above, when creating a pre-defined search filter, you can define a parameter field using the expression $fieldname. The value you enter in the parameter replaces $field. In our example, we chose $username as our expression, and typed admin into the User Name field. This caused the regular expression search to return admin users wherever $username was specified.

The maximum length for each $field is 25 characters. Regular expressions can be up to 255 characters in length.

This feature applies only to the Use Exact Phrase search filter and Regular Expression search.
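The following Python script is an added example; it is not from this guide or from LogLogic. It models how a pre-defined filter containing $fields is expanded once values are typed into the generated text boxes: the 25-character limit per $field value, the 255-character limit per regular expression, the first-word rule for field names with spaces, and the difference between the Use Words/Use Exact Phrase wildcard (RADI*UDP, as in the Use Words and Use Exact Phrase descriptions above) and a Regular Expression template. The sample messages are constructed, and the rule that a typed value is always literal text plus * wildcards (so that a value can never alter the structure of a Regular Expression filter) is an assumption of the example, not something the guide states.

```python
import re

# Limits quoted from the guide: 25 characters per $field value, 255 per regular expression.
MAX_FIELD_VALUE_LENGTH = 25
MAX_REGEX_LENGTH = 255
# A $field name is one word, so "$user name" yields the field "user" plus the
# literal text " name" (the guide: names with spaces show only the first word).
FIELD_RE = re.compile(r"\$(\w+)")


def parameter_fields(template):
    """Names of the $fields in a pre-defined filter, in the order their text boxes appear."""
    return FIELD_RE.findall(template)


def wildcard_to_regex(text):
    """Use Words / Use Exact Phrase semantics: '*' matches any string, everything
    else is literal. RADI*UDP therefore becomes RADI.*UDP."""
    return ".*".join(re.escape(part) for part in text.split("*"))


def expand_filter(template, values, filter_type="exact_phrase"):
    """Substitute the user's values into a pre-defined filter and compile the
    pattern the search would run.

    Assumption (the guide does not specify this): a value typed into a $field
    box is always treated as literal text plus '*' wildcards, for both filter
    types, so a value can never change the structure of a Regular Expression
    filter. Only the template of a 'regex' filter is interpreted as a regex."""
    if filter_type not in ("exact_phrase", "regex"):
        raise ValueError("parameters apply only to Use Exact Phrase and Regular Expression filters")
    missing = [f for f in parameter_fields(template) if f not in values]
    if missing:
        raise ValueError("no value supplied for: %s" % ", ".join(missing))
    pieces = []
    for i, part in enumerate(FIELD_RE.split(template)):   # literal, name, literal, name, ...
        if i % 2 == 1:
            if len(values[part]) > MAX_FIELD_VALUE_LENGTH:
                raise ValueError("value for $%s exceeds %d characters" % (part, MAX_FIELD_VALUE_LENGTH))
            pieces.append(wildcard_to_regex(values[part]))
        elif filter_type == "exact_phrase":
            pieces.append(wildcard_to_regex(part))
        else:
            pieces.append(part)                              # already a regular expression
    pattern = "".join(pieces)
    if filter_type == "regex" and len(pattern) > MAX_REGEX_LENGTH:
        raise ValueError("regular expression exceeds %d characters" % MAX_REGEX_LENGTH)
    return re.compile(pattern, re.IGNORECASE)


def run_filter(template, values, messages, filter_type="exact_phrase"):
    """Return the messages matched by the expanded filter, in input order."""
    regex = expand_filter(template, values, filter_type)
    return [m for m in messages if regex.search(m)]


# Constructed sample messages (not from the guide): user, zip code, phone number.
SAMPLE_MESSAGES = [
    "Jan 10 09:00:01 app1 login: admin 94301 555-0100 session opened",
    "Jan 10 09:00:02 app1 login: alice 94301 555-0101 session opened",
    "Jan 10 09:00:03 app1 login: admin 10001 555-0199 session opened",
    "Jan 10 09:00:04 app1 logout: admin session closed",
]
```

With the template $username $zipcode $phone and the values admin, * and *, the expanded pattern also matches the logout line, because a * wildcard matches an empty string; narrowing zipcode to 94301 leaves only the first line. Escaping the typed values matters because search filters can be shared Read Write with other users: a value is data supplied at run time, and keeping it literal means it cannot turn a shared Regular Expression filter into a different pattern.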

Creating a Multi-Parameter Pre-Defined Regular Expression Search Filter

In the following example we will build on our single-parameter Logins search filter by adding two additional parameters: $zipcode and $phone.

1. Create a new pre-defined search filter exactly as the example Logins search filter we created above, except this time type $username $zipcode $phone in the Use Exact Phrase field.

2. Name your new search filter “Multi-parameter search” and click Add.

Figure 88 Add Multi-parameter Search Filter


Note: This time the new search filter appeared immediately after clicking Add, and both search filters are displayed in the list.

3. Select Search > Regular Expression Search, and select the Pre-Defined radio button; then select the pre-defined search filter that you just created (Multi-parameter search) from the drop-down menu.

4. The new form reloads, displaying each text field that corresponds to each new $field (search parameter) you will define for this new search filter. The maximum length for each $field is 25 characters.

5. Click Save Custom Report at the bottom of the form, and enter a report name and description.

6. Click Save Report.

7. Type $username $zipcode $phone in the Use Exact Phrase field.


Figure 89 Add Parameters to Multi-parameter Search Filter

In this example we typed $username $zipcode $phone in the Use Exact Phrase field. The Appliance generated a text field in the search form for the part after the $. We typed admin in the username field, and used the wildcard * in the zipcode and phone fields to return the maximum number of user logins.

We elected to Save Custom Report, and named it Multi-parameter search, and we selected Schedule to run immediately for the Hourly Period: Last 24 Hours. See the results of our multi-parameter search filter query in Figure 90.


The detailed Multi-parameter Search Report is revealed by clicking the number of matches returned by the search (see the arrow at the bottom of the top figure).

Note: You can define this parameter for the Use Exact Phrase or Regular Expression fields from the Add or Modify page for any search filter.

Figure 90 Multi-parameter Search Filter Results and Report

8. Click the Finished Searches tab to see the results of the Parameter Search.

Modifying a Search Filter

In the second example above we created a new search filter and added two more search parameters: $zipcode and $phone. As an alternative, we could have modified the first search filter we created, “Logins by username admin”. In the example below, you will see how to modify an existing search filter (assuming you no longer want to retain the original filter configuration).


To modify an existing search filter

1. Select Search > Search Filters from the navigation menu.

2. Click on the name of the filter you want to change.

The Modify Search Filter tab appears with the same options as Adding a Search Filter on page 95.

3. Modify the search filter name, description, filter options and criteria, or sharing with other users as needed.

Now we think that IP address would be more valuable to us than zipcode and phone, so we elect to modify our multi-parameter search filter to suit our new needs. We could also simply delete the filter and create a new one.

4. Click to modify the search filter.

Figure 91 Modify Search Filter

Figure 92 New Multi-parameter Search Filter

5. Select Regular Expression Search from the navigation menu.

6. Click the Pre-Defined radio button on the RegEx Search Filter tab.


7. Select Multi-parameter search from the drop-down menu in the Select Expression field (but do not enter search parameters until you complete Step 8 below).

8. Click the Save Report button at the bottom of the form and enter a new report name and description. Click Save Report.

9. Return to the search parameter text fields and enter your new parameters (username = admin, and ipaddress = wildcard *).

10. Click Run.

11. Click Finished Searches and then click the number of matches returned to see the results.

Figure 93 New Multi-parameter Search Results


Viewing Archived Data

Administration > Data Files lets you view all archived data files.

Figure 94 Archived Data Files

Because data files are compressed, you must save them to a local machine and decompress them for viewing. When you click a Data File Name, the Appliance initiates a file download to your local system.

Viewing Archived Data Files

The Data Files page lists all archived data files. The Appliance archives data on an ongoing, hourly basis. To download and view a data file, click its file name.

To view a Data File

1. To limit the list of data files by time, select the year, month, day, and time to view.

2. Click on the Data File Name for the file you want to view.

The Appliance downloads the data file to your local machine.

3. Unzip the downloaded file.

4. Open the downloaded file in a text editor.

For information about each data file on the Data Files page, see the online Help.


Figure 95 Data File Download

Verifying the SHA Digest on Data Files

LogLogic lets you verify the integrity of your data files by verifying that the SHA Digest has not changed since the LogLogic Appliance captured the data. Use the Data Files page to verify the SHA Digest. Releases 4.9 and 5.0 support both SHA-256 and MD5 SHA Digests. Releases prior to 4.9.0 support only the MD5 SHA Digest. (See the CLI section of the LogLogic Administration Guide for information on setting the Appliance Digest.)

Note: To further ensure the integrity of data on an ST Appliance, consider using a WORM (write once read many) storage server such as Network Appliance’s SnapLock. For more information on using SnapLock with LogLogic ST Appliances, see the LogLogic Administration Guide.

To verify the SHA Digest on data files

1. In the navigation menu, click Administration > Data Files.

The Data Files page appears.

2. Click the checkbox to the left of each data file to verify.

3. Click Verify to start the verification process.

When verification completes, a flag appears in the Digest Verified column:

A green flag indicates successful verification of the data file's Digest. The timestamp next to the green flag identifies the date and time the verification succeeded.

A red flag indicates failed verification. Mouse over the failure message for more information on the reason. A failure can mean:

The file was modified. Mouse over the failure to view the new Digest.

The file is no longer accessible. The file might be inaccessible for various reasons, such as the file's location having changed, or the network connection being down while the file is on a storage server such as a NAS or Centera.


Note: The verification process has a low priority in the Appliance. If the system is busy processing log data, the verification process might take longer than expected.
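The following Python script is an added example; it is not part of this guide or of the LogLogic Appliance. It reproduces the three outcomes of the verification described above (verified, modified, inaccessible) for a downloaded data file whose digest was recorded at capture time, using SHA-256 by default and MD5 only for archives written by releases that support nothing else. The file name and contents are constructed, and keeping the recorded digest apart from the file it describes (so that whoever can change the file cannot also rewrite its digest) is the example's assumption about how such a check is set up.

```python
import hashlib
import hmac
import os
import tempfile

# Digest algorithms the guide names. SHA-256 is the one to use where the release
# supports it; MD5 is kept only for archives written by releases that offer
# nothing else, since MD5 collisions can be manufactured.
SUPPORTED_DIGESTS = {"sha256": hashlib.sha256, "md5": hashlib.md5}


def compute_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hex digest of a file, read in chunks so large archives need not fit in memory."""
    if algorithm not in SUPPORTED_DIGESTS:
        raise ValueError("unsupported digest algorithm: %s" % algorithm)
    digest = SUPPORTED_DIGESTS[algorithm]()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_data_file(path, recorded_digest, algorithm="sha256"):
    """Reproduce the three outcomes shown in the Digest Verified column.

    Returns a dict whose 'status' is 'verified' (green flag), 'modified' (red
    flag; the current digest is included so the change can be investigated) or
    'inaccessible' (red flag; the file could not be read, e.g. it was moved or
    sits on a storage server that is offline)."""
    try:
        current = compute_digest(path, algorithm)
    except OSError as exc:
        return {"status": "inaccessible", "reason": str(exc)}
    if hmac.compare_digest(current, recorded_digest.lower()):
        return {"status": "verified", "digest": current}
    return {"status": "modified", "recorded": recorded_digest.lower(), "current": current}


def make_sample_file(data, name="fw1_data_file.log"):
    """Write constructed content to a fresh temporary directory and return its path."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as handle:
        handle.write(data)
    return path


def demo():
    """Walk a constructed data file through all three outcomes; returns the statuses."""
    path = make_sample_file(b"Dec  1 10:00:01 fw1 pix: Built outbound TCP connection\n")
    recorded = compute_digest(path)                   # digest taken at capture time
    statuses = [verify_data_file(path, recorded)["status"]]
    with open(path, "ab") as handle:                  # content changed after capture
        handle.write(b"Dec  1 10:00:02 fw1 pix: line appended later\n")
    statuses.append(verify_data_file(path, recorded)["status"])
    os.remove(path)                                   # file no longer where it was
    statuses.append(verify_data_file(path, recorded)["status"])
    return statuses


if __name__ == "__main__":
    print(demo())
```

demo() returns ['verified', 'modified', 'inaccessible']. The comparison is done with hmac.compare_digest rather than == so that its timing does not depend on how many leading characters of the two digests agree, and the verifier reports the current digest on a mismatch, which is the value the Data Files page shows when you mouse over a failed verification.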

Listing Archived Passive (Non-Parseable) Files

The Data Files page lists all archived data files. The Appliance archives data on an ongoing, hourly basis. To download and view a data file, click its file name.

To view a Data File

1. To limit the list of data files by time, select the year, month, day, and time to view.

2. Click on the Data File Name for the file you want to view.

The Appliance downloads the data file to your local machine.

3. Open the downloaded file in a text editor.


CHAPTER 5:

Creating and Managing Alerts

Alerts notify you of unusual traffic on the network and of anomalies detected on log sources or on the LogLogic Appliance itself.

You can create alerts specific to your monitoring needs, and use alerts that come pre-configured with Compliance Suites or Log Source Packages. You can also update existing alerts or remove them as needed.

For any alert, you can designate alert trap receivers as well as email recipients so people can receive notification of alerts via email.

Contents

Viewing and Handling Alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Managing Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Adding a New Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Modifying or Removing An Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Viewing and Handling Alerts

The Show Triggered Alerts page lists events triggered by the rules defined for this Appliance to monitor and report on. The Show Triggered Alerts page lets you:

view all alerts

filter shown alerts by alert category and priority

view all system alerts only, regardless of priority

change the alert category to Acknowledged

delete the alerts permanently

(MA or Management Station only) view alerts on a specific managed Appliance or on all managed Appliances

When an alert is triggered, Alert Viewer shows the alert category as New.

To filter and view alerts

1. Choose Alerts > Show Triggered Alerts from the home page.

The Show Triggered Alerts page is displayed. (See Figure 96 on page 112.)

2. Select the type of alerts to display from the Show drop-down menu.

All States shows all alerts in all categories.

New or Acknowledged Alerts shows only alerts in the selected category.

3. Select the alert priority to view from the second drop-down menu. The options are:

To view all system alerts regardless of priority, select All System Alerts.


4. (MA or Management Station only) Select the Appliance from which to view triggered alerts. To aggregate alerts from all managed Appliances into a single list, select All.

Figure 96 Show Triggered Alerts Page

The Show Triggered Alerts page displays the specified alerts with the details listed in Table 21.

Table 21 Alert Details

Element Description

Time Time the alert triggered.

Source IP Source IP address contained in the syslog message. If an alert is for multiple devices, Device Group is shown as the Source IP.

Priority The priority of the alert. An alert's priority is set on the Manage Alert Rules page.

Type The Log Appliance alert type. For a list of alert types, see Table 24 on page 115.

Alert Destination Email addresses, SNMP trap receivers, or syslog receivers that were notified when the alert triggered.

To page through and move alerts

To page through multiple results to your query:

Use the navigation buttons to go to the first, previous, next, or last page, respectively

Type the page number and click to view the results on a specific page

To acknowledge or remove alerts:

To move alerts to the Acknowledged category, select their checkboxes and click .

To delete selected alerts, select their checkboxes and click .

To delete all alerts permanently, regardless of priority, click .

Tip: Move an alert to the Acknowledged category once you have been notified of the alert. Remove an alert once the cause of the alert is corrected.


Managing Alerts

Manage Alert Rules lets you define rules that detect unusual traffic on your network or anomalies on the Appliance itself. You can add, modify, or remove alerts. You can configure an alert to generate SNMP traps and/or send an email notification when its rule is triggered. Each Appliance includes a default set of alerts; you can modify these alerts and add to them as needed. You do not need to set up an SNMP server for the default alerts.

Note: Users with Administrator privileges can modify or delete any Alert. If you do not have Administrator privileges, you can modify or delete only the Alerts you create.

Figure 97 Manage Alert Rules

The Manage Alert Rules page displays the following details:

Table 22 Manage Alert Rules Details

Element Description

Name Name of the alert.

Type Type of the alert.

Priority The defined priority of the alert.

Enabled Indicates whether the alert is active, or flags a missing requirement:

    You must assign a User and Alert Receiver for this alert.

    You must assign a Device for this alert.

Description Description of the alert.


Preconfigured System Alerts

System Alerts notify you when system health and status criteria exceed acceptable bounds. All LogLogic Appliances include several system alerts that are preconfigured and enabled. By default, these alerts:

Send email notifications to the Appliance admin user

Have Priority set to High

Have a reset time of 300 seconds (except TCP Forward Falling Behind, which has a default reset time of 3600 seconds)

All these alert settings can be customized as needed.

Table 23 Preconfigured System Alerts

Alert  Description  Default

System Alert - CPU temperature  The temperature of the Appliance CPU has exceeded the specified High Threshold.  70 degrees Celsius

System Alert - Disk Usage  The usage of the specified drive on the Appliance has exceeded the specified High Threshold.  90%

System Alert - Dropped Message  The number of messages dropped by the Appliance has exceeded the specified High Threshold.  10 msg/sec

System Alert - Fail Over *  A failover has occurred on the Appliance.  n.a.

System Alert - Migration Complete *  A data migration involving the Appliance has completed successfully.  n.a.

System Alert - Network Connection Speed  The speed of the network connection for the Appliance has dropped below the specified Low Threshold.  10-Half

System Alert - Network Interface  A problem occurred with the Appliance network interface.  n.a.

System Alert - RAID Disk Failure  A failure occurred on an Appliance RAID disk.  n.a.

System Alert - Synchronization Failure *  A failure occurred during log data synchronization on the Appliance.  n.a.

* Indicates a System Alert that is not available on MA product family Appliances.

Adding a New Alert

Adding an alert to the Appliance involves selecting the type of alert, enabling the alert, specifying the log sources to monitor, and specifying alert recipients (SNMP trap receivers and email user IDs).

Modifying an alert lets you change the same options that are available when adding an alert.

IMPORTANT! When setting up an alert, do not pick search expressions that contain variables. The alert treats variables literally rather than expanding them.

To add an alert

1. Choose Alerts > Manage Alert Rules from the navigation menu.

The Manage Alert Rules page appears.

2. Click . The Manage Alert Rules Type tab appears.


Figure 98 Manage Alert Rules Type Tab

3. In the Type tab, select an alert type.

Once you select an alert type, the General tab for that alert type automatically appears. The Devices, Alert Receivers, and Email Recipients tabs are enabled.

Table 24 Alert Types

Alert Type  Triggered when...

Adaptive Baseline Alert  The messages/second rate rises above, or falls below, the nominal rate for the traffic.

Note: A baseline is established one week after the alert activation time. After the baseline is established, it is adjusted every 15 minutes; the new value is averaged in with the past baseline.

Cisco PIX/ASA Messages Alert  The messages/second rate for a specific PIX/ASA message code is above or below the specified rates.

Message Volume Alert  The messages/second rate is above or below the specified rates. If you select the "Zero Message Alert" checkbox, an alert is triggered only if zero messages are received within the timespan set.

Network Policy Alert *  A network policy message is received with an Accept or Deny Policy Action.

The Appliance automatically pulls Check Point firewall rule bases via the Check Point Management Interface (CPMI), but you must still enter the rules for a Network Policy Alert manually in the Rules tab.

Parsed Data Alert  Parsed data meets the conditions specified for the alert.

Parsed Data alerts differ from other alert types; they are based on Pre-defined Search Filter alerts. See Parsed Data Alerts on page 117.

Pre-defined Search Filter Alert  A text search filter matches message fields. This uses one of the Appliance's saved RegEx Search Filters.

Ratio Based Alert  The specified message count is above or below a specified percentage of total messages. For example, "Login Success message count is fewer than 10% of total messages."

The Appliance checks for any conditions that would trigger a Ratio Based Alert every 60 seconds.

System Alert **  An Appliance system criterion is exceeded. For example, "Disk usage exceeds 80%".

By default, System Alerts are prioritized as High. You can change the priority to Medium or Low if needed.

VPN Connections Alert  A VPN connection is denied access and/or disconnected.

VPN Messages Alert  A combination of a specific VPN message area, severity, and code occurs. This alert applies to Cisco VPN and Nortel Contivity devices.

VPN Statistics Alert  Recorded statistics on VPN or RADIUS messages match relative or absolute criteria.

* The Rules tab appears for Network Policy Alerts, and is accessible only after the new alert is initially saved.

** System Alerts do not have a Devices tab.

Note: System Alert is the only type of alert that can be created on an MA Appliance. On an ST Appliance, you can create an Adaptive Baseline Alert, a Message Volume Alert, or a new System Alert. The LX Appliance can create all types of Alerts.

Tip: The Pre-defined Search Filter alert type is disabled if no search filters are defined on the Appliance. To create one, use Search Filters to add the filter. A search filter used by an alert can contain a RegEx expression only.

4. Set up the alert in the General tab.

Options on the General tab vary depending on the alert type. For a complete list of options for a specific alert type, see the Online Help for that alert type. These steps include the typical options:

a. Enter a Name for the alert.

b. Set the alert Priority. (High is the default.)

c. Select to Enable the alert. This enables the alert once you click .

d. (Optional) Enter a specific SNMP OID to further identify the alert.

For example, a distinct OID lets the receiving administrator or trap receiver tell that every trap carrying this OID originates from a specific device and alert.

e. Enter a Description for the alert.

Tip: Enter a name and description unique enough to easily identify the alert in a large list.

5. Specify log sources for the alert in the Devices tab.

All the log sources on the Appliance are listed in Available Devices. When you move a device to the Selected Devices section, the alert you are configuring is activated for that device. You can define different alerts for different devices.

Select the Track all devices individually checkbox to generate an independent alert message for each selected device. The reset time still applies to the group as a whole, and you change the alert properties for the whole device group through this one alert.


Note: When configuring any alerts (except for System Alerts) on logs transferred using LogLogic TCP, the alert reporting can be slightly less than real-time. Because LogLogic TCP sends data in chunks that the Appliance incrementally merges, an alert can appear anywhere between real-time and up to 5 minutes later. As a result, for example, Message Volume rates can be determined when averaging over a 5 minute or greater increment, but do not provide meaningful averages for smaller timespans. For Cisco PIX/ASA Messages alerts, the Timespan setting should be at least 300 seconds.
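The following is an added worked example, not code from the guide or from LogLogic: it evaluates a Message Volume Alert and a Ratio Based Alert (as described in Table 24) over a stream of timestamped messages, checking once every 60 seconds and applying a reset time that silences repeat notifications. The sliding-window arithmetic, the way the reset time is applied, the rule names and the sample message stream are all assumptions made for this example; the timespan of 300 seconds follows the 5-minute guidance in the note above.

```python
"""Added example (not LogLogic code): evaluate Message Volume and Ratio Based
alert rules over timestamped messages, with a reset time that suppresses
repeat notifications. Windowing, check cadence and sample data are assumptions."""
from collections import deque


class WindowedAlert:
    """Common machinery: a sliding window of (timestamp, flag) pairs over
    `timespan` seconds and a reset time that silences repeat notifications."""

    def __init__(self, name, timespan, reset_seconds=300):
        self.name, self.timespan, self.reset_seconds = name, timespan, reset_seconds
        self.items = deque()
        self.last_fired = None

    def observe(self, ts, text):
        self.items.append((ts, self.flag(text)))

    def flag(self, text):
        return False

    def check(self, now):
        # Drop everything older than the timespan, then ask the rule.
        while self.items and self.items[0][0] <= now - self.timespan:
            self.items.popleft()
        detail = self.evaluate(list(self.items))
        if detail is None:
            return None
        # Reset time: an alert that fired less than reset_seconds ago stays quiet.
        if self.last_fired is not None and now - self.last_fired < self.reset_seconds:
            return None
        self.last_fired = now
        return "%s: %s" % (self.name, detail)


class MessageVolumeAlert(WindowedAlert):
    """Messages/second above `high` or below `low`; with zero_message=True,
    only when no message at all arrived within the timespan."""

    def __init__(self, name, timespan, low=None, high=None, zero_message=False, **kw):
        WindowedAlert.__init__(self, name, timespan, **kw)
        self.low, self.high, self.zero_message = low, high, zero_message

    def evaluate(self, items):
        rate = len(items) / float(self.timespan)
        if self.zero_message:
            breached = not items
        else:
            breached = ((self.high is not None and rate > self.high) or
                        (self.low is not None and rate < self.low))
        return "%.2f msg/sec" % rate if breached else None


class RatioBasedAlert(WindowedAlert):
    """Messages matching `predicate` fewer than `min_percent` of all messages."""

    def __init__(self, name, predicate, min_percent, timespan, **kw):
        WindowedAlert.__init__(self, name, timespan, **kw)
        self.predicate, self.min_percent = predicate, min_percent

    def flag(self, text):
        return self.predicate(text)

    def evaluate(self, items):
        if not items:
            return None
        pct = 100.0 * sum(1 for _, hit in items if hit) / len(items)
        return "%.1f%% of %d messages" % (pct, len(items)) if pct < self.min_percent else None


def run(alerts, messages, check_every=60):
    """Feed (timestamp, text) messages in time order, evaluating every rule
    each check_every seconds (the guide's 60-second Ratio Based cadence), and
    return the notifications that would be sent."""
    fired, next_check = [], messages[0][0] + check_every
    for ts, text in messages:
        while ts >= next_check:
            fired += [n for n in (a.check(next_check) for a in alerts) if n]
            next_check += check_every
        for a in alerts:
            a.observe(ts, text)
    fired += [n for n in (a.check(next_check) for a in alerts) if n]
    return fired


def default_rules():
    return [
        MessageVolumeAlert("Volume above 3 msg/sec", timespan=300, high=3.0),
        RatioBasedAlert("Login Success below 10%", lambda t: t == "Login Success",
                        min_percent=10.0, timespan=300),
    ]


def sample_messages():
    """Constructed stream (not real appliance data): 10 minutes at 1 msg/sec,
    half of them successes, then 2 minutes of 20 failures per second."""
    msgs = [(ts, "Login Success" if ts % 2 == 0 else "Login Failure") for ts in range(600)]
    msgs += [(ts + i / 20.0, "Login Failure") for ts in range(600, 720) for i in range(20)]
    return msgs


if __name__ == "__main__":
    for line in run(default_rules(), sample_messages()):
        print(line)
```

Both rules fire once when the burst enters the 300-second window; the check one minute later also finds both conditions breached, but the reset time suppresses the second notification. This is the behaviour a practitioner should expect from a reset time: it bounds notification volume during a sustained condition, and it also means a second, distinct breach inside the reset period is not reported.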

6. Specify SNMP trap receivers for the alert in the Alert Receivers tab.

You can define alerts for both SNMP trap receivers and email users, or for SNMP trap receivers only. The Alert Receivers tab lists all the SNMP trap and syslog receivers configured for the Appliance. Configure SNMP trap receivers and syslog receivers (Alerts > Alert Receivers) before you can select them here.

7. Specify people to receive alerts via email in the Email Recipients tab.

Note: Email messages that include an alert are limited to 1024 bytes. Any additional alert text is truncated in the email message.

You can define alerts for both users and SNMP traps or for users only. Available Users lists all the users available for the Appliance.

For more information about adding users, see the LogLogic Administration Guide.

8. Click to add the new alert to the Appliance.

Note: The Devices, Alert Receivers, and Email Recipients tabs list disabled log sources, receivers, or recipients marked as (disabled). Disabled entries are ignored during processing, but are listed in these tabs so they’re automatically present when enabled again (via the Manage Devices, Alerts > Alert Receivers, or Manage Users tabs, respectively).

Parsed Data Alerts

Parsed Data alerts are created differently from other alert types. There is no Parsed Data alert type to select in the interface; its creation is based on a Pre-defined Search Filter alert.

1. Create a Pre-defined Search Filter:

a. Name the filter.

b. For filter type, select Use Exact Phrase.

c. For the DB table, specify _table=<table name>. (Only one _table= entry is allowed.)

d. Specify the columns and values to match as name=value pairs separated by commas. For example:

_table=Authentication,actionID=2,statusID=4

2. Create a Pre-defined Search Filter alert:

a. Name the Search Filter alert with a prefix _parsed_. For example, _parsed_Login Failure.

b. Select the Pre-defined Search Filter you created for this alert.

Usage notes:

Parsed data alerts apply only to messages from configured log sources.

Parsed data alerts apply only to the tables configured in the alert.


Do not configure the same alert for both real-time and pulled data files. Create separate alerts for each, with the same search expression.
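The following is an added example, not code from the guide or from LogLogic: it parses a Parsed Data filter expression of the form shown above (one _table= entry followed by comma-separated column=value pairs) and evaluates it against parsed records. The match semantics (every pair must equal the record's value exactly, and the record must come from the named table), the record layout, and the column values in the sample rows are assumptions for this example, not the appliance's schema.

```python
"""Added example (not LogLogic code): parse and evaluate a Parsed Data alert
filter. Syntax follows the guide; match semantics and records are assumptions."""
import re
from collections import Counter

# One entry: an identifier, '=', and the value (Use Exact Phrase semantics).
PAIR_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_filter(expr):
    """Split '_table=T,col=val,...' into (table, {col: val}).

    Raises ValueError for a missing, duplicated or malformed entry, which is
    exactly the case the guide warns about (only one _table= is allowed).
    """
    table = None
    conditions = {}
    for raw in expr.split(","):
        m = PAIR_RE.match(raw.strip())
        if not m:
            raise ValueError("malformed filter entry: %r" % raw)
        key, value = m.group(1), m.group(2)
        if key == "_table":
            if table is not None:
                raise ValueError("only one _table= entry is allowed")
            table = value
        else:
            conditions[key] = value
    if table is None:
        raise ValueError("filter must name a DB table with _table=")
    return table, conditions


def matches(record, table, conditions):
    """True when the record is from `table` and every column equals its value
    (assumed semantics: conjunctive, exact string comparison)."""
    if record.get("_table") != table:
        return False
    return all(str(record.get(col)) == val for col, val in conditions.items())


def evaluate(expr, records):
    """Return the records that would trigger a Parsed Data alert for `expr`."""
    table, conditions = parse_filter(expr)
    return [r for r in records if matches(r, table, conditions)]


# Constructed sample rows; column names and code values are assumptions,
# not a real LogLogic table layout.
SAMPLE_RECORDS = [
    {"_table": "Authentication", "actionID": 2, "statusID": 4, "user": "alice", "src": "10.0.0.5"},
    {"_table": "Authentication", "actionID": 2, "statusID": 1, "user": "alice", "src": "10.0.0.5"},
    {"_table": "Authentication", "actionID": 2, "statusID": 4, "user": "bob", "src": "10.0.0.9"},
    {"_table": "NetworkPolicy", "actionID": 2, "statusID": 4, "user": "-", "src": "10.0.0.9"},
]

if __name__ == "__main__":
    hits = evaluate("_table=Authentication,actionID=2,statusID=4", SAMPLE_RECORDS)
    for hit in hits:
        print("_parsed_Login Failure:", hit["user"], "from", hit["src"])
    print(Counter(h["user"] for h in hits))
```

The parser rejects a second _table= entry rather than silently taking the last one, which is the safer failure for an alert definition: a filter that quietly matched the wrong table would produce no alerts and no error.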

Modifying or Removing An Alert

You can modify alert settings or remove alerts from the Manage Alert Rules page. The same tabs appear as when you add an alert (see Adding a New Alert on page 114).

To edit, or remove an existing alert rule

1. Click the alert name in the Name column.

Figure 99 Access the Alert Rule

The General tab appears.

Figure 100 View or Edit the Settings for an Alert Rule

2. Review the settings for the Alert Rule on the General tab, the Alert Receivers tab, and the Email Recipients tab. Change the settings and click Update to save them, or click Cancel to keep the existing settings.

3. To remove an existing alert, click the alert’s checkbox (see Figure 99) and then click . The Remove Alerts tab appears, where you can confirm or cancel the removal.


CHAPTER 6:

Generating Real-Time Reports

Real-Time Reports let you search and generate reports for monitoring various real-time activities derived from the log data that is collected from your log sources. Each Real-Time Report category contains multiple specific reports.

The Real-Time Reports are a central component to LogLogic’s Agile Reporting, which lets you quickly view detailed information about your collected log data, catered to your specific needs.

Real-Time Reports can take longer than Saved Reports because they run against all up-to-the-minute raw log data, not against stored summarized log data.

Real-Time Reports capture all hits in collected raw log data that meet the report's criteria.

Contents

Preparing a Real-Time Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Access Control Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Network Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Database Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Operational Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

IBM i5/OS Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

Threat Management Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

Mail Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Policy Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

Table 25 Real-Time Report Categories - Advanced Options

Report Category Reports Provide Page

Access Control The number of times a log source executes an authentication rule page 135

Network Activity Information about connections on a log source page 142

Database Activity Various events occurring on database log sources page 154

Operational Information about syslog messages on log sources page 160

IBM i5/OS Activity Various events occurring on IBM i5/OS log sources page 165

IDS/IPS Activity Information about IDS/IPS systems page 168

Mail Activity Information about mail-related activities on mail server log sources page 169

Policy Information about policies exercised on a log source page 174


Preparing a Real-Time Report

Figure 101 Reporting Tools

To generate a Real-Time Report, refer to the procedure and illustrations shown in Generating a Report—An Example on page 122.

Select a Source or Sources and Search Filters

1. In the navigation menu under Reports, select the category and type of report to generate.

2. Click Create Report to open the Properties window.

3. Under Add Log Sources, click the down arrow next to Select and pick a filter (Name, IP Address, Group or Type) to filter returns.

4. If desired, add a second filter by clicking the + sign and repeating Step 3 as often as you like.

5. To delete a filter, click the - sign to remove the last selection made (repeat if needed). Do not click Cancel unless you want to cancel your report.

6. Click <<Add as a rule, and enter a name in the text field of the dynamic rule pop-up.

7. Click OK to add the selected source and filters to the left-hand pane.

8. Select a device name (or names) by clicking its name or the checkbox next to it.

9. Click <<Add selected log sources to add devices from the selected source to which you want to apply the filters when running the report.

10. Click Run to initiate a report of the selected source and devices with the filters you chose in Step 3.

Schedule and Run a Report

1. When you click Run in Step 10, the Date and Time Range Picker pops up, with Last Hour as the default setting. Click the down arrow next to Last Hour to reveal several other options (Last 2, 3, 6, 12, 18 or 24 Hours; Today; Yesterday).


2. To select a different date range, click the small calendar icon to the right of the current Date and Hour display and choose any month and day for the start of the report period. Move to the right and click the second small calendar icon to choose any month and day for the end of the report period.

3. Click Run again to execute the report.

Resize & Move Columns, Create Charts, Print and Download a Report

1. On the results page, you may resize and move the columns to the positions you prefer by clicking on them and dragging.

2. To see detailed information for a particular Source Device, click the number of returns for the device in the Counts column.

3. Click <back to summarized results and then click Display Chart. Both Pie and Bar charts are available. The chart segments can be highlighted by mousing over them. Right-clicking on the chart or segments opens a print menu.

4. Reports may be downloaded in CSV, PDF, or HTML format by clicking on the icons below the Display Chart button.

Modify Report Settings and Schedule

1. Clicking the Edit Settings button pops up a Properties window again, this time allowing you to Add Columns and Filters if desired.

2. Enter your selections for Add Columns and Filters (if any) and click Save As.

3. Enter a name and description for the report in the pop-up. Select Share with others if desired. Click Save & Close.

4. Click Run Again to execute your report with the new filtering criteria. The new report will appear in the list of all Saved Reports.

5. From the list of Saved Reports, you may click Run or Edit to modify the report settings of any Saved Report.

6. Click the date range (blue type at top left) to modify the timeframe for your report. Apply Selections to add them to the report, then click Save As.

7. Again, enter a name and description of the report in the pop-up. Select Share with others if desired. Click Save & Close. The new report will appear in the list of all Saved Reports.

8. To search for a particular report or report series in the Saved Reports list, click in the Name field and enter a search term.

9. Press Enter. Any report title containing the search term is highlighted; reports that do not contain the search term are hidden from the Saved Reports list. Clear the search term in the Name field and press Enter to see all Saved Reports again.

10. You may Add a Schedule for a Saved Report by clicking the report Name and then clicking "Schedule selected" at the bottom of the page.

11. You may delete a Saved Report from the list by clicking the report Name and then clicking "Remove selected" at the bottom of the page. You will see a pop-up message asking you to Confirm Deletion.


Saving a Generated Report

There are several options for saving a generated report, available from the icons at the top of the report results:

Save as CSV – Save the report data in a comma-separated .csv file, viewable in spreadsheet applications such as Microsoft Excel

View as HTML – Open the report data formatted in a new browser window or tab, from which you can also download the HTML file for archival

View as PDF – Open the report data in a PDF file, which you can save for archival

Rerunning a Saved Report

To rerun a saved report, go to home: Reports > All Saved Reports and select a previously saved report. You may click the Run icon and regenerate the report with a different time range, or click the Edit icon and change the saved report parameters before rerunning the report. All options are available, not just the ones originally selected. You may customize the new report using new filters and wildcards.

Note: Wildcard searches are supported for IP addresses and detailed messages.

Generating a Report—An Example

This example shows how to generate a Network Activity report that displays denied connection activity related to the IP addresses you select. The steps below apply to the generation of all reports on the Appliance except the Check Point Policies report, which lists current Check Point Firewall policy rules on log sources connected to your Appliance.

The other exception is All Saved Reports, which lists previous search results, saved as reports, and selected to be shared with others at the time of generation.

To generate a Denied Connections Report

1. Select Reports > Network Activity > Denied Connections from the home page menu.


Figure 102 Menu – Reports > Network Activity > Denied Connections

2. Click the Create Report button.

Figure 103 Create Report Button


3. Select the log source connected to the Appliance.

Figure 104 Select Log Source

4. Add selected device to Log Source search. Click the Run button.


Figure 105 Add Selected Log Source


5. Specify the time interval to search for data passing through the Appliance.

Figure 106 Date and Time Range Picker

6. On the Denied Connections results page, adjust the order and position of columns.

Figure 107 Denied Connections Results


7. Select Display Chart to graph the Denied Connections results. Pie chart and bar chart options are available. Mousing over the chart segments highlights the results.

Figure 108 Denied Connections Report – Pie Chart Display

8. Right-click a chart segment to print the data in the segment.

Figure 109 Pie Chart Segment Selected for Printing


Figure 110 Bar Chart Display of Denied Connections Report

9. At the top menu, select the CSV, PDF, or HTML icon to export the entire report to a file.

Figure 111 PDF Selected as Export Format


10. To choose another time to run the Denied Connections report, click the date range in the upper left section of the report. The Date and Time Range Picker opens.

Figure 112 Date and Time Range Picker

11. Click the Edit Settings button to revise columns and filters in the report.


Figure 113 Revise Columns and Filters in the Denied Connections Report

To re-run and edit settings of a previously saved report (Denied Connections):

1. Select Reports > Network Activity > Denied Connections from the Home page.


Figure 114 Saved Report – Denied Connections

2. To run the saved report, click the Run icon and then click the Run button on the Date and Time Range Picker that pops up.

Figure 115 Denied Connection Report – Date and Time Range Picker

3. After the Denied Connections report opens, click the Edit Settings button.

Figure 116 Denied Connections Report – Edit Settings Button

4. When the Edit Settings window opens, click Properties... to open the Properties Dialog pane.


Figure 117 Denied Connections Report – Edit Settings Window

Figure 118 Denied Connections Report – Edit Settings Properties Dialog Pane

5. Enter your data and click OK.

6. To add a schedule for the Denied Connections report, select the desired Timeframe using the drop-down menus in the Scheduling pane, and choose the report format (PDF, HTML, CSV).

7. Click the Add Schedule button at the bottom of the Timeframe pane to confirm the schedule for the Denied Connections report.


Figure 119 Denied Connections Report – Edit Settings Properties, Schedule Timeframe Pane

8. Click Save and Close on the Properties... window to save your entries.

9. View the saved schedule for the Denied Connections report.

Figure 120 Schedule Information Added to the Denied Connections Report

10. To make further changes to the Denied Connections report, repeat Steps 1 — 9.

Available Operators

Table 26 on page 134 lists the available filter operators.

Note: Some report columns display as empty when the actual value is either null or an empty string.

If the value is null, you can filter using --null--.

If the value is an empty string, you can filter using two single quotes ('').


Table 26 Optional Filter Operators

Operator Description

= Displays data whose value is exactly equal to the value you type.

!= Excludes data whose value is exactly equal to the value you type.

in Displays data whose value is one of the values in the list you type.

not in Excludes data whose value is one of the values in the list you type.

like Displays data that has a partial (wildcard) match to the value you type.

For example, you can type a partial IP address such as 10.2.3.* to return all IP addresses that begin with 10.2.3.

not like Excludes data that has a partial (wildcard) match to the value you type.

contain Displays data that contains the alphanumeric string you type anywhere in the value.

For example, typing 'Accessed URL' for a detailed message returns all detailed messages that contain 'Accessed URL', whether at the beginning, in the middle, or at the end.

not contain Excludes data that contains the alphanumeric string you type.

start with Displays data that begins with the alphanumeric value you type. For example, typing 'Accessed URL' for a detailed message returns only detailed messages that begin with 'Accessed URL'.

not start with Excludes data that begins with the alphanumeric value you type.

end with Displays data that ends with the alphanumeric value you type. For example, typing 'Accessed URL' for a detailed message returns only detailed messages that end with 'Accessed URL'.

not end with Excludes data that ends with the alphanumeric value you type.

regexp Displays only data that matches the regular expression you define.

not regexp Displays only data that does not match the regular expression you define.

> Displays only data whose numeric value is above the threshold you type.

< Displays only data whose numeric value is below the threshold you type.

between Displays data whose numeric value is between (inclusive) the two values you type.
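The following Python example is added here and is not part of the LogLogic Users Guide or the Appliance software. It implements the operator semantics of Table 26 and the null/empty-string filtering from the preceding note over constructed sample rows, so you can check what a clause such as like 10.2.3.* or = --null-- will and will not match before running it against a large report. The column names (src_ip, dest_port, detail, user) and the sample rows are assumptions made for the example; the Appliance performs its own matching server-side.

```python
import re
from typing import Any, Dict, Iterable, List, Tuple

# Sentinels documented in the Guide for values that display as empty.
NULL_TOKEN = "--null--"   # matches a null value
EMPTY_TOKEN = "''"        # matches an empty string

# Negated operators and the positive operator each one inverts.
NEGATED = {"!=": "=", "not in": "in", "not like": "like", "not contain": "contain",
           "not start with": "start with", "not end with": "end with",
           "not regexp": "regexp"}


def _like_pattern(pattern: str) -> "re.Pattern[str]":
    # Only '*' is a wildcard in a 'like' value; everything else is literal, so
    # the dots in 10.2.3.* cannot match arbitrary characters.
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def _as_number(text: str):
    try:
        return float(text)
    except ValueError:
        return None


def matches(value: Any, op: str, operand: Any) -> bool:
    """True if one column value satisfies one Table 26 clause."""
    negate = op in NEGATED
    base = NEGATED.get(op, op)

    if operand == NULL_TOKEN:           # explicit null test
        hit = value is None
        return not hit if negate else hit
    if value is None:                   # a null never satisfies a positive test
        return negate
    if operand == EMPTY_TOKEN:
        operand = ""
    text = str(value)

    if base == "=":
        hit = text == str(operand)
    elif base == "in":
        hit = text in {str(x) for x in operand}
    elif base == "like":
        hit = _like_pattern(str(operand)).match(text) is not None
    elif base == "contain":
        hit = str(operand) in text
    elif base == "start with":
        hit = text.startswith(str(operand))
    elif base == "end with":
        hit = text.endswith(str(operand))
    elif base == "regexp":
        hit = re.search(str(operand), text) is not None
    elif base in (">", "<", "between"):
        n = _as_number(text)
        if n is None:
            hit = False                 # non-numeric text never passes a numeric test
        elif base == ">":
            hit = n > float(operand)
        elif base == "<":
            hit = n < float(operand)
        else:
            lo, hi = operand
            hit = float(lo) <= n <= float(hi)   # inclusive, per Table 26
    else:
        raise ValueError(f"unknown operator: {op!r}")
    return not hit if negate else hit


def filter_rows(rows: Iterable[Dict[str, Any]], clauses: List[Tuple[str, str, Any]]):
    """Keep rows that satisfy every (column, operator, operand) clause."""
    return [r for r in rows if all(matches(r.get(col), op, val) for col, op, val in clauses)]


# Constructed sample rows (assumed column names, not real appliance data):
# a denied-connections style report with a free-text detail column.
SAMPLE_ROWS = [
    {"src_ip": "10.2.3.4",  "dest_port": 22,   "detail": "Accessed URL /admin", "user": "alice"},
    {"src_ip": "10.2.3.77", "dest_port": 443,  "detail": "",                    "user": None},
    {"src_ip": "10.20.3.4", "dest_port": 3389, "detail": "Login failed",        "user": "bob"},
    {"src_ip": "192.0.2.9", "dest_port": 22,   "detail": "Accessed URL /",      "user": ""},
]


def count(column: str, op: str, operand: Any) -> int:
    """Number of SAMPLE_ROWS matching a single clause."""
    return len(filter_rows(SAMPLE_ROWS, [(column, op, operand)]))


if __name__ == "__main__":
    print(count("src_ip", "like", "10.2.3.*"))                   # partial IP match
    print(count("user", "=", NULL_TOKEN), count("user", "=", EMPTY_TOKEN))
```

Note that the second and fourth sample rows both display an empty user column, yet only = --null-- selects the second and only = '' selects the fourth, which is the distinction the note above draws.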


Generating Real-Time Reports : Access Control Reports

Access Control Reports

To search for and generate reports on the number of times a selected log source executes an authentication rule, use Access Control reports.

The submenu that appears when you click home: Reports > Access Control lists which reports are available for each log source.

To access Access Control reports

Choose home: Reports > Access Control > report-name from the navigation submenu, where report-name is one of the Access Control reports.

Preparing a Real-Time Report on page 120 includes the common options that you specify for all Real-Time Reports.

Optional filter operators are different for each Access Control report, and are explained in their respective sections linked from Table 27.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 27 Access Control Reports

Report Reports Provide Page

Permission Modification Changes made to user access during a specified time interval page 136

User Access Who has connected to a log source during a specified time interval page 137

User Authentication Who is authorized to connect to a log source during a specified time interval page 138

User Created/Deleted What users are created or deleted during a specified time interval page 139

User Last Activity Activity of users during a specified time interval page 140

Windows Events Data about all log events from the Microsoft Windows operating system page 141


Permission Modification Reports

To search for and generate a report on activities related to modification of user permissions (for example, adding or deleting permissions) on selected log sources during a specified time interval, use the Permission Modification Real-Time Report.

Menu path: home: Reports > Access Control > Permission Modification

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:

For information on using the generated report, see Saving a Generated Report on page 122.

Table 28 Permission Modification Report Optional Filter Operators

Option Description

Source Device Description of the device that sent these log messages

User User who made changes

Actions Action taken to modify permission

Status Status of the change

Source IP IP address of the source host device

Source Domain Domain of the source host device

Target User User for whom modifications were made

Target IP IP address of the Appliance affected by the change

Target Domain Domain of the Appliance affected by the change

Type Type of changes made

Count Number of changes made


User Access Reports

To search for and generate a report on user activities in accessing resources (for example, service, file, directory, application) on selected log sources during a specified time interval, use the User Access Real-Time Report.

Menu path: home: Reports > Access Control > User Access

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:

For information on using the generated report, see Saving a Generated Report on page 122.

Table 29 User Access Report Optional Filter Operators

Option Description

Source Device Description of the device that sent these log messages

User User who is making the inquiry

Source IP IP address of the source host device

Source Domain Domain of the source host device

Target User User for whom inquiry is being made

Target IP IP address of the accessed Appliance

Target Domain Domain of the accessed Appliance

Action Action taken

Status Status of the connection

Type Type of connection

Count Number of connections


User Authentication Reports

To search for and generate a report on who has authenticated on selected log sources during a specified time interval, use the User Authentication Real-Time Report.

Menu path: home: Reports > Access Control > User Authentication

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only the Source Device, User, Source IP, Status, and Count.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 30 User Authentication Report Optional Filter Operators

Option Description

Source Device Description of the device that sent these log messages

User User who is making the inquiry

Source IP IP address of the source host device

Source Domain Domain of the source host device

Target User User for whom the inquiry is made

Status Status of the connection

Type Type of connection

Disconnect Reason Reason the connection was terminated

Count Number of connections


User Created/Deleted Reports

To search for and generate a report on what users have been created or deleted on selected log sources during a specified time interval, use the Users Created/Deleted Real-Time Report.

Menu path: home: Reports > Access Control > User Created/Deleted

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only the Source Device, User, Source IP, Target User, Target IP, and Count.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 31 User Created/Deleted Report Optional Filter Operators

Option Description

Source Device Description of the device that sent these log messages

User User who is making the inquiry

Source IP IP address of the source host device

Target User User for whom the inquiry is being made

Target IP IP address of the accessed Appliance

Action Action taken

Action Details Details of the action

Status Status of use

Count Number of connections


User Last Activity Reports

To search for and generate a report on the most recent activity of all users on selected log sources during a specified time interval, use the User Last Activity report.

Menu path: home: Reports > Access Control > User Last Activity

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:

For information on using the generated report, see Saving a Generated Report on page 122.

Table 32 User Last Activity Report Optional Filter Operators

Option Description

Source Device Description of the device that sent these log messages

Time Time of connection

Connection ID ID number for the connection

User User who is making the inquiry

Source IP IP address of the source host device

Target User User for whom the inquiry is being made

Target IP IP address of the accessed Appliance

Action Action taken

Action Details Details of the action

Status Status of the activity

Access Details Details of access


Windows Events Reports

To search for and generate a report on all Windows Event IDs, the number of events for each ID, and a description of each ID for selected log sources running the Microsoft Windows operating system, use the Windows Events Real-Time Report. The captured log events include, for example, application, security, and system events.

Menu path: home: Reports > Access Control > Windows Events

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only the Source Device, Event ID, and Count.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 33 Windows Events Report Optional Filter Operators

Option Description

Source Device Description of the device that sent these log messages

Event ID Numeric Windows Event ID of the logged event; the report lists each ID with its description and the number of events that carry it

User User ID on the source device

Source Domain Domain name of the source device

Target User User ID of the destination device

Target Domain Domain name of the destination device

Action Action taken

Status Status of use

Type Windows event log type in which the event was recorded (for example, application, security, or system)

Count Number of Windows events for the source device


Generating Real-Time Reports : Network Activity Reports

Network Activity Reports

To search for and generate reports on information about connections on log sources, use Network Activity reports.

The Report Information tab that appears when you click home: Reports > Network Activity lists which reports are available for each log source.

To access Network Activity reports

Choose home: Reports > Network Activity > report-name from the navigation menu, where report-name is one of the reports listed in Table 34.

Preparing a Real-Time Report on page 120 includes the common options that you specify for all Real-Time Reports.

Optional filter operators are different for each Network Activity report, and are explained in their respective sections linked from Table 34.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 34 Network Activity Reports

Report Reports Provide Page

Accepted Connections IP connections accepted by a log source page 143

Active FW Connections Current active sessions from selected firewall log sources page 144

Active VPN Connections Current active sessions through various VPN log sources page 145

Application Distribution Messages, grouped by application ports, accepted by a log source page 146

Denied Connections Connections denied by selected firewall log sources page 147

FTP Connections Syslog messages related to FTP traffic through a selected firewall log source page 148

VPN Access Number of VPN connections that the log source completed or denied page 149

VPN Sessions Data about separate invocations of devices during a specified time interval page 150

VPN Top Lists Top users and IP addresses, and statistics page 151

Web Cache Activity Locally-stored web information served during a specified time interval page 175

Web Surfing Activity Web information served during a specified time interval page 176


Accepted Connections Reports

To search for and generate a report on IP connections that were accepted by selected firewall log sources during a specified time interval, use the Accepted Connections Real-Time Report.

Note: Accepted Connections data is summarized in ten-minute and one-hour buckets. If the report time interval is less than two hours, the report is built from the ten-minute summaries; if it is more than two hours, it is built from the one-hour summaries.

Menu path: home: Reports > Network Activity > Accepted Connections

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:

Note: Column headings differ for PIX and non-PIX devices.

* Note: Under certain conditions Network Address Translation (NAT) addresses appear as 0.0.0.0 in Real-Time Reports such as the Accepted Connections Report. This is expected rather than a bug: some System Alert messages (for example, FWSM-4-106100 from the Firewall Services Module in Cisco Catalyst 6500 Series Switches) do not carry a translated (mapped) address, so there is no relevant IP address in the parsed log and the Translated IP column displays zero for those messages.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 35 Accepted Connections Report Optional Filter Operators

Option Description

Source Device Description of the device that sent these log messages

Translated IP IP address as translated by the device*

Source IP IP address of the source host (non-PIX devices only)

Destination IP IP address of the destination host device (non-PIX devices only)

Port Protocol and port number (service) of the destination host

Description Description of the port (service)

Messages Number of log messages received representing this connection

In Bytes Number of incoming bytes (Check Point Interface, Cisco PIX, and Juniper Firewall only)

Out Bytes Number of outgoing bytes (Check Point Interface, Cisco PIX, and Juniper Firewall only)

Action Accept or encrypt - Identifies if the connection was accepted or accepted with encryption (Check Point Interface only)


Active FW Connections Reports

To search for and generate a report on current active sessions through selected Cisco PIX Firewall log sources, use the Active FW Connections Real-Time Report.

The Active Firewall Connection report is generated by monitoring the start and end messages of a particular connection in progress. Connections that have generated a start message but have not yet generated an end message are assumed to be active for a period of time before being timed-out.

Menu path: home: Reports > Network Activity > Active FW Connections

In Active FW Connections reports, you must specify the log source using the screen elements in Table 36:

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:

For information on using the generated report, see Saving a Generated Report on page 122.

Note: The generated list displays in real-time. As a result, the last page of connections might be closed/no longer active by the time you scroll to the last page. This results in no data displaying in the last page of the report.

Table 36 Active FW Connections Screen Elements

Element Description

IP Address IP address for the log source

Port Port number for the log source

Protocol Protocol type (from the drop-down menu)

Table 37 Active FW Connections Report Optional Filter Operators

Option Description

Create Time Time the session began

Connection ID ID in the log message assigned to the unique connection

Protocol IP Protocol (TCP, UDP, etc.) of the connection

Global Address/Port Public (NAT’ed) IP address of the source host (IP address only)

Local Address/Port IP address of the internal host device (IP address only)

Foreign Address/Port IP address of the external host device (IP address only)

Direction Inbound or Outbound connection attempt
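As an added example (Python, not code from the Guide or the Appliance), the tracker below reconstructs the active-connection list described above from constructed Cisco ASA/PIX-style Built (302013/302015) and Teardown (302014/302016) messages: a connection is active from its Built message until its Teardown message or until an assumed timeout, and a Teardown with no matching Built is ignored. The one-hour timeout, the ISO-8601 timestamp prefix on each syslog line, the interface name inside, and the sample lines themselves are assumptions made for the example; adjust them to your firewall.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Assumption: a connection with a start message but no end message is dropped
# from the active list after this long (the Guide says such connections time
# out but does not give the interval).
ACTIVE_TIMEOUT = timedelta(hours=1)

# Assumption: the firewall's protected interface is named "inside"; the host
# on that side is the Local address and its NAT'ed address is the Global one.
INSIDE_IF = "inside"

# Cisco ASA/PIX connection start/end messages: 302013/302014 for TCP,
# 302015/302016 for UDP. Each endpoint is interface:real/port (mapped/port).
_ENDPOINT = r"(\w+):([\d.]+/\d+) \(([\d.]+/\d+)\)"
_BUILT = re.compile(
    r"^(\S+) \S+ %(?:ASA|PIX)-6-30201[35]: Built (inbound|outbound) (TCP|UDP) "
    r"connection (\d+) for " + _ENDPOINT + r" to " + _ENDPOINT
)
_TEARDOWN = re.compile(
    r"^(\S+) \S+ %(?:ASA|PIX)-6-30201[46]: Teardown (?:TCP|UDP) connection (\d+) "
)


@dataclass
class Conn:
    conn_id: int
    protocol: str
    direction: str
    create_time: datetime
    global_addr: str    # translated (NAT) address/port of the inside host
    local_addr: str     # real address/port of the inside host
    foreign_addr: str   # address/port of the host on the other side


def active_connections(lines: List[str], now: datetime) -> Dict[int, Conn]:
    """Replay start and end messages in order and return the connections that
    are still open at `now`, keyed by connection ID."""
    open_conns: Dict[int, Conn] = {}
    for line in lines:
        m = _BUILT.match(line)
        if m:
            ts, direction, proto, cid, if1, real1, map1, if2, real2, map2 = m.groups()
            if if1 == INSIDE_IF:
                local, glob, foreign = real1, map1, real2
            else:
                local, glob, foreign = real2, map2, real1
            open_conns[int(cid)] = Conn(int(cid), proto, direction,
                                        datetime.fromisoformat(ts), glob, local, foreign)
            continue
        m = _TEARDOWN.match(line)
        if m:
            # An end message for a connection whose start was never seen
            # (it began before collection did) has nothing to close.
            open_conns.pop(int(m.group(2)), None)
    # Start-without-end connections older than the timeout are assumed closed.
    return {cid: c for cid, c in open_conns.items()
            if now - c.create_time <= ACTIVE_TIMEOUT}


# Constructed syslog lines in the 302013/302014 format (not real device output).
SAMPLE_LINES = [
    "2010-12-01T08:00:00 fw1 %ASA-6-302013: Built outbound TCP connection 900 for "
    "outside:198.51.100.20/80 (198.51.100.20/80) to inside:10.0.0.6/50000 (203.0.113.6/50000)",
    "2010-12-01T10:00:00 fw1 %ASA-6-302013: Built outbound TCP connection 1001 for "
    "outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.5/51000 (203.0.113.5/51000)",
    "2010-12-01T10:00:05 fw1 %ASA-6-302013: Built inbound TCP connection 1002 for "
    "outside:192.0.2.9/40000 (192.0.2.9/40000) to inside:10.0.0.8/22 (203.0.113.8/22)",
    "2010-12-01T10:00:30 fw1 %ASA-6-302014: Teardown TCP connection 1001 for "
    "outside:198.51.100.7/443 to inside:10.0.0.5/51000 duration 0:00:30 bytes 8192 TCP FINs",
    "2010-12-01T10:00:40 fw1 %ASA-6-302014: Teardown TCP connection 850 for "
    "outside:198.51.100.9/25 to inside:10.0.0.7/52000 duration 1:10:00 bytes 100 TCP FINs",
]
NOW = datetime(2010, 12, 1, 10, 1, 0)

if __name__ == "__main__":
    for c in active_connections(SAMPLE_LINES, NOW).values():
        print(c.conn_id, c.protocol, c.direction, c.global_addr, c.local_addr, c.foreign_addr)
```

At 10:01 only connection 1002 is reported: 1001 has been torn down, 900 started two hours earlier without an end message and has timed out, and the Teardown for 850 refers to a start that was never collected. This is also why the last page of a live report can be empty by the time you reach it.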


Active VPN Connections Reports

To search for and generate a report on current active sessions through selected VPN and RADIUS log sources, use the Active VPN Connections Real-Time Report.

Menu path: home: Reports > Network Activity > Active VPN Connections

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:

For information on using the generated report, see Saving a Generated Report on page 122.

Note: The generated list displays in real-time. As a result, the last page of connections might be closed/no longer active by the time you scroll to the last page. This results in no data displaying in the last page of the report.

Table 38 Active VPN Connections Report Optional Filter Operators

Option Description

Source Device Description of the device that sent these log messages

Connections Number of log messages received representing connections


Application Distribution Reports

To search for and generate a report that summarizes accepted traffic by application ports through selected firewall log sources during a specified time interval, use the Application Distribution Real-Time Report.

Note: Application Distribution data is summarized in ten-minute and one-hour buckets. If the report time interval is less than two hours, the report is built from the ten-minute summaries; if it is more than two hours, it is built from the one-hour summaries.

Menu path: home: Reports > Network Activity > Application Distribution

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:

For information on using the generated report, see Saving a Generated Report on page 122.

Table 39 Application Distribution Report Optional Filter Operators

Option Description

Source Device Description of the device that sent these log messages

Port Port number (service) of the connection

Protocol IP protocol (TCP, UDP, etc.) of the connection

Description Description of the port (service)

Messages Number of log messages received representing this connection

Src -> Dest Bytes Number of outbound bytes sent (not for Nortel VPN)

Bar Graph Percentage of total outbound bytes represented as a bar graph

Percentage Number of outbound bytes represented as a percentage

Dst -> Src Bytes Number of inbound bytes received (not for Nortel VPN)

Bar Graph Percentage of total inbound bytes represented as a bar graph

Percentage Number of inbound bytes represented as a percentage


Denied Connections Reports

To search for and generate a report on connections denied by selected firewall log sources during a specified time interval, use the Denied Connections Real-Time Report.

Menu path: home: Reports > Network Activity > Denied Connections

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select:

The type of information the Appliance aggregates for the generated report (Table 40)

Various optional filter operators in the generated report for your Appliance (Table 41)

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following optional filter operators:

For help understanding the resulting report, see Saving a Generated Report on page 122.

Table 40 Denied Connections Report Summary Methods

Method Description

Src IP/Any --> Any/Port Aggregates records from a specific Source IP and any source port going to any Destination IP and a specific Destination port. The system derives the Source IP and Destination port from your Device Type and Source Device selections.

Src IP/Any --> Dest IP/Port Aggregates records from a specific Source IP and any source port going to a specific Destination IP and a specific Destination port. The system derives the Source IP and Destination IP from your Device Type and Source Device selections.

Denied by Port Aggregates records by destination port number only

Table 41 Denied Connections Report Optional Filter Operators

Option Description

Source Device Description of the device that sent these log messages

Attempts* Number of denied connection attempts recorded in the log messages

Src IP IP address of the source host device

Src Port Port number of the source host device

Dest IP IP address of the destination host device

Dest Port Port number of the destination host device

Protocol IP protocol (TCP, UDP, etc.) of the connection

Description Description of the destination port (service)

Access Group (Cisco PIX/ASA only) Name of the access group (access list) whose rule denied the connection

Rules (Check Point Interface only) Condition set on the firewall to complete the security policy; identifies what is allowed and not allowed through a specific interface.

Policy ID Unique policy identifier of the device on the firewall (Juniper Firewall only)

Direction (Check Point Interface, Cisco PIX/ASA/FWSM, Juniper Firewall, and Nortel Contivity only) Inbound or Outbound connection attempt. Direction is stored internally as a number; when filtering on it, use 1 for INBOUND, 2 for OUTBOUND, and 3 for INTERNAL.

* Note: For Cisco routers, the Attempts value under the Src IP/Any summary methods is larger than the number of messages shown in the Denied Connections Report, because in this case denied IP packets are counted rather than the number of log messages sent.
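To show how the three summary methods in Table 40 collapse the same denied records differently, here is an added Python example that is not from the Guide or the Appliance; the records are constructed, not captured firewall output. A single source sweeping port 22 across five hosts becomes one row under Src IP/Any --> Any/Port but five rows under Src IP/Any --> Dest IP/Port, which is why the first method surfaces horizontal scans and the second surfaces repeated attempts against one host. The direction filter applies the 1/2/3 encoding given in Table 41. The record layout and the protocol being kept in every grouping key are choices made for this example.

```python
from collections import Counter
from typing import Callable, Dict, List, Tuple

# Direction is stored as a number internally (Table 41).
DIRECTION_CODES = {1: "INBOUND", 2: "OUTBOUND", 3: "INTERNAL"}

# A denied record as the example models it (assumed layout):
# src_ip, src_port, dest_ip, dest_port, protocol, direction code.
Record = Tuple[str, int, str, int, str, int]

# Each Table 40 summary method expressed as the key denied records are grouped
# by. Protocol is kept in every key so TCP/22 and UDP/22 do not merge.
METHODS: Dict[str, Callable[[Record], tuple]] = {
    "Src IP/Any --> Any/Port":     lambda r: (r[0], r[3], r[4]),
    "Src IP/Any --> Dest IP/Port": lambda r: (r[0], r[2], r[3], r[4]),
    "Denied by Port":              lambda r: (r[3], r[4]),
}


def summarize(records: List[Record], method: str) -> Dict[tuple, int]:
    """Aggregate denied records under one Table 40 method; values are Attempts."""
    key = METHODS[method]
    return dict(Counter(key(r) for r in records))


def ranked(summary: Dict[tuple, int]) -> List[Tuple[tuple, int]]:
    """Rows ordered by Attempts descending, the usual sort for a denied report."""
    return sorted(summary.items(), key=lambda kv: (-kv[1], kv[0]))


def only_direction(records: List[Record], name: str) -> List[Record]:
    """Filter by direction name using the numeric encoding the Guide gives."""
    code = {v: k for k, v in DIRECTION_CODES.items()}[name]
    return [r for r in records if r[5] == code]


# Constructed denied-connection records (not real firewall data): one external
# host sweeping SSH across five internal hosts (one of them twice), a second
# external host hammering RDP on one host, and one internal-to-internal deny.
RECORDS: List[Record] = [
    ("198.51.100.7", 40001, "10.0.0.1", 22, "TCP", 1),
    ("198.51.100.7", 40002, "10.0.0.2", 22, "TCP", 1),
    ("198.51.100.7", 40003, "10.0.0.3", 22, "TCP", 1),
    ("198.51.100.7", 40004, "10.0.0.4", 22, "TCP", 1),
    ("198.51.100.7", 40005, "10.0.0.5", 22, "TCP", 1),
    ("198.51.100.7", 40006, "10.0.0.1", 22, "TCP", 1),
    ("203.0.113.9", 51000, "10.0.0.1", 3389, "TCP", 1),
    ("203.0.113.9", 51001, "10.0.0.1", 3389, "TCP", 1),
    ("10.0.0.50", 60000, "10.0.0.1", 445, "TCP", 3),
]

if __name__ == "__main__":
    for method in METHODS:
        print(method)
        for key, attempts in ranked(summarize(RECORDS, method)):
            print("  ", key, attempts)
```

Under Src IP/Any --> Any/Port the sweep from 198.51.100.7 is a single row with six attempts; under Src IP/Any --> Dest IP/Port it is five rows, only one of which exceeds a single attempt, so the scan is easy to miss. Denied by Port drops both addresses and is useful mainly for spotting which services are being probed overall.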


FTP Connections Reports

To search for and generate a report on all syslog messages related to FTP traffic through the selected firewall device during a specified time interval, use the FTP Connections Real-Time Report.

Menu path: home: Reports > Network Activity > FTP Connections

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:

For information on using the generated report, see Saving a Generated Report on page 122.

Table 42 FTP Connections Report Optional Filter Operators

Option Description

Source Device Description of the device that sent these log messages

Source Device IP IP address of the source device that sent these log messages

From IP address of the source device

To IP address of the destination device

Count Number of times syslog messages related to FTP traffic were generated


VPN Access Reports

To search for and generate reports on the VPN connections that the selected log sources either completed or denied during a specified time interval, use the VPN Access Real-Time Report.

Menu path: home: Reports > Network Activity > VPN Access

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:

For information on using the generated report, see Saving a Generated Report on page 122.

Not all VPN log sources send a disconnect message to the Appliance. A VPN session is recorded permanently in the authentication database table only after it is disconnected; until then the session is considered active. A Check Point VPN session is considered disconnected when the same user makes a new connection attempt from the same IP address.

Table 43 VPN Access Report Optional Filter Operators

Option Description

Source Device Description of the device that sent these log messages

Public IP Public IP address originating the VPN connection

Group VPN group of which the source device is a part

User VPN user ID

Target User VPN user ID of the originating VPN connection

Connections Number of log messages received representing connections

Denies Number of denied connection messages received

Avg Duration Average duration of each connection

Byte Count Number of bytes transferred during the session

Avg Bandwidth (Bytes/Sec)

Average bandwidth used for each connection


VPN Sessions Reports

To search for and generate a report on data about VPN sessions (including initiation and conclusion times) on selected log sources during a specified time interval, use the VPN Sessions Real-Time Report.

Menu path: home: Reports > Network Activity > VPN Sessions

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only the Source Device, User, Avg Duration, Avg Bytes, and Count.

For information on using the generated report, see Saving a Generated Report on page 122.

Not all VPN log sources send a disconnect message to the Appliance. A VPN session is recorded permanently in the authentication database table only after it is disconnected; until then the session is considered active. A Check Point VPN session is considered disconnected when the same user makes a new connection attempt from the same IP address.

Table 44 VPN Sessions Report Optional Filter Operators

Option Description

Source Device Description of the device that sent these log messages

User User ID

Target User User ID on the device with which the source device attempted to connect

Source IP IP address of the device that sent these log messages

Target IP IP address of the device with which the source device attempted to connect

Avg Duration Average duration of each connection

Avg Bytes Average number of bytes

Count Number of VPN sessions
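The Check Point rule stated above (the same paragraph appears under VPN Access Reports) determines how Avg Duration and Count are derived when no disconnect message exists. The following Python example is added here and is not from the Guide or the Appliance; it applies that rule to constructed connection attempts: a repeat attempt by the same user from the same IP closes the earlier session at that instant, an attempt from a different IP does not, and sessions still open contribute to neither Count nor Avg Duration. The timestamps, users and IP addresses are made up for the example, and Avg Bytes is omitted because the attempts carry no byte counts.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    user: str
    public_ip: str
    start: datetime
    end: Optional[datetime] = None      # None while the session is still considered active

    def duration_seconds(self) -> Optional[float]:
        return None if self.end is None else (self.end - self.start).total_seconds()


def reconstruct_sessions(attempts: List[Tuple[str, str, str]]) -> List[Session]:
    """attempts: (ISO timestamp, user, public IP) for each VPN connection attempt.

    Applies the Check Point rule from the Guide: with no disconnect message
    available, a session is closed at the moment the same user makes a new
    attempt from the same IP address. An attempt from a different IP starts a
    separate session and leaves the earlier one open."""
    open_sessions: Dict[Tuple[str, str], Session] = {}
    closed: List[Session] = []
    for ts, user, ip in sorted(attempts):          # ISO strings sort chronologically
        t = datetime.fromisoformat(ts)
        key = (user, ip)
        previous = open_sessions.get(key)
        if previous is not None:
            previous.end = t
            closed.append(previous)
        open_sessions[key] = Session(user, ip, t)
    return closed + list(open_sessions.values())


def active_sessions(sessions: List[Session]) -> List[Session]:
    """Sessions not yet recorded as disconnected."""
    return [s for s in sessions if s.end is None]


def vpn_sessions_report(sessions: List[Session]) -> Dict[str, Dict[str, float]]:
    """Per-user Count and Avg Duration (seconds), computed only over sessions
    that have been recorded as disconnected; open sessions are excluded."""
    durations: Dict[str, List[float]] = {}
    for s in sessions:
        d = s.duration_seconds()
        if d is not None:
            durations.setdefault(s.user, []).append(d)
    return {u: {"Count": len(ds), "Avg Duration": sum(ds) / len(ds)}
            for u, ds in durations.items()}


# Constructed connection attempts (not real VPN logs).
ATTEMPTS = [
    ("2010-12-01T09:00:00", "alice", "198.51.100.7"),
    ("2010-12-01T09:30:00", "alice", "203.0.113.4"),   # different IP: does not close the first session
    ("2010-12-01T10:00:00", "alice", "198.51.100.7"),  # closes the 09:00 session (1 h)
    ("2010-12-01T12:00:00", "alice", "198.51.100.7"),  # closes the 10:00 session (2 h)
    ("2010-12-01T09:00:00", "bob",   "192.0.2.9"),     # never reconnects: stays active
]

if __name__ == "__main__":
    sessions = reconstruct_sessions(ATTEMPTS)
    print(vpn_sessions_report(sessions))
    print(len(active_sessions(sessions)), "sessions still active")
```

Because a session is only closed by the next attempt from the same user and IP, a reported duration is an upper bound on how long the user was actually connected, and a user who connects once and never reconnects (bob here) does not appear in the report at all.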


VPN Top Lists Reports

To search for and generate a report on the top users, IP addresses, and other statistics, use the VPN Top Lists Real-Time Report.

Menu path: home: Reports > Network Activity > VPN Top Lists

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order; choose the sort order from the drop-down menu. By default, all of the report types in Table 45 are displayed.

IMPORTANT! In a Top Disconnect Reasons report, the value “unknown” in the Disconnect Reasons column represents a disconnect reason reported by RADIUS. If your RADIUS server is not properly connected to the Appliance as a log source, all reasons display as “unknown”. Click a Connections number or a Source Device to drill down and view the Disconnect Details column, which displays the VPN syslog messages associated with the disconnect reason.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 45 VPN Top Lists Report Types

Top Disconnect Reasons: Top reasons for disconnects
Top Number of Denies: Top number of denies by user or IP address
Top Number of Connections: Top number of connections by user or IP address
Top Bytes Transferred: Top number of bytes transferred by user or IP address
Top Bandwidth: Top bandwidth by user or IP address
Top Connection Duration: Top connection duration by user or IP address


Web Cache Activity Reports

To search for and generate a report on all URLs accessed through proxy or cache servers on specified log sources during a specified time interval, use the Web Cache Activity Real-Time Report.

Menu path: home: Reports > Network Activity > Web Cache Activity

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

You can view the options in ascending or descending order; choose the sort order from the drop-down menu. By default, Source Device, Source IP, Destination IP, Status, Size, and Count are displayed.

When you drill down on the Web Cache Activity report's results, there is no default sort-by selection; the drill-down results are generally returned in time order. If you specify a sort-by selection for this report's drill-down, generating the drill-down results is slower.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 46 Web Cache Activity Report Optional Filter Operators

Source Device: Description of the device that sent these log messages
Source User: User of the source device
Source IP: IP address of the source device
Source Host: Host name of the source device
Domain Name: Domain name of the source device
Destination IP: IP address of the destination device
Destination Port: Port of the destination device
Peer IP: IP address of the peer device
Peer Host: Host name of the peer device
Peer Status: A code that explains how the request was handled; for example, by forwarding it to a peer or returning the request to the source
Method: Request method used to obtain an object; for example, GET
URL: URL requested
Cache Code: Information on the result of the transaction: the kind of request, how it was satisfied, or in what way it failed
Status: HTTP result code
Type: Content type of the object as seen in the HTTP reply header
Size: Number of bytes transferred
Count: Number of cache views
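The Cache Code, Status, Peer Status, Peer Host, Method, URL, Type, and Size options map directly onto the fields of a proxy's access log. The following Python is an added example, not LogLogic code: it parses a few constructed lines in the Squid native access log format (an assumption; the page does not name the proxy product), extracts the Table 46 fields from each, and aggregates them by Source IP, Cache Code, and Status with the summed Size and a Count, which generalises the default Source IP / Status / Size / Count view. The sample addresses, URLs, and user name are constructed for the example, and the `denied_clients` helper is an addition of this example, not a report option.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in Squid native access log format (an assumption about the proxy):
#   time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1291190400.123    120 10.1.1.5 TCP_MISS/200 4321 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1291190401.456      5 10.1.1.5 TCP_HIT/200 1200 GET http://www.example.com/logo.png - NONE/- image/png
1291190402.789      2 10.1.1.9 TCP_DENIED/403 1720 GET http://bad.example.net/ - NONE/- text/html
1291190403.012      3 10.1.1.9 TCP_DENIED/403 1720 CONNECT bad.example.net:443 - NONE/- -
1291190404.345    250 10.1.1.5 TCP_MISS/200 9876 POST http://www.example.com/upload jdoe DIRECT/93.184.216.34 application/json
"""


def parse_squid_line(line):
    """Map one access log line onto the Table 46 options; None if the line is malformed."""
    parts = line.split()
    if len(parts) != 10:
        return None  # do not guess at a truncated or foreign line
    stamp, elapsed_ms, client, code_status, nbytes, method, url, user, hier_peer, ctype = parts
    cache_code, _, status = code_status.partition("/")     # e.g. TCP_DENIED / 403
    peer_status, _, peer_host = hier_peer.partition("/")   # e.g. DIRECT / 93.184.216.34
    if not status.isdigit() or not nbytes.isdigit():
        return None
    return {
        "time": datetime.fromtimestamp(float(stamp), tz=timezone.utc),
        "elapsed_ms": int(elapsed_ms),
        "source_ip": client,
        "source_user": None if user == "-" else user,
        "cache_code": cache_code,
        "status": int(status),
        "size": int(nbytes),
        "method": method,
        "url": url,
        "peer_status": peer_status,
        "peer_host": None if peer_host == "-" else peer_host,
        "type": None if ctype == "-" else ctype,
    }


def web_cache_activity(log_text):
    """Aggregate by (Source IP, Cache Code, Status): total Size and Count, like the report."""
    rows = defaultdict(lambda: {"size": 0, "count": 0})
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        key = (rec["source_ip"], rec["cache_code"], rec["status"])
        rows[key]["size"] += rec["size"]
        rows[key]["count"] += 1
    return dict(rows)


def denied_clients(log_text, threshold=2):
    """Source IPs with at least `threshold` TCP_DENIED requests: policy blocks worth a look."""
    hits = defaultdict(int)
    for (src, code, _status), row in web_cache_activity(log_text).items():
        if code == "TCP_DENIED":
            hits[src] += row["count"]
    return sorted(src for src, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    for key, row in sorted(web_cache_activity(SAMPLE_LOG).items()):
        print(key, row)
    print("clients with repeated denies:", denied_clients(SAMPLE_LOG))
```

Malformed lines are dropped rather than partially parsed, which is the same trade-off the Appliance makes when it leaves a message unparsed; the repeated TCP_DENIED/403 rows from one client are the kind of pattern the Count column exists to surface.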


Web Surfing Activity Report

To search for and generate a report on all URLs accessed via firewalls or web servers on selected log sources during a specified time interval, use the Web Surfing Activity Real-Time Report.

Menu path: home: Reports > Network Activity > Web Surfing Activity

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

You can view the options in ascending or descending order; choose the sort order from the drop-down menu. By default, Source Device IP, Source IP, Destination IP, Status, Size, and Count are displayed.

When you drill down on the Web Surfing Activity report's results, there is no default sort-by selection; the drill-down results are generally returned in time order. If you specify a sort-by selection for this report's drill-down, generating the drill-down results is slower.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 47 Web Surfing Activity Report Optional Filter Operators

Source Device IP: IP address of the device that sent these log messages
Source User: User ID of the source device
Source IP: IP address of the device originating the connection
Source Host: Host name of the source device
Domain Name: Domain name of the source device
Destination IP: IP address of the destination device
Destination Port: Port of the destination device
Method: Request method used to obtain an object; for example, GET
URL: URL requested
Status: HTTP result code
Type: Content type of the object as seen in the HTTP reply header
Size: Number of bytes transferred
Count: Number of syslog messages received for this connection and status code


Database Activity Reports

To search for and generate reports on various events occurring on database server log sources, use the Database Activity reports.

The Report Information tab that appears when you click home: Reports > Database Activity lists which reports are available for each log source.

To access Database Activity reports

Choose home: Reports > Database Activity > report-name from the navigation menu, where report-name is one of the reports listed in Table 48.

Preparing a Real-Time Report on page 120 includes the common options that you specify for all Real-Time Reports.

Optional filter operators are different for each Database Activity report, and explained in their respective sections linked from Table 48.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 48 Database Activity Reports

All Database Events: Event types occurring during a specified time interval (page 155)
Database Access: All database server connections, including user access and failed user access attempts (page 156)
Database Data Access: User access and changes to data for a specified time interval (page 157)
Database Privilege Modifications: Database privilege changes, such as user reconfiguration and privilege manipulation (page 158)
Database System Modifications: System database changes such as database drops and table drops (page 159)


All Database Events Reports

To search for and generate a report on the event types that are occurring on specified database server log sources during a specified time interval, use the All Database Events Real-Time Report.

Menu path: home: Reports > Database Activity > All Database Events

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are selected: Source Device, Database, Event Type ID, Event Type Name, Count.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 49 All Database Events Report Optional Filter Operators

Source Device: Description of the device that sent these log messages
Database: Name of the database on which the action occurred
DB User: User name of the database user whose actions were audited
Sys Priv: System privileges granted or revoked
Database Object Name: Name of the object affected by the action
Status: Status or return code of the action completion (numeric value)
Severity: Severity level of the event
OS User: Operating system login user name of the user whose actions were audited
Event Type ID: Database vendor audit code for the action type
Event Type Name: Type of database event such as DROP_TABLE, SQL_UPDATE, or CREATE_TABLE (names vary by vendor)
Object Priv: Object privileges granted or revoked on the database object
Count: Number of log entries returned with the given parameters


Database Access

To search for and generate a report on all database server connections, including user access and failed user access attempts, on specified database server log sources during a specified time interval, use the Database Access Real-Time Report.

Menu path: home: Reports > Database Activity > Database Access

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are selected: Source Device, Database, Event Type ID, Event Type Name, Count.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 50 Database Access Report Optional Filter Operators

Source Device: Description of the device that sent log data
Database: Name of the database on which the action occurred
DB User: User name of the database user whose actions were audited
Sys Priv: System privileges granted or revoked
Database Object Name: Name of the object affected by the action
Status: Status or return code of the action completion (numeric value)
Severity: Severity level of the event
OS User: Operating system login user name of the user whose actions were audited
Event Type ID: Database vendor audit code for the action type
Access Type: The action or method used to access any database object
Object Priv: Object privileges granted or revoked on the database object
Count: Number of log entries returned with the given parameters


Database Data Access

To search for and generate a report on user access and changes to your data on specified database server log sources during a specified time interval, use the Database Data Access Real-Time Report.

Menu path: home: Reports > Database Activity > Database Data Access

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are selected: Source Device, Database, Event Type ID, Event Type Name, Count.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 51 Database Data Access Report Optional Filter Operators

Source Device: Description of the device that sent log data
Database: Name of the database on which the action occurred
DB User: User name of the database user whose actions were audited
Sys Priv: System privileges granted or revoked
Database Object Name: Name of the object affected by the action
Status: Status or return code of the action completion (numeric value)
Severity: Severity level of the event
OS User: Operating system login user name of the user whose actions were audited
Event Type ID: Database vendor audit code for the action type
Access Type: The action or method used to access any database object
Object Priv: Object privileges granted or revoked on the database object
Count: Number of log entries returned with the given parameters


Database Privilege Modifications

To search for and generate a report on database privilege changes, such as user reconfiguration and privilege manipulation, on specified database server log sources during a specified time interval, use the Database Privilege Modifications Real-Time Report.

Menu path: home: Reports > Database Activity > Database Privilege Modifications

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are selected: Source Device, Database, Event Type ID, Event Type Name, Count.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 52 Database Privilege Modifications Report Optional Filter Operators

Source Device: Description of the device that sent log data
Database: Name of the database on which the action occurred
DB User: User name of the database user whose actions were audited
Sys Priv: System privileges granted or revoked
Database Object Name: Name of the object affected by the action
Status: Status or return code of the action completion (numeric value)
Severity: Severity level of the event
OS User: Operating system login user name of the user whose actions were audited
Event Type ID: Database vendor audit code for the action type
Modification Type: Modification action on a user, profile, or role privilege
Object Priv: Object privileges granted or revoked on the database object
Count: Number of log entries returned with the given parameters


Database System Modifications

To search for and generate a report on system database changes, such as database drops and table drops, on specified database server log sources during a specified time interval, use the Database System Modifications Real-Time Report.

Menu path: home: Reports > Database Activity > Database System Modifications

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are selected: Source Device, Database, Event Type ID, Event Type Name, Count.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 53 Database System Modifications Report Optional Filter Operators

Source Device: Description of the device that sent log data
Database: Name of the database on which the action occurred
DB User: User name of the database user whose actions were audited
Sys Priv: System privileges granted or revoked
Database Object Name: Name of the object affected by the action
Status: Status or return code of the action completion (numeric value)
Severity: Severity level of the event
OS User: Operating system login user name of the user whose actions were audited
Event Type ID: Database vendor audit code for the action type
Access/Modification Type: Modification action on a user, profile, or role privilege
Object Priv: Object privileges granted or revoked on the database object
Count: Number of log entries returned with the given parameters


Operational Reports

To search for and generate reports on information about syslog messages on log sources, use the Event Logs reports under the Operational menu.

The Report Information tab that appears when you click on home: Reports > Operational lists which reports are available for each log source.

To access Event Logs reports

Choose home: Reports > Operational > report-name from the navigation menu, where report-name is one of the reports listed in Table 54.

Preparing a Real-Time Report on page 120 includes the common options that you specify for all Real-Time Reports.

Optional filter operators are different for each Event Logs report, and explained in their respective sections after the table.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 54 Event Logs Reports

All Unparsed Events: Syslog messages not parsed into the Security, System, or VPN Events reports (page 161)
Security Events: Firewall syslog messages classified as security messages (page 162)
System Events: Firewall or Nortel VPN device syslog messages classified as system messages (page 163)
VPN Events: The number of VPN syslog messages matching the search criteria (page 164)


All Unparsed Events

To search for and generate a report on syslog messages that are not parsed into the Security, System, or VPN Events reports, or into any other report table (for example, Authentication) for selected log sources during a specified time interval, use the All Unparsed Events Real-Time Report.

Menu path: home: Reports > Operational > All Unparsed Events

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report. Optional filter operators are not visible if you select the Boolean Search in the Search Filter criteria.

Optional filter operators can be sorted in ascending or descending order; choose the sort order from the drop-down menu. By default, all of the options in Table 55 are selected.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 55 All Unparsed Events Report Optional Filter Operators

Source Device: Description of the device that sent the log messages
Source Device IP: IP address of the source device that sent the log messages
Facility: Syslog facility associated with the message
Severity: Severity code associated with the message
Count: Number of times syslog messages were generated


Security Events Reports

To search for and generate a report on firewall syslog messages classified as security messages for selected log sources during a specified time interval, use the Security Events Real-Time Report.

Menu path: home: Reports > Operational > Security Events

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order; choose the sort order from the drop-down menu. By default, all of the options in Table 56 are selected.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 56 Security Events Report Optional Filter Operators

Source Device: Description of the device originating the connection
Source Device IP: IP address of the source device
Message Code: Code number of the security message
Message Code Description: Description of the security message (Cisco PIX only)
Module: Juniper Netscreen module name, for example system (Juniper Firewall only)
Severity (Juniper Firewall only): Severity code of the message. The codes are:
  0 Emergency: system is unusable
  1 Alert: action must be taken immediately
  2 Critical: critical conditions
  3 Error: error conditions
  4 Warning: warning conditions
  5 Notice: normal but significant condition
  6 Informational: informational messages
  7 Debug: debug-level messages
Count: Number of syslog messages classified as security messages


System Events Reports

To search for and generate a report on firewall or Nortel VPN device syslog messages classified as system messages for selected log sources during a specified time interval, use the System Events Real-Time Report.

Menu path: home: Reports > Operational > System Events

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order; choose the sort order from the drop-down menu. Optional filter operators are not visible if you select Boolean Search in the Search Filter criteria. By default, all of the options in Table 57 are selected.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 57 System Events Report Optional Filter Operators

Source Device: Description of the device that sent these log messages
Source Device IP: IP address of the source device that sent these log messages
Message Code: Code number of the system message
Message Code Description: Description of the system message (Cisco PIX only)
Module: Juniper Netscreen module name, for example system (Juniper Firewall only)
Severity (Juniper Firewall only): Severity code of the message. The codes are:
  0 Emergency: system is unusable
  1 Alert: action must be taken immediately
  2 Critical: critical conditions
  3 Error: error conditions
  4 Warning: warning conditions
  5 Notice: normal but significant condition
  6 Informational: informational messages
  7 Debug: debug-level messages
Count: Number of system messages received for the specified code
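The Facility and Severity options of the All Unparsed Events report, and the Message Code and Severity options of the Security Events and System Events reports, come from the syslog PRI header and the message body. The following Python is an added example, not LogLogic code: it decodes the RFC 3164 PRI value into facility and severity (the 0 to 7 severity names are the ones listed in the tables above), extracts a Cisco PIX-style message code where one is present, and counts messages per device, facility, severity, and code, the way the Count column does; lines with a valid header but no recognised code are what the All Unparsed Events view would show. The sample syslog lines, host names, and addresses are constructed; the %PIX-n-nnnnnn mnemonic form is a real Cisco convention, but the sample messages themselves are made up for this example.

```python
import re
from collections import Counter

# RFC 3164: PRI = facility * 8 + severity. Severity names are the 0 to 7 codes in the table above.
SEVERITY_NAMES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                  4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
                  16: "local0", 17: "local1", 18: "local2", 19: "local3",
                  20: "local4", 21: "local5", 22: "local6", 23: "local7"}

# Constructed sample lines (not captured from any device); hosts and addresses are made up.
SAMPLE_LINES = [
    "<164>Dec  1 08:00:01 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4432 dst inside:10.0.0.5/445 by access-group outside_in",
    "<164>Dec  1 08:00:02 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4433 dst inside:10.0.0.5/445 by access-group outside_in",
    "<166>Dec  1 08:00:03 fw1 %PIX-6-302013: Built inbound TCP connection 12 for outside:203.0.113.8/5555 to inside:10.0.0.9/443",
    "<13>Dec  1 08:00:04 host7 myapp: something the parsers do not recognise",
    "no PRI header at all",
]

# <PRI>Mmm dd hh:mm:ss host message   (BSD syslog header)
HEADER_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(\S+)\s(.*)$")
# Cisco PIX/ASA mnemonic, e.g. %PIX-4-106023: -> severity 4, message code 106023
CISCO_CODE_RE = re.compile(r"%(?:PIX|ASA|FWSM)-(\d)-(\d+):")


def decode_pri(pri):
    """Split a PRI value into (facility, severity); values above 191 are not valid."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 7


def parse_syslog(line):
    """Return the header fields and any message code for one line, or None without a valid header."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    facility, severity = decode_pri(pri)
    msg = m.group(4)
    code = CISCO_CODE_RE.search(msg)
    return {
        "timestamp": m.group(2),
        "host": m.group(3),
        "facility": facility,
        "severity": severity,
        "message_code": code.group(2) if code else None,
        "message": msg,
    }


def describe(rec):
    """Readable facility.severity for a parsed record, e.g. 'local4.Warning'."""
    return f"{FACILITY_NAMES.get(rec['facility'], rec['facility'])}.{SEVERITY_NAMES[rec['severity']]}"


def event_counts(lines):
    """Count per (host, facility, severity, message code), as the report's Count column does."""
    counts = Counter()
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue  # no usable header: cannot be classified at all
        counts[(rec["host"], rec["facility"], rec["severity"], rec["message_code"])] += 1
    return counts


def unparsed(lines):
    """Lines with a valid header but no recognised message code (the All Unparsed Events view)."""
    return [r for r in map(parse_syslog, lines) if r is not None and r["message_code"] is None]


if __name__ == "__main__":
    for key, n in sorted(event_counts(SAMPLE_LINES).items(), key=str):
        print(key, n)
    for rec in unparsed(SAMPLE_LINES):
        print("unparsed:", rec["host"], describe(rec), rec["message"])
```

Note that the severity inside the Cisco mnemonic and the severity in the PRI are carried separately; a device that relays through another syslog daemon can end up with the two disagreeing, which is worth checking before you trust the Severity filter on a report.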


VPN Events Reports

To search for and generate a report on Cisco VPN, Check Point VPN, Nortel VPN, or RADIUS syslog messages of the System Message type for selected log sources during a specified time interval, use the VPN Events Real-Time Report.

Menu path: home: Reports > Operational > VPN Events

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

By default, all of the options in Table 58 are selected.

For information on using the generated report, see Saving a Generated Report on page 122.

The Appliance does not receive a disconnect message for every VPN session. A VPN session is recorded permanently in the authentication database table only after it is disconnected; before that, the session is considered active. A Check Point VPN session is considered disconnected when the same user makes a new connection attempt from the same IP address.

Table 58 VPN Events Report Optional Filter Operators

Time: Time the syslog message was generated
Source Device: IP address of the device originating the connection
Group: VPN group name
User: VPN user ID
Public IP: Public IP address originating the VPN connection
Severity: Severity code associated with the message
Code: Code number of the system message
Area: Name of the defined VPN area
Detail Message: Text of the syslog message


IBM i5/OS Activity Reports

To search for and generate reports on various events occurring on your IBM i5/OS log sources, use IBM i5/OS Activity reports.

The Report Information tab that appears when you click home: Reports > IBM i5/OS Activity lists which reports are available for each log source.

To access IBM i5/OS Activity reports

Choose home: Reports > IBM i5/OS Activity > report-name from the navigation menu, where report-name is one of the reports listed in Table 59.

Preparing a Real-Time Report on page 120 includes the common options that you specify for all Real-Time Reports.

Table 60 includes the optional filter operators for all IBM i5/OS Activity reports.

Table 59 IBM i5/OS Activity Reports

All Log Entry Types: All recorded entry types (page 166)
System Object Access: All failed access attempts throughout the system (page 166)
User Access by Connection: All system access and system access attempts by users (page 167)
User Actions: All user actions performed and attempted (page 167)
User Jobs: All jobs that users are running (page 167)

Table 60 IBM i5/OS Activity Reports Optional Filter Operators
(The internal field name is shown in parentheses after each option.)

Source Device (devIP): IP address of the device that sent log data
Journal Type (jrnEntryType): Two-character Audit Journal record (entry) type
Journal Description (jrnTypeDesc): Description of the journal entry type
Journal Job (jobName): Name of the job that caused the entry to be created
Journal User (jrnUserName): Profile name of the user associated with the Journal Job
Journal Number (jrnJobNbr): Job number of the Journal Job
Journal Program (jrnPgm): Name of the program that created the entry
Journal Library (jrnPgmLib): Program library
Journal System Name (jrnSyName): Name of the system where the journal resides
Journal Remote Port (jrnRmtPort): Remote port of the system associated with the journal entry
Journal Remote Address (jrnRmtIPAdr): Network address of the system associated with this entry
Action (action): An action associated with the entry type
Action Description (actionDesc): Description of the action
Attribute Name (attribute): Name of an attribute that was the target of the action
Attribute Description (attributeDesc): Description of the attribute (if available)
Destination Server (destServer): Name of a remote workstation or server in a network event
DLO Folder (DLOFolder): Name of the Document Library Object folder
DLO User (DLOUser): Name of the Document Library Object owner, or of the user creating or accessing the DLO
Entry Type (entryType): Type of event or entry within the journal type (can be considered a subtype of the journal type)
Entry Description (entryDesc): Description of the entry
Job Name (jobName): Name of the Journal Job, or of the job that was the target of the action described in the entry
Job Number (jobNumber): The Journal Number, or the number of the job that was the target of the action described in the entry
Job User (jobUser): The Journal User, or the profile name of the user associated with the job that was the target of the action described in the entry
Local IP Address (lclIPadr): Local IP address of the system involved in the network event
Object Library (lib): Library of the object that was acted on
Object Name (obj): Name of the object that was acted on
Object Type (objType): Type of object that was acted on
Remote IP Address (rmtIPadr): Remote IP address of the system involved in the network event
Source Server (srcServer): Name of a workstation or server where the audited event occurred, or that was the source system in a network event
Status (status): Status code
Status Description (statusDesc): Description of the status code (if available)
User ID/Profile (user): A user ID (UID) or user profile involved in the recorded event; typically the originator or target of the event
Count (computed by the Appliance): A count of action attempts, entries, or other count information; dependent on Journal and Entry type

For information on using the generated report, see Saving a Generated Report on page 122.

All Log Entry Types Reports

To search for and generate a report on all recorded entry types, use the All Log Entry Types Real-Time Report.

Menu path: home: Reports > IBM i5/OS Activity > All Log Entry Types

System Object Access Reports

To search for and generate a report on all failed access attempts throughout the system, use the System Object Access Real-Time Report.

Menu path: home: Reports > IBM i5/OS Activity > System Object Access


User Access By Connection Reports

To search for and generate a report on all system access and system access attempts by users, use the User Access By Connection Real-Time Report.

Menu path: home: Reports > IBM i5/OS Activity > User Access By Connection

User Actions Reports

To search for and generate a report on all user actions performed and attempted, use the User Actions Real-Time Report.

Menu path: home: Reports > IBM i5/OS Activity > User Actions

User Jobs Reports

To search for and generate a report on all jobs that users are running, use the User Jobs Real-Time Report.

Menu path: home: Reports > IBM i5/OS Activity > User Jobs


Threat Management Reports

To search for and generate reports on information about IDS/IPS log sources, use IDS/IPS Activity reports. The Report Information tab that appears when you click home: Reports > Threat Management > IDS/IPS Activity lists which reports are available for each log source.

Preparing a Real-Time Report on page 120 includes the common options that you specify for Real-Time Reports.

IDS/IPS Activity

To search for and generate a report on all attack activities from IDS/IPS systems, use the IDS/IPS Activity Real-Time Report.

Menu path: home: Reports > Threat Management > IDS/IPS Activity

For this report you can choose which optional filter operators appear in the generated report and sort them in ascending or descending order using the drop-down menu. By default only Log Source IP, Source IP, Destination IP, Destination Port, Signature, and Count are displayed.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 61 IDS/IPS Activity Report Optional Filter Operators

Option Description

Log Source IP IP address of the device that sent these log messages

Source IP IP address from which the attack originated

Source Port Port from which the attack originated

Destination IP IP address that was targeted

Destination Port Port that was targeted

Action Action taken by the intrusion prevention system (IPS) in response to the detected attack

Note: If no IPS is associated with your IDS/IPS log source, filtering on Action returns no results, because no action is logged.

Signature ID Rule or numeric ID the vendor assigns to the event

Note: The vendor's Signature ID is usually more stable than the Signature text, which can change when a rule is revised.

Protocol Protocol of the destination device

Signature Identifier from IDS/IPS for an event

Sensor Device that sends events to a collector analysis system

Sensor IP IP address of the device that detected the event

Classification Type of attack

Priority Priority level of the attack

Count Number of attacks
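As an added example (not LogLogic code), the following Python script shows how the default view of this report is built from raw IDS alerts and why the note on Signature ID matters. It parses a few constructed Snort-style fast-alert lines, groups them by the default columns, sorts by Count, and shows that grouping by Signature text splits a rule whose message was edited between revisions while grouping by Signature ID does not. It also shows the Action caveat: the sensors here are IDS-only, so a filter on Action returns no rows. The alert lines, addresses, rule IDs, sensor names and the assumed alert_fast layout are all constructed for this example.

```python
import re
from collections import Counter

# Constructed Snort-style fast-alert lines (not real traffic). Each entry is
# (IP address of the log source that forwarded the line, the alert line).
SAMPLE_ALERTS = [
    ("10.1.1.5", "03/14-10:02:11.100000  [**] [1:1000001:2] LOCAL SCAN SIP probe [**] "
                 "[Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.7:5060 -> 192.0.2.10:5060"),
    ("10.1.1.5", "03/14-10:02:12.200000  [**] [1:1000001:2] LOCAL SCAN SIP probe [**] "
                 "[Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.7:5061 -> 192.0.2.10:5060"),
    # Second sensor runs a newer revision of the same rule: same gid:sid, edited message text.
    ("10.1.1.6", "03/14-10:02:13.300000  [**] [1:1000001:3] LOCAL SCAN SIP probe (rev) [**] "
                 "[Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.7:5062 -> 192.0.2.10:5060"),
    ("10.1.1.6", "03/14-10:05:40.000000  [**] [1:1000002:1] LOCAL WEB traversal attempt [**] "
                 "[Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:51234 -> 192.0.2.20:80"),
    ("10.1.1.6", "03/14-10:05:41.000000  [**] [1:1000002:1] LOCAL WEB traversal attempt [**] "
                 "[Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:51235 -> 192.0.2.20:80"),
]

# Assumed alert_fast layout:
#   <ts>  [**] [gid:sid:rev] <message> [**] [Classification: <c>] [Priority: <p>] {<proto>} <src>:<sport> -> <dst>:<dport>
FAST_ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<signature>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<classification>[^\]]+)\])?"
    r"(?:\s+\[Priority:\s+(?P<priority>\d+)\])?"
    r"\s+\{(?P<protocol>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# The columns the report displays by default.
DEFAULT_COLUMNS = ("Log Source IP", "Source IP", "Destination IP", "Destination Port", "Signature")


def parse_fast_alert(log_source_ip, line):
    """Map one alert line onto the report's filter-operator names; None if it does not parse."""
    m = FAST_ALERT_RE.search(line)
    if m is None:
        return None
    return {
        "Log Source IP": log_source_ip,
        "Sensor IP": log_source_ip,            # assumption: each sensor forwards its own alerts
        "Source IP": m["src"],
        "Source Port": int(m["sport"]),
        "Destination IP": m["dst"],
        "Destination Port": int(m["dport"]),
        "Protocol": m["protocol"],
        # gid:sid identifies the rule; rev changes whenever the rule text is edited, so it is
        # left out of the ID, which is what makes the ID more consistent than the message.
        "Signature ID": f"{m['gid']}:{m['sid']}",
        "Signature": m["signature"],
        "Classification": m["classification"],
        "Priority": int(m["priority"]) if m["priority"] else None,
        "Action": None,                         # IDS-only sensor: no IPS verdict is logged
    }


def build_report(events, columns=DEFAULT_COLUMNS, filters=None, descending=True):
    """Group events by the selected columns and count them (the report's Count column).

    `filters` maps a column name to the exact value it must have. An event whose value for
    that column is None (Action from an IDS without an IPS) never matches, which is why an
    Action filter can legitimately return an empty report.
    """
    filters = filters or {}
    counts = Counter()
    for ev in events:
        if any(ev.get(col) != val for col, val in filters.items()):
            continue
        counts[tuple(ev[col] for col in columns)] += 1
    rows = [dict(zip(columns, key), Count=n) for key, n in counts.items()]
    # Sort by Count in the chosen order; ties are broken by the column values for stable output.
    rows.sort(key=lambda r: (-r["Count"] if descending else r["Count"],
                             tuple(str(r[c]) for c in columns)))
    return rows


if __name__ == "__main__":
    events = [e for e in (parse_fast_alert(s, l) for s, l in SAMPLE_ALERTS) if e]
    for title, cols in (("by Signature text", ("Signature",)), ("by Signature ID", ("Signature ID",))):
        print(title)
        for row in build_report(events, cols):
            print("  ", row)
    print("Action filter on IDS-only data:", build_report(events, filters={"Action": "drop"}))
```

Grouping by Signature gives three rows for two rules because the second sensor's rule revision changed the message text; grouping by Signature ID gives one row per rule with the counts merged, which is the behaviour to prefer when comparing sensors that may run different rule revisions.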


Mail Activity Reports

To search for and generate reports on information about mail-related activities on mail server log sources, use Mail Activity reports.

The Report Information tab that appears when you click on home: Reports > Mail Activity lists which reports are available for each log source.

To access Mail Activity reports

Choose home: Reports > Mail Activity > report-name from the navigation menu, where report-name is one of the reports listed in Table 62.

Preparing a Real-Time Report on page 120 includes the common options that you specify for all Real-Time Reports.

Optional filter operators are different for each Mail Activity report, and explained in their respective sections linked from Table 62.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 62 Mail Activity Reports

Report Reports Provide Page

Exchange 2000/03 Activity All mail server activity for Microsoft Exchange servers page 170

Exchange 2000/03 Delay All delays in mail activity for Microsoft Exchange servers page 171

Exchange 2000/03 Size Size for all mail server activity for Microsoft Exchange servers page 172

Exchange 2000/03 SMTP Activity All SMTP events recorded by mail servers page 173


Exchange 2000/03 Activity Reports

To search for and generate a report on all mail server activity for selected Microsoft Exchange servers during a specified time interval, use the Exchange 2000/03 Activity Real-Time Report.

Menu path: home: Reports > Mail Activity > Exchange 2000/03 Activity

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, the Source Device, Recipient Domain, Status, and Count are shown.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 63 Exchange 2000/03 Activity Report Optional Filter Operators

Option Description

Source Device Name of the Microsoft Exchange device

Message ID Numeric identifier of the message

Sender Email address of the sender

Sender Domain Domain name of the sender’s email

Recipient Email address of the recipient

Recipient Domain Domain name of the recipient’s email

Status Exchange status

Count Number of emails


Mail Delay Reports

To search for and generate a report on all delays in mail activity for selected Microsoft Exchange servers during a specified time interval, use the Exchange 2000/03 Delay Real-Time Report.

Menu path: home: Reports > Mail Activity > Exchange 2000/03 Delay

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, the Source Device, Recipient Domain, Average Delay, Max Delay, and Count are shown.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 64 Exchange 2000/03 Delay Report Optional Filter Operators

Option Description

Source Device Name of the Microsoft Exchange device

Message ID Numeric identifier of the message

Sender Email address of the sender

Sender Domain Domain name of the sender’s email

Recipient Email address of the recipient

Recipient Domain Domain name of the recipient’s email

Average Delay Average delivery delay of the messages counted in the row

Max Delay Longest delivery delay among the messages counted in the row

Count Number of emails


Mail Size Reports

To search for and generate a report on mail size for all server mail activity for selected Microsoft Exchange servers during a specified time interval, use the Exchange 2000/03 Size Real-Time Report.

Menu path: home: Reports > Mail Activity > Exchange 2000/03 Size

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, the Source Device, Sender, Total Size (Bytes), Max Size (Bytes), and Count are shown.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 65 Exchange 2000/03 Size Report Optional Filter Operators

Option Description

Source Device Name of the Microsoft Exchange device

Message ID Numeric identifier of the message

Sender Email address of the sender

Sender Domain Domain name of the sender’s email

Recipient Email address of the recipient

Recipient Domain Domain name of the recipient’s email

Total Size (Bytes) Total number of bytes transferred

Max Size (Bytes) Maximum number of bytes transferred

Count Number of emails


Exchange 2000/03 SMTP

To search for and generate a report on all SMTP events recorded by selected mail servers during a specified time interval, use the Exchange 2000/03 SMTP Real-Time Report.

Menu path: home: Reports > Mail Activity > Exchange 2000/03 SMTP

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, all options are shown except Source User, Source Host, Domain Name, and Time Taken (ms).

For information on using the generated report, see Saving a Generated Report on page 122.

Table 66 Exchange 2000/03 SMTP Report Optional Filter Operators

Option Description

Source Device Description of the device that sent these log messages

Source User User of the source device

Source IP IP address of the source device

Source Host Host name of the source device

Domain Name Domain name of the source device

Destination IP IP address of the destination device

Destination Port Port of the destination device

Method Method field of the log entry; for Exchange SMTP protocol logs this is the SMTP command (for example, EHLO, MAIL, RCPT, DATA), not an HTTP method

URL Query Query (argument) field of the log entry

Status SMTP reply code for the event (for example, 250 or 550)

Size Number of bytes transferred

Time Taken (ms) Time to complete the event

Count Number of SMTP events


Policy Reports

To search for and generate reports on information about policies that were exercised on a log source, use Policy reports.

The Report Information tab that appears when you click on home: Reports > Policy Reports lists which reports are available for each log source.

To access Policy Reports

Choose home: Reports > Policy Reports > report-name from the navigation menu, where report-name is one of the reports listed in Table 67.

Preparing a Real-Time Report on page 120 includes the common options that you specify for all Real-Time Reports. Check Point Policy reports do not include the common options shared by other Real-Time Reports.

Optional filter operators are different for each Policy report, and explained in their respective sections linked from Table 67.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 67 Policy Reports

Report Reports Provide Page

Rules/Policies Information about enforcement of a particular rule or policy by a selected firewall device page 175

Check Point Policies List of current Check Point Firewall policy rules on log sources connected to Appliances page 176

Network Policies Number of times a particular network policy is exercised by a selected firewall device page 177


Rules/Policies Reports

To search for and generate a report on information about enforcement of a particular rule or policy by selected firewall devices during a specified time interval, use the Rules/Policies Real-Time Report.

Menu path: home: Reports > Policy Reports > Rules/Policies

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, all of the options in Table 68 are displayed.

For information on using the generated report, see Saving a Generated Report on page 122.

Table 68 Rules/Policies Report Optional Filter Operators

Option Description

Interface Name (or IP address) of the network interface that enforced the policy

Rule Rule number that was enforced (Check Point Interface only)

Policy Policy number that was enforced

Type Type of rule/policy that was enforced

Messages Number of messages received representing this policy

Bar Graph Number of messages received expressed as a bar graph

Percentage Number of messages received expressed as a percentage

Package Security policy package (Check Point Interface only)

Rule Description Rule details: Source, Destination, Service description, and the rule action (Permit, Deny, and so on) (Check Point Interface only)


Check Point Policies Reports

To search for and generate a report listing current Check Point Firewall policy rules on log sources connected to your Appliance, use the Check Point Policy Real-Time Report.

Menu path: home: Reports > Policy Reports > Check Point Policy

For information on using the generated report, see Saving a Generated Report on page 122.

Table 69 Check Point Policy Screen Elements

Element Description

LEA Server LEA servers connected to your Appliance.

Package Security policy package, the unit in which Check Point organizes policy rules. Several packages can be defined at the same time, but only one package is installed on a given firewall.

Rule Index Rule numbers (Check Point rule indices) retrieved by the CPMI process. Check Point policy rules are shown only if the LEA server is configured to use auto discovery (CPMI).

Note: Rule 0 is not assigned by Check Point. It is assigned by LogLogic as a default for parsed messages that do not automatically have a rule number assigned by Check Point.

Rule Description for the rule.
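As an added example (not LogLogic code), the Python script below builds the Messages, Bar Graph and Percentage columns of the Rules/Policies report (Table 68) from constructed firewall records, applies the Rule 0 convention from Table 69 to records with no parsed rule number, and joins the result with a constructed stand-in for the rule list that CPMI auto discovery would return, so that rules never exercised in the period can be listed. The record layout, rule numbers and rule descriptions are assumptions made for this example; nothing here talks to an LEA server.

```python
from collections import Counter

# Constructed firewall log records (not real Check Point output). A record with no
# "rule" key stands for a message whose rule number could not be parsed.
SAMPLE_RECORDS = [
    {"interface": "eth0", "rule": 3, "action": "accept"},
    {"interface": "eth0", "rule": 3, "action": "accept"},
    {"interface": "eth0", "rule": 7, "action": "drop"},
    {"interface": "eth1", "rule": 7, "action": "drop"},
    {"interface": "eth1", "action": "drop"},
    {"interface": "eth1", "rule": 12, "action": "reject"},
]

# Constructed stand-in for the rule list the Check Point Policy report shows after CPMI
# auto discovery: rule index -> rule description.
POLICY = {
    1: "Stealth: drop anything addressed to the gateway itself",
    3: "DMZ web: accept http/https from any to dmz-web",
    7: "Deny telnet from any to any",
    12: "Reject SMTP from internal to any but mail-relay",
    20: "Cleanup: drop any any",
}

DEFAULT_RULE = 0   # assigned by the Appliance when no rule number was parsed (Table 69 note)


def rule_of(record):
    """Rule number of a record, with the Appliance's Rule 0 default for unparsed ones."""
    return record.get("rule", DEFAULT_RULE)


def rules_report(records, bar_width=20):
    """Interface, Rule, Type, Messages, Bar Graph, Percentage and Rule Description rows."""
    counts = Counter((r["interface"], rule_of(r), r["action"]) for r in records)
    total = sum(counts.values())
    rows = []
    for (iface, rule, action), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if rule == DEFAULT_RULE:
            description = "(unattributed)"          # not a Check Point rule, see Table 69
        else:
            description = POLICY.get(rule, "(unknown rule)")
        rows.append({
            "Interface": iface, "Rule": rule, "Type": action, "Messages": n,
            "Bar Graph": "#" * round(bar_width * n / total),
            "Percentage": round(100.0 * n / total, 1),
            "Rule Description": description,
        })
    return rows


def unattributed_share(records):
    """Fraction of messages that landed on Rule 0. Rule 0 is not a Check Point rule, so a
    rising share points to a parsing or log-format problem, not to a rule firing."""
    if not records:
        return 0.0
    return sum(1 for r in records if rule_of(r) == DEFAULT_RULE) / len(records)


def unexercised_rules(policy, records):
    """Rules in the installed package that produced no message in the period: candidates
    for review (dead rules, or rules whose logging is switched off)."""
    seen = {rule_of(r) for r in records}
    return sorted(idx for idx in policy if idx not in seen)


if __name__ == "__main__":
    for row in rules_report(SAMPLE_RECORDS):
        print(row)
    print("share of messages on Rule 0:", round(unattributed_share(SAMPLE_RECORDS), 3))
    print("rules never exercised:", unexercised_rules(POLICY, SAMPLE_RECORDS))
```

When reading the generated report, treat a Rule 0 row as a measure of parsing coverage rather than as policy activity, and compare the exercised rules against the Check Point Policy report's rule list to find rules that never fire.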


Network Policies Reports

To search for and generate a report on the number of times a particular network policy has been exercised by selected firewall log sources during a specified time interval, use the Network Policies Real-Time Report.

Menu path: home: Reports > Policy Reports > Network Policies

In addition to setting the common report options in Preparing a Real-Time Report on page 120, you can select optional filter operators in the generated report.

You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Log Source IP, Source IP, Destination IP, Destination Port, Signature, and Count.

For information on using the generated report, see Saving a Generated Report on page 122.

When you drill down on this report's results, there is no default sort-by selection; the drill-down results are generally in time order. Specifying a sort-by selection for the drill-down slows generation of the drill-down results.

Table 70 Network Policies Report Optional Filter Operators

Option Description

Log Source IP IP address of the device that sent these log messages

Source IP IP address of the device that exercised the policy

Destination IP IP address of the destination device

Destination Port Port of the destination device

Protocol Protocol of the destination device

Signature Identifier of the policy

Classification Classification of the policy

Priority Priority of the policy

Count Number of times a policy was exercised


CHAPTER 7:

Message Signatures

Message Signatures allow Appliance users to distinguish, process, and manipulate any unique log source message, including messages of type "general syslog", by defining a pattern that identifies the message and extracts its fields into tags.

Creating Message Signatures

To create a Message Signature

1. Access Management > Message Signatures from the navigation menu.

Figure 121 Access Message Signatures

The Message Signatures page opens as shown below.

Figure 122 Message Signatures Page

2. Click the arrow next to the Patterns For field drop-down box and select a device type for which you wish to create a Message Signature. (See Figure 123 on page 180.)


Figure 123 Select a Log Source Device Type

3. Click Create. The Message Pattern Editor opens. (See Figure 124.)

Figure 124 Message Pattern Editor


4. On the General tab, highlight a message in the lower pane and double-click it. Your selection will appear in the Sample Message pane. (See Figure 125.)

Figure 125 Sample Message Selected

5. Enter a Pattern Name and Description (optional). Enable the pattern.

6. Click the Field Tags tab.

7. Highlight a portion of the Sample Message you want to use as a Field Tag and click Define Field. The portion selected will appear grayed-out. The application will recognize your selection as one of 15 common tags in the Tag Library, and supply a Name, Description, and Type. Further identifying information will appear in the Tag Attributes section. You can edit these entries, or select different choices from the Tag name: and Extract as: pop-up menus. (See Figure 126.)

Figure 126 Define Field in Selected Message


8. To edit your grayed-out selection, click on it and click Remove. (This does not remove the data, only the grayed-out condition.)

9. Click the Literal checkbox to define your tag with exactly the attributes you highlighted. Your selection will appear in bold face type. (See Figure 127.)

Figure 127 Select Literal Attribute

10. To create additional tags from your selected message, highlight another portion and click Define Field again. Your second tag candidate will appear grayed-out. Again you may accept or edit the default Name, Description, and Type.

11. In the Tag Name field, choose an existing field tag or create a new tag. (See Figure 128.)

Figure 128 Tag Name Selection

12. Provide a Tag Description (optional).

13. Click the Event Type tab.

14. Click the down arrow for Event name: and select one from the drop-down menu. Accept the Event description, or edit it. (See Figure 129.)

Figure 129 Event Type Name

15. Enter an Event value (optional).

16. Click the Validation tab, and then click the Validate button. (See Figure 130.)

Figure 130 Validation Tab - Click Validate

The Tag Name is highlighted in color, and the extracted Tag value appears on the right.

17. Click Save. After a few moments the new Message Signature appears. (See Figure 131.)

Figure 131 New Message Signature Created

The green bullet in the Status column indicates the system is ready to use the new pattern and extract the values in the log data.

Note: Please refer to the LogLogic Support Website for Knowledge Base articles on this topic.
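As an added example (not LogLogic code, and not the Appliance's own pattern engine), the Python script below models the procedure above end to end: a sample message, fields defined by highlighting spans of it, the Literal checkbox, the tag suggestion the editor makes on Define Field, an Event Type, the Validation step that extracts every tag from the sample, and the Redact attribute described in the Tag Catalog chapter, which masks a tag's value with **** when results are presented. The tag library, tag names, event type name and the syslog lines are all constructed for this example, and the way untagged text is treated (matched literally) is an assumption.

```python
import re
from dataclasses import dataclass, field

# Stand-in for the Tag Library: tag name -> (value pattern, Redact flag). The names and
# patterns are this example's assumptions, not the Appliance's built-in catalog.
TAG_LIBRARY = {
    "timestamp": (r"\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}", False),
    "src_ip":    (r"\d{1,3}(?:\.\d{1,3}){3}", False),
    "port":      (r"\d{1,5}", False),
    "pid":       (r"\d+", False),
    "user":      (r"[A-Za-z0-9._-]+", True),   # Redact checked in the Tag Catalog
    "host":      (r"\S+", False),
}

# Constructed syslog lines (not captured from a real system).
SAMPLE_MESSAGE = ("Mar 14 10:02:11 fw1 sshd[2123]: Failed password for invalid user admin "
                  "from 203.0.113.7 port 51234 ssh2")
SECOND_MESSAGE = ("Mar 14 10:02:15 fw1 sshd[2130]: Failed password for invalid user root "
                  "from 203.0.113.7 port 51240 ssh2")
OTHER_MESSAGE = "Mar 14 10:02:16 fw1 sshd[2131]: Accepted password for alice from 192.0.2.5 port 40000 ssh2"


@dataclass
class FieldTag:
    start: int             # span highlighted in the Sample Message
    end: int
    tag: str               # Tag Name chosen (or created) for this field
    literal: bool = False  # Literal checkbox: only the highlighted text itself matches


@dataclass
class MessageSignature:
    name: str
    sample: str
    event_type: str                        # Event Type tab
    fields: list = field(default_factory=list)

    def define_field(self, text, tag, literal=False):
        """Highlight `text` in the sample and click Define Field (first occurrence is used)."""
        start = self.sample.index(text)
        self.fields.append(FieldTag(start, start + len(text), tag, literal))
        return self

    def compile(self):
        """Untagged text matches literally (assumption), a literal field matches its own
        text, and every other field matches its tag's pattern as a named group."""
        pattern, pos = "^", 0
        for f in sorted(self.fields, key=lambda f: f.start):
            if f.start < pos:
                raise ValueError(f"field '{f.tag}' overlaps a previous field")
            pattern += re.escape(self.sample[pos:f.start])
            value_re = re.escape(self.sample[f.start:f.end]) if f.literal else TAG_LIBRARY[f.tag][0]
            pattern += f"(?P<{f.tag}>{value_re})"
            pos = f.end
        return re.compile(pattern + re.escape(self.sample[pos:]) + "$")

    def validate(self):
        """Validation tab: the pattern must extract every tag from its own sample message."""
        m = self.compile().match(self.sample)
        if m is None:
            raise ValueError("signature does not match its own sample message")
        return m.groupdict()

    def match(self, message, redact=True):
        """Apply the signature to an incoming message; redacted tags are shown as ****."""
        m = self.compile().match(message)
        if m is None:
            return None
        tags = {k: "****" if redact and TAG_LIBRARY.get(k, ("", False))[1] else v
                for k, v in m.groupdict().items()}
        return {"event_type": self.event_type, **tags}


def suggest_tag(text):
    """What the editor does on Define Field: propose the first library tag whose pattern fits."""
    for name, (value_re, _) in TAG_LIBRARY.items():
        if re.fullmatch(value_re, text):
            return name
    return None


def build_example_signature():
    """The procedure above for the constructed sshd message. Every variable part of the
    sample must be tagged; anything left untagged is frozen into the pattern as literal text."""
    sig = MessageSignature("sshd-failed-password", SAMPLE_MESSAGE, event_type="auth_failure")
    sig.define_field("Mar 14 10:02:11", "timestamp")
    sig.define_field("fw1", "host")
    sig.define_field("2123", "pid")
    sig.define_field("Failed password", "action", literal=True)
    sig.define_field("admin", "user")
    sig.define_field("203.0.113.7", "src_ip")
    sig.define_field("51234", "port")
    return sig


if __name__ == "__main__":
    sig = build_example_signature()
    print("validation:", sig.validate())
    print("match:", sig.match(SECOND_MESSAGE))
    print("no match:", sig.match(OTHER_MESSAGE))
```

The point to take from the timestamp and process-ID fields is that a signature validated against one sample can still match nothing in production if a part of the message that varies (time, PID, hostname) was left untagged, so validate with a second message that differs in those positions, not only with the sample itself.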


CHAPTER 8:

Tag Catalog

LogLogic provides a set of useful field Tags and Event Types out of the box. You can create new Tags or Event Types, and edit the existing catalog.

Field Tags

To add a new user-defined field Tag

1. Click Management > Tag Catalog from the home page. (See Figure 132.)

Figure 132 Access Tag Catalog

The Tag Catalog opens, showing the existing Field Tags in the system. (Figure 133.)

Figure 133 Tag Catalog


2. Click Create to open the Create Field Tag window.

Figure 134 Create Field Tag

3. In the Tag Attributes area, enter a Name and a Description for the new field Tag. Select the Redact checkbox if you want to mask sensitive data in the presentation layer after a search is performed. (If Redact is checked, a search on the field Name will return stored results, but with **** in place of actual data.) Click OK when finished.

Figure 135 New Field Tag Added

The new field Tag will appear in the Actions column, and a checkmark will appear in the User Defined column. (Figure 135.)

4. To filter tags by name, type one or more letters in the Name field and press Enter. Corresponding named Tags will appear in the Tag Catalog list. To restore the entire list of field Tags, clear the entry in the Name field and press Enter. (Figure 136.)

Figure 136 Filter Tags by Name


5. Place a checkmark in the Show Active checkbox to show only the active field Tags. Clear the checkbox to show all recorded field Tags.

Figure 137 Show Active Field Tags

To edit or remove an existing field Tag

1. To edit field Tag properties, click the Edit icon next to the Tag Name in the Actions column. The Edit Field Tag window appears.

Figure 138 Edit Field Tag

You can change the following Tag Attributes: Name, Description, and Redact condition. When finished click OK.

2. To remove a field Tag from the Tag Catalog, select one or more tag names and click Remove selected. Click Yes to confirm removal of the selected field Tags.

Event Types

You can create a new Event Type, or edit or remove existing Event Types.

To add a new user-defined Event Type

1. Click Management > Tag Catalog from the home page.

2. Select the Event Types tab.

Figure 139 Tag Catalog Event Types

3. Click Create to open the Create Event Type window.


Figure 140 Create Event Type

4. In the Event Type Attributes area, enter a Name and a Description for the new event type and click OK. The new Event Type will appear in the Actions column.

5. To filter Event Types by name, type one or more letters in the Name field and press Enter. Corresponding named types will appear in the Event Types Catalog list. (Figure 141) To restore the entire list of Event Types, clear the entry in the Name field and press Enter.

Figure 141 Filter Event Types by Name

6. Place a checkmark in the Show Active checkbox to show only the active Event Types. Clear the checkbox to show all recorded Event Types.

To edit or remove an existing Event Type

1. To edit Event Type Attributes, click the Edit icon next to the Event Types Name in the Actions column. The Edit Event Type window appears.

Figure 142 Edit Event Type

You can change the following Event Type Attributes: Name, and Description. When finished click OK.

2. To remove an Event Type from the Event Type Catalog, highlight one or more Event Types and click Remove selected. Click Yes to confirm deletion of the selected Event Types.


CHAPTER 9:

Dynamic Groups

With LMI 5, LogLogic introduces a new feature called Dynamic Groups. This chapter covers how to create a Dynamic Group on the LMI 5 Appliance.

Add Device Group

Use the Add Device Group tab to arrange your source devices into bundles or categories. A device must be part of the Available Devices list before it can be included in a group. If you are running a Management Station, you can multi-select and group devices across Appliances. You can view the groups you define here in the Management > Devices > Device Groups tab. (See Figure 143.)

Figure 143 Add Device Group

Device groups created across multiple Appliances have an * after the group name.

The fields on this page (Description, IP Address, Group Name, etc.) use regular expression patterns for filtering. The IP Address field also allows specifying addresses in CIDR notation.

To add a Device Group

1. Click Add New to open the Add Device Group tab. (Figure 144 on page 190.)


Figure 144 Add Device Group Tab

2. In the Group Name field, enter a unique name to identify this group of log sources.

3. Under Enable, select the Yes radio button to activate the group for use on the Appliance.

4. From the Group Type drop-down menu, select whether the group is:

Local - Group contains devices on the current Appliance only.

Global - (Management Station only) Group contains devices on multiple Appliances. Global groups can be created and accessed on Management Station Appliances only.

Note: Global groups cannot contain another global group as a member.

Global groups are marked in the Groups tab with an asterisk (*).

Select Static or Dynamic from the second drop-down. Dynamic enables the group to be automatically updated as new devices are added to the Appliance.


Note: The Dynamic option is available only for local groups, as Global Dynamic Groups are not supported.

5. In the Description field, enter a description for the group.

6. Under Available Devices, find the devices that are available to add to the group. You can use one or any combination of the following fields:

In the Name Pattern field, enter a device name or partial name.

In the IP Pattern field, enter a device IP address or partial address. CIDR notation may also be used.

From the Device Type drop-down menu, select a device type.

Note: All Device Types is an option only for Dynamic Groups.

In the Desc Pattern field, enter a device description or partial description. The descriptions defined in the Add Device or Add File Transfer Device tabs are searched using this pattern.

(Global group only) From the Appliance drop-down menu, select All or a specific Appliance by its IP address. If you select All, only Global groups are listed. If you do not have any Global groups, All (all devices) appears. If you select a specific Appliance IP address, only devices from the selected Appliance are listed.

Click Filter to search for devices based on the specified search criteria.

The Available Devices table lists all devices matching the criteria.

Notes:

1) All devices that appear in the Available Devices list when the Filter button is clicked will be added automatically to the Dynamic Group. It is actually not necessary to click the Filter button for this to occur. New devices auto-discovered or manually added to the system will be added automatically to the Dynamic Group if the device matches the pattern.

2) Dynamic Groups cannot contain Static Groups as members. However, Static Groups can contain Dynamic Groups as members.

7. (For Static Groups only) In the Available Devices table, check the checkbox for each device to add to the group and then click the add button.

The selected devices are added to the Current Devices in Group table. To remove a device from this table, check its checkbox and then click the remove button.

8. Click Add to add the group to the Appliance.

Notes:

1) A user must have "all device access" to create or update a Dynamic Group.

2) A user who has been given explicit permission on a Dynamic Group but does not have "all device access" can see and use the group, but cannot edit it.
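As an added example (not LogLogic code), the Python script below models the group rules described in this chapter: the Available Devices filter with regular-expression name and description patterns and an IP pattern that accepts either a regex or a CIDR block, a Dynamic Group that is re-evaluated against the inventory so that a newly added device joins automatically, the nesting rules (a Static Group may contain a Dynamic Group, a Dynamic Group may not contain a Static Group, a Global group may not contain another Global group, Global Dynamic Groups are not supported), and the "all device access" requirement for editing a Dynamic Group. The inventory, device types and group names are constructed for this example, and the edit rule for Static Groups is an assumption the guide does not state.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    device_type: str
    description: str


# Constructed device inventory for this example (names, addresses and types are made up).
INVENTORY = [
    Device("fw-dmz-1", "192.0.2.1", "Check Point", "DMZ firewall, rack 3"),
    Device("fw-dmz-2", "192.0.2.2", "Check Point", "DMZ firewall, rack 4"),
    Device("ids-dmz-1", "192.0.2.50", "Snort", "DMZ IDS sensor"),
    Device("exch-1", "10.10.5.20", "Microsoft Exchange", "Mail server"),
]


@dataclass
class DeviceGroup:
    name: str
    group_type: str = "Local"          # Local, or Global (Management Station only)
    dynamic: bool = False              # Static or Dynamic
    name_pattern: str = ""             # regular expression, as the guide states for these fields
    ip_pattern: str = ""               # regular expression or CIDR block
    device_type: str = "All Device Types"
    desc_pattern: str = ""
    members: set = field(default_factory=set)       # devices picked by hand (Static Groups)
    subgroups: list = field(default_factory=list)   # groups nested as members

    def __post_init__(self):
        if self.dynamic and self.group_type == "Global":
            raise ValueError("Global Dynamic Groups are not supported")


def ip_matches(pattern, ip):
    """IP Pattern: try CIDR first, fall back to a regular expression."""
    if not pattern:
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return re.search(pattern, ip) is not None


def filter_devices(group, inventory):
    """The Available Devices filter: every criterion that is set must match (ANDed)."""
    if group.device_type == "All Device Types" and not group.dynamic:
        raise ValueError("All Device Types is an option only for Dynamic Groups")
    matched = []
    for d in inventory:
        if group.name_pattern and not re.search(group.name_pattern, d.name):
            continue
        if not ip_matches(group.ip_pattern, d.ip):
            continue
        if group.device_type != "All Device Types" and d.device_type != group.device_type:
            continue
        if group.desc_pattern and not re.search(group.desc_pattern, d.description):
            continue
        matched.append(d)
    return matched


def add_subgroup(parent, child):
    """Nesting rules from the notes above."""
    if parent.dynamic and not child.dynamic:
        raise ValueError("Dynamic Groups cannot contain Static Groups as members")
    if parent.group_type == "Global" and child.group_type == "Global":
        raise ValueError("Global groups cannot contain another global group")
    parent.subgroups.append(child)


def resolve(group, inventory):
    """Current membership. A Dynamic Group is re-evaluated against the inventory on every
    call, so a device added later joins as soon as it matches the patterns; a Static Group
    returns exactly the devices that were picked, plus whatever its subgroups resolve to."""
    devices = set(filter_devices(group, inventory)) if group.dynamic else set(group.members)
    for sub in group.subgroups:
        devices |= resolve(sub, inventory)
    return devices


def can_edit(group, all_device_access, explicit_permission=False):
    """Creating or updating a Dynamic Group requires 'all device access'; an explicit
    permission on the group only lets the user see and use it. Static Groups are assumed
    (the guide does not say) to be editable with either."""
    if group.dynamic:
        return all_device_access
    return all_device_access or explicit_permission


if __name__ == "__main__":
    inventory = list(INVENTORY)
    dmz_fw = DeviceGroup("dmz-firewalls", dynamic=True, ip_pattern="192.0.2.0/24",
                         desc_pattern=r"(?i)firewall")
    print("before:", sorted(d.name for d in resolve(dmz_fw, inventory)))
    inventory.append(Device("fw-dmz-3", "192.0.2.3", "Check Point", "DMZ firewall, rack 5"))
    print("after a device is added:", sorted(d.name for d in resolve(dmz_fw, inventory)))
    perimeter = DeviceGroup("perimeter", device_type="Snort", members={inventory[2]})
    add_subgroup(perimeter, dmz_fw)          # a Static Group may contain a Dynamic Group
    print("perimeter:", sorted(d.name for d in resolve(perimeter, inventory)))
    print("explicit permission only, can edit?", can_edit(dmz_fw, False, True))
```

Because a Dynamic Group's membership follows the patterns rather than a chosen list, a loose pattern (for example a description pattern that matches "firewall" anywhere) can silently pull a newly discovered device into reports and alerts scoped to that group; review the resolved membership after auto-discovery, not only when the group is created.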


CHAPTER 10:

Setting User Preferences

The admin tab on the home page lets you view and set your Account Information and System Preferences, and change your password.

Viewing Your LogApp Account (page 193)

Changing Login Landing Page (page 194)

Changing LogApp Account Password (page 195)

Viewing Your LogApp Account

To view your LogApp Account

1. Choose admin from the home page.

Figure 145 Your LogApp Account

2. Review and accept or change the default settings as explained in Table 71 on page 194.


Table 71 Account Options

Element Description

Account Information

User Login The login name of the current user. This can be reset by the system administrator or the user.

Email Address The email address of the current user. This can be reset by the system administrator or the user.

System Preferences

Rows per Page The number of rows displayed on each report page. Can be set by the user to any value from 10 to 1000 rows.

Page Refresh Rate The page refresh rate in seconds. Can be set by the user to any value from 30 to 600 seconds.

Emailed Chart Size The number of segments in display charts. Can be set by the user to any value from 3 to 30 segments.

Session Timeout The session timeout in minutes. Can be set by the user to any value from 5 to 300 minutes; the default is 300 minutes (5 hours). A shorter timeout reduces the time during which an unattended, still-authenticated browser session can be used.

Enable Multiline View Enables the multiline view for displayed log messages.

Login Landing Page The page that appears immediately after logging in to the LMI Appliance. You can change this at any time. For instructions, see Changing Login Landing Page on page 194.

3. Click Save.

Changing Login Landing Page

The Login Landing Page (Home) appears immediately upon logging in to the LMI Appliance. By default the LogLogic Overview Welcome screen is displayed. However, you can change your landing page at any time.

To change your login landing page

1. Choose admin from the home page.

2. Click the down arrow next to Login landing page and select one of the other landing page options: My Dashboard, System Status, Triggered Alerts, Index Search, All Saved Reports, or All Saved Searches.


Figure 146 Your LogApp Account - Login Landing Page

3. Click Save.

The next time you log in to the Appliance, the alternate home page that you selected in this step is displayed. You can change this destination at any time.

Changing LogApp Account Password

You can change your password at any time.

To change your password

1. Choose admin from the home page.

2. Click the Change Password button.

The Change Password dialog box appears. It displays the date of the last password update.


Figure 147 Your LogApp Account - Change Password

3. In the Current Password field, enter your current password.

4. In the New Password field, enter your new password. Note the password requirements specified on the window.

5. In the Confirm New Password field, enter your new password again for verification.


APPENDIX A:

Syslog Host Field Character Sets

This appendix describes the acceptable character sets in an ASCII syslog header.

Syslog Header Character Sets ... 197
Exceptions ... 198

Syslog Header Character Sets

Table 72 lists and describes the acceptable characters in an ASCII syslog header.

Table 72 Acceptable Alpha/Numeric Character Sets

Character Descriptions                Examples
Alpha chars, upper or lower case      A-Z and a-z
Numbers                               0-9
Punctuation:  at                      @
              underscore              _
              period                  .
              backslash               /
              colon                   :
              asterisk                *
              brackets                [ ]
              parenthesis             ( )
              plus                    +
              minus                   -
              space
              tab


Exceptions

The following exceptions are noted for ASCII syslog headers:

Some Unix/Linux syslog messages have a path in the process name. That is taken care of by looking for a leading backslash (/) and any number of the following characters:

Alpha characters, upper or lower case: A-Z, a-z
The numbers 0-9
Punctuation including: underscore _, period ., dash -

Space and tab use depends on the log source. Some log sources have spaces at the point right before the log source target string is found. Others have only a tab. Specifically:

Windows messages require a space before the target string.

Cisco VPN3000 requires a tab.
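As an added example (not code from the LogLogic guide or the product), the following Python module applies the Table 72 character set and the two exceptions above to constructed sample headers: it reports any character outside the acceptable set, recognises a path-style process name by the leading slash rule, and checks that the separator before a source's target string is the one the guide states. The source labels `windows` and `cisco_vpn3000`, the function names, and the sample headers are assumptions made for this example.

```python
import re
import string

# Character classes taken from Table 72 (acceptable characters in an ASCII syslog header).
ALPHA = set(string.ascii_letters)   # A-Z and a-z
DIGITS = set(string.digits)         # 0-9
PUNCT = set("@_./:*[]()+-")         # at, underscore, period, slash, colon, asterisk,
                                    # brackets, parentheses, plus, minus
SEPARATORS = {" ", "\t"}            # space and tab
HEADER_CHARS = ALPHA | DIGITS | PUNCT | SEPARATORS

# Exception 1: a Unix/Linux process name may carry a path, recognised by a leading "/"
# followed by any number of letters, digits, underscore, period or dash.
PROCESS_PATH_RE = re.compile(r"/[A-Za-z0-9_.-]*")

# Exception 2: the character required immediately before the target string depends on
# the log source. The source keys are labels chosen for this example (assumption);
# the separators are the ones the guide states.
REQUIRED_SEPARATOR = {
    "windows": " ",         # Windows messages require a space before the target string
    "cisco_vpn3000": "\t",  # Cisco VPN3000 requires a tab
}


def offending_chars(header):
    """Return the characters of `header` outside the Table 72 set,
    in order of first appearance and without duplicates."""
    bad = []
    for ch in header:
        if ch not in HEADER_CHARS and ch not in bad:
            bad.append(ch)
    return bad


def is_acceptable_header(header):
    """True when every character of `header` is in the Table 72 set."""
    return not offending_chars(header)


def process_path(process_field):
    """Apply the path exception to a process field.

    Returns (path, rest) when the field starts with a path as the guide defines it,
    where `rest` is whatever follows the path (for example "[1234]:"); otherwise None.
    """
    m = PROCESS_PATH_RE.match(process_field)
    if m is None:
        return None
    return m.group(0), process_field[m.end():]


def separator_before_target(header, target, source):
    """True when `target` occurs in `header` preceded by the separator `source` requires."""
    idx = header.find(target)
    if idx <= 0:
        return False
    return header[idx - 1] == REQUIRED_SEPARATOR[source]


def check_header(header, source=None, target=None):
    """Summarise the checks for one header; the separator check runs only
    when a source and its target string are given."""
    report = {
        "acceptable": is_acceptable_header(header),
        "bad_chars": offending_chars(header),
    }
    if source is not None and target is not None:
        report["separator_ok"] = separator_before_target(header, target, source)
    return report


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real device.
    samples = [
        ("Jan 12 10:15:01 fw-01 kernel:", None, None),
        ('Jan 12 10:15:01 fw-01 user="bob"', None, None),
        ("Jan 12 10:15:01 dc01 MSWinEventLog", "windows", "MSWinEventLog"),
        ("Jan 12 10:15:01 vpn01\tIKE", "cisco_vpn3000", "IKE"),
    ]
    for header, source, target in samples:
        print(repr(header), check_header(header, source, target))
    print(process_path("/sshd[1234]:"))
```

The separator check is deliberately strict about position: it looks only at the single character before the target string, because that is the distinction the guide draws between the two sources, and a space-tab mismatch there is exactly the failure that leaves a header unparsed.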


Index

A
Accepted Connections
  Real-Time report 143
Access Control
  Real-Time report 135
Active FW Connections
  Real-Time report 144
Active VPN Connections
  Real-Time report 145
alert receivers
  defining alert 117
Alert Viewer
  using 111
  viewing alerts 111
Alert Widgets 48
alerts
  about 111
  adding 114
  managing 113
  modifying 118
  parsed data alert 117
  removing 118
  selecting types 114
  tab description 113
All Database Events
  Real-Time report 155, 166
All Unparsed Events
  Real-Time report 161
appliances
  introducing 11
  system status 23
Application Distribution
  Real-Time report 146
archived data
  viewing 107
archived data files
  passive files 109
  viewing 107

B
Boolean expression, entering 71

C
change LogApp account password 195
change Login Landing Page 194
Check Point Policy
  Real-Time report 176
  tab description 176
  using 176
clipboard
  adding a new 86
  index search 86
configuring result settings 77
Connectivity
  Real-Time report 142
considerations 9
conventions 9
CPU Usage
  tab description 32
  viewing 31

D
Dashboard 38
Dashboard settings 55
data 9
Database Access
  Real-Time report 156
Database Activity
  Real-Time report 154
Database Data Access
  Real-Time report 157
Database Privilege Modifications
  Real-Time report 158
Database System Modifications
  Real-Time report 159
Denied Connections
  Real-Time report 147
devices
  defining alert 116

E
elements 9
Event Logs
  Real-Time reports 160
examples
  index search 71
exceptions
  syslog header 198
Exchange 2000/03 SMTP Activity 169, 173
Exchange 2000/03 SMTP Activity Report 173
expressions
  index search, entering 71

F
filters
  saving index search 85
Finished Search
  tab description 94
  using 94
FTP Connections
  Real-Time report 148

G
groups
  global, in regex search 92

I
IBM i5/OS Activity Reports
  Real-Time report 165
IDS
  Real-Time report 168
IDS Activity
  Real-Time report 168
index report 65
Index Search
  saving as a filter 84
index search 71
  adding a new clipboard for 86
  clipboard 86
  Clipboard tab 86
  configure results settings 77
  examples 71
  filter, reusing 86
  filters 85
  manage results 80
  narrowing the scope 72
  results 76
  results, viewing in context 81
  running 72
  Search Filters tab 85
  Search History tab 84
  Search Results tab 76
  using 71
  using history 84
  viewing trends 83
index search expression rules 71
index search filters 85

L
log message, viewing in context 81
log messages
  deleting clipped 88
  viewing or editing 87
Log Source Status
  tab description 34
  viewing 32
Login Landing Page 194
LogLogic product families 19
LX appliances 19

M
MA appliances 20
Mail Activity
  Real-Time report 169, 170
Mail Delay
  Real-Time report 171
Mail Size
  Real-Time report 172
Manage Widgets 39
  Alerts 48
  Summary 41
  System 52
  Trend 44
management station
  viewing system status 27
managing search results 80
MD5 checksums, verifying 108
message rate
  viewing 30
MX appliances 20
My Dashboard 38

N
navigation menu 11
network infrastructure 21
Network Policies
  Real-Time report 177

P
Parameterized Pre-defined Regular Expression
  Search Filters 101
parsed data alerts 117
Pending Search
  tab description 93
  using 93
Permission Modification
  Real-Time report 136
placeholders 9
Policy reports
  Real-Time report 174
product families 19

R
Real-Time reports
  about 119
  Access Control reports 135
  common options 120
  Connectivity reports 142
  Database Activity reports 154
  event logs 160
  generating 120
  IBM i5/OS activity reports 165
  IDS reports 168
  Mail Activity reports 169
  Policy reports 174
  report types 119
Real-Time Viewer
  creating reports 57
  Log Messages screen 61
  saving reports 57
  using 57
Recent Messages
  tab description 36
  viewing 36
regular expression (regex) search 91
  view pending searches 93
  view running searches 93
related documents 7
results
  index search, In Context tab 81
rules, index search expression 71
Rules/Policies
  Real-Time report 175
Running Search
  using 93

S
scope
  narrowing on index search 72
screen output 9
search
  about 63
  features overview 63
  index report 65
  index search 71
  index, running 72
  regular expression (regex) 91
  viewing search information 120
Search Filters
  adding new 95
  modifying 104
  overview 94
  tab description 94
Search IP Address
  saving a report 92
Security Events
  Real-Time report 162
ST appliances 21
Summary reports
  about 184
Summary Widgets 41
Syslog Header character sets 197
System Events
  Real-Time report 163
System Object Access
  Real-Time report 166
system prompts 9
system status
  viewing 23
  viewing (management station) 27
System Widgets 52

T
Trend Widgets 44
trends
  viewing 83

U
Unapproved Messages
  tab description 35
  viewing 35
User Access
  Real-Time report 137
User Access By Connection
  Real-Time report 167
User Actions
  Real-Time report 167
User Authentication
  Real-Time report 138
User Jobs
  Real-Time report 167
User Last Activity
  Real-Time report 140
user roles 11
users
  defining alert 117
Users Created/Denied
  Real-Time report 139

V
view data files 107
view LogApp account 193
viewing
  clipped log messages 87
  log message in context 81
viewing in context 81
viewing search results 76
VPN Access
  Real-Time reports 149
VPN Events
  Real-Time report 164
VPN Sessions
  Real-Time report 150
VPN/RADIUS Top Lists
  Real-Time report 151

W
Web Cache
  Real-Time report 152
Web Surfing
  Real-Time report 153
Widgets 38
Window Events
  Real-Time report 141