The MSActivator can collect, index and store events received from devices. Once indexed, the logs are fully searchable from the user interface.
The diagram below shows the syslog processing steps from the device to Elasticsearch.
Log Analysis Portal
Log analysis over multiple devices is available by accessing the analytics from the customer tenant page, 'LOGS & REPORTS' tab.
Or for a single device, from the devices page, in the 'Logs' sub-task.
The main difference between these two levels of access is the ability, on the customer tenant, to perform a log analysis over multiple devices and/or multiple vendors.
The page is divided into 3 sections:
- on the top, the default text search form
- on the left, the search options
- on the main part, the search results
This is the list of devices with log collection enabled. Select the devices you want to include.
Time Range Selection
When device logs are collected and parsed, the log timestamp is extracted and indexed in the field fw_time. The timestamp is typed as a date by the Elasticsearch engine, which allows searching by time range. By default, the search on logs is done on all logs that have a timestamp between the current time minus 24 hours and the current time plus 24 hours.
You can search within (default) or outside the specified time range by using the “time range inclusion” radio buttons.
By default, the time range calendar is set to the UTC time zone. It is possible to change it to another time zone. If you need assistance changing default timezones, please contact UBIqube support.
The list of time zones to display can be configured with the MSActivator configuration tool.
Results Viewing Options
You can adjust the grouping, list size, and sort method using the radio button selections below.
Results per Page
By default, the search results are limited to 10 results per page. You can choose to display up to 1,000 results per page. The number of results is limited to 1,000 to avoid display performance issues (web browsers may perform poorly when trying to display thousands of results per page).
Paging Through the Results
You can navigate through the results pages using the “previous” and “next” buttons.
Results can be grouped (aggregated) by a field, based on that field's value.
For example, results can be grouped by date, source IP, destination IP, etc. This is useful to find out how many distinct source or destination IPs occur per day.
Once grouping is selected, the result details can be viewed by expanding the line item:
The filter applies to the source IP, the destination IP, and the destination port of the logs.
Each search field is associated with a list of operators to apply on the search. The three possible operators are MUST, MUST_NOT and SHOULD.
- If MUST is selected, the search result will only contain results that match the associated condition.
- If MUST_NOT is selected, the search result will not contain any result that matches the associated search terms.
- If SHOULD is selected, the search result will contain results matching the search terms, but can also contain results matching other terms.
By default, the operator is MUST.
Filter on Source and Destination IP
The source IP and destination IP fields accept single IPs, IP ranges, or subnets. The following queries are valid examples:
Search all logs with 10.1.111.252 as the source IP:
Search all logs with the source IP within the range 10.1.111.1-10.1.112.1:
Search all logs with the source IP outside the subnet 10.1.11.1/24:
Filter on Destination Port
The destination port search accepts a single port (e.g. 22), a port list (e.g. 22,161,514) or a port range (e.g. 20-25).
The following query examples are valid:
Search all logs with destination port 22:
Search all logs with source port in the range 6000-7000:
Search all logs with destination port not in the list 22,443,161:
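As an added example (not MSActivator code), the Python below translates the filter expressions and MUST/MUST_NOT/SHOULD operators described above, plus the default fw_time window, into the Elasticsearch bool query they correspond to. Only fw_time is a documented field name; src_ip, dst_ip and dst_port are assumed names for the indexed fields.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Portal operator -> Elasticsearch bool-query clause with the same meaning.
CLAUSE = {"MUST": "must", "MUST_NOT": "must_not", "SHOULD": "should"}


def ip_clause(field, expr):
    """Single IP, dotted range 'a-b' or CIDR subnet -> term/range clause."""
    expr = expr.strip()
    if "-" in expr:  # range such as 10.1.111.1-10.1.112.1
        lo, hi = (ipaddress.ip_address(p.strip()) for p in expr.split("-", 1))
        if lo > hi:
            raise ValueError(f"inverted IP range: {expr}")
        return {"range": {field: {"gte": str(lo), "lte": str(hi)}}}
    if "/" in expr:  # subnet; 'ip' fields accept CIDR strings in term queries
        return {"term": {field: str(ipaddress.ip_network(expr, strict=False))}}
    return {"term": {field: str(ipaddress.ip_address(expr))}}


def port_clause(field, expr):
    """Single port, comma-separated list or 'lo-hi' range -> term/terms/range."""
    expr = expr.replace(" ", "")
    m = re.fullmatch(r"(\d+)-(\d+)", expr)
    ports = [int(p) for p in (m.groups() if m else expr.split(","))]
    if any(not 0 <= p <= 65535 for p in ports):
        raise ValueError(f"port out of range: {expr}")
    if m:
        lo, hi = ports
        if lo > hi:
            raise ValueError(f"inverted port range: {expr}")
        return {"range": {field: {"gte": lo, "lte": hi}}}
    return {"term": {field: ports[0]}} if len(ports) == 1 else {"terms": {field: ports}}


def build_query(filters, now_iso, inside_range=True, window_hours=24):
    """filters: (field, expression, operator) triples as entered in the portal.

    The fw_time window is now-24h..now+24h by default; 'inside' puts it under
    must, 'outside' (the other radio button) under must_not. Field names other
    than fw_time are assumptions, not documented MSActivator names.
    """
    now = datetime.fromisoformat(now_iso)
    window = timedelta(hours=window_hours)
    bool_q = {"must": [], "must_not": [], "should": []}
    for field, expr, op in filters:
        builder = port_clause if field == "dst_port" else ip_clause
        bool_q[CLAUSE[op]].append(builder(field, expr))
    time_q = {"range": {"fw_time": {"gte": (now - window).isoformat(),
                                    "lte": (now + window).isoformat()}}}
    bool_q["must" if inside_range else "must_not"].append(time_q)
    query = {k: v for k, v in bool_q.items() if v}
    if "should" in query:  # SHOULD only ranks hits higher, never excludes them
        query["minimum_should_match"] = 0
    return {"query": {"bool": query}}
```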
Full Text Search
Text search allows searching directly in the raw log. This search field supports the search engine query syntax.
When the results per page size is set to 10 or 50, the results page will dynamically be refreshed based on the terms in the text search input field. For larger results per page size, you will need to click search before the results refresh.
Once a search returns any hits, several options are available for working with the results.
For each result, the user can view the details of the result by expanding the result row (click the green "+"):