2.1.18. Log Analytics

2.1.18.1. Displaying Log Analytics summary

The Log Analytics summary has a search box. Enter a search condition and click the [ Search ] button (icon); the search results are shown in the detail screen.
[Figure: Search box]

2.1.18.2. Log Analytics detail screen

Contents of the Attack Details are not available for downloading via [ download results ].
[Figure: Advanced search]
In some cases, such as when a search is made from the search box of this summary function or previous search results remain, the detail screen may open with search results already shown.

By default, the search covers all devices' logs from the last 48 hours, shows 10 logs per page, and lists them in descending time-stamp order. You can change these search criteria in the Advanced Search Form section.

If there are more search results than the number of displayed lines, move between pages with the page navigation buttons [ First ], [ Previous ], [ Next ] and [ Last ].
[Figure: Search results]

In the Raw Log section, the contents of the first log are displayed in full, while the second and later logs are displayed partially. Placing the mouse pointer over a log shows that log's entire Raw Log.
[Figure: Raw log]
You can also see each log's entire Raw Log in the log field, which is displayed by clicking [ + ] at the left end of the screen.
[Figure: Raw log]

2.1.18.3. Search Box

You can search on various parameters by entering them in the search box.
When you press any key, such as the space key or an arrow key, in the edit field, the items you can specify as search conditions are displayed on the screen.
[Figure: Search conditions]

You can specify any combination of search conditions using these items, parameters and operators such as [ AND ] or [ OR ].
The [ * ] ( asterisk mark ) can be used as a wildcard.
Two-byte characters, such as Japanese, cannot be used in search conditions. Upper-case and lower-case letters are treated as different characters.

The following examples show how to fill in the search box.

Example: How to Input in the Search Box / Description

[ * ] ( asterisk mark )
    Searches for all logs.
    Note, however, that only logs within the time range specified in the [ Advanced Search Form ] are displayed in the search result.

src_ip:10.0.0.1
    Searches for logs whose Source IP Address is [ 10.0.0.1 ].

src_port:22
    Searches for logs whose Source Port is [ 22 ].

dst_ip:10.0.0.1
    Searches for logs whose Destination IP Address is [ 10.0.0.1 ].

dst_port:80
    Searches for logs whose Destination Port is [ 80 ].

type:utm
    Searches for logs whose log type is [ UTM ].

type:traffic
    Searches for logs whose log type is [ traffic ].

src_ip:10.0.0.1 AND dst_port:22
    Searches for logs whose Source IP Address is [ 10.0.0.1 ] and whose Destination Port is [ 22 ].

src_ip:10.0.0.1 OR src_ip:10.0.0.2
    Searches for logs whose Source IP Address is either [ 10.0.0.1 ] or [ 10.0.0.2 ].

NOT(src_ip:10.0.0.1 OR src_ip:10.0.0.2)
    Searches for logs whose Source IP Address is neither [ 10.0.0.1 ] nor [ 10.0.0.2 ].
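
As an added illustration (not part of the manual or the product), the following Python evaluates search-box queries like the ones above over a handful of constructed log records, applying the rules stated in this section: field:value terms, AND / OR / NOT with parentheses, [ * ] as a wildcard, case-sensitive matching, and rejection of two-byte characters. Treating two adjacent terms with no operator between them as AND (as in the "* destip:..." example in the Log Field section) is an assumption of this example.

```python
import re

# Constructed sample logs standing in for search hits (not from the manual).
FIELDS = ("src_ip", "dst_ip", "dst_port", "type")
LOGS = [dict(zip(FIELDS, row)) for row in [
    ("10.0.0.1", "10.0.0.9", "22", "traffic"), ("10.0.0.2", "10.0.0.9", "80", "utm"),
    ("10.0.0.1", "10.0.0.8", "80", "utm"), ("192.168.1.5", "10.0.0.9", "443", "traffic")]]

def atom(tok):
    if tok == "*":  # a bare asterisk matches every log
        return lambda log: True
    field, sep, pattern = (tok or "").partition(":")  # field:value term
    if not sep or not field:
        raise ValueError("expected field:value, got %r" % tok)
    rx = re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$")  # '*' in a value is a wildcard
    return lambda log: rx.match(log.get(field, "")) is not None  # case-sensitive, as the manual states

def search(text, logs):
    # Recursive descent: NOT binds tightest, then AND, then OR; parentheses group. Adjacent terms
    # with no operator between them are treated as AND (an assumption of this example).
    if not text.isascii():
        raise ValueError("search conditions must be single-byte (ASCII) characters")
    toks = re.findall(r"\(|\)|[^\s()]+", text) + [None]  # None marks the end of input
    def p_or():
        left = p_and()
        while toks[0] == "OR":
            toks.pop(0)
            left = (lambda a, b: lambda log: a(log) or b(log))(left, p_and())
        return left
    def p_and():
        left = p_not()
        while toks[0] not in (None, ")", "OR"):
            if toks[0] == "AND":
                toks.pop(0)
            left = (lambda a, b: lambda log: a(log) and b(log))(left, p_not())
        return left
    def p_not():
        tok = toks.pop(0)
        if tok == "NOT":
            return (lambda f: lambda log: not f(log))(p_not())
        if tok == "(":
            inner = p_or()
            if toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return inner
        return atom(tok)
    pred = p_or()
    if toks[0] is not None:
        raise ValueError("unexpected token %r" % toks[0])
    return [log for log in logs if pred(log)]
```

A malformed query (unbalanced parentheses, a trailing operator, or a full-width character) raises ValueError rather than silently matching a truncated condition.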


2.1.18.4. Advanced Search Form ( Specifying a search query )

In the Advanced Search Form ( when specifying a search query ), the screen shows the following information and statuses in log display mode by default: all devices, the last 48 hours (JST), ten logs per page, and time stamps in descending order.
You can change these search criteria in the Advanced Search Form section.
[Figure: Search query]

Items / Descriptions

Select a Device (Device Name)
    When you check a device's check box, that device is included in the search.

"Start"/ "End"
    The start date and end date of the search period [ time range ]. Specify both the start date and the end date by clicking the calendar button.

Time Zone
    The time zone of the start and end date/time in log display mode. Select either UTC or JST. In simplified statistics analysis mode, UTC is used irrespective of this selection.

Specified Time
    Select whether to search [ within ] or [ outside ] the [ time range ] from the start date to the end date.

Log Display Mode
    Displays the logs as the search result.

Simplified Statistic Analysis Mode ( "Grouped" at the screen)
    Displays the simplified statistic analysis by field (select [ Grouped ] on the screen) as the search result.

The number of displayed lines
    The number of logs displayed on one page in log display mode.

Data Sorting
    Specifies the sort order of the data in log display mode.

filter
    Search results can be filtered by source and/or destination IP address and port number.
    To keep only results that exactly match the entered value, select "MUST"; to exclude results that contain the entered value, select "MUST_NOT".

The time range to be searched is the past 48 hours, counted from the time the detail screen of [ Log Analysis ] is opened.
If you have increased the number of displayed lines, the search may take longer, or the Web browser may display a warning message.

2.1.18.5. Save Search Queries

You can save your search conditions, other than [ Select time range ], as a search query with a unique name.
Saving queries
After specifying the search conditions, enter the name of the search query in the red-framed field below, and then click [ Save Query ].
[Figure: Saving a query]
Two-byte characters, such as Japanese, cannot be used. NOTE: English alphabetic letters are always saved as capital letters.
Search conditions other than the [ Advanced Search Form ] can be saved as a [ Search Query ].

Recalling the saved queries
Click the red-framed button, or press the space key or an arrow key, to display the saved queries. Clicking a query name displays its search conditions. Specify the [ Select time range ] each time you search with a query.
[Figure: Recalling a query]


Deleting the saved queries
Click the [ × ] next to a search query name to remove that saved query.
[Figure: Deleting a query]

A confirmation dialog is then displayed on the screen.
[Figure: Confirmation]
Click [ OK ] in the confirmation dialog to remove the saved query.

2.1.18.6. Log Field

On the Log Analytics detail screen, the log field displays a log divided into its individual elements.
Click the [ + ] button at the left corner of the search result screen to display the relevant log field.
[Figure: Log field]

You can add these elements (items and values) to the search conditions by clicking the green [ + ] button in the log field.
[Figure: Adding an element]

For example: first, search all logs with * (asterisk); then add the element "dst_ip 10.1.144.3" from the log field by clicking [ + ]. The search box shows "* destip:10.1.144.3" and the search results are refreshed.
[Figure: Adding an element 2]

[ Matching Queries ] shows the saved search queries that can be used to search the logs.
Clicking the [ Load Rule ] button next to a Query Name loads the saved search query, and the result screen is updated.
[Figure: Rule import]

Search conditions other than the [ Advanced Search Form ] can be saved as a [ Search Query ].

2.1.18.7. Simplified Statistic Analysis Mode ( "Grouped" at the screen)

In [ Grouped ] mode ( Simplified Analysis mode ), you can check the number of logs for each specified item.
[Figure: Simplified statistics mode]

The items that can be specified are the same as those that can be viewed in the log field. Clicking the edit field displays these items.
[Figure: Display settings]

You can add multiple items, but some items cannot be combined with each other.
If you add an item that cannot be combined with the others, a warning is displayed on the screen.
[Figure: Display settings warning]

If this warning is displayed, remove the last added item immediately and change the item combination.
You can remove the item by clicking the [ × ] button.
[Figure: Display settings, item removal]

The search result in Simplified Analysis mode ( Grouped ) is displayed as the number of logs for the specified item.
If you specify multiple fields, the first item becomes the main key and is counted in combination with each of the other items.
[Figure: Simplified mode search result]

Even if JST is selected as the time zone, UTC is used in simplified statistics analysis mode.

2.1.18.8. Downloading search results

By clicking [ download results ], you can download the search results as a CSV file.
[Figure: Raw result download]

Download target fields
When you click [ download results ], the [ Select the fields to export ] screen appears. Select the fields you want to download.
All fields are selected by default. Unselect any field you do not want to download by clicking its X button.
[Figure: Target fields]

Click [ Reset ] to unselect all fields.
[Figure: Target fields, reset]

An unselected field can be selected again by clicking anywhere in the blank area.
[Figure: Target fields, select]

The download starts when you click [ OK ].
When you click [ OK ], the selected fields are remembered; the screen opens with the same fields selected the next time you click [ download results ].
The CSV file shows the fields in the order in which you selected them on this screen.
[Figure: Target fields, OK]

Download target logs
The downloaded items are not all logs of the search results, but only the logs displayed on one result page, or the simplified analysis ( Grouped ) results.
If you set the result size to 10 in flat mode, only the 10 logs displayed on the page are downloaded when the [ download results ] button is clicked, even if 1,007 logs were found.
In simplified analysis mode (Grouped), only the count result for the item is downloaded; no logs are included.

Delimiters for the CSV file
In flat mode, the CSV delimiter is a tab.
In grouped mode, the CSV delimiter is a comma ( , ).
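
An added example (not from the manual or the product) that reproduces the download behaviour described in this section in Python: flat mode writes only the logs on the current page, tab-delimited, with columns in the selected field order; grouped mode writes comma-delimited counts and no logs; and collecting the full result set means downloading every page. The hits are constructed, and counting per combination of the selected fields is this example's reading of "counted in combination with every item".

```python
import csv
import io
from collections import Counter

# Constructed search hits standing in for a result set (not from the manual).
HITS = [
    {"src_ip": "10.0.0.1", "dst_ip": "10.0.0.9", "dst_port": "22", "type": "traffic"},
    {"src_ip": "10.0.0.2", "dst_ip": "10.0.0.9", "dst_port": "80", "type": "utm"},
    {"src_ip": "10.0.0.1", "dst_ip": "10.0.0.8", "dst_port": "80", "type": "utm"},
    {"src_ip": "192.168.1.5", "dst_ip": "10.0.0.9", "dst_port": "443", "type": "traffic"},
]

def page(hits, page_no, page_size):
    """Logs visible on one result page (1-based); this is all that flat mode exports."""
    start = (page_no - 1) * page_size
    return hits[start:start + page_size]

def export_flat(page_hits, fields):
    """Flat (log display) mode: tab-delimited, one row per displayed log,
    columns in the order the fields were selected on the export screen."""
    buf = io.StringIO()
    w = csv.writer(buf, delimiter="\t", lineterminator="\n")
    w.writerow(fields)
    for log in page_hits:
        w.writerow([log.get(f, "") for f in fields])
    return buf.getvalue()

def export_grouped(hits, fields):
    """Grouped mode: comma-delimited counts, first field as the main key, no raw logs.
    Counting per combination of the selected fields is this example's reading of the manual."""
    counts = Counter(tuple(log.get(f, "") for f in fields) for log in hits)
    buf = io.StringIO()
    w = csv.writer(buf, delimiter=",", lineterminator="\n")
    w.writerow(list(fields) + ["count"])
    for key, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        w.writerow(list(key) + [n])
    return buf.getvalue()

def parse_download(text, grouped):
    """Read a downloaded file back with the delimiter that matches the mode it came from."""
    return list(csv.DictReader(io.StringIO(text), delimiter="," if grouped else "\t"))

def export_all_pages(hits, fields, page_size):
    """Each flat-mode download covers one page only, so walk every page to get the full set."""
    rows, last = [], (len(hits) + page_size - 1) // page_size
    for n in range(1, last + 1):
        rows.extend(parse_download(export_flat(page(hits, n, page_size), fields), grouped=False))
    return rows
```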