2.1.18. Log Analytics

2.1.18.1. Log Analytics Summary Display

The Log Analytics summary screen has a [ Search Box ]. Enter the search conditions and click [ Search Box ]; the search results then appear on the screen.
Figure: Search box

2.1.18.2. Detail Screen on Log Analytics

On the Log Analytics detail screen, you can search logs, view simple statistics, and download RAW logs.
Figure: Detail search
When you use the search box on the summary screen, or when a previous search result is still on the screen, the detail screen opens with those search results displayed.

By default, ten logs are displayed per page, sorted by time stamp in descending order. To change these conditions, use [ Specify Search Queries ].

If there are more search results than "the number of displayed lines", move between pages by clicking the page navigation buttons [ First ], [ Previous ], [ Next ] and [ Last ].
Figure: Search results

On the screen, only the first log shows its full [Raw] log; the second and later logs show only part of their [Raw] logs. When you click a specific log, the full [Raw] log of that entry is displayed.
Figure: Raw log
RAW logs can also be seen in the log field, which is displayed by clicking [ + ] on the left side.
Figure: Raw log

2.1.18.3. Search Box

You can search on various parameters by entering them in the search box.
When you press a key such as the space key or an arrow key in the edit field, the items that can be specified as search conditions are displayed on the screen.
Figure: Search conditions

You can combine these items, parameters, and operators such as [ AND ] or [ OR ] to specify any search condition.
The [ * ] ( asterisk ) can be used as a wildcard.
Two-byte characters, such as Japanese, cannot be used in search conditions. Search conditions are case-sensitive: upper-case and lower-case letters are treated as different characters.

The following examples show how to fill in the search box.

Example: How to Input in the Search Box

Description:

[ * ] ( asterisk )

Searches for all logs.
Note that only logs within the time range specified in the [ Advanced Search Form ] are displayed in the search result.

src_ip:10.0.0.1

Searches for logs whose Source IP Address is [ 10.0.0.1 ].

src_port:22

Searches for logs whose Source Port is [ 22 ].

dst_ip:10.0.0.1

Searches for logs whose Destination IP Address is [ 10.0.0.1 ].

dst_port:80

Searches for logs whose Destination Port is [ 80 ].

type:utm

Searches for logs whose log type is [ UTM ].

type:traffic

Searches for logs whose log type is [ traffic ].

src_ip:10.0.0.1 AND dst_port:22

Searches for logs whose Source IP Address is [ 10.0.0.1 ] and whose Destination Port is [ 22 ].

src_ip:10.0.0.1 OR src_ip:10.0.0.2

Searches for logs whose Source IP Address is either [ 10.0.0.1 ] or [ 10.0.0.2 ].

NOT(src_ip:10.0.0.1 OR src_ip:10.0.0.2)

Searches for logs whose Source IP Address is neither [ 10.0.0.1 ] nor [ 10.0.0.2 ].
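As an added illustration (not the product's own code, whose parser is not shown on this page), the following Python models the search-box syntax described above on a few constructed log records: field:value terms, [ * ] as a wildcard or as a match-all query, AND / OR / NOT with parentheses, and case-sensitive comparison. The field names are the ones the page uses; giving AND precedence over OR and using fnmatch for the wildcard are assumptions.

```python
import fnmatch
import re
# Constructed sample logs (not from the page), keyed by the field names the page lists.
LOGS = [{"type": "utm", "src_ip": "10.0.0.1", "dst_ip": "10.1.144.3", "dst_port": "22"},
        {"type": "traffic", "src_ip": "10.0.0.2", "dst_ip": "10.1.144.3", "dst_port": "80"},
        {"type": "traffic", "src_ip": "10.0.0.7", "dst_ip": "10.1.144.9", "dst_port": "443"}]
# One token is "(", ")", a keyword AND / OR / NOT, or a bare term such as src_ip:10.0.0.1 or *.
TOKEN = re.compile(r"\s*(\(|\)|AND\b|OR\b|NOT\b|[^\s()]+)")
PREC = {"OR": 1, "AND": 2}  # binding strength of the binary operators; NOT binds tightest (assumed)

def parse(query):  # search-box query -> nested tuples, e.g. ("and", ("term", f, v), ("not", ...))
    toks = TOKEN.findall(query)
    def atom():
        tok = toks.pop(0) if toks else None
        if tok == "(":
            node = expr(1)
            if not toks or toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return node
        if tok == "NOT":
            return ("not", atom())
        if tok == "*":  # the page: [ * ] on its own searches for all logs
            return ("all",)
        field, sep, value = (tok or "").partition(":")
        if not sep:
            raise ValueError("expected field:value or *, got %r" % tok)
        return ("term", field, value)
    def expr(min_prec):  # precedence climbing: AND binds tighter than OR
        left = atom()
        while toks and PREC.get(toks[0], 0) >= min_prec:
            op = toks.pop(0)
            left = (op.lower(), left, expr(PREC[op] + 1))
        return left
    tree = expr(1)
    if toks:
        raise ValueError("unexpected %r" % toks[0])
    return tree

def matches(node, log):  # does one log record (dict of field -> str) satisfy the tree? Case-sensitive.
    if node[0] == "term":  # '*' inside the value is a wildcard (fnmatchcase also honours ? and [...])
        return node[1] in log and fnmatch.fnmatchcase(str(log[node[1]]), node[2])
    if node[0] == "not":
        return not matches(node[1], log)
    if node[0] == "and":
        return matches(node[1], log) and matches(node[2], log)
    return node[0] == "all" or matches(node[1], log) or matches(node[2], log)

def search(query, logs=LOGS):  # the records the search box would list for this query
    tree = parse(query)
    return [log for log in logs if matches(tree, log)]
```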


2.1.18.4. Advanced Search Form ( Specifying a search query )

By default, the log display mode searches all devices over the last 48 hours (JST), shows ten logs per page, and sorts the time stamps in descending order.
These conditions can be changed in the [ Advanced Search Form ] ( Specify Search Queries ).
Figure: Search query

Item

Descriptions:

Select a Device (Device Name)

Select the check box of a device to include that device in the search.

"Start"/ "End"

The start date and end date of the search period ( time range ). Specify both the start date and the end date by clicking the calendar button.

Time Zone

The time zone of the start and end date/time in the log display mode. Select either UTC or JST. In the simplified statistic analysis mode, UTC is used regardless of this selection.

Specified Time

Select whether to search [ within ] or [ outside ] the [ time range ] from the start date to the end date.

Log Display Mode

Displays the logs as the search result.

Simplified Statistic Analysis Mode ( "Grouped" at the screen)

Displays the simplified statistic analysis, a count of logs per field value, as the search result (select [ Grouped ] on the screen).

The number of displayed lines

The number of logs displayed per page in the log display mode.

Data Sorting

Specifies the sort order of the logs in the log display mode.

Filter

Refines the search result by [ filter ] on the Source IP Address, Source Port Number, Destination IP Address, and Destination Port Number.
Select [ MUST ] to keep only logs that exactly match the value you enter, or [ MUST_NOT ] to exclude logs that match it.

By default, the time range to be searched is the 48 hours before the time at which the [ Log Analysis ] detail screen was opened.
If you increase the number of displayed lines, the search may take longer, or the Web browser may display a warning message.

2.1.18.5. Save Search Queries

You can save a search query under a unique name. All search conditions except [ Select time range ] are saved.
Save Query
After specifying the search conditions, enter the name of the search query in the red-framed field shown below, and then click [ Save Query ].
Figure: Saving a query
Two-byte characters, such as Japanese, cannot be used in the name. NOTE: English letters in the name are always saved in upper case.
All search conditions other than those in the [ Advanced Search Form ] can be saved as a [ Search Query ].

Call the Saved Query
Click the red-framed button, or press the space key or an arrow key, to list the saved queries. Click the name of the query you want to use, and its search conditions are displayed. Specify the [ Select time range ] each time you search with a saved query.
Figure: Calling a saved query


Remove a Saved Query
Click the [ × ] next to a search query name to remove the saved query.
Figure: Deleting a query

A confirmation dialog is then displayed on the screen.
Figure: Confirmation
Click [ OK ] in the confirmation dialog to remove the saved query.

2.1.18.6. Log Field

On the Log Analytics detail screen, the log field shows a log split into its individual fields.
Click the [ + ] button at the left of a search result to display its log field.
Figure: Log field

You can add any of these fields, with their values, to the search conditions by clicking the green [ + ] button in the log field.
Figure: Adding a field

For example, if you search for all logs with [ * ] ( asterisk ) and then add the field [ dst_ip 10.1.144.3 ] by clicking the green [ + ] in the log field, the search box is updated to [ * destip:10.1.144.3 ] and the search result is refreshed.
Figure: Adding a field (2)

[ Matching Queries ] shows which saved search queries can be used to search for the log.
Click the [ Load Rule ] button next to a query name to load that saved search query; the result screen is then updated as well.
Figure: Importing a rule


2.1.18.7. Simplified Statistic Analysis Mode ( "Grouped" at the screen)

In [ Grouped ] mode ( Simplified Analysis mode ), you can check the number of logs for each value of a specified item.
Figure: Simplified statistic mode

The items that can be specified are the same as those shown in the log field. Click the edit field to display them.
Figure: Display settings

You can add multiple items, but some items cannot be combined with each other.
If you add an item that cannot be combined with the others, a warning is displayed on the screen.
Figure: Display settings, warning

If this warning is displayed, remove the item you added last and choose a different combination of items.
Remove an item by clicking its [ × ] button.
Figure: Display settings, removing an item

The search result of Simplified Analysis mode ( Grouped ) is displayed as the number of logs per value of the specified item.
If you specify multiple fields, the first item is the main key, and the count is given for each combination of it with the other items.
Figure: Simplified mode, search result

Even if JST is selected as the time zone, UTC is used in the simplified statistic analysis mode.

2.1.18.8. Downloading search results

By clicking [ download results ], you can download search results in CSV file format.
Figure: Downloading RAW results

Download target fields
When you click [ download results ], the [ Select the fields to export ] screen appears. Select the fields you want to download.
All fields are selected by default. Unselect a field you do not want to download by clicking its X button.
Figure: Target fields

Clicking [ Reset ] unselects all selected fields.
Figure: Target fields, reset

An unselected field can be re-selected by clicking anywhere in the blank area.
Figure: Target fields, select

Click [ OK ] to start the download.
When you click [ OK ], the selected fields are remembered, so the screen opens with the same fields selected the next time you click [ download results ].
In the CSV file, the fields are ordered according to the selection order.
Figure: Target fields, OK

Download target logs
The download does not contain all logs of the search result, only the logs displayed on one result page, or the simplified analysis ( Grouped ) results.
For example, if you set the results size to 10 in flat mode, only the 10 logs displayed on the page are downloaded when you click [ download results ], even if 1,007 logs were found.
In simplified analysis mode ( Grouped ), only the count result for the item is downloaded, not the logs themselves.

CSV File Delimiter Character
In the log display mode, the CSV file delimiter character is [ tab ].
In the simplified analysis mode, the CSV file delimiter character is [ , ] (comma).
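As an added example (not code from the product), this Python reproduces the Grouped-mode counting and the two export formats just described, so that a downloaded file can be read back correctly: tab-delimited rows in log display mode, comma-delimited counts in Grouped mode, with columns in selection order. The sample rows, the "count" column name and listing the largest counts first are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed rows of one result page (not from the page); in log display mode only the rows shown
# on the current page are exported, so a page size of 3 exports 3 rows however many logs were found.
PAGE = [{"src_ip": "10.0.0.1", "dst_ip": "10.1.144.3", "dst_port": "22"},
        {"src_ip": "10.0.0.2", "dst_ip": "10.1.144.3", "dst_port": "80"},
        {"src_ip": "10.0.0.2", "dst_ip": "10.1.144.3", "dst_port": "80"}]

def grouped_counts(logs, fields):
    """Grouped mode: count logs per value of the first field, split by each combination with the rest."""
    return Counter(tuple(log.get(f, "") for f in fields) for log in logs)

def export_logs(logs, fields):
    """Log display mode export: tab-delimited, columns in the order the fields were selected."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter="\t", lineterminator="\n")
    writer.writerow(fields)
    for log in logs:
        writer.writerow([log.get(f, "") for f in fields])
    return buf.getvalue()

def export_grouped(counts, fields):
    """Grouped mode export: comma-delimited, one row per combination with its count, largest first."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=",", lineterminator="\n")
    writer.writerow(fields + ["count"])
    for key, n in counts.most_common():
        writer.writerow(list(key) + [n])
    return buf.getvalue()

def load_export(text, grouped):
    """Read a downloaded file back as dicts, choosing the delimiter by the mode it was exported in."""
    return list(csv.DictReader(io.StringIO(text), delimiter="," if grouped else "\t"))
```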