2.2.20. Log Analytics¶
2.2.20.1. Log Analytics screen¶
Click [Logs&Reports].
The Log Analytics screen opens. The details screen may open with the search results displayed, such as when the previous search results remain.
In the initial state, the search results are displayed in descending order of time stamps, with 10 logs for 48 hours for all your devices. These conditions can be changed in [Select Device], [Specify Time Range], and [Specify Display] on the left side.
If the search results have become more than "the number of showing lines", move the page by clicking the page navigation, such as [ First ] [ Previous ], [ Next ] and [ Last ].
The entire raw log is displayed only for the first log, and only a part of the second and subsequent logs is displayed. Put your mouse pointer to see the entire raw log for that log.
You can also check the raw log in the log field displayed by clicking the [+] at the left end.
2.2.20.2. Search Box¶
You can search various parameters by filling in parameters to the search box.
When you push any key, such as the space key or the arrowmark key, at the edit field, the items which you can specify as search conditions will display at the screen.
You can specify any kinds of search conditions in combination with these items, parameters, and various operators such as [ And ] or [ OR ].
The mark of [ * ] ( asterisk mark ) can be used as a wildcard.
You can not use the two-byte characters, such as Japanese, for search conditions. Capital characters and small characters are recognized as being different, respectively.
Following describes an example on how to fill in the search box.
Example: How to Input in the Ssearch Box. |
Descriptions |
|---|---|
[ * ] ( asterisk mark ) |
Searches for all the logs.
However, you are noted that only logs within the time range specified in ["Advanced Search Form"] will display at the search result.
|
| src_ip:10.0.0.1 | Searches for the specific log of a source IP Address, [ 0.0.0.1 ]. |
| src_port:22 | Searches for a specific log of the Source Port: [ 22 ]. |
| dst_ip:10.0.0.1 | Searches for a specific log of a Destination IP Address: "10.0.0.1". |
| dst_port:80 | Searches for the specific log of the Destination Port: [ 80 ]. |
| type:utm | Searches for the log type, [ UTM ]. |
| type:traffic | Search logs which log type is traffic. |
| src_ip:10.0.0.1 AND dst_port:22 | Searches for the specific log of the Source IP Address: [ 10.0.0.1 ] , as well as the log of the Destination port log: [ 22 ]. |
| src_ip:10.0.0.1 OR src_ip:10.0.0.2 | Searches for the specific log of the Source IP Address: either [ 10.0.0.1 ], or [ 0.0.0.2 ]. |
| NOT(src_ip:10.0.0.1 OR src_ip:10.0.0.2) | Searches for the specific logs of the Source IP Address: neither [ 10.0.0.1 ] nor [ 0.0.0.2 ]. |
2.2.20.3. Advanced Search Form ( Specifying a search query )¶
At the Advanced Search Form ( when specifying a search query) , by default, the screen shows the following information and its statuses in the log display mode: All the devices, information and status for the last 48 hours (JST), ten logs for one page, and time stamps displayed in the descending order.
These conditions can be changed within the left red frame.
Items |
Descriptions |
|---|---|
Select a Device (Device Name) |
When your mark to the device check box, that device will be searched for. |
"Start"/ "End" |
These are start date and end date of the search period [ time range ]. You need to specify both the start date and end date by clicking the calendar button. |
Time Zone |
Time zone of start and end date/time in the log display mode Select either UTC or JST. In the simplified statistics analysis mode, UTC is used irrespective of this selection. |
Specified Time |
Select either [ within ] or [ outside ] the [ time range ] from the start date to the end date. |
Log Display Mode |
Display the logs at the search result. |
Simplified Statistic Analysis Mode ( "Grouped" at the screen) |
Display the simplified statistic analysis (by selecting [ Grouped ] at the screen) by fields as the search result. |
The number of displayed lines |
This is the log number to be displayed at one page under the log display mode. |
Data Sorting |
Specify the data sorting at the log preview mode. |
The time range to be searched is specified "within past 48 hours after the time when opening the detail screen of [ Log Analysis ].
If you have added the display lines, then sometimes the search time may take longer, or the warning message from the Web browser may display.
2.2.20.4. Save Search Queries¶
You can save your search query with the unique naming as a search condition other than [ Select time range ].
After specifying the search conditions, input the name of search query into the red-pane filed below, and then click [ Save Query ].
You can NOT use the 2-byte characters, such as Japanese.
NOTE: Any English alphabetic letter are always saved as big characters.
The other search conditions except for [ Advanced Search Form ] will be available to be saved as [ Search Query ].
By either clicking the red-pane button, or pushing a space key / a arrow mark key and so on, a saved query will display. If you have clicked a query name being used, the search conditions will display. Specify the [ Select time range ], every time you search for any query.
The other search conditions except for [ Advanced Search Form ] will be available to be saved as [ Search Query ].
Once you have clicked the [ × ] at a search query name, you can remove a saved query.
Then, a conformation dialog will display at the screen.
Once you have clicked [ OK ] a the confirmation daialog, you can remove a saved query.
2.2.20.5. Log Field¶
At the detail screen on Log Analytics , you can display the log divided for each factor at the log field.
Once you click [ + ] button at the left-corner at the search result screen, the relevant log filed will display.
You can add these factors, such as items and variables, to search conditions, by clicking the green [ + ] button at the log field.
For example, after searching all logs with * (asterisk), if you add the element [date 2020-09-10 18:24:45] with [+] from the log field, [date:"2020-09-10 18:24:45]" will be added to the search box. The search results will be updated.
[ Matching Queries ] shows the availability to search for the logs by using saved search query.
Once you have clicked the [ Load Rule ] button of the Query Name, the saved search query will be called, then the result screen will also update.
The other search conditions except for [ Advanced Search Form ] will be available to be saved as [ Search Query ].
2.2.20.6. Simplified Statistic Analysis Mode ( "Grouped" at the screen)¶
You can verity the log number for each specified item at the [ Grouped ] mode ( Simplified Analysis mode ).
The items to be able to specify are as same as ones to be able to verify at the log filed. Once you have clicked the edit field, these items will display.
You can add multiple Items, whereas you NOT make a combination with some items.
If you add any item unavailable to be combined with, the warning will display at the screen.
If this warning has displayed, you are required to remove the last added item promptly, and then to change item combination.
You can remove the relevant item by clicking the [ × ] button .
The search result of Simplified Analysis mode ( Grouped) will display as the log number for one specified item.
If you specify multiple fields, the first item will become as a main key, and be counted in combination with every item.
Even if JST is selected for the time zone in terms of time zone specification, UTC is used in the simplified statistics analysis mode.
2.2.20.7. Download query log¶
You can download the search results as a CSV file by clicking [Download Query Log].
Download target field
Click [Download Query Log] and select the fields you want to export.
All of the fields are selected as default. The field which is not download target need to be unselected by clicking X button.
Click [Reset] to exclude all selections.
Unselected field can be re-selected by clicking any area of the blank.
Download will start by clicking [OK].
Click [OK] to memorize the selected field, and the next time you click [Download Query Log], the screen with the same field selected will open.
The fields are arranged in the txt file in the order selected on this screen. For example, if you selected only [rawlog] in the previous field, the screen will open with only [rawlog] selected next time.
Download Target Log
The downloaded items is not all logs of the search results but the specific volume logs displayed for one result page or the simplified analysis ( Grouped ) results.
If [Number of displayed lines] is set to 10 lines in the log display mode, even if there are 1,007 search results, only the 10 logs displayed on that page will be downloaded when the [Download Query Log] button is clicked. Will be done.
If you have set up the simplified analysis mode (Grouped), only the count result for one item will be always downloaded, excluding logs.