2.2.17. Log Analytics

2.2.17.1. Displaying Log Analytics summary

The Log Analytics summary has a search box. Enter a search condition and click the [ Search ] button (icon); the search results are shown on the detail screen.
[Figure: search box]

2.2.17.2. Log Analytics detail screen

[Figure: advanced search]
In some cases, such as when a search was made from the summary screen's search box or previous search results remain, the detail screen opens with search results already shown.

By default, the search covers all devices' logs from the last 48 hours, shows 10 logs per page, and lists them in descending order of time stamp. You can change these search criteria in the advanced search form section.

When the total number of search results exceeds the number of items shown on a page (result size), you can move to the first, previous, next or last page by clicking the page navigation buttons.
[Figure: search results]

In the Raw Log column, the first log's contents are displayed in full, but those of the second and later logs are truncated. Hovering the mouse pointer over a log shows its entire Raw Log.
[Figure: raw log]
You can also see each log's entire Raw Log in the logs fields view, which is displayed by clicking [ + ] at the left end of the screen.
[Figure: raw log]

2.2.17.3. Search box

The search box lets you look up logs by entering search parameters.
Pressing any key, such as the space or an arrow key, in the entry field lists the available search criteria.
[Figure: search criteria]

You can specify search criteria by combining the items listed above with parameters and operators such as AND and OR.
You can also use an asterisk (*) as a wildcard character.
Two-byte characters such as Japanese letters are not accepted in search criteria. Uppercase and lowercase letters are distinguished.

The following are entry examples, each followed by its description.

*
    All logs are searched. Note that the results displayed are only the logs within the time range specified in the advanced search form section.
src_ip:10.0.0.1
    Logs whose source IP address is 10.0.0.1 are searched.
src_port:22
    Logs whose source port is 22 are searched.
dst_ip:10.0.0.1
    Logs whose destination IP address is 10.0.0.1 are searched.
dst_port:80
    Logs whose destination port is 80 are searched.
type:utm
    Logs whose log type is utm are searched.
type:traffic
    Logs whose log type is traffic are searched.
src_ip:10.0.0.1 AND dst_port:22
    Logs whose source IP address is 10.0.0.1 and whose destination port is 22 are searched.
src_ip:10.0.0.1 OR src_ip:10.0.0.2
    Logs whose source IP address is 10.0.0.1 or 10.0.0.2 are searched.
NOT(src_ip:10.0.0.1 OR src_ip:10.0.0.2)
    Logs whose source IP address is neither 10.0.0.1 nor 10.0.0.2 are searched.


2.2.17.4. Specifying search query

By default, the specify search query section has the following options selected: all devices, the last 48 hours (JST), log display (flat) mode, 10 logs per page, and descending order of time stamp.
You can change these search criteria in the advanced search form section.
[Figure: search query]

The items of the advanced search form, each followed by its description:

select devices (device names)
    The devices checked here become the search targets.
from/to
    The start date and end date of the search target time range. Click a date on the calendar to specify each.
Timezone
    The time zone that applies to the start and end dates specified above. Select either UTC or JST.
Time range inclusion
    Select either within or outside to define the time range allowance for the start and end dates.
flat
    In flat mode, search results show individual logs.
grouped
    In grouped mode, search results show simple statistics of the logs by field.
result size
    The number of logs displayed per page in flat mode.
sort by
    The order in which data is displayed in flat mode.
filter
    Search results can be filtered by source and/or destination IP address and port number.
    To keep only results that exactly match the entered value, select "MUST"; to exclude results that contain the entered value, select "MUST_NOT".

The search time range is set to "within 48 hours before the time you opened the Log Analytics detail screen".
Choosing a larger result size may make the search take longer or cause a web browser alert.

2.2.17.5. Saving search queries

You can save search criteria other than the time range under a name.
Saving queries
Specify the search criteria to be saved. Enter a name for the search query in the entry field highlighted by the red frame in the figure, and click [ Save Query ].
[Figure: saving a query]
Two-byte characters such as Japanese letters are not accepted. Letters are saved in uppercase even if you enter them in lowercase.
Search criteria other than the time range can be saved as a search query.

Recalling saved queries
Click the search icon highlighted by the red frame in the figure, or press any key such as the space or an arrow key in the entry field, to display the saved search queries. Clicking a query recalls its saved search criteria. You must specify the time range every time you make a search.
[Figure: recalling a query]

Deleting saved queries
To delete a saved query, click [ x ] to the left of the query name.
[Figure: deleting a query]

A confirmation dialog appears.
[Figure: confirmation]
Click [ OK ] to delete the query you chose above.

2.2.17.6. Logs fields

On the Log Analytics detail screen, you can view each log broken down by element in the logs fields view.
Clicking the [ + ] button on the left side of a search result displays that log's logs fields.
[Figure: logs fields]

Clicking the green [ + ] button on the logs field tab adds that element (item and value) to the search criteria.
[Figure: adding an element]

For example, first search all logs with * (asterisk); then add the element "dst_ip 10.1.144.3" from the logs fields by clicking [ + ]. The search box shows "* destip:10.1.144.3" and the search results are refreshed.
[Figure: adding an element, result]

[ matching queries ] shows whether the relevant log can be found with any of the saved search queries.
Clicking the [ load rule ] button next to a query name recalls that saved query and refreshes the displayed search results.
[Figure: rule import]

Search criteria other than the time range can be saved as a search query.

2.2.17.7. grouped

In grouped mode, you can check the number of logs by the items you specify.
[Figure: grouped (simple statistics) mode]

The items you can specify are those shown in the logs fields. Clicking the entry field lists them.
[Figure: display settings]

You can add multiple items, but some items cannot be combined.
If you try to add items that cannot be combined, a warning message appears.
[Figure: display settings, warning]

If you get the warning message, delete the last added item and change the item combination.
You can delete items by clicking the [ × ] button.
[Figure: display settings, deleting an item]

In grouped mode, the search results show the number of logs by the items you specified.
If you specify multiple fields, the first item becomes the main key and the number of each combination containing it is counted.
[Figure: grouped mode search results]

2.2.17.8. Downloading search results

Clicking [ download results ] downloads the search results as a CSV file.
[Figure: raw log download]

Fields to be downloaded
When you click [ download results ], the [ Select the fields to export ] screen appears. Select the fields you want to download.
By default, all fields are selected. Remove the fields you do not want to download by clicking each field's [ x ] button.
[Figure: target fields]

Click [ Reset ] to remove all selected fields.
[Figure: target fields, reset]

You can select removed fields again by clicking anywhere in the entry space.
[Figure: target fields, select]

Click [ OK ] to start downloading.
When you click [ OK ], the selected fields are recorded, and the screen opens with the same fields selected the next time you click [ download results ].
The CSV file lists the fields in the order you selected them on this screen.
[Figure: target fields, OK]

Logs to be downloaded
Not all search results are downloaded: only the logs listed on the first page, or the simple statistics results.
If you set the result size to 10 in flat mode, only the 10 logs displayed on the page are downloaded when you click [ download results ], even if 1,007 results were found.
In grouped mode, only the Count table of results by item is downloaded; no individual logs are included.

Delimiters for CSV file
In flat mode, the CSV delimiter is a tab.
In grouped mode, the CSV delimiter is a comma (,).
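
The following is an added example, not part of the manual and not the product's own code, covering the grouped-mode counting described in 2.2.17.7 and the download behaviour described above: the first specified field acts as the main key and each combination of field values is counted; a flat-mode download contains only the first page (so a result size of 2 over 4 matching logs exports 2 rows), tab-delimited; a grouped-mode download contains only the count table, comma-delimited. It also reads an export back with the right delimiter for its mode, which is what a script consuming these files must get right. Assumptions: the sample logs are constructed, the count column is named "Count" and the ordering of count rows is chosen here (the manual does not specify either), and the default sort is descending by a "timestamp" field.

```python
import csv
import io
from collections import Counter
from typing import Dict, List, Sequence, Tuple

Log = Dict[str, object]

# Constructed sample logs (not taken from the manual); the repeated src_ip/dst_port pair is
# there so grouped mode has a combination that occurs more than once.
SAMPLE_LOGS: List[Log] = [
    {"timestamp": "2024-01-01T10:00:03Z", "src_ip": "10.0.0.1", "dst_ip": "192.168.1.10", "dst_port": 22, "type": "traffic"},
    {"timestamp": "2024-01-01T10:00:02Z", "src_ip": "10.0.0.1", "dst_ip": "192.168.1.10", "dst_port": 22, "type": "utm"},
    {"timestamp": "2024-01-01T10:00:01Z", "src_ip": "10.0.0.1", "dst_ip": "192.168.1.20", "dst_port": 443, "type": "traffic"},
    {"timestamp": "2024-01-01T10:00:00Z", "src_ip": "10.0.0.2", "dst_ip": "192.168.1.10", "dst_port": 80, "type": "traffic"},
]


def flat_page(logs: List[Log], result_size: int = 10, sort_by: str = "timestamp",
              descending: bool = True, page: int = 1) -> List[Log]:
    """Flat mode: the logs shown on one page, sorted like the default view (assumed field name)."""
    ordered = sorted(logs, key=lambda log: str(log.get(sort_by, "")), reverse=descending)
    start = (page - 1) * result_size
    return ordered[start:start + result_size]


def grouped_counts(logs: List[Log], fields: Sequence[str]) -> List[Tuple[Tuple[object, ...], int]]:
    """Grouped mode: count logs per combination of the given fields; the first field is the main key."""
    counter = Counter(tuple(log.get(f) for f in fields) for log in logs)
    # Highest count first; ties ordered by field values so the output is deterministic (our choice).
    return sorted(counter.items(), key=lambda item: (-item[1], tuple(str(v) for v in item[0])))


def download_results(logs: List[Log], mode: str, result_size: int, fields: Sequence[str]) -> str:
    """Mimic [ download results ]: flat mode exports only the first page, tab-delimited;
    grouped mode exports only the count table, comma-delimited."""
    buffer = io.StringIO()
    if mode == "flat":
        writer = csv.writer(buffer, delimiter="\t", lineterminator="\n")
        writer.writerow(fields)  # fields appear in the order they were selected
        for log in flat_page(logs, result_size):
            writer.writerow([log.get(f, "") for f in fields])
    elif mode == "grouped":
        writer = csv.writer(buffer, delimiter=",", lineterminator="\n")
        writer.writerow(list(fields) + ["Count"])  # "Count" column name is an assumption
        for values, count in grouped_counts(logs, fields):
            writer.writerow(list(values) + [count])
    else:
        raise ValueError("mode must be 'flat' or 'grouped'")
    return buffer.getvalue()


def parse_download(text: str, mode: str) -> List[Dict[str, str]]:
    """Read a downloaded CSV back, choosing the delimiter by the mode it was exported in."""
    delimiter = "\t" if mode == "flat" else ","
    return list(csv.DictReader(io.StringIO(text), delimiter=delimiter))


if __name__ == "__main__":
    # With a result size of 2, only 2 of the 4 matching logs reach the flat export.
    flat = download_results(SAMPLE_LOGS, "flat", 2, ["timestamp", "src_ip", "dst_port"])
    print(f"flat export rows: {len(parse_download(flat, 'flat'))} of {len(SAMPLE_LOGS)} logs")
    print(download_results(SAMPLE_LOGS, "grouped", 10, ["src_ip", "dst_port"]))
```

If you need every matching log rather than a page of them, raise the result size before downloading (with the browser-alert caveat from 2.2.17.4) or export page by page; a script that silently consumes a first-page export as the full result set will under-count.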

2.2.17.9. Attack log detailed information

If you subscribe to the Managed WAF, you can see details such as the URL and User Agent in the [ Attack Details ] section.
Because the request for the Attack Details is made when you click the [ + ] mark at the left end of each log line, it takes some time to display.
[Figure: attack log]
The contents of the Attack Details cannot be downloaded via [ download results ].