2.4.19.1. Log Analytics screen
The Log Analytics screen opens. The detail screen may open with search results already displayed, for example when the results of the previous search remain.
In the initial state, the search results are displayed in descending order of timestamp, 10 logs per page, covering the last 48 hours for all of your devices. These conditions can be changed in [Select Device], [Specify Time Range], and [Specify Display] on the left side.
When the total number of search results exceeds the number of logs shown per page (result size), you can move to the first/previous/next/last page with the page navigation buttons.
The entire raw log is displayed only for the first log; for the second and subsequent logs only part of the raw log is shown. Hover the mouse pointer over a log to see its entire raw log.
You can also check the raw log in the log fields displayed by clicking the [+] at the left end of the log.
2.4.19.2. Search box
The search box allows you to look up logs by entering search criteria.
Pressing any key, such as space or an arrow key, in the entry field lists the available search fields.
You can specify search criteria by combining these fields with values and operators such as AND, OR and NOT.
You can also use an asterisk (*) as a wildcard character.
2-byte characters such as Japanese are not accepted in search criteria. Search criteria are case-sensitive (capital and small letters are distinguished).
The following table shows entry examples.
Entry example | Description
* | All logs are searched. Note that the results shown are only the logs within the time range specified in the specify search query section.
src_ip:10.0.0.1 | Logs whose source IP address is 10.0.0.1.
src_port:22 | Logs whose source port is 22.
dst_ip:10.0.0.1 | Logs whose destination IP address is 10.0.0.1.
dst_port:80 | Logs whose destination port is 80.
type:attack | Logs whose log type is attack.
type:traffic | Logs whose log type is traffic.
src_ip:10.0.0.1 AND dst_port:22 | Logs whose source IP address is 10.0.0.1 and whose destination port is 22.
src_ip:10.0.0.1 OR src_ip:10.0.0.2 | Logs whose source IP address is 10.0.0.1 or 10.0.0.2.
NOT(src_ip:10.0.0.1 OR src_ip:10.0.0.2) | Logs whose source IP address is neither 10.0.0.1 nor 10.0.0.2.
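To make the rules above concrete (case-sensitive field:value terms, AND/OR/NOT with parentheses, the asterisk wildcard, and rejection of 2-byte characters), here is a small query evaluator run over constructed sample logs. It is an added example, not the product's own search engine: the exact grammar the service uses (operator case, quoting of values with spaces, wildcard semantics) is not documented on this page and is assumed here, and the sample logs and field names are made up to match the table's examples.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample logs (not from the original page); field names follow the
# search examples in the manual: src_ip, src_port, dst_ip, dst_port, type, date.
SAMPLE_LOGS: List[Dict[str, str]] = [
    {"date": "2020-09-10 18:24:45", "type": "traffic", "src_ip": "10.0.0.1", "src_port": "51234", "dst_ip": "192.0.2.10", "dst_port": "22"},
    {"date": "2020-09-10 18:25:01", "type": "attack", "src_ip": "10.0.0.2", "src_port": "44000", "dst_ip": "192.0.2.10", "dst_port": "80"},
    {"date": "2020-09-10 18:26:12", "type": "traffic", "src_ip": "10.0.0.3", "src_port": "33000", "dst_ip": "192.0.2.11", "dst_port": "443"},
    {"date": "2020-09-10 18:27:30", "type": "attack", "src_ip": "10.0.0.1", "src_port": "51235", "dst_ip": "192.0.2.12", "dst_port": "22"},
]

Matcher = Callable[[Dict[str, str]], bool]

# One token per match: field:value (value either "double quoted", so it may contain
# spaces, or unquoted up to whitespace/parenthesis), parentheses, the operators, or '*'.
# Operators are assumed to be upper-case only, in line with the case-sensitivity rule.
TOKEN_RE = re.compile(r'\s*([A-Za-z_][\w-]*:(?:"[^"]*"|[^\s()]+)|\(|\)|AND|OR|NOT|\*)')


class QueryError(ValueError):
    """Raised for search criteria this evaluator rejects."""


def tokenize(query: str) -> List[str]:
    tokens, pos, query = [], 0, query.rstrip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if m is None:
            raise QueryError(f"unexpected input at offset {pos}: {query[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def _term(field: str, value: str) -> Matcher:
    """field:value match. Comparison is case-sensitive; each '*' in the value
    matches any run of characters (assumed glob-like behaviour)."""
    pattern = re.compile("^" + ".*".join(re.escape(p) for p in value.split("*")) + "$", re.DOTALL)
    return lambda log: field in log and pattern.match(log[field]) is not None


def compile_query(query: str) -> Matcher:
    """Parse a search-box query into a predicate over one log record.
    Precedence: NOT binds tightest, then AND, then OR.
        expr   := term ('OR' term)*
        term   := factor ('AND' factor)*
        factor := 'NOT' factor | '(' expr ')' | '*' | field:value
    """
    if not query.isascii():
        raise QueryError("2-byte characters such as Japanese are not accepted")
    tokens = tokenize(query)
    pos = 0

    def peek() -> Optional[str]:
        return tokens[pos] if pos < len(tokens) else None

    def take() -> str:
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or() -> Matcher:
        left = parse_and()
        while peek() == "OR":
            take()
            left = (lambda l, r: lambda log: l(log) or r(log))(left, parse_and())
        return left

    def parse_and() -> Matcher:
        left = parse_factor()
        while peek() == "AND":
            take()
            left = (lambda l, r: lambda log: l(log) and r(log))(left, parse_factor())
        return left

    def parse_factor() -> Matcher:
        tok = peek()
        if tok == "NOT":
            take()
            inner = parse_factor()
            return lambda log: not inner(log)
        if tok == "(":
            take()
            inner = parse_or()
            if peek() != ")":
                raise QueryError("missing ')'")
            take()
            return inner
        if tok is None or tok in ("AND", "OR", ")"):
            raise QueryError(f"expected a search term, got {tok!r}")
        take()
        if tok == "*":
            return lambda log: True          # '*' alone matches every log
        field, value = tok.split(":", 1)
        return _term(field, value.strip('"'))

    matcher = parse_or()
    if pos != len(tokens):
        raise QueryError(f"unexpected token {tokens[pos]!r}")
    return matcher


def search(logs: List[Dict[str, str]], query: str) -> List[Dict[str, str]]:
    """Return the logs that satisfy the query, keeping their original order."""
    matcher = compile_query(query)
    return [log for log in logs if matcher(log)]


def is_valid_query(query: str) -> bool:
    try:
        compile_query(query)
        return True
    except QueryError:
        return False


if __name__ == "__main__":
    for q in ("*", "type:attack", "src_ip:10.0.0.1 AND dst_port:22", "NOT(src_ip:10.0.0.1 OR src_ip:10.0.0.2)"):
        print(f"{q!r}: {len(search(SAMPLE_LOGS, q))} hit(s)")
```

Two behaviours worth noticing: `type:Attack` matches nothing because the comparison is case-sensitive, and `NOT` applied to a field a log lacks is true for that log, so a negated query can return records that simply do not carry the field, which is the usual source of surprise when excluding source addresses.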
2.4.19.3. Specifying search query
In the default settings of the specify search query section, the following options are selected: all devices, the last 48 hours (JST), flat (log display) mode, 10 logs per page, and descending timestamp order.
These conditions can be changed in the area shown in the red frame on the left.
Item | Description
select devices (device names) | Devices checked here become the search targets.
from/to | Start and end dates of the search target time range. Click a date on the calendar to specify each.
Timezone | Time zone used for the start and end date and time in flat (log display) mode. Select either UTC or JST. In grouped (simple statistics) mode, UTC is used regardless of this setting.
Time range inclusion | Select either within or outside to specify whether the search covers logs inside the start/end range or outside it.
flat | In flat mode, search results show individual logs.
grouped | In grouped mode, search results show simple statistics (log counts) by field.
result size | Number of logs displayed per page in flat mode.
sort by | Display order of the logs in flat mode.
The default time range is the 48 hours before the Log Analytics detail screen was opened.
Choosing a larger result size may make the search take longer or cause a web browser alert.
2.4.19.4. Saving search queries
You can save search criteria other than the time range under a name.
Specify the search criteria to be saved, enter a name for the query in the entry field shown in the red frame in the picture, and click [ Save Query ].
2-byte characters such as Japanese are not accepted in the name. Letters are saved as capitals even if you enter them as small letters.
Search criteria other than the time range can be saved as a search query.
To display the saved search queries, click the search icon shown in the red frame in the picture, or press any key such as space or an arrow key in the entry field. Clicking the query you want to use recalls the saved search criteria. The time range must be specified each time you search.
To delete a saved query, click [ x ] to the left of the query name.
A confirmation dialog appears.
Click [ OK ] to delete the selected query.
2.4.19.5. Log fields
On the Log Analytics detail screen, you can break each log down by field and display the fields in the log fields panel.
Clicking the [ + ] button at the left of a search result displays that log's fields.
Clicking the green [ + ] button on the log field tab adds the corresponding element (field and value) to the search criteria.
For example, after searching all logs with * (asterisk), if you add the element [date 2020-09-10 18:24:45] with [+] from the log fields, date:"2020-09-10 18:24:45" is added to the search box and the search results are updated.
[ matching queries ] shows which of the saved search queries match the relevant log.
Clicking the [ load rule ] button next to a query name recalls that saved query and refreshes the displayed search results.
2.4.19.6. grouped
In grouped mode, you can check the number of logs by the items you specify.
The items you can specify are the fields shown in the log fields panel. Click the entry field to list them.
You can add multiple items, but some combinations are not allowed.
If you add an item that cannot be combined with the others, a warning message appears.
In that case, delete the last added item and choose a different combination.
You can delete items by clicking the [ × ] button.
In grouped mode, the search results show the number of logs for each value of the items you specified.
If you specify multiple fields, the first field becomes the main key, and the number of logs is counted for each combination of the main key with the remaining fields.
Even if JST is selected as the time zone in the time range section, UTC is used in simple statistics (grouped) mode.
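The two points above, the main-key counting and the UTC-only time zone in grouped mode, are easy to get wrong when comparing grouped counts against flat-mode results, so here is an added example that reproduces both over constructed sample logs. It is not the product's own code: the function names, the hypothetical virtual field `day`, and the sample records with UTC timestamps are all assumptions made for the illustration; JST being UTC+9 with no daylight saving is a fact.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

UTC = timezone.utc
JST = timezone(timedelta(hours=9))   # Japan Standard Time, no DST

# Constructed sample logs (not from the original page); "date" is in UTC.
SAMPLE_LOGS: List[Dict[str, str]] = [
    {"date": "2020-09-10 14:30:00", "type": "attack", "dst_port": "80"},    # 23:30 JST on 09-10
    {"date": "2020-09-10 15:10:00", "type": "attack", "dst_port": "443"},   # 00:10 JST on 09-11
    {"date": "2020-09-10 16:45:00", "type": "traffic", "dst_port": "22"},   # 01:45 JST on 09-11
    {"date": "2020-09-11 02:00:00", "type": "attack", "dst_port": "80"},    # 11:00 JST on 09-11
]


def parse_stamp(stamp: str, tz: timezone) -> datetime:
    """Interpret 'YYYY-MM-DD HH:MM:SS' as wall-clock time in the given zone."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)


def count_in_range(logs: List[Dict[str, str]], start: str, end: str, tz: timezone) -> int:
    """Number of logs whose UTC timestamp lies within [start, end], where the
    from/to strings are read in tz. Flat mode honours the chosen zone; grouped
    mode reads the same strings as UTC, so call it with tz=UTC for that case."""
    lo, hi = parse_stamp(start, tz), parse_stamp(end, tz)
    return sum(1 for log in logs if lo <= parse_stamp(log["date"], UTC) <= hi)


def grouped_counts(logs: List[Dict[str, str]], fields: List[str],
                   tz: timezone = UTC) -> Dict[str, Dict[Tuple[str, ...], int]]:
    """Simple statistics: the first field is the main key and each combination
    of the remaining fields is counted under it. The hypothetical virtual field
    'day' is the calendar date of the log in tz (grouped mode would use UTC)."""
    table: Dict[str, Counter] = defaultdict(Counter)
    for log in logs:
        values = []
        for field in fields:
            if field == "day":
                values.append(parse_stamp(log["date"], UTC).astimezone(tz).strftime("%Y-%m-%d"))
            else:
                values.append(log.get(field, ""))
        table[values[0]][tuple(values[1:])] += 1
    return {main: dict(sub) for main, sub in table.items()}


if __name__ == "__main__":
    rng = ("2020-09-11 00:00:00", "2020-09-11 23:59:59")
    print("flat mode, range read as JST:", count_in_range(SAMPLE_LOGS, *rng, JST))
    print("grouped mode, range read as UTC:", count_in_range(SAMPLE_LOGS, *rng, UTC))
    print("type -> dst_port counts:", grouped_counts(SAMPLE_LOGS, ["type", "dst_port"]))
```

The same from/to strings select three logs when read as JST and one when read as UTC, which is exactly the discrepancy you see when a flat-mode search in JST is re-run in grouped mode. When checking grouped counts against a flat search, either set the Timezone to UTC for both, or shift the from/to values by nine hours before switching to grouped mode.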
2.4.19.7. Download query log
You can download the search results as a CSV file by clicking [Download Query Log].
Fields to be downloaded
Click [Download Query Log] and select the fields you want to export.
In the default settings, all fields are selected. Remove the fields you do not want to download by clicking each field's [ x ] button.
Click [Reset] to clear all selections.
You can select a removed field again by clicking anywhere in the entry space.
Click [ OK ] to start the download.
The selected fields are remembered: the next time you click [Download Query Log], the screen opens with the same fields selected. For example, if you selected only [rawlog] last time, only [rawlog] will be selected the next time.
The columns in the downloaded file are arranged in the order in which the fields were selected on this screen.
Logs to be downloaded
Not all search results are downloaded: only the logs listed on the first page (flat mode) or the simple statistics results (grouped mode).
For example, if [Number of displayed lines] (result size) is set to 10 in flat mode, then even if there are 1,007 search results, only the 10 logs displayed on that page are downloaded when [Download Query Log] is clicked. To export the whole result set, set the result size large enough for all results to fit on one page (see the note on large result sizes in 2.4.19.3).
In grouped mode, only the count results by item are downloaded; no individual logs are included.
2.4.19.8. Attack log detailed information
If you subscribe to Managed WAF, you can see details such as the URL and User Agent in the [ Attack Details ] section.
Because the request for the Attack Details is sent when the [ + ] at the left end of a log line is clicked, the details take some time to display.
The contents of the Attack Details are not included in the download via [ download results ].