Analyze log, alert, and audit entries

The Log Analysis view provides various tools to analyze logs, alerts, and audit entries.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Logs.
  2. Select Analyze.

Log Analysis view

Use this view to analyze log data.

Toolbar

Stop
  Aborts the running query.
Save
  Saves a snapshot of entries.
Columns
  • Column Selection — Opens the Column selection dialog box.
  • Save Your Local Settings — Saves the current column selection as your personal settings for the selected log data type.
  • Reset to Default Settings — Discards changes to the column selection and reverts to the previously saved default settings.
Aggregate
  • Sort by Column — Sorts the log data by column type.
  • Aggregate by Service — Combines the log data by Service.
  • Aggregate by Situation — Combines the log data by Situation.
Statistics menu
  Shows the monitored data as charts. Select one of the predefined statistical items, or select Select to create a custom statistical item.
Visualizations
  • Attack Analysis — Displays information in Situations of the type Attack or Successful Attack.
  • Audit Map — Displays information about how users manipulate elements.
  • Application and Executable Usage — Shows users and the applications that they use and access. Indicates allowed and disallowed connections between users and applications.
  • Service Map — Displays access to services in the network.
Log entry table

Several menu options are available when you select a log entry and right-click it.

Whois
  Looks up the selected IP address in the online Whois database.
New Host
  Opens the Host Properties dialog box, which allows you to create a Host element using the IP address in the log entry.
Details
  Shows the Details view of the selected record.
Logs by Record
  Returns from the Log Analysis view to the Logs view.
Tools > Copy
  Copies the entry details to the clipboard.
View Rule
  Views the rule that generated the log entry (if applicable).
Add Filter: <field name>
  Adds the item and its value as a new filter row in the Query pane.
Filter: <field name>
  Opens the Filter Properties dialog box, which allows you to create a Filter element.
Query pane

Allows you to filter the records displayed in the Logs view.

Query drop-down list
  Select a Log Data Context to limit the type of log data that is displayed. To select a Log Data Context that is not in the list, select Select. To create a Log Data Context, select New.
New
  Adds a filter to the Filter list.
Save
  Saves the changes.
Time limit drop-down list
  • No Limit — All logs are queried.
  • Custom — Define a custom time period from which log entries are queried.
Open Calendar
  Select the dates for which you want to query data.
Apply
  Retains and applies your changes.
Fields pane

Category drop-down list
  • Watchlist — Allows you to create a customized list of fields to show in entries.
  • All — Allows you to view all fields in entries.
Field
  The name of the field.
Value
  The value in the field.