EventLog Analyzer provided a dedicated section for 'Search' (Click the 'Search' tab in the GUI), where you can search the raw logs and detect network anomalies like mis-configurations, viruses, unauthorized access, applications errors, etc.
The procedure to search th logs is given below:
Searching a specific Host(s), Host Group(s) or Log Type(s)
To narrow down the search to a specific host(s) or group of hosts, type in the host name(s) or group(s) name in the text box provided or else use the 'Pick Host' link to select the host(s) or host group(s). You can also narrow down the search to the type of log (example: Windows Event Log, Syslog, Oracle Logs), by selecting it from the Log Types list.
By default (if the host name(s) or group(s) name are not provided, and 'All Log Types' option remains unchanged), you can search across all hosts and all log types.
Types of Search
EventLog Analyzer supports both 'Basic' and 'Advanced' search. You can perform Wild-card search, Phrase search, Boolean search, Grouped search, and Range search
If you want to write your own expression (search criteria) and search the logs for existing field value(s), use the 'Basic' search link. In this option, you have to type in the search criteria.
Search for field values
Type the field value directly in to the Search box.
Search with fields
Type the field name and value directly in to the Search box. The expression for field name and value pair is <field name> = <field value>
Example: EVENTID = 7036
Use boolean operators to search
The expression with boolean operator is <field name> = <field value> <boolean> <field name> = <field value>. You can use the following boolean operators: AND, OR, NOT.
Example: HOSTNAME = 192.168.117.59 AND USERNAME = guest
Use comparison operators to search
The expression with comparison operator is <field name> <comparison operator> <field value>. You can use the following comparison operators: =, !=, >, <, >=, <=.
Example: HOSTNAME != 192.168.117.59
Use wild-card characters to search
The expression with wild-card character is <field name> = <partial field value> <wild-card character>. You can use the following wild-card characters: ? for single character, * for multiple characters.
Example: HOSTNAME = 192.*
Use phrase to search
The expression with phrase is <field name> = <"partial field value">. Use double quotes ("") to define phrase in the field value.
Example: MESSAGE = "session"
Use range to search
The expression to search for a range of values is <field name> = field values [<from> TO <to>]. Use square brackets '' to define 'from' TO 'to' range of field values.
Example: USERNAME = [k To z]
Use grouped fields to search
The expression to search with grouped fields is (<field name> = <field value> <logical operator>.<field name> = <field value>) <logical operator>.<field name> = <field value>. Relate the field value pairs logically and group them using brackets '()' and relate the grouped fields logically.
Example: (SEVERITY = debug or information) and HOSTNAME = 192.168.117.59
To build complex search expressions with the aid of a search builder, use the Advanced link.
Set criteria to search
You can have one or more fields in a group and one or more groups to specify criteria filters for search. The fields in a group are related using Boolean operator and the groups are also related in the same way.
If you have defined the criteria, click 'Apply' button. The search criteria expression appears in the text box. Click 'Go' button to preview the search results. It is displayed in a graph and the entries are listed below.
Clear the search
'Clear Search' clears the search query.
Save the search
If you are satisfied with the preview of the search result, you can save the search query by clicking 'Save Search' and the corresponding search result as a report profile.