Log Search in EventLog Analyzer
EventLog Analyzer provides a robust search engine to help you retrieve log data during investigations. You can search the raw logs collected by the server and detect events of interest such as misconfigurations, viruses, unauthorized access, unusual logons, application errors, and more.
EventLog Analyzer provides basic and advanced search. The supported query types are wild-card, phrase, boolean, and grouped searches.
How to search: Basic and Advanced
- Go to the Search tab.
- Click Pick device and select the devices across which you want to search. Click Add. If nothing is specified in this field, log search will be carried out across all available devices.
- Select log type from the drop-down box. By default the selection is All Log Types, and the search is carried out across all log types.
- Select the period as required.
- Search Help Card is a built-in guide that lists the types of search queries you can perform in the search box. You can also watch the how-to-search tutorials.
- Use Basic search to enter your own search string or search criteria. To build complex search expressions with the interactive search builder, click Advanced.
Basic search:
- Type the field value into the Search box, or
- Type the field name and value into the Search box.
- Click Search to see the results and the result graph.
Advanced search:
- Specify field values for your search criteria.
- Click '+' to add a field. Click '⨯' to remove a field.
- Select the logical operator ('AND' or 'OR') between the fields.
- Click Add group to construct a new set of field values.
- Click Add.
Note: The result graph is displayed for a period of two weeks only.
Types of basic search queries
Using boolean operators:
You can use the following boolean operators: AND, OR, NOT.
Syntax: <field name>=<field value> <boolean> <field name>=<field value>.
Example: HOSTNAME = 192.168.117.59 AND USERNAME = guest
Using comparison operators:
You can use the following comparison operators: =, !=, >, <, >=, <=.
Syntax: <field name> <comparison operator> <field value>.
Example: HOSTNAME = 192.168.117.59
Using wild-card characters:
You can use the following wild-card characters: ? for a single character, * for multiple characters.
Syntax: <field name> = <partial field value> <wild-card character>
Example: HOSTNAME = 192.*
Using phrases:
Use double quotes ("") to specify a phrase as the field value.
Syntax: <field name> = "<partial field value>"
Example: MESSAGE = "session"
Using grouped fields:
Use round brackets () to enclose groups of search criteria and relate them to other groups or search criteria using boolean operators.
Syntax: (<search criteria group>) <boolean operator> <search criterion>
Example: (SEVERITY = debug OR FACILITY = user) AND HOSTNAME = 192.168.117.59
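To show how the query types above compose, here is a small evaluator for this search syntax. It is an added example written for this page, not EventLog Analyzer's own code, and it makes assumptions the page does not state: a quoted phrase matches as a case-insensitive substring of the field value, a bare value containing ? or * is matched against the whole field value, a bare value without wild-cards is compared for case-insensitive equality, a field that is absent from a record never matches (not even with !=), and the ordering operators compare numerically when both sides are numbers and lexicographically otherwise. AND binds tighter than OR, NOT binds tightest, and round brackets group criteria. The sample records are constructed for the example.

```python
import re

# Tokens: parens, comparison ops, a quoted phrase, a bare word (may hold ? and * wild-cards), or a stray char.
_TOKEN_RE = re.compile(r'''\s*(?:(?P<lparen>\()|(?P<rparen>\))|(?P<op>!=|>=|<=|=|>|<)
    |(?P<phrase>"[^"]*")|(?P<word>[^\s()=!<>"]+)|(?P<bad>\S))''', re.VERBOSE)

def tokenize(query):
    tokens = []
    for m in _TOKEN_RE.finditer(query):
        kind, text = m.lastgroup, m.group(m.lastgroup)
        if kind == "bad":
            raise ValueError(f"unexpected character {text!r} in query")
        if kind == "phrase":
            tokens.append(("phrase", text[1:-1]))             # drop the quotes
        elif kind == "word" and text.upper() in {"AND", "OR", "NOT"}:
            tokens.append(("kw", text.upper()))                # boolean keywords, any case
        else:
            tokens.append((kind, text))
    return tokens

def parse(tokens):
    """expr := term (OR term)*; term := factor (AND factor)*; factor := NOT factor | '(' expr ')' | FIELD OP VALUE"""
    pos = [0]
    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else (None, None)
    def take():
        tok = peek()
        pos[0] += 1
        return tok
    def expr():                       # OR has the lowest precedence
        node = term()
        while peek() == ("kw", "OR"):
            take()
            node = ("or", node, term())
        return node
    def term():                       # AND binds tighter than OR
        node = factor()
        while peek() == ("kw", "AND"):
            take()
            node = ("and", node, factor())
        return node
    def factor():
        if peek() == ("kw", "NOT"):
            take()
            return ("not", factor())
        if peek()[0] == "lparen":     # grouped criteria
            take()
            node = expr()
            if take()[0] != "rparen":
                raise ValueError("missing closing ')'")
            return node
        (kind, field), (op_kind, op), (val_kind, value) = take(), take(), take()
        if kind != "word" or op_kind != "op" or val_kind not in ("word", "phrase"):
            raise ValueError(f"malformed criterion near {field!r}")
        return ("cmp", field.upper(), op, value, val_kind == "phrase")
    node = expr()
    if peek()[0] is not None:
        raise ValueError(f"unexpected token {peek()[1]!r}")
    return node

def _match(actual, op, value, is_phrase):
    if actual is None:                       # field absent from this record: never matches
        return False
    text = str(actual)
    if op in ("=", "!="):
        if is_phrase:                        # quoted phrase: case-insensitive substring (assumed)
            hit = value.lower() in text.lower()
        elif "*" in value or "?" in value:   # wild-cards: * = any run, ? = exactly one character
            regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in value)
            hit = re.fullmatch(regex, text, re.IGNORECASE) is not None
        else:                                # plain value: case-insensitive equality
            hit = text.lower() == value.lower()
        return hit if op == "=" else not hit
    try:                                     # ordering: numeric when both sides parse as numbers
        left, right = float(text), float(value)
    except ValueError:                       # otherwise lexicographic, case-insensitive
        left, right = text.lower(), value.lower()
    return {">": left > right, "<": left < right, ">=": left >= right, "<=": left <= right}[op]

def evaluate(node, record):
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], record) and evaluate(node[2], record)
    if kind == "or":
        return evaluate(node[1], record) or evaluate(node[2], record)
    if kind == "not":
        return not evaluate(node[1], record)
    return _match(record.get(node[1]), *node[2:])     # ("cmp", FIELD, op, value, is_phrase)

def search(query, records):
    ast = parse(tokenize(query))
    return [r for r in records if evaluate(ast, r)]

# Constructed sample events standing in for parsed log records (not real data).
_FIELDS = ("HOSTNAME", "USERNAME", "SEVERITY", "FACILITY", "EVENTID", "MESSAGE")
SAMPLE_LOGS = [dict(zip(_FIELDS, row)) for row in (
    ("192.168.117.59", "guest", "info", "auth", 4624, "Logon succeeded"),
    ("192.168.117.59", "admin", "debug", "user", 4672, "Privileges assigned to new logon session"),
    ("10.0.0.7", "guest", "error", "daemon", 1000, "Application fault: app.exe"),
    ("192.168.1.20", "svc_backup", "info", "user", 4625, "Logon failed; session terminated"),
)]
```

Running the page's own examples against the sample records, `search('HOSTNAME = 192.168.117.59 AND USERNAME = guest', SAMPLE_LOGS)` returns only the first record, `HOSTNAME = 192.*` returns the three 192.x hosts, `MESSAGE = "session"` returns the two records whose message contains that phrase, and the grouped example returns only the debug event from 192.168.117.59, because the record with FACILITY = user on 192.168.1.20 fails the host criterion outside the group. A malformed query such as an operator followed by an opening bracket raises ValueError rather than silently matching nothing, which is the behaviour you want from anything that drives an investigation.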
Elasticsearch - Unarchive status
Logs stored in EventLog Analyzer's Elasticsearch have a customizable retention period, and all logs older than this period are deleted. There is also an archive period, beyond which logs are archived and stored as a zip file. This is done to improve memory utilization.
For example, if the archive period is set to 30 days and the retention period to 90 days, logs less than 30 days old are available for searching directly, and logs older than 30 days but less than 90 days old are archived.
To search for logs beyond the archive period (30 days in this case), the archived logs must be unarchived before they become available for searching. This takes some time depending on the log size; the log data becomes available as each zip file is unarchived.
- When logs beyond the archive period are searched, a prompt is displayed showing the free space, the expected unarchive size, and the number of zip files, and asks whether you want to proceed with unarchiving or cancel and return to the normal search.
- This unarchiving flow is the same for the other tabs of EventLog Analyzer such as Dashboard, Reports, Compliance, Correlation, and Alerts.
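The following added example models the three bands a search window can fall into (live, archived, deleted) and works out the figures the prompt above shows: which zip files a search over a given time range needs, their expected unarchive size, and whether the free space covers it. It is illustrative code written for this page, not EventLog Analyzer's implementation. The archive index, file names, date ranges and the `unpacked_bytes` field (space a zip occupies once unarchived) are constructed assumptions; the product's own archive metadata is not described on the page.

```python
from datetime import datetime, timedelta

def retention_bands(now, archive_days, retention_days):
    """Return (archive_cutoff, retention_cutoff). Logs newer than archive_cutoff are
    searched directly, logs between the two cutoffs sit in zip archives, and logs
    older than retention_cutoff have been deleted and cannot be brought back."""
    if not 0 < archive_days <= retention_days:
        raise ValueError("archive period must be positive and must not exceed the retention period")
    return now - timedelta(days=archive_days), now - timedelta(days=retention_days)

def plan_unarchive(start, end, now, archive_days, retention_days, archives, free_bytes):
    """Work out what a search over the window [start, end) needs before it can run.
    `archives` is a list of dicts with 'file', 'start', 'end' (datetimes, half-open)
    and 'unpacked_bytes' (assumed field: space the zip takes once unarchived)."""
    archive_cutoff, retention_cutoff = retention_bands(now, archive_days, retention_days)
    # The part of the window that lies in the archive band, clamped so that data
    # already removed by the retention policy is never requested.
    lo, hi = max(start, retention_cutoff), min(end, archive_cutoff)
    needed = [a for a in archives if lo < hi and a["start"] < hi and a["end"] > lo]
    expected = sum(a["unpacked_bytes"] for a in needed)
    return {
        "live_searchable": end > archive_cutoff,        # part of the window needs no unarchiving
        "beyond_retention": start < retention_cutoff,   # part of the window is already deleted
        "zip_files": [a["file"] for a in needed],
        "zip_count": len(needed),
        "expected_unarchive_bytes": expected,
        "free_bytes": free_bytes,
        "enough_space": expected <= free_bytes,
    }

# Constructed archive index: file names, date ranges and sizes are invented for the example.
SAMPLE_ARCHIVES = [
    {"file": "archive_2024-03.zip", "start": datetime(2024, 3, 1), "end": datetime(2024, 4, 1),
     "unpacked_bytes": 3_000_000_000},
    {"file": "archive_2024-04.zip", "start": datetime(2024, 4, 1), "end": datetime(2024, 5, 1),
     "unpacked_bytes": 3_500_000_000},
    {"file": "archive_2024-05.zip", "start": datetime(2024, 5, 1), "end": datetime(2024, 6, 1),
     "unpacked_bytes": 4_200_000_000},
]
```

With the page's 30-day archive and 90-day retention periods and a search run on 30 June 2024 over 15 March to 30 June, the April and May zips are needed (7.7 GB unpacked), the most recent 30 days are searched directly, and the portion of the window before 1 April is flagged as beyond retention: the March zip is skipped even though it is still listed in the index, because the page says such logs have been deleted and an investigation plan should not count on them.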