
Working With Search

Search Overview - Part 1: How to build a search and utilise it in a dashboard


Working with Logs

Events such as device activity, source activity and user actions are collected and stored in the audit_logs and incident_logs tables for later analysis.

audit_logs

Under the [SEARCHES] tab, select the audit_logs table to begin building your search against this data.

The following provides an example list of events captured:

  • Device state, e.g. offline, online.
  • Device events, e.g. start_feed, stopAll_feed, recorded against the source and table.
  • [DEVICE] > [REMOTE SHELL]: commands run against a device, and by whom.
  • Device configuration changes and updates.
  • Tunnel events, e.g. open, start.

Access

Access to view this data depends on the workgroup and your role within that workgroup:

  • User role(s) of type: owner

Building your search - resolved data vs raw data

Search fields contain a mixture of resolved data and raw data. Where the data for a particular field is resolved, the values you can search against are offered as a pre-defined list in a dropdown, e.g.:

Fields containing resolved data:

  • [user_id] resolves to a list of user names within the current workgroup.
  • Only exact values from that list can be used with the LIKE, IN and NOT IN operators.

Fields containing raw data:

  • [action] has a potentially unbounded set of values, so no resolved list is offered for selection.
  • Exact matches are not required for the LIKE, IN and NOT IN operators, so wildcards can be used.
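The example below is added here to show the two matching rules side by side; it is not the product's own code. It builds the audit_logs filters the way this article describes, using an in-memory SQLite table with constructed rows and an assumed column layout (ts, user_id, device, action, detail), so the table schema and sample values are illustrative only.

```python
import sqlite3

# Constructed sample rows modelled on the event types listed in this article
# (feed events, device state, remote shell commands). Column names are an
# assumption, not the product's actual audit_logs schema.
SAMPLE_AUDIT_LOGS = [
    ("2024-01-01T10:00:00", "alice", "dev-01", "remote_shell", "uptime"),
    ("2024-01-01T10:05:00", "bob",   "dev-02", "start_feed",   "camera"),
    ("2024-01-01T10:07:00", "bob",   "dev-02", "stopAll_feed", "camera"),
    ("2024-01-01T10:09:00", "carol", "dev-03", "offline",      ""),
    ("2024-01-01T10:12:00", "alice", "dev-03", "remote_shell", "reboot"),
]

def load_sample_db() -> sqlite3.Connection:
    """Create an in-memory audit_logs table filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit_logs (ts TEXT, user_id TEXT, device TEXT, action TEXT, detail TEXT)")
    conn.executemany("INSERT INTO audit_logs VALUES (?, ?, ?, ?, ?)", SAMPLE_AUDIT_LOGS)
    return conn

def search_audit_logs(conn, user_ids=None, action_pattern=None, exclude_actions=None):
    """Assemble the WHERE clause following the article's rules:
    - user_id is a resolved field: only exact names from the dropdown are
      meaningful, so it is filtered with IN against literal values.
    - action is a raw field: LIKE with SQL wildcards (% any run, _ one char)
      is allowed, e.g. '%_feed' matches both start_feed and stopAll_feed.
    All values are bound parameters so a filter value cannot alter the query."""
    clauses, params = [], []
    if user_ids:
        clauses.append("user_id IN (%s)" % ",".join("?" * len(user_ids)))
        params.extend(user_ids)
    if action_pattern:
        clauses.append("action LIKE ?")
        params.append(action_pattern)
    if exclude_actions:
        clauses.append("action NOT IN (%s)" % ",".join("?" * len(exclude_actions)))
        params.extend(exclude_actions)
    where = (" WHERE " + " AND ".join(clauses)) if clauses else ""
    sql = "SELECT ts, user_id, device, action, detail FROM audit_logs" + where + " ORDER BY ts"
    return conn.execute(sql, params).fetchall()

if __name__ == "__main__":
    db = load_sample_db()
    # Who ran remote shell commands, and on which devices?
    for row in search_audit_logs(db, action_pattern="remote_shell"):
        print(row)
```

Note that `_` is itself a LIKE wildcard, so a pattern such as `start_feed` also matches `startXfeed`; escape it when an exact underscore is intended.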


incident_logs

Incident logs capture events raised by alerts that have already been created under the [ALERTS] tab. What is logged, and how much, is limited only by the definition and number of the alerts you create.

Access

  • User role(s) of type: owner, admin, power, standard, read-only

Building your search - resolved data vs raw data

The same resolved-versus-raw rules that apply to audit_logs apply to searches against the incident_logs table; refer to the audit_logs section above.
