The Search feature includes a wide range of filter and group selections along with Boolean logic for targeting specific data sets. Search results are displayed on the Analyze page, where you can view the queried information in charts and graphs.

The tail option in search allows you to set up real-time queries that show whether logs or events matching a query are actively being generated and entering the system.

When searching by keyword, the term you enter needs to be an exact match with the item you are searching for. For example, if you wanted to search for "Global Admin" users, you would need to type Global Admin into the Search field. To run searches for all items containing a particular term, you need to include the prefix sql: and insert wildcard symbols (%) as appropriate. For example, if you wanted to run a keyword search for all users with "admin" somewhere in their titles, you would type sql:%admin% into the Search field.

When searching the Log Message field, sql: and % are not required.
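The three matching rules above (exact match by default, sql: with % wildcards, and plain substring for Log Message) can be hard to keep straight when building saved searches. The helper below is an added illustration, not code from the LogRhythm product, and it assumes case-insensitive comparison (as SQL LIKE behaves under a case-insensitive collation; the page does not say either way). The sample titles are constructed.

```python
import re

# Constructed sample values; not data from the original page.
SAMPLE_TITLES = ["Global Admin", "Domain Admin", "Helpdesk Administrator", "Auditor"]


def sql_like_to_regex(pattern: str) -> re.Pattern:
    """Translate the pattern after a sql: prefix into an anchored regex.

    Only the % wildcard described on the page is handled; every other
    character is escaped and matched literally.
    """
    parts = [re.escape(p) for p in pattern.split("%")]
    return re.compile("^" + ".*".join(parts) + "$", re.DOTALL | re.IGNORECASE)


def term_matches(field: str, term: str, value: str) -> bool:
    """Apply the page's keyword-search rules to one stored value.

    - Log Message: plain substring match; neither sql: nor % is needed.
    - sql:<pattern>: % is a wildcard, everything else is literal.
    - anything else: the term must equal the stored value exactly, so a
      bare '%admin%' without the prefix is looked up as that literal string.
    Assumption: comparisons are case-insensitive.
    """
    if field == "Log Message":
        return term.casefold() in value.casefold()
    if term.startswith("sql:"):
        return sql_like_to_regex(term[len("sql:"):]).fullmatch(value) is not None
    return term.casefold() == value.casefold()


def search(field: str, term: str, values=SAMPLE_TITLES) -> list:
    """Return the values the term would select for the given field."""
    return [v for v in values if term_matches(field, term, v)]


if __name__ == "__main__":
    print(search("User", "Global Admin"))     # exact match only
    print(search("User", "admin"))            # exact match: nothing
    print(search("User", "sql:%admin%"))      # wildcard: three hits
    print(search("User", "%admin%"))          # no prefix: literal, nothing
```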

The only required parameter for running a search is a time frame for your results.

Note that in deployments utilizing multiple Web Consoles, users can only access search or drill down results on the Web Console server from which the search or drill down originated. For example, if you perform a search on Web Console A and then log in to Web Console B, the search initiated on server A will not be available to you.

Search Filters

The following table describes the search filters available from the Search lists. 

Search Filter

Description

Account by Active Directory Group

The accounts with an Active Directory Group that are the recipients of the action.

Address

The email address involved in the activity, either the sender or recipient. In the Search Term field, type a full email address (for example, name@company.com).

Command

The name of an executed command within the metadata (for example: login, get, or put).

Common Event

A short, plain-language description of the log that determines its classification.

When you select Common Event, the Search Term field becomes a typeahead field. For example, if you type "audit," a list opens with all Common Events that match "audit." You can then select an item from the list.

Domain

Windows or DNS domain either referenced by a log or impacted by log activity.

Group

User group or role referenced or impacted by the log activity. This group is typically an Active Directory group name or other type of logical container.

Host List (Impacted)

Host List (Origin or Impacted)

Host List (Origin)

The host involved in the log activity, which may include the IP address, host name, or Ethernet address:

  • Host (Impacted) is the destination.
  • Host (Origin) is the source.

With Host filters, you can attain results for a Host List, IP Address List, or IP Range List as follows:

  • Host List. Begin typing the name of a Host List in the Search field to display the available lists containing matching characters. Search results are based on the contents of the Host List that you select from the list.
  • IP Address List or IP Range List. Type an IP Address or IP Range List name in the Search field. Search results are based on the contents of the IP Address List or the IP Range List that you select from the list.

To run a Host List search, you need to select from the host lists that have already been created in the Client Console. You cannot create new host lists on the Web Console, and you cannot type free text or non-lists as search criteria for the Host List filter.

Hostname (Impacted)

Hostname (Origin or Impacted)

Hostname (Origin)

The name of the host involved in the log activity (for example, a DNS name or a Netbios name):

  • Hostname (Impacted) is the destination.
  • Hostname (Origin) is the source.

Interface (Impacted)

Interface (Origin or Impacted)

Interface (Origin)

The interface number of a device or physical port number of a switch:

  • Interface (Impacted) is the destination interface.
  • Interface (Origin) is the source interface.

IP Address (Impacted)

IP Address (Origin or Impacted)

IP Address (Origin)

The IP addresses for the log activity:

  • IP Address (Impacted) is the destination address.
  • IP Address (Origin) is the source address.

Known Application

Known application or service, such as HTTP, POP3, or Telnet. An application is "known" if LogRhythm Enterprise can match the protocol number from the log to a service name in the Events Database.

Known Host (Impacted)

Known Host (Origin or Impacted)

Known Host (Origin)

The host record associated with a specific Entity:

  • Known Host (Origin) is the source of the log activity.
  • Known Host (Impacted) is the destination of the log activity.

When you select one of the Known Host fields, the Search Term field becomes a typeahead field.

Location (Impacted)

Location (Origin or Impacted)

Location (Origin)

The geographic area involved in the log activity:

  • Location (Origin) is the source area.
  • Location (Impacted) is the destination area.

When you select one of the Location fields, the Search Term field becomes a typeahead field.

The Location values are derived from the LogRhythm Enterprise GeoLocation feature.

Log Source Entity

A logical collection of unique networks, devices, and systems.

When you select Log Source Entity, the Search Term field becomes a typeahead field.

Log Source Root Entity

The parent for a logical collection (Log Source Entity).

When you select Log Source Root Entity, the Search Term field becomes a typeahead field.

Log Source Type

Type of facility or source where the log originated.

When you select Log Source Type, the Search Term field becomes a typeahead field. For example, if you type "sys," a list opens with all log source types that match "sys." You can then select an item from the list.

MAC Address (Impacted)

MAC Address (Origin or Impacted)

MAC Address (Origin)

The MAC address involved in the log message:

  • MAC Address (Origin) is the source.
  • MAC Address (Impacted) is the destination.

When searching for MAC addresses, you must separate character strings using a colon (:) or a hyphen (-). For example:
AX:4T:77:98:KD:F6:L0
or
AX-4T-77-98-KD-F6-L0

MPE Rule Name

Message Processing Engine (MPE) rule, which identifies and normalizes log messages and then assigns them to a Log Type (Common Event).

When you select MPE Rule Name, the Search Term field becomes a typeahead field.

NAT IP Address (Impacted)

NAT IP Address (Origin or Impacted)

NAT IP Address (Origin)

The IP address that was translated via NAT device logs:

  • NAT IP Address (Origin) is the source.
  • NAT IP Address (Impacted) is the destination.

NAT TCP/UDP Port (Impacted)

NAT TCP/UDP Port (Origin or Impacted)

NAT TCP/UDP Port (Origin)

The TCP/UDP port that was translated via NAT device logs:

  • NAT TCP/UDP Port (Origin) is the source.
  • NAT TCP/UDP Port (Impacted) is the destination.

Network (Impacted)

Network (Impacted or Origin)

Network (Origin)

Network involved in the log activity:

  • Network (Origin) is the source network.
  • Network (Impacted) is the destination network.

When you select one of the Network fields, the Search Term field becomes a typeahead field.

Object

Object Name

Resource that is referenced or impacted by the log activity. An "object" can include a file, file path, registry key, etc.

The Object field contains the full path and name, but Object Name stores only the object name.

Origin Login by Active Directory Group

The users within an Active Directory group that are the source of the log activity.

When you select Origin Login by Active Directory Group, the Search Term field becomes a typeahead field.

Port

The port involved in the activity.

The Search Term field requires an exact value for a specific port, such as 80 or 8080.

Process ID

The ID associated with a process.

Process Name

Name or value that identifies a process (for example, "inetd" or "sshd").

Protocol

Network protocol applicable to the log message.

When you select Protocol, the Search Term field becomes a typeahead field.

Recipient

Email address or VOIP caller number. For non-email logs, this field could represent the user who received a form of information.

Sender

Email originator or VOIP caller number. For non-email logs, this field could represent the user who sent a form of information.

Session

The user, system, or application session.

Severity

A value indicating the severity of the log.

Subject

Email subject line. For non-email logs, this field could represent the subject in some form of communicated information.

TCP/UDP Port (Impacted)

TCP/UDP Port (Origin or Impacted)

TCP/UDP Port (Origin)

The TCP or UDP port number:

  • TCP/UDP Port (Origin) is the source.
  • TCP/UDP Port (Impacted) is the destination.

URL

URL referenced or impacted by the log activity.

User (Impacted)

The user account that is the recipient of the action (for example, a password reset on a user account).

When you select the User (Impacted) filter, you can get results for either an Active Directory Group or a user name string, as follows:

  • Active Directory Group. As you begin typing characters in the Search Term field, it displays a list of all Active Directory Group names that match those characters. If you select a group from the displayed list or if the text you typed matches an Active Directory Group name, results appear for the Active Directory Group.
  • User name string. Type the user name in the Search Term field. If the text you type does not match an Active Directory Group name, results appear for the corresponding user field (Login or Account, or both).

User (Login or Account)

The user login or account that is the source of the log activity.

When you select the User (Login or Account) filter, you can get results for either an Active Directory Group or a user name string, as follows:

  • Active Directory Group. As you begin typing characters in the Search Term field, it displays a list of all Active Directory Group names that match those characters. If you select a group from the displayed list or if the text you typed matches an Active Directory Group name, results appear for the Active Directory Group.
  • User name string. Type the user name in the Search Term field. If the text you type does not match an Active Directory Group name, results appear for the corresponding user field (Login or Account, or both).

User (Origin)

The user login that is the source of the log activity.

When you select the User (Origin) filter, you can get results for either an Active Directory Group or a user name string, as follows:

  • Active Directory Group. As you begin typing characters in the Search Term field, it displays a list of all Active Directory Group names that match those characters. If you select a group from the displayed list or if the text you typed matches an Active Directory Group name, results appear for the Active Directory Group.
  • User name string. Enter the user name in the Search Term field. If the text you enter does not match an Active Directory Group name, results appear for the corresponding user field (Login or Account, or both).

User by Active Directory Group

The user login within an Active Directory group that is the source of the log activity.

When you select User by Active Directory Group, the Search Term field becomes a typeahead field.

Vendor Message ID

Unique vendor-assigned value that identifies the log message.

Version

A value that represents a version (OS version, patch version, doc version, etc.).

Event Classifications

Event classifications are log messages that are grouped into logical containers, which helps organize vast amounts of log data. You can view classifications in the Web Console data charts and also select them from the Search tool.

The following table describes the Event classifications.

Classification

Description

Access Failure

Failed read, write, or execute access on files, programs, and other relevant objects.

Access Granted

Activity related to granting of access rights and privileges.

Access Revoked

Activity related to revocation of access rights and privileges.

Access Success

Successful read, write, or execute access on files, programs, and other relevant objects.

Account Created

Activity related to user or system/computer account creation.

Account Deleted

Activity related to user or system/computer account deletion.

Account Modified

The modification of a user or group outside granting/revoking access. No group level or access level changes.

Activity

General system or network activity.

Attack

Activity that indicates a system or network attack, where it is either assumed to have been successful or cannot be assumed to have failed.

Authentication Failure

Failed user and system authentication activity, due to bad credentials or unauthorized attempt (user not allowed to log in).

Authentication Success

Successful user and system authentication activity, including a user or system gaining access through any method of authentication.

Compromise

Successful system or network compromise.

These types of logs are seen more on Host Intrusion Detection Systems (HIDS) than on network-based detection mechanisms.

Configuration

Activity pertaining to the state or configuration of a system where it is not related to a Policy.

Critical

Logs reporting critical conditions.

Denial of Service

Activity that indicates a Denial of Service attack, where it is assumed to have succeeded or cannot be assumed to have failed.

Error

Logs reporting error conditions.

Failed Activity

General system or network activity that was not successful, possibly due to preventative measures.

Failed Attack

Attack activity that was not successful, possibly due to preventative measures.

Failed Denial of Service

Denial of Service activity that was not successful, possibly due to preventative measures.

Failed Malware

Malware activity that was not successful, possibly due to preventative measures.

Failed Misuse

Activity that indicates a system or network misuse that was not successful, possibly due to preventative measures.

Failed Suspicious

Suspicious activity that was not successful, possibly due to preventative measures.

Information

Logs reporting general information.

Malware

Activity that indicates malware installation, propagation, or use.

Misuse

Activity that indicates system or network misuse.

Network Allow

Network activity that was allowed per a device policy.

Network Deny

Network activity that was not allowed per a device policy.

Network Traffic

Network traffic activity such as flows, connections, and usage statistics.

Other

Operations activity not otherwise classifiable.

Other Audit

Audited activity not otherwise classifiable.

Other Audit Failure

Failed audited activity not otherwise classifiable.

Other Audit Success

Successful audited activity not otherwise classifiable.

Other Security

Security activity not otherwise classifiable.

Policy

Activity pertaining to the policy of a network, system, device, or other relevant object. Includes configuration changes related to a Policy.

Reconnaissance

Activity that indicates system or network reconnaissance.

Startup and Shutdown

Activity pertaining to the starting and stopping of a system, device, application, or other relevant object.

Suspicious

Activity that is suspicious, but not known to be an attack or unauthorized.

Vulnerability

Logs reporting vulnerabilities.

Warning

Logs reporting warnings.