
Create a SecondLook Restore

To complete the SecondLook Wizard in any LogRhythm deployment that uses multiple systems in a workgroup (i.e., systems that are not joined to a domain), the user must run the Client Console as an administrator, or run it as a non-administrator who is a member of a security group. The security group must have read/write access to the Client Console logs and to the active/inactive archives. To run the Client Console as an administrator, close the Client Console, right-click LogRhythm Client Console on the menu, and click Run as administrator. Failure to do so can cause errors during the archive restoration.
Before restoring archived logs, ensure that a restore Data Processor has been configured.

To create a new restoration with SecondLook

  1. Log in to the Client Console as an administrator or a user with access to SecondLook.
  2. On the Tools menu, click Search, and then click SecondLook Wizard.
    The SecondLook Wizard appears.
  3. Select Configure New SecondLook, and then click Next.
  4. Configure the following:
    • Date range. Time values are in local time.
    • Data masking. Two options are available for data masking:
      • If you select the Disable Data Masking for restore check box, analysts can review all restored data for further investigation and analysis. You cannot choose which masking rules in the deployment apply and which do not. Data masking remains in place for all data outside this specific SecondLook restore.
      • If you select the Enable MPE Timeout check box, logs that hit the MPE timeout are handled during the retrieval process, so SecondLook produces its result without hanging the Wizard.
    • Log Sources. The specific Log Sources to be restored.
  5. Click Next.
    The Log Source Review screen appears.
  6. Review the logs to restore.

    If your SecondLook restore involves a large number of logs, or you do not want to review them, you can modify your LogRhythm configuration file. In C:\Program Files\LogRhythm\LogRhythmConsole, open the configuration file for lrconsole.exe. In the <appSettings> section, add <add key="SecondLookSkipReview" value="true"/> to skip the Log Source Review screen and get better SecondLook performance.

  7. In the Log Source Review section you can select another Log Processing Policy if you want to process the logs differently from the current policy settings (custom policies can be created). For more information, see Log Processing Policies. To change the policy:
    1. Select the Action check box for the log sources on which you want to apply a different policy.
    2. Right-click the grid, click Action, and then click Change Log Processing Policy.
    3. Select the policy to use for processing logs, and then click OK.
  8. Click Next and select the Include and Exclude filters.
    For both Include and Exclude filters, multiple filters can be specified:
    • If more than one Exclude filter is specified and the log matches any single filter, the log is excluded.
    • If more than one Include filter is specified and the log matches any single filter, the log is included.
    • Each individual filter and the fields filtered on are listed in the grid.

    SecondLook filtering is similar to Work with Filters in Investigations, but there are some differences as listed below.

    • Include Filters. These filters identify log messages that SHOULD be restored. Only log messages that match one of the include filters and that don't match an exclude filter are restored. If no filters are specified, all log messages not matching an exclude filter are restored.
    • Exclude Filters. These filters identify log messages that SHOULD NOT be restored. Log messages that match any of the exclude filters are not restored. If no filters are specified, only logs matching include filters are restored. If no exclude or include filters are specified all log messages are restored.
    • Field Filter Values. When creating field filters, you can use the same Boolean expressions as with search criteria, and regular expression pattern matching is available for text-based fields. When creating criteria for a text-based field, the following options are available:
      • Specifying whether the criteria is a regular expression.
      • Indicating whether case should be evaluated or ignored as part of the regular expression.
  9. When you are finished with filters, click Next.
  10. Specify the log repository and recovery settings.
    1. Select the repositories where logs should be restored. If you want to include live repositories as potential destinations, select the Include Live Repositories check box.

      It is recommended that Archives only be restored into Data Processors that are in the Online Archive Operating Mode, and that are not used for active log collection.
    2. Specify the following recovery settings:
      • Maximum Log Messages to Recover
      • Data Processor insert timeout
      • Perform Content Scan
      • Warn but Restore
      • Continue on Log Insert Error
    3. When finished, click Next to proceed.
  11. Specify Search Paths.
    1. Specify the paths to the directories where the archive files are stored.
      1. Click Add.
        • If the files are located on the local machine, browse to their location.
        • If the files are located on a network share, type or paste the UNC path to the share (for example, \\fileshare\archives) into the Network Share field and click Refresh.
      2. Browse to the directory of the files to be restored, select the correct directory, and then click OK.
    2. If the directory specified should be automatically selected the next time a restoration is run, click the Update Defaults button, which saves the location as a default and displays it in this page the next time a restoration is run.
    3. Select the check box for each search path you want to use.
    4. Click any search path to modify the search depth at the bottom of the page. Search depth is the number of sub-folder levels to search for archive files.
    5. Click Next.
    The Save SecondLook Configuration page appears.
  12. If you want to save the current SecondLook configuration, type a name and description, set access permissions, and then click Save.

    If you are modifying a saved SecondLook and want to save under a new name, modify the name and click Save As.
  13. When you are ready to run SecondLook, click Next or Start.
    The confirmation message appears.
  14. To start the restore process, click OK.
    The restoration begins and the SecondLook Monitor shows progress.
    After the restore process completes, you are prompted to view the restored logs.
  15. Click Yes to view the logs, or click No to return to the SecondLook Monitor.
    When the restore is complete, matching logs are available in the designated repository and can be queried using the Investigator. The log produced on the Monitor can be saved to a text file with a .LOG extension. Click Save Log in the upper right corner and select a location to save the file, naming it as appropriate.

    For troubleshooting purposes, the Client Console's log file and SecondLook restore parsing log (scmpe.log) are located in the LogRhythm\logs directory within the user's Windows Roaming Profile directory.

    The SecondLook parsing log contains the following details related to the restoration:

    Parameter                Definition
    MPE_LPS                  The rate at which the MPE processed logs (logs per second).
    MPE_ProcTime             The total amount of time the MPE spent actively processing logs (seconds).
    MPE_LogsProcessed        The total number of logs that the MPE processed.
    Rest_LPS                 The average processing rate for logs that were restored, which are those that matched the restore filters.
    Rest_ProcTime            The total amount of time the restoration has spent processing data, including all processing stages. This can be compared to MPE_ProcTime to ensure that the MPE is constantly processing data and does not have significant idle time.
    Rest_LogsProcessed       The total number of logs processed by the restoration. Some logs processed by the restoration are not processed by the MPE because of the time filter.
    FileCopyBytes/Second     The data transfer rate achieved when copying files from the archive store to local temp storage (bytes per second).
    DecompressBytes/Second   The rate at which files are decompressed after being copied (bytes per second).
    FileReadLPS              The rate at which log messages are read from the file (logs per second).
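The include/exclude rule from step 8 (any exclude match drops a log; with include filters present, a log must match at least one of them), written out as an added example. This is not LogRhythm code; the field names, the regex and case-sensitivity options, and the sample logs are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class FieldFilter:
    """One include or exclude field filter, as configured in step 8 (hypothetical model)."""
    field: str
    value: str
    is_regex: bool = False      # "criteria is a regular expression"
    ignore_case: bool = False   # "case should be evaluated or ignored"

    def matches(self, log: dict) -> bool:
        text = log.get(self.field)
        if text is None:
            return False
        if self.is_regex:
            flags = re.IGNORECASE if self.ignore_case else 0
            return re.search(self.value, text, flags) is not None
        if self.ignore_case:
            return text.lower() == self.value.lower()
        return text == self.value


def should_restore(log: dict, include: list, exclude: list) -> bool:
    """A log is restored only if it matches no exclude filter and, when
    include filters exist, matches at least one of them."""
    if any(f.matches(log) for f in exclude):
        return False            # any single exclude match drops the log
    if not include:
        return True             # no include filters: everything not excluded is restored
    return any(f.matches(log) for f in include)


def restore_ids(logs: list, include: list, exclude: list) -> list:
    return [log["id"] for log in logs if should_restore(log, include, exclude)]


# Constructed sample archive logs (not real LogRhythm data).
LOGS = [
    {"id": 1, "host": "web01", "msg": "failed password for root"},
    {"id": 2, "host": "web02", "msg": "Accepted password for alice"},
    {"id": 3, "host": "db01", "msg": "FAILED PASSWORD for admin"},
    {"id": 4, "host": "db01", "msg": "session opened for user bob"},
]
INCLUDE = [FieldFilter("msg", r"failed password", is_regex=True, ignore_case=True),
           FieldFilter("host", "web02")]
EXCLUDE = [FieldFilter("msg", r"session opened", is_regex=True)]

if __name__ == "__main__":
    print(restore_ids(LOGS, INCLUDE, EXCLUDE))
```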
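An added example of reading the parameters above out of the SecondLook parsing log and applying the two checks the table describes (MPE idle time from Rest_ProcTime versus MPE_ProcTime, and logs the time filter kept away from the MPE). This is not LogRhythm code: the page does not show the scmpe.log layout, so a "Name=Value" line format, the sample values and the 25% idle threshold are all assumptions.

```python
import re

# Constructed sample of restore-statistics lines; the real scmpe.log layout is not
# shown on the documentation page, so a simple "Name=Value" format is assumed.
SAMPLE_SCMPE_LOG = """\
2024-01-01 10:00:00 SecondLook restore finished
MPE_LPS=1250.5
MPE_ProcTime=400
MPE_LogsProcessed=500200
Rest_LPS=870.9
Rest_ProcTime=620
Rest_LogsProcessed=540000
FileCopyBytes/Second=52428800
DecompressBytes/Second=104857600
FileReadLPS=900.0
"""

STAT_KEYS = {"MPE_LPS", "MPE_ProcTime", "MPE_LogsProcessed", "Rest_LPS", "Rest_ProcTime",
             "Rest_LogsProcessed", "FileCopyBytes/Second", "DecompressBytes/Second", "FileReadLPS"}
STAT_LINE = re.compile(r"^\s*([A-Za-z_/]+)\s*=\s*([0-9]+(?:\.[0-9]+)?)\s*$")


def parse_restore_stats(text: str) -> dict:
    """Pick the documented parameters out of the parsing log; other lines are ignored."""
    stats = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line)
        if m and m.group(1) in STAT_KEYS:
            stats[m.group(1)] = float(m.group(2))
    return stats


def assess_restore(stats: dict, idle_threshold: float = 0.25) -> dict:
    """MPE idle time is the gap between Rest_ProcTime and MPE_ProcTime; logs handled by
    the restoration but not by the MPE were removed by the time filter.
    The idle_threshold of 0.25 is an assumed value, not one from the documentation."""
    rest_time = stats["Rest_ProcTime"]
    idle_seconds = rest_time - stats["MPE_ProcTime"]
    idle_fraction = idle_seconds / rest_time if rest_time else 0.0
    return {
        "idle_seconds": idle_seconds,
        "idle_fraction": idle_fraction,
        "mpe_idle_warning": idle_fraction > idle_threshold,
        "logs_skipped_by_time_filter": stats["Rest_LogsProcessed"] - stats["MPE_LogsProcessed"],
    }


if __name__ == "__main__":
    print(assess_restore(parse_restore_stats(SAMPLE_SCMPE_LOG)))
```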