Quick Search Toolbar
The Quick Search toolbar provides an easy way to perform common analysis tasks. By default, the toolbar is located at the bottom of the Client Console window. It includes the following capabilities:
- Quick lookup of the events comprising an individual alarm based on ID.
- Quick lookup of an event based on ID.
- Quick search based on user activity.
- Quick search of host activity.
- Quick search of email address activity.
You can Run Correlate with the Quick Search toolbar to narrow the results from Tail, Investigation, or Personal Dashboard searches.
Search Details
The Quick Search toolbar performs a search based on the Search For options you select. The following is a list of those options with additional information where appropriate.
- Alarm. A record indicating that an alarm rule has been triggered by an event. Enter the ID of the Alarm you are searching for.
- Classification. LogRhythm uses classifications to group similar log messages into logical containers. These classifications give organizations a way to organize vast amounts of log data, making it easier to sort through and understand. Classifications fall under three main categories: Audit, Security, and Operations.
- Common Event. Specify the name of the event. Logs identified by Common Events matching the specified value are searched. Wildcards (*) are allowed.
- Email Address. The value specified can exist in either the sender or recipient field.
- Event. A log having more immediate operational, security, or compliance relevance. Typically logs classified as errors, failures, or attacks are considered events.
- Host. The value specified can exist in either the Origin or the Impacted host fields. If the value entered is an IP address, the Origin and Impacted IP fields are searched. If the value entered is a host name, Known Host records are searched first. If one or more Known Hosts match, the Origin and Impacted Known Host fields are searched; if no Known Host matches, the Origin and Impacted DNS host name fields are searched. Because resolution stops at the first stage that matches, a host name or wildcard that matches a Known Host never falls through to the DNS host name fields. Wildcards (*) are allowed.
- Log Host. The host that generated or forwarded the log (the log source host), as distinct from the Origin and Impacted hosts parsed from the log's content.
- MPE Rule. Specify the name of the rule you are searching for. Logs matched by Message Processing Engine (MPE) rules whose names match the specified value are searched. Wildcards (*) are allowed.
- Port. When searching for a TCP/UDP port, the value specified can exist in either the origin or impacted port field.
- User. When searching for a login, the value specified can exist in either the Login or the Account field.
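To make the Host resolution order and the either-field rules above concrete, here is an added Python model of the matching logic. It is an illustration written for this page, not LogRhythm code: the record layout, field names, Known Host list and sample log records are all constructed, and a real search runs against the LogRhythm database rather than an in-memory list.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LogRecord:
    """Constructed record; field names mirror the search fields named in the text."""
    id: int
    log_host: str                     # host the log was collected from (Log Host)
    origin_ip: str = ""
    impacted_ip: str = ""
    origin_known_host: str = ""
    impacted_known_host: str = ""
    origin_dns_name: str = ""
    impacted_dns_name: str = ""
    origin_port: Optional[int] = None
    impacted_port: Optional[int] = None
    login: str = ""
    account: str = ""
    sender: str = ""
    recipient: str = ""


# Constructed Known Host records (assumed names, not real inventory).
KNOWN_HOSTS = {"dc01", "web-frontend", "mailgw"}

# Constructed sample records.
RECORDS = [
    LogRecord(1, "collector01", origin_ip="10.0.0.5", impacted_ip="192.0.2.10",
              origin_known_host="dc01", origin_port=49152, impacted_port=445,
              login="jdoe"),
    LogRecord(2, "collector01", origin_ip="203.0.113.7", impacted_ip="10.0.0.5",
              origin_dns_name="webmail.example.com", impacted_known_host="web-frontend",
              impacted_port=443, sender="alice@example.com", recipient="bob@example.net"),
    LogRecord(3, "mailgw", origin_dns_name="scanner.example.org",
              impacted_dns_name="webmail.example.com", impacted_port=25,
              account="svc_backup", sender="mailer@example.org",
              recipient="alice@example.com"),
]


def _glob(pattern: str, value: str) -> bool:
    """Case-insensitive match where '*' is the only wildcard, as the text documents."""
    if not value:
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def search_host(value: str, records: List[LogRecord],
                known_hosts=KNOWN_HOSTS) -> List[LogRecord]:
    """Host option: IP -> Origin/Impacted IP; name -> Known Host first, else DNS name."""
    if _is_ip(value):
        return [r for r in records if value in (r.origin_ip, r.impacted_ip)]
    matched = {h.lower() for h in known_hosts if _glob(value, h)}
    if matched:
        # A Known Host match ends resolution: DNS host name fields are not consulted.
        return [r for r in records
                if r.origin_known_host.lower() in matched
                or r.impacted_known_host.lower() in matched]
    return [r for r in records
            if _glob(value, r.origin_dns_name) or _glob(value, r.impacted_dns_name)]


def search_email(value: str, records: List[LogRecord]) -> List[LogRecord]:
    """Email Address option: the value may appear in either sender or recipient."""
    v = value.lower()
    return [r for r in records if v and v in (r.sender.lower(), r.recipient.lower())]


def search_port(port: int, records: List[LogRecord]) -> List[LogRecord]:
    """Port option: the value may appear in either the origin or the impacted port."""
    return [r for r in records if port in (r.origin_port, r.impacted_port)]


def search_user(value: str, records: List[LogRecord]) -> List[LogRecord]:
    """User option: the value may appear in either the Login or the Account field."""
    v = value.lower()
    return [r for r in records if v and v in (r.login.lower(), r.account.lower())]


def ids(results: List[LogRecord]) -> List[int]:
    return [r.id for r in results]


if __name__ == "__main__":
    print("host 10.0.0.5  ->", ids(search_host("10.0.0.5", RECORDS)))
    print("host web*      ->", ids(search_host("web*", RECORDS)))
    print("email alice    ->", ids(search_email("alice@example.com", RECORDS)))
```

Note the behaviour of `web*`: it matches the Known Host `web-frontend`, so only record 2 is returned even though record 3 carries the DNS name `webmail.example.com`; a pattern that matches no Known Host, such as `*.example.org`, is the one that reaches the DNS host name fields.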