
Exploring Access and Audit Logs


Article ID: 174957


Products

Secure Access Cloud

Issue/Introduction

Exploring Access and Audit Logs

Resolution

The Luminate Security Administration Console provides an interface for exploring access and audit logs. This capability is available from the "Explore" tab.

The interface provides a flexible query language, from free-text searches to complex queries. The guide below explains the query language and shows how an administrator can build queries of varying complexity to retrieve the relevant information.

The query syntax is based on the Apache Lucene query syntax.

 

Free Text:

Simply type your text string in the search box, for example:

truth or dare

This search will look for entries containing any of the three words truth, or and dare (with no operator between terms the default is OR, and a lowercase "or" is treated as just another word).

You can search for the entire phrase by surrounding it with double quotes:

"truth or dare"

You can use the AND / OR / NOT keywords to perform complex searches, for example:

truth OR dare

The above will return results when either of the two words appears in an entry.

NOTE: The AND / OR / NOT keywords must be capitalized.

 

Field search:

To create a more fine-grained query, use the name of the field as a prefix to the value, followed by a colon ":", i.e. field:value. Querying the HTTP status code field for the value 200, for example, will return all entries where the HTTP status code equals 200.

From here, you can use all of the above rules to create complex and exact queries: field:value clauses can be joined with AND / OR / NOT, negated, grouped in parentheses and combined with quoted phrases.

You can mix and match the keywords and exact phrases to drill down and filter your data.

 

The search fields can be found in each entry in the Explore tab in the Luminate Security Administration Console.

The fields are shown when drilling into an event (click on an event -> Show More); in the screenshot that accompanied this article, top-level fields are outlined in green and nested fields in purple.

The format of the query, as mentioned above, is field:value.

In the case of nested fields, the format is field.sub-field:value, i.e. the path to the sub-field joined with dots.

 

Partial value search:

When searching for values inside fields, partial matches are also supported.

The easiest way to do this is with wildcards: "*" stands for any number of characters and "?" for exactly one. For example:

*plugin* NOT *_plugin*

In this case, the results will contain all requests (to the various HTTPS applications and services) that contain the word "plugin" anywhere in the value (not necessarily at the start) but do not contain "_plugin".

 

Fuzzy search:

Exploring logs supports fuzzy searches based on the Levenshtein distance (edit distance) algorithm. To do a fuzzy search, use the tilde "~" symbol at the end of a single-word term, for example:

request:plagin~

The above will look for anything in the request field with a spelling similar to "plagin", such as "plugin". In Lucene syntax an optional number after the tilde caps the number of edits (e.g. request:plagin~1 allows a single insertion, deletion or substitution); without it the default maximum is two edits, which matches noticeably more than you might expect.

 

Date and Time range search:

The timestamp of every event is contained in the "@timestamp" field. Search queries can refer to time ranges (combined with all of the above examples) using the Lucene range syntax, for example:

@timestamp:[2018-07-01T00:00:00 TO 2018-08-20T00:00:00]

In this example the range spans 12 AM on July 1st, 2018 to 12 AM on August 20th, 2018. Square brackets make both bounds inclusive; curly braces, as in {2018-07-01T00:00:00 TO 2018-08-20T00:00:00}, exclude them. More complex and non-contiguous date and time ranges can be obtained by combining multiple ranges with the logical operators AND, OR and NOT.
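The following Python script is an added example, not part of the original article or of Luminate's product code: a toy evaluator for the query syntax described in the Free Text, Field search, Partial value search, Fuzzy search and Date and Time range sections above (free-text terms with implicit OR, capitalized AND / OR / NOT, field:value and field.sub-field:value clauses, quoted phrases, wildcards, ~ fuzzy matching by Levenshtein distance, and inclusive @timestamp ranges), run over three constructed log events. The field names status, message, user.name and user.group and the events themselves are assumptions for illustration; only @timestamp and request are named on the page. Matching is deliberately simplified (whole lower-cased tokens for terms, substring for phrases), so it shows how the clauses combine rather than reproducing the product's analyzer.

```python
import re
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed sample events (hypothetical, not real Luminate access-log entries) for the toy
# evaluator below, which is an added illustration of the query syntax, not Luminate code.
SAMPLE_EVENTS = [
    {"@timestamp": "2018-07-15T10:00:00", "status": 200, "message": "plugin readme fetched",
     "request": "GET /wp-content/plugins/akismet/plugin.php", "user": {"name": "alice", "group": "dev"}},
    {"@timestamp": "2018-08-25T10:00:00", "status": 403, "message": "access denied",
     "request": "GET /_plugin/kibana/app", "user": {"name": "bob", "group": "ops"}},
    {"@timestamp": "2018-06-30T23:59:59", "status": 200, "message": "truth or dare game started",
     "request": "POST /api/games", "user": {"name": "carol", "group": "dev"}},
]
# Query tokens: parentheses, [field:]"quoted phrase", field:[lo TO hi], or a bare word.
_TOKEN = re.compile(r'\(|\)|[^\s()]*"[^"]*"|[^\s()]*\[[^\]]*\]|[^\s()]+')
_WORD = re.compile(r"\w+")  # event values are matched as whole lower-cased tokens


def _values(event, field):
    """Strings to test: the dotted field (field.sub-field), or every leaf value for free text."""
    if field:
        for part in field.split("."):
            event = event.get(part) if isinstance(event, dict) else None
        return [] if event is None else [str(event)]
    return [s for v in event.values() for s in (_values(v, None) if isinstance(v, dict) else [str(v)])]


def levenshtein(a, b):  # edit distance, the measure behind the ~ fuzzy operator
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _term_pred(field, value):
    """Predicate for one clause: "phrase", [lo TO hi], word~N, or a plain/wildcard term."""
    low = value.lower()
    if len(low) > 1 and low[0] == low[-1] == '"':
        phrase = low[1:-1]
        return lambda e: any(phrase in v.lower() for v in _values(e, field))
    m = re.fullmatch(r"\[(.+?) TO (.+?)\]", value)      # inclusive range on a named field, ISO 8601 bounds
    if m:
        lo, hi = (datetime.fromisoformat(x) for x in m.groups())
        return lambda e: any(lo <= datetime.fromisoformat(v) <= hi for v in _values(e, field))
    m = re.fullmatch(r"(.+?)~(\d*)", low)                # word~ or word~N; Lucene's default is 2 edits
    if m:
        word, edits = m.group(1), int(m.group(2) or 2)
        return lambda e: any(levenshtein(word, t) <= edits for v in _values(e, field) for t in _WORD.findall(v.lower()))
    return lambda e: any(fnmatchcase(t, low) for v in _values(e, field) for t in _WORD.findall(v.lower()))  # * and ? wildcards


def compile_query(query):
    """Recursive descent over the tokens; precedence: implicit/explicit OR < AND, NOT < ( )."""
    toks, pos = _TOKEN.findall(query) + [None], [0]
    def peek():
        return toks[pos[0]]
    def take():
        pos[0] += 1
        return toks[pos[0] - 1]
    def or_expr():                  # clauses with no operator between them are OR'ed
        left = and_expr()
        while peek() not in (None, ")"):
            if peek() == "OR":
                take()
            left = (lambda a, b: lambda e: a(e) or b(e))(left, and_expr())
        return left
    def and_expr():                 # "a NOT b" acts as "a AND NOT b", as in Lucene
        left = not_expr()
        while peek() in ("AND", "NOT"):
            if peek() == "AND":
                take()
            left = (lambda a, b: lambda e: a(e) and b(e))(left, not_expr())
        return left
    def not_expr():
        if peek() == "NOT":
            take()
            inner = not_expr()
            return lambda e: not inner(e)
        tok = take()
        if tok == "(":
            inner = or_expr()
            if take() != ")":
                raise ValueError("missing )")
            return inner
        if tok is None or tok in (")", "AND", "OR"):
            raise ValueError("malformed query near %r" % tok)
        field, sep, value = tok.partition(":")
        if not sep or tok.startswith('"'):  # bare term: search every field
            field, value = None, tok
        return _term_pred(field, value)
    pred = or_expr()
    if peek() is not None:
        raise ValueError("unexpected %r" % peek())
    return pred


def search(query, events=SAMPLE_EVENTS):
    pred = compile_query(query)
    return [e["user"]["name"] for e in events if pred(e)]  # matching users, in log order
```

With these events, search("*plugin* NOT *_plugin*") returns ["alice"], because bob's request carries the _plugin token, and search("@timestamp:[2018-07-01T00:00:00 TO 2018-08-20T00:00:00] AND status:200") also returns only alice. The fuzzy case is the one to watch: search("request:plagin~") matches both alice (plugin, one edit) and bob (_plugin, two edits), whereas request:plagin~1 matches alice alone, so an unqualified ~ casts a wider net than a reader of the page might assume.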

 
