Exploring Access and Audit Logs
The Luminate Security Administration Console provides an interface for exploring access and audit logs. This capability is available via the "Explore" tab.
The interface provides a flexible query language, from free-text searches to complex queries. The guide below explains the query language and describes how an administrator can build queries of varying complexity to retrieve the relevant information.
The query syntax is based on the Apache Lucene query syntax.
Simply type your text string in the search box.
This search matches entries that contain any of the three words truth, or and dare.
You can search for an entire phrase by surrounding it with double quotes:
You can use the AND / OR / NOT keywords to perform complex searches.
The above returns results in which either of the words appears in an entry.
NOTE: The AND / OR / NOT keywords must be capitalized.
To create a more fine-grained query, use the name of the field as a prefix to the value, separated by a colon “:”
This returns all entries where the HTTP status code equals 200.
From here, you can use all of the above rules to create complex and exact queries:
You can mix and match the keywords and exact phrases to drill down and filter your data.
The search fields can be found in each entry in the Explore tab in Luminate Security Administration Console.
The fields can be seen when drilling into each event (click on an event -> Show More); they are surrounded in green in the image below.
The format of the query, as mentioned above, will be field:value. For example:
For nested fields (surrounded in purple), the format is field.sub-field:value. For example:
Partial value search:
When searching for values inside fields, partial matches are also supported.
The easiest way to do this is by using wildcards, for example:
In this case, the results contain all requests (to various HTTPS Applications and Services) whose value contains the word "plugin" anywhere (not necessarily at the start) but does not contain "_plugin".
Log exploration supports fuzzy searches based on the Levenshtein distance (edit distance) algorithm. To do a fuzzy search, add the tilde symbol "~" at the end of a single-word term.
The above looks for anything in the request field with a spelling similar to "plagin".
Date and Time range search:
The timestamp of every event is stored in the "@timestamp" field. Search queries can refer to time ranges (combined with any of the above examples) using the following format:
In this example, the range runs from 12 AM on July 1st, 2018 to 12 AM on August 20th, 2018. More complex and non-contiguous date and time ranges can be obtained by combining multiple ranges with the logical operators AND, OR and NOT.
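As an added example (not part of the Luminate documentation or product), the following Python evaluator implements the subset of the Lucene syntax described above (free text, quoted phrases, capitalized AND / OR / NOT, field:value with dotted sub-fields, * wildcards, ~ fuzzy matching via Levenshtein distance and @timestamp ranges) and runs it over constructed audit events. It simplifies Lucene by matching wildcards against the whole field value and by using a fixed maximum of two edits for fuzzy terms.

```python
import re

# Constructed sample audit events (not real Luminate data); nested fields are keyed by dotted path.
EVENTS = [
    {"@timestamp": "2018-07-15T10:00:00", "http.status": 200, "request": "GET /wp-plugin/x"},
    {"@timestamp": "2018-08-25T10:00:00", "http.status": 200, "request": "GET /_plugin/kibana"},
    {"@timestamp": "2018-07-02T10:00:00", "http.status": 403, "request": "POST /auth/session"},
]
TOKEN = re.compile(r'[^\s"\[]*(?:"[^"]*"|\[[^\]]*\])|\S+')  # field:"phrase", field:[lo TO hi], or a word

def levenshtein(a, b):  # edit distance, the basis of Lucene's fuzzy (~) match
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        row, prev = [i], row
        for j, cb in enumerate(b, 1):
            row.append(min(prev[j] + 1, row[j - 1] + 1, prev[j - 1] + (ca != cb)))
    return row[-1]

def value_matches(actual, pat):  # one value vs "phrase", [lo TO hi], wildcard, fuzzy~ or plain term
    raw = "" if actual is None else str(actual)
    text, words = raw.lower(), re.findall(r"\w+", raw.lower())
    if pat.startswith("[") and " TO " in pat:  # inclusive range; ISO-8601 timestamps compare lexically
        lo, hi = pat[1:-1].split(" TO ")
        return lo <= raw <= hi
    if pat.startswith('"'):                    # exact phrase, anywhere in the value
        return pat[1:-1].lower() in text
    if pat.endswith("~"):                      # fuzzy: some word within edit distance 2 of the term
        return any(levenshtein(w, pat[:-1].lower()) <= 2 for w in words)
    if "*" in pat:                             # wildcard, matched against the whole value
        return re.fullmatch(".*".join(map(re.escape, pat.lower().split("*"))), text) is not None
    return pat.lower() in words                # plain term: whole-word, case-insensitive match

def evaluate(query, event):  # NOT binds tightest, then AND; the remaining clauses are OR-ed
    toks = [t for t in TOKEN.findall(query) if t != "OR"]  # OR is the default operator, so a no-op
    def term():
        t = toks.pop(0)
        if t == "NOT":                         # keywords are case-sensitive: "not" is a plain term
            return not term()
        field, sep, pat = t.partition(":")
        if sep and not t.startswith('"'):      # field:value, including field.sub-field:value
            return value_matches(event.get(field), pat)
        return any(value_matches(v, t) for v in event.values())  # free text searches every field
    result = False
    while toks:
        clause = term()
        while toks and toks[0] == "AND":
            toks.pop(0)
            clause = term() and clause
        result = result or clause
    return result
```

For instance, `request:*plugin* AND NOT request:*_plugin*` selects only the first event, while the lowercase `not kibana` is two plain terms and matches only the kibana event.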