Raw Log Management

Raw logs in USM Appliance consist of event data stored in the Logger: a Sensor parses and normalizes raw data from devices and sends it to the Server, and the Server then forwards it to the Logger. The LevelBlue USM Appliance Logger securely archives raw event data as logs without any filtering. Raw logs are an invaluable asset for forensic analysis and compliance mandates. You can review logs to find details about specific incidents, search the logs for instances of a specific IP address, or analyze the patterns of multiple attacks.

When you select the Analysis > Raw Logs option, USM Appliance displays the following page.

Raw Logs Display

This page lets you access and view all the normalized events that the USM Appliance Logger saved to its archived log files for long-term storage and forensic investigation. The USM Appliance Logger digitally signs and timestamps the archived log files to ensure their integrity and to guarantee, for compliance reporting, that the data in the log files has not been tampered with. From the Raw Logs page, you can click the icon to validate that a particular event has not been altered.

By default, the Raw Logs page displays a raw log event trending graph, which shows the number of events occurring within a specified interval of time. You can click on any of the bars to display only the events that occurred within that time frame.

The USM Appliance web UI also offers the Show the Main Chart option, which gives another view of raw log events. You can also click the icon to switch the display to a collection of pie charts that show the distribution of events by sensor, event types, sources, and destinations.

Below the trending chart, you can specify the duration of the time frame, such as last 2 hours, last 24 hours, or last week. In addition, you can enter a search query, written as a logical expression, to filter the event display. Below the trending chart and Search areas, the web UI provides a tabular display of events matching the selected time frame, or matching an indexed or raw query.