Review and Verify Raw Logs

Applies to Product: USM Appliance™ LevelBlue OSSIM®

When you examine an event, you can find additional information by examining the raw logs that the USM Appliance Logger stores. When retrieving information from the raw logs, you can perform a verification to ensure that the data has not been tampered with. This helps you meet governmental and other compliance mandates for archival and management. It also enables the forensic analysis of all events. The USM Appliance Logger signs the raw logs digitally before storing them.

Note: Beginning with version 5.4, USM Appliance uses DSA (Digital Signature Algorithm), in place of SHA-1, to sign raw logs.

Because it is still possible for individuals to tamper with logs, use this procedure to verify that no one has altered any of them.

To search for raw logs related to activity in an alarm

  1. Go to Analysis > Raw Logs and search for any raw logs related to activity that triggered an alarm.

  2. Fill in the Search field and click either Indexed Query or Raw Query.

    Indexed Query searches the indexed fields of the logs filed in the logs directory. Raw Query searches the full text of the logs located in /var/ossim/logs.

  3. Click any individual log to expand its details for further information.

  4. When your search returns the desired log, click Validate, located in the Signature column of the list.

    Validate feature for raw logs.

  5. If the log validation is successful, a popup will display with the full log verification results.

    Validate Signature pop-up.

    If the log was altered since its original signing, a popup will be displayed reading "Verification Failed."

  6. Important: If your logger is set for block signing, a signature may not yet be available if the log is only one hour old. If you want to have logs signed immediately, change the configuration of the logger to perform line signing. See Configure the Digital Signing of Raw Logs for more information.
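
The difference between block signing and line signing, and what a failed validation means, shown as an added sketch that is not the appliance's own code or storage format. It assumes Python's `cryptography` package, a freshly generated DSA key with SHA-256, and constructed log lines; all function names are hypothetical.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import dsa

# Constructed sample log lines (assumption: not real appliance output).
LINES = [
    b"Jan 10 09:00:01 fw01 sshd[811]: Accepted password for alice from 10.0.0.5",
    b"Jan 10 09:00:07 fw01 sshd[811]: Failed password for root from 10.0.0.9",
    b"Jan 10 09:00:09 fw01 sudo: alice : COMMAND=/usr/bin/systemctl restart nginx",
]

def verify(public_key, signature, data):
    """Return True if signature is a valid DSA/SHA-256 signature over data."""
    try:
        public_key.verify(signature, data, hashes.SHA256())
        return True
    except InvalidSignature:
        return False

def sign_lines(key, lines):
    """Line signing: one signature per line, available as soon as it is written."""
    return [key.sign(line, hashes.SHA256()) for line in lines]

def sign_block(key, lines):
    """Block signing: one signature over the whole block, once the block is closed."""
    return key.sign(b"\n".join(lines), hashes.SHA256())

def failed_lines(public_key, lines, sigs):
    """Indexes of lines whose per-line signature no longer verifies."""
    return [i for i, (l, s) in enumerate(zip(lines, sigs)) if not verify(public_key, s, l)]

def demo():
    # Hypothetical key generated for the demo; a real logger keeps a persistent key.
    key = dsa.generate_private_key(key_size=2048)
    pub = key.public_key()
    line_sigs = sign_lines(key, LINES)
    block_sig = sign_block(key, LINES)
    tampered = list(LINES)
    tampered[2] = tampered[2].replace(b"alice", b"bob")  # altered after signing
    return {
        "intact_lines": failed_lines(pub, LINES, line_sigs),
        "intact_block": verify(pub, block_sig, b"\n".join(LINES)),
        "tampered_lines": failed_lines(pub, tampered, line_sigs),
        "tampered_block": verify(pub, block_sig, b"\n".join(tampered)),
    }

if __name__ == "__main__":
    print(demo())
```

In this sketch, the per-line signatures identify which line was altered, while the block signature only reports that something in the block changed and cannot exist until the block is complete.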