Applies to Product: USM Appliance™, LevelBlue OSSIM®
Raw logs can be searched for further analysis and review. Raw log searches are case-sensitive. You can perform either an indexed query or a raw query using one or more of the tags provided in this section as your search criteria.
- Indexed queries search the logs that have been indexed by USM Appliance.
- Raw queries search all logs.
For this reason, the Indexed Query is usually faster than the Raw Query. USM Appliance indexes new raw log entries on an hourly basis.
Search the Raw Logs with Indexed Query or Raw Query
To perform either an indexed or raw query
- On the Raw Logs page (Analysis > Raw Logs), type the case-sensitive string into the Search field.
As soon as you start entering a value in the Search field, USM Appliance displays a list of tags in the following syntax: <tag>=<string>, <tag>!=<string>
For example: plugin=SSH, src=10.151.184.70, src_port!=80
- Click the appropriate tag containing your string.
Warning: You cannot enter the query as free text.
If you use multiple tags, USM Appliance combines them for you and infers use of the AND operator.
For a list of valid tags, see the Raw Log Search Tags List below.
- Click either INDEXED QUERY or RAW QUERY.
INDEXED QUERY searches all the indexed fields within the logs directory. RAW QUERY searches the entire text logs located in /var/ossim/logs.
Note: If you use the "data" tag, you can only click RAW QUERY, because the "data" tag only searches the non-indexed text.
- If you want to create a new query after completing the first one, click the "x" next to the original query to remove it or use the keyboard delete key.
Special Characters in Search Strings
USM Appliance treats some characters as delimiters while indexing raw log entries; therefore, they cannot be used in an indexed query.
These characters include:
space
:
;
,
=
[
]
(
)
"
Note: A backslash ('\') or a forward slash ('/') works in both Indexed Query and Raw Query searches.
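The tag syntax and implicit AND from the procedure above, together with the delimiter and "data"-tag restrictions in this section, as an added Python example that is not USM Appliance code. It assumes exact, case-sensitive matching for indexed tags and substring matching for the "data" tag, and runs over constructed sample records.

```python
# Added example (not USM Appliance code) modelling the search rules on this page;
# field names, matching rules and the sample records are assumptions.
from typing import Dict, List, Tuple
# Indexing delimiters listed on the page; an INDEXED QUERY value cannot contain them.
INDEX_DELIMITERS = set(' :;,=[]()"')
# Constructed sample records; "data" stands for the raw, non-indexed text.
SAMPLE_LOGS: List[Dict[str, str]] = [
    {"plugin": "SSH", "src": "10.151.184.70", "src_port": "22",
     "data": "Accepted publickey for alice from 10.151.184.70 port 22"},
    {"plugin": "SSH", "src": "10.151.184.70", "src_port": "80",
     "data": "Failed password for root from 10.151.184.70 port 80"},
    {"plugin": "ssh", "src": "192.0.2.10", "src_port": "22",
     "data": "Invalid user bob from 192.0.2.10"},
]
def parse_clause(clause: str) -> Tuple[str, bool, str]:
    """Turn 'src_port!=80' into (tag, negated, value); free text is rejected."""
    if "!=" in clause:                      # test "!=" first, it contains "="
        tag, value = clause.split("!=", 1)
        return tag.strip(), True, value
    if "=" in clause:
        tag, value = clause.split("=", 1)
        return tag.strip(), False, value
    raise ValueError(f"free text is not a valid query: {clause!r}")
def indexed_query_problems(clauses: List[str]) -> List[str]:
    """Reasons the clauses cannot run as an INDEXED QUERY (empty = OK)."""
    problems = []
    for tag, _, value in map(parse_clause, clauses):
        if tag == "data":
            problems.append("the data tag only searches non-indexed text")
        bad = INDEX_DELIMITERS & set(value)
        if bad:
            problems.append(f"{value!r} contains delimiter(s) {sorted(bad)}")
    return problems
def search(logs, clauses, indexed=True):
    """AND all clauses together; matching is case-sensitive like the appliance."""
    if indexed and indexed_query_problems(clauses):
        raise ValueError("; ".join(indexed_query_problems(clauses)))
    parsed = [parse_clause(c) for c in clauses]
    hits = []
    for record in logs:
        for tag, negated, value in parsed:
            # assumption: "data" is a substring match, other tags an exact match
            matched = value in record["data"] if tag == "data" else record.get(tag) == value
            if matched == negated:          # this clause failed, so AND fails
                break
        else:                               # no break: every clause held
            hits.append(record)
    return hits
```

Calling `search(SAMPLE_LOGS, ["plugin=SSH", "src=10.151.184.70", "src_port!=80"])` returns only the first record, while `search(SAMPLE_LOGS, ["data=Failed password"])` is rejected until `indexed=False` is passed, mirroring the RAW QUERY requirement for the "data" tag.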
Save and Run a Query
If you have search queries that are frequently used or important, you can save them to quickly run them again as needed.
To save a query
- Perform a search in the search field.
- Click Predefined Searches.
- In the Select a Predefined to Search popup, give the search a name and click Add.
- Click the Diskette icon to save the query.
To run a saved query
- Click Predefined Searches.
- In the Select a Predefined to Search popup, select the query name.
To delete a saved query
- Click Predefined Searches.
- In the Select a Predefined to Search popup, select the query you want to delete and click the Trash icon.
- Click OK to confirm deletion.