13.2. Analytics Search

The Analytics search tab displays a list of all log events from the connected sensors and the Log Analyzer log events. To search for events of interest, use the search field to create an SQL-like search query. A query is formulated from field names, field values, keywords, and operators; for the query syntax, refer to the section Data Search and Filtering. A query can also be written using the Google/RE2 regular expression syntax inside a MATCH operator.

By clicking Add rule, you can add a new analytics rule that will use the search query you have entered as the filter query. For more details on analytics rules, see the section Analytics.

In addition, by clicking Add condition, you can create a condition from the entered search query and add it to the analytics rule created earlier. When adding a condition, specify the analytics rule and a name for the condition.

The selected event can be added to an incident by clicking Add to incident. For more details about incidents, see the chapter Incident Settings.

Two event data views can be used: table and plain text. To switch to the desired view, click Switch to plain text view or Switch to table view.

The Analytics search tab displays the following event information. Each entry below gives the column name as shown in the database, followed in parentheses by the field name to use in a search query, and then the description.

Node (node): The node name of the NGFW or LogAn device.

Time (date): The time when the event occurred or the analytics rule was triggered. Displayed in the timezone set in UserGate LogAn.

First event time (triggeredAlertFirstEventDate): For the triggered alert log: the time of the first event included in the triggered alert for the analytics rule.

Last event time (triggeredAlertLastEventDate): For the triggered alert log: the time of the last event included in the triggered alert for the analytics rule.

Source (source): The log where the event was recorded: LogAn, NGFW, endpoint, or triggered alert logs.

Severity (severity): The event category for NGFW and LogAn event logs:

  • Info: events that normally do not require administrator attention.

  • Warning: events that indicate possible problems.

  • Error: events that indicate errors.

  • Critical: events that indicate critical errors that can affect functionality.

Component (component): The component where the event occurred (e.g., updates, settings, console authorization, analytics, etc.). Applicable to NGFW and LogAn event log records.

Event type (event): The event type from an NGFW or LogAn event log (e.g., check, download, update installation, successful/failed authorization, parameter search, etc.).

User (user): The name of the user whose account was used to log in to the NGFW, LogAn, or endpoint device. Applicable to NGFW, LogAn, and endpoint event log records as well as web access, traffic, IDPS, and triggered alert log records.

Module (module): The module where the event occurred (e.g., Web console, Core, VPN server, etc.). Applicable to NGFW and LogAn event log records.

Change tracker (changeTracker): The type of the change (LogAn or NGFW event log). The possible change types can be specified by the user.

Data (data): Detailed information about the event. Applicable to endpoint event log and syslog records.

Information (details): Detailed information about the event from Log Analyzer and NGFW event logs.

Rule (rule): The name of the analytics, firewall, content filtering, SCADA, or IDPS rule.

Action (action): The action configured in the firewall, content filtering, SCADA, or IDPS rules:

  • Allow (allow/pass/allow_webaccess): for firewall, IDPS, or content filtering rules.

  • Safe browsing ('safe browsing').

  • Captive portal ('captive portal').

  • Warning (warning): for content filtering rules.

  • Alert (alert): applicable to DoS protection in a zone.

  • NAT (nat).

  • DNAT (dnat).

  • Port forwarding ('port forwarding').

  • Policy-based routing ('policy based routing').

  • Network mapping ('network mapping').

  • Deny (deny/drop/deny_webaccess): for firewall, IDPS, or content filtering rules.

  • Decrypt (decrypt): for inspection rules.

  • Log (log): for IDPS rules.

  • Pass (pass): for SCADA rules.

  • Drop (drop): for SCADA rules.

Application (application): Application name. Applicable to traffic, IDPS, syslog, and endpoint rule and application log records.

Network protocol (networkProtocol): The transport protocol of the connection used to access the resource. Applicable to traffic, IDPS, and endpoint rule log records.

Application protocol (httpProtocol): The HTTP protocol version. Applicable to web access log records.

URL categories (urlCategory): The categories to which the website belongs. Applicable to web access and endpoint rule log records.

Reasons (search query name not listed): The reasons (e.g., for blocking) from the web access log.

HTTP method (method): The HTTP method (the main operation on the resource):

  • OPTIONS: used to determine the web server capabilities or connection parameters for a specific resource.

  • GET: used to request the content of the specified resource.

  • HEAD: similar to GET, except that the body is omitted from the server response.

  • POST: used to send user data to the specified resource.

  • PUT: used to upload the request content to the URI specified in the request.

  • PATCH: similar to PUT but applied only to a part of the resource.

  • DELETE: deletes the specified resource.

  • TRACE: returns the received request so that the client can see what information is added or modified in the request by intermediate servers.

  • CONNECT: transforms the request connection into a transparent TCP/IP tunnel.

Applicable to web access log records.

HTTP status code (statusCode): The status code from the first line of the HTTP server response. Applicable to web access log records.

Content type (mime): The type of the content. Applicable to web access and endpoint rule log records.

URL (url): The URL of the resource that was accessed. Applicable to web access log records.

Referer (referer): The URL of the previous page (if any). Applicable to web access log records.

Operating system (operatingSystem): The operating system type on the user device. Applicable to web access and IDPS log records.

Useragent (userAgent): The browser user agent string. Applicable to web access log records.

Signatures (signature): The name of the triggered IPS signature. Applicable to IDPS log records.

Source zone (zoneSource): The source zone. Applicable to web access, traffic, SCADA, and IDPS log records.

IP source (ipSource): The source IP address of the traffic. Applicable to web access, traffic, SCADA, IDPS, and endpoint rule log records.

Source port (portSource): The source port number used for the connection. Applicable to web access, traffic, IDPS, and endpoint rule log records.

Source MAC address (macSource): The source MAC address. Applicable to traffic and IDPS log records.

Destination zone (zoneDest): The destination zone. Applicable to web access, traffic, IDPS, and endpoint rule log records.

IP destination (ipDest): The destination IP address of the traffic. Applicable to web access, traffic, SCADA, IDPS, and endpoint rule log records.

Destination port (portDest): The destination port number used by the transport protocol. Applicable to web access, traffic, SCADA, IDPS, and endpoint rule log records.

Destination MAC address (macDest): The destination MAC address. Applicable to traffic and IDPS log records.

NAT source IP (natIpSource): The NAT source IP address (if NAT rules are configured). Applicable to traffic log records.

NAT source port (natPortSource): The NAT source port (if NAT rules are configured). Applicable to traffic log records.

NAT destination IP (natIpDest): The NAT destination IP address (if NAT rules are configured). Applicable to traffic log records.

NAT destination port (natPortDest): The NAT destination port (if NAT rules are configured). Applicable to traffic log records.

Bytes sent/received (bytesSent/bytesRecv): The amount of data sent and received. Applicable to traffic and web access log records.

Packets sent/received (packetSent/packetRecv): The number of packets sent and received. Applicable to traffic and web access log records.

Endpoint/sensor (sensor): The name of the endpoint device or sensor. Applicable to endpoint event log records.

Counter (counter): The name of the counter added to the WMI or SNMP sensor. Applicable to endpoint event log records.

SNMP object (snmpObject): The SNMP object ID (SNMP OID). Applicable to endpoint event log records.

SNMP object type (snmpObjectType): The SNMP object type. Applicable to endpoint event log records.

Status (status): The result of the WMI or SNMP query (OK or Error). Applicable to endpoint event log records.

Error (error): The WMI or SNMP error returned by the query. Applicable to endpoint event log records.

SCADA protocol (scadaProtocol): The SCADA (Supervisory Control And Data Acquisition) protocol:

  • IEC 104.

  • Modbus.

  • DNP3 (Distributed Network Protocol).

  • MMS (Manufacturing Message Specification).

  • OPC UA (Open Platform Communications Unified Architecture).

Applicable to SCADA log records.

Log level (logLevel): The type of the event:

  • Audit Success: a security log event that occurs on successful access to the audited resources.

  • Audit Failure: a security log event that occurs on failed access to the audited resources.

  • Error: points to significant problems that can cause loss of functionality or data.

  • Information: an informational event that usually does not require administrator attention.

  • Warning: points to problems that do not need urgent fixing but can cause errors in the future.

Applicable to endpoint event log records.

Log event source (logEventSource): The name of the software that logged the event. Applicable to endpoint event log records.

Log category (logCategory): The log category used to classify the events. The data is taken from the Windows EventLog; each source can define its own category IDs. Applicable to endpoint event log records.

Incident category (taskCategory): The category of the task. Applicable to endpoint event log records.

Computer name (computerName): The full name of the endpoint device. Applicable to endpoint event log and syslog records.

Log event code (logEventCode): The log event code corresponding to a specific event. Applicable to endpoint event log records.

Log event ID (logEventId): The log event ID, which is the primary identifier of the event. Applicable to endpoint event log records.

Log event type (logEventType): The type of the log event. This is a numeric parameter that represents the log level:

  • 1: error log level.

  • 2: warning log level.

  • 3: information log level.

  • 4: audit success log level.

  • 5: audit failure log level.

Applicable to endpoint event log records.

Insertion string (insertionString): Contains the EventData block of the Windows event. Applicable to endpoint event log records.

Log file (logFile): Shows information from the endpoint event log, i.e. important software and hardware events. The following log file types exist:

  • Application (application log file): for application and service events.

  • Security (security log file): for audit system events.

  • System (system log file): for device driver events.

  • CustomLog: contains events logged by applications that create a custom log. A custom log allows an application to control the log size or attach access control lists for security purposes without affecting other applications.

Applicable to endpoint event log records.

Command (scadaCommand): The SCADA control command (e.g., read or write). Applicable to SCADA log records.

Registry address (scadaAddress): The address of the register on which the operation (read or write) is to be performed. Applicable to SCADA log records.

ASDU number (scadaAsdu): The ASDU address (COA, or Common Object Address). Refers to the IEC-104 protocol. Applicable to SCADA log records.

Device ID (scadaDevice): The unique device number from the OPC server database. Used with the OPC UA protocol. Applicable to SCADA log records.

Variable name (scadaVarname): The name of the variable. This parameter is mainly used for real-time data exchange. Refers to the MMS protocol. Applicable to SCADA log records.

Hash (hash): The application's hash. This is a parameter of the endpoint application log.

Object (facility): The event's category. Applicable to syslog records. The possible values are:

  • Kernel messages.

  • User-level messages.

  • Mail system.

  • System daemon.

  • Security/authorization.

  • Syslog messages.

  • Line printer subsystem.

  • Network news subsystem.

  • UUCP subsystem.

  • Clock daemon.

  • Security/authentication.

  • FTP Daemon.

  • NTP subsystem.

  • Log audit.

  • Log alert.

  • Clock daemon 2.

  • Local0-Local7.

Severity (syslogSeverity): The event severity for syslog:

  • Emergency: a critical state that affects system health.

  • Alert: a state that requires immediate intervention.

  • Critical: a state that requires immediate intervention or signals a fault in the system.

  • Error: non-critical system faults.

  • Warning: warnings on potential errors that can occur if no action is taken.

  • Notice: events that are related to unusual system behavior but are not errors.

  • Info: informational messages.

  • Debug: information useful to developers for debugging applications.

Process ID (processId): The process identifier. Applicable to syslog records.

Device (device): A device that was added to or removed from the endpoint device. This is a parameter of the endpoint hardware log.

Device ID (deviceId): The identifier of the device that was added to or removed from the endpoint device. This is a parameter of the endpoint hardware log.
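The syslog facility and severity values and the numeric Windows logEventType codes listed above use two different severity schemes, which matters when one analytics rule has to treat syslog and endpoint records alike. The following Python script is an added example, not UserGate code: it decodes a raw syslog PRI header into the facility and severity names the table lists (assuming, per the standard syslog encoding, that the page's facility order equals the numeric facility code, with PRI = facility × 8 + severity), labels endpoint records by logEventType, and maps both onto one common scale. The common scale and the choice to rank Audit Failure as a warning are assumptions made for this example; the sample records are constructed and the dictionary keys use the search-query field names from this page.

```python
import re

# Syslog facility names in the order the page lists them. In the standard
# syslog PRI encoding that order is also the numeric facility code:
# Kernel messages = 0 ... Clock daemon 2 = 15, Local0 = 16 ... Local7 = 23.
SYSLOG_FACILITIES = [
    "Kernel messages", "User-level messages", "Mail system", "System daemon",
    "Security/authorization", "Syslog messages", "Line printer subsystem",
    "Network news subsystem", "UUCP subsystem", "Clock daemon",
    "Security/authentication", "FTP Daemon", "NTP subsystem", "Log audit",
    "Log alert", "Clock daemon 2",
] + [f"Local{i}" for i in range(8)]

# Syslog severity names, numeric code 0 (most severe) to 7 (least severe).
SYSLOG_SEVERITIES = [
    "Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Info", "Debug",
]

# Windows logEventType codes as given on this page.
WINDOWS_EVENT_TYPES = {
    1: "Error", 2: "Warning", 3: "Information", 4: "Audit Success", 5: "Audit Failure",
}

# Common scale used for both sources (a choice made for this example, not a
# LogAn setting): lower rank = more urgent.
COMMON_LEVELS = {"critical": 0, "error": 1, "warning": 2, "info": 3, "debug": 4}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri):
    """Split a syslog PRI value into (facility name, severity name).

    PRI = facility * 8 + severity, so valid values are 0..191.
    """
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return SYSLOG_FACILITIES[facility], SYSLOG_SEVERITIES[severity]


def parse_syslog_line(line):
    """Turn a raw '<PRI>message' line into a record keyed by the search-query
    field names on this page (facility, syslogSeverity, data)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    facility, severity = decode_pri(int(m.group(1)))
    return {"source": "syslog", "facility": facility,
            "syslogSeverity": severity, "data": m.group(2).strip()}


def common_level(record):
    """Map a syslog or endpoint record onto the common scale."""
    if record.get("source") == "syslog":
        code = SYSLOG_SEVERITIES.index(record["syslogSeverity"])
        # Emergency/Alert/Critical -> critical, Error -> error,
        # Warning -> warning, Notice/Info -> info, Debug -> debug.
        return ["critical", "critical", "critical", "error",
                "warning", "info", "info", "debug"][code]
    if record.get("source") == "endpoint":
        name = WINDOWS_EVENT_TYPES[record["logEventType"]]
        # Assumption for this example: Audit Failure counts as a warning,
        # Audit Success as informational.
        return {"Error": "error", "Warning": "warning", "Information": "info",
                "Audit Success": "info", "Audit Failure": "warning"}[name]
    raise ValueError(f"unknown source: {record.get('source')}")


def count_by_level(records):
    """Number of records at each common level."""
    counts = {lvl: 0 for lvl in COMMON_LEVELS}
    for r in records:
        counts[common_level(r)] += 1
    return counts


def at_least(records, level):
    """Records whose common level is `level` or more urgent."""
    threshold = COMMON_LEVELS[level]
    return [r for r in records if COMMON_LEVELS[common_level(r)] <= threshold]


# Constructed sample input (not real LogAn data).
SAMPLE_SYSLOG = [
    "<34>Oct 11 22:14:15 host su: authentication failure",  # 4*8+2: auth, Critical
    "<13>Oct 11 22:14:16 host app: started",                # 1*8+5: user, Notice
    "<165>Oct 11 22:14:17 host app: trace",                 # 20*8+5: Local4, Notice
]
SAMPLE_ENDPOINT = [
    {"source": "endpoint", "computerName": "ws01.example.test",
     "logFile": "Security", "logEventType": 5},
    {"source": "endpoint", "computerName": "ws01.example.test",
     "logFile": "System", "logEventType": 1},
]


def build_records():
    """Parse the syslog samples and combine them with the endpoint samples."""
    return [parse_syslog_line(l) for l in SAMPLE_SYSLOG] + SAMPLE_ENDPOINT


if __name__ == "__main__":
    recs = build_records()
    print(count_by_level(recs))
    for r in at_least(recs, "error"):
        print(r)
```

A practical use of this normalization is a single analytics condition such as "everything at error or above" that does not have to enumerate the syslog severity names and the Windows type codes separately; the facility decoder also makes it visible which syslog facility a record came from when only the raw PRI number survived collection.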

The administrator can select to display only the columns they need. To do that, point the mouse cursor to the name of any column, click the arrow that will appear to the right of the column name, choose Columns, and select the desired parameters in the context menu.