LogAn является продуктом компании UserGate, входящим в состав экосистемы UserGate SUMMA. LogAn устанавливается на отдельном сервере, использование которого позволяет обеспечить высокую надёжность и хорошую масштабируемость системы. LogAn предоставляет возможность осуществления сбора и анализа данных с различных устройств, мониторинга событий безопасности и создания отчётов. For more details on LogAn, refer to the corresponding documentation.
Для отправки данных на сервер LogAn, его необходимо назначить, используя шаблон конечных устройств. To send logs and telemetry data from UG Client to the UG LogAn server, a port from the range 22000-22711 is used that is automatically allocated in MC for this endpoint device; the data is transferred via UGMC. The configuration of a LogAn server for endpoint devices is done using endpoint templates. For more details, see the General Settings section.
Using the received data, LogAn analyzes past events and monitors user activity. Events received from UGC managed devices are recorded in the following logs:
-
Endpoint events
-
Endpoint rules
-
Endpoint applications
-
Endpoint hardware.
Для просмотра данных с устройств UGC используется раздел веб-консоли Журналы и отчёты ➜ Журналы ➜ Конечные устройства.
The generation of these logs is discussed below in the Endpoint events, Endpoint rules, Endpoint Application Log, and Endpoint Hardware Log sections.
Endpoint Event Log
The endpoint event log (Endpoint events) shows events received from endpoint devices that are managed using the UserGate Client software.
To assist in finding the events you need, you can filter the records by various criteria, such as date range, severity, or event type, etc.
In addition, LogAn provides an advanced search mode where you can create complex search filters using a specialized query language whose syntax is described later in the Advanced Search Mode section.
After configuring the desired parameters, you can save the resulting filter by clicking Save as. The list of saved filters can be viewed in the Favorite filters tab.
The administrator can select the columns that will be logged. To do that, point the mouse cursor at the name of any column, click the arrow that will appear to the right of the column name, choose Columns, and select the desired parameters in the context menu.
The endpoint events log shows the following information:
|
Name |
Description |
|---|---|
|
Node |
The ID of the endpoint device or node on which the sensor is running. |
|
Time |
Event time Displayed in the timezone set in LogAn. |
|
Endpoint/sensor |
The name of the computer. |
|
Log level |
The event type:
|
|
Data |
Detailed information about the event. |
|
Log event source |
The source of the logged events. |
|
Log category |
The log category that is required to classify the events. The data is taken from Windows EventLog. Each source can define its own category IDs. Applicable to endpoint event log records. |
|
Incident category |
The category of the incident. |
|
Computer name |
The full name of the computer. |
|
Username. |
The name of the user whose account was used to log in to the endpoint device. |
|
Log event code |
The code corresponding to a specific event. |
|
Log event ID |
The ID of the log event that determines the primary ID of the event. |
|
Log event type |
The type of the log event corresponding to a specific log level:
|
|
Insertion string |
Contains the EventData block of the Windows event. |
|
Log file |
The type of the log file where the event is recorded:
|
С использованием кнопки Показать можно просмотреть выбранную запись журнала событий конечных устройств.
Click Add to incident to add the log record to the incident information.
By clicking Export as CSV, the administrator can save the filtered log data in a .csv file for subsequent analysis.
Endpoint Rule Log
Журнал правил конечных устройств отображает события срабатывания правил межсетевого экрана конечных устройств, в настройках которых включена функция Журналирование. The configuration of firewall rules is discussed in the Network Policies section.
To assist in finding the events you need, you can filter the log records for firewall rule triggers by various criteria such as the date range, rule name, etc.
In addition, UserGate LogAn provides an advanced search mode where you can create complex search filters using a specialized query language whose syntax is described later in the Advanced Search Mode section.
After configuring the desired parameters, you can save the resulting filter by clicking Save as. The list of saved filters can be viewed in the Favorite filters tab.
The administrator can select the columns that will be logged. To do that, point the mouse cursor at the name of any column, click the arrow that will appear to the right of the column name, choose Columns, and select the desired parameters in the context menu.
The endpoint rule log shows the following information:
|
Name |
Description |
|---|---|
|
Node |
The endpoint device ID. |
|
Time |
The time when the rule was triggered. Displayed in the timezone set in LogAn. |
|
Endpoint device |
The name of the computer. |
|
Action |
The action to be taken when the rule is matched:
|
|
Rule |
The name of the firewall rule. |
|
Application |
The application used to access the resource. |
|
Domain |
The domain name to which the connection was established. |
|
URL categories |
The website categories that apply to the destination address. The categories will be displayed only if there are rules with the URL categories match condition. |
|
Content type |
Displays the content type. |
|
Network protocol |
The transport protocol used to connect to the resource. |
|
Source IP |
The source IP address for the traffic. |
|
Source port |
The port number used for connection. |
|
IP dest |
The destination IP address for the traffic. |
|
Destination port |
The destination port number used by the transport protocol. |
Нажав кнопку Показать, можно просмотреть подробную информацию о выбранной записи журнала правил конечных устройств.
Click Add to incident to add the log record to the incident information.
By clicking Export as CSV, the administrator can save the filtered log data in a .csv file for subsequent analysis.
Endpoint Application Log
The endpoint application log (Endpoint applications) shows the applications that were run on the endpoint devices.
To assist in finding the events of interest, the records can be filtered by various criteria.
In addition, UserGate LogAn provides an advanced search mode where you can create complex search filters using a specialized query language whose syntax is described later in the Advanced Search Mode section.
You can save the configured filter by clicking Save as. The saved filter will be available in the Favorite filters tab.
The administrator can select the columns that will be logged. To do that, point the mouse cursor at the name of any column, click the arrow that will appear to the right of the column name, choose Columns, and select the desired parameters in the context menu.
The endpoint application log shows the following information:
|
Name |
Description |
|---|---|
|
Node |
The endpoint device ID. |
|
Time |
The time when the application was started on the endpoint device. Displayed in the timezone set in LogAn. |
|
Endpoint device |
The name of the computer. |
|
Action |
Application start or stop. |
|
Hash |
The application hash. |
|
Application |
The name of the application that was started or stopped. |
|
Version |
The application version. |
|
Subject |
The certificate owner. |
|
Issuer |
The issuer of the application's certificate. |
|
Process ID |
The process ID (PID) of the application. |
|
User |
The user who started the application. |
|
Command line |
The command used to start the application. |
Click Show to open a window with the details for the application log record.
Click Add to incident to add the log record to the incident information.
By clicking Export as CSV, the administrator can save the filtered log data in a .csv file for subsequent analysis.
Endpoint Hardware Log
The endpoint hardware log (Endpoint hardware) shows information about devices connected to UGC managed devices.
To assist in finding the events of interest, the records can be filtered by various criteria.
In addition, LogAn provides an advanced search mode where you can create complex search filters using a specialized query language whose syntax is described later in the Advanced Search Mode section.
You can save the configured filter by clicking Save as. The saved filter will be available in the Favorite filters tab.
The administrator can select the columns that will be logged. Для этого необходимо навести указатель мыши на название любого столбца, нажать на появившуюся справа от названия столбца, нажать на появившуюся справа от названия столбца стрелку, выбрать Столбцы и в появившемся контекстном меню выбрать необходимые параметры.
The endpoint hardware log shows the following information:
|
Name |
Description |
|---|---|
|
Node |
The endpoint device ID. |
|
Time |
The date and time when the event was logged. |
|
Endpoint device |
The name of the endpoint device. |
|
Action |
Adding or removing the device. |
|
Device |
The name of the device that was added or removed. |
|
Device ID |
The ID of the added or removed device. |
|
Service |
The drivers used for working with the device. |
Нажатие кнопки Показать позволяет открыть окно с информацией о записи журнала аппаратуры конечных устройств.
Click Add to incident to add the log record to the incident information.
By clicking Export as CSV, the administrator can save the filtered log data in a .csv file for subsequent analysis.