The administrator can examine logs from a previously generated log file. This makes it possible to review security threats and pattern anomalies that occurred in the past, before SmartEvent was installed. You can investigate threats such as unauthorized scans targeting vulnerable hosts, unauthorized logins, denial of service attacks, network anomalies, and other host-based activity.
The administrator can review logs from a specific timeframe in the past and focus on deploying resources on threats that have been active but may have been missed (for example, new events which may have been dynamically updated can now be processed over the previous period).
To detect suspicious logging activity (suspicious according to the Event Policy on the SmartEvent GUI > Policy tab), run the offline log file through the Correlation Unit.
The settings for generating Offline logs are in: SmartEvent GUI client > Policy tab > General Settings > Initial Settings > Offline Jobs, connected to the Security Management Server or Multi-Domain Server.
The settings are:
SmartEvent Correlation Unit: The machine that reads and processes the Offline Logs.
Log Server: The machine that contains the Offline Log files. SmartEvent makes a query to this Log Server to find out which log files are available.
Log File: A list of available log files found on the selected Log Server. These log files are processed by the SmartEvent Correlation Unit. In this window, select the log file from which to retrieve historical information.
By default, you can import offline logs from the last 1 day. To import more days of logs, change the log indexing settings.
To change log indexing settings:
Note - Do this to make it possible to import logs that are older than 1 day before the SmartEvent Server was installed.
# evstop
# $INDEXERDIR/log_indexer -days_to_index <days>
<days> is the last number of days of logs to be indexed by the SmartEvent Server. For example, to import and index logs from the last 30 days, give a value of 30.
Note - To decrease the performance effect while you index the offline logs, import only the necessary number of days of logs.
# evstart
To allow the SmartEvent Server to index offline log files:
Copy <log file name>.log* to $FWDIR/log. Copy the files to the Log Server that sends logs to the SmartEvent Server.
To run SmartEvent offline jobs for multiple log files, see: sk98894.