Importing Offline Log Files

The administrator can examine logs from a previously generated log file. This makes it possible to review security threats and pattern anomalies that occurred in the past, before SmartEvent was installed. You can investigate threats such as unauthorized scans targeting vulnerable hosts, unauthorized legions, denial of service attacks, network anomalies, and other host-based activity.

The administrator can review logs from a specific timeframe in the past and focus on deploying resources on threats that have been active but may have been missed (for example, new events which may have been dynamically updated can now be processed over the previous period).

Offline Work For Correlated Events

To detect suspicious logging activity (suspicious according to the Event Policy on the SmartEvent GUI > Policy tab), run the offline log file through the Correlation Unit.

The settings to generate of Offline logs are in: SmartEvent GUI client > Policy tab > General Settings > Initial Settings > Offline Jobs, connected to the Security Management Server or Multi-Domain Server.

The settings are:

• Add - Configure an Offline Log File procedure.
  • Name - Lets you recognize the specified Offline Line log file for future processing.
  • Comment - A description of the Offline Job.
  • Offline Job Parameters:

    SmartEvent Correlation Unit: The machine that reads and processes the Offline Logs.

    Log Server: The machine that contains the Offline Log files. SmartEvent makes a query to this Log Server to find out which log files are available.

    Log File - A list of available log files found on the selected Log Server. These log files are processed by the SmartEvent Correlation Unit. In this window, select the log file from which to retrieve historical information.

• Edit - Change the parameters of an Offline Log File procedure.
• Remove - Delete an Offline Log File procedure. After you start an Offline Log File procedure you cannot remove it.
• Start - Run the Offline Log File procedure.
• Stop - Stop the Offline Log Files procedure. It does not delete the full procedure, but stops the procedure at the specified point.

Importing Log Files from SmartEvent Servers

By default, you can import offline logs from the last 1 day. To import more days of logs, change the log indexing settings.

To change log indexing settings:

Note - Do this to make it possible to import logs that are older than 1 day before the SmartEvent Server was installed.

1. Run: # evstop
2. Run: $INDEXERDIR/log_indexer -days_to_index <days>

   <days> is the last number of days of logs to be indexed by the SmartEvent Server. For example, to import and index logs from the last 30 days of logs, give a value of 30.

   Note - To decrease the performance effect while you index the offline logs, import only the necessary number of days of logs.

3. In the Logs > Storage page of the SmartEvent Server, Make sure that Delete Index files older than is not selected, or is selected with an equal or larger number of days than configured in days_to_index.
4. Run: # evstart

To allow the SmartEvent Server to index offline log files:

1. Copy the log files and related pointer files <log file name>.log* to $FWDIR/log. Copy the files to the Log Server that sends logs to the SmartEvent Server.
2. Optional: Do an Offline Work for Correlated Events procedure for each log file. This procedure is done to run the log files through the Correlation Unit for correlation analysis according to the Event Policy (defined in SmartEvent GUI client).

   To run SmartEvent offline jobs for multiple log files, see: sk98894.