
Importing Offline Log Files

The administrator can examine logs from a previously generated log file. This makes it possible to review security threats and pattern anomalies that occurred in the past, before SmartEvent was installed. You can investigate threats such as unauthorized scans targeting vulnerable hosts, unauthorized logins, denial of service attacks, network anomalies, and other host-based activity.

The administrator can review logs from a specific timeframe in the past and focus resources on threats that were active but may have been missed (for example, event definitions that were added or updated since then can now be applied to that earlier period).

Offline Work For Correlated Events

To detect suspicious activity in the logs (suspicious according to the Event Policy in the SmartEvent GUI > Policy tab), run the offline log file through the Correlation Unit.

The settings for generating offline jobs are in: SmartEvent GUI client > Policy tab > General Settings > Initial Settings > Offline Jobs, with the client connected to the Security Management Server or Multi-Domain Server.

The settings are:

Importing Log Files from SmartEvent Servers

By default, you can import offline logs from the last 1 day. To import more days of logs, change the log indexing settings.

To change log indexing settings:

Note - Do this to make it possible to import logs older than 1 day, from before the SmartEvent Server was installed.

  1. Run: # evstop
  2. Run: $INDEXERDIR/log_indexer -days_to_index <days>

    <days> is the number of most recent days of logs that the SmartEvent Server indexes. For example, to import and index logs from the last 30 days, give a value of 30.

    Note - To reduce the performance impact while you index the offline logs, import only the number of days of logs that you need.

  3. In the Logs > Storage page of the SmartEvent Server, make sure that Delete Index files older than is not selected, or is selected with a number of days equal to or larger than the value configured in days_to_index.
  4. Run: # evstart

To allow the SmartEvent Server to index offline log files:

  1. Copy the log files and their related pointer files (<log file name>.log*) to $FWDIR/log on the Log Server that sends logs to the SmartEvent Server.
  2. Optional: Run the Offline Work for Correlated Events procedure for each log file. This runs the log files through the Correlation Unit for correlation analysis according to the Event Policy (defined in the SmartEvent GUI client).

    To run SmartEvent offline jobs for multiple log files, see: sk98894.
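The two procedures above as one added shell example (not Check Point's own tooling): it validates the days_to_index value, applies the step 3 retention check before re-indexing, stages a log file together with its pointer files into $FWDIR/log, and wraps evstop / log_indexer / evstart. $INDEXERDIR, $FWDIR, evstop and evstart are taken from this page; the retention argument (0 meaning Delete Index files older than is not selected) and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not Check Point's own tooling. Assumes $INDEXERDIR and
# $FWDIR are set as on a SmartEvent Server; "retention" mirrors the
# "Delete Index files older than" setting (0 = not selected). DRY_RUN=1
# prints the evstop/log_indexer/evstart commands instead of running them.

# <days> for -days_to_index must be a positive integer.
valid_days() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
    return 0
}

# Step 3: index retention must be off (0) or at least days_to_index,
# otherwise the newly indexed files are deleted again.
retention_ok() {
    [ "$2" -eq 0 ] || [ "$2" -ge "$1" ]
}

# Stage <name>.log and its pointer files (<name>.log*) from a source
# directory into the Log Server's $FWDIR/log. Prints the number copied.
stage_log_files() {
    src=$1; name=$2; dest=$3; n=0
    for f in "$src/$name".log*; do
        [ -f "$f" ] || continue
        cp -p "$f" "$dest/" && n=$((n + 1))
    done
    echo "$n"
}

# Steps 1, 2 and 4: stop SmartEvent, re-index the last <days>, start it.
reindex() {
    days=$1; retention=$2
    valid_days "$days" || { echo "days_to_index must be a positive integer" >&2; return 1; }
    retention_ok "$days" "$retention" || { echo "index retention ($retention days) is shorter than $days days" >&2; return 1; }
    run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }
    run evstop &&
    run "$INDEXERDIR/log_indexer" -days_to_index "$days" &&
    run evstart
}
```

Run stage_log_files on the Log Server and reindex on the SmartEvent Server; with DRY_RUN=1 reindex only prints the commands it would run.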