Export Large Sums of Logs to CSV or PDF File

The following article describes how to export large sums of logs, i.e. log quantities greater than the first page of results, from the Alert Logic® console into .csv or .pdf files.

Note: OmniBox log search is only available for customers with Alert Logic Cloud Defender or Log Manager entitlements.

Solution

Note: The limit for OmniBox export is 200,000 lines for a .csv file and 20,000 lines for a .pdf file. The limit for MDR export is CSV-only and is limited to 10,000 lines. The Alert Logic console will prompt you to make a saved search to save the full result within the console.

Note: Long search periods will need to be broken into individual sections such as quarters or months to keep the results below 10,000 lines for export.

Improved Log Search Instructions

1. Within the Alert Logic console, navigate to the Log Search page.
   
   Alert Logic Essentials, Professional, or Enterprise customers can find this at the main menu () > Investigate > Search > Log Search.
   
   Alert Logic Cloud Defender or Log Manager customers can find it at Search > Log Search BETA.
   
   
2. Create your desired log query either by typing logical operators into the search bars or utilizing Search Assistant. Set your desired time frame by clicking on the down arrow next to "last hour." For information on using the Log search bar, see the Search: Log Messages documentation.
   
   
3. Run the search by clicking Search, and then click the down arrow to the right of Search > Save and Schedule Search.
   
   
   
   
4. A side bar will appear, within which you must name your search and create a schedule for it. Click Save to confirm that your search has been saved.
   
   
5. Access your newly saved search by clicking on the Saved Searches button at the top right of the page. You can then search for your newly created Saved Search.
   
   
6. You will see the Name, Description, and Group that the Saved Search resides in, along with the Scheduled Search Result. Click on the schedule to see all previous runs of this search to either view or export the results. 

All of your newly saved search results will be exported to a downloadable CSV file.

OmniBox Log Search Instructions

Note: OmniBox log search is only available for customers with Cloud Defender or Log Manager entitlements.

To download more than the first page of log message results of a search query, you will need to create a Saved View.

1. Within the Alert Logic console, click Search in the main menu.
   
   
2. Click Log Messages in the submenu.
   
   
3. Create the log search query, which can include desired dates, message types, tokens, and contexts. Once you're done creating the search query, click on the star icon to save the view.
   
   
   
   
4. A form titled Add new Saved view displays. Name your Saved view, select any applicable groups, and choose who to share the view with. Once you've completed the form, click Create new view.
   
   
   
   
5. To access your newly created saved view, click on the bookmark icon and find the view you just saved. You can type the name of the view into the search bar on the right-hand side of the page if necessary.
   
   
   
   
6. Once you have found and clicked on your desired saved view, click Add schedule.
   
   
   
   
7. Under the Options section, select the Generate PDF check box and/or the Send documents as email attachments check box associated with "When complete generate .csv and:" as needed.
   
   - If neither check box is selected, a .csv file is generated when the report is run and can be accessed by clicking the Show schedules list option for your saved view. (This option is shown in the image above.  
   
   - If only the Generate PDF check box is selected, both a .csv file and a .pdf file are generated when the report is run. These files can also be accessed by clicking the Show schedules list option.
   
   - If both the Generate PDF check box and the Send documents as email attachments check box are selected, both a .csv file and a .pdf file are generated when the report is run, and both files are sent to you as attachments in an email notification.
   
   
   
   
8. Under the Scheduling section, select the time frame in which to run the saved view. Your options for running the report include just once immediately, once at a later date and time of your choosing, or on a recurring basis of your choosing.
   
   
9. Click Add new schedule to schedule your saved view report to be run.

When your saved view report has been run, you will receive an email from the Alert Logic Notification service with the .csv and/or .pdf file attachments that you requested, as well as links to the files stored in the Alert Logic console.