The Alert Logic® console uses OmniBox to search log messages. This article introduces the OmniBox features, shows how to use OmniBox to find the log messages you are looking for, and explains how to use and save common search queries.
The OmniBox can be found within the Alert Logic console in Search from the main menu, under the Log Messages sub-menu section.
Note: The following information applies only to customers with Alert Logic® Cloud Defender™ or Alert Logic Log Manager™ entitlements.
OmniBox Search Features
The OmniBox has several features that customers can take advantage of in order to run various searches for log messages. This section gives you an overview of each feature and what it can be used for.
The date bar offers several ways to search and sort log messages by date.
Date bar features include:
- BETWEEN drop-down menu. This allows you to quickly choose a time frame that log messages were generated between.
- Date field boxes. These show you the exact dates and times of log messages that the search will run. The dates will change as you choose the BETWEEN parameters to their left.
- Sort icon drop-down menu. This lets you choose the display order of the log messages returned by a completed search. The available options are listed here in the order in which they appear in the drop-down menu in the Alert Logic console and in the picture below. They include:
Message Type Bar
The message type bar is most often used to restrict a search to one message type, but it can also be used on its own.
Message type bar features include:
- NO FILTER drop-down menu. This allows you to choose a single message type for a search to return. The available filter options include:
The message bar allows you to include or exclude specific search terms from the log message query.
Bottom Icon Bar
The icon bar at the bottom of the OmniBox includes several more options for customizing your log message search.
The bottom icon bar features include:
- Save View icon. With this icon, you can save your current log search parameters for quick access later.
- Available Saved Views icon. This allows you to apply and run pre-built log searches.
- Context Map icon. With this icon, you can easily search for log types by context.
- Edit Query icon. This allows you to import or export log queries in JSON format.
- Reset Query icon. This allows you to reset the query to the default or to the previously loaded specifications.
- Reset to Default icon. This allows you to reset the query to default.
- Export Log Messages icon. This allows you to export currently shown log messages in CSV format.
- Options icon. With this icon, you can make changes to display options and settings.
Using OmniBox Search
To understand all of the capabilities of the OmniBox search function, start by running a default log search. Use the BETWEEN drop-down menu to specify a time frame and click the magnifying glass icon to start the search. Depending on the number of log messages collected in your environment, this can take a moment.
Log Message Tokens
A search will generate several gray tokens, which are values pulled from the log messages.
You can use these tokens to quickly change the search parameters of your log message query. Clicking a token adds it to the OmniBox search bar.
Now that a token has been added to the search parameters, you have options in the IS drop-down menu that you can use to further define your search query. This drop-down menu allows you to quickly search for a specific log message type by choosing IS or to exclude a specific type of log message from a search by choosing IS NOT.
You can specify several parameters for a search query by clicking on any of the tokens available. The token will be added to the query just as in the log message type example above.
You have the option to include search terms in your OmniBox search query via the text box.
The text box begins returning intelligent suggestions as soon as you start typing. These suggestions are based on log types, fields, IP addresses, host names, and other values present in the log messages. This feature is very dynamic and should return suggestions as long as something in your environment matches or is close to what you enter into the text box.
Aggregate All Logs Associated to Successful SSH Logins Within the Past 24 Hours
Follow the steps below to run a search query that will aggregate all logs associated to successful SSH logins within the past 24 hours:
- From the Date bar, click Between to open the drop-down menu and choose Last 24 Hours.
- Add the log source and choose the No Filter operator. Aggregate the search term.
- Add the message type and use the In filter options, which tells the search to include any log with the message type. Aggregate the search term.
- Add the user name and use the No Filter operator. Aggregate the search term.
- Add the Src Host and use the No Filter operator. Aggregate the search term.
- Add the Src Port and use the No Filter operator. Aggregate the search term.
- Add the message and set the search term to count the number of messages if this has not already been done automatically.
When complete, the search should look like the screenshot below:
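The procedure above builds a search that keeps only logs from the last 24 hours whose message type is in the chosen set, groups them by log source, message type, user name, source host and source port, and counts the messages in each group. The following Python function is an added example of that same aggregation, not part of the article or of the Alert Logic product; the field names, the "SSH Login Success" message type value, the fixed "now" timestamp and the sample records are all constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "now" so the 24-hour window is reproducible (constructed for the example).
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)

# Constructed sample records using the search-term names from the article:
# Log Source, Message Type, User Name, Src Host, Src Port, Message.
# The message type strings are assumed values, not the console's real ones.
SAMPLE_RECORDS = [
    {"time": NOW - timedelta(hours=1), "log_source": "web01", "message_type": "SSH Login Success",
     "user_name": "alice", "src_host": "10.0.0.5", "src_port": 51422,
     "message": "Accepted publickey for alice from 10.0.0.5 port 51422 ssh2"},
    # Same user, host and (reused) source port three hours ago: lands in the same group.
    {"time": NOW - timedelta(hours=3), "log_source": "web01", "message_type": "SSH Login Success",
     "user_name": "alice", "src_host": "10.0.0.5", "src_port": 51422,
     "message": "Accepted publickey for alice from 10.0.0.5 port 51422 ssh2"},
    {"time": NOW - timedelta(hours=5), "log_source": "db01", "message_type": "SSH Login Success",
     "user_name": "bob", "src_host": "10.0.0.7", "src_port": 51500,
     "message": "Accepted password for bob from 10.0.0.7 port 51500 ssh2"},
    # Thirty hours old: outside "Last 24 Hours", so it must not be counted.
    {"time": NOW - timedelta(hours=30), "log_source": "web01", "message_type": "SSH Login Success",
     "user_name": "alice", "src_host": "10.0.0.5", "src_port": 51600,
     "message": "Accepted publickey for alice from 10.0.0.5 port 51600 ssh2"},
    # A failed login: excluded by the Message Type IN filter.
    {"time": NOW - timedelta(hours=1), "log_source": "web01", "message_type": "SSH Login Failure",
     "user_name": "root", "src_host": "203.0.113.9", "src_port": 40011,
     "message": "Failed password for root from 203.0.113.9 port 40011 ssh2"},
]

DEFAULT_GROUP_FIELDS = ("log_source", "message_type", "user_name", "src_host", "src_port")


def aggregate_ssh_logins(records, now=NOW, window_hours=24,
                         message_types=("SSH Login Success",),
                         group_fields=DEFAULT_GROUP_FIELDS):
    """Return {group-key tuple: message count} for records inside the time window
    whose message type is IN message_types, grouped by group_fields.

    Steps mirror the article's procedure: BETWEEN (time window), Message Type IN,
    then the remaining terms aggregated, with Message counted per group.
    """
    start = now - timedelta(hours=window_hours)
    counts = Counter()
    for rec in records:
        if not (start <= rec["time"] <= now):          # BETWEEN: Last 24 Hours
            continue
        if rec["message_type"] not in message_types:   # Message Type IN (...)
            continue
        key = tuple(rec[field] for field in group_fields)
        counts[key] += 1                               # Message: count
    return dict(counts)


def aggregate_rows(records, **kwargs):
    """Same result as aggregate_ssh_logins, as a list of rows sorted by count (descending)."""
    counts = aggregate_ssh_logins(records, **kwargs)
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for key, count in aggregate_rows(SAMPLE_RECORDS):
        print(count, *key)
```

Grouping on the source port gives one row per connection unless a port is reused, as in the constructed data; passing a shorter `group_fields` tuple (for example without `src_port`) collapses the rows per user and host, which is often the view a reviewer wants first.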
There are many different search terms within a log message to pivot your search around when creating an OmniBox search query.
The search terms below are some of the most common and useful for starting general OmniBox search queries. There are many additional search terms, and as you create your query, you can begin to use these terms to refine the query to exactly the logs you're looking to review.
- Message. This search term searches the log message as plain text.
- Log source
- Message Type
- User Name
- Src Host and Dst Host
- Src Port and Dst Port
- Log Event Type
- Windows Event ID
- Error Code
When using search terms, you may also include a filter option. Filter options work much like the operators in an SQL query in that they refine the search term's results.
To see the filter options for a search term, type the term into the text box and add it to the OmniBox search. It appears as its own bar, similar to the Date and Message Type bars that are always present in the OmniBox.
Depending on the search term, the bar may appear red or gray. Each search term provides its own set of filter options. The available filter options are extensive and may include:
- IS. The entire content within the search must match the value provided by the user to be included in the search results. This search will return log messages where the message content matches the exact string value input by the user.
- IS NOT. The entire content within the search must not match the value provided by the user to be included in the search results. This search will return log messages where the message content does not match the string value at all.
- CONTAINS ALL. The content within this search must include the string value(s) provided by the user in the log message's content to be included in the search results. This search will return log messages where the message content includes the entire string value(s).
- EXCLUDES ALL. The content within the search must not include the string value(s) provided by the user in the log message's content to be included in the search results. The search will return log messages where the message content does not include the entire string value(s).
- IN. The content within this search must include at least one of the string values provided by the user. The search will return logs where the content matches at least one of the string values provided.
- NOT IN. The content within this search must not include any of the values provided by the user. The search will return logs where the content does not match any of the string values provided.
- CONTAINS ANY. The content within this search may include any one, all, or a subset of the string values provided by the user. The search will return log messages where the message content contains at least one of the string values provided.
- EXCLUDES ANY. The content within the search may not include any of the values provided by the user. The search will return log messages where the message content does not contain any of the string values provided.
- LIKE. This can use two wildcard symbols: the percent sign (%) and the underscore (_). The percent sign represents zero, one, or multiple characters, while the underscore represents exactly one character in the string value. Both wildcards may be used in combination.
- NOT LIKE. Like LIKE above, this can use two wildcards, the percent sign (%) and the underscore (_), and returns the log messages that LIKE would exclude. Both wildcards may be used in combination.
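The operator definitions above are easiest to check against concrete messages. The Python below is an added example that models each filter option as a predicate over a field's text and runs it against a few constructed log lines; it is not code from the article or from the Alert Logic product, and where the definitions leave room for interpretation it states the reading it uses: EXCLUDES ALL is the negation of CONTAINS ALL (at least one value missing), EXCLUDES ANY is the negation of CONTAINS ANY (no value present), and IN/NOT IN compare the whole field value against the list rather than searching for substrings. The LIKE translation escapes every non-wildcard character, so a `.` or `[` in the pattern matches literally, as a SQL-style LIKE would.

```python
import re
from typing import List

# Constructed sample log messages (not taken from any console).
SAMPLE_LOGS = [
    "sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51422 ssh2",
    "sshd[1202]: Failed password for invalid user admin from 203.0.113.9 port 40011 ssh2",
    "sshd[1203]: Accepted password for bob from 10.0.0.7 port 51500 ssh2",
    "sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls",
]


def like_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a LIKE pattern into a compiled regex.

    % matches zero or more characters, _ matches exactly one character; every other
    character is regex-escaped so that '.', '[' and similar match literally.
    The caller uses fullmatch(), so the whole field value must fit the pattern.
    """
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def apply_filter(op: str, content: str, values: List[str]) -> bool:
    """Return True if `content` (one field's text, or the whole message) passes the filter."""
    op = op.upper()
    if op == "IS":
        return content == values[0]
    if op == "IS NOT":
        return content != values[0]
    if op == "CONTAINS ALL":
        return all(v in content for v in values)
    if op == "EXCLUDES ALL":            # interpretation: not (CONTAINS ALL)
        return not all(v in content for v in values)
    if op == "IN":                      # interpretation: whole value equals one of the list
        return content in values
    if op == "NOT IN":
        return content not in values
    if op == "CONTAINS ANY":
        return any(v in content for v in values)
    if op == "EXCLUDES ANY":            # interpretation: not (CONTAINS ANY)
        return not any(v in content for v in values)
    if op == "LIKE":
        return like_to_regex(values[0]).fullmatch(content) is not None
    if op == "NOT LIKE":
        return like_to_regex(values[0]).fullmatch(content) is None
    raise ValueError(f"unknown filter option: {op}")


def search(logs: List[str], op: str, values: List[str]) -> List[str]:
    """Apply one filter option to the Message term of every log line."""
    return [line for line in logs if apply_filter(op, line, values)]


if __name__ == "__main__":
    for op, values in [("CONTAINS ALL", ["Accepted", "alice"]),
                       ("EXCLUDES ANY", ["sshd"]),
                       ("LIKE", ["sshd[____]: Accepted % from 10.0.0._ port %"])]:
        print(op, values)
        for line in search(SAMPLE_LOGS, op, values):
            print("   ", line)
```

The EXCLUDES ALL versus EXCLUDES ANY distinction is the one most often misread: with the values `["Accepted", "bob"]`, EXCLUDES ALL keeps every line that is missing at least one of the two, while EXCLUDES ANY keeps only lines containing neither.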
Use an Available Saved View
OmniBox comes pre-loaded with several pre-saved views for common log searches. You can access these by clicking on the Available Saved Views icon in the bottom icon bar. Click All to see a list of all of the available saved view groups.
Once you've selected a saved view group and the saved view you'd like to use, you have the option to either load the view immediately into the search or to add it to your schedule to be run on a date that you set. If you schedule the search to be run later, the results will be delivered to you via email.
Save a View You Created
Any search parameters that you create can be saved under the Available Saved Views icon alongside the pre-created saved views. This gives you quick access to the log results you want.
When your desired search parameters are loaded into the OmniBox, click the Save view star icon in the bottom icon bar. Give the view a name and select a group or groups to categorize the view into.
You can choose who the saved view will be shared with. Alert Logic strongly recommends that you do not choose the No one option. If you choose No one, nobody in your company, and no Alert Logic support staff or analysts, will be able to access the view. It is recommended that you at least choose the Others in my company option.
Once you've named, categorized, and shared your saved view, click Create new view. Your view will now appear in the appropriate group and be accessible via the Available Saved Views icon.