Queries

Queries are the most powerful feature of Sentinel Log Manager. Queries are used to:

- Search for event data
  - Searches both online data and archived data
  - Powerful for forensics and research
- Queries can be saved as reports
- Lucene Query Language
  - Based on Lucene indexes
  - (to be reviewed in depth later in this session)
- Queries can be basic or advanced

Novell Inc. All rights reserved

Lucene Overview

Open source software: http://lucene.apache.org/
Provides scalable, high-performance indexing
Provides powerful, proven, accurate and efficient search algorithms:
- ranked searching: best results returned first
- many powerful query types: phrase queries, wildcard queries, proximity queries, range queries and more
- fielded searching (e.g., title, author, contents)
- date-range searching
- sorting by any field
- multiple-index searching with merged results
- allows simultaneous update and searching


Lucene Syntax Review

Lucene provides powerful text-based search on the event files.
- Works on words
- A fielded search takes the form <field tag>:search string
- Lucene has several keywords: AND, OR (the default operator), NOT
  - These must be in UPPERCASE in the query; a lowercase "and" or "not" is treated as an ordinary search term, so the query silently becomes a different search
- Appendix: Apache Lucene Query Parser Syntax

Instructor-led review of Lucene Query Syntax


Event Fields and Short Names

Log Manager offers a long list of fields for event querying.
- Event fields have full names and short tags
- Only the short tags can be used in queries
- See the Search Tips link
- Review with instructor


Basic Queries

A basic search runs against all of the event fields (no tag is given in the query).

Need for time synchronization:
- UTC time should be synchronized for queries to function properly
- Synchronization across the client running the query, the server and the event sources is required: an event source whose clock is off is stored with a wrong timestamp and falls outside the time window the query asks for

Basic search example walk-through


Basic Search


Advanced Queries

Advanced queries are built using the search refinement panel:
- You can pick specific / additional fields
- Sorting method
- Uses AND to append additional conditions
- Top 10 or bottom 10 unique values can be drilled down to


Refining Queries

Refine a Query

Working with Query Results

Basic Event View
Event Details View
- Details link
- Extended Information link
- Raw Data link

Results can be exported in zipped CSV format
Results can be sent to an action
Queries can be saved as reports
- Need to specify a template name
- Provided parameters


Lab Exercise

Executing a basic query and reviewing the results:
- Change the landing page to sev:[0 TO 5] and the last hour
- Create a query for the word root with no time limits
- Create a query where product name is not Generic Event Collector
- Building on that query, add event name is unsupported event
- Building on that query, also add event name is collector message
- Export the results

Advanced query exercise
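As an added worked example for the Lucene syntax review and the lab queries above (this is illustrative code written for this page, not part of the original deck and not Sentinel Log Manager's or Lucene's own implementation), the following Python script implements a small evaluator for the subset of Lucene query syntax the lab uses: tagged and untagged terms, quoted phrases, inclusive [lo TO hi] ranges, wildcards, parentheses, and the UPPERCASE operators AND, OR and NOT with OR as the default operator. It runs over constructed sample events. Only the sev tag is taken from the lab; evt (event name), pn (product name) and msg (message) are assumed tag names. The evaluator deliberately simplifies: there is no ranking, no analyzer stemming, and NOT acts as a plain filter, whereas in Lucene a query consisting only of prohibited clauses matches nothing.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample events, not real Sentinel Log Manager data. Only the "sev" tag
# comes from the lab; "evt" (event name), "pn" (product name) and "msg" (message)
# are assumed tag names used for illustration.
EVENTS = [
    {"id": 1, "sev": 1, "evt": "Login", "pn": "Linux Audit", "msg": "session opened for user root by sshd"},
    {"id": 2, "sev": 3, "evt": "Unsupported Event", "pn": "Generic Event Collector", "msg": "unparsed line from web01"},
    {"id": 3, "sev": 5, "evt": "Collector Message", "pn": "Generic Event Collector", "msg": "collector restarted"},
    {"id": 4, "sev": 0, "evt": "File Access", "pn": "Windows Security", "msg": "Administrator read C:\\secrets and left"},
    {"id": 5, "sev": 4, "evt": "Login", "pn": "Linux Audit", "msg": "ROOT login failed from 10.0.0.7"},
    {"id": 6, "sev": 2, "evt": "Unsupported Event", "pn": "Linux Audit", "msg": "line not parsed"},
]

# One token per parenthesis, range "[a TO b]", quoted phrase or bare word, each
# optionally prefixed with a field tag such as "sev:".
TOKEN_RE = re.compile(r'\(|\)|(?:\w+:)?(?:\[[^\]]*\]|"[^"]*"|[^\s()"]+)')

def words(value):
    # Lowercase word tokens of a field value, as an index would store them.
    return re.findall(r"\w+", str(value).lower())

def field_values(event, field):
    # A tagged clause looks at one field; an untagged (basic) clause looks at all of them.
    return list(event.values()) if field is None else [event[field]] if field in event else []

def term_match(event, field, pattern):
    # Whole-word, case-insensitive match; "*" and "?" in the term act as Lucene wildcards.
    return any(fnmatchcase(w, pattern) for v in field_values(event, field) for w in words(v))

def phrase_match(event, field, pw):
    # A quoted phrase must appear as consecutive words in the field.
    return any(ws[i:i + len(pw)] == pw
               for ws in map(words, field_values(event, field))
               for i in range(len(ws) - len(pw) + 1))

def range_match(event, field, lo, hi):
    # "[lo TO hi]" is inclusive and compared numerically, which is all the lab's sev range needs.
    nums = [float(v) for v in field_values(event, field) if re.fullmatch(r"-?\d+(\.\d+)?", str(v))]
    return any(float(lo) <= n <= float(hi) for n in nums)

def clause(tok):
    # Compile one token (optionally tagged) into a predicate over an event.
    m = re.match(r"^(\w+):(.+)$", tok, re.S)
    field, body = (m.group(1), m.group(2)) if m else (None, tok)
    if body.startswith("[") and body.endswith("]"):
        lo, _, hi = body[1:-1].partition(" TO ")
        return lambda e: range_match(e, field, lo.strip(), hi.strip())
    if body.startswith('"') and body.endswith('"'):
        pw = words(body[1:-1])
        return lambda e: phrase_match(e, field, pw)
    return lambda e: term_match(e, field, body.lower())

class Parser:
    """or := and ((OR | implicit) and)*   and := not (AND not)*   not := NOT not | primary
    Operators are recognised only in UPPERCASE; a lowercase "and" is just another search term."""
    def __init__(self, query):
        self.toks, self.i = TOKEN_RE.findall(query), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of query")
        self.i += 1
        return tok
    def parse_or(self):
        left = self.parse_and()
        while self.peek() not in (None, ")"):
            if self.peek() == "OR":
                self.take()  # explicit OR; any other juxtaposition is the implicit default OR
            left = (lambda l, r: lambda e: l(e) or r(e))(left, self.parse_and())
        return left
    def parse_and(self):
        left = self.parse_not()
        while self.peek() == "AND":
            self.take()
            left = (lambda l, r: lambda e: l(e) and r(e))(left, self.parse_not())
        return left
    def parse_not(self):
        if self.peek() == "NOT":
            self.take()
            inner = self.parse_not()
            return lambda e: not inner(e)
        return self.parse_primary()
    def parse_primary(self):
        tok = self.take()
        if tok != "(":
            return clause(tok)
        inner = self.parse_or()
        if self.take() != ")":
            raise ValueError("missing ')'")
        return inner

def search(query, events=EVENTS):
    # Ids of the events matching a Lucene-style query string, in event order.
    p = Parser(query)
    matches = p.parse_or()
    if p.peek() is not None:
        raise ValueError(f"unexpected token {p.peek()!r}")
    return [e["id"] for e in events if matches(e)]
```

Two behaviours worth checking against the slides: `search("root and admin")` returns events 1, 4 and 5 because the lowercase "and" is a search term and the default operator OR joins the three words (event 4 matches only on the word "and"), while `search("root AND admin")` returns nothing; and AND binds tighter than OR, so `evt:Login OR evt:"File Access" AND sev:[3 TO 5]` is read as `evt:Login OR (evt:"File Access" AND sev:[3 TO 5])` unless you add the parentheses yourself.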
