The following information is available about the log messages:
Processed Timestamp: The date when SSB received the log message in YEAR-MONTH-DAY HOUR:MINUTE:SECOND format.
Timestamp: The timestamp received in the message — the time when the log message was created in YEAR-MONTH-DAY HOUR:MINUTE:SECOND format.
Facility: The facility that sent the message.
Priority: The priority value of the message.
Program: The application that created the message.
Pid: The program identifier of the application that created the message.
Host: The IP address or hostname of the client that sent the message to SSB.
Message: The text of the log message.
Tag: Tags assigned to the message matching certain pattern database rules.
Id: Unique ID of the message.
classifier.rule_id: ID of the pattern database rule that matched the message.
classifier.class: Description of the pattern database rule that matched the message.
Dynamic columns, created from additional name-value pairs, might also be available.
You can use wildcards and boolean expressions, and search specific parts of the log messages collected on SSB.
|
NOTE:
When searching log messages, the capabilities of the search engine depend on the delimiters used to index the particular logspace. By default, the indexer uses the following delimiter characters to separate the message into words (tokens): & : ~ ? ! [ ] = , ; ( ) ' ". For details on how to configure the delimiters used for indexing, see "Creating logstores" in the Administration Guide. |
|
NOTE:
It is not possible to search for the whitespace ( ) character in the MESSAGE part of the log message, since it is a hard-coded delimiter character. |
The following sections provide examples for different search queries:
For examples of exact matches, see Searching for exact matches and using complex queries.
For examples of using boolean operators to combine search keywords, see Combining search keywords.
For examples of wildcard searches, see Using wildcard searches.
For examples of searching for special characters, see Searching for special characters.
For examples of searching in a specific part of the message, see Searching in a specific part of the message.
For examples of searching name-value pairs, see Searching the name-value pairs of the message.
By default, SSB searches for keywords as whole words in the MESSAGE part of the log message and returns only exact matches.
Search expression | example |
Matches |
example Example EXAMPLE |
Does not match |
examples example.com query-by-example exam |
You can use boolean operators - AND, OR, and NOT - to combine search keywords. Note that the boolean operators are case sensitive, and must be in all caps. More complex search expressions can also be constructed with parentheses.
Search expression | keyword1 AND keyword2 |
Matches | (returns log messages that contain both keywords) |
Search expression | keyword1 OR keyword2 |
Matches | (returns log messages that contain at least one of the keywords) |
Search expression | keyword1 AND NOT keyword2 |
Matches | (returns log messages that contain only keyword1) |
To search for expressions that can be interpreted as boolean operators (for example: AND), use the following format: message:AND.
Use parentheses to create more complex search expressions:
Search expression | (keyword1 OR keyword2) AND keyword3 |
Matches | (returns log messages that contain either keyword1 and keyword3, or keyword2 and keyword3) |
You can use the ? and * wildcards in your search expressions.
The ? (question mark) wildcard means exactly one arbitrary character. Note that it does not work when trying to find non-UTF-8 or multibyte characters. If you want to search for these characters, the expression ?? might work, or you can use the * wildcard instead.
Search expression | example? |
Matches |
example1 examples |
Does not match |
example.com example12 query-by-example example? |
Search expression | ?example? |
Matches |
1example2 |
Does not match |
example.com example12 query-by-example |
Search expression | example?? |
Matches |
example12 |
Does not match |
example.com example1 query-by-example |
The * wildcard means 0 or more arbitrary characters. It finds non-UTF-8 and multibyte characters as well. Wildcard characters also work in any message part, for example, program:postfix*.
Search expression | example* |
Matches |
example examples example.com |
Does not match |
query-by-example example* |
Search expression | *example |
Matches |
example query-by-example |
Does not match |
example.com example12 |
Search expression | *example* |
Matches |
example query-by-example example.com example12 |
Wildcard characters can be combined.
Search expression | ex?mple* |
Matches |
example1 examples example.com exemple.com example12 |
Does not match |
exmples query-by-example |
To search for the question mark (?), asterisk (*), backslash (\) or whitespace ( ) characters, you must prefix these characters with a backslash (\). Any character after a backslash is handled as a character to be searched for.
|
NOTE:
Delimiter characters are an exception to the rule. It is not possible to search for delimiter characters, even when they are prefixed. |
To search for a special character, use a backslash (\).
Search expression | example\? |
Matches |
example? |
Does not match |
examples example1 |
To search for the backslash character, use two backslashes (\\).
Search expression | C:\\Windows |
Matches |
C:\Windows |
Search expression | nvpair:path=C:\\Program\ Files |
Matches |
C:\Program Files |
You can search in a specific part of the message using the <type>: prefix. The message: (or msg:) prefix means the message part and can be omitted. For example, use the program: prefix to search for the name of an application, or use the host: prefix to search for a host name, and so on.
Search expression | program:syslog-ng |
Matches | All log messages from the syslog-ng application. |
You can search the structured data part of log messages using the nvpair: prefix. Use the = delimiter to separate the name and the value of structured data parameters, and remove the quote marks from the values.
Search expression | nvpair:.sdata.win@18372.4.event_type=Alert |
Matches |
All log messages where there is a win@18372.4 element with the event_type="Alert" parameter. For example: [win@18372.4 EVENT_TYPE="Alert"] |
You can use the asterisk (*) wildcard to broaden the search to all structured data elements.
Search expression | nvpair:*event_type=Alert* |
Matches | All log messages where the "event_type" name has the "Alert" value. |
To search for a specific name, add the "=" character after the name.
Search expression | nvpair:*event_type=* |
Matches | All log messages where an "event_type" name exists. |
To search for a specific value, add the "=" character before the value.
Search expression | nvpair:*=Alert |
Matches | All log messages where a name has the "Alert" value. |
|
NOTE:
SSB only indexes the first 59 characters of every name-value pair (parameter). This has two consequences:
|
To decrease the load on SSB when searching and receive your search results faster, note the following points.
By default, you cannot browse encrypted logstores from the SSB web interface, because the required decryption keys are not available on SSB. To make browsing and searching encrypted logstores possible, SSB provides the following options:
Use persistent decryption key(s) for a single user.
For details, see Using persistent decryption keys.
Use decryption keys for the duration of the user session only.
For details, see Using session-only decryption keys.
Assign decryption keys to a logstore (making them available to every SSB user). This option might raise security concerns.
For details, see Assigning decryption keys to a logstore.
|
NOTE:
Do not use SSB's own keys and certificates for encrypting or decrypting. |
One Identity recommends:
Using 2048-bit RSA keys (or stronger).
Using the SHA-256 hash algorithm (or stronger) when creating the public key fingerprint.
You can upload decryption keys and bind them to your account. The decryption keys are stored on SSB, but they are only made available for this user account, and can also be protected (encrypted) with a passphrase.
To use persistent decryption keys
Select User menu > Private keystore. A pop-up window is displayed.
Select Permanent > , then select Certificate >
. A pop-up window is displayed.
Figure 139: User menu > Private keystore — Adding decryption keys to the private keystore
Paste or upload the certificate used to encrypt the logstore.
Select Key > . A pop-up window is displayed.
Paste or upload the private key of the certificate used to encrypt the logstore.
Repeat Steps 2-5 to upload additional keys if needed.
Select Security passphrase > Change, and enter a passphrase to protect the private keys.
Figure 140: User menu > Private keystore — Securing the private keystore with a passphrase
Click Apply.
© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy