EventTracker Enterprise Log Search Version 8.x

Publication Date: May 24, 2017

EventTracker Enterprise Log Search

Abstract

This document describes the EventTracker Log Search application and its available features for all v8.x versions. Log Search is a flexible and powerful interface for extracting precise matches from large amounts of data.

Audience

Power users who can formulate effective queries to obtain the most relevant information.

The information contained in this document represents the current view of EventTracker on the issues discussed as of the date of publication. Because EventTracker must respond to changing market conditions, it should not be interpreted to be a commitment on the part of EventTracker, and EventTracker cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. EventTracker MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from EventTracker, if its content is unaltered, nothing is added to the content and credit to EventTracker is provided.

EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from EventTracker, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2017 EventTracker Security LLC. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Table of Contents

Abstract
Audience
Operators
Complex Example Queries
Keyword Indexing
  Keyword Indexer Console
  Index CAB files
  Reset Index
Search Keywords in Event Properties
Search by Event Categories
Basic Search
  Examples for Basic Search
Standard Columns Search
  To view Event Viewer
  Examples for Standard Columns Search
Basic Search in v8.x
Advanced Search
  Examples for Advanced Search
  Advanced search in v8.x
RegEx in Log Search
Log Watch
Pivot Table
Smart Tokens
Limitations
Glossary


Operators

Reserved Operators for Log Search

Column based operators

AND
Performs a logical conjunction on two expressions: result = expression 1 AND expression 2. Used to search a Standard column, a Custom column, or a combination of both.
Example: id:3405 AND Logon Type: 3
  id is a Standard (Event ID) column; Logon Type is a Custom (Event Description) column.
  Details: This query matches the Search Field(s) and returns the matching records that contain both 'Event ID 3405' and 'Logon Type 3'.

OR
Performs a logical disjunction on two expressions: result = expression 1 OR expression 2. Used to search a Standard column, a Custom column, or a combination of both.
Example: id:3405 OR Logon Type: 3
  id is a Standard (Event ID) column; Logon Type is a Custom (Event Description) column.
  Details: This query matches the Search Field(s) and returns the matching records that contain either 'Event ID 3405' or 'Logon Type 3'.

Value based operators

&&
Performs a logical conjunction on two values of the same column: result = expression 1 && expression 2. Used to search values in a Standard column or a Custom column.
Example #1: id:5156 && 3223 (no matching)
  id is a Standard (Event ID) column.
  Details: This query fetches no records, because no event log record carries two Event IDs for the same event. The same applies to any column that holds a single value per record.

||
Performs a logical disjunction on two values of the same column: result = expression 1 || expression 2. Used to search values in a Standard column or a Custom column.
Example: id:5447 || 3406
  id is a Standard (Event ID) column.
  Details: This query matches the Search Field(s) and returns the matching records that contain '5447' or '3406'.

Split operator

:
The colon separates a Standard/Custom column name from its value.
Example: Id: 4656
  Id is a Standard (Event ID) column; : is the separator; 4656 is the value.
  Details: This query matches the Search Field(s) and returns the matching records that contain '4656'.

Range operator

-
Searches a range of values. Applicable only to Event ID (Standard column).
Example: Id: 4000 - 5000
  Id is a Standard (Event ID) column; : is the separator; 4000 - 5000 is the range of values.
  Details: This query matches the Search Field(s) and returns the matching records whose Event ID lies between 4000 and 5000.

Wildcard Characters

*
Matches any character or string. EventTracker Log Search treats * as a placeholder for a word or more than one word. Applicable to all types of search, i.e. Standard and Custom column searches.
Example: id:32*
  id is a Standard (Event ID) column.
  Details: This query matches the Search Field(s) and returns the matching records whose value starts with '32', i.e. 3225, 3226, 3227 etc.

?
Matches a single character. Each ? represents exactly one character. Applicable to all types of search, i.e. Standard and Custom column searches.
Example #1: id:32?0
  id is a Standard (Event ID) column.
  Details: This query matches the Search Field(s) and returns the matching records that contain any single character between '32' and '0', i.e. 3200, 3210, 3220 etc.
Example #2: id:3??0
  id is a Standard (Event ID) column.
  Details: This query matches the Search Field(s) and returns the matching records that contain any two characters between '3' and '0', i.e. 3200, 3210, 3220 etc.

Exact Match
The query returns the records that contain the exact phrase searched for. Applies to Basic Search and Custom column search. Put quotation marks around your search terms.
Use the escape character \ to suppress the special meaning of a reserved operator. For example, in the query Process AND ID the word AND is treated as an operator and Process and ID as two separate strings, whereas the intent was to search for the input as one whole string. Prefix the operator with \ to have it read literally: \AND, \OR, \&&, \||
Example #1: *document \and settings*
Query result:
  Event id: 1002
  Source: Microsoft-Windows-KnownFolders
  Event type: Warning
  Log type: Microsoft-Windows-Known Folders API Service
  Description: Error 0x80070002 occurred while verifying known folder {FDD39AD0-238F-46AF-ADB4-6C85480369C7} with path 'C:\Windows\system32\config\systemprofile\Documents'.


Complex Example Queries

Example Query: Local Port: 3725 || 3727 OR Remote Port: 389 (ldap) || 445 (microsoft-ds)
Output:
  Socket DELETED: Type: TCP Status: Deleted Local Address: web1.toons.local Local Port: 3725 Remote Address: POP1.TOONS.LOCAL Remote Port: 389 (ldap) Connection active time: 105 secs Last known Connection State: TIME_WAIT Process ID: 0 Process Name: [System Process] Image File Name: N/A
  Socket DELETED: Type: TCP Status: Deleted Local Address: web1.toons.local Local Port: 3726 Remote Address: POP1.TOONS.LOCAL Remote Port: 389 (ldap) Connection active time: 105 secs Last known Connection State: TIME_WAIT Process ID: 0 Process Name: [System Process] Image File Name: N/A
  (The second record does not match Local Port: 3725 || 3727; it is returned because of the OR on Remote Port: 389.)

Example Query: Local Port: 2235 && 2866 AND Remote Port: 2967 && 139 (netbios-ssn)
Output: Invalid (no matching). Too many port numbers for Local Port and Remote Port: a single record carries one Local Port and one Remote Port, so && can never match two values of the same column.

Example Query: Local Port: 2235 && 2866 OR Remote Port: 2967 && 139 (netbios-ssn)
Output: Invalid (no matching). Too many port numbers for Local Port and Remote Port, for the same reason.

Example Query: Remote Port: 2*
Output:
  Socket CREATED: Type: TCP Status: New Local Address: web1.toons.local Local Port: 2635 Remote Address: POP1.TOONS.LOCAL Remote Port: 2967 Connection State: ESTAB Process ID: 2900 Process Name: Rtvscan.exe Image File Name: C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  Socket DELETED: Type: TCP Status: Deleted Local Address: web1.toons.local Local Port: 139 (netbios-ssn) Remote Address: DUMMY.TOONS.LOCAL Remote Port: 2311 Connection active time: 10466 secs Last known Connection State: ESTAB Process ID: 4 Process Name: System Image File Name: N/A

Example Query: Remote Port: 3???
Output:
  Socket CREATED: Type: TCP Status: New Local Address: web1.toons.local Local Port: 445 (microsoft-ds) Remote Address: DUMMY1.TOONS.LOCAL Remote Port: 3084 Connection State: ESTAB Process ID: 4 Process Name: System Image File Name: N/A
  Socket DELETED: Type: TCP Status: Deleted Local Address: web1.toons.local Local Port: 139 (netbios-ssn) Remote Address: DUMMY2.TOONS.LOCAL Remote Port: 3442 Connection active time: 49 secs Last known Connection State: ESTAB Process ID: 4 Process Name: System Image File Name: N/A
  Socket CREATED: Type: TCP Status: New Local Address: web1.toons.local Local Port: 445 (microsoft-ds) Remote Address: DUMMY1.TOONS.LOCAL Remote Port: 3821 Connection State: ESTAB Process ID: 4 Process Name: System Image File Name: N/A

NOTE: Log Search is case insensitive, which means you may enter characters, strings, phrases, column names and values in upper or lower case. When searching Standard columns and Custom columns, the split operator may also be preceded and followed by spaces. For example, the following are all equivalent: Event ID:861, Event ID : 861, event id:861, event id : 861.
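The operator rules above and the complex queries in this section, as an added example that is not part of the original manual and not EventTracker code: a small Python evaluator that applies the column-level (AND, OR), value-level (&&, ||), split (:), range (-), wildcard (*, ?), quoting and backslash-escape rules, case-insensitively and with optional spaces around the colon, to a handful of constructed records. The record layout, the column alias list and the sample records are assumptions modelled on this document; operator precedence (AND binds tighter than OR) is also an assumption, since the manual does not state one.

```python
"""Evaluator for the Log Search operator syntax described above.
Added example, not EventTracker code: the record layout, the column alias
list, the sample records and the AND-over-OR precedence are assumptions."""
import re

# Column aliases taken from the Standard Columns Search examples (assumed complete enough here).
ALIASES = {"id": "event id", "event_id": "event id", "eventid": "event id",
           "src": "source", "event source": "source",
           "username": "user", "user_name": "user", "event user": "user",
           "event_type": "event type", "eventtype": "event type",
           "desc": "description", "event description": "description"}
STANDARD = {"event id", "log type", "event type", "category", "source", "domain", "computer", "user"}
EVENT_TYPE_CODES = {"1": "error", "2": "warning", "3": "information",
                    "4": "audit success", "5": "audit failure"}


def _rec(eid, etype, source, desc):
    return {"event id": eid, "log type": "System", "event type": etype, "category": 0,
            "source": source, "domain": "TOONS", "computer": "WEB1", "user": "susan",
            "description": desc}


# Constructed sample records in the shape of the manual's examples (not real output).
RECORDS = [
    _rec(3405, "Information", "EventTracker",
         "An account was successfully logged on. Logon Type: 3 Source Network Address: 10.0.0.5"),
    _rec(5156, "Audit Success", "Microsoft-Windows-Security-Auditing",
         "The Windows Filtering Platform has permitted a connection. Source Port: 137 Destination Port: 137"),
    _rec(3225, "Information", "EventTracker",
         "Socket DELETED: Type: TCP Local Address: web1.toons.local Local Port: 3725 Remote Port: 389 (ldap)"),
    _rec(3225, "Information", "EventTracker",
         "Socket CREATED: Type: TCP Local Address: web1.toons.local Local Port: 445 (microsoft-ds) Remote Port: 3084"),
    _rec(1002, "Warning", "Microsoft-Windows-KnownFolders",
         r"Error 0x80070002 occurred while verifying known folder with path 'C:\Documents and Settings\Default User'."),
    _rec(4000, "Information", "EventTracker",
         "Documents folder redirection finished. Settings applied for user alice."),
    _rec(861, "Audit Failure", "Security",
         "The Windows Firewall has detected an application listening for incoming traffic."),
    _rec(45, "Error", "Symantec AntiVirus", "Symantec AntiVirus services failed to start."),
]


def _split(text, op_pattern):
    """Split text on an operator, ignoring occurrences escaped with \\ or inside quotes."""
    rx = re.compile(op_pattern, re.IGNORECASE)
    parts, start, i, quoted = [], 0, 0, False
    while i < len(text):
        if text[i] == "\\":
            i += 2                      # the escaped character is kept literal
            continue
        if text[i] == '"':
            quoted = not quoted
        elif not quoted:
            m = rx.match(text, i)
            if m:
                parts.append(text[start:m.start()])
                start = i = m.end()
                continue
        i += 1
    parts.append(text[start:])
    return [p.strip() for p in parts if p.strip()]


def _pattern(value):
    """Regex for one value: a quoted value is literal; otherwise * = any text, ? = one non-space character.
    Only the four reserved operators lose their backslash, so Windows paths keep theirs."""
    value = re.sub(r"\\(?=(?:and|or)\b|&&|\|\|)", "", value.strip(), flags=re.IGNORECASE)
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return re.escape(value[1:-1])
    return "".join(".*" if c == "*" else r"\S" if c == "?" else re.escape(c) for c in value)


def _match_value(rec, column, value):
    """Match one column value; a range applies only to Event ID, event type codes map to names."""
    col = ALIASES.get(column, column)
    if col == "event id":
        rng = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value.strip())
        if rng:
            return int(rng[1]) <= rec["event id"] <= int(rng[2])
    if col == "event type":
        value = EVENT_TYPE_CODES.get(value.strip(), value)
    if col in STANDARD:
        return re.fullmatch(_pattern(value), str(rec[col]), re.IGNORECASE) is not None
    # custom column: a "Name: value" pair inside the event description
    pat = re.escape(col) + r"\s*:\s*" + _pattern(value) + r"(?!\S)"
    return re.search(pat, rec["description"], re.IGNORECASE) is not None


def _term(rec, term):
    """One term: 'Column: v1 || v2 && v3' (|| = any value, && = every value) or a bare value over all fields."""
    column, sep, value = term.partition(":")
    if term.startswith('"') or not sep or not column.strip():
        text = " ".join(str(v) for v in rec.values())
        return re.search(_pattern(term), text, re.IGNORECASE) is not None
    column = re.sub(r"\s+", " ", column.strip().lower())
    return any(all(_match_value(rec, column, v) for v in _split(alt, r"\s*&&\s*"))
               for alt in _split(value, r"\s*\|\|\s*"))


def search(query, records=RECORDS):
    """Records matching a Log Search query. AND binds tighter than OR; everything is case insensitive."""
    return [r for r in records
            if any(all(_term(r, t) for t in _split(group, r"\s+AND\s+"))
                   for group in _split(query, r"\s+OR\s+"))]


def ids(query, records=RECORDS):
    """Event IDs of the matching records, in record order."""
    return [r["event id"] for r in search(query, records)]


if __name__ == "__main__":
    for q in ("id:3405 AND Logon Type: 3", "id:5156 && 3223", "Remote Port: 3???",
              "*documents and settings*", r"*documents \and settings*"):
        print(f"{q!r:45} -> {ids(q)}")
```

The last two queries show why the escape matters: without the backslash, `*documents and settings*` is split on AND into two bare terms and also returns the folder-redirection record, which merely contains both words; with `\and` the whole string is one phrase and only the KnownFolders record matches.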


Keyword Indexing

Keywords are unique words or short phrases used to make searching easier. To make the most of this feature, you must know the unique keyword associated with the logs.

CAB files must be present for the Keyword Indexer to index them. By default, the Keyword Indexer:
1. Indexes all unique words present in the CAB files generated in the past 24 hours. Keywords include the unique words found in Event Properties (Standard Columns) and in the Description.
2. Displays a match count versus day chart for the past 7 days, since the indexed CAB files may contain data for the past 7 days.

Keyword Indexer maintains a master history file (History.xml) listing the CAB files that have been indexed and, for each CAB file, an XML file (for example etar1271127929-14505.cab.xml) containing the list of unique words indexed along with their counts. All these files are stored under the default EventTracker installation path (...\Program Files\Prism Microsystems\EventTracker\Keyword Indexes). When you submit a query, Log Search first consults the XML files; if the data searched for is present in the indexed CAB files, it returns the result set from them. If the data is not in the indexed CAB files, it searches the unindexed CAB files and returns the result set. In this way the Keyword Indexer speeds up the search-and-find process considerably. Note the consequence for CAB files appended after the last indexing run: they are consulted only when the index has no hit, so index them (see Index CAB files) if you need them covered. In the result set, clickable links are provided for the values of Event Properties and Columns, and for the unique words in the Event Description.
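The index-first lookup just described, as an added example that is not part of the original manual and not EventTracker code. It builds a per-archive word index (one XML file per archive plus a History.xml of what has been indexed), answers a keyword query from the index for indexed archives and scans the rest, and returns both the match count and the event count so the difference between the two is visible. The XML layout, the helper names and the archive contents are assumptions; only the file names, the per-word counts and the index-first behaviour come from the document, and the "CAB files" here are in-memory lists of event descriptions rather than real archives.

```python
"""Keyword index in the spirit of the Keyword Indexer described above.
Added example, not EventTracker code: only the file names (History.xml,
<cab>.xml), the per-word counts and the index-first lookup come from the
document; the XML layout and the sample archive contents are assumptions."""
import os
import re
import shutil
import tempfile
import xml.etree.ElementTree as ET

WORD = re.compile(r"[A-Za-z0-9_.\-]+")

# Constructed stand-ins for CAB archives: archive name -> the event descriptions it holds.
CABS = {
    "etar1271127929-14505.cab": [
        "Socket DELETED: Type: TCP Status: Deleted Local Address: web1.toons.local Local Port: 3725 Remote Port: 389 (ldap)",
        "Socket CREATED: Type: TCP Status: New Local Address: web1.toons.local Local Port: 445 (microsoft-ds) Protocol: TCP",
        "Socket DELETED: Type: UDP Status: Deleted Local Address: web1 Local Port: 1477",
    ],
    "etar1271214329-14506.cab": [
        "The Windows Filtering Platform has permitted a connection. Protocol: 17",
        "An account was successfully logged on. Logon Type: 3 Account Name: alice",
    ],
    "etar1271300729-14507.cab": [   # appended after the last indexing run, so never indexed
        "Socket DELETED: Type: TCP Status: Deleted Local Address: web1 Local Port: 1386",
    ],
}


def count_keyword(events, keyword):
    """(match count, event count) for one keyword; they differ when an event repeats the word."""
    kw = keyword.lower()
    per_event = [sum(1 for w in WORD.findall(ev) if w.lower() == kw) for ev in events]
    return sum(per_event), sum(1 for n in per_event if n)


class KeywordIndex:
    def __init__(self, root):
        self.root, self.history = root, os.path.join(root, "History.xml")
        os.makedirs(root, exist_ok=True)
        if not os.path.exists(self.history):
            ET.ElementTree(ET.Element("history")).write(self.history)

    def indexed(self):
        return [c.get("name") for c in ET.parse(self.history).getroot()]

    def index_cab(self, name, events):
        """Write <name>.xml with every unique word and its counts, then record the CAB in History.xml."""
        root = ET.Element("index", cab=name)
        for w in sorted({t.lower() for ev in events for t in WORD.findall(ev)}):
            matches, hits = count_keyword(events, w)
            ET.SubElement(root, "word", value=w, matches=str(matches), events=str(hits))
        ET.ElementTree(root).write(os.path.join(self.root, name + ".xml"))
        hist = ET.parse(self.history)
        ET.SubElement(hist.getroot(), "cab", name=name)
        hist.write(self.history)

    def lookup(self, keyword, cabs):
        """{cab: (matches, events)} for every archive with at least one hit. Indexed archives are
        answered from their XML without touching the CAB; unindexed ones are scanned in full."""
        kw, result, done = keyword.lower(), {}, set(self.indexed())
        for name, events in cabs.items():
            if name in done:
                root = ET.parse(os.path.join(self.root, name + ".xml")).getroot()
                hit = next((w for w in root.iter("word") if w.get("value") == kw), None)
                counts = (int(hit.get("matches")), int(hit.get("events"))) if hit is not None else (0, 0)
            else:
                counts = count_keyword(events, keyword)
            if counts[0]:
                result[name] = counts
        return result

    def reset(self):
        """Equivalent of Reset Index: drop the whole index folder."""
        shutil.rmtree(self.root)


def demo():
    """Index the two older archives, leave the newest unindexed, then look up two keywords."""
    idx = KeywordIndex(tempfile.mkdtemp(prefix="kwidx-"))
    for name in list(CABS)[:2]:
        idx.index_cab(name, CABS[name])
    out = (idx.indexed(), idx.lookup("tcp", CABS), idx.lookup("alice", CABS))
    idx.reset()
    return out


if __name__ == "__main__":
    print(demo())
```

For the first archive the keyword tcp yields 3 matches in 2 events, because one socket record names TCP twice; that is the match count versus event count distinction the Set Indexer for Log Search option switches between. lookup() scans every unindexed archive on every query, which is stricter than the manual's description (unindexed CAB files are consulted only when the index has no hit) and is the safer default when the newest archives are the ones that matter.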

Keyword Indexer Console

Keyword Indexer Console helps you to:

• select CAB files for a time period of your interest
• select the root folder in which to store the XML files
• start, stop and reset the index
• enable or disable log search with indexing
• set the purge frequency
• set the indexing frequency

NOTE: To configure Remote Indexing, please refer to the Guide.

1. To configure the indexer service, open the patch installation folder (\\\EventTracker\RemoteIndexer).
2. Double-click Prism.Keyword.Indexer.Console.exe.
3. Select the Enable Keyword Indexer check box to enable keyword indexing.

Figure 1


Field / Description

Keyword Indexer

Start Time / End Time: Select the date from the control, or type the date and time range for which you need to index the CAB files. This facility is provided in case you wish to index appended CAB files.

Indexer Root: Click the Browse button to select the root folder, and then click the Set Root Dir for Indexer Service button. The indexer service stores the XML files in this folder.

Index Now: Keyword Indexer enables this button when you stop the EventTracker Indexer service. You need to stop this service before you attempt to index the CAB files. Click this button to start indexing.

Stop Indexing: Click this button to stop the indexing process.

Reset Indexing: Click this button to remove all keyword index information. Keyword Indexer displays a confirmation message box. Click Yes to remove or No to retain.

Keyword Indexer Configs

Set Indexer for Log Search: Select this check box if you wish to search logs for match counts. Clear this check box if you wish to search logs for event counts. Match counts and event counts need not be the same, since one event can contain a keyword more than once.

Indexer file purge freq [in days]: By default, Keyword Indexer keeps indexing data for 365 days and purges data older than that.

Indexer Service freq [in days]: By default, the EventTracker Indexer service indexes the CAB files once every 24 hours. Set how often you need the EventTracker Indexer service to index keywords.

Index CAB files

This option helps you index appended CAB files.

1. Stop the EventTracker Indexer service.
2. Set the time frame. Keyword Indexer considers only the CAB files of that period for indexing.
3. Click Index Now.

Keyword Indexer displays the confirmation message box.

Figure 1

4. Click Yes to proceed.

Keyword Indexer displays the indexing status.

Figure 2

5. Click Stop Indexing to abort the indexing process.

After indexing, Keyword Indexer displays the success message box.


Figure 3

Reset Index

This option helps you remove all index files.

1. Click Reset Index.

Keyword Indexer displays the success message after successfully deleting the Keyword Index folder.

Figure 4

Search Keywords in Event Properties

On the Home page, Log Search displays the tree view of keywords found in the Event Properties. Since keywords are extracted from the CAB files, Log Search does not display the tree view if no CAB file has been generated for the current day.

1. Expand a node whose match counts you wish to view.

Example: Computer


Figure 5

2. Click the name of the computer.

EventTracker Log Search utility displays the Match Counts graph.


Figure 6

Each disk on every cylinder represents one CAB file.

3. To search an unindexed event, select the Click here hyperlink.

(OR) Click a disc on a cylinder to search for the search string (computer:MCLOON) in that particular CAB file. EventTracker Log Search displays the result set in the Log Search Timeline window.


Figure 7: Output in v8.0

Figure 8: Expanded Output in v8.0

For more details refer Basic Search.


Search by Event Categories

1. Click a Knowledge Category.

Example: *All audit events. EventTracker Log Search displays the Log Search Timeline window. Each disk on every cylinder represents one CAB file.

2. Move the mouse pointer over a disk to view its date and time details.

3. Click a disc on a cylinder to search for the search string (*All audit events) in that particular CAB file.

EventTracker Log Search returns the result set in the Log Search Timeline window.

Basic Search

Basic Search is an ideal way to search for a word or phrase related to the information you are looking for. The search covers Event Properties (standard columns) and Event Description (custom columns). Log Search displays the tree view of keywords found in the Event Properties. Since keywords are extracted from the CAB files, Log Search does not display the tree view if no CAB file has been generated for the current day.

Examples for Basic Search

Valid Query: Open Process
Search Field(s): Source, Domain, User, Description, Event id, Log Time
Details: This query matches the Search Field(s) and returns the matching records that contain 'Open', 'Process' or 'Open Process'.
Result:
  Event id: 5156
  Source: Microsoft-Windows-Security-Auditing
  Event type: Audit Success
  Log type: Security
  Description: The Windows Filtering Platform has permitted a connection.
  Application Information: Process ID: 4 Application Name: System
  Network Information: Direction: Inbound Source Address: 192.168.x.x Source Port: 137 Destination Address: 192.168.x.x Destination Port: 137 Protocol: 17
  Filter Information: Filter Run-Time ID: 0 Layer Name: Receive/Accept Layer Run-Time ID: 44

Valid Query: 3376
Search Field(s): Event ID, Description
Details: This query matches the Search Field(s) and returns the matching records that contain the exact value.
Result:
  A process has exited: Process ID: 3376 Image File Name: C:\Program Files\Prism Microsystems\EventTracker\CollectionPointConsole.exe User Name: DEVTEST1$ Domain: TOONS Logon ID: (0x0,0x3E7)

Valid Query: *.exe
Search Field(s): Description
Details: This query matches the Search Field(s) and returns the matching records with the column and its value that ends with the phrase searched for.
Result:
  SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec AntiVirus\Rtvscan.exe Event Info: Open Process Action Taken: Logged Actor Process: C:\Program Files\Prism Microsystems\EventTracker\Agent\etagent.exe (PID 4084) Time: Thursday, April 17, 2008 12:10:48 AM

Valid Query: *agent.exe
Search Field(s): Description
Details: This query matches the Search Field(s) and returns the matching records with the column and its value that ends with the phrase searched for.
Result:
  SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe Event Info: Open Process Action Taken: Logged Actor Process: C:\Program Files\Prism Microsystems\EventTracker\Agent\etagent.exe (PID 4084) Time: Thursday, April 17, 2008 8:04:15 AM

Valid Query: ms*agent.exe
Search Field(s): Description
Details: This query matches the Search Field(s) and returns the matching records with the phrase searched for. The result may contain any character, string or phrase between ms and agent.
Result:
  SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec AntiVirus\SavRoam.exe Event Info: Open Process Action Taken: Logged Actor Process: C:\Program Files\Prism Microsystems\EventTracker\Agent\etagent.exe (PID 4084) Time: Thursday, April 17, 2008 8:06:11 AM

Valid Query: e?t
Search Field(s): Description
Details: This query matches the Search Field(s) and returns the matching records with the phrase searched for. The result may contain any single character between e and t.
Result:
  SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe Event Info: Open Process Action Taken: Logged Actor Process: C:\Program Files\Prism Microsystems\EventTracker\Agent\etagent.exe (PID 4084) Time: Thursday, April 17, 2008 3:03:46 PM
  Privileged Service Called: Server: NT Local Security Authority / Authentication Service Service: LsaRegisterLogonProcess() Primary User Name: DEVTEST1$ Primary Domain: TOONS Primary Logon ID: (0x0,0x3E7) Client User Name: DEVTEST1$ Client Domain: TOONS Client Logon ID: (0x0,0x3E7) Privileges: SeTcbPrivilege

Valid Query: SYMANTEC && EventTracker (or symantec && eventtracker)
Search Field(s): Description
Details: This query matches the Search Field(s) and returns the matching records that contain both values.
Result:
  SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec AntiVirus\Rtvscan.exe Event Info: Open Process Action Taken: Logged Actor Process: C:\Program Files\Prism Microsystems\EventTracker\evtProcessEcFile.exe (PID 2576) Time: Tuesday, December 02, 2008 12:28:32 PM

Valid Query: UDP || TCP (or UDP||TCP, udp || tcp, Udp||tcp)
Search Field(s): Source, Domain, User, Description
Details: This query matches the Search Field(s) and returns the matching records that contain either one of the values.
Result:
  Socket DELETED: Type: UDP Status: Deleted Local Address: web1 Local Port: 1477 Connection active time: 52 secs Process ID: 3864 Process Name: UserActivity.exe Image File Name: C:\Program Files\Prism Microsystems\EventTracker\UserActivity.exe
  Socket DELETED: Type: TCP Status: Deleted Local Address: web1.toons.local Local Port: 1386 Remote Address: POP1.TOONS.LOCAL Remote Port: 1026 Connection active time: 114 secs Last known Connection State: TIME_WAIT Process ID: 0 Process Name: [System Process] Image File Name: N/A

Standard Columns Search

Standard columns are the fields that define event properties. With this you can focus your search on Standard columns.

To view Event Viewer

1. Select the Start button, and then select All Programs.
2. Select Administrative Tools, and then select Event Viewer.

(OR) Select the Start button and enter Run in the search field. The Run window displays. Enter eventvwr in the Open text box and then select the OK button. Event Viewer displays.

Figure 9


3. Click Event Properties to view details.

General tab displays by default for that particular event property selected.

Figure 10

4. Click the Details tab to view more information.


Figure 11

Examples for Standard Columns Search

Valid Query: Event Type : 1, Event Type : Error, EventType : 2, EventType : Warning, Event_Type : 3, Event_Type : Information
Search Field(s): Event Type (1 = Error, 2 = Warning, 3 = Information, 4 = Audit Success, 5 = Audit Failure)
Details: This query matches the Search Field(s) and returns the matching records that contain the exact value searched for.
Result:
  Log Type: System Event Type: Information Category: 2 Event ID: 3225 Source: EventTracker Domain: DEVTEST1 Computer: TOMCRUISE User: Administrator

Valid Query: src : Symantec AntiVirus, source : Symantec AntiVirus
Search Field(s): Event Source
Details: This query matches the Search Field(s) and returns the matching records that contain the exact value searched for.
Result:
  Log Type: Application Event Type: Error Category: 0 Event ID: 45 Source: Symantec AntiVirus Domain: NT AUTHORITY Computer: TOMCRUISE User: SYSTEM

Valid Query: user : System, UserName : System, User_Name : System
Search Field(s): Event User, Event Description
Details: This query matches the Search Field(s) and returns the matching records that contain the exact value searched for.
Result:
  Log Type: Application Event Type: Error Category: 0 Event ID: 45 Source: Symantec AntiVirus Domain: NT AUTHORITY Computer: TOMCRUISE User: SYSTEM
  SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe Event Info: Open Process Action Taken: Logged Actor Process: C:\Program Files\Prism Microsystems\EventTracker\Agent\etagent.exe (PID 4084) Time: Wednesday, April 16, 2008 11:37:23 PM

Valid Query: desc : Open Process, Description : Open Process
Search Field(s): Event Description
Details: This query matches the Search Field(s) and returns the matching records that contain the exact value searched for.
Result:
  SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe Event Info: Open Process Action Taken: Logged Actor Process: C:\Program Files\Prism Microsystems\EventTracker\Agent\etagent.exe (PID 3340) Time: Tuesday, December 02, 2008 12:13:01 PM

Valid Query: Domain:TOONS
Search Field(s): Domain, Event Description
Details: This query matches the Search Field(s) and returns the matching records that contain the exact value searched for.
Result:
  Log Type: Security Event Type: Success Audit Category: 5 Event ID: 592 Source: Security Domain: TOONS Computer: WEB1 User: WEB1$


Basic Search in v8.x

1. Log on to EventTracker Enterprise.
2. Select the Search menu. The Basic Search window displays.

Figure 12

3. Select any of the items (e.g. User: network service) from the Trending today pane to perform a basic search. The Trending today column can be sorted by Frequency or alphabetically, as highlighted in the figure above.

4. To search the logs processed on the current day, click the logs processed today hyperlink to view all logs processed since 12:00 A.M. up to the current time.


Figure 14

NOTE: To enable the Smart Tokens icon, click the user name at the top right and select the Advanced hyperlink. In the user preference window, set Show Knowledge Object to "Yes" and click Save.

In the Standard Tokens pane, click the View values icon. The Standard Tokens details display.


Figure 15

5. Click the Event ID hyperlink. Log Search automatically redirects to the Knowledge Base.
6. Click the Refine icon to refine the result set. The Refine dialog displays.


Figure 16

7. Enter the Event description and Filter description if required.

8. Select the required options, and then select the Refine button to narrow down the search results. The refined query search results are displayed.


Figure 17

9. To export data to Excel, click the Export icon.
10. To start a new search, click the New Search icon.
11. To add the search results to a Logbook, click the Add to logbook icon. The Logbook window displays.

Figure 32

12. Enter the File Name.
13. Select the Add new button to add the data to a new logbook, or select the Add to existing button to add the data to an existing logbook. The Logbook window displays.


14. Enter the relevant data and then select the Save button.

Please refer to the EventTracker v8.0 Enterprise User Guide for further details regarding the usage of Logbook.

Advanced Search

Advanced Search offers numerous options for making your searches more precise and getting more useful results.

Examples for Advanced Search

Valid Search String Search Field(s) Match String Sample

search in standard and/or Standard column and/or Example #1: custom column(s) custom columns Search in Standard column Id: 5156 id: is Standard column 5156 is Value Details: This query matches the Search Field(s) and returns the matching records that contain the exact value searched for. Event id: 5156 Source: Microsoft-Windows-Security-Auditing Event type: Audit Success Log type: Security Description: The Windows Filtering Platform has permitted a connection.

Application Information: Process ID: 4 Application Name: System

Network Information: Direction: Inbound Source Address: 192.168.x.x Source Port: 137 Destination Address: 192.168.x.x

29 EventTracker Enterprise Log Search

Valid Search String Search Field(s) Match String Sample Destination Port: 137 Protocol: 17

Filter Information: Filter Run-Time ID: 0 Layer Name: Receive/Accept Layer Run-Time ID: 44

Example #2: Search in Custom column

Source Network Address: 127.0.0.1 Source Network Address: is Custom column 127.0.0.1 is Value Details: This query matches the Search Field(s) and returns the matching records that contain the exact value searched for.

Event id: 4624 Source: Microsoft-Windows-Security-Auditing Event type: Audit Success Log type: Security Description: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DUMMY$ Account Domain: TOONS Logon ID: 0x3E7

Logon Type: 7

30 EventTracker Enterprise Log Search

Valid Search String Search Field(s) Match String Sample Impersonation Level: Impersonation

New Logon: Security ID: S-1-5-21-903365541-1942580562- 2730907773-1139 Account Name: alice Account Domain: TOONS Logon ID: 0x218391 Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information: Process ID: 0x214 Process Name: C:\Windows\System32\winlogon.exe

Network Information: Workstation Name: DUMMY Source Network Address: 127.0.0.1 Source Port: 0

Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0

Other sample examples: Event ID: 5156 OR user: alice

Event ID: 5156 AND Source Network Address: 127.0.0.1 Event ID: 5156 OR Source Network Address: 127.0.0.1

31 EventTracker Enterprise Log Search

Valid Search String Search Field(s) Match String Sample

Source Network Address: 127.0.0.1 AND Source Port: 4769 Source Network Address: 127.0.0.1 OR Source Port: 4769 all these words Description Process ID Details: This query matches the Search Field(s) and returns the matching records that contain that contain ‘Process’ and ‘ID’ Event id: 5156 Source: Microsoft-Windows-Security-Auditing Event type: Audit Success Log type: Security

Description: The Windows Filtering Platform has permitted a connection.

Application Information: Process ID: 4 Application Name: System

Network Information: Direction: Inbound Source Address: 192.168.x.x Source Port: 137 Destination Address: 192.168.x.x Destination Port: 137 Protocol: 17

Filter Information: Filter Run-Time ID: 0 Layer Name: Receive/Accept

32 EventTracker Enterprise Log Search

Valid Search String Search Field(s) Match String Sample Layer Run-Time ID: 44 this exact wording or phrase Description Process ID Details: This query matches the Search Field(s) and returns the matching records that contain the exact phrase ‘Process ID’

Event id: 4670 Source: Microsoft-Windows-Security-Auditing Event type: Audit Success Log type: Security

Description: Permissions on an object were changed.

Subject: Security ID: S-1-5-18 Account Name: DUMMY$ Account Domain: TOONS Logon ID: 0x3E7

Object: Object Server: Security Object Type: Token Object Name: - Handle ID: 0xccc

Process: Process ID: 0xb74 Process Name: C:\Windows\System32\SearchIndexer.exe

Permissions Change: Original Security Descriptor:
D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-117416528-2204451360-1913602512-1355018040-1234992034)(A;;GA;;;BA)(A;;GA;;;SY)
New Security Descriptor:
D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-117416528-2204451360-1913602512-1355018040-1234992034)(A;;GA;;;BA)(A;;GA;;;SY)(A;;SWRPRC;;;S-1-5-5-0-914314)

Valid Search String: one or more of these words
Search Field(s): Description
Match String: ESTAB OR 80
Sample:
Details: This query matches the Search Field(s) and returns the matching records that contain any one of the values searched for.
Event id: 4689
Source: Microsoft-Windows-Security-Auditing
Event type: Audit Success
Log type: Security
Description: A process has exited.
Subject:
  Security ID: S-1-5-21-903365541-1942580562-2730907773-1659
  Account Name: john
  Account Domain: TOONS
  Logon ID: 0x1e82b
Process Information:
  Process ID: 0x620
  Process Name: C:\Program Files\Prism Microsystems\EventTrackerWeb\bin\Prism.SparseMatrixIndexer.exe
  Exit Status: 0x0

Valid Search String: event Id Range
Search Field(s): Standard column
Match String: ID: 800-900
Sample:
Details: This query matches the Search Field(s) and returns the matching records whose event IDs fall within the range searched for.
Log Type: Security, Event Type: Success Audit, Category: 6, Event ID: 850, Source: Security, Domain: NT AUTHORITY, Computer: WEB1, User: SYSTEM
Log Type: Security, Event Type: Failure Audit, Category: 5, Event ID: 861, Source: Security, Domain: NT AUTHORITY, Computer: WEB1, User: SYSTEM

Valid Search String: systems or groups
Details: By default, the search is done in all systems. You can also select systems or groups by clicking the Select Systems or Groups hyperlink.

Valid Search String: But don't show Logs that have any of these unwanted words
Search Field(s): Description
Details: This query matches the Search Field(s) and returns the matching records that do not contain the value searched for.

Example #1:
search in standard column: id:3225
Event id: 3203
Source: EventTracker
Event type: Information
Log type: System
Description: Detected Service was restarted successfully. Name: TrapTracker Receiver Type: Service
One or more of these words: iexplore.exe || firefox.exe
Query result: Standard Columns
Event id: 4673
Source: Microsoft-Windows-Security-Auditing
Event type: Audit Failure
Log type: Security
Description: A privileged service was called.
Subject:
  Security ID: S-1-5-19
  Account Name: LOCAL SERVICE
  Account Domain: NT AUTHORITY
  Logon ID: 0x3E5
Service:
  Server: Security
  Service Name: -
Process:
  Process ID: 0x5a0
  Process Name: C:\Windows\System32\svchost.exe
Service Request Information:
  Privileges: SeTcbPrivilege

Example #2:
search in standard column: id:3225
One or more of these words: Local Port: 3167 || 2484
Query result: Standard Columns
Log Type: System, Event Type: Information, Category: 2, Event ID: 3225, Source: EventTracker, Domain: TOONS, Computer: WEB1, User: susan
Event Description: Socket DELETED: Type: TCP Status: Deleted Local Address: web1.toons.local Local Port: 2484 Remote Address: POP1.TOONS.LOCAL Remote Port: 445 (microsoft-ds) Connection active time: 147 secs Last known Connection State: TIME_WAIT Process ID: 0 Process Name: [System Process] Image File Name: N/A

Log Type: System, Event Type: Information, Category: 2, Event ID: 3225, Source: EventTracker, Domain: TOONS, Computer: WEB1, User: susan
Event Description: Socket DELETED: Type: TCP Status: Deleted Local Address: web1.toons.local Local Port: 3167 Remote Address: POP1.TOONS.LOCAL Remote Port: 135 (epmap) Connection active time: 99 secs Last known Connection State: TIME_WAIT Process ID: 0 Process Name: [System Process] Image File Name: N/A

To filter out records that match Local Port: 3167 or 2484 in the event description, frame your query as:
search in standard column: id:3225
any of these unwanted words: Local Port: 3167 || 2484
Records that match the unwanted words (Local Port: 3167 || 2484) are filtered out.
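The matching rules in the table above (search in a standard column, an event ID range, "one or more of these words", and "unwanted words" filtering) can be reproduced over a handful of records to see exactly which events each query part keeps or drops. The following is an added example written for this page, not EventTracker's own code or search implementation. The records are constructed from the table's sample values; the third socket record (Local Port 80, connection state ESTAB) is an assumption added so that every query has something to match, and both alternative separators the table uses, `||` and the word OR, are accepted.

```python
import re

# Constructed sample records modelled on the samples in the table above. The
# event ids, hosts and ports are the page's own illustrative values; the third
# socket record (Local Port 80, state ESTAB) is an assumption added here so
# that every query below has something to match.
RECORDS = [
    {"id": 3225, "src": "EventTracker", "log": "System",
     "description": "Socket DELETED: Type: TCP Status: Deleted "
                    "Local Address: web1.toons.local Local Port: 2484 "
                    "Remote Address: POP1.TOONS.LOCAL Remote Port: 445 (microsoft-ds) "
                    "Last known Connection State: TIME_WAIT"},
    {"id": 3225, "src": "EventTracker", "log": "System",
     "description": "Socket DELETED: Type: TCP Status: Deleted "
                    "Local Address: web1.toons.local Local Port: 3167 "
                    "Remote Address: POP1.TOONS.LOCAL Remote Port: 135 (epmap) "
                    "Last known Connection State: TIME_WAIT"},
    {"id": 3225, "src": "EventTracker", "log": "System",
     "description": "Socket DELETED: Type: TCP Status: Deleted "
                    "Local Address: web1.toons.local Local Port: 80 "
                    "Remote Address: POP1.TOONS.LOCAL Remote Port: 51234 "
                    "Last known Connection State: ESTAB"},
    {"id": 850, "src": "Security", "log": "Security",
     "description": "Success Audit Category: 6 Computer: WEB1 User: SYSTEM"},
    {"id": 861, "src": "Security", "log": "Security",
     "description": "Failure Audit Category: 5 Computer: WEB1 User: SYSTEM"},
    {"id": 4689, "src": "Microsoft-Windows-Security-Auditing", "log": "Security",
     "description": "A process has exited. Account Name: john "
                    "Account Domain: TOONS Exit Status: 0x0"},
]

# The table spells alternatives two ways: '||' (Local Port: 3167 || 2484) and
# the word OR (ESTAB OR 80). Both are accepted as separators here.
WORD_SPLIT = re.compile(r"\s*(?:\|\||\bOR\b)\s*")
RANGE_RE = re.compile(r"(\d+)\s*-\s*(\d+)")


def split_alternatives(text):
    """'Local Port: 3167 || 2484' -> ['Local Port: 3167', '2484']."""
    return [w for w in WORD_SPLIT.split(text) if w]


def any_of_words(record, text):
    """'One or more of these words': case-insensitive substring match of any
    alternative against the event description."""
    desc = record["description"].lower()
    return any(w.lower() in desc for w in split_alternatives(text))


def standard_column_match(record, clause):
    """'search in standard column': 'id:3225' is an exact match on the field,
    'ID: 800-900' is an inclusive range on the numeric event id."""
    name, _, value = clause.partition(":")
    name, value = name.strip().lower(), value.strip()
    rng = RANGE_RE.fullmatch(value)
    if name == "id" and rng:
        lo, hi = int(rng.group(1)), int(rng.group(2))
        return lo <= record["id"] <= hi
    return str(record.get(name, "")).lower() == value.lower()


def search(records, standard_column=None, any_words=None, unwanted_words=None):
    """Apply the query parts the table describes and return matching records:
    the standard-column clause narrows first, 'any of these words' keeps a
    record only if some alternative appears in its description, and
    'unwanted words' drops a record if any alternative appears."""
    hits = []
    for rec in records:
        if standard_column and not standard_column_match(rec, standard_column):
            continue
        if any_words and not any_of_words(rec, any_words):
            continue
        if unwanted_words and any_of_words(rec, unwanted_words):
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    # Example #2 from the table, then the 'unwanted words' variant of it.
    for rec in search(RECORDS, standard_column="id:3225",
                      any_words="Local Port: 3167 || 2484"):
        print("matched:", rec["description"][:70])
    for rec in search(RECORDS, standard_column="id:3225",
                      unwanted_words="Local Port: 3167 || 2484"):
        print("kept after filter:", rec["description"][:70])
```

Note that the word match is a plain substring test, so the alternative `2484` would also hit a description containing `12484`; anchoring the value to its label (`Local Port: 2484`) is the safer way to write the query.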

Advanced search in v8.x

The Regular expression, Log Watch, Pivot Table and Smart Token features are explained below. The rest of the functionality is the same as Advanced Search in v7.6.


RegEx in Log Search

In Advanced Log Search, you can now search using regular expressions.

1. Select the Add search criteria icon.
2. In the Search in drop-down menu, select RegEx.

Figure 18

3. Select the Operator drop-down.

Figure 19

4. Enter the search criteria in the Search for box.
5. Click the Help icon for additional information.
6. Select the Search button.

Figure 20

Log Watch

Log Watch is a feature to monitor incoming data continuously as per the user query.

1. To access Log Watch, select the Tools menu, and then select Log Watch.

Advanced Log Search window displays.


Figure 21

2. The Add to log watch option is enabled by default.

Example: Let us search for the category 'All error events'.

a. Click the Add knowledge category icon.

The Knowledge category window displays.

b. Select *All error events, and then select the OK button.


Figure 22

The search criteria display in the Custom criteria pane.


Figure 23

3. Click the Search button. The Log Watch Timeline window displays the search results.

NOTE: Only a single Knowledge category can be displayed.


Figure 24

4. To view the Standard Tokens detail, click the drop-down icon.

Figure 25

5. Click Help icon.


Knowledge Objects details display if the option has been enabled in the User Preference settings.

Figure 26

The details to enable Knowledge Objects in the User Preference settings are explained in Chapter 1, Get Started.

Pivot Table

The Pivot Table feature can be accessed only if the Smart Token option is enabled. If you want a search result based on Interesting Tokens as columns, with the added benefit of a few standard columns, the Pivot Table can help you. It will display the specified tokens in columns and enable you to draw charts once it is exported to Excel.

How to use the Pivot Table?

• To perform a search:

1. Click the -- button.
2. Go to the -- option.

The Advanced Log Search dialog box is displayed.


Figure 27

3. Click the -- checkbox to enable the Pivot Table feature.

NOTE: If the Show Knowledge Objects option is set to Yes in Advanced > User Preference, the Smart Token option is checked by default.

Figure 28

4. Select the system name and your preferred date/time range.
5. Click the -- button.
6. The results are displayed based on the provided search criteria.


Figure 29

7. Select the Knowledge Object from the drop-down box and click the icon to generate the Pivot Table.
8. Select the Knowledge Object from the drop-down list.


Figure 30

7. Preferred tokens can be added to your customized column, where you can re-arrange them by dragging and dropping. An example is shown in the figure below:


Figure 31

9. Click the -- button to filter your search result.

Figure 32

10. The search result will be displayed.


Figure 33

NOTE: While the search is in progress, the Save, Export and Filter options are not available.

• The search result can be further refined by selecting a particular token column and clicking the -- option. The filtered results will be available for viewing.
• The filtered results can also be viewed in ascending/descending order by clicking the -- and -- options.


Figure 34

• Use the icon to auto-resize the columns.
• To view the raw Event Information, click on the icon.


Figure 35

• The search criteria can also be saved for viewing later. This can be done by following the steps below:

Step 1: Click the icon to save the filtered token criteria.
Step 2: Give a title and click the -- button. For example: EventTracker Report

Figure 36

The search result will be saved and the message below will be displayed.


Figure 37

Step 3: Now, to view the saved search results, click on --. In the Advanced Log Search window, click on the "Saved searches" hyperlink.

Figure 38

Step 4: The Saved search hyperlink will redirect you to the box displaying the saved search results.


Figure 39

• To view all your personal saved searches, click on the icon. All the searches performed by you will be visible. On the other hand, if you want to view all saved search results, you can do that directly by clicking on the icon.

Note: The saved search criteria can also be exported to Excel files for analysis and visualization purposes.

How to edit a Saved search?

For editing the saved search criteria, click the Saved search hyperlink. The saved result will be displayed.


Figure 40

• Click on the icon and start editing the saved searches.
• After editing and performing the search, the new search result can also be saved with a new title for viewing later.

Figure 41

How to Add Knowledge Objects?

To add Knowledge Objects and view a search result based on them, follow the steps below:

Step 1: Open the Advanced Log Search window from the -< Advanced search>- option.

Figure 42

Step 2: Click the icon to add a Knowledge Object.
Step 3: Click the 'Search' button. The search page will be displayed, and you can then perform the log search further.

NOTE:

• When adding Knowledge Objects from Advanced Search, the other two criteria, i.e. add search criteria ( ) and add knowledge category ( ), are hidden.

• It should also be noted that Windows Standard Token is a default token offered by EventTracker in log search, which cannot be edited and saved.

Smart Tokens

Every Knowledge Object that is defined has a finite set of Smart Tokens. From a visualization and analytical perspective, only a few specific Smart Tokens will be important and need to be searched. The Smart Token feature makes the searching process hassle-free and also helps in performing a filtered search to get detailed information on a specific token when required. The Smart Token option remains disabled by default. The user needs to enable the option to continue with the search.

How to Perform a Search on Smart Tokens?

To perform a filtered search on Smart Tokens from the available Knowledge Objects, follow the steps below:

Step 1: Click the -- option from the EventTracker menu.

Figure 43

Step 2: Go to the -- option.

The Advanced Log Search dialog box is displayed.

Step 3: Enable the -- option by clicking the check box (if it is not already enabled).

Figure 44

Step 4: Click the -- button.

The Knowledge Objects will be listed under the Smart Tokens column on clicking the icon.

The figure is displayed below:


Figure 45

Step 5: Select any of the listed Knowledge Objects and click the icon to search Smart Tokens.

Example: The Knowledge Object EventTracker is selected here, as shown in the figure above. The Smart Tokens of the Knowledge Object 'EventTracker' are displayed in a column.

Figure 46

Step 6: For performing a search based on a particular Smart Token, click on the token.


In the example, the token Name is chosen. The search result will be displayed with all the matched information.

Figure 47

Step 7: Now, if you want to refine your search further, select the Token (Name) and click the button to view its values.


Figure 48

Step 8: Click on any of the listed values to generate a filtered search result. In the example, a search is performed on the value (Application Experience). The search result is displayed.

Figure 49


Limitations

• A maximum of two columns (Standard, Custom or a combination of both) can be searched at a time, using either the AND or the OR operator.

Search String [Column Type] Status
Src:EventTracker AND id : 3221 [src is Standard, id is Standard] Valid. Details: Within the permitted number of columns.
Src:EventTracker AND id : 3221 AND desc = ISA [src is Standard, id is Standard, desc is Custom] Invalid. Details: Exceeded the permitted number of columns.
Src:EventTracker OR id : 3221 [src is Standard, id is Standard] Valid. Details: Within the permitted number of columns.
Src:EventTracker OR id : 3221 OR desc : ISA [src is Standard, id is Standard, desc is Custom] Invalid. Details: Exceeded the permitted number of columns.
Src:EventTracker AND id : 3221 OR desc : ISA [src is Standard, id is Standard, desc is Custom] Invalid. Details: Exceeded the permitted number of columns.

• Custom columns along with Standard columns can be searched with the AND operator, not with the OR operator.

Search String [Column Type] Status
ID:528 AND Local Port : 80 [ID is Standard, Local Port is Custom] Valid
ID:528 OR Local Port : 80 [ID is Standard, Local Port is Custom] Invalid

• Multiple Custom columns can be searched using either the AND or the OR operator.

Search String [Column Type] Status
Local Port : 80 [Local Port is Custom] Valid
Remote Port : 90 [Remote Port is Custom] Valid
Remote Port : 90 AND src:Syslog [Remote Port is Custom, src is Standard] Valid
Local Port : 80 AND Remote Port : 90 [Local Port is Custom, Remote Port is Custom] Valid
Local Port : 80 OR Remote Port : 90 [Local Port is Custom, Remote Port is Custom] Valid

• Multiple values can be specified using a combination of the && and || operators.

Search String [Column Type] Status
id : 3221 || 3222 [id is Standard] Valid
id : 3221 || 3222 || 3223 [id is Standard] Valid
id : 3221 || 3222 && 3445 [id is Standard] Invalid

• Custom columns can't be searched in Refine Description.

Search String [Column Type] Status
ISA || http [Basic search] Valid
Local Port : 80 [Local Port is Custom] Invalid
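The five limitation tables above can be turned into a checker that reports why a search string is rejected before it is submitted, which is useful when saved searches are built by hand. The following is an added example written for this page, not EventTracker's own parser or validation logic: the set of Standard columns is a constructed subset (src and id, the ones the tables name), every other column name is treated as Custom, and the rule that a value list may not mix && with || is taken from the third row of the values table.

```python
import re

# Standard columns named in this page's limitation tables. This is a constructed
# subset for the example; the product's full list of standard columns is not
# reproduced here. Any other column name is treated as a Custom column.
STANDARD_COLUMNS = {"src", "id"}

CONNECTOR_RE = re.compile(r"\s+(AND|OR)\s+")
CLAUSE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*[:=]\s*(.+?)\s*$")


def parse_query(query):
    """Split a column-based search string into (column, value) clauses and the
    AND/OR connectors between them, e.g.
    'ID:528 AND Local Port : 80' -> ([('ID', '528'), ('Local Port', '80')], ['AND'])."""
    parts = CONNECTOR_RE.split(query.strip())
    clauses, connectors = [], []
    for i, part in enumerate(parts):
        if i % 2 == 1:          # odd positions hold the captured connector
            connectors.append(part)
            continue
        m = CLAUSE_RE.match(part)
        if not m:
            raise ValueError("not a column clause: %r" % part)
        clauses.append((m.group(1).strip(), m.group(2).strip()))
    return clauses, connectors


def column_type(name):
    return "Standard" if name.lower() in STANDARD_COLUMNS else "Custom"


def value_operators(value):
    """Which multi-value operators a clause value uses ('||', '&&' or both)."""
    return {op for op in ("||", "&&") if op in value}


def validate(query, refine_description=False):
    """Return (status, reason) for a search string using the rules above."""
    if refine_description:
        # Refine Description takes plain word searches such as 'ISA || http';
        # a Custom column clause there is rejected by the last table.
        try:
            clauses, _ = parse_query(query)
        except ValueError:
            return "Valid", "Basic search"
        if any(column_type(c) == "Custom" for c, _ in clauses):
            return "Invalid", "Custom columns can't be searched in Refine Description"
        return "Valid", "Standard column search"

    clauses, connectors = parse_query(query)
    columns = {c.lower() for c, _ in clauses}
    if len(columns) > 2:
        return "Invalid", "Exceeded the permitted number of columns"
    types = {column_type(c) for c, _ in clauses}
    if types == {"Standard", "Custom"} and "OR" in connectors:
        return "Invalid", "Standard and Custom columns combine with AND only"
    for _, value in clauses:
        if len(value_operators(value)) > 1:
            return "Invalid", "A value list mixes && and ||"
    return "Valid", "Within the permitted number of columns"


if __name__ == "__main__":
    for q in ("Src:EventTracker AND id : 3221 AND desc = ISA",
              "ID:528 OR Local Port : 80",
              "id : 3221 || 3222 && 3445",
              "Local Port : 80 OR Remote Port : 90"):
        print("%-45s %s (%s)" % (q, *validate(q)))
```

The checks run in the order the tables present them, so a string that breaks several rules (such as three columns joined by OR) is reported against the column-count rule first.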


Glossary

Term Meaning

Knowledge Category Classification of events by source.

Column based operator Used to search Standard column, Custom column or combination of both.

Custom column Custom columns are the strings extracted from the event description.

Escape character Escape character suppresses the special meaning of reserved operators.

Event ID A number identifying a particular event.

Event Type
  Error: A significant problem, such as loss of data or loss of functionality. For example, if a service fails to load during startup, an Error will be logged.
  Warning: An event that is not necessarily significant, but may indicate a possible future problem. For example, when disk space is low, a Warning will be logged.
  Information: An event that describes the successful operation of an application, driver, or service. For example, when a network driver loads successfully, an Information event will be logged.
  Audit Success: An audited security access attempt that succeeds. For example, a user's successful attempt to log on to the system will be logged as a Success Audit event.
  Audit Failure: An audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt will be logged as a Failure Audit event.

Log Type
  Application log: Records events as determined by each software vendor. Available in all Windows systems.
  Security log: Records events based on how audit policy is configured. Available in all Windows systems.
  System log: Records events for Windows components. Available in all Windows systems.
  Directory Service log: Records events for . Domain controllers only.
  DNS Server log: Records events for DNS servers and name resolution. DNS servers only.
  File Replication Service log: Records events for domain controller replication. Domain controllers only.

Logon Type
  2: Interactive (logon at keyboard and screen of system)
  3: Network (i.e. connection to shared folder on this computer from elsewhere on network or IIS logon; never logged by 528 on W2k and forward, see event 540)
  4: Batch (i.e. scheduled task)
  5: Service (Service start up)
  7: Unlock (i.e. unattended workstation with password protected screen saver)
  8: NetworkCleartext (Logon with credentials sent in the clear text. Most often indicates a logon to IIS with 'basic authentication')
  9: New Credentials
  10: RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
  11: CachedInteractive (logon with cached domain credentials, such as when logging on to a laptop when away from the network)

Operator An operator is a reserved word or a character used primarily to perform operation(s).

Range operator Used to search range of Event IDs.

Split operator Used to split column and its value.

Standard column Standard columns are the fields that define event properties.

Value based operator Used to search values in Standard column and Custom column.

Wildcard A wildcard is a symbol that takes the place of a special character or set of characters.
