Eventtracker Enterprise Log Search Version 8.X

Publication Date: May 24, 2017

Abstract

This document describes the EventTracker Log Search application and its available features for all v8.x versions. Event Log Search is a flexible and powerful interface to extract precise matches from large amounts of data.

Audience

Power users can formulate effective queries to obtain the most relevant information.

The information contained in this document represents the current view of EventTracker on the issues discussed as of the date of publication. Because EventTracker must respond to changing market conditions, it should not be interpreted to be a commitment on the part of EventTracker, and EventTracker cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. EventTracker MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from EventTracker, if its content is unaltered, nothing is added to the content and credit to EventTracker is provided.

EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from EventTracker, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2017 EventTracker Security LLC. All rights reserved.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents

Abstract ..... 1
Audience ..... 1
Operators ..... 3
Complex Example Queries ..... 6
Keyword Indexing ..... 9
Keyword Indexer Console ..... 9
Index CAB files ..... 11
Reset Index ..... 13
Search Keywords in Event Properties ..... 13
Search by Event Categories ..... 17
Basic Search ..... 17
Examples for Basic Search ..... 17
Standard Columns Search ..... 20
To view Event Viewer ..... 20
Examples for Standard Columns Search ..... 22
Basic Search in v8.x ..... 24
Advanced Search ..... 29
Examples for Advance Search ..... 29
Advanced search in v8.x ..... 38
RegEx in Log Search ..... 39
Log Watch ..... 40
Pivot Table ..... 45
Smart Tokens ..... 58
Limitations ..... 63
Glossary ..... 65

Operators

Reserved Operators for Log Search

Column based operators

AND
Description: The AND operator performs a logical conjunction on two expressions: result = expression 1 AND expression 2. Used to search a Standard column, a Custom column, or a combination of both.
Example: id:3405 AND Logon Type: 3
  id is a Standard (Event ID) column; Logon Type is a Custom (Event Description) column.
  Details: This query matches the Search Field(s) and returns the matching records that contain ‘Event ID 540’ and ‘Logon Type 3’.

OR
Description: The OR operator performs a logical disjunction on two expressions: result = expression 1 OR expression 2. Used to search a Standard column, a Custom column, or a combination of both.
Example: id:3405 OR Logon Type: 3
  id is a Standard (Event ID) column; Logon Type is a Custom (Event Description) column.
  Details: This query matches the Search Field(s) and returns the matching records that contain ‘Event ID 3405’ or ‘Logon Type 3’.

Value based operators

&&
Description: The && operator performs a logical conjunction on two expressions: result = expression 1 && expression 2. Used to search values in a Standard column and a Custom column.
Example #1: id:5156 && 3223 (no matching)
  id is a Standard (Event ID) column.
  Details: This query fetches no matching records, since no event log will contain two event ids for the same event.

||
Description: The || operator performs a logical disjunction on two expressions: result = expression 1 || expression 2. Used to search values in a Standard column and a Custom column.
Example: id:5447 || 3406
  id is a Standard (Event ID) column.
  Details: This query matches the Search Fields and returns the matching records that contain ‘5447’ or ‘3406’.

Split operator

:
Description: The colon (:) operator separates a Standard/Custom column from its value.
Example: Id: 4656
  Id is a Standard (Event ID) column; : is the separator; 4656 is the value.
  Details: This query matches the Search Fields and returns the matching records that contain ‘4656’.

Range operator

-
Description: Searches a range of values. Applicable only for Event ID (Standard column).
Example: Id: 4000 - 5000
  Id is a Standard (Event ID) column; : is the separator; 4000 - 5000 is the range of values.
  Details: This query matches the Search Fields and returns the matching records that contain values in the range between ‘4000’ and ‘5000’.

Wildcard characters

*
Description: Searches any character/string. Each * represents one or more words; EventTracker Log Search treats the * as a placeholder for a word or more than one word. Applicable for all types of search, i.e. Standard and Custom column searches.
Example: id:32*
  id is a Standard (Event ID) column.
  Details: This query matches the Search Fields and returns the matching records that contain values that start with ‘32’, i.e. 3225, 3226, 3227 etc.

?
Description: Searches a single character. Each ? represents just one character; EventTracker Log Search treats the ? as a placeholder for a character. Applicable for all types of search, i.e. Standard and Custom column searches.
Example #1: id:32?0
  id is a Standard (Event ID) column.
  Details: This query matches the Search Fields and returns the matching records that contain any single character between ‘32’ and ‘0’, i.e. 3200, 3210, 3220 etc.
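The following is an added example, not EventTracker code, that evaluates the operators above (column-based AND/OR, value-based &&/||, the colon split, the Event ID range, and the * and ? wildcards) against a small set of constructed events. It assumes column names are matched case-insensitively and that AND binds tighter than OR; the product does not state either, so treat both as assumptions.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample events (not real log data); keys are the columns a query names.
SAMPLE_EVENTS = [
    {"id": "3405", "Logon Type": "3", "user": "alice"},
    {"id": "4656", "Logon Type": "2", "user": "bob"},
    {"id": "3225", "Logon Type": "3", "user": "carol"},
    {"id": "5447", "Logon Type": "10", "user": "dave"},
    {"id": "3200", "Logon Type": "3", "user": "erin"},
]

def value_matches(actual, pattern):
    """Match one column value against a value term: a range or a wildcard pattern."""
    pattern = pattern.strip()
    rng = re.fullmatch(r"(\d+)\s*-\s*(\d+)", pattern)
    if rng and actual.isdigit():          # range operator: numeric Event IDs only
        return int(rng.group(1)) <= int(actual) <= int(rng.group(2))
    return fnmatchcase(actual, pattern)   # * = any run of characters, ? = one character

def column_matches(event, clause):
    """Evaluate one 'Column: value' clause, including value-based && and || inside it."""
    column, _, values = clause.partition(":")
    # Assumption: column names are case-insensitive, so 'Id' and 'id' hit the same column.
    fields = {k.lower(): str(v) for k, v in event.items()}
    actual = fields.get(column.strip().lower(), "")
    if "&&" in values:
        return all(value_matches(actual, v) for v in values.split("&&"))
    return any(value_matches(actual, v) for v in values.split("||"))

def matches(event, query):
    """Column-based AND binds tighter than OR (assumed precedence)."""
    return any(
        all(column_matches(event, c) for c in re.split(r"\s+AND\s+", group))
        for group in re.split(r"\s+OR\s+", query.strip())
    )

def search(events, query):
    """Return the 'user' field of every event that matches the Log Search query."""
    return [e["user"] for e in events if matches(e, query)]

if __name__ == "__main__":
    for q in ("id:3405 AND Logon Type: 3", "id:5156 && 3223", "Id: 4000 - 5000", "id:32?0"):
        print(f"{q!r:32} -> {search(SAMPLE_EVENTS, q)}")
```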