NIST Syslog Browser Tutorial


  1. General interface

  2. Change the IP filter

  3. Using filters

  4. Using display tab

  1. General interface

    The interface first shows a table of the messages received from the IP 129.6.58.234. Messages are automatically filtered by the IP address your browser is using. To change the IP filter, see section 2.
    When you click on a message, the screen splits in two to display the details of the selected message. At the top is the message number; clicking on the number opens the message in a separate window. Two buttons are provided on the right. The first displays the audit message as the syslog server was able to parse it; any fields that were not parsed correctly will not appear here. The "Raw Syslog message" button displays the message as the syslog server received it, before parsing.


  2. Change the IP filter

    If the machine sending syslog messages is not the one you are using to browse the log, you can change the filtered IP by clicking on the IP currently shown.

    A box will appear, type the IP address used to send syslog messages and press the enter key.

    The messages shown will now be filtered by this new IP address.

  3. Using filters

    On the left of the screen there are two panels: a green one for display options and a pink one for filters. You can use several filters at the same time to perform complex requests on the database.


    The parameters that can be used concern both syslog messages and audit log messages:

    Filter              | Syslog/Audit Log | Field                                                                  | Remark
    Event Code          | Audit Log        | EventIdentification - Event Type Code                                  |
    EventDate           | Audit Log        | EventIdentification - Event Date Time                                  | Formatted like "2008-01-06T16:02:04Z"
    UserID              | Audit Log        | ActiveParticipant - UserID                                             |
    AuditSourceID       | Audit Log        | AuditSourceIdentification - AuditSourceId                              |
    DeviceIP            | Syslog           | N/A                                                                    | IP of the device which sent the message
    InvolvedIP          | Audit Log        | ActiveParticipant network access point ID and ActiveParticipant user_id | The syslog browser tries a DNS name lookup, so an IP can also be found by its DNS name
    Tag                 | Syslog           |                                                                        | Tag specified in the syslog message
    Syslog Message Type | Audit Log        |                                                                        | Several values: Import/Export/Query/User Authentication
    Message parsed      | Audit Log        |                                                                        |
    Message not parsed  | Audit Log        |                                                                        |
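    As an added example (not part of the NIST tutorial or the browser's own code), the following Python applies the filters from the table above conjunctively to constructed sample records. The record shape and field names are assumptions; the point it shows is that a filter on an audit log field can never match a message that was not parsed, so unparsed messages must be reviewed separately.

```python
from datetime import datetime, timezone

# Constructed sample records shaped like the browser's columns (not real NIST data).
# Record 4 is a message the syslog server could not parse: only syslog fields exist.
RECORDS = [
    {"DeviceIP": "10.0.0.5", "Tag": "IHE_ATNA", "parsed": True, "EventCode": "E1",
     "EventDate": "2008-01-06T16:02:04Z", "UserID": "alice", "AuditSourceID": "PACS1",
     "InvolvedIP": "10.0.0.9", "MessageType": "Query"},
    {"DeviceIP": "10.0.0.5", "Tag": "IHE_ATNA", "parsed": True, "EventCode": "E2",
     "EventDate": "2008-01-07T09:30:00Z", "UserID": "bob", "AuditSourceID": "PACS1",
     "InvolvedIP": "10.0.0.12", "MessageType": "User Authentication"},
    {"DeviceIP": "10.0.0.7", "Tag": "IHE_ATNA", "parsed": True, "EventCode": "E1",
     "EventDate": "2008-01-08T11:00:00Z", "UserID": "alice", "AuditSourceID": "PACS2",
     "InvolvedIP": "10.0.0.9", "MessageType": "Export"},
    {"DeviceIP": "10.0.0.5", "Tag": "app", "parsed": False},
]


def parse_event_date(value):
    """Parse the EventDate format used by the browser ("2008-01-06T16:02:04Z") as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def apply_filters(records, date_from=None, date_to=None, parsed=None, **exact):
    """Return records matching ALL given criteria (filters combine with AND).

    exact: field=value pairs such as DeviceIP="10.0.0.5" or UserID="alice".
    parsed: True for "Message parsed", False for "Message not parsed".
    date_from/date_to: inclusive datetime bounds on EventDate.
    """
    matches = []
    for rec in records:
        # A missing field (e.g. UserID on an unparsed message) never matches.
        if any(rec.get(field) != value for field, value in exact.items()):
            continue
        if parsed is not None and rec["parsed"] is not parsed:
            continue
        if date_from is not None or date_to is not None:
            if "EventDate" not in rec:
                continue  # unparsed messages carry no audit date
            when = parse_event_date(rec["EventDate"])
            if date_from is not None and when < date_from:
                continue
            if date_to is not None and when > date_to:
                continue
        matches.append(rec)
    return matches
```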
  4. Using display tab

    The Display tab allows you to increase the number of messages displayed on one page and to refresh the page automatically every x minutes. Refreshing every 1/10 of a minute is also possible by entering 0.1. To cancel the automatic refresh, type "0". It is also possible to search for messages received on a specific date.