Log Activity Monitoring
By default, the Log Activity tab displays events in streaming mode, allowing you to view events in real time.
For more information about streaming mode, see Viewing Streaming Events. You can specify a different time range to filter events by using the View list box.
If you previously configured saved search criteria as the default, the results of that search are automatically displayed when you access the Log Activity tab. For more information about saving search criteria, see Saving Search Criteria.
Viewing Streaming Events
Streaming mode enables you to view event data as it enters your system. This mode provides a real-time view of your current event activity by displaying the last 50 events.
If you apply any filters on the Log Activity tab or in your search criteria before enabling streaming mode, the filters are maintained in streaming mode. However, streaming mode does not support searches that include grouped events. If you enable streaming mode on grouped events or grouped search criteria, the Log Activity tab displays the normalized events. See Viewing Normalized Events.
When you want to select an event to view details or perform an action, you must pause streaming before you double-click an event. When the streaming is paused, the last 1,000 events are displayed.
1. Click the Log Activity tab.
2. From the View list box, select Real Time (streaming). For information about the toolbar options, see Table 4-1. For more information about the parameters that are displayed in streaming mode, see Table 4-7.
3. Optional. Pause or play the streaming events. Choose one of the following options:
   - To select an event record, click the Pause icon to pause streaming.
   - To restart streaming mode, click the Play icon.
Viewing Normalized Events
Events are collected in raw format, and then normalized for display on the Log Activity tab.
Normalization involves parsing raw event data and preparing the data so that readable information can be displayed on the tab. When events are normalized, the system normalizes the event names as well. Therefore, the name that is displayed on the Log Activity tab might not match the name that appears in the original event.
If you selected a time frame to display, a time series chart is displayed. For more information about using time series charts, see Time Series Chart Overview.
By default, the Log Activity tab displays the following parameters when you view normalized events:
Parameter | Description
---|---
Current Filters | The top of the table displays the details of the filters that are applied to the search results. To clear these filter values, click Clear Filter. Note: This parameter is only displayed after you apply a filter.
View | From this list box, you can select the time range that you want to filter for.
Current Statistics | When not in Real Time (streaming) or Last Minute (auto refresh) mode, current statistics are displayed, including: Note: Click the arrow next to Current Statistics to display or hide the statistics.
Charts | Displays configurable charts that represent the records that are matched by the time interval and grouping option. Click Hide Charts if you want to remove the charts from your display. The charts are only displayed after you select a time frame of Last Interval (auto refresh) or above, and a grouping option to display. For more information about configuring charts, see Chart Management. Note: If you use Mozilla Firefox as your browser and an ad blocker browser extension is installed, charts do not display. To display charts, you must remove the ad blocker browser extension. For more information, see your browser documentation.
Offenses icon | Click this icon to view details of the offense that is associated with this event. For more information, see Chart Management. Note: Depending on your product, this icon might not be available. You must have JSA.
Start Time | Specifies the time of the first event, as reported to JSA by the log source.
Event Name | Specifies the normalized name of the event.
Log Source | Specifies the log source that originated the event. If there are multiple log sources that are associated with this event, this field specifies the term Multiple and the number of log sources.
Event Count | Specifies the total number of events that are bundled in this normalized event. Events are bundled when many of the same type of event for the same source and destination IP address are detected within a short time.
Time | Specifies the date and time when JSA received the event.
Low Level Category | Specifies the low-level category that is associated with this event. For more information about event categories, see the Juniper Secure Analytics Administration Guide.
Source IP | Specifies the source IP address of the event. Note: If you select the Normalized (With IPv6 Columns) display, refer to the Source IPv6 parameter for IPv6 events.
Source Port | Specifies the source port of the event.
Destination IP | Specifies the destination IP address of the event. Note: If you select the Normalized (With IPv6 Columns) display, refer to the Destination IPv6 parameter for IPv6 events.
Destination Port | Specifies the destination port of the event.
Username | Specifies the user name that is associated with this event. User names are often available in authentication-related events. For all other types of events where the user name is not available, this field specifies N/A.
Magnitude | Specifies the magnitude of this event. Variables include credibility, relevance, and severity. Point your mouse over the magnitude bar to display the values and the calculated magnitude.
If you select the Normalized (With IPv6 Columns) display, then the Log Activity tab displays the following extra parameters:
Parameter | Description
---|---
Source IPv6 | Specifies the source IP address of the event. Note: IPv4 events display 0.0.0.0.0.0.0.0 in the Source IPv6 and Destination IPv6 columns.
Destination IPv6 | Specifies the destination IP address of the event. Note: IPv4 events display 0.0.0.0.0.0.0.0 in the Source IPv6 and Destination IPv6 columns.
1. Click the Log Activity tab.
2. Optional: From the Display list box, select Normalized (With IPv6 Columns). The Normalized (With IPv6 Columns) display shows source and destination IPv6 addresses for IPv6 events.
3. From the View list box, select the time frame that you want to display.
4. Click the Pause icon to pause streaming.
5. Double-click the event that you want to view in greater detail. For more information, see Event Details.
Viewing Raw Events
You can view raw event data, which is the unparsed event data from the log source.
When you view raw event data, the Log Activity tab provides the following parameters for each event.
Parameter | Description
---|---
Current Filters | The top of the table displays the details of the filters that are applied to the search results. To clear these filter values, click Clear Filter. Note: This parameter is only displayed after you apply a filter.
View | From this list box, you can select the time range that you want to filter for.
Current Statistics | When not in Real Time (streaming) or Last Minute (auto refresh) mode, current statistics are displayed, including: Note: Click the arrow next to Current Statistics to display or hide the statistics.
Charts | Displays configurable charts that represent the records that are matched by the time interval and grouping option. Click Hide Charts if you want to remove the charts from your display. The charts are only displayed after you select a time frame of Last Interval (auto refresh) or above, and a grouping option to display. Note: If you use Mozilla Firefox as your browser and an ad blocker browser extension is installed, charts do not display. To display charts, you must remove the ad blocker browser extension. For more information, see your browser documentation.
Offenses icon | Click this icon to view details of the offense that is associated with this event.
Start Time | Specifies the time of the first event, as reported to JSA by the log source.
Log Source | Specifies the log source that originated the event. If there are multiple log sources that are associated with this event, this field specifies the term Multiple and the number of log sources.
Payload | Specifies the original event payload information in UTF-8 format.
1. Click the Log Activity tab.
2. From the Display list box, select Raw Events.
3. From the View list box, select the time frame that you want to display.
4. Double-click the event that you want to view in greater detail. See Event Details.
Viewing Grouped Events
Using the Log Activity tab, you can view events that are grouped by various options. From the Display list box, you can select the parameter by which you want to group events.
The Display list box is not displayed in streaming mode because streaming mode does not support grouped events. If you entered streaming mode by using non-grouped search criteria, this option is displayed.
The Display list box provides the following options:
Group option | Description
---|---
Low Level Category | Displays a summarized list of events that are grouped by the low-level category of the event. For more information about categories, see the Juniper Secure Analytics Administration Guide.
Event Name | Displays a summarized list of events that are grouped by the normalized name of the event.
Destination IP | Displays a summarized list of events that are grouped by the destination IP address of the event.
Destination Port | Displays a summarized list of events that are grouped by the destination port of the event.
Source IP | Displays a summarized list of events that are grouped by the source IP address of the event.
Custom Rule | Displays a summarized list of events that are grouped by the associated custom rule.
Username | Displays a summarized list of events that are grouped by the user name that is associated with the events.
Log Source | Displays a summarized list of events that are grouped by the log source that sent the event to JSA.
High Level Category | Displays a summarized list of events that are grouped by the high-level category of the event.
Network | Displays a summarized list of events that are grouped by the network that is associated with the event.
Source Port | Displays a summarized list of events that are grouped by the source port of the event.
After you select an option from the Display list box, the column layout of the data depends on the chosen group option. Each row in the events table represents an event group. The Log Activity tab provides the following information for each event group.
Parameter | Description
---|---
Grouping By | Specifies the parameter that the search is grouped on.
Current Filters | The top of the table displays the details of the filter that is applied to the search results. To clear these filter values, click Clear Filter.
View | From the list box, select the time range that you want to filter for.
Current Statistics | When not in Real Time (streaming) or Last Minute (auto refresh) mode, current statistics are displayed, including: Note: Click the arrow next to Current Statistics to display or hide the statistics.
Charts | Displays configurable charts that represent the records that are matched by the time interval and grouping option. Click Hide Charts if you want to remove the chart from your display. Each chart provides a legend, which is a visual reference to help you associate the chart objects to the parameters they represent. Using the legend feature, you can perform the following actions:
Source IP (Unique Count) | Specifies the source IP address that is associated with this event. If there are multiple IP addresses that are associated with this event, this field specifies the term Multiple and the number of IP addresses.
Destination IP (Unique Count) | Specifies the destination IP address that is associated with this event. If there are multiple IP addresses that are associated with this event, this field specifies the term Multiple and the number of IP addresses.
Destination Port (Unique Count) | Specifies the destination ports that are associated with this event. If there are multiple ports that are associated with this event, this field specifies the term Multiple and the number of ports.
Event Name | Specifies the normalized name of the event.
Log Source (Unique Count) | Specifies the log sources that sent the event to JSA. If there are multiple log sources that are associated with this event, this field specifies the term Multiple and the number of log sources.
High Level Category (Unique Count) | Specifies the high-level category of this event. If there are multiple categories that are associated with this event, this field specifies the term Multiple and the number of categories. For more information about categories, see the Juniper Secure Analytics Administration Guide.
Low Level Category (Unique Count) | Specifies the low-level category of this event. If there are multiple categories that are associated with this event, this field specifies the term Multiple and the number of categories.
Protocol (Unique Count) | Specifies the protocol ID associated with this event. If there are multiple protocols that are associated with this event, this field specifies the term Multiple and the number of protocol IDs.
Username (Unique Count) | Specifies the user name that is associated with this event, if available. If there are multiple user names that are associated with this event, this field specifies the term Multiple and the number of user names.
Magnitude (Maximum) | Specifies the maximum calculated magnitude for grouped events. Variables that are used to calculate magnitude include credibility, relevance, and severity.
Event Count (Sum) | Specifies the total number of events that are bundled in this normalized event. Events are bundled when many of the same type of event for the same source and destination IP address are seen within a short time.
Count | Specifies the total number of normalized events in this event group.
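The bundling rule given for Event Count, and the Unique Count, Maximum, Sum and Count columns of the grouped view, can be reproduced in a few lines of Python. The following is an added example written for this page, not JSA code: it assumes a constructed set of normalized events, a 10-second bundling window (the page only says "a short time"), that a bundle carries the highest magnitude of its members, and a `Multiple (n)` rendering for multi-valued columns (the page says only that the term Multiple and the number are shown).

```python
from collections import defaultdict
from typing import Iterable

# Constructed sample of normalized events (not taken from JSA). Fields mirror
# the Log Activity columns: start (seconds), Event Name, Source IP,
# Destination IP, Destination Port, Username, Log Source, Magnitude.
FIELDS = ("start", "name", "src", "dst", "dport", "user", "log_source", "magnitude")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in (
    (0,  "Login Failure", "10.0.0.5", "10.0.1.9", 22,  "alice", "ssh-01", 4),
    (3,  "Login Failure", "10.0.0.5", "10.0.1.9", 22,  "alice", "ssh-01", 5),
    (7,  "Login Failure", "10.0.0.5", "10.0.1.9", 22,  "bob",   "ssh-01", 4),
    (95, "Login Failure", "10.0.0.5", "10.0.1.9", 22,  "alice", "ssh-01", 3),
    (10, "Login Failure", "10.0.0.7", "10.0.1.9", 22,  "N/A",   "ssh-02", 2),
    (12, "Firewall Deny", "10.0.0.7", "10.0.2.2", 445, "N/A",   "fw-01",  6),
)]

BUNDLE_WINDOW = 10  # seconds; an assumption, the page only says "a short time"


def bundle(events: Iterable[dict], window: int = BUNDLE_WINDOW) -> list:
    """Coalesce events with the same Event Name, Source IP and Destination IP
    that start within `window` seconds of the bundle's first event into one
    normalized event. The bundle keeps the first event's fields, carries the
    highest Magnitude seen (assumption) and counts its members as Event Count."""
    bundles = []
    open_bundle = {}  # (name, src, dst) -> index of the bundle still accepting events
    for ev in sorted(events, key=lambda e: e["start"]):
        key = (ev["name"], ev["src"], ev["dst"])
        idx = open_bundle.get(key)
        if idx is not None and ev["start"] - bundles[idx]["start"] <= window:
            bundles[idx]["event_count"] += 1
            bundles[idx]["magnitude"] = max(bundles[idx]["magnitude"], ev["magnitude"])
        else:
            bundles.append({**ev, "event_count": 1})
            open_bundle[key] = len(bundles) - 1
    return bundles


def unique_display(values: Iterable) -> str:
    """Render a (Unique Count) column: the value itself when the group holds one
    distinct value, otherwise the term Multiple with the distinct count."""
    distinct = {str(v) for v in values}
    return next(iter(distinct)) if len(distinct) == 1 else f"Multiple ({len(distinct)})"


def group_view(rows: list, group_by: str) -> list:
    """Build the grouped Log Activity rows: one row per distinct value of
    `group_by`, with the Unique Count, Maximum, Sum and Count columns."""
    groups = defaultdict(list)
    for row in rows:
        groups[row[group_by]].append(row)
    return [{
        "Grouping By": group_by,
        group_by: key,
        "Source IP (Unique Count)": unique_display(r["src"] for r in members),
        "Destination IP (Unique Count)": unique_display(r["dst"] for r in members),
        "Destination Port (Unique Count)": unique_display(r["dport"] for r in members),
        "Log Source (Unique Count)": unique_display(r["log_source"] for r in members),
        "Username (Unique Count)": unique_display(r["user"] for r in members),
        "Magnitude (Maximum)": max(r["magnitude"] for r in members),
        "Event Count (Sum)": sum(r["event_count"] for r in members),
        "Count": len(members),
    } for key, members in groups.items()]


if __name__ == "__main__":
    # Three of the four 10.0.0.5 login failures fall inside one window and bundle.
    for row in group_view(bundle(SAMPLE_EVENTS), "name"):
        print(row)
```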
1. Click the Log Activity tab.
2. From the View list box, select the time frame that you want to display.
3. From the Display list box, choose the parameter that you want to group events on. See Table 2. The event groups are listed. For more information about the event group details, see Table 1.
4. To view the List of Events page for a group, double-click the event group that you want to investigate. The List of Events page does not retain chart configurations that you might have defined on the Log Activity tab. For more information about the List of Events page parameters, see Table 1.
5. To view the details of an event, double-click the event that you want to investigate. For more information about event details, see Table 2.
Viewing Event Details
You can view a list of events in various modes, including streaming mode or in event groups. In whichever mode you choose to view events, you can locate and view the details of a single event.
The event details page provides the following information:
Parameter | Description
---|---
Event Name | Specifies the normalized name of the event.
Low Level Category | Specifies the low-level category of this event. For more information about categories, see the Juniper Secure Analytics Administration Guide.
Event Description | Specifies a description of the event, if available.
Magnitude | Specifies the relative importance of a particular offense. Magnitude is a weighted value calculated from relevance, severity, and credibility.
Relevance | Specifies the relative impact of an event, category, or offense on the network.
Severity | Specifies the relative threat that a source poses on a destination.
Credibility | Specifies the integrity of an event or an offense. Credibility increases as multiple sources report the same event or offense.
Username | Specifies the user name that is associated with this event, if available. To access more information that is associated with a selected user name, right-click the user name for the View Assets and View Events menu options.
Start Time | Specifies the time the event was received from the log source.
Storage Time | Specifies the time that the event was stored in the JSA database.
Log Source Time | Specifies the system time as reported by the log source in the event payload.
Source and Destination information | 
Source IP | Specifies the source IP address of the event.
Destination IP | Specifies the destination IP address of the event.
Source Asset Name | Specifies the user-defined asset name of the event source. For more information about assets, see Asset Management.
Destination Asset Name | Specifies the user-defined asset name of the event destination. For more information about assets, see Asset Management.
Source Port | Specifies the source port of this event.
Destination Port | Specifies the destination port of this event.
Pre NAT Source IP | For a firewall or another device capable of Network Address Translation (NAT), this parameter specifies the source IP address before the NAT values were applied. NAT translates an IP address in one network to a different IP address in another network.
Pre NAT Destination IP | For a firewall or another device capable of NAT, this parameter specifies the destination IP address before the NAT values were applied.
Pre NAT Source Port | For a firewall or another device capable of NAT, this parameter specifies the source port before the NAT values were applied.
Pre NAT Destination Port | For a firewall or another device capable of NAT, this parameter specifies the destination port before the NAT values were applied.
Post NAT Source IP | For a firewall or another device capable of NAT, this parameter specifies the source IP address after the NAT values were applied.
Post NAT Destination IP | For a firewall or another device capable of NAT, this parameter specifies the destination IP address after the NAT values were applied.
Post NAT Source Port | For a firewall or another device capable of NAT, this parameter specifies the source port after the NAT values were applied.
Post NAT Destination Port | For a firewall or another device capable of NAT, this parameter specifies the destination port after the NAT values were applied.
IPv6 Source | Specifies the source IPv6 address of the event.
IPv6 Destination | Specifies the destination IPv6 address of the event.
Source MAC | Specifies the source MAC address of the event.
Destination MAC | Specifies the destination MAC address of the event.
Payload information | 
Payload | Specifies the payload content from the event. This field offers 3 tabs to view the payload:
Additional information | 
Protocol | Specifies the protocol that is associated with this event.
QID | Specifies the QID for this event. Each event has a unique QID. For more information about mapping a QID, see Modifying Event Mapping.
Log Source | Specifies the log source that sent the event to JSA. If there are multiple log sources that are associated with this event, this field specifies the term Multiple and the number of log sources.
Event Count | Specifies the total number of events that are bundled in this normalized event. Events are bundled when many of the same type of event for the same source and destination IP address are seen within a short time.
Custom Rules | Specifies custom rules that match this event.
Custom Rules Partially Matched | Specifies custom rules that partially match this event.
Annotations | Specifies the annotation for this event. Annotations are text descriptions that rules can automatically add to events as part of the rule response.
Event Collector | Specifies the ID of the Event Collector component that parsed the event.
QID Event ID | The primary value set by a DSM to identify an event. JSA uses this field together with the Event Category to map to a QID record for the event.
QID Event Category | The secondary value set by a DSM to identify an event. JSA uses this field together with the Event ID to map to a QID record for the event.
Log Source Identifier | Specifies the Log Source Identifier of the log source that received the event. If the event is routed to a SIM Generic Log type log source, set this value as the Log Source Identifier value when you create a log source to collect this event.
Truncated | Specifies whether the event payload was truncated because it exceeded the maximum allowable size of 32 KB for JSA. The parameter is only set to True if the payload was truncated before storage because it exceeded the maximum allowable size for JSA. The parameter is set to False if the payload was not truncated at all. It is also set to False if the payload was truncated by the log source protocol that collected it, based on the maximum payload size parameter that was set in the log source configuration.
Stored for Performance | Set to True if an event was routed directly to storage because of performance problems. If the parameter is set to False, and the event has a Low Level Category of Stored, JSA attempted to parse it but the event was unrecognized by all available log sources that have a matching Log Source Identifier. In both cases, the event was stored without any parsing or normalization.
Identity information | JSA collects identity information, if available, from log source messages. Identity information provides extra details about assets on your network. Log sources only generate identity information if the log message sent to JSA contains an IP address and at least one of the following items: user name or MAC address. Not all log sources generate identity information.
Identity Username | Specifies the user name of the asset that is associated with this event.
Identity IP | Specifies the IP address of the asset that is associated with this event.
Identity Net Bios Name | Specifies the Network Basic Input/Output System (NetBIOS) name of the asset that is associated with this event.
Identity Extended field | Specifies more information about the asset that is associated with this event. The content of this field is user-defined text and depends on the devices on your network that are available to provide identity information. Examples include: physical location of devices, relevant policies, network switch, and port names.
Has Identity (Flag) | Specifies True if JSA has collected identity information for the asset that is associated with this event. For more information about which devices send identity information, see the Juniper Secure Analytics Configuring DSMs guide.
Identity Host Name | Specifies the host name of the asset that is associated with this event.
Identity MAC | Specifies the MAC address of the asset that is associated with this event.
Identity Group Name | Specifies the group name of the asset that is associated with this event.
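The Truncated and Identity information descriptions above both state a rule that decides a derived field: Truncated is True only for the storage-time 32 KB cut, never for a cut made by the log source protocol, and identity fields exist only when a message carries an IP address plus a user name or MAC address. The following added example (written for this page, not JSA code) implements both rules so the two truncation cases and the identity precondition can be checked; the parsed-message keys and the treatment of the tab's N/A placeholder as "no user name" are assumptions.

```python
from typing import Optional, Tuple

MAX_STORED_PAYLOAD = 32 * 1024  # the 32 KB limit stated for the Truncated parameter


def store_payload(payload: bytes, protocol_max_payload: Optional[int] = None) -> Tuple[bytes, bool]:
    """Apply the two truncation points the Truncated parameter distinguishes and
    return (stored_payload, truncated_flag).

    1. The log source protocol may cut the payload to its configured maximum
       payload size. This cut does NOT set Truncated.
    2. Before storage, JSA cuts anything still over 32 KB. Only this cut sets
       Truncated to True.
    """
    if protocol_max_payload is not None and len(payload) > protocol_max_payload:
        payload = payload[:protocol_max_payload]      # protocol-level cut, flag stays False
    if len(payload) > MAX_STORED_PAYLOAD:
        return payload[:MAX_STORED_PAYLOAD], True     # storage-level cut, flag set
    return payload, False


_MISSING = (None, "", "N/A")  # the tab shows N/A when no user name is available (assumption: treat as absent)


def identity_fields(parsed: dict) -> dict:
    """Derive the Identity fields of the event details from a parsed message.
    Identity information is generated only if the message carries an IP address
    and at least one of a user name or a MAC address; otherwise only
    Has Identity (Flag) = False is reported. The keys read from `parsed`
    (ip, username, mac, hostname, netbios, group, extended) are assumptions."""
    ip, user, mac = parsed.get("ip"), parsed.get("username"), parsed.get("mac")
    if ip in _MISSING or (user in _MISSING and mac in _MISSING):
        return {"Has Identity (Flag)": False}
    info = {"Has Identity (Flag)": True, "Identity IP": ip}
    if user not in _MISSING:
        info["Identity Username"] = user
    if mac not in _MISSING:
        info["Identity MAC"] = mac
    # Optional asset details, copied through only when the log source supplied them.
    for src_key, column in (("hostname", "Identity Host Name"),
                            ("netbios", "Identity Net Bios Name"),
                            ("group", "Identity Group Name"),
                            ("extended", "Identity Extended field")):
        if parsed.get(src_key) not in _MISSING:
            info[column] = parsed[src_key]
    return info


if __name__ == "__main__":
    # Constructed inputs, not real log data.
    big = b"A" * 40_000
    print(store_payload(big)[1])                              # storage cut: Truncated True
    print(store_payload(big, protocol_max_payload=4096)[1])   # protocol cut: Truncated False
    print(identity_fields({"ip": "10.0.0.5", "username": "alice", "hostname": "ws-17"}))
    print(identity_fields({"ip": "10.0.0.5", "username": "N/A"}))  # IP alone: no identity
```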
Event Details Toolbar
The event details toolbar provides the following functions for viewing event details:
Parameter | Description
---|---
Return to Events List | Click Return to Events List to return to the list of events.
Offense | Click Offense to display the offenses that are associated with the event.
Anomaly | Click Anomaly to display the saved search results that caused the anomaly detection rule to generate this event. Note: This icon is only displayed if this event was generated by an anomaly detection rule.
Map Event | Click Map Event to edit the event mapping. For more information, see Modifying Event Mapping.
False Positive | Click False Positive to tune JSA to prevent false positive events from generating offenses.
Extract Property | Click Extract Property to create a custom event property from the selected event.
Previous | Click Previous to view the previous event in the event list.
Next | Click Next to view the next event in the event list.
Print | Click Print to print the event details.