Log Center
Perform this task to display log information by asset type and log level for quick and intuitive security status monitoring. It supports full-text search, real-time monitoring, log overview, and traceback and forensics. You can view multi-dimensional log statistics and all original log details.
Log types
The system classifies logs into the following types:
· Security Logs
Record information about various attacks on customer networks, including the attack source, attack target, and attack event. Security logs include multiple subtypes of logs with different fields, convenient for users to obtain required key information based on log types.
· Audit Logs
Record information about users' access to resources such as endpoints and databases on the internal network and users' online behaviors, helping the administrator adjust audit and management policies based on users' behaviors and regulate those behaviors. Audit logs include multiple subtypes of logs with different fields, so that users can obtain the key information they need based on the log type.
· Network Traffic Logs
Record traffic information and direction for each data flow based on which the administrator can set up informed, precise management policies for each flow.
· Access Authorization Logs
Record information about user access to the network through access authorization devices. The administrator can use these logs to gain an insight into the user access authorization conditions across the network.
· Security Policy Logs
A security policy log is output when a packet matches a security policy. These logs can help administrators to audit user behaviors or troubleshoot network issues.
· Network Element Operation Logs
Record operations such as login, configuration, and authentication on devices. With these logs, you can track operations of administrators on devices, audit the operation behaviors of administrators, and troubleshoot device issues.
· Database Logs
Record running information of databases, such as performance metrics, login, user information change, and operation duration. These logs help administrators monitor the running status of databases.
· Endpoint System Logs
Record information and behaviors of endpoints, such as performance metrics, user login and logout, file operation, and process operations. These logs will help administrators to manage the endpoints.
· Middleware Logs
Record all kinds of information of host middleware. From these logs, administrators can monitor the running status of middleware.
· Trap Alarm Logs
Logs reported by devices through SNMP traps. They mainly contain device operation information.
· Network Element System Logs
Logs generated during the operation of devices. By viewing the system log information, you can track the operation process of the device, analyze the network status, and locate issue causes. These logs also provide a basis for fault diagnosis and device maintenance.
· Endpoint Audit Logs
Record network access behaviors of endpoints, helpful for the administrators to manage endpoints.
· Endpoint Antivirus Logs
Record virus information detected by the anti-virus software on endpoints, helping the administrators understand the virus infection status of the endpoints.
· Other Logs
Logs that the system failed to parse or did not parse.
Perform a full-text search
Perform this task to view the analysis results of logs collected by the system. The key fields displayed depend on the log type. You can click Customize Columns to configure the display columns for each log type as needed. When you display logs of a specific type, the system displays the configured display columns for that type. When you display logs of two or more types, the system displays common fields by default. For more information about log types, see Log types.
Procedure
1. Select Log Center > Full-Text Search.
2. Enter the original log information or filters such as source IP address and destination IP address to display the logs of your interest. To restore the default filter criteria, click Reset.
Restrictions and guidelines
· If no parse result for a log type can be queried among all log types or all logs are categorized as Other logs, a log parse error might occur. Please contact H3C Support for troubleshooting.
· The source IP in the endpoint anti-virus log is the endpoint IP.
Add filters
Perform this task to add a filter and select fields and enter field values for the filter to filter logs.
Procedure
1. Select Log Center > Full-Text Search.
2. Click + Filters, select the field to filter, select an operator, set the field value, and then click OK.
For example, to view all logs from the device at 10.135.155.1 between 2023-08-10 00:00:00 and 2023-08-11 00:00:00, follow the filter method shown below.
3. To add multiple filter conditions, click Add Condition below the input field. You can combine conditions with AND (a log must meet all conditions) or OR (a log needs to meet only one of the conditions).
Restrictions and guidelines
· The platform supports exact match and fuzzy match with wildcard characters. The following wildcard characters are supported:
○ A question mark (?) matches only one character. For example, 182.9.0.? matches 182.9.0.0 through 182.9.0.9.
○ An asterisk (*) matches any number of characters. For example, 182.9.0.* matches 182.9.0.0 through 182.9.0.255.
· Fuzzy match is not supported by fields of the numeric type. For example, the platform supports only exact match for the port number and log creation time.
· Log source device names do not support fuzzy match.
· A maximum of 10 fields can be added to filter logs.
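As an added example (not the platform's own code), the following Python models the matching rules above, including the ? and * wildcards, the exact-match-only fields, the AND/OR combination, and the 10-field limit, so you can predict what a filter will and will not match; the field names and sample logs are assumptions.

```python
import re

# Constructed example: field names are assumptions, not the platform's schema.
# Numeric fields (ports, log creation time) and the log source device name
# support exact match only; every other field gets ? and * wildcards.
EXACT_ONLY_FIELDS = {"src_port", "dst_port", "log_time", "log_source_name"}
MAX_FILTER_FIELDS = 10


def wildcard_to_regex(pattern):
    """Translate the page's wildcards: ? is exactly one character, * is any run."""
    out = []
    for ch in pattern:
        if ch == "?":
            out.append(".")
        elif ch == "*":
            out.append(".*")
        else:
            out.append(re.escape(ch))  # the dots in an IP address stay literal
    return re.compile("^" + "".join(out) + "$")


def field_matches(field, value, pattern):
    if field in EXACT_ONLY_FIELDS:
        return str(value) == pattern
    return wildcard_to_regex(pattern).match(str(value)) is not None


def filter_logs(logs, conditions, mode="AND"):
    """conditions: list of (field, pattern); AND needs all of them, OR needs any one."""
    if len(conditions) > MAX_FILTER_FIELDS:
        raise ValueError("a filter may use at most %d fields" % MAX_FILTER_FIELDS)
    combine = all if mode == "AND" else any
    return [log for log in logs
            if combine(field_matches(f, log.get(f, ""), p) for f, p in conditions)]


def ids(logs, conditions, mode="AND"):
    return [log["id"] for log in filter_logs(logs, conditions, mode)]


# Constructed sample logs, not real data.
SAMPLE_LOGS = [
    {"id": 1, "src_ip": "182.9.0.7", "dst_port": 443, "log_source_name": "fw-core-1"},
    {"id": 2, "src_ip": "182.9.0.255", "dst_port": 80, "log_source_name": "fw-core-1"},
    {"id": 3, "src_ip": "182.9.1.12", "dst_port": 443, "log_source_name": "fw-edge-2"},
    {"id": 4, "src_ip": "182.90.1.1", "dst_port": 22, "log_source_name": "fw-edge-2"},
]
```

Note that 182.9* also matches 182.90.1.1, while 182.9.* does not; end a prefix with a dot when you mean a subnet.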
Filter original logs
Enter an original log or part of an original log in the search box to obtain log information.
Procedure
1. On the top navigation bar, click Logs. From the left navigation pane, select Full-Text Search. On the page that opens, select the types of logs to be filtered.
2. Click the search box, enter information as the filter, and then click Search, as shown in the following figure:
Restrictions and Guidelines
· You can enter a maximum of 1000 characters in the search box.
· Fuzzy match is supported.
· To view the original logs, click Details in the log list.
Export logs
Perform this task to export log messages that match filter conditions. You can export up to the most recent 10000000 log messages.
Procedure
1. Select Log Center > Full-Text Search. Filter logs as needed, and then click Export. The system will export the log messages that match the filter conditions to an EXCEL file.
2. To download a log file, click the icon in the upper right corner of the page, and then click Download for that log file in the download task list that opens.
Use the decoding assistant
Perform this task to convert strings in various encoding formats into readable formats. For example, HEX-encoded strings might be present in fields such as the access URL, attack payload, and message headers. By using the decoding assistant, these strings can be converted into UTF-8 format for easy reading.
Procedure
1. Select Log Center > Full-Text Search.
2. Click Decoding Assistant. On the page that opens, paste the copied content into the input box on the left side of the page, and select the encoding format. Then, choose the appropriate encoding format for the target content on the right side, and click Decode to decode the source content. To copy the target content, click Copy.
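As an added illustration of what the decoding assistant does (example code, not the platform's own), the following Python converts HEX-, URL- and Base64-encoded field values into UTF-8, peels nested encodings one layer at a time, and substitutes U+FFFD for bytes that are not valid UTF-8 instead of failing; the encoding names and sample strings are constructed.

```python
import base64
from urllib.parse import unquote_to_bytes

# Constructed example: the layer names below are assumptions standing in for
# the source and target formats the assistant lets you select.


def decode_bytes(text, encoding):
    """Undo one encoding layer and return the raw bytes it carried."""
    if encoding == "hex":
        # accept 0x-prefixed, \x-separated and space-separated hex forms
        cleaned = text.replace("\\x", "").replace("0x", "").replace(" ", "")
        return bytes.fromhex(cleaned)          # raises ValueError on bad hex
    if encoding == "base64":
        return base64.b64decode(text, validate=True)
    if encoding == "url":
        return unquote_to_bytes(text)          # %XX escapes -> bytes
    raise ValueError("unsupported encoding: %s" % encoding)


def decode_to_utf8(text, layers):
    """Apply the listed layers outermost first, then render as UTF-8.

    Bytes that are not valid UTF-8 are shown as U+FFFD so a partially
    binary payload still becomes readable rather than raising.
    """
    raw = text.encode()
    for layer in layers:
        raw = decode_bytes(raw.decode("latin-1"), layer)
    return raw.decode("utf-8", errors="replace")


# Constructed samples: hex of "/index.php?id=1" and hex of "q%3Dhello".
SAMPLE_HEX_URL = "2f696e6465782e7068703f69643d31"
SAMPLE_HEX_OF_URLENCODED = "7125334468656c6c6f"
```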
Manage history search records
Perform this task to manage history search records. You can view, bookmark, or delete them.
Procedure
1. Select Log Center > Full-Text Search.
2. Click History Records to view history search records.
3. Add history search statements to my favorites: Click the Add button next to a statement, enter a title, and then click Add.
4. Delete a history search statement: Click the Delete button for the specified statement.
Restrictions and guidelines
The system can save up to 1000 history records. It automatically clears the oldest entries when this limit is exceeded.
Add filter conditions to my favorites
Perform this task to save frequently used filter conditions, including log types, search box content, filter conditions, and customized column fields.
Procedure
1. Select Log Center > Full Text Search. Enter or add the required filter conditions.
2. Add filter conditions to my favorites: Click the + Filters button in the upper-left corner of the page, set your filter criteria, click the icon, enter a title, and then click Add.
3. Use history filter conditions or filter conditions in my favorites: Click My Favorites in the upper-right corner, and then select and click your preferred conditions. The saved filter conditions will be automatically entered and results will be displayed.
4. Delete a saved filter condition: Click My Favorites in the upper-right corner, and then click Delete next to the condition name.
Verify signatures
Perform this task to verify the authenticity and validity of log signatures signed by the signature verification server.
Procedure
1. Select Log Center > Full-Text Search.
2. Click the icon in the Actions column for a log entry to verify the log signature.
Restrictions and guidelines
· Before using this feature, configure the parameters for the signature verification server.
· After enabling the signature verification configuration, if you edit it (such as changing the key type or certificate serial number), signature verification will fail for logs stored before the modification.
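The following Python is an added example, not the platform's own verification code: it shows why the second restriction holds. Each signed log carries the ID of the key that signed it, and a verifier whose configuration no longer knows that ID cannot validate the entry. HMAC-SHA256 with a key ID is an assumption standing in for the signature verification server's actual key type and certificate handling, and all keys and log values are placeholders.

```python
import hashlib
import hmac
import json

# Constructed example: HMAC-SHA256 keyed by a key ID stands in for the
# signature verification server's scheme, which the page does not detail.
SIG_FIELDS = ("sig_key_id", "sig")


def canonical(record):
    """Deterministic byte form of a record so signer and verifier hash the same thing."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_log(record, key_id, key):
    """Return a copy of the record carrying the signing key ID and the signature."""
    sig = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "sig_key_id": key_id, "sig": sig}


def verify_log(signed, keys):
    """keys maps key ID -> key bytes for every key the current configuration accepts."""
    body = {k: v for k, v in signed.items() if k not in SIG_FIELDS}
    key = keys.get(signed.get("sig_key_id"))
    if key is None:
        # A log signed under a key the configuration no longer knows ends up here:
        # this is the failure the restriction above describes after a config change.
        return False
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("sig", ""))


# Constructed sample material (placeholder keys, not real secrets).
OLD_KEY = b"placeholder-key-2023"
NEW_KEY = b"placeholder-key-2024"
SAMPLE_LOG = {"time": "2023-08-10 12:00:00", "src_ip": "10.135.155.1", "event": "login"}
SIGNED_LOG = sign_log(SAMPLE_LOG, "key-2023", OLD_KEY)
```

Keeping the old key ID in the verifier's key set alongside the new one is what lets logs signed before the change keep verifying.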
Perform real-time monitoring
Perform this task to display logs from multiple perspectives, including asset type, log level, and custom group, providing diverse log information presentation.
Features
· Search for logs by severity level
· Display log sources in groups
Restrictions and guidelines
The source IP in the endpoint anti-virus log is the endpoint IP.
View logs by asset type
Perform this task to display asset reporting log trends and enriched log details. You can export logs in their original or enriched format. Log information is displayed in the following ways:
· Log reporting trend graph
Displays the log reporting trend of assets within a statistical period in a line graph.
· Log list
Lists the logs reported by devices in the specified time span, including log type, log generation time, and log severity.
Procedure
1. Select Log Center > Real-time Monitoring > Asset Type.
2. To view detailed log information, click the Details button in the Actions column for a log entry.
3. To view asset log reporting status, click the specified asset name in the navigation menu to check its log reporting details for a specific period.
4. To filter logs, you can select a time span or log type.
5. To export logs, click Export. In the dialog box that opens, select Export Original Logs or Export Enriched Logs, and then click OK. The target logs will be exported to a TXT file and saved locally. If no filters are set, the latest 10000 logs are exported.
Search for logs by severity level
Perform this task to obtain logs of different severities and information about enriched logs. The system displays detailed information about logs of each severity and supports exporting original logs and enriched logs. The logs can be displayed in the following ways:
· Log report trend
Uses a line chart to display the log report trend of each severity in the specified time span.
· Log list
Lists the logs of each severity in the specified time span, including log type, log generation time, and log severity.
Procedure
1. On the top navigation bar, click Logs. From the left navigation pane, select Real-Time Monitoring > Severity.
2. To view the details of a log entry, click the icon in the Actions column for the log entry.
3. To view the logs of a severity, select a severity from the severity directory tree. Then, the system will display the enriched logs of the severity in the specified time span.
4. To filter logs, you can select a time span or log type.
5. To export logs, click Export. In the dialog box that opens, select Export Original Logs or Export Enriched Logs, and then click OK. The target logs will be exported to a TXT file and saved locally. If no filters are set, the latest 10000 logs are exported.
Display log sources in groups
Perform this task to group log sources as needed. Click a log source name to view logs reported by the log source. Logs are displayed in the following ways:
· Log reporting trend graph: Displays the log reporting trend of assets within a statistical period in a line graph.
· Log list: The list displays log information reported by assets during the statistical period, such as log type, generation time, and log severity level.
The system also supports log export. You can select to export original logs or enriched logs as needed.
Procedure
1. Select Log Center > Real-Time Monitoring > Custom Group.
2. Edit groups: Click a node in the navigation menu. The add, edit, and delete buttons will be displayed. You can add, edit, or delete nodes as needed. When editing a node, you can edit the node name and associated log sources. After configuration, click OK to save your configuration.
3. Search for assets: Enter the asset name in the search box in the navigation menu to search for matching assets.
4. View detailed log information: Click the Details button in the Actions column for a log entry to see enriched log details.
5. View asset log reporting status: Click the specified asset name in the navigation menu to check its log reporting details for a specific period.
6. Search logs by criteria: Set the statistical period and log type to filter logs that meet your criteria.
7. Log export: Click Export and select the logs to export (original or enriched logs). The system exports log data matching the query criteria as a TXT file and downloads it locally. If no search criteria are configured, the system exports the most recent 10,000 logs by generation time.
Restrictions and guidelines
· Active log sources do not support custom grouping.
· You can search for only asset names associated with log sources in the navigation menu.
View log summary
This page displays statistical information about logs received by the platform in the statistical period from multiple dimensions. By default, the system displays NE operation log distribution by device IP, audit log distribution by category, and security log distribution by attack type, device name, severity level, and destination IP. You can customize the data types and display methods as needed.
Procedure
1. Select Log Center > Log Summary.
2. Select the time span. By default, the system displays statistics about logs received within the most recent 24 hours.
3. To customize the data to be displayed in a chart and the presentation of that chart, click Customize in the top right corner of a chart. In the dialog box that opens, configure the following parameters, and then click OK.
○ Chart Name: Set the chart name to be displayed in the upper left corner of the chart.
○ Log Type: Select the type of data to be displayed. The statistics objects vary by log type.
○ Statistics Object: Select the types of data to be displayed.
○ Chart Type: Select the presentation of the chart. Options include line chart, pie chart, and bar chart.
Perform traceback and forensics
Perform this task to filter NAT logs that meet the specified criteria to obtain the internal endpoint address details, traceability process information, and NAT logs for the specified time period.
Procedure
1. Select Log Center > Traceability & Forensics.
2. After configuring the following parameters, click Search. The page will display the source tracing service chain and associated NAT logs after a period of time.
○ NAT Source IP: IP address before NAT translation.
○ Dest IP: Destination IP.
○ Source Tracking Time: Source tracing time range. The default is the last 24 hours.
○ NAT Source Port: Port before NAT translation. Optional.
○ Destination Port: Destination port. Optional.