Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Log Activity Monitoring

 

By default, the Log Activity tab displays events in streaming mode, allowing you to view events in real time.

For more information about streaming mode, see Viewing Streaming Events. You can specify a different time range to filter events by using the View list box.

If you previously configured saved search criteria as the default, the results of that search are automatically displayed when you access the Log Activity tab. For more information about saving search criteria, seeSaving Search Criteria.

Viewing Streaming Events

Streaming mode will enable you to view event data that enters your system. This mode provides you with a real-time view of your current event activity by displaying the last 50 events.

If you apply any filters on the Log Activity tab or in your search criteria before enabling streaming mode, the filters are maintained in streaming mode. However, streaming mode does not support searches that include grouped events. If you enable streaming mode on grouped events or grouped search criteria, the Log Activity tab displays the normalized events. See Viewing normalized events

When you want to select an event to view details or perform an action, you must pause streaming before you double-click an event. When the streaming is paused, the last 1,000 events are displayed.

  1. Click the Log Activity tab.
  2. From the View list box, select Real Time (streaming).

    For information about the toolbar options, see Table 4-1. For more information about the parameters that are displayed in streaming mode, see Table 4-7.

  3. Optional. Pause or play the streaming events. Choose one of the following options:
    • To select an event record, click the Pause icon to pause streaming.

    • To restart streaming mode, click the Play icon.

Viewing Normalized Events

Events are collected in raw format, and then normalized for display on the Log Activity tab.

Normalization involves parsing raw event data and preparing the data to display readable information about the tab. When events are normalized, the system normalizes the names as well. Therefore, the name that is displayed on the Log Activity tab might not match the name that is displayed in the event.

Note

If you selected a time frame to display, a time series chart is displayed. For more information about using time series charts, see Time Series Chart Overview.

By default, the Log Activity tab displays the following parameters when you view normalized events:

Table 1: Log Activity Tab - Default (Normalized) Parameters

Parameter

Description

Current Filters

The top of the table displays the details of the filters that are applied to the search results. To clear these filter values, click Clear Filter.

Note: This parameter is only displayed after you apply a filter.

View

From this list box, you can select the time range that you want to filter for.

Current Statistics

When not in Real Time (streaming) or Last Minute (auto refresh) mode, current statistics are displayed, including:

Note: Click the arrow next to Current Statistics to display or hide the statistics

  • Total Results Specifies the total number of results that matched your search criteria.

  • Data Files Searched Specifies the total number of data files searched during the specified time span.

  • Compressed Data Files Searched Specifies the total number of compressed data files searched within the specified time span.

  • Index File Count Specifies the total number of index files searched during the specified time span.

  • Duration Specifies the duration of the search.

    Note: Current statistics are useful for troubleshooting. When you contact Juniper Customer Support to troubleshoot events, you might be asked to supply current statistical information.

Charts

Displays configurable charts that represent the records that are matched by the time interval and grouping option. Click Hide Charts if you want to remove the charts from your display. The charts are only displayed after you select a time frame of Last Interval (auto refresh) or above, and a grouping option to display. For more information about configuring charts, see Chart Management.

Note: If you use Mozilla Firefox as your browser and an ad blocker browser extension is installed, charts do not display. To displayed charts, you must remove the ad blocker browser extension. For more information, see your browser documentation.

Offenses icon

Click this icon to view details of the offense that is associated with this event. For more information, see Chart Management.

Note: Depending on your product, this icon is might not be available. You must have JSA.

Start Time

Specifies the time of the first event, as reported to JSA by the log source.

Event Name

Specifies the normalized name of the event.

Log Source

Specifies the log source that originated the event. If there are multiple log sources that are associated with this event, this field specifies the term Multiple and the number of log sources.

Event Count

Specifies the total number of events that are bundled in this normalized event. Events are bundled when many of the same type of event for the same source and destination IP address are detected within a short time.

Time

Specifies the date and time when JSA received the event.

Low Level Category

Specifies the low-level category that is associated with this event.

For more information about event categories, see the Juniper Secure Analytics Administration Guide.

Source IP

Specifies the source IP address of the event.

Note: If you select the Normalized (With IPv6 Columns) display, refer to the Source IPv6 parameter for IPv6 events.

Source Port

Specifies the source port of the event.

Destination IP

Specifies the destination IP address of the event.

Note: If you select the Normalized (With IPv6 Columns) display, refer to the Destination IPv6 parameter for IPv6 events.

Destination Port

Specifies the destination port of the event.

Username

Specifies the user name that is associated with this event. User names are often available in authentication-related events. For all other types of events where the user name is not available, this field specifies N/A.

Magnitude

Specifies the magnitude of this event. Variables include credibility, relevance, and severity. Point your mouse over the magnitude bar to display values and the calculated magnitude.

If you select the Normalized (With IPv6 Columns) display, then the Log Activity tab displays the following extra parameters:

Table 2: Table 14. Log Activity tab - Normalized (With IPv6 Columns) Parameters

Parameter

Description

Source IPv6

Specifies the source IP address of the event.

Note: IPv4 events display 0.0.0.0.0.0.0.0 in the Source IPv6 and Destination IPv6 columns.

Destination IPv6

Specifies the destination IP address of the event.

Note: IPv4 events display 0.0.0.0.0.0.0.0 in the Source IPv6 and Destination IPv6 columns.

  1. Click the Log Activity tab.
  2. Optional: From the Display list box, select Normalized (With IPv6 Columns). The Normalized (With IPv6 Columns) display shows source and destination IPv6 addresses for IPv6 events.
  3. From the View list box, select the time frame that you want to display.
  4. Click the Pause icon to pause streaming.
  5. Double-click the event that you want to view in greater detail. For more information, see Event details.

Viewing Raw Events

You can view raw event data, which is the unparsed event data from the log source.

When you view raw event data, the Log Activity tab provides the following parameters for each event.

Table 3: Raw Event Parameters

Parameter

Description

Current Filters

The top of the table displays the details of the filters that are applied to the search results. To clear these filter values, click Clear Filter.

Note: This parameter is only displayed after you apply a filter.

View

From this list box, you can select the time range that you want to filter for.

Current Statistics

When not in Real Time (streaming) or Last Minute (auto refresh) mode, current statistics are displayed, including:

Note: Click the arrow next to Current Statistics to display or hide the statistics

  • Total Results Specifies the total number of results that matched your search criteria.

  • Data Files Searched Specifies the total number of data files searched during the specified time span.

  • Compressed Data Files Searched Specifies the total number of compressed data files searched within the specified time span.

  • Index File Count Specifies the total number of index files searched during the specified time span.

  • Duration Specifies the duration of the search.

    Note: Current statistics are useful for troubleshooting. When you contact Juniper Customer Support to troubleshoot events, you might be asked to supply current statistical information.

Charts

Displays configurable charts that represent the records that are matched by the time interval and grouping option. Click Hide Charts if you want to remove the charts from your display. The charts are only displayed after you select a time frame of Last Interval (auto refresh) or above, and a grouping option to display.

Note: If you use Mozilla Firefox as your browser and an ad blocker browser extension is installed, charts do not display. To displayed charts, you must remove the ad blocker browser extension. For more information, see your browser documentation.

Offenses icon

Click this icon to view details of the offense that is associated with this event.

Start Time

Specifies the time of the first event, as reported to JSA by the log source.

Log Source

Specifies the log source that originated the event. If there are multiple log sources that are associated with this event, this field specifies the term Multiple and the number of log sources.

Payload

Specifies the original event payload information in UTF-8 format.

  1. Click the Log Activity tab.
  2. From the Display list box, select Raw Events.
  3. From the View list box, select the time frame that you want to display.
  4. Double-click the event that you want to view in greater detail. See Event details.

Viewing Grouped Events

Using the Log Activity tab, you can view events that are grouped by various options. From the Display list box, you can select the parameter by which you want to group events.

The Display list box is not displayed in streaming mode because streaming mode does not support grouped events. If you entered streaming mode by using non-grouped search criteria, this option is displayed.

The Display list box provides the following options:

Table 4: Grouped Events Options

Group option

Description

Low Level Category

Displays a summarized list of events that are grouped by the low-level category of the event.

For more information about categories, see the Juniper Secure Analytics Administration Guide.

Event Name

Displays a summarized list of events that are grouped by the normalized name of the event.

Destination IP

Displays a summarized list of events that are grouped by the destination IP address of the event.

Destination Port

Displays a summarized list of events that are grouped by the destination port address of the event.

Source IP

Displays a summarized list of events that are grouped by the source IP address of the event.

Custom Rule

Displays a summarized list of events that are grouped by the associated custom rule.

Username

Displays a summarized list of events that are grouped by the user name that is associated with the events.

Log Source

Displays a summarized list of events that are grouped by the log sources that sent the event to JSA.

High Level Category

Displays a summarized list of events that are grouped by the high-level category of the event.

Network

Displays a summarized list of events that are grouped by the network that is associated with the event.

Source Port

Displays a summarized list of events that are grouped by the source port address of the event.

After you select an option from the Display list box, the column layout of the data depends on the chosen group option. Each row in the events table represents an event group. The Log Activity tab provides the following information for each event group.

Table 5: Grouped Event Parameters

Parameter

Description

Grouping By

Specifies the parameter that the search is grouped on.

Current Filters

The top of the table displays the details of the filter that is applied to the search results. To clear these filter values, click Clear Filter.

View

From the list box, select the time range that you want to filter for.

Current Statistics

When not in Real Time (streaming) or Last Minute (auto refresh) mode, current statistics are displayed, including:

Note: Click the arrow next to Current Statistics to display or hide the statistics.

  • Total Results Specifies the total number of results that matched your search criteria.

  • Data Files Searched Specifies the total number of data files searched during the specified time span.

  • Compressed Data Files Searched Specifies the total number of compressed data files searched within the specified time span.

  • Index File Count Specifies the total number of index files searched during the specified time span.

  • Duration Specifies the duration of the search.

    Note: Current statistics are useful for troubleshooting. When you contact Juniper Customer Support to troubleshoot events, you might be asked to supply current statistic information.

Charts

Displays configurable charts that represent the records that are matched by the time interval and grouping option. Click Hide Charts if you want to remove the chart from your display.

Each chart provides a legend, which is a visual reference to help you associate the chart objects to the parameters they represent. Using the legend feature, you can perform the following actions:

  • Move your mouse pointer over a legend item to view more information about the parameters it represents.

  • Right-click the legend item to further investigate the item.

  • Click a legend item to hide the item in the chart. Click the legend item again to show the hidden item. You can also click the corresponding graph item to hide and show the item.

  • Click Legend if you want to remove the legend from your chart display.

    Note: The charts are only displayed after you select a time frame of Last Interval (auto refresh) or above, and a grouping option to display.

    Note: If you use Mozilla Firefox as your browser and an ad blocker browser extension is installed, charts do not display. To display charts, you must remove the ad blocker browser extension. For more information, see your browser documentation.

Source IP (Unique Count)

Specifies the source IP address that is associated with this event. If there are multiple IP addresses that are associated with this event, this field specifies the term Multiple and the number of IP addresses.

Destination IP (Unique Count)

Specifies the destination IP address that is associated with this event. If there are multiple IP addresses that are associated with this event, this field specifies the term Multiple and the number of IP addresses.

Destination Port (Unique Count)

Specifies the destination ports that are associated with this event. If there are multiple ports that are associated with this event, this field specifies the term Multiple and the number of ports.

Event Name

Specifies the normalized name of the event.

Log Source (Unique Count)

Specifies the log sources that sent the event to JSA. If there are multiple log sources that are associated with this event, this field specifies the term Multiple and the number of log sources.

High Level Category (Unique Count)

Specifies the high-level category of this event. If there are multiple categories that are associated with this event, this field specifies the term Multiple and the number of categories.

For more information about categories, see the Log Manager Administration Guide.

Low Level Category (Unique Count)

Specifies the low-level category of this event. If there are multiple categories that are associated with this event, this field specifies the term Multiple and the number of categories.

Protocol (Unique Count)

Specifies the protocol ID associated with this event. If there are multiple protocols that are associated with this event, this field specifies the term Multiple and the number of protocol IDs.

Username (Unique Count)

Specifies the user name that is associated with this event, if available. If there are multiple user names that are associated with this event, this field specifies the term Multiple and the number of user names.

Magnitude (Maximum)

Specifies the maximum calculated magnitude for grouped events. Variables that are used to calculate magnitude include credibility, relevance, and severity.

Event Count (Sum)

Specifies the total number of events that are bundled in this normalized event. Events are bundled when many of the same type of event for the same source and destination IP address are seen within a short time.

Count

Specifies the total number of normalized events in this event group.

  1. Click the Log Activity tab.
  2. From the View list box, select the time frame that you want to display.
  3. From the Display list box, choose which parameter you want to group events on. See Table 2.

    The events groups are listed. For more information about the event group details, see Table 1.

  4. To view the List of Events page for a group, double-click the event group that you want to investigate.

    The List of Events page does not retain chart configurations that you might have defined on the Log Activity tab. For more information about the List of Events page parameters, see Table 1.

  5. To view the details of an event, double-click the event that you want to investigate. For more information about event details, see Table 2.

Viewing Event Details

You can view a list of events in various modes, including streaming mode or in event groups. In, whichever mode you choose to view events, you can locate and view the details of a single event.

The event details page provides the following information:

Table 6: Event Details

Parameter

Description

Event Name

Specifies the normalized name of the event.

Low Level Category

Specifies the low-level category of this event.

For more information about categories, see the Juniper Secure Analytics Administration Guide.

Event Description

Specifies a description of the event, if available.

Magnitude

Specifies the magnitude of this event.

Relevance

Specifies the relevance of this event.

Severity

Specifies the severity of this event.

Credibility

Specifies the credibility of this event.

Username

Specifies the user name that is associated with this event, if available.

Start Time

Specifies the time of the event was received from the log source.

Storage Time

Specifies the time that the event was stored in the JSA database.

Log Source Time

Specifies the system time as reported by the log source in the event payload.

Source and Destination information

Source IP

Specifies the source IP address of the event.

Destination IP

Specifies the destination IP address of the event.

Source Asset Name

Specifies the user-defined asset name of the event source. For more information about assets, see Asset management.

Destination Asset Name

Specifies the user-defined asset name of the event destination. For more information about assets, see Asset management

Source Port

Specifies the source port of this event.

Destination Port

Specifies the destination port of this event.

Pre NAT Source IP

For a firewall or another device capable of Network Address Translation (NAT), this parameter specifies the source IP address before the NAT values were applied. NAT translates an IP address in one network to a different IP address in another network.

Pre NAT Destination IP

For a firewall or another device capable of NAT, this parameter specifies the destination IP address before the NAT values were applied.

Pre NAT Source Port

For a firewall or another device capable of NAT, this parameter specifies the source port before the NAT values were applied.

Pre NAT Destination Port

For a firewall or another device capable of NAT, this parameter specifies the destination port before the NAT values were applied.

Post NAT Source IP

For a firewall or another device capable of NAT, this parameter specifies the source IP address after the NAT values were applied.

Post NAT Destination IP

For a firewall or another device capable of NAT, this parameter specifies the destination IP address after the NAT values were applied.

Post NAT Source Port

For a firewall or another device capable of NAT, this parameter specifies the source port after the NAT values were applied.

Post NAT Destination Port

For a firewall or another device capable of NAT, this parameter specifies the destination port after the NAT values were applied.

Post NAT Source Port

For a firewall or another device capable of NAT, this parameter specifies the source port after the NAT values were applied.

Post NAT Destination Port

For a firewall or another device capable of NAT, this parameter specifies the destination port after the NAT values were applied.

IPv6 Source

Specifies the source IPv6 address of the event.

IPv6 Destination

Specifies the destination IPv6 address of the event.

Source MAC

Specifies the source MAC address of the event.

Destination MAC

Specifies the destination MAC address of the event.

Payload information

Payload

Specifies the payload content from the event. This field offers 3 tabs to view the payload:

  • Universal Transformation Format (UTF) - Click UTF.

  • Hexadecimal - Click HEX.

  • Base64 - Click Base64.

Additional information

Protocol

Specifies the protocol that is associated with this event.

QID

Specifies the QID for this event. Each event has a unique QID. For more information about mapping a QID, see Modifying Event Mapping

Log Source

Specifies the log source that sent the event to JSA. If there are multiple log sources that are associated with this event, this field specifies the term Multiple and the number of log sources.

Event Count

Specifies the total number of events that are bundled in this normalized event. Events are bundled when many of the same type of event for the same source and destination IP address are seen within a short time.

Custom Rules

Specifies custom rules that match this event. .

Custom Rules Partially Matched

Specifies custom rules that partially match this event.

Annotations

Specifies the annotation for this event. Annotations are text descriptions that rules can automatically add to events as part of the rule response.

Identity information JSA collects identity information, if available, from log source messages. Identity information provides extra details about assets on your network. Log sources only generate identity information if the log message sent to JSA contains an IP address and least one of the following items: User name or MAC address. Not all log sources generate identity information.

Identity Username

Specifies the user name of the asset that is associated with this event.

Identity IP

Specifies the IP address of the asset that is associated with this event.

Identity Net Bios Name

Specifies the Network Base Input/Output System (Net Bios) name of the asset that is associated with this event.

Identity Extended field

Specifies more information about the asset that is associated with this event. The content of this field is user-defined text and depends on the devices on your network that are available to provide identity information. Examples include: physical location of devices, relevant policies, network switch, and port names.

Has Identity (Flag)

Specifies True if JSA has collected identify information for the asset that is associated with this event.

For more information about which devices send identity information, see the Juniper Secure Analytics Configuring DSMs.

Identity Host Name

Specifies the host name of the asset that is associated with this event.

Identity MAC

Specifies the MAC address of the asset that is associated with this event.

Identity Group Name

Specifies the group name of the asset that is associated with this event.

Event Details Toolbar

The events details toolbar provides several functions for viewing events detail.

The event details toolbar provides the following functions:

Table 7: Event Details Toolbar

Return to Events List

Click Return to Events List to return to the list of events.

Offense

Click Offense to display the offenses that are associated with the event.

Map Event

Click Map Event to edit the event mapping. For more information, see Modifying Event Mapping.

False Positive

Click False Positive to tune JSA to prevent false positive events from generating into offenses.

Extract Property

Click Extract Property to create a custom event property from the selected event.

Previous

Click Previous to view the previous event in the event list.

Next

Click Next to view the next event in the event list.

PCAP Data

Note: This option is only displayed if your JSA Console is configured to integrate with the Juniper Junos OS Platform DSM. For more information about managing PCAP data, see PCAP Data.

Print

Click Print to print the event details.