Exporting the Logs
Export the logs that are created after you build a Universal DSM.
Typically you want a significant number of logs for review. Depending on the EPS rate of the unsupported log source, it might take several hours to obtain a comprehensive log sample.
When JSA can't detect the log source type, events are collected, but are not parsed. You can filter on these unparsed events and then review the last system notification that you received. After you reviewed the system notification, you can create a search that is based on that time frame.
- To look at only the events that are not parsed, filter
the logs.
Click the Log Activity tab.
Click Add Filter.
Select Event is Unparsed.
Tip Type inside the Parameter text box to see the Event is Unparsed item.
Select a time frame.
If you see Information events from system notifications, right-click to filter them out.
Review the Source IP column to determine what device is sending the events.
You can view the raw event payloads. Typically, manufacturers put identifiable product names in the headers, so you can set your search to Display: Raw Events to show the payloads without having to manually open each event. Sorting by network can also help you find a specific device where the event originated from.
- Create a search for exporting the logs.
From the Log Activity tab, select Search >Edit Search.
For the Time Range, specify as enough time, for example 6 hours, from when the log source was created.
Under Search Parameters, from the Parameter list, select Log Source (Indexed), from the Operator list, select Equals, and from the Log Source Group list, select Other, specify the log source that was created when you built the Universal DSM.
Note Depending on your settings, you might see Log Source in the Parameter list instead of Log Source (Indexed).
Click Search to view the results.
- Review the results in the console to check the payload.
- Optionally, you can export the results by clicking select Actions >Export to XML > Full Export (All Columns).
Don't select Export to CSV because the payload might be split across multiple columns, therefore making it difficult to find the payload. XML is the preferred format for event reviews.
You are prompted to download a compressed file. Open the compressed file and then open the resulting file.
Review the logs.
Event payloads are between the following tags:
<payloadAsUTF> ... </payloadAsUTF>
The following code shows an example payload:
<payloadAsUTF>ecs-ep (pid 4162 4163 4164) is running... </payloadAsUTF>
A critical step in creating a Universal DSM is reviewing the logs for usability. At a minimum, the logs must have a value that can be mapped to an event name. The event name must be a unique value that can distinguish the various log types.
The following code shows an example of usable logs:
May 20 17:16:14 dropbear[22331]: bad password attempt for 'root' from 192.168.50.80:3364 May 20 17:16:26 dropbear[22331]: password auth succeeded for 'root' from 192.168.50.80:3364 May 20 16:42:19 kernel: DROP IN=vlan2 OUT= MAC=00:01:5c:31:39:c2:08:00 SRC=172.29.255.121 DST=255.255.255.255 PROTO=UDP SPT=67 DPT=68
The following codes shows an example of slightly less usable logs:
Oct 26 08:12:08 loopback 1256559128 autotrace[215824]: W: trace: no map for prod 49420003, idf 010029a2, lal 00af0008 Oct 26 16:35:00 sxpgbd0081 last message repeated 7 times Nov 24 01:30:00 sxpgbd0081 /usr/local/monitor-rrd/sxpgbd0081/.rrd (rc=-1, opening '/usr/local/monitor-rrd/sxpgbd0081/.rrd': No such file or directory)