5.1 Running an Event Search

Users can run simple or advanced searches. Basic event information includes the event name, source, time, severity, information about the initiator (represented by an arrow icon), and information about the target (represented by a bull’s-eye icon).

5.1.1 Running a Basic Search

By default, the search results include all events generated by the Sentinel system operations. These events are tagged with the Sentinel tag. If no query is specified and you click Search for the first time after the Sentinel installation, the default search returns all events with severity 3 to 5. Otherwise, the Search feature reuses the last specified search query.

To search for a value in a specific field, use the short name (ID) of the field, a colon, and the value. For example, to search for an authentication attempt to Sentinel by user2, use the following text in the search field:

evt:LoginUser AND sun:user2

An advanced search can narrow the search for a value to a specific event field. The advanced search criteria are based on the event IDs for each event field and the search logic for the index. Advanced searches can include the product name, severity, source IP, and the event type. For example:

  • pn:NMAS AND sev:5

    This searches for events with the product name NMAS and severity five.

  • sip:10.0.0.1 AND evt:"Set Password"

    This searches for the initiator IP address 10.0.0.1 and a “Set Password” event.

Multiple advanced search criteria can be combined by using various operators. The advanced search criteria syntax is modeled on the search criteria for the Apache Lucene open source package. For more information on building search criteria, see Section A.0, Search Query Syntax.

To run a basic text search:

5.1.2 Running an Advanced Search

An advanced search can narrow the search for a value to a specific event field. The advanced search criteria are based on the short names for each event field and the search logic for the index. For more information on the field names, their descriptions, the short names that are used in advanced searches, and which fields are visible in the basic and detailed event views, see Table E-1, Event Fields. For more information on the search procedure, see Section 5.1.1, Running a Basic Search.

NOTE: For more information on the tag names, click the search tips link.

To search for a value in a specific field, use the short name of the field, a colon, and the value. For example, to search for an authentication attempt to Sentinel Log Manager by user2, use the following text in the search field:

evt:<eventname> AND sun:user2

Other advanced searches could include the product name, severity, source IP, and the event type. For example:

  • pn:NMAS AND sev:5 (This search is for events with the product name NMAS and severity five.)

  • sip:123.45.67.89 AND evt:"Set Password" (This search is for the initiator IP of 123.45.67.89 and an event of 'Set Password'.)

Multiple advanced search criteria can be combined by using the following operators:

  • AND (must be capitalized)

  • OR (must be capitalized)

  • NOT (must be capitalized and cannot be used as the only search criterion)

  • +

  • -

The following special characters must be escaped by using a \ symbol:

+ - && || ! ( ) { } [ ] ^ " ~ * ? : \

The advanced search criteria syntax is modeled on the search criteria for the Apache Lucene open source package. For more information on the search criteria, see Lucene Query Parser Syntax.

To run an advanced search:

  1. Log in to Sentinel Log Manager.

  2. Click New Search.

    A new tab is displayed.

  3. To search based on tags, you can do one of the following:

    • Click the tags widget, and in the pop-up select the tags on which you want to search events.

    • Specify the following query:

      @<tagname>

      For example, @SentinelLogManager lists all the system events.

  4. Click Search.

  5. If distributed search is configured, click targets to select the servers in the distributed environment from which to search for events. For more information on Distributed Search, see Section 7.0, Searching and Reporting Events in a Distributed Environment.
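As an added example (not taken from the Sentinel Log Manager documentation), the following Python helper builds advanced-search strings according to the rules above: field short name, colon and value; capitalized AND, OR and NOT; NOT never standing alone; backslash escaping of the listed special characters; and the @<tagname> form from step 3. Whether the parser also accepts escaped characters inside a quoted phrase is an assumption made here, so the helper escapes conservatively.

```python
# Added example, not from the Sentinel Log Manager documentation: builds
# advanced-search strings according to the syntax rules the page describes.
# Characters the page lists as requiring a backslash escape ("&&" and "||"
# are covered by escaping each "&" and "|").
SPECIAL_CHARS = set('+-&|!(){}[]^"~*?:\\')
OPERATORS = ('AND', 'OR')

def escape_value(value: str) -> str:
    """Backslash-escape every listed special character in a literal value."""
    return ''.join('\\' + c if c in SPECIAL_CHARS else c for c in value)

def term(field: str, value: str) -> str:
    """Build one <short name>:<value> term; values with whitespace are quoted
    as in the page's evt:"Set Password" example. Escaping inside the quotes
    is applied conservatively (assumption: the parser accepts it)."""
    escaped = escape_value(value)
    if any(ch.isspace() for ch in value):
        return f'{field}:"{escaped}"'
    return f'{field}:{escaped}'

def tag_term(tag_name: str) -> str:
    """Build the @<tagname> form used to search by tag (step 3 above)."""
    return '@' + escape_value(tag_name)

def combine(terms, operator: str = 'AND') -> str:
    """Join terms with AND or OR; the page requires the operators to be
    capitalized, so only the exact spellings are accepted."""
    if operator not in OPERATORS:
        raise ValueError(f'operator must be one of {OPERATORS}')
    if not terms:
        raise ValueError('at least one search term is required')
    return f' {operator} '.join(terms)

def exclude(base: str, *negated: str) -> str:
    """Append NOT clauses to an existing query; NOT cannot be the only
    criterion, so a non-empty base query is required."""
    if not base.strip():
        raise ValueError('NOT cannot be used as the only search criterion')
    return ' '.join([base] + [f'NOT {t}' for t in negated])

if __name__ == '__main__':
    # Constructed sample values; user(2) shows the escaping at work.
    print(combine([term('evt', 'LoginUser'), term('sun', 'user2')]))
    print(combine([term('sip', '10.0.0.1'), term('evt', 'Set Password')]))
    print(exclude(combine([term('pn', 'NMAS'), term('sev', '5')]),
                  term('sun', 'user(2)')))
    print(tag_term('SentinelLogManager'))
```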

5.1.3 Search Expression History

Sentinel Log Manager allows you to select a search expression from the search history list. The search history displays a maximum of 15 search expressions. When you enter a value in Search, you can select one of the recently used searches and run it with the selected time parameters.

Figure 5-1 Search Expression History List

  • When you enter a text value in Search, the closely matched search expressions appear in the recently used search expression list.

  • When the text is not entered in Search, the search history displays all the recently used search expressions. The most recent search expression appears at the top of the list.

  • For each user, a maximum of 250 search expressions is stored. If the number of search expressions exceeds 250, the oldest expressions are deleted from the list.