Working with Discover

View the logs that are stored in the Audit Store using Discover. The basics of Discover and an overview of running queries on the Discover screen are provided here.

For more information about Discover, refer to OpenSearch Dashboards.

Viewing logs

The logs that are aggregated and collected are sent to Insight. Insight stores the logs in the Audit Store. The logs from the Audit Store are displayed on the Insight Dashboard. Here, the different fields and the data logged are visible. In addition to viewing the data, these logs serve as input for Analytics to analyze the health of the system and to monitor the system for security purposes.

To view the logs, log in to the system, select Discover from the menu, and select a time period such as Last 30 days.

Use the default index pty_insight_analytics*audits_* to view the log data. This default index pattern uses wildcard characters for referencing all indexes. Alternatively, select an index pattern or alias for the entries to view the data from a different index.

After an index is deleted, the data associated with it is permanently removed, and without a backup, there is no way to recover it. For more information about indexes, refer to Managing indexes and OpenSearch Dashboards. For more information about managing Audit Store indexes, refer to Index state management (ISM).

Saved queries

Run a query and customize the log details displayed. Save the query and the settings for running a query, such as the columns, row count, tail, and indexes for the query. The saved queries created are user-specific.

From Discover, click Open to use the following saved queries to view information:

  • Policy search: This query is available to view policy logs. A policy log is created during policy creation, policy deployment, policy enforcement, and during the collection, storage, forwarding, and analysis of logs.
  • Security search: This query is available to view security operation logs. A security log is created during various security operations performed by protectors, such as performing protect, unprotect, and reprotect operations.
  • Signature Verification Search: This query is available to view signature verification information.
  • Unsuccessful Security Operations: This query is available to view unsuccessful security operation-related logs. Unsuccessful Security Operations logs are created when security operations fail due to errors, warnings, or exceptions.

  1. Log in to the Insight Dashboard using a web browser.

  2. Select Discover from the menu, and optionally select a time period such as Last 30 days.

  3. Select the index for running the query.

  4. Enter the query in the Search field.

  5. Optionally, select the required fields.

  6. Click the See saved queries icon to save the query.

    The Saved Queries list appears.

  7. Click Save current query.

    The Save query dialog box appears.

  8. Specify a name for the query.

  9. Click Save to save the query information, including the configurations specified, such as the columns, row count, tail, indexes, and query.

    The query is saved.

  10. Click the See saved queries icon to view the saved queries.


Understanding the Insight indexes

The contents of the various logs that are generated by the Protegrity products describe the working of the system. They help you understand the health of the system, identify issues, and troubleshoot.

Understanding the index field values

This section lists information about the various fields logged for the Protection, Policy, Application, Audit, Kernel, Security, and Verification logs. It helps you understand the information that is contained in the logs and is useful for troubleshooting the system.

Index entries

The index configuration, samples, and entry descriptions help identify and analyze the log entries in the indexes.

Log return codes

The log codes and the descriptions help you understand the reason for the code and are useful during troubleshooting.

Protectors security log codes

This section lists the log codes and the descriptions for all protectors. This log information helps analyze the results of the protection operations.

Additional log information

The descriptions for the details displayed in logs help identify the type and reason for raising the log entry.


Last modified : April 06, 2026