Track LogStats Log Count

Document created by RSA Information Design and Development Employee on May 25, 2016Last modified by RSA Information Design and Development Employee on Feb 14, 2020
Version 218Show Document
  • View in full screen mode

Log Decoders have the ability to track the log count and last received time for each event source and forwarder that reports to it.

View Log Stats Information

To view Logs Stats information:

  1. Depending on your version:

    • For Security Analytics 10.x: In the Security Analytics menu, select Administration > Services.
    • For NetWitness 11.x: In the NetWitness menu, select ADMIN > Services.
  2. Select a Log Decoder service and click View > Stats.
  3. Click the Log Stats tab.

Enable Source and Forwarder Tracking

However, this behavior is not enabled by default. To enable source and forwarder tracking, start capture and then perform the following procedure.

  1. Access the REST API by entering the following URL in a web browser: http://logDecoderIP:50102, where logDecoderIP is the IP address of the Log Decoder.
  2. Click decoder, then config. This displays all the configuration parameters for the Log Decoder.
  3. Scroll down until you find Log Stats Enabled (log.stats.enabled).
  4. In the text field, type true, and click Set.

Once set, all subsequent logs received by the Log Decoder will increment the count and update the last received time for the event source that generated the log, and the forwarder that delivers the log to Log Decoder (if there is one).


The Log Stats tab displays the following information.


Event Source Type

The name of the log parser for this event source.


The address of the device that delivered the log to the {nlc}} (as determined by the network connection).

Event Source

The address or hostname of the device that generated the log.

Log Count

The number of logs encountered with this source or forwarder since log stat collection was enabled.

Last Received Time

The time that this source or forwarder was last encountered.

If you restart capture (or if you set log.stats.enabled to false), the statistics are reset.

You are here
Table of Contents > Track LogStats Log Count