Log Decoders have the ability to track the log count and last received time for each event source and forwarder that reports to it.
View Log Stats Information
To view Logs Stats information:
-
Depending on your version:
- For Security Analytics 10.x: In the Security Analytics menu, select Administration > Services.
- For NetWitness 11.x: In the NetWitness menu, select ADMIN > Services.
- Select a Log Decoder service and click View > Stats.
-
Click the Log Stats tab.
Enable Source and Forwarder Tracking
However, this behavior is not enabled by default. To enable source and forwarder tracking, start capture and then perform the following procedure.
- Access the REST API by entering the following URL in a web browser:
http://logDecoderIP:50102, where logDecoderIP is the IP address of the Log Decoder. - Click
decoder, thenconfig. This displays all the configuration parameters for the Log Decoder. - Scroll down until you find Log Stats Enabled (log.stats.enabled).
- In the text field, type true, and click Set.
Once set, all subsequent logs received by the Log Decoder will increment the count and update the last received time for the event source that generated the log, and the forwarder that delivers the log to Log Decoder (if there is one).
Details
The Log Stats tab displays the following information.
If you restart capture (or if you set log.stats.enabled to false), the statistics are reset.
Previous Topic:Implement Non-Standard Meta Keys Used in ESA Rules
Next Topic:Work With Event Stream Analysis Rules
You are here
Table of Contents > Content Procedures > Track LogStats Log Count