CorreLog. Security Correlation Server Screen Reference Manual


CorreLog Security Correlation Server Screen Reference Manual

CorreLog, Screen Reference Manual

Copyright , CorreLog, Inc. All rights reserved. No part of this manual shall be reproduced without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibilities for errors or omissions. Nor is any liability assumed for damages resulting from the use of this information contained herein.

This manual contains screenshots that may be slightly different from the version of the system you are using. Screenshots included in this manual are intended to be representative of the displays that you may see, depending upon factors such as whether you are using an OEM version, or the latest version of the software. For clarification on any particular function or feature contained in this manual, contact CorreLog support for more detailed information.

CorreLog Screen Reference Manual, Page - 2

Table of Contents

Section 1: Introduction .. 5
Section 2: Dashboard Screens .. 13
Section 3: Message Screens .. 25
Section 4: Message Config Screens .. 53
Section 5: Correlation Screens .. 87
Section 6: Alerts Screens
Section 7: Ticket Screens
Section 8: Reporting Screens
Section 9: System Screens
Section 10: Utility Screens
Alphabetical Index

Section 1: Introduction

This document provides detailed descriptions of all major screens of the CorreLog Security Correlation Server, along with associated explanations and details. The manual lists these screens by major application function of the system, in the order in which the screens appear in CorreLog. The manual serves as a comprehensive site map for CorreLog, as well as a reference manual describing input fields, settings, screen functions, and screen values available to CorreLog operators.

The "CorreLog Security Correlation Server" is a compact software system that listens for Syslog and other messages within your enterprise. As these messages are received, they are logged, cataloged into related groups of messages, and correlated to find meaning. The user can search this information, and can take automatic action when security violations occur.

CorreLog is a fully web-based system that leverages the capabilities of web browsers, operating with or without client Java enabled. The program has an easy-to-navigate, tab-based interface consisting of many different screens that are accessed through hyperlinks and buttons. The system is intended to be highly ergonomic, intuitive, and easy to operate.

The manual provides screenshots and descriptive text for all screens. Although this manual provides usage information, it is not intended to be a comprehensive operation manual. Application and operation of the CorreLog server is documented in a companion manual, the "CorreLog User Reference Manual", which is available from the "Home" screen of the CorreLog server, and other locations.

Screen Overview

CorreLog employs a web-based user interface that leverages the power of your web browser to configure and access data. The program uses standard browser features, and does not require client Java or JavaScript to fully operate. If Java is available to the client browser, it is used to implement minor and non-essential improvements to navigation. The actual order of tabs is governed strictly by the ordering of programs within the "sigma-web" directory of the CorreLog root directory, as discussed in the "CorreLog Sigma Framework" companion manual. Basic applications of CorreLog appear in the top-level screens, as follows:

Dashboard Screens. The "Dashboards" screen is the entry point to the CorreLog dashboard facility, which permits the user to display real-time data about various elements of the system, such as message rates, top devices, top users, and many other data items. The user can create, modify, and delete dashboard configurations. The operator can make this the default login screen, and select a default dashboard, using the "User Preferences" screen of the system. Dashboards are discussed in Section 2 of this document.

Message Group Screens. The CorreLog "Messages" application aggregates, processes and displays message data from network devices. This gives visibility into all received messages. The user can search raw message data, view data catalogs, and configure filters and overrides. The "Search" screen employs a high-speed indexed search engine supporting advanced searches, and a keyword index that lists all keywords (and their counts) for all messages received. Messages Group screens are discussed in Sections 3 and 4 of this document.

Correlation Group Screens. The "Correlation" application processes the raw message data received by the "Messages" application.
The correlation screens permit the user to establish associations between messages by creating "Threads", which consist of simple or complex match patterns, possibly controlled by "Triggers". The counters of these threads can then be alarmed via the "Alert" facility (described below.) These screens include a macro editor, address group editor, and a template capability, as well as an "Action" capability that can furnish automation and further data reduction based upon correlated data. Correlation Group screens are discussed in Section 5 of this document.

Alert Group Screens. The "Alerts" application continuously monitors CorreLog counters and states, and opens "Tickets" on the system (described below.) This group consists of several different facilities and screens, each of which can open tickets assigned to users. Alert Group screens are discussed in Section 6 of this document.

Ticket Group Screens. The "Tickets" application furnishes the highest level of message correlation by creating actionable incidents in a traditional incident management framework. Tickets are automatically opened by the "Alerts" and "Patterns" facilities. Tickets are assigned to either registered CorreLog users, or a user defined ticket group. This application can be interfaced directly to a third-party enterprise ticketing system. Tickets Group screens are discussed in Section 7 of this document.

Report Group Screens. The "Reports" application provides general utility in the reporting of both raw and correlated message information. These screens include a "Query" search utility, an "Audit" capability, a graphing facility, as well as a comprehensive reporting facility based on Microsoft Excel spreadsheets. In particular, the user can define new reports, and create new Excel templates, leveraging the power of Excel to perform highly customized analytical functions and graphical depictions of data. Excel reports can be distributed to users via RSS, which can be configured to publish daily, weekly, or monthly reports. Report information can also be loaded into an ODBC compliant SQL database. Reports Group screens are discussed in Section 8 of this document.

System Group Screens. The "System" application screens provide various system functions, including support for user preferences, login management, scheduling of programs, and configuration of global parameters. Except for the user's preferences, these screens all require an "admin" type login to the CorreLog system (as configured in the "Login" screen of this group.) System Group screens are discussed in Section 9 of this document.
In addition to the above screens, various utility screens (accessed by clicking on hyperlinks located throughout CorreLog) permit access to specialized data, details, and additional information. These utility screens are discussed in Section 10 of this document.

Navigating Screens

CorreLog is navigated by a series of tabs that appear at the top of all screens. The currently selected tab is always highlighted, providing an immediate indication to the user of the current area of operation within the CorreLog program. Some tabs display screens directly, whereas other tabs (distinguished with a trailing "/" slash character) reveal lower-level tabs. Tabs can be nested several screens down into CorreLog. The user can switch to any location within CorreLog by clicking on a tab, which immediately transitions the user to the new screen. Clicking on the currently highlighted tab immediately resets the screen to the default values, as they appear on initial entry to the screen.

Context Sensitive Help. A "Help" link is provided at the top right of every screen. Clicking on this link will display help on the current screen. This context sensitive help provides an excellent way to learn the various features of CorreLog. From the "Help" screen, the user can navigate back to the selected screen, and can access other online resources.

Device Address Hyperlinks. Throughout CorreLog, wherever a device IP address appears, the operator can click on the IP address hyperlink to display information about the device. The "Device Information" screen permits the operator to ping the device and edit device parameters (such as special device commentary.) Additionally, the "Device Information" screen allows the operator to view all the messages associated with the device.

Message Detail Hyperlinks. Throughout CorreLog, wherever a message is displayed, the user can click on the "Detail" hyperlink to display information about the message. The Message Detail Hyperlink permits the user to view related messages, including the contents of "Correlation Threads" that the message is part of.

Pinned Items. On various CorreLog screens, the user can pin items to the top of the list. The user clicks the "Edit" button, and then selects "Pin To Top". This keeps certain items (such as Correlation Threads, Alerts, Triggers, Actions, and Reports) at the top of the list of items. Pinned items are part of the user's preferences, and affect only the current user's login.

Search Terms / Expandable Titles.
On various CorreLog screens (including the "Devices", "Users", "Facilities", "Severities", and "Threads" screens) the user can click on the "Plus" icon to the left of the title to expand the options associated with the catalog of items. The user can graph the items in the catalog, and can further add "Search Terms" that will view specific items in the catalog. This provides an easy way to drill down into specific lists of items associated with a catalog of data.

The "More" Menu. To the right of the "Help" link is the "More" menu, which displays selected utilities and CorreLog applications. The user clicks on the "More" link to display this menu, and then selects one of the menu links to display the new screen.

CorreLog Dialogs and Buttons

CorreLog provides a consistent way of adding, editing and deleting information. On various CorreLog screens, the user can access Edit and Wizard dialogs. These are accessed via "AddNew" or "Edit" buttons. To add a new item to a list, the user clicks either the "AddNew" or "Wizard" button. To modify an existing item, the user clicks the "Edit" button (usually represented as a #NN number to the left of the list item.) To delete an existing item, the user clicks the "Edit" button, and then clicks "Delete". The buttons on CorreLog screens operate consistently as follows:

Apply Button. This button appears wherever a match pattern field exists, and applies the settings of the match pattern (or other filter) and then refreshes the screen with the new information.

Clear Button. This button clears the information from the display. On the "Messages Search" screen, the button temporarily clears the display of messages so that the operator can see any new messages that have arrived.

Config Button. This button appears on various screens, and runs a special configuration screen associated with the data of the top-level screen. For example, a "Config" button appears on the "Devices" screen to allow the operator to configure the device "Idle Time" value. Likewise, the "Config" button appears on the "Users" screen to allow the operator to configure user auto-discovery parameters.

AddNew Button. This button appears on screens that permit the user to add items to the screen list, such as a new correlation thread, a new filter, a new alert, or other list item. The screen displays a dialog that allows the user to add information associated with the screen.

Wizard Button. This button appears on various screens, and runs a wizard that guides the operator through the process of adding a new item. It performs a function similar to the "AddNew" button, but via a wizard interface.

Edit Button. This button appears on parameter dialog screens.
Additionally, on screens with a list of items, each item has an Edit button in the form "#NN" to the left of the item. The user can edit (or delete) the item via the edit dialog.

Save Button. This button appears on "Add New" and "Edit" dialogs, and commits the data to the system, redisplaying the top-level screen showing the new or modified list item.

SaveNew Button. This button appears on "Edit" dialogs, and saves the edited item as a new item. The top-level screen is then displayed, showing both the old (unmodified) and the new item.

Cancel Button. This button appears on "Add New" and "Edit" dialogs, and on wizard screens. The button causes the current screen to be abandoned, and returns the user to the top-level screen.

Delete Button. This button appears only on "Edit" dialogs, and causes the current list item to be deleted. To delete an item, the user clicks "Edit" and then clicks the "Delete" button.

Default Button. This button appears on certain parameter screens, and sets the current values to their installation defaults. The button can be used to restore the system defaults to their initial operating values.

Reset Button. This button appears on various screens, and operates exactly as if the user clicked the "Cancel" button, and then selected the edit screen again. The screen values appear exactly as they did on initial entry to the screen. Any changes made to the dialog are discarded.

Refresh Button. This operates similarly to the "Apply" button, but simply refreshes the screen with the latest data. This button is mainly useful for fetching the latest system data (which may have been modified by another user, or by a system process.)

User Defined Search Terms

For each catalog of data (such as "Threads", "Devices", "Users", etc.) the user can define specific search terms that assist with viewing and analyzing message data. The operator defines a search term by clicking on the "Plus" icon to the left of each catalog item (that supports this feature.) This causes the title to expand, and show various items. Once a catalog title has been expanded, various hyperlinks are revealed, including the ability to "Graph" catalog message rates, and "Edit Search Terms" for the catalog.
Clicking the "Edit Search Terms" hyperlink displays a screen that allows the user to add search terms and labels, which will appear the next time that the user clicks the "Plus" icon for the title. This provides a simple way for the user to define data items (and taxonomies) of special interest. The user can simply click the "Plus" icon associated with any device, facility, user, thread, or other catalog item to view the search terms he or she has defined. For example, if the user has a thread called "Hardware Events", the user can quickly drill down (after defining a search term) to view only the "Disk Hardware" events, or "Printer" events.

"User Search Terms" are also available from any catalog of items by clicking the "Match" keyword in the filter bar of the catalog of items. (This keyword is hyperlinked on all screens where the "User Search Terms" function is supported.) Clicking on the "Match" keyword takes the user to the list of search terms he or she has defined for the particular catalog of items (identical to accessing this screen via the "Edit Search Terms" hyperlink described above.) From this location the operator can define or modify personal search terms, or can execute one of the existing search terms.

User Defined Hyperlinks

In addition to creating hyperlinks to search terms within catalogs, the user can define hyperlinks to arbitrary locations within the system, such as adapters, screens of special significance, or external programs. These hyperlinks appear in the banner of the program, inline with the "Search" and "More" hyperlinks in the upper right of the display.

The user defines hyperlinks by clicking the "More" menu, and selecting "User Links" from the list. This launches a special editor screen that allows the user to define the label for the hyperlink, and the hyperlink value. The label can be any arbitrary 10-character label, whereas the value can be any legitimate URL value to a maximum of 200 characters. In particular, the hyperlink value can be the URL of a CorreLog screen copied and pasted directly from the browser into the edit field (including the prefix for the URL.) The hyperlink value can also be an external URL to some other web-enabled program or website. If the URL is greater than 200 characters then the URL is silently truncated. (In the special case of CorreLog internal URLs, this will generally have no effect on the ability to actually navigate to the selected location.)
Note that "User Defined Hyperlinks", like "Search Terms", appear only for the particular user that has defined them; these are user preferences that do not affect the display of other users. The function furnishes a simple way of navigating to certain locations within the CorreLog system (or other location on the network) through a single mouse-click.

How To Use This Manual

This manual is intended for use by operators, administrators, and program developers, and is written to be complete documentation for all primary CorreLog screens. The manual focuses on screen purposes and functions, and does not necessarily discuss specific application and operation of screens. (This information is available within other manuals in the CorreLog documentation suite, such as the "CorreLog User Reference" manual, accessed from the "Home" screen of CorreLog.)

If viewing this document with Adobe Acrobat, you can access the help topics for any screen via the "Bookmarks" pane at the left of the screen. Otherwise, this manual provides a table of contents and an Alphabetical Index at the end of the document.

A complete list of companion manuals is available after logging into CorreLog by accessing the "More" hyperlink (in the upper right corner of the CorreLog display) and then selecting "User Manuals". This provides a list of all the current manuals on the system. Additionally, other user manuals may exist, such as those related to specialized adapter software that has been added to CorreLog after the initial installation. All manuals can be found within the "CorreLog\s-doc" directory folder, which serves as the central repository for all online documentation within the system.

For More Information

For more information on CorreLog usage, refer to the "CorreLog User Reference Manual", available from the home screen of CorreLog. This manual provides important usage and background information regarding the system.

CorreLog is committed to delivering the industry's best combination of log management and multi-platform security correlation. We are pleased to offer support for both evaluation and licensed versions of our product. If you have any difficulty with the CorreLog server installation or operation, we would like to assist you.

CorreLog, Inc. Copyright , CorreLog, Inc. All rights reserved.

Section 2: Dashboard Screens

CorreLog provides a comprehensive dashboard facility that allows users to view top-level CorreLog data, and drill down to view details. Each dashboard consists of various window panels. Each window panel can contain a user specified "Gadget". The particular gadgets are specified and configured via the "Edit Layout" button at the bottom of the screen, or by clicking the "Edit Gadget" icon at the upper right of each window panel. The user can create, modify, and delete dashboard configurations. The operator can make this the default login screen, and select a default dashboard, using the "User Preferences" screen of the system.

The "drill-down" capability of dashboard screens is quite extensive, and allows the end user to navigate all significant areas of the program. For some users, the dashboard facility will be the principal (and perhaps only) screen used to assess the security of the organization and performance of the system.

This section provides a description of primary Dashboard screens, including information on how to construct dashboards. A description of the actual gadgets available to users is not included here, but is available as an appendix to the "CorreLog User Reference Manual", and is available as online HTML help when constructing dashboards.

Dashboard Screen

The top-level Dashboard screen, displayed when the user first clicks the "Dashboard" tab at the top of CorreLog screens, provides a flexible dashboard presentation system that can depict the real-time status of raw and correlated messages on the system. The operator can configure new dashboards, create "drill down" dashboards, and set a default dashboard in his or her user preferences. A typical dashboard is shown below.

Each dashboard consists of various panels (specified in a selectable "layout" file) where each panel contains a "gadget". Various gadgets are provided with the base CorreLog installation, and other gadgets are available from a variety of sources. Each gadget contains an "Edit" button to permit configuration of detailed parameters, and a "Move" button that allows the gadgets to be dragged to new locations on the dashboard. The actual dashboard layout (including panel titles, and links to other dashboards) is configured via the "Edit Layout" button at the bottom of the dashboard screen.

Dashboard Tabs

The "Dashboard" screen displays a series of tabs across the top, corresponding to up to eight different dashboards that can be accessed quickly. (Other dashboards, if they exist, can be accessed via the "drop-down" menu at the bottom of the display.) The operator can click the "Select Tab" link at the upper right of the dashboards to specify which dashboards are to be displayed as tabs. The first dashboard displayed, referred to as the "Default Dashboard", is also configurable in the user's preferences. To select the dashboard tabs of special interest, the operator clicks "Select Tab", and then selects each dashboard in the order that it is to be displayed at the top of the "Dashboard" screen.

Dashboard Layout Files

Each dashboard is based on a "Layout" file, selected via the "Edit Layout" button, or specified via the "Add New" wizard. (These buttons are found at the bottom of the screen.) Layout files reside in the "dash/layout" directory of the CorreLog root directory. In the basic CorreLog distribution package, various layout files are provided to support different screen resolutions (by default either 800, 1024, or 1280 screen widths.) These layout files are simply HTML files containing specific keywords and "IFRAME" references that can contain gadgets. Administrators can modify the existing layout files, or add new layout files that provide customized panel arrangements and other annotations. Any text editor, as well as a variety of HTML editors, can be employed to create new or modify existing layout files. No special caution is required in editing a dashboard, other than preserving the particular "@@" macro references in the file.
These references are filled in with appropriate information when the dashboard is displayed, using the "HTML Macro" function documented in the "Sigma Web Framework" Users Manual. When creating a new layout file, the user simply preserves these references, or relocates these references within the new layout file.

Dashboard Gadgets

Within each panel of the dashboard, the user specifies a "Gadget" that depicts a particular type of data to be displayed. Each gadget depicts the data in a variety of formats, and with a variety of possible arguments. For example, the "Top Devices" gadget displays top device activity based upon various selectable criteria (such as most recently updated devices, or most active devices.) The parameters of each gadget are similar, but can be slightly different depending upon the data being displayed. Generally, the user can qualify lists of items based upon match expressions, address groups, filters, or other items. For example, the "Top Devices" gadget allows the user to look at all top devices, or the top devices associated with a particular address group.

Most gadgets support various "Display Modes", such as horizontal bar chart, pie chart, stack chart, or tabular display. These different display modes affect the look of the gadget, but not the particular data that is displayed. Some of these display modes require Java, whereas others do not. The particular aesthetics of the dashboard are flexible, and completely controlled by the end user.

Special Dashboard Features

The dashboard facility is easy to use and intuitive to set up. The application supports a number of special features, outlined below.

External Gadgets. In addition to the built-in CorreLog gadgets, users can add gadgets from other external locations, such as the "iGoogle" and "Widgetbox" websites. The user cuts and pastes the gadget reference from these websites into a CorreLog dashboard using the "Text/HTML" gadget. This allows the user to add gadgets such as calendars, news feeds, clocks, and other external items into a CorreLog dashboard.

Edit Gadget Button. The user can edit gadgets by clicking the "Edit Layout" button at the bottom of the screen, and then clicking the "Edit" button associated with the specific gadget. Or, the user can simply click the "Edit Gadget" button found at the upper right of each gadget window panel. This takes the user directly to the particular "Edit Gadget" screen.

Move Gadget Button. The user can rearrange the layout of the gadgets using the "Move Gadget" button found at the upper right of each gadget window panel. The user clicks on this button, holds down the mouse button, and releases the mouse button in the windowpane of another gadget.
(Note that the button must be released in the blue windowpane of the target gadget, and not in the main window of the gadget.) This will swap the location of the two gadgets.

Links To Other Dashboards. Each gadget has an optional "Panel Name" setting that allows the user to enter arbitrary identifying text for the windowpane, and link this text to another dashboard. This provides a simple mechanism for creating a hierarchy of dashboards, where the user drills down from one dashboard to a lower level dashboard.

Dashboard User Preferences. Several user preferences are provided to specifically support dashboards: the user can select the dashboard screen to be the default screen on login, and can specify a default dashboard to be displayed when the dashboard screens are viewed. Additionally, each user can control whether dashboards are opened in new windows, or in the current window. User preferences are accessed by clicking the "System" tab (and are also accessible from other locations, such as the "More" menu at the upper right of the screen.)

Referencing Gadgets From External Screens. The user can display any CorreLog gadget on an external web page, allowing top-level system status to be depicted on third-party pages and portals. A website developer can simply view the source for a particular layout, and then cut and paste the IFRAME reference into another web page on the network. (These references are clearly commented and visible in the default layout files.) HTTP authentication is preserved, but can be disabled by the CorreLog administrator for gadgets via edits of the HTTP configuration file.

Dashboard User Preferences

The system supports various user preferences associated only with dashboards. (More information on user preferences is available in Section 8 of this document.) These user preferences are located in the "System > Prefs" tab of CorreLog, and are listed here.

Initial Dashboard Screen. This user preference identifies the name of the dashboard that is displayed when the user first clicks the "Dashboard" tab at the top of the screen. The user can select any initial dashboard for display. This setting is only the initial dashboard, and does not restrict the user from accessing other dashboards via the "Dashboard Name" dropdown menu at the bottom of the "Dashboard" display.

Open Dashboard Links In New Window. This user preference controls whether new dashboards (accessed by clicking on the hyperlinked title of a dashboard gadget pane) are opened in a new browser window, or whether the new dashboard is displayed in the main browser.
This is a minor change to dashboard navigation behavior, and is provided to accommodate the particular preference of the operator.

Use Java Applets in Dashboard. This user preference controls whether Java Applets are used to display pie charts, graphs, and other items. Each gadget has at least one "display mode" that does not require Java, and which is similar to the Java applet depiction. If the user selects "False", the non-Java mode of the gadget is automatically selected for the user. In general, this will speed up the rendering of the dashboard with minor or insignificant loss of functionality.
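The "Dashboard Layout Files" text above says a layout is an ordinary HTML file whose panels are IFRAME references and whose only fragile content is the "@@" macro references, and the "Referencing Gadgets From External Screens" text says the IFRAME references are what a website developer copies onto other pages. The following script is an added example, not CorreLog's own code or a documented CorreLog tool: it compares an edited layout against the original it was derived from and reports any "@@" reference that was dropped or mistyped, and it lists the IFRAME gadget references so an administrator can review which gadget URLs are exposed from a layout before HTTP authentication for gadgets is changed. The macro names and IFRAME URLs in the sample layouts are constructed placeholders; the "@@NAME" token form is an assumption and is isolated in one regular expression.

```python
"""Check an edited CorreLog-style dashboard layout file against its original.

Added example, not part of the CorreLog product. Assumptions: a layout file
is HTML, each panel is an IFRAME, and dynamic values are "@@" macro
references. All macro names and URLs below are constructed placeholders.
"""
import re
from html.parser import HTMLParser

# "@@" followed by a word. Assumed token form; matches both "@@NAME" and
# "@@NAME@@" styles, since the trailing "@@" alone has no word after it.
MACRO_RE = re.compile(r"@@\w+")


class _IframeCollector(HTMLParser):
    """Collect the src attribute of every IFRAME in a layout file."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            src = dict(attrs).get("src")
            if src is not None:
                self.iframes.append(src)


def macro_refs(layout_html):
    """Return the set of '@@' macro references appearing in the layout."""
    return set(MACRO_RE.findall(layout_html))


def iframe_sources(layout_html):
    """Return the IFRAME src values (the gadget references) in document order."""
    collector = _IframeCollector()
    collector.feed(layout_html)
    return collector.iframes


def check_layout(original_html, edited_html):
    """Compare an edited layout against the original it was copied from.

    'missing' lists macros the edit dropped (the references the manual says
    must be preserved), 'unexpected' lists macros unknown to the original
    (usually typos), 'gadgets' lists the IFRAME references the edited layout
    exposes, and 'ok' is True only when nothing was dropped.
    """
    orig = macro_refs(original_html)
    new = macro_refs(edited_html)
    return {
        "missing": sorted(orig - new),
        "unexpected": sorted(new - orig),
        "gadgets": iframe_sources(edited_html),
        "ok": not (orig - new),
    }


# Constructed sample: a stock layout and a hand-edited copy of it.
ORIGINAL_LAYOUT = """<html><head><title>@@DASH_TITLE</title></head>
<body>
<!-- panel 1: top-left gadget -->
<iframe src="@@GADGET_1" width="400" height="300"></iframe>
<!-- panel 2: top-right gadget -->
<iframe src="@@GADGET_2" width="400" height="300"></iframe>
@@DASH_FOOTER
</body></html>"""

# The edit mistyped the second gadget reference and deleted the footer macro.
EDITED_LAYOUT = """<html><head><title>@@DASH_TITLE</title></head>
<body>
<iframe src="@@GADGET_1" width="400" height="300"></iframe>
<iframe src="@@GADET_2" width="400" height="300"></iframe>
</body></html>"""


if __name__ == "__main__":
    report = check_layout(ORIGINAL_LAYOUT, EDITED_LAYOUT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the stock layout from "dash/layout" and the edited copy; an empty `missing` list means every "@@" reference the original carried is still present, and the `gadgets` list is the set of IFRAME references that would be copied onto an external page.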

Adding A New Dashboard

The CorreLog dashboard facility permits easy creation and modification of dashboard depictions. Multiple dashboards can exist on the system. The default dashboard for a user is set in the CorreLog "System > Prefs" screen.

1. Click the "AddNew" button to start the dashboard wizard. (This button is found at the bottom of the dashboard screen.) The wizard queries for a dashboard name, queries whether to make the dashboard the default for the user, and queries for the layout file. (All of these items can be modified later.)

2. When the "Add New Dashboard" wizard finishes, the "Edit Dashboard" screen is displayed. The user can edit any of the parameters for the dashboard, or can save the dashboard with no changes. (The easiest way to get started is to save the dashboard file with no changes.)

3. When the dashboard file is saved, it appears as the current dashboard. If the user has not assigned any gadgets, all the windowpanes will be blank. Click on the "Edit Gadget" icon in the upper right of a windowpane. (The "Edit Gadget" icon is a "Note" icon.) This will bring up the gadget editor for the particular windowpane.

4. On the "Gadget Editor" screen, select a gadget for the windowpane via the drop-down list. Brief help on gadgets is available via the "Gadget Help" hyperlink. The user can select any gadget from the drop-down list.

5. When the gadget is selected, the screen will refresh showing the various specific parameters associated with the gadget. Provide any parameters for the gadget. This includes an optional title for the windowpane, and a hyperlink for that title. (Usually, the default values will be suitable to get started with.)

6. Click "Save" to save the gadget information. This returns to the "Edit Dashboard" screen (displayed in step 2 above.) Click "Save" on this screen to return to the top-level dashboard screen. The gadget will be displayed in the windowpane, and will reflect the current system data.
The user can edit any windowpane using the "Edit Gadget" icon in the upper right of the dashboard. The user can rearrange gadget positions by clicking the "Move Gadget" icon, to the immediate left of the "Edit Gadget" icon, and dragging the gadget to another windowpane. To change the layout file or rename the gadget, the user can click the "Edit Layout" button at the bottom of the screen, which permits the user to access all the gadgets and global parameters of the dashboard. CorreLog Screen Reference Manual, Page - 18

Add New Dashboard Wizard

The "Add New Dashboard" wizard screen is accessed by clicking the "AddNew" button at the top of the display. This wizard guides the user through the process of adding a new dashboard to the system. The wizard queries for the name of the dashboard and the layout file for the dashboard. The wizard then creates the dashboard and launches the dashboard editor screen (discussed in the next section). The screen is depicted below.

The "Add New Dashboard" wizard is a standard CorreLog dialog, containing "Next", "Previous", "Reset", and "Cancel" buttons. The user fills out the data on each screen as prompted and clicks "Next" to continue the wizard. To return to the previous screen, the operator clicks the "Previous" button. To reset the screen to its entry values, the user clicks "Reset". To cancel the operation with no action, the user clicks "Cancel".

Note that the user can change values supplied by the wizard, including the layout file specified on the second page, using the "Edit Dashboard" screen discussed in the next section.

Edit Dashboard Screen

The "Edit Dashboard" screen allows the user to edit or delete an existing dashboard. This screen is accessed from the top-level "Dashboard" screen by clicking the "Edit" button at the bottom of the dashboard display. This screen is also launched automatically by the "Add New Dashboard" wizard when a new dashboard is created. A depiction of this screen is provided below.

The "Edit Dashboard" screen allows the user to rename a dashboard, select a different layout file, and specify the gadgets for each dashboard pane. Additionally, the editor allows the user to specify optional panel titles for each dashboard pane, and to link a pane to another dashboard.

Note that this screen provides one of two ways to change dashboard gadgets. The user can change a gadget either by clicking the "Edit" button to display this panel, or by clicking the "Note" icon in the upper right of each gadget on the top-level dashboard screen.

The "Edit Dashboard" screen provides the following fields.

Dashboard Name. This value, at the top of the display, is the name of the dashboard originally specified in the "Add New Dashboard" wizard. The name can be changed here, and the new name will appear in the dropdown list of dashboards selectable at the bottom of the main dashboard display.

Dashboard Layout. This selection shows the current layout for the dashboard, and permits the user to select a different layout file. If the user selects a layout with fewer panels than the current layout, the list of dashboard gadgets is truncated. If the user selects a layout with more panels than the current layout, blank panels are added to the list.

Panel #N Name. Each dashboard panel can be given an optional name, which annotates the main display in the title bar of the gadget. This is an arbitrary title that clarifies the purpose and intent of the dashboard. (Note that dashboard gadgets have their own "subtitles" that can be filled in by the user, so this particular name is the main title for the gadget.)

Panel #N Link To Dashboard. If a dashboard panel is given a "Name" (above), the user can link this title to another dashboard. This selection allows the user to select the dashboard that will be linked to the title, permitting the user to "drill down" into other dashboards from the main dashboard.

Panel #N Gadget. This selection allows the user to select the dashboard gadget that will be displayed. The selection provides a complete list of all gadgets on the system. A description of these gadgets is available via the "Gadget Help" hyperlink.

Panel #N Edit Gadget Settings Button. This button allows the user to edit the particular settings of the gadget, and displays the "Gadget Editor" screen appropriate for the selected gadget. This button saves the current settings before displaying the "Gadget Editor" screen. This is one way of editing a gadget's configuration (the other way being to click the "Note" icon in the upper right of each gadget on the top-level dashboard).

Edit Dashboard Gadget Screen

The "Edit Gadget" screen is displayed when the user clicks the "Note" icon in the upper right corner of a dashboard gadget on the top-level screen, and is also displayed when the user clicks the "Edit Gadget Settings" button on the "Dashboard Editor" screen. The exact screen depends upon the type of gadget being edited. A typical "Edit Gadget" screen is shown below.

CorreLog provides a rich assortment of dashboard gadgets, each with its own particular capabilities and functions. Additionally, each gadget provides a number of display modes, options, and filters that can be used to adapt the range of data and the appearance of the gadget. This gives the end user a large amount of configuration flexibility.

The particular values available for any gadget depend upon the gadget type. Typically, a default set of parameters (appropriate for many generic situations) is provided for each gadget, permitting a gadget to be selected without any special configuration by the operator. A few gadgets (notably the "Gauge-Alert" gadget) require the user to edit the gadget configuration and select some parameter before the gadget can be used on the dashboard.

A partial list of configuration values is provided below.

Panel Name. This field exists for all gadgets, and is an optional title that appears in the title bar of the gadget. If a Panel Name is provided, the value can be linked to another existing dashboard using the setting below.

Panel Link to Dashboard. This selection exists for all gadgets, and allows the user to link the "Panel Name" value above to an existing dashboard. When the user clicks on the Panel Name, the specified dashboard is selected. This allows users to drill down into new and specialized dashboards.

Panel Gadget. This selection is a list of all gadgets on the system. When the user selects a gadget, the particular parameters associated with that gadget are displayed.

Gadget Description. This value exists for all gadgets, and is a textual description of the gadget. Each gadget incorporates brief help. When a gadget is selected, this value changes, providing assistance to the operator.

View External URL. This value exists for all gadgets, and is the URL for the gadget, which permits the gadget to be referenced by some other web page (such as a business information portal or third-party web application). Click on the "+" character to view the external URL.

Refresh Rate. This value exists for all gadgets, and indicates the refresh rate of the gadget. When the gadget automatically refreshes, the latest values for the gadget are displayed.

Main Gadget Title. This value, if it exists, is a title that is displayed as part of the gadget. This title is configurable by the user, and is usually more specific than the "Panel Name" (described earlier). The gadget automatically selects an appropriate value, which the user can change.

X-Axis Title. This value, if it exists, is the title for the X-axis of a graph or bar chart. The gadget automatically selects an appropriate value, which the user can change.

Data Source. This value, if it exists, describes the source of data. Many (but not all) gadgets allow the user to specify a particular data source, such as the name of a thread, alert, or other parameter. The gadget defaults to an appropriate value, which the user can change.

Match IP Address / Value. This value, if it exists, qualifies the data displayed by the gadget. For example, a gadget may permit a match pattern (such as a keyword found in all thread or alert titles). This value typically limits the range of data displayed by the gadget.

Display Mode. This value, if it exists, permits the user to change the display mode of the gadget, i.e. the appearance of the gadget. Each gadget can display data in different modes, such as "Pie Chart", "Stack Chart", "Bar Chart", etc. Some of the display modes may require Java, but each gadget has at least one display mode that does not (permitting dashboards to work without Java).

Highlight Color. This value, if it exists, allows the user to change the primary color or highlight color of the gadget. Colors include "Red", "Blue", "Orange", and "Green". The gadget defaults to an appropriate value, which the user can change.

Enable Links & Drill Down. This value, if it exists, permits the user to disable links on the gadget that access additional information. This setting is useful for restricting data that might otherwise be available to non-privileged users.

Not all gadgets support every field listed above. Additionally, some gadgets (such as the Text-HTML gadget) have special fields not listed above. The operator should consult the "Gadget Help" hyperlink for specific notes about a particular gadget.

Gadget Support For Java and Non-Java Browsers

Some dashboard gadgets have specific "Display Modes" that require Java to display appropriately. However, each dashboard gadget has at least one display mode that does not require Java. This allows dashboards to work with client browsers that do not support Java or where Java is not enabled.

Users can disable Java dashboard displays in their personal User Preferences via the "System > Prefs" screen. The user can set the value of "Use Java Applets in Dashboards" to "False", which causes CorreLog to automatically substitute an appropriate non-Java display mode for any Java-based gadget. Generally, this has only minor consequences for the display, and speeds up the loading of the dashboard substantially.

Section 3: Message Screens

The CorreLog "Messages" application aggregates, processes, and displays Syslog message data from network devices. This gives visibility into all received messages. The user can search raw message data, view data catalogs, and configure filters and overrides. The user can also create new Syslog facilities, which can be used in the correlation process.

The "Search" screen employs a high-speed indexed search engine supporting advanced searches, and a keyword index that lists all keywords (and their counts) for all messages received. Additional screens in this group allow the user to view messages by basic type, such as by device IP address, username, facility, and severity. The Message facility also includes an "Auxiliary Message" function, which allows the user to view messages that have been filtered from the main message stream; it is also documented here.

This section provides a description of the primary Message screens on the system, including a discussion of purpose, general usage, and basic application. Note that the "Message" facility includes a comprehensive "Configuration" capability (available via the "Messages > Config" tab). Because of the number of configuration screens, these screens are covered in a separate section of this manual; message configuration screens are not discussed here, but in the section following this one.

Search Messages Screen

The Search Messages screen is the first screen displayed when the user selects the Messages tab at the top of the display. From that location, the operator can view the list of all received messages, displayed in reverse chronological order. The user can search for data, inspect keywords, or manually add messages to the system log. A depiction of this screen is shown below.

The above screen is the first screen accessed when the user clicks the Messages tab, and provides access to all the messages contained in the entire system. The list of messages contains the following fields:

Message Time. The first column shows the message time, including both the date and time (with respect to the CorreLog platform server time) and the elapsed time since the event occurred.

Message Address. The next column shows the name of the device that generated the message. The name is hyperlinked to the Device Information screen (discussed further below).

Message Facility. The next column shows the Syslog facility for the message. These facilities are also viewable via the Facilities screen.

Message Content. The last column shows the message contents, including the severity. The color used to display the event message can be configured via the Configure Color Editor screen (discussed further below). The user can click on the "Details" link to view detailed information about the message.

Search Screen Controls

At the top of the display are controls that allow the user to filter the list (thereby searching for specific keywords). The user can also set the maximum page size, as well as access pages via hyperlinks. The "Start Date" defaults to the latest date on which messages were received (normally the current date if the system is actively receiving messages). The "Start Date" item delimits the search range and the items displayed.

To modify the "Start Date", "Span Days", "Max List", or "Filter" setting, the operator makes adjustments and clicks the "Apply" button. This refreshes the screen with the latest settings. Clicking on the tab button also refreshes the screen, but sets the "Start Date", "Span Days", "Max List", and "Filter" settings back to their entry defaults.

Search Function And Search Terms

On the Search screen, messages are displayed in reverse order from when they were received, with the most recent events first. Specifically, this screen is the entry point for the GenDex search engine, which permits fast searching of large amounts of data using an indexed search. By default, the screen displays all events. (The match pattern is the wildcard "*".) The operator can modify the search pattern to be one or more keywords, a keyword followed by a wildcard, or an IP address. This displays all the matching messages on the system.

If the keyword is a number or an IP address, the screen displays the messages associated with the first IP address matching the search term. If the user enters a partial keyword, the screen finds the first matching full keyword and performs the search using that keyword.

Search Screen Clear Button

At the far right of the screen controls, as a special facility, is a "Clear" button. This button, when clicked, causes the screen to be temporarily cleared so that any new incoming events can be seen the next time the "Apply" button is clicked. To restore the list of all events, click a page number hyperlink, click the navigation tab, or click the "Unclear" button.

This button is mainly useful for seeing how many messages are coming into the system, or when awaiting a particular event. The button does not delete or clear any data; it only clears the display temporarily, to mark the time. Whenever the screen is cleared, the elapsed time since the "Clear" button was clicked is shown at the bottom of the list of messages.

Search Screen, Special Notes

The keyword item, used to filter the display, defaults to "*", which matches all events. The user can specify a keyword or an IP address. The keyword must begin with two non-numeric characters, or be an IP address, and can contain the "*" wildcard. An IP address can be specified as a partial match, but if the user specifies a non-numeric keyword, only full matches are displayed.

To view new messages as they come into the system, the operator clicks the screen tab, or clicks the "Apply" button. This refreshes the display, showing the latest message information. When the user pages through the display (via the hyperlinked page buttons), new events are not shown. This assists in reviewing historical information without the display constantly scrolling, which is particularly important if CorreLog is logging many messages. Clicking the "Clear" button temporarily clears the display until a click on a hyperlinked page number refreshes the screen.

The "Apply" button and the Search screen tab both perform the similar function of refreshing the screen. The "Apply" button is also used to modify the screen controls, such as the filter or the max list size. When any screen control is modified, the screen page number is set back to the first page.

Finally, note that this screen uses an indexed search engine, which permits rapid searches of large amounts of data. Searches always start at the specified "Start Date", and that pull-down menu can be used to confine the search to a particular time range and before. This allows an operator to limit search results to data collected from an earlier date.
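The search-term rules stated above (the "*" wildcard, numeric or IP terms matched as a partial address, text keywords matched only as whole keywords and required to begin with two non-numeric characters) are easy to get wrong when building detections or scripts around a console like this. The following is an added illustration in Python, not CorreLog's GenDex engine or any code from the manual: the sample message tuples are constructed, the tokenizer regex is an assumption, and the choice to match IP terms against the source address column only is an assumption of the example.

```python
import fnmatch
import re

# Constructed sample messages, not taken from the manual: (address, facility, content)
SAMPLE_MESSAGES = [
    ("10.1.2.3", "auth", "Failed password for root from 192.168.5.7"),
    ("10.1.2.3", "auth", "Accepted publickey for alice from 192.168.5.9"),
    ("10.1.9.40", "daemon", "sshd restarted by admin"),
    ("172.16.0.5", "kern", "Link down on eth0"),
]

# A term made only of digits and dots is treated as a (possibly partial) address.
ADDRESS_TERM_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}\.?$")
# Assumed tokenizer: the manual does not define where a "keyword" begins and ends.
TOKEN_RE = re.compile(r"[A-Za-z0-9_.-]+")


def classify_term(term):
    """Classify a search term per the rules stated in the manual.

    '*' matches everything; digits and dots form an address prefix; any other
    term must begin with two non-numeric characters and may contain '*'.
    """
    if term == "*":
        return "all"
    if ADDRESS_TERM_RE.match(term):
        return "address"
    if len(term) >= 2 and not term[0].isdigit() and not term[1].isdigit():
        return "keyword"
    raise ValueError(f"invalid search term: {term!r}")


def search(messages, term):
    """Return the messages matching 'term', preserving the input order."""
    kind = classify_term(term)
    if kind == "all":
        return list(messages)
    if kind == "address":
        # Partial match: the term is a prefix of the sending address (assumption:
        # only the address column is consulted, not IPs inside the message text).
        return [m for m in messages if m[0].startswith(term)]
    # Keyword: only whole-token matches count; '*' is the only partial-match form.
    pattern = term.lower()
    return [
        m for m in messages
        if any(fnmatch.fnmatchcase(tok, pattern)
               for tok in TOKEN_RE.findall(m[2].lower()))
    ]


if __name__ == "__main__":
    for t in ("*", "10.1.", "root", "roo", "ssh*", "eth0"):
        print(f"{t:>6}: {len(search(SAMPLE_MESSAGES, t))} message(s)")
```

Note that "roo" returns nothing while "ssh*" finds "sshd": a text term without a wildcard is a full-keyword match, whereas an address term such as "10.1." is a prefix match, exactly the asymmetry the notes above describe.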

Advanced Search Screen

The Advanced Search screen is displayed when the user clicks the "Advanced Search" hyperlink on the main search screen, and is also accessed by clicking the "Search" hyperlink at the upper right of the display. This screen allows searches that include match patterns, exclude patterns, and matches on addresses, facilities, and time ranges. This screen is depicted below.

The advanced search screen requires at least one "Primary Match" keyword, which serves as the index to the search. This primary match keyword must be a full keyword, without any wildcards. The user can then specify partial matches and exclude matches (using optional wildcards), as well as other parameters for the search. When the user clicks the "Search" button, the operator is returned to the top-level screen and the matched messages are displayed.

Keyword Index Screen

The Keyword Index screen is displayed when the user clicks the "Keyword Index" hyperlink on the main search screen. (This screen is also available via the "More" pull-down menu at the upper right of the display.) This screen is updated every few minutes, and shows a full list of all the keywords for all messages collected on the system. The screen is depicted below.

The user can click on a keyword hyperlink to initiate a search for the keyword, displaying all messages on the system that contain it. The approximate number of messages containing the keyword (accurate as of the last hour) is shown in the "Count" column of the screen, useful for seeing how many messages are related to the keyword. By default, keywords are listed in alphabetical order.

Other Search Parameter Screens

On the "Keyword Index" screen, the operator can access other parameters and settings that affect the search engine. The "Keyword Index" screen provides links across the top, which permit access to the following special screens:

Site Dictionary. This link permits the user to access the "Site Dictionary", which can contain special keywords that are incorporated into the search. This screen is mainly provided for completeness. (The search engine indexes all the words in the "CO-dict.dat" file, as well as all device names, user names, and special terms that appear on the "Correlation > Threads" screen.) The operator can enter any keywords into the list, and these keywords will be indexed when they are found in incoming messages.

Parameters Screen. This link permits the user to access special parameters related to the search engine, as follows:

Keyword Span Days. The number of days that the "Keyword Index" traverses, by default one day.

Max Keyword Count. The maximum number of keywords that will be indexed each day, by default one hundred thousand individual keywords.

Write Interval. How often the keyword list is written to disk, by default once each minute.

Max Keyword Length. The maximum number of characters for any keyword, by default twenty characters.

Max Keyword References. The number of times a word can occur before it is handled as a "common keyword", where a common keyword retains only indices to its most recent occurrences.

Require Dictionary Match. Indicates that a match to a dictionary word is required.

These settings will generally not be modified without the guidance of vendor support and professional services.

Statistics Screen. This link permits the user to access statistics on the indexing process. The statistics may be useful in diagnosing performance problems and anomalous behavior that may accompany the input message stream. The administrator can consult vendor support for more information on these parameters, as needed.

Devices Catalog Viewer Screen

The Devices Catalog Viewer screen is accessed by clicking the "Messages > Catalogs" tab and then selecting "Devices". From that location, the operator can view a list of all devices that have sent messages, and can drill down on the device hyperlink to view a description of the device, including the device messages. A depiction of this screen is shown below.

The above screen shows all the devices that have sent Syslog messages, in table format. By default, the list of devices is sorted in reverse chronological order. Each device entry contains the following items:

Device Address. This field indicates the IP address of the device. Clicking on this link brings up the device viewer screen, which shows the DNS name (if any) and other notes about the device. This field also contains a status light (either green or red) indicating whether any messages have recently been received within the "Message Idle Time Threshold" value, configured on the "Network Monitor" screen. (See additional notes below.)

Last Message Time. This field indicates the date and time at which the last message was received from that device. By default, the screen uses this field to sort data. Therefore, the device that most recently generated a message is shown as the first item in the upper left of the screen.

Elapsed Time. This field is related to the Last Message Time, and indicates the elapsed time (as of the screen refresh) since the last message was received from that device.

Message Count Today. This field indicates the number of messages that have been received from that device since midnight, or since CorreLog startup. The field is set back to zero at midnight, and each time the CorreLog Server is restarted.

History. This field is an approximate count of the number of messages that have been received from that device since the device first issued a message. It represents the total number of messages received from the device since the CorreLog Server was originally installed and the device was discovered.

Device Catalog Viewer Screen Controls

At the top of the display are controls that allow the user to order the list by "Time", "Count", "History", or "Address", and other flags. By default, the screen is sorted by the time of the last event. Controls are also provided to limit the listing to the Max-N devices, and to filter the list (thereby searching for specific keywords). The initial sort mode for this screen is configurable in the user's personal preferences. (See the "User Preferences" screen, later in this section.)

The Device Catalog Viewer contains a filtering function that permits the user to view only those devices that match a particular device group and an optional filter.
Device groups are specified within the "Correlation > Config" tab of the program, also accessible via the "Device Group" hyperlink on this screen. This allows the user to view only those devices of interest, and to search for devices on the system. Additionally, the user can search for devices based upon their message content using the "Match Device By Message" hyperlink.

To modify the sort order, number of items displayed, or filter setting, the operator makes adjustments and clicks the "Apply" button. This refreshes the screen with the latest settings. Clicking on the tab button also refreshes the screen, but sets the control items back to their entry defaults.

The "Config" button, at the upper right of the display, permits the user to configure the "Network Monitor" controls, which govern the status lights and the internal messages generated whenever a new device is found, or a device stops sending messages for a long period of time. (See the "Status Lights" section, below.)

Device Catalog Counters

The History count is useful for determining how many messages have been logged by the system since it was first installed. The Today field is useful for determining how many messages have been logged since midnight. These counters can be continuously monitored by the "Correlation Alerts" subsystem, discussed in later chapters.

The History count represents the approximate number of events that exist on the system for that catalog, viewable when the user clicks on the IP address hyperlink. The value is approximate because some of the earliest events may have been discarded due to the setting of the "Keep Data" parameter, discussed in the Configuration Parameter Editor screen.

The CO-Devlog.exe program, running in the background, refreshes this list approximately every 10 seconds. The data items shown are valid only within the last 10 seconds of system operation.

Network Monitor Status Lights And Configuration

A "status light" indicator is provided as part of the "Address" field of each device. This status indicator is either red or green, showing whether the device has sent any messages within the "Message Idle Time Threshold" value configured in the "Config" screen. This provides a quick indication of whether the device is active or inactive, especially useful when searching for devices or sorting by some value other than "Time". Devices with "red" indicators may no longer be active, or may be persistently offline. The default "Message Idle Time Threshold" is 24 hours (that is, the indicator turns from green to red if a device has not sent a message within one full day).

Approximately once each hour, CorreLog scans the list of devices and determines which devices (if any) have not sent a message within the configured "Message Idle Time Interval". If any device has not sent a message for that interval or longer, CorreLog sends a message to itself indicating that the device is idle, and subsequently displays the "status light" as "red". The severity of the message is given by the "Address Idle Severity" setting of the "Advanced Device Configuration" screen, described in a later section.

Sorting and Pinning Devices

By default, the list of devices is displayed so that the most recently updated devices are shown at the top of the list. The user can change the sort mode to order the list by "Count", "History", "Address", or "Name" via the select menu at the top of the screen. The initial sort mode is configurable on the "User Preferences" screen.

Additionally, the user can "pin" devices to the top of the screen. To accomplish this, the operator clicks the IP address hyperlink for the device, and then sets the "Pin Device To Top Of List" value to "Yes". The device is then moved to the top of the display irrespective of the current sort mode, making it easy to find and watch the device. Similarly, the user can "unpin" a device by setting the "Pin Device" selection to "No", which causes the device to appear in the sorted list with no special ordering.

When a device has been pinned, it is identified as such by a small pin icon next to the device IP address. If multiple devices are pinned, the pinned devices are sorted first, and then the non-pinned devices. This provides a method of organizing the list of managed devices so that the more interesting devices are kept at the top of the list, especially useful if there are many hundreds (or thousands) of devices on the system.

Note that the "Pin Device" setting applies only to the current user. If a user pins one or more devices, they are pinned only for that user and not for all users of the system. This allows users to pin and unpin devices without affecting any other user on the system.

Device Catalog Viewer Screen, Special Notes

Clicking on the hyperlink for the device name displays the Device Information Utility Screen, which describes the device. This screen is discussed in a later section. In particular, the user can click on the device IP address, and then click on the "All Messages For Device" hyperlink to view all messages received from the IP address.

The initial sort mode setting (by default "Sort By Time") is a user preference, and can be adjusted so that the initial sort mode is "Sort By Name", "Sort By Address", or one of the other sort mode options. See the "User Preferences" screen for more information.

Devices, Advanced Configuration Screen

The "Advanced" button on the "Messages > Device" screen provides access to more advanced settings of the system related to device discovery, the "Message Idle Time" monitor, and the ability to add and delete devices by list. The screen is depicted below.

The above screen contains advanced settings and controls, available only to administrators, which affect the processing and monitoring of the system device list. The various fields and controls are as follows:

Enable Device Auto-Discovery. This select menu controls whether devices are automatically added to the list when a message from a new source is received. By default, a device is automatically added (discovered) when a new device sends messages to the server.

Message Idle Time Threshold. This time indicates when "Address Idle" messages are sent, and also affects the settings of the status lights (red or green) on the "Messages > Devices" screen. The default setting is one day. The user can adjust the setting between one hour and eight days.

Address Discovered Severity. This is the severity of "New Address Discovered" messages, which are sent whenever a new IP address is added to the system. This provides an indication of whether new addresses are being added to the "Devices" catalog. The default setting is "info". The user can disable these messages by setting the value to "disabled".

Address Idle Severity. This is the severity of the "Address Idle" message sent for any device if it does not receive any messages for the "Message Idle Time Threshold" duration, i.e. when the icon on the "Devices" screen transitions from green to red. The default setting is "notice". The user can disable these messages by setting the value to "disabled".

Address Reactivated Severity. This is the severity of "Address Reactivated" messages sent for any device if it receives a message after a "Message Idle Time Threshold" duration of inactivity, i.e. when the icon on the "Devices" screen transitions from red to green. The default setting is "disabled", indicating that no "Address Reactivated" messages are sent.

Network Failure Threshold. This is the maximum number of "Address Idle" messages sent during any one-hour test. This limits the number of messages that may occur if there is a network failure. (Specifically, this prevents potentially thousands of messages from being sent if CorreLog loses its network connection.) The default value is 10 messages per cycle.

Network Failure Severity. This is the severity of the message sent when the "Network Failure Threshold" is reached, and is useful for indicating a possible network failure, router failure, or loss of network connectivity with CorreLog or some main router. The default value is "critical". The user can disable these messages by setting the value to "disabled".

Drop Inactive Devices. This setting indicates when a device (after it has stopped sending messages for this period of time) is automatically dropped from the list of devices. This setting is useful for keeping the list of devices current. (The user may also delete devices manually, or via the "Delete Devices By List" button, described below.)

Import New Devices By List. This button accesses a special screen that allows the user to add devices via a list. The "Import New Devices" screen allows the operator to cut and paste a list of devices into the system, where the list of devices is automatically added to the system. This usually is not necessary, since devices are automatically added to the system (if the "Enable Auto-Discovery" setting on this screen is set to the default "True" value.)

Delete Devices By List. This button accesses a special screen that allows the user to delete devices via a list. The "Delete Devices" screen allows the operator to cut and paste a list of devices into the system that will subsequently be deleted. This is one of several ways to delete devices (another way being to delete the device manually by deleting the catalog of devices.) Once a device is deleted, it may be automatically added back to the system if it begins sending messages again, and if the device is not filtered.

Edit Device Types. This button accesses a special screen that permits the user to classify devices into various types. The values on the "Device Types" screen can be assigned to devices via the "Device Information" screen (accessed by clicking a device name hyperlink anywhere within the system). The device types are used in Audit reports and other locations, and are useful in identifying and organizing devices by type. The system comes with a limited number of generic device types, which can be further refined via this screen.

Note that many of the parameters above are associated with detecting idle devices on the system, which allows an operator to determine whether a machine is still actively managed, or whether a problem or misconfiguration exists. The system periodically checks the device list, and issues notifications and advisories when one or more devices are not active. If, during this periodic check, the number of idle addresses meets or exceeds the "Network Failure Threshold" limit, then a second message is sent indicating a possible network or router failure. The severity of this message is given by the "Network Failure Severity" setting. These two settings permit the user to perform an elemental (but highly useful) check of the network based solely on the messages received, without relying on polling.
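The idle-device check described above, as an added example that is not CorreLog's own code: a small Python model of the device list carrying the six settings from this screen, showing how "Address Idle" advisories are capped by the Network Failure Threshold and accompanied by a single network-failure message when many sources go silent at once. The DeviceMonitor class, its method names and the 10.0.0.x addresses are constructed for the example; the setting names and defaults are the ones documented above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Advisory = Tuple[str, str]  # (severity, message text)


@dataclass
class IdleSettings:
    """The Devices Advanced Configuration settings, with the manual's defaults."""
    idle_threshold: timedelta = timedelta(days=1)   # Message Idle Time Threshold
    discovered_severity: str = "info"               # Address Discovered Severity
    idle_severity: str = "notice"                   # Address Idle Severity
    reactivated_severity: str = "disabled"          # Address Reactivated Severity
    network_failure_threshold: int = 10             # Network Failure Threshold
    network_failure_severity: str = "critical"      # Network Failure Severity


@dataclass
class Device:
    address: str
    last_message: datetime
    idle: bool = False  # status light on the Devices screen: False = green, True = red


class DeviceMonitor:
    """Hypothetical model of the device list and its idle-time monitor (not CorreLog code)."""

    def __init__(self, settings: IdleSettings):
        self.settings = settings
        self.devices: Dict[str, Device] = {}

    def receive(self, address: str, when: datetime) -> List[Advisory]:
        """Record a message from `address`: auto-discover a new source, or turn an idle
        (red) device green again.  Returns the advisories this event generates."""
        s = self.settings
        out: List[Advisory] = []
        dev = self.devices.get(address)
        if dev is None:
            self.devices[address] = Device(address, when)
            if s.discovered_severity != "disabled":
                out.append((s.discovered_severity, f"New Address Discovered: {address}"))
            return out
        if dev.idle:
            dev.idle = False
            if s.reactivated_severity != "disabled":
                out.append((s.reactivated_severity, f"Address Reactivated: {address}"))
        dev.last_message = max(dev.last_message, when)
        return out

    def periodic_check(self, now: datetime) -> List[Advisory]:
        """One test cycle.  Devices silent for at least the idle threshold turn red and
        get an "Address Idle" advisory, capped at the Network Failure Threshold.  When
        that many (or more) addresses go idle in one cycle, a single "Network Failure"
        advisory is sent as well: mass silence usually means a lost network path."""
        s = self.settings
        newly_idle = [d.address for d in sorted(self.devices.values(), key=lambda d: d.address)
                      if not d.idle and now - d.last_message >= s.idle_threshold]
        for address in newly_idle:
            self.devices[address].idle = True
        out: List[Advisory] = []
        if s.idle_severity != "disabled":
            out += [(s.idle_severity, f"Address Idle: {a}") for a in newly_idle[: s.network_failure_threshold]]
        if newly_idle and len(newly_idle) >= s.network_failure_threshold and s.network_failure_severity != "disabled":
            out.append((s.network_failure_severity,
                        f"Possible network failure: {len(newly_idle)} addresses went idle this cycle"))
        return out

    def idle_addresses(self) -> List[str]:
        return sorted(a for a, d in self.devices.items() if d.idle)


def demo() -> Tuple[List[Advisory], List[Advisory], List[str]]:
    """Constructed scenario: six devices discovered at 08:00, five of which then fall silent."""
    settings = IdleSettings(idle_threshold=timedelta(hours=1), reactivated_severity="warning",
                            network_failure_threshold=3)
    mon = DeviceMonitor(settings)
    t0 = datetime(2024, 1, 1, 8, 0)
    for i in range(1, 7):
        mon.receive(f"10.0.0.{i}", t0)
    mon.receive("10.0.0.6", t0 + timedelta(minutes=50))       # only .6 keeps talking
    check = mon.periodic_check(t0 + timedelta(hours=1, minutes=30))
    back = mon.receive("10.0.0.2", t0 + timedelta(hours=2))   # .2 comes back: red -> green
    return check, back, mon.idle_addresses()


if __name__ == "__main__":
    for sev, text in demo()[0]:
        print(f"[{sev}] {text}")
```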

Device Group Viewer Screen

The "Device Group Viewer" screen is accessed by clicking the "View Groups" link towards the top and upper-right of the "Device Catalog Viewer" screen. This link displays the various device groups (defined by the "Edit Correlation Address Groups" link) along with the rolled-up status and counts for each group. This screen is depicted below:

As depicted above, the screen shows each device group defined within the "Correlation Address Groups" screen, shows the rolled-up status of each group including the number of devices in the group, and the total counts for the group for today and historically. The user can click on the hyperlinked device group name to return to the "Devices" screen, with the specified group selected. This provides a convenient method of assessing the overall status of all devices within the various defined groups.

Users Catalog Viewer Screen

The Users Catalog Viewer screen is accessed by clicking on the Messages > Catalogs tab, and then selecting Users. From that location, the operator can view a list of all Syslog messages cataloged by users of the enterprise. A depiction of this screen is shown below.

The above screen provides a list of all the various users for messages that have been received by the system. By default, the list of users is sorted in reverse chronological order, and shows the most recently received message at the top of the list. Each row entry contains the following items:

User Name. This field indicates the name of the user that the rest of the row data items apply to. It is hyperlinked to the Catalog Viewer screen discussed further below.

Last Message Time. This field indicates the date and time at which the last Syslog message was received for that user. This is the field that, by default, the screen references to sort the data. Therefore, the user who most recently sent a message is shown as the first row of the table. The time includes the elapsed time between the event and the time that the screen was refreshed.

Last Address. This field indicates the IP address of the device that last sent a message with this user. The IP address is hyperlinked to the Device Information screen.

Message Count Today. This field indicates the number of messages that have been received for that user since midnight. The field is set back to zero at midnight, and also each time that the CorreLog Server is restarted.

History. This field is an approximate count of the number of messages that have been received for the user, which are still contained on the system (i.e. that have not been dropped, as per the Keep Data parameter, discussed further down in this section.) This is the number of events the CorreLog Server has received for the user since the CorreLog Server was originally installed.

Users Catalog Viewer Configuration

The CorreLog User Monitor function automatically discovers users based upon pre-configured match patterns. Operators can add new users manually, and can modify the match patterns via the "Advanced" button at the top of the "Users" screen, documented in a later section. Once a user has been discovered, or a username has been manually added to the system, any occurrence of that username in any message is automatically tracked and recorded for the user.

To prevent certain users from being discovered, specific usernames can be excluded from the list (via the "Advanced > Exclude User List" button.) Additionally, because some messages might contain keywords that match users (such as when a device name or domain name matches a user name), these messages can be excluded from the list (via the "Advanced > Exclude Message Keyword List" button.) This provides a large degree of control over the user discovery process and user monitor.

The "Users" screen comes pre-configured with the rules needed to detect when users log into the network. However, it may be necessary to configure additional rules, depending upon the type of user detection that is required. More information is provided in the next section.

Users, Advanced Configuration Screen

The "Advanced" button on the "Messages > Catalogs > Users" screen provides access to various more advanced settings of the system related to "User Name Auto-discovery", and the ability to add and delete users by list. The "Users Advanced Configuration" screen is depicted below:

The above screen contains advanced settings and controls, available only to administrators, which affect the processing and monitoring of the system user list. The various fields and controls are as follows:

Enable User Name Auto-Discovery. This select menu controls whether new user names are automatically added to the list of users based upon the "User Name Discovery Match Specifications" (below.) To stop the discovery of user names, set the value of this field to "False".

Edit User Name Discovery Match Specifications. This button accesses the match specifications that identify the user name portion of received messages. When any message is received, these patterns are checked to see if a user name exists in the message. When a user name is detected, it is added to the system.

Exclude User Names Containing '$' Chars. This select menu allows the operator to exclude user names containing a '$' character. These user names are common on Windows systems, and indicate machine-to-machine logons, which are ignored by default.

Exclude User Names Containing '/' Chars. This select menu allows the operator to exclude user names containing a '/' character. These user names typically indicate application program accounts, which are ignored by default.

Drop Inactive Users. This setting indicates when a user name is automatically dropped from the list after a period of inactivity. This setting is useful for keeping the list of users current. (The operator may also delete user names manually, or via the "Delete Users By List" button, described below.)

Edit User Name Exclusion List. This button accesses the special "User Name Exclusion List", which is a list of names that are never monitored. This setting can be used to eliminate from the list those users or keywords that are not interesting, or are not actual user names. The system comes pre-configured with a list of keywords, and the operator can add to this list (as needed) via this button.

Edit Message Keyword Auto-Discovery Exclude List. This button allows the system to ignore certain types of messages, from which a user name is never added. For example, messages associated with a failed logon attempt are excluded to prevent the list from being filled with mistyped user names. The system comes pre-configured with a list of exclusions, and the operator can add to this list (as needed) via this button.

Import New Users By List. This button accesses a special screen that allows the operator to add user names via a list. The "Import New User Name" screen allows the operator to cut and paste a list of user name keywords into the system, where the list of keywords is automatically added to the system. This usually is not necessary, since user names are automatically added to the system (if the "Enable Auto-Discovery" setting on this screen is set to the default "True" value.)

Delete Users By List. This button accesses a special screen that allows the operator to delete user names via a list. The "Delete User Name" screen allows the operator to cut and paste a list of user name keywords into the system that will subsequently be deleted. This is one of several ways to delete managed user names (another way being to delete the user names manually by deleting the associated catalog.) Once a user name is deleted, it may be automatically added back to the system if it appears in messages again, and if the user name is not excluded.

Edit User Classes. This button accesses a special screen that permits the operator to classify user names. The values on the "User Classes" screen can be assigned to users via the "User Information" screen (accessed by clicking a user name hyperlink anywhere within the system). The user classes are used in Audit reports and other locations, and are useful in identifying and organizing managed users. The system comes with a limited number of generic user classes, which can be further refined via this screen.

User Discovery Detailed Notes

The CorreLog system works best when enterprise usernames are distinctive, and do not correspond to common keywords with other meanings. If this occurs, the "Users" screen may have several usernames that are always being updated, which causes no harm but is also not necessarily reflective of user activity on the managed network.

When a user first logs into any monitored system, the CorreLog server detects that logon message, and parses the username based upon a match pattern and the field position of the user. After a user logs in, any time the username appears in any received message, the message is recorded and cataloged for that user. Therefore, the match patterns specified on the "Config" screen represent "discovery" rules, used only to detect the name of the user.

The user discovery match pattern can be specified in two different ways.

Positional Field Number. The operator can specify a match pattern and a numeric field number for the username. For example, if the operator knows that the fourth word of some specific message is always a username, the operator can configure the match pattern and the word number of the message.

Floating Field Position. The operator can specify a match pattern and use the "*" asterisk character as the field position. In this case, whatever the asterisk matches will be regarded as the username. This is typically the easiest way to discover usernames on the system, but requires fixed text before or after the username, and will not work if the username is embedded within message keywords that are not consistent.

Experience shows that, while some messages may require positional field numbers, the vast majority of users can be discovered using floating field positions. The default user discovery match patterns that come pre-defined with CorreLog are suitable for a wide variety of Unix and Windows platforms. These pre-defined match patterns all employ the "floating field position" specification described above, and will generally be sufficient to discover and track users on the network of a typical enterprise.

Note that it is not necessary to specify every type of message associated with usernames as part of the username discovery screen. It is sufficient to specify a few critical patterns, needed to discover the users. Once the user has been discovered, any message containing that username is automatically tracked.
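The two discovery specifications above (positional field number and floating asterisk), together with the '$', '/', exclusion-list and message-keyword exclusions from the Advanced screen, as an added Python example that is not CorreLog's own code. The DiscoveryRule and UserMonitor names, the sample rules and the log lines are constructed for the illustration; CorreLog's actual match-specification syntax may differ.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Union


@dataclass
class DiscoveryRule:
    """One User Name Discovery Match Specification (hypothetical representation).

    In `pattern` each '*' stands for one whitespace-free word.  `position` is either
    '*' (floating: the word the asterisk matched is the user name) or a 1-based word
    number into the message text (positional)."""
    pattern: str
    position: Union[str, int] = "*"


@dataclass
class UserMonitorSettings:
    """Settings from the Users Advanced Configuration screen (constructed defaults)."""
    auto_discovery: bool = True
    exclude_dollar_names: bool = True   # machine-to-machine logons such as WKSTN01$
    exclude_slash_names: bool = True    # application program accounts such as dave/app
    name_exclusion_list: Set[str] = field(default_factory=lambda: {"user", "for", "from", "by", "invalid"})
    message_keyword_exclude_list: Set[str] = field(default_factory=lambda: {"Failed password", "invalid user"})


def compile_pattern(pattern: str) -> "re.Pattern[str]":
    """Turn a keyword pattern into a regex; each '*' becomes a capturing word match."""
    words = [re.escape(w).replace(r"\*", r"(\S+)") for w in pattern.split()]
    return re.compile(r"\s+".join(words))


class UserMonitor:
    def __init__(self, rules: List[DiscoveryRule], settings: UserMonitorSettings):
        self.rules = [(r, compile_pattern(r.pattern)) for r in rules]
        self.settings = settings
        self.users: Dict[str, int] = {}  # user name -> messages cataloged for that user

    def _acceptable(self, name: str) -> bool:
        s = self.settings
        if s.exclude_dollar_names and "$" in name:
            return False
        if s.exclude_slash_names and "/" in name:
            return False
        return name.lower() not in s.name_exclusion_list

    def discover(self, text: str) -> Optional[str]:
        """Apply the discovery rules to one message; return a new user name or None."""
        s = self.settings
        if not s.auto_discovery or any(kw in text for kw in s.message_keyword_exclude_list):
            return None  # e.g. failed logons: never learn mistyped names from them
        for rule, rx in self.rules:
            m = rx.search(text)
            if m is None:
                continue
            if rule.position == "*":
                name = m.group(1) if rx.groups else None
            else:
                words = text.split()
                name = words[rule.position - 1] if 0 < rule.position <= len(words) else None
            if name and self._acceptable(name):
                return name
        return None

    def process(self, text: str) -> List[str]:
        """Discover, then catalog the message for every known user whose name occurs in it."""
        name = self.discover(text)
        if name is not None and name not in self.users:
            self.users[name] = 0
        tokens = set(re.findall(r"[A-Za-z0-9_.\-]+", text))
        hits = [u for u in self.users if u in tokens]
        for u in hits:
            self.users[u] += 1
        return hits


RULES = [  # constructed rules in the style of the floating / positional specifications
    DiscoveryRule("Accepted password for * from"),
    DiscoveryRule("Account Name: * Account Domain:"),
    DiscoveryRule("user=*"),
    DiscoveryRule("login: USER", position=3),
]

SAMPLE = [  # constructed message bodies
    "sshd[123]: Accepted password for alice from 10.0.0.5 port 5002 ssh2",
    "sshd[124]: Failed password for invalid user alcie from 10.0.0.9 port 5003 ssh2",
    "Security: Logon success: Account Name: WKSTN01$ Account Domain: CORP",
    "Security: Logon success: Account Name: bob Account Domain: CORP",
    "vpn: tunnel up peer=10.1.1.2 user=dave/app",
    "login: USER carol CONSOLE ok",
    "cron: job run by alice(uid=1000) finished",
]


def demo() -> Dict[str, int]:
    mon = UserMonitor(RULES, UserMonitorSettings())
    for line in SAMPLE:
        mon.process(line)
    return dict(mon.users)


if __name__ == "__main__":
    print(demo())  # {'alice': 2, 'bob': 1, 'carol': 1}
```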

Facilities Catalog Viewer Screen

The Facilities Catalog Viewer screen is accessed by clicking on the Messages > Catalogs tab, and then selecting Facilities. From that location, the operator can view a list of all messages cataloged by their Syslog facility code. A depiction of this screen is shown below.

The above screen provides a list of all the facilities for messages that have been received by the system. The screen incorporates the standard Syslog facilities, as well as any user-defined facilities (created on the Configure Facility Overrides screen, discussed further below.) By default, the list of facilities is sorted in reverse chronological order, and shows the most recently received message at the top of the list. Each row entry contains the following items:

Facility Name. This field indicates the name of the facility that the rest of the row data items apply to. It is hyperlinked to the Catalog Viewer screen discussed further below.

Last Message Time. This field indicates the date and time at which the last Syslog message was received for that facility. This is the field that, by default, the screen references to sort the data. Therefore, the facility that most recently sent a message is shown as the first row of the table. The time includes the elapsed time between the event and the time that the screen was refreshed.

Last Address. This field indicates the IP address of the device that last sent a message with this facility. The IP address is hyperlinked to the Device Information screen.

Message Count Today. This field indicates the number of messages that have been received for that facility since midnight. The field is set back to zero at midnight, and each time that the CorreLog Server is restarted.

History. This field is an approximate count of the number of messages that have been received from that facility, which are still contained on the system (i.e. that have not been dropped, as per the Keep Data parameter, discussed further down in this section.) This is the number of events the CorreLog Server has received for the facility since the CorreLog Server was originally installed.

Facilities Catalog Viewer Screen Controls

At the top of the display are controls that allow the user to order the list by Time, Count, or History. By default, the screen is sorted by the time of the last event. To modify the sort order, the operator makes adjustments and clicks the Apply button. This refreshes the screen with the latest settings. Clicking on the tab button also refreshes the screen, but sets the control items back to their entry defaults.

Facilities Catalog Viewer Screen, Special Notes

This screen catalogs messages by the Syslog facility code. This includes the standard twenty-four facilities, and also includes any facilities that have been configured by an operator using the Configure Facility Overrides screen, discussed below.

See the notes for the Device Catalog Viewer screen regarding usage of the Count Today and History values, and data refresh times. The notes there apply to this screen also, as well as to the Severities Catalog Viewer screen below.

Severities Catalog Viewer Screen

The Severities Catalog Viewer screen is accessed by clicking on the Messages > Catalogs tab, and then selecting Severities. From that location, the operator can view a list of all messages cataloged by their Syslog severity code. A depiction of this screen is shown below.

The above screen contains all the severities for messages that have been received by the system. By default, the list of severities is sorted in reverse chronological order, and shows the most recently received message at the top of the list. Each row entry contains the following items:

Severity Name. This field indicates the name of the severity that the rest of the row data items apply to. A row exists for each standard Syslog severity. The severity name is hyperlinked to the Catalog Viewer screen discussed further below.

Last Message Time. This field indicates the date and time at which the last message was received with the specified severity. This is the field that, by default, the screen references to sort the data. Therefore, the severity of the most recently received message is shown as the first row of the table. The time includes the elapsed time between the event and the time that the screen was refreshed.

Last Address. This field indicates the IP address of the device that last sent a message with the specified severity. The IP address is hyperlinked to the Device Information screen.

Message Count Today. This field indicates the number of messages that have been received of the specified severity since midnight. The field is set back to zero at midnight, and each time that the CorreLog Server is restarted.

History. This field is an approximate count of the number of messages that have been received of the specified severity, which are still contained on the system (i.e. that have not been dropped, as per the Keep Data parameter, discussed further down in this section.) This is the number of messages the system has received for the specified severity since the CorreLog Server was originally installed.

Severities Catalog Viewer Screen Controls

At the top of the display are controls that allow the user to order the list by Time, Count, or History. By default, the screen is sorted by the time of the last message. To modify the sort order, the operator makes adjustments and clicks the Apply button. This refreshes the screen with the latest settings. Clicking on the tab button also refreshes the screen, but sets the control items back to their entry defaults.

Severities Catalog Viewer Screen, Special Notes

This screen is similar in appearance and operation to the Facilities Catalog Viewer screen, except that rather than cataloging messages by Syslog facility, the messages are cataloged by Syslog severity. Unlike facilities, where users can define their own facility names, the Syslog severities are fixed at their standard values.

See the notes for the Device Catalog Viewer screen regarding usage of the Count Today and History values, data refresh times, and other screen characteristics. The notes there apply to this screen also, as well as to the Facilities Catalog Viewer screen above.

Aux Filtered Data Viewer Screen

The Auxiliary Filtered Data screen is accessed by clicking on the "Messages > Catalogs" tab, and then selecting "Aux". From that location, the operator can view a list of auxiliary files containing messages. Files are updated by rules configured in the "Messages > Config > Filters" screen. The "Aux" screen is depicted below:

The screen displays the auxiliary file names, and data for each file. These files contain "non-indexed" data. The messages are not correlated, but they can be used in the various reporting tools of the system, making auxiliary files ideal for holding regular data from firewalls, VPN systems, or other systems that may send large amounts of data at regular intervals. The actual filters, applied to all incoming messages, are specified at the "Configure Filters" screen, which is discussed in the next section of this manual.

The user can jump to this screen using the "Go To Filter Config" hyperlink at the top of the "Filter Screen" display. As discussed in that section, filters can be based upon severity, facility, message content, or the time of day that the message was received.

Types of Auxiliary Files And Filters

There are various types of auxiliary files, configured via the "Config > Filters" screen, or via the "Config > Parms" screen, as described below.

Main File. This file appears in the "Aux" tab if the user selects "Main" for any configured filter. This file is distinct in that it contains data that is not available to the "Query" facility. The file is mainly useful for completely eliminating data that is of absolutely no interest to the end user.

Aux-1 to Aux-16 Files. These files appear in the "Aux" tab if the user selects them for any configured filter. These files can be reported upon (by all the report functions, including the "Query" function.) Additionally, these files can be archived before they are removed (as configured via the "Config > Parms" screen.)

Ddup File. This file appears if the user has configured the "De-Duplicate Message Seconds" value to be greater than zero on the "Config > Parms" screen. The file contains messages that have been removed from the system because of the de-duplication filter (which can be used to filter messages that are duplicates, and adjacent to each other in the message log.)

Note that the Aux-1 through Aux-16 files are unique, because they work with the "Reporting" screens documented in later sections of this manual. The "Main" and "Ddup" files are special purpose and distinct, as described above.

Adding Aux Filter Titles

It is quite common to redirect data of a particular type (or from a particular device) to an auxiliary file. The data is retained on the system, can be searched, queried, and reported on, but is not passed through the correlation rules. This speeds up the program, prevents the correlation rules from being cluttered with a lot of uninteresting data, and helps organize the message data.

To assist with organizing the data, the operator can click the "Advanced" button at the top of the display. This accesses the "Aux File Titles" screen. The screen permits the user to annotate the display with arbitrary text and notes, such as to describe the type of data that the Aux file contains. For example, if the "Aux-4" file is dedicated to data from a firewall, the user can click "Config", and add descriptive text to the Aux-4 identifier such as "My Firewall Data". The text will appear on the top-level "Messages > Aux" screen to help identify the purpose and intent of the filter and auxiliary file data.

Aux Filtering Detailed Notes

To view the data of an auxiliary file, users click on the filename (ranging from Main, Aux-1, through Aux-16, and optionally the De-dup file.) Users can search the filtered data via the "Search" field at the top of the display. This performs an "unindexed" search of the data. The user can also search the Aux-1 through Aux-16 files via the "Query" function, which permits the user to search these files using potentially complex match expressions.

As an alternative to searching the data, certain "Report" functions permit reporting on filtered messages. For example, the operator can configure an "Excel" type report on filtered data to see the breakdown of filtered messages by device, user, facility, and severity. This capability is discussed in later sections of this manual, and is useful for auditing the type of data being filtered.

By default, filtered messages are discarded at midnight. However, the user can elect to archive these messages along with other data via the "Messages > Config > Parms" screen. In this case, filtered messages are stored in the archive like any other data, and the main purpose of the filters is not to discard data, but to take unimportant data out of the main message and correlation stream, which can increase the performance and usability of CorreLog. If data is archived (as described above), it can be re-imported to the CorreLog system using the CorreLog "Import" facility, discussed elsewhere in this manual. This provides a way of returning filtered messages to the main message stream.

Finally, note that this screen is intended to support "destination filtering", i.e. data filtered by CorreLog. It is often the case that messages can be filtered at their "source". Syslog capable devices can usually limit the data being sent, so that uninteresting messages do not appear on the network. Source filtering can be used to augment the filtering strategy. Source filtering is a built-in function of the CorreLog Windows Agent, as well as the CorreLog UNIX Agents. The capability also exists (with varying degrees of control) within standard UNIX, Cisco, and firewall devices. The principal advantage of "source filtering" as opposed to "destination filtering" is that "source filtering" provides a way of preventing unimportant messages from appearing as network traffic.

Section 4: Message Config Screens

In various locations throughout CorreLog a "Config" tab permits the user to provide specific configuration elements that affect screens. The "Message" application contains the largest number of configuration screens, necessary to apply control and monitoring functions such as filters, overrides, and other system parameters.

Message Configuration screens include the ability to set filters on data items, override message device, facility, and severity, and mask certain text fields from messages. Additionally, the configuration screens provide specialized parameters of the system, such as parameters associated with message collection, and how colors are mapped to event severity.

The "Message > Config" functions represent the largest single type of configuration screen within CorreLog, and are generally available only to those users who have been granted an "admin" type login to the system. These "Messages > Config" configuration screens are addressed separately in this section, to assist with organizing the content of this manual. Each configuration screen provides specific functionality described here, including the purpose, general usage, and application. Further information on message configuration parameters can be found in the "CorreLog User Reference Manual".

Configure Filters Screen

The Configure Filters screen is accessed by clicking on the Config tab, and then selecting Filters. From that location, the operator can view, add, or edit the list of input filters for incoming messages. Filtered messages are not immediately discarded; they are retained and are viewable via the "Messages > Aux" screen. A depiction of the "Configure Filters" screen is shown below.

The above screen provides a list of all the filters that are applied to incoming messages before they are further processed by the system. Filters can be added by clicking the AddNew button. An existing filter can be edited or deleted by clicking the Edit Filter button in the first row of the table. The Apply button permits the user to change the sort order, and refreshes the display with any new items (useful if some other user is currently editing the items at the same time the operator is viewing the items.)

Each filter contains five fields, shown in the table. The sixth field indicates the number of Syslog messages since CorreLog program startup which have actually been filtered. The filter items in this table correspond to the same general message matching specifications used in other locations of the program. For a message to be filtered, ALL OF the filter fields must be matched. The specific fields of the table are as follows:

Filter Time. This is the time range when the filter applies. It is represented as a start time hour, in twenty-four hour format, and a time span in hours. To match all messages, the time span is set to 24-Hours. To match all events between 11:00 PM and 02:00 AM, the start time is set to 23:00 and the time span is set to 2 Hours.

Filter Address. This is the address to filter. It can be a specific IP address, or a wildcard. The Filter Address of *.*.*.* is the default, and matches all IP addresses on the system. The IP address is the address of the device before any Address Overrides are processed.

Filter Facility. This is the facility to filter. It is the message facility before any facility overrides are processed. The default setting is Any, which matches any Syslog facility code.

Filter Severity. This is the severity to filter. It is the message severity before any severity overrides are processed. The default setting is Any, which matches any Syslog severity code.

Filter Keyword. This is a single keyword in the message. It cannot contain blank spaces (but may contain a * character that spans spaces.) The default setting is *, which matches all messages.

Entries Filtered. The last column of the table does not correspond to a filter specification, but reports the number of entries that have been filtered.

Filter Screen Controls

At the top of the display are controls that allow the user to sort the list, or add a new filter to the list. To modify the sorting order, the operator makes adjustments and clicks the Apply button. This refreshes the screen with the latest settings. Clicking on the tab button also refreshes the screen, but sets the order mode to Default, which displays records in the order in which they were added to the system.

Adding A New Filter. The operator adds a new filter by clicking the AddNew button, filling out the form, and clicking Commit. This adds the filter, and redisplays the top-level screen showing the new filter.

Editing An Existing Filter. The operator edits an existing filter by clicking the Edit button to the far left of the filter entry row, making modifications, and clicking Commit. This modifies the selected filter, and redisplays the top-level screen showing the modification.

Deleting An Existing Filter. The operator deletes a filter by clicking the Edit button to the far left of the filter entry row, and then clicking Delete. This deletes the filter, and redisplays the top-level screen showing the filter now deleted.

Filter Screen, Special Notes

Access to this screen is limited to admin type logins. If the current login has user or guest access, then the screen may be viewed, but the user is blocked when clicking the AddNew or Edit button. Only admin type logins can modify system data.

Before any data is saved or modified it is checked. If the check fails, then the user must click the back button in order to fix the problem, or click on the tab to restart the edit session. One special check requires explanation: the user cannot simply click the AddNew button and then click Commit, because this would result in a filter that blocks ALL messages on the system. (This is because the Add New Filter screen uses defaults that match the most messages, to assist the operator in making small adjustments to selectively filter messages.)

A message might match many different filters. In this case, the first filter matched is the filter whose Entries Filtered value will actually increment.

Although there is no limit to the number of filters, experience indicates that filtering can become quite confusing unless the operator carefully designs these filters. Often, the best practice is to pass as many messages as possible, and use filtering somewhat sparingly. The main use of this screen is to remove particular devices that may be hammering at the system, or are totally irrelevant. Experience shows that the most common field modified is the IP Address field, selected to reject specific devices.

Configure Address Override Screen

The Configure Address Override screen is accessed by clicking on the Config tab, and then selecting Overrides, and then selecting Address. From that location, the operator can view, add, or edit the list of message address overrides. A depiction of this screen is shown below.

Address Overrides, defined by this screen, cause the device IP address field in a message to be replaced (under specific conditions) with a different IP address, thereby cataloging the message differently. One application of this function is to handle NAT (Network Address Translation) by substituting the name of the local IP address with its corresponding network address.

The above screen provides a list of all the Address Overrides that are applied to messages immediately after filtering. Overrides can be added by clicking the AddNew button. An existing override can be edited or deleted by clicking the Edit Override button in the first row of the table. The Apply button permits the user to change the sort order, and refreshes the display with any changed items (useful if some other user is currently editing the items at the same time the operator is viewing the items.)

Each override contains five fields, shown in the table. To override a message, all of the first four fields must match the event message. The various fields are as follows:

Match Address. This is the address to override. It can be a specific IP address, or a wildcard. The address of *.*.*.* is the default, and matches all IP addresses on the system.

Match Facility. This is the facility to match in the message. The default setting is Any, which matches any Syslog facility code.

Match Severity. This is the severity to match in the message. The default setting is Any, which matches any Syslog severity code.

Match Keyword. This is a single keyword in the message to match. The specified keyword cannot contain blank spaces (but may contain a * character that spans spaces.) The default setting is *, which matches all messages.

The last column of the table indicates the IP address that will be substituted and logged whenever a message is received that matches the first four fields of the table entry. This value will be the particular value appearing in the "Messages > Search" facility, "Messages > Devices" screen, and various other locations on the system. CorreLog will treat the message exactly as if it came from the specified address.

Address Override Screen Controls

At the top of the display are controls that allow the user to sort the list, or add a new override to the list. To modify the sorting order, the operator makes adjustments and clicks the Apply button. This refreshes the screen with the latest settings. Clicking on the tab button also refreshes the screen, but sets the order mode to Default, which displays records in the order in which they were added to the system.
Instructions on how to add, edit, and delete entries are provided in the description of the Configure Filters screen. To add an entry, click the AddNew button. To edit an existing entry, click the Edit button. To delete an existing entry, click the Edit button and then click the Delete button.

Address Overrides Screen, Special Notes

Access to this screen is limited to admin type logins. If the current login has user or guest access, then the screen may be viewed, but the user is blocked when clicking the AddNew or Edit button. Only admin type logins can modify system data.

Before any data is saved or modified it is checked. If the check fails, then the user must click the back button in order to fix the problem, or click on the tab to restart the edit session. One special check that requires explanation: the user cannot simply click the AddNew button, and then click Commit, because this would result in an entry that would override ALL messages on the system. (This is because the Add New Override screen uses defaults that match the most messages, to assist the operator in making small adjustments to selectively override messages.)

A message might match many different overrides. In this case, the first override matched will be the one used. Although there is no limit to the number of overrides, experience indicates that these settings can become quite confusing unless the operator carefully designs these overrides. Experience shows that the most common field modified is the IP Address field, selected to reject specific devices.

Address Overrides, Advanced Screen

The Address Overrides Advanced screen is accessed by clicking on the Advanced button of the "Address Overrides" screen. This screen provides special utility in automatically overriding addresses based upon message content, such as to permit tracking of devices in a DHCP environment. The screen consists of various parameters needed to automatically override device addresses for CorreLog Agent (and other) Syslog message sources. The screen is depicted below.

This screen is useful in environments where the "Address" portion of the message cannot depend on the actual IP address of the sending device, for example, in a DHCP environment. This screen is also useful in environments where the source device may first be passed through a router or a load balancer, or where messages may originate from a third-party syslog server.

In any of the above situations, the operator has several options as follows:

Auto-Override With Agent Location Names. The operator can set the value of "Require Standard IP address" to be "No", and then set the "Auto-Override With Agent Location" to be "Yes". In this mode, CorreLog will look for the "Location:" keyword, and substitute the IP address with the location value. For CorreLog Agent programs, the location value is typically the setting of the %COMPUTERNAME% environment variable of the source machine. More info is available on this feature within the "CorreLog User Reference" manual.

Auto-Override with External DLL. The operator, with the assistance of vendor support, can construct highly detailed override strategies that rely on an external DLL and configuration file. This expands the override capability to include highly complex naming schemes that may exist in some enterprises.

Auto-Override with Parse Specification. The operator can set the value of "Require Standard IP Addresses" to be "No", and then click the "Auto-Override with Parse Specification" button to configure a parse specification for the system, which parses a device name from a source message. A parse specification will typically be something such as the fourth word of a message from a particular data source, or some other parsed value. This is useful for handling situations such as message streams from an intermediate system, a load balancer, or another network application or device. (This special screen is detailed in the next section.)

Note that, for any of the above auto-override settings, the value of "Require IP Address" must first be set to "No" in order for the other auto-override controls to work correctly. Administrators should be cautious about automatic overrides, since they may result in the device list being cluttered with many non-device keywords. For example, if the operator configures the "Auto-Override with Parsed Value" incorrectly, many different non-device names may be added to the system. In this case, the operator will have to manually delete these devices (such as via the "Messages > Devices > Advanced > Delete Device By List" facility.)

Address Override, Parse Specification Screen

As a special function, the system can automatically detect device names in an arbitrary message and use this value as the name of the device to manage. This capability may be necessary for systems that use a single Syslog server as the data source, or use load balancing (or other routing) that obscures the sending device. This screen is accessed via the "Messages > Overrides > Address > Advanced" screen, when the user clicks the "Auto-Override With Parse Specification" button. The screen is depicted below:

The above screen requires an "Administrator" login to access, and is necessary only in situations where the device name is contained in the message. Any changes to this screen require the operator to stop and restart the "Correlog Framework Service" for the changes to take effect. The screen should be used cautiously, because misconfiguration of the screen may cause the "Devices" screen to be littered with bad device names, requiring the user to delete these devices manually. The screen contains the following specific fields and parameters.

Enable Parsing Rules. This select menu must be set to "Yes" to enable the parsing rules. Additionally, the "Require IP Addresses" setting (of the parent screen) must be set to "No". The "Correlog Framework Service" must be stopped and restarted for these rules to take effect.

Match IP Address / Group. This field contains the original address of the device or program sending messages. This is the address that appears on the "Devices" screen without the override described here, such as the address of a syslog server or load balancer.

Match Message Expression. This field contains a match expression, which must be satisfied before parsing the device name. The value can contain a standard CorreLog expression, wildcard, keyword, macro, or list that must be contained in the message content before the parse specification (below) is executed.

Bypass Local & CorreLog Messages. This select menu, if set to "Yes", bypasses the override of messages that are from the local host address, or that contain the "Location:" directive used by CorreLog agents. This is the default condition, to prevent parsing of internal CorreLog messages that may not follow a naming convention.

Device Name Parse Specification. This field contains a standard parse specification that identifies the device name in the message. The value can be a word position (such as "4") or a phrase with an asterisk (such as "device: *"). The device name is consistently parsed according to the operator specified rule. Note that only those messages originating at the "Match IP" address and which satisfy the "Match Message" expression are parsed.

Format Device Name / Replace Text. This select menu permits additional processing of the parsed device name. For example, the device name may require additional formatting (such as to drop a domain prefix or suffix.) By default, no formatting is applied. If the user specifies "First Instance", "Last Instance", or "All Instances", then the "From Pattern" and "To Value" fields are applied. (See additional notes that follow.)

From Pattern / Value. This field contains the text to replace, which can include a wildcard. For example, once a device name is parsed, the user can format the device name to remove any value following the first slash character, specifying a "From Pattern" of "/*". Note that the specified value must be double quoted.

To Value. This field contains the text to replace the "From Pattern" with. The value can be a zero length string (by specifying two double quotes) in which case the text matching the "From Pattern" is removed from the device name.

Test Parser. This button saves the match patterns, and then parses recent messages on the system to show the results of the match pattern. (See additional notes that follow.)

To configure the parser, the operator should specify the match patterns required to parse the device names from incoming messages, and then test the parser via the "Test Parser" button. If the values are appropriate, the operator should subsequently stop and restart the "Correlog Server Framework" service (via the Windows Service Manager, or via a "net stop correlog" and "net start correlog" command prompt directive.)

The functions provided by this screen may or may not be essential or required depending upon the configuration of the system within the enterprise. For example, if CorreLog is being fed by a Syslog server that is already collecting log data, it will be necessary to parse device names from the incoming messages in order to populate the "Devices" list properly. On the other hand, if CorreLog is being fed message information directly from a series of managed devices, this screen will probably never be used, and should be ignored by the operator.

The "Replace" functions can be used to further format the device name. For example, the device name, in addition to being parsed from the message, may contain a prefix or suffix that needs to be chopped from the name. To accomplish this, the operator can configure the replace function with a "from" and "to" match pattern. The match patterns should be double quoted, and will apply ONLY to the parsed name. For example, to replace a ".com" suffix in the device name with the keyword "server", the operator can configure a "From" pattern of ".com", and a "To" pattern of "server". Likewise, to remove all the characters following a "/" character in the device name, the operator can configure a "From" pattern of "/*" (slash asterisk) and a "To" pattern of "" (i.e. a zero length string.)

Finally, note that there are various preconditions to using this screen as follows: (1) the "Require IP Address" value must be set to "No" on the "Advanced" screen; (2) the "Enable Special Parsing Rules" must be set to "Yes" on this screen; (3) the "Match IP Address" and "Match Message" and "Parse Specification" must all be configured to match incoming messages; and (4) the CorreLog Framework Service must be stopped and restarted for the rules to take effect.
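The following Python is an added example, not CorreLog code, of how the parse specification and the "From Pattern" / "To Value" replacement described above combine. How CorreLog itself interprets these fields is not documented here, so the word-position and "phrase with asterisk" handling, the greedy meaning of "*" in a From Pattern, the loopback address used for "local host", and every rule and message below are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOCALHOST = "127.0.0.1"  # assumed: the "local host address" the screen bypasses


@dataclass
class ParseRule:
    enabled: bool = True            # "Enable Parsing Rules"
    match_address: str = "*.*.*.*"  # "Match IP Address / Group": address as received
    match_expression: str = "*"     # "Match Message Expression": keyword or wildcard
    parse_spec: str = "*"           # "Device Name Parse Specification": "4" or "device: *"
    format_mode: str = "None"       # "None", "First Instance", "Last Instance", "All Instances"
    from_pattern: str = ""          # "From Pattern", may contain '*' (without the double quotes)
    to_value: str = ""              # "To Value"; "" removes the matched text
    bypass_local: bool = True       # "Bypass Local & CorreLog Messages"


def wildcard_regex(pattern: str) -> str:
    """'*' is taken as greedy 'anything', so "/*" swallows everything after
    the first slash (assumed interpretation of the screen's wildcard)."""
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def octets_match(pattern: str, address: str) -> bool:
    """Octet-wise wildcard match: "10.0.0.*" matches 10.0.0.5 but not 10.0.10.5."""
    pat, addr = pattern.split("."), address.split(".")
    return len(pat) == len(addr) and all(
        re.fullmatch(wildcard_regex(p), a) for p, a in zip(pat, addr))


def extract_name(spec: str, text: str) -> Optional[str]:
    """A digit selects a whitespace-separated word (1-based); otherwise the
    spec is a phrase whose single '*' stands for the device-name token."""
    if spec.isdigit():
        words = text.split()
        index = int(spec) - 1
        return words[index] if 0 <= index < len(words) else None
    if spec.count("*") != 1:
        return None
    before, after = spec.split("*")
    hit = re.search(re.escape(before) + r"(\S+)" + re.escape(after), text)
    return hit.group(1) if hit else None


def format_name(rule: ParseRule, name: str) -> str:
    """Apply "Format Device Name / Replace Text" to the parsed name only."""
    if rule.format_mode == "None" or not rule.from_pattern:
        return name
    rx = wildcard_regex(rule.from_pattern)
    if rule.format_mode == "First Instance":
        return re.sub(rx, lambda _: rule.to_value, name, count=1)
    if rule.format_mode == "All Instances":
        return re.sub(rx, lambda _: rule.to_value, name)
    if rule.format_mode == "Last Instance":
        hits = list(re.finditer(rx, name))
        if not hits:
            return name
        last = hits[-1]
        return name[:last.start()] + rule.to_value + name[last.end():]
    raise ValueError(f"unknown format mode {rule.format_mode!r}")


def parse_device(rule: ParseRule, source_address: str, text: str) -> Optional[str]:
    """The device name that would replace the message address, or None when
    the message is left alone (its address then stays as received)."""
    if not rule.enabled:
        return None
    if rule.bypass_local and (source_address == LOCALHOST or "Location:" in text):
        return None
    if not octets_match(rule.match_address, source_address):
        return None
    if not re.search(wildcard_regex(rule.match_expression), text):
        return None
    name = extract_name(rule.parse_spec, text)
    return format_name(rule, name) if name else None


def run_test_parser(rule: ParseRule, recent: List[Tuple[str, str]]) -> List[Optional[str]]:
    """What the "Test Parser" button shows: the rule applied to recent messages."""
    return [parse_device(rule, address, text) for address, text in recent]


# Constructed sample: a relay at 10.0.0.5 forwards other devices' messages, so
# every line would otherwise be cataloged under the relay's own address.
RECENT = [
    ("10.0.0.5", "device: fw-edge-01.corp.example.com/eth0 session opened"),
    ("10.0.0.5", "device: core-sw-03.corp.example.com/Gi1/0/1 link down"),
    ("10.0.0.5", "lb-syslog: forwarded from core-sw-03 link down"),
    ("127.0.0.1", "CorreLog Location: SRV01 device: internal/x startup"),
    ("10.0.0.5", "no device keyword in this line"),
]

# "device: *" names the token after "device:"; From "/*" To "" drops the interface suffix.
PHRASE_RULE = ParseRule(match_address="10.0.0.5", match_expression="device:",
                        parse_spec="device: *", format_mode="First Instance",
                        from_pattern="/*", to_value="")
# Fourth word of lines that a load balancer marks "forwarded ... from".
POSITION_RULE = ParseRule(match_address="10.0.0.*", match_expression="forwarded*from",
                          parse_spec="4")
```

Running a rule with parse_spec "4" and no "Match Message Expression" against the same sample yields "opened", "down" and "in" as device names, which is the clutter the manual warns about.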

Configure Facility Override Screen

The Configure Facility Override screen is accessed by clicking on the Config tab, and then selecting Overrides, and then selecting Facility. From that location, the operator can view, add, or edit the list of message facility overrides. A depiction of this screen is shown below.

Facility Overrides, defined by this screen, cause the facility code in a message to be replaced (under specific conditions) with a new facility code, thereby cataloging the message differently. In particular, operators can use this capability to define new facility codes, which is a major extension to the Syslog protocol standard.

The above screen provides a list of all the Facility Overrides that are applied to messages immediately after filtering, and after any Address Overrides have been applied (as discussed in the previous screen.) New Facility Overrides can be added by clicking the AddNew button. An existing override can be edited or deleted by clicking the Edit Override button in the first row of the table. The Apply button permits the user to change the sort order.

Each Facility Override consists of five different values, shown in the table. To override a message, all of the first four fields must match the event message, similar to the "Device Override" screen described above. The last column of the table indicates the name of the facility that will be logged whenever a message is received that matches the first four fields of the table entry. This facility can be one of the standard 24 facility codes of the Syslog protocol, or can be a new facility defined by the user. (See below.)

Facility Override Screen Controls

At the top of the display are controls that allow the user to sort the list, or add a new override to the list. To modify the sorting order, the operator makes adjustments and clicks the Apply button. This refreshes the screen with the latest settings. Clicking on the tab button also refreshes the screen, but sets the order mode to Default, which displays records in the order in which they were added to the system.

Instructions on how to add, edit, and delete entries are provided in the description of the Configure Filters screen. To add an entry, click the AddNew button. To edit an existing entry, click the Edit button. To delete an existing entry, click the Edit button and then click the Delete button.

Defining New Facilities

One of the important uses of this screen is to permit the creation of new facility codes. The Syslog protocol standard defines 24 different facility codes. Some of these codes, such as UUCP, are deprecated. This means that (depending upon the craftsmanship of the Syslog message designer) the message facility code is sometimes not as useful as it should be.

Using the Facility Override screen, operators can change facilities based upon any field of the message, in particular the message content. For example, the user can define any message containing the keyword CorreLog to be part of the new correlate facility. This new facility is shown on the Search Messages screen, and in the Facilities Catalog screen. It can also be used with correlation functions. Note that this is a major extension to the standard Syslog protocol. Users can create lists of keywords that change the facility code, which can affect cataloging and message routing. There is no limit to the number of new facility codes that CorreLog can create.

Facility Overrides Screen, Special Notes

Note the similarity between the Address Overrides, Facility Overrides, and Severity Overrides screens. These screens all perform similar operations, and have similar controls. What distinguishes these screens is the particular field in the incoming message that is edited and replaced.

Access to this screen is limited to admin type logins. If the current login has user or guest access, then the screen may be viewed, but the user is blocked when clicking the AddNew or Edit button. Only admin type logins can modify system data.

Before any data is saved or modified it is checked. If the check fails, then the user must click the back button in order to fix the problem, or click on the tab to restart the edit session. One special check that requires explanation: the user cannot simply click the AddNew button, and then click Commit, because this would result in an entry that would override ALL messages on the system. (This is because the Add New Override screen uses defaults that match the most messages, to assist the operator in making small adjustments to selectively override messages.)

A message might match many different overrides. In this case, the first override matched will be used.

User Defined Facilities Screen

The "User Defined Facilities" screen is accessed by clicking on the "User Defined Facilities" hyperlink, found on the "Facility Override" screen. This screen provides the special capability to define new user facilities, which can be assigned to messages via the "Facility Override" function. The facilities then appear throughout CorreLog, and can be used to organize, thread, and report on message data. The screen is depicted below.

The "User Defined Facility" function is one of the more powerful (and obscure) functions of the CorreLog system. This facility allows an operator to extend the range of pre-defined facility codes to include more specialized facilities, thereby greatly expanding the utility of the facility codes. Syslog facility codes, while useful, have often been criticized as lacking scope and flexibility. Using the "User Defined Facility" function, operators can add new facilities for special purposes as depicted above.

Configure Severity Override Screen

The Configure Severity Override screen is accessed by clicking on the Config tab, and then selecting Overrides, and then selecting Severity. From that location, the operator can view, add, or edit the list of message severity overrides. A depiction of this screen is shown below.

Severity Overrides, defined by this screen, cause the severity code in a message to be replaced (under specific conditions) with a different severity code, thereby cataloging the message differently. In particular, since severities are often used in routing and suppressing notifications, operators can use this capability to affect message routing.

The above screen provides a list of all the Severity Overrides that are applied to incoming messages immediately after filtering, after any Address Overrides have been applied, and after any Facility Overrides have been applied (as discussed in the previous screens.) Note that the order in which this filtering and substitution takes place may be significant!

New Severity Overrides can be added by clicking the AddNew button. An existing override can be edited or deleted by clicking the Edit Override button in the first row of the table. The Apply button permits the user to change the sort order.

Each Severity Override consists of five different values, shown in the table. To override a message, all of the first four fields must match the event message. These fields are the same as those used in the "Device Override" screen, described previously. The last column of the table indicates the value of the severity that will be logged whenever a message is received that matches the first four fields of the table entry. This severity will be one of the standard eight severities defined by the Syslog protocol standard, ranging from debug to emergency.

Severity Override Screen Controls

At the top of the display are controls that allow the user to sort the list, or add a new override to the list. To modify the sorting order, the operator makes adjustments and clicks the Apply button. This refreshes the screen with the latest settings. Clicking on the tab button also refreshes the screen, but sets the order mode to Default, which displays records in the order in which they were added to the system.

Instructions on how to add, edit, and delete entries are provided in the description of the Configure Filters screen. To add an entry, click the AddNew button. To edit an existing entry, click the Edit button. To delete an existing entry, click the Edit button and then click the Delete button.

Severity Overrides Screen, Special Notes

Note the similarity between the Address Overrides, Facility Overrides, and Severity Overrides screens. These screens all perform similar operations, and have similar controls. What distinguishes these screens is the particular field in the incoming message that is edited and replaced.

A message might match many different overrides. In this case, the first override matched will be used. (This is also true with regard to the other override editors, discussed previously.)
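The stages described from the Configure Filters screen through the Address, Facility and Severity Override screens (filter first, then the three override stages in that order, each "first match wins", each refusing an entry left at the screen defaults) can be modelled together. The Python below is an added example, not CorreLog code. The filter screen's own fields are not described on these pages, so the example assumes it uses the same four match fields as the override screens; the octet-wise address wildcard, the keyword being tested as a substring of the message text, and all rules and messages are likewise constructed assumptions.

```python
from dataclasses import dataclass, replace
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass
class Message:
    address: str    # device IP as received (or as already overridden)
    facility: str   # syslog facility name, or a user-defined facility
    severity: str   # one of the eight syslog severities
    text: str


@dataclass
class MatchSpec:
    """The four match fields shared by the filter and override screens; the
    defaults are the screen defaults, which match every message."""
    address: str = "*.*.*.*"
    facility: str = "Any"
    severity: str = "Any"
    keyword: str = "*"

    def is_catch_all(self) -> bool:
        return (self.address == "*.*.*.*" and self.facility == "Any"
                and self.severity == "Any" and self.keyword == "*")

    def matches(self, msg: Message) -> bool:
        return (address_matches(self.address, msg.address)
                and self.facility in ("Any", msg.facility)
                and self.severity in ("Any", msg.severity)
                and keyword_matches(self.keyword, msg.text))


def address_matches(pattern: str, address: str) -> bool:
    """Octet-wise wildcard: "10.1.*.*" matches 10.1.2.3 but not 10.12.0.0."""
    pat, addr = pattern.split("."), address.split(".")
    return len(pat) == len(addr) and all(fnmatchcase(a, p) for p, a in zip(pat, addr))


def keyword_matches(keyword: str, text: str) -> bool:
    """Single keyword without spaces; a '*' inside it may span spaces.
    Assumed to be a substring test against the message text."""
    return keyword == "*" or fnmatchcase(text, "*" + keyword + "*")


@dataclass
class Rule:
    match: MatchSpec
    value: str = ""   # replacement address/facility/severity (unused by filters)
    hits: int = 0     # the screen's "Entries Filtered" style counter

    def __post_init__(self) -> None:
        # The screens reject an entry left at its defaults because it would
        # filter or override ALL messages; apply the same check here.
        if self.match.is_catch_all():
            raise ValueError("rule would match every message; narrow a field")


def first_match(rules: List[Rule], msg: Message) -> Optional[Rule]:
    """Only the first matching rule fires, and only its counter increments."""
    for rule in rules:
        if rule.match.matches(msg):
            rule.hits += 1
            return rule
    return None


def process(msg: Message, filters: List[Rule], address_overrides: List[Rule],
            facility_overrides: List[Rule], severity_overrides: List[Rule]) -> Optional[Message]:
    """The message as it would be cataloged, or None when a filter drops it."""
    if first_match(filters, msg) is not None:
        return None
    stages = ((address_overrides, "address"),
              (facility_overrides, "facility"),
              (severity_overrides, "severity"))
    for rules, field_name in stages:
        hit = first_match(rules, msg)
        if hit is not None:
            # Later stages see the rewritten field, which is why the manual
            # warns that the order of filtering and substitution is significant.
            msg = replace(msg, **{field_name: hit.value})
    return msg


def build_example_pipeline():
    """Constructed rules: drop a chatty device, map a NAT range to its public
    address, give messages mentioning CorreLog the user-defined facility
    'correlate', and raise that facility's severity to 'warning'."""
    filters = [Rule(MatchSpec(address="10.0.0.99"))]
    address_overrides = [Rule(MatchSpec(address="192.168.1.*"), value="203.0.113.5"),
                         Rule(MatchSpec(address="192.168.*.*"), value="203.0.113.1")]
    facility_overrides = [Rule(MatchSpec(address="203.0.113.5", keyword="CorreLog"),
                               value="correlate")]
    severity_overrides = [Rule(MatchSpec(facility="correlate"), value="warning")]
    return filters, address_overrides, facility_overrides, severity_overrides


def run_example() -> List[Optional[Message]]:
    pipeline = build_example_pipeline()
    samples = [  # constructed messages
        Message("192.168.1.7", "user", "info", "CorreLog agent started"),
        Message("192.168.1.7", "user", "info", "disk almost full"),
        Message("10.0.0.99", "kern", "debug", "link flap"),
    ]
    return [process(m, *pipeline) for m in samples]
```

The facility override in the sample matches the public address that the address override produced, so swapping the stage order would leave the facility untouched.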

Configure Text Overrides Screen

The Configure Text Override screen is accessed by clicking on the Config tab, and then selecting Overrides, and then selecting Text. From that location, the operator can view, add, or edit text overrides, which permit the user to mask out specific text content (such as credit card numbers or passwords) prior to logging a message to the CorreLog system. The screen is depicted below.

The "Text Override" screen provides general utility in controlling whether specific text fields are logged and stored at CorreLog. This process is also known as "tokenization", and eliminates certain fields from the system as may be required under certain security compliance standards. The screen allows the user to specify a text field (along with an optional device IP address and message match pattern) that identifies text to be replaced with "#" characters. For example, if a Web server log contains credit card information, the CorreLog administrator can mask certain text from messages prior to storing the message, or passing the message through the system correlation rules. This provides additional security on the system by preventing such information from being stored.

To add a text override, the user clicks the "AddNew" button, and then specifies an optional IP address and match phrase for messages that are to be overridden on the system. The match expression (if used) must be a single keyword or wildcard, similar to the match expressions employed by the other override screens.

To actually override the message, the user specifies a phrase identifying the prefix or postfix (or both) that identifies the context of the phrase to be masked. Any characters matched by the "*" asterisk character will be replaced in the message with "#" characters prior to logging the message. Unlike the "Match Keyword", the "Mask Text Specification" can (and typically will) contain spaces and a single "*" character somewhere in the specification. Using this technique, any part of the message that can be identified in context can have a portion of the message masked.

For example, specifying the "Mask Text Specification" to be "Confidential *" will mask out any text following the keyword "Confidential" within the message. Specifying a "Mask Text Specification" of "User Password * Changed" will mask out any text between "User Password" and "Changed".

Text Overrides Screen, Special Notes

The "Text Overrides" screen is slightly different from the "Facility" and "Severity" overrides screens. The "Text Overrides" screen permits the user to specify an IP address and match keyword, but the user cannot specify a facility and severity code. (This is generally not a limitation, because specific textual information is being masked independent of the facility and severity of the message.) The "Text Overrides" screen additionally requires a "Text Mask Specification", which can include blanks, and which must include at least one "*" asterisk. The "Mask Text Specification" value can contain spaces, and these spaces must be present in the message.

A message might match many different overrides. In this case, the first override matched will be used. (This is also true with regard to the other override editors, discussed previously.)
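The masking behaviour described for this screen, as an added Python example (not CorreLog code): the literal words of the "Mask Text Specification" must be present in the message, and only the characters covered by "*" become "#" characters. Replacing one character with one "#", treating an override whose mask text is absent from the message as not matched, and the sample overrides and messages are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Tuple


@dataclass
class TextOverride:
    mask_spec: str                  # "Mask Text Specification": context words plus '*'
    match_address: str = "*.*.*.*"  # optional device IP, octet-wise wildcard
    match_keyword: str = "*"        # optional single keyword or wildcard, no spaces

    def __post_init__(self) -> None:
        # Same checks the screen applies: at least one '*', and a keyword
        # with no blanks (a '*' inside the keyword may span spaces instead).
        if "*" not in self.mask_spec:
            raise ValueError("Mask Text Specification must contain a '*'")
        if " " in self.match_keyword:
            raise ValueError("Match Keyword must be a single keyword")


def mask_regex(spec: str) -> "re.Pattern[str]":
    """Context text stays literal; each '*' becomes a capture group that will
    be masked. A trailing '*' with nothing after it runs to the end of the line."""
    parts = spec.split("*")
    rx = re.escape(parts[0])
    for i, part in enumerate(parts[1:], start=1):
        open_ended = part == "" and i == len(parts) - 1
        rx += ("(.*)" if open_ended else "(.*?)") + re.escape(part)
    return re.compile(rx)


def apply_mask(spec: str, text: str) -> Tuple[str, bool]:
    """Replace every character covered by a '*' with '#' (one '#' per
    character, so the masked length stays visible); context words stay."""
    hit = mask_regex(spec).search(text)
    if hit is None:
        return text, False
    chars = list(text)
    for start, end in hit.regs[1:]:
        chars[start:end] = "#" * (end - start)
    return "".join(chars), True


def address_matches(pattern: str, address: str) -> bool:
    pat, addr = pattern.split("."), address.split(".")
    return len(pat) == len(addr) and all(fnmatchcase(a, p) for p, a in zip(pat, addr))


def keyword_matches(keyword: str, text: str) -> bool:
    return keyword == "*" or fnmatchcase(text, "*" + keyword + "*")


def tokenize(overrides: List[TextOverride], address: str, text: str) -> str:
    """Apply the first override whose address, keyword and mask text all match;
    later overrides are not consulted (first match wins, as on the other
    override screens)."""
    for ov in overrides:
        if address_matches(ov.match_address, address) and keyword_matches(ov.match_keyword, text):
            masked, hit = apply_mask(ov.mask_spec, text)
            if hit:
                return masked
    return text


OVERRIDES = [  # constructed configuration
    TextOverride("User Password * Changed"),
    TextOverride("Confidential *", match_address="10.0.0.*"),
    TextOverride("card=* ", match_keyword="checkout"),
]

INCOMING = [  # constructed (device address, text) pairs as they arrive, before logging
    ("10.0.0.8", "User Password hunter2 Changed for bob"),
    ("10.0.0.8", "Confidential merger memo attached"),
    ("192.0.2.9", "Confidential note"),
    ("10.0.0.8", "checkout card=4111111111111111 amount=10"),
    ("10.0.0.8", "refund card=4111111111111111 done"),
]


def run_example() -> List[str]:
    """The text that would be written to the CorreLog log for each sample."""
    return [tokenize(OVERRIDES, address, text) for address, text in INCOMING]
```

The last sample shows the cost of an over-specific "Match Keyword": the card number survives because the message does not contain "checkout".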

Text Overrides, Advanced Screen

The Text Overrides Advanced screen is accessed by clicking on the Advanced button of the "Text Overrides" screen. This screen provides special utility in automatically hiding user names throughout the system, useful for maintaining privacy standards in those organizations that require it. The screen consists of various parameters needed to mask user names, replacing user names with anonymous identifiers as described here. The screen is depicted below.

User name masking, provided by this screen, is a special feature of the CorreLog Server, which can be used to hide any references to actual user names on the system. Among other applications, this function can be used to protect user privacy, and remove any possibility of operator bias when evaluating possible user threats. User masking affects only the display of users, and does not modify any message content on the system. Specific settings of the screen are as follows:

Auto-Mask User Name Enable. This setting is set to "Yes" to enable the user masking features. Subsequently, a unique identifier (such as "USER012817") replaces any user name appearing on any screen.

User Mask Prefix. This setting allows the operator to specify the prefix to the user mask. The prefix (and unique user identification number) appears in place of each username on the system throughout the CorreLog Server.

User Mask Seed Value. This setting allows the operator to specify a new seed value / offset that changes all the user identification numbers. This setting is useful if a masked user name is discovered. Adjusting this setting will shift all the user name identifiers to some new value.

Audit Account Name. This setting is the name of the single account that is given permission to see the user names on the system. The operator can specify any CorreLog user name. If there is no user with the specified name, this setting is ignored.

User Mask Exclusion List. This button accesses a list of user names that are excluded from the masking process, such as "Administrator", "root", or other common names that are not necessarily associated with a particular user of the system.

To enable user name masking, the operator sets the value of "Auto-Mask User Names" to be "Yes". Optionally, the operator can also modify the mask prefix (which appears in the place of the masked user name), and establish an audit account that is used to see the unmasked user names. Additionally, the operator can specify an exclusion list of user names that are not masked (such as "Administrator", "root", etc.)

Auto-Mask Users, Special Notes

User Name Auto-masking, configured by this screen, does not actually override the data within the message database, but simply masks the user names depicted on CorreLog screens and contained in CorreLog reports. (This is different from the main "Text Override" facility, described earlier, which actually modifies message content before it is written to the disk.) In addition to masking user names on the system, user names are also masked in reports and any notifications and tickets generated by the system.
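An added Python example (not CorreLog code) of the display-side masking these settings describe: a prefix plus a number replaces each user name when rendered, the seed shifts every number at once, the audit account sees real names, and excluded names are never masked, while the stored rows are untouched. How CorreLog derives the number is not documented here; the CRC-based mapping, the six-digit width and the sample rows are assumptions.

```python
import zlib
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class UserMaskConfig:
    enabled: bool = False                   # "Auto-Mask User Name Enable"
    prefix: str = "USER"                    # "User Mask Prefix"
    seed: int = 0                           # "User Mask Seed Value" (offset)
    audit_account: Optional[str] = None     # "Audit Account Name"
    exclusions: FrozenSet[str] = frozenset({"Administrator", "root"})  # "User Mask Exclusion List"


def masked_identifier(cfg: UserMaskConfig, user: str) -> str:
    """Stable per-user number plus the seed offset (assumed scheme), so the
    same user reads the same on every screen until the seed is changed."""
    number = (zlib.crc32(user.encode("utf-8")) + cfg.seed) % 1_000_000
    return f"{cfg.prefix}{number:06d}"


def display_name(cfg: UserMaskConfig, user: str, viewer: str) -> str:
    """Name rendered for `viewer` on screens, reports, notifications and tickets."""
    if not cfg.enabled or user in cfg.exclusions:
        return user
    if cfg.audit_account is not None and viewer == cfg.audit_account:
        return user
    return masked_identifier(cfg, user)


def render_report(cfg: UserMaskConfig, viewer: str, rows: List[Tuple[str, str]]) -> List[str]:
    """Render stored (user, event) rows; the rows themselves are never rewritten."""
    return [f"{display_name(cfg, user, viewer)}: {event}" for user, event in rows]


STORED = [("alice", "logon"), ("root", "sudo"), ("alice", "file open")]  # constructed rows
```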

Message Forwarding Screen

The Message Forwarding screen is accessed by clicking on the Config tab, and then selecting Forwarding. From that location, the operator can configure and view the current forwarding specifications (which send messages to other Syslog collectors, or to other copies of CorreLog). A depiction of the screen is shown below:

This screen permits the user to forward any message to up to four different locations, and also provides the ability to forward "Aux" messages to a single auxiliary location. (The "Aux" file forwarding specifications are also available for editing via the "Aux > Advanced" screen.) Each message is sent to the specified IP address, and each IP address has its own enable and formatting specifications.

The top-level "Forwarding" screen depicts the state of the four main message forwarders, and the sixteen auxiliary file forwarders. Additionally, the number of forwarded messages (since the forwarders were last changed) is depicted, providing an indication of the number of messages that have been sent.

CorreLog Screen Reference Manual, Page - 75

The "Forwarding" screen is configured using the "Edit" button at the top of the screen, or by clicking "Edit" next to a forwarding specification, which allows the administrator to assign the various options associated with each forwarding facility of the system. The user specifies the "Enable" value and the "Send To" address, and in the case of the four main message forwarders, the user can also specify certain severity and facility match specifications. The "Enable" value for each forwarder is set to one of the following:

Enable None. The default value of the "Enable" menu is "None", indicating that the forwarder is disabled. In order to forward messages, the operator must set the enable to some value other than "None", and must also specify a "Send To" address.

Enable Relay. This setting of the "Enable" menu is mainly useful for forwarding messages to another CorreLog Server. The setting causes the messages to be forwarded to the specified "Send To" destination, where the original IP address of the device is preserved as part of the message. This setting is usually useful ONLY if the destination address is another CorreLog server.

Enable Relay-ENC. This setting is identical to the "Relay" setting above, except that the transmission to the remote CorreLog Server is also encrypted using basic internal CorreLog pseudo-one-time pad encryption.

Enable Forward. This setting of the "Enable" menu causes the messages to be forwarded to an arbitrary "Send To" destination, where the original IP address of the device that sent the message is included as the first word of the message. This setting is mainly useful when messages are being forwarded to a third-party SIEM system or data collector.

Enable Proxy. This setting of the "Enable" menu is similar to the "Forward" setting, except that the message is sent without any modification to the header. No hostname or time value is inserted as part of the message. This setting has application in certain situations such as element managers, or in certain test situations.

The "Aux" forwarders permit strategies where a single collection point exists for all messages, and these "Aux" messages (configured via the "Messages > Config > Filters" screen) are relayed to other copies of CorreLog, or to other syslog collectors. For example, this facility permits individual firewalls or other devices to be separately managed by a second copy of CorreLog.

A special "Forwarding Gadget" is available from the CorreLog dashboard that allows easy monitoring of the Forwarding mechanism, including counts of messages sent, messages bypassed, and forwarding errors. (See the list of dashboard gadgets for more information.)
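The practical difference between the "Enable" modes is what the receiving collector can still learn about the originating device. The following Python model, added here as an illustration and not CorreLog's own code, renders one message under each mode and applies a simple severity/facility match before forwarding. The Relay wire format, the ENC encryption step, and the exact form of the severity and facility match specifications are not documented on this page, so the tag used for Relay and the match fields are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Message:
    source_ip: str   # address of the device that originally sent the message
    facility: int    # syslog facility code, 0..23
    severity: int    # syslog severity code, 0 (emerg) .. 7 (debug)
    text: str        # message body as received by the collector


@dataclass
class Forwarder:
    """One of the four main forwarders. The severity/facility match fields are
    assumptions about how the screen's 'match specifications' behave."""
    enable: str                       # "None", "Relay", "Relay-ENC", "Forward" or "Proxy"
    send_to: Optional[str]            # destination IP address, required for any mode but "None"
    max_severity: int = 7             # forward only messages at least this urgent (numeric <=)
    facility: Optional[int] = None    # None means any facility

    def should_forward(self, msg: Message) -> bool:
        if self.enable == "None" or not self.send_to:
            return False
        if msg.severity > self.max_severity:
            return False
        if self.facility is not None and msg.facility != self.facility:
            return False
        return True

    def render(self, msg: Message) -> Optional[str]:
        """Text that would be sent for this mode, or None if the message is bypassed."""
        if not self.should_forward(msg):
            return None
        pri = msg.facility * 8 + msg.severity    # standard syslog PRI value
        if self.enable == "Proxy":
            # header passed through untouched: no hostname or time inserted, so the
            # receiver sees the CorreLog server, not the device, as the sender
            return f"<{pri}>{msg.text}"
        if self.enable == "Forward":
            # originating device address becomes the first word of the message, so a
            # third-party SIEM can still attribute it to the right device
            return f"<{pri}>{msg.source_ip} {msg.text}"
        if self.enable in ("Relay", "Relay-ENC"):
            # the real relay wire format is undocumented here; this tag is a placeholder
            # for "original address preserved", and the ENC encryption step is not modelled
            return f"<{pri}>[relay src={msg.source_ip}] {msg.text}"
        raise ValueError(f"unknown enable mode {self.enable!r}")


def render_all_modes(msg: Message, send_to: str = "192.0.2.10") -> dict:
    """Show what one message looks like under each mode (constructed destination)."""
    return {mode: Forwarder(mode, send_to).render(msg)
            for mode in ("None", "Relay", "Forward", "Proxy")}
```

A forwarder whose "Send To" address is blank never sends anything regardless of its "Enable" value, matching the rule stated for "Enable None" above.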

Configure Colors Screen

The Configure Colors screen is accessed by clicking on the Config tab, and then selecting Colors. From that location, the operator can view and edit the list of message severity colors, which affects the appearance of various other screens. A depiction of this screen is shown below.

The Configure Colors screen is a standard CorreLog dialog. To edit parameter entries, the user clicks the Edit button, modifies the parameter, and then clicks the Commit button on the edit screen. The user can restore the preset default configuration by clicking on the Default button on the edit screen. If the Default button is accidentally clicked, the user can inspect the previous settings by clicking the Back button of the browser.

This screen allows the user to edit the color specifications related to the various severity levels. The colors specified here appear in a variety of places, and allow a user to rapidly distinguish the severity of messages based upon the message color. Each Syslog severity has its own background color and text color.

User Defined Severity Labels

In addition to permitting the user to specify the severity colors, this screen permits the user to assign special tags and labels to each severity color, such as "Low", "Medium", "High". These values appear next to the severity labels, and are useful for identifying severities (along with colors) and for working with systems that may require labeling other than the standard syslog severities (for example, systems that require "Homeland Security" categories). The user clicks the "Edit" button, and provides a value that appears in the "Label" column of the edit screen.

Configure Color Screen, Special Notes

The hex color values are standard HTML color codes, either "RRGGBB" hex codes or standard names such as "red", "blue", "green", etc. The text color should normally be selected to provide a high contrast with the text background (hence the text color is quite often either black or white).

Access to this screen is limited to admin type logins. If the current login has user or guest access, then the screen may be viewed, but the user is blocked when clicking the AddNew or Edit button. Only admin type logins can modify system data.

Before any data is saved or modified it is checked. If the check fails, then the user must click the back button in order to fix the problem, or click on the tab to restart the edit session. For this particular screen (because of the vast assortment of valid HTML color specifications) the checks applied to user changes are somewhat superficial, hence the user can easily specify undesirable colors. The user can click the back button to correct this condition, or can click Edit and then Default to restore the installation default colors to the system.

Configure Parameters Screen

The Configure Parameters screen is accessed by clicking on the Messages > Config tab, and then selecting Parms. From that location, the operator can view and edit various system global parameters that affect the appearance and performance of the system. A depiction of this screen is shown below.

The Parms screen is a standard CorreLog dialog. To edit parameter entries, the user clicks the Edit button, modifies the parameter, and then clicks the Commit button on the edit screen. The user can restore the preset default configuration by clicking on the Default button on the edit screen. If the Default button is accidentally clicked, the user can inspect the previous settings by clicking the Back button of the browser.

Data is stored in the "./config/slparms.cnf" file of the system. The following parameters are supported.

Default Message Encoding. This setting is adjustable only on the international versions of the program, and permits the user to specify the message encoding of incoming messages, such as GB2312 (for Chinese systems) or other supported languages. On English versions of the program, this value is always "Western".

De-duplicate Msg Seconds. This setting is used to prevent duplicate messages from flooding the CorreLog system. If a duplicate message is received by the system within the specified number of seconds, then it is rejected. Before the message can be received again, the specified number of seconds must elapse. (Note: The rejected message is entered into the "Messages > Aux" catalog for later review.)

Max Non-Indexed Search. This setting controls the maximum number of messages that are scanned if the user searches for a keyword or phrase that does not contain an indexed keyword, such as when a user searches for a number on the "Messages > Search" screen. Also, when searching in catalog screens, this is the maximum number of records that are searched. Setting this value too high can substantially slow down the search process.

Max Search Time. This setting controls the maximum amount of time, in seconds, to spend doing a search of system data on the Advanced Search screen and catalog search screens. (The value does not affect "Query" type searches.) The value ensures that a CGI timeout will not prevent the search utility from returning results, if any. If a search exceeds this amount of time, any results acquired are displayed, and a special message appears at the bottom of the screen. Generally, this value is pertinent only if CorreLog is heavily loaded and executing on low-performance hardware.

Last Message Repeated. This setting is used to specifically support Unix style "Last Message Repeated" events. When set to "auto", if a Unix box generates this event, CorreLog will automatically repeat the last message received from the box. This assists in correlation functions.

Keep Online Days. This is an integer value representing the number of days to keep active on the system as an indexed part of the search engine. Any data that is older than this number of days is deleted. The CO-maint.exe program performs the data deletion nightly, at midnight. The setting provides a way to limit the number of files and the disk space required to support the program.

Keep Archived Days. This is an integer value representing the number of days to keep archived files, in Gzip format, within the "./archive" directory of the system. Any archived data that is older than this number of days is deleted. The CO-maint.exe program performs the data archiving nightly, at midnight. (See Section 4 of the CorreLog User Reference Manual for more information on the archiving function.)

Archive Filtered Data. This setting controls whether filtered data is automatically archived each night along with non-filtered data. The filtered data is preserved in the "./archive/filt" directory in Gzip format. (See Section 4 of the CorreLog User Reference Manual for more information on the archiving function. Also, see information on the "Messages > Aux" screen in this section.)

Syslog Directory Path. This is the path to the directory folder that contains Syslog files, by default the path ../syslog within the CorreLog root directory. The value is useful if there is an expanse of Syslog data that fits more conveniently on a different disk (such as the F:/Syslog disk, for example). An absolute path should be specified, or a pathname relative to the s-cgi directory.

Catalog Directory Path. This is the path to the directory folder that contains Catalog files, by default the path ../catalog within the CorreLog root directory. The value is useful if there is an expanse of catalog data that fits more conveniently on a different disk and folder (such as the F:/Catalog disk, for example). An absolute path should be specified, or a pathname relative to the s-cgi directory.

Archive Data Path. This is the path to the directory folder that contains compressed archive files and message digests, by default the path ../archive within the CorreLog root directory. The value is useful if there is an expanse of archive data that fits more conveniently on a different disk and folder (such as the F:/Archive disk, for example). An absolute path should be specified, or a pathname relative to the s-cgi directory.

External Data Path. This is the path to a directory of files that is used by the "Reports > Query" tool, when searching external files. The value can be any Windows pathname. By default, the value is set to the "../external" directory, which permits the user to search for files in the "CorreLog\external" folder as a standard Query function. (See the "Reports > Query" screen for more information.)

SNMP Utility Path. This value (and the value below) works strictly with the Device Information screen. If the net-snmp or equivalent software resides on the disk, then SNMP requests are made using that software to acquire the device system description, uptime, and other values. This assists the user in identifying the device that sent a message. If the path is invalid, or does not contain an snmpget.bat file, then no SNMP capability is enabled. (See the Device Information Screen, discussed further down in this section.)

SNMP Read Community. This value (and the value above) works strictly with the Device Information screen. The user can specify the SNMP read community to work with the SNMP Utility Path above, useful in identifying the type of device on the system that sent a message. If SNMP is not enabled, this field can be left blank. See notes above.

Require Standard IP Addresses. This switch can be used to bypass the display and checking of IP addresses to accommodate textual names and IPv6 values. By default, the system requires that addresses be in IPv4 (dot) notation. This switch must be set to "Yes" in order to use the advanced features of the "Address Overrides" screen, discussed previously. (This menu option is also available on the "Messages > Overrides > Address > Advanced" screen.) When this value is set, the system can display hostnames or other values in place of the normal IP address for the device.

Auto-Override Agent Addresses. This switch overrides addresses with the "Location:" keyword value generated by the CorreLog Agent programs, useful for operating in a DHCP environment. By default, the "Location" value of the agent is set in the agent "Message Prefix", and is the value of the "%COMPUTERNAME%" environment variable on the host platform. When this value is set to "Yes", IP addresses are automatically replaced by this value for CorreLog Agent programs, making the message independent of the IP address. See the "Messages > Overrides > Address > Advanced" screen for additional notes on this feature. This value has no effect unless the "Require Standard IP Addresses" switch (above) is set to "No".

Auto-Override Addresses Externally. This switch overrides addresses with an external DLL, supplied by the vendor. This value is generally set only with the advice of vendor support and / or professional services. See the "Messages > Address > Advanced" screen for additional notes on this feature.

Auto-Mask User Names. This switch masks user names appearing anywhere in the system, or in reports and notifications, useful for implementing user privacy and removing operator bias from the system. This value affects only the display, and does not affect message reception or logged content. See the "Messages > Overrides > Text > Advanced" screen for additional notes on this feature.

At the top of the display are controls that allow the user to edit the list or refresh the display. The operator clicks "Edit" to modify the parameter values. The operator clicks the Commit button on the edit screen, which saves the data, and displays the modifications on the top-level screen.

A Default button is provided on the Edit screen, which will restore the installation default parameters. If the user clicks on the Default button, the defaults are immediately restored. If this occurs accidentally, then the administrator will need to click the back button, inspect the settings that were in place before clicking Default, and re-edit the parameters using the desired values.

Configure Parameters Screen, Special Notes

The "Require Standard IP Addresses", "Auto-Override Agent Addresses" and "Auto-Mask User Names" settings are all available on other screens. The parameter screen described here provides an alternate method of setting and auditing these values from a central location. Refer to the "Messages > Overrides > Address" and "Messages > Overrides > Text" screens for more information on the functions controlled by these three parameters.

Note that the parameters on this screen affect all portions and all users of the system. As with the other Configure screens, the changes are applied to the central operating agents of the system. Hence, caution should be exercised when making these changes so as not to affect other users that may depend upon this data.

Finally, note that the "System > Parameters" screen provides a similar function to the "Messages > Parameters" screen, but affects system parameters only, such as the login facility, screen colors, etc. This may cause some confusion to users, causing them to initially look in the wrong location for a parameter setting. As a general rule, any parameter that affects message delivery or any of the "Messages" or "Correlation" screens is available here.
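Two of the parameters above change what a correlation thread actually sees: "De-duplicate Msg Seconds" drops repeats inside a window (diverting them to the "Messages > Aux" catalog), and "Last Message Repeated" in "auto" mode replays a device's last real message when a Unix summary line arrives. The following Python receive filter, added here as an illustration and not CorreLog's own code, models both over a constructed set of log lines. Replaying the last message exactly once per summary line is an assumption; the page does not say how many times it is repeated.

```python
import re

# Unix syslog summary line that the "Last Message Repeated" setting responds to
_REPEATED_RE = re.compile(r"^last message repeated (\d+) times?$", re.IGNORECASE)


class ReceiveFilter:
    def __init__(self, dedup_seconds=0, last_repeated="auto"):
        self.dedup_seconds = dedup_seconds      # 0 disables de-duplication
        self.last_repeated = last_repeated      # "auto" expands the summary line
        self._last_accepted = {}                # (source, text) -> time it was last accepted
        self._last_text = {}                    # source -> last accepted text from that device
        self.aux = []                           # rejected duplicates, kept for later review

    def receive(self, now, source, text):
        """Return the list of messages that should be logged for one incoming message."""
        if self.last_repeated == "auto" and _REPEATED_RE.match(text.strip()):
            # Assumption: the device's last real message is replayed once, so that
            # correlation threads see the event itself rather than the summary line
            last = self._last_text.get(source)
            return [last] if last is not None else [text]
        key = (source, text)
        seen = self._last_accepted.get(key)
        if self.dedup_seconds and seen is not None and now - seen < self.dedup_seconds:
            self.aux.append((now, source, text))   # duplicate inside the window: reject
            return []
        self._last_accepted[key] = now
        self._last_text[source] = text
        return [text]


def run_sample():
    """Constructed traffic (not captured data) exercising both settings."""
    f = ReceiveFilter(dedup_seconds=30)
    sample = [
        (0, "10.0.0.5", "sshd[811]: Failed password for admin from 198.51.100.7"),
        (5, "10.0.0.5", "sshd[811]: Failed password for admin from 198.51.100.7"),  # inside window
        (12, "10.0.0.5", "last message repeated 4 times"),                           # replayed
        (45, "10.0.0.5", "sshd[811]: Failed password for admin from 198.51.100.7"),  # window over
    ]
    logged = []
    for now, src, text in sample:
        logged.extend(f.receive(now, src, text))
    return logged, len(f.aux)
```

Note the trade-off the window introduces: a burst of identical failed-login lines inside the window is counted once by any thread that watches for them, so a site that relies on thread counts for brute-force detection should keep this value small or review the "Messages > Aux" catalog.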

Configure Keyword Index Parameters Screen

The Configure Keyword Indexing Parameters screen provides special application in tuning the keyword indexing system used by the "Messages > Search" facility. The screen is accessed by clicking on the Messages > Config tab, then selecting Parms, and then clicking the "Edit Keyword Indexing Parameters" button at the bottom of the screen. A depiction of this screen is shown below.

This screen is provided mainly for use by CorreLog support. In general, these parameters should not be adjusted casually, because they can affect the performance of the "Search" function, and can substantially degrade the performance of CorreLog. A description of these parameters follows:

Keyword List Span Days. This value is the number of days that the "Keyword Index" screen will span, by default 5 days. This does not affect the number of days that the data is actually indexed, or the number of days that can be accessed via the high-speed search index. The value can be used to limit the number of items displayed when the user clicks the "Keyword Index" hyperlink.

Max Keyword Count. This value is the number of keywords that will be indexed by the system. This value may be adjusted if a large number of keywords exists. Increasing this value may substantially increase memory usage by the CO-Gendex.exe program.

Keyword Index Write Interval. This value indicates how often the keyword index is written to the system. By default, the keyword index is refreshed every 60 seconds (unless no keywords are being received). The value can be adjusted upward if the CO-Gendex.exe program is spending too much time writing to the keyword index file.

Max Keyword Length. This value indicates the maximum size of any keyword. The value prevents long and meaningless character strings from being indexed by the system (as may occur if many different session identifiers or other keywords are present in the message stream).

Max Keyword References. This is the maximum number of references for any keyword per day, by default 1000 keywords. Generally, if a keyword occurs more than 1000 times on the system in a single day, the keyword is not very pertinent, and further references to the keyword are discarded. (This assumes that users are mainly interested in seldom occurring keywords, which is almost always the case.)

Require Dictionary Match. This special value changes the behavior of the keyword indexing system, so that a keyword is not indexed unless it occurs in an external dictionary. By default, no dictionary is included with CorreLog, hence this setting cannot be used without the assistance of CorreLog support. CorreLog provides various keyword dictionaries for CorreLog, available on request.

At the bottom of the screen is a hyperlink that allows the user to view statistics associated with the keyword indexing process (i.e. the CO-Gendex.exe program). Further information about that screen is provided in Section 9 of this manual.
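The interaction between these caps is easier to see in code than in prose: a long session identifier is dropped by the length cap, a chatty keyword stops being indexed once it hits the reference cap, and a dictionary, when required, filters everything else. The Python indexer below is an added illustration and not the CO-Gendex.exe program; the tokenization rule (a keyword starts with a letter) and the way discards are counted are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Assumption: a keyword starts with a letter and continues with letters, digits, '_' or '-'
_TOKEN_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]*")


class KeywordIndexer:
    def __init__(self, max_keyword_count=10000, max_keyword_length=32,
                 max_keyword_references=1000, dictionary=None):
        self.max_keyword_count = max_keyword_count            # "Max Keyword Count"
        self.max_keyword_length = max_keyword_length          # "Max Keyword Length"
        self.max_keyword_references = max_keyword_references  # "Max Keyword References" (per day)
        self.dictionary = dictionary                          # None = "Require Dictionary Match" off
        self.index = defaultdict(list)                        # keyword -> message ids (today)
        self.discarded = defaultdict(int)                     # reason -> count, useful for tuning

    def add(self, msg_id, text):
        """Index one message; each distinct keyword in it is referenced at most once."""
        for token in set(_TOKEN_RE.findall(text)):
            kw = token.lower()
            if len(kw) > self.max_keyword_length:
                self.discarded["too_long"] += 1            # e.g. session identifiers
                continue
            if self.dictionary is not None and kw not in self.dictionary:
                self.discarded["not_in_dictionary"] += 1
                continue
            refs = self.index.get(kw)
            if refs is None:
                if len(self.index) >= self.max_keyword_count:
                    self.discarded["index_full"] += 1      # no room for a new keyword
                    continue
                refs = self.index[kw]
            if len(refs) >= self.max_keyword_references:
                self.discarded["too_frequent"] += 1        # chatty keyword, further refs dropped
                continue
            refs.append(msg_id)

    def search(self, keyword):
        """Message ids referencing the keyword, in arrival order."""
        return list(self.index.get(keyword.lower(), []))


def run_sample():
    """Constructed log lines (not captured data) run through deliberately low caps."""
    idx = KeywordIndexer(max_keyword_count=50, max_keyword_length=24, max_keyword_references=3)
    sample = [
        "sshd[4120]: Accepted publickey for deploy from 10.0.0.9",
        "sshd[4120]: session opened for user deploy sid=ZmFrZXNlc3Npb25pZGVudGlmaWVyMTIzNDU2Nzg5",
        "kernel: eth0 link up",
        "sshd[4131]: Failed password for deploy from 203.0.113.4",
        "sshd[4132]: Failed password for deploy from 203.0.113.4",
        "sshd[4133]: Failed password for deploy from 203.0.113.4",
    ]
    for msg_id, line in enumerate(sample):
        idx.add(msg_id, line)
    return idx
```

With the reference cap set to 3, "deploy" and "sshd" stop accumulating after their third message while "failed" and "password" keep all three references, which is exactly why the cap should be set well above the daily count of any keyword an analyst expects to search for.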


Section 5: Correlation Screens

The "Correlation" application processes the raw message data received by the "Messages" application. The correlation screens permit the user to establish associations between messages by creating "Threads", which consist of messages related by simple or complex match patterns, possibly controlled by "Triggers". The counters of these threads can then be alarmed via the "Alert" facility, which causes Syslog messages to be sent back to the messages application for further correlation. (Alerts are discussed in the next section.)

The "Threads" screen permits the user to define arbitrary groups of messages using simple or complex expressions, identifying these messages by a user defined "Thread Title". The operator can define, edit, or delete threads to organize the incoming data. To view the messages related to a thread, the user clicks on the thread title hyperlink.

The Correlation application also contains a "Config" tab that provides general utility in configuring the various elements of the correlation process. Detailed information regarding correlation techniques and usage can also be found in the "Advanced Correlation System User Guide".

Correlation Threads Screen

The Correlation Threads screen is accessed by clicking on the "Correlation" tab at the top of the screen. It provides the first stage of correlation for the CorreLog system. This screen permits an operator to create and view "message threads", which are arbitrary catalogs of data based upon simple or complex match patterns. The Correlation Threads screen is depicted below.

Correlation Threads, defined by this screen, are used to group together various messages by complex match patterns, time of day, devices, severities, and facilities. The user can view the particular event messages by clicking on the hyperlinked thread name. By default, threads are sorted by "Time" with the most recently updated threads displayed first.

The top-level threads screen, in addition to permitting the user to view and create new threads, also shows summary statistics on each thread as follows:

Time Of Last Update. Beneath each thread is the date and time that the thread was last updated. This includes the date, the time, and the elapsed time since the thread was updated.

Message Count Today. Next to the "Time of last update" field is a counter showing the number of messages received for the thread since midnight, or since the system was last started.

Message History Count. Next to the "Message Count" field is a second counter showing the number of messages received for the thread since the thread was created. This shows an approximate count of all messages that have been correlated by the thread.

Thread Configuration Items

When the user clicks on the "AddNew" or "Edit" button, CorreLog displays an input form that allows the user to create or modify the various thread parameters. Both "admin" and "user" type logins can add or modify threads. These thread parameters are as follows:

Correlation Thread Title. This is the title of the thread, selected by the user, which identifies the type of data associated with the thread. This value appears as a hyperlink on the top-level "Threads" screen. Clicking on this hyperlink displays the threaded message list.

Pin Thread To Top. This drop-down menu appears only on the "Edit" screen, and allows the user to pin the thread to the top of the list. This allows users to keep track of particular threads of interest. Each user can pin items without affecting other users.

Match Time. This selection allows the user to qualify threaded messages based upon time of day. For example, a thread can contain only messages of a particular type that occur between 6:00 PM and 5:00 AM. By default, the thread collects messages for all times.

Match IP Address / Group. This input allows the user to identify the IP address, wildcard, or device group associated with thread messages. The user can specify that the thread collects messages for all devices, a particular device, a particular network address, or a specific device group. To specify a device group, the operator enters a value such as "@@mygroup@@", where "@@mygroup@@" has been configured in the "Correlation > Config > Address Groups" screen.

Match Facility. This drop-down menu allows the user to qualify messages based upon a particular facility code. The user can confine a range of messages to a particular syslog facility, including a user defined facility (documented previously).

Match Severity. This selection allows the user to qualify messages based upon a particular severity or range thereof. By default, the thread contains messages of any severity. The user can further qualify the messages to be greater than warning, less than notice, etc.

Match Trigger State. This selection allows the user to qualify a message based upon the state of a trigger (documented in later sections). This allows the user to add a context to the message, where the thread contains only messages that follow earlier messages within a specific time interval. For example, the user can specify the "Coldstart" trigger to collect only those messages that follow a system startup.

Match Expression. This text area is the main way of qualifying messages, and allows the user to enter simple or complex match patterns, logical combinations of match patterns, macro definitions of match patterns, and logical combinations of macro definitions. The CorreLog expression facility is quite extensive, and is documented in the "Advanced Correlation User Guide", as well as the "User Reference Manual". Brief help on match expressions is also available by clicking the "Expression Help" hyperlink to the left of this text area.

Adding New Correlation Threads

The CorreLog Server includes a set of "out-of-box" threads that are created upon installation. Users will typically modify and create their own threads of specific interest to their site requirements. An operator clicks the "AddNew" button to display the "Add New Correlation Thread" dialog. On this screen, the user specifies the various match patterns that are required for the incoming message to be correlated by the thread. The "Wizard" button, appearing at the top right of the screen (and also on the "Add New Correlation Thread" dialog) is of special assistance in guiding an operator through the process of creating a new thread.

The "out-of-box" threads that come with CorreLog are fairly non-specific, and well suited to further refinement. The operator can create a new thread from an existing thread using the "SaveNew" button on the "Edit" screen, which allows the user to tailor an existing thread by adding additional qualifiers (such as device names, times, or extra match patterns) and then save this change as a new thread on the system. For example, the "Object Deleted" thread, which is a standard "out-of-box" thread, can easily be modified to be a "Login Account Deleted" thread, or another thread specifically cataloging a particular type of object. Likewise, the "Logon Failure" thread can be modified and saved under a different name to become the "Domain Controller Logon Failure" thread, which watches logon failures to domain controllers.

The user can catalog messages by a variety of different criteria, including message device, facility, severity, time of day, and match expression. The "Match Expression" is special, and operates slightly differently from the various "Keyword" fields found in the filter and override screens. This field, in addition to accepting simple keywords and wildcard combinations, also permits the logical conjunctions "AND", "OR", "XOR", and "NOT". These can be nested in parentheses, such as "X AND Y OR (X AND NOT Z) OR NOT X". If a match string contains spaces, it must be contained in matched single or double quote marks. These expressions permit highly complex match patterns to be specified, which route messages to a particular thread for viewing and tabulation. More information on Correlation Features can be found in Section 5 of the CorreLog User Reference Manual.

Sorting and Pinning Threads

By default, the list of correlation threads is displayed so that the most recently updated threads are shown at the top of the list. The user can change the sort mode to order the list by "Count", "History", or "Title" via the select menu at the top of the screen.

Additionally, the user can "pin" threads to the top of the screen. To accomplish this, the operator clicks the "Edit" button for the thread, and then sets the "Pin Thread To Top Of List" selection to "Yes". The thread is then moved to the top of the display irrespective of the current sort mode, making it easy to find and watch the thread. Similarly, the user can "unpin" a thread by setting the "Pin Thread" selection to "No", which will then cause the thread to appear in the sorted list with no special ordering.

When a thread has been pinned, it is identified as such via a small pin icon next to the thread title. If multiple threads are pinned, the pinned threads are sorted first, and then the non-pinned threads. This provides a method of organizing the list of correlation threads so that the more interesting threads are kept at the top of the list, especially useful if there are many hundreds (or thousands) of threads on the system.

Note that the "Pin Thread" setting applies only to the current user. If a user pins one or more threads, they are pinned only for that user and not for all users of the system. This allows users to pin and unpin threads without affecting any other user on the system.
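The expression syntax described for "Match Expression" (keywords and wildcards, "AND", "OR", "XOR", "NOT", parentheses, and quoted strings for patterns containing spaces) is what decides whether a message lands in a thread, so it is worth seeing how such an expression is parsed and evaluated. The Python evaluator below is an added illustration and not CorreLog's own expression engine: the precedence (NOT binds tightest, then AND, then OR and XOR left to right), case-insensitive substring matching of each pattern against the whole message, and the rule that operators must be upper case are assumptions, and macro definitions are not modelled.

```python
import re

# Tokens: parentheses, double- or single-quoted patterns (for strings with spaces),
# and bare words; bare words cannot contain whitespace, parentheses or quotes.
_TOKEN_RE = re.compile(r'''\s*(?:(\()|(\))|"([^"]*)"|'([^']*)'|([^\s()"']+))''')
_OPERATORS = ("AND", "OR", "XOR", "NOT")     # upper case only, as written on the page


def tokenize(expr):
    tokens, pos = [], 0
    while pos < len(expr):
        m = _TOKEN_RE.match(expr, pos)
        if not m:
            if expr[pos:].strip():
                raise ValueError("unparseable text near %r (unbalanced quote?)" % expr[pos:])
            break                                  # only trailing whitespace left
        pos = m.end()
        if m.group(1):
            tokens.append(("LP", "("))
        elif m.group(2):
            tokens.append(("RP", ")"))
        elif m.group(3) is not None or m.group(4) is not None:
            tokens.append(("PAT", m.group(3) if m.group(3) is not None else m.group(4)))
        else:
            word = m.group(5)
            tokens.append(("OP", word) if word in _OPERATORS else ("PAT", word))
    return tokens


class _Parser:
    """Recursive descent: expr := term ((OR|XOR) term)* ; term := factor (AND factor)* ;
    factor := NOT factor | '(' expr ')' | pattern"""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek()[0] is not None:           # e.g. two bare words with no operator
            raise ValueError("unexpected token %r; quote phrases containing spaces" % (self.peek()[1],))
        return node

    def expr(self):
        node = self.term()
        while self.peek() in (("OP", "OR"), ("OP", "XOR")):
            op = self.take()[1]
            node = (op, node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == ("OP", "AND"):
            self.take()
            node = ("AND", node, self.factor())
        return node

    def factor(self):
        kind, val = self.take()
        if (kind, val) == ("OP", "NOT"):
            return ("NOT", self.factor())
        if kind == "LP":
            node = self.expr()
            if self.take()[0] != "RP":
                raise ValueError("missing closing parenthesis")
            return node
        if kind == "PAT":
            return ("PAT", val)
        raise ValueError("unexpected %r" % (val,))


def _pattern_matches(pattern, message):
    # '*' and '?' wildcards; the pattern may occur anywhere in the message (assumption)
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.search(regex, message, re.IGNORECASE) is not None


def evaluate(node, message):
    kind = node[0]
    if kind == "PAT":
        return _pattern_matches(node[1], message)
    if kind == "NOT":
        return not evaluate(node[1], message)
    left, right = evaluate(node[1], message), evaluate(node[2], message)
    return {"AND": left and right, "OR": left or right, "XOR": left != right}[kind]


def matches(expr, message):
    """True if a thread with this match expression would collect the message."""
    return evaluate(_Parser(tokenize(expr)).parse(), message)


def is_valid(expr):
    """True if the expression parses; an unquoted phrase such as 'Failed password' does not."""
    try:
        _Parser(tokenize(expr)).parse()
        return True
    except ValueError:
        return False
```

A useful habit when building a thread is to run the candidate expression against a handful of real lines from the "Messages" screen first, including lines that should not match (the "NOT root" case above), since a precedence mistake in a long OR chain silently widens or narrows the thread.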

Thread Group Viewer Screen

The "Thread Group Viewer" screen is accessed by clicking the "View Groups" link towards the top and upper-right of the "Correlation Threads" screen. This link displays the various thread groups (defined by the "Edit Correlation Threads Groups" link) along with the rolled-up counts for each thread group. This screen is depicted below:

As depicted above, the screen shows each thread group defined within the "Correlation Threads Groups" screen, shows the rolled-up status of each group including the number of threads in the group, and the total counts for the group for today and historically. The user can click on the hyperlinked group name to return to the "Threads" screen, with the specified group selected. This provides a convenient method of assessing the overall status of all threads within the various defined thread groups.

93 Correlation Triggers Screen The Correlation Triggers screen is accessed by clicking on the "Correlation" tab at the top of the screen, and then selecting "Triggers". The purpose of this screen is to watch for specific message patterns, and then set flags (with an expiration time) when messages are received. This supports other correlation features, such as "Threads", "Actions", and "Patterns". The "Correlation Triggers" screen is depicted below. Correlation Triggers, like Correlation Alerts, provide an important way of correlating activity on the system, and comprise a major function of the CorreLog Server. Operators can add new Triggers, or modify existing Triggers, based upon message content. CorreLog Screen Reference Manual, Page - 93

94 Trigger Configuration Items When the user clicks on the "AddNew" or "Edit" button, CorreLog displays an input form that allows the user to create or modify the various trigger parameters. Both "admin" and "user" type logins can add or modify CorreLog alerts. These trigger parameters are as follows: Unique Trigger Name. This is the unique name of the trigger. The name must be brief and under 15 characters in length. (This short name is used in various drop-down menus, and can be used as a variable in expressions, so succinctness of the name is required.) Pin Trigger To Top Of List. This drop-down menu appears only on the "Edit" screen, and allows the user to pin the trigger to the top of the list. This allows users to keep track of particular trigger of interest. Each user can pin items without affecting other users. Trigger is Retriggerable. This input specifies whether a message that matches the "Set Trigger Expression" (defined below) causes the trigger expiration time to be reset. If the value is set to "Yes", the counter retriggerable, and the trigger timer is reset to zero. If the value is set to "No", the counter continues. This affects whether the trigger tracks the first matched message, or the last matched message. (In many cases, this is immaterial, but this setting may be important for some types of correlation.) Set Trigger Expression. This text area defines what messages set the trigger. The operator can specify a simple or complex match patterns, logical combination of match patterns, macro definitions of match patterns, and logical combinations of macro definitions. Brief help on match expressions is also available by clicking the "Expression Help" hyperlink to the left of this text area. The format of the match expression is identical to that found in the "Threads" facility. Clear Trigger Expression. This text area defines what messages clear the trigger. The format of the matched expression is identical to that of the "Set Trigger Expression". 
If a message matches the "Clear" expression, the trigger is immediately cleared. Otherwise, the trigger will be cleared when the "Trigger Expiration Time" (defined below) is reached. Trigger Expiration Time. This input specifies the time in seconds for the trigger to expire. If a "Clear" expression is not matched (or is not specified) the trigger will automatically clear when the expiration time is reached. The time left to expire appears on the top-level "Triggers" screen. CorreLog Screen Reference Manual, Page - 94

95 Trigger Expiration Severity. This input specifies the severity of a message that is generated if the trigger expires. By default, no message is generated when a trigger expires. The value can be used to correlation situations where an expected message (following an earlier message) does not occur, such as when an invalid login is not followed by a valid login within two minutes. Manually Set Trigger. This button allows the user to immediately set the trigger. When the trigger is set, this button changes and allows the user to manually clear the trigger. This allows the user to test trigger states and combinations without generating test messages. Trigger Active Instances Each "Trigger" has a top-level indicator used in the "Threads" and "Actions" screens, but can additionally have multiple separate instances that are dynamically created. The "Active Instances" link, in the third column of the table, allows the operator to drill down and view the currently active trigger instances, useful for determining the particular devices associated with the trigger message. When a trigger is set, a copy of the trigger is automatically created (associated with the sending device address). Therefore, a trigger reflects each device that has sent a message, as well as all aggregate messages. This capability is used in the "Alert > Patterns" screen, documented in a later section, and provides special utility in tracking the state of individual devices as well as aggregate messages. Additional Notes On Triggers Triggers are a more advanced feature of the CorreLog system, and are incorporated into the "Threads", "Correlation Actions", and "Patterns" screen. Triggers provide the ability to add context to the list of streaming messages. They can also be used in match expressions, as documented in the "Advanced Correlation User Guide, referenced as part of a match expression. 
In general, most correlation does not require trigger capability, and this function is not necessarily used at every site. However, if a particular type of correlation relies on message context of any type, where a series of messages relies on the reception (or non-reception) of a previous message, the trigger facility is essential. Examples of this type of correlation include capturing data following an error condition, or after a system starts, or after some other type of message occurs that changes the meaning or significance of the messages that follow.

Correlation Actions Screen

The Correlation Actions screen is accessed by clicking on the "Correlation" tab at the top of the screen, and then clicking "Actions". This screen permits specific programs to be launched when certain patterns are detected in incoming messages. The "Correlation Actions" screen is depicted below.

Detailed notes on the "Actions" screen, including how to configure specific actions (such as logging to a database or sending an SNMP trap) are provided in Section 6 of the CorreLog User Reference Manual. The CorreLog Server comes with several different action programs, including the RUNSQL, SENDTRAP, and SENDLOG programs. These programs (and additional notes) are found in the "actions" directory of the CorreLog root directory.

Note that a similar action screen exists to support Tickets, as described in this section. The Correlation > Actions screen, described here, supports execution of actions from raw message data.

Correlation Action Configuration Items

When the user clicks on the "AddNew" or "Edit" button, CorreLog displays an input form that allows the user to create or modify the various action parameters. Both "admin" and "user" type logins can add or modify correlation items. These parameters are listed below:

Pin Action To Top. This drop-down menu appears only on the "Edit" screen, and allows the user to pin the action to the top of the list. This allows users to keep track of particular actions of interest. Each user can pin items without affecting other users.

Match Time. This selection allows the user to qualify the execution of actions based upon time of day. For example, the operator can specify that a particular action occurs only between 6:00 PM and 5:00 AM. By default, the action can execute at any time.

Match IP Address / Group. This input allows the user to identify the IP address, wildcard, or device group associated with an action. The user can specify that the action executes for all devices, a particular device, a particular network address, or a specific device group. To specify a device group, the operator enters a value such as "@@mygroup@@", where "@@mygroup@@" has been configured in the "Correlation > Config > Address Groups" screen.

Match Facility. This drop-down menu allows the user to qualify actions based upon a particular facility code. The user can confine an action to a particular syslog facility, including any user-defined facility (documented previously).

Match Severity. This selection allows the user to qualify actions based upon a particular message severity or range thereof. By default, an action will execute for messages of any severity. The user can further qualify the messages to be greater than warning, less than notice, etc.

Match Trigger State. This selection allows the user to qualify the execution of an action based upon the state of a trigger (documented elsewhere in this section).
This allows the user to add a context to the action, where an action is executed only if a message has been preceded by an earlier specific message within a specified time interval.

Match Expression. This text area is the main way of qualifying the execution of action programs, and allows the user to enter simple or complex match patterns, logical combinations of match patterns, macro definitions of match patterns, and logical combinations of macro definitions. The CorreLog expression facility is quite extensive, and is documented in the "Advanced Correlation User Guide", as well as the "User Reference Manual". Brief help on match expressions is also available by clicking the "Expression Help" hyperlink to the left of this text area.

Action Description. This is optional and arbitrary text that can be included by the operator to describe the specified action's reason and intent. The value appears on the top-level "Actions" screen, and clarifies the purpose of the action.

Action Program Name. This is the name of an action program residing in the "CorreLog\actions" folder. Various action programs come with the CorreLog system. The "Wizard" button at the top of the screen can assist with the selection of an action program.

Action Program Arguments. This is the list of command line arguments to the action program. The particular arguments must be appropriate for the specified action program. The "Wizard" button at the top of the screen can assist with the selection of an action program.

Sanitize Environmental Variables. This value is set to "Yes" or "No", and controls whether the environmental variables passed to the action program are made safe to use in batch files. The default of "Yes" sanitizes the environmental variable values by eliminating special characters such as "( ) ; { } < >" and others.

Add New Action Wizard

Configuration of an action program is not difficult; however, the operator must make sure that the action is supported at the site, and that the arguments associated with the selected action program (if any) are appropriate. To assist with the configuration of a new action, the operator can click the "Wizard" button to add a new action to the system. The "Wizard" button appears on the top-level action screen, as well as the "Add New" screen, and provides the help and narrative needed to guide the operator through the process of adding a new action to the correlation facility.
More information on Actions is available in the "CorreLog User Reference Manual", including discussions of how to construct, modify, or adapt action programs.
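The "Sanitize Environmental Variables" setting matters because an action program is typically a batch file that expands the message fields it receives; characters such as ";" or "<" inside a received message would otherwise be interpreted by the command interpreter rather than treated as data. The following Python program is an added example, not CorreLog code, that shows the mechanism: message fields are exported to a child process through environment variables, optionally stripped of such characters first, and a stand-in action program echoes back what it received. The variable names CL_MESSAGE and CL_ADDRESS, the extended character set beyond the "( ) ; { } < >" named above, and the sample message are assumptions constructed for the example.

```python
# Added example (not CorreLog code): models "Sanitize Environmental
# Variables = Yes", where message-derived values reach an action program
# through environment variables. Variable names and the full character set
# are assumptions; the page names "( ) ; { } < >" and "others".
import os
import subprocess
import sys

# Characters the page names, plus other cmd.exe / sh metacharacters that a
# batch file could otherwise expand or execute (assumed extension).
UNSAFE_CHARS = frozenset('();{}<>|&`$"\'%!^\r\n')


def sanitize_env_value(value: str) -> str:
    """Remove every unsafe character from a message-derived value."""
    return "".join(ch for ch in value if ch not in UNSAFE_CHARS)


def build_action_env(message: str, address: str, sanitize: bool = True) -> dict:
    """Environment for an action program: the process environment plus the
    message fields. CL_MESSAGE / CL_ADDRESS are assumed names."""
    fields = {"CL_MESSAGE": message, "CL_ADDRESS": address}
    if sanitize:
        fields = {name: sanitize_env_value(value) for name, value in fields.items()}
    env = dict(os.environ)
    env.update(fields)
    return env


def run_action(program_args: list, env: dict) -> str:
    """Launch an action program with the prepared environment; return stdout."""
    completed = subprocess.run(program_args, env=env, capture_output=True,
                               text=True, check=False)
    return completed.stdout


def demo_roundtrip(message: str, sanitize: bool = True) -> str:
    """Run a stand-in action program (a Python one-liner, so the example is
    portable) that echoes CL_MESSAGE back, and return what it saw."""
    echo = [sys.executable, "-c", "import os; print(os.environ['CL_MESSAGE'])"]
    return run_action(echo, build_action_env(message, "10.0.0.5", sanitize)).strip()


if __name__ == "__main__":
    # Constructed sample message carrying characters a batch file would
    # otherwise interpret.
    sample = 'sshd: Failed password for invalid user "bob;(x)" from 10.0.0.5 <note>'
    print("raw       :", demo_roundtrip(sample, sanitize=False))
    print("sanitized :", demo_roundtrip(sample))
```

Sanitizing is a blunt control: it changes the message text the action program sees, so an action that logs the message to a database will store the altered value. Where the action needs the exact text, pass it through a mechanism the interpreter does not expand (a file or standard input) rather than switching the setting to "No".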

Correlation Address Groups Screen

The Correlation Address Groups screen is accessed by clicking on the "Correlation" tab at the top of the screen, and then clicking "Config", and then clicking "Address Groups". This screen permits users to define lists of IP addresses that can then be used in the Devices, Threads and Actions screens. The "Address Groups" screen is depicted below.

Each group name is in the form "@@name@@" (for example, "@@mygroup@@"), and corresponds to a list of IP addresses or wildcards that are either matched or excluded by the correlation rules. Once a group is defined, it can be used in the "Match IP Address" field of the correlation "Threads" and "Actions" screens. The group also appears at the top of the "Devices" screen, in the "Match" drop-down menu.

Address groups may be critical for organizing large numbers of managed devices into logical segments. Two different ways of grouping devices are supported by the program, selectable on the "AddNew" screen of the "Correlation > Config > Address Groups" screen, depending upon the particular naming conventions for devices, and the organization of the device data in the enterprise. Specifically, the "Address Spec" select menu, on the "AddNew" screen, allows the operator to identify the devices in an address group using the following two techniques.

Include & Exclude List. The default way of specifying a group is to list match patterns that include and exclude devices by address. In this mode, each group consists of a list of matched IP addresses, and an optional list of excluded IP addresses. For a device to match a group, its IP address must match at least one of the "Include" addresses, and cannot match any of the "Exclude" addresses.

Correlation List Macro. An alternate way of specifying a group is to use a "Correlation List Macro" (described in later sections). This technique achieves the same purpose as the above technique, but simply lists individual addresses in a long list. For a device to match a group, the name or address of the device must be included in the list. This technique is useful when there is no logical naming scheme associated with devices, and the number of devices in a group exceeds 50 different devices.

Note that the above techniques provide equivalent results (in grouping devices into logical segments). The main difference between these two techniques is that the "Correlation List Macro" permits more than 50 devices to be individually specified in those situations where no naming convention exists that may otherwise organize the devices. If the devices can be grouped via some naming convention, possibly by subnet or by some uniform addressing scheme, the "Include & Exclude List" address specification should be used. If more than 50 devices are to be assigned to a group, and no obvious technique can identify the devices by name or IP address, then the "Correlation List Macro" specification should be used.
If fewer than 50 individual devices exist in a particular group, the operator can select either type of "Address Spec" value above. Note that once the address group is created using one of the above "Address Spec" values, the "Address Spec" value cannot be changed without deleting the existing address group and re-creating the group using a different "Address Spec". Changing an address group in this way may require removal of the address group from the various dependents of the group, which may be a somewhat involved operation. Therefore, when creating an address group, the "Address Spec" value should be selected carefully if it is likely that the contents of the group will change dramatically. This is typically a concern only during initial system setup.
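The following Python program is an added example, not CorreLog code, that models the two "Address Spec" techniques described above: an "Include & Exclude List" group matches a device when its address matches at least one include pattern and none of the exclude patterns, and a "Correlation List Macro" group matches when the device's address or name is present in a flat list. It also shows how a "Match IP Address / Group" field value is resolved, either as a group reference of the form "@@name@@" or as a plain address wildcard. The shell-style wildcard syntax ("*" and "?"), the group names "@@dmz@@" and "@@legacy@@", and the sample addresses are assumptions constructed for the example.

```python
# Added example (not CorreLog code): Include & Exclude List and Correlation
# List Macro address groups, plus resolution of a "Match IP Address / Group"
# field. Wildcard syntax and the sample configuration are assumptions.
from fnmatch import fnmatchcase


class AddressGroup:
    """Include & Exclude List spec: at least one include must match, and no
    exclude may match."""

    def __init__(self, name, include, exclude=()):
        self.name = name            # "@@name@@"
        self.include = list(include)
        self.exclude = list(exclude)

    def matches(self, address: str) -> bool:
        if not any(fnmatchcase(address, pattern) for pattern in self.include):
            return False
        return not any(fnmatchcase(address, pattern) for pattern in self.exclude)


class ListGroup:
    """Correlation List Macro spec: the device address or name is one of the
    entries in a flat list (no naming convention required)."""

    def __init__(self, name, members):
        self.name = name
        self.members = set(members)

    def matches(self, address: str) -> bool:
        return address in self.members


def match_field(value: str, groups: dict, address: str) -> bool:
    """Evaluate a "Match IP Address / Group" field against a device address.
    "@@name@@" refers to a configured group; anything else is a wildcard."""
    if value.startswith("@@") and value.endswith("@@"):
        group = groups.get(value)
        if group is None:
            raise KeyError(f"undefined address group {value}")
        return group.matches(address)
    return fnmatchcase(address, value)


# Constructed sample configuration (assumed names and addresses).
GROUPS = {
    "@@dmz@@": AddressGroup("@@dmz@@", include=["192.0.2.*"],
                            exclude=["192.0.2.1", "192.0.2.25?"]),
    "@@legacy@@": ListGroup("@@legacy@@",
                            ["198.51.100.7", "oldprinter", "203.0.113.42"]),
}


def select_devices(field: str, devices: list, groups: dict = GROUPS) -> list:
    """Devices that a rule with the given match field would apply to."""
    return [device for device in devices if match_field(field, groups, device)]


if __name__ == "__main__":
    inventory = ["192.0.2.1", "192.0.2.10", "192.0.2.250", "oldprinter", "10.0.0.1"]
    for field in ("@@dmz@@", "@@legacy@@", "192.0.2.*", "*"):
        print(field, "->", select_devices(field, inventory))
```

Resolving the group at evaluation time, rather than expanding it into each rule, is what lets a later membership change take effect everywhere the group is referenced. Note that the exclude list wins over the include list, so an overly broad exclude pattern silently drops devices from the group; checking a group with a few known addresses before wiring it into "Threads" or "Actions" rules avoids that surprise.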

Correlation Thread Groups Screen

The Correlation Thread Groups screen is accessed by clicking on the "Correlation" tab at the top of the screen, and then clicking "Config", and then clicking "Thread Groups". This screen permits the administrator to define match patterns that group together threads (based upon common keywords in the thread titles). The "Thread Groups" can then be selected from a drop-down menu on the top-level "Correlation > Threads" screen, or selected as a user preference. This screen is depicted below:

As shown above, the screen is a standard "CorreLog Dialog" screen, where the user adds new Thread Groups via the "AddNew" button, and edits or deletes groups via the "Edit" button. Each group will appear as a selection on the top-level "Correlation > Threads" screen, and is viewable via the "Thread Group Viewer" screen discussed previously. This serves to organize groups of messages into higher level groups.

Correlation Macros Screen

The Correlation Macros screen is accessed by clicking on the "Correlation" tab at the top of the screen, and then clicking "Config", and then clicking "Macros". This screen permits users to define complex correlation rules that can then be used in the correlation Threads and Actions screens to match specific messages on the system.

Each macro name is in the form "@@name@@", and corresponds to a simple or complex match expression, either a simple keyword or wildcard, or a parenthetically nested expression incorporating "and", "or", "not" and "xor" elements. (Expressions are documented in detail within later sections of this manual.) The macro can be used in the "Match Expression" fields of the correlation "Threads", "Triggers", and "Actions" screens of the system. Several macros can be used in a match expression, but macros cannot be nested.

Correlation Lists Screen

The Correlation Lists screen is accessed by clicking on the "Correlation" tab at the top of the screen, and then clicking "Config", and then clicking "Lists". This screen permits users to define special "List" type macros, which can contain potentially large numbers of items that can be used in expressions. The "Lists" screen is depicted below.

Lists can be used anywhere that a regular macro is used. Each list is in the form "@@name@@", and corresponds to a long list of items. To match an item in the list (i.e. a whitelist) the operator simply references the list as part of a match expression. To exclude an item in the list (i.e. a blacklist) the operator creates an expression such as

The CorreLog program can contain up to 50,000 items. Lists can be referenced in regular macros, but cannot be otherwise nested. Any match expression can consist of a combination of several lists, macros, and other match expressions.

List macros expand the ability to manage devices, messages, and other data items by long lists. These lists can be used in "Address Groups" (described earlier) as well as any location a macro is used. On the "AddNew" screen of the "Correlation > Config > Lists" screen, the operator simply identifies the list, and then enters the list values one line at a time. The list will be automatically sorted when it is saved, and will match any item in the list.

Note that "Lists" can be configured so that partial matches are acceptable. The "Allow Partial Match" setting (on the "AddNew" and "Edit" screens) determines whether a partial match to a list item can occur, as follows:

Allow Partial Match = No. The default value of "Allow Partial Match" is "No", indicating that an item (such as a message keyword, a device, or a user) must precisely match the list item. For example, if the list contains a URL such as " then a message containing " will not match (because the URL in the message does not precisely match the URL in the list, as delimited by the white space surrounding the word in the message).

Allow Partial Match = Yes. If "Allow Partial Match" is set to "Yes", then the list item can match the FIRST part of the message item, delimited by any punctuation mark. For example, if the list item contains a URL such as " then a message containing " will match the list (since it matches the first part of the list item).

Note from the above discussion that "Allow Partial Match" allows a word in a message to match the FIRST part of the list item, delimited by a punctuation mark. This behavior is specific, and mainly exists to support URL blacklists and whitelists (where the user can construct URLs to specific websites without having to match all the various pathname components of the URL). The "Allow Partial Match = Yes" setting is generally appropriate for URLs, filenames, and possibly other types of message keywords such as usernames and IP addresses.
It is not usually useful in other circumstances. To avoid confusion, the operator can test list macros via the "More Menu > Expr Tool", available in the upper right corner of the web display, to verify that the intended behavior is satisfied by the macro settings.

Correlation Templates Screen

The Correlation Templates screen is accessed by clicking on the "Correlation" tab at the top of the screen, and then clicking "Config", and then clicking "Templates". This screen is a wizard that allows the operator to load a template file on the system, or create a template file. The first screen of the "Correlation Templates" wizard is depicted below.

The above wizard permits a user to save the existing correlation configuration to a template for later use, or load a previously saved configuration. When loading a configuration, the user can elect to replace the existing configuration with the template, in which case the existing configuration is discarded. Or, the user can "merge" a template with the existing configuration, in which case the template overwrites only those threads, alerts, actions, macros, and reports that exist in the template definition, preserving any other configuration items on the system.

Four different types of operations are supported by the wizard, selected via a drop-down menu on the first screen:

LoadFrom. This operation will load the correlation threads, alerts, triggers, actions, and reports from an external file. The operator can either "Merge" or "Replace" the correlation rules. When a "Merge" operation takes place, any existing thread with the same name as one configured in the template file will be preserved.

SaveAs. This operation will save the correlation threads, alerts, triggers, actions, and reports to a named template file. The operator can select the specific rules with a match pattern (for example, to save only those threads with "Windows" or "Detection" or some other keyword).

Verify. This operation will verify the selected thread for consistency. This may be useful if the rule set has been manually edited. Note that you can load a template file that has not been verified, or whose verification has failed. The "Verify" operation can detect problems that may result from loading a template file.

Delete. This operation will delete an existing template file. The template file will not be recoverable. This provides a simple mechanism of cleaning out and maintaining unused or unwanted template files.

The user selects the type of operation on the first screen, and the wizard will guide the user through the process of loading, saving, verifying, or deleting the template. Templates reside in the "config\$templ" directory of the system. Administrators can copy these files to a remote location (such as after a "SaveAs" operation) and then load these templates into a new CorreLog Server. This provides a simple way of copying an entire correlation "rule-set" to another CorreLog Server.

Note that, in addition to any templates that the user saves, the CorreLog Server always creates a "Yesterday" template at midnight each night, and a "Sunday" template at midnight on Sunday morning.
This furnishes an easy way for an administrator to revert to yesterday's rules, or last week's rules.

Section 6: Alerts Screens

The "Alerts" screen permits the user to define thresholds on "Thread" (and other) counters. When an alert threshold is exceeded, a new syslog message is generated and fed back into the message log to annotate the message stream. Additionally, an alert can open a "Ticket" on the system, which can trigger special notifications and actions.

Various types of alerts are available. Each alert defines a particular condition (either a rate or a combination of events) that results in actionable data. Each alert provides the ability to assign an action to a user (via the "Tickets" facility, discussed in the next section). Finally, each alert can trigger a "Ticket Action", such as sending e-mail or performing corrective action on a situation.

Users can add, edit, or delete alerts. The user selects a specific alert condition, compare function, threshold and interval. Additionally, the user specifies a new Syslog message, facility, and severity, and indicates whether a second Syslog message is sent when the counter threshold returns to normal.

The "Alerts" application also contains a "Config" tab that provides general utility in configuring the various elements of the correlation process. Detailed information regarding correlation techniques and usage can also be found in the "Advanced Correlation System User Guide".

Alert Counters Screen

The Alert Counters screen is accessed by clicking on the "Alerts" tab at the top of the screen, and then selecting "Alerts". The purpose of this screen is to send messages back to the system when a specific counter is above (or below) a user specified limit, thereby correlating message rates. The "Alerts" facility can also open "Tickets", discussed in Section 7 of the CorreLog User Reference Manual. The alert messages are defined by the user, and can be further correlated. The "Correlation Alerts" screen is depicted below.

Correlation Alerts provide an important way of correlating activity on the system, and comprise a major function of the CorreLog Server. Operators can add new alerts, or modify existing alerts, based upon any of the "Counter" values displayed on the various screens of the system. Alerts are discussed in detail within Section 5 of the CorreLog User Reference Manual.

Alert Configuration Items

When the user clicks on the "AddNew" or "Edit" button, CorreLog displays an input form that allows the user to create or modify the various alert parameters. Both "admin" and "user" type logins can add or modify CorreLog alerts. These alert parameters are as follows:

System Counter Name. This drop-down menu lists all the thread titles, and other counter names available for alerting. The user selects the particular thread or system counter whose threshold will be continuously monitored.

Pin This Alert To Top. This drop-down menu appears only on the "Edit" screen, and allows the user to pin the alert to the top of the list. This allows users to keep track of particular alerts of interest. Each user can pin items without affecting other users.

Compare Function. This is the compare function to use in the threshold test. The user can specify either "Greater than or Equal To" or "Less Than Or Equal To", depending upon the nature of the alert.

Threshold. This is the threshold for the comparison, an integer number. The threshold must be in the range of 1 to 50 counts per interval (where the interval is specified below). This value works with the "Auto-Learn" function, and the user can get a suggestion of thresholds (based upon message history) by clicking on "View Counter Threshold Hints".

Test Interval. This is the interval for the test, in seconds. When the counter exceeds the threshold counts per time interval, an alert is generated. For example, if the compare function is GE, the threshold is 10, and the test interval is 60, then an alert is generated when more than 10 messages occur per minute.

Match Alert Time. This is an optional time range that can be used to suppress the generation of alerts, such as restricting alerts to working hours or a second shift. By default, the match time will match all times of the day.

Send Alert Message. This is the message that is sent back to the CorreLog message stream, and which also serves as the text of the ticket (if assigned to a user below). The field includes a "Suggest" button that will suggest an appropriate message based upon the system counter name, severity, compare function, and test interval.

Insert Variable. This input allows the user to insert a variable into the "Send Alert Message" above. The user can incorporate various types of information in the alert message, such as the source IP address, related message content, and device description.

Enable Auto-Learning. This input allows the user to enable auto-learning, documented in a later section. The auto-learn function automatically adjusts alert thresholds up or down based upon message history.

Alert Facility. This is the syslog facility to be used when sending a message back to the message stream. The default value is "Alert", but the operator can specify some other facility appropriate for the alert.

Alert Severity. This is the syslog severity to be used when sending a message back to the message stream, and also identifies the severity of any ticket assigned to a user (as described below). The value should indicate the severity of the alert condition, ranging from "debug" to "emergency".

Assign Incident To User. This input causes a ticket to be opened on the system containing the "Send Alert Message", assigned to the specified user. In addition to assigning a ticket to any CorreLog user, the operator can assign tickets to arbitrary "Ticket Users", defined in the "Tickets > Config" area of the program. When a ticket is opened, it can trigger specific actions, such as sending e-mail.

Send Clear Severity. This input indicates that a "Clear" message is sent when the alert condition clears. This value should normally be set to "disabled" except in very specialized applications. (This setting, if not used carefully, can cause the alert to immediately be set again, causing a program loop.)

Alert Devices Screen

The "Alert Devices" screen is accessed by clicking on the "Alerts" tab at the top of the screen, and then clicking "Devices". This screen operates in a fashion similar to the "Alert Counters" screen, except that the screen is used to track messages on a "per device" basis (whereas the "Alert Counters" screen tracks all messages across multiple devices). The screen is depicted below.

The Alert Devices function can reduce the number of threads on the system by specifically targeting all devices with a single configured alert and threshold that is applied across all devices. Subsequently, if a message is received (that matches the alert pattern), a separate instance of the alert is created to track that particular device. For example, the user can set up a threshold of 3 invalid logins that is applied to each device independently (as opposed to all devices).

The main benefit to using the Device Alert function is that each managed device, within a specified class of devices (or all users on the system), is individually tracked using one single alert threshold and match pattern. This provides a fairly obvious indication of what devices are being tracked at any given time, and how near to the specified threshold each individual device message count may be.

Device Alert Configuration Items

When the user clicks on the "AddNew" or "Edit" button, CorreLog displays an input form that allows the user to create or modify the various alert parameters. Both "admin" and "user" type logins can add or modify CorreLog alerts. The specific device alert parameters are as follows:

Pin This Alert To Top. This drop-down menu appears only on the "Edit" screen, and allows the user to pin the alert to the top of the list. This allows users to keep track of particular device alerts of interest. Each user can pin items without affecting other users.

Match IP Address / Group. This value is the IP address wildcard or address group to which the device alert applies. A message received from the specified address group (and which matches the "Match Expression" below) causes a Device Alert to be created or updated.

Match Expression. This is the (possibly complex) keyword that matches the message which creates or updates the device alert. Any message received from the Device Group (above) which matches this value causes a Device Alert to be created or updated.

Compare Function. This is the compare function to use in the threshold test. The user can specify only "Greater than or Equal To".

Threshold. This is the threshold for the comparison, an integer number. The threshold must be in the range of 1 to 50 counts per interval (where the interval is specified below).

Test Interval. This is the interval for the test, in seconds. When the counter exceeds the threshold counts per time interval, an alert is generated.
For example, if the compare function is GE, the threshold is 10, and the test interval is 60, then a Device Alert is generated when more than 10 messages occur per minute.

Send Alert Message. This is the message that is sent back to the CorreLog message stream, and which also serves as the text of the ticket (if assigned to a user below). The field includes a "Suggest" button that will suggest an appropriate message based upon the system counter name, severity, compare function, and test interval.

Insert Variable. This input allows the user to insert a variable into the "Send Alert Message" above. The user can incorporate various types of information in the alert message, such as the source IP address, related message content, and device description.

Alert Facility. This is the syslog facility to be used when sending a message back to the message stream. The default value is "Alert", but the operator can specify some other facility appropriate for the alert.

Alert Severity. This is the syslog severity to be used when sending a message back to the message stream, and also identifies the severity of any ticket assigned to a user (as described below). The value should indicate the severity of the alert condition, ranging from "debug" to "emergency".

Assign Incident To User. This input causes a ticket to be opened on the system containing the "Send Alert Message", assigned to the specified user. In addition to assigning a ticket to any CorreLog user, the operator can assign tickets to arbitrary "Ticket Users", defined in the "Tickets > Config" area of the program. When a ticket is opened, it can trigger specific actions, such as sending e-mail.

Device Alert Active Instances

Each "Device Alert" can have multiple separate instances that are dynamically created when a message is received. These active instances persist until the alert is cleared, and then disappear. The "Active Instances" link, in the fourth column of the top-level screen table, allows the operator to drill down and view the currently active device instances.

When a message is first received that matches the alert pattern, a copy of the device alert is automatically created, and identified by the sending IP address. Subsequently, as more messages are received from the device, the count per time interval is maintained. If the count exceeds the threshold, the alert is set, which causes a ticket to be opened on the system. No further tickets are created while the alert is set.
When the alert is cleared, it is then eliminated from the system (permitting the process to start over again). A common application of the "Device Alert" screen is to track the number of invalid logons to devices on a per-device basis. Other applications also exist, such as tracking the number of error messages for each device.
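The following Python program is an added example, not CorreLog code, that models the threshold test described for the "Alert Counters" and "Alert Devices" screens: a compare function ("GE" or "LE"), a threshold of 1 to 50 counts, and a test interval in seconds, evaluated either as a single counter across all devices or as one dynamically created instance per sending address. It keeps the behaviour described above: a ticket is opened once when the alert is set, no further tickets are opened while it stays set, and a per-device instance is eliminated when the alert clears so the process can start over. The sliding-window counting, the "Send Clear" default of disabled, the alert text, and the sample addresses and timestamps are assumptions constructed for the example.

```python
# Added example (not CorreLog code): one alert definition with a compare
# function, threshold and test interval, evaluated as a single counter across
# all devices (Alert Counters) or as one instance per sending address (Alert
# Devices). Sliding-window counting and the message wording are assumptions.
from collections import defaultdict, deque


class RateAlert:
    def __init__(self, name, compare, threshold, interval, per_device=False,
                 facility="alert", severity="warning", send_clear=False):
        if compare not in ("GE", "LE"):
            raise ValueError("compare must be GE or LE")
        if per_device and compare != "GE":
            raise ValueError("device alerts support only GE")
        if not 1 <= threshold <= 50:
            raise ValueError("threshold must be 1..50 counts per interval")
        self.name, self.compare = name, compare
        self.threshold, self.interval = threshold, interval
        self.per_device, self.send_clear = per_device, send_clear
        self.facility, self.severity = facility, severity
        self.events = defaultdict(deque)  # instance key -> timestamps in window
        self.is_set = {}                  # instance key -> True while set
        self.tickets = []                 # (ts, key, text): one per set transition
        self.feedback = []                # (ts, facility, severity, text) fed back
        if not per_device:
            self.events["*"]              # the single all-devices counter always exists

    def _key(self, device):
        # "*" is the counter across all devices; per-device alerts spawn one
        # instance per sending address.
        return device if self.per_device else "*"

    def _count(self, key, now):
        window = self.events[key]
        while window and now - window[0] >= self.interval:
            window.popleft()              # drop messages outside the test interval
        return len(window)

    def _condition(self, count):
        return count >= self.threshold if self.compare == "GE" else count <= self.threshold

    def _evaluate(self, key, now):
        """Return True only when the alert transitions to set."""
        count = self._count(key, now)
        if self._condition(count):
            if self.is_set.get(key):
                return False              # already set: no further tickets
            self.is_set[key] = True
            text = f"{self.name}: {count} messages in {self.interval}s from {key}"
            self.feedback.append((now, self.facility, self.severity, text))
            self.tickets.append((now, key, text))
            return True
        if self.is_set.get(key):
            if self.send_clear:           # normally disabled (see "Send Clear Severity")
                self.feedback.append((now, self.facility, "notice",
                                      f"{self.name}: cleared for {key}"))
            del self.is_set[key]
            if self.per_device:
                del self.events[key]      # instance eliminated; process starts over
        return False

    def observe(self, device, now):
        """Record a matching message from device at time now (seconds)."""
        key = self._key(device)
        self.events[key].append(now)
        return self._evaluate(key, now)

    def tick(self, now):
        """Periodic evaluation, needed for LE alerts and to clear a GE alert
        once its window empties. Returns the instance keys cleared."""
        cleared = []
        for key in list(self.events):
            was_set = bool(self.is_set.get(key))
            self._evaluate(key, now)
            if was_set and not self.is_set.get(key):
                cleared.append(key)
        return cleared

    def active_instances(self, now):
        """What the "Active Instances" drill-down shows: key -> current count."""
        return {key: self._count(key, now) for key in list(self.events)}


if __name__ == "__main__":
    # Constructed scenario: 3 invalid logins per device within 60 seconds.
    alert = RateAlert("InvalidLogins", "GE", 3, 60, per_device=True)
    for ts, device in [(0, "10.0.0.5"), (10, "10.0.0.5"), (20, "10.0.0.5"), (0, "10.0.0.6")]:
        print(ts, device, "set" if alert.observe(device, ts) else "-")
    print("active:", alert.active_instances(30), "cleared at 100:", alert.tick(100))
```

Two points follow from the model. A "Less Than Or Equal To" alert cannot be driven by messages alone, since the condition is an absence of messages; something has to re-evaluate the counter on a timer, which is what the tick does here. And because the per-device instance disappears on clear, a source that stays just under the threshold never leaves a record in the drill-down, so the threshold should be chosen with the "View Counter Threshold Hints" history in mind rather than set to the largest value that silences the alert.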

Alert Patterns Screen

The "Alert Patterns" screen is accessed by clicking on the "Alerts" tab at the top of the screen, and then clicking "Patterns". This screen monitors the state of triggers (defined in the previous screen) to detect when certain combinations of messages have been received during a specified duration of time. The screen is depicted below.

The "Patterns" screen is one of various different ways to open "Tickets" on the screen, and feed back data into the event log. (Other methods include the "Alerts Counters", "Alerts Devices", and "Alerts Custom" facilities, explained elsewhere.) Unlike the other "Alerts" screens, which are used to determine when certain message rates are exceeded, the "Patterns" screen detects when certain combinations of states exist, such as multiple invalid logins followed by a successful login within 10 minutes. The functions provided by this screen are subtle, distinctive, and are a central feature of the CorreLog correlation facility, discussed in detail within Section 5 of the CorreLog User Reference Manual.

Pattern Configuration Items

When the user clicks on the "AddNew" or "Edit" button, CorreLog displays an input form that allows the user to create or modify the various pattern parameters. Both "admin" and "user" type logins can add or modify CorreLog patterns. These parameters are listed below:

Trigger #1 State. This drop-down menu allows the user to specify the name of a trigger defined in the "Correlation > Triggers" screen. The operator can specify both the trigger name and the trigger state that must be satisfied to set the pattern. This first trigger name and state is required.

Trigger #2 State. This drop-down menu allows the user to specify an optional second trigger name and state.

Trigger #3 State. This drop-down menu allows the user to specify an optional third trigger name and state.

Pattern Context. This drop-down menu allows the operator to specify the context for the pattern, either "All Messages", or "Same Device". If the context is "Same Device", a new pattern instance is created for each device that has set a trigger, thereby tracking activity on a single device. (See Pattern Active Instances, below.)

Alert Message. This is the message that is sent back to the CorreLog message stream when the pattern is set. The message also serves as the text of the ticket (if assigned to a user below). The field includes a "Suggest" button that will suggest an appropriate message based upon the specified trigger values.

Insert Variable. This input allows the user to insert a variable into the "Alert Message" above. The user can incorporate various types of information in the alert message, such as the source IP address, related message content, and device description.

Alert Facility. This is the syslog facility to be used when sending a message back to the message stream. The default value is "Alert".
Alert Severity. This is the syslog severity to be used when sending a message back to the message stream, and also identifies the severity of any ticket assigned to a user (as described below). The value should indicate the severity of the pattern detection.

CorreLog Screen Reference Manual, Page - 115

Assign Incident To User. This input causes a ticket to be opened on the system containing the "Send Alert Message", assigned to the specified user. In addition to assigning a ticket to any CorreLog user, the operator can assign tickets to arbitrary "Ticket Users", defined in the "Tickets > Config" area of the program.

Pattern Active Instances

Patterns have two different contexts, selected on the "Edit" screen. A context of "All Messages" indicates that any message (which sets a trigger) from any device can update the pattern. A context of "Same Device" indicates that new patterns are created for each device, so that multiple patterns can be active at the same time, tracking the different device states.

For "Same Device" patterns, each pattern can have multiple separate instances that are dynamically created when a message is received. These active instances persist until the alert is cleared, and then disappear. The "Active Instances" link, in the third column of the top-level screen table, allows the operator to drill down and view the currently active pattern instances.

When a message is first received that matches the pattern, a copy of the pattern is automatically created, and identified by the sending IP address. Subsequently, as more messages are received from the device, the pattern is maintained for the device. If the pattern is satisfied, the alert is set, which causes a ticket to be opened on the system. No further tickets are created while the pattern alert is set. When the alert is cleared, it is then eliminated from the system (permitting the process to start over again).

The "Alerts Pattern" screen is one of several locations that spawn instances needed to track individual devices. Other program locations include the "Correlation Triggers" screen, and the "Alert Devices" screen. Each of these screens operates in a similar fashion, where the top-level screen reflects the overall rolled-up status, and the user can drill down via the "Active Instances" hyperlink to see the various separate instances.
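The instance life cycle described above (one instance per sending IP address for "Same Device" patterns, a single shared instance for "All Messages", one ticket per satisfied instance, nothing further until the alert is cleared) can be modelled in a few lines. The following is an added illustrative model and is not CorreLog's code; the class and method names, the `{device}` placeholder used in the alert message, and the rule that a pattern is satisfied when every configured trigger/state pair has been seen are assumptions made for the example.

```python
"""Illustrative model of CorreLog-style pattern instances (added example, not
CorreLog code). Assumptions: a pattern is satisfied once every configured
trigger/state pair has been observed; "Same Device" keeps one instance per
sending IP, "All Messages" keeps a single shared instance keyed "*"."""
from dataclasses import dataclass, field


@dataclass
class Pattern:
    name: str
    required: dict                       # trigger name -> required state (1 to 3 entries)
    context: str = "Same Device"         # or "All Messages"
    alert_message: str = "Pattern set on {device}"   # "{device}" is a hypothetical insert variable
    assignee: str = ""
    instances: dict = field(default_factory=dict)    # instance key -> set of satisfied triggers
    alert_set: dict = field(default_factory=dict)    # instance key -> True while alert is set
    tickets: list = field(default_factory=list)

    def _key(self, device_ip):
        """Instance key: the sending IP for Same Device, a shared key otherwise."""
        return device_ip if self.context == "Same Device" else "*"

    def trigger_event(self, device_ip, trigger, state):
        """Record that `trigger` entered `state` for `device_ip`.

        Returns the opened ticket (dict) if this event satisfied the pattern,
        otherwise None. While the alert is set, no further tickets are opened."""
        if self.required.get(trigger) != state:
            return None                  # not one of this pattern's trigger/state pairs
        key = self._key(device_ip)
        if self.alert_set.get(key):
            return None                  # alert still set for this instance: suppress
        seen = self.instances.setdefault(key, set())   # instance created on first match
        seen.add(trigger)
        if seen == set(self.required):
            self.alert_set[key] = True
            ticket = {
                "device": key,
                "text": self.alert_message.replace("{device}", key),
                "assignee": self.assignee,
            }
            self.tickets.append(ticket)
            return ticket
        return None

    def clear_alert(self, device_ip):
        """Clearing the alert eliminates the instance so tracking can start over."""
        key = self._key(device_ip)
        self.alert_set.pop(key, None)
        self.instances.pop(key, None)

    def active_instances(self):
        """What the "Active Instances" drill-down would list."""
        return sorted(self.instances)
```

Run with two devices each raising the first trigger and only one raising the second: only that device's instance opens a ticket, the other stays active and unsatisfied, and re-raising a trigger on the ticketed device does nothing until `clear_alert` is called.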

Custom Alerts Screen

The "Custom Alert" screen extends the range of the alerting facility to include execution of arbitrary alerting programs. These external programs are launched at scheduled intervals. The output of the alerting program is read by CorreLog and compared to a user-defined match expression, and a threshold applied to the number of matches can open a ticket. The screen is depicted below.

Custom alerts reference programs (typically batch files) residing in the "c-alerts" directory of the CorreLog system. Specific notes on these batch files and their operation can be found in that location. For assistance on custom alerts, consult with CorreLog Support. Typical applications of custom alerts include database queries, parsing of external log file information, and integration with third-party software.
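The run-program, match-output, count-against-threshold cycle of a custom alert can be shown with a small evaluator. This is an added example, not CorreLog's code or one of its "c-alerts" batch files; the page does not state the match-expression syntax, so regular expressions are assumed here, and the sample program is a constructed stand-in that merely prints three lines.

```python
"""Illustrative custom-alert evaluator (added example, not CorreLog code):
runs an external program, counts output lines that match an expression and
reports whether the count reaches the ticket threshold. Regular-expression
matching is an assumption; the page does not state the match syntax."""
import re
import subprocess
import sys


def evaluate_custom_alert(command, match_expr, threshold, timeout=60):
    """Run `command` (an argv list, never a shell string) and evaluate its output.

    Returns (match_count, open_ticket, matching_lines) where open_ticket is True
    when at least `threshold` output lines match `match_expr`."""
    proc = subprocess.run(command, capture_output=True, text=True,
                          timeout=timeout, check=False)
    pattern = re.compile(match_expr)
    matching = [line for line in proc.stdout.splitlines() if pattern.search(line)]
    return len(matching), len(matching) >= threshold, matching


# Constructed stand-in for an alerting program: a Python one-liner that prints
# three result rows, as a database-query batch file might.
SAMPLE_PROGRAM = [
    sys.executable, "-c",
    "print('row 1: status=OK\\nrow 2: status=FAILED\\nrow 3: status=FAILED')",
]

if __name__ == "__main__":
    count, fire, lines = evaluate_custom_alert(SAMPLE_PROGRAM, r"status=FAILED", 2)
    print(f"{count} matching line(s); open ticket: {fire}")
    for line in lines:
        print("  ", line)
```

The program is launched with an argument list rather than a shell command line, so the match expression and arguments configured on the screen cannot be reinterpreted by a command interpreter, and a timeout keeps a hung alerting program from stalling the scheduled run.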

Alert Formulas Screen

The Alert Formulas screen is accessed by clicking on the "Alerts" tab at the top of the screen, then clicking "Config", and then clicking "Alert Formulas". This screen allows the user to configure complex math formulas that reference multiple system counters. These formulas can then be used with the "Alert" screen discussed previously. The screen is depicted below.

Among its other applications, this screen permits an operator to create a formula that assigns specific weights to certain counters, summing these different counters into a single value. The formula then appears in the "Alerts" screen (with a "Formula/" prefix) and can be selected within the "Alerts" component edit screen, where it can be alarmed with thresholds like any other system counter.

This is an advanced function, existing to support highly complex correlation strategies. More information on Alert Formulas is provided in the "CorreLog Advanced Correlation System User Guide".

Alert Auto-Learning Screen

The Auto-Learn Parameters screen is accessed by clicking on the "Alerts" tab at the top of the screen, then clicking "Config", and then clicking "Auto-Learn". This screen displays parameters associated with the CorreLog Auto-Learn function, documented in Section 5 of the CorreLog User Reference Manual. The screen is depicted below.

The CorreLog Auto-Learn function automatically adjusts alert thresholds and closes tickets based upon the activity of the system. By default, the auto-learn function executes each night, makes adjustments, and optionally closes any tickets where the source alert definition has been modified by the process.

To edit parameter entries, the user clicks the Edit button, modifies the parameter, and then clicks the Commit button on the edit screen. The following parameters are supported.

Schedule Auto-Learning. This parameter controls when the auto-learn function executes, and can be the value of "Daily" or "Disabled". The default value of "Daily" schedules the auto-learn function to execute each day, shortly after midnight.

Suppress Auto-Learning Until. This parameter controls when auto-learning starts. Since the Auto-Learn function scans messages in each of the catalogs to determine appropriate thresholds, the auto-learn function operates much better when operating on large numbers of records. The user can adjust the number of messages required before any auto-learning adjustments occur for a particular catalog.

Stop Auto-Learning After. This parameter controls when auto-learning stops. By default, when ten days' worth of data has been accumulated for a particular catalog, the Auto-Learn process bypasses any further adjustments. The user can set this value higher than the "Keep Data" value to prevent the Auto-Learning process from ever stopping, or can set the value to days, which effectively never stops the nightly auto-learn process.

Adjust Alert Thresholds. This parameter controls how alert thresholds are adjusted, either "up", "down", or "up and down". By default, alert thresholds are either increased or decreased, depending upon the number of messages received by a catalog. The adjustments can be confined to either increase (loosen) or decrease (tighten) alert thresholds.

Adjust To Reduce Tickets. This parameter controls whether alert thresholds are adjusted in order to reduce open tickets. In addition to adjusting thresholds based upon the number of messages received, thresholds can be reduced if a lot of tickets exist on the system. (In that case, if more than five tickets are opened on the system, the auto-learn function increments the alert threshold to reduce the open ticket count.)

Auto-Close Tickets. This parameter controls whether tickets associated with alert thresholds are automatically closed by the system when these alerts are adjusted. This is useful for cleaning out tickets that may no longer be valid (because the alert threshold has been adjusted). More information on CorreLog tickets is provided in a later section.

Auto-Learn Notify Severity. This parameter determines the severity of alerts generated by the auto-learn process. When the auto-learn process adjusts thresholds or closes tickets, the process will send an alert to CorreLog (which appears in the "Messages" tab) indicating this action.

Auto-Learn Execution Log

The user can view the execution log of the last auto-learn process by clicking the "View Auto-Learn Execution Log" hyperlink on the top-level screen. This displays a transcript of the last auto-learn process run on the system, indicating the status of all alerts, whether any adjustments have been made to thresholds, and any tickets that have been automatically closed.

When the auto-learn process closes a ticket, the "Resolution" field for that ticket is automatically filled in showing the reason for the closure, the previous alert threshold, and the current alert threshold. This provides an easy indication of whether any alert thresholds have been changed.

Note that for auto-learn to take place, various conditions must exist, all of which are reflected in the auto-learn execution log:

The number of records in the message catalog associated with the alert must be greater than the "Suppress" value described above. If there exist fewer than the "Suppress" value number of records, auto-learning is bypassed for the alert.

The number of days' worth of data in the message catalog associated with the alert must be less than the "Stop" value described above. If there exist more than the "Stop" value number of days' worth of data, auto-learning is bypassed for the alert.

Auto-learning must be enabled for the alert (configured in the "Alert Edit" screen for the particular alert). This is the default condition when a new alert is added to the system.

The alert threshold must be greater than 1. (Auto-learning never takes place if the threshold is exactly 1, since this indicates that the alert is looking for a singular occurrence of a particular message.)

The Auto-Learn Execution Log provides an indication of whether auto-learning has been bypassed for any of the above reasons.

Auto-Learn Additional Notes

The CorreLog Auto-Learn function greatly simplifies the setup and tuning of the system, and is especially important for "unattended" types of installations, since the operator can simply install CorreLog and permit it to adjust itself based upon the types of messages the program receives. More information on Auto-Learning can be found in Section 5 of the CorreLog User Reference Manual.
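The four bypass conditions, the "up"/"down"/"up and down" adjustment direction, the more-than-five-open-tickets rule and the resolution text written into auto-closed tickets can be put together as one nightly pass. The following is an added model, not CorreLog's auto-learn implementation; the page gives no formula for the new threshold, so the rule "move the threshold to the catalog's recently observed message count" is an assumption, as are the field and function names and the exact log wording.

```python
"""Illustrative model of one nightly auto-learn pass (added example, not
CorreLog code). The bypass rules follow the page; the threshold target
(recent message count, never below 2) and all names are assumptions."""
from dataclasses import dataclass


@dataclass
class AlertDef:
    name: str
    threshold: int
    auto_learn: bool = True          # "Alert Edit" screen setting, on by default
    catalog_records: int = 0         # records in the alert's message catalog
    catalog_days: int = 0            # days' worth of data in that catalog
    recent_messages: int = 0         # assumed: messages per interval seen lately


@dataclass
class AutoLearnParams:
    schedule: str = "Daily"          # or "Disabled"
    suppress_until: int = 1000       # Suppress Auto-Learning Until (records)
    stop_after_days: int = 10        # Stop Auto-Learning After (days)
    adjust: str = "up and down"      # "up", "down" or "up and down"
    reduce_tickets: bool = True      # Adjust To Reduce Tickets
    auto_close_tickets: bool = True  # Auto-Close Tickets


def bypass_reason(alert, params):
    """Return the execution-log reason if auto-learning is bypassed, else None."""
    if alert.catalog_records < params.suppress_until:
        return f"bypassed: {alert.catalog_records} records < suppress value {params.suppress_until}"
    if alert.catalog_days > params.stop_after_days:
        return f"bypassed: {alert.catalog_days} days > stop value {params.stop_after_days}"
    if not alert.auto_learn:
        return "bypassed: auto-learning disabled for alert"
    if alert.threshold <= 1:
        return "bypassed: threshold is 1 (singular occurrence alert)"
    return None


def run_auto_learn(alerts, params, open_tickets):
    """Simulate one pass. `open_tickets` is a list of (ticket_id, alert_name).

    Returns (log_lines, resolutions) where resolutions maps the id of each
    auto-closed ticket to the text that would fill its "Resolution" field."""
    log, resolutions = [], {}
    if params.schedule != "Daily":
        return ["auto-learn disabled"], resolutions
    for alert in alerts:
        reason = bypass_reason(alert, params)
        if reason:
            log.append(f"{alert.name}: {reason}")
            continue
        old = alert.threshold
        target = max(2, alert.recent_messages)        # assumed target, never below 2
        if target > old and params.adjust in ("up", "up and down"):
            alert.threshold = target                  # loosen
        elif target < old and params.adjust in ("down", "up and down"):
            alert.threshold = target                  # tighten
        if params.reduce_tickets and len(open_tickets) > 5:
            alert.threshold += 1                      # more than five open: loosen by one
        if alert.threshold == old:
            log.append(f"{alert.name}: no change (threshold {old})")
            continue
        log.append(f"{alert.name}: threshold {old} -> {alert.threshold}")
        if params.auto_close_tickets:
            for ticket_id, alert_name in open_tickets:
                if alert_name == alert.name:
                    resolutions[ticket_id] = (
                        f"auto-learn closed: threshold adjusted from {old} to {alert.threshold}")
    return log, resolutions
```

Because the suppress and stop checks run before the enable and threshold checks, a catalog that is too small or too old is reported as bypassed regardless of the alert's own settings, which matches the order of the conditions listed above.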


Section 7: Ticket Screens

The CorreLog "Tickets" application furnishes the highest level of message correlation by creating actionable incidents in a traditional incident management framework. Tickets are automatically opened by the "Alerts" and "Patterns" facilities. Tickets are assigned to either registered CorreLog users or a user-defined ticket group.

The "Tickets" facility includes screens that display the open tickets for a user, and the closed tickets for a user, selectable via a drop-down menu. When a ticket is closed, it is not deleted from the system. Instead, it is placed in the "Closed" tab as a record of the incident. This preserves the ticket information and demonstrates that tickets are being reviewed (which is important for many types of regulatory compliance, including PCI DSS, HIPAA, SOX, and other regulations).

In addition to viewing and processing opened and closed tickets, the "Tickets" application includes an "Action" facility that executes programs when tickets are opened and / or closed. This facility is similar to "Correlation Actions" discussed earlier, but operates independently of correlation actions, sending or providing other notifications when tickets are opened or modified. The "Ticket Actions" facility also allows the ticketing system to be easily interfaced to a third-party help desk system.

Finally, the "Tickets" screens include various specialized configuration screens and tools that can limit the number and type of tickets being opened on the system, and reduce the amount of notifications that are sent, especially during selected times and days of the week.

Tickets Screen

The highest level of correlation on the system is the CorreLog "tickets" facility, which allows the user to view actionable incidents that have been detected on the system. Tickets are opened by "Correlation Alerts" when certain system counters violate user-defined limits. CorreLog keeps track of both open and closed tickets. The "Open Tickets" screen, displayed when the user first clicks the "Tickets" tab, is shown below.

The CorreLog system opens tickets, and assigns the tickets to users or groups as defined on the "Alerts" screen. The ticket text is defined by the user on the "Alerts" screen, and can indicate a problem with one or more devices or systems. The "Related Messages"

The user can also open tickets (such as to trigger notifications) by clicking the "AddNew" button on the "Open" ticket screen. (In this case, there are no related messages, or source alert definition.) To close a ticket, the user either edits the ticket, or clicks the "Close All" button at the bottom of the screen. Each ticket contains the following information.

Ticket Date and Time. The date and time that the ticket was opened is displayed on the top-level screen. This value cannot be changed or edited.

Ticket Status. The ticket status is either "Opened" or "Closed". To view open tickets, the user clicks the "Opened" tab. Likewise, to view closed tickets, the user clicks the "Closed" tab. This value can be adjusted by clicking on the "Edit" button for the ticket, and then changing the "Ticket Status" value to be either "Opened" or "Closed".

Ticket Assignee. Each ticket is assigned to a CorreLog user, defined in the system logins, or to a "Ticket Group" defined in the "Tickets > Config" tab. The assignee is configured in the "Alerts" screen, and can be modified by clicking the "Edit" button for the ticket. The user can view the tickets for a particular assignee via the "Assigned To:" pull-down menu at the upper left of the screen.

Ticket Severity. Each ticket is assigned a standard Syslog facility and severity, configured in the "Alerts" screen. The user can change the severity of a ticket by clicking the "Edit" button for the ticket. The facility cannot be changed.

Ticket Text. Each ticket has a text value configured in the "Alerts" screen. The user can modify the ticket text by clicking the "Edit" button for the ticket. Additionally, the user can provide a comment or resolution for the ticket, which is retained with the ticket record.

Related Messages. The related messages for the ticket (that is, the messages which caused the source alert to become triggered) are viewable by clicking the "View Related Messages" hyperlink associated with the ticket. This link is available from the top-level screen, or on the ticket's "Edit" screen.

Source Alert Definition. The source alert definition, which caused the ticket to be opened, is viewable by clicking the "View Source Alert Def" hyperlink associated with the ticket. This link shows the alert definition, and further permits the user to modify this alert definition, such as changing the ticket text, severity, or threshold.

The CorreLog "Ticket" component can interface to third-party incident management systems by means of a simple API, and via a Common Management Database (CMDB). More information on the ticketing function is provided in the next section.

Ticket, Advanced Search Screen

An "Advanced Ticket Search" function is available on both the "Open" and "Closed" tickets screens, accessed via the "Advanced Ticket Search" link towards the top of the screen. This function allows the user to search for specific tickets based upon a variety of criteria. The screen is depicted below:

This screen provides more advanced functions than the simple "Match Ticket Text" field on the top-level screen, permitting the operator to search tickets based upon the Ticket UID, time, assignee, severity, commentary, related message and other criteria. The screen provides one of two different methods of searching ticket data using these criteria (the other being the "Reports > Query" screen, discussed elsewhere).

Ticket Group Viewer Screen

The "Ticket Group Viewer" screen is accessed by clicking the "View Groups" link towards the top and upper-right of the "Opened Tickets" and "Closed Tickets" screens. This link displays the various ticket groups (defined by the "Edit Ticket Groups" link) along with the rolled-up counts for each ticket group. This screen is depicted below:

As depicted above, the screen shows each ticket group defined within the "Ticket Groups" screen, shows the rolled-up status of each group including the number of opened and closed tickets in the group, and the total counts for the group for today and historically. The user can click on the hyperlinked group name to return to the "Tickets" screen, with the specified group selected.

Ticket Actions Screen

The "Ticket Actions Screen" is accessed by clicking the "Tickets" tab, and then clicking on the "Actions" tab. This screen allows the user to configure specific actions that are executed when a ticket is opened, closed, or modified (depending upon the settings). This screen operates similarly to the "Correlation > Actions" screen discussed previously, except that it runs actions when high-level tickets are opened or modified. The screen is depicted below.

Detailed notes on the "Actions" screen, including how to configure specific actions (such as logging to a database or sending an SNMP trap), are provided in Section 6 of the CorreLog User Reference Manual. The CorreLog Server comes with several different action programs, including the SENDMAIL program. Note that the "Correlation > Actions" program operates on raw messages, whereas the "Ticket > Actions" screen (herein) operates on tickets opened by the system.

Ticket Action Configuration Items

When the user clicks on the "AddNew" or "Edit" button, CorreLog displays an input form that allows the user to create or modify the various action parameters. Both "admin" and "user" type logins can add or modify correlation items. These parameters are listed below:

Pin Action To Top. This drop-down menu appears only on the "Edit" screen, and allows the user to pin the action to the top of the list. This allows users to keep track of particular actions of interest. Each user can pin items without affecting other users.

Match User & State. This selection allows the user to qualify the execution of action programs based upon the "Ticket Assignee" (user) and the state ("Opened", "Closed", or "Changed"). Setting the value to "All" and "Open" (the default) executes the action whenever any ticket is opened.

Match Time Range. This input allows the user to match a particular time of day when the action is executed, similar to the value found on other CorreLog screens. By default, the action is executed for any particular time of day.

Match Severity. This selection allows the user to qualify actions upon a particular ticket severity or range thereof. By default, an action will execute for tickets of any severity. The user can further qualify the messages to be greater than warning, less than notice, etc.

Additional Match Expression. This field allows the user to specify a match pattern that further qualifies the ticket based upon the text of the ticket (including any $T_ values that have been used in the alert). Normally, this value is "*" to match any ticket. The action can be restricted to match a keyword. NOTE: this feature can be overused and cause confusion as to why certain tickets execute actions, or not. Hence, this function should be used cautiously.

Ticket Action Description. This is optional and arbitrary text that can be included by the operator to describe the specified action's reason and intent. The value appears on the top-level "Actions" screen, and clarifies the purpose of the action.

Ticket Action Program Name. This is the name of a ticket action program residing in the "CorreLog\t-actions" folder. Various action programs come with the CorreLog system. The "Wizard" button at the top of the screen can assist with the selection of an action program.

Ticket Action Program Arguments. This is the list of command line arguments to the action program. The particular arguments must be appropriate for the specified action program. The "Wizard" button at the top of the screen can assist with the selection of an action program.

Sanitize Environmental Variables. This value is set to "Yes" or "No", and controls whether the environmental variables passed to the ticket action program are safe to use in batch files. The default of "Yes" sanitizes the values of environmental variables by eliminating special characters such as "( ) ; { } < >" and others.

Ticket Actions, Additional Notes

Ticket actions are executed whenever a ticket is opened on the system, either automatically (by an alert) or manually (via the "Tickets > Opened" AddNew button). The ticket action is executed ONLY if the ticket matches the configuration parameters identified above.

The operator can easily test a ticket action program by first configuring an action program (via the screen described herein), and then manually creating a ticket (via the "Tickets > Opened" screen). If the operator manually opens a ticket that matches the ticket action parameters, the ticket action will be launched. For example, if the user wishes to check the e-mail interface, and a ticket action is configured to send e-mail, the operator can open a ticket via the "Tickets > Opened" AddNew button, and the text of the ticket will be sent via e-mail.

A common confusion exists when the ticket action has multiple qualifiers, so that the ticket severity, additional match pattern, and / or "Match User & State" do not match a ticket. Note that all the conditions of the ticket action must be satisfied or the action is not executed. In particular, the "Additional Match Expression" field matches the ticket text AFTER substitution of any $T_RELATED_MESSAGE, hence the action can actually depend (in this case) on the related message that caused the ticket to open.

Further notes on tickets and actions, including a list of the environmental variables and types of action programs, exist in the "CorreLog User Reference Manual", included as part of the CorreLog installation.
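The qualifiers described above (user and state, time range, severity, and the additional match expression applied after $T_RELATED_MESSAGE substitution) all have to hold for an action to run, and the "Sanitize Environmental Variables" setting decides what the action program receives. The following added example models both; it is not CorreLog's code. The syslog severity order is standard, the wildcard style of the match expression (glob, as suggested by the default "*") and the environment variable names TICKET_TEXT, TICKET_ASSIGNEE and TICKET_SEVERITY are assumptions, and the stripped character set is the page's "( ) ; { } < >" extended with a few other characters that are special to batch files.

```python
"""Illustrative ticket-action qualification and environment sanitizing (added
example, not CorreLog code). Glob-style match expressions, the time-range
representation and the environment variable names are assumptions."""
import fnmatch
import re
from datetime import time

# Standard syslog severities, most severe first (rank 0 = emergency).
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]

# Characters removed from variable values when sanitizing: the set named on
# the page plus others that a command interpreter treats specially.
UNSAFE_CHARS = "();{}<>&|\"'`%!^"
_UNSAFE_RE = re.compile("[" + re.escape(UNSAFE_CHARS) + "]")


def sev_rank(name):
    return SEVERITIES.index(name.lower())


def substitute(text, ticket):
    """Expand $T_RELATED_MESSAGE; matching happens on the expanded text."""
    return text.replace("$T_RELATED_MESSAGE", ticket.get("related_message", ""))


def sanitize_env(value):
    """Make a value safe to hand to a batch file as an environment variable."""
    return _UNSAFE_RE.sub("", value)


def action_matches(action, ticket, event_state, now):
    """True only when every qualifier of `action` is satisfied by `ticket`.

    action keys: user ("All" or an assignee), state ("Opened"/"Closed"/"Changed"),
    time_range (None or (start, end) as datetime.time), min_severity (least
    severe level that still matches), match_expr (glob over the ticket text)."""
    if action["user"] != "All" and action["user"] != ticket["assignee"]:
        return False
    if action["state"] != event_state:
        return False
    rng = action.get("time_range")
    if rng and not (rng[0] <= now <= rng[1]):
        return False
    if sev_rank(ticket["severity"]) > sev_rank(action.get("min_severity", "debug")):
        return False                                  # less severe than required
    text = substitute(ticket["text"], ticket)
    return fnmatch.fnmatchcase(text.lower(), action["match_expr"].lower())


def build_environment(ticket, sanitize=True):
    """Environment handed to the action program (variable names are assumed)."""
    env = {
        "TICKET_TEXT": substitute(ticket["text"], ticket),
        "TICKET_ASSIGNEE": ticket["assignee"],
        "TICKET_SEVERITY": ticket["severity"],
    }
    if sanitize:
        env = {key: sanitize_env(value) for key, value in env.items()}
    return env
```

The sanitizing step matters because the related message is attacker-influenced log content that ends up in TICKET_TEXT: with sanitizing off, a message containing `; <` or `&` reaches the batch file verbatim, so leaving the default "Yes" in place is the conservative choice unless an action program is known to quote its inputs.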

Ticket Groups Screen

The "Ticket Groups" screen is accessed by clicking the "Tickets" tab, and then clicking on the "Config" tab. This screen permits the user to configure special ticket assignees, and create simple ticketing system rules. This screen is depicted below:

By default, tickets can be assigned to any registered CorreLog user via the "Alerts" screen. The "Ticket Groups" screen, shown here, permits the administrator to configure other assignees that do not necessarily have to be registered CorreLog users. This provides flexibility in assigning tickets to specific groups of interest.

Additionally, the "Ticket Groups" screen provides a configuration Wizard that can be used to create a ticket group, as well as define a single correlation thread and alert. This affords a fast way to quickly configure new tickets and end-to-end correlation rules.

Ticket Parameters Screen

The "Ticket Parameters" screen is accessed by clicking the "Tickets" tab, clicking on the "Config" tab, and then clicking the "Parms" tab. This screen provides various miscellaneous parameters that affect the ticket system operation. This screen is depicted below:

The Parms screen is a standard CorreLog dialog. To edit parameter entries, the user clicks the Edit button, modifies the parameter, and then clicks the Commit button on the edit screen. The following parameters are supported.

Ticket Action Master Enable. This setting is used to disable the execution of all actions on the system, useful as a master override and disable. If this value is set to "disable", then the only other parameter on this screen that is in effect is the "Auto-Close Duplicate Tickets" setting.

Max Updates Per Minute. This setting controls the maximum number of executions per minute of the SENDMAIL ticket action. The default value is ten executions per minute. This setting limits the load on the configured SMTP server and the amount of ticket e-mail generated.

Max Helpdesk Updates Per Minute. This setting controls the maximum number of executions per minute of the HELPDESK action. The default value is ten executions per minute. This setting limits the load on the configured Helpdesk server, if any.

Max OpenTicket.exe Per Minute. This setting controls the maximum number of executions per minute of the "OpenTicket.exe" program, which is the command line utility to open tickets on the system. The setting is mainly useful with the "TICKET.bat" Correlation Action, and can be used to limit the number of tickets that are opened via scripted systems.

Max McAfee EPO Updates Per Minute. This setting controls the maximum number of executions per minute of the SEND_EPO action. The default value is ten executions per minute. This setting limits the load on the configured McAfee ePolicy Orchestrator server, if any.

Throttle State Message Severity. This is the severity of the internal CorreLog message generated when any of the above controls is tripped. If any of the above "Messages Per Minute" throttles are activated, limiting the execution of a ticket action program, a message (of this specified severity) is generated.

Auto-Close Duplicate Tickets. This setting changes the way that tickets are opened on the system as follows: if any ticket exists with the same day and content, the existing ticket is closed before the new ticket is opened. This can be used to reduce the number of open tickets. Note that the duplicate ticket must have BOTH the same day and content.

Auto-Flag Related Devices and Users. This setting can be used to automatically set a visible flag for devices and users when a ticket refers to these items. The flags provide quick visual indication of concern. Flags can subsequently be cleared manually, or the user can automatically clear flags based upon the "Flag Expiration Time" value (described below).

Max $T_ Insert Size. This setting allows the user to specify the size of any ticket insert text, for example the max size of any related message that is included with the ticket text. (This prevents a large related message from using the entire text space of a ticket, for a more aesthetic and meaningful ticket.)

Flag Expiration Time. This setting will automatically clear flags from devices and users (which may have been set via the "Auto-Flag Related Devices and Users" setting, described above). After the specified period of time (by default 1 day) a flagged device or user is automatically cleared, removing any visible flag indicator from CorreLog screens.

Edit Ticket Resolution Flags. This button allows the operator to configure ticket resolutions, which appear on the "Close" screen. By default, the system comes with a generic set of ticket resolutions, such as "Known Issue" and "False Positive". The administrator can edit or add to the list of resolutions, which may subsequently be selected when closing a ticket.

Edit Scheduled Disables. This button provides access to the "Ticket Action Disables" screen, discussed in the next section.

The "Messages Per Minute" throttles furnish extra safety. Because CorreLog tickets are opened by the "Alert" or "Patterns" facility, and because these facilities limit the number of tickets by their nature (to some count per interval), the throttles on this screen will rarely be used. They are provided mainly for completeness, as a means of assuring that CorreLog does not overload the configured SMTP Server, EPO Server, or help desk system.

The "OpenTicket.exe" program, which is a standard command line utility in the "system" directory of CorreLog, is controlled by the "Max OpenTicket.exe per minute" setting, which limits the rate at which a script can open tickets. Unlike the other message throttles (which deal mainly with notifications), this particular setting governs ticket generation by the "OpenTicket.exe" program. This utility is documented in more detail in the CorreLog User Reference Manual.

The "Auto-Close Duplicate Tickets" setting reduces the number of opened tickets on the system. In those situations where the exact same ticket is opened repeatedly on the system, setting the "Auto-Close Duplicate Tickets" value to "Enable" will cause only one occurrence of the ticket to appear in the "Open" list, making the ticket more pertinent and obvious. The default value for this setting is "Disabled", because the chronology of opened tickets may be important to external programs, especially programs that monitor performance.

Finally, the "Auto-Flag" settings are useful for providing visual indication of a user or device that has been referenced by a ticket. When this setting is set, a small flag graphic is placed next to devices and users when a ticket is opened on the system, so that these devices and users may be watched more carefully. Drilling down into the device or user hyperlink, and manually setting the flag to "No", can clear the flag. The flags are also cleared automatically based upon the "Flag Expiration Time" setting on this screen.
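Three of the behaviours on this screen are easy to misjudge without seeing them run: a per-minute throttle that emits a throttle-state message when tripped, the "Auto-Close Duplicate Tickets" rule requiring the same day AND the same content, and flags that expire after the "Flag Expiration Time". The following added example models all three and is not CorreLog's code; the sliding one-minute window, the throttle message wording, the ticket fields and the way flags are keyed by device are assumptions, and the timestamps are supplied by the caller so the behaviour can be followed step by step.

```python
"""Illustrative models of the per-minute action throttle, duplicate-ticket
auto-close and flag expiration (added example, not CorreLog code). The
sliding-window throttle, message wording and ticket fields are assumptions."""
from collections import deque
from datetime import datetime, timedelta


class ActionThrottle:
    """Allows at most `max_per_minute` executions in any sliding 60 s window;
    a tripped throttle records a message of the configured severity."""

    def __init__(self, max_per_minute=10, severity="warning"):
        self.max_per_minute = max_per_minute
        self.severity = severity         # Throttle State Message Severity
        self.runs = deque()              # timestamps of recent executions
        self.messages = []               # (severity, text) throttle-state messages

    def allow(self, now):
        while self.runs and now - self.runs[0] >= timedelta(minutes=1):
            self.runs.popleft()          # drop executions older than one minute
        if len(self.runs) >= self.max_per_minute:
            self.messages.append(
                (self.severity, f"throttle tripped: {self.max_per_minute} per minute exceeded"))
            return False
        self.runs.append(now)
        return True


class TicketStore:
    """Opens tickets applying the Auto-Close Duplicate and Auto-Flag rules."""

    def __init__(self, auto_close_duplicates=False, auto_flag=True,
                 flag_expiration=timedelta(days=1)):
        self.auto_close_duplicates = auto_close_duplicates   # default "Disabled"
        self.auto_flag = auto_flag
        self.flag_expiration = flag_expiration               # default 1 day
        self.tickets = []                # dicts: id, text, device, opened, status
        self.flags = {}                  # device -> time it was last flagged

    def open_ticket(self, text, device, now):
        if self.auto_close_duplicates:
            for ticket in self.tickets:  # same day AND same content -> close the old one
                if (ticket["status"] == "Opened" and ticket["text"] == text
                        and ticket["opened"].date() == now.date()):
                    ticket["status"] = "Closed"
        ticket_id = len(self.tickets) + 1
        self.tickets.append({"id": ticket_id, "text": text, "device": device,
                             "opened": now, "status": "Opened"})
        if self.auto_flag and device:
            self.flags[device] = now
        return ticket_id

    def open_tickets(self):
        return [t for t in self.tickets if t["status"] == "Opened"]

    def expire_flags(self, now):
        """Clear flags older than the expiration time; return devices still flagged."""
        self.flags = {d: t for d, t in self.flags.items() if now - t < self.flag_expiration}
        return sorted(self.flags)
```

With the defaults, a ticket repeated an hour later simply produces a second open ticket, which is what keeps the chronology intact for external monitoring programs; enabling duplicate auto-close collapses same-day repeats to the most recent one while leaving a repeat on the following day as a distinct open ticket.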

Ticket Action Disables Scheduling Screen

The "Schedule Ticket Action Disables" screen is accessed exclusively from the Ticket Parameters screen (described previously) and allows the user to disable ticket action programs based upon a simple weekday schedule. This assists with suppressing ticket actions (such as e-mail messages) at certain predefined weekday times. This screen is depicted below:

This screen operates as a standard CorreLog dialog. The user selects the start time and span hours for a given day, specifies an optional match severity, and clicks "Commit" to save the settings. Note that the particular "Disable Time Range" values can overlap. For example, the operator can schedule Sunday at 23: hours, and Monday at 02: hours. In this case, the second disable is bypassed. Also note that the operator can disable ticket action programs only if they match a specific severity range (such as Less than or Equal to Notice).

Ticket Maintenance Wizard

The "Ticket Maintenance Wizard" is accessed by clicking "Tickets", then "Config", and then the "Maintenance" tab. This screen provides the specialized function (available only to CorreLog administrators) of closing or deleting all the tickets on the system. This provides a way of easily maintaining the list of tickets, which would otherwise require manual closure of 1000 tickets at a time. The wizard screen is depicted below.

The "Ticket Maintenance Wizard" addresses the problem where the system has many open tickets, and the administrator wants these tickets closed or deleted. This situation can occur if one or more users are not closing their tickets, or if the "Keep Data" setting is set to a high number. Note that large numbers of tickets do not necessarily degrade performance of CorreLog. The wizard is provided mainly for the convenience of the administrator, as an alternative to closing tickets on the main "Tickets" screen.

Section 8: Report Screens

The CorreLog "Reports" application provides general utility in the reporting of both raw and correlated message information. Various diverse reporting tools are provided to support forensics, auditing, analysis, and management of event data. These CorreLog tools, accessed via the "Reports" tab, include a "Query" capability, which allows the user to perform complex queries on message (and other) data, as well as an "Audit" facility that creates reports suitable for audit and forensics. Other reporting applications include a graphing facility, as well as a comprehensive reporting facility based on Microsoft Excel spreadsheets.

The "Reports" facility supports background job control, where the user executes a program needed to generate a report, and then monitors the progress of the background process via a status line depicted at the top of the report screen. Many reports (such as the "Excel", " ", and "Pivot" reports) are launched automatically at midnight or on demand via the web interface. In particular, the system comes with ready-to-run reports, ad-hoc reporting, and the ability to create new reports, all of which can be distributed via RSS or via standard e-mail.

Report information can also be loaded into one or more ODBC-compliant SQL databases, allowing third-party report writers to access this data, and permitting complex queries of report data to be executed via a special ODBC support tool.

Report "Query" Screen

The "Query" screen is accessed by clicking the "Reports" tab, and then clicking the "Query" tab. This screen can also be accessed from the main "Messages > Search" screen, or via the "Query" hyperlink at the top of the screen. The "Query" tool provides an alternative to searching data from the "Messages > Search" screen, scanning all messages for simple or complex match patterns. The screen launches a background process to perform the query. The query results (and the status of the query) are depicted on the "Query" web page. This screen is shown below.

The "Query" screen provides many different features to simplify the query operation for the operator. The user executes a query by clicking the "Generate" button to display the query form. The operator then fills out the form and clicks "Confirm" to launch the query as a background process.

As the background process executes, results of the query are periodically displayed on the screen along with the progress of the query. The operator can terminate the background process and enter a new query via a "Terminate" button (which is shown only when a background query is running). Additionally, the screen provides various functions to search the query results, as well as to review and search query history.

Search These Results Hyperlink. This link, at the top of the display, expands the "Search These Results" window, which allows the user to search the query results for an additional keyword, and to sort the query results in either ascending or descending order.

Graph Results Hyperlink. This link, at the top of the display, provides a simple graph showing the message results over a period of time. The operator can drill down into the graph to see the messages for the time interval. This furnishes the operator with a time-view of the query results, especially useful for forensics.

View History Hyperlink. This link, at the top of the display, accesses the "Query History" screen, which shows the last 10 queries executed by the user. On the "Query History" screen, the user can select the query and results for a past query, which loads these items into the main display. The user can also search history for specific keywords contained in any of the query results.

Analyze Hyperlink. This link, at the top of the display, furnishes access to the "Analysis" function, which breaks the query results into lists of the "Devices", "Users", "Facilities", and "Severities" contained in the messages. This "Analysis" function is similar to that found on "Catalog" displays, and allows the operator to view and drill down into smaller message sets. (See later sections on this screen.)

Saved Queries Hyperlink. This link, at the top of the display, allows the user to view any saved queries. These "saved queries" are specific to the operator and simplify repetitive query operations.

As the query runs, the progress of the background query is displayed above the screen hyperlinks. This query status updates approximately once every ten seconds to indicate the progress of the query. Additionally, the screen refreshes approximately every fifteen seconds (selectable by the user) to show the latest results, if any. Note that the user can leave the Query screen at any time, and then return to it to see the latest results or the termination status of the query. The user does not have to wait on the screen for the background query to finish. The query results are retained on the main screen until the next query, or until the user clicks the "Clear" button at the top of the screen. This allows the user to launch a long-running query, and then leave the screen to perform other CorreLog activities (or other web browsing of the network). At a later time, the operator can return to the screen to collect the query results.

Finally, note that a user can execute only one query at a time. The operator must terminate the current query before starting a new one. Each user can execute their own queries without interference from other users of the CorreLog system.

Run Search Query Screen

The "Run Search Query" screen is accessed by clicking the "Generate" button of the top-level "Query" screen, described above, or by clicking the "Query" hyperlink in the upper right of all CorreLog screens, or by clicking a "Go To Query" hyperlink found at the bottom of various search results screens. The "Run Search Query" screen allows a user to select the parameters of a particular search, and launch the search background process. The screen is depicted below.

This screen is available only if a background query is not already running. (If a background process is running, the top-level "Query" screen is always shown, and the user must first terminate the background query to view this screen.)

The screen provides reasonable defaults on entry, and retains the values from the previous query that executed. Many different capabilities exist, as described below.

Query Name. This input field contains an optional query name. If the operator specifies a label for this query, it is saved under the specified name and accessed via the "Saved Queries" link (at the top of the main query screen). If no name is specified, the query is not saved (but the results will still be retained in the query history).

Query File Type. This select menu specifies the type of files to search. The available selections are "LogFile", "Thread", "AuxFile", "Archive", "Tickets", or "External". Each value searches a different area of CorreLog. (The particular values are described in detail below.)

Query Start Date. This select menu allows the user to specify the start day, or the start file, for the query. The values represent a date, unless the user has selected "External" as the Query File Type (in which case a list of Windows filenames is provided).

Query Span Days. This select menu allows the user to limit the range of days (or files) associated with the query. For example, if the start date is , and the "Query Span Days" is set to one day, then only messages on the selected date will be scanned. The number of files to span, starting with the "Query Start Date", can be selected here.

Screen Auto-Refresh. This select menu allows the user to specify how often the screen refreshes (while the query is running). Each time the screen refreshes, the latest results, if any, are displayed. The value does not affect the update rate of the background process, or the status line indicating the progress of the background process. If the user selects the default of fifteen seconds, new results are shown every fifteen seconds.

Max Results. This select menu limits the number of results that are displayed by the query. By default, this value is fifty matches. This setting is useful in speeding up the results on those systems where a large number of matches may exist for the Match Expression (below). When the number of max results is achieved, the Query tool terminates normally.

Query Seek Order. This select menu determines how the message data is searched, either "Newer to Older" (the default) or "Older to Newer". This may be significant because the "Max Results" setting limits the number of matches. Therefore, if "Max Results" is set to fifty and the "Query Seek Order" setting is "Newer to Older", then the 50 most recent matches will be listed. Conversely, if the setting is "Older to Newer", then the 50 oldest matches will be listed. This setting also affects the "Trigger Expression" (if used).

Additional Match Qualifiers. This hyperlink reveals additional match qualifiers that can precisely target a message, including the ability to match facilities and severities, as well as specific times of day. (See additional notes below.)

Match IP Addr / Group. This input field allows the user to qualify the range of messages to those matching a particular IP address or wildcard. The user can also specify an "Address Group" value, such as "@@windows_boxes@@" (if the user has defined this address group in the "Correlation > Config > Address Groups" screen).

Match Expression. This text area contains a keyword, wildcard, or logical combination of keywords and wildcards, which may be nested in parentheses. Each message is compared to the match expression. When a match occurs, the logged message is listed as a result of the query on the main screen. The match expressions are identical to those found in the "Correlation > Threads" screen, with the exception that macros are not allowed as part of the expression.

Additional Match Qualifiers

In addition to the above fields, the user can access more match qualifiers by clicking the "Additional Match Qualifiers" link on the "Query" screen. This expands the list to include the following fields, which are incorporated into the search criteria:

Match Start / End Time. These settings are displayed if the "Additional Match Qualifiers" link is clicked, and allow the user to specify the start and end times of the search in HH:MM:SS format. The messages returned are those between the match start time and the match end time, inclusive.

Match Facility / Severity. These settings are displayed if the "Additional Match Qualifiers" link is clicked, and allow the user to specify the match facility and match severity, if any. The match severity can be expressed as a range of severities.

Match Trigger Expression. This setting is displayed if the "Additional Match Qualifiers" link is clicked, and allows the user to qualify the search by first finding an initial match expression. The search begins after this initial expression is found in the log file. (See additional notes below.)

Query File Types

The "Query" screen operates on different data sources, selected via the "Query File Type" menu at the top of the screen. The following file types are supported:

LogFiles. This selection causes the tool to operate on all the messages in the "CorreLog\logs" folder, which contains a current list of all the messages received during the "Keep Days" interval (by default 30 days). When "LogFile" is selected as the "Query File Type", the "Query" tool operates in a manner similar to the "Messages > Search" function, except that the search takes place as a background process and the search can use complex match expressions.

Threads. This selection causes the tool to operate on a user-selected thread, appearing in the "Correlation > Threads" screen. This may be the fastest way to run a query (given that the messages being queried all reside in a single defined thread on the system).

Archives. This selection causes the tool to operate on all the messages contained in the gzipped archives residing in the "Correlog\archive" folder. When "Archive" is selected as the "Query File Type", the "Query" tool will search all the archives on the system for the specified message. This can potentially take a long time, even more than a day, given that the CorreLog archives can potentially contain a thousand Terabytes of message data, or more.

AuxFiles. This selection causes the tool to operate on the "Aux" files of the system, i.e. the filtered data. This data is also searchable via the "Messages > Aux" screen; however, the "Query" tool performs a more complete job of searching this data, and can use complex match expressions to locate specific messages in these files. In this case, the "Span Files" setting spans the Aux files (and not the days, since Aux files are always deleted at midnight).

Tickets. This selection causes the tool to operate on Tickets in the system. The data is also searchable via the "Advanced Ticket Search" screen on the top-level "Tickets" screen. The setting herein provides an alternate method, including the searching of archived tickets on the system.

External. This selection changes the mode of operation of the "Query" tool. Rather than searching message data, the tool simply searches the ".log" and ".txt" files of an external directory. By default, this is the "CorreLog\external" folder, but the administrator can change this folder via the "Message > Config > Parms" screen to be any folder on the system, including shared drives. This function expands the role of CorreLog to include non-message data. In this case, the "Span Files" setting spans the external file names (and not the days). The "Match IP Addr / Group" input is not available for this type of file.

Additional Match Qualifier / Trigger Expression

If the operator clicks on the "Additional Match Qualifiers" hyperlink, more match expressions are added to the screen, which allow the user to first find a pattern before the main search begins. This additional match qualifier (labeled as a "Trigger Expression" on the screen) allows the user to search for messages within a specific context of a previous message. For example, the user may wish to find all messages associated with login failures that have been preceded by a specific connection to a VPN. The program will first find the "Trigger" expression, and then find all messages that follow.

The "Trigger Expression" is any valid match expression, in a format identical to the main match expression. The system displays the "Trigger Expression" match as part of the results, and this will typically appear at the very bottom of the list (because the message results are displayed with the most recent messages first). When a "Trigger Expression" is used, search results are limited to the same day as the trigger expression (i.e. the Query tool does not span multiple days).

Note that the "Query Seek Order" setting affects the trigger expression as follows: If the seek order is "Newer to Older" (the default), then the trigger expression will be newer than the messages being matched. If the seek order is "Older to Newer", then the trigger expression will be older than the messages being matched. This distinction is important, and allows the operator to set a trigger expression before OR after the messages being matched. For example, to collect messages that follow the "Startup" keyword, the operator sets the "Query Seek Order" to "Older to Newer". In contrast, to collect messages that occur before the "Shutdown" keyword, the operator sets the "Query Seek Order" to "Newer to Older" (the default).

Additional Notes

The amount of time for the Query tool to complete depends upon a variety of factors. If the operator is searching for a rarely occurring (or non-occurring) message across all log data or archive data on the system, the query may take ten minutes or more to complete. Conversely, searching for a common message across a limited number of files may return results within a second or two.
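The interaction of "Query Seek Order", "Max Results" and the "Trigger Expression" described above (and in the "Run Search Query" field list) is easy to get wrong when reading the results, so here is an added Python simulation of those rules; this is not CorreLog's own code, and the sample log lines, the function names and the small keyword/wildcard grammar (AND, OR, NOT, parentheses, "*" and "?") are assumptions standing in for the real match expression syntax.

```python
import re

# Constructed sample messages, oldest first, in (timestamp, text) form.
SAMPLE_LOG = [
    ("2024-03-01 08:00:01", "vpn01 VPN connection established user=alice"),
    ("2024-03-01 08:00:30", "srv01 login failure user=alice"),
    ("2024-03-01 08:01:10", "srv02 login failure user=alice"),
    ("2024-03-01 08:02:00", "srv01 Startup complete"),
    ("2024-03-01 08:02:30", "srv01 login ok user=bob"),
    ("2024-03-02 09:00:00", "srv03 login failure user=carol"),
    ("2024-03-02 09:05:00", "srv03 Shutdown requested"),
]


def _term_regex(term):
    """Wildcard term: '*' is any run of characters, '?' any single character.
    Assumption: a term matches if it occurs anywhere in the message, ignoring case."""
    pattern = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                      for c in term)
    return re.compile(pattern, re.IGNORECASE)


def compile_expr(expr):
    """Parse e.g. 'login AND (failure OR NOT ok)' into a predicate over a message.
    AND binds tighter than OR, NOT is a prefix, parentheses nest (assumed grammar)."""
    tokens = re.findall(r"\(|\)|[^\s()]+", expr)
    pos = 0

    def peek():
        return tokens[pos].upper() if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of match expression")
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        left = parse_and()
        while peek() == "OR":
            take()
            left = (lambda l, r: lambda m: l(m) or r(m))(left, parse_and())
        return left

    def parse_and():
        left = parse_not()
        while peek() == "AND":
            take()
            left = (lambda l, r: lambda m: l(m) and r(m))(left, parse_not())
        return left

    def parse_not():
        if peek() == "NOT":
            take()
            inner = parse_not()
            return lambda m: not inner(m)
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("missing ')' in match expression")
            return inner
        rx = _term_regex(tok)
        return lambda m: rx.search(m) is not None

    pred = parse_or()
    if pos != len(tokens):
        raise ValueError("unexpected token %r" % tokens[pos])
    return pred


def run_query(log, match_expr, seek_order="Newer to Older", max_results=50,
              trigger_expr=None):
    """Return matching (timestamp, text) lines, listed most recent first as on the
    Query screen.  The seek order decides which end the scan starts from, so Max
    Results keeps the newest or the oldest matches.  With a Trigger Expression,
    matching starts only once the trigger line is found, stays on the trigger's
    day, and the trigger line itself is included in the results."""
    match = compile_expr(match_expr)
    trigger = compile_expr(trigger_expr) if trigger_expr else None
    scan = list(reversed(log)) if seek_order == "Newer to Older" else list(log)
    results, trigger_line, trigger_day = [], None, None
    armed = trigger is None            # no trigger: match from the first line
    for ts, text in scan:
        if not armed:
            if trigger(text):
                armed, trigger_day, trigger_line = True, ts[:10], (ts, text)
            continue
        if trigger_day and ts[:10] != trigger_day:
            break                      # trigger queries never span days
        if match(text):
            results.append((ts, text))
            if len(results) >= max_results:
                break                  # Max Results reached: normal termination
    if trigger_line:
        results.append(trigger_line)
    return sorted(results, key=lambda r: r[0], reverse=True)
```

Running `run_query(SAMPLE_LOG, "login AND failure", seek_order="Older to Newer", trigger_expr="VPN AND established")` reproduces the VPN example from the text: the two login failures that follow the VPN connection on that day, with the trigger line at the bottom.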

Report "Audit" Screens

CorreLog includes a flexible "Audit" reporting facility, accessed via the "Reports > Audit" tab of the system. This tab provides access to a variety of audit report functions that allow the user to view default reports and add new reports that may be needed to comply with the auditing requirements of the organization. Additionally, these reports can be loaded into a relational ODBC compliant database, and can be e-mailed to users at scheduled intervals. The basic "Audit" facility is depicted below.

The above screenshot shows the "User Activity Report" (the first of various audit reports supported by the system). Each report summarizes the activity of users, devices, and other data items on the system. The operator clicks "Generate" to generate the report, clicks "Advanced" to edit advanced settings, clicks "AddNew" to add a new report to the system, and clicks "Edit" to edit an existing report.

To view the report data, the operator clicks the hyperlinked report name, which shows the report data in HTML format, and permits the operator to download the report in HTML, Text, or CSV format. Detailed discussion of the "Audit" facility is found in the "User Reference Manual", and other manuals.

Types of Audit Reports

The system creates various audit reports, each of which summarizes data on important management activities commonly required by security standards such as PCI-DSS. Basic reports that come with the system are accessed via the tabs (beneath the "Reports > Audit" tab) listed as follows:

User Activity Reports. This reporting facility summarizes activity by users, including (but not limited to) User Names, Workstations, Last Logon Times, Sessions, Errors, Lockouts, and other metrics. This report is useful for reviewing all the managed users of network equipment, tracking user logons and access to managed systems.

Device Activity Reports. This reporting facility summarizes activity for each managed device on the system, including (but not limited to) Active and Idle seconds, Security Messages, Application Messages, Critical messages, and total messages received. This report is useful for reviewing the message content and activity of managed devices, including the general nature of the message content and loading.

Perimeter Reports. This reporting facility operates on any message containing two (or more) IP addresses, where at least one of the addresses listed in the message is an external address. The report summarizes each external address including (but not limited to) Country Code, Local Addresses, External Addresses, Protocols, and message counts. This report is useful for reviewing external contacts of managed devices and users, and the state of firewall messages.

Account Management Reports. This reporting facility summarizes the account management activities associated with Microsoft Active Directory (and possibly other LDAP based authentication systems). The report summarizes each change to Active Directory, including accounts added, deleted, or modified, groups added, deleted, or modified, and errors. The report is useful for tracking essential changes to the authentication methods of the system.

Ticket Reports. This reporting facility summarizes ticket activity associated with the system. These reports include a description of each ticket, assignee, ticket resolution, and related messages. The report is useful for reviewing threads and anomalies detected by the system from all received messages.

Score Cards. This reporting facility summarizes the daily, weekly and monthly counts for user-specified threads, useful as a quick summary of the amount and types of data being gathered by the system. Score Cards are especially useful for demonstrating compliance with some internal or regulatory standard.

Report Generation

Each of the various reports generates automatically at midnight. Additionally, the operator can launch any report by clicking the "Generate" button at the top of each report display. The "Generate" button will launch the report as a background process (which may take several minutes to complete). The status of the report process is displayed each time the screen is refreshed, and this top-level status line indicates when the report is complete. To terminate the report prematurely, the operator clicks the "Terminate" button for the report. As with other reports, while the report is being generated in the background, the operator is free to leave the screen and check back at a later date for the resulting report.

Audit Report Viewers

Each of the various reports contains one or more "Report Viewers" that allow all or a subset of the data to be reviewed. The operator can define a new report viewer by clicking the "AddNew" button at the top of any screen, and then selecting the particular table columns and qualifiers for the report. The operator can match any field of the report, and can hide columns of the report that are not pertinent or interesting. For example, the operator can generate a report on locked-out users by clicking the "AddNew" button on the "User Activity Report", hiding all fields except for the "User Name" and "Account Lockout" fields, and then specifying a value of "$1 gt 0" for the "Account Lockout" Match expression. When the report is then accessed (by clicking on the report hyperlink), the report will contain only those users that have at least 1 lockout during the reporting interval. Multiple report viewers can be defined for each type of report. The basic "All" report is included as a standard report for all of the report facilities, and can be further modified or deleted to create more specific report content.

Audit Report Advanced Parameters

Each of the various reports contains an "Advanced" button, which permits the operator to configure the advanced settings specific to the report (which vary between the types of reports, as documented elsewhere). The "Advanced" parameters contain several common controls, as follows:

Data Source. Most report facilities include a "Data Source" setting, which allows the operator to specify a source for the messages, by default "All Messages". If the administrator has configured a specific thread, this setting can speed up report generation by limiting the message source to more specific messages.

Match Expression. Most report facilities include a "Match" expression, which allows the operator to restrict the messages to a particular match pattern. For example, the User Activity report can restrict the data to certain messages meeting a set of qualified users, whereas the Device Activity report can restrict the data to certain qualified devices. By default, the "Match Expression" for all screens is an asterisk, which matches all messages.

Span Days. All report facilities include a "Span Days" setting, by default 1 day, which limits the number of days that will be processed. This setting should be adjusted conservatively to prevent the report generator from taking too long to complete.

Span Max Data Records. All report facilities include a "Span Max Data Records" value, by default 1 million records, which limits the number of messages that will be scanned by the report viewer. If the "Span Max Data Records" value is achieved, the report generator terminates with no further processing for that particular report.

DSN Name. All report facilities include a DSN select menu that allows the operator to specify an ODBC Data Source Name that will receive the message data. (The DSN is configured in the "Reports > ODBC" tab, discussed elsewhere.) The user must specify both a DSN Name and a Database Table name, and then the report generator will automatically create and load the database table with information each time the generator is executed.

Database Table Name. All report facilities include a "Database Table" value. If the operator configures a DSN Name (above) AND ALSO a valid table name, then the report generator will automatically create and load the database table with information each time the generator is executed.

Publish Text via RSS. All report facilities include a "Publish Text via RSS" select menu. If the operator sets this advanced setting to "Yes", then the audit report information is automatically published via RSS. This setting has no effect if RSS is not enabled via the "Reports > RSS" screen.

In addition to the above common values, certain screens have additional parameters that affect the generation of the report. These values are documented in other manuals, and are normally configured for ordinary and proper operation. Consult vendor support for more information on these parameters.

Updating SQL Databases With Audit Information

To support flexible SQL queries and third-party report writers, the information within each report can be copied to a configured ODBC data source. This requires the following:

1. The operator should configure an ODBC Data Source Name via the "Reports > ODBC" tab of the system. Any ODBC compliant database is acceptable, including Microsoft Access reports.

2. The operator should click the "Advanced" button of the report facility, and then select the DSN name configured above, and also select an appropriate Database table name.

3. The operator can subsequently generate the report (or wait for the report to be generated automatically at midnight). The data will then be automatically loaded into the relational database table configured above. This can be checked using the "Reports > ODBC" tab of the system.

Note that the database table, if it exists, is automatically dropped and then re-created each time the report generator runs. Therefore, if the database is accessed while the report generator is running, incomplete results may exist in the database table. If this is a concern, special safeguards should be implemented to notify SQL applications that the data is being updated. Consult with vendor support for more information.

E-mailing Audit Reports

Audit reports can be automatically e-mailed to users at periodic intervals via the "Reports > E-mail" tab of the system. This requires the following:

1. The operator should configure the SMTP interface to the system via the "System > SMTP" tab, which is a necessary step before any e-mail can be sent by any part of the CorreLog system.

2. The operator clicks on the "Reports > E-mail" tab of the system, and adds a new report via the "AddNew" screen.

3. On the "AddNew Report" screen, the operator selects the Attachment type to be "Audit HTML Report".

4. After selecting the Audit HTML Report attachment type, the operator can select the specified Audit report and then click "Save".

For more information on the "Reports > E-mail" facility, see later sections of this manual.

Limiting Access to Specific Audit Reports

A common requirement of organizations is to limit access to data using role-based users. The "Audit" report facility permits the user to create a "Profile", which limits the viewing of any Audit data to specific report names. This function is available via the "System > Logins > Access Profiles" screen. The Administrator can select the "Audit Reports" available to a specific user profile by clicking the "AddNew" button, and then clicking the "Select Audit Reports" button on that screen. This displays a screen that allows the Administrator to check off the particular audit reports available for that user profile.

When the profile is subsequently assigned to a user logon, the user will be able to see (and access) only those reports that were selected by the Administrator. For example, the user may be able to access only those "Device Activity" reports related to routers or certain Windows platforms. This provides a consistent method of limiting access to the system for certain types of message data.

Additional Notes

The time to generate a report depends upon a number of factors, the biggest being the amount of data to process and the CPU limitations of the system. The report generation time can be improved by limiting the data to be processed. The operator can specify a thread, which contains a smaller subset of messages, and can reduce the number of records and days to process. These configuration options are available via the "Advanced" button on each report generator screen.

The "Audit" facility includes multiple features, the description of which is outside the scope of this manual. Refer to more specific information on the Audit reporting facility, contained in other manuals within the CorreLog basic distribution, or contact vendor support for assistance.

Report "Excel" Screen

CorreLog includes an "Excel" reporting facility, which generates reports in Microsoft Excel format, or inserts data into an ODBC compliant database. The Excel Reporting screen is accessed by clicking on the "Reports" tab at the top of the screen, and then clicking "Excel". The top-level Excel Reports screen is depicted below.

Detailed notes on the CorreLog Reporting facility, including how to configure specific reports, how to publish reports using RSS, and how to customize Excel spreadsheet reports, are provided in Section 7 of the "CorreLog User Reference Manual". The system can be configured to generate up to 100 different reports, and selectively publish these reports to RSS aggregator programs, thereby providing a comprehensive reporting capability needed for auditors, system planners, and analysts.

Report "E-mail" Screen

CorreLog includes an e-mail reporting facility, which will e-mail one or more users various lists of messages on a scheduled basis. The "E-mail Reporting" screen is accessed by first clicking on the "Reports" tab at the top of the screen, and then clicking "E-mail". This facility allows the user to select and send specific classes of messages to an e-mail recipient. The top-level E-mail Report screen is depicted below.

The CorreLog administrator can configure up to 100 different e-mail reports, which are automatically e-mailed to selected users each day at midnight. These reports are text-based, and provide both summary and detailed information as attachments. The CorreLog administrator must first specify and configure an SMTP server, by clicking the "Configure" hyperlink at the bottom of the display, also available via the "System > SMTP Server" tab. (See later notes in this section on how to configure SMTP server parameters.)

Report Types

The "Reports > E-mail" facility can generate and / or distribute three different types of reports, selectable via the "E-mail Attachment Type" drop-down menu when the user clicks the "AddNew" button.

Raw Message List. This type of report, when selected, allows the user to specify a thread and match expression. When the report is generated, the list of matching messages (over the selected time range) is e-mailed to a recipient as an attachment. This is useful for sending arbitrary lists of messages to an end-user.

Audit HTML Report. This type of report, when selected, allows the user to select one of the audit reports configured under the "Reports > Audit" tab. Selecting this option will reveal another drop-down menu that permits the user to select the specified Audit report. The audit report is created via the "Audit" tab (described previously). The last audit report generated by the system is e-mailed.

Excel Report. This type of report, when selected, allows the user to select one of the Excel reports configured under the "Reports > Excel" tab. Selecting this option will reveal another drop-down menu that permits the user to select the specified Excel report. The Excel report is created via the "Audit" tab (described previously). The last Excel report generated by the system is e-mailed.

Note that once a report type is selected, it cannot be modified without deleting and re-adding the report. By default, the attachment to the e-mail is compressed via the "gzip" command, and can be opened by WinZip or another uncompression program. Other formatters may also be configured, selectable by the "E-mail Formatter" drop-down item.

Scheduling

Normally, reports are generated by the CO-maint.exe program, which executes at midnight. E-mailing of reports is always performed after first generating all the Audit and Excel reports, so the user will receive the latest report information in the morning. If the report is generated manually (via the "Generate" button), the last Audit and Excel reports generated by the system will be e-mailed. Generating one of the Audit or Excel reports will not send e-mail automatically.

Report RSS Publishing Screen

The user can publish report data via a standards-based RSS facility built into CorreLog. This allows an administrator to selectively specify Excel reports that are available for download by other users, including users that have no other access to the CorreLog system. The RSS parameters are specified via the "Reports > RSS" tab, depicted below.

The RSS reporting facility will publish reports on a scheduled basis. Standard RSS readers and aggregators can detect which reports are published and download these reports for their own use. This CorreLog facility provides a convenient way of making certain data available to auditors and managers without requiring a login to the CorreLog system. Multiple RSS readers and news aggregators are available, including the RSS functions incorporated into later versions of Microsoft IE and Firefox, as well as more sophisticated RSS aggregators such as the "Feed Demon" RSS aggregator.

Report "ODBC" Screen

CorreLog includes an ODBC interface, which permits the user to load Excel report data (and other data) into an ODBC-compliant relational database. The "Report ODBC Screen" is one of several interfaces to the CorreLog ODBC capability, and permits the operator to define ODBC data sources accessible to CorreLog. Additionally, the screen permits the user to run standard SQL queries on ODBC data sources, for testing and reporting purposes. The Report ODBC screen is depicted below.

Detailed notes on the CorreLog ODBC facility are provided in Section 7 of the CorreLog User Reference Manual. The system can work with multiple ODBC data sources, and these data sources support the Excel and Actions facilities of CorreLog. Additionally, methods to create CorreLog screens that run database queries and display the results are documented in the "CorreLog Sigma Web Framework" Users Manual. Refer to that documentation for more information.

NOTE: The CorreLog Server runs as a 32-bit executable and therefore cannot use a 64-bit ODBC driver or a DSN created with the 64-bit ODBC tool. When configuring the CorreLog Server ODBC connection on a 64-bit machine, the operator must run the 32-bit ODBC Data Source Administrator, %Windir%\SysWOW64\odbcad32.exe, to configure the ODBC data source. Using the 64-bit tool instead is a common mistake.

The procedure for configuring the ODBC data source is as follows:

1. On a 32-bit host platform, simply access the "Admin Tools > ODBC" screen from the "Control Panel", select the "System DSN" tab of the Microsoft dialog, and create the DSN. The user-specified name will then appear in the drop-down list of the "Reports > ODBC" screen.

2. On a 64-bit host platform, run the 32-bit ODBC Data Source Administrator, usually found at the following location:

%Windir%\SysWOW64\odbcad32.exe

Create a "System DSN" (identical to the procedure in #1 above) and the DSN value will then appear in the drop-down list of the "Reports > ODBC" screen.

3. Once the System DSN appears in the drop-down list of the "Reports > ODBC" screen, the operator selects the value, clicks "Edit", and supplies the user name and password (if any) that was configured above in the ODBC tool.

If the user-specified name does not appear in the drop-down list of the "Reports > ODBC" screen, then the operator has either configured a 64-bit DSN (and should configure a 32-bit DSN instead) or has not configured the DSN under the "System DSN" tab. On 64-bit Windows the two tools write to different registry keys: 32-bit System DSNs are stored under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ODBC\ODBC.INI, while the 64-bit tool writes under HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI, so checking which key holds the DSN confirms which tool was used.

After performing the above steps, the ODBC DSN will be available for use throughout the CorreLog server, on the various "Reports" tabs and in the "Actions" tabs of the system. It may be useful for the operator to create a desktop shortcut on the CorreLog platform that points to the correct Microsoft ODBC tool, to facilitate further interactions with the correct "Control Panel" tool.

Report "Graphs" Screen

The Graph Message screen is displayed when the user selects the "Reports" tab at the top of the screen, and then clicks "Graphs". From this location, the operator can generate bar graphs showing event rates on a per-minute, hourly, or daily basis, including graphs for specific match patterns.

The screen shows a graph of the event rates on the system. The user can view the Daily or the Hourly graph rates, can configure match patterns in the control bar, and can adjust the scale via a slider bar. The operator configures the control bar, and clicks the "Apply" button to view the selected graph data.

The filter items in this table correspond to the same general message matching specifications used in other locations of the program. For a message to be counted, all of the filter fields must match. The specific fields of the table are as follows:

Match Address. This is the address to filter. It can be a specific IP address, or a wildcard. The default value of *.*.*.* matches all IP addresses on the system. The IP address is the address of the device AFTER any Address Overrides are processed.

Match Facility. This is the facility to filter. It is the message facility AFTER any facility overrides are processed. The default setting is "Any", which matches any Syslog facility code.

Match Severity. This is the severity to filter. It is the message severity AFTER any severity overrides are processed. The default setting is "Any", which matches any Syslog severity code.

Graph Screen, Special Notes

The user can configure an arbitrary filter, select a start date, and then inspect the event rates that match the filter. The statistics for the data (Minimum, Maximum, Average, and Standard Deviation) are shown for the resulting data at the bottom of the screen.

It is often the case that a spike in the data, for a certain hour or day, causes the graph to auto-range in such a way that the typical data is difficult to inspect (it is effectively zeroed out on the display, depending upon the magnitude of the spike). To compensate for this common situation, the Graph screen provides a slider switch, which the user can adjust upward to re-range the scale so that the low-level data becomes visible. The operator clicks the slider, drags it upward, and releases it to redisplay the data at the new scale. When the user changes the filter, or refreshes the display via the "Apply" button, the slider is reset to its zero position.

The user can hover over any of the bars in the graph to see a read-out of the data. This shows the X / Y values for the data point, useful for precisely assessing the number of events for a particular hour or day. Finally, note that this screen can be printed and incorporated into reports.

The highly flexible nature of the filtering and scaling makes this an ideal screen to interrogate in order to assess the current event counts related to devices, facilities, and severities.
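The filter semantics described above (all fields must match; a per-octet address wildcard; "Any" for facility and severity; hourly buckets with Minimum/Maximum/Average/Standard Deviation; and clipping of the scale so low-level data stays visible next to a spike), worked through in Python as an added example. This is not CorreLog code: the message tuples are constructed sample data, and the function names, the post-override address/facility/severity values, and the clipping approach used to stand in for the slider are assumptions made for illustration.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

# Constructed sample messages (not CorreLog data). Address, facility and severity are
# the values AFTER any address/facility/severity overrides have been applied.
MESSAGES = [
    ("2024-03-01 08:05:12", "10.1.2.10",   "auth",   "warning", "sshd: Failed password for root"),
    ("2024-03-01 08:17:40", "10.1.2.10",   "auth",   "info",    "sshd: Accepted publickey for ops"),
    ("2024-03-01 08:59:03", "10.1.2.11",   "daemon", "err",     "ntpd: no servers reachable"),
    ("2024-03-01 09:02:55", "10.1.2.10",   "auth",   "warning", "sshd: Failed password for admin"),
    ("2024-03-01 09:40:01", "192.168.5.7", "auth",   "warning", "sshd: Failed password for root"),
    ("2024-03-01 11:15:00", "10.1.2.10",   "auth",   "warning", "sshd: Failed password for root"),
]

def address_matches(pattern, address):
    """Per-octet wildcard match: '*.*.*.*' matches everything, '10.1.*.*' matches a /16."""
    pat_octets = pattern.split(".")
    addr_octets = address.split(".")
    if len(pat_octets) != 4 or len(addr_octets) != 4:
        return False
    return all(p == "*" or p == a for p, a in zip(pat_octets, addr_octets))

def message_matches(msg, match_address="*.*.*.*", match_facility="Any",
                    match_severity="Any", match_expr=None):
    """All filter fields must match for a message to be counted (AND semantics)."""
    _, address, facility, severity, text = msg
    if not address_matches(match_address, address):
        return False
    if match_facility != "Any" and facility != match_facility:
        return False
    if match_severity != "Any" and severity != match_severity:
        return False
    if match_expr is not None and re.search(match_expr, text) is None:
        return False
    return True

def hourly_rates(messages, **filters):
    """Count matching messages per hour bucket ('YYYY-MM-DD HH'); buckets with no
    matches are omitted. Returns a dict sorted by bucket."""
    counts = Counter()
    for msg in messages:
        if message_matches(msg, **filters):
            ts = datetime.strptime(msg[0], "%Y-%m-%d %H:%M:%S")
            counts[ts.strftime("%Y-%m-%d %H")] += 1
    return dict(sorted(counts.items()))

def rate_stats(rates):
    """Min / Max / Average / Standard Deviation over the bucket counts, as shown under the graph."""
    values = list(rates.values()) or [0]
    return {"min": min(values), "max": max(values),
            "avg": statistics.mean(values), "stddev": statistics.pstdev(values)}

def clip_scale(rates, ceiling):
    """Stand-in for the slider: clip bars at 'ceiling' so that low-level data remains
    readable when a single spike would otherwise auto-range the axis."""
    return {bucket: min(count, ceiling) for bucket, count in rates.items()}

if __name__ == "__main__":
    rates = hourly_rates(MESSAGES, match_address="10.1.*.*",
                         match_facility="auth", match_expr=r"Failed password")
    print(rates)        # {'2024-03-01 08': 1, '2024-03-01 09': 1, '2024-03-01 11': 1}
    print(rate_stats(hourly_rates(MESSAGES)))
```

The `match_expr` filter plays the role of the match pattern entered in the control bar; an unfiltered call (`hourly_rates(MESSAGES)`) reproduces the default `*.*.*.*` / Any / Any graph.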

Report "Pivot" Screen

In addition to the other reporting functions described previously, CorreLog furnishes a generic log file analyzer facility that generates "Pivot" type reports on any thread data. This facility allows the user to analyze data such as web server logs, firewall logs, or other data consisting of field-delimited records. The system breaks selected messages into fields, records the unique values for each field, and reports on the number of times each unique value has occurred. The Pivot Report screen is accessed via the "Reports > Pivot" tab, and is depicted below.

Pivot reports operate on specific "Threads", and break messages into field values, which are tabulated and recorded. The operator can then drill into any field to see the unique values, counts, and messages associated with each value, such as the unique URLs of an HTTP server log (and their counts) or the number of messages filtered by each rule of a firewall. Pivot reports are executed each day at midnight, and can also be generated on demand.

Pivot Report Detailed Notes

The Pivot report is one of the few places in CorreLog that requires the user to normalize data, by assigning labels to specific fields within messages. The basic configuration of a Pivot report is as follows.

1. The user creates a thread of messages via the "Correlation > Threads" screen for the Pivot report to operate on. These messages should all be "regular", i.e. they should contain the same number of fields, and certain fields should consist of finite enumerated values (such as URLs, status codes, IP addresses, etc.)

2. The user creates a new Pivot report via the "AddNew" button on the top-level Pivot screen. On the "Add New Pivot Report" screen, the user selects the thread created above, provides a title, and provides any additional match expression that will qualify messages in the specified thread.

3. The user clicks on the "Config" button of the "Pivot Field Specifications" screen, and provides a label for each field of interest. (Sample messages are provided to assist in this operation.) Additionally, the user can change the field delimiters and specify new match expressions to qualify the list of messages.

4. The user saves the data, and waits until midnight for the report to generate, or generates the report immediately via the "Generate" button on the top-level Pivot Report screen.

5. If the user generates the report manually, the user should refresh the screen when the Pivot report is finished, to see the latest report data. (This step is not necessary if the reports are generated automatically, at midnight.)

When the Pivot report is generated, the user can access the values for each field specified in step 3 above by clicking on the associated hyperlink for the Pivot report. This depicts a bar graph of message counts associated with each value in the selected field. The user can further see the related messages for the pivot field by clicking on the hyperlinks, and can "pivot" between the various message groups created by the report via further hyperlinks and drop-down menus.

The level of effort for initially configuring a Pivot report can range from simple to difficult, depending upon the complexity of the messages being analyzed. Several advanced features, not documented here, are available, such as defining "sub-labels" within fields. Contact CorreLog support for additional assistance.
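The steps above (a thread of "regular" messages, an optional qualifying match expression, a delimiter, labels for the fields of interest, counts of each unique value, drill-down to the messages behind a value, and pivoting from one field's value to another field's distribution), implemented in Python as an added example. It is not CorreLog's pivot engine: the web-server style lines are constructed sample data, the field numbering and label names are assumptions, and the class and method names are chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed web-server style thread (not CorreLog data). Every line but the last is
# "regular": the same number of space-delimited fields, with enumerable values in the
# fields of interest. The last line is irregular and must not corrupt the counts.
THREAD = [
    "10.1.2.10 - - GET /login 200",
    "10.1.2.11 - - GET /index.html 200",
    "10.1.2.10 - - POST /login 401",
    "192.168.5.7 - - GET /admin 403",
    "10.1.2.10 - - POST /login 401",
    "192.168.5.7 - - GET /admin 403",
    "10.1.2.12 - - GET /index.html 200",
    "malformed line",                      # wrong field count: skipped, not counted
]

# Field labels as an operator would enter them on the "Config" screen: field index -> label
FIELD_LABELS = {0: "client", 3: "method", 4: "url", 5: "status"}

class PivotReport:
    def __init__(self, thread, labels, delimiter=r"\s+", match_expr=None):
        self.thread = thread
        self.labels = labels
        self.delimiter = re.compile(delimiter)
        self.match_expr = re.compile(match_expr) if match_expr else None
        # label -> value -> count, and label -> value -> messages carrying that value
        self.counts = {label: Counter() for label in labels.values()}
        self.messages = {label: defaultdict(list) for label in labels.values()}
        self.skipped = 0

    def generate(self):
        """Split each qualifying message into fields and tabulate the unique values
        of every labelled field. Messages with too few fields are skipped."""
        expected = max(self.labels) + 1
        for msg in self.thread:
            if self.match_expr and not self.match_expr.search(msg):
                continue                    # does not satisfy the qualifying expression
            fields = self.delimiter.split(msg.strip())
            if len(fields) < expected:
                self.skipped += 1           # irregular message: cannot be pivoted
                continue
            for index, label in self.labels.items():
                value = fields[index]
                self.counts[label][value] += 1
                self.messages[label][value].append(msg)
        return self

    def top(self, label, n=5):
        """The bar-graph view: the most frequent values for one labelled field."""
        return self.counts[label].most_common(n)

    def drill_down(self, label, value):
        """The hyperlink drill-down: the messages behind one bar of the graph."""
        return list(self.messages[label][value])

    def pivot(self, from_label, from_value, to_label):
        """Pivot between message groups: distribution of 'to_label' among the messages
        whose 'from_label' field equals 'from_value'."""
        subset = PivotReport(self.drill_down(from_label, from_value),
                             self.labels, self.delimiter.pattern)
        return subset.generate().counts[to_label]

if __name__ == "__main__":
    report = PivotReport(THREAD, FIELD_LABELS).generate()
    print(report.top("url"))                       # [('/login', 3), ('/index.html', 2), ('/admin', 2)]
    print(report.pivot("status", "401", "client"))  # Counter({'10.1.2.10': 2})
    print(report.skipped)                          # 1
```

The `match_expr` argument corresponds to the additional match expression entered in step 2 or 3; for example `match_expr=r"\s40[13]$"` restricts the report to the denied requests only.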


Section 9: System Screens

The CorreLog "System" application screens provide various system functions, including support for user preferences, login management, scheduling of programs, and configuration of global parameters. Except for the user's preferences, these screens all require an "admin" type login to the CorreLog system (as configured in the "Login" screen of this group).

Each regular CorreLog operator has access to the "System > Preferences" screen, which allows each user to configure specific parameters associated with their profile, such as their initial login screen, and initial settings when they access other screens. Additionally, the "User Preferences" screen permits a user to change his or her password.

With regard to CorreLog administrators, the "System" application screens provide ancillary but important functions pertinent to the security and operation of the system. In particular, the administrator can assign user logins to the program via the "Login" screen, enable enhanced login security, and limit access to certain data items of the system. Additionally, administrators can schedule programs to execute at periodic intervals, and define what programs are automatically started when the main CorreLog Framework Service starts.

The "System" group includes various other screens to support system operation, such as screens to configure the SMTP server parameters used by all operators. Knowledge of the "System > Scheduler" screen, described herein, is typically required to install any option or adapter to the CorreLog system.

User Preferences Screen

The "User Preferences" screen is accessed by clicking on the "System" tab. This screen is also available via the "More" pull-down menu at the upper right of the display. The screen shows a list of user preferences specific to the currently logged in user, and permits the user to change the login password. Modifications of this data affect only the currently logged in user. This screen is depicted below:

The user modifies preferences by clicking the "Edit" button, and then clicking the "Commit" button on the edit screen. The user can change his or her password using the "Modify" button at the top of the screen. User preferences are as follows:

Change Password. This button at the top of the screen allows the user to change his or her password. The operator enters the current password and the new password, and confirms it.

Current Login Name. This value is not modifiable from this screen, and can only be assigned by the CorreLog administrator via the "System > Logins" screen (described below). This is the name of the currently logged in user, provided here only for reference.

Full User Name. This is the full name of the user, initially configured by the administrator, and appearing on the "Logins" screen. The text is arbitrary, and is used to identify and distinguish the currently logged in user. The value is available to CorreLog developers, but is not otherwise used in the system.

Initial Login Screen. This is a drop-down menu that determines the initial screen displayed when the user logs into the CorreLog system. The default value is "Home". The user can set the initial login screen to be "Messages", "Correlation", "Tickets", "Reports", or "System", depending upon the particular interest areas of the user.

Initial Dashboard Screen. This is a drop-down menu that determines the initial dashboard displayed when the user logs into the CorreLog system. The default value is "Unspecified", which defaults to the first dashboard on the system (listed in alphabetical order). This value can also be set when creating a new dashboard via the "Add New Dashboard Wizard", which automatically makes the new dashboard the default dashboard.

Initial Device Group. This is a drop-down menu that controls the initial "Device Group" setting of the "Messages > Devices" screen on entry. The preference affects only the "Devices" screen. This setting can be used to list only selected devices on entry, convenient for those CorreLog operators that are concerned with managing only specific devices on their system.

Initial Thread Group. This is a drop-down menu that controls the initial "Thread Group" setting of the "Correlation > Threads" screen on entry. The preference affects only the "Threads" screen. This setting can be used to list only threads of interest to a user, convenient for those CorreLog operators that are concerned with managing only specific devices or applications on their system.

Initial Ticket Group. This is a drop-down menu that displays a list of all the registered users and configured ticket groups. The value is used by the "Tickets" facility to show and filter the tickets assigned to a particular group. This setting allows the user to configure the initial group displayed when the "Tickets" tab is clicked, so that the user immediately sees the particular tickets of interest. The default ticket group for an "admin" type login is "All", indicating that tickets of all assignees are displayed. For other users, the default value is the username.

Initial Load Graph. This is a drop-down menu that displays a list of all the graph configurations on the system defined by the "Reports > Graphs > Edit Parms" screen. The user can configure a graph, and then specify it as the default graph displayed when the "Reports > Graphs" tab is clicked. This provides an easy way of setting up the default graph for a particular user.

Initial List Count. This is a drop-down menu that controls the "Max List" setting of various screens in the system, including the "Search", "Devices", and correlation screens. The user can specify the number of entries initially displayed by these screens. The initial list count can be set to "Max-1" to indicate the number of messages by page number. Setting the value extremely high may degrade the performance of the browser.

Initial Sort By. This is a drop-down menu that controls the "Sort By" setting of the "Messages > Devices" screen on initial entry. The preference affects only the "Devices" screen. This setting can be used to keep the devices on this screen positioned independently of the time of the last message. (Sort by "Time" is the default.)

Open Dashboards In New Window. This is a drop-down menu that allows the user to specify whether dashboard links (possibly, but not necessarily, configured as part of dashboard window pane titles) cause the new dashboard to be displayed in a separate window, or within the same window. The default value is "No", indicating that dashboards are opened in the current browser window.

Use Java Applets In Dashboards. This is a drop-down menu that allows the user to specify whether Java applets are displayed for the user. The default value is "Yes", indicating that dashboards can make use of Java based gadgets. If the value is set to "No", then an alternative to a Java applet is automatically selected for the user when any dashboard is selected that uses Java. This may speed up access to dashboards, and may be required if the client computer does not support Java.

Screen Auto-Refresh. This is a drop-down menu that controls the rate at which screens are automatically refreshed. This setting is mainly useful when letting CorreLog "idle" on a screen, such as on a Network Operations Center terminal. Setting this value to other than the default "None" may have undesirable usability side effects, since the auto-refresh interferes with editing values. Note that some screens, such as the "Dashboard" screen, update automatically without any special refresh.

E-mail Address. This is the e-mail address of the user, initially configured by the administrator, and appearing on the "Logins" screen. This value is available to system programmers, but is not otherwise used by CorreLog.

Modify Advisories. This button at the bottom of the screen allows the operator to view and modify their current "System Advisory" settings, which control the "Advisory" screen functions documented in Section 10 of this document.

Reasonable defaults are provided for all user preferences. Note that all data is specific to the currently logged in user, and all values affect only the display of data (and not the actual messages received and correlated).

To change a password, the user clicks the "Modify Password" button at the very bottom of the screen. This prompts the user for the current password and a new password. When changing a password, any modifications to parameters made prior to clicking the "Modify" button are discarded. (The user will have to access the screen again and reconfigure parameters, if necessary.)

If a user preference corresponds to a configuration item that has been deleted (such as a device group, ticket group, initial dashboard screen, or other item) then the user preference generally reverts to the installation default. The value depicted on the top-level user preference screen is then undefined: it may appear as the initial setting, or as the setting last specified by the user. In this case, the user should edit and save the user preferences to make the top-level screen agree with the actual setting. This may be slightly confusing to naïve users.

Note that there is one other class of "user preference" data, which is the "pin" list associated with the user, configured for the various CorreLog applications, and affecting the ordering of item lists on the "Threads", "Devices", and various other screens. The user pin list, like the parameters of this screen, is completely local to the currently logged in user, and does not affect other users of the system.

Finally, note that "ticket" and "dashboard" type users (described below) will not be able to access their user preferences via the "System" tab, however they will still be able to modify their preferences via the "More" menu hyperlink at the upper right of the display.

System Logins "Users" Screen

The System Logins "Users" screen is accessed by clicking on the "System" tab, then "Logins", and then "Users". This screen is available only to "admin" type users, and permits the operator to add, modify, or delete CorreLog system logins. This screen is depicted below:

The user adds a login via the "AddNew" button. To edit an existing login, the user clicks the "Edit" button at the left of the target username. To delete a login, the user first clicks the "Edit" button and then clicks the "Delete" button on the edit dialog.

All user password information is kept in encrypted form on the disk, and is only accessible through the login screen shown here. The number of user logins to the system depends upon your licensing option for the system. If no licensed number of users is specified.

User Login Parameters

When creating a user login, the CorreLog administrator must specify the following parameters associated with each user. The administrator then clicks the "SaveNew" button to save these parameters.

Login Username. This is the user ID assigned by the administrator. The name must contain only alphanumeric characters, dashes, or underscores. The name cannot contain any other special characters.

Full Username. This is the full username, which appears on the user preferences screen. The end-user can modify this value, which is provided for reference only.

User E-mail Address. This is the e-mail address for the user, helpful in notifying the user. The end-user can modify this value, which is provided only for reference.

Login Password. This is the password for the user, which should be a suitably long password that the end-user can then change via the user preferences screen.

System Access. This is the particular access to the system, which governs what screens the user can see and what modifications the user can make to the system. This value is further explained in the next section.

User Permissions

Each user, in addition to having a required username and password, is assigned to a CorreLog permission group that controls how the user can access the system. CorreLog supports the following system access groups:

Admin group. This group provides complete access to all parts of the CorreLog system, including the login screen, and all system parameters. Administrators have no limits to their access; essentially no access restrictions apply to them.

User group. This group provides both read and write access to all system configurable data except for global system parameters, logins, and some specialized data (such as the ODBC interface). Generally, this is the level associated with power users, or the main users of the system.

Guest group. This group provides read access to most of the data in the system, but no write access. Generally, this is the level associated with guests to the system who may be interested in inspecting data, but should not be given permission to modify any data, or to view certain data items.

Report group. This group is identical to the "Guest" group, except that only the "Reports > Excel" tab appears for the user. Members of this group cannot access any other CorreLog screens directly, and cannot modify any data. They can download reports, and configure new report items. Generally, this is the level associated with auditors who are only interested in report information from CorreLog.

Ticket group. This group is identical to the "Guest" group, except that only the "Tickets" tab appears for the user. Members of this group cannot access any other CorreLog screens directly, and cannot modify any data except for ticket data. Generally, this is the level associated with operators or managers that are tasked with dispatching and resolving ticket items.

Dashboard group. This group is identical to the "Guest" group, except that only the "Dashboard" tab appears for the user. Members of this group cannot access any other CorreLog screen directly, and cannot modify any data. Generally, this level is associated with operators or managers that want to view high-level system status.

Custom group. This special group allows the administrator to define custom permissions for a user, including the ability to limit the tabs seen by the user, and to limit the ability of the user to see items other than "pinned" items. More information on "Custom" access is provided in the next section.

Disabled group. This group consists of users that have been temporarily or permanently denied access to any part of CorreLog. Members of this group cannot log into the CorreLog system.

For any "non-disabled" user, the user preferences are always accessible and can be modified. In the special case of "Ticket" and "Dashboard" users, the "System" tab is not displayed for the user, however the user can access user preferences via the "More" menu hyperlink at the upper right of the display.

Attempting to access an area of CorreLog without permission displays a screen indicating that permission has been denied to the user, thereby preventing the user from continuing with the operation. In this case, the user should click the back button of the browser to return to the previous screen, or click on some other CorreLog navigation tab to enter a valid area of the program.

System Logins "Access Profiles" Screen

The System Logins "Access Profiles" screen is accessed by clicking on the "System" tab, then "Logins", and then "Access Profiles". This screen is available only to "admin" type users, and permits the operator to add, modify, or delete CorreLog system profiles, which can subsequently be used as access profiles in the System Logins "Users" screen (above). The "Access Profiles" screen is shown below:

The screen allows an administrator to restrict the view of certain data and screens to selected users. Each profile appears in the "System Access" select menu of the "System > Logins > Users" screen, and can be assigned to any new or existing user. To create a new profile, the operator clicks the "AddNew" button. To edit or delete an existing profile, the operator clicks the "Edit Profile" button next to the profile name. If a profile that is assigned to a user is deleted, that user's logon access becomes "disabled".

On the "AddNew" screen, the following controls and selections are available when configuring a new profile for the system.

Access Profile Name. This input field is the name of the access profile, which will appear on the top-level screen, and also in the "System Access" select menu of the "System > Logins > Users" screen.

Profile Description. This input field is a description of the purpose or intent of the access group, which annotates the top-level display of the screen.

Select Dashboard Name. This select menu, if a dashboard is selected, creates a "Dashboard" tab for the user logon, which displays the selected dashboard. The select menu provides an option for each dashboard currently configured on the system. If the default value of "None" is selected, no "Dashboard" tab is displayed for the user.

Select Device Group Name. This select menu, if a device group is selected, displays the "Devices" and "Query" tabs of the system for the user logon, restricting the display to the selected device group. The select menu provides an option for each device group currently configured on the system. If the default value of "None" is used, the "Devices" and "Query" tabs are not displayed for the user.

Select Ticket Group Name. This select menu, if a ticket group is selected, displays the "Tickets" tab of the system for the user logon, which displays the tickets of the selected group. The select menu shows each ticket group currently configured on the system. If the default value of "None" is selected, no "Tickets" tab is displayed for the user.

Select Correlation Threads. This button displays a screen permitting the administrator to view each configured thread, and select the threads for display in the user logon profile. If no threads are selected, no "Correlation > Threads" tab is displayed for the user.

Select Audit Reports. This button displays a screen permitting the administrator to view each configured audit report, and select the audit reports for display in the user logon profile. If no audit reports are selected, no "Reports > Audit" tab is displayed for the user.

Select Excel Reports. This button displays a screen permitting the administrator to view each configured Excel report, and select the Excel reports for display in the user logon profile. If no Excel reports are selected, no "Reports > Excel" tab is displayed for the user.

Select Pivot Reports. This button displays a screen permitting the administrator to view each configured Pivot report, and select the Pivot reports for display in the user logon profile. If no pivot reports are selected, no "Reports > Pivot" tab is displayed for the user.

Select Other Tabs. This button displays a screen permitting the administrator to view various other tabs on the system, and select the tabs for display in the user logon profile. This permits the administrator to select other special screens for inclusion in the logon profile.

Additional Notes

The "System > Logins > Access Profiles" screen is the primary mechanism for establishing a "multi-tenant" type of operation within CorreLog. (An alternative method is to create "Custom" user logins, discussed under the previous screen.) This screen will likely be the easiest way of setting up a particular access profile and restricting users of that profile to selected data items and views.

In general, "Access Profiles" limit changes to the system in the same way as a "Guest" type access. Users with configured access profiles have permission ONLY to view the data, and can make no substantial changes to the system other than modifications to certain user preferences (such as changing their own password).

When setting up an access profile, the administrator should note that there is no guarantee that other devices and data items (outside of the specific profile) will not be revealed. The profile is intended only to direct the user's attention to specific data, simplifying the operation of the system for the specific user type; it narrows what the user is shown, and is not a security boundary. Access profiles do not necessarily guarantee data privacy. In particular, dashboard components (if the administrator assigns a dashboard to a user profile) should be carefully constructed to permit only certain data views, and not reveal data that is otherwise confidential. Tenant separation that must hold against a determined user should therefore not rely on access profiles alone.

If an access profile is deleted from the system, any users of the profile will have their logons set to "disabled", and will have no further access to the system. This is a common administrative mistake, but is easily corrected by simply creating a new access profile with the same name as before.

Security Enhanced Functions Configuration Screen

The "Security" screen is accessed by clicking on the "System" tab, then "Logins", and then the "Security" tab. This screen is available only to "admin" type users, and permits the operator to configure special parameters that may enhance the security of the CorreLog Server site. The screen permits the CorreLog administrator to configure authentication methods and other parameters that apply to all CorreLog users. The screen is depicted below:

This screen is a standard CorreLog "Edit" dialog that gives the administrator various extra options regarding user logins, such as whether passwords expire, the maximum number of login attempts before the user is locked out, and the lockout duration. The screen provides the following parameters:

Security Enhanced Functions. This selection allows the administrator to enable or disable enhanced login security. The default is "Disabled". The administrator must first enable Security Enhanced Functions before any of the other settings below apply.

Login Authentication Method. This selection specifies whether authentication takes place with HTTP authentication, a built-in Web screen, or both. When using HTTP authentication, the user is prompted for a password via a browser pop-up dialog. When using "Web Screen" authentication, the user is prompted for a password via a CorreLog screen.

Use Active Directory Authentication. This selection permits users to access CorreLog via SSPI (Microsoft Active Directory) authentication. In this case, the user's password is checked against the value for the platform (either the local logon password, if any, or the Active Directory password).

Default Logon Domain. This setting (which appears only after clicking the "Edit" tab) is needed only if "Use Active Directory Authentication" is "True". The administrator must specify the domain that the user will be authenticated against. If the value is not specified, the user will still be able to log on to CorreLog using the local CorreLog password (if any) and the password of the local computer (if any).

Auto Logout Time (Minutes). This value represents the time in minutes before a user is automatically logged out of CorreLog due to inactivity. The default value is 60 minutes. After 60 minutes of inactivity, the user is automatically presented with a login screen when any button, tab, or link is clicked.

Require Strong Passwords. This selection enforces strong passwords. A strong password must have eight characters or more, including at least one upper-case letter, one lower-case letter, and one digit. The default setting is "False", which does not enforce strong passwords (and requires only that the password be three or more characters).

Password Expire Time (Days). This value represents the time in days before a user must change his or her password. When the password expires, the user is forced to enter the current password and select a new password. This occurs immediately upon expiration, before any other screen can be launched.

Max Login Attempts. This value represents the maximum number of attempts to log in to the system without a correct password, and also the maximum number of attempts to change a password. After this number of attempts, the user is automatically locked out of the system for the "User Lockout Duration" (described below). The default value is 10 unsuccessful login attempts.

User Lockout Duration (Minutes). This value represents the time that a user will be locked out of CorreLog if the "Max Login Attempts" value (above) is exceeded. The user is presented with a screen indicating that they have been locked out of the system, and this screen persists for the number of minutes specified here. (The administrator can unlock a user from the "Logins" screen, described previously.)

Require IP Address / Group. This value is an IP address, an address wildcard, or an address group that indicates which IP addresses are allowed to access CorreLog. If the administrator specifies an address group, the value should include the "@@" delimiters in standard CorreLog format.

Configuring Active Directory Authentication

For convenience, CorreLog Server can be configured to authenticate users against Active Directory, so that passwords are maintained by the organization. Note that this may introduce some security risk if CorreLog is principally being used to monitor privileged user activity, since a malicious Active Directory administrator can then compromise the system through modifications to Active Directory. To configure Active Directory authentication:

1. The CorreLog administrator adds the user, and the privileges for the user, to the "System > Logins > Users" list. (The user MUST first exist in CorreLog, since this is what defines the privileges associated with the CorreLog user.) The password configured for the user applies ONLY if the CorreLog user wants to log in to the CorreLog system using the "Local" setting. In most cases, a long and random password can be selected for this field to prohibit user access except through Active Directory authentication.

2.
On the "System > Logins > Security" screen, the CorreLog administrator" (a) sets "Security Enhanced Functions" to be "Enabled; (b) sets "Login Authentication Method" to be "Web Screen"; (c) sets "Authenticate Using SSPI / AD" to be True"; (d) provides the domain name for the login; and then (e) clicks "Commit" to save the settings. The above steps are sufficient to enable Active Directory login authentication. When a CorreLog user logs into the system, the password will be authenticated against his or her active directory settings. The permissions for the user (to the CorreLog Server screens) is determined by the settings of step 1 above. CorreLog Screen Reference Manual, Page - 176
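The following is an added example, not CorreLog's own code, that models the login controls configured on this screen: the strong-password rule, lockout after "Max Login Attempts" failures for "User Lockout Duration" minutes, the administrator unlock, and the inactivity auto-logout. The defaults for attempts (10) and auto-logout (60 minutes) are the manual's; the lockout duration default, the class and function names, and the injected clock are this example's own assumptions.

```python
"""Model of the "System > Logins > Security" controls (added example)."""
import re
import time
from dataclasses import dataclass


def is_strong_password(password: str, require_strong: bool = True) -> bool:
    """Manual's rule: eight or more characters with at least one upper case
    letter, one lower case letter and one digit. With require_strong=False
    (the default "False" setting) only the three-character minimum applies."""
    if not require_strong:
        return len(password) >= 3
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


@dataclass
class SecuritySettings:
    max_login_attempts: int = 10   # manual default
    lockout_minutes: int = 30      # constructed value; the manual states no default
    auto_logout_minutes: int = 60  # manual default


@dataclass
class UserState:
    failed_attempts: int = 0
    locked_until: float = 0.0      # epoch seconds; 0 means not locked
    last_activity: float = 0.0     # 0 means no active session


class LoginGuard:
    """Tracks failed logins, lockout and inactivity per user. `clock` is
    injected so the behaviour can be exercised without sleeping."""

    def __init__(self, settings: SecuritySettings, clock=time.time):
        self.settings = settings
        self.clock = clock
        self.users: dict[str, UserState] = {}

    def _state(self, user: str) -> UserState:
        return self.users.setdefault(user, UserState())

    def is_locked_out(self, user: str) -> bool:
        return self._state(user).locked_until > self.clock()

    def attempt_login(self, user: str, password_ok: bool) -> str:
        """Return "locked", "failed" or "ok". A locked user is rejected even
        with the correct password until the lockout window has elapsed."""
        st = self._state(user)
        if self.is_locked_out(user):
            return "locked"
        if not password_ok:
            st.failed_attempts += 1
            if st.failed_attempts >= self.settings.max_login_attempts:
                st.locked_until = self.clock() + self.settings.lockout_minutes * 60
                st.failed_attempts = 0
                return "locked"
            return "failed"
        st.failed_attempts = 0
        st.last_activity = self.clock()
        return "ok"

    def admin_unlock(self, user: str) -> None:
        """Counterpart of the administrator's unlock on the "Login" screen."""
        st = self._state(user)
        st.locked_until = 0.0
        st.failed_attempts = 0

    def touch(self, user: str) -> None:
        """Record activity (a click on any button, tab or link)."""
        self._state(user).last_activity = self.clock()

    def session_active(self, user: str) -> bool:
        """False once auto_logout_minutes of inactivity have elapsed, at which
        point the user is presented with the login screen again."""
        st = self._state(user)
        if st.last_activity == 0.0:
            return False
        return self.clock() - st.last_activity < self.settings.auto_logout_minutes * 60
```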

System SMTP Parameters Screen

The SMTP screen is accessed by clicking on the "System" tab, and then clicking "SMTP". This screen is used to specify the parameters of an SMTP server used by the "Actions" facilities, the "E-mail Report" facility, and other locations within CorreLog. The screen permits the user to specify the standard parameters associated with most SMTP servers. This screen is depicted below.

Before any SENDMAIL action program or report can actually send an e-mail message, the CorreLog administrator must first configure valid parameters for the SMTP server that is used in the mail transaction. This screen allows the administrator to configure the address, authentication type, and authentication parameters associated with the SMTP server. CorreLog supports plain text authentication, login authentication, and non-authenticating SMTP servers.

Specific SMTP parameters, available by clicking the "Edit" button on this screen, are described below.

SMTP Master Enable. This drop-down menu permits the administrator to temporarily (or permanently) disable all messages sent by the program. The default is "enable", which permits CorreLog to send messages.

SMTP Server IP Address. This is the IP address of the SMTP server, expressed in dot notation. The administrator must specify a valid IP address. CorreLog will not accept a host name for this field.

Mail From Address. This is the address of the sender. It is also used to send test messages (described below.) The value should be the address of a valid recipient within the organization.

Authentication Type. This is the type of authentication. CorreLog supports three standard authentication types: "Auth-Login" is the standard authentication employed by most SMTP servers, requiring a username and password; "Auth-Plain" is a less-common type of authentication, requiring a username, password, and account ID; "Auth-None" is standard SMTP, but without authentication. This value must agree with the configuration of the SMTP server at the specified IP address.

Account Username. This is the account username. It is generally (but not necessarily) the address of a system user. This value is required for both "Auth-Plain" and "Auth-Login" type authentication.

Account Password. This is the password for the specified account. This value is required for both "Auth-Plain" and "Auth-Login" type authentication.

Account ID. This is the account ID for the specified account. It is used only for "Auth-Plain" type authentication (which is the less-common form of SMTP authentication.) If the user has selected an authentication type of "Auth-Login", this value is ignored.

Max Messages Per Hour. This setting limits the number of messages per hour to some value, by default 100 messages per hour. If more than the specified number of messages is sent, the e-mail "Throttle" value activates for the remaining portion of the hour, and a final e-mail is sent to recipients. The user can see the status of the throttle by clicking the "View / Clear Throttle" link next to this input field.

Timeout Seconds. This setting limits the amount of time to establish a connection and send e-mail to the SMTP server. If more than this time elapses during any message transmission (including connect time) then the program terminates and an error is logged.

Send Test Message. This button tests the connection by sending an e-mail message and displaying the transcript of the SMTP session during this transmission. This provides a simple way to test the SMTP parameters configured here.

After saving parameters, the user can click the "Test" button to send a test message to the "From Address" configured by the dialog. This sends the message and displays a transcript of the SMTP transaction, which can be used to debug the connection.

The system limits the number of messages that are sent each hour. By default, this is 100 messages per hour. The administrator can change the value to some other suitable value as described above. Once the maximum number of messages has been sent during a one-hour interval, no further e-mail will be sent. Instead, a final message is sent, and an error is logged. The user can view the state of the throttle via the "View / Clear Throttle" link, which accesses a special screen showing the throttle time, throttle state, and number of messages bypassed, and providing a "Clear" button to clear the throttle.

Note that a common problem with configuring SMTP parameters is that some e-mail systems filter spam. If the transmission of a test message looks successful, but the e-mail is not received, the administrator should check the spam filters of the "From Address" user, if any.
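The following is an added example, not CorreLog's own code, of the hourly throttle this screen describes: up to "Max Messages Per Hour" messages go out (default 100), one final notice is sent and an error logged when the limit is reached, and later messages in that hour are counted as bypassed until the hour ends or the throttle is cleared. The `send_via_smtp` helper is a hypothetical mapping of the screen's fields onto Python's smtplib; the class name, the injected clock and the in-memory log are this example's own.

```python
"""Hourly e-mail throttle modelled on the SMTP screen (added example)."""
import smtplib
import time
from dataclasses import dataclass


@dataclass
class ThrottleStatus:
    throttled: bool
    sent_this_hour: int
    bypassed: int
    window_start: float


class HourlyMailThrottle:
    """`clock` is injected so the one-hour window can be advanced in tests."""

    def __init__(self, max_per_hour: int = 100, clock=time.time):
        self.max_per_hour = max_per_hour   # manual default is 100
        self.clock = clock
        self.clear()

    def clear(self) -> None:
        """Equivalent of the "Clear" button on the View / Clear Throttle screen."""
        self.window_start = self.clock()
        self.sent = 0
        self.bypassed = 0
        self.throttled = False
        self.log: list[str] = []      # stands in for delivered messages and error log

    def _roll_window(self) -> None:
        # A new hour starts a fresh count and releases the throttle.
        if self.clock() - self.window_start >= 3600:
            self.clear()

    def submit(self, message: str) -> str:
        """Return "sent", "final" (the single throttle notice) or "bypassed"."""
        self._roll_window()
        if self.throttled:
            self.bypassed += 1
            return "bypassed"
        if self.sent < self.max_per_hour:
            self.sent += 1
            self.log.append(message)
            return "sent"
        # Limit reached: activate the throttle and send one final notice.
        self.throttled = True
        self.bypassed += 1            # this message itself is not delivered
        self.log.append(f"ERROR: e-mail limit of {self.max_per_hour} per hour reached; "
                        "further messages suppressed until the hour ends or the throttle is cleared")
        return "final"

    def status(self) -> ThrottleStatus:
        self._roll_window()
        return ThrottleStatus(self.throttled, self.sent, self.bypassed, self.window_start)


def send_via_smtp(server_ip: str, mail_from: str, rcpt: str, body: str,
                  auth_type: str = "Auth-None", username: str = "", password: str = "",
                  timeout_seconds: int = 30) -> None:
    """Hypothetical sender: the socket timeout covers connect time as the
    Timeout Seconds field describes, and smtplib's login() negotiates AUTH
    with the server for the two authenticated types. Not called here, since
    it needs a reachable SMTP server."""
    with smtplib.SMTP(server_ip, 25, timeout=timeout_seconds) as smtp:
        if auth_type in ("Auth-Login", "Auth-Plain"):
            smtp.login(username, password)
        smtp.sendmail(mail_from, [rcpt], f"From: {mail_from}\r\nTo: {rcpt}\r\n\r\n{body}")
```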

System Parameters Screen

The "System Parameters" screen is accessed by clicking on the "System" tab, and then clicking "Parms". This screen is available only to "admin" type users, and permits an administrator to adjust ancillary (non-message related) system parameters that affect all users. This screen is depicted below:

The administrator modifies system parameters by clicking the "Edit" button, and then clicking the "Commit" button on the edit screen after making changes. System parameters controlled by this screen are as follows:

CGI Timeout. This is the maximum time, in seconds, before the CGI interface will time out with a message. All CorreLog screens will generally finish their execution and rendering within a few seconds, so the default value of 30 seconds is probably adequate for most sites.

Enhanced Login Security. This value is identical to the value on the "Enhanced Login Security" screen, described previously, and enables the settings on that screen (including auto-logout, max login attempts, etc.)

Default User Access. This is the system user access level for users if HTTP authentication is disabled within CorreLog. This special value can be used to allow users without logins to access CorreLog screens. For example, setting this value to "dashboard" will permit anyone without a specific CorreLog login to access the dashboard screens, if HTTP authentication is disabled within the Apache server.

Audit Security Level. This is the severity of the "audit" message that is sent from CorreLog to itself any time that configuration items are changed within CorreLog. By default, the value is "debug", indicating that a debug message is logged whenever a configuration item of any type is changed.

Execution Debug Trace. This special switch will likely be enabled only by CorreLog technical support, and can be used to gather background information on system calls and program executions. Data is collected in the "Temp" directory of CorreLog, and can then be sent to CorreLog support for analysis.

Max BG Percent CPU. This value, ranging from 10% to 90%, indicates the maximum amount of CPU that can be used by background processes on the system. This provides a way of controlling the load of CorreLog background processes on the system CPU resources. Setting this value too high may cause the CorreLog system to respond more slowly to web requests. Setting this value too low may slow down the correlation and indexing processes. The default value is "30%", which is appropriate for most CorreLog Server implementations. The administrator should adjust this value cautiously because it can have unintended consequences.

CGI Process Priority. This value allows the administrator to tune the priority of the CGI processes launched via the web interface. A value of "normal" indicates the processes run at no special priority; a value of "high" causes the processes to run at slightly above normal priority; a value of "highest" causes the processes to run at high priority. This setting normally does not need adjustment, but can increase web performance on some types of hardware (at the expense of other processes on the system.)

Navigation Tab Colors. These four fields define the colors of the navigation tabs and background text values. The administrator can modify these values, for example to identify a particular CorreLog installation, or to match corporate colors.

Max Queued Actions. This value indicates the maximum number of action programs that can be queued for execution. For example, if a custom action script is blocking (and clogging) the queue directory, the queue can become filled with files that are queued for execution. When the value of "Max Queued Actions" is reached, an error is logged, and the queue is cleared. (See Section 6 of the CorreLog User Reference Manual for more information.)

System Contact. This is the e-mail contact for the product. The value appears in only a few areas of the program, such as in the RSS report index. The value is arbitrary, and can be changed to the e-mail address of a local administrator at the installed site.

System Pass Key. This value is used during the remote authentication of CorreLog agent programs, used during a remote configuration process. The value must agree with the values in the CorreLog agent configuration files. The default value is the keyword "Default". Note that this is not the only authentication used with Windows agents, hence the value is somewhat arbitrary and needed only if the site requires additional security.

Only CorreLog administrators can view or access the system parameters screen. System parameters rarely need to be modified. To restore the default system parameters (which existed on initial installation), the administrator can click the "Edit" button, and then click the "Default" button.

Additional Notes On Parameter Screens

Note that there are two locations where the user can adjust ancillary system parameters. This screen allows the user to adjust the parameters associated with the "CorreLog Sigma Framework". Additional parameters, associated with Messages, can be found in the "Message > Config > Parms" screen. The parameters of that screen affect message reception and archiving. This may cause minor confusion when looking for a particular parameter setting.

All the significant modal parameters of CorreLog affecting performance can be found in one of the above two screens. When looking for a particular parameter, the operator can easily switch between these two screens by clicking the hyperlink at the top of each parameter display.

System Schedule Screen

The "System Schedule" screen is accessed by clicking on the "System" tab, and then clicking "Schedule". This screen is available only to "admin" type users, and permits an administrator to configure programs that are automatically executed when the CorreLog program starts or stops, or automatically executed at periodic intervals. This screen is depicted below.

The screen lists a series of programs and directives that are read by the COsvc.exe program, which is the interface to the Windows service manager. The CorreLog system startup and shutdown schedule should not be modified without the assistance of CorreLog support or professional services, unless explicitly documented in some other manual. Further information on system parameters can be found in the "CorreLog Sigma Web Framework" User's Manual.

Edit Advanced Schedule Screen

The "Edit Advanced Schedule" screen is accessed by clicking on the "System" tab, then clicking "Schedule", then opening the "AddNew" or "Edit" screen, and finally clicking the "Edit Advanced Schedules" link. This screen allows the user to configure up to four different custom schedules that permit more control over a scheduled process. This screen is depicted below.

The "Schedule" screen provides four different "custom" schedules, named "Schedule #1" through "Schedule #4". These schedules are selected from the top-level screen, and permit the user to schedule a day of the week, and various times of each day. For example, the administrator can configure "Schedule #2" to execute on Tuesdays at 2AM, 9PM, and 11PM. Then, the administrator selects the "sched-2" setting as the schedule directive from the top level "System > Schedule" screen to execute a program at the selected times.

Section 10: Utility Screens

Throughout the system, CorreLog provides various hyperlinks to different areas of the program. These utility links permit the user to rapidly access related items and screens. For example, the user can click on the "Query" hyperlink of the "Messages > Search" screen to immediately navigate to the "Reports > Query" screen (to further search for messages using the reporting facility.) These hyperlinks are typically (but not necessarily) distinguished by trailing ellipses, or follow a naming convention such as "Go To X". These types of hyperlinks indicate that the main navigation tabs of the program will change if the user clicks the link.

Other hyperlinks, such as those described in this section, do not necessarily change the navigation flow, but instead operate within the specific context of the current tabs. For example, clicking on an IP address anywhere within CorreLog will display the "Device Information" screen without changing the tabs or current navigation context. Similarly, the user can view the "Message Detail" associated with any message, and retain the current navigation tab settings.

This final section contains utility screens that are accessed from various locations independent of the CorreLog tab navigation system, without changing the navigation context. These screens provide general utility in describing data items, and are accessed via hyperlinks from various CorreLog locations, as defined herein.

Device Information Utility Screen

The Device Information screen is accessed by clicking on any IP address hyperlink found within CorreLog. This screen is used to identify the device associated with the IP address, including SNMP values (if so configured.) A depiction of this screen is shown below.

This screen is the most commonly found screen in all of CorreLog. It is accessible from most other screens, by clicking on any IP address hyperlink. The screen identifies the device associated with an IP address. This is one of the most useful things to immediately know about a message (specifically, the nature of the device that sent the message.) The screen displays the IP address and official DNS name of the device, along with any commentary or notes about the device. Executing this screen will additionally ping the device to determine the device state and ping response time. Finally, if the SNMP parameters are configured in the Configure Parms screen, several useful SNMP values are displayed.

At the top of the screen, either two or three links are provided, as follows.

All Messages For Device. Clicking this link will display all the messages that have been logged for the particular device. The link launches the "Catalog Information" utility screen, discussed in the next section.

Edit Device Info. Clicking this link will display the "Device Information Editor" screen for the device, which permits the user to specify a device comment, the default device DNS name, and enable Ping and SNMP status.

Edit Remote Config. This link is displayed only if the user has enabled the remote configuration editor, on the "Edit Device Info" screen described above. This link permits the user to download and upload the configuration file from the "CorreLog Message" service program.

Using this screen, the user can find the messages for any device as follows: The user clicks on the IP address hyperlink for any device IP address displayed by the CorreLog system, and then clicks the "All Messages For Device" hyperlink.

Pinning A Device

If the "Device Information" screen is accessed from the "Messages > Devices" screen, it will contain one additional field, which is a setting to pin the device to the top of the device list. This permits the user to quickly identify important devices and place them at the top of the "Devices" screen. When the device list is sorted, all the pinned devices are sorted and displayed first, followed by unpinned devices. This provides an easy way to organize the "Devices" screen so that interesting devices remain at the top of the list.

Remote Configuration Editing

As a special function, the operator can use this screen to edit the remote configuration file of the CorreLog System Message Server. In order for the "Edit Remote Config" hyperlink to operate, the user must first enable this function via the "Edit Device Info" hyperlink. Additionally, the device must be executing the "CorreLog Message" service. Additional requirements may exist, as configured in the remote configuration file of the message service, as documented in the "CorreLog Windows Tool Set" manual.

Device Associated URLs and Extra Tabs Screen

The "Device Associated URLs and Extra Tabs" screen is accessed by first accessing the "Device Information" screen (by clicking on an IP hyperlink anywhere in CorreLog), then clicking the "Edit Device Info" link, and then clicking the "Edit Extra Links And Tabs" button. This screen is depicted below.

As shown above, this screen allows the user to specify an "Associated URL" and label that, when specified, creates a link at the upper right of the "Device Information" screen, useful for accessing web services that may be related to the device. This screen also permits the advanced function of allowing an administrator (or developer) to add extra tabs across the top of the "Device" screen through modification of the "config/dev-xtabs.cnf" file, as discussed in the paragraphs that follow.

Device Extra Tabs Definition

Because the "Device Information" screen is a ubiquitous and centrally located screen for accessing all information related to a device, CorreLog permits easy extensibility of this screen, augmenting device information with user supplied information. This allows developers and savvy administrators to customize the system with their own screens and URLs.

Tab information resides in the "config/dev-xtabs.cnf" file, which can be edited locally at the CorreLog Server to specify "Tab Groups" related to certain devices. For example, if a device has a number of metrics or programs that are web enabled, and this information can be fetched via a URL, the developer or administrator can add tabs that are displayed when the device is accessed (to permit further drill down into the device.) The "dev-xtabs.cnf" file consists of multiple entries in the following format:

(groupname).(tabno)_label - This entry, when found in the "config/dev-xtabs.cnf" file, causes a tab to be created for the device with the label specified. The value of "(groupname)" specifies the name of the group, selectable via the "Extra Tab Group" dropdown; the value of "(tabno)" is an integer number ranging from 1 to 8 (describing the position of the tab).

(groupname).(tabno)_url - This entry, when found in the "config/dev-xtabs.cnf" file, causes the specified URL to be used with the tab. The URL can contain the variables $ipaddr and $devname (described below.)

(groupname).(tabno)_width - This entry, when found in the "config/dev-xtabs.cnf" file, limits the display of the URL contents to the specified pixel width. The value, if omitted from the "config/dev-xtabs.cnf" file, defaults to 100%.

(groupname).(tabno)_height - This entry, when found in the "config/dev-xtabs.cnf" file, limits the display of the URL contents to the specified pixel height. The value, if omitted from the "config/dev-xtabs.cnf" file, defaults to 800 pixels.

The CorreLog system comes with a single tab group, called "Example_1", in the "config/dev-xtabs.cnf" file. This entry can be copied and appended to the file (modifying the group name value) to create custom tabs. Then, the specified group name will appear in the drop-down menu of the "Extra Tab Group" pulldown, and will cause tabs to appear on the "Device Information" screen when the tab group is actually selected.

When the user clicks on the tab, the actual information contained by the URL is displayed in an IFRAME within the tab. The width and the height of the IFRAME are specified as part of the "dev-xtabs.cnf" file (because no standard browser based iframe attribute exists to set the height of the iframe.) If the content is larger than the specified height and width, then the iframe automatically opens vertical and / or horizontal scroll bars.

The tabbed technique described here is useful for all types of integration with third-party network managers, software, or home grown applications. More information on the extensible features of the "Device" screen (as well as other areas of the program) can be learned by contacting CorreLog support, or reviewing the "Sigma Web Framework" manual, incorporated into all versions of the program.

Device Associated URLs

When specifying a URL, either as the "Associated URL" value, or within the "dev-xtabs.cnf" file, the operator can optionally reference the device IP address or the device name (appearing on the screen.)

$ipaddr - This value, if used in a URL, is substituted with the IP address of the selected device (or the name of the device as it appears throughout the CorreLog system.) The first and only occurrence of this keyword is substituted in the URL.

$devname - This value, if used in a URL, is substituted with the name of the selected device defined on the "Device Information" screen, and depicted below the $ipaddr values as it appears throughout the CorreLog system. The first and only occurrence of this keyword is substituted in the URL.

For example, consider the case where the Associated URL value for the device (with a device name of "Localhost") is configured as follows:

When the user accesses the "Device Information" screen (by clicking the " " hyperlink anywhere within CorreLog) the user will see the URL in the upper right of the screen, and this URL will be resolved as follows:

This provides a simple mechanism for launching web-based applications from tabs or an associated URL that is standard across a range of different managed devices, and passing information to these web services via the URL.
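The following is an added example, not CorreLog's own code, serving both the "dev-xtabs.cnf" entry format and the $ipaddr / $devname substitution described above: it reads tab-group entries, applies the manual's defaults (width 100%, height 800 pixels, tab numbers 1 to 8) and substitutes only the first occurrence of each keyword. Assumptions, since the manual does not show them: entries are "key = value" lines, "#" starts a comment, and the sample file below is constructed, not the shipped one. The percent-encoding of the substituted device name is a hardening choice of this example, not behaviour the manual describes.

```python
"""Reader for dev-xtabs.cnf tab groups and URL substitution (added example)."""
from dataclasses import dataclass
from urllib.parse import quote


@dataclass
class ExtraTab:
    number: int
    label: str
    url: str
    width: str = "100%"   # manual default when _width is omitted
    height: str = "800"   # manual default (pixels) when _height is omitted


def parse_dev_xtabs(text: str) -> dict[str, list[ExtraTab]]:
    """Return {groupname: [ExtraTab, ...]} with tabs ordered by tab number."""
    raw: dict[str, dict[int, dict[str, str]]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key = value")
        key, value = (part.strip() for part in line.split("=", 1))
        # Example_1.2_url -> group "Example_1", tab 2, attribute "url"
        group, _, rest = key.rpartition(".")
        tabno_str, _, attr = rest.partition("_")
        if not (group and tabno_str.isdigit()
                and attr in ("label", "url", "width", "height")):
            raise ValueError(f"line {lineno}: unrecognised key {key!r}")
        tabno = int(tabno_str)
        if not 1 <= tabno <= 8:
            raise ValueError(f"line {lineno}: tab number must be 1..8")
        raw.setdefault(group, {}).setdefault(tabno, {})[attr] = value

    groups: dict[str, list[ExtraTab]] = {}
    for group, tabs in raw.items():
        out = []
        for tabno in sorted(tabs):
            attrs = tabs[tabno]
            if "label" not in attrs or "url" not in attrs:
                raise ValueError(f"{group}.{tabno}: both _label and _url are required")
            tab = ExtraTab(tabno, attrs["label"], attrs["url"])
            if "width" in attrs:
                tab.width = attrs["width"]
            if "height" in attrs:
                tab.height = attrs["height"]
            out.append(tab)
        groups[group] = out
    return groups


def resolve_url(template: str, ipaddr: str, devname: str) -> str:
    """Substitute only the first occurrence of $ipaddr and of $devname, as the
    manual states. The device name is percent-encoded (this example's own
    hardening) so a name containing '&', '"' or '/' cannot alter the query
    string or break out of the IFRAME src attribute the tab is rendered in."""
    url = template.replace("$ipaddr", ipaddr, 1)
    return url.replace("$devname", quote(devname, safe=""), 1)


# Constructed sample in the assumed "key = value" layout (not the shipped file).
SAMPLE_DEV_XTABS = """
# group "Example_1": two tabs
Example_1.1_label = Web Console
Example_1.1_url   = https://$ipaddr/console?host=$devname
Example_1.2_label = Metrics
Example_1.2_url   = https://metrics.example.test/dev/$devname
Example_1.2_height = 600
"""
```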

Device Scheduled Disables Screen

The "Device Scheduled Disables" screen is accessed by first accessing the "Device Information" screen (by clicking on an IP hyperlink anywhere in CorreLog), then clicking the "Edit Device Info" link, and then clicking the "Edit Scheduled Disables" button. This screen is depicted below.

As shown above, the "Device Scheduled Disables" screen provides a simple method of disabling all alerts for a device during particular "maintenance" intervals. (Other methods of disabling alerts exist, such as on the "Tickets > Config > Parms > Edit Scheduled Disables" screen.) The above screen permits the user to specify "time windows" during which no alert condition for the device will open a ticket. The user can set certain time windows across a week.

User Information Utility Screen

The User Information screen is accessed by clicking on the User Name hyperlink found anywhere within CorreLog. This screen is used to identify the particular user by full name and other contact information. A depiction of this screen is shown below.

The screen displays the logon name of the user, along with commentary about the user (such as the user's full name, phone number, etc.) If a Full Name is specified for the user, that name will appear beneath the logon name for the user in any location within CorreLog that displays the logon name. At the top of the screen, links are provided, as follows.

All Messages For User. Clicking this link will display all the messages that have been logged for the particular user. The link launches the "Catalog Information" utility screen, discussed in the next section.

Edit User Info. Clicking this link will display the "User Information Editor" screen for the user, which permits the operator to specify the full username, phone number, location, and other information.

Using this screen, the operator can find the messages for any logon name as follows: The user clicks on the username hyperlink anywhere it is displayed by the CorreLog system, and then clicks the "All Messages For User" hyperlink.

Pinning And Flagging A User

As with the Device Information screen, the operator can pin users to the top of the list of users, for easy visibility. When the Correlation > Users list is sorted, all the pinned users are sorted and displayed first, followed by unpinned users. This provides an easy way to organize the "Users" screen so that interesting users remain at the top of the list.

Additionally, the operator can Flag a user, which places a small flag next to any occurrence of the user name within CorreLog. This provides an easy indication that the user is of special interest when a message occurs.

Full Name Lookup Function

When the operator clicks the Edit User Information hyperlink, the resulting screen includes a Lookup button that can be configured to look up the full name (from the logon name), in a fashion similar to the Lookup function found on the Device Information screen. By default, this particular lookup function is not configured, and requires assistance from CorreLog support to configure. (This is in contrast to the Device Information Lookup function, which uses DNS services, and is operable in all versions of CorreLog without special consideration.) More information on the Lookup function is found in the CorreLog\net-user directory of the CorreLog installation.

Message Detail Utility Screen

The Message Detail screen is accessed by clicking on the "Details..." hyperlink at the bottom of any logged message within the CorreLog screen. This screen permits the user to view the details of the message, view keywords, copy the keyword, and see related messages. A depiction of this screen is shown below.

This screen is accessible wherever message information is displayed in CorreLog, via the "Details..." hyperlink incorporated with the message. The screen displays an image of the message, and permits the user to view related information associated with the device, severity, and facility. Fields are as follows:

IP Address. This is the IP address of the device that sent the message. The user can click on the IP address hyperlink to access the device information screen and view all messages from the device.

Message Time. This is the time that the message was received, including the elapsed time since the screen was refreshed. The user can click on the hyperlinked time to view all the messages on the system that occurred starting with that time.

Message Facility. This is the Syslog facility for the message. The user can click on the facility hyperlink to view all messages received with the same facility value.

Message Severity. This is the Syslog severity for the message. The user can click on the severity hyperlink to view all messages received with the same severity.

Message Content. This is a precise image of the message content. If the user is copying the message into the Windows clipboard, this is the exact message that was received, without any spaces added to assist in wrapping (see note below.) Note that the message content found on other screens, while superficially the same, may contain spaces to promote wrapping of the text that are not in the actual message. Hence, any copy and paste operation to capture message content should be performed at this location.

Word Count. This is the number of words (and characters) contained in the message. The operator can click the "Word Positions" hyperlink to view all the words in the message, and their numeric position (useful for creating field based correlation rules, i.e. rules such as "$17 eq Source".)

Matched Threads. This is a list of all correlation threads that matched the message. The user can click on one or more of the threads to view all related messages in the thread. (See additional notes below.)

Matched Users. This is a list of all user names that were matched within the message. (These usernames are defined and appear on the "Messages > Users" screen of the system.) The operator can click on one or more user names to view all the related messages for the user name. If no user names appear in the message, then this field will not be displayed.

Ref IP Address. This value is any IP address that appears in the message content, along with the country of origin for that IP address. If no IP address appears in the message content (not including the IP address of the source device) then this field will not be displayed.

Message Encoding. This value is the message encoding, useful for system level debug. The message encoding is related to the device, or is related to the encoding configured at a Windows agent device. To modify the encoding, the user should access the device information screen (by clicking the IP Address value at the start of this list.)

Message Offset. This value is the hexadecimal offset of the message into the current log file for today, useful for system level debugging, and included in the message detail for completeness.

Message Detail Screen, Special Notes

The "Message Detail" screen is one of the most commonly accessed screens of the system, and is accessed via the "Details..." link accompanying all message references displayed on the system. From this screen, the operator can quickly jump between screens associated with the current message, by clicking on any of the hyperlinked values on the page.

The message content on the "Message Detail" screen is a precise image of the received message. Note that if the user copies and pastes from the top-level message screen (possibly to compose a search field or match expression) this is problematic because the top-level screen introduces spaces to assist the browser with wrapping text. Hence, the user should only copy the message from the message detail screen. The "Copy" button (which is not necessarily functional across all browsers) assists with the copy operation. (If the "Copy" button does not work, due to browser limitations, simply copy the text from this area using standard mouse techniques.)

One important application of this screen is to see if the message has matched any threads. Each thread that matches the message is listed on this screen, and the user can make adjustments to match patterns accordingly and if necessary. The threads serve to identify the class or various classes of the message, such as "Windows Event", "Firewall Event", and "Critical Error". This allows an experienced user to easily infer the properties of the message via a quick inspection of the matching thread names.
Finally, the "Next" and "Prev" messages on this screen access the next and previous messages in the main message list, not necessarily the next or previous message in a message catalog (if the "Message Detail" screen is launched from the catalog.) These links are useful for assessing what other messages occurred during the interval of time that the target message was received. CorreLog Screen Reference Manual, Page - 196
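The word positions and "$N eq value" rules described above, as an added example (not CorreLog code): a whitespace tokenizer, a rule evaluator, and a demonstration of why copying from a screen that inserts wrap spaces shifts the field positions. The 1-based numbering, the exact case-sensitive "eq" comparison, the rule grammar and the sample message are assumptions constructed for the example.

```python
"""Word positions and field-based "$N eq value" rules, as described for the
Message Detail screen.

Added example, not CorreLog code.  Assumptions the manual does not state:
  * words are separated by runs of whitespace and numbered from 1, so "$1" is
    the first word (consistent with the quoted rule "$17 eq Source");
  * "eq" is an exact, case-sensitive comparison of one whole word;
  * the rule grammar is exactly "$<position> eq <value>".
"""
import re

# Constructed Windows-agent style Syslog message, exactly as received
# (a single space between words, no wrap spaces inserted by a display).
EXACT_MESSAGE = (
    "<134>Oct 12 14:03:17 WIN-DC01 MSWinEventLog 7 Security 4625 "
    "Logon/Logoff:Audit_Failure:An_account_failed_to_log_on "
    "Account: jdoe Source Network Address: 10.1.2.3 Status: 0xC000006D"
)

RULE_RE = re.compile(r"^\$(\d+)\s+eq\s+(\S+)$")


def word_positions(message):
    """Return (position, word) pairs, numbered from 1, as the "Word Positions"
    hyperlink lists them for a message."""
    return list(enumerate(message.split(), start=1))


def word_and_char_count(message):
    """Return (words, characters) as shown in the Word Count field."""
    return len(message.split()), len(message)


def evaluate_rule(rule, message):
    """Evaluate a positional rule such as "$12 eq Source" against a message.
    A message with fewer words than the referenced position does not match."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("unsupported rule syntax: %r" % rule)
    position, expected = int(m.group(1)), m.group(2)
    words = message.split()
    if not 1 <= position <= len(words):
        return False
    return words[position - 1] == expected


def with_wrap_spaces(message, width=40):
    """Imitate a list screen that inserts a space into any word longer than
    `width` characters so the browser can wrap it.  Constructed behaviour,
    used only to show why the manual says to copy from the detail screen:
    the inserted space creates an extra word and shifts every later position."""
    out = []
    for word in message.split():
        if len(word) > width:
            word = word[:width] + " " + word[width:]
        out.append(word)
    return " ".join(out)


if __name__ == "__main__":
    for position, word in word_positions(EXACT_MESSAGE):
        print("$%d = %s" % (position, word))
    print("exact:   $12 eq Source ->", evaluate_rule("$12 eq Source", EXACT_MESSAGE))
    wrapped = with_wrap_spaces(EXACT_MESSAGE)
    print("wrapped: $12 eq Source ->", evaluate_rule("$12 eq Source", wrapped))
    print("wrapped: $13 eq Source ->", evaluate_rule("$13 eq Source", wrapped))
```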

Catalog Viewer Utility Screen

The Catalog Viewer screen is accessed by clicking on a catalog item hyperlink found in various locations of the system. This screen lists the messages associated with the catalog item, similar to the Search screen. A typical depiction of this screen, showing the "Network Events" thread, is shown below.

The "Catalog Viewer" screen operates similarly to the Search screen, except that the list of messages is limited to a particular catalog of messages: a thread, a user name, a device name, a facility, or a severity. The screen shows all the events associated with the catalog item, and permits the user to page through the data, filter the data, and adjust the start date and span days for the listing. Additionally, the user can edit (and possibly delete) the catalog item from this location.

Types of Catalog Screens

The "Catalog Viewer" screen can be used to view the following specific types of data in a consistent manner.

Thread Catalog Data. The Catalog Viewer screen is launched to view the data associated with a correlation thread. This occurs when the operator clicks on the thread title hyperlink on the "Correlation > Threads" screen.

Device Catalog Data. The Catalog Viewer screen is launched to view the data associated with messages from a particular IP address. This occurs when the operator clicks on the IP address hyperlink of a device (anywhere on the system) and then clicks the "All Messages For Device" hyperlink.

Username Catalog Data. The Catalog Viewer screen is launched to view the messages associated with a user name. This occurs when the operator clicks on a user name hyperlink listed on the "Messages > Users" screen.

Facility Catalog Data. The Catalog Viewer screen is launched to view the messages associated with a Syslog facility code. This occurs when the operator clicks on a facility name hyperlink listed on the "Messages > Facilities" screen.

Severity Catalog Data. The Catalog Viewer screen is launched to view the messages associated with a Syslog severity code. This occurs when the operator clicks on a severity name hyperlink listed on the "Messages > Severities" screen.

In each of the above situations, the list of messages is shown as contained in the catalog. The operator can filter the messages, page through the list, view message details, and perform other browsing functions. Clicking on the "Edit" button on this screen runs an edit dialog for the catalog. In the case of thread messages, this permits the user to edit the thread match patterns and specifications, or delete the thread. For all other catalogs, clicking on the "Edit" button permits the user to delete the catalog. Operators can only perform this operation if they have "user" or "admin" system access. Deleting the catalog does not delete any messages from the system, but only the catalog's message associations.

Analyze Catalog Messages Screen

The "Analyze Catalog Messages" screen is accessed by clicking on the "Analyze Messages" hyperlink at the top of the "Catalog Viewer Utility Screen" shown previously. This screen allows the operator to quickly see the occurrences of any devices, users, facilities, and severities within the catalog set. The screen is particularly useful for analyzing the contents of a thread (which may contain diverse data sources and message types). A depiction of the "Analyze Catalog Messages Screen" is shown below.

The above screen shows a typical depiction of the "Analyze Messages" screen, showing the distribution of facilities for the "Logon Failures" thread during the last hour. The operator may select the analysis item to be "Devices", "Users", "Facilities" and/or "Severities", and change the span time from one hour to ten days. To view all the occurrences of the specified item, the operator can click on the item's hyperlinked name.

Regenerate Catalog Screen

The "Regenerate Catalog" screen is a special dialog that allows the user to rebuild a catalog of data. The screen is accessed via the "Regenerate Catalog" hyperlink found at the bottom of the "Catalog Viewer" screen. Only "admin" type users can execute this dialog. The screen is depicted below.

The screen is especially useful when first adding a correlation thread, modifying a correlation match pattern, or manually adding a user name to the CorreLog system. In each of these cases, the catalog of data can be built (or rebuilt) from the list of existing messages by clicking the "Generate" button. This launches a background process, which scans the entire list of messages and rebuilds the catalog contents. This operation can take many minutes, and only one catalog can be rebuilt in the background at a time.

Message Catalog Statistics Screen

The Catalog Statistics screen is accessed by clicking on the "View Catalog Statistics" hyperlink at the bottom of any catalog screen. This screen is also accessed via the "View Counter Threshold Hints" hyperlink on the "Edit" screen of the "Alert" component. This screen shows the basic statistics of messages contained in the catalog. The screen is depicted below.

This screen shows the basic statistics associated with messages in the catalog. It is available for the Device Address, Facility, Severity, Username and Thread catalogs. For example, the user can view the message statistics associated with any device by clicking on the device title hyperlink (to view the list of device messages), scrolling down to the bottom of the page, and then clicking the "View Message Statistics" hyperlink. To view the statistics regarding all messages for a device, the user clicks the device address hyperlink (found anywhere in the system), then clicks "View All Messages For Device" at the top of the device information screen, then clicks the "View Catalog Statistics" hyperlink at the bottom of the device message catalog.

The screen shows the following fields:

Alert Threshold Hints. These are suggested alert thresholds for the data, based upon the current average value for the data rates and the data standard deviation. These values can assist in the configuration of proper alert thresholds in the "Alerts" facility.

Number of Message Records. This is the total number of messages in the catalog for the specified "start date" and "span days" interval, which should agree with the value shown in the catalog message viewer.

Number of Sample Intervals. This is the number of sampled intervals during the span of days. Increasing the sample interval value decreases the total number of sample intervals. For example, if the sample interval is 3600 seconds, there will be approximately 24 intervals per day (one for each hour).

Maximum Counts For Any Interval. This is the maximum number of messages received during any sample interval.

Average Counts Per Interval. This is the statistical average of messages received per interval, across the span of days. It is approximately equivalent to the total number of message records divided by the span of days (in seconds) and multiplied by the sample interval.

Standard Deviation From Mean. This is the statistical variance of the messages, and can be thought of as the average distance of all samples from the statistical average.

The user can change the time interval window for the statistics, and can change the start date and the span days. By default, the statistics are for all messages starting with the current date and covering the previous 30 days. Increasing the time interval increases the average and standard deviation, and decreases the number of intervals sampled.

More information on the "Alert Threshold Hints" is found in Section 5 of the CorreLog User Reference Manual, related to configuring proper alert thresholds to support message correlation.
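The statistics fields above, computed as an added example (not CorreLog code) over constructed message timestamps: messages are bucketed into fixed sample intervals, and the record count, interval count, maximum, average, the manual's approximation of the average, and standard deviation are derived from the buckets. The hint rule of mean plus two and three standard deviations, the population standard deviation, and the start date are assumptions made for the illustration; the manual does not give CorreLog's own formula.

```python
"""Catalog statistics and threshold hints, modelled on the fields of the
Catalog Statistics screen: Number of Message Records, Number of Sample
Intervals, Maximum Counts For Any Interval, Average Counts Per Interval,
Standard Deviation From Mean and Alert Threshold Hints.

Added example, not CorreLog code.  Assumptions the manual does not state:
  * intervals are aligned to the start of the span and messages outside the
    span are ignored;
  * the population standard deviation is used;
  * the hints are mean + 2 and mean + 3 standard deviations, rounded up.
"""
from datetime import datetime, timedelta
from math import ceil, sqrt

START = datetime(2015, 10, 12)   # constructed start date for a one-day span


def constructed_sample(start):
    """Constructed message timestamps for a catalog: a steady five messages
    per hour for one day, a burst of 40 extra messages during hour 14, and
    two messages outside the span (one before it, one exactly at its end)."""
    stamps = []
    for hour in range(24):
        for k in range(5):
            stamps.append(start + timedelta(hours=hour, minutes=10 * k))
    for minute in range(40):
        stamps.append(start + timedelta(hours=14, minutes=minute))
    stamps.append(start - timedelta(hours=1))
    stamps.append(start + timedelta(days=1))
    return stamps


def interval_counts(timestamps, start, span_days, interval_seconds):
    """Bucket timestamps into fixed sample intervals across the span and
    return one count per interval (a trailing partial interval is kept)."""
    span_seconds = span_days * 86400
    n_intervals = max(1, ceil(span_seconds / interval_seconds))
    counts = [0] * n_intervals
    for ts in timestamps:
        offset = (ts - start).total_seconds()
        if 0 <= offset < span_seconds:
            counts[int(offset // interval_seconds)] += 1
    return counts


def catalog_statistics(timestamps, start, span_days, interval_seconds):
    """Compute the Catalog Statistics fields for one catalog."""
    counts = interval_counts(timestamps, start, span_days, interval_seconds)
    total = sum(counts)
    n = len(counts)
    mean = total / n
    stdev = sqrt(sum((c - mean) ** 2 for c in counts) / n)
    return {
        "records": total,
        "intervals": n,
        "max_per_interval": max(counts),
        "avg_per_interval": mean,
        # The manual's approximation: records / span (in seconds) * interval.
        "approx_avg_per_interval": total / (span_days * 86400) * interval_seconds,
        "stdev": stdev,
        # Assumed hint rule: warn above mean + 2 sigma, alert above mean + 3 sigma.
        "hints": {"warning": ceil(mean + 2 * stdev),
                  "critical": ceil(mean + 3 * stdev)},
    }


def demo_statistics(interval_seconds=3600, span_days=1):
    """Run the statistics over the constructed sample with the given interval."""
    return catalog_statistics(constructed_sample(START), START,
                              span_days, interval_seconds)


if __name__ == "__main__":
    # A coarser interval lowers the interval count and raises the average
    # and standard deviation, as the manual notes.
    for interval in (3600, 7200):
        s = demo_statistics(interval)
        print("interval %5d s: %d records in %d intervals, max %d, "
              "avg %.2f, stdev %.2f, hints %s"
              % (interval, s["records"], s["intervals"], s["max_per_interval"],
                 s["avg_per_interval"], s["stdev"], s["hints"]))
```

In the constructed sample the burst hour (45 messages) sits well above the assumed critical hint, while the steady baseline stays below the warning hint, which is the separation a threshold derived from the catalog's own statistics is meant to give.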

User Links Screen

The User Links screen is accessed by clicking the "More" drop-down menu, and is not otherwise accessible on the system. This screen allows the user to augment the list of hyperlinks in the top banner with other links of interest. The links appear only in the private login session of the user, and are a user preference. The screen is depicted below.

Each operator can add up to eight different hyperlinks. These links will appear only in their login session, and will not affect other users. To add a link, the user clicks the "Edit" button, and then enters both a label and a full URL value. (The URL can be copied from the "Address" window of the browser, or can be any other valid URL.) To delete a link, the user sets either the link label or value to be a zero-length string. The resulting link will appear in the top-level status bar when the browser is refreshed.

Keyword Process Statistics Screen

The Keyword Process Statistics screen is accessed via the "Keyword Process Statistics" hyperlink found at the bottom of the Keyword Index screen, and at the bottom of the "Messages > Config > Parms > Edit" screen. This screen provides general utility in viewing the current statistics associated with the "CO-Gendex.exe" program (which is responsible for indexing all the keywords as messages are received). The screen is depicted below.

This screen is mainly useful for diagnosing issues associated with the keyword indexing system (such as many non-keywords being indexed, or the list of keywords growing without bounds). The screen is generally not useful to end users, and mainly exists to assist CorreLog support. More information on this screen is available by contacting CorreLog.

System Advisory Screen

The "System Advisory" screen is displayed when a system health advisory is generated on the system. Checks of system health and status occur hourly. When a system advisory is detected, an icon and "Advisory" link appear in the links at the upper right of the display, which the user can click on to view the advisories. A typical advisory screen is shown below.

These advisories relate to CorreLog system status and performance, which affect system security, but are not necessarily indications of a security threat. Instead, the advisories relate to system health anomalies, such as disk full conditions, abnormal process exits, and other items. The user can disable any advisory in their logon, and can re-enable (or inspect all) advisories via the "System > Prefs" screen.


More information

ORACLE USER PRODUCTIVITY KIT USAGE TRACKING ADMINISTRATION & REPORTING RELEASE 3.6 PART NO. E17087-01

ORACLE USER PRODUCTIVITY KIT USAGE TRACKING ADMINISTRATION & REPORTING RELEASE 3.6 PART NO. E17087-01 ORACLE USER PRODUCTIVITY KIT USAGE TRACKING ADMINISTRATION & REPORTING RELEASE 3.6 PART NO. E17087-01 FEBRUARY 2010 COPYRIGHT Copyright 1998, 2009, Oracle and/or its affiliates. All rights reserved. Part

More information

NetIQ Operations Center 5: The Best IT Management Tool in the World Lab

NetIQ Operations Center 5: The Best IT Management Tool in the World Lab NetIQ Operations Center 5: The Best IT Management Tool in the World Lab NIQ08 Novell Training Services ATT LIVE 2012 LAS VEGAS www.novell.com Legal Notices Novell, Inc., makes no representations or warranties

More information

SAS BI Dashboard 4.4. User's Guide Second Edition. SAS Documentation

SAS BI Dashboard 4.4. User's Guide Second Edition. SAS Documentation SAS BI Dashboard 4.4 User's Guide Second Edition SAS Documentation The correct bibliographic citation for this manual is as follows: SAS Institute Inc. 2013. SAS BI Dashboard 4.4: User's Guide, Second

More information

DigitalPersona Pro. Password Manager. Version 5.x. Application Guide

DigitalPersona Pro. Password Manager. Version 5.x. Application Guide DigitalPersona Pro Password Manager Version 5.x Application Guide 1996-2012 DigitalPersona, Inc. All Rights Reserved. All intellectual property rights in the DigitalPersona software, firmware, hardware

More information

PORTAL ADMINISTRATION

PORTAL ADMINISTRATION 1 Portal Administration User s Guide PORTAL ADMINISTRATION GUIDE Page 1 2 Portal Administration User s Guide Table of Contents Introduction...5 Core Portal Framework Concepts...5 Key Items...5 Layouts...5

More information

ThirtySix Software WRITE ONCE. APPROVE ONCE. USE EVERYWHERE. www.thirtysix.net SMARTDOCS 2014.1 SHAREPOINT CONFIGURATION GUIDE THIRTYSIX SOFTWARE

ThirtySix Software WRITE ONCE. APPROVE ONCE. USE EVERYWHERE. www.thirtysix.net SMARTDOCS 2014.1 SHAREPOINT CONFIGURATION GUIDE THIRTYSIX SOFTWARE ThirtySix Software WRITE ONCE. APPROVE ONCE. USE EVERYWHERE. www.thirtysix.net SMARTDOCS 2014.1 SHAREPOINT CONFIGURATION GUIDE THIRTYSIX SOFTWARE UPDATED MAY 2014 Table of Contents Table of Contents...

More information

Version 10.3. End User Help Files. GroupLink Corporation 2014 GroupLink Corporation. All rights reserved

Version 10.3. End User Help Files. GroupLink Corporation 2014 GroupLink Corporation. All rights reserved Version 10.3 End User Help Files GroupLink Corporation 2014 GroupLink Corporation. All rights reserved GroupLink and everything HelpDesk are registered trademarks of GroupLink Corporation. The information

More information

Version 11.0.1. End User Help Files. GroupLink Corporation 2015 GroupLink Corporation. All rights reserved

Version 11.0.1. End User Help Files. GroupLink Corporation 2015 GroupLink Corporation. All rights reserved Version 11.0.1 End User Help Files GroupLink Corporation 2015 GroupLink Corporation. All rights reserved GroupLink and everything HelpDesk are registered trademarks of GroupLink Corporation. The information

More information

RSM Web Gateway RSM Web Client INSTALLATION AND ADMINISTRATION GUIDE

RSM Web Gateway RSM Web Client INSTALLATION AND ADMINISTRATION GUIDE RSM Web Gateway RSM Web Client INSTALLATION AND ADMINISTRATION GUIDE Installation and Administration Guide RSM Web Client and RSM Web Gateway 17 August, 2004 Page 1 Copyright Notice 2004 Sony Corporation.

More information

Decision Support AITS University Administration. EDDIE 4.1 User Guide

Decision Support AITS University Administration. EDDIE 4.1 User Guide Decision Support AITS University Administration EDDIE 4.1 User Guide 2 P a g e EDDIE (BI Launch Pad) 4.1 User Guide Contents Introduction to EDDIE... 4 Log into EDDIE... 4 Overview of EDDIE Homepage...

More information

Colligo Email Manager 5.1. User Guide

Colligo Email Manager 5.1. User Guide 5.1 User Guide Contents Enterprise Email Management for SharePoint 2010 1 Benefits 1 Key Features 1 Platforms Supported 1 Installing and Activating Colligo Email Manager 2 Managing SharePoint Sites 5 Adding

More information

GETTING STARTED WITH COVALENT BROWSER

GETTING STARTED WITH COVALENT BROWSER GETTING STARTED WITH COVALENT BROWSER Contents Getting Started with Covalent Browser... 1 What is the Browser Version?... 4 Logging in... 5 The URL address... 5 Home page... 5 Menu bar... 5 Go To button...

More information

EmpCenter Employee Training for Harvey Mudd College. TR-01: Time and Attendance Employee Functions

EmpCenter Employee Training for Harvey Mudd College. TR-01: Time and Attendance Employee Functions ` EmpCenter Employee Training for Harvey Mudd College TR-01: Time and Attendance Employee Functions LEGAL NOTICES Copyright 2012 WorkForce Software All Rights Reserved. WorkForce Software 38705 Seven Mile

More information

JD Edwards EnterpriseOne Tools. 1 Understanding JD Edwards EnterpriseOne Business Intelligence Integration. 1.1 Oracle Business Intelligence

JD Edwards EnterpriseOne Tools. 1 Understanding JD Edwards EnterpriseOne Business Intelligence Integration. 1.1 Oracle Business Intelligence JD Edwards EnterpriseOne Tools Embedded Business Intelligence for JD Edwards EnterpriseOne Release 8.98 Update 4 E21426-02 March 2011 This document provides instructions for using Form Design Aid to create

More information

POINT OF SALES SYSTEM (POSS) USER MANUAL

POINT OF SALES SYSTEM (POSS) USER MANUAL Page 1 of 24 POINT OF SALES SYSTEM (POSS) USER MANUAL System Name : POSI-RAD System Release Version No. : V4.0 Total pages including this covering : 23 Page 2 of 24 Table of Contents 1 INTRODUCTION...

More information

ChangeAuditor 6.0. Web Client User Guide

ChangeAuditor 6.0. Web Client User Guide ChangeAuditor 6.0 Web Client User Guide 2013 Quest Software, Inc. ALL RIGHTS RESERVED This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

Installing LearningBay Enterprise Part 2

Installing LearningBay Enterprise Part 2 Installing LearningBay Enterprise Part 2 Support Document Copyright 2012 Axiom. All Rights Reserved. Page 1 Please note that this document is one of three that details the process for installing LearningBay

More information

Microsoft Access 2010 Part 1: Introduction to Access

Microsoft Access 2010 Part 1: Introduction to Access CALIFORNIA STATE UNIVERSITY, LOS ANGELES INFORMATION TECHNOLOGY SERVICES Microsoft Access 2010 Part 1: Introduction to Access Fall 2014, Version 1.2 Table of Contents Introduction...3 Starting Access...3

More information

Creating a Patch Management Dashboard with IT Analytics Hands-On Lab

Creating a Patch Management Dashboard with IT Analytics Hands-On Lab Creating a Patch Management Dashboard with IT Analytics Hands-On Lab Description This lab provides a hands-on overview of the IT Analytics Solution. Students will learn how to browse cubes and configure

More information

ER/Studio Enterprise Portal 1.0.2 User Guide

ER/Studio Enterprise Portal 1.0.2 User Guide ER/Studio Enterprise Portal 1.0.2 User Guide Copyright 1994-2008 Embarcadero Technologies, Inc. Embarcadero Technologies, Inc. 100 California Street, 12th Floor San Francisco, CA 94111 U.S.A. All rights

More information

HIRSCH Velocity Web Console Guide

HIRSCH Velocity Web Console Guide HIRSCH Velocity Web Console Guide MAN012-1112 HIRSCH Velocity Web Console Guide MAN012-1112, November 2012 Version 1.1 Copyright 2012 Identive Group. All rights reserved. ScramblePad and ScrambleProx are

More information

Introduction to Google Apps for Business Integration

Introduction to Google Apps for Business Integration Introduction to Google Apps for Business Integration Overview Providing employees with mobile email access can introduce a number of security concerns not addressed by most standard email security infrastructures.

More information

SharePoint 2010 Web Publishing Manual

SharePoint 2010 Web Publishing Manual SharePoint 2010 Web Publishing Manual 1. IE browser settings 2 2. Logging on 11 3. Exploring the Web Publishing Environment 11 4. Text editing 14 5. Inserting and uploading images 16 6. Uploading and downloading

More information

EMC Smarts Network Configuration Manager

EMC Smarts Network Configuration Manager EMC Smarts Network Configuration Manager Version 9.4.1 Advisors User Guide P/N 302-002-279 REV 01 Copyright 2013-2015 EMC Corporation. All rights reserved. Published in the USA. Published October, 2015

More information

1 of 31. SharePoint 2010 Web Publishing Manual. 1. IE Settings. Step 1: Adding your SharePoint site to Local Intranet zone. 1. IE browser settings 2

1 of 31. SharePoint 2010 Web Publishing Manual. 1. IE Settings. Step 1: Adding your SharePoint site to Local Intranet zone. 1. IE browser settings 2 1 of 31 SharePoint 2010 Web Publishing Manual 1. IE browser settings 2 2. Logging on 11 3. Exploring the Web Publishing Environment 11 4. Text editing 14 5. Inserting and uploading images 16 6. Uploading

More information

DataPA OpenAnalytics End User Training

DataPA OpenAnalytics End User Training DataPA OpenAnalytics End User Training DataPA End User Training Lesson 1 Course Overview DataPA Chapter 1 Course Overview Introduction This course covers the skills required to use DataPA OpenAnalytics

More information

Net Inspector 2015 GETTING STARTED GUIDE. MG-SOFT Corporation. Document published on October 16, 2015. (Document Version: 10.6)

Net Inspector 2015 GETTING STARTED GUIDE. MG-SOFT Corporation. Document published on October 16, 2015. (Document Version: 10.6) MG-SOFT Corporation Net Inspector 2015 GETTING STARTED GUIDE (Document Version: 10.6) Document published on October 16, 2015 Copyright 1995-2015 MG-SOFT Corporation Introduction In order to improve the

More information

GUIDE. Web Client Application. Model: ER 4.0. Release 4.0.00 / Version No.: 1.01

GUIDE. Web Client Application. Model: ER 4.0. Release 4.0.00 / Version No.: 1.01 8e6R Enterprise Reporter USER GUIDE Web Client Application Model: ER 4.0 Release 4.0.00 / Version No.: 1.01 ii 8E6 TECHNOLOGIES, ENTERPRISE REPORTER WEB CLIENT USER GUIDE 8E6 ENTERPRISE REPORTER WEB CLIENT

More information

There are numerous ways to access monitors:

There are numerous ways to access monitors: Remote Monitors REMOTE MONITORS... 1 Overview... 1 Accessing Monitors... 1 Creating Monitors... 2 Monitor Wizard Options... 11 Editing the Monitor Configuration... 14 Status... 15 Location... 17 Alerting...

More information

Smart Web. User Guide. Amcom Software, Inc.

Smart Web. User Guide. Amcom Software, Inc. Smart Web User Guide Amcom Software, Inc. Copyright Version 4.0 Copyright 2003-2005 Amcom Software, Inc. All Rights Reserved. Information in this document is subject to change without notice. The software

More information

HP Storage Essentials Storage Resource Management Report Optimizer Software 6.0. Building Reports Using the Web Intelligence Java Report Panel

HP Storage Essentials Storage Resource Management Report Optimizer Software 6.0. Building Reports Using the Web Intelligence Java Report Panel HP Storage Essentials Storage Resource Management Report Optimizer Software 6.0 Building Reports Using the Web Intelligence Java Report Panel First edition: July 2008 Legal and notice information Copyright

More information

BI 4.1 Quick Start Java User s Guide

BI 4.1 Quick Start Java User s Guide BI 4.1 Quick Start Java User s Guide BI 4.1 Quick Start Guide... 1 Introduction... 4 Logging in... 4 Home Screen... 5 Documents... 6 Preferences... 8 Web Intelligence... 12 Create a New Web Intelligence

More information

SmartBar for MS CRM 2013

SmartBar for MS CRM 2013 SmartBar for MS CRM 2013 Version 2013.26 - April 2014 Installation and User Guide (How to install/uninstall and use SmartBar for MS CRM 2013) The content of this document is subject to change without notice.

More information

Universal Simple Control, USC-1

Universal Simple Control, USC-1 Universal Simple Control, USC-1 Data and Event Logging with the USB Flash Drive DATA-PAK The USC-1 universal simple voltage regulator control uses a flash drive to store data. Then a propriety Data and

More information

Load testing with. WAPT Cloud. Quick Start Guide

Load testing with. WAPT Cloud. Quick Start Guide Load testing with WAPT Cloud Quick Start Guide This document describes step by step how to create a simple typical test for a web application, execute it and interpret the results. 2007-2015 SoftLogica

More information

29200 Northwestern Hwy Suite 350 Southfield, MI 48034. 1-866-4WINSPC winspc.com

29200 Northwestern Hwy Suite 350 Southfield, MI 48034. 1-866-4WINSPC winspc.com 29200 Northwestern Hwy Suite 350 Southfield, MI 48034 1-866-4WINSPC winspc.com 2016 DataNet Quality Systems. All rights reserved. WinSPC is a registered trademark of DataNet Quality Systems. Document Version:

More information

Business Insight Report Authoring Getting Started Guide

Business Insight Report Authoring Getting Started Guide Business Insight Report Authoring Getting Started Guide Version: 6.6 Written by: Product Documentation, R&D Date: February 2011 ImageNow and CaptureNow are registered trademarks of Perceptive Software,

More information

Configuration Information

Configuration Information This chapter describes some basic Email Security Gateway configuration settings, some of which can be set in the first-time Configuration Wizard. Other topics covered include Email Security interface navigation,

More information

Installation and Operation Manual Portable Device Manager, Windows version

Installation and Operation Manual Portable Device Manager, Windows version Installation and Operation Manual version version About this document This document is intended as a guide for installation, maintenance and troubleshooting of Portable Device Manager (PDM) and is relevant

More information

Strategic Asset Tracking System User Guide

Strategic Asset Tracking System User Guide Strategic Asset Tracking System User Guide Contents 1 Overview 2 Web Application 2.1 Logging In 2.2 Navigation 2.3 Assets 2.3.1 Favorites 2.3.3 Purchasing 2.3.4 User Fields 2.3.5 History 2.3.6 Import Data

More information

Decision Support AITS University Administration. Web Intelligence Rich Client 4.1 User Guide

Decision Support AITS University Administration. Web Intelligence Rich Client 4.1 User Guide Decision Support AITS University Administration Web Intelligence Rich Client 4.1 User Guide 2 P age Web Intelligence 4.1 User Guide Web Intelligence 4.1 User Guide Contents Getting Started in Web Intelligence

More information

UH CMS Basics. Cascade CMS Basics Class. UH CMS Basics Updated: June,2011! Page 1

UH CMS Basics. Cascade CMS Basics Class. UH CMS Basics Updated: June,2011! Page 1 UH CMS Basics Cascade CMS Basics Class UH CMS Basics Updated: June,2011! Page 1 Introduction I. What is a CMS?! A CMS or Content Management System is a web based piece of software used to create web content,

More information