Log data can be massive even in small organizations. Many of these logs might just be routine messages that don’t concern you, but others contain data that is critical to your network’s security. You want your security information and event management solution to provide efficient mechanisms to search through this log data. This is particularly helpful for network troubleshooting and the backtracking of security attacks.
To search for specific logs, you could type a search query such as:
USERNAME = "John" AND EVENTID = "4672" AND SEVERITY = "success"
However, typing out queries like this every time you need to search for something is neither an effective nor an efficient way to search logs. Search queries become more complex as additional search criteria are added. Moreover, you must be able to view all the data pertaining to a particular field in a single window to track events effectively. Say, for instance, you need to see all the hosts accessed by a particular user at a single glance.
EventLog Analyzer has a smarter search option, which allows you to intuitively create a complex search query in a jiffy.
Intuitive search mechanism of EventLog Analyzer
The first way to narrow down your search criteria is by choosing the log type, as shown in Figure 1.
Figure 1. Selecting the log type.
This will list all the Windows Event Log data for the specified time interval, as you can see in Figure 2.
Figure 2. Viewing the Windows Event Log data.
If you want to track the special logons made by a particular user on a particular machine, first, click on the Username field, which will display all the active users in ascending or descending order. You can select the user of interest here (see Figure 3).
Figure 3. Selecting the user you want to track.
By clicking on the Type field in the log message, you can track all the different types of logs generated by this user such as security, application, PowerShell logs, and so on, as shown in Figure 4.
Figure 4. Selecting the type of logs you want to track.
Next, select the host on which you want to monitor the user’s activity by clicking on the Host field in the log message (see Figure 5).
Figure 5. Selecting the host you want to monitor.
And finally, you can select the event ID by clicking on the Event ID field in the log message, as shown in Figure 6. This will list the events performed by the selected user on the selected host.
Figure 6. Selecting the Event ID.
In this way, complex search queries can be performed conveniently in just a few simple steps! You can also easily save the results of your search as a report, or save the search query as an alert.
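The drill-down above is a conjunction built one field at a time: each click lists the distinct values of a field among the records matched so far, and picking one adds a criterion. The following Python is an added illustration of that mechanism, not code from EventLog Analyzer; the event records, field names and class are constructed for the example.

```python
from collections import Counter

# Constructed sample Windows Event Log records for illustration (not real data).
EVENTS = [
    {"username": "John", "type": "Security", "host": "WS-01", "eventid": "4672", "severity": "success"},
    {"username": "John", "type": "Security", "host": "WS-01", "eventid": "4624", "severity": "success"},
    {"username": "John", "type": "Security", "host": "DC-01", "eventid": "4672", "severity": "success"},
    {"username": "John", "type": "PowerShell", "host": "WS-01", "eventid": "4104", "severity": "success"},
    {"username": "Alice", "type": "Security", "host": "WS-02", "eventid": "4672", "severity": "success"},
    {"username": "Alice", "type": "Application", "host": "WS-02", "eventid": "1000", "severity": "error"},
]


class LogSearch:
    """Narrow a set of log records one field at a time, the way the walk-through does."""

    def __init__(self, events):
        self.events = list(events)
        self.criteria = {}  # field -> selected value, in the order the fields were clicked

    def matches(self):
        """Records satisfying every criterion selected so far (an AND of all selections)."""
        return [e for e in self.events
                if all(e.get(field) == value for field, value in self.criteria.items())]

    def facet(self, field, descending=False):
        """Distinct values of `field` among the current matches, with counts, sorted."""
        counts = Counter(e[field] for e in self.matches())
        return sorted(counts.items(), reverse=descending)

    def select(self, field, value):
        """Click on a field value: add it to the conjunction and return self for chaining."""
        self.criteria[field] = value
        return self

    def query(self):
        """The text query equivalent to the current selections."""
        return " AND ".join(f'{f.upper()} = "{v}"' for f, v in self.criteria.items())


def special_logons(events, user, host):
    """Steps of the walk-through: user -> Security log -> host -> event ID 4672 (special logon)."""
    search = (LogSearch(events).select("username", user).select("type", "Security")
              .select("host", host).select("eventid", "4672"))
    return search.query(), search.matches()


if __name__ == "__main__":
    s = LogSearch(EVENTS).select("username", "John")
    print("hosts accessed by John:", s.facet("host"))  # all hosts at a single glance
    q, hits = special_logons(EVENTS, "John", "WS-01")
    print(q, "->", len(hits), "event(s)")
```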
Learn more about EventLog Analyzer’s search capabilities here.