FAQ

Log collection

Can I send logs from a firewall to BMC Helix Log Analytics without installing a connector?

Yes. For more information, see Log-collection-endpoints-in-the-REST-API and knowledge article.

If my REST API returns token or key in a format that is not JSON, can I still fetch the token or key dynamically?

No. To get a connection token or key dynamically, if the API response is not in JSON format, you cannot fetch the token or key dynamically in BMC Helix Log Analytics.

For which integrations can I use Windows and Linux connectors?

Use Windows and Linux connectors to collect logs from Windows and Linux-based applications by configuring the Collect logs from file integration..

Alert policies

In an alert policy how many fields are allowed in the Group by field?

Three

What is the role of precedence value in alert policies execution?

Alert policies are evaluated and executed with the lower precedence value to higher. Note that the lower the number, the higher the precedence.

Can I use the alerts created in the Explorer?

Events will be generated for existing alerts. However, options to create, edit, enable, or disable alerts from the Explorer are disabled. Use the Alert Policies option from the Alerts menu. To avaoid duplicacy, after adding alert policies, delete the corresponding alerts in the Explorer.

Can I add alert polciy selection criteria on a field that is added by enriching the logs?

Yes. Policy evaluation is done in phases. Enrichment policies are run before alert policies.

Anomaly detection

How much time does it take to generate a model?

It takes around 10 minutes to generate a model. After the model is generated, anomaly detection starts.

In how much time the model is updated?

The model is updated in every 6 hours.

How many logs are required to generate a model?

You need at least 50000 logs that match the alert policy condition that you have configured.

What happens if I do not have minimum logs to generate a model?

If 50000 logs are not available in your data store that match the alert policy selection criteria, the model is not generated. The algorithm will try after every 6 hours. When 50000 logs are found, model is generated.

If I edit the policy, is the model regenerated?

Yes. The model is also regenerated if you edit a policy.

Archive and restore

I don't see the option to archive or restore logs or the Logs Archival page. How do I get it?

The option to archive and restore logs is disabled by default. To get it enabled, contact BMC Support.  

How often logs are archived?

Logs are archived each day after the retention period is over. For example, the retention period as per your license entitlement is 30 days, the logs collected on May 1st are archived on May 31st. Similarly, the logs collected on May 2nd will be archived on June 1st.

How can I restore the logs?

Restore logs on the Log Archival page. For more information, see Archiving-and-restoring-logs.

Can I search the archived logs?

No, you cannot search the archived logs. First, restore the archived logs and then search.

How long archived logs are stored?

Archived logs are purged after the archival period is over. This period is set for each tenant when the feature is enabled.  

Will the restored logs be archived automatically?

Yes, restored logs are archived automatically after the restore period (depends on your license entitlement) is over. However, you can also archive the restored logs manually. For more information, see Archiving-and-restoring-logs.

Where do I see the restored logs?

Logs are archived automatically after the retention days are over. All logs are stored together in an index that is displayed on the Archive and Restore page. When you restore such an index, the restored logs are shown in the index pattern with the logarc_* format. 

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*