Analyze Catalog Messages screen


The Analyze Catalog Messages screen is accessed by clicking on the Analyze Messages hyperlink at the top of the Catalog Viewer Utility screen shown previously. This screen allows the operator to quickly see the occurrences of any devices, users, facilities, and severities within the catalog set. The screen is particularly useful for analyzing the contents of a Thread (that might contain diverse data sources and message types). A typical depiction of the Analyze Catalog Messages screen is shown as follows:

[Screenshot: Analyze Catalog Messages screen]

The preceding screen shows a typical depiction of the Analyze Messages screen, here showing the distribution of facilities for the Common Threats thread over the last day. The operator can select the analysis item to be Devices, Users, Facilities or Severities, and can change the time span to anything from one hour to ten days. To view all the occurrences of a particular item, the operator clicks the item's hyperlinked name.

Types of Analyze functions

The Analyze function depicts occurrence counts associated with raw message data. The following links appear at the top of the screen and permit you to switch between the various occurrence counting functions within the data. You can either select a link at the top of the screen, or select the function from the Item drop-down menu. The functions are as follows:

  • Devices—This function tabulates the device counts within the selected data. If the operator drills down into a Device catalog, this function depicts just the device that was selected. Otherwise, the function lists all the unique devices in the recent messages of the selected catalog.
  • Users—This function tabulates the user counts within the selected data, using the Users > Catalogs screen as a reference for user names. If the operator drills down into a User catalog, this function depicts just the user that was selected. Otherwise, the function lists all the unique user names in the recent messages of the selected catalog.
  • Facilities—This function tabulates the facility counts within the selected data. If the operator drills down into a Facility catalog, this function depicts just the facility that was selected. Otherwise, the function lists all the unique facility names in the recent messages of the selected catalog.
  • Severities—This function tabulates the severity counts within the selected data. If the operator drills down into a Severity catalog, this function depicts just the severity that was selected. Otherwise, the function lists all the unique severity names in the recent messages of the selected catalog.
  • Freq—This function is slightly different from other functions above. Rather than processing occurrence counts of items, the program tabulates the time between messages, achieving a spectrum analysis similar to (but not the same as) a Discrete Fourier Transform. This gives a projection of the message rates and how often messages occur within a set of messages.
  • WinEvt—This function tabulates the Windows Event counts within the selected data. This link and function appear only if the selected data contains Windows event messages. The function lists the Windows Application, System and Security event codes in the recent messages of the selected catalog.
  • Common Fields—This function is a drop-down menu that permits the operator to select common fields that have been parsed from the raw messages. The function scans the first several hundred messages in the raw message list and composes Parse Functions for the specific data. This is similar to the Parse Spec function below, except that it adds convenience by automatically detecting parse specifications.
  • Parse Spec—This function displays an input window where the operator can enter any arbitrary Parse Specification, to parse any particular field within the data. Assistance on Parse Specifications is provided as a link when this function is selected.
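As an added illustration of the occurrence counting that the Devices, Facilities and Severities functions perform (this is not the product's own code), the following Python script decodes the syslog PRI field of constructed BSD-style syslog lines into facility and severity names and tabulates the unique devices. The line format, the sample messages and the skipping of unparseable lines are assumptions made for the example.

```python
import re
from collections import Counter

# Standard syslog facility (PRI // 8) and severity (PRI % 8) names.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumed BSD-style line: <PRI>Mon DD HH:MM:SS host program[pid]: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")

# Constructed sample messages (192.0.2.10 is a documentation address).
SAMPLE_MESSAGES = [
    "<38>Mar 22 16:28:22 fw01 sshd[4242]: Failed password for invalid user admin from 192.0.2.10 port 51522 ssh2",
    "<34>Mar 22 16:28:25 fw01 sshd[4242]: pam_unix(sshd:auth): authentication failure",
    "<13>Mar 22 16:29:01 web01 logger: deploy finished",
    "<86>Mar 22 16:29:07 web01 sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls",
    "<75>Mar 22 16:30:00 db01 CRON[100]: (root) CMD (/usr/bin/backup)",
    "this line is not syslog and must be skipped",
]

def parse_line(line):
    """Split one raw line into device, facility, severity and message, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # largest valid PRI is local7/debug = 23 * 8 + 7
        return None
    return {"device": m.group("host"),
            "facility": FACILITIES[pri // 8],
            "severity": SEVERITIES[pri % 8],
            "message": m.group("rest")}

def tabulate(lines):
    """Occurrence counts per device, facility and severity, as the Analyze functions show them."""
    counts = {"Devices": Counter(), "Facilities": Counter(), "Severities": Counter()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # an unparseable line is skipped rather than guessed at
        counts["Devices"][rec["device"]] += 1
        counts["Facilities"][rec["facility"]] += 1
        counts["Severities"][rec["severity"]] += 1
    return counts

if __name__ == "__main__":
    for item, counter in tabulate(SAMPLE_MESSAGES).items():
        print(item, counter.most_common())
```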

Frequency analysis

As discussed previously, the Freq link and type of analysis furnishes special utility in analyzing the periodicity and frequency of occurring messages within a set of messages. The time between messages is placed into a logarithmic bucket (with time intervals selected to capture common time frames, such as hourly, daily, and weekly activities). When you click on one of these time window links, the messages that occurred within that window are displayed.
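An added example (not code from the product) of the interval bucketing the Freq function describes: the gap between consecutive messages in a set of constructed timestamps is placed into a logarithmic bucket, and each bucket remembers which messages it holds, which is what the time window links display. The bucket edges are an assumption chosen to separate sub-second, minute, hour, day and week scales; the product's exact edges are not documented here.

```python
from bisect import bisect_right
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed bucket upper edges in seconds: 1 s, 10 s, 1 min, 10 min, 1 h, 1 day, 1 week.
EDGES = [1, 10, 60, 600, 3600, 86400, 604800]
LABELS = ["<1s", "1s-10s", "10s-1m", "1m-10m", "10m-1h", "1h-1d", "1d-1w", ">=1w"]

def bucket_for(seconds):
    """Label of the logarithmic bucket [EDGES[i-1], EDGES[i]) that holds an interval."""
    return LABELS[bisect_right(EDGES, seconds)]

def frequency_spectrum(timestamps):
    """Tabulate time-between-messages for time-ordered timestamps.

    Returns (count per bucket, {bucket: indexes of the messages that ended an
    interval in that bucket}); the second value models the time window links,
    which list the messages whose preceding gap fell in the window.
    """
    counts, members = Counter(), defaultdict(list)
    for i in range(1, len(timestamps)):
        gap = (timestamps[i] - timestamps[i - 1]).total_seconds()
        if gap < 0:
            raise ValueError("timestamps must be sorted")
        label = bucket_for(gap)
        counts[label] += 1
        members[label].append(i)
    return counts, dict(members)

def dominant_window(counts):
    """The bucket with the most intervals; a sharp peak indicates periodic activity."""
    return counts.most_common(1)[0] if counts else None

# Constructed sample: one source emitting a message every 5 minutes, plus a
# short burst of two extra messages 0.2 s apart after the second one.
BASE = datetime(2019, 3, 22, 16, 28, 22)
SAMPLE_TIMESTAMPS = sorted(
    [BASE + timedelta(seconds=300 * k) for k in range(6)]
    + [BASE + timedelta(seconds=300.2), BASE + timedelta(seconds=300.4)])

if __name__ == "__main__":
    counts, members = frequency_spectrum(SAMPLE_TIMESTAMPS)
    for label in LABELS:
        if counts[label]:
            print(f"{label:>7}: {counts[label]} messages {members[label]}")
    print("dominant window:", dominant_window(counts))
```

A busy, mixed catalog tends to pile everything into the "<1s" bucket, so the peak at "1m-10m" only becomes visible once the catalog is narrowed to one source, as the note below explains.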

Note

Each message listed for a given time window was preceded by another message at a time interval that falls within that window. (To view the preceding message, click the detail for the listed message, and then click Prev.)

Frequency Analysis furnishes a powerful mechanism for determining the behavior of messages for a given group.

Example

If the operator has drilled into a particular user, the Frequency setting depicts how often that user performs an activity that generates a message.

Note

If you click the Freq link for All Messages, or for a busy general-purpose thread, the frequency of messages might show very little variation. Clicking the Freq link on the Analyze screen for the Messages > Search facility typically shows that all messages occurred at intervals under one second. As message catalogs become more specific, a better representation of the message frequency of a particular type can be seen.


BMC AMI Command Center for Security 6.2