Analyzing messages


When presented with a long list of messages, you might have questions about how to approach what is being displayed, especially if you are new to the message format structure, or have no idea what to search for.

Whenever a long list of messages is presented, you are given two links at the top of the screen:

  1. You can graph the data to get a time sense of the messages being viewed, and;
  2. You can Analyze the data, to see a breakdown of the messages by devices, users, facilities, severities, common fields, or any arbitrary Parse function.

The Analyze function is particularly easy to get started with and very powerful for seeing anomalous behavior, or which devices are the busiest (or least busy) on the system. Whenever the operator is presented with a long list of messages, clicking the Analyze link at the top of the display is a great way to make sense of the message data.

The Analyze link (identified with a magnifying glass) appears on the top level Messages > Search screen and on the various catalog screens of the system (Devices, Users, Threads.) The Analyze function also appears on the Reports > Query screen. When you click the link, you can quickly explore the data, including viewing Common Fields and graphs of that data associated with the particular messages being presented.

Analyze messages screen, additional notes

Whenever the operator is presented with a list of raw messages, the operator can click the Analyze link (Magnifying Glass icon) that appears towards the top of the screen. The Analyze screen breaks the message set into occurrence counts, showing selected items and the counts in the message set. From this screen, the operator can view the messages associated with a particular item by clicking one of the following links at the top of the Analyze screen: 

  • Devices—Clicking this link shows a list of all the devices in the selected messages, showing the number of messages for each device and permitting the operator to view the messages by device. 
  • Users—Clicking this link shows a list of all the user names in the selected messages, showing the number of messages for each user, and enabling the user to view the messages by user name. The user names shown are the same names that are depicted on the Messages > Catalogs > Users screen, discovered by the server system.
  • Facilities—Clicking this link shows a list of all the syslog facility codes in the selected messages, showing the number of messages for each syslog facility and enabling the operator to view the messages by facility code. 
  • Severities—Clicking this link shows a list of all the syslog severity codes in the selected messages, showing the number of messages for each severity, and enabling the operator to view the messages by severity. 
  • Freq—Clicking this link shows a frequency view of the selected messages (that is, the time between messages within the message set). This is similar to a discrete frequency domain (DFFT) view of the system messages, useful for seeing the periodicity of the messages received, especially useful for behavioral analysis of the message set. 
  • Common Fields—Clicking this link shows a drop-down list of common fields parsed from the messages, appropriate for the message set. Selecting an item from the drop-down menu submits a Parse Specification for the field (see the description of the Parse function.) This furnishes a fast way to get started with the parse function. 
  • Parse—This special link executes the Parse Message function where you can parse any arbitrary message, string, or segment from the message set, tabulating occurrences of the message. This feature is extremely powerful when performing a forensic investigation, or simply attempting to understand the behavior of messages. Parse expressions, entered into the Analyze screen, can also be used with the Parse-Thread-Gadget and other gadgets of the Dashboard facility. 

Other items (such as WinEvt messages, which shows occurrence counts by Windows Event Codes within the message set) might also exist, depending upon the current configuration of the BMC Defender Server installation.

BMC Defender SIEM Correlation Server 6.0