
Analyzing messages


When faced with a long list of messages, you might find it useful to use the Analyze Recent Messages function to:

  • Detect anomalous behavior
  • Identify the busiest (or least busy) devices on your system
  • Graph message data
  • Break down the messages by device, user, facility, severity, common fields, or any arbitrary parse function.

To access the Analyze Recent Messages function, select Messages > Search and click Analyze Recent Messages (the magnifying glass icon). This hyperlink also appears on the Reports > Query page and in various catalog windows (for example, Devices, Users, or Threads).

Clicking Analyze Recent Messages opens the Analyze Catalog Messages window. At the top of the Analyze Catalog Messages window, click one of the following hyperlinks:

Devices: Breaks down messages by device. Lists all devices in the selected messages and displays the number of messages for each device.

Users: Breaks down messages by user name. Lists all user names in the selected messages and displays the number of messages for each user. The user names displayed are the same as those discovered by the server system and displayed in the Messages > Catalogs > Users window.

Facilities: Breaks down messages by facility code. Lists all the syslog facility codes in the selected messages and displays the number of messages for each syslog facility.

Severities: Breaks down messages by severity. Lists all the syslog severity codes in the selected messages and displays the number of messages for each severity.

Freq: Displays the time between messages within the message set. This view is similar to a discrete frequency domain (DFFT) view of the system messages. It is useful for seeing the periodicity of the messages received, especially for behavioral analysis of the message set.

Common Fields: Lists common fields parsed from the messages. Selecting an item from the menu submits a parse specification for that field to the Parse function, which is described under Parse Spec below.

Parse Spec: Runs the Parse Message function, which enables you to parse any arbitrary message, string, or segment from the message set, tabulating occurrences of the parsed value. This feature is useful when you perform a forensic investigation or are simply attempting to understand the behavior of messages. You can also use parse expressions entered in the Analyze Recent Messages window with the Parse-Thread-Gadget and other Dashboard facility gadgets.

WinEvt: Displays occurrence counts by Windows Event Codes within the message set. This hyperlink might not be displayed, depending upon the current configuration of the BMC Defender Server installation.
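The breakdowns above (by device, facility, severity, inter-message time, and an arbitrary parse specification) can be reproduced offline when you need to check or extend what the window shows. The following is an added example, not BMC Defender code; the syslog lines are constructed, and the PRI decoding follows RFC 5424 (facility = PRI / 8, severity = PRI mod 8).

```python
"""Offline breakdowns of a syslog message set, mirroring the Devices, Facilities,
Severities, Freq and Parse Spec views. Added example; the log lines are constructed."""
import re
from collections import Counter
from datetime import datetime

# Constructed RFC 5424-style lines: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME ...
SAMPLE = """\
<86>1 2023-11-02T10:00:00Z fw01 sshd - - - Accepted publickey for alice
<86>1 2023-11-02T10:00:30Z fw01 sshd - - - Accepted publickey for bob
<38>1 2023-11-02T10:01:00Z fw01 sshd - - - Failed password for root
<38>1 2023-11-02T10:01:02Z fw01 sshd - - - Failed password for root
<14>1 2023-11-02T10:01:30Z web02 nginx - - - GET /login 200
<3>1 2023-11-02T10:02:00Z web02 kernel - - - Out of memory: Killed process
"""

# Subset of the RFC 5424 facility table; unknown codes fall back to the number.
FACILITY = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
            5: "syslog", 10: "authpriv", 13: "log_audit"}
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>\d (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) ")

def parse(text):
    """Yield one record (device, facility, severity, timestamp) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than mis-attribute it to a device
        pri = int(m["pri"])
        yield {
            "device": m["host"],
            "facility": FACILITY.get(pri >> 3, str(pri >> 3)),  # PRI = facility*8 + severity
            "severity": SEVERITY[pri & 7],
            "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        }

def breakdown(records, field):
    """Devices / Facilities / Severities views: message count per distinct value."""
    return Counter(r[field] for r in records)

def gaps_seconds(records):
    """Freq view: whole seconds between consecutive messages, in time order."""
    ts = sorted(r["ts"] for r in records)
    return [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]

def parse_spec(text, pattern):
    """Parse Spec view: tabulate occurrences of an arbitrary captured segment."""
    return Counter(m.group(1) for m in re.finditer(pattern, text, re.MULTILINE))
```

A short, irregular gap in the Freq output (here the 2-second pair of failed root logins) is the kind of burst the page's behavioral analysis is meant to surface.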


BMC Defender SIEM Correlation Server 6.1