Acer eDC 宏碁雲架構 - acer eDC｜safe3-0-operation-manual-log-en

Logs

Select "Logs" → "Search" from the left menu to access the basic search page.

1.Field Settings

(1) Click "Field Setting" icon to open the field settings window. Once finished, click "Save" to complete the settings.

(2) Relational Query Field Settings

Click on the blank space in the input box to open the dropdown menu, allowing users to set search fields as needed.
You can set search fields for Destination IP/Destination Port/Source IP/Source Port/Action, and input keywords for success and failure.

(3) Windows Field Settings

Set the search field for the Event ID.
Click on the blank space in the input box to open the dropdown menu for setting the search Event ID.

2. Search Functionality

(1) Relational Search: Directly input Source IP/Destination IP/Source Port/Destination Port information to query specific IP/Port events.

(2) Windows：Directly input the host's hostname or select a preset account audit event from the dropdown menu to search for events.

3. Query Results

Click the "Export Search" icon to export logs in CSV format.

Click the "Host Distribution" to open the top5 host list.

Click the host name or host ip to open the host search result.

Advance Search

1. Search Sources

The indices corresponding to various logs are as follows：

(1)metricbeat-*：Represents the host's system monitoring logs.

(2)weblog-*：Represents the Safe3.0 web activity logs.

(3)safe3r2-*：Represents host client logs.

2.Keyword Search

Instructions and basic syntax for keyword search:

String Query: Consists of one or more words or phrases, with phrases in double quotes, e.g., "test search".
Specific Field Query: SAFE3.0 supports searching specific fields, e.g., EventID: 4726.
Regex Query: SAFE3.0 supports wildcards for uncertain strings, e.g., "*" for multiple characters or "?" for a single character.
Range Query: SAFE3.0 supports range queries, using brackets for inclusive/exclusive bounds, e.g., response time: [10 TO *] for events with response time greater than or equal to 10.
Operators: Use AND, OR, NOT to combine queries, e.g., NOT EventID: 4726 excludes EventID 4726.

3.Keyword Search Example

To query logs of Windows account creation and deletion events in the past 24 hours:

Select "Logs" → "Advance Search" from the left sidebar.

Choose the log time range (last 24 hours) in the query screen.
Enter the query string (EventID: 4720 OR EventID: 4726) in the search field.
In the left field list under "safe3r2-*", select "Add" to include fields like "EventTime," "SubjectUserName," "SubjectDomainName," "EventID," "TargetUserName," and "EventType."

4. Save Search

Users can save search conditions for future queries.

In the upper right corner, click "Save," and it is recommended to name search conditions using the format: function-device-event-other (e.g., OS-Windows-Account_create_and_delete).
Click "Save."

5. Export Search Result

Users can export search data in two ways:

After saving search conditions, select "Share" to export as a CSV file.
Click "Open," then choose saved search filter and set the time range on the page. After the search is complete, click "Share" to export as CSV and go to "Downloads" to retrieve it.