SAFE3.0 Data Sources Are Managed in Five Categories:
- Default: General data sources, used for common devices such as firewalls, IPS (Intrusion Prevention System) devices, or operating systems like Windows and Linux.
- JDBC: Collects data stored in databases via JDBC (Java Database Connectivity) connections.
- SNMP: Receives messages via SNMP (Simple Network Management Protocol), allowing for real-time detection and resolution of network issues or helping in network resource planning.
- Parsing Rules: SAFE3.0 allows for editing and configuring log parsing settings for collected device logs, including setting field attributes and filtering out keywords.
- Log Forwarding: Based on user configuration, logs received from client devices by SAFE3.0 can be forwarded to another host.
List
Select "Data Sources" → "SYSLOG" from the left menu to view each device's IP, device name (editable by the user), and category (categories can be added or edited by the user). Click the sorting icon on the right side of a column header to change the sort order, or type in the search field to perform a fuzzy keyword search.
Editing Device Information
Click the edit icon to enter the editing page.
- Device Name: Required field, with a maximum of 40 characters.
- Role: Required field, select the system role group from a dropdown menu. You can specify which role groups of users are allowed to view the logs of this device.
- Category: Select the log category from the dropdown menu. The default category is "Unclassified/Not Used", and users can also add or edit categories themselves.
- Log Reception Check: After enabling the switch, click inside the input box to open the dropdown menu, select how often to check that logs are still arriving (10 minutes / 1 hour / 12 hours / 24 hours / 72 hours), and select the role that will be notified. A device that suddenly stops sending logs is a common symptom of a failed forwarder, a blocked port, or logging being disabled on the device, so enable this check for every device whose logs feed alerts and choose an interval shorter than the time you could afford to be blind to it.
Category
- Click the category icon to open the category management page, which lists the existing categories. Default categories such as "Unclassified/Not Used" cannot be deleted; categories added by users can be removed by clicking the delete icon.
- To add a new category, click the "Add" icon, enter the category name (up to 40 characters), and click "Save" to confirm and apply it.
- Click the "Edit" icon to open the IP settings window, check the boxes next to the IP addresses you want to place in the category, and click "Save" to complete the configuration.
- After a category is set, the advanced search feature can filter results on that category through the "safe_tag" field.
- To manually refresh the SYSLOG device log information, click the refresh icon.
- For file uploads, click the file upload icon to open the file upload page; JSON and CSV formats are supported.
- Export: Click the export icon to export the source list as a CSV file.
JDBC Setup
Add JDBC Connection
- IP: Required field, the IP address of the database host.
- Name: Required field, users can customize the name of this JDBC connection, with a maximum of 45 characters.
- Role: Required field, select from a dropdown menu to specify which users can access the device logs.
- Database Type: Required field, select from a dropdown menu; currently supports Microsoft SQL Server/MySQL/MySQL 8.0/PostgreSQL.
- Port: Required field; the default port for Microsoft SQL Server is 1433, for MySQL it is 3306, and for PostgreSQL it is 5432.
- Database Name: Required field, the name of the database to be read.
- User Name: Required field, the account used to read the database. For security reasons do not use a DB super admin account: the collector holds these credentials permanently, so create a dedicated account that has SELECT (read-only) permission on the table being collected and nothing more.
- Password: Required field, the password for the user account.
- Data Table Name: Required field, the name of the table to be read.
- Query: Required field, the SELECT statement that reads the data; it must not contain GROUP BY, ORDER BY, or WHERE clauses (no filtering or sorting of your own).
- Tracking Column: Required field, the column used to detect rows that have not yet been read, usually a timestamp or a serial number. The column must only increase for new rows; with a timestamp, rows committed late with an earlier time than the newest row already collected can be missed, so an auto-incrementing serial number is the safer choice.
- Schedule Type: Required field, the interval for reading data (seconds, minutes, hours).
- Time Zone: Required field, the time zone of the data.
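The following is an added illustration of how a tracking column drives incremental collection, written for this page and not taken from SAFE3.0's own code; how SAFE3.0 internally wraps the query is not documented here, so the wrapping shown (the collector appending its own WHERE/ORDER BY on the tracking column, which is one plausible reason the user query may not carry those clauses) is an assumption. It uses an in-memory SQLite table with constructed sample rows, the hypothetical query `USER_QUERY`, and shows the failure mode noted above: a row written late with an earlier timestamp is picked up when tracking by the serial `id` column but skipped when tracking by `event_time`.

```python
import re
import sqlite3

# Constructed sample table (an application audit log); not real data.
SAMPLE_ROWS = [
    (1, "2024-05-01 10:00:00", "alice", "login"),
    (2, "2024-05-01 10:00:00", "bob", "login"),
    (3, "2024-05-01 10:05:00", "alice", "download"),
]

# The kind of query the data-source form accepts: a plain SELECT with no
# WHERE / ORDER BY / GROUP BY. Hypothetical query and table name.
USER_QUERY = "SELECT id, event_time, username, action FROM audit_log"

# The clauses the form rejects, matched as whole words so that a column
# named e.g. "nowhere" is not flagged.
_FORBIDDEN = re.compile(r"\b(where|order\s+by|group\s+by)\b", re.IGNORECASE)


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE audit_log ("
        "id INTEGER PRIMARY KEY, event_time TEXT, username TEXT, action TEXT)"
    )
    conn.executemany("INSERT INTO audit_log VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def query_is_allowed(user_query: str) -> bool:
    """True if the query carries none of the clauses the form forbids."""
    return _FORBIDDEN.search(user_query) is None


def build_poll_query(user_query: str, tracking_column: str) -> str:
    """Wrap the user's SELECT in an incremental query on the tracking column.

    Assumed collector behaviour: the user query is used as a sub-select and the
    collector adds its own filter and ordering so each poll returns only rows
    whose tracking value is greater than the last one it saw, in order.
    """
    if not query_is_allowed(user_query):
        raise ValueError("query must not contain WHERE, ORDER BY or GROUP BY")
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", tracking_column):
        raise ValueError("tracking column must be a plain column name")
    return (
        f"SELECT * FROM ({user_query}) AS src "
        f"WHERE {tracking_column} > ? ORDER BY {tracking_column}"
    )


def poll(conn, user_query, tracking_column, last_value):
    """Fetch rows newer than last_value; return (rows, new_last_value)."""
    cur = conn.execute(build_poll_query(user_query, tracking_column), (last_value,))
    cols = [d[0] for d in cur.description]
    rows = [dict(zip(cols, r)) for r in cur.fetchall()]
    new_last = rows[-1][tracking_column] if rows else last_value
    return rows, new_last


def demo() -> dict:
    """Show a serial tracking column catching a late-written row that a
    timestamp tracking column misses."""
    conn = make_db()
    first, last_id = poll(conn, USER_QUERY, "id", 0)        # 3 rows, last_id == 3
    _, last_ts = poll(conn, USER_QUERY, "event_time", "")   # last_ts == "... 10:05:00"

    # A row committed late, carrying a timestamp earlier than the newest row
    # already collected (clock skew or a delayed transaction).
    conn.execute("INSERT INTO audit_log VALUES (?, ?, ?, ?)",
                 (4, "2024-05-01 10:04:00", "carol", "login"))
    conn.commit()

    by_id, _ = poll(conn, USER_QUERY, "id", last_id)          # finds row 4
    by_ts, _ = poll(conn, USER_QUERY, "event_time", last_ts)  # misses row 4
    return {"first_batch": len(first),
            "late_row_by_id": len(by_id),
            "late_row_by_timestamp": len(by_ts)}


if __name__ == "__main__":
    print(demo())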
SNMP Setup
- Click on "SNMP" in the left sidebar to enter the edit management page.
- Click the "Add+" icon to open the Add SNMP page.
(1)Select the SNMP version: SNMP v1, SNMP v2c, or SNMP v3. Note that v1 and v2c authenticate only with a community string sent in clear text on the wire, so prefer v3 with authentication and privacy wherever the device supports it, and use a read-only community where it does not.
(2)Configure the required information such as IP, role permissions, port, SNMP version, and community.
(3)Click "Scan."
(4)Based on the scan results, check the checkboxes to select the data to save.
(5)If you want to collect SNMP trap logs, click the "TRAP" icon to open the Trap edit page. Enter the community and click "Save." It will ask if you want to restart the log collection service; please select "Yes."
SNMP Trap Data Analysis
- Users can upload MIB files in the MIB file editing page for SNMP Trap log data analysis.
- Users can also add MIB OIDs for compilation.
Parser Rule
In the left menu, click "Data Source" -> "Parsing Rules" to access the list.
- The list shows columns for Features, Name, and Category. You can sort the Name and Category columns using the sorting icons.
- There are two types of parsing rule:
- SAFE (Official): Uploaded through "System" -> "Package Upload".
- Custom: Can be added directly in the "Parser Rule" page.
Official Parser
Click "Edit" to enter the parsing rule editing page. You can view the parsing description and proceed to Step 2 for IP configuration.
(1)Parsing Application
- Select the log device by checking the check box next to it. Configure the parsing rule to apply to the selected log device. Once done, click "Finish" to save and return to the list page.
(2)Apply Parsing Settings:
- In the parsing list page, check the box of the desired parsing entry to be applied.
- Click "Check Apply" to apply the settings to the selected device.
(3)Delete Official Parsing:
Click the delete icon to remove the unused official parser.
Custom Parser
(1) Add Custom Parser: Click the "Add+" icon to open the custom parser edit page.
- Name: Required field, only half-width English letters or numbers are allowed, with a maximum of 50 characters.
- Description: Required field, with a maximum of 128 characters.
- Regular Expression: The parsing rule, written as a regular expression; only one regular expression can be set per parser.
- Test String: A sample log line used for testing.
- Matching Information: Click "Test" to simulate parsing the test string with the regular expression. If it matches, the parsed fields and their values are listed; if it does not, "No Match" is displayed. Test with a line of every message type the device emits, not just one, since a rule that matches only the sample silently leaves the other messages unparsed.
(2)Import Custom Parser: Use the left-side menu to navigate to "System" -> "Package Upload" to upload the file.
(3)Edit Custom Parser / Configure IP: Click the edit icon to enter the parsing editing page. You can edit the parsing description and regular expression, and in Step 2, configure the applicable IP. The remaining settings are the same as for official parsing.
(4)Delete Custom Parser: Click the delete icon to remove the custom parser.
(5)Export Custom Parser: Click the export icon to export the custom parser as a .des3 file.
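As an added example (not SAFE3.0's own code), the following mimics what the "Test" button does and extends it to a whole set of lines. The regular-expression dialect SAFE3.0 uses is not stated on the page, so this assumes Python's `re` with `(?P<name>...)` named groups as the mechanism that turns a capture into a field; the firewall-style log lines and the pattern `FIREWALL_PATTERN` are constructed for the illustration. The third line comes from a different daemon and yields "No Match", which is the case a single test string would not reveal.

```python
import re

# Constructed sample log lines (iptables-style firewall messages plus one
# sshd line); not real data.
SAMPLE_LINES = [
    "May  1 10:00:01 fw01 kernel: DROP IN=eth0 SRC=10.16.6.199 DST=192.0.2.10 "
    "PROTO=TCP SPT=51234 DPT=22",
    "May  1 10:00:02 fw01 kernel: ACCEPT IN=eth1 SRC=192.0.2.7 DST=10.16.6.10 "
    "PROTO=ICMP",
    "May  1 10:00:03 srv01 sshd[2211]: Failed password for root from 198.51.100.5 "
    "port 40122 ssh2",
]

# One regular expression per parser, with a named group for every field it
# extracts. Assumed pattern written for the sample lines above; the port
# fields are optional because ICMP messages carry none.
FIREWALL_PATTERN = (
    r"(?P<action>ACCEPT|DROP) IN=(?P<iface>\S+) "
    r"SRC=(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"DST=(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"PROTO=(?P<proto>[A-Z]+)"
    r"(?: SPT=(?P<src_port>\d+) DPT=(?P<dst_port>\d+))?"
)


def simulate_test(pattern: str, test_string: str):
    """Mimic the "Test" button: return the parsed fields, or "No Match"."""
    try:
        regex = re.compile(pattern)
    except re.error as exc:
        return f"Invalid regular expression: {exc}"
    match = regex.search(test_string)
    if match is None:
        return "No Match"
    # Optional groups that did not take part come back as None; drop them so
    # only fields actually present in the log line are emitted.
    return {name: value for name, value in match.groupdict().items()
            if value is not None}


def coverage(pattern: str, lines) -> dict:
    """Apply the pattern to many lines and report the ones it misses, to
    check that a single test string was representative of the device."""
    regex = re.compile(pattern)
    unmatched = [line for line in lines if regex.search(line) is None]
    return {"matched": len(lines) - len(unmatched), "unmatched": unmatched}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(simulate_test(FIREWALL_PATTERN, line))
    print(coverage(FIREWALL_PATTERN, SAMPLE_LINES))
```

Anchoring the pattern with the action keyword rather than `.*` keeps it from matching unrelated lines that happen to contain `SRC=`, and dropping unmatched optional groups avoids emitting empty fields that a downstream field-attribute setting (such as a Number type) would choke on.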
Config Field
Renaming Existing Fields to Custom Field Names
(1)Click the "Field Settings" icon to open the field settings page.
(2)Add New Field Settings:
- Click "Add" to open the new field settings page.
- Index Field: This is a required field where you input the new custom field name.
- Log Field: This is a required field where you select the original field from a dropdown menu.
- Description: An optional field for describing the field.
- Note: An optional free-text note about the field.
- Click "Save" to store the settings.
- You must click "Apply" on the parsing edit page to write the settings to the system configuration file.
(3)Edit Field Settings:
- Click the "edit" icon to open the edit field settings page.
- To write the edited settings to the system configuration file, you must click "Apply" on the parsing edit page.
(4)Delete Field Settings:
- Click the "delete" icon to delete the field settings.
- To ensure that the changes are written to the system configuration file, you must also click "Apply" on the parsing edit page after deletion.
Field Mapping
(1)Open Field Mapping: Click the "Field Mapping" icon to access the configuration page, which is divided into "Beats" fields and "Non-Beats" fields tabs.
(2)Type Settings: Click "Attributes" to open the settings page. From the dropdown menu, select the desired display format (Percentage / Number / Bytes / String). After saving, the attribute setting is complete.
For example, set the attribute of the s3.system.cpu.total.norm.pct field to Percentage, and Advanced Search will display that field's value as a percentage.
Keyword Filter
You can use the host / rawlog or Beats fields to configure SAFE3.0 to exclude certain logs from collection.
(1)Click the "Keyword Filter" icon to open the keyword filter settings page.
(2)To add an exclusion setting, click the add icon to add field settings. You can select the host / rawlog / Beats field name from the dropdown menu for configuration.
(3)In the keyword field, enter the keyword you want to exclude.
- Example: If you select the rawlog field and enter just for test as the keyword, logs matching the search term rawlog:"just for test" are excluded.
- Example: If you select the host field and enter 10.16.6.199 as the keyword, logs matching the search term host:"10.16.6.199" are excluded.
(4)After saving the settings, choose whether to apply the keyword exclusion. If you apply it, the system restarts the service to write the settings into the system configuration file; if you do not, the settings are saved to file only and do not take effect until applied. Remember that every exclusion is a permanent blind spot: a rawlog keyword drops any message containing that phrase, including messages whose content an attacker can influence, so keep the rule list short and review it when it changes.
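The following is an added example of the exclusion logic run over a few constructed events; it is not SAFE3.0's own implementation. The page gives the effect of a rule only as a search term such as host:"10.16.6.199", without saying whether that is an exact or a phrase match, so the matching semantics here are an assumption: host is compared exactly (so 10.16.6.199 does not also drop 10.16.6.1991), while rawlog and any other field are matched as a case-insensitive substring. The sample events and the beats-style field `beat.name` are constructed.

```python
# Constructed sample events as the collector would hold them after parsing;
# not real data. "host" and "rawlog" are the field names the page uses; the
# beats-style dotted field is an assumed example.
SAMPLE_EVENTS = [
    {"host": "10.16.6.199", "rawlog": "just for test: synthetic traffic",
     "beat.name": "fw01"},
    {"host": "10.16.6.1991", "rawlog": "sshd: Accepted publickey for deploy",
     "beat.name": "srv02"},
    {"host": "10.16.6.10",
     "rawlog": "sshd: Failed password for root from 198.51.100.5",
     "beat.name": "srv01"},
    {"host": "10.16.6.10", "rawlog": "heartbeat just for test",
     "beat.name": "srv01"},
]

# Each rule is (field, keyword), as entered on the keyword-filter page.
EXCLUSION_RULES = [
    ("rawlog", "just for test"),
    ("host", "10.16.6.199"),
]


def rule_matches(event: dict, field: str, keyword: str) -> bool:
    """Decide whether one exclusion rule applies to one event.

    Assumed semantics: host is an exact comparison, every other field is a
    case-insensitive substring (phrase) match on the field's text.
    """
    value = event.get(field)
    if value is None:
        return False
    if field == "host":
        return value == keyword
    return keyword.lower() in str(value).lower()


def apply_exclusions(events, rules):
    """Split events into (kept, excluded), recording which rule dropped each
    excluded event so the blind spot a rule creates can be audited."""
    kept, excluded = [], []
    for event in events:
        reason = next((f'{field}:"{keyword}"'
                       for field, keyword in rules
                       if rule_matches(event, field, keyword)), None)
        if reason is None:
            kept.append(event)
        else:
            excluded.append((reason, event))
    return kept, excluded


if __name__ == "__main__":
    kept_events, excluded_events = apply_exclusions(SAMPLE_EVENTS, EXCLUSION_RULES)
    for reason, event in excluded_events:
        print("excluded by", reason, "->", event["host"], "|", event["rawlog"])
    print(len(kept_events), "events kept")
```

Note that the second and third sample events survive: the host rule does not bleed into 10.16.6.1991, and the failed root login is kept even though it comes from a host that also emits a heartbeat containing the excluded phrase, because exclusion is decided per message, not per device.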
Log Forward
(1)Click "Data Source" -> "Log Forwarding" in the left sidebar to enter the forwarding settings page.
- The list displays IPs, device names, categories, and destination IPs for forwarding, which can all be sorted using the sorting icon.
- Only SYSLOG (including SNMP) is supported.
(2)Target Config
Click "Target Config" to open the settings page.
- Destination IP: Enter the target host IP in the input box.
- Port: Enter the destination port in the input box.
- Click the add icon to add another target endpoint input box; click the delete icon to remove one.
- After completing the inputs, click "Save."
(3)Source Config: Click "Source Config" to open the settings page.
- Forward Target IP: Select the desired destination host IP from the dropdown menu.
- Source Host List: Click on the source host IP in the source host list on the left to add it to the selected host list on the right.
- Clicking "Save" only saves the settings; to enable the log forwarding service, you need to click "Apply." After applying, the Rsyslog service will restart, and there will be a short period during which logs cannot be queried.