Esta página ainda não está disponível no idioma selecionado. Estamos trabalhando para adicionar mais opções de idiomas. Agradecemos sua compreensão.
SecMaster
SecMaster
- What's New
- Function Overview
- Service Overview
-
Billing
- Billing Overview
- Billing Modes
- Billing Items
- Billing Examples
- Changing the Billing Mode
- Renewing Your Subscription
- Bills
- About Arrears
- Billing Termination
- Cost Management
-
Billing FAQs
- How Is SecMaster Billed?
- Can I Use SecMaster for Free?
- How Do I Change or Disable Auto Renewal for SecMaster?
- Will SecMaster Be Billed After It Expires?
- How Do I Renew SecMaster?
- Where Can I Unsubscribe from SecMaster?
- Where Can I View the Remaining Quotas of Security Data Collection and Security Data Packages?
- Can I Change the Billing Mode for SecMaster?
- Getting Started
-
User Guide
- Buying SecMaster
- Authorizing SecMaster
- Checking Security Overview
- Workspaces
- Viewing Purchased Resources
-
Security Governance
- Security Governance Overview
- Security Compliance Pack Description
- Authorizing SecMaster to Access Cloud Service Resources
- Subscribing to or Unsubscribing from a Compliance Pack
- Starting a Self-Assessment
- Viewing Security Compliance Overview
- Viewing Evaluation Results
- Viewing Policy Scanning Results
- Downloading a Compliance Report
- Security Situation
- Resource Manager
- Risk Prevention
- Threats
- Security Orchestration
-
Playbook Overview
- Ransomware Incident Response Solution
- Attack Link Analysis Alert Notification
- HSS Isolation and Killing of Malware
- Automatic Renaming of Alert Names
- Auto High-Risk Vulnerability Notification
- Automatic Notification of High-Risk Alerts
- Auto Blocking for High-risk Alerts
- Real-time Notification of Critical Organization and Management Operations
-
Settings
- Data Integration
-
Log Data Collection
- Data Collection Overview
- Data Collection Process
- Adding a Node
- Configuring a Component
- Adding a Connection
- Creating and Editing a Parser
- Adding and Editing a Collection Channel
- Verifying Log Collection
- Managing Connections
- Managing Parsers
- Managing Collection Channels
- Viewing Collection Nodes
- Managing Nodes and Components
- Partitioning a Disk
- Logstash Configuration Description
- Connector Rules
- Parser Rules
- Upgrading the Component Controller
- Customizing Directories
- Permissions Management
- Key Operations Recorded by CTS
-
Best Practices
-
Log Access and Transfer Operation Guide
- Solution Overview
- Resource Planning
- Process Flow
-
Procedure
- (Optional) Step 1: Buy an ECS
- (Optional) Step 2: Buy a Data Disk
- (Optional) Step 3: Attach a Data Disk
- Step 4: Create a Non-administrator IAM User
- Step 5: Configure Network Connection
- Step 6: Install the Component Controller (isap-agent)
- Step 7: Install the Log Collection Component (Logstash)
- (Optional) Step 8: Creating a Log Storage Pipeline
- Step 9: Configure a Connector
- (Optional) Step 10: Configure a Log Parser
- Step 11: Configure a Log Collection Channel
- Step 12: Verify Log Access and Transfer
- Credential Leakage Response Solution
-
Log Access and Transfer Operation Guide
-
API Reference
- Before You Start
- API Overview
- Calling APIs
-
API
- Alert Management
- Incident Management
- Indicator Management
- Playbook Management
- Alert Rule Management
- Playbook Version Management
- Playbook Rule Management
- Playbook Instance Management
- Playbook Approval Management
- Playbook Action Management
- Incident Relationship Management
- Data Class Management
- Workflow Management
- Data Space Management
- Pipelines
- Workspace Management
- Metering and Billing
- Metric Query
- Baseline Inspection
- Appendix
- FAQs
-
More Documents
-
User Guide (ME-Abu Dhabi Region)
- Service Overview
- Buying SecMaster
- Authorizing SecMaster
- Viewing Security Overview
- Workspaces
- Viewing Purchased Resources
-
Security Governance
- Security Governance Overview
- Security Compliance Pack Description
- Authorizing SecMaster to Access Cloud Service Resources
- Subscribing to or Unsubscribing from a Compliance Pack
- Starting a Self-Assessment
- Viewing Security Compliance Overview
- Viewing Evaluation Results
- Viewing Policy Scanning Results
- Downloading a Compliance Report
- Security Situation
- Resource Manager
- Risk Prevention
- Threat Operations
- Security Orchestration
-
Settings
- Data Integration
-
Log Data Collection
- Data Collection Overview
- Adding a Node
- Configuring a Component
- Adding a Connection
- Creating and Editing a Parser
- Adding and Editing a Collection Channel
- Managing Connections
- Managing Parsers
- Managing Collection Channels
- Viewing Collection Nodes
- Managing Nodes and Components
- Partitioning a Disk
- Logstash Configuration Description
- Connector Rules
- Parser Rules
- Upgrading the Component Controller
- Customizing Directories
- Permissions Management
- FAQs
- Change History
-
User Guide (Kuala Lumpur Region)
- Service Overview
- Authorizing SecMaster
- Security Overview
- Workspaces
- Viewing Purchased Resources
- Security Situation
- Resource Manager
-
Risk Prevention
-
Baseline Inspection
- Baseline Inspection Overview
- Creating a Custom Check Plan
- Starting an Immediate Baseline Check
- Viewing Check Results
- Handling Check Results
- Viewing Compliance Packs
- Creating a Custom Compliance Pack
- Importing and Exporting a Compliance Pack
- Viewing Check Items
- Creating a Custom Check Item
- Importing and Exporting Check Items
- Vulnerability Management
- Policy Management
-
Baseline Inspection
-
Threat Operations
- Incident Management
- Alert Management
- Indicator Management
- Intelligent Modeling
- Security Analysis
- Data Delivery
-
Security Orchestration
- Security Orchestration Overview
- Built-in Playbooks
- Security Orchestration Process
- (Optional) Configuring and Enabling a Workflow
- Configuring and Enabling a Playbook
- Operation Object Management
- Playbook Orchestration Management
- Layout Management
- Plug-in Management
- Settings
-
FAQs
-
Product Consulting
- Why Is There No Attack Data or Only A Small Amount of Attack Data?
- Where Does SecMaster Obtain Its Data From?
- What Are the Dependencies and Differences Between SecMaster and Other Security Services?
- What Are the Differences Between SecMaster and HSS?
- How Do I Update My Security Score?
- How Do I Handle a Brute-force Attack?
- Issues About Data Synchronization and Data Consistency
- About Data Collection Faults
-
Product Consulting
- Change History
-
User Guide (ME-Abu Dhabi Region)
- General Reference
On this page
Help Center/
SecMaster/
User Guide (ME-Abu Dhabi Region)/
Threat Operations/
Security Analysis/
Querying and Analyzing Logs
Copied.
Querying and Analyzing Logs
Scenario
You can query and analyze collected log data in real time on the Analyze & Query tab.
This topic walks you through how to query and analyze log data.
Prerequisites
Data access has been completed. For details, see Data Integration.
Executing a Query and Analysis Based on Query Criteria
- Log in to the management console.
- Click
in the upper part of the page and choose Security > SecMaster. - In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 1 Workspace management page
- In the navigation pane on the left, choose Threat Operations > Security Analysis. The security analysis page is displayed.
Figure 2 Accessing the Security Analysis tab page
- In the data space navigation tree on the left, click a data space name to show the pipeline list. Click a pipeline name. On the displayed page, you can search the pipeline data.
Figure 3 Pipeline data page
- On the pipeline data retrieval page, enter the query analysis statement.
A query analysis statement consists of a query statement and an analysis statement. The format is Query Statement|Analysis Statement. For details about the syntax of query analysis statements, see Query and Analysis Syntax Overview.
NOTE:
If the reserved field is of the text type, MATCH_QUERY is used for word segmentation query by default.
Figure 4 Query/Analyze
- Select Last 15 minutes as the time range.
You can select Last 15 minutes, Last hour, or Last 24 hours or customize a time range for the query.
- Click Query/Analyze and view the results.
Using Existing Fields for Query and Analysis
The following part describes how to use existing fields to query and analyze logs.
- Log in to the management console.
- Click in the upper part of the page and choose Security > SecMaster.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 5 Workspace management page
- In the navigation pane on the left, choose Threat Operations > Security Analysis. The security analysis page is displayed.
Figure 6 Accessing the Security Analysis tab page
- In the Data Spaces tree on the left, click a data space name to show the pipeline list. Then, click a pipeline name. On the displayed page, you can search the pipeline data.
Figure 7 Pipeline data page
- Set search criteria.
NOTE:
If the reserved field is of the text type, MATCH_QUERY is used for word segmentation query by default.
- In raw logs, click
before an optional field on the left and click 
(adding a field value) next to the field to search for specific logs that contain the selected field value. To exclude a field value, click 
before the field name. - If you have expanded the log data at a specific time point and need to filter some fields, click
(adding a field value) in front of the field name. The query box displays the matched fields. To exclude a field value, click 
before the field name.
- In raw logs, click
- By default, data for the last 15 minutes is queried and displayed. If you want to query log data in other time ranges, set the query time and click Query/Analyze.
Creating a Quick Query
- Log in to the management console.
- Click in the upper part of the page and choose Security > SecMaster.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 8 Workspace management page
- In the navigation pane on the left, choose Threat Operations > Security Analysis. The security analysis page is displayed.
Figure 9 Accessing the Security Analysis tab page
- In the data space navigation tree on the left, click a data space name to show the pipeline list. Click a pipeline name. On the displayed page, you can search the pipeline data.
Figure 10 Pipeline data page
- Enter the query and analysis statement, set the time range, and click Query/Analyze.
For details, see Executing a Query and Analysis Based on Query Criteria.
- Click Save As Quick Query in the upper right corner of the area and configure query parameters on the right.
Table 1 Parameters for a quick query Parameter
Description
Query Name
Specify the name of the quick query.
Query statement
The system automatically generates the query statement entered in 6.
- Click OK.
After creating a quick query, you can click
in the quick query search box on the pipeline data query and analysis page and select the target quick query name to use the quick query.
Managing Query and Analysis Results
SecMaster displays query and analysis results in the form of log distribution bar charts, Raw Logs, and Charts.
- Log distribution bar chart
A bar chart is used to display queried logs over time. You can move the cursor to a certain bar to view the number of logs hit at the time the bar represents.
- Raw Logs
The Raw Logs tab displays the results of the current query.
- To display log data over time:
- By default, log data in the last 15 minutes is displayed. To display data in other time, select the time range in the upper right corner.
- To view data of all fields at a specified time, click
in front of the time in the table to expand all data. By default, data is displayed in a table.
To view data in JSON format, click the JSON tab. Data in JSON format is displayed on the page.
- To display or filter some fields in the list, select the fields to be displayed in the Available Fields area on the right and click
next to the field name. The fields are displayed in the log data list on the right.
- To adjust the field sequence: In the heading columns of the log data list on the right, select a field and then click
or 
next to the field name to move the field left or right by one column with each click. - To cancel the display: In the table header column of the log data list on the right, select the target field, and click
next to the field name, or click 
next to the field name on the left.
- To adjust the field sequence: In the heading columns of the log data list on the right, select a field and then click
- To export logs: On the Raw Logs tab page, click
in the upper right corner of the page. The system automatically downloads raw logs to the local PC.
- To display log data over time:
- Charts
After a query statement is executed, you can view visualized query analysis results on the Charts tab.
On the Charts tab, SecMaster provides query and analysis results in multiple chart types, such as tables, line charts, bar charts, and pie charts. For details, see Viewing Results in a Chart.
- Alarm
In the upper right corner of the Analyze & Query tab, click Add Alarm to add alert models. You can set alert rules for generating alerts for query and analysis results hit the rules. For details, see Quickly Adding a Log Alert Model.
- Quick Query
In the upper right corner of the query analysis page, click Save As Quick Query to save search criteria as a quick query. For details, see Creating a Quick Query.
Parent topic: Security Analysis
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
The system is busy. Please try again later.
For any further questions, feel free to contact us through the chatbot.
Chatbot
