Log Messages

You can use the Search tab of the Alert Logic console to perform basic and advanced searches for log messages.

Access Log Messages

To access the Log Messages page, click the SEARCH tab, and then click the Log Messages subheading.

Search log messages

  1. Navigate to the Log Messages page.
  2. Enter your search parameters in the top bar.
    • To search for a specific term, type the term in Click Here and Type to Add Search Terms. As you type, suggestions will appear in a drop-down menu.
    • To search for dates, click BETWEEN. In the drop-down menu, choose the desired date range. If you want to search based on a specific date, click Custom..., pick the dates from the calendars, and then click Apply.
  3. When you have defined your search parameters, click the search icon.

From the list of log messages, you can narrow your search further. For example, if you click a token below a log message and then click the search icon, a new search runs with that token added.

Connected search terms, parameters, and options are applied to log messages in order from left to right. You can drag and drop to change this order. The search terms you choose determine which columns are visible in the table of log messages.

Review the table below to understand the color coding of the listed log messages.

Color    Parameter
Blue     Context
Gray     Date or header
Green    Token
Red      Text
Yellow   Type

You can use Search Options to modify the display format for your search results or modify your search query parameters.

For more information about Search Options, see Log message search options.

Additional options

The following options appear below the search function:

Save View
  If you made changes to how log messages display, use this option to save this view. You can also use this option to share a saved view with other users.

Available Saved View
  Use this option to search for and select a view that was previously saved.

Context Map
  Use this option to further configure your search parameters. To add a search parameter, click the plus (+) sign that appears when you place your cursor over a message option. The parameter then appears in the top search bar.

Edit Query
  Use this option to import or export a query in JSON format.

Reset Query
  Use this option to reset the query to default values.

Export Log Messages
  Use this option to download the current search results as a CSV file.

Options
  Use this option to configure in more detail how log messages display. For example, you can hide token trains using Options.

After a successful search, the following options appear below the search function:

List View
  Use this option to display messages in rows.

Hybrid View
  Use this option to display messages in columns.

Collapse / Expand Messages
  Use this option to collapse messages to a single line or to expand messages to show more information.

Show Flagged Messages
  Use this option to display only messages that are flagged.

Show Unflagged Messages
  Use this option to display only messages that are not flagged.

Show All Messages
  Use this option to display all messages, whether flagged or not.

Reset Flagged Messages
  Use this option to remove flags from flagged messages.

The following options appear when you place your cursor over a log message:

  • Flag: flag a message for easy reference.
  • Unflag: remove the flag from a message.
  • Collapse: collapse the log message into a single line. To expand the log message again, click on it.
  • Expand: expand the displayed information.
  • Restore: return the expanded information to the default view.
  • Add to case cart: add the log message to your case cart.
  • Create incident: create an incident report in a separate window.
  • View details: view more information in a separate window.

Log message search options

To open Search Options, on the Log Messages page, click the Search Options icon.

A token is a meaningful character string parsed from a log message.

A child token is a character string derived from a parent token. For example, Src Host Name is a child token of Host Name, the parent token.

Show Full Message
  When selected, this option displays all the details for the log message. If not selected, you see a summarized version of the log message.

Show Token Train
  Only available if Show Full Message is selected. When selected, this option reveals the predefined tokens at the bottom of each log message.

Pagination
  Divides results over multiple pages by the Rows per Page count.

Infinite Scroll
  Displays all results on a single page.

Rows per page
  Number of results shown per page if Pagination is selected.

Limit by collected messages and tokens
  When typing a search value in the search box, you see predicted search terms based on your collected messages and the tokens derived from them.

Do not limit
  When typing a search value in the search box, you see predicted search terms based on Log Manager's full database of log messages and tokens.

Do not include any children tokens
  When selected, this option matches your search value exactly. Example: if you search for Host Name, you see results that include Host Name, but not Src Host Name.

Include children in parent token fields, unless child is also requested
  When selected, this option returns results that may include derivatives of the search value. Example: if you search for Host Name, you may see results that include Host Name and Src Host Name.

Save as Default
  Save this set of options as your default.
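The two child-token options above decide which fields a parent token such as Host Name is allowed to match. The following added example (not Alert Logic's code) models that matching over a constructed set of tokenized messages; the Src Host Name / Dst Host Name to Host Name hierarchy and the messages themselves are assumptions for illustration, including the "unless child is also requested" rule, under which an explicitly requested child keeps its own column and no longer satisfies its parent.

```python
# Constructed sample of tokenized log messages (an assumption for this
# illustration; field names follow the page's Host Name / Src Host Name example).
SAMPLE_MESSAGES = [
    {"id": 1, "Host Name": "web01"},
    {"id": 2, "Src Host Name": "web01"},
    {"id": 3, "Host Name": "web01", "Src Host Name": "bastion"},
    {"id": 4, "Dst Host Name": "web01", "Src Host Name": "web01"},
]

# Assumed token hierarchy: child token -> parent token.
PARENT_OF = {"Src Host Name": "Host Name", "Dst Host Name": "Host Name"}


def fields_for(token, requested, include_children):
    """Fields that may satisfy `token`.

    Exact mode ('Do not include any children tokens'): only the token itself.
    Inclusive mode ('Include children in parent token fields, unless child is
    also requested'): the token plus its children, except children that the
    query already names explicitly, which keep their own column.
    """
    fields = [token]
    if include_children:
        fields += [c for c, p in PARENT_OF.items()
                   if p == token and c not in requested]
    return fields


def search(messages, requested, include_children):
    """Return ids of messages matching every token/value pair in `requested`."""
    plan = {tok: fields_for(tok, requested, include_children)
            for tok in requested}
    hits = []
    for msg in messages:
        if all(any(msg.get(f) == value for f in plan[tok])
               for tok, value in requested.items()):
            hits.append(msg["id"])
    return hits


if __name__ == "__main__":
    print(search(SAMPLE_MESSAGES, {"Host Name": "web01"}, False))  # [1, 3]
    print(search(SAMPLE_MESSAGES, {"Host Name": "web01"}, True))   # [1, 2, 3, 4]
    # Src Host Name is requested explicitly, so message 2's Src Host Name no
    # longer counts towards Host Name: only message 4 satisfies both pairs.
    print(search(SAMPLE_MESSAGES,
                 {"Host Name": "web01", "Src Host Name": "web01"}, True))  # [4]
```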

Create a saved view

This topic explains how to create a saved view of the current search criteria so that you can use the same search parameters at a later time.

To create a saved view:

  1. Navigate to the Log Messages page.
  2. Enter your search parameters. To learn how to create search parameters, see Search log messages.
  3. In the search table, click Save View. A configuration area displays.
  4. In Save view name, enter a descriptive name.
  5. In Select group(s), click on the empty field and select the groups from the drop-down menu.
  6. In Share this saved view with, select a configuration option.
    • If you select Other users in my company and selected child customers, then select the child customers in the corresponding field.
  7. Click Create new view.

Create a default saved view

This section explains how to configure a saved view to become the default setting for future searches.

To create a default view:

  1. Navigate to the Log Messages page.
  2. Enter your search parameters. To learn how to create search parameters, see Search log messages. You do not have to execute the search to save the search parameters.
  3. Select Options.
  4. In the menu that appears, select Save as Default.
  5. Click Save.

Create a saved view group

To create a saved view group:

  1. Navigate to the Log Messages page.
  2. In the search table, click Available Saved Views. A configuration area displays on your screen.
  3. Click Create new group.
  4. In Name, enter a descriptive name.
  5. From the drop-down menu, select a parent group.
  6. In Description, enter a description.
  7. If you want to hide the group from child customers, select Check to hide this group from child customers.
  8. Click Add new group.

Reset view to default settings

This section explains how to reset your current view to the default settings. This action will erase any modifications you have made to the Log Messages search function.

To reset view to default:

  1. Navigate to the Log Messages page.
  2. In the search table, click Reset to Default.

Edit view of search results

This topic explains how to edit the view of the search results for log messages.

To edit the view:

  1. Navigate to the Log Messages page.
  2. In the search table, click Options. A configuration area expands and displays on your screen.
  3. Use the available options to make changes.
  4. Click Save.

Update a saved view

To update a saved view:

  1. Navigate to the Log Messages page.
  2. In the search table, click Available Saved Views. A configuration area displays on your screen.
  3. Select the desired saved view. You may need to search through the list of groups in order to find the desired saved view.
    • You can navigate through the folder directory.
    • You can also use the search field to search for the name of the saved view.
  4. In the menu that appears, click Load view.
  5. Edit the saved view.
  6. When you complete your changes, click Save View.
  7. In the menu that appears, click Overwrite existing view.

Load a saved view

To load a saved view:

  1. Navigate to the Log Messages page.
  2. In the search table, click Available Saved Views. A configuration area displays on your screen.
  3. Search the list of groups to select the desired saved view.
    • You can navigate through the folder directory.
    • You can also use the search field to search for the name of the saved view.
  4. In the menu that appears, click Load view.
  5. Click the search icon to search with the loaded saved view.

View schedules list for a saved view

This topic explains how to view the schedules list of an executed saved view.

To view the schedules list for a saved view:

  1. Navigate to the Log Messages page.
  2. In the search table, click Available Saved Views. A configuration area displays on your screen.
  3. Search the list of groups to select the desired saved view.
    • You can navigate through the folder directory.
    • You can also use the search field to search for the name of the saved view.
  4. In the menu that appears, click Show schedules list.
  5. If any schedules exist for the saved view, they appear as a list. Click a schedule to see its details.

Add a schedule to a saved view

To add a schedule to a saved view:

  1. Navigate to the Log Messages page.
  2. In the search table, click Available Saved Views.
  3. Search the list of groups to select the desired saved view.
    • You can navigate through the folder directory.
    • You can also use the search field to search for the name of the saved view.
  4. In the menu that appears, click Add schedule.
  5. In the configuration area that appears, complete the fields to make your desired schedule.
  6. Click Add new schedule.

Export log messages

You can export the current list of search results as a CSV file.

To export log messages, you must first have a list of search results. To create a list of search results, see Search log messages.

To export log messages:

  1. Navigate to the Log Messages page.
  2. At the top right of the search table, click the gear icon.
  3. Select Export Log Messages.
  4. Click Export.