2 Replies Latest reply on Jan 2, 2013 10:44 AM by 0x1b69a

    Viewing "Raw" Log Files

      Hello All,


      New to the community...Did a couple searches for this but couldn't find anything, maybe I was using the wrong search parameters.


      We've got some new firewalls in, and I've got successfully set them up as data sources for our Nitro Receiver. We have all the views enabled in the ESM, but I'm curious if there's a way to view the logs in a "raw" format, or the way would be seen in the firewall.  I get the whole correalation thing, but I want to know if the SIEM, with all it's capability, can perform the functions of a basic Syslog server as well, and allow me to simply browse through the logs.


      In the event we get asked to pull FW log traffic for a specific timeframe, I want to know that I can quickly and easily pull it up in Nitro. I understand I can do this locally in the FW, but we're using the ELM for long term log retention, so if I'm asked about traffic during a timeframe that's no longer stored on the locally on the FW, I should be albe to find the logs in Nitro.


      This Nitro product set is new to me, so forgive me if this has been asked and answerd or is available in a tech note or something elsewhere.





        • 1. Re: Viewing "Raw" Log Files

          Hello Brown,


          Do you know if you have the Enterprise Log Manager (ELM) as part of your solution?  If so, this is where your raw logs will be stored (whereas the ESM stores parsed/normalized/correlated events).  You can access them via the ESM in a couple of ways.  First, from the ELM Archive tab for a specific event:


          elm archive.png

          This tab will only be available if you are logging the events to the ELM.  Second place is the Advanced ELM search:


          Advanced ELM Search.png


          Third place is from the ELM System Properties which allows the same searching as the Advanced ELM Search view with the addition of integrity checks. 


          ELM Properties.png


          Hopefully this answers your questions. 



          • 2. Re: Viewing "Raw" Log Files



            Thank you very much! I actually found method number 2 on my own maybe 20 minutes before you responded, and I appreciate the response and confirmation that this is the correct way to do it. The raw logs are displayed in a bit of jumbled fashion, but I don't care. The necessary information is present to meet out log retention policy, and I typically have to "pretty up and dumb down" the info when it's sent up to management anyway.


            As for the other two methods, I was unaware of those.  I appreciate your help Kara!