Querying Logs

Use the Log Query screen to query Apex Central generated logs and log data from registered managed products. You can also narrow the search results by using advanced custom filters, export the search results in XML or CSV format, or save and share the log query search criteria with other Apex Central administrators.

Note:

Apex Central also allows you to perform a log query from the Product Directory screen.

For details, see Querying Logs from the Product Directory.

  1. Go to Detections > Logs > Log Query.

    The Log Query screen appears.

  2. Specify the log type.
    Note:

    Log types correspond to specific data views used in Apex Central reports.

    For more information about log types and data views, see Log Names and Data Views.

    1. Select a log type from the first drop-down control.
    2. Click OK to apply the selected log type.
  3. To filter your search results to data from specific managed products:
    1. Click the second drop-down control.
    2. Select targets for the query by using one of the following options:

      • Directory: Allows you to locate and select managed products from the Product Directory structure

      • Type: Allows you to choose a product type and select from a list of all registered managed products of the same type

      • Tags and filters: Allows you to select custom tags, filters, or important labels from the User/Endpoint Directory to query specific endpoints

        Note:

        • You can select up to 10 custom tags, filters, or important labels to perform a log query.

        • Custom filters that contain Compliance, Important, Threat Type, Security Threat, or Threat Status Criteria information cannot be used to perform a log query.

    3. Click OK to apply the selected targets.
  4. Select a time period from the Time drop-down control.
  5. To filter search results using custom criteria:
    1. Click Show advanced filters.
    2. Specify the Match rule for the custom filter:

      • All of the criteria: Data must match all the specified criteria

      • Any of the criteria: Data can match any of the specified criteria

    3. In the Select criteria... drop-down list, select a data column to filter.
      Note:

      The data columns in the Select criteria... drop-down list dynamically change based on the log type you select in the first drop-down control.

      For more information about the data columns, see Log Names and Data Views and refer to the corresponding data view details.

      The filtering criteria that appear in the second and third drop-down lists dynamically change based on the data column you select.

    4. In the second drop-down list, select an operator.
    5. In the third drop-down list, define the criteria.
    Note:

    Apex Central supports up to 20 custom filtering criteria for each log query.

  6. Click Search.

    The search results appear in the table on the Log Query screen.

    Note:

    • The Generated column displays the local date and time on the endpoint for when the managed product first detected the threat.

    • The Received column displays the local date and time on the Apex Central server for when the Apex Central server received the data from the managed product server.

  7. (Optional) Click a link in a data column to drill down for more information.
  8. (Optional) Customize the data columns in the search results.

    • Click Customize Columns to add or remove columns that display in the table.

    • Rearrange the order in which the columns display by dragging the column headings.

  9. (Optional) Export the log query results.
    1. Click Export to CSV or Export to XML.

      The Log Query Exporting page screen appears.

    2. After the export completes, open or save the file.
  10. (Optional) Save log query search criteria.
    Note:

    • Saving a log query only saves the search criteria for the query. To save log query search results, export the results or create a report using a grid table.

      For more information about creating reports, see Reports.

    • Saved queries are automatically visible to all users from the same Active Directory group.

    • A gray user icon () next to a saved query indicates a log query shared by a user from outside your Active Directory group. Hover over the icon to view the name of the user who shared the query.

    1. Click the save button ().
    2. Specify a name for the saved query.
    3. Click Save.

    After saving a log query, you can click the saved queries button () to view a list of saved queries and perform the following actions.

    • Click the name of a saved query to run the log query.

    • Click the share icon () next to a saved query name to share the log query with all Apex Central users.

    • Click the stop sharing icon () next to a saved query name to stop sharing the log query with all Apex Central users.

    • Click the delete icon () to remove the saved query.

Parent topic: Logs