Search
To search for a message, simply type your search phrase in the search form box and press enter. You will then do a search in the full-text search index table in the database.
Both the result table and the timebar are updated when each hour of data are searched through in the database. If you want to stop the search just click on ”Stop” just below the search text field.
A Full-text search searches in all fields of the database for words you type in.
Example: search of ”connect” instead of msg=”connect” will be searched in all text fields, taking more resources from the server.
If you want to define a more advanced search query you can use the op5 LogServer query language.
Query Language
In op5 LogServer we have created a own Query Language to be able to do more complex searches. The usage is described below.
Column | Query | Descriptor |
Severity | sev|severity | (=) |
Facility | fac|facility | (=) |
Event ID | event|event_id|eventid | (=) |
Src IP | ip|src_ip|source_ip|sourceip | (=) (:) (~) |
Ident | ident | (=) (:) (~) |
Host | host | (=) (:) (~) |
PID | pid | (=) |
Message | msg|message | (=) (:) (~) |
Information about descriptors:
•= means ‘contains’
•: means ‘starts with’
•~ means ‘matches regular expression’
Examples:
Example 1 msg=”connection”
will search for any message including the string “connection”
Example 2 sev=(warn info) -(statistics daemon) -msg:Log -ident=sshd
Logs that have severity ”warn” or ”info”, and do not contain words ”statistics” or ”daemon” in any field, and where field ”msg” does not begin with ”Log”, and that were not generated by ”sshd”
Example 3 host “192.168.1.(97|158)” -msg “^(root) CMD”
Match host 192.168.1.97 or 158 and messages not starting with ’(root) CMD’
Example 4 msg~"UserName:\x09([[:alnum:]$_-])*[ˆ$] "
Match msg that contains “UserName:<tab>username”and user name does not end with $
Available fields: sev, fac, event, ip, ident, host, pid, msg
Severities: emerg(ency), alert, crit(ical), err(or), warn(ing), notice, info, debug
and user-name does not end with $
Facilities: kernel, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, ntp, logaudit, logalert, clock2, local0 to local7, mark
Query Builder
We have also created a Query builder function to make it easy for users to build their custom filters.
The Query Builder is bidirectional since op5 LogServer 3.3, meaning that it will expand your filter’s criteria to the correct boxes when selecting a filter. You can only get ”OR” function in Query Builder
Enclose your text with ”quotes”
Example: ”User Name” ”monitoruser”
Press the

located under the Search area to get a drop-down with options.
•To select more than one Severity or Facility, press and hold the Ctrl-key and click to select additional items.
•Enter the criteria you want to include in the search:
•
•Enter the criteria you want to exclude from the search.
•
Note: Regular expressions are not allowed in Query Builder
Search Filters
When you create a search filter, you have several criteria to choose
from. Some of these apply only to Windows and some only to UNIX.
Severity
Most UNIX daemons log their messages with more than one severity -- depending on the message your database server might send a notice message or a critical message – or any of the other available messages.
Facility
This is the category of data. For instance: Your mail server daemons may log only using the mail facility and you will find most log on failures in the auth facility. This field is part of the syslog specification.
Host
The name of the logging host.
Source IP
Displays’ the IP-address of the logging host.
Ident
This is normally the name of the logging application.
PID
This is a unique Process ID for the application sending the logs.
Event ID
This is only used by Windows hosts - it is the Event ID field from Windows Event Log
Message
This is the actual log message. This is the field that is the least well defined. You may want to use this to exclude any messages that clutter your search results.
Full text
Use these fields to specify search criteria that should be applied to all fields.
Save your search query
The basic concept for using op5 LogServer is a
search filter. Similar to any database search

•Fill out a number of criteria in the
Search area or use the
Query Builder. •Decide if you want to make the filter Global (for everyone) or Local (for yourself).
•Type a name for the filter in the Save this search as area.
•Click Save.
The saved filter will be based on the one selected in ”Search among”.
Search using a saved filter
To be able to extend your search you can us an existing filter (saved search query):
•Select the filter you want to search within.
•Enter your search criteria. You can use a simple full text search, the query language, or the query builder.
•Press Search now.
The search will now use the criteria in the Filter and the criteria you typed in the Search field.
Since the filters are organised in a hierarchical data model (a tree-like structure) you can create multiple filters in multiple levels based on the same parent filter. Filters created from filters will become dependent on the filter out of which they were created.
Manage Filters
The user management in op5 LogServer supports making filters Global or Private (My filters) and assigning special permissions to the filters.
Delete filter
To delete a filter, select it from the dropdown menu and press the

button.
Note: If you want to remove a filter that has other filters based on it you must first delete the ”sub filters”. Otherwise the ”sub filters” are left unusable.
Edit filter
To view/edit the search criteria of an existing filter, select it from the filter dropdown menu and press


.
You can now edit the search criteria directly in the search box or by using the Query builder.
Note: A user can’t edit Global filters unless they are member of the ’Filter administrators’ group.
Global/Private filters
If you are member of ‘Filter administrators’ group you can view how your filter looks like and also change/assign permission to filters.
Global filter
To make a filter
Global you mark it under
My filters and press the

button.
•Available Users/Groups: Users/Groups you can grant permission to use the selected filter.
•Current Users/Groups: Users/Groups that have permission to use the selected filter
Note: Making a filter global will also make all its parent filters global too.
Note: When you create/manage a filter, you need to decide which users should be able to use it. Default is none.
Note: If you want the filter to be visible for all users, us the ‘All’ group.
My filters
To make a filter My filters (private) you mark it under Global and press the

. Since it’s a private filter no permissions can be applied.
Note: Making a filter private will make all its child filters private as well.
Note: Private filters are private, filter administrators can’t view your private filters.
Auto Refresh
By clicking on the Down arrow on the Search now button will allow you to set a refresh period of the page. You can set it between 30 and 300 seconds.
The Auto refresh works like the UNIX program tail, showing the last x messages,
To cancel a refresh setting, click on
cancel.

CSV export
You can export the retrived data in CSV format by clicking on

.
The format is a | (pipe) separated list.
Timeline Browsing
You can move back and forth in time by using the timeline. If you go back in time and lack the data in the database you can easily import it, see
Import archived data on page 14Select date
To be able to browse/search on a specific day/hour you have to select it on the timeline.

•Select the month
•Select the date
•Select the hour you wish to display from
The GUI will now display the
X messages, matching the search criteria within the given time. To change the number or messages displayed, see
Modify view settings.
Messages are by default searched from the time you selected until the last message in database.
Example 5 If you select 2012-01-09 hour 17, you will be able to search on all messages between 17:00 and the last message imported into the database.
Note: No-day-limit or unlimited search mod is deprecated, this is now the normal behavior.
Move in time
To move in time you click the small arrows, they will move in time and display the
X previoius/following messages matching the time in the timeline.

Import archived data
Data is kept in the database only for a limited amount of time, so that archived data does not occupy uncompressed disk space and slow down your searches.
However, the archived data is not discarded until after a much longer time. It is merely compressed and archived for possible future access.
When you have started an import it will continue in the background so you can continue to browse your messages.

To look into very old data:
•Select the date you want to import
•Choose hour/day/month to import
The import process will start to import the logs that correspond to your selection. A status message in the upper left corner of the GUI will display the status of the import:
.

•A red hour number in the timeline indicates that the data is being imported
•A black hour number in the timeline indicate that the import is done. The date will become gray indicating that you have logs on that date.
Note: The import can take alot of time depending of the amount of logs in your archive
Search Result
Modify view settings
You can change display settings, these settings will be resetted when logging out.
Number of rows returned
•Click on

•Select the number of rows you want to be displayed
EventID
In the search result there is a column called EventID. If the log row contains a MS Windows Event, the eventid is displayed as a link directly to www.eventids.net. If you click on the link you will be sent to the page for the eventid in the log row.
Columns to display
To hide/unhide columns on the page.
•Click on

•Check/Uncheck the field(s) you want to hide/unhide