skip to main content
Web Interface
   
Web Interface
Introduction
 
This chapter covers the web user interface for op5 LogServer Extension with the following topics:
 
Subject
Page
Subsections
 
 
 
About Web Interface
 
Most operations you perform on your op5 LogServer is done from
the web interface, including configuration.
The web interface is intuitive, and you will find a clickable question mark near many options, where you can find context–related help.
If you need information about a specific option, you should look at context–related help–popups. If you need information about how to solve a specific task, this manual is the right place to look.
 
Logging In
 
Point your web browser to the server you installed op5 LogServer Extension on and click the icon for op5 LogServer. That will take you to the login window.
To log in, fill out your user name and password and click the login
button.
Note: Default user name is “admin”, and password is “admin”.
View
This is the first page you get to when you log in. The page is divided
into 3 sections.
Search on page 5
Timeline Browsing on page 13
Search Result on page 15
When you click on View you will see the 75 last received messages as default.
This can be changed as displayed in section: Modify view settings on page 15.
Search
 
To search for a message, simply type your search phrase in the search form box and press enter. You will then do a search in the full-text search index table in the database.
Both the result table and the timebar are updated when each hour of data are searched through in the database. If you want to stop the search just click on ”Stop” just below the search text field.
A Full-text search searches in all fields of the database for words you type in.
Example: search of ”connect” instead of msg=”connect” will be searched in all text fields, taking more resources from the server.
If you want to define a more advanced search query you can use the op5 LogServer query language.
Query Language
 
In op5 LogServer we have created a own Query Language to be able to do more complex searches. The usage is described below.
 
Column
Query
Descriptor
Severity
sev|severity
(=)
Facility
fac|facility
(=)
Event ID
event|event_id|eventid
(=)
Src IP
ip|src_ip|source_ip|sourceip
(=) (:) (~)
Ident
ident
(=) (:) (~)
Host
host
(=) (:) (~)
PID
pid
(=)
Message
msg|message
(=) (:) (~)
Information about descriptors:
 
= means ‘contains’
: means ‘starts with’
~ means ‘matches regular expression’
 
For more info about PostgreSQL Regular Expression see the PostgreSQL Manual
Examples:
Example 1 msg=”connection”
will search for any message including the string “connection”
Example 2 sev=(warn info) -(statistics daemon) -msg:Log -ident=sshd
Logs that have severity ”warn” or ”info”, and do not contain words ”statistics” or ”daemon” in any field, and where field ”msg” does not begin with ”Log”, and that were not generated by ”sshd”
Example 3 host “192.168.1.(97|158)” -msg “^(root) CMD”
Match host 192.168.1.97 or 158 and messages not starting with ’(root) CMD’
Example 4 msg~"UserName:\x09([[:alnum:]$_-])*[ˆ$] "
Match msg that contains “UserName:<tab>username”and user name does not end with $
 
Available fields: sev, fac, event, ip, ident, host, pid, msg
 
Severities: emerg(ency), alert, crit(ical), err(or), warn(ing), notice, info, debug
and user-name does not end with $
 
Facilities: kernel, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, ntp, logaudit, logalert, clock2, local0 to local7, mark
Query Builder
 
We have also created a Query builder function to make it easy for users to build their custom filters.
The Query Builder is bidirectional since op5 LogServer 3.3, meaning that it will expand your filter’s criteria to the correct boxes when selecting a filter. You can only get ”OR” function in Query Builder
Enclose your text with ”quotes”
Example: ”User Name” ”monitoruser”
 
Press the located under the Search area to get a drop-down with options.
 
To select more than one Severity or Facility, press and hold the Ctrl-key and click to select additional items.
Enter the criteria you want to include in the search:
Enter the criteria you want to exclude from the search.
 
Note: Regular expressions are not allowed in Query Builder
Search Filters
 
When you create a search filter, you have several criteria to choose
from. Some of these apply only to Windows and some only to UNIX.
Severity
Most UNIX daemons log their messages with more than one severity -- depending on the message your database server might send a notice message or a critical message – or any of the other available messages.
Facility
This is the category of data. For instance: Your mail server daemons may log only using the mail facility and you will find most log on failures in the auth facility. This field is part of the syslog specification.
Host
The name of the logging host.
Source IP
Displays’ the IP-address of the logging host.
Ident
This is normally the name of the logging application.
PID
This is a unique Process ID for the application sending the logs.
Event ID
This is only used by Windows hosts - it is the Event ID field from Windows Event Log
Message
This is the actual log message. This is the field that is the least well defined. You may want to use this to exclude any messages that clutter your search results.
Full text
Use these fields to specify search criteria that should be applied to all fields.
Save your search query
 
The basic concept for using op5 LogServer is a search filter. Similar to any database search
 
Fill out a number of criteria in the Search area or use the Query Builder.
Decide if you want to make the filter Global (for everyone) or Local (for yourself).
Type a name for the filter in the Save this search as area.
Click Save.
The saved filter will be based on the one selected in ”Search among”.
Search using a saved filter
 
To be able to extend your search you can us an existing filter (saved search query):
 
Select the filter you want to search within.
Enter your search criteria. You can use a simple full text search, the query language, or the query builder.
Press Search now.
 
The search will now use the criteria in the Filter and the criteria you typed in the Search field.
Since the filters are organised in a hierarchical data model (a tree-like structure) you can create multiple filters in multiple levels based on the same parent filter. Filters created from filters will become dependent on the filter out of which they were created.
Manage Filters
 
The user management in op5 LogServer supports making filters Global or Private (My filters) and assigning special permissions to the filters.
Delete filter
 
To delete a filter, select it from the dropdown menu and press the button.
Note: If you want to remove a filter that has other filters based on it you must first delete the ”sub filters”. Otherwise the ”sub filters” are left unusable.
Edit filter
 
To view/edit the search criteria of an existing filter, select it from the filter dropdown menu and press .
You can now edit the search criteria directly in the search box or by using the Query builder.
Note: A user can’t edit Global filters unless they are member of the ’Filter administrators’ group.
Global/Private filters
 
If you are member of ‘Filter administrators’ group you can view how your filter looks like and also change/assign permission to filters.
Global filter
 
To make a filter Global you mark it under My filters and press the button.
Available Users/Groups: Users/Groups you can grant permission to use the selected filter.
Current Users/Groups: Users/Groups that have permission to use the selected filter
Note: Making a filter global will also make all its parent filters global too.
Note: When you create/manage a filter, you need to decide which users should be able to use it. Default is none.
Note: If you want the filter to be visible for all users, us the ‘All’ group.
My filters
 
To make a filter My filters (private) you mark it under Global and press the
. Since it’s a private filter no permissions can be applied.
Note: Making a filter private will make all its child filters private as well.
Note: Private filters are private, filter administrators can’t view your private filters.
Auto Refresh
 
By clicking on the Down arrow on the Search now button will allow you to set a refresh period of the page. You can set it between 30 and 300 seconds.
The Auto refresh works like the UNIX program tail, showing the last x messages,
To cancel a refresh setting, click on cancel.
CSV export
You can export the retrived data in CSV format by clicking on .
The format is a | (pipe) separated list.
Note: Depending of the user setting, see Modify view settings on page 15
Timeline Browsing
 
You can move back and forth in time by using the timeline. If you go back in time and lack the data in the database you can easily import it, see Import archived data on page 14
Select date
 
To be able to browse/search on a specific day/hour you have to select it on the timeline.
Select the month
Select the date
Select the hour you wish to display from
The GUI will now display the X messages, matching the search criteria within the given time. To change the number or messages displayed, see Modify view settings.
Messages are by default searched from the time you selected until the last message in database.
Example 5 If you select 2012-01-09 hour 17, you will be able to search on all messages between 17:00 and the last message imported into the database.
Note: No-day-limit or unlimited search mod is deprecated, this is now the normal behavior.
Move in time
 
To move in time you click the small arrows, they will move in time and display the X previoius/following messages matching the time in the timeline.
Import archived data
 
Data is kept in the database only for a limited amount of time, so that archived data does not occupy uncompressed disk space and slow down your searches.
However, the archived data is not discarded until after a much longer time. It is merely compressed and archived for possible future access.
When you have started an import it will continue in the background so you can continue to browse your messages.
Note: To change the time data is stored in database, see: Database Storage on page 23.
To look into very old data:
Select the date you want to import
Choose hour/day/month to import
The import process will start to import the logs that correspond to your selection. A status message in the upper left corner of the GUI will display the status of the import:
.
 
 
A red hour number in the timeline indicates that the data is being imported
A black hour number in the timeline indicate that the import is done. The date will become gray indicating that you have logs on that date.
 
Note: The import can take alot of time depending of the amount of logs in your archive
Search Result
Modify view settings
 
You can change display settings, these settings will be resetted when logging out.
Number of rows returned
Click on
Select the number of rows you want to be displayed
EventID
 
In the search result there is a column called EventID. If the log row contains a MS Windows Event, the eventid is displayed as a link directly to www.eventids.net. If you click on the link you will be sent to the page for the eventid in the log row.
Columns to display
 
To hide/unhide columns on the page.
Click on
Check/Uncheck the field(s) you want to hide/unhide
Reports
 
The reports section of op5 LogServer has to main functions:
 
Auto reports: Does scheduled searches and sends them to a list of user via e-mail, or save them in a folder on your file server.
Summary reports: Gives you top 10 hosts based on hits for each filter you have access to, and create graphs (message per minute) from global/private filters.
Auto Reports
Creating auto reports
 
If you wish to create an Auto report - for instance you might want a log of failed password login attempts sent to you weekly - you should start by creating the appropriate search filter. See section Search Filters on page 8 for information on how to create filters.
If you have your search filter ready and wish to us it to create a report, click Reports in the top menu, and click Add new report.
Create the appropriate search filter
Click Reports in the top menu
Fill out the parameters - see section Auto report Parameters on page 18.
Auto report Parameters
 
Report name
This is the name of the report you are creating. Choose a name that is descriptive - not only for your own sake, but also for your colleagues.
Sometimes it is a good idea to use your own name as part of the report, for future reference.
Description
Brief decription of your report.
Search filter
Choose your search filter from the menu.
Recipient Type
Choose Email if you want the report to be sent via e-mail.
Choose path if you want the report tot be created on a file server. You need to mount the file share on your op5 LogServer server in order to have a local path. See Using Remote Storage.
Email Recipients or File Path
Enter the email addresses that should receive the report (separated with comma ‘,’), or the path in which it should be saved.
Generating Interval
Choose - Every hour, Every 6 hours, Every 12 hours, Daily, Weekly or Monthly - How often the report should be genreated.
Click “Save” when you are done filling out the fields and then your report will be created.
Manage an Auto Report
 
When you have created your report, it will show up every time you click Reports in the page top menu.
 
Edit
To edit a report
Click on the to the right of the auto report, or double click on the row in the list.
Edit the fields you want to change and click on “Save”.
Deleting
To delete a report
Click on the to the right of the report
Click OK on the popup
Send now
You can force a send of the selected report by clicking the envelope.
 
Summary reports
 
The global and private summary reports is used to:
Print graphs over how many logs matches a filter
Display statistics over top 10 hosts found with a filter
To be able to add or delete a report your user have to belong to the group ‘Filter administrators’.
To veiw a report your user only have to belong to the ‘Summary viewers’ group.
Creating global or private summary report
 
If you wish to create a global or private summary report – for instance you might want to view the number of hits for a filter matching incorrect ssh connections – you should start by creating the appropriate search filter.
See section Search Filters on page 8for information on how to create filters.
If you have your search filter ready and wish to use it to create a
report click Reports in the top menu and click Add new report.
Summary report - global
 
When you create global filers, summary reports for the global filter will be created automaticaly.
However, if you delete your contact or upgrade, you might have to create one manually.
Summary report - private
Choose user that the report should belong to.
Choose what private filter you like to base the report on.
Click on “Save” and your report is created.
Note: When you have added your report it will take maximum 5 minutes until any graps is created.
Manage a global or private summary report
 
When you have created your report, it will show up every time you click Reports in the page top menu and then Global or Private summary reports flap.
Deleting
To delete a report
Click on the to the right of the report
Click OK on the popup
Viewing
To view a report click on the to the right of the report.
You will see a view like this:
The view is divided in two parts:
A graph displaying number of filter matches
A top 10 logging hosts table with number of matches per host.
You can “zoom” in on the grap by selecting what timeframe you want to look at by pressing the links under the graph image.
Settings
 
op5 LogServer stores the logged data in three different locations:
A local database for normal web access of latest data
Compressed archive for longer term storage on local filesystem
Compressed archive on remote file server for storage up to many years, only limited by the amount of disk space available
We recommend that you use op5 Monitor to check the available disk space on all disks used to store log data, so that you receive an alert if disk space is insufficient.
The picture below shows how the settings page looks like. Each option will be described in the next sections.
Storage Settings
Database Storage
 
How long you wish to keep data in the database - the Rotate database After setting - depends on how much data you log. Most organisations are happy with the default setting of 5 days, but if you log very much data you may need to store it for a shorter amount of time, regarding performance and disk space used.
Note: Old values will be converted if you upgrade.
Local Storage
 
The Local Storage Path is a setting you normally do not need to touch, unless you wish to save it on another storage unit.
The Keep archave in local storage setting with its default of 5 days regulates for how long the data will be stored in the local filesystem on the op5 LogServer machine. After this period of time, data will be stored only on the remote file server - still accessible but the access will be slower.
The issue is disk space; you would normally want to save data for as long as possible, without filling up the local hard disk. Keep in mind that since the amount of logged data per day often increases over time, you need a lot of free disk space for the future.
Note: Old values will be converted if you upgrade.
Remote storage
 
You should mount a remote file server in the file system on your LogServer machine. You can read more about this in Section B - Using Remote Storage.
When you have done so, set the Remote Storage Path to the mount point - you can use /opt/logserver/remote or any other path you choose.
If you wish to impose a time limit on the remote storage with the setting Keep Archive in Remote Storage.
Note: During upgrade  Forever will be converted to 999 months.
Note: 999 Months is the maximum limit.
Enable fulltext index
 
In some environments full text indexing of log messages is not really a good thing.
For example if you have a lot of log messages from a firewall that contains a lot of ”non-words”, binary data dumps and such.
Log messages like that can hog your CPU and affect the responsiveness of the op5 LogServer system.
Note: If you turn off the full text index, queries using full text syntax will still work but a bit slower.
The monitor host
 
Here you can define the hostname of your op5 monitor server that will be used in the links in the host field in the search result.
Use Monitor 5
 
Check this check box to have the links in the host field in the search result pointing to the new Ninja Gui instead of the old 4.x version.
Host information page
 
If you like to have an custom URL, instead of the standard URL to Monitor for the link in the host field in the search result, you can define it here.
Note: You still need to define the hostname in the text field The monitor host.
This can be any URL and to have the hostname added to the URL just use a [host] like in this example:
Example 6 /index.php?host=[host]
Import filter
 
You can import already exported filters here. Just click on Browse to choose the file. Then click on Import to import the filters.
Note: Every imported filter will be set as global with default permissions.
Export filters
 
Choose the filters you like to export and ”move“ them over from Available filters to Selected filters. Click on Export to save the XML file containing the filters. You can then import them via the Importfilters section in Settings.
When exporting a filter that depends on an other filter both of themwill be exported to make sure dependencies are untouched.
Note: Both global and private filters can be exported and no permission settings will be included
Users and Groups
 
To access Users and Groups, you have to be logged on as a user with admin privileges. If you have user administrator privileges, you will see a link called Users and Groups in the main menu at the top.
User Management
Add user
 
To add a new user click on
Fill in Username
Real Name
Email
Password
Repeat Password
Select the group(s) you want the user to belong to
Select the default filter to be used for the user
And press
Edit User
 
To edit a user, click on
Delete User
 
To delete a user, click on and answer “OK” on the popup.
Changing password as user
 
When logged in to the op5 LogServer you will see your username and a logout button in the top right corner.
Pressing the username will popup a “Update password” dialogue.
Enter your old password
Type in your new password
Verify your new password by re-typing it
 
Group Management
 
As default all new created user can see all log messages. To have it the opposite way you should remove the group all from the filter all. The you create groups for different level of users and set the permissions on the filters for the groups you created.
Default Groups
 
op5 LogServer comes with a couple of default groups that can’t be deleted:
 
Group
Description
Filter Administrators
Create/Manage Global filters, Create/Manage Summary reports
Import Administrators
Import old logs from archive into DB
Report Administrators
Create/Manage Auto reports, No access to Summary reports
Settings Administrators
Access/Change Settings
User Administrators
Create/Manage Users/Groups
Summary Viewers
View Summary reports
Add Group
 
To add a new group click on in the top menu
Then on the tab
And press
Fill in name
Description
Select and move the users you will assign/remove to this group
And press
 
 
 
 
Edit group
 
To edit a group, click on or doubleclick on the row for the group.
 
To delete a group, click on and answer “OK” on the popup.
 
Audit tracking
 
Since version 3.5 of op5 LogServer we have included audit tracking to make sure an administrator can se what the users have been doing. The following actions is logged:
 
Password and settings changes
Logging in and out
Creating, editing, deleting and viewing of auto reports
Adding, editing, deleting and viewing users and groups
Creating, editing, deleting and viewing of summary reports
Changing filter permissions
Importing logs
Creating, editing and deleting filters
Making filters global/private and viewing/changing permissions on filters
Importing/exporting filters
Exporting result sets to CSV
 
Everything is logged via syslog so the logs will show up in the GUI.
Two filters are added to make it easy ti either see or hide the audit messages:
Filtername
Description
audit
Shows all audit messages - useful for admins.
all except audit
Shows everyting except for audit messages. This is useful as a base for other filters, so that users don’t see audit messages.