Replay lets you re-analyze archived log data by processing it from its archived location on an ST Appliance with an LX Appliance as its remote appliance. The LX Appliance treats the data as if it were new data, and sends it through the parsing process again.
Because you are replaying archived data, the original timestamps on the log data are kept, so you need to run reports and searches with this in mind. The archived data can then be made available to custom reports and searches.
Replay is particularly useful if you recently added support for new log sources, reports, or Compliance Suites.
Topics
• How Replay Works on page 114
• Configuring Appliances to Replay Archived Data on page 117
• Replaying Archived Data on page 121
Replay is not supported on MX Appliances.
Replay only works with IPv4 addresses.
How Replay Works
Replay requires a source ST Appliance and a destination LX Appliance to be configured in a Management Station relationship. The ST Appliance must be a Management Station that manages the LX Appliance. The Management Station relationship ensures that you manage Replay sessions correctly.
The source ST Appliance and destination LX Appliance manage the progress of each Replay session. Therefore, if at any point a Replay session is interrupted (for example, the network goes down or the appliance service is not available):
1. The source ST Appliance keeps trying to replay data indefinitely until a connection is re-established.
2. Once the connection is re-established, the data transfer resumes where it left off. After the replay is completed, the Replay Status is updated to completed on the Replay Status tab.
How a Replay session works:
1. The scheduled Replay session starts.
2. Replay gathers the appropriate archived data on the source ST Appliance based on the Replay rules specified in the Replay session. The source ST Appliance notifies the destination LX Appliance how many files it is transferring.
3. The source ST Appliance transfers the appropriate archived log data to the destination LX Appliance. Authentication and encryption are used only if configured for the Replay session.
4. All log data is received by the destination LX Appliance, and the LX Appliance begins processing it as new data. Log data is received by LLTCP-HTTP.
5. After all log data is processed by the destination LX Appliance, it notifies the source ST Appliance that the Replay session is completed.
6. The source ST Appliance ends the Replay session and updates the status to completed.
When using Replay, the LX Appliance must not be set up as a Management Station. If the configuration is not correct, Replay will not work.
Archived real-time files on the source ST Appliance are always rediscovered during a Replay session whether or not a search filter is used. Rediscovering real-time files lets additional devices be recognized that were not known during the initial capture by the LX or ST Appliance. However, file-based logs are not rediscovered at this time.
Pulled files are always replayed as a whole file. However, real-time logs can be subjected to filtering.
Replay Environment Configuration
LogLogic recommends that you set up a dedicated destination LX Appliance to handle Replay sessions. Dedicating an Appliance lets you focus on only the data you want to re-analyze and does not affect the production environment hard drive space and message handling.
LogLogic lets you configure your Replay environment to support the following source to destination relationship:
• One to one
Figure 13 Single source ST Appliance using a single destination LX Appliance
If you do not use a dedicated LX Appliance for Replay sessions, you risk having duplicate data. Reports and searches intended to be done on “production” data can also pick up Replayed data, giving you inaccurate results.
The maximum number of replays is 16. Canceled and completed replays are not included in the total number.
The user must have Search Archived Data privileges on the ST Appliance to replay the archived data. For more information on user privileges, see Setting User Privileges on page 223.
Data Retention
If the destination LX Appliance becomes full during a Replay session, standard data retention rules for the Appliance apply. That is, the oldest files are purged to make room for the new messages coming in from the Replay session. LogLogic recommends that you configure data retention for the LX Appliance you are using to handle Replay sessions. The retention time is counted from the time the log data was generated by the original log source.
Authentication
If a Replay session is configured to use authentication, the source ST Appliance must present an authentication key to the destination LX Appliance. However, the LX Appliance does not need to send an authentication key to the ST Appliance. The LX Appliance asks for authentication only if the ST Appliance is configured as an upstream device with an authentication key. If the LX Appliance is configured without authentication, any upstream device can connect without requiring an authentication key.
Auto-Identify Turned On in the LX Appliance
If auto-identify is turned on in the destination LX Appliance, any forwarding Appliance (source ST Appliance) can connect without sending an authentication key. However, if the upstream device is configured on the destination LX Appliance with an authentication key, the key must match the key from the source ST Appliance.
Auto-Identify Turned Off in the LX Appliance
If auto-identify is turned off in the destination LX Appliance, only configured upstream devices can connect to the LX Appliance. If the LX Appliance also is configured to use an authentication key, the key must match the key from the source ST Appliance.
If a key mismatch with an authenticated channel prevents the ST Appliance from connecting to the LX Appliance, an error message is captured in the sys.log file for both Appliances.
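The connection rules above, modelled in Python as an added illustration (this is not the appliance's code): a decision function for the auto-identify and upstream-key cases, plus a defender's check that flags the settings which let any device connect without a key. The class, field and function names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the rules in this section; the class, field and function
# names are assumptions for illustration, not the appliance's configuration schema.
@dataclass
class LxAuthConfig:
    auto_identify: bool
    # configured upstream devices: source IP -> required key, or None when the
    # upstream entry was added without an authentication key
    upstream: dict = field(default_factory=dict)

def replay_connection(lx, source_ip, presented_key=None):
    """Return (allowed, reason) for a source ST Appliance opening a Replay channel."""
    if source_ip in lx.upstream:
        required = lx.upstream[source_ip]
        if required is None or required == presented_key:
            return True, "configured upstream device accepted"
        return False, "key mismatch (an error is written to sys.log on both Appliances)"
    if lx.auto_identify:
        return True, "auto-identify accepted an unconfigured device without a key"
    return False, "auto-identify off and device not configured as upstream"

def weak_settings(lx):
    """Defender's check: settings that let devices feed the LX without a key."""
    findings = []
    if lx.auto_identify:
        findings.append("auto-identify on: any unconfigured device can connect")
    findings += [f"upstream {ip} has no authentication key"
                 for ip, key in lx.upstream.items() if key is None]
    return findings

# Constructed examples: a permissive configuration and a hardened one
LOOSE = LxAuthConfig(auto_identify=True)
HARDENED = LxAuthConfig(auto_identify=False, upstream={"192.0.2.10": "example-key"})
```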
Configuring Appliances to Replay Archived Data
To configure Appliances to replay archived log data from an ST Appliance to an LX Appliance you must configure the LX Appliance and then the ST Appliance:
• Configuring the LX Appliance on page 117
• Configuring the ST Appliance on page 118
Configuring the LX Appliance
To configure an LX Appliance to process archived log data from an ST Appliance, you must complete:
• Configuring the LX Appliance to Analyze Data on page 117
• Clearing All Log Data from the LX Appliance on page 118
Configuring the LX Appliance to Analyze Data
LogLogic recommends that you set up the LX Appliance that replays archived data as you would a production Appliance. Specifically, to obtain the maximum benefit of replaying archived log data, ensure that you have all of the appropriate components and system settings configured in your Replay Appliance.
Consider configuring at least the following:
• Alerts—Configure alerts to send SNMP events or email notification of specific occurrences found in the data in the replay session.
• Reports—Configure reports to analyze the data in the replay session.
• Search Filters—Configure search filters to run reports and searches on specific log data.
• Devices—Ensure that you have all applicable devices configured.
• Full Text Indexing—Consider turning on full-text indexing on all data (parsed and unparsed; unparsed data is log data that is not associated with a supported log source).
• PIX/ASA Messages—Enable if the archived data contains PIX/ASA messages (if you enable PIX/ASA Messages and you do not have PIX/ASA messages in the replay session, it does not impact the Appliance).
• Message Routing—Enable only if you need to forward log data to another device.
• Data Retention—Configure how long to retain the data from the replay session on the destination LX Appliance (retention time is counted from the time the log data was generated by the original log source).
System Alerts (Message Volume and Ratio-Based) might produce skewed results because the data is sent all at once rather than over the time period in which it was originally sent. LogLogic recommends that you use message-based alerts instead.
To speed up the setup process, use the Import/Export tool. For example, you can import components such as search filters and reports from any LX Appliance. You must manually set system settings such as data retention and full-text indexing.
For more information on importing and exporting components from one Appliance to another, see Import/Export Entities Between Appliances on page 181.
Clearing All Log Data from the LX Appliance
Before sending archived log data to an LX Appliance configured for replay, consider clearing the Appliance of all log data. A clean Appliance lets you run reports and searches on only the archived data you are replaying.
If you want to combine log data from multiple replay sessions, do not clear the log data.
To clear all log data on the destination LX Appliance
When logged in directly to the destination LX Appliance, or when managing the LX Appliance from the ST Management Station:
1. In the navigation menu click Administration > Clear Log Data.
2. The Clear Log Data tab appears.
The clean-up process removes all log data on the LogLogic Appliance. It does not remove configuration data (such as system settings) or reports, search filters, etc.
The clear log data operation cannot be done in an HA environment. To clear log data from a node, the node must first be removed from the HA environment.
Configuring the ST Appliance
To configure an ST Appliance to send archived log data to a destination LX Appliance, you must complete:
• Setting Up a Management Station Relationship on page 119
• Adding and Modifying Replay Rules on page 119
Setting Up a Management Station Relationship
You must set up the source ST Appliance as a Management Station with the destination LX Appliance as an Appliance in the Management Station cluster:
1. On the ST Appliance, in the navigation menu click Management > Management Station.
2. The Configuration tab appears. See Managing Appliances with Management Station on page 9.
3. For the LX Appliance to be used as the destination for the archived data to be replayed, enter its:
— Appliance IP or DNS Name
— Appliance Name
— Appliance Type
4. Click Add.
The LX Appliance appears as an Appliance in the Management Station cluster.
Adding and Modifying Replay Rules
Replay rules let you define specific data to include in a Replay session. Each Replay rule identifies data from the specific device and timeframe, so you can specify to push data associated only with certain devices or from all devices.
For example, you can create a rule that pushes data for your Blue Coat Proxy SG log sources from 03/11/09 at 00:00:00 to 03/12/09 at 23:59:59. You can also define a rule to push data for a specific Cisco PIX/ASA log source by specifying the device type as Cisco PIX/ASA and the Source Devices as the specific log sources.
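The selection a Replay rule performs, together with the filtering and retention behaviour described in How Replay Works and Data Retention, modelled in Python as an added illustration (not the appliance's code) over a constructed archive catalogue: pulled files are replayed whole, only real-time logs are filtered, and retention on the destination counts from the original generation time. The field names and the substring search filter are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime as D, timedelta

# Constructed model of the selection the guide describes; the field names and
# the substring search filter are assumptions, not the appliance's own schema.
@dataclass(frozen=True)
class ArchivedFile:
    device_type: str  # e.g. "Cisco PIX/ASA"
    source_ip: str    # IPv4 address of the original log source
    start: D          # timestamp of the first message in the file
    end: D            # timestamp of the last message in the file
    kind: str         # "realtime" (streamed logs) or "pulled" (file-based logs)
    lines: tuple      # constructed sample messages

@dataclass(frozen=True)
class ReplayRule:
    device_type: str
    source_devices: frozenset  # empty means every device of that type
    interval: tuple            # (start, end), inclusive
    search_filter: str = ""    # stands in for a pre-defined search filter

def select_files(rule, archive):
    """Files whose device and time range fall inside the rule's scope."""
    lo, hi = rule.interval
    return [f for f in archive
            if f.device_type == rule.device_type
            and (not rule.source_devices or f.source_ip in rule.source_devices)
            and f.end >= lo and f.start <= hi]

def lines_to_replay(rule, archive):
    """Pulled files are always replayed whole; only real-time logs are filtered."""
    out = []
    for f in select_files(rule, archive):
        if f.kind == "pulled" or not rule.search_filter:
            out.extend(f.lines)
        else:
            out.extend(l for l in f.lines if rule.search_filter in l)
    return out

def purged_on_arrival(rule, archive, retention_days, today):
    """Files the destination's retention drops at once (it counts from generation time)."""
    cutoff = today - timedelta(days=retention_days)
    return [f for f in select_files(rule, archive) if f.end < cutoff]

ARCHIVE = [  # constructed sample catalogue of archived files on the ST Appliance
    ArchivedFile("Cisco PIX/ASA", "10.0.0.1", D(2009, 3, 11), D(2009, 3, 11, 23),
                 "realtime", ("Built outbound TCP", "Deny tcp src")),
    ArchivedFile("Cisco PIX/ASA", "10.0.0.2", D(2009, 3, 12), D(2009, 3, 12, 23),
                 "pulled", ("pulled line a", "pulled line b")),
    ArchivedFile("Blue Coat Proxy SG", "10.0.0.3", D(2009, 3, 11), D(2009, 3, 11, 23), "realtime", ("GET / 200",)),
    ArchivedFile("Cisco PIX/ASA", "10.0.0.1", D(2009, 4, 1), D(2009, 4, 1, 23), "realtime", ("Deny tcp later",)),
]
RULE = ReplayRule("Cisco PIX/ASA", frozenset(),
                  (D(2009, 3, 11), D(2009, 3, 12, 23, 59, 59)), search_filter="Deny")
```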
To add a Replay Rule
1. From the navigation menu of the ST Appliance, click Administration > Replay.
2. Click the Replay Rules tab.
3. The Replay Rules tab appears listing all existing Replay rules in the Appliance.
4. Click the Add Rule button.
5. The Add Replay Rule tab appears.
6. Enter the following information:
— Rule Name—Name of the rule.
— Device Type—Select the device or application generating the logs to be transferred.
— Source Device—IP address of the device from which you want to transfer files.
— Search Filter—Select the Pre-Defined search filter to use to filter the archived log data.
— Time Interval—Time interval for the archived data you want to process.
7. Click Save to save the Replay rule.
Once you add your Replay rule you can schedule a Replay session that uses your Replay rules.
To modify a Replay Rule
1. From the navigation menu of the ST Appliance, click Administration > Replay.
2. Click the Replay Rules tab.
3. The Replay Rules tab appears listing all existing Replay rules in the Appliance.
4. Mouse over the name of an existing Replay rule and left-click. The Modify Replay Rule tab appears.
5. Enter the following information:
— Rule Name—Name of the rule.
— Device Type—Select the device or application generating the logs to be transferred.
— Source Device—IP address of the device from which you want to transfer files.
— Search Filter—Pre-defined search filter to use to filter the archived log data.
— Time Interval—Time interval for the archived data you want to process.
6. Click Save to modify the Replay rule (or Cancel to discard modifications).
Once you modify your Replay rule you can schedule a Replay session that uses your Replay rules.
Replaying Archived Data
Once you configure the LX and ST Appliances and set up Replay rules, you can schedule a replay session.
• Scheduling a Replay Session on page 121
• Viewing Replay Progress on page 122
Scheduling a Replay Session
You can schedule a Replay session to run immediately or at a scheduled time in the future.
You can schedule multiple Replay sessions to run from the same source ST Appliance, but the destination LX Appliance must be different. Replay sessions are serialized and start in sequence.
To schedule a Replay session
1. From the navigation menu of the ST Appliance, click Administration > Replay.
The Replay Status tab appears listing all existing Replay sessions in your system.
If no Replay session has been scheduled yet, the Replay Status tab will display “No match found in database” even though you may have added a Replay rule (or modified an existing one) and configured the Time Interval—you still must schedule the Replay rule to run in a Replay session.
If you run a report in the destination Appliance on newly replayed data, you might see only a portion of the data since the Appliance needs time for aggregation. Specifically, if you run a report, the count (number of entries) might not match the actual detailed data that you see when you drill down on the count. Try modifying the search interval or run the report later.
When scheduling a replay, if you select the Authentication and Encryption options, type the CLI command system keycopy on the ST Appliance and follow the instructions displayed on the screen to add the public key to the LX Appliance.
Real-time logs can be replayed multiple times; duplicate logs will not be rejected by the LX Appliance. However, file-based logs are accepted only once, and duplicate logs will be rejected by the LX Appliance.
2. To schedule a Replay session, click the Schedule Replay button.
The Schedule Replay tab appears.
3. In the Schedule Replay tab, enter the following information:
— Destination—IP address of the destination LX Appliance used for the Replay session.
— Replay Rules—Select the appropriate Replay rule (to add additional rules, click Add Rule).
— Authentication Required—Select the checkbox to enable authentication between the source ST Appliance and the destination LX Appliance.
— Encryption Required—Select the checkbox to require encryption of the data sent from the source ST Appliance to the destination LX Appliance.
— Schedule replay to run immediately—Select the checkbox to schedule the Replay session to run immediately upon clicking the Save button.
— Start Time—Start date and time to run the Replay session.
4. Click the Save button.
The Replay Status tab appears with the new scheduled replay session. If you scheduled the Replay session to occur in the future, the State appears as pending.
All completed Replay sessions remain in the Replay Status page showing their state. You can remove a Replay session.
Viewing Replay Progress
When using Replay, you can view the progress of the log data as it is gathered and sent from the source ST Appliance, as well as the progress of incoming log data to the destination LX Appliance.
Viewing Replay Progress in the Source ST Appliance
The ST Appliance lets you view the progress of a running Replay session as well as the status of all scheduled Replay sessions.
To view the progress of a Replay session in the ST Appliance, use the Replay Status tab. To access the Replay Status tab, from the navigation menu click Administration > Replay.
To view the status of a Replay session on an ST Appliance
1. From the navigation menu of the ST Appliance, click Administration > Replay.
2. The Replay Status tab appears listing all existing Replay sessions in your system.
3. Navigate to the appropriate Replay session in the Replay Status table and view the State and Status columns.
The State column lists the current state of the Replay session:
• canceled—Replay session was canceled by a user
• completed—Replay session is complete
• in progress—Replay session is currently running
• pending—Replay session is scheduled to run
The Status column lists the status of the Replay session:
• Messages—total messages to process
• retrieved—total messages to be sent to the destination LX Appliance
• sent—total messages sent to the destination LX Appliance
Viewing Progress in the Destination LX Appliance
From the destination LX Appliance, to view the progress of incoming log data for a replay session, you can use the dashboard tools as well as the Real-Time Viewer:
• To view the dashboard tools, in the navigation menu click Dashboards > System Status. From here you can also access the Message Rate and CPU Usage tabs.
• To view the Real-Time Viewer, in the navigation menu click Real-Time Viewer. Real-Time Viewer lets you view all incoming log data or specify filters to view only specific log data.
Canceling a Replay Session
You can cancel any Replay session that is in progress or that is scheduled to run.
Depending on the state of the replay session, you might need to do further clean-up of the Appliance. Specifically, you might want to clear the log data in the destination LX Appliance if the log data in the replay session was being parsed.
If you cancel a Replay session that is in progress, the Replay session finishes the file it is currently processing before stopping.
To cancel a replay session:
1. From the navigation menu of the ST Appliance, click Administration > Replay.
The Replay Status tab appears listing all existing Replay sessions in the Appliance.
2. Select the appropriate Replay session, and then click Cancel.
3. Confirm that you want to cancel the Replay session.
The Replay Status tab appears with your Replay session showing a state of canceled.