LogLogic Appliances let you monitor a large variety of data to observe the system’s status and the widgets saved on your Dashboard.
Topics
• Viewing System Status on page 10
• Viewing Multiple Systems Status (Management Station) on page 15
• Viewing Log Source Status on page 20
• Viewing Log Source Data Trend on page 26
• Managing Your Dashboard on page 27
Viewing System Status
The System Status tab displays a condensed view of the appliance's current state, showing current message rate, CPU utilization, alerts, total message counts, and disk usage (including usage external to the database).
To view system status
1. Choose Dashboards > System Status from the navigation menu.
2. View the following sections on the System Status tab for information about your appliance’s system status:
— Current Message Rate
— New Alerts
— Disk Usage
— CPU Usage
— Message Counters
Detailed descriptions of each section are given in Table 2 on page 10.
3. Click the expand/collapse control on a section to display an expanded or condensed version of that section’s status information.
4. Optionally, click the Message Rate tab for a larger view of the Message Rate graph. For more information, see Viewing Message Rate on page 17.
5. Optionally, click the CPU Usage graph or the CPU Usage tab for a larger version of the CPU Usage graph. For more information, see Viewing CPU Usage on page 18.
6. Click the Refresh button to update the system status information for your appliance.
Table 2 System Status Tab Elements
Element: Description
General information
Uptime: Continuous running time since the last reboot of the appliance.
Date/Time: Date and time set on the appliance.
Software Version: LogLogic software release running on the appliance.
Failover (not visible unless issues are present): Status of the Management Station cluster’s master and standby appliances. If issues exist, they are indicated through flags:
• C: Cluster_id mismatch
• A: Appliance model mismatch
• V: Software version mismatch
• E: Eligible
For example, the failover status line Failover: master 10.1.4.6 (wait), standby 10.1.4.7 (flags:__V/EHX/O) means the master is waiting for the standby, and the standby is running the wrong software version, is configured for failover, is eligible for HA, but is excluded, and (as a result of the version mismatch) is out of cluster.
IMPORTANT! After pairing two appliances in HA, do not change any network settings.
System Status sections
Current Message Rate: Measured messages-per-second rate for the last 1, 5, and 15 minute time segments.
Click the 1 MIN, 5 MIN, or 15 MIN heading links to change the Message Rate Graph time scale to 2 hour, 12 hour, and 24 hour time scales, respectively.
When LogLogic TCP is used to route logs to the appliance, this graph displays spikes of activity every 5 minutes rather than a steadier line. This is because LogLogic TCP transfers data in regularly recurring chunks that are merged on the appliance, not continuously.
Message Rate Graph (Message Rate tab): Recent message rate over 1, 5, and 15 minute time segments.
The pink line represents the average number of messages per time segment.
The blue line represents the real-time incoming message rate for your appliance.
The red line appears when inbound traffic exceeds the preset threshold.
Click the Message Rate tab for a larger view of this graph.
New Alerts (LX/MX only): Number of active alerts over 1, 6, and 12 hour periods, categorized by priority.
Disk Usage: Usage of the disk on the file system. Because it lists Free and Total available usage, this can be helpful for calculating data retention time tables.
CPU Usage: Current CPU utilization for the last 1, 5, and 15 minute time segments.
Click the 1, 5, and 15 minute headings to change the CPU Usage Graph time scale to 2, 12, and 24 hour time scales, respectively.
CPU Usage Graph: Percent CPU utilization over 1, 5, and 15 minute time segments.
Click the CPU Usage Graph or the CPU Usage tab for a larger version of this graph.
Message Counters: Statistics on each message category stored in the appliance since the last boot. Each count is also shown as a percentage of the total number of messages received. This is useful in calculating data retention settings and maximum syslog message rates.
Message categories:
Total Received—Total number of incoming messages for all categories.
Processed—Total number of messages received and parsed into the database.
Unapproved—Messages received from a log source that is not in the Manage Devices table. These messages are discarded. If auto-identify is on, all messages are auto-identified and no messages are unapproved.
Skipped—Total number of messages ignored by the appliance when the log source entry in LMI exists but is disabled.
Dropped—Total number of messages recognized but not processed due to network congestion or a corrupted syslog message.
The following appear only on LX and MX appliances:
Total Parsed—Total number of incoming messages parsed for all categories.
Accepted IP—Total number of messages indicating successful connections through the firewall. For example, PIX® Message Numbers 302013-302016.
Denied IP—Total number of messages indicating denied access by the firewall. For example, PIX Message Numbers 106001, 106006, 106007, 106015, 106023.
Security—Total number of messages to be recorded in the Security Event Log report.
System—Total number of messages to be recorded in the System Event Log report.
Generic—Total number of flawed messages received from an approved source. These messages are discarded.
URL—Total number of messages to be recorded in the Web Surfing Activity report.
FTP—Total number of messages to be recorded in the FTP Connections report.
Auth/Access—Total number of messages to be recorded in the VPN Events report.
Other—Any message that is not included in the other listed categories, that is, a message received from an approved source that contains an unrecognized message number. Certain known message numbers are discarded.
Refresh button: Updates the system status information for your appliance.
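The Message Counters rows above describe how the appliance sorts received messages into categories (Unapproved when the source is not in the device table, Skipped when the entry is disabled, Accepted IP and Denied IP by PIX message number, and so on) and reports each count as a share of Total Received. The following script, an added example and not LogLogic code, applies those rules to a handful of constructed syslog lines so the bookkeeping behind the counters can be checked by hand. The device table, the sample lines, the "<src-ip> %PIX-<severity>-<number>:" line shape and the rule that Processed equals everything not discarded are assumptions made for the example; only the category names and the PIX message numbers come from the table.

```python
"""Message-counter classification, modelled on the categories in Table 2.

Added example, not LogLogic code. The device table, the sample syslog lines
and the "<src-ip> %PIX-<sev>-<msgnum>:" line shape are constructed here for
illustration; only the category names and the PIX message numbers for the
Accepted IP / Denied IP categories come from the guide.
"""
import re
from collections import Counter

# Constructed stand-in for the Manage Devices table: source IP -> enabled?
DEVICES = {
    "10.10.10.10": True,    # approved and enabled
    "10.10.10.11": False,   # approved but disabled: its messages are "Skipped"
}

# Firewall message numbers named in the guide.
ACCEPTED_IP = set(range(302013, 302017))             # PIX 302013-302016
DENIED_IP = {106001, 106006, 106007, 106015, 106023}  # PIX denied-access numbers

# Constructed line shape: "<src-ip> %PIX-<severity>-<6-digit number>: text"
LINE_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) %PIX-\d-(?P<num>\d{6}): ")

DISCARDED = ("Dropped", "Unapproved", "Skipped")


def classify(line, devices=DEVICES, auto_identify=False):
    """Return the Table 2 counter category for one received line."""
    m = LINE_RE.match(line)
    if m is None:
        # Corrupted syslog message: the guide counts these under Dropped.
        return "Dropped"
    ip, num = m.group("ip"), int(m.group("num"))
    if ip not in devices:
        if not auto_identify:
            return "Unapproved"   # source not in the device table; discarded
        # With auto-identify on, unknown sources are accepted and parsed.
    elif not devices[ip]:
        return "Skipped"          # device entry exists but is disabled
    if num in ACCEPTED_IP:
        return "Accepted IP"
    if num in DENIED_IP:
        return "Denied IP"
    return "Other"                # approved source, unrecognised message number


def count_messages(lines, devices=DEVICES, auto_identify=False):
    """Build the counter table: Total Received, Processed and one entry per
    category. Processed is taken as everything that was not discarded
    (an assumption made for this example)."""
    counts = Counter(classify(line, devices, auto_identify) for line in lines)
    summary = {"Total Received": len(lines)}
    summary["Processed"] = len(lines) - sum(counts[c] for c in DISCARDED)
    for cat in DISCARDED + ("Accepted IP", "Denied IP", "Other"):
        summary[cat] = counts[cat]
    return summary


def percent_of_total(summary, category):
    """Percentage of Total Received, as the dashboard shows beside each count."""
    total = summary["Total Received"]
    return round(100.0 * summary[category] / total, 1) if total else 0.0


# Constructed sample traffic, not captured from a real appliance.
SAMPLE = [
    "10.10.10.10 %PIX-6-302013: Built outbound TCP connection",
    "10.10.10.10 %PIX-6-302014: Teardown TCP connection",
    "10.10.10.10 %PIX-4-106023: Deny tcp src outside",
    "10.10.10.10 %PIX-6-305011: Built dynamic TCP translation",
    "10.10.10.11 %PIX-6-302013: Built outbound TCP connection",
    "192.0.2.99 %PIX-6-302013: Built outbound TCP connection",
    "this line has no syslog header at all",
    "10.10.10.10 %PIX-3-106001: Inbound TCP connection denied",
]

if __name__ == "__main__":
    s = count_messages(SAMPLE)
    for cat, n in s.items():
        print(f"{cat:15} {n:4}  {percent_of_total(s, cat):5.1f}%")
```

Running it with auto_identify=True shows the effect the table describes for that setting: the line from the unknown source 192.0.2.99 moves from Unapproved into Accepted IP, and the Unapproved counter drops to zero.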
Viewing Multiple Systems Status (Management Station)
The Management Station System Status is the fastest way to view the condition and status of your appliances as traffic flows through your system. You can use this information for rapid reporting to the operations staff and to obtain information about syslog messages at any particular time.
The System Status information uses a proprietary technology for optimizing and then collecting security data for immediate use. Administrators can monitor CPU usage when necessary to check for congestion.
To view system status using a Management Station
1. Choose Dashboards > Management Station from the navigation menu.
2. View the following sections on the Management Station tab for information about an appliance’s status:
— Message Statistics
— Message Rate
— New Alerts
— Message Counters
For detailed descriptions of each section, see Table 3 on page 15.
3. Click the Refresh button to view updated status information for the appliance.
Table 3 Management Station Screen Elements
Element: Description
General information
Software Version: Management Station appliance’s software version.
Help icon: Displays the Help topic for this tab.
Management Station sections
Appliances: Lists the appliances in your Management Station cluster. To view the System Status for an appliance, click its name.
• A green square indicates the appliance is online.
• A red square indicates the appliance is offline.
• A blank square indicates the appliance entry is being updated.
Message Statistics: Displays the following message statistics:
• Total, Processed, Dropped, Unapproved, and Skipped—Message processing information about each managed appliance. Click a number in these columns to change the displayed value to the nearest thousand, million, or billion. Click the ID, Model, or IP column headings to sort the appliances as required.
• Message Rate/Sec—Message rate, per second, by time segments of 1, 5, and 15 minutes. Click the message rate values to set the Message Rate graph to 4, 12, and 24 hour time scales, respectively.
• Time Skew—Time delta, in seconds, between the Management Station appliance and each remote appliance.
Message Rate Graph: Monitors the rate at which messages are collected.
The Message Rate graph displays the current message rate by time segments of 1, 5, and 15 minutes; for example, 1 min – 100 msgs/sec. On ST Appliances, the number of messages per second (xxx msgs/sec) for the appliance appears to the right of the minutes. This xxx value does not include messages that arrive via the LogLogic TCP protocol.
• The pink line represents the average number of messages per time segment.
• The blue line represents the real-time incoming message rate for your appliance.
• The red line appears when inbound traffic exceeds the preset threshold.
New Alerts: The number of activated alerts, by hour and priority (High, Medium, Low, All). Click an alert value to show the Aggregated LX or MX Alert Log.
Message Counters: Statistics on each message category stored in the syslog database. Each count is also shown as a percentage of the total number of messages received. This is useful in calculating data retention settings and maximum syslog message rates.
The following is a list of message counters:
• Total Received—Total number of incoming messages for all categories.
• Processed—Total number of messages received and parsed into the file system.
• Skipped—Total number of messages ignored by the appliance when the log source entry in LMI exists but is disabled.
• Unapproved—Messages received from a log source that is not in the Manage Devices table. These messages are discarded. The most recent 100 messages are accessible from the Data Sources screen. (If auto-identify is on, all messages are auto-identified and no messages are unapproved.)
• Dropped—Messages recognized but not processed due to network congestion.
Refresh button: Updates the system status information for your appliance.
Viewing Message Rate
The Message Rate tab shows the number of messages processed by the appliance over a 12-hour time period.
To view the message rate of the appliance
1. Choose Dashboards > System Status from the navigation menu.
2. Click the Message Rate tab to view the Message Rate graph.
3. If you are viewing a larger version of the Message Rate graph, click the back and forward buttons to display the number of messages during a specific time segment.
For additional information about the graph, see Table 4 on page 18.
4. Click the Refresh button to update the Message Rate graph.
Table 4 Message Rate Tab Elements
Element: Description
Back and forward buttons:
• Go back 12 hours.
• Go back six hours.
• Go forward 12 hours.
• Go forward six hours.
Help icon: Displays the corresponding Help topic.
Message Rate section
<blue line>: Real-time message traffic, which includes UDP syslog and/or raw TCP (SyslogNG) traffic.
<pink line>: Average rate of the incoming messages for the time segment shown.
<red line>: Appears when inbound traffic exceeds the preset threshold.
Refresh button: Updates the Message Rate graph.
Viewing CPU Usage
The CPU Usage tab contains a graph that shows CPU utilization as a percentage over a 12-hour time period.
To view the CPU usage
1. Choose Dashboards > System Status from the navigation menu.
2. View the CPU usage by doing one of the following in the System Status screen:
— View the small graph in the CPU Usage section.
— Click the small graph in the CPU Usage section to view a larger version of the graph.
— Click the CPU Usage tab to view a larger version of the graph.
3. If you are viewing a larger version of the CPU Usage graph, click the back and forward buttons to display the CPU usage during a specific time segment.
For additional information about the graph, see Table 5 on page 19.
4. Click the Refresh button to update the CPU Usage graph.
Table 5 CPU Usage Tab Elements
Element: Description
Back and forward buttons:
• Go back 12 hours.
• Go back six hours.
• Go forward 12 hours.
• Go forward six hours.
Help icon: Displays the corresponding Help topic.
CPU Usage section
<blue line>: CPU usage in real time.
<pink line>: Average CPU percent utilization for the time segment shown. To see a larger version of the screen, click the CPU Usage tab.
Refresh button: Updates the CPU Usage graph.
Viewing Log Source Status
The Log Source Status tab lets you view statistics for each source device.
To view the log source status
1. Choose Dashboards > Log Source Status from the navigation menu.
2. View the following log status information for each source device:
— Name
— IP Address
— Type
— Last Received Time
— Collector Domain
— Total Message Count
— Byte Rate/Sec
— Description
For detailed descriptions of each item, see Table 6 on page 20.
3. Click the Refresh button to update the view of your devices.
4. Optionally, click the print icon to print all the items in the list.
Log Source Status Descriptions
Table 6 lists and describes the elements in the Log Source Status tab.
If during auto-discovery a device has the same name as an existing device, a random number is appended to the device name.
Table 6 Log Source Status Tab Elements
Element: Description
Export to CSV: Saves the report in CSV format. You can view the file in Excel as a spreadsheet.
Note: The CSV file saves and displays a maximum of 10,000 lines. A generated report can contain more than this number.
Export to HTML: Displays the report in HTML format in a new window. You can save the HTML file to your local machine.
Note: The HTML file saves and displays a maximum of 5000 lines. A generated report can contain more than this number.
Export to PDF: Saves the report as a PDF file. You can save the PDF file to your local machine. Viewing the generated report as a PDF only works with Adobe Acrobat Reader version 6.0 and higher.
Note: The PDF file saves and displays a maximum of 5000 lines even though the generated report may contain more than this number.
Print icon: Click to print all the items in the list.
Help icon: Click to display the corresponding Help topic.
Page navigation:
• Displays the first page or last page of detail for the device list.
• Displays the previous page of detail for the device list.
• Displays the next page of detail for the device list.
• To display details for a specific page, type a page number and click GO.
Note: For certain pages that display this option, you can only view a set number of rows. To set the number of rows to view, use the Personal Preferences tab.
Log Source Status section (all of the following columns are sortable)
Name: Name of your source device. The format for this field is <collector domain id>_<ip address>_<device type>, for example 1_10.10.10.10._windows.
IP Address: IP address for your source device.
Type: Type of source device.
Last Received Time:
• For file-based devices, the time displayed is the time the last event was processed.
• For syslog-based devices, the time displayed is the time the last event was received.
Collector Domain: The name used to identify each message sent from a specific device. This can be either the Collector Domain name added in the LogLogic Universal Collector or the name specified in the LMI when the device was added.
Total Message Count: The following types of message counts:
• Total—Total number of messages processed for the specified device.
• 1 Min—Total number of incoming messages during the previous one-minute period.
• 5 Min—Total number of incoming messages during the previous five-minute period.
• 15 Min—Total number of incoming messages during the previous 15-minute period.
1 Min (Byte Rate/Sec): Byte rate per second for each device during the previous one-minute period.
Description: Description you defined for the source device in the Management > Devices > Devices tab and the Management > Check Point Configuration > Interfaces tab.
If you selected the Auto-identify Log Sources option in the Administration > System Settings > General tab, the system displays that the source device is an auto-identified log source.
Refresh button: Updates the view of your devices. If auto-identify is enabled and the appliance detects new devices, refresh displays them in this view.
Advanced Options
By default, all of these options are displayed:
• Name
• IP Address - supports /prefix length <0-32> for IPv4 and /prefix length <0-128> for IPv6; that is, the field supports Classless Inter-Domain Routing (CIDR) notation for IPv4 and IPv6. Available options include:
— equals - only returns the pattern entered
— not equals - returns everything but the entered pattern
— in - several patterns may be entered, separated by a comma; all matches will be returned
— not in
— like - like behaves the same way as "in"
— not like
Note: The use of asterisks (*) is no longer supported.
• Type
Use the drop-down menu to view options in ascending or descending order.
Clear button: Deletes all text in the Advanced Options text boxes.
Execute button: Executes with the defined Advanced Options parameters.
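The IP Address option under Advanced Options accepts CIDR patterns for IPv4 and IPv6 and applies one of the operators equals, not equals, in, not in, like or not like to them, with the asterisk wildcard no longer accepted. The script below, an added example that is not LogLogic code, shows the matching semantics those rules imply by running each operator over a constructed list of log-source rows. The device rows are made up; the treatment of a bare address as a /32 or /128 network, the rejection of "*" as an error, and the handling of "like"/"not like" as aliases of "in"/"not in" (which the table says behave the same way) are assumptions made for the example.

```python
"""IP Address filter for the Log Source Status list, modelled on the Advanced
Options in Table 6: CIDR patterns (IPv4 /0-32, IPv6 /0-128) and the
equals / not equals / in / not in / like / not like operators.

Added example, not LogLogic code. The device rows are constructed; the guide
says "like" behaves the same as "in", so the two are treated as aliases here.
"""
import ipaddress

# Constructed log-source rows in the <domain id>_<ip>_<type> name format: (name, ip, type)
DEVICES = [
    ("1_10.10.10.10_windows", "10.10.10.10", "windows"),
    ("1_10.10.10.11_pix", "10.10.10.11", "pix"),
    ("2_192.0.2.5_syslog", "192.0.2.5", "syslog"),
    ("2_2001:db8::7_syslog", "2001:db8::7", "syslog"),
]

# Operator aliases: the guide states that "like" behaves the same way as "in".
INCLUDE_OPS = {"equals", "in", "like"}
EXCLUDE_OPS = {"not equals", "not in", "not like"}


def parse_patterns(text):
    """Split a comma-separated pattern list into ip_network objects.

    A bare address becomes a /32 (IPv4) or /128 (IPv6) network. An asterisk is
    rejected because the guide says wildcard matching is no longer supported.
    """
    nets = []
    for raw in text.split(","):
        raw = raw.strip()
        if not raw:
            continue
        if "*" in raw:
            raise ValueError("wildcard '*' is not supported; use CIDR notation")
        # strict=False lets "10.10.10.10/24" mean the containing /24 network.
        nets.append(ipaddress.ip_network(raw, strict=False))
    return nets


def matches_any(ip_text, nets):
    """True if the address falls inside any pattern of the same IP version."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip.version == net.version and ip in net for net in nets)


def filter_devices(devices, operator, pattern_text):
    """Return the device rows the Advanced Options filter would keep."""
    op = operator.strip().lower()
    nets = parse_patterns(pattern_text)
    if op in INCLUDE_OPS:
        keep_matches = True
    elif op in EXCLUDE_OPS:
        keep_matches = False
    else:
        raise ValueError(f"unknown operator {operator!r}")
    if op in ("equals", "not equals") and len(nets) != 1:
        raise ValueError(f"'{op}' takes exactly one pattern")
    return [row for row in devices if matches_any(row[1], nets) == keep_matches]


if __name__ == "__main__":
    for op, pat in [("equals", "10.10.10.10"),
                    ("in", "10.10.10.0/24, 2001:db8::/32"),
                    ("not in", "10.10.10.0/24")]:
        names = [row[0] for row in filter_devices(DEVICES, op, pat)]
        print(f"{op:10} {pat:32} -> {names}")
```

Mixed-version pattern lists work as the table implies: an IPv4 row is only ever compared against IPv4 patterns and an IPv6 row against IPv6 ones, so "not in 10.10.10.0/24" keeps the IPv6 source rather than failing on it.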
Viewing Unapproved Messages
Use the Unapproved Messages tab to view information on up to 100 of the most recent real-time messages received from a recognized but unapproved source. Unapproved messages are discarded.
Summary data on unapproved messages can be seen from the Dashboards > System Status tab.
Messages from all file-based data are not listed here because they are not treated as real-time messages.
To view unapproved messages
1. Choose Dashboards > Log Source Status from the navigation menu.
2. Click the Unapproved Messages tab.
3. This section contains the elements described in Table 7.
4. Click the Refresh button to update the information.
5. (Optional) Click the print icon to print all the messages in the list.
6. (Optional) Click the Help icon to open the Help topic.
Table 7 Unapproved Messages Tab Elements
Element: Description
No.: Number assigned to the message.
Time: Time the message was received.
IP Address: IP address of the appliance through which the message was received.
Message: Text of the message.
Viewing Recent Messages
Use the Recent Messages tab to view information on up to 100 of the most recently received real-time messages.
Messages from all file-based data are not listed here because they are not treated as real-time messages.
To view recent messages
1. Choose Dashboards > Log Source Status from the navigation menu.
2. Click the Recent Messages tab.
This section contains the elements described in Table 8.
3. Click the Refresh button to update the information.
4. (Optional) Click the print icon to print all the messages in the list.
5. (Optional) Click the Help icon to open the Help topic.
Table 8 Recent Messages Tab Elements
Element: Description
No.: Number assigned to the message.
Time: Time the message was received.
IP Address: IP address of the appliance through which the message was received.
Message: Text of the message.
Viewing Log Source Data Trend
The Log Source Data Trend tab displays the graphs of incoming Syslog Data rate in MB from all sources over the last 24 hours. The top graph displays Realtime Logs, and the bottom graph shows File Transfer Logs. Log data that has been fully indexed is represented by blue bars; log data to be indexed is represented by orange bars. The bar graphs refresh once per minute.