Where can I find Log Analyzer logs on Orion server?

I'd like to find where I can see which rule is tagging messages as they come in to the Log Viewer console. I have 800 different Rules, and a couple of them seem to be tagging Logs for incorrect vendors. I'd like to check the rules that have tagged these messages, but I can't effectively go through 800 rules one at a time. I'm hoping there's some log messages on the system that would indicate which Rule was used to tag.

  • I am checking on this with the team. Not sure if there is any info in the logs or if we need some SQL / SWQL to solve this.

  • So it seems this is not as straightforward as a query, unfortunately. There are no indications in the DB about what rule applied the tag. The only place to see what you are looking for is likely in the logs, and only if the level is set to debug, which can generate a great deal of info very quickly. This may be a situation where it is better to open a ticket and ask the support team to step through this with you so you can isolate the rules in question. If you decide to do that, please ping me the ticket number so I can keep an eye on it internally.

  • Hmm, the problem for me is going through hundreds of rules individually. Thanks Jvb! Ticket 00474905. Haven't heard back since Tuesday.

    Thanks again!

  • Yep, understood. Lots of customers have a large amount of rules so we may need to look at improving this from a diagnostic level. Thanks for the input! I will keep an eye on the ticket and nudge it if need be.

  • Is there a way to see the count of how many times a particular rule fired? That may help me whittle it down to the most likely offenders.


  • Ticket seemed to have died last Friday. I've asked a few questions back to my support tech and I can't get a reply from them.

  • Well, I was able to come up with an easy workaround that got me what I was after. I cloned an already existing Log Alert, and changed the trigger condition to only a vendor that I knew wasn't a legit target but was still being tagged.

    [Image: rule tag.PNG]

    and set it to include Processing Rule where "is not empty".

    [Image: alert trigger condition.PNG]

    In the trigger action, I put 3 variables: the Log Message, the Rule Name, and Rule Definition ID.

    It didn't take long to trigger, and as soon as it did, I could see in the alert message the name of the rule that triggered the alert.

    [Image: rule name.PNG]

    And sure enough, after going to that rule, I found that it did not have any conditions or limitations applied, corrected it, and haven't seen any improperly fire since.

  • OK, thanks for sharing the solution back here and I will do some investigation on why the ticket went dead on you.