Level 10

Where can I find Log Analyzer logs on Orion server?

I'd like to find where I can see which rule is tagging messages as they come in to the Log Viewer console. I have 800 different Rules, and a couple of them seem to be tagging Logs for incorrect vendors. I'd like to check the rules that have tagged these messages, but I can't effectively go through 800 rules one at a time. I'm hoping there are some log messages on the system that would indicate which Rule was used to tag.

Product Manager

Re: Where can I find Log Analyzer logs on Orion server?

I am checking on this with the team. Not sure if there is any info in the logs or if we need some SQL / SWQL to solve this.

Product Manager

Re: Where can I find Log Analyzer logs on Orion server?

So it seems this is not as straightforward as a query, unfortunately. There are no indications in the DB about what rule applied the tag. The only place to see what you are looking for is likely in the logs, and only if the level is set to debug, which can generate a great deal of info very quickly. This may be a situation where it is better to open a ticket and ask the support team to step through this with you so you can isolate the rules in question. If you decide to do that, please ping me the ticket number so I can keep an eye on it internally.

Level 10

Re: Where can I find Log Analyzer logs on Orion server?

Hmm, the problem for me is going through hundreds of rules individually. Thanks Jvb! Ticket 00474905. Haven't heard back since Tuesday.

Thanks again!

Product Manager

Re: Where can I find Log Analyzer logs on Orion server?

Yep, understood. Lots of customers have a large amount of rules so we may need to look at improving this from a diagnostic level. Thanks for the input! I will keep an eye on the ticket and nudge it if need be.

Level 10

Re: Where can I find Log Analyzer logs on Orion server?

Is there a way to see the count of how many times a particular rule fired? That may help me whittle it down to the most likely offenders.

Thanks!

Level 10

Re: Where can I find Log Analyzer logs on Orion server?

Ticket seemed to have died last Friday; I've asked a few questions back to my support tech and I can't get a reply from them.

Level 10

Re: Where can I find Log Analyzer logs on Orion server?

Well, I was able to come up with an easy workaround that got me what I was after. I cloned an already existing Log Alert, and changed the trigger condition to only a vendor that I knew wasn't a legit target but was still being tagged.

rule tag.PNG

and said include Processing Rule where "is not empty".

alert trigger condition.PNG

In the trigger action, I put 3 variables: the Log Message, the Rule Name, and Rule Definition ID.

It didn't take long to trigger, and as soon as it did, I saw in the alert message the name of the rule that triggered the alert.

rule name.PNG

And sure enough, after going to that rule, I found that it did not have any conditions or limitations applied, corrected it, and haven't seen any improperly fire since.

Product Manager

Re: Where can I find Log Analyzer logs on Orion server?

OK, thanks for sharing the solution back here and I will do some investigation on why the ticket went dead on you.