Log Decoders have the ability to track the log count and last received time for each event source and forwarder that reports to it.
View Log Stats Information
To view Log Stats information:
- Depending on your version:
  - For Security Analytics 10.x: In the Security Analytics menu, select Administration > Services.
  - For NetWitness 11.x: In the NetWitness menu, select ADMIN > Services.
- Select a Log Decoder service and click View > Stats.
- Click the Log Stats tab.
Enable Source and Forwarder Tracking
Source and forwarder tracking is not enabled by default. To enable it, start capture and then perform the following procedure.
- Access the REST API by entering the following URL in a web browser, where logDecoderIP is the IP address of the Log Decoder: http://logDecoderIP:50102
- Click decoder, then config. This displays all the configuration parameters for the Log Decoder.
- Scroll down until you find Log Stats Enabled (log.stats.enabled).
- In the text field, type true, and click Set.
Once set, every subsequent log received by the Log Decoder increments the count and updates the last received time for the event source that generated the log and for the forwarder that delivered the log to the Log Decoder (if there is one).
Details
The Log Stats tab displays the following information.
Feature | Description |
---|---|
Event Source Type | The name of the log parser for this event source. |
Forwarder | The address of the device that delivered the log to the Log Decoder (as determined by the network connection). |
Event Source | The address or hostname of the device that generated the log. |
Log Count | The number of logs encountered with this source or forwarder since log stat collection was enabled. |
Last Received Time | The time that this source or forwarder was last encountered. |
If you restart capture (or if you set log.stats.enabled to false), the statistics are reset.
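The main operational use of these statistics is spotting event sources that have stopped reporting. As an added example that is not part of the original documentation, the following Python script consumes rows shaped like the Log Stats tab (constructed sample data; the column names, the timestamp format and the one-hour threshold are assumptions) and flags silent sources, attributing the silence to the forwarder when every source behind it has gone quiet. It deliberately keys on Last Received Time rather than Log Count, because counts reset whenever capture restarts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows mirroring the Log Stats tab columns (not real data).
# Column names and the timestamp format are assumptions for this example.
LOG_STATS_ROWS = [
    {"event_source_type": "ciscoasa", "forwarder": "10.0.0.5", "event_source": "fw01",
     "log_count": 18422, "last_received_time": "2024-03-01 12:58:10"},
    {"event_source_type": "winevent_nic", "forwarder": "10.0.0.5", "event_source": "dc01",
     "log_count": 9301, "last_received_time": "2024-03-01 12:59:42"},
    {"event_source_type": "rhlinux", "forwarder": "10.0.0.9", "event_source": "web01",
     "log_count": 4410, "last_received_time": "2024-03-01 09:12:00"},
    {"event_source_type": "rhlinux", "forwarder": "10.0.0.9", "event_source": "web02",
     "log_count": 3975, "last_received_time": "2024-03-01 09:14:30"},
    # No forwarder: the source sends directly to the Log Decoder.
    {"event_source_type": "apache", "forwarder": "", "event_source": "proxy01",
     "log_count": 120, "last_received_time": "2024-03-01 11:20:00"},
]

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed format of Last Received Time


def silent_sources(rows, now, max_silence):
    """Return rows whose Last Received Time is older than now - max_silence.

    Log Count is intentionally ignored: it resets when capture restarts or
    log.stats.enabled is toggled, so a low count is not evidence of an outage.
    """
    limit = now - max_silence
    return [r for r in rows
            if datetime.strptime(r["last_received_time"], TIME_FORMAT) < limit]


def attribute_silence(rows, now, max_silence):
    """Split silent sources into forwarders that went quiet as a whole (every
    source behind them is silent) and sources that are silent on their own."""
    silent_names = {r["event_source"] for r in silent_sources(rows, now, max_silence)}
    sources_by_forwarder = defaultdict(list)
    for r in rows:
        if r["forwarder"]:  # direct senders have no forwarder to blame
            sources_by_forwarder[r["forwarder"]].append(r["event_source"])
    dead_forwarders = sorted(fwd for fwd, srcs in sources_by_forwarder.items()
                             if all(s in silent_names for s in srcs))
    source_alerts = sorted(r["event_source"] for r in rows
                           if r["event_source"] in silent_names
                           and r["forwarder"] not in dead_forwarders)
    return dead_forwarders, source_alerts


if __name__ == "__main__":
    now = datetime(2024, 3, 1, 13, 0, 0)
    fwds, srcs = attribute_silence(LOG_STATS_ROWS, now, timedelta(hours=1))
    print("quiet forwarders:", fwds)   # ['10.0.0.9']
    print("quiet sources:", srcs)      # ['proxy01']
```

Because the statistics are reset by a capture restart, run this comparison against a snapshot taken after capture has been up long enough for every expected source to have reported at least once.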