SIEM, Log Management, Security, Compliance, Server Monitoring and Uptime Monitoring Software
Table of Contents

SIEM Reports

A SIEM Report queiries centralized log databases for specific log entries generated from various log types on multiple servers, workstations and network devices, applies log entry filters, applies display options, such as the column order, group by and sort by rules, then lastly, displays, saves or emails the output results.

This report is typically used by network administrators that want to analyze and correlate Security Event Logs and data from various sources within their organization's network infrastructure, such as firewalls, intrusion detection systems, and servers.

Note
To quickly view logs of the same type, see: Merging Logs.

SIEM Reports optionally use Regular Expressions to parse log entries, extract values, validate subject and target accounts in Active Directory (when applicable), then, finally, filter entries using each assigned log type's native filters.

How to create a SIEM Report

  • From the Menu Bar select File | New. The Create New Object View displays.
  • From the Create New Object View, expand Reports.
  • Expand Report | Log Consolidation Reports then select SIEM Report. The Properties View displays.
Note
Unlicensed report types appear in gray text. If you would like to create a report that is not currently licensed, please contact Corner Bowl Software to upgrade your license.
Sample Windows Security Log and Linux Audit Log Assignment
Sample Windows Security Log and Linux Audit Log Assignment
Sample Windows/Linux Success Logon Report Column Definitions
Sample Windows/Linux Success Logon Report Column Definitions
Note
If you apply regular expressions column definitions in your corresponding log consolidation templates, and the column keys are identical between log types, you do not need to re-apply the regular expressions to the report.

The Options Tab

  • Use the Filters drop-down to select all of the filters you would like to apply to the report.
Important
Filters are only applied to corresponding log entries types. For example, when you have assigned both an Event Log and a Text Log to the report, Event Log Filters are only applied to Event Log Entries while Text Log Filters are only applied to Text Log Entries.
Sample Regular Expression Driven Success Login Filter Properties View
Sample Regular Expression Driven Windows Success Login Filter Properties View
Sample Regular Expression Driven Red Hat Linux Success Login Filter Properties View
Sample Regular Expression Driven Red Hat Linux Success Login Filter Properties View
  • Once a filter is assigned, use the Include entries that pass drop-down to select the filter method.
    The following filter options are available:
OptionDescription
AllInclude each entry that passes all assigned filters.
AnyInclude each entry that passes any filter.
NoneInclude each entry that does not pass any of the filters.
IgnoreInclude all entries.
Sample SIEM Success Logon Report Properties View
Sample SIEM Success Logon Report Properties View
  • Use the Select distinct count controls to define a composite key to select a distinct count of entries that match your composite key. For example, generate a report that displays the number of each unique event type, Information, Warning, Critical, Audit Success and Audit Failure or the number of unique entries keyed by Event ID and Source on each assigned host).
Sample Select Distinct Count Properties View
Sample Select Distinct Count Properties View
  • Use the Query by controls to optimize SQL statements. For example, if the column you want to search for was added using a regular expression column defnition, specify the column key and the value to search for. Once executed, only rows that match your search criteria are returned from the database engine.
Sample Select Clause to Optimize SQL Table Scans
Sample Select Clause to Optimize SQL Table Scans
Sample Windows/Linux Success Logon Report
Sample Windows/Linux Success Logon Report

Related Topics

Merging Logs

Reports