Viewing and managing agent logs in the administration console

All logs that have been configured to appear in the console can be seen in the Agent logs menu. In this menu, you will be able to analyze, filter and manage logs, add exceptions so that certain logs will no longer be generated, and run Yara or IoC scans from logs. You can also Analyzing incidents to understand attacks and Performing a remediation from logs.
If an agent is offline and its logs were not sent to the agent handler, you can export its logs so that you can import and view them later in the Agent logs panel.

The Agent logs - Modify privilege is required to manage logs and create exceptions.

  1. Choose the Agent Logs menu.
    Logs from all components appear according to the active filters applied.
    The first time the log panel is opened, the logs displayed will be all the logs that were generated over the past 24 hours.
    Identical logs generated by several agents are grouped by default on a single row and identified by the grouped logs icon icon.
  2. If you want to view logs without them being grouped, disable the Group events option at the top right side.
  3. To view details of logs in a group, click on the grouped logs icon.
  4. In the main log view or in the view of a log group, click on the Date button to select the period that you want to view, and click on Apply. With the double arrow in the drop-down menu, select the period from a calendar. The cross to the right of the Date field resets the period to the last 24 hours.
    5. The list of logs generated during the selected period appears.
    The color on the left side of a log line indicates its severity: there are eight levels of severity that correspond to the levels on the syslog protocol. Every level is assigned a color:

  1. In the Agent column in the ungrouped view, click on the three dots to choose which information to display about the agent: Host name, user name and/or IP address.
  2. To the right of the logs, click on if you want to see or modify the rule that generated the log. This rule will stand out from other rules in the rule panel because it is grayed out and shows a blue bar on its left.
  3. In the main log view or in the view of a log group, click on the small arrow to the left of the log to open it and display additional information
    • Details tab: full description of the processes, actions, etc. that caused the generation of the log. Two links make it possible to immediately check the maliciousness of each process involved, either on Google or the VirusTotal website. For this feature, the workstation that runs the administration console must have Internet access.
    • Raw log tab: code of the log in JSON format.

    If you suspect an issue and need to display more logs, change the log settings in the agent group logs or in the security rule.

  1. In the Filters table of the Agent logs panel, enable filters to customize your list of logs. Every column corresponds to a type of filter and contains several values. Click on these values to enable the corresponding filter, then click on Apply.

    In this image, for example, only New logs that involve an Incident are displayed.

    • The Severity column shows all the log levels:

      • Very high: Emergency and Alert logs,

      High: Error and Critical logs,

      Medium: Notice and Warning logs,

      Low: Debug and Informational logs.

    • The Status column allows you to filter logs by the status that you assigned. Refer to the section Managing logs.
    • You can look for groups and agents in the Agent group and Agent columns by entering full or partial names in the search field.
    • The Application and Target application columns make it possible to filter logs by applications that performed an action and those on which the action was applied.
  2. Click on Advanced filters to add other more specific filters that will refine your list of logs. In the advanced filter window:
    1. Click on Add filter.
    2. Select the desired filter type. A line appears in the advanced filter window.
    3. Enter the value of the filter by selecting it from a list or by entering it manually.
    4. Specify whether the filter must include or exclude the value. This filter is inclusive by default – it displays all logs that match the chosen value. Click on to make this an exclusive filter.
    5. Add other filters if necessary. More advanced filters means fewer results in the list of logs.
    6. Click on OK.

    You can go back to your initial filtering at any time, by clicking on Default filters: only New or In progress logs will be displayed.

When you manage log analysis, you can assign a status to each log and indicate the name of the user who analyzed it. Log status is important information that can be seen on the administration console dashboard under Recent threats.

  1. In the Agent logs panel, select one or several logs, then click on Edit selected logs. The Edit logs window appears.
  2. Select the status that you want to assign to the logs in the Status list:
    • New: default status of a log. The log has never been analyzed.
    • In progress: the log is being analyzed.
    • False positive: the log has been identified as a false positive – a security rule triggered this log but it does not represent a malicious action. This status is automatically assigned to logs for which you have added an exception. For further information, refer to the section Viewing and managing agent logs in the administration console.
    • Fixed: the issue described in the log has been fixed.
    • Closed: the analysis of the log is complete. No further action is required.
  3. In the Assigned to list, select the name of a user to whom the log will be assigned. This list shows all users declared in SES Evolution. For further information, refer to the section Managing users on the SES Evolution administration console.
  4. In the Comments field, enter additional information if necessary about the log or your action. If anything is entered in this field, a tool tip will appear in the Status column in the list if logs.
  5. Click on OK.

After you have analyzed a log and decide that the action that triggered the log was not malicious and should not have been blocked, you can add an exception for this log. Doing so will prevent this action from being blocked and/or logged again in the future.

  1. In the Agent logs panel, select one or several incident logs that you no longer wish to generate in the future, then click on Add exceptions. This will automatically:
    • Add one or several protection rules in the Exception rule set of the security policy in question. These rules will prevent these incidents from being blocked under the same circumstances. The application IDs needed for such rules will also be created.
    • Assign a False positive status to the log in question, and identify the user who added the exception.
    • Add the comment “Automatic exception created from this log” to the log.
  2. If necessary, you can look up or edit the exception rule created from the log:
    1. Show your log by enabling the False positive filter.
    2. Click on the icon.

    The exception rule that matches this log will appear. It will stand out from other rules in the rule panel because it has a blue bar on its left.
    If this rule cannot be found, this means that it was deleted in the meantime.

If your appliance pool was targeted in an attack reflected in agent logs, you can perform a remediation to limit the impact of the attack and repair any damage caused.

  1. In the Agent logs panel, select a log and click on Tasks > Create a remediation task.

  2. Follow the steps indicated in Performing a remediation.

If a log indicates that a process or file is potentially dangerous, you can configure a Yara or IoC scan to look up the process or file on the agent.

  1. In the Agent logs panel, select a log and click on Tasks.

  2. Select the scan type.
    The task panel appears and the agent to which the log applies will be automatically selected.

  3. Follow the procedure in Running a Yara scan on demand or Running IoC scans on demand to finish the configuration and run the scan.

When an agent is unable to access the agent handler, its logs cannot be sent to the administration console, and will therefore not appear in the Agent logs panel. You can export these logs to import them later into the console and read them in the same way as other logs.

Exported logs remain on the agent.

  1. Log in to the agent workstation as an administrator.
  2. Double-click on the icon in the status bar.
    The SES Evolution agent interface appears.
  3. In the Help and support tab, click on Events.
    The list of logs from this workstation appears.
  4. Click on Export events... and choose the destination folder.
    A cab file is generated.
  5. Copy it to a USB key or send it by e-mail.
  6. Copy this cab file to the import folder of the agent handler, e.g., C:\ProgramData\Stormshield\SES Evolution\Server\AgentLogs\Import. After around ten seconds, the file will disappear from the Import folder and the logs that it contains will appear in the Agent logs panel.

TIP
You can also export logs via a script, by launching EsGui ([.]\\Stormshield\SES Evolution\Agent\Bin\Gui) with the command /ExportLogs. Alternatively, you can specify in the command line the destination folder to which the file will be exported. For example: EsGui /ExportLogs "C:\Users\Administrator\Desktop\Logs.cab"