Viewing and managing agent logs in the administration console

All the logs you have configured to be displayed on the console are visible in the Environment > Agent logs menu. In this menu, you will be able to analyze, filter and manage logs, add exceptions so that certain logs will no longer be generated, and run Yara or IoC scans from logs. You can also Analyzing contexts to understand attacks and Managing remediation tasks from logs.


If an agent is offline and its logs were not sent to the agent handler, you can export its logs so that you can import and view them later in the Agent logs panel.

The Agent logs - Modify privilege is required to manage logs and create exceptions.

  1. Select the Environment > Agent Logs menu.
    The list of logs for all components is displayed according to the active filters.
    When the logs panel is opened for the first time, the New and In progress logs, of Emergency and Alert level, issued in the last 24 hours are visible.
    Identical logs generated by several agents make up an Event. They are grouped by default on a single row and identified by the grouped logs icon icon.
  2. If you wish to display the ungrouped logs view, disable the Group events option in the top right-hand corner.
  3. To view details of logs in a group, click on the grouped logs icon, then expand the group by clicking on the + icon to the left of the group.
  4. In the main log view or in the view of a log group, click on the Date button to select the period that you want to view, and click on Apply. With the double arrow in the drop-down menu, select the period from a calendar. The cross to the right of the Date field resets the period to the last 24 hours.
    5. The list of logs generated during the selected period appears.
    The color to the left of a log line indicates the severity level: there are 8 severity levels, corresponding to the Syslog protocol levels. Every level is assigned a color:

  1. In the Agent column in the ungrouped view, click on the three dots to choose which information to display about the agent: Host name, user name and/or IP address.
  2. To the right of the logs, click on if you want to see or modify the rule that generated the log. This rule will stand out from other rules in the rule panel because it is grayed out and shows a blue bar on its left.
  3. In the main log view or in a log group view, click on the small arrow to the left of the log to open it and display additional information:
    • Details tab: full description of the processes, actions, etc. that caused the generation of the log. Two links allow you to check the malicious nature of each process involved directly on the Google search engine or on the VirusTotal website. For this feature, the workstation that runs the administration console must have Internet access.
    • Raw log tab: code of the log in JSON format.

    If you suspect an issue and need to display more logs, change the log settings in the agent group logs or in the security rule.

  1. In the Filters table of the Logs agents panel, enables filters to customize your log list. Every column corresponds to a type of filter and contains several values. Click on these values to enable the corresponding filter, then click on Apply.

    In this image, for example, only Critical level New logs are displayed.

    • The number indicated in brackets refers to the number of separate logs, not the total number of logs. Identical logs make up a single event and are counted only once. In the image above, there are 12 critical logs, but only four logs are counted: two events (i.e., log groups) and two individual logs.
    • The Status column allows you to filter logs by the status that you assigned. Refer to the section Managing logs.
    • You can look for groups and agents in the Agent group and Agent columns by entering full or partial names in the search field.
    • The Application and Target application columns make it possible to filter logs by applications that performed an action and those on which the action was applied.
  2. Click on Advanced filters to add other more specific filters that will refine your logs list. In the advanced filter window:
    1. Click on Add filter.
    2. Select the desired filter type. A line appears in the advanced filter window.
    3. Enter the value of the filter by selecting it from a list or by entering it manually.
    4. Specify whether the filter must include or exclude the value. This filter is inclusive by default – it displays all logs that match the chosen value. Click on to make this an exclusive filter.
    5. Add other filters if necessary. More advanced filters means fewer results in the list of logs.
    6. Click on OK.

    At any time, you can return to the initial filtering by clicking on Default filters: only logs whose severity is Emergency or Alert and status is New or In progress will be displayed.

When you manage log analysis, you can assign a status to each log and indicate the name of the user who analyzed it. Log status is an important piece of information visible on the administration console dashboard in the Events by status area.

  1. In the Environment > Agent logs panel, select one or several logs, then click on Edit selected logs. The Edit logs window appears.
  2. In the Status list, select which status you wish to assign to the logs:
    • New: default status of a log. The log has never been analyzed.
    • In progress: the log is being analyzed.
    • False positive: the log has been identified as a false positive – a security rule triggered this log but it does not represent a malicious action. This status is automatically assigned to logs for which you have added an exception. For further information, refer to the section Viewing and managing agent logs in the administration console.
    • Fixed: the issue described in the log has been fixed.
    • Closed: the analysis of the log is complete. No further action is required.
  3. In the Assigned to list, select the name of a user to whom the log will be assigned. This list shows all users declared in SES Evolution. For more information, see Managing users on the SES Evolution administration console.
  4. In the Comments field, enter additional information if necessary about the log or your action. If anything is entered in this field, a tool tip will appear in the Status column in the list if logs.
  5. Click on OK.

If, after analyzing a log, you consider that the action that triggered it was not malicious and should not have been blocked, you can add an exception to the log. Doing so will prevent this action from being blocked and/or logged again in the future. Likewise, if you think that a file was wrongly quarantined, add an exception on the quarantine log.

  1. In the Environment > Agent logs panel, select one or more context logs you no longer wish to generate in future, then click Add exceptions. This will automatically:
    • Add one or more rules to the Exception rule set of the relevant security policy. These rules ensure that a blockage does not occur in identical circumstances. The application IDs needed for such rules will also be created.
    • Assign a False positive status to the log in question, and identify the user who added the exception.
    • Add the comment Automatic exception created from this log to the log.
    • In an exception on a quarantined file, the file will automatically be restored at its original location the next time the environment is deployed.
  2. If necessary, you can look up or edit the exception rule created from the log:
    1. Display your log by enabling the False positive filter.
    2. Click on the icon.

    The exception rule that matches this log will appear. It will stand out from other rules in the rule panel because it has a blue bar on its left.
    If this rule cannot be found, this means that it was deleted in the meantime.

If your appliance pool was targeted in an attack reflected in agent logs, you can perform a remediation to limit the impact of the attack and repair any damage caused.

  1. In the Environment > Agent logs panel, select a log and click on Tasks > Create remedial task.

  2. Follow the procedure Managing remediation tasks.

If a log indicates that a process or file is potentially dangerous, you can configure a Yara or IoC scan to look up the process or file on the agent.

  1. In the Environment > Agent logs panel, select a log and click on Tasks.

  2. Select the type of analysis.
    The task panel appears and the agent to which the log applies will be automatically selected.

  3. Follow the procedure in Running a Yara scan on demand or Running IoC scans on demand to finish the configuration and run the scan.

When an agent does not have access to the agent handler, its logs cannot be transmitted to the administration console and are therefore not visible in the Agent logs panel. You can export these logs to import them later into the console and read them in the same way as other logs.

Exported logs remain on the agent.

  1. Log in to the agent workstation as an administrator.
  2. Double-click on the icon in the status bar.
    The SES Evolution agent interface appears.
  3. In the Help and support tab, click on Events.
    The list of logs from this workstation appears.
  4. Click on the Export events... button, and select the destination folder.
    A cab file is generated.
  5. Copy it to a USB key or send it by e-mail.
  6. Copy this cab file to the import folder of the agent handler, e.g., C:\ProgramData\Stormshield\SES Evolution\Server\AgentLogs\Import. After approximately ten seconds, the file disappears from the Import folder and the logs it contains are displayed in the Agent logs panel.

TIP
You can also export logs via a script, by running the EsGui program ([...]\Stormshield\SES Evolution\Agent\Bin\Gui) with the /ExportLogs command. Alternatively, you can specify in the command line the destination folder to which the file will be exported. For example: EsGui /ExportLogs "C:\Users\Administrator\Desktop\Logs.cab"