Viewing and managing agent logs in the administration console

All the logs you have configured to be displayed on the console are visible in the Environment > Agent logs menu. In this menu, you will be able to analyze, filter and manage logs, add exceptions so that certain logs will no longer be generated, and run Yara or IoC scans from logs. You can also Analyzing contexts to understand attacks and Managing remediation tasks from logs.

The date and time of the agent logs displayed on the console are based on the time zone set on the machine hosting the console.


If an agent is offline and its logs were not sent to the agent handler, you can export its logs so that you can import and view them later in the Agent logs panel.

The Agent logs - Modify privilege is required to manage logs and create exceptions.

  1. Select the Environment > Agent Logs menu.
    The list of logs for all components is displayed according to the active filters.
    When the logs panel is opened for the first time, the New and In progress logs, of Emergency and Alert level, issued in the last 24 hours are visible.
    Identical logs generated by several agents make up an Event. They are grouped by default on a single row and identified by the grouped logs icon icon.
  2. If you wish to display the ungrouped logs view, disable the Group events option in the top right-hand corner.
  3. To view details of logs in a group, click on the grouped logs icon, then expand the group by clicking on the + icon to the left of the group.
  4. In the main log view or in the view of a log group, click on the Date button to select the period that you want to view, and click on Apply. With the double arrow in the drop-down menu, select the period from a calendar. The cross to the right of the Date field resets the period to the last 24 hours.
    5. The list of logs generated during the selected period appears.
    The color to the left of a log line indicates the severity level: there are 8 severity levels, corresponding to the Syslog protocol levels. Every level is assigned a color:

  1. In the Agent column in the ungrouped view, click on the three dots to choose which information to display about the agent: Host name, user name and/or IP address.
  2. To the right of the logs, click on if you want to see or modify the rule that generated the log. This rule will stand out from other rules in the rule panel because it is grayed out and shows a blue bar on its left.
  3. In the main log view or in a log group view, hover the cursor over the right-hand end of a log line, and click on to open it and display additional information:
    • Details tab: full description of the processes, actions, etc. that caused the generation of the log. Links allow you to directly check:For this feature, the workstation that runs the administration console must have Internet access.
    • Raw log tab: code of the log in JSON format.

    If you suspect an issue and need to display more logs, change the log settings in the agent group logs or in the security rule.

 

  1. In the Filters table of the Agent logs panel, enable the filters to customize your list of logs. Every column corresponds to a type of filter and contains several values. Click these values to enable the corresponding filter, then click Apply.

    For example in this image, only the New logs of Critical severity are displayed.

    • The number indicated in brackets refers to the number of separate logs, not the total number of logs. Identical logs make up a single event and are counted only once. The image above shows 9 critical logs (consolidated in two events), but only two logs are accounted for.
    • The Status column allows you to filter logs by the status that you assigned. Refer to the section Managing logs.
    • You can look for groups and agents in the Agent group and Agent columns by entering full or partial names in the search field.
    • The Application and Target application columns make it possible to filter logs by applications that performed an action and those on which the action was applied.
  2. Click Advanced filters to add other more precise filters and hence refine your list of logs. In the advanced filter window:
    1. Click on Add filter.
    2. Select the desired filter type. A line is displayed in the advanced filters window.
    3. Enter the value of the filter by selecting it from a list or by entering it manually.
    4. Specify whether the filter must include or exclude the value. This filter is inclusive by default – it displays all logs that match the chosen value. Click on to make this an exclusive filter.
    5. Add other filters if necessary. More advanced filters means fewer results in the list of logs.
    6. Click on OK.

    At any time, you can return to the initial filtering by clicking Default filters: only logs whose severity is Emergency or Alert and status is New or In progress will be displayed.

You can share a filter with a colleague who also has administrator privileges. For more information, see SES EvolutionSharing log information.

When you manage log analysis, you can assign a status to each log and indicate the name of the user who analyzed it. Log status is an important piece of information visible in the administration console dashboard in the Events by status area.

  1. In the Environment > Agent logs panel, select one or several logs, then click on Edit selected logs. The Edit logs window appears.
  2. In the Status list, select the status to allocate to the logs:
    • New: default status of a log. The log has never been analyzed.
    • In progress: the log is being analyzed.
    • False positive: the log has been identified as a false positive – a security rule triggered this log but it does not represent a malicious action. This status is automatically assigned to logs for which you have added an exception. For further information, refer to the section Viewing and managing agent logs in the administration console.
    • Fixed: the issue described in the log has been fixed.
    • Closed: the analysis of the log is complete. No further action is required.
  3. In the Assigned to list, select a user name to assign the log to. This list shows all users declared in SES Evolution. For further information, refer to the section Managing users on the SES Evolution administration console.
  4. In the Comments field, enter additional information if necessary about the log or your action. If anything is entered in this field, a tool tip will appear in the Status column in the list if logs.
  5. Click on OK.

If your appliance pool was targeted in an attack reflected in agent logs, you can perform a remediation to limit the impact of the attack and repair any damage caused.

  1. In the Environment > Agent logs panel, select a log and click Tasks > Create remediation task.

  2. Follow the procedure Managing remediation tasks.

 

If a log indicates that a process or file is potentially dangerous, you can configure a Yara or IoC scan to look up the process or file on the agent.

  1. In the Environment > Agent logs panel, select a log and click Tasks.

  2. Select the type of analysis.
    The task panel appears and the agent to which the log applies will be automatically selected.

  3. Follow the procedure in Running a Yara scan on demand or Running IoC scans on demand to finish the configuration and run the scan.

In the Agent Logs panel, you can delete events that you no longer want to view. All logs contained in these events are then deleted from the log database. This action cannot be undone.

  1. In the Environment > Agent logs panel, click Actions > Delete events, then select the desired action. The number of events affected by the action is displayed in brackets.
    • Selected events - to delete simple events or logs that you have selected manually in the list,
    • Displayed events - to delete all events and simple logs visible in the Agent Logs panel,
    • All filtered events - to delete all simple events and logs matching the filter criteria, including those that are not visible in the Agent Logs panel.

    The Delete events window appears.

  2. Click Estimate volume to see the approximate volume of logs that will be deleted from the database.
  3. Click on Start. A notification indicates that the operation is started.
  4. In the notification, click View manual deletion task to go directly to the corresponding panel. For further information, see Managing the deletion of logs.

You can also automate log deletion on a daily or monthly basis. For further information, see Managing the deletion of logs.

When an agent does not have access to the agent handler, its logs cannot be transmitted to the administration console and are therefore not visible in the Agent logs panel. You can export these logs to import them later into the console and read them in the same way as other logs.

Exported logs remain on the agent.

  1. Log in to the agent workstation as an administrator.
  2. Double-click on the icon in the status bar.
    The SES Evolution agent interface appears.
  3. In the Help and Support tab, click Events.
    The list of logs from this workstation appears.
  4. Click the Export events... button, and select the destination folder.
    A cab file is generated.
  5. Copy it to a USB key or send it by email.
  6. Copy this cab file to the import folder of the agent handler, e.g., C:\ProgramData\Stormshield\SES Evolution\Server\AgentLogs\Import. After approximately ten seconds, the file disappears from the Import folder and the logs it contains appear in the Agent logs panel.

TIP
You can also export the logs via a script, by running the EsGui program ([...]\Stormshield\SES Evolution\Agent\Bin\Gui) with the /ExportLogs command. Alternatively, you can specify in the command line the destination folder to which the file will be exported. For example: EsGui /ExportLogs "C:\Users\Administrator\Desktop\Logs.cab"