
Visualize This!

A Demonstration of Log Miner By Chris Petersen, LogRhythm CTO and co-founder


One of the fundamental challenges with analyzing log data is the sheer volume of the data to be analyzed. How does one analyze millions upon millions of log messages? Simple: aggregate and visualize. Leveraging data-mining techniques, LogRhythm is capable of providing long-term trending and analysis across every log message ever collected. We have invented a unique approach for aggregating log data. With our latest release we introduce Log Miner, a tool capable of analyzing millions of log messages quickly, easily, and in a single view.


Copyright 2008 LogRhythm, Inc. Page 1 of 10


This paper serves to illustrate the powerful log analysis capabilities unleashed in Log Miner. Log Miner provides a true data-mining visualization and analysis tool for log data. As with all our analysis tools, it is highly configurable. The previous screenshot is a typical Log Miner view and serves to demonstrate the visual aspects and the scalability of this tool. In the previous screenshot, Log Miner is loaded with every log message collected across a deployment over the past 7 days. Log Miner has aggregated the collected logs down to ~250,000 unique log messages comprising ~5.5 Million log entries. Have you ever seen 5.5 Million log entries in one screen? You just did. Log Miner itself includes a number of powerful charts, an aggregated log message list, and some advanced filtering options. These will be described in detail.

Log Miner Components


Log Message Occurrences by Day and Hour of Day
This chart provides an aggregated visual display of log data by day and hour of day. Each color represents a single day of activity. It is easy to visually identify days or specific times where activity increased or decreased, or where a trend exists. Anomalous activity levels on a specific day and/or time visually stand out.


The following is an example of 30 days of activity. To determine what day and time a color pertains to, place the cursor over the desired area.



Log Message Occurrences by Day of Week and Hour of Day

This chart provides a visual representation of activity based on the day of week and the hour of day. Each color represents a day of week. It is easy to visually identify a day of the week or a time of day where activity increased or decreased, or where a trend exists. Anomalous activity levels on a specific day of week and/or time of day visually stand out.

The following is an example of 30 days of activity. To determine what day and time a color pertains to, place the cursor over the desired area.

Log Message Occurrences by Hour

This chart provides a visual representation of activity based on date. The chart is summarized by hour, with each bar representing one hour of activity. It is easy to identify days where activity increased or decreased, or where a general trend exists. Anomalous activity on a specific day is easy to spot.

The following is an example of 30 days of activity. As with the other charts, highlight the desired area to determine the date and time.



Aggregate Log Messages

Although not a visual tool in itself, the aggregate log message list is a powerful analysis tool. Every unique log matching your search criteria is displayed with a count of occurrences. Easily drill down on any log message field by double-clicking on the value in the grid. Want to visualize the activity for just a single login? Double-click on the login and all charts update to reflect logs containing that login. As you drill down, you can also drill back and begin from where you started.

Time-of-day Filtering

An additional filtering tool is provided to allow for day of week and time of day filtering. Easily visualize activity based on when it occurred using this powerful filtering capability. The following is an example of a filter that could be applied to visualize activity Monday through Friday during non-business hours.
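The aggregation, day-of-week/hour-of-day bucketing, drill-down and time-of-day filtering described in the preceding component sections, as an added Python illustration that is not LogRhythm's code; the log lines and the 08:00 to 18:00 business-hours window are constructed assumptions:

```python
from collections import Counter
from datetime import datetime

# Constructed sample logs (not from the paper): "<ISO timestamp> <message>"
SAMPLE_LOGS = [
    "2007-07-19T05:02:11 vpn login user=alice",        # Thursday
    "2007-07-19T05:03:40 vpn login user=alice",
    "2007-07-19T09:15:00 vpn login user=bob",
    "2007-07-20T23:58:02 vpn login user=carol",        # Friday, near midnight
    "2007-07-21T00:10:45 vpn login user=carol",        # Saturday
    "2007-07-23T10:00:00 audit failure user=butthead", # Monday
    "2007-07-23T10:00:05 audit failure user=butthead",
    "2007-07-23T19:30:00 audit failure user=butthead",
]

def parse(line):
    """Split one line into (datetime, message text)."""
    ts, msg = line.split(" ", 1)
    return datetime.fromisoformat(ts), msg

def aggregate_messages(lines):
    """Collapse identical message texts into a message -> occurrence count table
    (the 'aggregate log message list')."""
    return Counter(parse(l)[1] for l in lines)

def occurrences_by_dow_hour(lines):
    """Count entries per (day-of-week, hour-of-day) cell; Monday == 0.
    This is the data behind the day-of-week / hour-of-day chart."""
    grid = Counter()
    for l in lines:
        dt, _ = parse(l)
        grid[(dt.weekday(), dt.hour)] += 1
    return grid

def time_of_day_filter(lines, days=range(0, 5), start=8, end=18, inside=False):
    """Keep entries on the given weekdays that fall outside the [start, end)
    hour window (assumed business hours); inside=True keeps the window instead."""
    kept = []
    for l in lines:
        dt, _ = parse(l)
        in_window = start <= dt.hour < end
        if dt.weekday() in days and in_window == inside:
            kept.append(l)
    return kept

def drill_down(lines, field, value):
    """Keep only entries whose message carries field=value, like double-clicking
    a value in the grid; the charts would then be rebuilt from the result."""
    return [l for l in lines if f"{field}={value}" in parse(l)[1]]
```

Chaining the helpers, e.g. `occurrences_by_dow_hour(drill_down(SAMPLE_LOGS, "user", "carol"))`, mirrors a drill-down followed by the charts updating.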


Visualize This!
Log Miner's combination of charts, aggregated log messages, advanced filtering and drill-down provides an analysis experience unrivalled in power, ease, and scale. The remainder of this paper provides real-world examples of Log Miner's use.

Visualize This! 30 days of VPN activity across your entire user base. Who's working at midnight on a Friday? I'm either very impressed or a bit worried. Answers are a click away.



Visualize This! Audit failures occurring over the past 90 days across your entire user base. The following represents nearly 400,000 log messages. Who the heck is butthead and what is he doing on our network! The answer is a click away.




Visualize This! All superuser activity occurring over the past 360 days. The following represents nearly 7 Million log messages! What happened on 9/16/06 between midnight and 10:00 AM? The answer is a click away.



Visualize This! All network allow & deny activity (i.e., allowed & denied packets) occurring over the past 30 days. The following represents 78,000 unique log messages and 2.2 Million log message occurrences. Why is Friday activity greater than other days? Why on 7/27 did the sustained activity level increase? Answers are a click away.



Visualize This! All activity from a specific IP block, in this case the IP block registered to China Telecom. Only a single visitor creating HTTP - 200 - Success Reply OK logs against our web server. This is yet another great example of no news being good news.



Visualize This! All perimeter attacks occurring over the past 30 days. What's the cluster of activity starting 7/19/07 at 5:00 AM? The answer is a click away.


By now you are probably getting the general idea. Whatever you want to look for, however far back you want to look, Log Miner is the tool for the job. Visualize what Log Miner can do for you.

LogRhythm Corporate Headquarters


LogRhythm, Inc. 3195 Sterling Circle, Suite 100 Boulder, CO 80301 Phone: (303) 413-8745 Fax:(303) 413-8791

EMEA Headquarters
LogRhythm, Inc. Siena Court, The Broadway Maidenhead, Berkshire SL6 1NJ United Kingdom Phone: +44 (0) 1628 509 070 Fax: +44 (0) 1628 509 100

APAC Headquarters
LogRhythm, Inc. 8F Exchange Square II 8 Connaught Place, Central Hong Kong Phone: (852) 9461 9809 Fax: (852) 2297 2289
