Events Search
The Events Search page is for reviewing raw event data before it is fused into flows. The time range controls are the same as those on the Network Flows page, except that there is no "search within a minute" option.
Page Layout
Base Event Record
When data enters the Fluency system, it is tagged with metadata recording where the message came from and when it arrived. This ingest timestamp is a second, independent timing record alongside whatever timestamp the message itself carries, which helps satisfy the audit-timestamp and time-synchronization requirements of PCI DSS (10.4 and 10.3.3) and NIST 800-53 (AU-8).
Messages are sorted by the ingest timestamp, not by the timestamp inside the message. Logs that are collected by polling, such as cloud logs, therefore often appear clustered together at each poll interval.
Click the expand icon at the left of the table row to see the full content of the message. In the expanded window, click the < > icon on the right to see the raw record:
| Field | Description |
|---|---|
| @message | The complete incoming message as received, before parsing. |
| @facility | The defined group/facility area of the message. |
| @level | The priority level of the message. |
| @tags | An array of the tags whose attributes matched this message. |
| @source | The module that produced this message. |
| @sender | The capture system that is the source of the message. |
| @fields | The parsed data produced from @message. |
| @timestamp | The ingest time as a millisecond epoch value. It provides a central timestamp for verifying all incoming messages. |
Parsing Process
Incoming messages are stored verbatim in the "@message" field; the parser's output is stored in the "@fields" object. Comparing the two verifies that parsing worked.
NOTE: After adding or updating a log source, review its events to confirm that incoming messages are being parsed correctly. Filter the Event Table to the changed source and compare the "@message" attribute to the "@fields" attributes for a sample of events. A missing or empty "@fields" object, or a value in "@fields" that does not appear in "@message", indicates a parsing problem.
JSON Sources
Some sources have no "@fields" attributes. These are sources that already emit JavaScript Object Notation (JSON) messages; in that case the system uses the already-structured data directly and attaches it to the associated flow, so a missing "@fields" on such a source is expected rather than a parsing failure.
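The parsing check described in the NOTE above, and the JSON-source exception, can be automated rather than done by eye. The following Python script is an added example, not Fluency's own code: it runs over a handful of constructed event records shaped like the base event record (the @-prefixed field names come from the table above; the values, source names and messages are made up). For one "@source" it lists events in ingest order and flags two conditions: a parsed value in "@fields" that does not occur in "@message" (a stale or mis-captured field), and an event with no "@fields" whose "@message" is not JSON (an unparsed message). An event with no "@fields" whose message decodes as a JSON object is treated as a JSON source and passes.

```python
import json
from datetime import datetime, timezone

# Constructed sample events in the shape of the base event record.
# Field names follow the page; sources, hosts and messages are invented.
SAMPLE_EVENTS = [
    {   # correctly parsed firewall line
        "@timestamp": 1691668800000, "@source": "syslog-fw", "@sender": "collector-01",
        "@facility": "local4", "@level": "info", "@tags": ["firewall"],
        "@message": "<166>Aug 10 12:00:00 fw01 kernel: ACCEPT src=10.0.0.5 dst=8.8.8.8 proto=udp dport=53",
        "@fields": {"action": "ACCEPT", "src": "10.0.0.5", "dst": "8.8.8.8", "proto": "udp", "dport": "53"},
    },
    {   # parser regression: dport in @fields does not match the message
        "@timestamp": 1691668800250, "@source": "syslog-fw", "@sender": "collector-01",
        "@facility": "local4", "@level": "info", "@tags": ["firewall"],
        "@message": "<166>Aug 10 12:00:00 fw01 kernel: ACCEPT src=10.0.0.5 dst=8.8.8.8 proto=tcp dport=443",
        "@fields": {"action": "ACCEPT", "src": "10.0.0.5", "dst": "8.8.8.8", "proto": "tcp", "dport": "53"},
    },
    {   # JSON source: no @fields, the message itself is structured
        "@timestamp": 1691668800500, "@source": "cloud-audit", "@sender": "collector-02",
        "@facility": "cloud", "@level": "info", "@tags": [],
        "@message": '{"eventName": "ConsoleLogin", "user": "alice", "result": "Success"}',
    },
    {   # unparsed message: empty @fields and not JSON
        "@timestamp": 1691668801000, "@source": "syslog-fw", "@sender": "collector-01",
        "@facility": "auth", "@level": "info", "@tags": [],
        "@message": "Aug 10 12:00:01 fw01 sshd[4242]: Accepted publickey for admin from 10.0.0.9",
        "@fields": {},
    },
]


def parsed_payload(event):
    """Return the structured data for an event: @fields when the parser
    produced it, otherwise the decoded JSON body for a JSON source,
    otherwise None (the message was not parsed at all)."""
    fields = event.get("@fields")
    if fields:
        return fields
    try:
        body = json.loads(event["@message"])
    except (ValueError, KeyError):
        return None
    return body if isinstance(body, dict) else None


def check_event(event):
    """Return a list of problems for one event (empty list means it passes).
    Heuristic: every scalar value in @fields should occur verbatim in
    @message; a value that does not is stale or mis-captured."""
    problems = []
    if parsed_payload(event) is None:
        problems.append("no @fields and @message is not JSON: message was not parsed")
        return problems
    fields = event.get("@fields") or {}
    message = event["@message"]
    for key, value in fields.items():
        if isinstance(value, (str, int, float)) and str(value) not in message:
            problems.append(f"@fields[{key!r}]={value!r} not found in @message")
    return problems


def verify_source(events, source):
    """Filter to one @source, as the NOTE describes, and report problems
    per event in ingest order (@timestamp is the millisecond epoch ingest time)."""
    selected = sorted((e for e in events if e.get("@source") == source),
                      key=lambda e: e["@timestamp"])
    report = []
    for ev in selected:
        ingested = datetime.fromtimestamp(ev["@timestamp"] / 1000, tz=timezone.utc)
        report.append((ingested.isoformat(timespec="milliseconds"), check_event(ev)))
    return report


if __name__ == "__main__":
    for source in ("syslog-fw", "cloud-audit"):
        print(f"== {source}")
        for ingested, problems in verify_source(SAMPLE_EVENTS, source):
            print(ingested, "OK" if not problems else "; ".join(problems))
```

The substring check is deliberately loose: parsers often normalise values (lower-casing, stripping quotes, converting units), so a flagged event is a prompt to open it in the expanded view and compare "@message" with "@fields" by hand, not proof of a broken parser.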
Special Views
Just like on the Network Flows page, certain events receive a different, more readable format, most notably Office365 events. This is done so that the events database can be used for analysis that does not involve a known flow or asset.
Using the Facet
A facet is a group of attributes; think of facets as filters. The Facet section covers this topic in more detail. Facets are an easy way to narrow the data and see the most common values for each field.
Page last updated: 2023 Aug 10