Sumo Logic

Lab 8 - Find the "needle in the haystack"

This lab teaches you how to use LogReduce to distill unique messages from large log data sets.
Explore the functionality of LogReduce, which allows you to distill unique messages from the noise by identifying recurring Signatures in your data.


  1. In a new search, run LogReduce on your Snort security data to identify unusual activity (intrusions).

_sourceCategory=labs/snort
| logreduce

Note: LogReduce can also be applied from the UI. Below the query builder, click the LogReduce button.

  2. You may want to investigate further. In your Signatures tab, click on one of your smaller counts; a new tab with details will open. Now click on the Host to view surrounding messages. You can view surrounding messages for +/- 1, 5 or 10 minutes. This troubleshooting capability can additionally help you identify why something has happened.

Image of surrounding messages selection


Note:

  • Host: matches messages from the same system (_sourceHost).
  • Name: matches messages from the same file path AND the same host (_sourceName).
  • Category: matches messages with the same user-created _sourceCategory metadata.
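The two lab steps above (reduce Snort alerts to recurring signatures, then pull the surrounding messages for one host) can be illustrated outside Sumo Logic with a small Python model. This is an added example written for this page, not Sumo Logic's LogReduce implementation; the alert lines, hostnames, rule ids (local-rule range) and addresses are constructed, and the placeholder tokens <ADDR> and <N> are this example's own convention.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed Snort-style alert lines: "<timestamp> <host> <message>" (not real data).
LOGS = [
    "2024-03-01T10:00:01 ids01 [1:1000001:1] LOCAL id check returned root 10.0.0.5:80 -> 10.0.0.9:51234",
    "2024-03-01T10:00:05 ids01 [1:1000001:1] LOCAL id check returned root 10.0.0.5:80 -> 10.0.0.10:51240",
    "2024-03-01T10:00:09 ids02 [1:1000001:1] LOCAL id check returned root 10.0.0.6:80 -> 10.0.0.11:51250",
    "2024-03-01T10:02:30 ids01 [1:1000002:1] LOCAL SYN scan 192.168.1.7:44321 -> 10.0.0.5:22",
    "2024-03-01T10:03:10 ids01 [1:1000001:1] LOCAL id check returned root 10.0.0.5:80 -> 10.0.0.12:51260",
    "2024-03-01T10:07:00 ids02 [1:1000001:1] LOCAL id check returned root 10.0.0.6:80 -> 10.0.0.13:51270",
]

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
RULE_ID = re.compile(r"^\[\d+:\d+:\d+\]")  # Snort [gid:sid:rev], kept verbatim


def signature(msg):
    """Keep the rule id, replace variable fields (addresses, numbers) with placeholders."""
    m = RULE_ID.match(msg)
    head, rest = (m.group(0), msg[m.end():]) if m else ("", msg)
    rest = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}:\d+\b", "<ADDR>", rest)  # ip:port first
    rest = re.sub(r"\b\d+\b", "<N>", rest)                              # then bare numbers
    return head + rest


def logreduce(lines):
    """Return [(count, signature)] sorted ascending, so the rare 'needles' come first."""
    counts = Counter(signature(LINE.match(line)["msg"]) for line in lines)
    return sorted((c, s) for s, c in counts.items())


def surrounding(lines, line, minutes=5):
    """Messages from the same host within +/- minutes of `line` (the 'Host' option)."""
    ref = LINE.match(line)
    t0 = datetime.fromisoformat(ref["ts"])
    window = timedelta(minutes=minutes)
    out = []
    for candidate in lines:
        m = LINE.match(candidate)
        if m["host"] == ref["host"] and abs(datetime.fromisoformat(m["ts"]) - t0) <= window:
            out.append(candidate)
    return out


if __name__ == "__main__":
    for count, sig in logreduce(LOGS):
        print(count, sig)
    for line in surrounding(LOGS, LOGS[3], minutes=5):
        print(line)
```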