Explore the functionality of LogReduce, which allows you to distill unique messages from the noise by identifying recurring Signatures in your data.
In a new search, run LogReduce on your Snort security data to identify unusual activity (intrusions).
Note: LogReduce can also be applied through the UI. Below the query builder, click the LogReduce button.
You may want to investigate further. In your signature tab, click one of the smaller counts; a new tab with the matching messages opens. Now click on the Host to view surrounding messages. You will be able to look at the messages from +/- 1, 5 or 10 minutes around the selected one. This troubleshooting capability may additionally help you identify why something happened. Surrounding messages can be matched in three ways:
- Host: matches messages from the same system (_sourcehost).
- Name: matches messages from the same file path AND the same host (_sourcename).
- Category: matches messages with the same user-created _sourcecategory metadata.
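To make the two ideas above concrete (distilling recurring signatures to surface rare, unusual events, and then pulling the surrounding messages scoped by host, name or category), here is an added Python illustration. It is not Sumo Logic's LogReduce implementation and not part of the original exercise: it approximates a signature by masking the variable fields of each Snort alert (IP addresses, ports, other numbers) while keeping the rule ID, counts messages per signature, and looks up neighbouring messages within a 1, 5 or 10 minute window. The sample alerts, hostnames and file paths are constructed for the example.

```python
"""Simplified LogReduce-style signature clustering over constructed Snort alerts.

Added illustration, not Sumo Logic's implementation. A "signature" here is the
message with its variable tokens masked; messages that share a signature are
the same kind of event, and signatures with very low counts are the candidates
for unusual activity worth a closer look.
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple


class Record(NamedTuple):
    time: str            # "YYYY-MM-DD HH:MM:SS"
    sourcehost: str      # _sourcehost
    sourcename: str      # _sourcename (file path on that host)
    sourcecategory: str  # _sourcecategory
    message: str


# Constructed sample data: two sensors, one alert file each plus a portscan log.
SAMPLE: List[Record] = [
    Record("2024-05-01 10:00:01", "ids1", "/var/log/snort/alert", "security/snort",
           "[1:366:7] ICMP PING *NIX {ICMP} 10.0.0.5 -> 192.168.1.10"),
    Record("2024-05-01 10:00:09", "ids1", "/var/log/snort/alert", "security/snort",
           "[1:366:7] ICMP PING *NIX {ICMP} 10.0.0.6 -> 192.168.1.10"),
    Record("2024-05-01 10:02:30", "ids1", "/var/log/snort/alert", "security/snort",
           "[1:366:7] ICMP PING *NIX {ICMP} 10.0.0.7 -> 192.168.1.11"),
    Record("2024-05-01 10:03:15", "ids1", "/var/log/snort/alert", "security/snort",
           "[1:2100498:7] GPL ATTACK_RESPONSE id check returned root {TCP} 192.168.1.10:80 -> 10.0.0.5:51234"),
    Record("2024-05-01 10:12:00", "ids1", "/var/log/snort/alert", "security/snort",
           "[1:366:7] ICMP PING *NIX {ICMP} 10.0.0.8 -> 192.168.1.12"),
    Record("2024-05-01 10:01:00", "ids2", "/var/log/snort/alert", "security/snort",
           "[1:366:7] ICMP PING *NIX {ICMP} 10.0.0.9 -> 192.168.2.10"),
    Record("2024-05-01 10:04:00", "ids2", "/var/log/snort/alert", "security/snort",
           "[1:1000001:1] PORTSCAN detected {TCP} 10.0.0.9:44444 -> 192.168.2.10:22"),
    Record("2024-05-01 10:04:01", "ids2", "/var/log/snort/portscan.log", "security/snort",
           "Priority Count: 5 Connection Count: 20 Scanner IP: 10.0.0.9 Port/Proto Count: 20"),
]

# Variable tokens: keep the Snort [gid:sid:rev] rule id, mask IPv4 (with optional
# port) as <ip>, and any other run of digits as <n>.
_TOKEN = re.compile(
    r"(?P<sid>\[\d+:\d+:\d+\])"
    r"|(?P<ip>\b\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?\b)"
    r"|(?P<num>\d+)"
)


def signature(message: str) -> str:
    """Mask the variable parts of a message so equal events collapse together."""
    def repl(m: "re.Match[str]") -> str:
        if m.group("sid"):
            return m.group("sid")
        if m.group("ip"):
            return "<ip>"
        return "<n>"
    return _TOKEN.sub(repl, message)


def logreduce(records: List[Record]) -> List[Tuple[str, int, str]]:
    """Return (signature, count, example message), rarest signatures first."""
    counts: Counter = Counter()
    example = {}
    for r in records:
        sig = signature(r.message)
        counts[sig] += 1
        example.setdefault(sig, r.message)
    return sorted(((s, c, example[s]) for s, c in counts.items()),
                  key=lambda t: (t[1], t[0]))


def unusual(records: List[Record], max_count: int = 1) -> List[str]:
    """Signatures seen at most `max_count` times: the 'smaller counts' to inspect."""
    return [s for s, c, _ in logreduce(records) if c <= max_count]


def _scope_key(r: Record, scope: str) -> tuple:
    if scope == "host":       # same system
        return (r.sourcehost,)
    if scope == "name":       # same file path AND same host
        return (r.sourcehost, r.sourcename)
    if scope == "category":   # same _sourcecategory
        return (r.sourcecategory,)
    raise ValueError(f"unknown scope: {scope}")


def surrounding(records: List[Record], anchor: Record, minutes: int,
                scope: str = "host") -> List[Record]:
    """Messages within +/- `minutes` of `anchor` that match it under `scope`."""
    if minutes not in (1, 5, 10):
        raise ValueError("window must be 1, 5 or 10 minutes")
    fmt = "%Y-%m-%d %H:%M:%S"
    t0 = datetime.strptime(anchor.time, fmt)
    window = timedelta(minutes=minutes)
    key = _scope_key(anchor, scope)
    return [r for r in records
            if r != anchor
            and _scope_key(r, scope) == key
            and abs(datetime.strptime(r.time, fmt) - t0) <= window]


if __name__ == "__main__":
    for sig, count, ex in logreduce(SAMPLE):
        print(f"{count:4d}  {sig}")
    attack = SAMPLE[3]
    print("\nSurrounding (host, +/-5 min) for:", attack.message)
    for r in surrounding(SAMPLE, attack, 5, "host"):
        print("  ", r.time, r.message)
```

Running the block lists four signatures: the ICMP PING rule collapses to one signature with a count of five, while the ATTACK_RESPONSE alert, the PORTSCAN alert and the portscan log line each stand alone with a count of one, which is exactly the kind of "smaller count" the exercise tells you to click into. The Name scope deliberately keys on both host and file path, mirroring the rule stated above.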