Overview

The Events Search tool, available from version 8.3.0, provides the capability to search events collected and stored in Snare Central, for fast troubleshooting and forensic analysis.

Both Basic and Advanced search options are available. The user can save a query for future re-use, view the search history, and view results of recent queries. An intuitive graphical interface can interactively filter search results by Time, Log Type and System.

Basic Search

Basic Search selectors allow the user to easily define search criteria.

Basic Search Selectors

Date and Time	Search for events within a given date and time range. Date and Time search criteria can be defined using either Quick Picks or using a custom Date and Time.
Systems	Search results can be narrowed by selecting systems that generated the events. By default, all systems will be included in a search. Click the selector and use check boxes to choose systems of interest. Use the filter to quickly find a system by host name or IP address.
Log Types	Search results can be narrowed by selecting Log Types. By default, all log types will be included in a search. Click the selector and use check boxes to choose from available log types. Use the filter to quickly find a log type.
More Fields	Search for text that appears in specific event fields by clicking the More Fields selector. A filter can be used to quickly find a field of interest. Click > to reveal an input field, and enter your search criteria in the field. Multiple values are supported.
Text Search	To search for content in any event field, use the Text Search input field.

Additional Search Options

	Check the Override Timeout checkbox to override the default query timeout of 5 minutes. A timeout can be set to any value between 1 minute and 24 hours, using either input fields or a slider. Uncheck the checkbox to return to the default value. Note: Status indicates that the search time out has been reached, and the search results returned may only represent a subset of the potential results stored on the Snare Central server. It is recommended that search criteria be refined in order to reduce the range of data to be searched.
	Check the Override Limit checkbox to override the default limit of 100,000 events in query results. Limit can be set to any value between 1,000 and 1,000,000 events, using either input fields or a slider. Uncheck the checkbox to return to the default value. Note: Status indicates that the limit has been reached, and the search results returned may only represent a subset of the potential results stored on the Snare Central server. It is recommended that search criteria be refined in order to reduce the range of data to be searched. Note: the search will stop executing when the Limit is reached, however due to a parallel nature of execution it is possible that more results will be returned than the configured Limit.
	Check the Case Sensitive checkbox to make text and fields search case sensitive.

Available Actions

Click to run the search.

Click to clear the query and the selectors.

Click Query Preview to view the query in Snare Query Language.

Click to edit the query in Advanced Search mode.

Click to switch from Basic to Advanced Search.

Advanced Search

Advanced search allows to write and edit a search query using the Snare Query Language. This allows complex queries to be specified, including complex conditions and regular expressions.

Additional Search Options

Check the Override Timeout checkbox to override the default query timeout of 5 minutes.
A timeout can be set to any value between 1 minute and 24 hours, using either input fields or a slider.
Uncheck the checkbox to return to the default value.

Note: Status indicates that the search time out has been reached, and the search results returned may only represent a subset of the potential results stored on the Snare Central server. It is recommended that search criteria be refined in order to reduce the range of data to be searched.

Check the Override Limit checkbox to override the default limit of 100,000 events in query results.
Limit can be set to any value between 1,000 and 1,000,000 events, using either input fields or a slider.
Uncheck the checkbox to return to the default value.

Note: Status indicates that the limit has been reached, and the search results returned may only represent a subset of the potential results stored on the Snare Central server. It is recommended that search criteria be refined in order to reduce the range of data to be searched.

Note: the search will stop executing when the Limit is reached, however due to a parallel nature of execution it is possible that more results will be returned than the configured Limit.

Available Actions

Click to run the search.

Click to clear the query.

Click to open online Snare Query Language documentation.

Click to switch from Advanced to Basic Search.

Note: If the Advanced to Basic Search switch is disabled, clear the Advanced Query search field to enable it again.

Search Results

Search results are displayed in the Search Results tab.

While the search is running, a status bar is displayed, along with the Status, Start Time and an estimated completion time (ETA).
User can choose to Terminate a running query at any time. Partial results, collected prior to termination, will be available.

Complete search results are displayed in the time-based bar chart, and in the results table.

Search Results Chart

For completed queries, a bar chart will be displayed. Each bar represents the number of events within a 15-minute time interval (also known as a 'quadrant').

The bar chart can be used to drill down and explore events by source System and by Log Type. See the Filtering Results section below for more details.

Chart Controls

Chart controls provide the capability to interactively customise the display of data, or export content:

Zoom Selection - Select an area to zoom. Select this button, then click and hold/drag on the chart to zoom.
Zoom Restore - Reverts the above zoom selection
Save as Image - Download the chart canvas as an image
Line Chart - Displays the chart as a Line Chart
Bar Chart - Displays the chart as a Bar Chart
Reset - Resets all above made changes to the default chart settings. Reset will also remove any filters applied to the Search Results and will hide a pie chart.

Search Results Table

Events stored in Snare Central are broken down into fields of useful security or support value, and are generally different for each Log Type. See Log Types for information on available fields.
The Search Result table displays all events that match the supplied search criteria, where each row represents an event, and each column represents an event field.

Click to expand the event row and show all the field contents.

Click in the table header to expand all events on the current table page.

Click to sort events by Date and Time. Note: by default, events may not be sorted.

In version 8.3.0, post-query sorting can be performed on no more than 50,000 results. If the results set contains more events, a message will be shown to the user advising that the search criteria should be narrowed down.

Click to show and hide columns using check boxes in the dialog. Use Filter in the dialog to quickly find relevant columns in the list.

Click to export search results to CSV file.

Click or in the table header to scroll results table to the left or to the right.

Use pagination controls at the bottom of the table to view more results:

Filtering Results

To filter query results by Time and either System, Log Type or both, perform the following steps:

Click on a relevant bar in a chart, representing events received during a time period of interest.
An interactive pie chart will be displayed showing events distribution by either a Log Type or a System that the event originated from.

Click on a data series in the chart legend to toggle its visibility.

Click on a data series on the pie chart to drill down and view Log Types for the selected System, or Systems for a selected Log Type, displayed as an outer layer on the same pie chart.

Two layers of a pie chart should now be displayed. The events in the table can be filtered by clicking on the pie chart:
- Click on the inner layer of the pie chart to filter events by Time and System or Time and Log Type.
  OR
- Click on a segment on the outer layer of the pie chart to filter events by the selected Time, System and Log Type.

The events in the results table will be filtered according to the selection.
The filter description is displayed on top of the results table:

To reset the filters applied to the Search Results and hide the Pie Chart, click Reset in the Bar Chart canvas, or click on the selected bar to deselect it.

To return to the first level of System / Log Type selection in the pie chart, click Back (the white circle) in the middle of Pie Chart. This will not affect filtered events in the results table.

Saving a Query

Any valid query constructed using either Basic or Advanced search can be saved for future use.

Note: saved queries are visible only to the user who created them.

Click Save Query from either Basic or Advanced Search.

In the dialog, enter query Name and Description and click Save.

Saved Queries

Click Saved Queries tab to view all saved queries.

Click to search the Saved Queries for a specific text in any of the query columns.

Click to expand the row and view the Snare Query Language representation of the saved query.

Click to collapse the row.

Available Actions

Clickto open the Actions menu for each saved query. Available actions are:

Action	Description
Add to Search	Pre-fills either Basic or Advanced search (depending on method used to create the query) with the current query. The user can then adjust the query.
Run Query	Executes the saved query.
View Last Result	Displays the result of the latest query execution, if available. Note: alternatively, you may see one of these messages: No Results Found - if no events were returned in the last query execution Results not Available - if the results are not available in the cache anymore Results Cache Snare Central can store a large number of historical query results in a 'Results Cache'. The cache is self-limiting, and when new queries are executed, older results may be removed from the cache, if space is running low.
Edit	Opens dialog for editing Name and Description of the saved query.
Delete	Deletes the saved query.

Search History

Click Search History tab to view the history of all queries executed by the current user in the past 30 days.

Saved queries are marked with a

Click to search the History for a specific text in the Query

Click to search the History for a specific date and time range

Click to filter the history by status

Query Status column may contain the following values:

Status	Description
	Query is running
	Query was completed successfully
	Query was completed successfully but reached the results limit. There may be more results available. It is recommended that the query be refined.
	Query was completed successfully but reached the defined timeout. There may be more results available. It is recommended that the query be refined.
	Query was terminated by user
	Query was aborted by the system. For example, if the server was restarted.
	Query failed to complete for another reason

Available Actions

Clickto open Actions menu for each query. Available actions are:

Action	Description
Add to Search	Pre-fills either Basic or Advanced search (depending on method used to create the query) with the current query. The user can then adjust the query.
Run Query	Executes the saved query.
Terminate	Terminates the query. This action is only available while the query is still running.
View Result	Displays the result of the latest query execution, if available. Note: alternatively, you may see one of these messages: No Results Found - if 0 events were returned in the last query execution Results not Available - if the results are not available in the cache anymore