tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Cloud Workload Protection Platform
    Documentation
    Download PDF

    Log Analysis

    Last updated: 2024-05-14 10:20:05
    Download PDF
      Log analysis is an important part of the CWPP protection solution. It provides security event logs about the CWPP. It supports SQL retrieval and query. It offers visualized reports and statistics. This helps users quickly identify intrusions, conduct source tracing, and perform other security operation tasks. This document will introduce how to use the log analysis feature.

      Restrictions

      Log data can be collected. It is subjected to the following restrictions by the host protection edition.
      Log Category
      Log Type
      Log Description
      Supported Versions
      Alarm Log
      Intrusion detection
      Malicious file scan, unusual login, password cracking, malicious requests, high-risk commands, local privilege escalation, and reverse shell.
      Professional edition and Flagship edition
      Vulnerability Management
      Emergency vulnerabilities, Linux software vulnerabilities, Windows system vulnerabilities, Web-CMS vulnerabilities, and application vulnerabilities.
      Professional edition and Flagship edition
      Baseline Management
      Security baseline
      Professional edition and Flagship edition
      Advanced Defense
      Core file monitoring
      Flagship edition
      Client-Related
      Client offline and client uninstallation
      Basic edition and later
      To use the log shipping feature, you must first purchase a TDMQ for CKafka instance, and select the appropriate CKafka instance specification based on the volume of logs to be shipped.
      The log shipping feature only supports using a single TDMQ for CKafka account for shipping.
      According to the Cybersecurity Law, the log storage duration must be at least 6 months. It is recommended that each server be configured with a storage capacity of 20 - 40 GB to collect and retain log data.

      Operation Guide

      1. Log in to the Host Security console.
      2. In the left sidebar, choose Log Analysis to perform operations such as log query and log shipping.
      

      Viewing Log

      On the log analysis page, logs can be filtered based on the following methods.
      Filter by Time or Type: At the top of the log analysis page, you can filter logs by time and log type. Choose the time range or log type, and click Confirm.
      
      Filter by Field Value: At the top of the log analysis page, you can filter by entering a field value in the search box or by choosing a field match filter.
      Filter by Search Box Input Field Value: See the following figure. Enter the desired field and field value in the search box, and click
      
      to filter.
      
      Choose Field Match Filter: Click
      
      . Choose the appropriate field and operator from the drop-down list. Enter the corresponding field value, and then click Confirm to filter.
      
      Note:
      For commonly used searches, you can Save Search. Next time, simply click Quick Search, and choose the previously saved search content to filter.
      On the log analysis page, click on the bar chart or click and slide to quickly select a time range for a drill-down view.
      
      On the log analysis page, in the field navigation on the left side of the list, you can customize display fields and hidden fields.
      
      Click Export to export logs that meet the search criteria as a file. Download it through the browser to a local directory.
      Note:
      A single export supports up to 60,000 log records, with a maximum of 10,000 records per log type.

      Log Shipping

      On the log analysis page, you can configure different log types of CWPP to be shipped to different topics in the specified CKafka instances.
      1. Click Log Shipping on the top left corner to open the log shipping configuration pop-up. If the CKafka service is not authorized for the first time, click Go to Authorize first. After agreeing to the service authorization, you may make more log shipping configurations.
      
      2. After agreeing to the authorization service, you must choose the TDMQ for CKafka instance and network access method. Enter the username and password for the selected TDMQ for CKafka instance, and conduct a connectivity test.
      
      3. Choose the network access method.
      Network Access Method
      Description
      Optional Routing Instructions
      Public domain name access.
      Logs are shipped through the public network.
      This is the designated access method for TDMQ for CKafka instances.
      Supporting environment access.
      Logs are shipped through Tencent Cloud's private network. It offers higher performance.
      This is the designated access method for TDMQ for CKafka instances. But the PLAINTEXT access method is currently not supported.
      Private network shipping.
      Logs are shipped through Tencent Cloud's private network without the need for users to configure routing in CKafka. An invisible private network routing is automatically created to support the access.
      -
      Note:
      If the network access method is chosen as Public Domain Name Access or Supporting Environment Access, you also need to select an access routing. The routing policy corresponds to the access method detailed in the CKafka Instance List.
      
      If the network access method is chosen as Public Domain Name Access or Supporting Environment Access, you also need to enter the CKafka instance's username and password. The username and password are listed under ACL Policy Management > User Management in the CKafka Instance List details. (When configuring log shipping, just enter the username after the # symbol. The CKafka instance ID before the # symbol is not required.)
      
      4. After completing the CKafka configuration, you can proceed with a connectivity test. Once the test passes, you can configure different topics for the logs you want to ship. (for log types not being shipped, choosing a Topic ID is not required).
      
      5. After completing the log shipping configuration, click Log Shipping again to view the details of the log shipping.
      
      Basic Information: Displays the basic information of the CKafka instance.
      Note:
      You need to pay attention to the Status field. If it shows an alarm or abnormality, click View Monitoring to check if the CKafka service is abnormal, or if there is insufficient quota.
      Shipping Switch: It is used to control a specified log type, and to start or stop log shipping tasks. You can control the log shipping tasks with the switch button in the Shipping Switch column.
      Shipping Status: normal, abnormal (this status will suspend shipping), and disabled
      Edit: Click Edit to re-edit the log type and Topic ID for shipping.
      View Monitoring: Click View Monitoring to navigate to the monitoring page of the TDMQ for CKafka console. In the console, you can view network traffic, peak bandwidth, number of messages, disk occupancy, etc.
      Reconfiguration: At the top of the log shipping list, click Reconfiguration to return to the state after agreeing to the CKafka authorization service. You can reconfigure the TDMQ for CKafka instance, network access method, log type, Topic ID, etc.
      Note:
      Reconfiguration will interrupt the current shipping process.
      
      
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy