Log file indicators search

You can search for indicators from log files by selecting the Log files tab on the Search page. To access this page, you need to switch to the Data management mode.

All log files that you pass to Kaspersky CyberTrace for scanning must be in UTF-8 encoding. If your log files have a different encoding, make sure to convert them to UTF-8.

Figure: The Log files tab (Search → Log files) in CyberTrace.

Search for objects

You can specify one or more log files. The search will be done for the indicators included in these files.

To search for indicators in log files:

  1. Select the log files that you want to search. Do one of the following:
    • Click the Select files button, and then select the log files.
    • Drag the log files into the colored area.
  2. Click the Search button.

The search result will appear in the Search report section.

Do not use feeds as log files for search. The scan results will contain a large number of matches, which will render the results uninformative.

Search result

After a search is performed, Kaspersky CyberTrace Web displays the result in the Search report section.

Figure: The Search report section of the log files search in CyberTrace.

The search result consists of the following data:

For every item among the top 100 matching indicators, the following information is displayed:

If no information is found for the indicators in the log file, a message about this is displayed.

If you run a search and then switch to another tab, the search results will become available in the search request history.

Downloading search reports

You can download a report with the results of the search operation. The report is a .csv file.

To download a report,

Click the Download full report button, and then, if asked, specify the directory to which you want to save the report.

A full report about a search result has the following fields:

Files with search reports will be stored in the httpsrv directory. Only the administrator (in Windows) or the root user (in Linux) has permission to open this directory.

Regular expressions for searching indicators from log files

To parse log files for indicators, Kaspersky CyberTrace Web uses the regular expressions defined in the Kaspersky CyberTrace Service configuration file. The regular expressions are specified by a special event source called http_file_lookup.
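The following is an added illustration of the workflow this page describes, not CyberTrace's own code: it rejects a log file that is not UTF-8, extracts indicators with regular expressions, ranks the most frequent matches as the Search report does, and renders them as CSV. The indicator patterns, the CSV field names and the sample log are assumptions constructed for this example; the real patterns are those defined for the http_file_lookup event source in the Service configuration file.

```python
import csv
import io
import re
from collections import Counter

# Assumed, illustrative patterns. The real ones are defined in the
# CyberTrace Service configuration file under http_file_lookup.
INDICATOR_PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "md5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+"),
}

def decode_utf8(raw: bytes) -> str:
    """Reject files that are not valid UTF-8, as CyberTrace requires."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError(f"log file is not UTF-8 encoded: {exc}") from exc

def extract_indicators(text: str) -> Counter:
    """Count every indicator match in the log text, keyed by (type, value)."""
    counts: Counter = Counter()
    for line in text.splitlines():
        for kind, pattern in INDICATOR_PATTERNS.items():
            for match in pattern.findall(line):
                counts[(kind, match)] += 1
    return counts

def top_matches(counts: Counter, limit: int = 100) -> list:
    """Return the most frequent indicators, mirroring the top-100 view."""
    return counts.most_common(limit)

def write_csv_report(matches: list) -> str:
    """Render the matches as a CSV report (field names are assumed)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["indicator_type", "indicator", "match_count"])
    for (kind, value), n in matches:
        writer.writerow([kind, value, n])
    return buf.getvalue()

# Constructed sample log (not a real log) to exercise the pipeline.
SAMPLE_LOG = (
    b"2024-01-01T10:00:00Z proxy src=192.0.2.10 url=http://example.test/a\n"
    b"2024-01-01T10:00:05Z av hash=d41d8cd98f00b204e9800998ecf8427e src=192.0.2.10\n"
    b"2024-01-01T10:00:09Z proxy src=198.51.100.7 url=http://example.test/a\n"
)
if __name__ == "__main__":
    print(write_csv_report(top_matches(extract_indicators(decode_utf8(SAMPLE_LOG)))))
```

Feeding a threat feed through this instead of a log would inflate the counts for nearly every line, which is the reason the page advises against using feeds as search input.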
