Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual page 820

Network and Security Manager Administration Guide
Configuring Log Investigator Options
The first step in using the Log Investigator is to configure the basic criteria used to create
the Log Investigator matrix. To change the default options, from the View menu, select
Set Log Investigator Options. Use the Log Investigator Options dialog box to configure
the desired settings (detailed below) and click OK to apply your changes.
NOTE: You can configure up to 20 Log Investigator sessions. To change this default
number of sessions, edit the devSvr.irMaxIndexCount parameter in the devSvr.cfg file,
which is located in the management system directory /usr/netscreen/DevSvr/var/.

The following sections detail each Log Investigator option.

Configuring a Time Period

The time period setting narrows the log entries included in your investigation based on
a specified time interval or start time. Each log entry contains a timestamp that indicates
the date and time the managed device generated the log entry (Time Generated). The
Log Investigator compares the timestamp of a log entry to the specified time period
setting, and eliminates those log entries that do not meet the time criteria.

First, you must specify a time duration. To specify a time interval for which you want to
see log entries, set the number of weeks, days, hours, minutes, or seconds. Setting a
longer time interval can help you identify broad trends in your network activity. Typically,
you use a longer time interval to initially locate problems. After you have identified the
issues you want to investigate, set a shorter time interval to eliminate irrelevant log entry
data.

After you have determined the time interval, you must set the end or start time for the
duration:

To set the end time of the duration, select Most Recent (this is the default setting).
The Log Investigator uses the current date and time as the end point for the time
duration. For example, for a time interval of 5 hours, the Log Investigator collects data
from log entries that have timestamps within the previous 5 hours.

To set the start time of the duration, select Start Time and configure the start date
and time. The Log Investigator uses the specified date and time as the start point for
the time duration. For example, for a time interval of 5 hours and a start date of 5/12/04
8:00:00 AM, the Log Investigator collects data from log entries that have timestamps
from the start date to the start date + 5 hours.

Typically, use Most Recent to investigate recurring activity or to monitor expected network
changes. Use a start time when investigating past known events, such as a virus attack.

When using a large time interval, the number of matching log entries might exceed the
capacity of the Log Investigator (100 log entries), causing a warning message to appear
next to the Selected Logs indicator. If you do not make changes to the time interval filter,
the Log Investigator automatically clears the session, requiring you to create a new time
filter.

Copyright © 2010, Juniper Networks, Inc.
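Added example (not part of the Juniper guide and not NSM code): a Python model of the two time period modes and the 100-entry capacity described above, run over constructed log entries. The entry field names, the inclusive window bounds, the reading of 5/12/04 as May 12, 2004, and the interval-halving strategy in narrow() are assumptions made for illustration.

```python
from datetime import datetime, timedelta

CAPACITY = 100  # Log Investigator capacity stated in the guide


def window(interval, start=None, now=None):
    """Return (begin, end): Start Time mode if start is given, else Most Recent."""
    if start is not None:
        return start, start + interval
    end = now or datetime.now()
    return end - interval, end


def select(entries, interval, start=None, now=None):
    """Filter entries by Time Generated and flag a selection over capacity."""
    begin, end = window(interval, start, now)
    # Assumption: both ends of the window are inclusive.
    hits = [e for e in entries if begin <= e["time_generated"] <= end]
    return hits, len(hits) > CAPACITY


def narrow(entries, interval, start=None, now=None):
    """Halve the interval until the selection fits (illustrative strategy)."""
    hits, over = select(entries, interval, start, now)
    while over and interval > timedelta(seconds=1):
        interval = interval / 2
        hits, over = select(entries, interval, start, now)
    return interval, hits


# Constructed sample: one entry per minute for 5 hours, beginning at the
# guide's example start time (5/12/04 8:00:00 AM, read here as May 12, 2004).
START = datetime(2004, 5, 12, 8, 0, 0)
SAMPLE = [{"id": i, "time_generated": START + timedelta(minutes=i)}
          for i in range(300)]

if __name__ == "__main__":
    hits, over = select(SAMPLE, timedelta(hours=5), start=START)
    print(len(hits), "matches, over capacity:", over)
    interval, hits = narrow(SAMPLE, timedelta(hours=5), start=START)
    print("narrowed to", interval, "with", len(hits), "matches")
    recent, over = select(SAMPLE, timedelta(hours=1),
                          now=START + timedelta(hours=5))
    print("Most Recent, 1 hour:", len(recent), "matches, over capacity:", over)
```
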
