1
00:00:00,330 --> 00:00:04,410
Now we'll look at annotation queries and look at the log and the graph panels together.

2
00:00:04,470 --> 00:00:06,180
First we'll prepare some queries.

3
00:00:06,390 --> 00:00:14,990
So in Explore I'll create a dashboard that shows var logs for both of my hosts at the same time: job equals

4
00:00:15,070 --> 00:00:16,219
varlogs.

5
00:00:16,260 --> 00:00:19,740
OK, so that's the logs that we'll see in our dashboard.

6
00:00:19,800 --> 00:00:24,270
Very simple query: job equals varlogs. I'm going to save that for later: job equals varlogs.

7
00:00:24,600 --> 00:00:28,530
The other one I want is to graph that, so I'll wrap that in.

8
00:00:28,530 --> 00:00:33,480
count over time, one minute, and finish that off.

9
00:00:34,110 --> 00:00:35,870
And so now I can grab that.

10
00:00:35,910 --> 00:00:44,220
So I'll use those to query my dashboard. If I go now to create a new dashboard: create dashboard, add

11
00:00:44,220 --> 00:00:44,910
an empty panel.

12
00:00:44,970 --> 00:00:47,870
The first one will be a log, down the bottom there.

13
00:00:47,940 --> 00:00:55,920
My Loki query was job equals varlogs, and there it is, old-school var logs. OK, apply

14
00:00:55,920 --> 00:00:59,160
that, and create another panel, which will use the time series.

15
00:00:59,180 --> 00:00:59,940
That's OK.

16
00:01:00,360 --> 00:01:04,709
Loki, and it'll be that query there, count over time.

17
00:01:05,840 --> 00:01:10,370
One minute. So I'm seeing lots of information there, all my log files that have been written on both

18
00:01:10,370 --> 00:01:16,550
servers, both hosts, California and Moscow, and I'll set it down to one hour, for example, because

19
00:01:16,550 --> 00:01:17,460
that's pretty good online.

20
00:01:17,620 --> 00:01:18,620
Var logs again.

21
00:01:18,620 --> 00:01:19,110
Excellent.

22
00:01:19,190 --> 00:01:19,650
OK.

23
00:01:19,710 --> 00:01:26,090
These descriptions here are quite long, so I could actually make those shorter by using a sum grouped

24
00:01:26,090 --> 00:01:29,960
by option: sum by host, filename.

25
00:01:29,960 --> 00:01:35,390
Then click out of that, and those lines are now slightly shorter because it's not actually showing

26
00:01:35,390 --> 00:01:37,370
job equals varlogs anymore.

27
00:01:37,400 --> 00:01:38,440
That's just an option you have.

28
00:01:38,450 --> 00:01:41,720
That's just one reason for using sum and the grouping down there.

29
00:01:41,750 --> 00:01:45,140
So I'm happy with that; apply that, and I can just reorder this a little bit.

30
00:01:46,100 --> 00:01:52,370
OK, so now if I change my time filter up there, whatever I see here, there are the related logs down

31
00:01:52,370 --> 00:01:53,990
there so I can zoom right into that.

32
00:01:54,210 --> 00:01:58,100
Related logs; go even further, and there are the related logs from both servers.

33
00:01:58,130 --> 00:02:03,740
I'll go back to one hour now to add an extra layer of querying, called annotation queries, over that. Now,

34
00:02:03,740 --> 00:02:05,090
within these log lines here,

35
00:02:05,150 --> 00:02:07,640
there are occurrences of invalid user.

36
00:02:07,880 --> 00:02:10,729
I would like to have those highlighted on that graph.

37
00:02:11,120 --> 00:02:14,750
So while it's quite hard to actually see any here, there are likely to be some in there.

38
00:02:14,780 --> 00:02:20,930
So what I can do is create an annotation query that is executed over the dashboard up here, so dashboard

39
00:02:20,930 --> 00:02:22,940
settings annotations.

40
00:02:23,960 --> 00:02:25,490
Add annotation query.

41
00:02:26,120 --> 00:02:32,390
I'm going to call it invalid users, it's going to use the Loki data source, it's enabled, the color

42
00:02:32,420 --> 00:02:36,770
will be red, and my query will be job equals varlogs,

43
00:02:36,770 --> 00:02:40,820
pipe equals invalid user, and apply.

44
00:02:40,820 --> 00:02:41,980
Click out of that, and that's it.

45
00:02:41,990 --> 00:02:44,900
So I go back to my dashboard and just turn it on and off.

46
00:02:45,080 --> 00:02:49,760
We now start to see some highlights going on here, matching invalid user.

47
00:02:49,790 --> 00:02:54,380
So if I zoom in to them, there's a little arrow just down here.

48
00:02:54,440 --> 00:02:58,040
If you hover over that, it shows you the actual log line that it found.

49
00:02:58,670 --> 00:02:59,660
I can see that again.

50
00:03:00,170 --> 00:03:04,760
And these are all different login attempts on my secure server, mostly.

51
00:03:05,240 --> 00:03:07,310
So this is normal for a server on the internet.

52
00:03:07,310 --> 00:03:09,200
Automatic scripts will try and log into your server.

53
00:03:09,390 --> 00:03:11,110
OK, so straight away, that's pretty good.

54
00:03:11,120 --> 00:03:14,030
Already, I can see if I zoom out to one hour.

55
00:03:14,060 --> 00:03:17,900
There are a lot of attempts to log into my servers going on, so you might be happy with that graph.

56
00:03:17,900 --> 00:03:24,330
But actually, something about the syslog log: if I zoom to these ones, for example, I'll find one.

57
00:03:24,350 --> 00:03:29,540
OK, so these log lines here: Grafana, Loki, level info, et cetera.

58
00:03:29,570 --> 00:03:36,980
Query equals job varlogs, invalid user. So what's going on here is, when you enter Loki queries,

59
00:03:37,010 --> 00:03:39,770
they are all actually saved into the syslog as well.

60
00:03:39,770 --> 00:03:42,310
So you can see here, that says var log syslog.

61
00:03:42,320 --> 00:03:46,170
So any query I create is also being logged, so they're also being matched.

62
00:03:46,200 --> 00:03:52,310
So if I look at these again, most of those entries that we see, they're actually just me typing queries

63
00:03:52,310 --> 00:03:54,500
through Loki, query logs.

64
00:03:54,600 --> 00:03:55,820
Invalid user down here.

65
00:03:55,850 --> 00:03:59,180
Query varlogs invalid user. I'll zoom out.

66
00:04:00,430 --> 00:04:07,480
I actually want to see these kinds of queries where it says invalid user, so I need to refine my annotation

67
00:04:07,480 --> 00:04:08,620
query a little bit further.

68
00:04:08,650 --> 00:04:09,940
Let's zoom in on these ones.

69
00:04:10,090 --> 00:04:12,820
Further, let's find something in there.

70
00:04:13,020 --> 00:04:14,860
OK, I want to look at those ones a bit further.

71
00:04:14,890 --> 00:04:16,250
If I look at that one there.

72
00:04:16,899 --> 00:04:23,950
Query job varlogs, invalid user; that line down the bottom there, job varlogs, showing invalid user.

73
00:04:24,730 --> 00:04:28,590
I'll modify the filter to exclude something else returned in that line.

74
00:04:28,600 --> 00:04:35,530
So something that might be useful to exclude could be where it says level.

75
00:04:35,530 --> 00:04:36,550
It equals info for this.

76
00:04:36,550 --> 00:04:40,260
So I'm going to exclude level equals info from the query.

77
00:04:40,270 --> 00:04:45,460
So going back into annotation settings there, annotations, invalid user.

78
00:04:46,150 --> 00:04:51,820
I'll refine this filter to be not equals level equals info.

79
00:04:51,910 --> 00:04:57,550
So just click out of that so that it binds back to the dashboard. Now if I zoom back out to one hour,

80
00:04:57,600 --> 00:05:00,210
I'm not seeing as many annotations now as before.

81
00:05:00,220 --> 00:05:05,300
So the annotations that I'm seeing now are going to be more explicit to the type I'm looking for.

82
00:05:05,320 --> 00:05:11,290
They are the actual invalid user login attempts. If I zoom back out to three hours, for example, they

83
00:05:11,290 --> 00:05:12,310
go right back here.

84
00:05:12,670 --> 00:05:18,370
So within those highlighted annotations there, none of those are actually the Loki queries that are

85
00:05:18,370 --> 00:05:21,460
entered when I'm actually experimenting with the queries.

86
00:05:21,580 --> 00:05:27,580
So be aware that any query you type into the Explore tab is also being logged into the syslog

87
00:05:27,580 --> 00:05:29,740
log on the server in the background.

88
00:05:29,740 --> 00:05:30,820
That's my Grafana server.

89
00:05:30,850 --> 00:05:32,140
So I can save that.

90
00:05:32,200 --> 00:05:40,510
I can call that my var logs dashboard and look at that over six hours if I want, or even over 15 minutes.

91
00:05:41,540 --> 00:05:41,960
Excellent.

