Example Queries:

Free text search: "bwalth01" or "130.64.205.66"
All Juniper VPN activity: deviceVendor contains "Juniper" AND deviceProduct = "Netscreen VPN"
All traffic going to a particular IP: destinationAddress = "94.100.18.41"
All traffic to a set of IP addresses: destinationAddress IN [seim:"130.64.205.66","130.64.205.72","130.64.205.178"]
All failed login attempts: categoryBehavior CONTAINS "Verify" AND categoryOutcome = "/Failure"
Example Load Balancer log (for when you need Load Balancer specific searches): Rule Log-to-Arcsite <;SERVER_CONNECTED>;: Got connection: Client(130.64.177.249:61338)<;>;(130.64.212.185:443)LTM(10.250.136.10:61338)<;>;(10.250.136.82:443)Server

Useful fields for narrowing down Logger queries:

eventId - always a distinct, sequential integer. No two events have the same EventId
destinationAddress - the IP address to which packets, requests, or connections were sent
sourceAddress - the IP address from which packets, requests, or connections were sent
name - the human-readable description of the event
message - a human readable description or debug output associated with the event
destinationPort, sourcePort - the ports used in network connections
sourceHostName, destinationHostName - the hostnames that resolves with the sourceAddress and destinationAddress
eventTime - the time at which the logging service first recorded the event
destinationMacAddress, sourceMacAddress - for networking events which record MAC addresses
destinationUserName, sourceUserName - the username involved with requesting an action which generated the event
baseEventId - for correlated or aggregated events, the eventId associated with the rule that triggered this new derivative event
baseEventCount - the number of aggregated events that were combined to form this new derivative event
device - the server hostname on which the SmartConnector is installed that captured this event
deviceReceiptTime - the time which the ArcSight SmartConnector received the log
deviceCustomString[seim:1-6] - special values associated with a particular event that do not fit inside other fields. Sometimes related distances, MAC addresses, or other misc details.
CategoryBehavior - the action associated with this event. Usually among:
- /Access
- /Access/Start
- /Access/Stop
- /Authentication/Verify
- /Authorization
- /Communicate
- /Communicate/Query
- /Communicate/Response
- /Create
- /Execute
- /Execute/Query
- /Execute/Response
- /Execute/Start
- /Execute/Stop
- /Found/Defective
- /Found/Exhausted
- /Modify/Configuration
- /Modify/Content
CategoryOutcome - the reported outcome of the event. Among:
- /Attempt
- /Success
- /Failure

CategoryObject - the type of device associated with this event. Usually among:
- /Actor/User
- /Host
- /Host/Application
- /Host/Application/Database
- /Host/Application/Service
- /Host/Application/Service/Email
- /Host/Operating System
- /Host/Resource
- /Host/Resource/Interface
- /Host/Resource/Memory
- Network
CategorySignificance - the reported event significance type. Usually among:
- /Hostile
- /Informational
- /Informational/Error
- /Informational/Normal
- /Informational/Warning
- /Normal
- /Recon
- /Rule/Action/Success
- /Suspicious
transportProtocol - usually among:
- TCP
- UDP
- ICMP
- IGMP
DeviceProduct - the brand name of the product which triggered the event. Examples:
- Apache
- ArcSight
- CiscoRouter
- Device Product
- IntruShield
- IP Flow
- Logger
- Microsoft Windows
- Mobility Controller
- Netscreen VPN
- NSM
- NT syslog
- Peoplesoft Financials
- Peoplesoft HR
- Sendmail
- Switch
- Tomcat
- Unix
- WebLogic
DeviceVendor - the brand name of the owner/vendor of the product. Examples:
- Apache
- ArcSight
- Aruba Networks
- BEA
- CISCO
- Extreme Networks
- IP Flow
- Juniper
- McAfee
- Microsoft
- Oracle
- SaberNet
- Unix
DeviceAction - the arbitrary action reported by the device. Examples:
- DHCPACK
- DHCPDISCOVER
- DHCPINFORM
- DHCPNAK
- DHCPOFFER
- DHCPRELEASE
- DHCPREQUEST
- 200
- 400
- 5
- Accept
- accepted
- closed
- connect
- info
- moved
- notice
- pckt dropped
- Postponed
- REFUSED
- Sent
- SERVFAIL
- succeeded
- Suspicious
- Warning

Browser not supported