EPS Stats & Reading Graphics

Introduction

Logsign calculates EPS (Events Per Second) for each of the processing stages a log passes through. The values refresh at regular intervals, so you can monitor them over time. This article explains how to read the graphs in this menu and what you can learn from them.

Stats:

In the Logsign Unified SecOps Platform web interface, click Settings -> Maintenance -> EPS Stats. The page shows an EPS graph for each process, grouped as described below.

General:

Log: The number of logs received per second from the devices added to Data Collection.

Correlation Engine: Indicates the number of logs passing through the alarm service.

Total: The sum of the Log and Correlation Engine values.


Correlation Engine:

Queued: Shows how many logs match the alarm rules.

Processed: Shows how many of those matching logs resulted in an alarm.


Log:

Parsed: Shows how many of the raw logs coming from the sources added to Logsign are normalized and mapped to the device's plugin.

Index: Shows the graph of how many normalized and mapped logs were sent to the Elasticsearch service.

Index Failed: Shows the number of logs that the parser could not send to the Elasticsearch service.

Note: Elasticsearch is the service that lets you analyze logs live through the web interface.

Processed: Shows how many of the logs that the parser service sent to the Elasticsearch service were successfully processed.


Log By Source Types:

Shows the total EPS value for each type of source added to Data Collection.


Persisted:

Json Archive: Shows the number of logs arriving at the archive service. Events collected on the Logsign Unified SecOps Platform are stored in the Archive section after passing through the processing stages.

5651 Archive (raw): Shows how many logs are archived according to 5651.


Filter:

This field shows the EPS value of the logs that the Data Policy feature excludes from the archive, the 5651 archive, and the index.

See also: https://support.logsign.net/hc/en-us/articles/360009693079-Data-Policies-DPM-

It also shows the EPS values of sources that send logs to Logsign over Syslog but are not added to Data Collection.


Drop:

Source Unknown: Reflects the values in the Unknown Source graph.

Syslog Error: Shows the logs that reach the Syslog service but cannot be distributed to the other services. (This may indicate a problem with the Syslog service and should be checked.)

EPS License Drop: Shows logs dropped because the EPS limit assigned to your license has been exceeded.

See also: https://support.logsign.net/hc/en-us/articles/360009631420-How-to-View-Host-ID-and-License-Information

SFTP Failed: Shows the EPS of logs dropped because of errors in a source added as SFTP type.


Socket Drop (Context):

The Parser and Persist services are scaled up according to the EPS values. If a service is insufficient for the load, this graph lets you track the resulting drops.


Source Unknown:

The EPS value of sources that are not added to Data Collection but still send logs to Logsign's syslog port (514), with a graph that lets you analyze it by IP.

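The graphs above are easier to act on when the relationships between them are checked rather than eyeballed. The following script is an added example, not part of this article or of the Logsign product: it models one refresh of the EPS Stats page as a record whose field names follow the graph labels described above, checks that Total equals Log plus Correlation Engine, flags Index Failed, each Drop graph and Socket Drop with the cause the article gives for it, keeps Filter out of the drop total because those logs are excluded on purpose by a Data Policy, and detects a value that keeps rising across refreshes. The sample values are constructed; how the numbers are read off the page (by hand, screenshot or export) is an assumption the article does not cover.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class EpsSample:
    """One refresh of the EPS Stats page.

    Field names follow the graph labels in the article. Values are
    constructed for this example; collecting them from the page is
    an assumption, not something the article describes.
    """
    log: float                 # General -> Log
    correlation_engine: float  # General -> Correlation Engine
    total: float               # General -> Total
    parsed: float              # Log -> Parsed
    index: float               # Log -> Index
    index_failed: float        # Log -> Index Failed
    filter_excluded: float     # Filter (intentional, via Data Policy)
    source_unknown: float      # Drop -> Source Unknown
    syslog_error: float        # Drop -> Syslog Error
    eps_license_drop: float    # Drop -> EPS License Drop
    sftp_failed: float         # Drop -> SFTP Failed
    socket_drop: float         # Socket Drop (Context)


def unintended_drop_eps(s: EpsSample) -> float:
    """Sum of the Drop and Socket Drop graphs. Filter is left out on
    purpose: those logs are excluded by a Data Policy, not lost."""
    return (s.source_unknown + s.syslog_error + s.eps_license_drop
            + s.sftp_failed + s.socket_drop)


def check_eps(s: EpsSample, max_index_fail_ratio: float = 0.01) -> List[str]:
    """Return one finding per condition the graphs let you spot."""
    findings: List[str] = []

    # General: Total is defined as Log + Correlation Engine.
    if abs(s.total - (s.log + s.correlation_engine)) > 1e-6:
        findings.append(f"Total: {s.total} does not equal Log {s.log} + "
                        f"Correlation Engine {s.correlation_engine}")

    # Log: Index Failed are logs the parser could not hand to Elasticsearch,
    # so they are missing from live search. Compare against what was sent.
    sent = s.index + s.index_failed
    if sent > 0 and s.index_failed / sent > max_index_fail_ratio:
        findings.append(f"Index Failed: {s.index_failed:.1f} of {sent:.1f} EPS "
                        "not delivered to Elasticsearch")

    # Drop: each graph maps to the cause named in the article.
    if s.eps_license_drop > 0:
        findings.append(f"EPS License Drop: {s.eps_license_drop:.1f} EPS over "
                        "the licensed limit")
    if s.syslog_error > 0:
        findings.append(f"Syslog Error: {s.syslog_error:.1f} EPS not distributed; "
                        "check the Syslog service")
    if s.sftp_failed > 0:
        findings.append(f"SFTP Failed: {s.sftp_failed:.1f} EPS lost on an SFTP source")
    if s.socket_drop > 0:
        findings.append(f"Socket Drop: {s.socket_drop:.1f} EPS; Parser/Persist "
                        "services cannot keep up")
    if s.source_unknown > 0:
        findings.append(f"Source Unknown: {s.source_unknown:.1f} EPS from hosts "
                        "not added to Data Collection")
    return findings


def rising(samples: List[EpsSample], attr: str) -> bool:
    """True when a graph value increases on every refresh, e.g. a
    Socket Drop that keeps climbing as the load grows."""
    values = [getattr(s, attr) for s in samples]
    return len(values) >= 2 and all(b > a for a, b in zip(values, values[1:]))


# Constructed samples: one healthy refresh, then a stressed one.
HEALTHY = EpsSample(log=1200, correlation_engine=300, total=1500,
                    parsed=1200, index=1200, index_failed=0,
                    filter_excluded=50, source_unknown=0, syslog_error=0,
                    eps_license_drop=0, sftp_failed=0, socket_drop=0)

STRESSED = EpsSample(log=2500, correlation_engine=600, total=3100,
                     parsed=2500, index=2400, index_failed=100,
                     filter_excluded=50, source_unknown=40, syslog_error=0,
                     eps_license_drop=500, sftp_failed=0, socket_drop=120)

if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("stressed", STRESSED)):
        print(name, check_eps(sample) or ["no findings"])
    print("unintended drop EPS (stressed):", unintended_drop_eps(STRESSED))
    print("socket drop rising:", rising([HEALTHY, STRESSED], "socket_drop"))
```

The threshold for Index Failed is a starting point, not a product default; lower it if live search completeness matters more than noise. A finding on EPS License Drop points at the license article linked above, while a rising Socket Drop across several refreshes is the signal that the Parser or Persist services need more capacity.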
