Introduction
Logsign calculates EPS (Events Per Second) for many of the processes that occur. You can monitor these values by updating them at certain time intervals. Now, let's see how to read the graphs in this menu and what we can extract from them.
Stats:
In the Logsign Unified SecOps Platform web interface, click Settings -> Maintenance -> EPS Stats to open a page with EPS tables for many processes.
General:
Log: Indicates the number of logs received per second from the devices added to Data Collection.
Correlation Engine: Indicates the number of logs passing through the alarm service.
Total: Indicates the total of Log and Correlation Engine values.
Correlation Engine:
Queued: Shows how many logs match the alarm rules.
Processed: Shows how many matching logs produced an alarm.
Log:
Parsed: Shows a graph of how many of the raw logs coming from the sources added to Logsign are normalized and mapped to the device's plugin.
Index: Shows a graph of how many normalized and mapped logs were sent to the Elasticsearch service.
Index Failed: Shows the number of logs that the parser could not send to the Elasticsearch service.
Note: Elasticsearch is the service that allows us to analyze logs live through the web interface.
Processed: Shows how many of the logs sent to the Elasticsearch service by the parser service were successfully processed.
Log By Source Types:
Shows the total EPS values according to the type of the source added to Data Collection.
Persisted:
Json Archive: Shows the number of logs coming to the archive service. Events collected on the Logsign Unified SecOps Platform are stored in the Archive section after going through certain processes.
5651 Archive (raw): Shows how many logs are archived according to 5651.
Filter:
Shows the EPS value of the logs that are excluded from the archive, the 5651 archive, and the index through the Data Policy feature.
See also: https://support.logsign.net/hc/en-us/articles/360009693079-Data-Policies-DPM-
You can also see here the EPS values of the sources that send logs to Logsign via Syslog but are not added to Data Collection.
Drop:
Source Unknown: Reflects the values in the Unknown Source graph.
Syslog Error: Shows the logs that come to the Syslog service but cannot be distributed to the services. (There may be a problem with the Syslog service; it should be checked.)
EPS License Drop: Indicates that the EPS limit assigned to your license has been exceeded.
SFTP Failed: Shows the EPS values dropped due to errors in a source attached as SFTP type.
Socket Drop (Context):
The Parser and Persist services are increased according to the EPS values. If a service is insufficient, we can track this through the graph.
Source Unknown:
Shows the EPS value of sources that send logs to Logsign's syslog port (514) but are not added to Data Collection, in a graph that allows us to analyze it by IP.