Secure Access Service Edge:Log analysis

Prerequisites

The log storage service for SASE is enabled.

Enable the log storage service

Log storage is a paid service that must be activated before you can collect or query logs.

1. Log on to the SASE console.

2. In the left navigation pane, choose Log Analysis > Log Analysis.

3. On the Log Analysis page, click Activate Now.

4. Set the log storage service and log storage capacity based on your requirements, click Buy Now, and complete the payment.

After activation, SLS automatically creates a dedicated project for SASE. To view it, go to the Project list on the home page of the Simple Log Service console.

Enable log collection and storage

After the log storage service is active, turn on log collection for your SASE deployment.

1. Log on to the SASE console.

2. In the left navigation pane, choose Log Analysis > Log Analysis.

3. In the upper-right corner of the Log Analysis page, click Log Status to enable log collection and storage.

Query logs

Select a log type and enable log delivery

1. In the upper-left corner of the Log Analysis page, click the drop-down list and select the log type you want to view. Filter the results by specifying conditions as needed.

2. Click the switch next to a log type to enable or disable log delivery for that type.

Run a query

1. Enter a search statement in the search box and set a time range.

A query analysis statement combines a search statement and an analytic statement, separated by a vertical bar (|):

<Search statement> | <Analytic statement>

Statement type	Required	Description
Search statement	Yes	The filter condition. Accepts keywords, fuzzy queries, numeric values, numeric ranges, or combinations. Leave blank or enter * to return all data in the selected time range. For more information, see Query syntax and features.
Analytic statement	No	Computes or aggregates query results. If omitted, only the matching log entries are returned without statistical analysis. You can omit the from log clause that standard SQL requires. By default, the first 100 entries are returned. Use the LIMIT clause to change this limit. For more information, see Query and analysis overview.

1. Click Search & Analyze to run the query and view results.

Results appear as a log distribution histogram and Raw Logs. From the results page, you can also set alerts, create saved searches, refresh, and share. For more information, see Description of the Query/Analysis page.

* AND log_type : client_status_log | select username,app_status,COUNT(*) AS cn GROUP BY username,app_status order by cn desc limit 10000

* AND log_type : client_status_log AND app_status:offline | select username,app_status,COUNT(*) AS cn GROUP BY username,app_status order by cn desc limit 10000

* AND log_type : client_logon_log | select username,action,COUNT(*) AS cn GROUP BY username,action order by cn desc limit 10000

* AND log_type : pa_access_log | select username,device_type,COUNT(*) AS cn GROUP BY username,device_type order by cn desc limit 10000

* AND log_type : pa_access_log AND action:block | select username,block_info,COUNT(*) AS cn GROUP BY username,block_info order by cn desc limit 10000

* AND log_type : dlp_log | select username,matched_policy,COUNT(*) AS cn GROUP BY username,matched_policy order by cn desc limit 10000

View data reports

Data reports are available for Internet access log only.

1. From the drop-down list, select Internet access log, then click the Data Report tab.

1. On the Data Report tab, explore the log data:

   • Time Range: Select a time range in the upper-right corner to filter report data.

   • Drill Down: Click in the upper-right corner of the report. In the Drill Down dialog box, view data from different data sources.

Log field reference