Troubleshoot Raw Log Search

This information provides solutions for common Raw Log Search issues in the Arctic Wolf® Unified Portal.

Search results do not match the query

Possible causes:

  • The query syntax is incorrect.
  • If the syntax is correct and Arctic Wolf is receiving data from the specified log sources, there are no log lines that match the query parameters.

Resolution: Revise your query using any of these methods:

  • Deselect the Case sensitive box, and then run the query again.
  • Expand the date range of your search.
  • Confirm that the log sources included in the query are correct.
  • Add more log sources to your query. For example, add all log sources with the router tag to your search instead of limiting your search to logs from a specific router.
  • Verify that the query syntax is correct. For example, some log sources produce log lines that contain tabs as whitespace characters. If the tab whitespace character is not in the search term, the query will not match logs from those sources.

    See Raw Log Search query syntax for more information.

The query takes a long time to return results

Possible cause: Depending on the search criteria, some searches can take tens of minutes or more to return. Searches that use case insensitivity are usually slower.

Resolution: Revise your query using any of these methods:

  • Limit the date range.
  • Make your search case-sensitive.
  • Limit the search to specific log sources.

Log lines expect to be in the search results are missing

Possible cause: Arctic Wolf might not be receiving data from the log source. Raw Log Search can only query data that is sent to Arctic Wolf for security monitoring.

Resolution:

  1. Check the Raw Log Sources page to see if this log source is registered with Arctic Wolf.

    See View Log Sources for more information.

  2. Based on your search results, do one of these actions:
    • If the log source is not listed, configure the log source to send data to Arctic Wolf.

      See Arctic Wolf Documentation for the relevant configuration guide. For more assistance, contact your CST at security@arcticwolf.com.

    • If the log source is listed:
      1. In the navigation menu, click Tickets & Alerts > All Tickets.
      2. Search for a corresponding Log Source Disappeared alert.
      3. Follow the instructions in the ticket.
    • If there are no corresponding alerts, contact your CST at security@arcticwolf.com for assistance.

Some log lines have the wrong timestamp

Possible cause: The MDR Dashboard shows timestamps in either local time or UTC, depending on your display settings. See Edit display settings for more information.

If there is a mismatch between the actual timezone and the configured timezone for your log source, the data that Arctic Wolf receives might be offset by a number of hours. For example, if the timezone of a log source is EST and is configured to use local time, but the Arctic Wolf platform attributes the UTC timezone to this source, the timestamp for those log lines will be five hours in the future.

Resolution: If one of your log source timezones is offset, contact your CST at security@arcticwolf.com to resolve the issue.