Troubleshoot Raw Log Search

This information provides solutions for common Raw Log Search issues in the Arctic Wolf® Unified Portal.

Search results do not match the query

Possible cause:

• The query syntax might be incorrect.
• If the syntax is correct and Arctic Wolf is receiving data from the specified log sources, there are no log lines that match the query parameters.

Resolution: Revise your query.

• Deselect the Case sensitive box and run the query again.
• Expand the date range of your search.
• Confirm that the log sources included in the query are correct, or add more log sources to your query. For example, add all log sources with the router tag to your search instead of narrowing your search to logs from a specific router.
• Verify that the query syntax is correct. For example, some log sources produce log lines that contain tabs as whitespace characters. If the tab whitespace character is not in the search term, the query will not match logs from those sources. See the Raw Log Search Query Guide for more information about syntax.

The query takes a long time to return results

Possible cause: Depending on the search criteria, some searches can take tens of minutes or more to return. Searches that use case insensitivity are usually slower.

Resolution: Revise your query.

• Limit the date range.
• Make your search case-sensitive.
• Limit the search to specific log sources.

Log lines that you expect to find in the search results are missing

Possible cause: Arctic Wolf might not be receiving data from the log source. Raw Log Search can only query data that is sent to Arctic Wolf for security monitoring.

Resolution:

1. Check the Raw Log Sources page to see if this log source is registered with Arctic Wolf.

   Tip: See View log sources in the Raw Log Search User Guide for instructions.

2. Follow the appropriate steps:

   • If the log source is not listed, configure the log source to send data to Arctic Wolf.

   Tip: See the Arctic Wolf Documentation for the relevant configuration guide. Contact your CST if you require assistance.

   • If the log source is listed:
     1. Go to the Tickets page.
     2. Search for a corresponding Log Source Disappeared alert.
     3. Follow the instructions in the ticket.
   • If there are no corresponding alerts, contact your CST for assistance.

Some log lines have the wrong timestamp

Possible cause: The Arctic Wolf Portal shows timestamps in either local time or UTC, depending on your display settings. If there is a mismatch between the actual timezone and the configured timezone for your log source, the data that Arctic Wolf receives may be offset by a number of hours. For example, if the timezone of a log source is EST and is configured to use local time, but the Arctic Wolf platform attributes the UTC timezone to this source, the timestamp for those log lines will be five hours in the future.

Resolution: If one of your log source timezones is offset, contact your CST to resolve the issue.

See also

• Raw Log Search User Guide
• Raw Log Search Expression Syntax Guide
• Arctic Wolf Unified Portal User Guide