Raw Log Search Troubleshooting

Resolve issues related to the Raw Log Search feature in the Arctic Wolf® Portal.

Issues related to search parameters Direct link to this section

The query does not return search results as expected.

The query is taking a long time to return results. Direct link to this section

Depending on the search criteria, some searches can take tens of minutes or more to return. Searches that use case insensitivity are usually slower.

To perform faster searches:

• Limit the date range.
• Make your search case-sensitive.
• Limit the search to specific log sources.

There are no search results that match the query. Direct link to this section

The query syntax might be incorrect. Or, if the syntax is correct and Arctic Wolf is receiving data from the specified log sources, there are no log lines that match the query parameters.

Try revising your search parameters:

• Deselect the Case sensitive box and run the query again.
• Expand the date range of your search.
• Confirm that the log sources included in the query are correct, or add more log sources to your query. For example, add all log sources with the router tag to your search instead of narrowing your search to logs from a specific router.
• Verify that the query syntax is correct. For example, some log sources produce log lines that contain tabs as whitespace characters. If the tab whitespace character is not in the search term, the query will not match logs from those sources. See the Raw Log Search Query Guide for more information about syntax.

Issues related to log data Direct link to this section

Log lines are missing or inaccurate.

Log lines that you expect to find in the search results are missing. Direct link to this section

Arctic Wolf might not be receiving data from the log source.

Raw Log Search queries the data that you send to Arctic Wolf for security monitoring. To resolve this issue:

1. Check the Raw Log Sources page to see if this log source is registered with Arctic Wolf.

   Tip: See View raw log sources in the Raw Log Search User Guide for instructions.

2. Follow the appropriate steps:

   On the Raw Log Source page	Steps
   If the log source is not listed	Configure the log source to send data to Arctic Wolf. Tip: See the Arctic Wolf Documentation for the relevant configuration guide. Contact your CST if you require assistance.
   If the log source is listed	Go to the Tickets page and search for a corresponding Log Source Disappeared alert. Then, follow the instructions in the ticket. If there are no corresponding alerts, contact your CST for assistance.

Some log lines have the wrong timestamp. Direct link to this section

The Arctic Wolf Portal shows timestamps in either local time or UTC, depending on your display settings.

If there is a mismatch between the actual timezone and the configured timezone for your log source, the data that Arctic Wolf receives may be offset by a number of hours. For example, if the timezone of a log source is EST and is configured to use local time, but the Arctic Wolf platform attributes the UTC timezone to this source, the timestamp for those log lines will be five hours in the future.

If one of your log source timezones is offset, contact your CST to resolve the issue.

See also Direct link to this section

• Raw Log Search User Guide
• Raw Log Search Query Guide
• Arctic Wolf Unified Portal User Guide