
Messages Tile (version 23)

The 'Messages' tile contains the message log that all Canary services write to. From here a user can filter and/or export the log as well as configure the software to send email notifications that other Canary services use.

Audit Screen

The 'Audit' screen provides a view of the messages, updated every 5 seconds with the latest messages at the top. Each message row will have a column for Timestamp, Log Level, Source, Category, and Message which can be reordered by clicking on the column header.

By default, the first 1000 messages are displayed. Messages are retained for 1 year unless the message count reaches 1.5 million. In that case, the message log is trimmed back to 1.25 million messages. The Admin service checks the size of the message log once a day and upon startup.

Filter

The 'FILTER' button in the top right allows the user to filter the message log based upon the column headers. In the Message field, keywords are separated by spaces and are NOT case-sensitive. Keywords can also be excluded from the filter by prepending '!'.

Export

Similarly, the 'EXPORT' button allows the user to export or email (See Configuring the Canary System to Send Email Alerts) the message log based upon the filters selected. Exported message logs are located wherever the Canary Base Path is stored which, by default, is C:\ProgramData\Canary [Labs]\Log.


Configuration Screen

The 'Configuration' screen allows the user to configure the Canary system to send email notifications, increase the verbosity level of the messages that are logged, view other message log databases, and enable the EAL (Enhanced Audit Log).

Email

Suspend Email Notifications - checking this will disable all email notifications

Send Test Email - sends a test email message using the configured settings.  A confirmation message is displayed indicating the status of the test.

SMTP Server - the name of the mail server that can send out mail through the SMTP protocol.  If you do not know the name of your SMTP mail server, contact your Network Administrator for this information.

Port - port 25 is the default for no authentication and port 587 when using authentication, but these are dependent upon the SMTP server and subject to change.

From - requires a valid email address format

  • When not using authentication this address could contain the name of the machine to indicate where the message originated from (Ex: Mymachine@canarylabs.com).

  • When 'Use Authentication' is checked, this email must match the authenticated username. To track the source of the email, the address may be formatted as "Mymachine <ValidEmail@mailserver.com>".

To - a valid email address. Multiple emails can be entered by separating with commas

CC - carbon copy email address

BCC - blind carbon copy email address

Use Authentication - email credentials for SMTP servers requiring authentication

Use SSL - most SMTP servers using authentication will support SSL for encryption

Username/Password - credentials used for authentication
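
Before the Username/Password are entered, the Port, 'Use Authentication' and 'Use SSL' choices above can be compared with what the mail server actually offers. The following Python is an added example, not part of the Canary software; it assumes 'Use SSL' means STARTTLS (the usual mechanism on port 587), and `probe`, `assess` and the sample feature data are hypothetical names and constructed values.

```python
import smtplib
import ssl

def probe(host, port=587, timeout=10):
    """Read the server's EHLO features before and after STARTTLS; never logs in."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before, after = dict(s.esmtp_features), None
        if s.has_extn("starttls"):
            s.starttls(context=ssl.create_default_context())  # verifies the certificate
            s.ehlo()
            after = dict(s.esmtp_features)
    return before, after

def assess(use_auth, use_ssl, before, after):
    """Compare the Email checkboxes with what the server offered.

    before/after: feature dicts from probe(); after is None without STARTTLS.
    Assumption: 'Use SSL' means STARTTLS, as is usual on port 587.
    """
    findings = []
    if use_ssl and after is None:
        findings.append("Use SSL is checked but the server offers no STARTTLS")
    if use_auth:
        offered = after if (use_ssl and after is not None) else before
        if "auth" not in offered:
            findings.append("Use Authentication is checked but AUTH is not offered")
        if not use_ssl:
            findings.append("Username/Password would be sent unencrypted")
    elif not use_ssl and after is not None:
        findings.append("STARTTLS is available but notifications would be sent unencrypted")
    return findings

# Constructed sample: a server that advertises AUTH only after STARTTLS.
SAMPLE_BEFORE = {"starttls": "", "size": "35882577"}
SAMPLE_AFTER = {"auth": "PLAIN LOGIN", "size": "35882577"}

if __name__ == "__main__":
    for auth, tls in [(True, True), (True, False), (False, False)]:
        result = assess(auth, tls, SAMPLE_BEFORE, SAMPLE_AFTER)
        print(f"Use Authentication={auth}, Use SSL={tls}:", result or "ok")
```

Against a real server, pass the result of `probe(host, port)` to `assess` in place of the sample dictionaries.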


Verbosity

The 'Verbosity' screen allows the user to change the message level for each Canary service as well as enable the EAL (Enhanced Audit Log).

MESSAGE LEVEL

The message level should be set to 'Standard' unless troubleshooting a particular service. In that case, 'Debug' or 'Trace' can be enabled for the affected source or sources. Debug and Trace messages consume extra resources to write to the message log, so it is not advised to leave them on.

SOURCES

The 'Sources' available will vary depending on the products installed. All sources will log messages at the Standard Level. The sources checked will also log messages for Debug or Trace, whichever is selected.

AUDIT LOGGING

In addition to the default message log, the EAL can be enabled to log audit information whenever configuration changes are made within the Canary system. These messages are written to both the default message log and a separate audit log. Whereas the default message log stores messages up to a year, the audit log stores audit messages indefinitely.


Database

The 'Database' screen is only visible whenever an additional message log is imported to the default location of C:\ProgramData\Canary [Labs]\Log or if the EAL is enabled, in which case an 'auditlog.sqlite' database is created. An imported message log will appear using the machine name it was exported from along with the date/time the message log was exported.

The user can select a database, then navigate back to the 'Audit' screen to view the messages.
