
CorreLog® Security Correlation Server

Screen Reference Manual

http://www.correlog.com mailto:[email protected]


CorreLog, Screen Reference Manual

Copyright © 2008 - 2016, CorreLog, Inc. All rights reserved.

No part of this manual shall be reproduced without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibilities for errors or omissions. Nor is any liability assumed for damages resulting from the use of this information contained herein.

This manual contains screenshots that may be slightly different from the version of the system you are using. Screenshots included in this manual are intended to be representative of the displays that you may see, depending upon factors such as whether you are using an OEM version, or the latest version of the software. For clarification on any particular function or feature contained in this manual, contact CorreLog support for more detailed information.


Table of Contents

Section 1: Introduction ………….. 5

Section 2: Dashboard Screens ………….. 13

Section 3: Message Screens ………….. 25

Section 4: Message Config Screens ………….. 53

Section 5: Correlation Screens ………….. 87

Section 6: Alerts Screens ………….. 107

Section 7: Ticket Screens ………….. 123

Section 8: Reporting Screens ………….. 137

Section 9: System Screens ………….. 164

Section 10: Utility Screens ………….. 185


Section 1: Introduction

This document provides detailed descriptions of all major screens of the CorreLog Security Correlation Server, along with associated explanations and details. The manual lists these screens by major application function of the system. Screens are listed by the order in which the screens appear in CorreLog. The manual serves as a comprehensive site map for CorreLog, as well as a reference manual describing input fields, settings, screen functions, and screen values available to CorreLog operators.

The "CorreLog Security Correlation Server" is a compact software system, which listens for Syslog and other messages within your enterprise. As these messages are received, they are logged, and cataloged into related groups of messages, and correlated to find meaning. The user can search this information, and can take automatic action when security violations occur.

CorreLog is a fully web-based system, which leverages the capabilities of web browsers, operating with or without client Java enabled. The program has an easy-to-navigate, tab-based interface consisting of many different screens that are accessed through hyperlinks and buttons. The system is intended to be highly ergonomic, intuitive, and easy to operate.

The manual provides screenshots and descriptive text for all screens. Although this manual provides usage information, it is not intended to be a comprehensive operation manual. Application and operation of the CorreLog server is documented in a companion manual, the "CorreLog User Reference Manual", which is available from the "Home" screen of the CorreLog server, and other locations.


Screen Overview

CorreLog employs a web-based user interface that leverages the power of your web browser to configure and access data. The program uses standard browser features, and does not require client Java or JavaScript to fully operate. If Java is available to the client browser, it is used to implement minor and non-essential improvements to navigation.

The actual order of tabs is governed strictly by the ordering of programs within the "sigma-web" directory of the CorreLog root directory, as discussed in the "CorreLog Sigma Framework" companion manual. Basic applications of CorreLog appear in the top-level screens, as follows:

Dashboard Screens. The "Dashboards" screen is the entry point to the CorreLog dashboard facility, which permits the user to display real-time data about various elements of the system, such as message rates, top devices, top users, and many other data items. The user can create, modify, and delete dashboard configurations. The operator can make this the default login screen, and select a default dashboard, using the "User Preferences" screen of the system. Dashboards are discussed in Section 2 of this document.

Message Group Screens. The CorreLog "Messages" application aggregates, processes and displays message data from network devices. This gives visibility into all received messages. The user can search raw message data, view data catalogs, and configure filters and overrides. The "Search" screen employs a high-speed indexed search engine supporting advanced searches, and a keyword index that lists all keywords (and their counts) for all messages received. Messages Group screens are discussed in Sections 3 and 4 of this document.

Correlation Group Screens. The "Correlation" application processes the raw message data received by the "Messages" application. The correlation screens permit the user to establish associations between messages by creating "Threads", which consist of simple or complex match patterns, possibly controlled by "Triggers". The counters of these threads can then be alarmed via the "Alert" facility (described below.) These screens include a macro editor, address group editor, and a template capability, as well as an "Action" capability that can furnish automation and further data reduction based upon correlated data. Correlation Group screens are discussed in Section 5 of this document.

Alert Group Screens. The "Alerts" application continuously monitors CorreLog counters and states, and opens "Tickets" on the system (described below.) This group consists of several different facilities and screens, each of which can open tickets assigned to users. Alert Group screens are discussed in Section 6 of this document.

Ticket Group Screens. The "Tickets" application furnishes the highest level of message correlation by creating actionable incidents in a traditional incident management framework. Tickets are automatically opened by the "Alerts" and "Patterns" facilities. Tickets are assigned to either registered CorreLog users, or a user defined ticket group. This application can be interfaced directly to a third-party enterprise ticketing system. Tickets Group screens are discussed in Section 7 of this document.

Report Group Screens. The "Reports" application provides general utility in the reporting of both raw and correlated message information. These screens include a "Query" search utility, an "Audit" capability, a graphing facility, as well as a comprehensive reporting facility based on Microsoft Excel spreadsheets. In particular, the user can define new reports, and create new Excel templates, leveraging the power of Excel to perform highly customized analytical functions and graphical depictions of data. Excel reports can be distributed to users via RSS, which can be configured to publish daily, weekly, or monthly reports. Report information can also be loaded into an ODBC compliant SQL database. Reports Group screens are discussed in Section 8 of this document.

System Group Screens. The "System" application screens provide various system functions, including support for user preferences, login management, scheduling of programs, and configuration of global parameters. Except for the user's preferences, these screens all require an "admin" type login to the CorreLog system (as configured in the "Login" screen of this group.) System Group screens are discussed in Section 9 of this document.

In addition to the above screens, various utility screens (accessed by clicking on hyperlinks located throughout CorreLog) permit access to specialized data, details, and additional information. These utility screens are discussed in Section 10 of this document.

Navigating Screens

CorreLog is navigated by a series of tabs that appear at the top of all screens. The currently selected tab is always highlighted, providing an immediate indication to the user of the current area of operation within the CorreLog program.

Some tabs display screens directly, whereas other tabs (distinguished with a trailing "/" slash character) reveal lower-level tabs. Tabs can be nested several screens down into CorreLog. The user can switch to any location within CorreLog by clicking on a tab, which immediately transitions the user to the new screen. Clicking on the currently highlighted tab immediately resets the screen to the default values, as they appear on initial entry to the screen.

Context Sensitive Help. A "Help" link is provided at the top right of every screen. Clicking on this link will display help on the current screen. This context sensitive help provides an excellent way to learn the various features of CorreLog. From the "Help" screen, the user can navigate back to the selected screen, and can access other online resources.

Device Address Hyperlinks. Throughout CorreLog, wherever a device IP address appears, the operator can click on the IP address hyperlink to display information about the device. The "Device Information" screen permits the operator to ping the device and edit device parameters (such as special device commentary.) Additionally, the "Device Information" screen allows the operator to view all the messages associated with the device.

Message Detail Hyperlinks. Throughout CorreLog, wherever a message is displayed, the user can click on the "Detail" hyperlink to display information about the message. The Message Detail Hyperlink permits the user to view related messages, including the contents of "Correlation Threads" that the message is part of.

Pinned Items. On various CorreLog screens, the user can pin items to the top of the list. The user clicks the "Edit" button, and then selects "Pin To Top". This keeps certain items (such as Correlation Threads, Alerts, Triggers, Actions, and Reports) at the top of the list of items. Pinned items are part of the user's preferences, and affect only the current user's login.

Search Terms / Expandable Titles. On various CorreLog screens (including the "Devices", "Users", "Facilities", "Severities", and "Threads" screens) the user can click on the "Plus" icon to the left of the title to expand the options associated with the catalog of items. The user can graph the items in the catalog, and can further add "Search Terms" that will view specific items in the catalog. This provides an easy way to drill down into specific lists of items associated with a catalog of data.

The "More" Menu. To the right of the "Help" link is the "More" menu, which displays selected utilities and CorreLog applications. The user clicks on the "More" link to display this menu, and then selects one of the menu links to display the new screen.


CorreLog Dialogs and Buttons

CorreLog provides a consistent way of adding, editing and deleting information. On various CorreLog screens, the user can access Edit and Wizard dialogs. These are accessed via "AddNew" or "Edit" buttons. To add a new item to a list, the user clicks either "AddNew" or "Wizard" buttons. To modify an existing item, the user clicks the "Edit" button (usually represented as a #NN number to the left of the list item.) To delete an existing item, the user clicks the "Edit" button, and then clicks "Delete".

The buttons on CorreLog screens operate consistently as follows:

Apply Button. This button appears wherever a match pattern field exists, and applies the settings of the match pattern (or other filter) and then refreshes the screen with the new information.

Clear Button. This button clears the information from the display. On the "Messages Search" screen, the button temporarily clears the display of messages so that the operator can see any new messages that have arrived.

Config Button. This button appears on various screens, and runs a special configuration screen associated with the data of the top-level screen. For example a "Config" button appears on the "Devices" screen to allow the operator to configure the device "Idle Time" value. Likewise, the "Config" button appears on the "Users" screen to allow the operator to configure user auto-discovery parameters.

AddNew Button. This button appears on screens that permit the user to add items to the screen list, such as a new correlation thread, a new filter, a new alert, or other list item. The screen displays a dialog that allows the user to add information associated with the screen.

Wizard Button. This button appears on various screens, and runs a wizard that guides the operator through the process of adding a new item. It performs a function similar to the "AddNew" button, but via a wizard interface.

Edit Button. This button appears on parameter dialog screens. Additionally, on screens with a list of items, each item has an Edit button in the form "#NN" to the left of the item. The user can edit (or delete) the item via the edit dialog.

Save Button. This button appears on "Add New" and "Edit" dialogs, and commits the data to the system, redisplaying the top-level screen showing the new or modified list item.


SaveNew Button. This button appears on "Edit" dialogs, and saves the edited item as a new item. The top-level screen is then displayed, showing both the old (unmodified) and the new item.

Cancel Button. This button appears on "Add New" and "Edit" dialogs, and on wizard screens. The button causes the current screen to be abandoned, and returns the user to the top-level screen.

Delete Button. This button appears only on "Edit" dialogs, and causes the current list item to be deleted. To delete an item, the user clicks "Edit" and then clicks the "Delete" button.

Default Button. This button appears on certain parameter screens, and sets the current values to their installation defaults. The button can be used to restore the system defaults to their initial operating values.

Reset Button. This button appears on various screens, and operates exactly as if the user clicked the "Cancel" button, and then selected the edit screen again. The screen values appear exactly as they did on initial entry to the screen. Any changes made to the dialog are discarded.

Refresh Button. This operates similarly to the "Apply" button, but simply refreshes the screen with the latest data. This button is mainly useful for fetching the latest system data (which may have been modified by another user, or by a system process.)

User Defined Search Terms

For each catalog of data (such as "Threads", "Devices", "Users", etc.) the user can define specific search terms that assist with viewing and analyzing message data.

The operator defines a search term by clicking on the "Plus" icon to the left of each catalog item (that supports this feature.) This causes the title to expand, and show various items. Once a catalog title has been expanded, various hyperlinks are revealed, including the ability to "Graph" catalog message rates, and "Edit Search Terms" for the catalog. Clicking the "Edit Search Terms" hyperlink displays a screen that allows the user to add search terms and labels, which will appear the next time that the user clicks the "Plus" icon for the title.

This provides a simple way for the user to define data items (and taxonomies) of special interest. The user can simply click the "Plus" icon associated with any device, facility, user, thread, or other catalog item to view the search terms he or she has defined. For example, if the user has a thread called "Hardware Events", the user can quickly drill down (after defining a search term) to view only the "Disk Hardware" events, or "Printer" events.

"User Search Terms" are also available from any catalog of items by clicking the "Match" keyword in the filter bar of the catalog of items. (This keyword is hyperlinked on all screens where the "User Search Terms" function is supported.) Clicking on the "Match" keyword takes the user to the list of search terms he or she has defined for the particular catalog of items (identical to accessing this screen via the "Edit Search Terms" hyperlink described above.) From this location the operator can define or modify personal search terms, or can execute one of the existing search terms.

User Defined Hyperlinks

In addition to creating hyperlinks to search terms within catalogs, the user can define hyperlinks to arbitrary locations within the system, such as adapters, screens of special significance, or external programs. These hyperlinks appear in the banner of the program, inline with the "Search" and "More" hyperlinks in the upper right of the display.

The user defines hyperlinks by clicking the "More" menu, and selecting "User Links" from the list. This launches a special editor screen that allows the user to define the label for the hyperlink, and the hyperlink value. The label can be any arbitrary 10-character label, whereas the value can be any legitimate URL value to a maximum of 200 characters.

In particular, the hyperlink value can be the URL of a CorreLog screen copied and pasted directly from the browser into the edit field (including the http:// prefix for the URL.) The hyperlink value can also be an external URL to some other web-enabled program or website. If the URL is longer than 200 characters, the URL is silently truncated. (In the special case of CorreLog internal URLs, this will generally have no effect on the ability to actually navigate to the selected location.)

Note that "User Defined Hyperlinks", like "Search Terms", appear only for the particular user that has defined them; these are user preferences that do not affect the display of other users. The function furnishes a simple way of navigating to certain locations within the CorreLog system (or other location on the network) through a single mouse-click.

How To Use This Manual

This manual is intended for use by operators, administrators, and program developers, and is written to be complete documentation for all primary CorreLog screens. The manual focuses on screen purposes and functions, and does not necessarily discuss specific application and operation of screens. (This information is available within other manuals in the CorreLog documentation suite, such as the "CorreLog User Reference" manual, accessed from the "Home" screen of CorreLog.)

If viewing this document as a PDF in Adobe Acrobat, you can access the help topics for any screen via the "Bookmarks" pane at the left of the screen.

Otherwise, this manual provides a table of contents and an Alphabetical Index at the end of the document.

A complete list of companion manuals is available after logging into CorreLog by accessing the "More" hyperlink (in the upper right corner of the CorreLog display) and then selecting "User Manuals". This provides a list of all the current manuals on the system.

Additionally, other user manuals may exist, such as those related to specialized adapter software that has been added to CorreLog after the initial installation. All manuals can be found within the "CorreLog\s-doc" directory folder, which serves as the central repository for all online documentation within the system.

For More Information

For more information on CorreLog usage, refer to the "CorreLog User Reference Manual", available from the home screen of CorreLog. This manual provides important usage and background information regarding the system.

CorreLog is committed to delivering the industry’s best combination of log management and multi-platform security correlation. We are pleased to offer support for both evaluation and licensed versions of our product. If you have any difficulty with the CorreLog server installation or operation, we would like to assist you.

CorreLog, Inc.

http://www.correlog.com


Section 2: Dashboard Screens

CorreLog provides a comprehensive dashboard facility that allows users to view top-level CorreLog data, and drill down to view details. Each dashboard consists of various window panels. Each window panel can contain a user specified "Gadget". The particular gadgets are specified and configured via the "Edit Layout" button at the bottom of the screen, or by clicking the "Edit Gadget" icon at the upper right of each window panel.

The user can create, modify, and delete dashboard configurations. The operator can make this the default login screen, and select a default dashboard, using the "User Preferences" screen of the system.

The "drill-down" capability of dashboard screens is quite extensive, and allows the end user to navigate all significant areas of the program. For some users, the dashboard facility will be the principal (and perhaps only) screen used to assess the security of the organization and performance of the system.

This section provides a description of primary Dashboard screens, including information on how to construct dashboards. A description of the actual gadgets available to users is not included here, but is available as an appendix to the "CorreLog User Reference Manual", and is available as online HTML help when constructing dashboards.


Dashboard Screen

The top-level "Dashboard" screen, displayed when the user first clicks the "Dashboard" tab at the top of CorreLog screens, provides a flexible dashboard presentation system that can depict the real-time status of raw and correlated messages on the system. The operator can configure new dashboards, create "drill down" dashboards, and set a default dashboard in his or her user preferences. A typical dashboard is shown below.

Each dashboard consists of various panels (specified in a selectable "layout" file) where each panel contains a "gadget". Various gadgets are provided with the base CorreLog installation, and other gadgets are available from a variety of sources. Each gadget contains an "Edit" button to permit configuration of detailed parameters, and a "Move" button that allows the gadgets to be dragged to new locations on the dashboard. The actual dashboard layout (including panel titles, and links to other dashboards) is configured via the "Edit Layout" button at the bottom of the dashboard screen.

Dashboard Tabs

The "Dashboard" screen displays a series of tabs across the top, corresponding to up to eight different dashboards that can be accessed quickly. (Other dashboards, if they exist, can be accessed via the "drop-down" menu at the bottom of the display.) The operator can click the "Select Tab" link at the upper right of the dashboards to specify which dashboards are to be displayed as tabs. The first dashboard displayed, referred to as the "Default Dashboard", is also configurable in the user's preferences.

To select the dashboard tabs of special interest, the operator clicks "Select Tab", and then selects each dashboard in the order that it is to be displayed at the top of the "Dashboard" screen.

Dashboard Layout Files

Each dashboard is based on a "Layout" file, selected via the "Edit Layout" button, or specified via the "Add New" wizard. (These buttons are found at the bottom of the screen.) Layout files reside in the "dash/layout" directory of the CorreLog root directory. In the basic CorreLog distribution package, various layout files are provided to support different screen resolutions (by default either 800, 1024, or 1280 screen widths.) These layout files are simply HTML files containing specific keywords and "IFRAME" references that can contain gadgets. Administrators can modify the existing layout files, or add new layout files that provide customized panel arrangements and other annotations. Any text editor, as well as a variety of HTML editors, can be employed to create new or modify existing layout files. No special caution is required in editing a dashboard, other than preserving the particular "@@" macro references in the file. These references are filled in with appropriate information when the dashboard is displayed, using the "HTML Macro" function documented in the "Sigma Web Framework" Users Manual. When creating a new layout file, the user simply preserves these references, or relocates these references within the new layout file.
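As an added example (not part of this manual, and not CorreLog's own code), the following Python script performs the one check the paragraph above asks for when a layout file is edited: it confirms that every "@@" macro reference present in the original layout is still present in the edited copy, and it lists the IFRAME references the layout embeds so an administrator can see where each panel's content is loaded from, flagging any that point at another host. The macro syntax `@@NAME@@`, the gadget file names and both sample layouts are constructed assumptions for illustration; the manual does not document the real macro names or file contents.

```python
import re
from html.parser import HTMLParser

# Assumption: a layout macro reference is written @@NAME@@ (the manual only
# says the references begin with "@@"); adjust the pattern if yours differ.
MACRO_RE = re.compile(r"@@([A-Za-z0-9_]+)@@")


class _IframeCollector(HTMLParser):
    """Collects the src attribute of every IFRAME start tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def macro_refs(layout_html):
    """Return the set of macro names referenced in a layout file."""
    return set(MACRO_RE.findall(layout_html))


def iframe_sources(layout_html):
    """Return the IFRAME src values in document order."""
    parser = _IframeCollector()
    parser.feed(layout_html)
    return parser.sources


def check_layout(original_html, edited_html):
    """Compare an edited layout against the original it was derived from.

    missing:          macros the edit dropped (the HTML Macro function can no
                      longer fill them in when the dashboard is displayed)
    added:            macros the edit introduced that the original never had
    off_host_iframes: IFRAME src values that are absolute http(s) URLs, i.e.
                      panels that would load content from another host
    """
    original = macro_refs(original_html)
    edited = macro_refs(edited_html)
    off_host = [s for s in iframe_sources(edited_html)
                if re.match(r"(?i)https?://", s)]
    return {
        "missing": sorted(original - edited),
        "added": sorted(edited - original),
        "off_host_iframes": off_host,
    }


# Constructed sample layouts (not real CorreLog files): the "edited" copy
# drops the @@FOOTER@@ reference and adds a panel that loads an external page.
ORIGINAL_LAYOUT = """<html><body>
<h1>@@TITLE@@</h1>
<table><tr>
<td>@@PANEL1@@<iframe src="gadget1.cgi"></iframe></td>
<td>@@PANEL2@@<iframe src="gadget2.cgi"></iframe></td>
</tr></table>
@@FOOTER@@
</body></html>"""

EDITED_LAYOUT = """<html><body>
<h1>@@TITLE@@</h1>
<table><tr>
<td>@@PANEL1@@<iframe src="gadget1.cgi"></iframe></td>
<td>@@PANEL2@@<iframe src="gadget2.cgi"></iframe></td>
<td>Clock<iframe src="http://example.invalid/clock"></iframe></td>
</tr></table>
</body></html>"""


if __name__ == "__main__":
    report = check_layout(ORIGINAL_LAYOUT, EDITED_LAYOUT)
    for key, values in report.items():
        print(f"{key}: {values if values else 'none'}")
```

Run it with the shipped layout file as the original and your modified copy as the edited layout: a non-empty `missing` list means the edit dropped a reference the HTML Macro function expects to fill in, and any entry in `off_host_iframes` means a panel will pull its content from outside the CorreLog server, which is worth a second look before the layout is put into service.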

Dashboard Gadgets

Within each panel of the dashboard, the user specifies a "Gadget" that depicts a particular type of data to be displayed. Each gadget depicts the data in a variety of formats, and with a variety of possible arguments. For example, the "Top Devices" gadget displays top device activity based upon various selectable criteria (such as most recently updated devices, or most active devices.) The parameters of each gadget are similar, but can be slightly different depending upon the data being displayed. Generally, the user can qualify lists of items based upon match expressions, address groups, filters, or other items. For example, the "Top Devices" gadget allows the user to look at all top devices, or the top devices associated with a particular address group.

Most gadgets support various "Display Modes", such as horizontal bar chart, pie chart, stack chart, or tabular display. These different display modes affect the look of the gadget, but not the particular data that is displayed. Some of these display modes require Java, whereas others do not. The particular aesthetics of the dashboard are flexible, and completely controlled by the end user.

Special Dashboard Features

The dashboard facility is easy to use and intuitive to set up. The application supports a number of special features, outlined below.

External Gadgets. In addition to the built-in CorreLog gadgets, users can add gadgets from other external locations, such as the "iGoogle" and "Widgetbox" websites. The user cuts and pastes the gadget reference from these websites into a CorreLog dashboard using the "Text/HTML" gadget. This allows the user to add gadgets such as calendars, news feeds, clocks, and other external items into a CorreLog dashboard.

Edit Gadget Button. The user can edit gadgets by clicking the "Edit Layout" button at the bottom of the screen, and then clicking the "Edit" button associated with the specific gadget. Or, the user can simply click the "Edit Gadget" button found at the upper right of each gadget window panel. This takes the user directly to the particular "Edit Gadget" screen.

Move Gadget Button. The user can rearrange the layout of the gadgets using the "Move Gadget" button found at the upper right of each gadget window panel. The user clicks on this button, holds down the mouse button, and releases the mouse button in the windowpane of another gadget. (Note that the button must be released in the blue windowpane of the target gadget, and not in the main window of the gadget.) This will swap the location of the two gadgets.

Links To Other Dashboards. Each gadget has an optional "Panel Name" setting that allows the user to enter arbitrary identifying text for the windowpane, and link this text to another dashboard. This provides a simple mechanism for creating a hierarchy of dashboards, where the user drills down from one dashboard to a lower level dashboard.

Dashboard User Preferences. Several user preferences are provided to specifically support dashboards: the user can select the dashboard screen to be the default screen on login, and can specify a default dashboard to be displayed when the dashboard screens are viewed. Additionally, each user can control whether dashboards are opened in new windows, or in the current window. User preferences are accessed by clicking the "System" tab (and are also accessible from other locations, such as the "More" menu at the upper right of the screen.)

Referencing Gadgets From External Screens. The user can display any CorreLog gadget on an external web page, allowing top-level system status to be depicted on third-party pages and portals. A website developer can simply view the source for a particular layout, and then cut and paste the IFRAME reference into another web page on the network. (These references are clearly commented and visible in the default layout files.) HTTP authentication is preserved, but can be disabled by the CorreLog administrator for gadgets via edits of the HTTP configuration file.

Dashboard User Preferences

The system supports various user preferences associated only with dashboards. (More information on user preferences is available in Section 8 of this document.) These user preferences are located in the "System > Prefs" tab of CorreLog, and are listed here.

Initial Dashboard Screen. This user preference identifies the name of the dashboard that is displayed when the user first clicks the "Dashboard" tab at the top of the screen. The user can select any initial dashboard for display. This setting is only the initial dashboard, and does not restrict the user from accessing other dashboards via the "Dashboard Name" drop-down menu at the bottom of the "Dashboard" display.

Open Dashboard Links In New Window. This user preference controls whether new dashboards (accessed by clicking on the hyperlinked title of a dashboard gadget pane) are opened in a new browser window, or whether the new dashboard is displayed in the main browser. This is a minor change to dashboard navigation behavior, and is provided to accommodate the particular preference of the operator.

Use Java Applets in Dashboard. This user preference controls whether Java Applets are used to display pie charts, graphs, and other items. Each gadget has at least one "display mode" that does not require Java, and which is similar to the Java applet depiction. If the user selects "False", the non-Java mode of the gadget is automatically selected for the user. In general, this will speed up the rendering of the dashboard with minor or insignificant loss of functionality.


Adding A New Dashboard

The CorreLog dashboard facility permits easy creation and modification of dashboard depictions. Multiple dashboards can exist on the system. The default dashboard for a user is set in the CorreLog "System > Prefs" screen.

1. Click the "AddNew" button to start the dashboard wizard. (This button is found at the bottom of the dashboard screen.) The wizard queries for a dashboard name, queries whether to make the dashboard the default for the user, and queries for the layout file. (All of these items can be modified later.)

2. When the "Add New Dashboard" wizard finishes, the "Edit Dashboard" screen is displayed. The user can edit any of the parameters for the dashboard, or can save the dashboard with no changes. (The easiest way to get started is to save the dashboard file with no changes.)

3. When the dashboard file is saved, it appears as the current dashboard. If the user has not assigned any gadgets, all the windowpanes will be blank. Click on the "Edit Gadget" icon in the upper right of a windowpane. (The "Edit Gadget" icon is a "Note" icon.) This will bring up the gadget editor for the particular windowpane.

4. On the "Gadget Editor" screen, select a gadget for the windowpane via the drop-down list. Brief help on gadgets is available via the "Gadget Help" hyperlink. The user can select any gadget from the drop-down list.

5. When the gadget is selected, the screen will refresh showing the various specific parameters associated with the gadget. Provide any parameters for the gadget. This includes an optional title for the windowpane, and hyperlink for that title. (Usually, the default values will be suitable to get started with.)

6. Click "Save" to save the gadget information. This returns to the "Edit Dashboard" screen (displayed in step 2 above.) Click "Save" on this screen to return to the top-level dashboard screen. The gadget will be displayed in the windowpane, and will reflect the current system data. The user can edit any windowpane using the "Edit Gadget" icon in the upper right of the dashboard. The user can rearrange gadget positions by clicking the "Move Gadget" icon, to the immediate left of the "Edit Gadget" icon, and dragging the gadget to another windowpane. To change the layout file or rename the gadget, the user can click the "Edit Layout" button at the bottom of the screen, which permits the user to access all the gadgets and global parameters of the dashboard.

Add New Dashboard Wizard

The "Add New Dashboard" wizard screen is accessed by clicking on the "AddNew" button at the top of the display. This wizard guides the user through the process of adding a new Dashboard on the system. The wizard queries for the name of the dashboard and the layout file for the dashboard. The wizard then creates the dashboard and launches the dashboard editor screen (discussed in the next section.) The screen is depicted below.

The "Add New Dashboard" wizard is a standard CorreLog dialog, containing "Next", "Previous", "Reset", and "Cancel" buttons. The user fills out the data on each screen as prompted, and clicks "Next" to continue the wizard. To return to the previous screen, the operator clicks the "Previous" button. To reset the screen to entry values, the user clicks "Reset". To cancel the operation with no action, the user clicks "Cancel". Note that the user can change values supplied by the wizard, including the layout file specified on the second page, using the "Edit Dashboard" screen discussed in the next section.

Edit Dashboard Screen

The "Edit Dashboard Screen" allows the user to edit or delete an existing dashboard. This screen is accessed from the top level "Dashboard" screen by clicking the "Edit" button at the bottom of the dashboard display. This screen is also automatically launched by the "Add New Dashboard" screen when a new dashboard is created. A depiction of this screen is provided below.

The "Edit Dashboard" screen allows the user to rename a dashboard, select a different layout file, and specify the gadgets for each dashboard pane.

Additionally, the editor allows the user to specify optional panel titles for each dashboard pane, and allows the user to link a pane to another dashboard. Note that this screen provides one of two ways to change dashboard gadgets. The user can change a gadget either by clicking on the "Edit" button to display this panel, or by clicking on the "Note" icon in the upper right of each gadget depicted on the top-level dashboard screen.

Dashboard Name. This value, at the top of the display, is the name of the dashboard originally specified in the "Add New Dashboard" wizard. The name can be changed here, and the new name will appear in the drop-down list of dashboards selectable at the bottom of the main dashboard display.

Dashboard Layout. This selection shows the current layout for the dashboard, and permits the user to select a different layout file. If the user selects a layout with fewer panels than the current layout, the list of dashboard gadgets is truncated. If the user selects a layout with more panels than the current layout, blank panels are added to the list.

Panel #N Name. Each dashboard panel can be given an optional name, which annotates the main display in the title bar of the gadget. This is an arbitrary title that clarifies the purpose and intent of the dashboard. (Note that dashboard gadgets have their own "subtitles" that can be filled in by the user, so this particular name is the main title for the gadget.)

Panel #N Link To Dashboard. If a dashboard panel is given a "Name" (above), the user can link this title to another dashboard. This selection allows the user to select the dashboard that will be linked to the title, permitting the user to "drill down" into other dashboards from the main dashboard.

Panel #N Gadget. This selection allows the user to select the dashboard gadget that will be displayed. The selection provides a complete list of all gadgets on the system. A description of these gadgets is available via the "Gadget Help" hyperlink.

Panel #N Edit Gadget Settings Button. This button allows the user to edit the particular settings of the dashboard, and displays the "Gadget Editor" screen appropriate for the selected gadget. This button saves the current settings before displaying the "Gadget Editor" screen. This is one way of editing a gadget's configuration (the other way being to click on the "Note" icon in the upper right of each gadget, on the top-level

Edit Dashboard Gadget Screen

The "Edit Gadget Screen" is displayed when the user clicks the "Note" icon in the upper right corner of each dashboard gadget on the top-level screen, and is also displayed when the user clicks the "Edit Gadget Settings" button on the "Dashboard Editor" screen. The exact screen depends upon the type of gadget being edited. A typical "Edit Gadget" screen is shown below.

CorreLog provides a rich assortment of different dashboard gadgets, each with its own particular capabilities and functions. Additionally, each gadget provides a number of different display modes, options, and filters that can be used to adapt the range of data and appearance of the gadget. This provides a large amount of configuration and flexibility to the end-user.

The particular values available for any gadget depend upon the gadget type. Typically, a default set of parameters (appropriate for many generic situations) is provided for each gadget, permitting a gadget to be selected without any special configuration by the operator. A few gadgets (notably the "Gauge-Alert" gadget) require the user to edit the gadget configuration, and select some parameter before the gadget can be used on the dashboard.

A partial list of configuration values is provided below.

Panel Name. This field exists for all gadgets, and is an optional title that appears in the title bar of the gadget. If a Panel Name is provided, the value can be linked to another existing dashboard using the setting below.

Panel Link to Dashboard. This selection exists for all gadgets, and allows the user to link the "Panel Name" value above to an existing dashboard. When the user clicks on the Panel name, the specified dashboard is selected. This allows users to drill down into new and specialized dashboards.

Panel Gadget. This selection is a list of all gadgets on the system. When the user selects the gadget, the particular parameters associated with the gadget are displayed.

Gadget Description. This value exists for all gadgets, and is a textual description of the gadget. Each gadget incorporates brief help. When a gadget is selected, this value changes, providing assistance to the operator.

View External URL. This value exists for all gadgets, and is the URL for the gadget, which permits the gadget to be referenced by some other web page (such as a business information portal or third-party web application.) Click on the "+" character to view the external URL.

Refresh Rate. This value exists for all gadgets, and indicates the refresh rate of the gadget. When the gadget automatically refreshes, the latest values for the gadget are displayed.

Main Gadget Title. This value, if it exists, is a title that is displayed as part of the gadget. This title is configurable by the user, and is usually more specific than the "Panel Name" (described earlier.) The gadget automatically selects an appropriate value, which the user can change.

X-Axis Title. This value, if it exists, is the title for the X-axis of a graph or bar chart. The gadget automatically selects an appropriate value, which the user can change.

Data Source. This value, if it exists, describes the source of data. Many (but not all) gadgets allow the user to specify a particular data source, such as the name of a thread, alert, or other parameter. The gadget defaults to an appropriate value, which the user can change.

Match IP Address / Value. This value, if it exists, qualifies the data displayed by the gadget. For example, a gadget may permit a match pattern (such as a keyword found in all thread or alert titles.) This value typically lists the range of data displayed by the gadget.

Display Mode. This value, if it exists, permits the user to change the display mode of the gadget, i.e. the appearance of the gadget. Each gadget can display data in different modes, such as "Pie Chart", "Stack Chart", "Bar Chart", etc. Some of the display modes may require Java, but each gadget has at least one display mode that does not (permitting dashboards to work without Java.)

Highlight Color. This value, if it exists, allows the user to change the primary color or highlight color of the gadget. Colors include "Red", "Blue", "Orange", and "Green". The gadget defaults to an appropriate value, which the user can change.

Enable Links & Drill Down. This value, if it exists, permits the user to disable links on the gadget that access additional information. This setting is useful for restricting data that might otherwise be available to non-privileged users.

Note that not all gadgets support all the above fields (unless otherwise noted.) Additionally, some gadgets (such as the Text-HTML gadget) have special fields not listed above. The operator should consult the "Gadget Help" hyperlink for specific notes about a particular gadget.

Gadget Support For Java and Non-Java Browsers

Some dashboard gadgets have specific "Display Modes" that require Java to display appropriately. However, each dashboard gadget has at least one display mode that does not require Java. This allows dashboards to work perfectly with client browsers that do not support Java or where Java is not enabled.

Users can disable Java dashboard displays in their personal User Preferences via the "System > Prefs" screen. The user can set the value of "Use Java Applets in Dashboards" to be "False", which causes CorreLog to automatically substitute an appropriate non-Java display mode for any Java based gadget. Generally, this has only minor consequences to the display, and will speed up the loading of the dashboard substantially.

Section 3: Message Screens

The CorreLog "Messages" application aggregates, processes and displays Syslog message data from network devices. This gives visibility into all received messages. The user can search raw message data, view data catalogs, and configure filters and overrides. The user can also create new Syslog facilities, which can be used in the correlation process.

The "Search" screen employs a high-speed indexed search engine supporting advanced searches, and a keyword index that lists all keywords (and their counts) for all messages received. Additional screens in this group allow the user to view messages by basic type, such as by device IP address, username, facility, and severity. The Message facility also includes an "Auxiliary Message" function, which allows the user to view messages that have been filtered from the main message stream, documented here.

This section provides a description of primary Message screens on the system, including a discussion of purpose, general usage, and basic application.

Note that the "Message" facility includes a comprehensive "Configuration" capability (available via the "Messages > Config" tab). Because of the number of configuration screens, these particular screens are included within a separate section of this manual; message configuration screens are not discussed here, and are documented in the section following this one.

Search Messages Screen

The “Search Message” screen is the first screen displayed when the user selects the “Messages” tab at the top of the display. From that location, the operator can view the list of all received messages, displayed in reverse chronological order. The user can search for data, inspect keywords, or manually add messages to the system log. A depiction of this screen is shown below:

The above screen is the first screen that is accessed when the user clicks the “Messages” tab, and provides access to all the messages contained in the entire system. The list of messages contains the following fields:

Message Time. The first column shows the message time including both the date and time (with respect to the CorreLog platform server time), and including the elapsed time since the event occurred.

Message Address. The next column shows the name of the device that generated the message. The name is hyperlinked to the “Device Information” screen (discussed further below.)

Message Facility. The next column shows the Syslog facility for the message. These facilities are also viewable via the “Facilities” screen.

Message Content. The last column shows the message contents, including the severity. The color used to display the event message can be configured via the “Configure Color Editor” screen (discussed further below.) The user can click on the "Details" link to view detailed information about the message.

Search Screen Controls

At the top of the display are controls that allow the user to filter the list (thereby searching for specific keywords.) The user can also set the maximum page size, as well as access pages via hyperlinks. The “Start Date” defaults to the latest date when messages were last received (normally the current date if the system is actively receiving messages.) This “Start Date” item can delimit the search range, and items displayed.

To modify the “Start Date”, “Span Days", "Max List”, or “Filter” setting, the operator makes adjustments and clicks the “Apply” button. This refreshes the screen with the latest settings. Clicking on the tab button also refreshes the screen, but sets the “Start Date”, "Span Days", “Max List”, and “Filter” settings back to their entry defaults.

Search Function And Search Terms

On the “Search” screen, messages are displayed in reverse order from when they were received, with most recent events first. Specifically, this screen is the entry point for the “GenDex” search engine, which permits fast searching of large amounts of data using an indexed search.

By default, the screen displays all events. (The match pattern is the wildcard “*”.) The operator can modify the search pattern to be one or more keywords, or a keyword followed by a wildcard, or an IP address. This will display all the matching messages on the system.

If the keyword is a number or an IP address, the screen displays the messages associated with the first IP address matching the search term. If the user selects a partial keyword, the screen finds the first matching full keyword, and performs the search using that keyword.

Search Screen Clear Button

At the far right of the screen controls, as a special facility, is a “Clear” button. This button, when clicked, causes the screen to be temporarily cleared so that any new incoming events can be seen the next time the “Apply” button is clicked. To restore the list of all events, click a page number hyperlink, click the navigation tab, or click the “Unclear” button.

This button is mainly useful for seeing how many messages are coming into the system, or when awaiting a particular event. The button does not delete or clear any data on the screen, but only clears the display temporarily, to mark the time. Whenever the screen is cleared, the elapsed time since the “Clear” button was clicked is shown at the bottom of the list of messages.

Search Screen, Special Notes

The keyword item, used to filter the display, defaults to “*”, which matches all events. The user can specify a keyword, or an IP address. The keyword must begin with two non-numeric characters, or an IP address, and can contain the “*” wildcard. The IP address can be specified as a partial match, but if the user specifies a non-numeric keyword, only full matches are displayed.

To view new messages, as they come into the system, the operator clicks the screen tab, or clicks the “Apply” button. This will refresh the display showing the latest message information. When the user pages through the display (via the hyperlinked page buttons) new events are not shown. This assists in reviewing historical information without having the display constantly scrolling, which is particularly important if CorreLog is logging many messages. Clicking on the “Clear” button temporarily clears the display until clicking a hyperlink page number refreshes the screen.

The “Apply” button and the “Search” screen tab both perform similar functions of refreshing the screen. The “Apply” button is also used to modify the screen controls, such as modifying the filter or max list size. When any screen control is modified, the screen page number is set back to the first page.

Finally, note that this screen uses an indexed search engine, which permits rapid searches of large amounts of data. The searches always start at the specified “Start Date”, and that particular pull down menu can be used to confine the search to a particular time range and before. This allows an operator to limit search results to data collected from an earlier date.

Advanced Search Screen

The “Advanced Search” screen is displayed when the user clicks on the "Advanced Search" hyperlink on the main search screen, and is also accessed by clicking the "Search" hyperlink at the upper right of the display. This screen allows searches that include match patterns, exclude patterns, and matches of addresses, facilities, and time ranges. This screen is depicted below.

The advanced search screen requires at least one "Primary Match" keyword, which serves as the index to the search. This primary match keyword must be a full keyword, without any wildcards. The user can then specify partial matches and exclude matches (using optional wildcards), as well as other parameters for the search. When the user clicks the "Search" button, the operator is returned to the top-level screen and the matched messages are displayed.

Keyword Index Screen

The “Keyword Index” screen is displayed when the user clicks on the "Keyword Index" hyperlink on the main search screen. (This screen is also available via the "More" pull down menu at the upper right of the display.) This screen is updated every few minutes, and shows a full list of all the keywords for all messages collected on the system. The screen is depicted below:

The user can click on the keyword hyperlink to initiate a search for the keyword, displaying all messages on the system that contain the keyword. The approximate number of messages containing the keyword (accurate as of the last hour) is shown in the "Count" column of the screen, useful for viewing how many messages are related to the keyword. By default, keywords are listed in alphabetical order.

Other Search Parameter Screens

On the "Keyword Index" screen, the operator can access other parameters and settings that affect the search engine. The "Keyword Index" screen provides links across the top, which permit access to the following special screens:

Site Dictionary. This link permits the user to access the "Site Dictionary", which can contain special keywords that are incorporated into the search. This screen is mainly provided for completeness. (The search engine indexes all the words in the "CO-dict.dat" file, as well as all device names, user names, and special terms that appear on the "Correlation > Threads" screen.) The operator can enter any keywords into the list, and these keywords will be indexed when they are found in incoming messages.

Parameters Screen. This link permits the user to access special parameters related to the search engine as follows: The "Keyword Span Days" indicates the number of days that the "Keyword Index" traverses, by default one day; the "Max Keyword Count" value is the maximum number of keywords that will be indexed each day, by default one hundred thousand individual keywords; the "Write Interval" value indicates how often the keyword list is written to the disk, by default once each minute; the "Max Keyword Length" value is the maximum number of characters for any keyword, by default twenty characters; the "Max Keyword References" value indicates the number of times a word can occur before it is handled as a "common keyword", where a common keyword contains only indices to the most recent occurrences; the "Require Dictionary Match" value indicates that a match to a dictionary word is required. These settings will generally not be modified without the guidance of vendor support and professional services.

Statistics Screen. This link permits the user to access statistics on the indexing process. The statistics may be useful to diagnose performance problems and anomalous behavior that may accompany the input message stream. The administrator can consult with vendor support for more information on these parameters, as needed.
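The indexing limits described above (keyword length, per-day keyword count, the "common keyword" reference limit and the dictionary match) modelled in an added Python example. This is not CorreLog's GenDex code: the tokenizer rule, the way common keywords are trimmed, and the sample messages are assumptions and constructed data.

```python
"""Model of the keyword-index limits listed on the GenDex "Parameters" screen.
Added example, not CorreLog's indexing code: the tokenizer, the per-day keyword
cap and the "common keyword" trimming are assumptions about the real engine."""
import re
from typing import Dict, List, Optional, Set


class KeywordIndex:
    """Inverted index from keyword to the ids of the messages that contain it."""

    # Assumption: a keyword is a run of word characters that starts with two
    # non-numeric characters, as the manual's search notes describe.
    _TOKEN = re.compile(r"[A-Za-z_]{2}\w*")

    def __init__(self, max_keyword_count: int = 100_000,
                 max_keyword_length: int = 20,
                 max_keyword_references: int = 1000,
                 dictionary: Optional[Set[str]] = None) -> None:
        self.max_keyword_count = max_keyword_count            # "Max Keyword Count"
        self.max_keyword_length = max_keyword_length          # "Max Keyword Length"
        self.max_keyword_references = max_keyword_references  # "Max Keyword References"
        self.dictionary = dictionary      # "Require Dictionary Match" when not None
        self.postings: Dict[str, List[int]] = {}
        self.common: Set[str] = set()     # keywords that reached the reference limit
        self.skipped_new_keywords = 0     # new words refused by the per-day count cap

    def add_message(self, msg_id: int, text: str) -> None:
        for word in sorted(set(self._tokens(text))):
            if len(word) > self.max_keyword_length:
                continue                  # too long to be a keyword
            if self.dictionary is not None and word not in self.dictionary:
                continue                  # dictionary match required but absent
            if word not in self.postings:
                if len(self.postings) >= self.max_keyword_count:
                    self.skipped_new_keywords += 1
                    continue              # keyword table for the day is full
                self.postings[word] = []
            refs = self.postings[word]
            refs.append(msg_id)
            # A "common keyword" keeps only indices to its most recent occurrences.
            if len(refs) > self.max_keyword_references:
                del refs[:-self.max_keyword_references]
                self.common.add(word)

    def search(self, keyword: str) -> List[int]:
        """Full-keyword lookup; returns message ids, most recent first."""
        return list(reversed(self.postings.get(keyword.lower(), [])))

    def count(self, keyword: str) -> int:
        """Value shown in the "Count" column (approximate for common keywords)."""
        return len(self.postings.get(keyword.lower(), []))

    def _tokens(self, text: str) -> List[str]:
        return [w.lower() for w in self._TOKEN.findall(text)]


# Constructed sample messages (not real log data).
SAMPLE_MESSAGES = [
    (1, "sshd[2201]: Failed password for invalid user admin from 10.1.2.3 port 5522"),
    (2, "sshd[2201]: Failed password for root from 10.1.2.3 port 5530"),
    (3, "sshd[2202]: Accepted publickey for deploy from 10.1.9.7 port 4401"),
    (4, "sshd[2203]: Failed password for root from 10.1.2.4 port 5601"),
    (5, "sudo: deploy : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart nginx"),
]


def build_sample_index(max_refs: int = 2) -> KeywordIndex:
    """Index the samples with a tiny reference limit so the trimming is visible."""
    idx = KeywordIndex(max_keyword_references=max_refs)
    for msg_id, text in SAMPLE_MESSAGES:
        idx.add_message(msg_id, text)
    return idx


if __name__ == "__main__":
    index = build_sample_index()
    for kw in ("failed", "root", "deploy"):
        flag = " (common)" if kw in index.common else ""
        print(f"{kw:8s} count={index.count(kw)} messages={index.search(kw)}{flag}")
```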

Devices Catalog Viewer Screen

The “Devices Catalog Viewer” screen is accessed by clicking on the “Messages > Catalogs” tab, and then selecting “Devices”. From that location, the operator can view a list of all devices that have sent messages, and can drill down on the device hyperlink to view a description of the device, including the device messages. A depiction of this screen is shown below.

The above screen shows all the devices that have sent Syslog messages, in table format. By default, the list of devices is sorted in reverse chronological order. Each device entry contains the following items:

Device Address. This field indicates the IP address of the device. Clicking on this link brings up the device viewer screen, which shows the DNS name (if any) and other notes about the device. This field also contains a status light (either green or red) indicating whether any messages have recently been received within the "Message Idle Time Threshold" value, configured on the "Network Monitor" screen. (See additional notes below.)

Last Message Time. This field indicates the date and time at which the last message was received for that device. This is the field that, by default, the screen uses to sort data. Therefore, the device that most recently generated a message is shown as the first item in the upper left of the screen.

Elapsed Time. This field is related to the “Last Event Time”, and indicates the elapsed time (since the screen was refreshed) of the last message that was received from that device.

Message Count Today. This field indicates the number of messages that have been received from that device since midnight, or since CorreLog startup. The field is set back to zero at midnight, and each time that the CorreLog Server is restarted.

History. This field is an approximate count of the number of messages that have been received from that device since the device first issued a message. It represents the total number of messages received from the device since the CorreLog Server was originally installed and the device was discovered.

Device Catalog Viewer Screen Controls

At the top of the display are controls that allow the user to order the list by “Time”, “Count”, “History”, or "Address", and other flags. By default, the screen is sorted by the time of the last event. Also, controls are provided to limit the listing to the Max-N devices, and filter the list (thereby searching for specific keywords.) The specific initial sort mode for this screen is configurable in the user's personal preferences. (See "User Preferences" screen, later in this section.)

The Device Catalog Viewer contains a filtering function that permits the user to view only those devices that match a particular device group, and optional filter. Device groups are specified within the "Correlation > Config" tab of the program, also accessible via the "Device Group" hyperlink on this screen. This allows the user to view only those devices of interest, and to search for devices on the system. Additionally, the user can search for devices based upon their message content using the "Match Device By Message" hyperlink.

To modify the sort order, number of items displayed, or filter setting, the operator makes adjustments and clicks the “Apply” button. This refreshes the screen with the latest settings. Clicking on the tab button also refreshes the screen, but sets the control items back to their entry defaults.

The "Config" button, at the upper right of the display, permits the user to configure the "Network Monitor" controls, which govern the status lights and internal messages generated whenever a new device is found, or a device stops sending messages for a long period of time. (See "Status Lights" section, below.)

Device Catalog Counters

The “History” count is useful for determining historically how many messages have been logged by the system since it was first installed. The other “Today” field is useful for determining how many messages have been logged since midnight. These counters can be continuously monitored by the "Correlation Alerts" subsystem, discussed in later chapters.

The “History” count represents the approximate number of events that exist on the system for that catalog, viewable when the user clicks on the IP address hyperlink. The value is approximate because it is possible that some of the earliest events have been tossed out due to the setting of the “Keep Data” parameter, discussed in the “Configuration Parameter Editor” screen. The “CO-Devlog.exe” program, running in background, refreshes this list approximately every 10 seconds. The data items shown are valid only within the last 10 seconds of system operation.

Network Monitor Status Lights And Configuration

A "status light" indicator is provided as part of the "Address" field of each device. This status indicator is either red or green, showing whether any messages have been received from the device within the "Message Idle Time Threshold" value configured in the "Config" screen. This provides a quick indication of whether the device is active or inactive, especially useful when searching for devices or sorting by some value other than "Time".

Devices that have "red" indicators may no longer be active, or may be persistently offline. The default "Message Idle Time Threshold" is 24 hours (that is, the indicator turns from green to red if a device has not sent a message within one full day.)

Approximately once each hour, CorreLog scans the list of devices and determines which devices (if any) have not sent a message within the configured "Message Idle Time Interval". If any device has not sent a message for that interval, or longer, CorreLog sends a message to itself indicating that the device is idle, and subsequently displays the "status light" as "red". The severity of the message is given by the "Address Idle Severity" setting of the "Advanced Device Configuration Screen", described in a later section.

Sorting and Pinning Devices

By default, the list of devices is displayed so that the most recently updated devices are shown at the top of the list. The user can change the sort mode to order the list by "Count", "History", "Address", or "Name" via the select menu at the top of the screen. The initial sort mode is configurable on the "User Preferences" screen.

Additionally, the user can "pin" devices to the top of the screen. To accomplish this, the operator clicks the IP address hyperlink for the device, and then selects the "Pin Device To Top Of List" value to be "Yes". The device is then moved to the top of the display irrespective of the current sort mode, making it easy to find and watch the device. Similarly, the user can "unpin" a device by setting the "Pin Device" selection to "No", which will then cause the device to appear in the sorted list with no special ordering.

When a device has been pinned, it is identified as such via a small pin icon next to the device IP address. If multiple devices are pinned, the pinned devices are sorted first, and then the non-pinned devices. This provides a method of organizing the list of managed devices so that the more interesting devices are kept at the top of the list, especially useful if there are many hundreds (or thousands) of devices on the system.

Note that the "Pin Device" setting applies only to the current user. If a user pins one or more devices, they are pinned only for the specified user and not all users of the system. This allows users to pin and unpin devices without affecting any other user on the system.

Device Catalog Viewer Screen, Special Notes

Clicking on the hyperlink for the device name will display the “Device Information Utility” screen, which describes the device. This screen is discussed in a later section. In particular, the user can click on the device IP address, and then click on the "All Messages For Device" hyperlink to view all messages received from the IP address.

The initial sort mode setting (by default "Sort By Time") is a user preference, and can be adjusted so that the initial sort mode is "Sort By Name" or "Sort By Address" or one of the other sort mode options. See the "User Preferences" screen for more information.

Devices, Advanced Configuration Screen

The "Advanced" button on the "Messages > Device" screen provides access to various more advanced settings of the system related to device discovery, the "Message Idle Time" monitor, and the ability to add and delete devices by list. The screen is depicted below:

The above screen contains advanced settings and controls, available only to administrators, which affect the processing and monitoring of the system device list. The various fields and controls are as follows:

Enable Device Auto-Discovery. This select menu controls whether devices are automatically added to the list when a new message source is received. By default, a device is automatically added (discovered) when a new device sends messages to the server.

Message Idle Time Threshold. This time indicates when "Address Idle" messages are sent, and also affects the settings of the status lights (red or green) on the "Messages > Devices" screen. The default setting is one day. The user can adjust the setting between one hour and eight days.

Address Discovered Severity. This is the severity of "New Address Discovered" messages, which are sent whenever a new IP address is added to the system. This provides an indication of whether new addresses are being added to the "Devices" catalog. The default setting is "info". The user can disable these messages by setting the value to "disabled".

Address Idle Severity. This is the severity of the "Address Idle" message sent for any device if it does not receive any messages for "Message Idle Time Threshold" duration, i.e. when the icon on the "Devices" screen transitions from green to red. The default setting is "notice". The user can disable these messages by setting the value to "disabled".

Address Reactivated Severity. This is the severity of "Address Reactivated" messages sent for any device if it receives a message after "Message Idle Time Threshold" duration of inactivity, i.e. when the icon on the "Devices" screen transitions from red to green. The default setting is "disabled", indicating that no "Address Reactivated" messages are sent.

Network Failure Threshold. This is the maximum number of "Address Idle" messages sent during any one-hour test. This limits the number of messages that may occur if there is a network failure. (Specifically, this prevents potentially thousands of messages from being sent if CorreLog loses its network connection.) The default value is 10 messages per cycle.

Network Failure Severity. This is the severity of the message sent when the "Network Failure Threshold" is reached, and is useful for indicating a possible network failure, router failure, or loss of network connectivity with CorreLog or some main router. The default value is "critical". The user can disable these messages by setting the value to "disabled".

Drop Inactive Devices. This setting indicates when a device (after it has stopped sending messages for this period of time) is automatically dropped from the list of devices. This setting is useful for keeping the list of devices current. (The user may also delete devices manually, or via the "Delete Devices By List" button, described below.)

Import New Devices By List. This button accesses a special screen that allows the user to add devices via a list. The "Import New Devices" screen allows the operator to cut and paste a list of devices into the system, where the list of devices is automatically added to the system. This usually is not necessary, since devices are automatically added to the system (if the "Enable Auto-Discovery" setting on this screen is set to the default "True" value.)

Delete Devices By List. This button accesses a special screen that allows the user to delete devices via a list. The "Delete Devices" screen allows the operator to cut and paste a list of devices into the system that will subsequently be deleted. This is one of several ways to delete devices (another being to delete the device manually from the catalog of devices.) Once a device is deleted, it may be automatically added back to the system if it begins sending messages again and the device is not filtered.

Edit Device Types. This button accesses a special screen that permits the user to classify devices into various types. The values on the "Device Types" screen can be assigned to devices via the "Device Information" screen (accessed by clicking a device name hyperlink anywhere within the system). The device types are used in Audit reports and other locations, and are useful in identifying and organizing devices by type. The system comes with a limited number of generic device types, which can be further refined via this screen.

Note that many of the parameters above are associated with detecting idle devices on the system, which allows an operator to determine whether a machine is still actively managed, or whether a problem or misconfiguration exists. The system periodically checks the device list, and issues notifications and advisories when one or more devices are not active.

If during this periodic check, the number of idle addresses meets or exceeds the "Network Failure Threshold" limit, then a second message is sent indicating a possible network or router failure. The severity of this message is given by the "Network Failure Severity" setting. These two settings permit the user to perform an elemental (but highly useful) check of the network based solely on the


Device Group Viewer Screen

The "Device Group Viewer" screen is accessed by clicking the "View Groups" link towards the top and upper-right of the "Device Catalog Viewer" screen. This link displays the various device groups (defined by the "Edit Correlation Address Groups" link) along with the rolled-up status and counts for each group. This screen is depicted below:

As depicted above, the screen lists each device group defined within the "Correlation Address Groups" screen, shows the rolled-up status of each group including the number of devices in the group, and shows the total message counts for the group for today and historically. The user can click on the hyperlinked device group name to return to the "Devices" screen with the specified group selected. This provides a convenient method of assessing the overall status of all devices within the various defined groups.
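The idle-device check described under the Devices screen settings above, together with the per-group roll-up shown on this screen, as an added example in Python. This is not CorreLog's own code; the manual does not show the implementation. The class and field names, the use of seconds for the time settings, the rule that only devices that went idle during the current cycle count toward the "Network Failure Threshold", and the red/green roll-up rule (red if any member is idle) are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class IdleCheckConfig:
    """Devices-screen settings. Times are seconds (assumed; the manual gives no unit)."""
    message_idle_time_threshold: int = 3600                # assumed value
    address_idle_severity: Optional[str] = "notice"        # manual default
    address_reactivated_severity: Optional[str] = None     # manual default "disabled"
    network_failure_threshold: int = 10                    # manual default
    network_failure_severity: Optional[str] = "critical"   # manual default
    drop_inactive_devices: int = 30 * 86400                # assumed value


@dataclass
class Device:
    address: str
    group: str
    last_seen: float
    messages: int = 1
    idle: bool = False   # True = red icon on the Devices screen


@dataclass
class Alert:
    severity: str
    text: str


class DeviceCatalog:
    """Devices keyed by address, plus the periodic idle check (assumed model)."""

    def __init__(self, cfg: IdleCheckConfig):
        self.cfg = cfg
        self.devices: Dict[str, Device] = {}

    def receive(self, address: str, group: str, now: float) -> List[Alert]:
        """Record one message. Unknown addresses are auto-discovered; a red
        device that speaks again turns green and raises "Address Reactivated"
        unless that severity is disabled (None)."""
        alerts: List[Alert] = []
        dev = self.devices.get(address)
        if dev is None:
            self.devices[address] = Device(address, group, now)
            return alerts
        if dev.idle and self.cfg.address_reactivated_severity:
            alerts.append(Alert(self.cfg.address_reactivated_severity,
                                f"Address Reactivated: {address}"))
        dev.idle = False
        dev.last_seen = now
        dev.messages += 1
        return alerts

    def periodic_check(self, now: float) -> List[Alert]:
        """One test cycle. Devices silent for Drop Inactive Devices are removed;
        devices newly silent for Message Idle Time Threshold turn red. At most
        Network Failure Threshold "Address Idle" messages go out per cycle, and
        reaching that count also raises the network failure message. Counting
        only devices that went idle this cycle is an assumption."""
        alerts: List[Alert] = []
        newly_idle = 0
        for dev in list(self.devices.values()):
            age = now - dev.last_seen
            if age >= self.cfg.drop_inactive_devices:
                del self.devices[dev.address]
                continue
            if age >= self.cfg.message_idle_time_threshold and not dev.idle:
                dev.idle = True
                newly_idle += 1
                if (self.cfg.address_idle_severity
                        and newly_idle <= self.cfg.network_failure_threshold):
                    alerts.append(Alert(self.cfg.address_idle_severity,
                                        f"Address Idle: {dev.address}"))
        if (self.cfg.network_failure_severity and newly_idle > 0
                and newly_idle >= self.cfg.network_failure_threshold):
            alerts.append(Alert(self.cfg.network_failure_severity,
                                f"Network Failure: {newly_idle} addresses went idle"))
        return alerts

    def group_rollup(self) -> Dict[str, dict]:
        """Per-group summary as on the Device Group Viewer: device count, idle
        count, message total, and a colour (red if any member is idle; assumed rule)."""
        rollup: Dict[str, dict] = {}
        for dev in self.devices.values():
            g = rollup.setdefault(dev.group, {"devices": 0, "idle": 0, "messages": 0})
            g["devices"] += 1
            g["idle"] += int(dev.idle)
            g["messages"] += dev.messages
        for g in rollup.values():
            g["status"] = "red" if g["idle"] else "green"
        return rollup
```

Feed `receive()` one call per syslog message (address, group, receipt time) and call `periodic_check()` once per test cycle; the returned alerts are what the real product would log as "Address Idle", "Address Reactivated" and network failure messages. Note that the per-cycle cap is what keeps a loss of the collector's own uplink from turning into one message per monitored device, which is exactly the flood the "Network Failure Threshold" setting exists to prevent.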


Users Catalog Viewer Screen

The "Users Catalog Viewer" screen is accessed by clicking on the "Messages > Catalogs" tab, and then selecting "Users". From that location, the operator can view a list of all user names under which Syslog messages have been cataloged across the enterprise. A depiction of this screen is shown below.

The above screen provides a list of all the various users for messages that have been received by the system. By default, the list of users is sorted in reverse chronological order, and shows the most recently received message at the top of the list. Each row entry contains the following items:

User Name. This field indicates the name of the user that the rest of the row data items apply to. It is hyperlinked to the “Catalog Viewer” screen discussed further below.
