LogSentinel SIEM Dashboard

The home dashboard is the main place for day-to-day usage of the product. It has several components:

  • Statistics - General statistics about your organization as well as charts of certain attributes
  • Main timeline chart - The main timeline of log entries
  • Reports - Reporting functionality in various formats
  • Custom charts - Additional custom, user-defined charts
  • Exports - Exporting functionality in various formats
  • Search query bar - A way to query the logs with detailed search queries
  • Log entries list - A list of all entries that satisfy the current search criteria and period; by default it shows all the latest entries
  • Time aggregations - Aggregated statistics over smaller time periods
  • Numeric aggregations - Perform aggregation functions on numeric parameters

Statistics

The top row shows the current number of log entries per minute, the total number of log entries, the number of distinct actors, actions and entities, as well as the alerts recently triggered. Note that these statistics are cached, so they are not real-time.

A little further down are the statistics charts which display the top actors, actions, entities and data sources by number of log entries. The charts can be expanded to show the actual values. There's also a link to the rankings pages to display the top actors/actions/entries for a selected period.

Both the statistics row and the charts are updated when the period of the main timeline is changed from the timepicker on the right.

The statistics row also contains information about the status of background log integrity verification. The green icon indicates that the log is intact. In exceptional cases of someone trying to manipulate the logs, the icon turns red.

Main timeline chart

The main timeline chart shows the log activity over a selected period of time. The default period is three days.

The period can be changed in two ways: via the timepicker on the right or by slicing the chart with the mouse. Changing the period not only changes the visualized timeline but also the search period in the entries list below. That way you can visually inspect a certain period of time for the current search query. The currently sliced period can be reset via a button that appears on top of the chart.

Additionally, you can click on each point on the chart (points are placed at hourly intervals), which selects a 1-hour period starting from that point and applies it to the current search.

Custom charts

Custom charts that are defined in the "Charts" menu appear below the default statistics charts. Charts can be defined as aggregations on a specific field, with or without an additional query. For example, a chart can display the top actors that have performed one of a particular set of actions.

Custom charts can be bar, pie, line or doughnut charts and can have custom or random colors defined. Charts can be created on top of event data as well as alert data.

Custom dashboards

Custom dashboards can be defined by users for easier analysis and day-to-day activities. A dashboard is a combination of saved searches and charts.

Reports

Above the main timeline chart are reporting buttons. A high-level report for the currently selected period can be exported in PDF, XLSX or HTML format. Reports contain an overview of the log activity over the selected period of time.

Additionally, reports are generated periodically and sent via email. The reporting periods are defined from the "Charts" page and can be "daily", "weekly", "monthly" and "yearly". Multiple report recipients can also be configured.

For more information about reports, check the Reports section.

Exports

The currently displayed log entries can be exported to various formats: CSV, XLSX, TXT, JSON and protobuf. The export is done from the buttons right above the entries list.

Search (query bar)

The search query bar is the way to define detailed queries to search through the logs.

Query format

The queries are in the format field:value, where field is either one of the predefined fields or a params.XYZ parameter, which is either automatically extracted or explicitly specified in the log requests. The params.XYZ parameters are autocompleted for the currently selected data source(s).

The query language is based on the Elasticsearch query string DSL, as documented here.

The details field allows full-text search using details:*value*, including regular expressions. The details field contains the raw (unstructured) data for each entry.

Multiple query parts can be used with AND or OR or by using parentheses to wrap clauses.

There are buttons to help with query generation - each button appends additional part of the query. The additional params can be found in the "params" dropdown.

The query bar autocompletes all parts of queries: the parameter names as well as the possible values. If you start typing "params." you'll see suggestions for all of the ingested parameters for the selected data sources (or for all sources, if none are selected).

SQL queries are also supported, for example SELECT * FROM logs WHERE action="delete". WHERE clauses combined with AND and OR are also supported.

Nested queries

Sometimes simple queries are not enough to find what you are looking for. That's why LogSentinel supports nested queries with the following syntax:

params.param-one:value AND params.param-two:(${params.param-from-other-query}>${params.param-three:valueThree})

That way the nested query (params.param-three:valueThree) is executed first, and then the values of param-from-other-query from its results are transformed into an IN query. For example, if the nested query returns 3 records with values "one", "two" and "three", the query is transformed to

params.param-one:value AND params.param-two:("one" OR "two" OR "three")

This is useful when querying data from multiple log sources that have incompatible and non-standard parameter names.
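The transformation described above, written out as an added example that is not LogSentinel's own code: the nested placeholder is located, the inner field:value query is evaluated against a set of records, and the distinct values of the referenced parameter are substituted as an ("a" OR "b" ...) clause. The toy evaluator, the record layout and the treatment of an empty nested result are all assumptions.

```python
import re
from typing import Dict, List

# Placeholder of the form (${params.OUTER}>${NESTED QUERY}) from the Nested queries section.
NESTED_RE = re.compile(r"\(\$\{params\.([\w-]+)\}>\$\{([^}]+)\}\)")

def match_simple_query(record: Dict, query: str) -> bool:
    """Minimal field:value evaluator (assumed toy, not the product's query engine).
    Handles params.X:value against record["params"] and top-level fields such as action:value."""
    field, _, value = query.strip().partition(":")
    if field.startswith("params."):
        return record.get("params", {}).get(field[len("params."):]) == value
    return record.get(field) == value

def expand_nested(query: str, records: List[Dict]) -> str:
    """Rewrite every nested placeholder in `query` into an IN-style OR clause."""
    def replace(m: "re.Match[str]") -> str:
        source_param, nested = m.group(1), m.group(2)
        values: List[str] = []
        for rec in records:
            if match_simple_query(rec, nested):
                v = rec.get("params", {}).get(source_param)
                if v is not None and v not in values:  # distinct, first-seen order
                    values.append(str(v))
        if not values:
            # Assumption: an empty nested result is reported rather than silently matching everything.
            raise ValueError(f"nested query {nested!r} returned no values for {source_param}")
        quoted = " OR ".join('"' + v.replace('"', '\\"') + '"' for v in values)
        return f"({quoted})"
    return NESTED_RE.sub(replace, query)

# Constructed sample records (not real log data); the third one must not match the nested query
SAMPLE_RECORDS = [
    {"action": "login", "params": {"param-three": "valueThree", "param-from-other-query": "one"}},
    {"action": "login", "params": {"param-three": "valueThree", "param-from-other-query": "two"}},
    {"action": "logout", "params": {"param-three": "other", "param-from-other-query": "ignored"}},
    {"action": "login", "params": {"param-three": "valueThree", "param-from-other-query": "three"}},
    {"action": "login", "params": {"param-three": "valueThree", "param-from-other-query": "one"}},
]

QUERY = ("params.param-one:value AND params.param-two:"
         "(${params.param-from-other-query}>${params.param-three:valueThree})")

if __name__ == "__main__":
    print(expand_nested(QUERY, SAMPLE_RECORDS))
```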

Period and source selection

Queries are run over a search period. The period is defined from the timepicker on the right. This timepicker is usually in sync with the one for the main timeline chart, but does not have to be, i.e. you can display entries over 3 days and search only within the past 10 hours.

There is a "Live view" option where new logs that match a search query are automatically added to the list. The refresh period is configurable from the live view dropdown.

Queries can be performed over all data sources or over one or more selected ones. You can select them via the data source dropdown. By default the query is performed on all data sources. Queries can also be filtered by data source groups / tenants from the same dropdown.

Other search capabilities

Common queries can be saved from the dropdown next to the search button and then executed without the need to retype them.

Finally, if log details have been encrypted before sending them, you can search the encrypted data by specifying the symmetric (AES, base64-encoded) key in the encryption key field on the right. The key is never transmitted to the server, so decryption is performed entirely client-side on the results that are fetched based on the encrypted keywords.

Log entries list

The entries list contains all entries that satisfy the current search query. If there is no search query, the latest processed entries are displayed for all data sources.

The list has the following columns:

  • Actor - the column contains the actor for the current entry. If an actorDisplayName is specified, it is shown instead of the actorId, which is assumed not to be human-readable. If there is no actorDisplayName, the actorId is displayed. Additionally, if any roles have been specified for the actor, they are displayed in parentheses.
  • Action - the action that has been performed. In case the actor is a non-person (e.g. a system actor), the action is the event that occurred.
  • Entity - the entity that the log entry is about. The semantics depend on the type of logs, but usually an entity has an ID as well. Both are displayed in this column as "<entity>#<id>". In case a database is monitored, for example, this would be "table#primary key".
  • Details - this is the body of the log and can contain anything. The body is displayed after clicking on the "details" link. A formatting function can be defined for standard formats (JSON and XML) that would allow displaying the values as a table rather than as a raw message.
  • Timestamp - when the event occurred. The time is shown in the current user's timezone. The clock icon opens a dialog that displays details about the cryptographic timestamp over a block of events. The base64-encoded token is in the format specified by RFC 3161. The timestamp can be either the received timestamp or the original event timestamp (configurable from the arrow above the column).
  • Params - any params that were specified as part of the requests or extracted dynamically. For each IP and domain/URL parameter, geolocation data is displayed. Additionally, in the same column, the following is displayed:
    • Level - the log level, if one has been specified. Log levels can be: TRACE, DEBUG, INFO, WARN, ERROR, CRITICAL, FATAL.
    • Hash - opens a dialog where a number of details are shown: the individual hash of the entry, the hash as part of the hash chain, the entry id as well as the previous entry id (previous in the hash chain). These values can be used for log verification, e.g. for obtaining Merkle proofs.
    • Tags - any tags that are automatically or manually assigned to the log entry are displayed here.
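To illustrate how the four values shown in the Hash dialog (entry hash, chain hash, entry id, previous entry id) let a verifier detect modification or deletion, here is an added example that is not LogSentinel's code. The hash construction (SHA-256 over canonical JSON, chain link = SHA-256(previous chain hash || entry hash)) and the record layout are assumptions chosen for the demonstration; the product's exact scheme is not documented on this page.

```python
import copy
import hashlib
import json
from typing import Dict, List, Optional

def entry_hash(entry: Dict) -> str:
    """Individual hash of one entry over its canonical JSON form (assumed construction)."""
    canon = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def chain_hash(prev_chain_hash: str, this_entry_hash: str) -> str:
    """Hash-chain link: H(previous chain hash || entry hash). Assumed construction."""
    return hashlib.sha256((prev_chain_hash + this_entry_hash).encode()).hexdigest()

def build_chain(entries: List[Dict]) -> List[Dict]:
    """Produce, per entry, the values the Hash dialog displays (assumed field names)."""
    records, prev_id, prev_chain = [], None, ""
    for e in entries:
        eh = entry_hash(e)
        ch = chain_hash(prev_chain, eh)
        records.append({"id": e["id"], "previousId": prev_id, "entryHash": eh,
                        "chainHash": ch, "entry": e})
        prev_id, prev_chain = e["id"], ch
    return records

def verify_chain(records: List[Dict]) -> Optional[str]:
    """Return None if the chain is intact, else the id of the first record that fails.
    Checks linkage (previousId), the entry hash and the chain hash, in that order."""
    prev_id, prev_chain = None, ""
    for r in records:
        if r["previousId"] != prev_id:                       # gap: an entry was removed or reordered
            return r["id"]
        if entry_hash(r["entry"]) != r["entryHash"]:         # content edited, hash not recomputed
            return r["id"]
        if chain_hash(prev_chain, r["entryHash"]) != r["chainHash"]:  # hash recomputed but chain broken
            return r["id"]
        prev_id, prev_chain = r["id"], r["chainHash"]
    return None

# Constructed sample entries (not real log data)
SAMPLE_ENTRIES = [
    {"id": "e1", "actorId": "svc-backup", "action": "login", "entity": "host#db01"},
    {"id": "e2", "actorId": "alice", "action": "delete", "entity": "users#42"},
    {"id": "e3", "actorId": "alice", "action": "logout", "entity": "host#db01"},
]

def tampered_entry_id() -> Optional[str]:
    """Edit e2 and recompute its entry hash; the chain hash still exposes it."""
    recs = copy.deepcopy(build_chain(SAMPLE_ENTRIES))
    recs[1]["entry"]["action"] = "read"
    recs[1]["entryHash"] = entry_hash(recs[1]["entry"])
    return verify_chain(recs)

def deleted_entry_id() -> Optional[str]:
    """Drop e2; the gap in previousId is detected at e3."""
    recs = copy.deepcopy(build_chain(SAMPLE_ENTRIES))
    del recs[1]
    return verify_chain(recs)
```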

From the list you can generate simple queries by clicking on one of the fields (actorId, action, entity, param value).

The log entries list can be static or updated in real time. The update interval is specified through a dropdown.

All log entries that contain an IP address get geolocation information (visualized by a flag, with additional details on hover).

Time aggregations

Time aggregations show charts split by hour, day, week, month or year, as well as the number of entries for the last periods of the selected type. Charts can be shown for all applications or for a particular application.

Numeric aggregations

Certain parameters (params) can be numeric. If there are such parameters, users can perform aggregations on them. The supported aggregations are: average, sum, min and max.