What is eBuzzSaw?
    Why is there an eBuzzSaw?
    Why is there a field for timeStored and timeGenerated?
    Why do some UNIX machines (like Solaris) have a timeGenerated and other UNIX machines don't?
    What are the SQL fields used?
    What is "\x0" doing in the "strings" and "message" fields?
    After using eBuzzSaw, I then get the 'login' screen. Why?
    How do I submit questions or get help?
    I can't log in ... I know that my user name and password are correct, why?

    What is the current set of reports that I can run?
    How do I view the logs of an NT machine in their "application", "security", "system" etc. form?
    How do I view the logs of a UNIX machine in their continuous form?
    How do I view all three/five NT logs from a particular machine at one time?
    How can I sort the reports by a different column or re-sort the table ascending/descending?
    How do I download from eBuzzSaw so I can use the log entries locally on my machine?

What is eBuzzSaw?
eBuzzSaw displays log entries. It allows the viewing of aggregate reports, such as how many log entries there were, by machine and by log facility, in the last hour. From that screen one can drill down to a specific machine/log facility and see the detailed log entries.

Why is there an eBuzzSaw?
When administering more than a couple of machines, especially NT machines, having the logs in one central location lets you monitor the health and status of the whole domain at once instead of viewing each machine's log separately. UNIX syslogs can be pointed at a central log server, but NT logs cannot. With eBuzzSaw
one can:

>> sort by critical event across the whole domain.

>> monitor the quantity of logs to get a general sense of computer activity.

>> sort by many different criteria across all machines as opposed to a single machine. 


Why is there a field for timeStored and timeGenerated?
The two fields are sometimes the same and sometimes different. 'Time Stored' is the time at which the eBuzzSaw system collected the given log entry and stored it in the database. 'timeGenerated' is the time at which the host generated the log entry. 'timeGenerated' is only available on NT and Solaris log entries; otherwise both fields are set to the same value, that of 'Time Stored'.


Why do some UNIX machines (like Solaris) have a timeGenerated and other UNIX machines don't?
... well, all of them should have a 'timeGenerated', but on some UNIX machines it is a truer value: when such a machine generates and sends a syslog entry, it includes the time of generation as part of the syslog message, and eBuzzSaw can parse that time out of the message and use it. Solaris sends this type of syslog message. NT machines also have separate timeGenerated and timeStored values. These times are local to the generating machine.


What are the SQL fields used?
The current SQL fields include (fields marked * are used by the reports; values are from one NT and one UNIX sample record):

  field name            NT value                    UNIX value
  ====================  ==========================  ==========================
* recNumber             868122                      868123
  Source                MSExchange Pop3 Interface   sendmail
  Computer              XYZHOST                     192.220.26.67
  Length                NULL                        NULL
  Data                  NULL                        NULL
  Category              1                           NULL
  RecordNumber          2310890                     NULL
* TimeGenerated         978110918                   978811506
* Timewritten           978110918                   978811559
* EventID               11100                       26
* EventType             4                           6
  ClosingRecordNumber   NULL                        NULL
  Strings               63.201.36.7\x0              MAIL INFO Jan 6 12:05:06 sendmail[3348]: MAA03346: to=xyz@ebuzzsaw.com,123@ebuzzsaw.com, ctladdr=root (0/1), delay=00:00:05, xdelay=00:00:03, mailer=relay, relay=ns2.downtown.net. 192.203.63.245], stat=Sent (OK)
  Message               NULL                        <22>Jan 6 12:05:06 sendmail[3348]: MAA03346: to=xyz@ebuzzsaw.com,123@ebuzzsaw.com, ctladdr=root (0/1), delay=00:00:05, xdelay=00:00:03, mailer=relay, relay=ns2.downtown.net. [192.203.63.245], stat=Sent (OK)
  User                  NULL                        NULL
* m_logSource           application                 MAIL
  m_os                  nt                          UNIX
* m_userName            NULL                        NULL
  m_timeGenerated       2000-12-29 09:28:38.000     1/6/01 2:51:03 PM
  m_syslog_host         XYZHOST                     pm2-67.xyz-123.net
  m_syslog_store_date   2000-12-29 09:30:38.000     1/6/01 2:51:55 PM
  m_userDomain          NULL                        NULL
  m_userSIDtype         NULL                        NULL



What is "\x0" doing in the "strings" and "message" fields?
The syslog data coming from the host machines may include null characters (hex 00). SQL does not accept null characters in text fields, so we replace each null character with the ASCII text "\x0" as a substitute. Note that a null character (hex 00) is not the same thing as a NULL field, which is a field that has no data.
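As an added example (not eBuzzSaw's own code), the following Python handles the sample UNIX "Message" from the field table the way the two preceding answers describe: it reads the syslog priority into facility and severity, takes timeGenerated from the timestamp the sending host embedded (falling back to timeStored when there is none), and substitutes "\x0" for any null bytes. The facility/severity name table and the year-rollover rule are assumptions, since the page does not state them.

```python
import re
from datetime import datetime

# Standard syslog facility / severity names (RFC 3164 numbering). eBuzzSaw's own
# name table is not on the page, so this mapping is an assumption.
FACILITIES = {0: "KERN", 1: "USER", 2: "MAIL", 3: "DAEMON", 4: "AUTH", 5: "SYSLOG",
              6: "LPR", 7: "NEWS", 8: "UUCP", 9: "CRON", 10: "AUTHPRIV", 11: "FTP"}
FACILITIES.update({16 + i: f"LOCAL{i}" for i in range(8)})
SEVERITIES = ["EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
TS_RE = re.compile(r"^([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")

def sanitize(raw: bytes) -> str:
    """Decode the raw datagram and swap each NUL byte for the literal text \\x0."""
    # A NUL byte (hex 00) cannot be stored in the SQL text field; the substitute
    # keeps the record storable and leaves the byte visible to whoever reads it.
    return raw.decode("latin-1").replace("\x00", "\\x0")

def parse_syslog(raw: bytes, time_stored: datetime) -> dict:
    """Split a BSD-style syslog line into the fields the FAQ's table shows."""
    text = sanitize(raw)
    rec = {"timeStored": time_stored, "facility": None, "severity": None}
    m = PRI_RE.match(text)
    if m:
        pri = int(m.group(1))  # <PRI> = facility * 8 + severity
        rec["facility"] = FACILITIES.get(pri >> 3, f"FAC{pri >> 3}")
        rec["severity"] = SEVERITIES[pri & 7]
        text = text[m.end():]
    m = TS_RE.match(text)
    if m:
        # The sender's stamp carries no year; assume the year of timeStored,
        # minus one when a December entry is stored in January (assumption).
        month = datetime.strptime(m.group(1), "%b").month
        year = time_stored.year - (1 if month > time_stored.month else 0)
        rec["timeGenerated"] = datetime(year, month, int(m.group(2)),
                                        int(m.group(3)), int(m.group(4)), int(m.group(5)))
    else:
        rec["timeGenerated"] = time_stored  # no sender time: same as timeStored
    rec["message"] = text
    # The table's "Strings" column is facility + severity + the message sans <PRI>.
    rec["strings"] = f"{rec['facility']} {rec['severity']} {text}" if m or rec["facility"] else text
    return rec

# Constructed sample input: the UNIX "Message" value from the field table,
# shortened, with a trailing NUL byte added to show the "\x0" substitution.
SAMPLE = b"<22>Jan 6 12:05:06 sendmail[3348]: MAA03346: to=xyz@ebuzzsaw.com, stat=Sent (OK)\x00"
STORE_TIME = datetime(2001, 1, 6, 14, 51, 55)  # the table's m_syslog_store_date

if __name__ == "__main__":
    print(parse_syslog(SAMPLE, STORE_TIME))
```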

After using eBuzzSaw for some time I leave my browser with eBuzzSaw in it, and when I try to use it again I get the 'login' screen and am forced to give my username and password again. Why?
If your browser sees no session activity, i.e. no requests to eBuzzSaw, it will time the session out and lose its security token (a browser cookie). In that case you will need to log back in. This is by design, so that an unattended desktop does not let anyone use eBuzzSaw after the browser times out.

How do I submit questions or get help?
At the bottom of each page is a link labelled "feedback ?". It takes you to the web-based help desk.

I can't log in ... I know that my user name and password are correct, why?
It is probably because your browser is not accepting cookies. A cookie is how we store the security token that lets eBuzzSaw know you are allowed to view the syslog information in the database.


What is the current set of reports that I can run?

report#  report description
======================================================================
3        HOST
4        host by LOG
5        host by log by SOURCE
6        eventType/priority by HOST
7        eventType/priority by host by SOURCE
8        eventType/priority by host by SOURCE, 1,16 for NT and 0,1,2,3,4 for UNIX
10       host by eventType
11       host by eventType by source
20       host by LOG - detail by log
50       user grouped by user
51       user sorted by time, excluding 'system', 'iusr*', NULL
52       user, excluding 'system', 'iusr*', NULL
100      UNIX cpu, memory, disk
106      UNIX priority by HOST
107      UNIX priority by host by FACILITY
120      UNIX FACILITY
512      host by eventID 512: eventLog startup
513      host by eventID 513: system shutdown
528      host by eventID 528: successful logon
529      host by eventID 529: bad logon attempt
530      host by eventID 530: bad logon attempt: logon time restriction violation
531      host by eventID 531: bad logon attempt: account disabled
532      host by eventID 532: bad logon attempt: account expired
533      host by eventID 533: bad logon attempt: workstation restriction - not allowed to log on at this computer
534      host by eventID 534: bad logon attempt: inadequate rights - as in a user attempting console login to a server
535      host by eventID 535: bad logon attempt: password expired
536      host by eventID 536: bad logon attempt: NetLogon service down
537      host by eventID 537: bad logon attempt: unexpected error - ?!??
538      host by eventID 538: successful logoff
539      host by eventID 539: bad logon attempt: account locked out
627      host by eventID 627: bad logon attempt: NT AUTHORITY\ANONYMOUS tried to change a password
642      host by eventID 642: PDC's change of secure channel passwords
644      host by eventID 644: user account locked out
901      overview of events by host
902      overview of log entries by host
910      count of syslog entries by time written
911      count of syslog entries by time written by host
951      search using ad hoc words with AND, NOT ...
998      SQL rows in the last 'x' amount of time
999      SQL count