User Guide for Event Management System #
Welcome to the User Guide for the Event Management System, a sophisticated tool designed for real-time event handling, querying, and management based on Suricata events and using Redis for data storage. This guide provides you with the necessary information to interact with the system effectively, utilizing its comprehensive set of features.
System Overview #
The Event Management System offers a robust backend solution for managing and analyzing network security events. It interfaces through RESTful APIs and is designed to facilitate seamless interactions with event data, making it ideal for integration into web applications.
Key Features #
Event Retrieval by Type:
Retrieve events based on their type, such as alerts or logs.
Usage: Send a GET request to `/events/type/{event_type}` with the optional `offset` and `limit` query parameters to paginate the results.
Event Search by Name:
Look up events by specific names or identifiers within the events.
Usage: Send a GET request to `/events/name/{event_name}` to fetch the matching event data.
Event Count by Type:
Get a count of how many events of a certain type are stored.
Usage: Send a GET request to `/events/count/{event_type}` to receive an integer count.
Detailed Event Information:
Fetch the full record of a single event by its unique ID.
Usage: Send a GET request to `/events/details/{event_type}/{event_id}` to get the complete view of that event.
Event Deletion:
Delete all stored events of a given type.
Usage: Send a DELETE request to `/events/delete/{event_type}` to clear all events of that type. The deletion is irreversible, and this guide describes no authentication on the API, so restrict access to this endpoint (for example at a reverse proxy or firewall) before exposing the service beyond trusted clients.
Advanced Search Capabilities:
Perform searches that combine several parameters: source IP, destination IP, source and destination port, and protocol.
Usage: Send a GET request to `/events/search` with the query parameters you want to filter on.
Time-Shifted Event Retrieval:
Retrieve events from a time window that ends at the current time.
Usage: Send a GET request to `/events/timeshift/{event_type}` with the `timeshift` (hours back from now), `offset`, and `limit` parameters to set the window and paginate within it.
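The following is an added example, not code from the Event Management System, of a small Python client for the endpoints listed above. Because this guide does not give the JSON shape of an event record, the example starts an in-process stub server with constructed data so that it runs offline; the `event_id` and `event_type` field names, the `{"deleted": n}` body of the DELETE response, and the stub's behaviour are all assumptions. The client validates the `{event_type}` path segment before it is placed in a URL and walks `/events/type/{event_type}` with `offset` and `limit` until a short page signals the end of the data.

```python
import json
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, quote, urlencode, urlparse
from urllib.request import Request, urlopen

# Constructed sample events (not real Suricata data). The record shape is an
# assumption: the guide only says responses are JSON and that /count is an integer.
SAMPLE_EVENTS = [
    {"event_id": i, "event_type": "alert", "src_ip": f"203.0.113.{i}"} for i in range(1, 6)
]
_STORE = []  # mutable copy served by the stub, reset by start_stub()

EVENT_TYPE_RE = re.compile(r"^[a-z][a-z0-9_]*$")  # assumed naming of Suricata event types


def valid_event_type(name):
    """True only for plain type names such as 'alert' or 'drop'."""
    return bool(EVENT_TYPE_RE.match(name))


class _StubHandler(BaseHTTPRequestHandler):
    """In-process stand-in for the real backend so the client can run offline."""

    def _send_json(self, obj, status=200):
        data = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Access-Control-Allow-Origin", "*")  # the guide says every response carries CORS headers
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        url = urlparse(self.path)
        qs = parse_qs(url.query)
        parts = url.path.strip("/").split("/")
        if len(parts) != 3 or parts[0] != "events":
            return self._send_json({"error": "not found"}, 404)
        _, op, event_type = parts
        items = [e for e in _STORE if e["event_type"] == event_type]
        if op == "count":
            return self._send_json(len(items))
        if op == "type":
            offset = int(qs.get("offset", ["0"])[0])
            limit = int(qs.get("limit", ["100"])[0])
            return self._send_json(items[offset:offset + limit])
        self._send_json({"error": "not found"}, 404)

    def do_DELETE(self):
        parts = urlparse(self.path).path.strip("/").split("/")
        if len(parts) == 3 and parts[:2] == ["events", "delete"]:
            removed = [e for e in _STORE if e["event_type"] == parts[2]]
            for e in removed:
                _STORE.remove(e)
            return self._send_json({"deleted": len(removed)})
        self._send_json({"error": "not found"}, 404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_stub():
    """Start the stub on an ephemeral localhost port and return its base URL."""
    _STORE[:] = [dict(e) for e in SAMPLE_EVENTS]
    server = HTTPServer(("127.0.0.1", 0), _StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}"


class EventClient:
    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")

    def _request(self, method, path, **params):
        url = self.base_url + path + ("?" + urlencode(params) if params else "")
        with urlopen(Request(url, method=method), timeout=5) as resp:
            return json.loads(resp.read().decode())

    @staticmethod
    def _type_segment(event_type):
        # Reject anything that is not a plain type name before it reaches the path:
        # a value like "../delete" must never be interpolated into a URL.
        if not valid_event_type(event_type):
            raise ValueError(f"invalid event type: {event_type!r}")
        return quote(event_type, safe="")

    def count(self, event_type):
        return self._request("GET", f"/events/count/{self._type_segment(event_type)}")

    def page(self, event_type, offset=0, limit=100):
        return self._request("GET", f"/events/type/{self._type_segment(event_type)}",
                             offset=offset, limit=limit)

    def iter_events(self, event_type, page_size=2):
        """Walk offset/limit pages until a page shorter than page_size marks the end."""
        offset = 0
        while True:
            page = self.page(event_type, offset, page_size)
            yield from page
            if len(page) < page_size:
                return
            offset += page_size

    def delete_type(self, event_type):
        return self._request("DELETE", f"/events/delete/{self._type_segment(event_type)}")


def demo():
    """Count, page through, delete and recount the stub's alert events."""
    client = EventClient(start_stub())
    before = client.count("alert")
    ids = [e["event_id"] for e in client.iter_events("alert", page_size=2)]
    deleted = client.delete_type("alert")["deleted"]
    return before, ids, deleted, client.count("alert")


if __name__ == "__main__":
    print(demo())
```

To point the client at a real deployment, construct `EventClient` with the backend's base URL instead of `start_stub()`; the path validation and paging loop do not depend on the stub.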
CORS Support #
All HTTP responses include CORS (Cross-Origin Resource Sharing) headers, so the API can be called from web applications served from other domains. Check which origins the deployment actually allows before exposing the service: if responses carry `Access-Control-Allow-Origin: *`, any web page a user visits can read event data through that user's browser, and the browser will also send the preflighted DELETE request if the `Access-Control-Allow-Methods` header permits it, since this guide describes no authentication on the API.
Error Handling #
The system is designed to handle errors gracefully, providing meaningful error messages in the HTTP response to assist in debugging and integration efforts.
Configuration and Setup #
System configuration is managed through a configuration file (`config++.conf`), which includes settings such as the path to the `fast.log` file and the Redis connection parameters.
Retrieving Fast.log Content #
The system can directly serve the contents of the `fast.log` file, providing real-time access to the raw log data.
Usage: Send a GET request to `/fastlog`, which returns the content of the `fast.log` file configured in `config++.conf`. The endpoint returns the whole file, which can be large on a busy sensor, and it exposes every raw alert line, so apply the same access restrictions to it as to the rest of the API.
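The following is an added example, not part of the Event Management System's code. It parses standard Suricata fast.log lines into records that use the same field names as the search form (`src_ip`, `src_port`, `dest_ip`, `dest_port`, `proto`) and then applies the three query styles this guide describes for the API: offset/limit paging, parameter search as on `/events/search`, and a time window as on `/events/timeshift`. The sample log lines are constructed, and the exact filter semantics of the backend (exact match on each parameter, window measured back from now) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of fast.log records (documentation IP ranges, rule-style
# messages); not taken from a real sensor. The last line is deliberately malformed.
FASTLOG_SAMPLE = """\
03/14/2024-10:15:02.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.168.1.20:50342
03/14/2024-12:40:17.000001  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:41522 -> 192.168.1.5:1433
03/14/2024-13:05:44.654321  [**] [1:2200003:2] SURICATA ICMPv4 unknown type [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {ICMP} 192.168.1.9:8 -> 192.168.1.1:0
this line is not a fast.log record and is skipped
"""

# One fast.log line: timestamp  [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: N] {PROTO} src:port -> dst:port. The Classification block is optional.
FASTLOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src_ip>\S+?):(?P<src_port>\d+)\s+->\s+(?P<dest_ip>\S+?):(?P<dest_port>\d+)\s*$"
)


def parse_fastlog(text):
    """Parse fast.log text into event dicts; malformed lines are skipped, not raised."""
    events = []
    for line in text.splitlines():
        m = FASTLOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            # Naive datetime in the sensor's local time, as written by Suricata.
            "timestamp": datetime.strptime(d["ts"], "%m/%d/%Y-%H:%M:%S.%f"),
            "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
            "msg": d["msg"], "classification": d["classification"],
            "priority": int(d["priority"]), "proto": d["proto"].upper(),
            "src_ip": d["src_ip"], "src_port": int(d["src_port"]),
            "dest_ip": d["dest_ip"], "dest_port": int(d["dest_port"]),
        })
    return events


def _page(events, offset, limit):
    """offset/limit paging as used by the /events/* endpoints."""
    return events[offset:offset + limit]


def search(events, offset=0, limit=100, **filters):
    """Exact match on any of src_ip, dest_ip, src_port, dest_port, proto; then page."""
    allowed = {"src_ip", "dest_ip", "src_port", "dest_port", "proto"}
    unknown = set(filters) - allowed
    if unknown:
        raise ValueError(f"unsupported filter(s): {sorted(unknown)}")
    if "proto" in filters:
        filters["proto"] = filters["proto"].upper()
    hits = [e for e in events if all(e[k] == v for k, v in filters.items())]
    return _page(hits, offset, limit)


def timeshift(events, hours, now=None, offset=0, limit=100):
    """Events whose timestamp lies within the last `hours` hours relative to `now`.

    `now` may be a datetime or an ISO 8601 string; it defaults to the current time.
    """
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    cutoff = now - timedelta(hours=hours)
    hits = [e for e in events if cutoff <= e["timestamp"] <= now]
    return _page(hits, offset, limit)


if __name__ == "__main__":
    evs = parse_fastlog(FASTLOG_SAMPLE)
    for e in search(evs, proto="tcp"):
        print(e["sid"], e["src_ip"], "->", e["dest_ip"], e["dest_port"])
    for e in timeshift(evs, 2, now="2024-03-14T14:00:00"):
        print("last 2h:", e["timestamp"], e["msg"])
```

Because the timestamps are naive and in the sensor's local time, `now` must be supplied in the same frame when the parser runs on a different host; comparing them against a UTC clock would silently shift the window.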
Integration Tips #
Ensure that your client application is configured to handle JSON responses effectively, as all data exchanged with the backend is in JSON format.
Utilize the provided CORS headers if the API is consumed from web applications hosted on different domains.
This user guide aims to equip you with the knowledge to utilize the Event Management System efficiently. Whether for application integration or network monitoring, the system provides a powerful toolkit for managing and analyzing security events.
Web Interface #
Selecting and Viewing Events:
Event Type (eventType): Dropdown list for selecting the type of Suricata IDS/IPS events, such as alert, anomaly, drop, etc. This allows filtering events by their type.
Time Shift (timeShift): Dropdown list for selecting the time shift for events, such as the last hour, two hours, etc. This allows viewing events for a specific time period.
Filtering by IP and Ports:
Destination IP (dest_ip) and Destination Port (dest_port): Fields for entering the destination IP address and port to filter events.
Source IP (src_ip) and Source Port (src_port): Fields for entering the source IP address and port for additional event filtering.
Protocol (event_proto): Text field for entering the protocol name to filter events.
Paging and Count:
Offset (eventOffset): Field for entering the offset into the event data set, i.e. how many matching events to skip.
Limit (eventLimit): Field for entering the maximum number of events to display.
Count (eventCount): Read-only text field displaying the number of events matching the current filters.
Control Buttons:
Fetch Events: Button to retrieve all events of the selected type.
Find Events By Params: Button to select events matching the specified parameters.
Find Events By Timeshift: Button to select events of the specified type, limited by time parameters.
Delete Events: Button to delete all events of the selected type.
Clear Form: Button to clear the form of entered data.
Additional Elements:
Events Output (eventsOutput): Area for displaying the results of the event selection.
Event Detail (eventDetail): Area for displaying detailed information about the selected event.
Events Histogram (eventsHistogram): Area for displaying a histogram of events, helping to visualize the distribution of events over time or other parameters.
Fast Log Content (fastLogContent): Text field for displaying the content of the Fast log.
At the very bottom of the page is a chart showing the number of events over the last 24 hours, followed by the content of the fast.log file.
See also:
More about Suricata events and output.
Tool for events parsing.