Servers Information
The system provides two functions that Administrators can use to get information about the source servers XpoLog collects data from: how many there are, the state of each server, the number of logs, etc.
XpologAccountStatsFunction
This function runs over the XpoLog Address Book, checks the status of each SSH, Remote XpoLog and Database account in the system, and returns a detailed status for each one.
Note that once activated, XpoLog establishes a connection to each of the accounts for a very short period (connect/ping/etc.); expect these short-lived connection attempts to show up in the connection and authentication logs of the target hosts.
Download the jar file - XpologAccountStatsFunction.jar
Place the jar in the XpoLog EXTERNAL_CONF/conf/functions/user/lib/ and restart XpoLog.
Go to the search console and run on the last 1 hour:
* | datainfo | first 1 | execute class.XpologAccountStatsFunction(column.ext.log ,X , Y , Z ) as account id , account name ,account host, account type, is user in addressbook, last modified logid ,last collection of the log ,is last activity in range , account verify , is host accessible , status code , status desc
The first part (* | datainfo | first 1 | execute class.XpologAccountStatsFunction) is fixed. The time frame selected in the search console does not affect the result; however, the search must run on at least some portion of the data, so it is recommended to run it on the last 1 hour. The actual time frame that XpoLog checks is determined by the X parameter passed to the function, as listed below.
Function parameters:
column.ext.log – fixed, do not change.
X – the number of days back to check whether data was collected from the account (the "in range" window, for example 7 days).
Y – timeout when pinging a server, in milliseconds (for example 5000).
Z – the number of threads used during execution to run multiple checks simultaneously (for example 10).
The last part is also fixed:
as account id , account name ,account host, account type, is user in addressbook , last modified logid ,last collection of the log ,is last activity in range , account verify , is host accessible , status code , status desc
Important Fields:
Account Name = the name of the account in the Address Book
Account Host = the host configured in the account
Account Type = ssh, remote (Windows), db (databases)
Last Modified Log ID & Last Collection Of The Log = the last log ID that data was collected from using the account, and the last time data was collected from it
Is Last Activity In Range = whether the last collection time is within the number of days passed to the function (7 in the above example)
Account Verify = whether account verification passed successfully or not
Is Host Accessible = whether the host configured in the account answers a ping or not
Status Code & Status Desc:
State 1: Fully Active = XpoLog is able to connect to the account and there's data (any data) from the server in the last X days. This means it's a fully valid server.
State 2: Partially Active = XpoLog is able to connect to the account but there's no data (any data) from the server in the last X days. This means the server and account are valid, but there are no logs, or misconfigured logs, on that server.
State 3: Temporarily Inactive = XpoLog is unable to connect to the account, but there's data (any data) from the server in the last X days. This means data was collected from the server in the last X days, but at the time of execution there's no connection to the server.
State 4: Inactive = XpoLog is unable to connect to the account and there's no data (any data) from the server in the last X days, but XpoLog is able to see the server on the network (XpoLog has a ping). This means it's a valid server but an invalid account or invalid credentials.
State 5: Temporarily Unrecognized = XpoLog is unable to connect to the account, there's data (any data) from the server in the last X days, and XpoLog is unable to see the server (XpoLog does not have a ping). This means data was collected from the server in the last X days, but at the time of execution there's no connection and no ping to the server.
State 6: Unrecognized = XpoLog is unable to connect to the account, there's no data (any data) from the server in the last X days, and XpoLog is unable to reach the server (XpoLog does not have a ping). This means XpoLog can't see the server at all.
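The six states above are a decision table over three facts the function gathers per account: did the credentials verify, was data collected within the last X days, and does the host answer a ping. The following Python is an added illustration of that table, not code from XpoLog or the jar; it classifies a few constructed Address Book records and then applies the equivalent of the "where status desc = Inactive or status desc = Unrecognized" filter and an "order by status code desc". The one assumption it makes is that states 3 and 4 are the "host answers a ping" cases, since only states 5 and 6 are described as having no ping. The account names, hosts and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Status codes and descriptions as documented for XpologAccountStatsFunction.
STATUS_DESC = {
    1: "Fully Active",
    2: "Partially Active",
    3: "Temporarily Inactive",
    4: "Inactive",
    5: "Temporarily Unrecognized",
    6: "Unrecognized",
}


@dataclass
class AccountProbe:
    """Raw facts gathered per Address Book account (constructed sample shape)."""
    account_id: int
    account_name: str
    account_host: str
    account_type: str                 # "ssh", "remote" (Windows) or "db"
    last_modified_logid: Optional[str]
    last_collection: Optional[datetime]
    account_verify: bool              # did connecting with the credentials succeed?
    host_accessible: bool             # did the host answer a ping?


def is_last_activity_in_range(last_collection, now, range_days):
    """'Is Last Activity In Range': last collection within the last X days."""
    if last_collection is None:
        return False
    return now - last_collection <= timedelta(days=range_days)


def status_code(account_verify, in_range, host_accessible):
    """Decision table behind Status Code, as described in the state list.
    Assumption: states 3/4 are the 'ping answered' cases, 5/6 the 'no ping' cases."""
    if account_verify:
        return 1 if in_range else 2
    if host_accessible:
        return 3 if in_range else 4
    return 5 if in_range else 6


def classify(probe, now, range_days):
    """Build one result row using the same column names as the search query."""
    in_range = is_last_activity_in_range(probe.last_collection, now, range_days)
    code = status_code(probe.account_verify, in_range, probe.host_accessible)
    return {
        "account id": probe.account_id,
        "account name": probe.account_name,
        "account host": probe.account_host,
        "account type": probe.account_type,
        "last modified logid": probe.last_modified_logid,
        "last collection of the log": probe.last_collection,
        "is last activity in range": in_range,
        "account verify": probe.account_verify,
        "is host accessible": probe.host_accessible,
        "status code": code,
        "status desc": STATUS_DESC[code],
    }


def needs_attention(rows):
    """Equivalent of: | where status desc = Inactive or status desc = Unrecognized"""
    return [r for r in rows if r["status desc"] in ("Inactive", "Unrecognized")]


# Constructed sample data: a fixed 'now', X = 7 days, and four accounts.
NOW = datetime(2024, 1, 15, 12, 0, 0)
RANGE_DAYS = 7
SAMPLE_PROBES = [
    AccountProbe(1, "web-prod-ssh", "10.0.0.11", "ssh", "log-101", NOW - timedelta(days=1), True, True),
    AccountProbe(2, "db-reports", "10.0.0.22", "db", "log-202", NOW - timedelta(days=30), True, True),
    AccountProbe(3, "win-fileserver", "10.0.0.33", "remote", "log-303", NOW - timedelta(days=2), False, True),
    AccountProbe(4, "old-edge-host", "10.0.0.44", "ssh", None, None, False, False),
]


def run_sample():
    """Classify the sample accounts; equivalent of: | order by status code desc"""
    rows = [classify(p, NOW, RANGE_DAYS) for p in SAMPLE_PROBES]
    rows.sort(key=lambda r: r["status code"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in run_sample():
        print(row["account name"], row["status code"], row["status desc"])
    print("needs attention:", [r["account name"] for r in needs_attention(run_sample())])
```

Running it lists old-edge-host (6, Unrecognized) first and web-prod-ssh (1, Fully Active) last; only old-edge-host survives the "needs attention" filter, while win-fileserver (3, Temporarily Inactive) is worth a follow-up check rather than an alert, because data was still collected from it within the window.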
Note:
You can order by any of the fields by adding: | order by <field_name> asc/desc
You can filter the result by adding a ‘where’ condition, for example: | where status desc = Inactive or status desc = Unrecognized