When the Log Analyzer Server analyzes and aggregates the collected logs, it applies the screening conditions and exclusion conditions that were set in advance.
If these conditions are set inappropriately, the accuracy of the analysis and aggregation results is reduced. Therefore, decide which conditions to set during the design stage.
The settings are as follows:
Specify the following items to determine the analysis (screening) conditions.
Keyword: string contained in a file name or file path (partial match)
Domain: string contained in an e-mail address (partial match)
URL: string contained in a URL (partial match)
Application: executable file name without the extension (complete match)
To exclude PCs from the aggregation target, determine the exclusion conditions as follows.
PCs that must access important files as part of their business duties
PCs that perform a large amount of file access daily
To perform the analysis with higher accuracy, consider the following:
Screening conditions are set per Log Analyzer Server. Therefore, when one server covers multiple organizations, setting a keyword that applies only to a particular organization can make the analysis inappropriate for the other organizations.
Extract keywords that are common to all organizations, and avoid setting keywords that are limited to a particular department.
In addition, assign organizations that handle the same confidential information to the same Log Analyzer Server for management. For configuration viewpoints, refer to "1.2.1.3 Determine the Installation Standard for Log Analyzer Server" in "1.2.1 Determine System Structure".
For exclusion conditions, it is important to identify the exception PCs mentioned above. Do not include a PC that lowers the accuracy of the aggregation results in the aggregation target.
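The following added example (not code from the product or this guide) shows how the four screening conditions above and the PC exclusion conditions behave when applied to log records: partial match for keyword, domain and URL, complete match on the executable name without its extension, and excluded PCs left out of the aggregation entirely. The record shape, the sample values and case-insensitive matching are assumptions made for the example.

```python
# Constructed sample records in a simplified shape (not the product's real log format):
# the PC that produced the record, the log kind, and the value the conditions are matched against.
SAMPLE_LOGS = [
    {"pc": "PC-SALES-01", "kind": "file", "value": r"C:\Projects\Confidential\pricing.xlsx"},
    {"pc": "PC-SALES-01", "kind": "mail", "value": "someone@partner.example"},
    {"pc": "PC-SALES-02", "kind": "url",  "value": "https://upload.example.com/share"},
    {"pc": "PC-SALES-02", "kind": "app",  "value": r"C:\Tools\winrar.exe"},
    {"pc": "PC-SALES-02", "kind": "app",  "value": r"C:\Tools\winrar2.exe"},   # not a complete match
    {"pc": "PC-FILESRV-ADMIN", "kind": "file", "value": r"D:\Confidential\all.zip"},
]

CONDITIONS = {
    "keyword": ["confidential"],      # partial match on file name or file path
    "domain": ["partner.example"],    # partial match on e-mail address
    "url": ["upload.example.com"],    # partial match on URL
    "application": ["winrar"],        # complete match on executable name without extension
}
# Exclusion condition: an admin PC that must access important files as part of its duties.
EXCLUDED_PCS = {"PC-FILESRV-ADMIN"}

def exe_name_without_extension(path):
    """Strip directory and extension: 'C:\\Tools\\winrar.exe' -> 'winrar'."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name

def matches(record, conditions):
    """Apply the screening rules; matching is case-insensitive (an assumption of this example)."""
    value = record["value"].lower()
    if record["kind"] == "file":
        return any(k.lower() in value for k in conditions["keyword"])
    if record["kind"] == "mail":
        return any(d.lower() in value for d in conditions["domain"])
    if record["kind"] == "url":
        return any(u.lower() in value for u in conditions["url"])
    if record["kind"] == "app":
        return exe_name_without_extension(value) in {a.lower() for a in conditions["application"]}
    return False

def aggregate(records, conditions, excluded_pcs):
    """Count matching records per PC, skipping excluded PCs before any condition is evaluated."""
    counts = {}
    for rec in records:
        if rec["pc"] in excluded_pcs:
            continue
        if matches(rec, conditions):
            counts[rec["pc"]] = counts.get(rec["pc"], 0) + 1
    return counts

if __name__ == "__main__":
    for pc, n in sorted(aggregate(SAMPLE_LOGS, CONDITIONS, EXCLUDED_PCS).items()):
        print(f"{pc}: {n} matching operation(s)")
```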