Working Logs

The "Working Log" grid displays logs collected from:

  • Windows logs from remote machines

  • Windows logs from machines with RT enabled

  • Logs generated by the Azure and AS400 plugins

  • Syslog messages sent by compatible devices

This view allows real-time searching, filtering, sorting, and grouping across the entire log archive of the last 30 days.

To search for a specific machine, type the first characters of the machine name into the PC column of the first (filter) row. Alternatively, use the "Filter" function by clicking the funnel icon in the column header, which works like Excel filtering.
In the "Date Time" column, the funnel icon opens an integrated calendar for date selection.

Columns

  • Area: defines the log context. Login events are highlighted with the label “Login: …”.

    • User Access: physical user login.

    • Lock/Unlock: access after desktop or screen saver unlock.

    • Remote Access: login via remote desktop.

    • Cached Access: login via cached credentials, for example a notebook disconnected from the domain.

    • TeamViewer: access via TeamViewer remote connection.

    • VNC: access via VNC remote connection.

    • NoMachine: access via NoMachine remote connection.

    • Dameware: access via Dameware remote connection.

    • Splashtop: access via Splashtop remote connection.

    • Iperius: access via Iperius remote connection.

  • ID: original Windows event ID.

  • Date/Time: date and time when the event was generated.

  • Type: log type.

  • Source: application or service that generated the event.

  • Category: log category.

  • PC: machine on which the event occurred.

  • User: user associated with the event.

  • Message: full original event message.

  • Login: when the key icon is shown, the event was generated by an interactive login. This field is obsolete.

  • Admin: shows whether the detected user is listed as a system administrator.

  • Admin Name: administrator name as defined in the administrators list.

  • Correlation ID: unique identifier used to trace and correlate requests across multiple systems and services.

    • Request tracking: follows the request path across services.

    • Troubleshooting: identifies all components involved in a transaction.

    • Monitoring and logging: aggregates logs related to a specific request.

Login highlighting

Row colour meanings are shown in the [Legend].

Specific features

By right-clicking a record, a drop-down menu is displayed, providing quick access to specific functions.

The available options are described below:

  • Verify Signature: performs a consistency check of the digital signature recorded at log creation time.

  • Certified Log Print: generates a document containing all elements required for EU regulatory compliance, including a graphical representation of the electronic signature. The document is displayed in a dedicated window and includes a scannable QR code that opens a summary page with key log data and signature verification details.

  • Follow Session: creates an automatic filter for the session related to the event.

  • Follow Correlation: creates an automatic filter based on the event Correlation ID.

  • Create alert for this log: generates a dedicated alert using the variables of the selected log, which can later be modified in the alerts section.

  • Explain this log: sends the selected log to the AI engine to obtain an explanation, with options to export or print the result.

  • Verify external IP with AI: performs advanced analysis of the external IP address associated with the event, when present, including:

    • IP origin: consultation of public databases to identify the original provider.

    • IP reputation: query to a dedicated web service for address reputation.

    • Assessment: security analysis generated based on the collected data.

Explain the selected log

This function uses an AI-powered semantic analysis engine to automatically interpret the content of a single Syslog event.

The system analyzes the message and provides a detailed explanation divided into sections:

  • What happened: describes the detected event in natural language, indicating the user, device, and technical context (e.g., accesses, errors, or modifications).

  • Why it matters: explains the relevance of the event, highlighting risks, vulnerabilities, or security implications.

  • Actions: suggests recommended checks or verifications for managing the event or resolving the issue.

When specific information is not available for a given event, the Wiki tab displays the technical details of the event ID, along with possible alternative actions or suggestions for further investigation.

The explanation can be printed or saved using the commands available at the bottom of the window.

BLog Copilot Chat

On the right side of the grid, the BLog Copilot Chat is available. This feature allows interaction with the displayed data through an AI-style chat interface to perform various operations.

For example, entering the command “filter by PC = Azure” applies the corresponding filter. Additional commands can then be issued, such as “now show only today’s logs”, or all filters can be reset using a command such as “remove all filters”.

Traditional grouping, filtering, and management functions remain available through the toolbar buttons.

AI Analysis

With a dedicated licence, the [AI Analysis] button is available in the log grids.
Up to 100 events can be sent to the AI engine, which analyses them to identify critical or suspicious logs and provides a contextual evaluation that is easy to understand, even for non-expert users.

The purpose is to support interpretation of security logs and accelerate the identification of potentially risky actions.

If more than 100 events are selected, only the first 100 are processed.
The generated report can be printed and exported.
