{"id":32481,"date":"2026-06-23T01:58:05","date_gmt":"2026-06-23T01:58:05","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=32481"},"modified":"2026-06-23T01:58:07","modified_gmt":"2026-06-23T01:58:07","slug":"datadog-log-lab-and-assignment","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/datadog-log-lab-and-assignment\/","title":{"rendered":"Datadog Log: Lab and Assignment"},"content":{"rendered":"\n

Lab Manual: Datadog Logs Search, Filter, Sorting, Display, and Analysis<\/h1>\n\n\n\n

Hands-on Datadog Logs Explorer Lab using Ubuntu Linux Logs and Apache Logs<\/strong><\/h2>\n\n\n\n
\n\n\n\n

Lab Objective<\/h2>\n\n\n\n

By the end of this lab, students will be able to:<\/p>\n\n\n\n

    \n
  1. Open Datadog Log Explorer.<\/li>\n\n\n\n
  2. Search logs using free-text search.<\/li>\n\n\n\n
  3. Filter logs using source, service, host, status, and attributes.<\/li>\n\n\n\n
  4. Use Boolean operators such as AND<\/code>, OR<\/code>, and exclusion with -<\/code>.<\/li>\n\n\n\n
  5. Search exact phrases using double quotes.<\/li>\n\n\n\n
  6. Use wildcard search.<\/li>\n\n\n\n
  7. Search Apache logs by HTTP status code, path, method, and client IP.<\/li>\n\n\n\n
  8. Search Ubuntu logs for SSH, sudo, cron, systemd, authentication, and errors.<\/li>\n\n\n\n
  9. Use facets to narrow down logs.<\/li>\n\n\n\n
  10. Open individual logs and inspect log attributes.<\/li>\n\n\n\n
  11. Add\/remove columns in the log list.<\/li>\n\n\n\n
  12. Sort and display logs for troubleshooting.<\/li>\n\n\n\n
  13. Use Log Analytics to group logs by fields.<\/li>\n\n\n\n
  14. Use visualizations such as Top List, Timeseries, Table, Pie Chart, and Tree Map.<\/li>\n\n\n\n
  15. Use Log Patterns to identify repeated log messages.<\/li>\n\n\n\n
  16. Use Live Tail for near-real-time log checking.<\/li>\n\n\n\n
  17. Create Saved Views for repeatable troubleshooting.<\/li>\n\n\n\n
  18. Export\/share log views for team collaboration.<\/li>\n<\/ol>\n\n\n\n
    \n\n\n\n

    1. Lab Environment<\/h1>\n\n\n\n

    1.1 Assumptions<\/h2>\n\n\n\n

    This lab assumes the following logs are already available in Datadog:<\/p>\n\n\n

    Ubuntu Linux logs\nApache access logs\nApache error logs\n<\/code><\/span><\/pre>\n\n\n
    Common Ubuntu log examples:<\/p>\n\n\n
    \/var<\/span>\/log\/syslog\n\/var<\/span>\/log\/auth.log\n\/var<\/span>\/log\/kern.log\n\/var<\/span>\/log\/dpkg.log\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n
    Common Apache log examples:<\/p>\n\n\n
    \/var<\/span>\/log\/apache2\/access.log\n\/var<\/span>\/log\/apache2\/error.log\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n
    The exact Datadog fields may vary depending on your Datadog Agent configuration, log pipeline, parser, and integration setup.<\/p>\n\n\n\n
    \n\n\n\n
    1.2 Required Access<\/h2>\n\n\n\n
    Students need access to:<\/p>\n\n\n
    Datadog account\nLogs product\nLog Explorer\nPermission to search logs\nPermission to create Saved Views, if allowed by your organization\n<\/code><\/span><\/pre>\n\n\n
    Optional permissions:<\/p>\n\n\n
    Permission to create facets\nPermission to create log-based metrics\nPermission to create dashboards\nPermission to create monitors\n<\/code><\/span><\/pre>\n\n\n
    For this lab, students mainly need read\/search access.<\/p>\n\n\n\n
    \n\n\n\n
    1.3 Expected Log Sources<\/h2>\n\n\n\n
    Your logs may appear with sources like:<\/p>\n\n\n
    source<\/span>:syslog<\/span>\nsource<\/span>:ubuntu<\/span>\nsource<\/span>:linux<\/span>\nsource<\/span>:apache<\/span>\nsource<\/span>:apache.access<\/span>\nsource<\/span>:apache.error<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
    Services may appear as:<\/p>\n\n\n
    service<\/span>:system<\/span>\nservice<\/span>:ubuntu<\/span>\nservice<\/span>:apache<\/span>\nservice<\/span>:web<\/span>\nservice<\/span>:httpd<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
    Hosts may appear as:<\/p>\n\n\n
    host<\/span>:ubuntu-demo<\/span>\nhost<\/span>:linux-demo<\/span>\nhost<\/span>:web-server-01<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
    Because Datadog setups differ, students should first discover the actual values in their own Log Explorer.<\/p>\n\n\n\n
    \n\n\n\n
    2. Datadog Logs Explorer Mental Model<\/h1>\n\n\n\n
    Datadog Log Explorer is used for:<\/p>\n\n\n
    Search\nFilter\nInspect\nDisplay\nGroup\nVisualize\nExport\nSave\nTroubleshoot\n<\/code><\/span><\/pre>\n\n\n
    Simple mental model:<\/p>\n\n\n
    Raw logs arrive in Datadog\n        \u2193\nDatadog parses\/enriches logs\n        \u2193\nStudents search and filter logs\n        \u2193\nStudents inspect individual log attributes\n        \u2193\nStudents group and visualize logs\n        \u2193\nStudents save views for repeatable troubleshooting\n<\/code><\/span><\/pre>\n\n\n
    \n\n\n\n
    3. Important Datadog Log Terms<\/h1>\n\n\n\n
    3.1 Log Event<\/h2>\n\n\n\n
    A single log line or structured log entry.<\/p>\n\n\n\n
    Example Apache log event:<\/p>\n\n\n
    192.168<\/span>.1<\/span>.10<\/span> - - [23<\/span>\/Jun\/2026<\/span>:10<\/span>:10<\/span>:00<\/span> +0000<\/span>] \"GET \/index.html HTTP\/1.1\"<\/span> 200<\/span> 1024<\/span>\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n
    Example Ubuntu auth log event:<\/p>\n\n\n
    Jun<\/span> 23 10:11<\/span>:12<\/span> ubuntu<\/span> sshd<\/span>[1234]<\/span>: Failed<\/span> password<\/span> for<\/span> invalid<\/span> user<\/span> admin<\/span> from<\/span> 10.0<\/span>.0<\/span>.5<\/span> port<\/span> 53321 ssh2<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
    \n\n\n\n
    3.2 Source<\/h2>\n\n\n\n
    The technology or integration that generated the log.<\/p>\n\n\n\n
    Examples:<\/p>\n\n\n
    source<\/span>:apache<\/span>\nsource<\/span>:syslog<\/span>\nsource<\/span>:linux<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
    \n\n\n\n
    3.3 Service<\/h2>\n\n\n\n
    The logical application or service name.<\/p>\n\n\n\n
    Examples:<\/p>\n\n\n
    service<\/span>:apache<\/span>\nservice<\/span>:ubuntu<\/span>\nservice<\/span>:web<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
    \n\n\n\n
    3.4 Host<\/h2>\n\n\n\n
    The server or VM that generated the log.<\/p>\n\n\n\n
    Example:<\/p>\n\n\n
    host<\/span>:ubuntu-demo<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
    \n\n\n\n
    3.5 Status<\/h2>\n\n\n\n
    The severity level of a log.<\/p>\n\n\n\n
    Common values:<\/p>\n\n\n
    status<\/span>:info<\/span>\nstatus<\/span>:warn<\/span>\nstatus<\/span>:error<\/span>\nstatus<\/span>:critical<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
    \n\n\n\n
    3.6 Attribute<\/h2>\n\n\n\n
    A parsed field from the log.<\/p>\n\n\n\n
    Examples:<\/p>\n\n\n
    @http<\/span>.status_code\n@http.method\n@http.url\n@network.client.ip\n@user.name\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
    Attributes usually use the @<\/code> prefix when searched.<\/p>\n\n\n\n
    \n\n\n\n
    3.7 Facet<\/h2>\n\n\n\n
    A facet is a searchable\/filterable field shown in the left-side panel.<\/p>\n\n\n\n
    Examples:<\/p>\n\n\n
    Source\nService\nHost\nStatus\nHTTP Status Code\nHTTP Method\nClient IP\nURL Path\n<\/code><\/span><\/pre>\n\n\n
    Facets make searching easier because students can click values instead of typing full queries.<\/p>\n\n\n\n
    \n\n\n\n
    4. Lab Flow Overview<\/h1>\n\n\n
    flowchart<\/span> TD<\/span>\n    A<\/span>[Open Datadog Log Explorer]<\/span> --<\/span>> B<\/span>[Confirm Logs Are Available]<\/span>\n    B<\/span> --<\/span>> C<\/span>[Filter by Time Range]<\/span>\n    C<\/span> --<\/span>> D<\/span>[Filter Ubuntu Logs]<\/span>\n    C<\/span> --<\/span>> E<\/span>[Filter Apache Logs]<\/span>\n    D<\/span> --<\/span>> F<\/span>[Search Linux Events]<\/span>\n    E<\/span> --<\/span>> G<\/span>[Search Apache Requests]<\/span>\n    F<\/span> --<\/span>> H<\/span>[Use Facets]<\/span>\n    G<\/span> --<\/span>> H<\/span>\n    H<\/span> --<\/span>> I<\/span>[Open Log Side Panel]<\/span>\n    I<\/span> --<\/span>> J<\/span>[Add Columns]<\/span>\n    J<\/span> --<\/span>> K<\/span>[Group and Visualize]<\/span>\n    K<\/span> --<\/span>> L<\/span>[Patterns and Live Tail]<\/span>\n    L<\/span> --<\/span>> M<\/span>[Create Saved Views]<\/span>\n    M<\/span> --<\/span>> N<\/span>[Final Troubleshooting Exercises]<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
    \n\n\n\n
    5. Lab 1: Open Datadog Log Explorer<\/h1>\n\n\n\n
    Goal<\/h2>\n\n\n\n
    Open the Datadog Logs Console and confirm that logs are visible.<\/p>\n\n\n\n
    Steps<\/h2>\n\n\n\n
      \n
    1. Log in to Datadog.<\/li>\n\n\n\n
    2. In the left menu, go to:<\/li>\n<\/ol>\n\n\n
      Logs \u2192 Explorer\n<\/code><\/span><\/pre>\n\n\n
        \n
      1. Set the time range to:<\/li>\n<\/ol>\n\n\n
        Past 15 minutes\n<\/code><\/span><\/pre>\n\n\n
          \n
        1. If no logs appear, change the time range to:<\/li>\n<\/ol>\n\n\n
          Past 1 hour\n<\/code><\/span><\/pre>\n\n\n
            \n
          1. If still no logs appear, change the time range to:<\/li>\n<\/ol>\n\n\n
            Past 24 hours\n<\/code><\/span><\/pre>\n\n\n
            Expected Result<\/h2>\n\n\n\n
            Students should see a list of log events.<\/p>\n\n\n\n
            Each row usually shows information such as:<\/p>\n\n\n
            Timestamp\nStatus\nHost\nService\nSource\nMessage\/content\n<\/code><\/span><\/pre>\n\n\n
            Student Check<\/h2>\n\n\n\n
            Write down:<\/p>\n\n\n
            Total logs visible: __________\nTime range used: __________\n<\/code><\/span><\/pre>\n\n\n
            \n\n\n\n
            6. Lab 2: Understand the Log Explorer Screen<\/h1>\n\n\n\n
            Goal<\/h2>\n\n\n\n
            Identify the main areas of Log Explorer.<\/p>\n\n\n\n
            Key UI Areas<\/h2>\n\n\n\n
            Students should locate:<\/p>\n\n\n
            Search bar\nTime range selector\nFacet panel\nLog list<\/span>\/table\nVisualization selector\nLog side panel\nSaved Views\nExport\/share options\n<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
            Exercise<\/h2>\n\n\n\n
            Click one log entry.<\/p>\n\n\n\n
            Observe the side panel.<\/p>\n\n\n\n
            Identify:<\/p>\n\n\n
            Timestamp\nHost\nSource\nService\nStatus\nMessage\nTags\nAttributes\n<\/code><\/span><\/pre>\n\n\n
            Student Check<\/h2>\n\n\n\n
            Write down any five fields visible in the selected log:<\/p>\n\n\n
            1. __________\n2. __________\n3. __________\n4. __________\n5. __________\n<\/code><\/span><\/pre>\n\n\n
            \n\n\n\n
            7. Lab 3: Discover Available Sources<\/h1>\n\n\n\n
            Goal<\/h2>\n\n\n\n
            Find out how Ubuntu and Apache logs are tagged in your Datadog environment.<\/p>\n\n\n\n
            Steps<\/h2>\n\n\n\n
              \n
            1. Clear the search bar.<\/li>\n\n\n\n
            2. Set time range:<\/li>\n<\/ol>\n\n\n
              Past 24 hours\n<\/code><\/span><\/pre>\n\n\n
                \n
              1. In the left facet panel, find:<\/li>\n<\/ol>\n\n\n
                Source\n<\/code><\/span><\/pre>\n\n\n
                  \n
                1. Expand the Source facet.<\/li>\n\n\n\n
                2. Look for values related to Apache or Linux.<\/li>\n<\/ol>\n\n\n\n
                  Possible values:<\/p>\n\n\n
                  apache\nsyslog\nubuntu\nlinux\nagent\n<\/code><\/span><\/pre>\n\n\n
                  Search Query Option<\/h2>\n\n\n\n
                  Students can also type:<\/p>\n\n\n
                  source<\/span>:apache<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                  Then try:<\/p>\n\n\n
                  source<\/span>:syslog<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                  Then try:<\/p>\n\n\n
                  source<\/span>:linux<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                  Expected Result<\/h2>\n\n\n\n
                  Datadog should show logs matching that source.<\/p>\n\n\n\n
                  Student Check<\/h2>\n\n\n\n
                  Write down the source values found:<\/p>\n\n\n
                  Apache source value: __________\nUbuntu\/Linux source value: __________\n<\/code><\/span><\/pre>\n\n\n
                  \n\n\n\n
                  8. Lab 4: Discover Services<\/h1>\n\n\n\n
                  Goal<\/h2>\n\n\n\n
                  Find the service names attached to Ubuntu and Apache logs.<\/p>\n\n\n\n
                  Steps<\/h2>\n\n\n\n
                    \n
                  1. Clear the search bar.<\/li>\n\n\n\n
                  2. Set time range:<\/li>\n<\/ol>\n\n\n
                    Past 24 hours\n<\/code><\/span><\/pre>\n\n\n
                      \n
                    1. In the left facet panel, expand:<\/li>\n<\/ol>\n\n\n
                      Service\n<\/code><\/span><\/pre>\n\n\n
                        \n
                      1. Look for Apache\/Linux-related services.<\/li>\n<\/ol>\n\n\n\n
                        Possible service values:<\/p>\n\n\n
                        apache\nweb\nubuntu\nsystem\nsyslog\n<\/code><\/span><\/pre>\n\n\n
                        Search Query Option<\/h2>\n\n\n\n
                        Try:<\/p>\n\n\n
                        service<\/span>:apache<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                        Try:<\/p>\n\n\n
                        service<\/span>:web<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                        Try:<\/p>\n\n\n
                        service<\/span>:ubuntu<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                        Student Check<\/h2>\n\n\n\n
                        Write down:<\/p>\n\n\n
                        Apache service value: __________\nUbuntu service value: __________\n<\/code><\/span><\/pre>\n\n\n
                        \n\n\n\n
                        9. Lab 5: Basic Free-Text Search<\/h1>\n\n\n\n
                        Goal<\/h2>\n\n\n\n
                        Search logs by words in the message\/content.<\/p>\n\n\n\n
                        Steps<\/h2>\n\n\n\n
                        In the search bar, try these one by one.<\/p>\n\n\n\n
                        Search for Apache<\/h3>\n\n\n
                        apache\n<\/code><\/span><\/pre>\n\n\n
                        Search for SSH<\/h3>\n\n\n
                        ssh\n<\/code><\/span><\/pre>\n\n\n
                        Search for failed logins<\/h3>\n\n\n
                        failed\n<\/code><\/span><\/pre>\n\n\n
                        Search for sudo<\/h3>\n\n\n
                        sudo\n<\/code><\/span><\/pre>\n\n\n
                        Search for cron<\/h3>\n\n\n
                        cron\n<\/code><\/span><\/pre>\n\n\n
                        Expected Result<\/h2>\n\n\n\n
                        Datadog displays logs where the message contains the searched term.<\/p>\n\n\n\n
                        Student Check<\/h2>\n\n\n\n
                        For each query, record whether logs were found:<\/p>\n\n\n\n
                        Query<\/th>Logs Found? Yes\/No<\/th><\/tr><\/thead>
                        apache<\/code><\/td><\/td><\/tr>
                        ssh<\/code><\/td><\/td><\/tr>
                        failed<\/code><\/td><\/td><\/tr>
                        sudo<\/code><\/td><\/td><\/tr>
                        cron<\/code><\/td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                        \n\n\n\n
                        10. Lab 6: Exact Phrase Search<\/h1>\n\n\n\n
                        Goal<\/h2>\n\n\n\n
                        Search for exact phrases.<\/p>\n\n\n\n
                        Steps<\/h2>\n\n\n\n
                        Try these queries:<\/p>\n\n\n
                        \"Failed password\"<\/span>\n<\/code><\/span>Code language:<\/span> JSON \/ JSON with Comments<\/span> (<\/span>json<\/span>)<\/span><\/small><\/pre>\n\n
                        \"Accepted password\"<\/span>\n<\/code><\/span>Code language:<\/span> JSON \/ JSON with Comments<\/span> (<\/span>json<\/span>)<\/span><\/small><\/pre>\n\n
                        \"Invalid user\"<\/span>\n<\/code><\/span>Code language:<\/span> JSON \/ JSON with Comments<\/span> (<\/span>json<\/span>)<\/span><\/small><\/pre>\n\n
                        \"GET \/\"<\/span>\n<\/code><\/span>Code language:<\/span> JSON \/ JSON with Comments<\/span> (<\/span>json<\/span>)<\/span><\/small><\/pre>\n\n
                        \"POST \/\"<\/span>\n<\/code><\/span>Code language:<\/span> JSON \/ JSON with Comments<\/span> (<\/span>json<\/span>)<\/span><\/small><\/pre>\n\n\n
                        Explanation<\/h2>\n\n\n\n
                        Double quotes search for a phrase.<\/p>\n\n\n\n
                        Use this when you want logs containing a specific sentence or phrase.<\/p>\n\n\n\n
                        Student Check<\/h2>\n\n\n\n
                        Which exact phrase returned the most logs?<\/p>\n\n\n
                        Answer<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                        \n\n\n\n
                        11. Lab 7: Boolean Search with AND<\/h1>\n\n\n\n
                        Goal<\/h2>\n\n\n\n
                        Search for logs that match multiple conditions.<\/p>\n\n\n\n
                        Syntax<\/h2>\n\n\n
                        term1 AND term2\n<\/code><\/span><\/pre>\n\n\n
                        If you enter two search terms without an operator, Datadog generally treats it like an AND-style search.<\/p>\n\n\n\n
                        Exercises<\/h2>\n\n\n\n
                        Search for SSH failed events:<\/p>\n\n\n
                        ssh AND failed\n<\/code><\/span><\/pre>\n\n\n
                        Search for Apache GET requests:<\/p>\n\n\n
                        apache AND GET\n<\/code><\/span><\/pre>\n\n\n
                        Search for sudo authentication events:<\/p>\n\n\n
                        sudo AND authentication\n<\/code><\/span><\/pre>\n\n\n
                        Search for failed password messages:<\/p>\n\n\n
                        failed AND password\n<\/code><\/span><\/pre>\n\n\n
                        Student Check<\/h2>\n\n\n\n
                        Which query is most useful for investigating failed SSH login attempts?<\/p>\n\n\n
                        Answer<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                        \n\n\n\n
                        12. Lab 8: Boolean Search with OR<\/h1>\n\n\n\n
                        Goal<\/h2>\n\n\n\n
                        Search for logs matching either one condition or another.<\/p>\n\n\n\n
                        Syntax<\/h2>\n\n\n
                        term1 OR term2\n<\/code><\/span><\/pre>\n\n\n
                        Exercises<\/h2>\n\n\n\n
                        Search for SSH or sudo logs:<\/p>\n\n\n
                        ssh OR sudo\n<\/code><\/span><\/pre>\n\n\n
                        Search for failed or invalid login logs:<\/p>\n\n\n
                        failed OR invalid\n<\/code><\/span><\/pre>\n\n\n
                        Search for GET or POST Apache requests:<\/p>\n\n\n
                        GET OR POST\n<\/code><\/span><\/pre>\n\n\n
                        Search for warning or error logs:<\/p>\n\n\n
                        status<\/span>:warn<\/span> OR<\/span> status<\/span>:error<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                        Student Check<\/h2>\n\n\n\n
                        How many logs are returned for:<\/p>\n\n\n
                        ssh OR sudo\n<\/code><\/span><\/pre>\n\n\n
                        Record count:<\/p>\n\n\n
                        Count<\/span>: __________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                        \n\n\n\n
                        13. Lab 9: Exclusion Search<\/h1>\n\n\n\n
                        Goal<\/h2>\n\n\n\n
                        Exclude unwanted logs from search results.<\/p>\n\n\n\n
                        Syntax<\/h2>\n\n\n
                        query -term\n<\/code><\/span><\/pre>\n\n\n
                        or:<\/p>\n\n\n
                        query AND -term\n<\/code><\/span><\/pre>\n\n\n
                        Exercises<\/h2>\n\n\n\n
                        Search for Apache logs but exclude successful 200 responses:<\/p>\n\n\n
                        source:apache AND -@http.status_code:200\n<\/code><\/span><\/pre>\n\n\n
                        If @http.status_code<\/code> does not exist in your logs, try:<\/p>\n\n\n
                        apache AND -200\n<\/code><\/span><\/pre>\n\n\n
                        Search for SSH logs but exclude accepted logins:<\/p>\n\n\n
                        ssh AND -accepted\n<\/code><\/span><\/pre>\n\n\n
                        Search for failed logs but exclude cron:<\/p>\n\n\n
                        failed AND -cron\n<\/code><\/span><\/pre>\n\n\n
                        Search for error logs but exclude Apache:<\/p>\n\n\n
                        status<\/span>:error<\/span> AND<\/span> -source<\/span>:apache<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                        Student Check<\/h2>\n\n\n\n
                        Why is exclusion useful?<\/p>\n\n\n
                        Answer<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                        \n\n\n\n
                        14. Lab 10: Filter by Time Range<\/h1>\n\n\n\n
                        Goal<\/h2>\n\n\n\n
                        Understand how time range changes the logs displayed.<\/p>\n\n\n\n
                        Steps<\/h2>\n\n\n\n
                        Run the same query with different time ranges.<\/p>\n\n\n\n
                        Query:<\/p>\n\n\n
                        source<\/span>:apache<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                        Time ranges:<\/p>\n\n\n
                        Past 15 minutes\nPast 1 hour\nPast 4 hours\nPast 24 hours\n<\/code><\/span><\/pre>\n\n\n
                        Student Check<\/h2>\n\n\n\n
                        Record the result count:<\/p>\n\n\n\n
                        Time Range<\/th>Result Count<\/th><\/tr><\/thead>
                        Past 15 minutes<\/td><\/td><\/tr>
                        Past 1 hour<\/td><\/td><\/tr>
                        Past 4 hours<\/td><\/td><\/tr>
                        Past 24 hours<\/td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                        Discussion<\/h2>\n\n\n\n
                        The larger the time range, the more logs you usually see.<\/p>\n\n\n\n
                        For real troubleshooting, start with a narrow time range around the incident.<\/p>\n\n\n\n
                        \n\n\n\n
                        15. Lab 11: Filter by Host<\/h1>\n\n\n\n
                        Goal<\/h2>\n\n\n\n
                        Show logs from a specific Ubuntu host.<\/p>\n\n\n\n
                        Steps<\/h2>\n\n\n\n
                          \n
                        1. Clear the search bar.<\/li>\n\n\n\n
                        2. Open the Host facet.<\/li>\n\n\n\n
                        3. Select one host.<\/li>\n\n\n\n
                        4. Observe the query automatically added.<\/li>\n<\/ol>\n\n\n\n
                          Example query:<\/p>\n\n\n
                          host<\/span>:ubuntu-demo<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                          Combine Host and Source<\/h2>\n\n\n\n
                          Search Apache logs from one host:<\/p>\n\n\n
                          host<\/span>:ubuntu-demo<\/span> source<\/span>:apache<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                          Search syslog\/Linux logs from one host:<\/p>\n\n\n
                          host<\/span>:ubuntu-demo<\/span> source<\/span>:syslog<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                          Replace ubuntu-demo<\/code> with your actual host name.<\/p>\n\n\n\n
                          Student Check<\/h2>\n\n\n\n
                          Write the host value used:<\/p>\n\n\n
                          Host<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                          \n\n\n\n
                          16. Lab 12: Filter by Status<\/h1>\n\n\n\n
                          Goal<\/h2>\n\n\n\n
                          Search logs by severity.<\/p>\n\n\n\n
                          Common Status Queries<\/h2>\n\n\n
                          status<\/span>:info<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n
                          status<\/span>:warn<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n
                          status<\/span>:error<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n
                          status<\/span>:critical<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                          Exercises<\/h2>\n\n\n\n
                          Search all error logs:<\/p>\n\n\n
                          status<\/span>:error<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                          Search Apache error logs:<\/p>\n\n\n
                          source<\/span>:apache<\/span> status<\/span>:error<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                          Search Ubuntu error logs:<\/p>\n\n\n
                          source<\/span>:syslog<\/span> status<\/span>:error<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                          If your source is different, replace source:syslog<\/code>.<\/p>\n\n\n\n
                          Student Check<\/h2>\n\n\n\n
                          Which source has more error logs?<\/p>\n\n\n
                          Apache \/ Ubuntu \/ Other: ____________________\n<\/code><\/span><\/pre>\n\n\n
                          \n\n\n\n
                          17. Lab 13: Apache Access Log Search<\/h1>\n\n\n\n
                          Goal<\/h2>\n\n\n\n
                          Search Apache access logs using HTTP-specific fields.<\/p>\n\n\n\n
                          Common Apache Fields<\/h2>\n\n\n\n
                          Depending on parsing, students may see fields such as:<\/p>\n\n\n
                          @http<\/span>.method\n@http.status_code\n@http.url\n@http.url_details.path\n@network.client.ip\n@http.useragent\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                          Step 1: Find Apache Logs<\/h2>\n\n\n\n
                          Try:<\/p>\n\n\n
                          source<\/span>:apache<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                          or:<\/p>\n\n\n
                          service<\/span>:apache<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                          Step 2: Open One Apache Log<\/h2>\n\n\n\n
                          Click an Apache access log.<\/p>\n\n\n\n
                          In the side panel, look for attributes such as:<\/p>\n\n\n
                          http\nnetwork\nurl\nstatus_code\nmethod\nclient_ip\n<\/code><\/span><\/pre>\n\n\n
                          Step 3: Search GET Requests<\/h2>\n\n\n\n
                          Try:<\/p>\n\n\n
                          @http.method:GET\n<\/code><\/span><\/pre>\n\n\n
                          If that does not work, try free text:<\/p>\n\n\n
                          GET\n<\/code><\/span><\/pre>\n\n\n
                          Step 4: Search POST Requests<\/h2>\n\n\n
                          @http.method:POST\n<\/code><\/span><\/pre>\n\n\n
                          Fallback:<\/p>\n\n\n
                          POST\n<\/code><\/span><\/pre>\n\n\n
                          Step 5: Search Status Code 200<\/h2>\n\n\n
                          @http.status_code:200\n<\/code><\/span><\/pre>\n\n\n
                          Fallback:<\/p>\n\n\n
                          200\n<\/code><\/span><\/pre>\n\n\n
                          Step 6: Search 404 Errors<\/h2>\n\n\n
                          @http.status_code:404\n<\/code><\/span><\/pre>\n\n\n
                          Fallback:<\/p>\n\n\n
                          404\n<\/code><\/span><\/pre>\n\n\n
                          Step 7: Search 5xx Errors<\/h2>\n\n\n
                          @http.status_code:[500 TO 599]\n<\/code><\/span><\/pre>\n\n\n
                          Fallback:<\/p>\n\n\n
                          500 OR 502 OR 503 OR 504\n<\/code><\/span><\/pre>\n\n\n
                          Student Check<\/h2>\n\n\n\n
                          Record counts:<\/p>\n\n\n\n
                          Query<\/th>Count<\/th><\/tr><\/thead>
                          Apache logs<\/td><\/td><\/tr>
                          GET requests<\/td><\/td><\/tr>
                          POST requests<\/td><\/td><\/tr>
                          HTTP 200<\/td><\/td><\/tr>
                          HTTP 404<\/td><\/td><\/tr>
                          HTTP 5xx<\/td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                          \n\n\n\n
                          18. Lab 14: Apache Troubleshooting Scenario \u2014 Find Broken URLs<\/h1>\n\n\n\n
                          Scenario<\/h2>\n\n\n\n
                          Users are reporting that some Apache pages are returning errors.<\/p>\n\n\n\n
                          Goal<\/h2>\n\n\n\n
                          Find which URLs are returning 404 or 5xx responses.<\/p>\n\n\n\n
                          Steps<\/h2>\n\n\n\n
                          Search 404 logs:<\/p>\n\n\n
                          source:apache @http.status_code:404\n<\/code><\/span><\/pre>\n\n\n
                          If attributes are not available:<\/p>\n\n\n
                          source<\/span>:apache<\/span> 404\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                          Open one 404 log.<\/p>\n\n\n\n
                          Look for URL\/path fields:<\/p>\n\n\n
                          @http<\/span>.url\n@http.url_details.path\n@url\n@request\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                          Add the URL\/path field as a column.<\/p>\n\n\n\n
                          Group by URL\/path using Log Analytics.<\/p>\n\n\n\n
                          Analytics Steps<\/h2>\n\n\n\n
                            \n
                          1. Search:<\/li>\n<\/ol>\n\n\n
                            source:apache @http.status_code:404\n<\/code><\/span><\/pre>\n\n\n
                              \n
                            1. Switch from log list to analytics\/visualization mode.<\/li>\n\n\n\n
                            2. Group by:<\/li>\n<\/ol>\n\n\n
                              @http<\/span>.url_details.path\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                              or:<\/p>\n\n\n
                              @http<\/span>.url\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                \n
                              1. Visualization:<\/li>\n<\/ol>\n\n\n
                                Top List<\/span>\n<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
                                  \n
                                1. Sort by count descending.<\/li>\n<\/ol>\n\n\n\n
                                  Expected Result<\/h2>\n\n\n\n
                                  Students should see top broken URLs.<\/p>\n\n\n\n
                                  Student Check<\/h2>\n\n\n\n
                                  Top broken URL\/path:<\/p>\n\n\n
                                  URL\/path<\/span>: ____________________\nCount<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                                  \n\n\n\n
                                  19. Lab 15: Apache Troubleshooting Scenario \u2014 Find Top Client IPs<\/h1>\n\n\n\n
                                  Goal<\/h2>\n\n\n\n
                                  Find which client IPs are generating the most Apache requests.<\/p>\n\n\n\n
                                  Query<\/h2>\n\n\n
                                  source<\/span>:apache<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                  Analytics Steps<\/h2>\n\n\n\n
                                    \n
                                  1. Open Log Analytics.<\/li>\n\n\n\n
                                  2. Group by one of these fields:<\/li>\n<\/ol>\n\n\n
                                    @network<\/span>.client.ip\n@http.client_ip\n@client_ip\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                      \n
                                    1. Visualization:<\/li>\n<\/ol>\n\n\n
                                      Top List<\/span>\n<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
                                        \n
                                      1. Sort by count.<\/li>\n<\/ol>\n\n\n\n
                                        Expected Result<\/h2>\n\n\n\n
                                        Students should see top client IP addresses.<\/p>\n\n\n\n
                                        Student Check<\/h2>\n\n\n\n
                                        Top client IP:<\/p>\n\n\n
                                        IP: ____________________\nRequest count: ____________________\n<\/code><\/span><\/pre>\n\n\n
                                        Bonus<\/h2>\n\n\n\n
                                        Find client IPs causing 404:<\/p>\n\n\n
                                        source:apache @http.status_code:404\n<\/code><\/span><\/pre>\n\n\n
                                        Group by:<\/p>\n\n\n
                                        @network<\/span>.client.ip\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                        \n\n\n\n
                                        20. Lab 16: Apache Troubleshooting Scenario \u2014 Identify Error Spikes<\/h1>\n\n\n\n
                                        Goal<\/h2>\n\n\n\n
                                        Use timeseries view to find when Apache errors increased.<\/p>\n\n\n\n
                                        Query<\/h2>\n\n\n
                                        source<\/span>:apache<\/span> status<\/span>:error<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                        or:<\/p>\n\n\n
                                        source:apache @http.status_code:[500 TO 599]\n<\/code><\/span><\/pre>\n\n\n
                                        Steps<\/h2>\n\n\n\n
                                          \n
                                        1. Set time range:<\/li>\n<\/ol>\n\n\n
                                          Past 24 hours\n<\/code><\/span><\/pre>\n\n\n
                                            \n
                                          1. Switch visualization to:<\/li>\n<\/ol>\n\n\n
                                            Timeseries\n<\/code><\/span><\/pre>\n\n\n
                                              \n
                                            1. Group by:<\/li>\n<\/ol>\n\n\n
                                              service\n<\/code><\/span><\/pre>\n\n\n
                                              or:<\/p>\n\n\n
                                              host\n<\/code><\/span><\/pre>\n\n\n
                                                \n
                                              1. Observe spikes.<\/li>\n<\/ol>\n\n\n\n
                                                Student Check<\/h2>\n\n\n\n
                                                Approximate time of highest spike:<\/p>\n\n\n
                                                Time<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                Possible cause:<\/p>\n\n\n
                                                Answer<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                \n\n\n\n
                                                21. Lab 17: Ubuntu Auth Logs \u2014 Failed SSH Login<\/h1>\n\n\n\n
                                                Goal<\/h2>\n\n\n\n
                                                Search Ubuntu authentication logs for failed SSH login attempts.<\/p>\n\n\n\n
                                                Queries<\/h2>\n\n\n\n
                                                Try these:<\/p>\n\n\n
                                                \"Failed password\"<\/span>\n<\/code><\/span>Code language:<\/span> JSON \/ JSON with Comments<\/span> (<\/span>json<\/span>)<\/span><\/small><\/pre>\n\n
                                                ssh AND failed\n<\/code><\/span><\/pre>\n\n
                                                sshd AND \"Failed password\"<\/span>\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n
                                                source<\/span>:syslog<\/span> sshd<\/span> failed<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                If your source is different, replace source:syslog<\/code>.<\/p>\n\n\n\n
                                                Open a Failed Login Log<\/h2>\n\n\n\n
                                                Look for fields or message content showing:<\/p>\n\n\n
                                                Username\nSource IP\nPort\nsshd process\nHost\nTimestamp\n<\/code><\/span><\/pre>\n\n\n
                                                Student Check<\/h2>\n\n\n\n
                                                Record one failed login example:<\/p>\n\n\n
                                                Username attempted: ____________________\nSource IP: ____________________\nHost: ____________________\nTimestamp: ____________________\n<\/code><\/span><\/pre>\n\n\n
                                                \n\n\n\n
                                                22. Lab 18: Ubuntu Auth Logs \u2014 Accepted SSH Login<\/h1>\n\n\n\n
                                                Goal<\/h2>\n\n\n\n
                                                Find successful SSH login events.<\/p>\n\n\n\n
                                                Queries<\/h2>\n\n\n
                                                \"Accepted password\"<\/span>\n<\/code><\/span>Code language:<\/span> JSON \/ JSON with Comments<\/span> (<\/span>json<\/span>)<\/span><\/small><\/pre>\n\n
                                                sshd AND accepted\n<\/code><\/span><\/pre>\n\n
                                                ssh AND accepted\n<\/code><\/span><\/pre>\n\n\n
                                                Compare Failed vs Accepted<\/h2>\n\n\n\n
                                                Failed:<\/p>\n\n\n
                                                \"Failed password\"<\/span>\n<\/code><\/span>Code language:<\/span> JSON \/ JSON with Comments<\/span> (<\/span>json<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                Accepted:<\/p>\n\n\n
                                                \"Accepted password\"<\/span>\n<\/code><\/span>Code language:<\/span> JSON \/ JSON with Comments<\/span> (<\/span>json<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                Student Check<\/h2>\n\n\n\n
                                                Which is higher?<\/p>\n\n\n
                                                Failed \/ Accepted: ____________________\n<\/code><\/span><\/pre>\n\n\n
                                                \n\n\n\n
                                                23. Lab 19: Ubuntu Sudo Activity<\/h1>\n\n\n\n
                                                Goal<\/h2>\n\n\n\n
                                                Search for sudo command usage.<\/p>\n\n\n\n
                                                Queries<\/h2>\n\n\n
                                                sudo\n<\/code><\/span><\/pre>\n\n
                                                sudo AND COMMAND\n<\/code><\/span><\/pre>\n\n
                                                \"sudo:\"<\/span> AND COMMAND\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n
                                                source<\/span>:syslog<\/span> sudo<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                Open One Sudo Log<\/h2>\n\n\n\n
                                                Look for:<\/p>\n\n\n
                                                User\nCommand\nWorking directory\nTarget user\nTimestamp\nHost\n<\/code><\/span><\/pre>\n\n\n
                                                Student Check<\/h2>\n\n\n\n
                                                Record one sudo command:<\/p>\n\n\n
                                                User<\/span>: ____________________\nCommand<\/span>: ____________________\nHost<\/span>: ____________________\nTime<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                \n\n\n\n
                                                24. Lab 20: Ubuntu Cron Logs<\/h1>\n\n\n\n
                                                Goal<\/h2>\n\n\n\n
                                                Search for scheduled job logs.<\/p>\n\n\n\n
                                                Queries<\/h2>\n\n\n
                                                cron\n<\/code><\/span><\/pre>\n\n
                                                CRON\n<\/code><\/span><\/pre>\n\n
                                                source<\/span>:syslog<\/span> cron<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n
                                                source<\/span>:syslog<\/span> CRON<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                Discussion<\/h2>\n\n\n\n
                                                Linux logs may have uppercase CRON<\/code>, depending on syslog format.<\/p>\n\n\n\n
                                                Student Check<\/h2>\n\n\n\n
                                                Did you find cron logs?<\/p>\n\n\n
                                                Yes \/ No: ____________________\n<\/code><\/span><\/pre>\n\n\n
                                                \n\n\n\n
                                                25. Lab 21: Ubuntu Systemd Logs<\/h1>\n\n\n\n
                                                Goal<\/h2>\n\n\n\n
                                                Find systemd service events.<\/p>\n\n\n\n
                                                Queries<\/h2>\n\n\n
                                                systemd\n<\/code><\/span><\/pre>\n\n
                                                source<\/span>:syslog<\/span> systemd<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n
                                                systemd AND started\n<\/code><\/span><\/pre>\n\n
                                                systemd AND stopped\n<\/code><\/span><\/pre>\n\n
                                                systemd AND failed\n<\/code><\/span><\/pre>\n\n\n
                                                Student Check<\/h2>\n\n\n\n
                                                Record one service-related event:<\/p>\n\n\n
                                                Service\/process<\/span>: ____________________\nMessage<\/span>: ____________________\nTimestamp<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                \n\n\n\n
                                                26. Lab 22: Wildcard Search<\/h1>\n\n\n\n
                                                Goal<\/h2>\n\n\n\n
                                                Use wildcard search to match partial words or patterns.<\/p>\n\n\n\n
                                                Apache Examples<\/h2>\n\n\n\n
                                                Search anything containing GET<\/code>:<\/p>\n\n\n
                                                *GET*\n<\/code><\/span><\/pre>\n\n\n
                                                Search services starting with apach<\/code>:<\/p>\n\n\n
                                                service<\/span>:apach<\/span>*\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                Search sources starting with sys<\/code>:<\/p>\n\n\n
                                                source<\/span>:sys<\/span>*\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                Search messages containing NETWORK<\/code>:<\/p>\n\n\n
                                                *NETWORK*\n<\/code><\/span><\/pre>\n\n\n
                                                Ubuntu Examples<\/h2>\n\n\n
                                                *fail*\n<\/code><\/span><\/pre>\n\n
                                                *auth*\n<\/code><\/span><\/pre>\n\n
                                                *sudo*\n<\/code><\/span><\/pre>\n\n\n
                                                Important Note<\/h2>\n\n\n\n
                                                Wildcard search can be useful, but avoid using very broad wildcards over large time ranges because it can return too many logs and slow down investigation.<\/p>\n\n\n\n
                                                Student Check<\/h2>\n\n\n\n
                                                Try:<\/p>\n\n\n
                                                *fail*\n<\/code><\/span><\/pre>\n\n\n
                                                Record the count:<\/p>\n\n\n
                                                Count<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                \n\n\n\n
                                                27. Lab 23: Attribute Search<\/h1>\n\n\n\n
                                                Goal<\/h2>\n\n\n\n
                                                Search structured fields with the @<\/code> prefix.<\/p>\n\n\n\n
                                                Examples<\/h2>\n\n\n\n
                                                Search a URL path:<\/p>\n\n\n
                                                @http.url_details.path:\"\/index.html\"<\/span>\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                Search HTTP status code:<\/p>\n\n\n
                                                @http.status_code:404\n<\/code><\/span><\/pre>\n\n\n
                                                Search HTTP method:<\/p>\n\n\n
                                                @http.method:GET\n<\/code><\/span><\/pre>\n\n\n
                                                Search client IP:<\/p>\n\n\n
                                                @network.client.ip:192.168.1.10\n<\/code><\/span><\/pre>\n\n\n
                                                Steps<\/h2>\n\n\n\n
                                                  \n
                                                1. Open an Apache log.<\/li>\n\n\n\n
                                                2. Find available attributes in the side panel.<\/li>\n\n\n\n
                                                3. Pick one attribute.<\/li>\n\n\n\n
                                                4. Click the attribute value.<\/li>\n\n\n\n
                                                5. Choose an option such as:<\/li>\n<\/ol>\n\n\n
                                                  Filter for<\/span> this<\/span> value\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                  or manually type the attribute query.<\/p>\n\n\n\n
                                                  Student Check<\/h2>\n\n\n\n
                                                  Write one attribute query you successfully used:<\/p>\n\n\n
                                                  Query<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                  \n\n\n\n
                                                  28. Lab 24: Numeric Range Search<\/h1>\n\n\n\n
                                                  Goal<\/h2>\n\n\n\n
                                                  Use range search for numeric fields.<\/p>\n\n\n\n
                                                  HTTP Status Ranges<\/h2>\n\n\n\n
                                                  Search successful responses:<\/p>\n\n\n
                                                  @http.status_code:[200 TO 299]\n<\/code><\/span><\/pre>\n\n\n
                                                  Search redirects:<\/p>\n\n\n
                                                  @http.status_code:[300 TO 399]\n<\/code><\/span><\/pre>\n\n\n
                                                  Search client errors:<\/p>\n\n\n
                                                  @http.status_code:[400 TO 499]\n<\/code><\/span><\/pre>\n\n\n
                                                  Search server errors:<\/p>\n\n\n
                                                  @http.status_code:[500 TO 599]\n<\/code><\/span><\/pre>\n\n\n
                                                  Response Time Example<\/h2>\n\n\n\n
                                                  If your Apache logs contain response time:<\/p>\n\n\n
                                                  @http.response_time:>100\n<\/code><\/span><\/pre>\n\n\n
                                                  or:<\/p>\n\n\n
                                                  @duration:>1000000\n<\/code><\/span><\/pre>\n\n\n
                                                  The exact field name depends on your parser.<\/p>\n\n\n\n
                                                  Student Check<\/h2>\n\n\n\n
                                                  Which HTTP status range has the highest count?<\/p>\n\n\n
                                                  2xx \/ 3xx \/ 4xx \/ 5xx: ____________________\n<\/code><\/span><\/pre>\n\n\n
                                                  \n\n\n\n
                                                  29. Lab 25: Facet Filtering<\/h1>\n\n\n\n
                                                  Goal<\/h2>\n\n\n\n
                                                  Use the left-side facet panel instead of typing all queries manually.<\/p>\n\n\n\n
                                                  Steps<\/h2>\n\n\n\n
                                                    \n
                                                  1. Clear the search bar.<\/li>\n\n\n\n
                                                  2. Set time range:<\/li>\n<\/ol>\n\n\n
                                                    Past 24 hours\n<\/code><\/span><\/pre>\n\n\n
                                                      \n
                                                    1. Use facets to filter:<\/li>\n<\/ol>\n\n\n
                                                      Source = apache\nStatus = error\nHost = your Ubuntu host\n<\/code><\/span><\/pre>\n\n\n
                                                        \n
                                                      1. Observe the query generated by Datadog.<\/li>\n<\/ol>\n\n\n\n
                                                        Example:<\/p>\n\n\n
                                                        source<\/span>:apache<\/span> status<\/span>:error<\/span> host<\/span>:ubuntu-demo<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                        Exercise<\/h2>\n\n\n\n
                                                        Use facets to build this investigation:<\/p>\n\n\n
                                                        Apache errors from<\/span> one host in<\/span> the past 24<\/span> hours\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                        Student Check<\/h2>\n\n\n\n
                                                        Final query generated:<\/p>\n\n\n
                                                        Query<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                        \n\n\n\n
                                                        30. Lab 26: Log Side Panel Deep Dive<\/h1>\n\n\n\n
                                                        Goal<\/h2>\n\n\n\n
                                                        Inspect one log fully.<\/p>\n\n\n\n
                                                        Steps<\/h2>\n\n\n\n
                                                          \n
                                                        1. Search:<\/li>\n<\/ol>\n\n\n
                                                          source<\/span>:apache<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                            \n
                                                          1. Click one log row.<\/li>\n\n\n\n
                                                          2. In the side panel, inspect:<\/li>\n<\/ol>\n\n\n
                                                            General context\nTags\nAttributes\nMessage\/content\nHost\nService\nSource\nStatus\n<\/code><\/span><\/pre>\n\n\n
                                                              \n
                                                            1. Click an attribute value.<\/li>\n\n\n\n
                                                            2. Try these actions if available:<\/li>\n<\/ol>\n\n\n
                                                              Add as<\/span> column\nFilter for<\/span> this<\/span> value\nExclude this<\/span> value\nCreate facet\nCopy value\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                              Student Check<\/h2>\n\n\n\n
                                                              Write down:<\/p>\n\n\n
                                                              Message<\/span>: ____________________\nSource<\/span>: ____________________\nService<\/span>: ____________________\nHost<\/span>: ____________________\nStatus<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                              \n\n\n\n
                                                              31. Lab 27: Add and Remove Columns<\/h1>\n\n\n\n
                                                              Goal<\/h2>\n\n\n\n
                                                              Customize the log list display.<\/p>\n\n\n\n
                                                              Steps<\/h2>\n\n\n\n
                                                                \n
                                                              1. Open one Apache log.<\/li>\n\n\n\n
                                                              2. Find the HTTP status field, for example:<\/li>\n<\/ol>\n\n\n
                                                                @http<\/span>.status_code\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                  \n
                                                                1. Add it as a column.<\/li>\n\n\n\n
                                                                2. Add HTTP method as a column:<\/li>\n<\/ol>\n\n\n
                                                                  @http<\/span>.method\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                    \n
                                                                  1. Add URL path as a column:<\/li>\n<\/ol>\n\n\n
                                                                    @http<\/span>.url_details.path\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                      \n
                                                                    1. Add client IP as a column:<\/li>\n<\/ol>\n\n\n
                                                                      @network<\/span>.client.ip\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                        \n
                                                                      1. Return to the log list and observe the table.<\/li>\n<\/ol>\n\n\n\n
                                                                        Recommended Apache Columns<\/h2>\n\n\n
                                                                        Time<\/span>\nHost<\/span>\nService<\/span>\nSource<\/span>\nStatus<\/span>\n@http<\/span>.method\n@http.status_code\n@http.url_details.path\n@network.client.ip\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                        Recommended Ubuntu Columns<\/h2>\n\n\n
                                                                        Time\nHost\nService\nSource\nStatus\nprocess\nmessage\nuser\n<\/code><\/span><\/pre>\n\n\n
                                                                        Actual field names may differ.<\/p>\n\n\n\n
                                                                        Student Check<\/h2>\n\n\n\n
                                                                        List the columns you added:<\/p>\n\n\n
                                                                        1. __________\n2. __________\n3. __________\n4. __________\n<\/code><\/span><\/pre>\n\n\n
                                                                        \n\n\n\n
                                                                        32. Lab 28: Display Logs by Newest and Oldest<\/h1>\n\n\n\n
                                                                        Goal<\/h2>\n\n\n\n
                                                                        Understand timestamp ordering.<\/p>\n\n\n\n
                                                                        Steps<\/h2>\n\n\n\n
                                                                          \n
                                                                        1. Search:<\/li>\n<\/ol>\n\n\n
                                                                          source<\/span>:apache<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                            \n
                                                                          1. Look at the timestamp column.<\/li>\n\n\n\n
                                                                          2. Change the display\/order if the UI allows:<\/li>\n<\/ol>\n\n\n
                                                                            Newest first\nOldest first\n<\/code><\/span><\/pre>\n\n\n
                                                                              \n
                                                                            1. Compare the first and last visible logs.<\/li>\n<\/ol>\n\n\n\n
                                                                              Student Check<\/h2>\n\n\n\n
                                                                              Newest visible log timestamp:<\/p>\n\n\n
                                                                              Timestamp<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                              Oldest visible log timestamp:<\/p>\n\n\n
                                                                              Timestamp<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                              \n\n\n\n
                                                                              33. Lab 29: Group Apache Logs by Status Code<\/h1>\n\n\n\n
                                                                              Goal<\/h2>\n\n\n\n
                                                                              Use Log Analytics to count logs by HTTP status code.<\/p>\n\n\n\n
                                                                              Steps<\/h2>\n\n\n\n
                                                                                \n
                                                                              1. Search:<\/li>\n<\/ol>\n\n\n
                                                                                source<\/span>:apache<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                  \n
                                                                                1. Switch to analytics\/grouping mode.<\/li>\n\n\n\n
                                                                                2. Group by:<\/li>\n<\/ol>\n\n\n
                                                                                  @http<\/span>.status_code\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                    \n
                                                                                  1. Visualization:<\/li>\n<\/ol>\n\n\n
                                                                                    Top List<\/span>\n<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                      \n
                                                                                    1. Sort by count descending.<\/li>\n<\/ol>\n\n\n\n
                                                                                      Expected Result<\/h2>\n\n\n\n
                                                                                      Students should see values like:<\/p>\n\n\n
                                                                                      200\n301\n302\n403\n404\n500\n<\/code><\/span><\/pre>\n\n\n
                                                                                      Student Check<\/h2>\n\n\n\n
                                                                                      Top HTTP status code:<\/p>\n\n\n
                                                                                      Status code: ____________________\nCount: ____________________\n<\/code><\/span><\/pre>\n\n\n
                                                                                      \n\n\n\n
                                                                                      34. Lab 30: Group Apache Logs by HTTP Method<\/h1>\n\n\n\n
                                                                                      Goal<\/h2>\n\n\n\n
                                                                                      Find request volume by HTTP method.<\/p>\n\n\n\n
                                                                                      Query<\/h2>\n\n\n
                                                                                      source<\/span>:apache<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                      Group By<\/h2>\n\n\n
                                                                                      @http<\/span>.method\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                      Expected Values<\/h2>\n\n\n
                                                                                      GET\nPOST\nPUT\nDELETE\nHEAD\nOPTIONS\n<\/code><\/span><\/pre>\n\n\n
                                                                                      Student Check<\/h2>\n\n\n\n
                                                                                      Most common HTTP method:<\/p>\n\n\n
                                                                                      Method<\/span>: ____________________\nCount<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                      \n\n\n\n
                                                                                      35. Lab 31: Group Apache Errors by URL Path<\/h1>\n\n\n\n
                                                                                      Goal<\/h2>\n\n\n\n
                                                                                      Identify which URL paths produce the most errors.<\/p>\n\n\n\n
                                                                                      Query<\/h2>\n\n\n
                                                                                      source:apache @http.status_code:[400 TO 599]\n<\/code><\/span><\/pre>\n\n\n
                                                                                      Fallback:<\/p>\n\n\n
                                                                                      source<\/span>:apache<\/span> 404 OR<\/span> 500 OR<\/span> 502 OR<\/span> 503\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                      Group By<\/h2>\n\n\n
                                                                                      @http<\/span>.url_details.path\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                      or:<\/p>\n\n\n
                                                                                      @http<\/span>.url\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                      Visualization<\/h2>\n\n\n
                                                                                      Top List<\/span>\n<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                      Student Check<\/h2>\n\n\n\n
                                                                                      Top error URL:<\/p>\n\n\n
                                                                                      URL\/path<\/span>: ____________________\nCount<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                      \n\n\n\n
                                                                                      36. Lab 32: Group Ubuntu Logs by Host<\/h1>\n\n\n\n
                                                                                      Goal<\/h2>\n\n\n\n
                                                                                      Find which host generates the most Linux logs.<\/p>\n\n\n\n
                                                                                      Query<\/h2>\n\n\n
                                                                                      source<\/span>:syslog<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                      or your actual Linux source.<\/p>\n\n\n\n
                                                                                      Group By<\/h2>\n\n\n
                                                                                      host\n<\/code><\/span><\/pre>\n\n\n
                                                                                      Visualization<\/h2>\n\n\n
                                                                                      Top List<\/span>\n<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                      Student Check<\/h2>\n\n\n\n
                                                                                      Top host:<\/p>\n\n\n
                                                                                      Host<\/span>: ____________________\nCount<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                      \n\n\n\n
                                                                                      37. Lab 33: Group Ubuntu Authentication Failures<\/h1>\n\n\n\n
                                                                                      Goal<\/h2>\n\n\n\n
                                                                                      Analyze failed login logs.<\/p>\n\n\n\n
                                                                                      Query<\/h2>\n\n\n
                                                                                      \"Failed password\"<\/span>\n<\/code><\/span>Code language:<\/span> JSON \/ JSON with Comments<\/span> (<\/span>json<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                      or:<\/p>\n\n\n
                                                                                      sshd AND failed\n<\/code><\/span><\/pre>\n\n\n
                                                                                      Group By Options<\/h2>\n\n\n\n
                                                                                      Depending on parsed fields, try:<\/p>\n\n\n
                                                                                      host<\/span>\n@user<\/span>.name\n@network.client.ip\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                      If no parsed fields exist, use Patterns instead.<\/p>\n\n\n\n
                                                                                      Student Check<\/h2>\n\n\n\n
                                                                                      Most common source IP or host:<\/p>\n\n\n
                                                                                      Value<\/span>: ____________________\nCount<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                      \n\n\n\n
                                                                                      38. Lab 34: Use Timeseries View<\/h1>\n\n\n\n
                                                                                      Goal<\/h2>\n\n\n\n
                                                                                      Display logs over time.<\/p>\n\n\n\n
                                                                                      Steps<\/h2>\n\n\n\n
                                                                                        \n
                                                                                      1. Search:<\/li>\n<\/ol>\n\n\n
                                                                                        source<\/span>:apache<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                          \n
                                                                                        1. Switch visualization to:<\/li>\n<\/ol>\n\n\n
                                                                                          Timeseries\n<\/code><\/span><\/pre>\n\n\n
                                                                                            \n
                                                                                          1. Set time range:<\/li>\n<\/ol>\n\n\n
                                                                                            Past 24 hours\n<\/code><\/span><\/pre>\n\n\n
                                                                                              \n
                                                                                            1. Group by:<\/li>\n<\/ol>\n\n\n
                                                                                              @http<\/span>.status_code\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                              or:<\/p>\n\n\n
                                                                                              status\n<\/code><\/span><\/pre>\n\n\n
                                                                                              Expected Result<\/h2>\n\n\n\n
                                                                                              Students should see log volume over time.<\/p>\n\n\n\n
                                                                                              Student Check<\/h2>\n\n\n\n
                                                                                              When was the highest Apache traffic?<\/p>\n\n\n
                                                                                              Time<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                              \n\n\n\n
                                                                                              39. Lab 35: Use Table View<\/h1>\n\n\n\n
                                                                                              Goal<\/h2>\n\n\n\n
                                                                                              Create a table-style log analysis.<\/p>\n\n\n\n
                                                                                              Steps<\/h2>\n\n\n\n
                                                                                                \n
                                                                                              1. Search:<\/li>\n<\/ol>\n\n\n
                                                                                                source<\/span>:apache<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                  \n
                                                                                                1. Switch to analytics.<\/li>\n\n\n\n
                                                                                                2. Choose visualization:<\/li>\n<\/ol>\n\n\n
                                                                                                  Table\n<\/code><\/span><\/pre>\n\n\n
                                                                                                    \n
                                                                                                  1. Group by:<\/li>\n<\/ol>\n\n\n
                                                                                                    @http<\/span>.status_code\n@http.method\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                      \n
                                                                                                    1. Measure:<\/li>\n<\/ol>\n\n\n
                                                                                                      count\n<\/code><\/span><\/pre>\n\n\n
                                                                                                      Expected Result<\/h2>\n\n\n\n
                                                                                                      A table showing count by status code and method.<\/p>\n\n\n\n
                                                                                                      Student Check<\/h2>\n\n\n\n
                                                                                                      Which method\/status combination is most common?<\/p>\n\n\n
                                                                                                      Method<\/span>: ____________________\nStatus<\/span>: ____________________\nCount<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                      \n\n\n\n
                                                                                                      40. Lab 36: Use Pie Chart<\/h1>\n\n\n\n
                                                                                                      Goal<\/h2>\n\n\n\n
                                                                                                      Display log distribution by category.<\/p>\n\n\n\n
                                                                                                      Query<\/h2>\n\n\n
                                                                                                      source<\/span>:apache<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                      Visualization<\/h2>\n\n\n
                                                                                                      Pie Chart\n<\/code><\/span><\/pre>\n\n\n
                                                                                                      Group By<\/h2>\n\n\n
                                                                                                      @http<\/span>.status_code\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                      or:<\/p>\n\n\n
                                                                                                      status\n<\/code><\/span><\/pre>\n\n\n
                                                                                                      Student Check<\/h2>\n\n\n\n
                                                                                                      Which category has the largest slice?<\/p>\n\n\n
                                                                                                      Answer<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                      \n\n\n\n
                                                                                                      41. Lab 37: Use Tree Map<\/h1>\n\n\n\n
                                                                                                      Goal<\/h2>\n\n\n\n
                                                                                                      Visualize large contributors.<\/p>\n\n\n\n
                                                                                                      Query<\/h2>\n\n\n
                                                                                                      source<\/span>:apache<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                      Visualization<\/h2>\n\n\n
                                                                                                      Tree Map<\/span>\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                      Group By<\/h2>\n\n\n
                                                                                                      @http<\/span>.url_details.path\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                      or:<\/p>\n\n\n
                                                                                                      @network<\/span>.client.ip\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                      Student Check<\/h2>\n\n\n\n
                                                                                                      Largest block:<\/p>\n\n\n
                                                                                                      Field value: ____________________\nCount: ____________________\n<\/code><\/span><\/pre>\n\n\n
                                                                                                      \n\n\n\n
                                                                                                      42. Lab 38: Log Patterns<\/h1>\n\n\n\n
                                                                                                      Goal<\/h2>\n\n\n\n
                                                                                                      Use patterns to identify repeated types of log messages.<\/p>\n\n\n\n
                                                                                                      Why Patterns Matter<\/h2>\n\n\n\n
                                                                                                      Raw logs can be noisy. Patterns group similar logs together so students can quickly identify repeated behavior.<\/p>\n\n\n\n
                                                                                                      Useful for:<\/p>\n\n\n
                                                                                                      Repeated Apache errors\nRepeated SSH failures\nRepeated sudo activity\nRepeated cron messages\nRepeated systemd messages\n<\/code><\/span><\/pre>\n\n\n
                                                                                                      Steps<\/h2>\n\n\n\n
                                                                                                        \n
                                                                                                      1. Search:<\/li>\n<\/ol>\n\n\n
                                                                                                        source<\/span>:syslog<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                        or:<\/p>\n\n\n
                                                                                                        source<\/span>:apache<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                          \n
                                                                                                        1. Switch view to:<\/li>\n<\/ol>\n\n\n
                                                                                                          Patterns\n<\/code><\/span><\/pre>\n\n\n
                                                                                                            \n
                                                                                                          1. Observe grouped messages.<\/li>\n\n\n\n
                                                                                                          2. Click a pattern to inspect matching logs.<\/li>\n<\/ol>\n\n\n\n
                                                                                                            Example Pattern Results<\/h2>\n\n\n\n
                                                                                                            Ubuntu:<\/p>\n\n\n
                                                                                                            Failed password for<\/span> invalid user * from<\/span> *\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                            Apache:<\/p>\n\n\n
                                                                                                            GET * HTTP\/1.1 404\n<\/code><\/span><\/pre>\n\n\n
                                                                                                            Student Check<\/h2>\n\n\n\n
                                                                                                            Write one pattern found:<\/p>\n\n\n
                                                                                                            Pattern<\/span>: ____________________\nCount<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                            \n\n\n\n
                                                                                                            43. Lab 39: Live Tail<\/h1>\n\n\n\n
                                                                                                            Goal<\/h2>\n\n\n\n
                                                                                                            Use Live Tail to see logs as they arrive.<\/p>\n\n\n\n
                                                                                                            Steps<\/h2>\n\n\n\n
                                                                                                              \n
                                                                                                            1. Open Datadog Log Explorer.<\/li>\n\n\n\n
                                                                                                            2. Change the time selector to:<\/li>\n<\/ol>\n\n\n
                                                                                                              Live Tail\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                \n
                                                                                                              1. Search:<\/li>\n<\/ol>\n\n\n
                                                                                                                source<\/span>:apache<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                  \n
                                                                                                                1. Generate Apache traffic from a browser or terminal if allowed.<\/li>\n\n\n\n
                                                                                                                2. Observe logs arriving.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                  Example command from a machine that can reach Apache:<\/p>\n\n\n
                                                                                                                  curl http:\/\/<apache-server-ip<\/span>><\/span>\/\n<\/code><\/span>Code language:<\/span> HTML, XML<\/span> (<\/span>xml<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                  Generate 404 traffic:<\/p>\n\n\n
                                                                                                                  curl http:\/\/<apache-server-ip<\/span>><\/span>\/does-not-exist\n<\/code><\/span>Code language:<\/span> HTML, XML<\/span> (<\/span>xml<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                  Important Note<\/h2>\n\n\n\n
                                                                                                                  Live Tail may sample logs when very high log volume is flowing. If students need to see a specific event, they should narrow the query using source, host, service, or status.<\/p>\n\n\n\n
                                                                                                                  Student Check<\/h2>\n\n\n\n
                                                                                                                  Did new logs appear in Live Tail?<\/p>\n\n\n
                                                                                                                  Yes \/ No: ____________________\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                  \n\n\n\n
                                                                                                                  44. Lab 40: Build a Saved View for Apache Errors<\/h1>\n\n\n\n
                                                                                                                  Goal<\/h2>\n\n\n\n
                                                                                                                  Create a reusable troubleshooting view.<\/p>\n\n\n\n
                                                                                                                  Query<\/h2>\n\n\n
                                                                                                                  source<\/span>:apache<\/span> status<\/span>:error<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                  or:<\/p>\n\n\n
                                                                                                                  source:apache @http.status_code:[400 TO 599]\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                  Recommended Time Range<\/h2>\n\n\n
                                                                                                                  Past 24 hours\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                  Recommended Columns<\/h2>\n\n\n
                                                                                                                  Time<\/span>\nHost<\/span>\n@http<\/span>.status_code\n@http.method\n@http.url_details.path\n@network.client.ip\nMessage\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                  Steps<\/h2>\n\n\n\n
                                                                                                                    \n
                                                                                                                  1. Apply query.<\/li>\n\n\n\n
                                                                                                                  2. Add useful columns.<\/li>\n\n\n\n
                                                                                                                  3. Choose a useful visualization, such as:<\/li>\n<\/ol>\n\n\n
                                                                                                                    Log Stream\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                    or:<\/p>\n\n\n
                                                                                                                    Top<\/span> List<\/span> grouped<\/span> by<\/span> @http<\/span>.status_code\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                      \n
                                                                                                                    1. Save the view.<\/li>\n\n\n\n
                                                                                                                    2. Name it:<\/li>\n<\/ol>\n\n\n
                                                                                                                      Apache Error<\/span> Troubleshooting\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                      Student Check<\/h2>\n\n\n\n
                                                                                                                      Saved View name:<\/p>\n\n\n
                                                                                                                      Name<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                      \n\n\n\n
                                                                                                                      45. Lab 41: Build a Saved View for Ubuntu Authentication<\/h1>\n\n\n\n
                                                                                                                      Goal<\/h2>\n\n\n\n
                                                                                                                      Create a reusable view for Linux authentication events.<\/p>\n\n\n\n
                                                                                                                      Query<\/h2>\n\n\n
                                                                                                                      sshd OR sudo OR \"Failed password\"<\/span> OR \"Accepted password\"<\/span>\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                      Optional source-scoped query:<\/p>\n\n\n
                                                                                                                      source:syslog (sshd OR sudo OR \"Failed password\"<\/span> OR \"Accepted password\"<\/span>)\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                      Recommended Time Range<\/h2>\n\n\n
                                                                                                                      Past 24 hours\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                      Recommended Columns<\/h2>\n\n\n
                                                                                                                      Time\nHost\nSource\nStatus\nMessage\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                      Save View Name<\/h2>\n\n\n
                                                                                                                      Ubuntu Authentication Activity\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                      Student Check<\/h2>\n\n\n\n
                                                                                                                      Saved View created?<\/p>\n\n\n
                                                                                                                      Yes \/ No: ____________________\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                      \n\n\n\n
                                                                                                                      46. Lab 42: Build a Saved View for Apache 404 Investigation<\/h1>\n\n\n\n
                                                                                                                      Goal<\/h2>\n\n\n\n
                                                                                                                      Create a saved view for broken URL troubleshooting.<\/p>\n\n\n\n
                                                                                                                      Query<\/h2>\n\n\n
                                                                                                                      source:apache @http.status_code:404\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                      Fallback:<\/p>\n\n\n
                                                                                                                      source<\/span>:apache<\/span> 404\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                      Group By<\/h2>\n\n\n
                                                                                                                      @http<\/span>.url_details.path\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                      Visualization<\/h2>\n\n\n
                                                                                                                      Top List<\/span>\n<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                      Save View Name<\/h2>\n\n\n
                                                                                                                      Apache 404 Broken URL Analysis\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                      Student Check<\/h2>\n\n\n\n
                                                                                                                      Saved View created?<\/p>\n\n\n
                                                                                                                      Yes \/ No: ____________________\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                      \n\n\n\n
                                                                                                                      47. Lab 43: Export or Share Logs<\/h1>\n\n\n\n
                                                                                                                      Goal<\/h2>\n\n\n\n
                                                                                                                      Share investigation results with a teammate.<\/p>\n\n\n\n
                                                                                                                      Steps<\/h2>\n\n\n\n
                                                                                                                        \n
                                                                                                                      1. Open one useful search, for example:<\/li>\n<\/ol>\n\n\n
                                                                                                                        source:apache @http.status_code:[500 TO 599]\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          \n
                                                                                                                        1. Use Datadog share\/export options.<\/li>\n\n\n\n
                                                                                                                        2. Copy the view link or export the selected result if your permissions allow.<\/li>\n\n\n\n
                                                                                                                        3. Open one individual log.<\/li>\n\n\n\n
                                                                                                                        4. Use the side panel share\/copy option if available.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                          Student Check<\/h2>\n\n\n\n
                                                                                                                          What did you share\/export?<\/p>\n\n\n
                                                                                                                          View link \/ Log JSON<\/span> \/ CSV \/ Screenshot \/ Other: ____________________\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          48. Lab 44: Practical Investigation 1 \u2014 Apache 404 Spike<\/h1>\n\n\n\n
                                                                                                                          Scenario<\/h2>\n\n\n\n
                                                                                                                          A website owner reports that users are seeing \u201cpage not found\u201d errors.<\/p>\n\n\n\n
                                                                                                                          Student Task<\/h2>\n\n\n\n
                                                                                                                          Find:<\/p>\n\n\n
                                                                                                                          How many 404 logs exist?\nWhich URL has the most 404s?\nWhich client IP generated the most 404s?\nWhich host served those errors?\nWhen did the 404s happen?\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          Suggested Queries<\/h2>\n\n\n
                                                                                                                          source:apache @http.status_code:404\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          Fallback:<\/p>\n\n\n
                                                                                                                          source<\/span>:apache<\/span> 404\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                          Suggested Groupings<\/h2>\n\n\n
                                                                                                                          @http<\/span>.url_details.path\n@network.client.ip\nhost\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                          Student Answer<\/h2>\n\n\n
                                                                                                                          Total 404 logs: ____________________\nTop broken URL: ____________________\nTop client IP: ____________________\nTop host: ____________________\nPeak time: ____________________\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          49. Lab 45: Practical Investigation 2 \u2014 Apache Server Error<\/h1>\n\n\n\n
                                                                                                                          Scenario<\/h2>\n\n\n\n
                                                                                                                          Users report HTTP 500 errors.<\/p>\n\n\n\n
                                                                                                                          Student Task<\/h2>\n\n\n\n
                                                                                                                          Find:<\/p>\n\n\n
                                                                                                                          How many 5xx errors occurred?\nWhich endpoint had the most errors?\nWhich host generated them?\nWere errors concentrated at one time?\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          Query<\/h2>\n\n\n
                                                                                                                          source:apache @http.status_code:[500 TO 599]\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          Fallback:<\/p>\n\n\n
                                                                                                                          source<\/span>:apache<\/span> 500 OR<\/span> 502 OR<\/span> 503 OR<\/span> 504\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                          Visualizations<\/h2>\n\n\n
                                                                                                                          Timeseries<\/span> grouped<\/span> by<\/span> host<\/span>\nTop<\/span> List<\/span> grouped<\/span> by<\/span> @http<\/span>.url_details.path\nTable grouped by @http.status_code and<\/span> host\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                          Student Answer<\/h2>\n\n\n
                                                                                                                          Total 5xx logs: ____________________\nTop endpoint: ____________________\nTop host: ____________________\nPeak time: ____________________\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          50. Lab 46: Practical Investigation 3 \u2014 Failed SSH Login Attempts<\/h1>\n\n\n\n
                                                                                                                          Scenario<\/h2>\n\n\n\n
                                                                                                                          Security team suspects repeated SSH login failures.<\/p>\n\n\n\n
                                                                                                                          Student Task<\/h2>\n\n\n\n
                                                                                                                          Find:<\/p>\n\n\n
                                                                                                                          How many failed SSH attempts happened?\nWhich host was targeted?\nWhich username was attempted?\nWhich source IP appeared most often?\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          Query<\/h2>\n\n\n
                                                                                                                          \"Failed password\"<\/span>\n<\/code><\/span>Code language:<\/span> JSON \/ JSON with Comments<\/span> (<\/span>json<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                          or:<\/p>\n\n\n
                                                                                                                          sshd AND failed\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          Grouping Options<\/h2>\n\n\n\n
                                                                                                                          Try:<\/p>\n\n\n
                                                                                                                          host<\/span>\n@user<\/span>.name\n@network.client.ip\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                          If parsed fields are missing, use Patterns and manual inspection.<\/p>\n\n\n\n
                                                                                                                          Student Answer<\/h2>\n\n\n
                                                                                                                          Total failed attempts: ____________________\nTop host: ____________________\nTop username: ____________________\nTop source IP: ____________________\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          51. Lab 47: Practical Investigation 4 \u2014 Sudo Activity<\/h1>\n\n\n\n
                                                                                                                          Scenario<\/h2>\n\n\n\n
                                                                                                                          Admin wants to review sudo usage.<\/p>\n\n\n\n
                                                                                                                          Query<\/h2>\n\n\n
                                                                                                                          sudo AND COMMAND\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          or:<\/p>\n\n\n
                                                                                                                          source<\/span>:syslog<\/span> sudo<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                          Student Task<\/h2>\n\n\n\n
                                                                                                                          Find:<\/p>\n\n\n
                                                                                                                          Which users ran sudo?\nWhich commands were run?\nWhich host generated the logs?\nWhen did sudo activity happen?\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          Student Answer<\/h2>\n\n\n
                                                                                                                          User<\/span>: ____________________\nCommand<\/span>: ____________________\nHost<\/span>: ____________________\nTimestamp<\/span>: ____________________\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          52. Lab 48: Practical Investigation 5 \u2014 Linux Service Problems<\/h1>\n\n\n\n
                                                                                                                          Scenario<\/h2>\n\n\n\n
                                                                                                                          A Linux service may have failed or restarted.<\/p>\n\n\n\n
                                                                                                                          Queries<\/h2>\n\n\n
                                                                                                                          systemd AND failed\n<\/code><\/span><\/pre>\n\n
                                                                                                                          systemd AND stopped\n<\/code><\/span><\/pre>\n\n
                                                                                                                          systemd AND started\n<\/code><\/span><\/pre>\n\n
                                                                                                                          status<\/span>:error<\/span> source<\/span>:syslog<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                          Student Task<\/h2>\n\n\n\n
                                                                                                                          Find:<\/p>\n\n\n
                                                                                                                          Which service had an issue?\nWhich host?\nWhat time?\nWas it started\/stopped\/failed?\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          Student Answer<\/h2>\n\n\n
                                                                                                                          Service\/process: ____________________\nHost: ____________________\nEvent type: ____________________\nTimestamp: ____________________\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          53. Lab 49: Advanced Query Cheat Sheet<\/h1>\n\n\n\n
                                                                                                                          General Search<\/h2>\n\n\n
                                                                                                                          apache\n<\/code><\/span><\/pre>\n\n
                                                                                                                          ssh\n<\/code><\/span><\/pre>\n\n
                                                                                                                          sudo\n<\/code><\/span><\/pre>\n\n
                                                                                                                          cron\n<\/code><\/span><\/pre>\n\n
                                                                                                                          systemd\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          Exact Phrase<\/h2>\n\n\n
                                                                                                                          \"Failed password\"<\/span>\n<\/code><\/span>Code language:<\/span> JSON \/ JSON with Comments<\/span> (<\/span>json<\/span>)<\/span><\/small><\/pre>\n\n
                                                                                                                          \"Accepted password\"<\/span>\n<\/code><\/span>Code language:<\/span> JSON \/ JSON with Comments<\/span> (<\/span>json<\/span>)<\/span><\/small><\/pre>\n\n
                                                                                                                          \"GET \/index.html\"<\/span>\n<\/code><\/span>Code language:<\/span> JSON \/ JSON with Comments<\/span> (<\/span>json<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          Boolean Operators<\/h2>\n\n\n
                                                                                                                          ssh AND failed\n<\/code><\/span><\/pre>\n\n
                                                                                                                          ssh OR sudo\n<\/code><\/span><\/pre>\n\n
                                                                                                                          apache AND -200\n<\/code><\/span><\/pre>\n\n
                                                                                                                          status<\/span>:error<\/span> AND<\/span> source<\/span>:apache<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          Tags and Reserved Attributes<\/h2>\n\n\n
                                                                                                                          source<\/span>:apache<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n
                                                                                                                          service<\/span>:apache<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n
                                                                                                                          host<\/span>:ubuntu-demo<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n
                                                                                                                          status<\/span>:error<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          Attribute Search<\/h2>\n\n\n
                                                                                                                          @http.method:GET\n<\/code><\/span><\/pre>\n\n
                                                                                                                          @http.status_code:404\n<\/code><\/span><\/pre>\n\n
                                                                                                                          @http.url_details.path:\"\/index.html\"<\/span>\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n
                                                                                                                          @network.client.ip:192.168.1.10\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          Range Search<\/h2>\n\n\n
                                                                                                                          @http.status_code:[200 TO 299]\n<\/code><\/span><\/pre>\n\n
                                                                                                                          @http.status_code:[400 TO 499]\n<\/code><\/span><\/pre>\n\n
                                                                                                                          @http.status_code:[500 TO 599]\n<\/code><\/span><\/pre>\n\n
                                                                                                                          @http.response_time:>100\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          Wildcard<\/h2>\n\n\n
                                                                                                                          service<\/span>:apach<\/span>*\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n
                                                                                                                          source<\/span>:sys<\/span>*\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n
                                                                                                                          *fail*\n<\/code><\/span><\/pre>\n\n
                                                                                                                          *auth*\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          54. Lab 50: Student Final Challenge<\/h1>\n\n\n\n
                                                                                                                          Final Scenario<\/h2>\n\n\n\n
                                                                                                                          You are the on-call engineer. A manager says:<\/p>\n\n\n
                                                                                                                          The website had issues today, and we also saw suspicious login activity on the server.\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          Student Mission<\/h2>\n\n\n\n
                                                                                                                          Use Datadog Logs Explorer to answer:<\/p>\n\n\n\n
                                                                                                                          Apache\/Web Questions<\/h3>\n\n\n
                                                                                                                          1. How many Apache logs were generated in the past 24 hours?\n2. How many HTTP 4xx responses occurred?\n3. How many HTTP 5xx responses occurred?\n4. Which URL\/path had the most errors?\n5. Which client IP generated the most requests?\n6. Which host served the most errors?\n7. What time did the highest error spike happen?\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          Ubuntu\/Linux Questions<\/h3>\n\n\n
                                                                                                                          1. How many failed SSH login attempts occurred?\n2. Were there successful SSH logins?\n3. Which host had the most authentication activity?\n4. Were any sudo commands run?\n5. Were there any systemd failed\/stopped service messages?\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          Deliverable<\/h3>\n\n\n\n
                                                                                                                          Students must submit:<\/p>\n\n\n
                                                                                                                          1. Queries used\n2. Screenshots of Log Explorer results\n3. Top findings\n4. Saved View names created\n5. One short incident summary\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          55. Sample Student Incident Summary<\/h1>\n\n\n\n
                                                                                                                          Use this template:<\/p>\n\n\n
                                                                                                                          Incident Summary:\n\nTime range investigated:\nPast 24 hours\n\nApache findings:\n- Total Apache logs:\n- Total 4xx errors:\n- Total 5xx errors:\n- Top error URL:\n- Top client IP:\n- Peak error time:\n\nUbuntu\/Linux findings:\n- Failed SSH attempts:\n- Successful SSH attempts:\n- Sudo activity:\n- Systemd\/service errors:\n\nConclusion:\nThe main web issue appears to be related to __________.\nThe main Linux\/security observation is __________.\n\nNext recommended action:\n__________.\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          56. Instructor Validation Checklist<\/h1>\n\n\n\n
                                                                                                                          Before running this lab, the instructor should verify:<\/p>\n\n\n
                                                                                                                          Datadog Agent is sending logs\nUbuntu\/Linux logs are visible\nApache access logs are visible\nApache error logs are visible\nLogs have source tags\nLogs have service tags\nHost field is visible\nApache fields are parsed, if possible\nStudents have Log Explorer access\nStudents can create Saved Views, if required\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          57. Troubleshooting During Lab<\/h1>\n\n\n\n
                                                                                                                          Problem: No logs visible<\/h2>\n\n\n\n
                                                                                                                          Try:<\/p>\n\n\n
                                                                                                                          Increase time range to Past 24 hours\nClear search query\nCheck source facet\nCheck host facet\nConfirm logs are ingested\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          Problem: Apache source does not work<\/h2>\n\n\n\n
                                                                                                                          Try:<\/p>\n\n\n
                                                                                                                          service<\/span>:apache<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n
                                                                                                                          apache\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          Look at the Source facet and find the actual source value.<\/p>\n\n\n\n
                                                                                                                          Problem: @http.status_code<\/code> does not work<\/h2>\n\n\n\n
                                                                                                                          Apache logs may not be parsed into HTTP attributes.<\/p>\n\n\n\n
                                                                                                                          Fallback:<\/p>\n\n\n
                                                                                                                          source<\/span>:apache<\/span> 404\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n
                                                                                                                          source<\/span>:apache<\/span> 500\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                          Ask instructor to check Apache log pipeline\/parser.<\/p>\n\n\n\n
                                                                                                                          Problem: @network.client.ip<\/code> does not exist<\/h2>\n\n\n\n
                                                                                                                          Try:<\/p>\n\n\n
                                                                                                                          @client<\/span>.ip\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n
                                                                                                                          @client_ip<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n
                                                                                                                          @http<\/span>.client_ip\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                          Or inspect one Apache log in the side panel and find the actual field.<\/p>\n\n\n\n
                                                                                                                          Problem: Ubuntu source is not syslog<\/code><\/h2>\n\n\n\n
                                                                                                                          Check the Source facet.<\/p>\n\n\n\n
                                                                                                                          Possible alternatives:<\/p>\n\n\n
                                                                                                                          source<\/span>:ubuntu<\/span>\nsource<\/span>:linux<\/span>\nsource<\/span>:system<\/span>\nsource<\/span>:agent<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                          Problem: Too many logs<\/h2>\n\n\n\n
                                                                                                                          Narrow query using:<\/p>\n\n\n
                                                                                                                          source\nservice\nhost\nstatus\ntime range\nspecific phrase\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          Example:<\/p>\n\n\n
                                                                                                                          source:apache host:ubuntu-demo @http.status_code:404\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          58. Best Practices Students Should Remember<\/h1>\n\n\n\n
                                                                                                                          Use narrow time ranges first<\/h2>\n\n\n\n
                                                                                                                          Start with:<\/p>\n\n\n
                                                                                                                          Past 15 minutes\nPast 1 hour\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          Then expand if needed.<\/p>\n\n\n\n
                                                                                                                          Use facets before complex queries<\/h2>\n\n\n\n
                                                                                                                          Facets help avoid spelling mistakes and reveal actual available values.<\/p>\n\n\n\n
                                                                                                                          Prefer attributes for accurate search<\/h2>\n\n\n\n
                                                                                                                          Better:<\/p>\n\n\n
                                                                                                                          @http.status_code:404\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          Less accurate:<\/p>\n\n\n
                                                                                                                          404\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          Use exact phrase search for known messages<\/h2>\n\n\n\n
                                                                                                                          Example:<\/p>\n\n\n
                                                                                                                          \"Failed password\"<\/span>\n<\/code><\/span>Code language:<\/span> JSON \/ JSON with Comments<\/span> (<\/span>json<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                          Use exclusion to remove noise<\/h2>\n\n\n\n
                                                                                                                          Example:<\/p>\n\n\n
                                                                                                                          source:apache AND -@http.status_code:200\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          Add useful columns<\/h2>\n\n\n\n
                                                                                                                          Good columns make troubleshooting faster.<\/p>\n\n\n\n
                                                                                                                          Save repeatable views<\/h2>\n\n\n\n
                                                                                                                          Create Saved Views for common troubleshooting scenarios.<\/p>\n\n\n\n
                                                                                                                          Use Patterns when logs are noisy<\/h2>\n\n\n\n
                                                                                                                          Patterns quickly reveal repeated messages.<\/p>\n\n\n\n
                                                                                                                          Use Analytics for counts and grouping<\/h2>\n\n\n\n
                                                                                                                          Analytics helps answer \u201chow many,\u201d \u201cwhich one,\u201d and \u201cwhen.\u201d<\/p>\n\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          59. Recommended Lab Timing<\/h1>\n\n\n\n
                                                                                                                          Section<\/th>Time<\/th><\/tr><\/thead>
                                                                                                                          Introduction and UI tour<\/td>10 minutes<\/td><\/tr>
                                                                                                                          Basic search\/filter<\/td>20 minutes<\/td><\/tr>
                                                                                                                          Apache log exercises<\/td>30 minutes<\/td><\/tr>
                                                                                                                          Ubuntu log exercises<\/td>30 minutes<\/td><\/tr>
                                                                                                                          Facets, columns, side panel<\/td>20 minutes<\/td><\/tr>
                                                                                                                          Analytics and visualizations<\/td>30 minutes<\/td><\/tr>
                                                                                                                          Saved Views and export<\/td>15 minutes<\/td><\/tr>
                                                                                                                          Final challenge<\/td>45 minutes<\/td><\/tr>
                                                                                                                          Review and discussion<\/td>20 minutes<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                                                                                                                          Total suggested duration:<\/p>\n\n\n
                                                                                                                          3 to 4 hours\n<\/code><\/span><\/pre>\n\n\n
                                                                                                                          For a shorter workshop, run Labs 1\u201318, 25\u201331, and the Final Challenge.<\/p>\n\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          60. Final Learning Outcome<\/h1>\n\n\n\n
                                                                                                                          After completing this lab, students should be comfortable using Datadog Logs Explorer to:<\/p>\n\n\n
                                                                                                                          Search logs\nFilter logs\nSort and<\/span> display logs\nInspect log attributes\nUse<\/span> facets<\/span>\nAnalyze<\/span> Apache<\/span> access<\/span>\/error<\/span> logs<\/span>\nAnalyze<\/span> Ubuntu<\/span> Linux<\/span> logs<\/span>\nFind<\/span> failed<\/span> SSH<\/span> attempts<\/span>\nFind<\/span> sudo<\/span> activity<\/span>\nFind<\/span> Apache<\/span> 404\/5xx<\/span> errors<\/span>\nCreate<\/span> useful<\/span> columns<\/span>\nGroup<\/span> logs<\/span> by<\/span> fields<\/span>\nUse<\/span> visualizations<\/span>\nUse<\/span> patterns<\/span>\nUse<\/span> Live<\/span> Tail<\/span>\nCreate<\/span> Saved<\/span> Views<\/span>\nSummarize<\/span> troubleshooting<\/span> findings<\/span>\n<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
                                                                                                                          This lab gives students the foundation needed for real-world log troubleshooting in Datadog.<\/p>\n\n\n\n
                                                                                                                          Older Content As Below<\/h3>\n\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          \n\n\n\n