I have been beating my head over the table over this for two days and I have been unsuccessful. Currently I have firewall logs coming in via a Syslog port configured on GrayLog. There are not many fields extracted other than Message, Source, and a couple of others. The log is comma separated and has various pieces of info like DNS names of devices and various IP addresses. The standard things you’d see in these types of logs. My question is: How do I write a query that would only show me logs from that source that have a certain piece of info in it? Such as a certain IP address in it, or a certain string in the log (I’m assuming an IP address in this instance would be a string) and only show logs with that IP address in it or whatever word I chose that would be in the message body? I can provide a screenshot if needed but I’d have to modify it for security reasons before posting.
Please provide some example messages and some queries you’d like to run against them.
Hey Jochen,
Thanks so much for the response. Here’s an example log:
source:
pa3050.fw.palm-4c.u38
message:
1,2018/02/23 15:36:19,00000000000,TRAFFIC,end,1,2018/02/23 15:36:19,192.168.1.50,5.5.5.5,0.0.0.0,0.0.0.0,untrust to webfront sites,ssl,vsys1,untrust,dmz-webfront,ethernet1/1,ethernet1/4,Critical-High Threat SyslogOnly,2018/02/23 15:36:19,139955,1,55007,443,0,0,0x1c,tcp,allow,3065,1256,1809,19,2018/02/23 15:36:00,20,financial-services,0,1111111111,0x0,US,US,0,11,8,tcp-fin,0,0,0,0,PA3050.FW.PALM-4C.U38,from-policy
As an example I want to find all logs during a specific time frame that has 192.168.1.50 from the source specified above.
Also just as an FYI I used backslash before the - to escape it out per GrayLog documentation and doing a search for that source only produces results but it shows ALL logs because obviously I didn’t try to narrow down results on what I am looking for from within the message.
Any Ideas? Just curious.
Hej @Sparky
I would normalize the messages into separated fields during ingest - that would make it more intuitive to search for the information. In the end you would save resources doing this.
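The normalization Jochen suggests, as an added Python example (not from the thread, and not Graylog's own extractor code): it splits the posted TRAFFIC line into named fields, filters by source host plus a field value instead of substring-matching the whole message, and builds the escaped query string you could run once those fields exist. The field names are assumed from the posted line only.

```python
import csv
import io
# Constructed sample records: the poster's example line plus two variants (another
# source host, another client IP) so the filter has something to reject.
PA_LINE = ("1,2018/02/23 15:36:19,00000000000,TRAFFIC,end,1,2018/02/23 15:36:19,"
           "192.168.1.50,5.5.5.5,0.0.0.0,0.0.0.0,untrust to webfront sites,ssl,vsys1,"
           "untrust,dmz-webfront,ethernet1/1,ethernet1/4,Critical-High Threat SyslogOnly,"
           "2018/02/23 15:36:19,139955,1,55007,443,0,0,0x1c,tcp,allow,3065,1256,1809,19,"
           "2018/02/23 15:36:00,20,financial-services,0,1111111111,0x0,US,US,0,11,8,"
           "tcp-fin,0,0,0,0,PA3050.FW.PALM-4C.U38,from-policy")
RECORDS = [
    ("pa3050.fw.palm-4c.u38", PA_LINE),
    ("pa3050.fw.palm-4c.u38", PA_LINE.replace("192.168.1.50", "192.168.1.77")),
    ("other-fw.example", PA_LINE),
]
# Assumed names for the leading comma positions of this TRAFFIC line, inferred from the
# posted example only (not from vendor documentation); adjust to your firmware's format.
FIELD_NAMES = [
    "future_use", "receive_time", "serial", "type", "subtype", "future_use2",
    "generated_time", "src_ip", "dst_ip", "nat_src_ip", "nat_dst_ip", "rule", "app",
    "vsys", "src_zone", "dst_zone", "in_if", "out_if", "log_action", "end_time",
    "session_id", "repeat_count", "src_port", "dst_port", "nat_src_port", "nat_dst_port",
    "flags", "proto", "action", "bytes", "bytes_sent", "bytes_received", "packets",
    "start_time", "elapsed", "category",
]
def normalize(message: str) -> dict:
    """Split one comma-separated line into named fields (what an ingest extractor does)."""
    values = next(csv.reader(io.StringIO(message)))  # csv handles quoted commas correctly
    fields = dict(zip(FIELD_NAMES, values))
    fields["unnamed"] = values[len(FIELD_NAMES):]  # trailing positions not named above
    return fields

def search(records, source, **wanted):
    """Keep records from `source` whose normalized fields equal every wanted value."""
    hits = []
    for src, msg in records:
        if src != source:
            continue
        fields = normalize(msg)
        if all(fields.get(k) == v for k, v in wanted.items()):
            hits.append(fields)
    return hits
RESERVED = set('+-!(){}[]^"~*?:\\/')  # characters Graylog's Lucene-style syntax treats specially
def escape_term(term: str) -> str:
    return "".join("\\" + c if c in RESERVED else c for c in term)
def graylog_query(source: str, **wanted) -> str:
    """Search string once the fields exist, e.g. source:pa3050.fw.palm\\-4c.u38 AND src_ip:192.168.1.50"""
    parts = [f"source:{escape_term(source)}"] + [f"{k}:{escape_term(v)}" for k, v in wanted.items()]
    return " AND ".join(parts)
```

Without the extracted fields, the same search has to fall back to `source:pa3050.fw.palm\-4c.u38 AND message:"192.168.1.50"`, which also matches lines where that address appears as the destination or NAT address.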