I have been beating my head over the table over this for two days and I have been unsuccessful. Currently I have firewall logs coming in via Syslog port configured on GrayLog. There are not many fields extracted other than Message, Source, and a couple of others. The log is coma seperated and has various pieces of info like DNS names of devices and various IP addresses. The standard things you’d see in these type of logs. My question is: How do I write a query that would only show me logs from that source that have a certain piece of info in it? Such as a certain ip address in it, or a certain string in the log (I’m assuming an IP Address in this instance would be a string) and only show logs with that ip address in it or whatever word I chose that would be in the message body? I can provide a screenshot if needed but I’d have to modify it for security reasons before posting.
Please provide some example messages and some queries you’d like to run against them.
Thanks so much for the response. Here’s an example log:
1,2018/02/23 15:36:19,00000000000,TRAFFIC,end,1,2018/02/23 15:36:19,192.168.1.50,22.214.171.124,0.0.0.0,0.0.0.0,untrust to webfront sites,ssl,vsys1,untrust,dmz-webfront,ethernet1/1,ethernet1/4,Critical-High Threat SyslogOnly,2018/02/23 15:36:19,139955,1,55007,443,0,0,0x1c,tcp,allow,3065,1256,1809,19,2018/02/23 15:36:00,20,financial-services,0,1111111111,0x0,US,US,0,11,8,tcp-fin,0,0,0,0,PA3050.FW.PALM-4C.U38,from-policy
As an example I want to find all logs during a specific time frame that has 192.168.1.50 from the source specified above.
Also just as an FYI I used backslash before the - to escape it out per GrayLog documentation and doing a search for that source only produces results but it shows ALL logs because obviously I didn’t try to narrow down results on what I am looking for from within the message.
Any Ideas? Just curious.
I would normalize the messages into seperated fields during ingest - that would make it more intuitive to search for the information. In the end you would save ressources doing this.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.