Searches not populating expected results


#1

Ran logging the past 24 hours and need to narrow down messages to only include specific keywords. This is the original message:

FW01 - - - %ASA-6-305011: Built dynamic UDP translation from inside:10.x.x.x/59654 to outside:67.x.x.x/59654

What I need is all messages that include only the following terms, which are in quotes:

“FW01” - - - %ASA-6-305011: “Built dynamic UDP” translation from “inside”:10.x.x.x/59654 “to outside”:67.x.x.x/59654

I’ve tried to include all of the terms in bold in quotes for a specific time period, and that produced a wide range of different sites. I believe I am not using the correct syntax for what I need to achieve. Any assistance is appreciated.


(Jochen) #2

Please elaborate on what you want to achieve and provide some examples with a description of what you’d expect as a result.

Additionally, take a look at extractors and pipeline rules to process your messages:


#3

Basically we are wanting to see outbound connections from the Cisco ASA firewalls' inside interface to the outside (LAN to WAN) on both TCP and UDP ports. From there we will want to export this into a CSV/Excel file for analysis. Mainly looking for reserved ports that may be used (for example 21, 22, 123, etc.).


(Jochen) #4

Then use extractors and pipeline rules to extract that information from the log messages.

You can also check out the Graylog Marketplace and search for content packs which help you implement your use case.
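The advice in the reply above is to extract fields from the message rather than keyword-search the raw text. What follows is an added example, not code from this thread or from Graylog: a Python equivalent of a regex extractor for the %ASA-6-305011 message quoted in post #1, followed by the selection described in post #3 (one firewall, inside to outside, a set of reserved ports) and a CSV export. The field names (real_*/mapped_*), the RESERVED_PORTS set, the function names and the sample messages are all constructed for this example; the addresses are documentation ranges. One caveat a reviewer would raise: in Cisco's 305011 format the two endpoints are the real (pre-NAT) and mapped (post-NAT) address of the same inside host, so the port after "to outside:" is the PAT-mapped port, not the port of the remote server. The filter below therefore flags a reserved port appearing on either side.

```python
import csv
import io
import re
from dataclasses import dataclass, asdict, fields
from typing import Iterable, List, Optional, Set

# Regex in the role of a Graylog regex extractor / grok pattern for
# "%ASA-6-305011: Built dynamic <proto> translation from <if>:<ip>/<port>
# to <if>:<ip>/<port>". Group names are assumptions made for this example.
ASA_305011 = re.compile(
    r"^(?P<host>\S+)\s+-\s+-\s+-\s+%ASA-(?P<severity>\d)-305011:\s+"
    r"Built dynamic (?P<proto>TCP|UDP|ICMP) translation from "
    r"(?P<real_if>\w+):(?P<real_ip>[\d.]+)/(?P<real_port>\d+) to "
    r"(?P<mapped_if>\w+):(?P<mapped_ip>[\d.]+)/(?P<mapped_port>\d+)$"
)

# Constructed sample messages in the shape of the one quoted in post #1
# (documentation addresses, not real firewall output).
SAMPLE_MESSAGES = [
    "FW01 - - - %ASA-6-305011: Built dynamic UDP translation from inside:10.1.2.3/59654 to outside:203.0.113.10/59654",
    "FW01 - - - %ASA-6-305011: Built dynamic UDP translation from inside:10.1.2.4/123 to outside:203.0.113.10/123",
    "FW01 - - - %ASA-6-305011: Built dynamic TCP translation from inside:10.1.2.5/22 to outside:203.0.113.10/22",
    "FW02 - - - %ASA-6-305011: Built dynamic TCP translation from inside:10.2.0.9/21 to outside:203.0.113.11/21",
    "FW01 - - - %ASA-6-305011: Built dynamic TCP translation from dmz:172.16.0.5/22 to outside:203.0.113.10/1025",
    "FW01 - - - %ASA-6-305012: Teardown dynamic UDP translation from inside:10.1.2.3/59654 to outside:203.0.113.10/59654 duration 0:00:30",
]

# Ports from post #3; extend as needed.
RESERVED_PORTS: Set[int] = {21, 22, 123}


@dataclass
class Translation:
    host: str
    proto: str
    real_if: str
    real_ip: str
    real_port: int
    mapped_if: str
    mapped_ip: str
    mapped_port: int


def parse_305011(line: str) -> Optional[Translation]:
    """Return the extracted fields, or None for any other message."""
    m = ASA_305011.match(line.strip())
    if not m:
        return None
    return Translation(
        host=m["host"],
        proto=m["proto"],
        real_if=m["real_if"],
        real_ip=m["real_ip"],
        real_port=int(m["real_port"]),
        mapped_if=m["mapped_if"],
        mapped_ip=m["mapped_ip"],
        mapped_port=int(m["mapped_port"]),
    )


def select_outbound(
    lines: Iterable[str],
    host: str = "FW01",
    real_if: str = "inside",
    mapped_if: str = "outside",
    ports: Set[int] = RESERVED_PORTS,
) -> List[Translation]:
    """Keep 305011 translations for one firewall, inside -> outside, where a
    port from `ports` appears on the real or the mapped side. An empty
    `ports` set disables the port filter."""
    selected = []
    for line in lines:
        t = parse_305011(line)
        if t is None:
            continue
        if t.host != host or t.real_if != real_if or t.mapped_if != mapped_if:
            continue
        if ports and not ports & {t.real_port, t.mapped_port}:
            continue
        selected.append(t)
    return selected


def to_csv(translations: Iterable[Translation]) -> str:
    """Render the selected translations as CSV text (one header row)."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=[f.name for f in fields(Translation)], lineterminator="\n"
    )
    writer.writeheader()
    for t in translations:
        writer.writerow(asdict(t))
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(select_outbound(SAMPLE_MESSAGES)), end="")
```

Run stand-alone it prints a CSV with two rows: the NTP (123) and SSH (22) translations from FW01's inside interface. The FW02 message, the dmz-side translation and the 305012 teardown are dropped by the host, interface and message-ID checks respectively. In Graylog the same regex would go into a regex or grok extractor on the message field, and the host/interface/port checks become search conditions on the extracted fields before the CSV export.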

