Specific search does not work

I have a problem searching the log "142810: Oct 29 18: 14: 52.165 BSB-3:% PARSER-5-CFGLOG_LOGGEDCMD: User: 71014632186 logged in command: no ip route vrf Guest 100 "

When I search for “ip route” it works, but when I search for “logged command” it returns nothing.

Can anyone help?

I am using Graylog 3.1.2 and Elastic 6.7.1

I think the problem is that command is not represented as an independent word, but as command:no.
I think a search for “logged command”* would match.
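
The tokenization behind the hypothesis above, as an added example that is not part of the original thread: a simplified, ASCII-only approximation of the Unicode word-break rules (UAX #29) that Elasticsearch's standard analyzer follows, run on the raw log line posted later in the thread. It assumes the message field is indexed with that analyzer; `tokenize` and `phrase_matches` are illustrative names.

```python
# Constructed from the raw log line quoted in the thread.
MESSAGE = ("142810: Oct 29 18:14:52.165 BSB-3: %PARSER-5-CFGLOG_LOGGEDCMD: "
           "User:71014632186 logged command:no ip route vrf Guest 100")

MID_LETTER = ":.'"   # keeps two letters together (WB6/WB7); ':' is in this class
MID_NUM = ".,;'"     # keeps two digits together (WB11/WB12); ':' is not


def _word_char(c):
    # Letters, digits and '_' always extend the current term.
    return c.isalnum() or c == "_"


def tokenize(text):
    """Approximate the standard analyzer: word-break split, then lowercase."""
    tokens, cur = [], ""
    for i, c in enumerate(text):
        prev = text[i - 1] if i else ""
        nxt = text[i + 1] if i + 1 < len(text) else ""
        # A mid character only joins when flanked by letters (or by digits).
        joins = cur and ((c in MID_LETTER and prev.isalpha() and nxt.isalpha())
                         or (c in MID_NUM and prev.isdigit() and nxt.isdigit()))
        if _word_char(c) or joins:
            cur += c
        elif cur:
            tokens.append(cur.lower())
            cur = ""
    if cur:
        tokens.append(cur.lower())
    return tokens


def phrase_matches(phrase, text):
    """True if the analyzed phrase terms occur as consecutive terms in text."""
    want, have = tokenize(phrase), tokenize(text)
    return any(have[i:i + len(want)] == want
               for i in range(len(have) - len(want) + 1))


if __name__ == "__main__":
    print(tokenize(MESSAGE))
    for query in ("ip route", "logged command", "logged command:no"):
        print(query, "->", phrase_matches(query, MESSAGE))
```

Under these rules "User:71014632186" splits at the colon because a digit follows it, while "command:no" stays a single term, so a phrase query needs the whole term "command:no" to line up after "logged".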

Thanks for answering. Searching for “logged command”* didn’t work either.

Not sure why the log in your post is different than the log in the screenshot, but try searching for “logged*command” with the quotes.

Thanks for answering. Also without result.

Sorry for the log, it was the translator. Look at the pure log.

142810: Oct 29 18:14:52.165 BSB-3: %PARSER-5-CFGLOG_LOGGEDCMD: User:71014632186 logged command:no ip route vrf Guest 100

Do you get anything if you search for just “logged” or just “command”?

For testing purposes, can you modify the input to store the full original syslog message and then query that? Make sure you clear this when you’re done, as you’ll basically be storing the message twice.


full_message:“logged command”

You can also try searching from the views menu, but I suspect that would return the same result.

Strange for sure…

You checked the docs, right?


The string is split into terms and the fields message (and full_message) are enabled for full-text search, so you could check the terms to see what you are able to search …

In addition, I would parse the log into different fields to be able to correlate the content of those fields …

Try “logged command*”

Yes, searching for “log” or “command” yields results.

I tested “full_message” and it looks the same.

I checked the documentation. I need to vary the content of the message that comes right in front of “logged command:”

Already tried, no result, but your search for “logged command: ip route” yes.
