topic Searching Multiple log files by using filter in Firewall and Security Management

Searching Multiple log files by using filter

BeaconBits — Mon, 30 Jul 2018 14:46:20 GMT

Hello Folks,

I have new log file after every 2GB size. So each day I collect more than one file of logs.

Recently, I had to search for over few past days. So I was struggling to go into each log file and search.

Question:

Is there any way to search multiple log files at the same time?

Any query option that allows to select more than one log file.. or any other way (may be third party)?

Thanks!

Re: Searching Multiple log files by using filter

Norbert_Bohusch — Mon, 30 Jul 2018 15:21:24 GMT

Which version is your management running?

On R80.x logs are automatically indexed (as long as indexing is not turned off) and a search will search over all indexed log-files.

On R77.x (or older) logs in SmartView Tracker are not indexed, but in SmartLog they are.

Re: Searching Multiple log files by using filter

BeaconBits — Mon, 30 Jul 2018 15:46:02 GMT

It is on R80.10.

In this case then how can I check if log files are indexed?

Re: Searching Multiple log files by using filter

BeaconBits — Mon, 30 Jul 2018 15:50:22 GMT

Thanks Norbert

I have found this option on Log Server and it is enabled.

S it means, that I can go back only up to 14 days at a time.

Could you please add more relevant info that I'm missing?

Re: Searching Multiple log files by using filter

Jerry — Mon, 30 Jul 2018 15:51:35 GMT

I believe it all depends how your "log infrastructure" looks like,

if you're using CLM (Log Server) there are options for making that simpified

if your logs ends on SMS server - I don't think you can search few ELG files at the same time if I'm not mistaken (unless the script is already known to our belowed CCSM's here )

if your log switching is done per "size" on your Management Server (SMS) then obviously it must be a pain (and it is for each and everyone I guess) including myself to go trouch all the logs in order to find interesting record however, as Norbert mentioned in R80.10 for instance it should "per indexing" at least show you a snip of the record you're lookinig for. IMHO CLM is the best option, unless your logging facility does not need 12 months of log retention ...

Re: Searching Multiple log files by using filter

Jerry — Tue, 31 Jul 2018 08:12:04 GMT

open the object in your dash and see if the indexing (in logging section) is enabled - if not - enabled it manually.

Re: Searching Multiple log files by using filter

Jerry — Tue, 31 Jul 2018 08:12:42 GMT

it is called btw "Enable Log Indexing" with a little blue "i" icon

Re: Searching Multiple log files by using filter

BeaconBits — Wed, 01 Aug 2018 08:58:56 GMT

Yes, it is enabled.

So far what I understand is that I can search up to last 14 days because logs are being indexed to 14.

But searching multiple random files before these 14 days is not possible.

@Checkpoint: Not sure, but I think there should be feature where to select multiple log files and search from them at once rather selecting one by one that are not indexed.