Searching logs returns no results when using *

Up front: 

I read that "The Description field is not currently indexed" - that might be the answer to my question - but I still do not have a working workaround.

My question: 

I know I have hits on my 80.30 firewall (Appliance model 5200 running R80.30 Take 200, last updated on Mon Jan 6 14:01 2020) from the Europol DNS scanner from "*.shadowserver.org", but when I search for it by name and as source (with the src:* before the domain name) I get 0 hits.

[Img1]

To see if the (.) dot was needed I added it after the star so it said "src:*." and searched again, but still no hits.

[Img5]

If I alter the search to not include the star (*) and dot (.) and just search for the domain, I get 2 hits (indicating that it had never been the source but has been the destination at some time) <-- that is also correct, but I am missing all the log lines where it was the source...

[Img2]

Finally - if I instead search for the IP address that the server had at the point in time it was logged, I get MANY hits and can see in the description and source column that the name "shadowserver.org" is logged with the FQDN of scan-09h.shadowserver.org - that is odd (why was it then not found in the prior 2 searches I made?)

[Img3]

Searching for the full name (not using *.) does give me the hits - but I would really like to get the info of all the hosts in the domain .shadowserver.org that have hit my firewall.

[Img4]

Now.. 

Can anyone here tell me if I need to use another search terminology/syntax, or if the 80.30 search function in logs is broken?

Best regards 

Keld Norman 

kno@dubex.dk

4 Replies
Have you tried shadowserver.org without anything in front?
Regards, Maarten
Yes - see Img2 (the order of the images I posted is messed up) - but.. I did - two hits, but no hits where shadowserver.org was the source. 😕
Sorry did not see that one. Problem with the search is that it can be anything from the start, but not from a dot or any other demarcation point in the name or IP.
You can search for scan-09 and most certainly it will find your server.
Regards, Maarten
Got it - unfortunately I need the facts the other way around, so I can see all the hosts that have been scanning my IP from the domain (*.shadowserver.org), but thanks for the explanation anyway. 🙂
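Added example (not from the thread or from Check Point): a small Python model of the match-from-the-start behaviour Maarten describes, next to the suffix filter Keld actually needs, run over constructed log lines in an assumed `key=value` format; it shows why "scan-09" finds the scanner while "shadowserver.org" as a source term does not, and how exported logs can be post-filtered by domain suffix instead.

```python
import re

# Constructed sample log lines (not real Check Point output); the src/dst
# fields mirror the thread: sometimes an IP, sometimes a resolved FQDN.
SAMPLE_LOGS = [
    "time=14:01 action=Drop src=scan-09h.shadowserver.org dst=203.0.113.10 service=443",
    "time=14:02 action=Accept src=203.0.113.10 dst=scan-09h.shadowserver.org service=53",
    "time=14:03 action=Drop src=scan-12.shadowserver.org dst=203.0.113.11 service=22",
    "time=14:04 action=Drop src=notshadowserver.org dst=203.0.113.11 service=22",
    "time=14:05 action=Drop src=198.51.100.7 dst=203.0.113.12 service=80",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a 'key=value key=value' line into a dict (assumed format)."""
    return dict(FIELD_RE.findall(line))


def prefix_search(logs, field, term):
    """Model of the GUI behaviour described in the thread: a term only matches
    when it starts at the beginning of the value, never mid-name after a dot."""
    return [l for l in logs if parse_line(l).get(field, "").startswith(term)]


def domain_suffix_search(logs, field, domain):
    """Workaround for exported logs: match the domain itself or any subdomain.
    Requiring a leading dot keeps 'notshadowserver.org' from matching."""
    domain = domain.lower().lstrip("*").lstrip(".")
    hits = []
    for line in logs:
        value = parse_line(line).get(field, "").lower().rstrip(".")
        if value == domain or value.endswith("." + domain):
            hits.append(line)
    return hits


if __name__ == "__main__":
    print(len(prefix_search(SAMPLE_LOGS, "src", "scan-09")))
    print(len(prefix_search(SAMPLE_LOGS, "src", "shadowserver.org")))
    print(len(domain_suffix_search(SAMPLE_LOGS, "src", "*.shadowserver.org")))
```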