Logsign Search Reference

Improving your search skills in Logsign is one of the most important and easiest ways to get exactly the log lists you want. The search query syntax is used throughout the Logsign interface: dashboards, reports, analysis, etc. To save time and make reports easier, you can refer to this document.

Search basics in Logsign

  • Search with Column names and values:

You will often need to write a query in the search bar. You can simply type a few keywords to list all matching logs on the interface, but the results will also include data that contains the same keywords in properties you did not want to see. For example, if you type only an IP address without a property or column name, Logsign will show you all logs containing that IP, whether it appears as Destination.IP, Source.IP or EventSource.IP. So, if you want a specific list of logs, you need to know how to write an efficient query. The basic form and examples are below.

- Basic form

Column_name : Value

- Examples

Source.IP : 10.0.0.1

URL.Domain : "www.google.com"

 

The most used columns are listed below.

  • Source.IP : Shows source IP Address of an event. ( 10.0.0.1 )
  • Destination.IP : Shows destination IP Address of an event. ( 89.101.23.11 )
  • URL.Domain : Shows web address of an event ( www.yahoo.com )
  • Event.Info : Shows the message of an event. ( Connection Opened )
  • EventSource.IP : Shows the IP Address of event source. ( 10.0.0.23 )
  • Application.Name : Shows the application name if there is an application content. ( Skype )

You can also use the other columns shown below.

 

For example, if you want to see the logs for traffic coming from the city of Bursa you can write Source.City:"Bursa", or if you want to see the logs for Vendor ID 713 you can write Event.VendorID:713

Note that some column names may be missing, depending on the vendor or server that sends the logs.

 

  • Search with Boolean operators:

You might want to filter the results under certain conditions. For example, you might want to see only the logs that satisfy several conditions at once, or at least one of them. For this, Logsign provides Boolean operators. The available operators are listed below.

AND
value AND another_value
Matches events that contain both value and another_value.

OR
value OR another_value
Matches events that contain value or another_value.

NOT
value1 AND NOT ( value2 OR value3 )
Matches events that contain value1 but neither value2 nor value3.

You can apply these operators in this way.

- Source.IP:172.30.30.50 AND Destination.IP:10.0.0.1

- Severity.Name:"alert" OR Severity.Name:"critical"

- Source.Country:"Turkey" AND NOT (Source.City:"Istanbul" OR Source.City:"Bursa")

 

  • Parentheses

Using parentheses helps you write efficient and compact queries. If you want to express a range or several values, we recommend using brackets. The basic forms and examples are below.

Round Brackets
column : ( value1 OR value2 )
Matches several values of one column at the same time by grouping them.

Samples :
Source.IP : (192.168.1.1 OR 192.168.1.2)
Vendor.Name : (Microsoft OR Cisco)

Square Brackets
column : [ value1 TO value2 ]
Queries a specific range of text, IP or other values.

Samples :
Source.IP : [192.168.1.1 TO 192.168.1.60]
Bytes.Sent : [100400 TO 10000000]

Curly Brackets
column : { value1 TO value2 }
Queries a specific range of text, IP or other values, including last to first value.

Samples :
Source.IP : {192.168.1.1 TO 192.168.1.23}

  • Quotation Mark

You can use quotation marks to search for a phrase in any text field, especially text that includes spaces or other special characters.

Samples:
"Web Site Visited"
"Connection Close"

 

  • All at the same time

You can combine all of these rules in a single query.

Samples:
*.exe OR *.zip OR *.rar matches events that contain .exe, .zip or .rar.
EventSource.Vendor:Fortinet AND Event.Info:"URL has been visited" *.exe OR *.zip
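The following Python helper is an added example and not Logsign's own code or documentation. It builds queries that follow the syntax on this page (Column:Value terms, AND/OR/NOT with round-bracket grouping, Column:(v1 OR v2) for several values, and [lo TO hi] / {lo TO hi} ranges) from values that may come from an IoC list or a script, quoting any value that contains spaces or syntax characters so the query does not silently break. The column-name pattern, the quoting rule, the rejection of values containing a double quote (the page documents no escape sequence for one), the CIDR-to-range conversion, and all function names, domains and addresses are this example's own assumptions and constructed sample data.

```python
"""Build Logsign-style search queries from program data (added example)."""
import ipaddress
import re
from typing import Iterable

# Assumption: column names look like those on this page (Source.IP, Event.VendorID).
_COLUMN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)*$")
# Assumption: whitespace and query syntax characters require the value to be quoted.
_NEEDS_QUOTES_RE = re.compile(r"[\s:()\[\]{}]")


def _check_column(column: str) -> str:
    if not _COLUMN_RE.match(column):
        raise ValueError(f"invalid column name: {column!r}")
    return column


def quote_value(value: object) -> str:
    """Return value as a query literal, quoting it when it contains spaces or syntax characters.

    The page documents quoting but no escape for an embedded double quote,
    so such values are rejected instead of guessed at.
    """
    text = str(value)
    if '"' in text:
        raise ValueError("embedded double quote cannot be represented safely")
    return f'"{text}"' if _NEEDS_QUOTES_RE.search(text) else text


def term(column: str, value: object) -> str:
    """Column:Value, e.g. Source.IP:10.0.0.1 or Event.Info:"Connection Opened"."""
    return f"{_check_column(column)}:{quote_value(value)}"


def any_of(column: str, values: Iterable[object]) -> str:
    """Column:(v1 OR v2 ...), the round-bracket form for several values of one column."""
    literals = [quote_value(v) for v in values]
    if not literals:
        raise ValueError("any_of needs at least one value")
    if len(literals) == 1:
        return f"{_check_column(column)}:{literals[0]}"
    return f"{_check_column(column)}:({' OR '.join(literals)})"


def numeric_range(column: str, low: int, high: int, inclusive: bool = True) -> str:
    """Column:[low TO high] (square brackets) or Column:{low TO high} (curly brackets)."""
    if low > high:
        raise ValueError("range low bound exceeds high bound")
    open_, close = ("[", "]") if inclusive else ("{", "}")
    return f"{_check_column(column)}:{open_}{low} TO {high}{close}"


def ip_range(column: str, cidr: str, inclusive: bool = True) -> str:
    """Range term covering a CIDR block: 192.168.1.0/24 -> [192.168.1.0 TO 192.168.1.255].

    Taking CIDR input is this example's generalisation of the page's explicit IP ranges.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    open_, close = ("[", "]") if inclusive else ("{", "}")
    return f"{_check_column(column)}:{open_}{net[0]} TO {net[-1]}{close}"


def and_(*parts: str) -> str:
    return " AND ".join(parts)


def or_(*parts: str) -> str:
    """Group alternatives in round brackets so a surrounding AND binds as intended."""
    return parts[0] if len(parts) == 1 else f"({' OR '.join(parts)})"


def _is_wrapped(text: str) -> bool:
    """True when text is one (...) group, not e.g. '(a OR b) AND c'."""
    if not (text.startswith("(") and text.endswith(")")):
        return False
    depth = 0
    for i, ch in enumerate(text):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and i != len(text) - 1:
            return False
    return depth == 0


def not_(part: str) -> str:
    """NOT (...): the bracket keeps NOT from applying to only the first term of part."""
    return f"NOT {part}" if _is_wrapped(part) else f"NOT ({part})"


def web_visit_query(vendor: str, domains: list, source_cidr: str) -> str:
    """Constructed example: visits to the listed domains from one subnet, reported by
    the given vendor, excluding the two cities used on this page."""
    return and_(
        term("EventSource.Vendor", vendor),
        term("Event.Info", "URL has been visited"),
        any_of("URL.Domain", domains),
        ip_range("Source.IP", source_cidr),
        not_(or_(term("Source.City", "Istanbul"), term("Source.City", "Bursa"))),
    )


if __name__ == "__main__":
    # Constructed sample input; the domains and subnet are placeholders.
    print(web_visit_query("Fortinet", ["www.example.com", "files.example.net"], "10.0.0.0/30"))
```

Values such as "URL has been visited" are quoted automatically, while plain words, IPs, numbers and wildcards like *.exe are passed through unquoted exactly as the page's own samples show them; the NOT helper always wraps its operand so an exclusion never binds to only the first term of a group.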