The Search menu shows you every result that matches the information you are looking for (web, application, link open/close events, e-mail, VPN and so on) and lets you turn those search results into special reports and alerts afterwards.
Logsign Search offers three different ways to run a search from its menu.
1- Manual search by typing the query
Lucene is Logsign's query language. The most commonly used Lucene query strings are listed below.
Search with values
You can type the values you want to search for directly.
For instance:
- If you type 168.1.1, results including this IP address will be shown to you.
- If you type 168.1.1 8.8.8.8, results including both IP addresses will be shown to you.
- If you type logsign.com, results including www.logsign.com will be shown to you.
Search with column names
After collecting the logs, Logsign parses each log and distributes its fields into columns for easy reporting. For your convenience, the columns are named with a scheme that stays close to natural language. There are separate articles on the Logsign column infrastructure on the platform.
For instance:
- If you type Source.IP:192.168.1.1, results will only include logs whose source IP address is 192.168.1.1. Keep in mind that logs where this address is the target IP will not be shown, because the column name you gave is the source IP.
- If you type Destination.IP:8.8.8.8, results will include logs whose target IP address is 8.8.8.8.
- If you type Source.IP:192.168.1.1 Destination.IP:8.8.8.8, results will include logs with the source IP address 192.168.1.1 and the target IP address 8.8.8.8.
Search with logical operators AND OR NOT
Logsign supports logical operators. With AND, OR and NOT you can build more specific queries without joining data tables, knowing SQL or writing a script.
OR
You can use OR in queries. It matches any of the values placed before and after it.
For instance:
- If you type cnn.com OR www.ntv.com.tr, results will include everything with www.cnn.com or www.ntv.com.tr.
AND
You can use AND in queries. For your convenience, Logsign treats a blank between two terms as AND, so typing AND explicitly is optional.
For instance:
- If you type 168.1.1 www.cnn.com, results will include both 192.168.1.1 and www.cnn.com on the same log line.
* - ASTERISK
You can widen a search with *. The asterisk stands for any characters adjoining the value typed before or after it. You can place it at the beginning, at the end, in the middle, or at both the beginning and the end at the same time.
For instance:
- If you type *.exe, results will include any value that ends with .exe, whatever comes before it.
- If you type *oogl*, results will include oogl regardless of what comes before or after it; for example, you will see results including google.com.
( ) ROUND BRACKETS
Round brackets group a search. Use them after a column name when you want to match more than one value in that column at the same time.
For instance:
- If you type Source.IP:(192.168.1.1 OR 192.168.1.2 OR 192.168.1.3), results will include 192.168.1.1, 192.168.1.2 or 192.168.1.3 in the Source IP column.
- If you search for Vendor.Name:(Microsoft OR Cisco), you get the logs from both Microsoft and Cisco devices at the same time. This is a simple example of correlation. With the same logic, you can create reports and alerts across branches, departments, a message group or an IP group.
- Information: Is it tedious to type 100 IP addresses from an IP block this way? Yes, it is. This is where square brackets and curly brackets, which search within a range, come to your rescue.
[ ] SQUARE BRACKETS
Square brackets search within a range. The range can be numeric, textual or a range of IP addresses. For instance, use them to search within a section of your IP block or to find devices that have sent more bytes than a given threshold.
For instance:
- If you search Source.IP:[192.168.1.50 TO 192.168.1.100], results will include these two IP addresses and every address between them.
- If you search Sent:[1024000 TO 10000000], results will include logs in which between 1,024,000 and 10,000,000 bytes (more than 1 MB) were sent.
{ } CURLY BRACKETS
Curly brackets work almost the same as square brackets. The only difference is that they exclude the first and last values of the range from the results.
For instance:
- If you search Source.IP:{192.168.1.50 TO 192.168.1.100}, results will not include the first and last addresses, only those between them.
" " QUOTATION MARKS
Quotation marks are used to search for a string of words or values. They are especially useful when you are looking for a sentence that contains spaces, "/" and similar characters and want results that contain it exactly as you typed it. For instance, if you type Ali goes to school without quotation marks, the results will also include sentences such as To school Ali goes. Each search method could be necessary at times. If you type "Ali goes to school", results will include only sentences with the same wording and word order, meaning that you will see only results including Ali goes to school.
For instance:
- If you type "Web Site Visited", results will include sentences with the words "Web Site Visited" in the same order.
- Information: You cannot place a column name inside the quotation marks; only values can go between them.
- If you type Event.Info:"Web Site Visited", results will include this exact phrase in the Event.Info column.
USING ALL RULES SIMULTANEOUSLY
You can use all of the search methods mentioned above at the same time.
You can build more advanced queries in Logsign by combining values, column names, logical operators and the special characters above in a single search.
For instance:
- If you type *.exe OR *.zip OR *.rar, results will include values ending in .exe, .zip or .rar.
- If you type Vendor.Name:Fortinet Event.Info:"URL has been visited" *.exe OR *.zip, results will include .exe and .zip files within the web access logs sent by the Fortinet device.
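As an added example (not Logsign's own code), a small Python evaluator that applies the rules above to constructed log records: bare terms and blanks as AND, OR and NOT, * wildcards, Column:(...) grouping, inclusive [ ] and exclusive { } ranges over both IP addresses and byte counts, and quoted phrases that keep word order. The column names Source.IP, Vendor.Name, Event.Info, URL and Sent, and the records themselves, are assumptions made for the example.

```python
import fnmatch, ipaddress, re
LOGS = [  # constructed sample records (not Logsign data); column names are assumed, after the page's Source.IP style
    {"Source.IP": "192.168.1.50", "Vendor.Name": "Fortinet", "Event.Info": "URL has been visited", "URL": "cdn.example.net/setup.exe", "Sent": 2048000},
    {"Source.IP": "192.168.1.100", "Vendor.Name": "Cisco", "Event.Info": "Web Site Visited", "URL": "www.cnn.com/index.html", "Sent": 512},
    {"Source.IP": "192.168.1.75", "Vendor.Name": "Microsoft", "Event.Info": "Ali goes to school", "URL": "www.google.com", "Sent": 10000000},
]
TOKEN = re.compile(r'\s*(?:(?P<PHRASE>"[^"]*")|(?P<RANGE>[\[{][^\]}]*[\]}])|(?P<FIELD>[\w.]+):|(?P<PAREN>[()])|(?P<TERM>[^\s()]+))')

def tokenize(query):  # token kinds: "phrase" | [a TO b] or {a TO b} | Column.Name: | ( or ) | bare term
    toks = []
    for m in TOKEN.finditer(query):
        kind, text = m.lastgroup, m.group(m.lastgroup)
        if kind == "TERM" and text.upper() in ("AND", "OR", "NOT"): kind, text = "OP", text.upper()
        toks.append((kind, text))
    return toks

def match_value(kind, text, value):  # one leaf token against one column value, case-insensitive
    s = str(value).lower()
    if kind == "RANGE":  # [a TO b] includes both ends, {a TO b} excludes them
        lo, hi = text[1:-1].split(" TO ")
        try: lo, hi, v = map(ipaddress.ip_address, (lo, hi, s))
        except ValueError:  # not IP addresses: compare as numbers (e.g. the Sent byte count)
            try: lo, hi, v = map(float, (lo, hi, s))
            except ValueError: return False
        return lo <= v <= hi if text[0] == "[" else lo < v < hi
    if kind == "TERM" and "*" in text:  # wildcard must cover the whole value
        return fnmatch.fnmatchcase(s, text.lower())
    return text.strip('"').lower() in s  # bare term or "phrase": substring, word order kept

def parse(tokens):  # recursive descent over the token list (consumed); OR binds loosest, blank/AND tighter
    def primary(field):
        kind, text = tokens.pop(0)
        if kind == "OP": inner = primary(field); return lambda r: not inner(r)  # only NOT can start an item
        if kind == "FIELD": return primary(text)  # Column: scopes the item after it, brackets included
        if kind == "PAREN": node = or_expr(field); tokens.pop(0); return node  # drop the closing ")"
        return lambda r: any(match_value(kind, text, v) for v in ([r.get(field)] if field else r.values()) if v is not None)
    def and_expr(field):  # a blank between items is an AND; typing AND is optional
        parts = [primary(field)]
        while tokens and tokens[0] not in (("OP", "OR"), ("PAREN", ")")):
            if tokens[0] == ("OP", "AND"): tokens.pop(0)
            parts.append(primary(field))
        return lambda r: all(p(r) for p in parts)
    def or_expr(field):
        parts = [and_expr(field)]
        while tokens and tokens[0] == ("OP", "OR"): tokens.pop(0); parts.append(and_expr(field))
        return lambda r: any(p(r) for p in parts)
    return or_expr(None)

def search(query, logs=LOGS):
    pred = parse(tokenize(query))  # parse once, then filter the records
    return [r["Source.IP"] for r in logs if pred(r)]
```

Round brackets make the intended precedence explicit in mixed queries, e.g. Vendor.Name:Fortinet (*.exe OR *.zip) keeps the vendor condition applied to both file types.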
2- Search with Automatic Queries by Clicking the Logs
When you click a received log, you see the results within the blue frame in the screenshot below: a clearly grouped view of the related data. Each item in this area is clickable and takes you straight to the search field.
The second search method is clicking the values, names and other items shown next to the column names in the results.
When you click the results marked with arrows in the screenshot, the query automatically appears in the query field, marked with the arrows at the top.
3- Easy Search with Search Filter
You can make easy searches by using the Search Filter on the Search menu.
These filters let you go deeper by narrowing your query, so that you see only the results from the column matching the filter you chose.
In the screenshot example below, we see the results for the IP address "192.168.240.15" chosen with the Source.IP filter. The filter automatically appears in the field marked with the arrow. Pressing the search button then shows only the results for this IP.
To remove the filter, use the "X" on the right of the IP. You can add a new filter later from the Search Filter field.