Searching the logs


Some keywords will not match unless you include both the log field name and its value (type=webfilter).

Remove unnecessary keywords and search filters that can exclude results. In More Options, if All Words is selected, a log message is included in the search results only if all keywords match; if any of your keywords does not exist in the message, the match fails and the message does not appear in the search results. If you cannot remove some keywords, select Any Words.

You can use the asterisk (*) character as a wildcard (192.168.2.*). For example, you could enter any partial term or IP address, then enter * to match all terms that begin with the same characters or numbers.

You can search for IP ranges, including subnets. For example:

172.168.1.1/24 or 172.168.1.1/255.255.255.0 matches all IP addresses in the subnet 172.168.1.1/255.255.255.0

172.168.1.1-140.255 matches all IP addresses from 172.168.1.1 to 172.168.140.255

You can search for URLs in multiple ways, using part or all of the URL. Searching for the full URL may not return enough results if the URL contains random substrings, such as session IDs. If your search keywords do not return enough results, try one of the following:


shortening your keyword to the smallest necessary substring of the URL

shortening your keyword to a substring of the URL delimited by slash (/) characters

The search returns results that match all, any, or none of the search terms, according to the option you select in Match.

For example, if you enter into Keyword(s):

192.168.* action=login

and if from Match you select All Words, log messages for attacks on 192.168.* by W32/Stration.DU@mm do not appear in the search results, since although the first keyword (the IP address) appears in attack log messages, the second keyword (the name of the attack) does not appear, and so the match fails. If the match fails, the log message is not included in the search results.
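The following is an added illustration, not code from the FortiAnalyzer product, of how the search rules described above (IP subnets and ranges, the * wildcard, and the All Words / Any Words / None match options) can be applied to log messages. The log lines are constructed samples, and the field layout is assumed.

```python
import ipaddress
import re

# Constructed sample log messages (not taken from the guide); field layout is assumed.
LOGS = [
    "date=2008-09-08 type=webfilter srcip=192.168.2.15 action=blocked url=http://www.example.test/s/abc123",
    "date=2008-09-08 type=attack srcip=172.168.1.77 attack=W32/Stration.DU@mm action=detected",
    "date=2008-09-08 type=event srcip=172.168.150.3 action=login user=admin",
]

def ip_range_predicate(term):
    """Return an ip -> bool test for the guide's IP-range forms (a.b.c.d/24, a.b.c.d/mask, a.b.c.d-e.f); else None."""
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+/(\d+|\d+\.\d+\.\d+\.\d+)", term):
        net = ipaddress.ip_network(term, strict=False)   # host bits are ignored, so 172.168.1.1/24 is the whole /24
        return lambda ip: ip in net
    if "-" in term:
        lo_oct, hi_oct = (part.split(".") for part in term.split("-", 1))
        if len(lo_oct) == 4 and 1 <= len(hi_oct) <= 4 and all(o.isdigit() for o in lo_oct + hi_oct):
            # The suffix after '-' replaces the trailing octets: 172.168.1.1-140.255 ends at 172.168.140.255
            lo = ipaddress.ip_address(".".join(lo_oct))
            hi = ipaddress.ip_address(".".join(lo_oct[:4 - len(hi_oct)] + hi_oct))
            return lambda ip: lo <= ip <= hi
    return None

def term_matches(term, message):
    """Test one keyword against one log message: IP range, '*' wildcard, or plain substring (field=value included)."""
    pred = ip_range_predicate(term)
    if pred is not None:
        ips = [ipaddress.ip_address(m) for m in re.findall(r"\b\d+\.\d+\.\d+\.\d+\b", message)]
        return any(pred(ip) for ip in ips)
    if "*" in term:
        pattern = ".*".join(re.escape(piece) for piece in term.split("*"))
        return re.search(pattern, message) is not None
    return term in message

def search(logs, keywords, match="all"):
    """Apply the Match option: 'all' words must match, 'any' word may match, or 'none' of the words may match."""
    terms = keywords.split()
    combine = {"all": all, "any": any, "none": lambda results: not any(results)}[match]
    return [line for line in logs if combine(term_matches(t, line) for t in terms)]
```

With All Words, "192.168.* action=login" returns nothing from these samples because no single message contains both terms; with Any Words it returns the webfilter and login messages.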

Printing the search results

After completing a search, a Printable Version button appears, allowing you to download a printable HTML copy of the search results. You can print this file, or save it to your computer for later use.

To download the results, select Printable Version.

Downloading the search results

After completing a search, a Download Current View button appears, allowing you to download a log file reflecting the search results. Search results can be saved in comma-separated value (.csv) format or in standard log (.log) format.


FortiAnalyzer Version 3.0 MR7 Administration Guide


05-30007-0082-20080908
