Content Archive

Customizing the content archive view

4. Enter the text that matching log messages must contain.

Matching log messages will be excluded or included in your view based upon whether you have selected or deselected NOT.

5. Select OK.

A column’s filter icon is green when the filter is currently enabled.

To disable a filter

1. In the heading of the column whose filter you want to disable, select the filter icon. A column’s filter icon is green when the filter is currently enabled.

2. To disable the filter on this column, deselect Enable.

Alternatively, to disable the filters on all columns, select Clear All Filters. This disables the filter; it does not delete any filter text you might have configured.

3. Select OK.

A column’s filter icon is gray when the filter is currently disabled.

Note: Filters do not appear in Raw view, or for unindexed log fields in Formatted view.

When viewing real-time logs, you cannot filter on the time column: by definition of the real-time aspect, only current logs are displayed.

Filtering tips

When filtering by source or destination IP, you can use the following in the filtering criteria:

a single address (2.2.2.2)

an address range using a wild card (1.2.2.*)

an address range (1.2.2.1-1.2.2.100)

You can also use the Boolean operator “or” to indicate multiple alternative matches:

1.1.1.1 or 2.2.2.2

1.1.1.1 or 2.2.2.*

1.1.1.1 or 2.2.2.1-2.2.2.10

Most column filters require that you enter the column’s entire contents to successfully match and filter contents; partial entries do not match the entire contents, and so will not create the intended column filter.

For example, if the column contains a source or destination IP address (such as 192.168.2.5), enter the entire IP address to be matched when you create the column filter. If you enter only one octet of the IP address (such as 192), the filter will not completely match any of the full IP addresses, and so the resulting filter would omit all logs, rather than including those logs whose IP address contains that octet.

Exceptions to this rule include columns that contain multiple words or long strings of text, such as messages or URLs. In those cases, you may be able to filter the column using a substring of the text contained by the column, rather than the entire text contained by the column.
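The IP filtering rules above can be reproduced offline, for example to check a filter expression against exported log rows before relying on it in a review. The following Python sketch is an added example, not FortiAnalyzer code; the function names and sample rows are hypothetical, and it assumes a wildcard stands for one whole octet and that "or" is written in lowercase as shown above.

```python
import ipaddress
import re

def term_matches(term, ip):
    """One criterion: single address, wildcard octet, or first-last range."""
    term = term.strip()
    try:
        if "-" in term:  # range, e.g. 1.2.2.1-1.2.2.100 (inclusive)
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in term.split("-", 1))
            return lo <= ip <= hi
        if "*" in term:  # wildcard, e.g. 1.2.2.* (assumed: one whole octet)
            want, have = term.split("."), str(ip).split(".")
            return len(want) == 4 and all(w in ("*", h) for w, h in zip(want, have))
        return ipaddress.IPv4Address(term) == ip  # single address, whole value
    except ValueError:
        return False  # partial entry such as "192" is not a full address

def ip_filter(criteria, address, negate=False):
    """True if a row with this address stays in view; negate models NOT."""
    ip = ipaddress.IPv4Address(address)
    terms = re.split(r"\s+or\s+", criteria.strip())
    return any(term_matches(t, ip) for t in terms) != negate

def visible(rows, column, criteria, negate=False):
    """Rows that remain in view after filtering one IP column."""
    return [r for r in rows if ip_filter(criteria, r[column], negate)]

# Constructed sample rows, not real log data.
SAMPLE = [
    {"src": "192.168.2.5", "dst": "2.2.2.2"},
    {"src": "1.2.2.77", "dst": "2.2.2.7"},
    {"src": "1.1.1.1", "dst": "10.0.0.9"},
]

if __name__ == "__main__":
    for crit in ("192.168.2.5", "192", "1.1.1.1 or 1.2.2.*", "1.2.2.1-1.2.2.100"):
        print(f"{crit!r:24} -> {[r['src'] for r in visible(SAMPLE, 'src', crit)]}")
```

The "192" case returns no rows at all, which is the failure mode described above: an empty view produced by a partial entry can be mistaken for an absence of matching traffic.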

FortiAnalyzer Version 3.0 MR7 Administration Guide

 

05-30007-0082-20080908
