
Log Viewer Filtering

Hi, I'm new to the XG firewall so please forgive me if I have overlooked something obvious here. I came from TMG and I have finished my deployment of the XG to replace it. I need to resolve some small issues with server publishing rules (WAF here) and I am having trouble with filtering the log. In the TMG I would just filter on "Denied" connections so that I could focus on the problems. In the XG I cannot figure out how to filter out the 10s of thousands of normal/successful connections that don't require my attention and only show me the denied connections.

The little icon on the left is already doing this by virtue of being GREEN for allowed and RED for denied, but the filter bar doesn't give me the ability to key off that disposition. After looking at the logs it appears that the field named "reason" is exactly what I need to filter by, but it won't work. All successful connections are REASON="-" and all denied connections are REASON="insertvariousreasonhere". I need to be able to filter by REASON <> "-" or =<Not Null> or whatever to say basically "Show me all denied connections".

Could someone please help me out here? I called technical support but they told me they couldn't help with this and I needed to post my question to this community site.

Thank you in advance!

-Jason



This thread was automatically locked due to age.
  • Apologies, I missed that part. So you're saying that you notice that all allowed packets have a REASON="-", possibly try just doing the inverse?

    Or switch over to the Detailed View:

    There's more granularity in the filter options, perhaps play around with the available options here?

    Cheers,
    Karlos

  • Hey Karlos, no worries. The filter will not allow me to express a "-" character at all, regardless of the condition. When I switched over to the Detailed view I found that even though they present more fields to you (a culmination of the different fields available on different logs) when you attempt to use a field that isn't available on the Standard View for that particular log (WAF) such as "Reason" it will not work, the log returns no results...

  • Hi Jason,

    I'm sorry we're not able to achieve your means with the available filters. Please submit a feature request so we can see it included in the future.

    Cheers,
    Karlos

  • Thanks Karlos. I will submit the request, but I just want to make sure that we understand each other first because I would be very surprised at this. There is no way to filter "Allowed" and "Denied" connections in the Web Server Protection log? I'm not being smart here, it just occurs to me that this is perhaps the most basic filtering one could use and I want to make sure you understand what exactly it is I am looking for.

  • Hi Jason,

    Yes, I do understand that you would like to simply filter by "Allowed" or "Denied" connections on the GUI of the Log Viewer. As you know, this is available for our Firewall logs but not on Webserver protection logs at present.

    Another option would be to use the Advanced Shell and go to /log/reverseproxy.log and filter using the grep command.

    Cheers,

    Karlos
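The shell approach suggested above, written out as an added example (not part of the original posts and not Sophos-supplied code): it keeps only the lines whose reason field is something other than "-" and tallies them per reason. It assumes each request line in /log/reverseproxy.log carries key="value" fields including reason="...", and that awk, cut, sort and uniq are available in the shell; the function names and sample lines are constructed for illustration.

```shell
# Added example. Assumption: request lines contain key="value" fields,
# and reason="-" marks an allowed request, as described in the thread.

# Constructed sample lines (not taken from a real appliance).
SAMPLE='srcip="203.0.113.10" statuscode="200" reason="-" url="/"
srcip="203.0.113.11" statuscode="403" reason="WAF Anomaly" url="/login"
srcip="203.0.113.12" statuscode="403" reason="Static URL Hardening" url="/admin"
srcip="203.0.113.11" statuscode="403" reason="WAF Anomaly" url="/search"
[security2:error] module message without request fields'

# Emit "<reason><TAB><original line>" for every line whose reason is not "-".
# Lines without a reason field (module messages, startup noise) are skipped.
tag_denied() {
    awk '
        match($0, /(^|[ \t])reason="[^"]*"/) {
            r = substr($0, RSTART, RLENGTH)
            sub(/^[ \t]?reason="/, "", r)   # strip the key and opening quote
            sub(/"$/, "", r)                # strip the closing quote
            if (r != "-" && r != "") print r "\t" $0
        }' "$@"
}

# Show only the denied requests, unchanged.
denied_only() {
    tag_denied "$@" | cut -f2-
}

# Count denied requests per reason, most frequent first: "<count><TAB><reason>".
denied_summary() {
    tag_denied "$@" | cut -f1 | sort | uniq -c | sort -rn |
        awk '{ n = $1; sub(/^ *[0-9]+ /, ""); print n "\t" $0 }'
}

# Usage on the firewall (path from the post above):
#   denied_only /log/reverseproxy.log | tail -n 50
#   denied_summary /log/reverseproxy.log
# Live view of new denials only:
#   tail -f /log/reverseproxy.log | denied_only
```

Matching on the extracted field value rather than a plain `grep -v 'reason="-"'` also drops lines that have no reason field at all, so module messages do not show up as denials.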

     

  • Thank you for your time Karlos.