
Syslog Search Syntax

Hello,


I have a relatively simple question, which I am having a hard time finding the answer for both through forum searches and google.

We are new to EventSentry and currently running a test deployment with a trial license. So far so good! I have set up some basic monitoring of test servers and a few network devices via syslog. Well, today I found myself needing to leverage the power of this software for the first time.


I am attempting to track down some rogue connections through a device sending syslog to the EventSentry server. However, the logs I am looking for are at the info level. Manually scrolling through is out of the question as there are thousands of entries. My question is, how can I utilize the "message:" search functionality of EventSentry?


I have attempted the following: message:"192.168.6.27", message:[192.168.6.27], message:["192.168.6.27"] and message:192.168.6.27 - All of these searches came up blank, but I was able to find entries using my browser built-in search function.


I realize the software is using Query Parser Syntax and I have referenced THIS article for support but unfortunately neither really help in this situation.

 

Any help is appreciated!


Thank you in advance.



Best Answer

Hello,

When trying to search the message field, since your text (IP address) isn't going to match one to one, you'll have to use the wildcard, so please try:

message:*IPaddress*

Does that give you the results you were looking for?

Steven
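The following is an added illustration of the point in Steven's answer, not EventSentry's own code or query parser: a toy "field:term" matcher run over a few constructed syslog entries (sample data, not captured logs). In this model a plain or quoted term has to equal the whole field value, which is why a bare IP address comes back empty against a multi-word syslog message, while a wildcard term (`message:*192.168.6.27*`) is matched as a glob over the whole value. It also shows a caveat a practitioner should keep in mind: an unanchored wildcard around `192.168.6.27` also matches `192.168.6.270`, so including the delimiters the device writes around the address (here `:` and `/`, an assumption about the log format) tightens the search. Real EventSentry query semantics may differ; the behaviour modelled here is the exact-versus-wildcard distinction described above and nothing more.

```python
import fnmatch
import re

# Constructed sample syslog entries (not real captured data). Each has a
# "level" and a free-text "message" field, mirroring the fields the post
# is searching. The third entry has a similar-looking address on purpose.
SAMPLE_ENTRIES = [
    {"level": "info",
     "message": "Built inbound TCP connection 4101 for outside:192.168.6.27/51234 to inside:10.0.0.5/443"},
    {"level": "info",
     "message": "Teardown TCP connection 4101 for outside:192.168.6.27/51234 duration 0:00:03"},
    {"level": "info",
     "message": "Built inbound TCP connection 4102 for outside:192.168.6.270/51235 to inside:10.0.0.5/443"},
    {"level": "warning",
     "message": "Interface GigabitEthernet0/1 link up"},
]

# Hypothetical minimal query grammar: exactly one field:term pair, where the
# term is either a double-quoted phrase or a run of non-whitespace characters.
_QUERY_RE = re.compile(r'^(?P<field>\w+):(?P<term>"[^"]*"|\S+)$')


def parse_query(query):
    """Split 'field:term' into (field, term); a quoted phrase keeps its text, quotes dropped."""
    m = _QUERY_RE.match(query.strip())
    if not m:
        raise ValueError(f"unsupported query: {query!r}")
    term = m.group("term")
    if len(term) >= 2 and term.startswith('"') and term.endswith('"'):
        term = term[1:-1]
    return m.group("field"), term


def matches(entry, query):
    """Return True if the entry's field satisfies the query term."""
    field, term = parse_query(query)
    value = entry.get(field, "")
    if "*" in term or "?" in term:
        # Wildcard term: glob against the whole field value. fnmatchcase keeps
        # the comparison case-sensitive and treats '.' literally, so an IP
        # address inside '*...*' behaves like a substring search.
        return fnmatch.fnmatchcase(value, term)
    # Plain or quoted term: must equal the whole field value. A bare IP
    # address therefore never matches a multi-word syslog message.
    return value == term


def search(entries, query):
    """Return the entries matching the query, preserving their order."""
    return [e for e in entries if matches(e, query)]


if __name__ == "__main__":
    for q in ('message:"192.168.6.27"', "message:192.168.6.27",
              "message:*192.168.6.27*", "message:*:192.168.6.27/*"):
        hits = search(SAMPLE_ENTRIES, q)
        print(f"{q:32} -> {len(hits)} hit(s)")
```

The unanchored form `message:*192.168.6.27*` returns all three info entries, including the one for 192.168.6.270; anchoring on the surrounding delimiters, `message:*:192.168.6.27/*`, narrows it to the two genuine 192.168.6.27 connections. Check what characters your device actually writes around an address before relying on that narrower form.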
