Search Device Log Messages

From the Log Manager pages in WatchGuard WebCenter, you can use the Search page to refine the log messages that appear for any of your Fireboxes. You can run simple or complex search queries to find specific details in your device log messages.

There are four types of search queries that you can specify when you run a search:

  • ANY of these words — Search results include log messages with any of the words you specify.
  • ALL of these words — Search results only include log messages with all of the words you specified.
  • EXACT match of this phrase — Search results only include log messages with the exact phrase you specified.
  • NONE of these words — Search results only include log messages without any of the words you specified.

For each search query, you must specify at least one of these query types. Search queries are not case sensitive. For example, if you search for User1, the search results might include log messages with the text user1 as well as User1. For a simple search, specify one search query type. For a complex search with an AND operator, specify text to search on in more than one search query type in a single search query block. You can also use the OR operator to add another search query block and specify additional search queries. This is useful when you want to find log messages that include more than one type of event or type of log message.

After you run a search, you can export the search results to a file that you can save for later use outside of Log Manager. You can also save your search query so you can see the search results again in Log Manager.

You can start a search from two different places in Log Manager: the main Log Manager navigation menu or from the log messages page for a device.

Run a Search from the Search Page

From the main Search page, you can select the device, time range, and log type to search for. When you specify the parameters for your search queries, you can select to search for any details included in the log messages.

The Search page for your device includes one search query block by default. To run a simple search, specify the text to search on in one text box in the default search query block. To run a complex search with an AND operator, specify text to search on in more than one text box in a single search query block. To run a complex search that includes an OR operator, add another search query block. You can add up to nine search query blocks to your search, with a maximum of four AND operators per block.

To run a search from the Search page:

  1. Select LOG MANAGER > Search.
    The Search page appears with a list of all your devices with log messages on your Log Server.

Screen shot of the Search page

  1. Select a device.
    The Search page appears with the selected device in the breadcrumbs at the top of the page and one search query block.

Screen shot of the Search page for a device

  1. From the Time Range drop-down list, select the time range to include in the search, or specify a custom time range.
  2. From the Log Type drop-down list, select the type of log messages to include in the search:
    • Traffic
    • Alarm
    • Event
    • Diagnostic
    • Statistic
    • All
  3. In the search query block, type the text to search for in the text box for the type of search query to run.
    To run an AND operator search, type text to search for in more than one text box:
    • ANY of these words
    • ALL of these words
    • EXACT match of this phrase
    • NONE of these words
  4. To add an OR operator to your search, click the Add OR Operator icon.
    Another search query block appears.
  5. In the new search query block, type the text to search on.

Screen shot of the Search page with an OR Operator

  1. To remove a search query block from your search, click the Delete Query Block icon.
  2. Click the Search icon .
    The amount of time it takes the search to compete depends on the number of log messages for the device and the parameters of your search.
    A progress bar appears at the bottom of the search query parameters section of the page to indicate the status of the search.

Screen shot of the Search progress bar

The log messages page for the device is updated to include only those log messages that match the search query parameters you specified.

  1. To cancel a search, click the Search Cancel icon.

When the search is complete, the number of records included in the search results appears in the search parameter section.

  1. To remove all search query results, click the Clear icon.
    All log messages are removed from the search results section.

Run a Search from the Device Log Messages Page

If you are on the log messages page for a device, you can use the Search text box to start a search for that device.

From the log messages page for your device:

  1. In the Search text box, type the text to search for.
  2. Click the Search iconthe Search button.
    The Search page appears with the device you specified in the breadcrumbs navigation and the text you specified in the ANY of these words text box.
  3. Follow the instructions in the previous section, Run a Search from the Search Page, to complete your search query and run the search.

Export Search Results

After your search is complete, you can export your search results to a CSV file that you can download in a ZIP file. The ZIP file includes a text file with the search parameters.

From the Search page:

  1. In the search parameters section, click Export.
    The Save As dialog box appears.
  2. Specify a name for the file and a location to save the file on your computer.
  3. Click Save.

Save a Search

When you save a search, these details from your search parameters are saved:

  • Serial number or Cluster ID
  • Device name
  • Log type
  • Time range
  • Search query blocks

From the Search page for a device:

  1. Specify the parameters for a search.
  2. Click the Search icon.
    The Opening search.query dialog box appears.
  3. Select Save File and click OK.
  4. Select a location to save the file and specify a descriptive name for the file.
  5. Click Save.
    The file is saved in the location you specified.

Run a Saved Search

You can load a saved search to run the same search again.

From the Search page for a device:

  1. Click the Load icon.
    The Load Search Query dialog box appears.

Screen shot of the Load Search Query dialog box

  1. Click Browse and select a search query file.
  2. Click OK.
    The search results appear.

Change the Device

From the main Search page, you can select to search the log messages of a different device.

  1. In the breadcrumbs at the top of the Search page, click .
    The Devices list appears.
  2. Select another device.
    The new device appears in the breadcrumbs at the top of the page, but the search parameters do not change.

Screen shot of the Search page with a new device selected

  1. Click the Search icon.
    The search results appear for the new device.

See Also

View Device Log Messages

View Server Log Messages

Search Server Log Messages

See Log Messages & Reports in WebCenter

Connect to WatchGuard WebCenter

About Logging, Log Files, and Notification

About Notification

Set Up Your Log Server

Set Up Your Report Server

Give Us Feedback     Get Support     All Product Documentation     Technical Search