Log Search (FireCloud)
Applies To: FireCloud Internet Access, FireCloud Total Access
On the FireCloud Log Search page, you can create simple or complex search queries to find specific details in log messages. Log search uses WatchGuard Query Language to search FireCloud log messages stored in WatchGuard Cloud. WatchGuard stores FireCloud log messages for one year.
End-users can also see active log messages in the FireCloud connection manager, and can export these log messages to a file.
By default, log search helps you build a query: you select the log message fields and values to search for. To write the query yourself, select the Advanced search option. You might do this if you have a complex query that the basic search cannot create for you.
When you use advanced search, we recommend that you first build your query with the basic search and then switch to the advanced search and make changes.
Run a Search from the FireCloud Log Search Page
To search FireCloud log messages, in WatchGuard Cloud:
- Log in to WatchGuard Cloud.
- If you have a Service Provider account, select an account from Account Manager.
- Select Monitor > FireCloud.
- Select Log Search.
- To select the date range for log messages, click the date range icon.
- To repeat a recent search, in the Recent Log Searches section, click a query.
- To specify which type of log messages to search, select the search bar and, from the Log Search drop-down list, select General or Security Services.
- In the Security Services and Log Message Fields sections, click Add Field to specify which log message fields to search. You must select a log message field and specify a value or string to search that log message field for. For log message fields that have specific values, such as Allow or Deny, you select the applicable value from the drop-down list.
- After the field name, type the search query text.
To search for a partial word, you must include the wildcard character * at the end of the partial word. For more information about how to create a query, go to WatchGuard Query Language.
Your query can include any field name that shows in a FireCloud log message.
WatchGuard Cloud does not support wildcard searches for all fields and all log message types. You must select a log message type and include a field name when you want to use a wildcard character.
- To run the search, press Enter or click Search.
The page updates to show log messages that match your search query.
FireCloud Log Messages
FireCloud log messages consist of a number of fields separated by commas. Each field contains specific information about an event, and can include a field name and a value.
For example, in FireCloud log search results, a log message could look like this:
disp=allow, d=2024-04-30 08:02:43, wgc_client_id=test1, wgc_policy_id=fwnpl_firewan_wVAjUuMf7EwBOw, proto=tcp, src_ip=10.20.133.104, src_port=57628, dst_ip=108.156.172.123, dst_port=443, dst_host=atlas.ngtv.io, http_uri=/v2/locate, http_method=OPTIONS, sent=498, rcvd=699, took=19, log_type=tr, geo_dst=USA, app_cat=Web services, app_cat_id=14, app_name=Google Chrome, app_id=8, url_cat=Business and Economy
In a log message, an equals sign (=) separates field names and values. In a Log Search query, you use a colon (:) to separate field names and values.
WatchGuard Query Language
You can use WatchGuard Query Language to build simple or complex searches of your FireCloud log messages. For the best results, include a field name that shows in a FireCloud log message.
Your query can include:
- Field names — Specify the field name that shows in the FireCloud log message. This is required for all searches that include logs from more than 10 days ago.
- Search terms — After you type or select a field name, specify the values to search for.
- Wildcard Characters — Match any number of characters. You must use the * wildcard character to search for a partial word in log messages.
- Search Operators — Specify how each search term expands or restricts the search.
- Parentheses — Specify the order of operations in a query that contains multiple search operators.
The sections below explain these elements in more detail.
Field Names
We strongly recommend that your query includes a field name that shows in a FireCloud log message. If your search includes log messages from more than 10 days ago, a list of suggested field name searches shows in the page.
The available field names depend on the type of log messages you select.
Search Terms
Your query can include one or more search terms.
- Search terms are not case-sensitive. For example, if your query specifies User1, the search results might include log messages with the text user1 as well as User1.
- If your search term includes a space, the space is considered part of the text to search for.
- You must use the * wildcard character to find a partial word in log messages. For example, to find log messages from a user whose name begins with an "A", search for "src_user:a*".
- For best results, each search term should include a field name and a value. Specify the field name and the value to find. Field names are always lowercase. For example, src_ip:10.0.10.1.
- If your query uses specific terms such as “bovpn”, “ssl”, “auth”, “virus”, or “ips”, and no results return, try searching for those terms within the msg field. For example, to find "auth" events in a message, search for msg:*auth*. For additional examples, go to Example Queries.
Wildcard Characters
Search terms support the * wildcard character, which matches any number of characters in a log message field.
- Search terms without a field name support central and trailing wildcard characters only. Leading wildcard characters are not supported.
- Search terms that include a field name support leading, central, and trailing wildcard characters.
- The entire search query can contain a maximum of four wildcard characters.
Search Operators
In your query, you can specify one or more items to find, separated by one of these search operators:
- OR — Expands the search. Search results include log messages that contain either one or both items.
- AND — Narrows the search. Search results include only log messages that contain both items.
- NOT — Narrows the search. Search results exclude log messages that contain this term. If this is not the first term in the search, you must precede it with AND or OR.
Search operators must be uppercase.
Parentheses
In a query with multiple search operators, you can use parentheses to group items you want to evaluate first. You can use one level of parentheses to group items within a query. For example, disp:allow AND (dst_ip:10.0.10.2 OR dst_ip:10.0.10.3)
Example Queries
When you create a search, start with simple partial query searches and then expand the search criteria, if necessary.
Find log messages where FireCloud denied traffic for any destination host:
dst_host:* AND disp:deny*
Find log messages where FireCloud denied traffic for the user [email protected]:
wgc_client_id:[email protected] AND disp:deny
Find log messages where the access rule name is Default, and where the destination IP address is not 8.8.8.8:
policy:Default AND NOT dst_ip:8.8.8.8
When search results are too large, WatchGuard Cloud does not return results. Reduce the time range or enter more specific search criteria.
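To make the log message format and the query rules above concrete, here is an added example (not WatchGuard's own code, and not the real search back end) that parses comma-separated `name=value` log messages into dictionaries and evaluates query strings against them with the rules this page states: `field:value` terms, case-insensitive matching, `*` wildcards (no leading wildcard without a field name, at most four per query), uppercase `AND`/`OR`/`NOT`, and one level of parentheses. The first sample line is the log message shown earlier; the two deny lines, their `policy` field and the example.com client id are constructed for the example. Two things the page does not specify are assumed: NOT binds tighter than AND, which binds tighter than OR, and a term without a field name is tested against every field value.

```python
"""Offline FireCloud log parser + WatchGuard Query Language style evaluator (added example)."""
import re

MAX_WILDCARDS = 4    # the page: a query may contain at most four * characters
MAX_PAREN_DEPTH = 1  # the page: one level of parentheses is supported

# First line: the sample from the page. The next two are constructed (policy field, client id assumed).
SAMPLE_LOG_LINES = [
    "disp=allow, d=2024-04-30 08:02:43, wgc_client_id=test1, wgc_policy_id=fwnpl_firewan_wVAjUuMf7EwBOw, "
    "proto=tcp, src_ip=10.20.133.104, src_port=57628, dst_ip=108.156.172.123, dst_port=443, "
    "dst_host=atlas.ngtv.io, http_uri=/v2/locate, http_method=OPTIONS, sent=498, rcvd=699, took=19, "
    "log_type=tr, geo_dst=USA, app_cat=Web services, app_cat_id=14, app_name=Google Chrome, app_id=8, "
    "url_cat=Business and Economy",
    "disp=deny, d=2024-04-30 08:05:10, wgc_client_id=user1@example.com, policy=Default, "
    "proto=udp, src_ip=10.20.133.104, dst_ip=8.8.8.8, dst_port=53, dst_host=dns.google",
    "disp=deny, d=2024-04-30 08:06:42, wgc_client_id=user1@example.com, policy=Default, "
    "proto=tcp, src_ip=10.20.133.104, dst_ip=10.0.10.3, dst_port=443, dst_host=files.example.net",
]

def parse_log(line):
    """Split a comma-separated `name=value` FireCloud log message into a dict."""
    fields = {}
    for part in line.split(", "):
        name, _, value = part.partition("=")
        fields[name.strip()] = value.strip()
    return fields

SAMPLE_MESSAGES = [parse_log(line) for line in SAMPLE_LOG_LINES]

# Operators count only in uppercase (as the page requires); any other run of non-space characters is a term.
TOKEN_RE = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bNOT\b|[^\s()]+")

def wildcard_match(pattern, value):
    """Case-insensitive whole-value match; * stands for any run of characters."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def match_term(term, msg):
    """`field:value` tests one field; a bare term is tested against every value (assumption)."""
    if ":" in term:
        field, value = term.split(":", 1)
        return field in msg and wildcard_match(value, msg[field])
    return any(wildcard_match(term, v) for v in msg.values())

def parse_query(query):
    """Build a tuple tree: ("TERM", t), ("NOT", x), ("AND"|"OR", x, y).
    Precedence NOT > AND > OR is an assumption; the page only says parentheses set the order."""
    if query.count("*") > MAX_WILDCARDS:
        raise ValueError(f"a query may contain at most {MAX_WILDCARDS} wildcards")
    tokens = TOKEN_RE.findall(query)
    peek = lambda: tokens[0] if tokens else None

    def binary(op, operand, depth):
        node = operand(depth)
        while peek() == op:
            tokens.pop(0)
            node = (op, node, operand(depth))
        return node
    def and_expr(depth): return binary("AND", unary, depth)
    def or_expr(depth): return binary("OR", and_expr, depth)

    def unary(depth):
        if peek() == "NOT":
            tokens.pop(0)
            return ("NOT", unary(depth))
        tok = tokens.pop(0) if tokens else None
        if tok == "(":
            if depth >= MAX_PAREN_DEPTH:
                raise ValueError("only one level of parentheses is supported")
            node = or_expr(depth + 1)
            if not tokens or tokens.pop(0) != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok is None or tok in (")", "AND", "OR"):
            raise ValueError("expected a search term")
        if ":" not in tok and tok.startswith("*"):
            raise ValueError("a leading wildcard needs a field name")
        return ("TERM", tok)

    tree = or_expr(0)
    if tokens:  # e.g. a NOT that is not preceded by AND or OR
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return tree

def evaluate(node, msg):
    kind = node[0]
    if kind == "TERM":
        return match_term(node[1], msg)
    if kind == "NOT":
        return not evaluate(node[1], msg)
    left, right = evaluate(node[1], msg), evaluate(node[2], msg)
    return (left and right) if kind == "AND" else (left or right)

def search(query, messages):
    """Return the messages that satisfy the query, in their original order."""
    tree = parse_query(query)
    return [m for m in messages if evaluate(tree, m)]

def query_error(query):
    """Return the validation error for a query, or None when it parses."""
    try:
        parse_query(query)
    except ValueError as exc:
        return str(exc)
    return None
```

Running `search("policy:Default AND NOT dst_ip:8.8.8.8", SAMPLE_MESSAGES)` returns only the third sample message, and `query_error("((disp:deny))")` reports the nested parentheses; the page's example queries (with an example.com client id in place of the redacted one) all parse and behave as the text describes. Because matching is case-insensitive and a bare `*` after a field name matches any value, `dst_host:*` works as a presence test, which is the way the first example query uses it.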