Log Search (WatchGuard Cloud)

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

On the WatchGuard Cloud Log Search page for a device or folder, you can create simple or complex search queries to find specific details in the log messages. Log search uses WatchGuard Query Language to search log messages stored in WatchGuard Cloud. After you run a search, you can export the search results to a file that you can save for later use outside of WatchGuard Cloud.

Run a Search from the Log Search Page

Fireboxes can send several types of log messages for events that occur on the Firebox. The log messages types are Traffic, Alarm, Event, Debug, and Statistic. For information about log message types, see Types of Log Messages.

WatchGuard Cloud stores diagnostic log messages sent by a Firebox, but they are not visible in Log Manager or Log Search. If you need to troubleshoot an issue, you can request these diagnostic log messages from WatchGuard Technical Support.

In Fireware v12.5.4 and higher, the Firebox sends diagnostic log messages to WatchGuard Cloud only when Support Access is enabled. For more information, see Support Access to Your Firebox.

To search log messages in WatchGuard Cloud:

  1. Log in to WatchGuard Cloud.
  2. Select Monitor > Devices.
  3. Select a folder or device.
  4. To select the date range for log messages, click .
  1. From the list of reports, select Logs > Log Search.
    The Log Search page opens for the selected device.

    Screenshot of the Log Search page with recent log searches and example searches

  1. To specify which type of log messages to include in the search, from the drop-down list at the right side of the page, select the log message type (Traffic Logs, Alarm Logs, Event Logs, or Statistic Logs). To search all log message types, select All Logs.
  2. To repeat a recent search, in the Recent Log Searches section, click a query.
  3. In the Search text box, type the name of a log message field, followed by a colon, or to select a field name from a list, click .
  4. After the field name, type the search query text.
    To search for a partial word, you must include the wildcard * at the end of the partial word. For more information about how to create a query, see WatchGuard Query Language.

Your query can include any field name that shows in a Firebox log message. For more information about some of the log messages generated by your Firebox, see the WatchGuard Log Catalog, available on the Product Documentation page.

WatchGuard Cloud does not support wildcard searches across all fields and all log message types. You must select a log message type and include a field name when you want to use a wildcard.

  1. To run the search, press Enter or click .
    The page updates to show the log messages for the selected device or devices that match your search query. If you selected a folder, a Device column shows in the results. If you selected a FireCluster, Device and Serial Number columns show in the results.

If the search criteria are too broad, after 30 seconds, partial results are shown. You must reduce the time range or enter more specific search criteria.

If you select a date or date range that includes log messages from more than 10 days ago, a notification message appears. To receive a notification when the search completes, click Notify Me.


Firebox Log Messages

Firebox log messages consist of a number of fields separated by commas. Each field contains specific information about an event, and can include a field name and a value. For more information about Firebox log messages, see Read a Log Message.

For example, in WatchGuard Cloud log search results, a log message could look like this:

FWAllowEnd, disp=Allow, pri=6, policy=Any From Firebox-00, protocol=dns/udp, src_ip=127.0.0.1, src_port=57844, dst_ip=124.0.0.1, dst_port=53, src_intf=Firebox, rc=106, duration=180, rcvd_bytes=410, sent_bytes=156, 3000-0151

In a log message, an equals sign (=) separates field names and values. In a Log Search query, you use a colon (:) to separate field names and values.

WatchGuard Query Language

You can use WatchGuard Query Language to build simple or complex searches of your Firebox log messages. For the best results, include a field name that shows in a Firebox log message. To select the field name from a list, in the search text box, click .

Your query can include:

  • Field names — Specify the field name that shows in the Firebox log message. This is required for all searches for a Firebox with Basic Security Suite. It is also required for searches for a Firebox with Total Security Suite that include logs from more than 10 days ago.
  • Search terms — After you type or select a field name, specify the values to search for.
  • Wildcards — Match any number of characters. You must use the * wildcard to search for a partial word in log messages.
  • Operators — Specify how each search term expands or restricts the search.
  • Parentheses — Specify the order of operations in a query that contains multiple operators.

The sections below explain these elements in more detail.

Field Names

We strongly recommend that your query includes a field name that shows in a Firebox log message. If your search includes log messages from more than 10 days ago, or if your search is for log messages from a Firebox with Basic Security Suite and you do not include a field name, a list of suggested field name searches shows in the page.

Screenshot of the Log Search page with search assistance

The available field names depend on the type of log messages you select. For a full list of available field names for the selected log type, in the search text box, click .

Search Terms

Your query can include one or more search terms.

  • Search terms are not case-sensitive. For example, if your query specifies User1, the search results might include log messages with the text user1 as well as User1.
  • If your search term includes a space, the space is considered part of the text to search for.
  • You must use the * wildcard to find a partial word in log messages. For example, to find log messages from a user whose name begins with an "A", search for "src_user:a*".
  • For best results, each search term should include a field name and a value. Specify the field name and the value to find. Field names are always lowercase. For example, src_ip:10.0.10.1.
  • If your query uses specific terms such as “bovpn”, “ssl”, “auth”, “virus”, or “ips”, and no results return, try to find those events as part of the message. For example, to find "auth" events in a message, search for msg:*auth*. For additional examples, go to Example Queries.

Wildcards

Search terms support the * wildcard, which matches any number of characters in a log message field.

  • Search terms without a field name support central and trailing wildcards only. Leading wildcards are not supported.
  • Search terms that include a field name support leading, central, and trailing wildcards.
  • The entire search query can contain a maximum of four wildcards.

Operators

In your query, you can specify one or more items to find, separated by one of these operators:

  • OR — Expands the search. Search results include log messages that contain either one or both items.
  • AND — Narrows the search. Search results include only log messages that contain both items.
  • NOT — Narrows the search. Search results exclude log messages that contain this term. If this is not the first term in the search, you must precede it with AND or OR.

Search operators must be uppercase.

Parentheses

In a query with multiple operators, you can use parentheses to group items you want to evaluate first. You can use one level of parentheses to group items within a query. For example, disp:allow AND (dst_ip:10.0.10.2 OR dst_ip:10.0.10.3)

Example Queries

When you create a search, start with simple partial query searches and then expand the search criteria, if needed.

The log message type filter is set to Traffic Logs by default. To search all log messages, select All Logs.

Find a FQDN in log messages:

dstname:www.example.net

Find event log messages where the msg: field includes a virus event:

msg:*virus*

Find event log messages with an SSL VPN authentication event:

msg:*auth*

Find event log messages where the msg: field includes a BOVPN up or down (rekey) event:

msg:*bovpn*

Find event log messages where the msg: field value starts with the text DHCP:

msg:DHCP*

Find event log messages where the msg: field value starts with the text DHCP and contains the mac address : ac:00:bb:cc:dd:ee

msg:DHCP*ac:00:bb:cc:dd:ee*

Find log messages with APT events:

msg:APT*

Find log messages where the policy name begins with outgoing:

policy:outgoing*

Find log messages where the policy name is Unhandled External Packet-00:

policy:unhandled external packet-00

Find log messages where the policy name begins with unhandled, and where the destination IP address is not 255.255.255.255:

policy:unhandled* AND NOT dst_ip:255.255.255.255

Find log messages that contain the exact value http/tcp or https/tcp in the protocol field:

pr:http/tcp OR pr:https/tcp

Find log messages where the source IP address is 10.0.2.1:

src_ip:10.0.2.1

Find log messages where the source IP address is on the 10.168.150.0/24 network:

src_ip:>10.168.150.0 AND src_ip:<10.168.150.255

Find log messages where the source IP address is on the 10.0.2.0/24 or 10.0.1.0/24 networks and the destination FQDN is Microsoft:

dstname:microsoft* AND (src_ip:10.0.2.* OR src_ip:10.0.1.*)

When search results are too large, WatchGuard Cloud does not return results. You should reduce the time range or enter more specific search criteria.

Export Search Results

After your search completes, you can export the search results to a .CSV file that you can download in a .ZIP file. The .ZIP file contains the .CSV file with the search results and a text file with the search parameters.

The .CSV file can include up to 20,000 log messages. The time zone that shows in the .CSV file is the local time on the client computer, not UTC time.

To export search results from the Log Search page:

  1. Above the search parameters section, click the CSV icon .
  2. If the file does not download automatically, select to open or save the file.

Related Topics

Log Manager (WatchGuard Cloud)

WatchGuard Cloud Device Reports List