Log Search (WatchGuard Cloud)

From the WatchGuard Cloud Log Search page for a device, you can create simple or complex search queries to find specific details in the log messages. Log search uses WatchGuard Query Language to search log messages stored in WatchGuard Cloud. After you run a search, you can export the search results to a file that you can save for later use outside of WatchGuard Cloud.

Run a Search from the Log Search Page

Fireboxes can send several types of log messages for events that occur on the Firebox. The log message types are Traffic, Alarm, Event, Debug, and Statistic. For information about log message types, see the WatchGuard Log Catalog, available on the Firebox Documentation page.

To search log messages in WatchGuard Cloud:

  1. Log in to WatchGuard Cloud.
  2. Select Monitor > Fireboxes.
    The Device Manager page appears.
  3. From the Device Manager list, select a device.
  4. To select the date range for log messages, click the Calendar icon.
  5. From the list of reports, select Logs > Log Search.
    The Log Search page appears for the selected device.

    Screen shot of the Log Search page

  6. To specify which type of log messages to include in the search, from the drop-down list at the right side of the page, select the log message type.
  7. In the Search text box, type the search query. To select a log message field name from a list, type a space or click the icon next to the Search text box. For more information about how to create a query, see WatchGuard Query Language.

The drop-down list of fields does not include every field that could appear in a log message. Your query can include any field name that appears in a Firebox log message.

  8. To run the search, press Enter or click the Search icon.
    The page updates to show the log messages that match your search query.

    Screen shot of the Log Search results

Firebox Log Messages

Firebox log messages consist of a number of fields separated by commas. Each field contains specific information about an event, and can include a field name and a value. For more information about Firebox log messages, see Read a Log Message.

For example, in WatchGuard Cloud, a log message could look like this:

FWDeny, Denied, disp=Deny, pri=4, policy=Unhandled External Packet-00, protocol=25536/udp, src_ip=192.168.41.58, src_port=25536, dst_ip=255.255.255.255, dst_port=25536, src_intf=0-External, dst_intf=Firebox, rc=101, pckt_len=208, ttl=128, 3000-0148

In a log message, field names and values are separated by an equals sign (=). In a Log Search query, you use a colon (:) to separate field names and values.

WatchGuard Query Language

You can use WatchGuard Query Language to build simple or complex searches of your Firebox log messages. Your query can include:

  • Search terms — specify the fields to search and the values to search for
  • Wildcards — match any number of characters
  • Operators — specify how each search term expands or restricts the search
  • Parentheses — specify the order of operations in a query that contains multiple operators

Each of these is explained in more detail in the sections below.

Search Terms

Your query can include one or more search terms.

  • Search terms are not case-sensitive. For example, if your query specifies User1, the search results might include log messages with the text user1 as well as User1.
  • If your search term includes a space, the space is considered part of the text to search for.
  • All search terms support CIDR notation to match IP addresses on a network. For example, you could specify 10.0.1.0/24 to find log messages that include an IP address on that network.
  • Each search term can be a single value, or can include a field name and a value.
  • To find a value in any log message field, specify the value without a field name. For example, http*.
  • To find a value in a specific log message field, specify the field name and the value to find. Field names are always lower-case. For example, src_ip:10.0.10.1.

Wildcards

Search terms support the * wildcard, which matches any number of characters in a log message field.

  • Search terms without a field name support central and trailing wildcards only. Leading wildcards are not supported.
  • Search terms that include a field name support leading, central, and trailing wildcards.
  • The entire search query can contain a maximum of four wildcards.

Operators

In your query, you can specify one or more items to find, separated by one of these operators:

  • OR — Expands the search. Search results include log messages that contain either one or both items.
  • AND — Narrows the search. Search results include only log messages that contain both items.
  • NOT — Narrows the search. Search results exclude log messages that contain this term. If this is not the first term in the search, you must precede it with AND or OR.

Search operators must be uppercase.

Parentheses

In a query with multiple operators, you can use parentheses to group items you want to evaluate first. You can use one level of parentheses to group items within a query. For example, disp:allow AND (dst_ip:10.0.10.2 OR dst_ip:10.0.10.3)

Escape Special Characters

WatchGuard Query Language syntax uses the colon (:) to separate field names and values. To specify a value that contains a colon, such as a MAC address, precede each colon with a backslash (\).

Example Queries

Find log messages that contain the text DNS in any field:

DNS

Find log messages where the policy name begins with outgoing:

policy:outgoing*

Find log messages that contain the MAC address ac:00:bb:cc:dd:ee in any field:

ac\:00\:bb\:cc\:dd\:ee

Find log messages where the policy name is Unhandled External Packet-00:

policy:unhandled external packet-00

Find log messages where the FQDN name starts with watch and ends with .com:

fqdn_dst_match:watch*.com

Find log messages where the policy name begins with unhandled, and where the destination IP address is not 255.255.255.255:

policy:unhandled* AND NOT dst_ip:255.255.255.255

Find log messages that contain the exact value http/tcp or https/tcp in any field:

http/tcp OR https/tcp

Find log messages where the source IP address is 10.0.2.1 and application name contains the value google:

src_ip:10.0.2.1 AND app_name:*google*

Find log messages where any field value starts with the text microsoft and where the source IP address is on the 10.0.2.0/24 or 10.0.1.0/24 networks:

microsoft* AND (src_ip:10.0.2.0/24 OR src_ip:10.0.1.0/24)
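As an added example (not WatchGuard code and not part of the original page), the following Python matcher parses a Firebox log message into fields and evaluates a query written in the syntax described above against it: field terms separated by a colon, backslash-escaped colons, the * wildcard, CIDR terms, uppercase AND, OR and NOT evaluated left to right, and one level of parentheses. It assumes that a term without a wildcard must match a whole field value, as the http/tcp example suggests, and it does not enforce the four-wildcard or leading-wildcard limits; how WatchGuard Cloud evaluates queries beyond what this page states is not documented here.

```python
import ipaddress
import re

# Constructed sample input: the Firebox log message quoted on this page.
SAMPLE_LOG = ("FWDeny, Denied, disp=Deny, pri=4, policy=Unhandled External Packet-00, protocol=25536/udp, src_ip=192.168.41.58, "
              "src_port=25536, dst_ip=255.255.255.255, dst_port=25536, src_intf=0-External, dst_intf=Firebox, rc=101, pckt_len=208, ttl=128, 3000-0148")

def parse_log(line):
    """Split a Firebox log message on ', ' into (field, value) pairs; a part without '=' gets field None."""
    return [(k.lower(), v) if sep else (None, k) for k, sep, v in (p.partition("=") for p in line.split(", "))]

def _in_net(text, net):
    try:
        return ipaddress.ip_address(text) in net
    except ValueError:  # not an IP address (e.g. "deny" or "4"), so it cannot be on the network
        return False

def term_matches(term, fields):
    """One term: optional lower-case field name before ':', '\\:' for a literal colon, '*' wildcard, CIDR for IPs."""
    field, value = re.fullmatch(r"(?:([a-z0-9_]+):)?(.*)", term).groups()
    value = value.replace("\\:", ":").lower()  # terms are case-insensitive; compared against whole field values
    candidates = [v.lower() for f, v in fields if field is None or f == field]
    if "/" in value:  # CIDR such as 10.0.1.0/24; a non-network such as http/tcp falls through to text matching
        try:
            return any(_in_net(c, ipaddress.ip_network(value, strict=False)) for c in candidates)
        except ValueError:
            pass
    pattern = re.escape(value).replace(r"\*", ".*")
    return any(re.fullmatch(pattern, c) for c in candidates)

def evaluate(query, fields):
    """Left-to-right evaluation (no AND-over-OR precedence assumed). The query is split on uppercase
    AND/OR/NOT and parentheses, not on whitespace, because a space inside a search term is part of it."""
    tokens = [t.strip() for t in re.split(r"(\(|\)|\bAND\b|\bOR\b|\bNOT\b)", query) if t.strip()]
    result, op, negate, i = None, "OR", False, 0
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if tok in ("AND", "OR"):
            op = tok
        elif tok == "NOT":
            negate = True
        else:
            if tok == "(":  # one level of grouping: evaluate the group's tokens first as a query of their own
                close = tokens.index(")", i)
                val, i = evaluate(" ".join(tokens[i:close]), fields), close + 1
            else:
                val = term_matches(tok, fields)
            val, negate = val != negate, False  # apply a pending NOT, then clear it
            result = val if result is None else (result and val if op == "AND" else result or val)
    return bool(result)
```

Against the sample line, the query policy:unhandled* AND NOT dst_ip:255.255.255.255 evaluates to False, because the destination is the broadcast address that the query excludes.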

Export Search Results

After your search completes, you can export the search results to a CSV file that you can download in a ZIP file. The ZIP file contains the CSV file with the search results and a text file with the search parameters.

To export search results from the Log Search page:

  1. Above the search parameters section, click the CSV icon.
  2. If the file does not download automatically, select to open or save the file.

See Also

Log Manager (WatchGuard Cloud)

WatchGuard Cloud Device Reports
