On the WatchGuard Cloud Log Search page for a device or folder, you can create simple or complex search queries to find specific details in the log messages. Log search uses WatchGuard Query Language to search log messages stored in WatchGuard Cloud. After you run a search, you can export the search results to a file that you can save for later use outside of WatchGuard Cloud.
Fireboxes can send several types of log messages for events that occur on the Firebox. The log message types are Traffic, Alarm, Event, and Statistic. For information about log message types, see the WatchGuard Log Catalog, available on the Firebox Documentation page.
WatchGuard Cloud stores diagnostic log messages sent by a Firebox, but they are not visible in Log Manager or Log Search. If you need to troubleshoot an issue, you can request these diagnostic log messages from WatchGuard Technical Support.
In Fireware v12.5.4 and higher, the Firebox sends diagnostic log messages to WatchGuard Cloud only when Support Access is enabled. For more information, see Enable Support Access.
To search log messages in WatchGuard Cloud:
- Log in to WatchGuard Cloud.
- Select Monitor > Devices.
- Select a folder or device.
- To select the date range for log messages, click the date range selector.
- From the list of reports, select Logs > Log Search.
The Log Search page opens for the selected device.
- To specify which type of log messages to include in the search, from the drop-down list at the right side of the page, select the log message type. To search all log message types, select All Logs.
- In the Search text box, type the search query. To select a log message field name from a list, type a space or click the field selector. To search for a partial word, you must include the wildcard * at the end of the partial word. For more information about how to create a query, see WatchGuard Query Language.
The drop-down list of fields does not include every field that could appear in a log message. Your query can include any field name that shows in a Firebox log message.
WatchGuard Cloud does not support a wildcard search across all fields and all log types at the same time. If you want to use a wildcard, you must select a log message type and a field.
- To run the search, press Enter or click the search icon.
The page updates to show the log messages that match your search query. Terms that match the search query are shown in bold. If the search criteria are too broad, partial results are shown after 30 seconds; in that case, reduce the time range or enter more specific search criteria.
Firebox Log Messages
Firebox log messages consist of a number of fields separated by commas. Each field contains specific information about an event, and can include a field name and a value. For more information about Firebox log messages, see Read a Log Message.
For example, in WatchGuard Cloud log search results, a log message could look like this:
FWDeny, Denied, disp=Deny, pri=4, policy=Unhandled External Packet-00, protocol=25536/udp, src_ip=192.168.41.58, src_port=25536, dst_ip=255.255.255.255, dst_port=25536, src_intf=0-External, dst_intf=Firebox, rc=101, pckt_len=208, ttl=128, 3000-0148
In a log message, field names and values are separated by an equals sign (=). In a Log Search query, you use a colon (:) to separate field names and values.
WatchGuard Query Language
You can use WatchGuard Query Language to build simple or complex searches of your Firebox log messages. Your query can include:
- Search terms — Specify the fields to search and the values to search for.
- Wildcards — Match any number of characters. You must use the * wildcard to search for a partial word in log messages.
- Operators — Specify how each search term expands or restricts the search.
- Parentheses — Specify the order of operations in a query that contains multiple operators.
Each of these is explained in more detail in the sections below.
Search Terms
Your query can include one or more search terms.
- Search terms are not case-sensitive. For example, if your query specifies User1, the search results might include log messages with the text user1 as well as User1.
- If your search term includes a space, the space is considered part of the text to search for.
- You must use the * wildcard to find a partial word in log messages. For example, to find log messages about a virus name that begins with "eicar", search for "virus:eicar*".
- All search terms support CIDR notation to match IP addresses on a network. For example, you could specify 10.0.1.0/24 to find log messages that include an IP address on that network.
- Each search term can be a single value, or can include a field name and a value.
- To find a value in any log message field, specify the value without a field name. For example, http*.
- To find a value in a specific log message field, specify the field name and the value to find. Field names are always lower-case. For example, src_ip:10.0.10.1.
Wildcards
Search terms support the * wildcard, which matches any number of characters in a log message field.
- Search terms without a field name support central and trailing wildcards only. Leading wildcards are not supported.
- Search terms that include a field name support leading, central, and trailing wildcards.
- The entire search query can contain a maximum of four wildcards.
Operators
In your query, you can specify one or more items to find, separated by one of these operators:
- OR — Expands the search. Search results include log messages that contain either one or both items.
- AND — Narrows the search. Search results include only log messages that contain both items.
- NOT — Narrows the search. Search results exclude log messages that contain this term. If this is not the first term in the search, you must precede it with AND or OR.
Search operators must be uppercase.
Parentheses
In a query with multiple operators, you can use parentheses to group items you want to evaluate first. You can use one level of parentheses to group items within a query. For example:
disp:allow AND (dst_ip:10.0.10.2 OR dst_ip:10.0.10.3)
Escape Special Characters
WatchGuard Query Language syntax uses the colon (:) to separate field names and values. To specify a value that contains a colon, such as a MAC address, precede each colon in the value with a backslash (\). For example, mac:ac\:00\:bb\:cc\:dd\:ee
Log Search Examples
The log message type filter is set to Traffic Logs by default. To search all log message types, select All Logs.
Find event log messages where the msg: field value starts with the text DHCP:
msg:DHCP*
Find event log messages where a field value starts with the text DHCP and contains the MAC address ac:00:bb:cc:dd:ee (the colons must be escaped in the query):
DHCP* AND ac\:00\:bb\:cc\:dd\:ee
Find log messages where a field value starts with DNS, in any field:
DNS*
Find log messages where the policy name begins with outgoing:
policy:outgoing*
Find log messages where the mac: field value starts with ac:00:bb:cc:
mac:ac\:00\:bb\:cc\:*
Find log messages where the policy name is Unhandled External Packet-00:
policy:unhandled external packet-00
Find log messages where the FQDN name starts with watch and ends with .com:
Find log messages where the policy name begins with unhandled and the destination IP address is not 255.255.255.255:
policy:unhandled* AND NOT dst_ip:255.255.255.255
Find log messages that contain the exact value http/tcp or https/tcp in any field:
http/tcp OR https/tcp
Find log messages where the source IP address is 10.0.2.1 and the application name contains the value google:
src_ip:10.0.2.1 AND app_name:*google*
Find log messages where any field value starts with the text microsoft and where the source IP address is on the 10.0.2.0/24 or 10.0.1.0/24 networks:
microsoft* AND (src_ip:10.0.2.0/24 OR src_ip:10.0.1.0/24)
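As an added example (this is not WatchGuard's own code or a description of how WatchGuard Cloud is implemented), the following Python script parses Firebox-style log messages into fields, as described under Firebox Log Messages, and evaluates WatchGuard Query Language-style queries over them, applying the rules above: case-insensitive whole-value matching, * wildcards (leading wildcards only with a field name, at most four per query), \: escaping for values that contain colons, CIDR terms, uppercase AND/OR/NOT with NOT required to follow AND or OR when it is not the first term, and one level of parentheses. The sample log lines are constructed, not real captures; the precedence used when a query mixes AND and OR without parentheses (AND binds tighter) is an assumption, which is one reason to use parentheses as the page recommends.

```python
"""Toy evaluator for WatchGuard Query Language style searches over Firebox log lines."""
import ipaddress
import re

OPS = {"(", ")", "AND", "OR", "NOT"}
# Operators must be uppercase and standalone; anything else is term text.
TOKEN = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bNOT\b|[^\s()]+")

# Constructed sample log messages in Firebox format (not real captures).
SAMPLE_LOGS = [
    "FWDeny, Denied, disp=Deny, pri=4, policy=Unhandled External Packet-00, "
    "protocol=25536/udp, src_ip=192.168.41.58, src_port=25536, dst_ip=255.255.255.255, "
    "dst_port=25536, src_intf=0-External, dst_intf=Firebox, rc=101, pckt_len=208, ttl=128, 3000-0148",
    "FWAllow, Allowed, disp=Allow, pri=6, policy=Outgoing-00, protocol=https/tcp, src_ip=10.0.2.1, "
    "src_port=51000, dst_ip=203.0.113.10, dst_port=443, src_intf=1-Trusted, dst_intf=0-External, "
    "app_name=Google Search, 3000-0150",
    "FWAllow, Allowed, disp=Allow, pri=6, policy=Outgoing-00, protocol=http/tcp, src_ip=10.0.1.7, "
    "src_port=51001, dst_ip=198.51.100.5, dst_port=80, src_intf=1-Trusted, dst_intf=0-External, 3000-0150",
    "msg=DHCP ACK sent to client, mac=ac:00:bb:cc:dd:ee, ip=10.0.2.1, 3000-0200",
]


def parse_log(line):
    """Split a comma-separated Firebox log message into {field: value}.
    Tokens without '=' (message name, log ID) are kept in the '_text' list."""
    fields = {"_text": []}
    for tok in line.split(", "):
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key.strip()] = value.strip()
        else:
            fields["_text"].append(tok.strip())
    return fields


def tokenize(query):
    """Consecutive plain words merge into one term: a space inside a term is part of it."""
    out = []
    for tok in TOKEN.findall(query):
        if tok in OPS or not out or out[-1] in OPS:
            out.append(tok)
        else:
            out[-1] = out[-1] + " " + tok
    return out


def compile_term(term):
    """Build a predicate for one [field:]value term with wildcards, \\: escapes and CIDR."""
    m = re.match(r"^([A-Za-z0-9_]+):(.*)$", term)  # first unescaped colon splits field:value
    field, value = (m.group(1).lower(), m.group(2)) if m else (None, term)
    if field is None and value.startswith("*"):
        raise ValueError("leading wildcard requires a field name: " + term)
    value = value.replace("\\:", ":")  # mac:ac\:00\:bb... -> literal colons
    net = None
    if "/" in value and "*" not in value:
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            net = None  # e.g. http/tcp is a plain literal, not a network
    pattern = re.compile(".*".join(re.escape(p) for p in value.split("*")), re.IGNORECASE)

    def candidates(fields):
        if field is not None:
            return [fields[field]] if field in fields else []
        return fields["_text"] + [v for k, v in fields.items() if k != "_text"]

    def match(fields):
        for v in candidates(fields):
            if net is not None:
                try:
                    if ipaddress.ip_address(v) in net:
                        return True
                except ValueError:
                    continue
            elif pattern.fullmatch(v):
                return True
        return False
    return match


class Parser:
    """Recursive descent: OR < AND < NOT (precedence without parentheses is an assumption)."""
    def __init__(self, query):
        self.toks, self.pos, self.depth = tokenize(query), 0, 0
        if sum(t.count("*") for t in self.toks if t not in OPS) > 4:
            raise ValueError("a query may contain at most four wildcards")

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:  # e.g. "a NOT b": NOT must follow AND or OR
            raise ValueError("unexpected token: " + self.peek())
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "OR":
            self.pos += 1
            node = (lambda l, r: lambda f: l(f) or r(f))(node, self.and_expr())
        return node

    def and_expr(self):
        node = self.unary()
        while self.peek() == "AND":
            self.pos += 1
            node = (lambda l, r: lambda f: l(f) and r(f))(node, self.unary())
        return node

    def unary(self):
        if self.peek() == "NOT":
            self.pos += 1
            inner = self.unary()
            return lambda f: not inner(f)
        return self.atom()

    def atom(self):
        tok = self.peek()
        if tok is None or tok in (")", "AND", "OR"):
            raise ValueError("expected a search term")
        self.pos += 1
        if tok == "(":
            self.depth += 1
            if self.depth > 1:
                raise ValueError("only one level of parentheses is supported")
            node = self.or_expr()
            if self.peek() != ")":
                raise ValueError("missing )")
            self.pos += 1
            self.depth -= 1
            return node
        return compile_term(tok)


def search(query, logs=SAMPLE_LOGS):
    """Return the log lines that match the query."""
    matcher = Parser(query).parse()
    return [line for line in logs if matcher(parse_log(line))]


if __name__ == "__main__":
    for q in ("http/tcp OR https/tcp", "10.0.2.0/24", r"mac:ac\:00\:bb\:cc\:*",
              "policy:unhandled* AND NOT dst_ip:255.255.255.255"):
        print(q, "->", len(search(q)), "match(es)")
```

The unnamed CIDR query 10.0.2.0/24 matches both the traffic log with src_ip=10.0.2.1 and the DHCP event log with ip=10.0.2.1, which shows why adding a field name (src_ip:10.0.2.0/24) matters when you are scoping an investigation to a direction of traffic.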
Export Search Results
After your search completes, you can export the search results to a CSV file, which you download in a ZIP file. The ZIP file contains the CSV file with the search results and a text file with the search parameters.
To export search results from the Log Search page:
- Above the search parameters section, click the CSV icon.
- If the file does not download automatically, choose to open or save the file.