topic Re: Filter the logs from WSA CLI in Web Security https://community.cisco.com/t5/web-security/filter-the-logs-from-wsa-cli/m-p/4103346#M9079 <P>Hi Jack,</P> <P>&nbsp;</P> <P>Try to filter the logs with the source IP address.</P> <P>&nbsp;</P> <P><STRONG>1. Quick command to filter the access logs:</STRONG></P> <P>wsa&gt; grep "IP_Address" accesslogs</P> <P>&nbsp;</P> <P><STRONG>2. Another way is:</STRONG></P> <P>wsa.lab&gt; grep</P> <P>Currently configured logs:<BR />1. "accesslogs" Type: "Access Logs" Retrieval: FTP Poll<BR />2. "amp_logs" Type: "AMP Engine Logs" Retrieval: FTP Poll</P> <P>.</P> <P>.</P> <P>.</P> <P>.</P> <P>49. "webcat_logs" Type: "Web Categorization Logs" Retrieval: FTP Poll<BR />50. "webrootlogs" Type: "Webroot Logs" Retrieval: FTP Poll<BR />51. "webtapd_logs" Type: "Webtapd Logs" Retrieval: FTP Poll<BR />52. "welcomeack_logs" Type: "Welcome Page Acknowledgement Logs" Retrieval: FTP Poll<BR />Enter the number of the log you wish to grep.<BR />[]&gt; 1</P> <P>Enter the regular expression to grep.<BR />[]&gt; <STRONG>IP_address</STRONG></P> <P>Do you want this search to be case insensitive? [Y]&gt;</P> <P>Do you want to search for non-matching lines? [N]&gt;</P> <P>Do you want to tail the logs? [N]&gt; <STRONG>Y (if you want to see real-time logs)</STRONG></P> <P>Do you want to paginate the output? [N]&gt;</P> <P>&nbsp;</P> <P><SPAN class="st">Note that WSA uses Unix epoch (or Unix time) format,&nbsp;sometimes it makes difficult to filter the logs. You can use any online epoch time converter tools to convert the time to filter the logs.</SPAN></P> <P>&nbsp;</P> <P>The easiest way to filter the transaction is using Web Tracking option, there are lots of predefined filter available which you can use.</P> <P>&nbsp;</P> <P>If you would like to see the time stamp for each transaction in human-readable form in access logs then you can also consider adding %G in the custom field option under accesslogs settings.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Mohit</P> Mon, 15 Jun 2020 13:55:21 GMT Mohit Soni 2020-06-15T13:55:21Z Filter the logs from WSA CLI https://community.cisco.com/t5/web-security/filter-the-logs-from-wsa-cli/m-p/4096765#M9065 <P>Hello,</P><P>&nbsp;</P><P>I have access to WSA CLI and I am searcing any possible deny of traffic based on a specific source IP address:</P><P>&nbsp;</P><P>1. "access_logs" Type: "Access Logs" Retrieval: FTP Poll</P><P>&nbsp;</P><P>Do you want this search to be case insensitive? [Y]&gt;</P><P>Do you want to search for non-matching lines? [N]&gt;</P><P>Do you want to tail the logs? [N]&gt; &lt;&lt; If i leave as it is I will have a huge ammount of logs, butif I select `Y` I do not have any logs</P><P>Do you want to paginate the output? [N]&gt;</P><P>&nbsp;</P><P>Do you know if I can filter the huge logs I get for instance for the last month&nbsp;</P><P>&nbsp;</P><P>Thank you</P><P>Jack</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 03 Jun 2020 10:48:58 GMT https://community.cisco.com/t5/web-security/filter-the-logs-from-wsa-cli/m-p/4096765#M9065 giacomo12 2020-06-03T10:48:58Z Re: Filter the logs from WSA CLI https://community.cisco.com/t5/web-security/filter-the-logs-from-wsa-cli/m-p/4103346#M9079 <P>Hi Jack,</P> <P>&nbsp;</P> <P>Try to filter the logs with the source IP address.</P> <P>&nbsp;</P> <P><STRONG>1. Quick command to filter the access logs:</STRONG></P> <P>wsa&gt; grep "IP_Address" accesslogs</P> <P>&nbsp;</P> <P><STRONG>2. Another way is:</STRONG></P> <P>wsa.lab&gt; grep</P> <P>Currently configured logs:<BR />1. "accesslogs" Type: "Access Logs" Retrieval: FTP Poll<BR />2. "amp_logs" Type: "AMP Engine Logs" Retrieval: FTP Poll</P> <P>.</P> <P>.</P> <P>.</P> <P>.</P> <P>49. "webcat_logs" Type: "Web Categorization Logs" Retrieval: FTP Poll<BR />50. "webrootlogs" Type: "Webroot Logs" Retrieval: FTP Poll<BR />51. "webtapd_logs" Type: "Webtapd Logs" Retrieval: FTP Poll<BR />52. "welcomeack_logs" Type: "Welcome Page Acknowledgement Logs" Retrieval: FTP Poll<BR />Enter the number of the log you wish to grep.<BR />[]&gt; 1</P> <P>Enter the regular expression to grep.<BR />[]&gt; <STRONG>IP_address</STRONG></P> <P>Do you want this search to be case insensitive? [Y]&gt;</P> <P>Do you want to search for non-matching lines? [N]&gt;</P> <P>Do you want to tail the logs? [N]&gt; <STRONG>Y (if you want to see real-time logs)</STRONG></P> <P>Do you want to paginate the output? [N]&gt;</P> <P>&nbsp;</P> <P><SPAN class="st">Note that WSA uses Unix epoch (or Unix time) format,&nbsp;sometimes it makes difficult to filter the logs. You can use any online epoch time converter tools to convert the time to filter the logs.</SPAN></P> <P>&nbsp;</P> <P>The easiest way to filter the transaction is using Web Tracking option, there are lots of predefined filter available which you can use.</P> <P>&nbsp;</P> <P>If you would like to see the time stamp for each transaction in human-readable form in access logs then you can also consider adding %G in the custom field option under accesslogs settings.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Mohit</P> Mon, 15 Jun 2020 13:55:21 GMT https://community.cisco.com/t5/web-security/filter-the-logs-from-wsa-cli/m-p/4103346#M9079 Mohit Soni 2020-06-15T13:55:21Z