
ASDM Real-Time Log Viewer / AND vs OR

stuartkendrick
Level 1

In the Filter By: box, I would like to OR a couple of filters:

FILTER:descr=bobjones;srcIP=74.52.48.101

i.e. I would like to see all entries related to the user 'bobjones' OR related to srcIP=74.52.48.101

As far as I can tell, the only option is AND, i.e. that semi-colon between the two filter criteria functions as an AND

Is there a way to OR two filter criteria?

Interestingly, looks like I can enter any text I like instead of the semi-colon ... with the result AND results:

FILTER:descr=bobjones or srcIP=74.52.48.101

FILTER:descr=bobjones foo srcIP=74.52.48.101

FILTER:descr=bobjones, srcIP=74.52.48.101

[...]

Use case:

- I want to see all entries related to a particular user attempting to log in, i.e. all entries related to that user's SSL connection (srcIP=74.52.48.101) as well as all entries related to this user's authentication and GroupPolicy selection


balaji.bandi
Hall of Fame

I suggest first checking that you are able to get logs as you expected (that proves your syslog is working).

Try the below and let us know before we suggest or look further.

FILTER:srcIP=74.52.48.101;

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

stuartkendrick
Level 1

Right, that FILTER:srcIP=74.52.48.101 works fine ... as does FILTER:descr=username ... but I don't see a way to *combine* the two FILTER criteria with an OR

And at this point, I don't believe it is possible. I have filed a Request For Enhancement with our Cisco sales team

--sk

I did some tests; I can do it with the below:

Username = username, IP = x.x.x.x,

BB


I am not seeing the same behavior as you are

I have found that the following are equivalent:

bobjones

FILTER:descr=bobjones

But this gives me zero hits:

Username=bobjones

And this gives me all log entries (i.e. ASDM ignores the filter attempt):

FILTER:Username=bobjones

These give me zero hits:

IP=74.52.48.101

FILTER:IP=74.52.48.101

I believe that the only way to see log entries related to a particular IP address is the following:

FILTER:srcIP=74.52.48.101

But, to return to my original challenge, I still do not see a way to OR filter criteria:

The following gives me identical output (only entries related to 74.52.48.101)

FILTER:srcIP=74.52.48.101

FILTER:srcIP=74.52.48.101,bobjones

This gives me the empty set (i.e. nothing)

FILTER:srcIP=74.52.48.101,descr=bobjones

FILTER:srcIP=74.52.48.101,FILTER:descr=bobjones

FILTER:srcIP=74.52.48.101;FILTER:descr=bobjones

ASDM 7.15(1)

--sk
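
An added example, not part of the original thread and not Cisco tooling: one way to get the OR view from the use case above is to apply it outside ASDM, to log lines already saved as text (for instance on a syslog server). The sample lines are constructed, and `filter_lines` and `line_ips` are hypothetical helper names; the IP is matched as a whole address so that 74.52.48.10 or 174.52.48.101 do not count as hits.

```python
import ipaddress
import re

# Constructed sample lines shaped like ASA syslog messages (not real output).
SAMPLE_LOG = """\
Jan 10 2021 09:14:01 fw1 : %ASA-6-725001: Starting SSL handshake with client outside:74.52.48.101/51234 for TLS session
Jan 10 2021 09:14:03 fw1 : %ASA-6-113004: AAA user authentication Successful : server = 10.1.1.5 : user = bobjones
Jan 10 2021 09:14:03 fw1 : %ASA-6-113009: AAA retrieved default group policy (GP-Staff) for user = BobJones
Jan 10 2021 09:14:05 fw1 : %ASA-6-302013: Built inbound TCP connection 991 for outside:74.52.48.10/40000 to inside:10.1.1.9/443
Jan 10 2021 09:14:06 fw1 : %ASA-6-113004: AAA user authentication Successful : server = 10.1.1.5 : user = alice
Jan 10 2021 09:14:07 fw1 : %ASA-6-302013: Built inbound TCP connection 992 for outside:174.52.48.101/40001 to inside:10.1.1.9/443
"""

# An IPv4 literal that is not part of a longer dotted or numeric token.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def line_ips(line):
    """Return the valid IPv4 addresses that appear as whole tokens in a line."""
    found = set()
    for token in IPV4_RE.findall(line):
        try:
            found.add(ipaddress.IPv4Address(token))
        except ValueError:  # out-of-range octets such as 999.1.1.1
            pass
    return found


def filter_lines(lines, user=None, ip=None, mode="or"):
    """Keep lines matching the user OR the IP (mode="or"), or both (mode="and")."""
    want_ip = ipaddress.IPv4Address(ip) if ip else None
    user_re = re.compile(rf"(?<!\w){re.escape(user)}(?!\w)", re.I) if user else None
    combine = any if mode == "or" else all
    kept = []
    for line in lines:
        checks = []
        if user_re:
            checks.append(user_re.search(line) is not None)
        if want_ip:
            checks.append(want_ip in line_ips(line))
        if checks and combine(checks):
            kept.append(line)
    return kept


if __name__ == "__main__":
    for hit in filter_lines(SAMPLE_LOG.splitlines(), user="bobjones", ip="74.52.48.101"):
        print(hit)
```

With `mode="and"` the same call returns nothing on this sample, since no single line carries both the username and the source address.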