Filter the logs from WSA CLI

giacomo12
Level 1

Hello,

 

I have access to the WSA CLI and I am searching for any possible denial of traffic based on a specific source IP address:

 

1. "access_logs" Type: "Access Logs" Retrieval: FTP Poll

 

Do you want this search to be case insensitive? [Y]>

Do you want to search for non-matching lines? [N]>

Do you want to tail the logs? [N]> << If I leave it as it is I will have a huge amount of logs, but if I select `Y` I do not have any logs

Do you want to paginate the output? [N]>

 

Do you know if I can filter the huge logs I get, for instance for the last month?

 

Thank you

Jack

 

 


Mohit Soni
Cisco Employee

Hi Jack,

 

Try to filter the logs with the source IP address.

 

1. Quick command to filter the access logs:

wsa> grep "IP_Address" accesslogs

 

2. Another way is:

wsa.lab> grep

Currently configured logs:
1. "accesslogs" Type: "Access Logs" Retrieval: FTP Poll
2. "amp_logs" Type: "AMP Engine Logs" Retrieval: FTP Poll

...

49. "webcat_logs" Type: "Web Categorization Logs" Retrieval: FTP Poll
50. "webrootlogs" Type: "Webroot Logs" Retrieval: FTP Poll
51. "webtapd_logs" Type: "Webtapd Logs" Retrieval: FTP Poll
52. "welcomeack_logs" Type: "Welcome Page Acknowledgement Logs" Retrieval: FTP Poll
Enter the number of the log you wish to grep.
[]> 1

Enter the regular expression to grep.
[]> IP_address

Do you want this search to be case insensitive? [Y]>

Do you want to search for non-matching lines? [N]>

Do you want to tail the logs? [N]> Y (if you want to see real-time logs)

Do you want to paginate the output? [N]>

 

Note that WSA uses the Unix epoch (or Unix time) format, which sometimes makes it difficult to filter the logs. You can use any online epoch time converter tool to convert the time to filter the logs.

 

The easiest way to filter the transactions is using the Web Tracking option; there are lots of predefined filters available which you can use.

 

If you would like to see the time stamp for each transaction in human-readable form in the access logs, then you can also consider adding %G in the custom field option under the accesslogs settings.

 

Thanks,

Mohit
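As an added worked example (not from either post above, and not Cisco code), the following Python script shows the two things the thread asks about: filtering WSA access-log lines for one client IP over a recent time window (here "the last 30 days"), flagging the denied transactions, and converting the epoch timestamps to human-readable time. It also builds an epoch-prefix regular expression that can be typed at the appliance's grep prompt to narrow a huge log to a date range before pulling it over FTP. The sample log lines are constructed to follow the default squid-style access-log layout (epoch timestamp, elapsed ms, client IP, result code/status, bytes, method, URL, user, hierarchy, MIME type, ACL decision tag); the placeholder fields after the decision tag, the reference time `NOW`, and the assumption that the appliance's grep accepts a `^` anchor and `(a|b)` alternation are assumptions, not facts stated on the page.

```python
"""Offline filter for WSA access-log lines by client IP, time window and deny verdict.

Added example; the log lines below are constructed, not a real capture.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample lines in the default squid-style WSA access-log layout.
# Field order assumed: epoch elapsed_ms client_ip result/status bytes method url user hierarchy mime decision_tag ...
SAMPLE_LOG = """\
1696000000.123 45 10.1.1.50 TCP_MISS/200 8187 GET http://example.com/ - DIRECT/example.com text/html DEFAULT_CASE_12-AccessPolicy-Identity-NONE-NONE-NONE-DefaultGroup <-> -
1696500000.456 12 10.1.1.50 TCP_DENIED/403 0 GET http://blocked.example.net/ - NONE/- - BLOCK_WEBCAT_12-AccessPolicy-Identity-NONE-NONE-NONE-DefaultGroup <-> -
1697000000.789 30 10.1.1.77 TCP_DENIED/403 0 GET http://blocked.example.net/ - NONE/- - BLOCK_WEBCAT_12-AccessPolicy-Identity-NONE-NONE-NONE-DefaultGroup <-> -
1690000000.000 20 10.1.1.50 TCP_DENIED/403 0 GET http://old.example.org/ - NONE/- - BLOCK_ADMIN_12-AccessPolicy-Identity-NONE-NONE-NONE-DefaultGroup <-> -
"""

# Assumed reference time for "last N days" (2023-10-17 UTC); replace with time.time() in real use.
NOW = 1697500000.0


@dataclass
class AccessEntry:
    ts: float            # Unix epoch seconds, as written by the appliance
    client_ip: str
    result_code: str     # e.g. TCP_DENIED/403
    url: str
    decision_tag: str    # e.g. BLOCK_WEBCAT_12-...
    raw: str

    @property
    def denied(self) -> bool:
        # A block shows up both as a TCP_DENIED result and as a BLOCK_* ACL decision tag;
        # checking either catches entries where only one of the two is present.
        return self.result_code.startswith("TCP_DENIED") or self.decision_tag.startswith("BLOCK_")

    def human_time(self) -> str:
        # Epoch -> readable UTC timestamp (the appliance writes epoch with millisecond fraction).
        return datetime.fromtimestamp(self.ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_line(line: str) -> Optional[AccessEntry]:
    """Split one access-log line into the fields we filter on; skip malformed lines."""
    fields = line.split()
    if len(fields) < 11:
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    return AccessEntry(ts=ts, client_ip=fields[2], result_code=fields[3],
                       url=fields[6], decision_tag=fields[10], raw=line)


def filter_entries(text: str, client_ip: str, now: float = NOW,
                   days: int = 30, denied_only: bool = False) -> List[AccessEntry]:
    """Return entries for client_ip newer than `days` before `now`, optionally only denies."""
    cutoff = now - days * 86400
    matches = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None or entry.client_ip != client_ip or entry.ts < cutoff:
            continue
        if denied_only and not entry.denied:
            continue
        matches.append(entry)
    return matches


def epoch_prefix_regex(start: float, end: float, bucket: int = 100000) -> str:
    """Build a regex for the appliance grep prompt that matches lines whose epoch falls in [start, end].

    Each 100000-second bucket (~27.8 h) becomes one leading-digit alternative, so the match is an
    over-approximation at the window edges; apply filter_entries() for the exact cut-off afterwards.
    """
    prefixes = range(int(start) // bucket, int(end) // bucket + 1)
    return "^(" + "|".join(str(p) for p in prefixes) + ")"


if __name__ == "__main__":
    for e in filter_entries(SAMPLE_LOG, "10.1.1.50", denied_only=True):
        print(e.human_time(), e.client_ip, e.result_code, e.url, e.decision_tag)
    # Regex to paste at "Enter the regular expression to grep." for the last 30 days:
    print(epoch_prefix_regex(NOW - 30 * 86400, NOW))
```

Run it with a pulled access log in place of `SAMPLE_LOG`. The regex from `epoch_prefix_regex` keeps the appliance-side grep from dumping the whole file; combine it with the IP on the appliance (for example `^(16949|...|16975)\d*\.\d+ \d+ 10\.1\.1\.50 `, which is an assumed pattern shape) only if its grep accepts that syntax, otherwise grep the IP on the box and do the time cut offline.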