cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
245
Views
0
Helpful
1
Replies
Highlighted
Beginner

Filter the logs from WSA CLI

Hello,

 

I have access to WSA CLI and I am searcing any possible deny of traffic based on a specific source IP address:

 

1. "access_logs" Type: "Access Logs" Retrieval: FTP Poll

 

Do you want this search to be case insensitive? [Y]>

Do you want to search for non-matching lines? [N]>

Do you want to tail the logs? [N]> << If i leave as it is I will have a huge ammount of logs, butif I select `Y` I do not have any logs

Do you want to paginate the output? [N]>

 

Do you know if I can filter the huge logs I get for instance for the last month 

 

Thank you

Jack

 

 

Everyone's tags (1)
1 REPLY 1
Highlighted
Cisco Employee

Re: Filter the logs from WSA CLI

Hi Jack,

 

Try to filter the logs with the source IP address.

 

1. Quick command to filter the access logs:

wsa> grep "IP_Address" accesslogs

 

2. Another way is:

wsa.lab> grep

Currently configured logs:
1. "accesslogs" Type: "Access Logs" Retrieval: FTP Poll
2. "amp_logs" Type: "AMP Engine Logs" Retrieval: FTP Poll

.

.

.

.

49. "webcat_logs" Type: "Web Categorization Logs" Retrieval: FTP Poll
50. "webrootlogs" Type: "Webroot Logs" Retrieval: FTP Poll
51. "webtapd_logs" Type: "Webtapd Logs" Retrieval: FTP Poll
52. "welcomeack_logs" Type: "Welcome Page Acknowledgement Logs" Retrieval: FTP Poll
Enter the number of the log you wish to grep.
[]> 1

Enter the regular expression to grep.
[]> IP_address

Do you want this search to be case insensitive? [Y]>

Do you want to search for non-matching lines? [N]>

Do you want to tail the logs? [N]> Y (if you want to see real-time logs)

Do you want to paginate the output? [N]>

 

Note that WSA uses Unix epoch (or Unix time) format, sometimes it makes difficult to filter the logs. You can use any online epoch time converter tools to convert the time to filter the logs.

 

The easiest way to filter the transaction is using Web Tracking option, there are lots of predefined filter available which you can use.

 

If you would like to see the time stamp for each transaction in human-readable form in access logs then you can also consider adding %G in the custom field option under accesslogs settings.

 

Thanks,

Mohit