13.1.6. Searching and filtering

Since logs usually contain lots of entries, UserGate offers convenient ways to search for and filter the necessary information. Administrators may choose between the basic and advanced search modes in logs.

In the basic search mode, administrators use the GUI to filter on one or more log fields and so exclude irrelevant entries. For example, filters can be set by time period, list of users, category, etc. Combining several search criteria is intuitive and requires no knowledge of the query language.

More sophisticated filters can be built in the advanced search mode, which uses a dedicated query language. In the advanced mode you can compose queries over log fields that are not exposed in the basic mode. A query consists of field names, field values, keywords, and operators. Field values that contain spaces must be enclosed in single or double quotes. Parentheses can be used to group several conditions.

Keywords must be separated by spaces and may be as follows:

Name     Description

AND/and  Logical AND: all conditions in the query must be met.

OR/or    Logical OR: at least one condition in the query must be met.

You can use the following operators to define filter conditions:

Name  Description

=     Equal to. Matches only the specified value, e.g. the query ip=172.16.31.1 returns all log entries whose "IP" field is exactly "172.16.31.1".

!=    Not equal to. Matches any value except the specified one, e.g. the query ip!=172.16.31.1 returns all log entries whose "IP" field is not "172.16.31.1".

<=    Less than or equal to. The field value must be less than or equal to the value in the query. Applies only to fields that support comparison, such as date fields, portSource, portDest and statusCode, e.g. date <= '2019-03-28T20:59:59' AND statusCode=303

>=    Greater than or equal to. The field value must be greater than or equal to the value in the query. Applies only to fields that support comparison, such as date fields, portSource, portDest and statusCode, e.g. date >= "2019-03-13T21:00:00" AND statusCode=200

<     Less than. The field value must be less than the value in the query. Applies only to fields that support comparison, such as date fields, portSource, portDest and statusCode, e.g. date < '2019-03-28T20:59:59' AND statusCode=404

>     Greater than. The field value must be greater than the value in the query. Applies only to fields that support comparison, such as date fields, portSource, portDest and statusCode, e.g. (statusCode>200 AND statusCode <300) OR (statusCode=404)

IN    Matches any one of several values. Enclose the list of values in parentheses and separate them with commas, e.g. category IN (botnets, compromised, 'illegal software', 'phishing and fraud','reputation high risk','unknown category')

~     Contains. The specified substring must occur in the field, e.g. browser ~ "Mozilla/5.0". Applies only to string fields.

!~    Does not contain. The specified substring must not occur in the field, e.g. browser !~ "Mozilla/5.0". Applies only to string fields.

For your convenience, UserGate suggests the available field names, the operators applicable to each field and the allowed values while you compose an advanced query. When you switch from the basic search mode to the advanced one, UserGate automatically generates a query string from the filter conditions you have set in the basic mode.
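To make the grammar above concrete, the following is an added example, not UserGate code: a small recursive-descent parser that implements the documented keywords (AND/OR), operators (=, !=, <, >, <=, >=, IN, ~, !~), quoting and parentheses, and runs queries over a handful of constructed log entries. The field names follow the examples on the page. The page does not state operator precedence, whether IN is case-insensitive, or exactly which fields are comparable, so this code assumes AND binds tighter than OR, accepts IN/in, and treats only date and integer fields as orderable.

```python
"""Toy evaluator for the advanced-search syntax described above (added example, not UserGate
code): AND/OR, the operators = != < > <= >= IN ~ !~, quoting and parentheses. Assumed: AND
binds tighter than OR, IN is case-insensitive, only dates and integers are orderable."""
import re
from datetime import datetime

TOKEN_RE = re.compile(r"""(?P<ws>\s+)|(?P<VALUE>"[^"]*"|'[^']*')|(?P<PUNCT>[(),])
    |(?P<OP>!=|<=|>=|!~|[=<>~])|(?P<WORD>[^\s(),=!<>~"']+)|(?P<error>.)""", re.VERBOSE)

def tokenize(query):
    tokens = []
    for m in TOKEN_RE.finditer(query):
        if m.lastgroup == "error":      # e.g. an unterminated quote
            raise SyntaxError(f"unexpected {m.group()!r} at offset {m.start()}")
        if m.lastgroup != "ws":         # quoted values keep their spaces, lose the quotes
            text = m.group()[1:-1] if m.lastgroup == "VALUE" else m.group()
            tokens.append((m.lastgroup, text))
    return tokens + [("END", None)]     # sentinel so the parser never runs off the end

def condition(field, op, literals):
    def coerce(actual, text):           # query literal -> the type stored in the field
        if isinstance(actual, datetime):
            return datetime.fromisoformat(text)
        return int(text) if isinstance(actual, int) else text
    def pred(entry):
        if field not in entry:          # an absent field never matches
            return False
        actual = entry[field]
        if op == "IN":
            return any(actual == coerce(actual, lit) for lit in literals)
        if op in ("~", "!~"):           # substring test, string fields only
            if not isinstance(actual, str):
                raise TypeError(f"{op} needs a string field, not {field}")
            return (literals[0] in actual) == (op == "~")
        wanted = coerce(actual, literals[0])
        if op in ("=", "!="):
            return (actual == wanted) == (op == "=")
        if isinstance(actual, str):     # ordering needs date or numeric fields
            raise TypeError(f"{op} needs a comparable field, not {field}")
        return {"<": actual < wanted, ">": actual > wanted,
                "<=": actual <= wanted, ">=": actual >= wanted}[op]
    return pred

def compile_query(query):               # recursive descent: query text -> predicate(entry)
    toks = tokenize(query)
    def take(*kinds, text=None):        # consume one token, checking its kind and/or text
        kind, tok = toks[0]
        if kind == "END" or (kinds and kind not in kinds) or (text and tok != text):
            raise SyntaxError(f"expected {text or '/'.join(kinds)}, got {tok!r}")
        return toks.pop(0)[1]
    def accept(kind, text):             # consume the next token only if it matches
        if toks[0][0] == kind and toks[0][1].lower() == text:
            toks.pop(0)
            return True
        return False
    def expr():                         # expr := term (OR term)*
        parts = [term()]
        while accept("WORD", "or"):
            parts.append(term())
        return lambda e: any(p(e) for p in parts)
    def term():                         # term := factor (AND factor)*
        parts = [factor()]
        while accept("WORD", "and"):
            parts.append(factor())
        return lambda e: all(p(e) for p in parts)
    def factor():                       # '(' expr ')' | field OP value | field IN (v, ...)
        if accept("PUNCT", "("):
            inner = expr()
            take("PUNCT", text=")")
            return inner
        field = take("WORD")
        if accept("WORD", "in"):
            take("PUNCT", text="(")
            values = [take("WORD", "VALUE")]
            while accept("PUNCT", ","):
                values.append(take("WORD", "VALUE"))
            take("PUNCT", text=")")
            return condition(field, "IN", values)
        return condition(field, take("OP"), [take("WORD", "VALUE")])
    pred = expr()
    if toks[0][0] != "END":
        raise SyntaxError(f"unexpected trailing {toks[0][1]!r}")
    return pred

LOG = [  # constructed sample entries, not real log data; field names follow the page's examples
    {"id": 1, "date": datetime(2019, 3, 13, 21, 0, 5), "ip": "172.16.31.1", "statusCode": 200,
     "category": "phishing and fraud", "browser": "Mozilla/5.0 Firefox/65.0"},
    {"id": 2, "date": datetime(2019, 3, 20, 8, 15, 0), "ip": "172.16.31.1", "statusCode": 404,
     "category": "unknown category", "browser": "curl/7.64.0"},
    {"id": 3, "date": datetime(2019, 3, 28, 20, 30, 0), "ip": "10.0.0.5", "statusCode": 303,
     "category": "botnets", "browser": "Mozilla/5.0 Chrome/72.0"},
]

def matching_ids(query, entries=LOG):   # ids of the entries a query selects, in log order
    pred = compile_query(query)
    return [e["id"] for e in entries if pred(e)]

def rejected_as(query):                 # error class name raised by a bad query, else None
    try:
        matching_ids(query)
    except (SyntaxError, TypeError) as exc:
        return type(exc).__name__
```

Against the sample entries, the page's own queries behave as documented: matching_ids("(statusCode>200 AND statusCode <300) OR (statusCode=404)") returns [2], and the IN example returns [1, 2, 3]. The quoting rule is visible in the failure mode: matching_ids("category='phishing and fraud'") returns [1], while the unquoted category=phishing and fraud is rejected with a SyntaxError because "and" is read as the keyword. Comparing ip=10.0.0.5 AND statusCode=404 OR statusCode=200 with its parenthesised form shows why grouping matters when AND and OR are mixed; the real product's precedence should be checked in its autocompletion or documentation rather than assumed from this toy.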