topic Re: Exporting traffic logs via CLI - scp in General Topics

Exporting traffic logs via CLI - scp

opiedrah — Wed, 27 Mar 2013 20:41:42 GMT

Is there a way to group by source or destination address from the cli. for example:

scp export log traffic query "(port eq 514) and ( proto eq tcp ) and ( app eq insufficient-data ) or (app eq unknown-tcp)" start-time equal 2013/03/18@01:00:00 end-time equal 2013/03/26@01:00:00 to foobar@x.x.x.x:/home/orlando/unknown-tcp.csv

This returns tons of values, how can i do the same but have it group by Source Address or Destination Address?

Thanks.rtt

Re: Exporting traffic logs via CLI - scp

UhMayYeah — Wed, 27 Mar 2013 21:38:09 GMT

CLI or even WebUI do not have a feature to GroupBY a field (eg: IP address) , unless you tune your query to filter results based on that feild.

You can always use MS Excel to group the results.

Regards,

Ameya

Re: Exporting traffic logs via CLI - scp

opiedrah — Wed, 27 Mar 2013 21:49:51 GMT

The Gui does have a "Group By" field when you create Custom Reports. I was looking to find a way to do something similar via command line and scp over to remote host.

Re: Exporting traffic logs via CLI - scp

bvandivier — Wed, 27 Mar 2013 21:50:19 GMT

There is no literal group by functionality but you should be able to achieve similar results by expanding your query to include source and destination addresses.

For example:

scp export log traffic query equal "(src eq 192.168.142.212 or src eq 172.17.128.140) and (port eq 443)"

show log traffic direction equal backward query equal "(src eq 192.168.142.212 or src eq 172.17.128.140) and (port eq 443)"

The above query will return all traffic logs with either of the source addresses above and port 443 traffic.

Another example covers both source and destination addresses:

show log traffic direction equal backward query equal "( addr.src in 192.168.142.212 ) and ( addr.dst in 208.67.222.222 or addr.dst in 172.17.132.243 ) and ( port.dst eq 53 )"

regards,

-Bryan

Re: Exporting traffic logs via CLI - scp

opiedrah — Wed, 27 Mar 2013 21:56:03 GMT

Not surprised it can't do this, but figure i ask anyways. Thank you for your time, i'll see if i put in a feature request. The GUI takes so darn long, if we could do scp to .csv file while reducing the file size by "Grouping" scripts could be written to manipulate the data.

Re: Exporting traffic logs via CLI - scp

mikand — Thu, 28 Mar 2013 21:20:27 GMT

Another workaround might be to enable syslog for TRAFFIC logs (and/or THREATS aswell, and while you are at it CONFIG and SYSTEM too :smileysilly:) - this way you will have the logs in csv format at your syslog server (PA default mode for syslogging is in csv format).