topic Re: user activity ACC -CLI in General Topics

user activity ACC -CLI

AhmedEmam — Thu, 05 Apr 2018 13:50:02 GMT

Dears

I want to know the IP of this user "None",as per to a below image, through CLI ...Can I do?

Please feedback with the command or the way to know who it is ?

thanks

Re: user activity ACC -CLI

BPry — Thu, 05 Apr 2018 13:57:38 GMT

(receive_time geq '2018/04/05 14:30:00') AND (receive_time leq '2018/04/05 15:15:00') AND ((srcuser eq '')) AND ((dstuser eq ''))

If you filter your traffic logs with that query it will display the logs that actually make up that traffic during the time period that you have displayed in your screenshot.

Re: user activity ACC -CLI

AhmedEmam — Sun, 08 Apr 2018 10:08:06 GMT

Thank you to your reply

this filter no give us the source IP which is mentioned by "None" .
I need to determine the "user activity " by specefic command to know that

Re: user activity ACC -CLI

BPry — Mon, 09 Apr 2018 21:18:32 GMT

@AhmedEmam,

That command will give you all of the traffic that would have matched the screenshot you provided in your original post. But let me try again with a little more of a description.

1) There is no one source IP that would be granted the source-user None. This source-user ID is applied to all traffic that traverses your firewall that does not have a user-mapping associated with it. This could be caused by a user-id age-out being met, or it could be that the source truly doesn't have anything that would match to a user-id (ex: Printers).

2) The command provided eariler was specific to your prior example and provides a timeframe of a query that would need to be run on the traffic logs. It was not an example of a full cli command to do so; you would need to incorporate it into your command to view the traffic logs.

3) There is a button on the right of that display that will be 'Jump to logs' that will bring you right to the logs that the ACC is reading to generate the display.

The CLI to view log files is the following:

show log traffic

You would then need to actually set the query, for example

show log traffic query equal ' ((srcuser eq "")) and ((dstuser eq "")) '

That query typed in directly would provide you any log that was matching what the ACC was viewing to get the statistic originally displayed without the time restriction.