Exporting traffic logs via CLI - scp


L0 Member

Is there a way to group by source or destination address from the CLI? For example:

scp export log traffic query equal "(port eq 514) and ( proto eq tcp ) and ( app eq insufficient-data ) or (app eq unknown-tcp)" start-time equal 2013/03/18@01:00:00 end-time equal 2013/03/26@01:00:00 to foobar@x.x.x.x:/home/orlando/unknown-tcp.csv

This returns tons of values. How can I do the same but have it group by Source Address or Destination Address?

Thanks, rtt

1 accepted solution

Accepted Solutions

L5 Sessionator

There is no literal group by functionality but you should be able to achieve similar results by expanding your query to include source and destination addresses.

For example:

scp export log traffic query equal "(src eq 192.168.142.212 or src eq 172.17.128.140) and (port eq 443)"

or

show log traffic direction equal backward query equal "(src eq 192.168.142.212 or src eq 172.17.128.140) and (port eq 443)"

The above query will return all traffic logs with either of the source addresses above and port 443 traffic. 

Another example covers both source and destination addresses:

show log traffic direction equal backward query equal "( addr.src in 192.168.142.212 ) and ( addr.dst in 208.67.222.222 or addr.dst in 172.17.132.243 ) and ( port.dst eq 53 )"

regards,

-Bryan


L5 Sessionator

Neither the CLI nor the WebUI has a feature to group by a field (e.g. IP address), unless you tune your query to filter results based on that field.

You can always use  MS Excel to group the results.

Regards,

Ameya

L0 Member

The GUI does have a "Group By" field when you create Custom Reports. I was looking to find a way to do something similar via the command line and scp over to a remote host.

Not surprised it can't do this, but figured I'd ask anyway. Thank you for your time; I'll see if I can put in a feature request. The GUI takes so darn long. If we could scp to a .csv file while reducing the file size by "grouping", scripts could be written to manipulate the data.

Another workaround might be to enable syslog for TRAFFIC logs (and/or THREAT as well, and while you are at it CONFIG and SYSTEM too). This way you will have the logs in CSV format at your syslog server (the PA default mode for syslogging is CSV format).
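Since neither the CLI export nor the syslog feed can group on an address, the grouping has to happen on the receiving host. The script below is an added example written for this thread (it is not code from the original posters or from Palo Alto Networks) that does the "Group By" step the OP wanted over the CSV produced by `scp export log traffic ...` or collected from syslog. It assumes the file has a header row with column names `src`, `dst`, `app`, `dport` and `bytes` (check the first line of your own export and adjust the `FIELD_*` constants); the embedded sample rows are constructed, not real log data.

```python
"""Group an exported PAN-OS traffic-log CSV by source or destination address.

Added example for this thread, not Palo Alto Networks code. Assumes the CSV
has a header row naming the columns src, dst, app, dport and bytes; if your
export uses different names, edit the FIELD_* constants below.
"""
import csv
import io
import sys
from collections import defaultdict

# Assumed column names (verify against the header row of your export).
FIELD_SRC = "src"
FIELD_DST = "dst"
FIELD_APP = "app"
FIELD_DPORT = "dport"
FIELD_BYTES = "bytes"

# Constructed sample export for demonstration; not real traffic.
SAMPLE_CSV = """receive_time,src,dst,app,dport,proto,bytes
2013/03/18 01:00:05,192.168.142.212,208.67.222.222,dns,53,udp,320
2013/03/18 01:00:09,192.168.142.212,172.17.132.243,unknown-tcp,514,tcp,1500
2013/03/18 01:00:12,172.17.128.140,208.67.222.222,dns,53,udp,280
2013/03/18 01:00:20,172.17.128.140,10.1.1.5,insufficient-data,514,tcp,60
2013/03/18 01:00:31,192.168.142.212,10.1.1.5,unknown-tcp,514,tcp,4200
"""


def parse_export(text):
    """Parse CSV text (header row first) into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def matches(row, apps=None, dport=None):
    """Replicate the filter the CLI query applied: optional set of app
    names and optional destination port. None means 'do not filter'."""
    if apps is not None and row.get(FIELD_APP) not in apps:
        return False
    if dport is not None and row.get(FIELD_DPORT) != str(dport):
        return False
    return True


def group_by(rows, key_field, apps=None, dport=None):
    """Group matching rows on key_field (FIELD_SRC or FIELD_DST).

    Returns {address: {"sessions": count, "bytes": total, "apps": [...]}}.
    Each log row is one session; a missing or empty bytes field counts as 0.
    """
    groups = defaultdict(lambda: {"sessions": 0, "bytes": 0, "apps": set()})
    for row in rows:
        if not matches(row, apps, dport):
            continue
        entry = groups[row[key_field]]
        entry["sessions"] += 1
        entry["bytes"] += int(row.get(FIELD_BYTES) or 0)
        entry["apps"].add(row.get(FIELD_APP, ""))
    return {
        addr: {"sessions": v["sessions"], "bytes": v["bytes"], "apps": sorted(v["apps"])}
        for addr, v in groups.items()
    }


def top_talkers(rows, key_field, n=10, **filters):
    """Addresses ranked by session count, then bytes, descending."""
    grouped = group_by(rows, key_field, **filters)
    ranked = sorted(
        grouped.items(),
        key=lambda kv: (kv[1]["sessions"], kv[1]["bytes"]),
        reverse=True,
    )
    return [(addr, v["sessions"], v["bytes"]) for addr, v in ranked[:n]]


def write_summary(grouped, key_field):
    """Serialize a grouped result as CSV; one line per address instead of
    one line per session, which is the size reduction the OP was after."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow([key_field, "sessions", "bytes", "apps"])
    for addr in sorted(grouped):
        v = grouped[addr]
        writer.writerow([addr, v["sessions"], v["bytes"], " ".join(v["apps"])])
    return out.getvalue()


if __name__ == "__main__":
    # Usage: python group_traffic.py /path/to/unknown-tcp.csv  (defaults to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], newline="") as fh:
            rows = list(csv.DictReader(fh))
    else:
        rows = parse_export(SAMPLE_CSV)
    by_src = group_by(rows, FIELD_SRC, apps={"unknown-tcp", "insufficient-data"}, dport=514)
    print(write_summary(by_src, FIELD_SRC))
    print(top_talkers(rows, FIELD_DST))
```

Run it against the file the `scp export log traffic ... to user@host:path` command dropped on the remote host; the `apps`/`dport` arguments to `group_by` mirror the `app eq` and `port eq` terms of the CLI query, so you can export broadly once and regroup locally without re-running the slow export.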
