03-27-2013 01:41 PM
Is there a way to group by source or destination address from the CLI? For example:
scp export log traffic query "(port eq 514) and ( proto eq tcp ) and ( app eq insufficient-data ) or (app eq unknown-tcp)" start-time equal 2013/03/18@01:00:00 end-time equal 2013/03/26@01:00:00 to foobar@x.x.x.x:/home/orlando/unknown-tcp.csv
This returns tons of values; how can I do the same but have it group by Source Address or Destination Address?
Thanks.
rtt
03-27-2013 02:50 PM
There is no literal group by functionality but you should be able to achieve similar results by expanding your query to include source and destination addresses.
For example:
scp export log traffic query equal "(src eq 192.168.142.212 or src eq 172.17.128.140) and (port eq 443)"
or
show log traffic direction equal backward query equal "(src eq 192.168.142.212 or src eq 172.17.128.140) and (port eq 443)"
The above query will return all traffic logs with either of the source addresses above and port 443 traffic.
Another example covers both source and destination addresses:
show log traffic direction equal backward query equal "( addr.src in 192.168.142.212 ) and ( addr.dst in 208.67.222.222 or addr.dst in 172.17.132.243 ) and ( port.dst eq 53 )"
regards,
-Bryan
03-27-2013 02:38 PM
Neither the CLI nor the WebUI has a feature to group by a field (e.g. IP address), unless you tune your query to filter results based on that field.
You can always use MS Excel to group the results.
Regards,
Ameya
03-27-2013 02:49 PM
The GUI does have a "Group By" field when you create Custom Reports. I was looking to find a way to do something similar via the command line and scp it over to a remote host.
03-27-2013 02:56 PM
Not surprised it can't do this, but I figured I'd ask anyway. Thank you for your time; I'll see about putting in a feature request. The GUI takes so darn long; if we could scp to a .csv file while reducing the file size by "grouping", scripts could be written to manipulate the data.
03-28-2013 02:20 PM
Another workaround might be to enable syslog for TRAFFIC logs (and/or THREAT logs as well, and while you are at it CONFIG and SYSTEM too :smileysilly:). This way you will have the logs in CSV format on your syslog server (the PA default mode for syslogging is CSV format).
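Since neither the CLI export nor syslog can group rows, the grouping has to happen on the host that receives the CSV, which is the "scripts could be written to manipulate the data" step the original poster mentions. The script below is an added example written for this thread, not a PAN-OS feature and not code from any of the posters: it reads an exported traffic-log CSV (or headerless syslog CSV lines, if you pass the column names yourself) and collapses it into one row per source address, destination address, or source/destination pair, with a session count and byte total. The column names ("Source address", "Destination address", "Bytes") and the sample rows are constructed assumptions; check them against the header line of your own `scp export log traffic` file.

```python
#!/usr/bin/env python3
"""Group exported PAN-OS traffic-log CSV rows by one or more columns.

Added example for this thread; not a PAN-OS feature and not the thread's own output.
Column names and the sample rows below are constructed assumptions: check them
against the header line of your own 'scp export log traffic' file.
"""
import argparse
import csv
import io
import sys
from collections import defaultdict

# Constructed sample export with an assumed header. Real exports carry many more columns.
SAMPLE_CSV = """Receive Time,Source address,Destination address,Application,Destination Port,Bytes
2013/03/18 01:00:05,192.168.142.212,208.67.222.222,unknown-tcp,514,1200
2013/03/18 01:00:09,192.168.142.212,172.17.132.243,insufficient-data,514,300
2013/03/18 01:01:00,172.17.128.140,208.67.222.222,unknown-tcp,514,4500
2013/03/18 01:02:10,192.168.142.212,208.67.222.222,unknown-tcp,514,800
2013/03/18 01:03:33,10.0.0.5,172.17.132.243,unknown-tcp,514,50
"""


def summarize(text, key_columns, bytes_column="Bytes", header=None):
    """Return {key_tuple: {"sessions": n, "bytes": total}} for the CSV in `text`.

    `header` lets you name the columns yourself for headerless input such as
    PAN-OS syslog lines, which are CSV rows without a header line.
    """
    reader = csv.DictReader(io.StringIO(text), fieldnames=header)
    summary = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for row in reader:
        key = tuple(row[col].strip() for col in key_columns)
        summary[key]["sessions"] += 1
        # A trimmed export may lack a byte column; still count the session.
        try:
            summary[key]["bytes"] += int(row.get(bytes_column) or 0)
        except ValueError:
            pass
    return dict(summary)


def to_csv(summary, key_columns):
    """Render the summary as a small CSV, busiest groups first."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(list(key_columns) + ["sessions", "bytes"])
    ordered = sorted(summary.items(), key=lambda kv: (-kv[1]["sessions"], kv[0]))
    for key, stats in ordered:
        writer.writerow(list(key) + [stats["sessions"], stats["bytes"]])
    return out.getvalue()


def main(argv=None):
    parser = argparse.ArgumentParser(description="Group a PAN-OS traffic CSV by column(s).")
    parser.add_argument("path", nargs="?", help="exported CSV file (default: stdin)")
    parser.add_argument("--by", nargs="+", default=["Source address"],
                        help="column(s) to group by, e.g. 'Source address' 'Destination address'")
    parser.add_argument("--header", nargs="+", default=None,
                        help="column names for headerless input such as syslog CSV lines")
    args = parser.parse_args(argv)
    if args.path:
        with open(args.path, newline="") as fh:
            text = fh.read()
    else:
        text = sys.stdin.read()
    sys.stdout.write(to_csv(summarize(text, args.by, header=args.header), args.by))


if __name__ == "__main__":
    main()
```

Run it against the exported file (`python3 group_traffic.py unknown-tcp.csv --by "Destination address"`) to get the reduced CSV the original poster was after; for the syslog route, feed the collected lines in and supply `--header` with the field order your syslog profile emits, since those lines carry no header row.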