This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

user activity ACC -CLI

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

user activity ACC -CLI

AhmedEmam
L2 Linker

‎04-05-2018 06:50 AM

Dears

 

I want to know the IP of this user "None",as per to a below image, through CLI ...Can I do?

 

Please feedback with the command or the way to know who it is ?

 

thanks

 

User Activity Log.png

0 Likes Likes
3 REPLIES 3

BPry
Cyber Elite
Cyber Elite

‎04-05-2018 06:57 AM

(receive_time geq '2018/04/05 14:30:00') AND (receive_time leq '2018/04/05 15:15:00') AND ((srcuser eq '')) AND ((dstuser eq ''))

 

If you filter your traffic logs with that query it will display the logs that actually make up that traffic during the time period that you have displayed in your screenshot. 

0 Likes Likes

AhmedEmam
L2 Linker
In response to BPry

‎04-08-2018 03:08 AM

Thank you to your reply

 

this filter no give us the source IP which is mentioned by "None" .
I need to determine the "user activity " by specefic command to know that

0 Likes Likes

BPry
Cyber Elite
Cyber Elite
In response to AhmedEmam

‎04-09-2018 02:18 PM

@AhmedEmam,

That command will give you all of the traffic that would have matched the screenshot you provided in your original post. But let me try again with a little more of a description. 

 

1) There is no one source IP that would be granted the source-user None. This source-user ID is applied to all traffic that traverses your firewall that does not have a user-mapping associated with it. This could be caused by a user-id age-out being met, or it could be that the source truly doesn't have anything that would match to a user-id (ex: Printers). 

 

2) The command provided eariler was specific to your prior example and provides a timeframe of a query that would need to be run on the traffic logs. It was not an example of a full cli command to do so; you would need to incorporate it into your command to view the traffic logs. 

 

3) There is a button on the right of that display that will be 'Jump to logs' that will bring you right to the logs that the ACC is reading to generate the display. 

 

4)

The CLI to view log files is the following: 

show log traffic

You would then need to actually set the query, for example

show log traffic query equal ' ((srcuser eq "")) and ((dstuser eq "")) '

That query typed in directly would provide you any log that was matching what the ACC was viewing to get the statistic originally displayed without the time restriction. 

0 Likes Likes
  • 2860 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks