user activity ACC -CLI

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

user activity ACC -CLI

L2 Linker

Dears

 

I want to know the IP of this user "None",as per to a below image, through CLI ...Can I do?

 

Please feedback with the command or the way to know who it is ?

 

thanks

 

User Activity Log.png

3 REPLIES 3

Cyber Elite
Cyber Elite

(receive_time geq '2018/04/05 14:30:00') AND (receive_time leq '2018/04/05 15:15:00') AND ((srcuser eq '')) AND ((dstuser eq ''))

 

If you filter your traffic logs with that query it will display the logs that actually make up that traffic during the time period that you have displayed in your screenshot. 

Thank you to your reply

 

this filter no give us the source IP which is mentioned by "None" .
I need to determine the "user activity " by specefic command to know that

@AhmedEmam,

That command will give you all of the traffic that would have matched the screenshot you provided in your original post. But let me try again with a little more of a description. 

 

1) There is no one source IP that would be granted the source-user None. This source-user ID is applied to all traffic that traverses your firewall that does not have a user-mapping associated with it. This could be caused by a user-id age-out being met, or it could be that the source truly doesn't have anything that would match to a user-id (ex: Printers). 

 

2) The command provided eariler was specific to your prior example and provides a timeframe of a query that would need to be run on the traffic logs. It was not an example of a full cli command to do so; you would need to incorporate it into your command to view the traffic logs. 

 

3) There is a button on the right of that display that will be 'Jump to logs' that will bring you right to the logs that the ACC is reading to generate the display. 

 

4)

The CLI to view log files is the following: 

show log traffic

You would then need to actually set the query, for example

show log traffic query equal ' ((srcuser eq "")) and ((dstuser eq "")) '

That query typed in directly would provide you any log that was matching what the ACC was viewing to get the statistic originally displayed without the time restriction. 

  • 2558 Views
  • 3 replies
  • 0 Likes
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!