graylog-labs / graylog2-web-interface

[DEPRECATED]
https://www.graylog.org/

Cannot search for messages including a forward slash #1706

Closed jontaa closed 8 years ago

jontaa commented 8 years ago

We have set up Graylog with the VMware OVA file, currently running Graylog 1.2.2. To this Graylog we are sending syslog from switches and firewalls. I am now trying to find out what happened to a specific port on a Cisco switch a while back.

Let's do this in steps to see what happens:

First I change to search in the last 14 days, and enter query: gl2_remote_ip:192.168.12.142

No problem here. I now get only log messages from the specific switch. Great! OK, now let's filter down to all logs which have to do with port GigabitEthernet1/0/6. I know that the field is called "message":

gl2_remote_ip:192.168.12.142 message:"GigabitEthernet1/0/6"

OK, now I still get only messages from this switch, however I get hits on messages such as: "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/42, changed state to up"

Not really what I searched for. OK, maybe I need to escape the forward slashes? gl2_remote_ip:192.168.12.142 message:"GigabitEthernet1\/0\/6" OK, so still getting hits on %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/42, changed state to up

OK, so let's try without the quotes? Let's try without escaping the slashes first: gl2_remote_ip:192.168.12.142 message:GigabitEthernet1/0/6 Now I get hits from totally different devices, which doesn't match gl2_remote_ip:192.168.12.142

OK, let's try without the quotes but escaping the slashes: gl2_remote_ip:192.168.12.142 message:GigabitEthernet1\/0\/6

Nope, still finding things from different machines.

OK, I am going mad here : )

  1. What should I write to get a hit on a log message that looks like: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/6, changed state to up
  2. Why do I get hits that are not from IP 192.168.12.142 when I don't have quotes around the message bit? Why would it ignore the first part of the query, which is gl2_remote_ip:192.168.12.142?

jontaa commented 8 years ago

Also, I now tried using a regexp with ? instead of slashes. Still does not match correctly: gl2_remote_ip:192.168.12.142 message:"GigabitEthernet1?0?6"

jontaa commented 8 years ago

Actually, now it won't match correctly at all. Searching for gl2_remote_ip:192.168.12.142 message:GigabitEthernet1

Matches %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/4, changed state to up


edmundoa commented 8 years ago

Hi,

I think all you were missing at the beginning is an AND between both conditions. From our documentation:

By default all terms or phrases are OR connected so all messages that have at least one hit are returned.

We use GitHub for bug reports; kindly ask in our mailing list or #graylog on Freenode for further questions.