Help with searching syslog messages.
I had a question about searching event logs from a syslog device. I'll try and explain this the best I can.
The device is a Barracuda web filter. The syslog message is in the form:
Message : barracuda_pqman: 1636520258 1 10.0.0.0 204.79.197.200 - 10.0.0.0 https://www.bing.com/ 0 BYF ALLOWED CLEAN 2 0 0 0 0 (-) 0 - 0 - 0 bing.com search-engines-portals [ANON] https://www.bing.com/
Time : 2019-01-03 00:00:00 Device : 10.0.0.4 Source : Local4 Severity : warning Facility : Local4 LogType : Barracuda Device Source Type : -Transmission Protocol : -Source Ip : -Source Port : -Destination Ip : -Destination Port : -Rule Name : -
all of the information regarding the source, destination, weather it was allowed or blocked, etc is all included in the 'Message' line. The portion I am interested in is the sequence of 5 numbers (2 0 0 0 0) that follow 'BYF ALLOWED CLEAN'
The fourth number in this sequence (bolded) 2 0 0 0 0 indicates if the connection was allowed, blocked, monitored etc. 0 = Connection Allowed, 1 = Connection Blocked, 5 = Connection matched a rule and is being monitored.
The other numbers mean various other things and can be different depending on their meanings so you could have 2 1 0 0 0, 2 1 0 1 1, etc but i'm only interested in searching on the 4th number in this sequence.
If anyone is interested here is the link to the Barracuda documentation describing their syslog format: https://campus.barracuda.com/product/websecuritygateway/doc/6160435/syslog-and-the-barracuda-web-security-gateway/?sl=AWgVB_5_BDp2IHciPxpU&so=1=
What I need to do is search and filter these messages by that fourth number being a 0, 1 or 5. Since all of the information is included in the 'Message' block, I cannot find a way to do this. Searching for just a number could match ip addresses, ports, etc.
The sequence of numbers I need to filter on always follow the text 'BYF ALLOWED CLEAN' but I couldn't find any way of using wildcards or any kind of REGEX to look for a certain number in the 4th place of the number sequence in question.
Any help or suggestions would be appreciated. Please let me know if what I'm trying to accomplish isn't clear or isn't possible.
New to ADSelfService Plus?