Elastic Stack
Kibana
Search Filters
This is an example of looking for an logs that contain the string "password":
passwordThis is an example of looking for logs that contain the name jhenderson stored in a field called user:
user:jhendersonNote: Sometimes a string needs to be surrounded with double quotes.
Example:
"sec555.com"This is an example of looking for logs that contain a source port greater than 40000:
source_port:>40000This is an example of looking for logs that contain a destination IP between 10.0.0.0 and 10.255.255.255:
destination_ip:[10.0.0.0 TO 10.255.255.255]This is an example of looking for logs that have a field named tls:
exists:tlsThis is an example of looking for logs that do not have a field named tls:
-exists:tlsThis is an example of looking for logs that do not have a tag of pci:
-tags:pciThis is an example of looking for logs that are between a specific date:
@timestamp:[2017-05-01 TO 2017-05-28]Combining search filters
Search filters can be combined using (), AND, and OR
This is an example of looking for a network connection sourcing from 192.168.0.1 going to 8.8.8.8:
source_ip:192.168.0.1 AND destination_ip:8.8.8.8This is an example of looking for a network connection coming from 192.168.0.1 or 192.168.0.2:
source_ip:192.168.0.1 OR source_ip:192.168.0.2This is an example of looking for a network connection coming from 192.168.0.1 or 192.168.0.2 that is destined for 8.8.8.8:
(source_ip:192.168.0.1 OR source_ip:192.168.0.2) AND destination_ip:8.8.8.8This is an example of looking for network connections coming from 192.168.0.1 that are not going to 8.8.8.8:
source_ip:192.168.0.1 AND -destination_ip:8.8.8.8Note: Using AND is not required when using an exclusion filter
Here is the same example as above that still works:
source_ip:192.168.0.1 -destination_ip:8.8.8.8This is an example of looking for network connections that are not going to a private IP address:
-destination_ip:[10.0.0.0 TO 10.255.255.255] -destination_ip:[192.168.0.0 TO 192.168.255.255]Last updated