Elastic Stack
Kibana
Search Filters
This is an example of looking for any logs that contain the string "password":
password
This is an example of looking for logs that contain the name jhenderson stored in a field called user:
user:jhenderson
Note: A string containing spaces or punctuation, such as a domain name, should be surrounded with double quotes so that it is searched as one phrase.
Example:
"sec555.com"
This is an example of looking for logs that contain a source port greater than 40000:
source_port:>40000
This is an example of looking for logs that contain a destination IP between 10.0.0.0 and 10.255.255.255:
destination_ip:[10.0.0.0 TO 10.255.255.255]
This is an example of looking for logs that have a field named tls:
_exists_:tls
This is an example of looking for logs that do not have a field named tls:
-_exists_:tls
This is an example of looking for logs that do not have a tag of pci:
-tags:pci
This is an example of looking for logs that fall within a specific date range:
@timestamp:[2017-05-01 TO 2017-05-28]
Combining search filters
Search filters can be combined using parentheses (), AND, and OR.
This is an example of looking for a network connection sourcing from 192.168.0.1 going to 8.8.8.8:
source_ip:192.168.0.1 AND destination_ip:8.8.8.8
This is an example of looking for a network connection coming from 192.168.0.1 or 192.168.0.2:
source_ip:192.168.0.1 OR source_ip:192.168.0.2
This is an example of looking for a network connection coming from 192.168.0.1 or 192.168.0.2 that is destined for 8.8.8.8:
(source_ip:192.168.0.1 OR source_ip:192.168.0.2) AND destination_ip:8.8.8.8
This is an example of looking for network connections coming from 192.168.0.1 that are not going to 8.8.8.8:
source_ip:192.168.0.1 AND -destination_ip:8.8.8.8
Note: Using AND is not required when using an exclusion filter.
Here is the same example as above that still works:
source_ip:192.168.0.1 -destination_ip:8.8.8.8
This is an example of looking for network connections that are not going to a private IP address:
-destination_ip:[10.0.0.0 TO 10.255.255.255] -destination_ip:[172.16.0.0 TO 172.31.255.255] -destination_ip:[192.168.0.0 TO 192.168.255.255]
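As an added example (not part of the original page, and not Kibana's or Elasticsearch's own code), the following Python evaluator implements the subset of filter syntax used above and runs the page's filters over three constructed log events. It follows the Lucene clause rules that explain the behaviour described here: a bare clause is optional, an explicit AND makes its neighbours required, and a leading - makes a clause prohibited, which is why an exclusion filter works without AND. The sample events, the tls field's contents, and the search() helper are assumptions made for the example; the private-address filter also shows that 172.16.0.0/12 has to be excluded alongside the 10.0.0.0/8 and 192.168.0.0/16 ranges.

```python
"""Evaluator for the Lucene-style filter syntax on this page, run over constructed sample
events. Added example, not Kibana's or Elasticsearch's code. Covers free text, field:value,
field:>N (and >=, <, <=), [A TO B] ranges over numbers, IPs and ISO dates, _exists_:field,
leading '-' exclusion, AND, OR and parentheses."""
import ipaddress
import re

# Constructed sample events; none of these values come from a real system.
EVENTS = [
    {"message": "Failed password for root", "user": "root", "source_ip": "192.168.0.1",
     "destination_ip": "8.8.8.8", "source_port": 51234, "tags": ["pci"],
     "@timestamp": "2017-05-10", "tls": {"version": "1.2"}},
    {"message": "Accepted publickey for jhenderson", "user": "jhenderson",
     "source_ip": "192.168.0.2", "destination_ip": "10.1.2.3", "source_port": 32000,
     "tags": [], "@timestamp": "2017-06-02"},
    {"message": "DNS query for sec555.com", "user": "svc", "source_ip": "192.168.0.1",
     "destination_ip": "172.16.5.5", "source_port": 40001, "tags": ["dns"],
     "@timestamp": "2017-05-27"},
]

# One token per clause: '(' or ')' or [-][field:]value, where value is a quoted phrase,
# a bracketed range, or a bare word / comparison such as >40000.
TOKEN_RE = re.compile(r'\(|\)|-?(?:[^\s():]+:)?(?:\[[^\]]*\]|"[^"]*"|[^\s()]+)')

def parse(tokens, pos=0):
    """One parenthesised level -> ([(negated, node), ...], ops); ops[i] joins clause i and i+1."""
    clauses, ops, negated, op = [], [], False, None
    while pos < len(tokens):
        tok, pos = tokens[pos], pos + 1
        if tok == ')':
            break
        if tok in ('AND', 'OR'):
            op = tok
            continue
        if tok.startswith('-'):           # a bare '-' is the one in front of a '(' group
            negated, tok = True, tok[1:]
            if not tok:
                continue
        node, pos = parse(tokens, pos) if tok == '(' else (tok, pos)
        if clauses:
            ops.append(op)                # None means plain whitespace between clauses
        clauses.append((negated, node))
        negated, op = False, None
    return (clauses, ops), pos

def coerce(value):
    """Compare as the field's natural type: number, IP address, else string (ISO dates
    such as 2017-05-01 order correctly as plain strings)."""
    if isinstance(value, (int, float)):
        return float(value)
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        pass
    try:
        return float(value)
    except ValueError:
        return str(value)

def match_term(term, event):
    if term.startswith('"') or ':' not in term:   # free text searches every field
        needle = term.strip('"').lower()
        return any(needle in str(v).lower() for v in event.values())
    field, _, value = term.partition(':')
    if field == '_exists_':
        return event.get(value) is not None
    actual = event.get(field)
    if actual is None:
        return False
    value = value.strip('"')
    if value.startswith('[') and value.endswith(']'):
        low, high = value[1:-1].split(' TO ')
        return coerce(low) <= coerce(actual) <= coerce(high)
    cmp = re.match(r'(>=|<=|>|<)(.+)', value)
    if cmp:
        a, b = coerce(actual), coerce(cmp.group(2))
        return {'>': a > b, '>=': a >= b, '<': a < b, '<=': a <= b}[cmp.group(1)]
    if isinstance(actual, list):                  # e.g. tags:pci
        return value in actual
    return str(actual) == value

def evaluate(node, event):
    if isinstance(node, str):
        return match_term(node, event)
    clauses, ops = node
    # Lucene clause kinds: '-' makes a clause MUST_NOT, an explicit AND makes both of its
    # neighbours MUST, anything else is SHOULD (Kibana's default operator is OR).
    kinds = ['MUST_NOT' if neg else 'SHOULD' for neg, _ in clauses]
    for i, op in enumerate(ops):
        if op == 'AND':
            kinds[i:i + 2] = ['MUST' if k == 'SHOULD' else k for k in kinds[i:i + 2]]
    results = [evaluate(n, event) for _, n in clauses]
    of = lambda kind: [r for r, k in zip(results, kinds) if k == kind]
    if any(of('MUST_NOT')) or not all(of('MUST')):
        return False
    return bool(of('MUST')) or not of('SHOULD') or any(of('SHOULD'))

def search(query, events=EVENTS):
    """Return the 'user' field of every sample event the filter matches."""
    node, _ = parse(TOKEN_RE.findall(query))
    return [e['user'] for e in events if evaluate(node, e)]
```

search('source_ip:192.168.0.1 -destination_ip:8.8.8.8') and the same filter written with AND both return ['svc']: the root event is dropped because the prohibited clause matches it, and the jhenderson event is dropped because its only optional clause does not. Excluding just the 10.0.0.0/8 and 192.168.0.0/16 ranges still returns the svc event bound for 172.16.5.5; adding the 172.16.0.0/12 range leaves only the root event going to 8.8.8.8.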