Each log has a filter area that allows you to set criteria for which log entries to display. The ability to filter logs is useful for focusing on events on your firewall that possess particular properties or attributes. Filter logs by artifacts that are associated with individual log entries.
For example, filtering by the rule UUID makes it easier to pinpoint the specific rule you want to locate, even among many similarly named rules. If your ruleset is very large, using the rule’s UUID as a filter spotlights the particular rule you need to find without having to navigate through pages of results.
(Unified logs only) Select the log types to include in the Unified log display.
Click Effective Queries.
Select one or more log types from the list (traffic, threat, url, data, and wildfire).
Click OK. The Unified log updates to show only entries from the log types you have selected.
Add a filter to the filter field.
If the value of the artifact matches an operator (such as has or in), enclose the value in quotation marks to avoid a syntax error. For example, if you filter by destination country and use IN as the value to specify INDIA, enter the filter as ( dstloc eq "IN" ).
Click one or more artifacts (such as the application type associated with traffic and the IP address of an attacker) in a log entry. For example, click the Source 10.0.0.25 and Application web-browsing of a log entry to display only entries that contain both artifacts in the log (AND search).
To specify artifacts to add to the filter field, click Add Filter.
To add a previously saved filter, click Load Filter.
Apply the filter to the log.
Click Apply Filter.
The log will refresh to display only log entries that match the current filter.
(Optional) Save frequently used filters.
Click Save Filter.
Enter a Name for the filter.
Click OK. You can view your saved filters by clicking Load Filter.
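
The quoting rule and the AND search from the steps above, as an added example that is not part of the original documentation: a small helper that composes a filter string to paste into the filter field. The field names addr.src and app, the operators beyond has, in and eq, and the function names are assumptions.

```python
import re

# Comparison operators assumed for the log filter syntax. The page itself
# names "has" and "in" and uses "eq"; the remaining entries are assumptions.
OPERATORS = {"eq", "neq", "in", "notin", "has", "leq", "geq"}

# Characters accepted in a field name or bare value. Anything else (spaces,
# quotes, parentheses) could change the structure of the filter, so it is
# rejected here rather than escaped.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9_.:/-]+")


def quote_value(value):
    """Return the value, quoted if it collides with an operator keyword."""
    if not SAFE_TOKEN.fullmatch(value):
        raise ValueError(f"unsupported characters in filter value: {value!r}")
    if value.lower() in OPERATORS:
        # "IN" (India) would otherwise be read as the operator "in".
        return f'"{value}"'
    return value


def clause(field, op, value):
    """Build one parenthesised clause such as ( dstloc eq "IN" )."""
    if not SAFE_TOKEN.fullmatch(field):
        raise ValueError(f"unsupported characters in field name: {field!r}")
    if op not in OPERATORS:
        raise ValueError(f"unknown operator: {op!r}")
    return f"( {field} {op} {quote_value(value)} )"


def build_filter(terms):
    """Join clauses with 'and', matching the AND search described above."""
    if not terms:
        raise ValueError("at least one (field, operator, value) term is required")
    return " and ".join(clause(f, o, v) for f, o, v in terms)


if __name__ == "__main__":
    # Constructed sample terms based on the values shown on the page.
    print(build_filter([("dstloc", "eq", "IN")]))
    print(build_filter([("addr.src", "in", "10.0.0.25"),
                        ("app", "eq", "web-browsing")]))
```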