
Full Text Searches

Full text searches may be performed on the data stored within the attached LCE servers. On the Events page, the Search field accepts text strings as search criteria. Search terms are case insensitive, and Boolean operators may be used to refine the results. This allows the raw logs to be searched for details contained in the events.

The LCE text search feature is powerful, but using it well requires some knowledge of the available operators and of the underlying search engine. The sections below explain what it means when we say that LCE can search for compound groups of full text tokens.

Tokens

A token is a full word, 2 characters or more, separated by punctuation or whitespace. A token does not include single-character strings or punctuation.

LCE searches on full tokens. If you want to find “software” and “Microsoft” because you want to see your Windows software update logs, you must search for “software AND Microsoft”; a substring such as “soft” will not match the token “software”.

Operators

Operators are case sensitive and must be capitalized. For example, a search for mike or miked is actually evaluated as mike AND or AND miked, because the lowercase "or" is treated as a search term rather than an operator. Multiple operators can be used in a single query.

Operator | Description
AND      | Finds logs containing both of the results.
OR       | Finds logs containing either of the results.
NOT      | Finds logs that do not include the subsequent token.
XOR      | Finds logs with exactly one but not both tokens.

Grouping

Parentheses may be used to group conditions and control evaluation precedence, just as in mathematics. This is useful in compound conditions. Without grouping, the query text="blocked AND denied AND dropped OR firewall" would return any log with just “firewall” in it, because “firewall” alone satisfies the OR branch and therefore the entire query.

The following query would provide a more accurate result: text="blocked AND denied AND (dropped OR firewall)"

This requires that the log contains blocked, denied, and either dropped or firewall. Because the query now places additional constraints on the other terms, we expect it to return the same or fewer results.

Search Query Examples:

Each example lists the query string as typed, the query LCE actually evaluates, what it means, example logs that match, example logs that do not match, and why the non-matching logs fail.

Query String: text="Heartbeat"
Actual Query: text="Heartbeat"
What It Means: Show me logs with the term "Heartbeat"
Example Result: LCE Client Heartbeat| 07/23/2014 00:25:00 AM Hostname: lce_demo IP: 192.168.1.106 Revision: LCE Client 4.2.0 build 20131004
Example Non-Result: Heart
Why It Didn't Match: does not contain the full term "Heartbeat" by itself, only as a substring

Query String: text="linux process"
Actual Query: text="linux AND process"
What It Means: Show me logs with the term "linux" and the term "process"
Example Result: This linux host executed process "ls".
Example Non-Result: This linux host executed nothing.
Why It Didn't Match: missing "process"

Query String: text="linux NOT process"
Actual Query: text="linux NOT process"
What It Means: Show me logs with the term "linux" but NOT the term "process"
Example Result: This linux host executed nothing.
Example Non-Result: This linux host executed process "ls".
Why It Didn't Match: contains "process"

Query String: text="linux OR nothing"
Actual Query: text="linux OR nothing"
What It Means: Show me logs with either the term "linux" or the term "nothing"
Example Result: This linux host executed process "ls".
Example Result: This linux host executed nothing.
Example Non-Result: This nix host did everything.
Why It Didn't Match: does not contain "linux" and does not contain "nothing"

Query String: text="(linux OR nothing) AND process"
Actual Query: text="(linux OR nothing) AND process"
What It Means: Show me logs that have the terms "linux" and "process", or the terms "nothing" and "process"
Example Result: This linux host executed process "ls".
Example Result: The process did nothing.
Example Non-Result: This process did everything.
Why It Didn't Match: contains "process" but not "linux" and not "nothing"
Example Non-Result: This linux host did nothing.
Why It Didn't Match: contains "linux" and "nothing" but not "process"

Query String: text="172.26.20.66"
Actual Query: text="172 AND 26 AND 20 AND 66"
What It Means: Show me logs with 172 and 26 and 20 and 66. The punctuation in the query string is treated as a delimiter like whitespace and ignored, and the resulting terms are AND'd together by default. In general, if you have an IP in your log it is more desirable to filter on it using the "ip=", "sourceip=", or "destinationip=" filters, all of which accept an IP (172.26.20.66) or IP/CIDR (172.26.20.0/24).
Example Result: This linux host IP is 172.26.20.66.
Example Result: This linux host IP is 66.20.172.26.
Example Result: This linux host IP is 172.26.20.100 and there are 66 users.
Example Non-Result: This linux host IP is 172.26.20.100.
Why It Didn't Match: missing "66"
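The following Python script is an added example, not Tenable's code and not a description of how LCE is implemented internally. It models the search semantics described on this page (full tokens of two or more characters, case-insensitive terms, case-sensitive uppercase operators, implicit AND between adjacent terms, NOT as a prefix operator, and parentheses for grouping) and runs the example queries above against the example logs, constructed here from the table. Assumptions not stated on the page: a token is a run of ASCII letters or digits, AND binds tighter than OR and XOR, and the ip_filter function is only an illustration of why a real IP/CIDR filter is more precise than a text search on an address, not the behaviour of the SecurityCenter "ip=" filters.

```python
import re
import ipaddress

# Assumption: a token is 2+ ASCII letters/digits; punctuation, whitespace and
# underscores delimit tokens and single characters are dropped.
TOKEN_RE = re.compile(r"[A-Za-z0-9]{2,}")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
OPERATORS = {"AND", "OR", "NOT", "XOR"}          # case-sensitive, uppercase only
PREC = {"OR": 1, "XOR": 1, "AND": 2, "NOT": 3, "TERM": 4}  # assumed precedence

# Constructed sample logs, taken from the example table on this page.
SAMPLE_LOGS = [
    'LCE Client Heartbeat| 07/23/2014 00:25:00 AM Hostname: lce_demo IP: 192.168.1.106 Revision: LCE Client 4.2.0 build 20131004',
    'Heart',
    'This linux host executed process "ls".',
    'This linux host executed nothing.',
    'This nix host did everything.',
    'The process did nothing.',
    'This process did everything.',
    'This linux host did nothing.',
    'This linux host IP is 172.26.20.66.',
    'This linux host IP is 66.20.172.26.',
    'This linux host IP is 172.26.20.100 and there are 66 users.',
    'This linux host IP is 172.26.20.100.',
]


def tokenize(text):
    """Set of full tokens in a log line, lower-cased (terms are case-insensitive)."""
    return {t.lower() for t in TOKEN_RE.findall(text)}


def lex(query):
    """Split a text="..." query into parentheses, operators and ("TERM", word) tuples."""
    if query.startswith('text="') and query.endswith('"'):
        query = query[6:-1]
    out = []
    for piece in re.findall(r"\(|\)|[^\s()]+", query):
        if piece in ("(", ")") or piece in OPERATORS:
            out.append(piece)
        else:
            # punctuation inside a term delimits it: 172.26.20.66 -> four terms
            out.extend(("TERM", w.lower()) for w in TOKEN_RE.findall(piece))
    return out


class Parser:
    """Recursive-descent parser: OR/XOR < AND < NOT < atom, implicit AND between atoms."""

    def __init__(self, toks):
        self.toks, self.i = toks, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of query")
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % (self.peek(),))
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() in ("OR", "XOR"):
            node = (self.take(), node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while True:
            nxt = self.peek()
            if nxt == "AND":
                self.take()
                node = ("AND", node, self.parse_not())
            elif nxt is not None and nxt not in ("OR", "XOR", ")"):
                node = ("AND", node, self.parse_not())   # adjacent terms: implicit AND
            else:
                return node

    def parse_not(self):
        if self.peek() == "NOT":
            self.take()
            return ("NOT", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if isinstance(tok, tuple):
            return tok
        raise ValueError("unexpected token %r" % (tok,))


def parse_query(query):
    return Parser(lex(query)).parse()


def evaluate(node, toks):
    """True if the token set of one log satisfies the parsed query."""
    kind = node[0]
    if kind == "TERM":
        return node[1] in toks
    if kind == "NOT":
        return not evaluate(node[1], toks)
    a, b = evaluate(node[1], toks), evaluate(node[2], toks)
    return {"AND": a and b, "OR": a or b, "XOR": a != b}[kind]


def render(node):
    """Show the query LCE actually evaluates, with implicit ANDs made explicit."""
    kind = node[0]
    if kind == "TERM":
        return node[1]
    if kind == "NOT":
        inner = render(node[1])
        return "NOT " + (inner if PREC[node[1][0]] >= PREC["NOT"] else "(" + inner + ")")
    parts = []
    for child in node[1:]:
        text = render(child)
        parts.append("(" + text + ")" if PREC[child[0]] < PREC[kind] else text)
    return (" %s " % kind).join(parts)


def search(query, logs):
    node = parse_query(query)
    return [log for log in logs if evaluate(node, tokenize(log))]


def ip_filter(value, logs):
    """Illustrative IP/CIDR match (assumption, not SecurityCenter's ip= filter)."""
    net = ipaddress.ip_network(value, strict=False)
    matched = []
    for log in logs:
        for m in IP_RE.finditer(log):
            try:
                if ipaddress.ip_address(m.group()) in net:
                    matched.append(log)
                    break
            except ValueError:
                continue
    return matched


if __name__ == "__main__":
    for q in ('text="Heartbeat"', 'text="linux process"', 'text="linux NOT process"',
              'text="(linux OR nothing) AND process"', 'text="172.26.20.66"', "mike or miked"):
        print(q, "->", render(parse_query(q)), "->", len(search(q, SAMPLE_LOGS)), "hit(s)")
    print('ip=172.26.20.0/24 ->', len(ip_filter("172.26.20.0/24", SAMPLE_LOGS)), "hit(s)")
```

Running the script shows the two points the page makes: the text search for "172.26.20.66" also returns the log containing 66.20.172.26 and the one containing 172.26.20.100 with 66 users, whereas the CIDR match on 172.26.20.0/24 returns only the hosts actually in that network; and the un-grouped query "blocked AND denied AND dropped OR firewall" is satisfied by a log containing only "firewall".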

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.