Full Text Searches

Full text searches may be performed on the data stored within the attached LCE servers. On the Events page, the Search field accepts text strings as search criteria. Search terms are not case sensitive, and Boolean operators may be used to refine the results. This enables searching the raw logs for details contained in the events.

LCE can search for compound groups of full text tokens.

Tokens

A token in this context is a full word, 2 characters or more, separated by punctuation or whitespace.

For example, if you want to search for logs containing "Microsoft", then Microsoft is the token.

Operators

Operators are case sensitive and must be capitalized. For example, a search for mike or miked is actually interpreted as mike AND or AND miked, because the lowercase "or" is treated as a token rather than an operator. Multiple operators can be used in a single query.

Operator    Description

AND         Finds logs containing both the directly preceding token and the directly following token.

OR          Finds logs containing the directly preceding token, the directly following token, or both.

NOT         Finds logs that do not include the subsequent token.

XOR         Finds logs containing exactly one of the two tokens, but not both.

Grouping

Parentheses may be used to group conditionals together to show evaluation precedence just as in mathematics. This is useful in compound conditionals. Without grouping, the query text="blocked AND denied AND dropped OR firewall" would return any log with just “firewall” in it because it satisfies the entire query.

The following query would provide a more accurate result: text="blocked AND denied AND (dropped OR firewall)"

This requires that the log contains blocked, denied, and either dropped or firewall. Because the other terms are now additional constraints, this query returns the same or fewer results.

Search Query Examples:

Each example shows the query string as typed, the query LCE actually evaluates, what it means, example results, example non-results, and why the non-results did not match.

Query string: text="Heartbeat"
Actual query: text="Heartbeat"
What it means: Show me logs with the term "Heartbeat"
Example result: LCE Client Heartbeat| 07/23/2014 00:25:00 AM Hostname: lce_demo IP: 192.168.1.106 Revision: LCE Client 4.2.0 build 20131004
Example non-result: Heart
Why it didn't match: contains only "Heart", a substring of the search term, not the full token "Heartbeat"

Query string: text="linux process"
Actual query: text="linux AND process"
What it means: Show me logs with the term "linux" and the term "process"
Example result: This linux host executed process "ls".
Example non-result: This linux host executed nothing.
Why it didn't match: missing "process"

Query string: text="linux NOT process"
Actual query: text="linux NOT process"
What it means: Show me logs with the term "linux" but NOT the term "process"
Example result: This linux host executed nothing.
Example non-result: This linux host executed process "ls".
Why it didn't match: contains "process"

Query string: text="linux OR nothing"
Actual query: text="linux OR nothing"
What it means: Show me logs with either the term "linux" or the term "nothing"
Example results:
    This linux host executed process "ls".
    This linux host executed nothing.
Example non-result: This nix host did everything.
Why it didn't match: does not contain "linux" and does not contain "nothing"

Query string: text="(linux OR nothing) AND process"
Actual query: text="(linux OR nothing) AND process"
What it means: Show me logs that have the terms "linux" and "process", or the terms "nothing" and "process"
Example results:
    This linux host executed process "ls".
    The process did nothing.
Example non-result: This process did everything.
Why it didn't match: contains "process" but not "linux" and not "nothing"
Example non-result: This linux host did nothing.
Why it didn't match: contains "linux" and "nothing" but not "process"

Query string: text="172.26.20.66"
Actual query: text="172 AND 26 AND 20 AND 66"
What it means: Show me logs with 172 and 26 and 20 and 66. The punctuation in the query string is treated as a delimiter like whitespace and ignored, then the terms are AND'd together by default. In general, if you have an IP in your log it is more desirable to filter on it using the "ip=", "sourceip=", or "destinationip=" filters, all of which accept an IP (172.26.20.66) or IP/CIDR (172.26.20.0/24).
Example results:
    This linux host IP is 172.26.20.66.
    This linux host IP is 66.20.172.26.
    This linux host IP is 172.26.20.100 and there are 66 users.
Example non-result: This linux host IP is 172.26.20.100.
Why it didn't match: missing "66"
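The tokenization, implicit-AND and grouping rules above, as an added example that is not part of LCE or its documentation: a small Python model of the full-text query semantics, run over log lines taken from the table. It assumes tokens are runs of ASCII alphanumerics, that NOT binds tighter than AND, and that OR and XOR share the lowest precedence (the page states only that AND groups before OR, as in mathematics).

```python
import re

WORD = re.compile(r"[()]|[A-Za-z0-9]{2,}")   # tokens are 2+ alphanumerics; punctuation only delimits

def tokenize_log(line):
    # The set of tokens in one log line, case-folded so matching is case-insensitive.
    return {w.lower() for w in WORD.findall(line) if w.isalnum()}

def lex_query(query):
    # Parens and uppercase OR/NOT/XOR pass through, AND is dropped (adjacent terms are AND'd
    # anyway), and every other word becomes a lower-cased search token, so a lowercase "or" is a term.
    return [w if w in ("OR", "NOT", "XOR", "(", ")") else w.lower() for w in WORD.findall(query) if w != "AND"]

def parse(items):
    # Recursive descent returning a predicate over a log's token set. Assumed precedence (the page
    # does not state it): NOT, then AND, then OR/XOR, so "a AND b AND c OR d" matches a log with only d.
    items = items + [None]                      # work on a copy; None marks the end of the query
    def atom():
        t = items.pop(0)
        if t == "(":
            node = expr_or()
            if items.pop(0) != ")":
                raise ValueError("unbalanced parentheses")
            return node
        if t in (None, ")", "AND", "OR", "XOR"):
            raise ValueError(f"unexpected {t!r} in query")
        return (lambda f: lambda s: not f(s))(atom()) if t == "NOT" else (lambda s: t in s)
    def expr_and():
        node = atom()
        while items[0] not in (None, ")", "OR", "XOR"):
            node = (lambda l, r: lambda s: l(s) and r(s))(node, atom())
        return node
    def expr_or():
        node = expr_and()
        while items[0] in ("OR", "XOR"):
            xor, rhs = items.pop(0) == "XOR", expr_and()
            node = (lambda l, r, x: lambda s: (l(s) != r(s)) if x else (l(s) or r(s)))(node, rhs, xor)
        return node
    node = expr_or()
    if items != [None]:
        raise ValueError("unbalanced parentheses")
    return node

def search(query, logs):
    matcher = parse(lex_query(query))
    return [line for line in logs if matcher(tokenize_log(line))]

# Constructed sample, reusing log lines from the table above.
LOGS = ['This linux host executed process "ls".', 'This linux host executed nothing.',
        'The process did nothing.', 'This linux host IP is 172.26.20.66.']
```

Running search('172.26.20.100', LOGS) returns nothing because the last line has no token "100", while search('172.26.20.66', LOGS) matches it, which is the behaviour the last table row describes.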

Copyright © 2019 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable.sc, Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.