Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 56 Auditing the System
Viewing the System Log
Caution: The System Log page does not allow the use of pipe characters for OR expressions. For example, if you use [word_1|word_2], you will receive an invalid filter error.
Table 56-6 shows the regular expression syntax you can use in System Log filters.
Table 56-7 shows some example filters you can use on the System Log page.
To search for specific message content in the system log:

Access: Admin/Maint

Step 1  Select System > Monitoring > Syslog.
        The System Log page appears.
Step 2  Enter a word or query in the Filter field.
        See the System Log Filter Syntax table and the System Log Filter Examples table for more information about the filter syntax you can use.

Table 56-6 System Log Filter Syntax

| Syntax Component | Description | Example |
|---|---|---|
| `.` | Matches any character or white space | `Admi.` matches `Admin`, `AdmiN`, `Admi1`, and `Admi&` |
| `[[:alpha:]]` | Matches any alphabetic character | `[[:alpha:]]dmin` matches `Admin`, `bdmin`, and `Cdmin` |
| `[[:upper:]]` | Matches any uppercase alphabetic character | `[[:upper:]]dmin` matches `Admin`, `Bdmin`, and `Cdmin` |
| `[[:lower:]]` | Matches any lowercase alphabetic character | `[[:lower:]]dmin` matches `admin`, `bdmin`, and `cdmin` |
| `[[:digit:]]` | Matches any numeric character | `[[:digit:]]dmin` matches `0dmin`, `1dmin`, and `2dmin` |
| `[[:alnum:]]` | Matches any alphanumeric character | `[[:alnum:]]dmin` matches `1dmin`, `admin`, `2dmin`, and `bdmin` |
| `[[:space:]]` | Matches any white space, including tabs | `Feb[[:space:]]29` matches logs from February 29th. |
| `*` | Matches zero or more instances of the character or expression it follows | `ab*` matches `a`, `ab`, `abb`, `ca`, `cab`, and `cabb`; `[ab]*` matches anything |
| `?` | Matches zero or one instances | `ab?` matches `a` or `ab`. |
| `\` | Allows you to search for a character typically interpreted as regular expression syntax | `alert\?` matches `alert?`. |

Table 56-7 System Log Filter Examples

| To search for all log entries that... | Use... |
|---|---|
| Are generated on November 5 | `Nov[[:space:]]*5` |
| Contain the user name “Admin” | `Admin` |
| Contain authorization debugging information on November 5 | `Nov[[:space:]]*5.*AUTH.*DEBUG` |
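
To try a filter from the tables above before entering it in the Filter field, the following added example (not part of the Cisco guide) approximates the syntax with `grep -E` over constructed log lines and rejects filters containing a pipe, as the Caution describes. It assumes the appliance's matcher behaves like a case-sensitive POSIX extended regular expression without `|`; the function names and sample lines are hypothetical.

```shell
#!/bin/sh
# Added example: approximate System Log filter behaviour offline.
# Assumption: the Filter field acts like case-sensitive POSIX ERE minus '|'.

# Constructed sample syslog lines (not from a real appliance).
# Traditional syslog timestamps pad single-digit days with two spaces.
SAMPLE_LOG='Nov  5 09:12:01 fmc sshd[2211]: AUTH DEBUG session opened for Admin
Nov  5 09:12:07 fmc httpd[981]: request served
Nov 15 10:00:44 fmc sshd[2290]: AUTH DEBUG session opened for admin
Feb 29 23:59:59 fmc cron[77]: alert? disk check finished'

# Return 0 if the filter contains an unescaped pipe character, which the
# guide says produces an invalid filter error (even inside brackets).
has_unescaped_pipe() {
    # Drop every backslash-escaped character, then look for a leftover '|'.
    _stripped=$(printf '%s' "$1" | sed 's/\\.//g')
    case "$_stripped" in
        *'|'*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Print the number of sample lines the filter matches, or "invalid filter".
count_matches() {
    if has_unescaped_pipe "$1"; then
        echo "invalid filter"
        return 1
    fi
    # grep -c exits 1 on zero matches; that is a valid result here.
    printf '%s\n' "$SAMPLE_LOG" | grep -E -c -- "$1" || true
}

# Print the matching sample lines so the filter's reach can be inspected.
show_matches() {
    has_unescaped_pipe "$1" && { echo "invalid filter"; return 1; }
    printf '%s\n' "$SAMPLE_LOG" | grep -E -- "$1" || true
}
```

On this sample, `count_matches 'Nov 5'` reports 0 because of the two-space day padding, while `count_matches 'Nov[[:space:]]*5'` reports 2 and does not pick up the `Nov 15` line.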