Hi Folks,
We want to focus on a specific source subnet (10.3.0.0/16) identified by the proxy device. Is there a way to get the data through the Investigation tab or by creating a report?
Best Regards,
Utsav Sejpal
If it is a small amount of data, you can run the query below then select to export / save the logs to a file which you can then download:
ip.src = '10.3.0.0/16'
You can further drill down to the point where you feel you need to extract the data, then export from the toolbar menu option.
By the way, a query across that entire subnet is taxing on a system. If you plan to run queries like that often, it is best to deploy the traffic flow parser to the Log Decoders, then define the subnet in the lua options file so that netname.src etc. would carry a tag for that network segment, and searches can be made simpler (and faster) by running something like: netname.src = 'datacenter1_lab', assuming you tagged it that way in the options file.
Naushad A Kasu | Senior Practice Consultant, Professional Services | RSA | m: 612.772.5843<tel:612.772.5843> | e: naushad.kasu@rsa.com<mailto:naushad.kasu@rsa.com> | www.rsa.com<http://www.rsa.com/>
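To illustrate the difference between the two approaches in the answer above (evaluating ip.src = '10.3.0.0/16' per event at query time versus tagging netname.src once at ingest and then comparing strings), here is an added stand-alone Python example. It is not NetWitness code and not the traffic_flow parser's options-file format; the netname table, the label datacenter1_lab, the extra networks branch_office and datacenter1_dmz, and the sample proxy events are all constructed for this example. It also shows one caveat of tagging: with overlapping networks the most specific one wins, so a host in a /24 carved out of the /16 gets the /24's name and no longer matches the /16's netname query, even though the CIDR query still returns it.

```python
import ipaddress

# Constructed netname table, standing in for the subnet definitions an
# analyst would put in the parser's options file. Names and the two extra
# networks are assumptions for this example.
NETNAMES = {
    "datacenter1_lab": "10.3.0.0/16",
    "datacenter1_dmz": "10.3.99.0/24",   # more specific, inside the /16
    "branch_office": "192.168.50.0/24",
}

# Constructed sample proxy events as (ip.src, ip.dst, request); not from the thread.
EVENTS = [
    ("10.3.12.7", "93.184.216.34", "GET http://example.com/"),
    ("10.3.200.1", "10.3.0.5", "CONNECT update.internal:443"),
    ("192.168.50.9", "93.184.216.34", "GET http://example.com/robots.txt"),
    ("172.16.4.4", "10.3.0.5", "GET http://intranet/"),
    ("10.3.99.2", "93.184.216.34", "GET http://example.com/login"),
]


def build_netname_table(definitions):
    # Parse every CIDR once and order longest prefix first, so the most
    # specific network wins when ranges overlap.
    table = [(ipaddress.ip_network(cidr, strict=False), name)
             for name, cidr in definitions.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def netname(ip, table):
    # Return the name of the most specific network containing ip, or None.
    addr = ipaddress.ip_address(ip)
    for net, name in table:
        if addr in net:
            return name
    return None


def tag_events(events, table):
    # Mimics decoder-side tagging at ingest: attach netname.src / netname.dst
    # meta to each event so later queries are plain string comparisons.
    tagged = []
    for src, dst, request in events:
        tagged.append({
            "ip.src": src,
            "ip.dst": dst,
            "netname.src": netname(src, table),
            "netname.dst": netname(dst, table),
            "request": request,
        })
    return tagged


def query_by_cidr(events, cidr):
    # Equivalent of ip.src = '10.3.0.0/16': CIDR membership is computed for
    # every event each time the query runs.
    net = ipaddress.ip_network(cidr, strict=False)
    return [e for e in events if ipaddress.ip_address(e["ip.src"]) in net]


def query_by_netname(tagged, name):
    # Equivalent of netname.src = 'datacenter1_lab': compares pre-computed meta.
    return [e for e in tagged if e["netname.src"] == name]


if __name__ == "__main__":
    table = build_netname_table(NETNAMES)
    tagged = tag_events(EVENTS, table)
    for e in query_by_cidr(tagged, "10.3.0.0/16"):
        print("cidr   ", e["ip.src"], e["netname.src"], e["request"])
    for e in query_by_netname(tagged, "datacenter1_lab"):
        print("netname", e["ip.src"], e["netname.src"], e["request"])
```

Running it shows three hits for the CIDR query but only two for netname.src = 'datacenter1_lab', because 10.3.99.2 was tagged datacenter1_dmz. If you want a /16-wide search to keep matching such hosts after moving to netname tags, either avoid carving out sub-ranges or search for both names.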
Hi Naushad Kasu
Thanks for your inputs.
I ran the query as you suggested for the last one hour of logs.
It gives me proper output when I select "event count". However, when I try to pull the complete logs by selecting the "none" option, it does not display any data.
Please find attachments.
Thanks,
Utsav Sejpal