Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Creating Filters

 

Filters are used to search logs and view information about filter condition, time, or fields in the logs. You can configure basic and advanced filters to match the filtering conditions. You can either load existing filters or define a new filter. A filter allows you to enter specific information that must be displayed on the Event Viewer page; for example, the columns in the Event Viewer table, the time range, and the aggregation point. When you change an existing filter or create a new filter, the Event Viewer table is updated automatically. If filters contain time details, the time range in Event Viewer is updated with the time specified in the filter.

Filters provide:

  • Quick access to critical information—If you are a firewall administrator, you might have to regularly deny traffic from a specific application or a specific set of addresses. You might also have to allow or deny specific application access to some users. To achieve these conditions, you must set user search criteria, scan through the firewall logs that match that criteria, and display the matching logs.

  • Filter sharing among users—Other users in your domain can use the filters you create without modifying or deleting the filters.

  • Filter usage across multiple functional areas—Filters can be used across multiple functional areas such as the Event Viewer, dashboard, alerts, and reports.

Starting in Junos Space Security Director Release 19.2R1, in addition to the manual search using keywords, you can drag and drop the values from non-empty cells in the grid into the event viewer search bar. The value is added as the search criterion and the search results are displayed. You can drag and drop only searchable cells. When you hover over the rows in event viewer, searchable cells are displayed with blue background. If a cell is not searchable, there is no change in the background color. If you drag a searchable cell without any value or if the value = ’–’, you cannot drop the contents of such cells. If the search bar already has a search criterion, all the subsequent drag and drop search criteria are prepended by ‘AND’. After dropping the value in the search bar, the search condition is refreshed in the grid. This applies to both simple and complex search filters.

To create an Event Viewer filter:

  1. Select Monitor > Events & Logs.
  2. Click Detail View.
  3. Click the filter text field.

    The filter keys available are displayed alphabetically in a drop-down list.

  4. Type the exact key in the filter text field, or select the key from the drop-down key list.

    The key appears in the filter bar. While typing in the values, you are prompted with suggestions in the drop-down list whenever possible.

    In the search text box, an icon displays the example filter condition. When you start entering the search string, the icon indicates whether the filter string is valid or not.

    For example: EventName =

  5. Continue to add filter expressions <key>space <operator> space <value>.

    The key appears, along with the value combination in the filter bar.

    For example: EventName = LOGIN_FAILED

  6. Repeat the Step 4 and Step 5 to add additional filter expressions. Press Enter to provide AND operator and comma for OR operator.

    The available filter keys are displayed alphabetically in the drop-down list.

    For example: EventName = LOGIN_FAILED AND SrcIP =

  7. Type in the required IP address.

    For example: EventName = LOGIN_FAILED AND SrcIP = 192.168.45.350

    The term operator AND/OR is displayed in the filter bar to add a different key. Starting in Junos Space Security Director Release 16.1, the term operator OR is displayed.

  8. Click Save > Save Filter.
  9. Enter the filter name.
  10. Click OK.

    The event logs for EventName = LOGIN_FAILED AND SrcIP = 192.168.45.350 are displayed.

Starting in Junos Space Security Director Release 18.4R1, you can perform complex filtering using AND and OR logical operators and brackets to group the search tokens.

For example: (Name = one and id = 11) or (Name = two and id = 12)

For examples on event log filters, see Advanced Search section in Events and Logs Overview.

Note

The filters that you have typed will appear in the filter history until the next session.