@reyjrar
Last active November 20, 2016 13:32
Sample Queries with es-search.pl
brad@janus $ es-search.pl --top program error
= Querying Indexes: syslog-2016.11.20
count program
487 sshd
33 postfix/smtpd
24 postfix/smtps/smtpd
1 freshclam
# Search Parameters:
# {"bool":{"must":[{"query_string":{"query":"error"}}]}}
# Displaying 4 of 545 in 0 seconds.
# Indexes (1 of 1) searched: syslog-2016.11.20
brad@janus $ es-search.pl --fields
Fields available for search:
- acct
- action
- driver
- file
- hostname
- message
- phase
- program
- proto_app
- seconds
- src_ip
- src_port
- status
- tags
- timestamp
- timing.phase
- timing.seconds
# Fields: 17 from a combined 1 indices.
brad@janus $ es-search.pl --top src_ip --with acct program:sshd and status:failure
= Querying Indexes: syslog-2016.11.20
count src_ip
20 acct root 20 221.194.44.195
14 acct root 14 221.194.47.208
13 acct root 13 121.18.238.109
13 acct root 13 221.194.47.229
9 acct root 9 121.18.238.104
8 acct root 8 121.18.238.98
8 acct root 8 221.194.47.224
8 acct root 8 221.194.47.249
6 acct root 6 221.194.44.219
5 acct root 5 121.18.238.114
5 acct root 5 221.194.44.224
5 acct root 5 221.194.44.231
4 acct root 4 116.31.116.47
4 acct root 4 203.177.11.195
2 acct root 2 85.249.47.34
2 acct root 2 216.246.52.38
1 acct root 1 163.172.77.10
1 acct root 1 187.115.73.70
# Search Parameters:
# {"bool":{"must":[{"query_string":{"query":"program:sshd AND status:failure"}}]}}
# Displaying 18 of 134 in 0 seconds.
# Indexes (1 of 1) searched: syslog-2016.11.20
brad@janus $ es-search.pl program:sshd and _exists_:acct --show driver,status,acct,src_ip
= Querying Indexes: syslog-2016.11.20
timestamp driver status acct src_ip
2016-11-20T13:19:16+0100 publickey success brad 172.58.137.194
2016-11-20T11:57:05+0100 password failure root 221.194.47.208
2016-11-20T11:57:00+0100 password failure root 221.194.47.208
2016-11-20T11:56:55+0100 password failure root 221.194.47.208
2016-11-20T11:56:52+0100 password failure root 221.194.47.208
2016-11-20T11:56:48+0100 password failure root 221.194.47.208
2016-11-20T11:19:45+0100 password failure root 221.194.44.219
2016-11-20T11:19:31+0100 password failure root 221.194.44.219
2016-11-20T11:19:27+0100 password failure root 221.194.44.219
2016-11-20T11:19:22+0100 password failure root 221.194.44.219
2016-11-20T11:19:18+0100 password failure root 221.194.44.219
2016-11-20T11:19:14+0100 password failure root 221.194.44.219
2016-11-20T07:32:30+0100 password failure root 216.246.52.38
2016-11-20T07:26:19+0100 password failure root 121.18.238.98
2016-11-20T07:26:14+0100 password failure root 121.18.238.98
2016-11-20T07:26:08+0100 password failure root 121.18.238.98
2016-11-20T07:26:03+0100 password failure root 121.18.238.98
2016-11-20T07:13:39+0100 password failure root 221.194.47.229
2016-11-20T07:13:35+0100 password failure root 221.194.47.229
2016-11-20T07:13:30+0100 password failure root 221.194.47.229
# Search Parameters:
# {"bool":{"must":[{"query_string":{"query":"program:sshd AND _exists_:acct"}}]}}
# Displaying 20 of 129 in 0 seconds.
# Indexes (1 of 1) searched: syslog-2016.11.20
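The `--show driver,status,acct,src_ip` table above is the raw material for the `--top src_ip --with acct` roll-up shown earlier. The following is an added example (not part of this gist and not code from es-search.pl): it parses a few rows copied from that table, reproduces the per-source/per-account grouping, and then flags sources whose password failures against one account cluster inside a short window. The threshold and window are assumptions chosen for illustration.

```python
# Added example, not es-search.pl code: parse --show output rows, group them
# the way "--top src_ip --with acct" does, and flag rapid password-failure
# bursts per (src_ip, acct). Rows below are copied from the gist output.
from collections import defaultdict
from datetime import datetime

SAMPLE = """\
timestamp driver status acct src_ip
2016-11-20T13:19:16+0100 publickey success brad 172.58.137.194
2016-11-20T11:57:05+0100 password failure root 221.194.47.208
2016-11-20T11:57:00+0100 password failure root 221.194.47.208
2016-11-20T11:56:55+0100 password failure root 221.194.47.208
2016-11-20T11:56:52+0100 password failure root 221.194.47.208
2016-11-20T11:56:48+0100 password failure root 221.194.47.208
2016-11-20T07:32:30+0100 password failure root 216.246.52.38
"""

def parse_rows(text):
    """Parse whitespace-separated --show output (header first, '#' lines skipped)."""
    lines = [l for l in text.splitlines() if l and not l.startswith("#")]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split()))
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%S%z")
        rows.append(row)
    return rows

def top_with(rows, field, with_field):
    """Mimic --top FIELD --with WITH: count rows per (field, with_field), most frequent first."""
    counts = defaultdict(int)
    for r in rows:
        counts[(r[field], r[with_field])] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])

def burst_sources(rows, threshold=5, window_s=60):
    """src_ip -> acct for sources with >= threshold password failures on one acct within window_s."""
    by_key = defaultdict(list)
    for r in rows:
        if r["driver"] == "password" and r["status"] == "failure":
            by_key[(r["src_ip"], r["acct"])].append(r["ts"])
    hits = {}
    for (ip, acct), times in by_key.items():
        times.sort()  # sliding window over chronologically ordered failures
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                hits[ip] = acct
                break
    return hits
```

With these rows, `burst_sources` flags only 221.194.47.208 (five root failures in 17 seconds); the single failure from 216.246.52.38 and the successful publickey login are not flagged.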