Event Query Language

Query Language Overview

A powerful query language lets you show only selected records from the log files, according to your criteria. To create complex queries, use Boolean operators, wildcards, fields, and ranges. This section describes the query language in detail.

The basic query syntax is [<Field>:] <Filter Criterion>.

To put together many criteria in one query, use Boolean operators:

[<Field>:] <Filter Criterion> {AND|OR|NOT} [<Field>:] <Filter Criterion> ...

Most query keywords and filter criteria are not case sensitive, but there are some exceptions. For example, "sourceip:<X>" is case sensitive ("SourceIP:<X>" does not match). If a query does not return the expected results, change the case of your query criteria, or try both upper and lower case.

When a query contains more than one criterion value, an AND is implied automatically, so there is no need to add it. Enter OR or other Boolean operators if needed.

Query Language Usage

Criteria Values

Criteria values are written as one or more text strings. You can enter one text string, such as a word, IP address, or URL, without delimiters. Phrases or text strings that contain more than one word must be surrounded by quotation marks.

One word string examples:

  • Accept

  • Medium

  • 192.168.2.1

  • www.urlexample.com

  • 4a6ad969-398c-4075-bba6-e30f931d0a4f

Phrase examples:

  • "My Asset"

  • "Schema Validation"

  • "SQL Injection"

IP Addresses

IPv4 and IPv6 addresses used in log queries count as one word. Enter IPv4 addresses in dotted-decimal notation and IPv6 addresses in colon-separated hexadecimal notation.

Examples:

  • 192.0.2.1

  • 2001:db8::f00:d

You can also use the '*' wildcard character with IP addresses, as well as the standard CIDR network suffix, to find all logs whose IP addresses fall within a range.

Examples:

  • 192.168.0.0/16 - shows all records for the source IP 192.168.0.0 to 192.168.255.255 inclusive.

  • 192.168.1.0/24 - shows all records for the source IP 192.168.1.0 to 192.168.1.255 inclusive.

  • 192.168.2.* - shows all records for the source IP 192.168.2.0 to 192.168.2.255 inclusive.

  • 192.168.* - shows all records for 192.168.0.0 to 192.168.255.255 inclusive.
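The following Python is an added illustration, not code from the open-appsec documentation or code base, of how the IP criteria above translate into matching logic: a CIDR suffix is checked with the standard library's ipaddress module, and a trailing-octet wildcard such as 192.168.2.* is rewritten to the equivalent network (192.168.2.0/24) so it can be checked the same way. Exact IPv6 comparison goes through ipaddress as well, so differently spelled forms of the same address compare equal. The events are constructed sample data, and the product's own matching implementation may differ from this.

```python
import ipaddress


def wildcard_ipv4_to_network(criterion):
    """Translate a trailing-octet wildcard ('192.168.2.*', '192.168.*') into the
    equivalent CIDR network ('192.168.2.0/24', '192.168.0.0/16').
    Returns None when the criterion is not of that form."""
    parts = criterion.split(".")
    fixed = []
    for part in parts:
        if part == "*":
            break
        if not part.isdigit() or int(part) > 255:
            return None
        fixed.append(part)
    trailing = parts[len(fixed):]
    # Accept 1..3 fixed octets followed only by '*' entries (at least one).
    if not 1 <= len(fixed) <= 3 or not trailing or any(t != "*" for t in trailing):
        return None
    return ".".join(fixed + ["0"] * (4 - len(fixed))) + f"/{8 * len(fixed)}"


def ip_matches(criterion, address):
    """True when a logged address satisfies an exact-IP, CIDR, or wildcard criterion."""
    try:
        ip = ipaddress.ip_address(address)
        if "/" in criterion:
            return ip in ipaddress.ip_network(criterion, strict=False)
        network = wildcard_ipv4_to_network(criterion)
        if network is not None:
            return ip in ipaddress.ip_network(network)
        # Exact match; ip_address() normalises spellings such as 2001:0db8:: vs 2001:db8::
        return ip == ipaddress.ip_address(criterion)
    except ValueError:  # malformed address or criterion never matches
        return False


EVENTS = [  # constructed sample events for this example, not real open-appsec logs
    {"id": 1, "sourceip": "192.168.2.1"},
    {"id": 2, "sourceip": "192.168.1.77"},
    {"id": 3, "sourceip": "10.0.4.10"},
    {"id": 4, "sourceip": "2001:db8::f00:d"},
]


def filter_by_source(criterion, events=EVENTS):
    """Return the ids of the events whose sourceip satisfies the criterion."""
    return [e["id"] for e in events if ip_matches(criterion, e["sourceip"])]


if __name__ == "__main__":
    for c in ["192.168.0.0/16", "192.168.2.*", "192.168.1.0/24", "2001:db8::f00:d"]:
        print(c, "->", filter_by_source(c))
```

Rewriting the wildcard form to a network is what makes 192.168.2.* and 192.168.2.0/24 select the same records, as the list above states; a criterion with a wildcard in a middle octet (192.*.2.1) has no single-network equivalent and is rejected here rather than guessed at.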

NOT Values

You can use NOT with field keywords in log queries to find logs in which the value of the field is not the value given in the query.

Syntax:

NOT <field>: <value>

Example:

NOT src:10.0.4.10

Wildcards

You can use the standard wildcard characters (* and ?) in queries to match variable characters or strings in log records. A criterion can contain more than one wildcard character.

Wildcard syntax:

  • The ? (question mark) matches one character.

  • The * (asterisk) matches any string of characters.

Examples:

  • MyAsset? - shows MyAsset1 and MyAsset2, but not MyAsset12.

  • MyAsset* - shows MyAsset1, MyAsset12, and MyAsset209-d.

If your criteria value contains more than one word, you can use the wildcard in each word.

For example, “Asset* AZ*” - shows “Asset1 AZ45”, “Asset23 AZ90”, and so on.

Using a single '*' on its own searches for any non-empty value string. For example, assetname:* matches records in which the asset name has a value.

open-appsec Events Field Keywords

You can use predefined field names as keywords in filter criteria. The query result only shows log records that match the criteria in the specified field. If you do not use field names, the query result shows records that match the criteria in all fields.

Syntax for a field name query:

<field name>:<values>

  • <field name> - One of the predefined field names

  • <values> - One or more filters

Examples:

  • sourceip:192.168.2.1

  • securityaction:(Prevent OR Drop)

You can use the OR Boolean operator in parentheses to include multiple criteria values.

Important - When you search in fields for multiple values, you must:

  • Write the Boolean operator, for example OR.

  • Use parentheses.

Boolean Operators

You can use the Boolean operators AND, OR, and NOT to create filters with many different criteria. You can put multiple Boolean expressions in parentheses.

If you enter more than one criterion without a Boolean operator, the AND operator is implied. When you use multiple criteria without parentheses, the OR operator is applied before the AND operator.

Examples:

  • practicetype:"Threat Prevention" AND securityaction:Prevent

    Shows log records caused by “Threat Prevention” type security practices where traffic was blocked.

  • 192.168.2.133 10.19.136.101

    Shows log entries that match both IP addresses. The AND operator is implied.

  • 192.168.2.133 OR 10.19.136.101

    Shows log entries that match one of the IP addresses.

  • (assetname:"MyAsset1" OR assetname:"MyAsset2") AND NOT securityaction:Accept

    Shows all log entries for assets “MyAsset1” and “MyAsset2” that do not have the “Accept” security action. The criteria in the parentheses are applied before the AND NOT criterion.

  • sourceip:(192.168.2.1 OR 192.168.2.2) AND destinationip:17.168.8.2

    Shows log entries from the two source IP addresses if the destination IP address is 17.168.8.2. This example also shows how you can use Boolean operators with field criteria.
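To make the precedence rules concrete, here is an added Python example (not open-appsec's own query parser) that tokenizes and evaluates queries written in the syntax described on this page against a few constructed event records. It implements implied AND between adjacent criteria, OR applied before AND as stated above, NOT, parenthesized groups, field:value and field:(value OR value) criteria, the * and ? wildcards, and CIDR ranges. The field-name set FIELDS is an assumption for the example (the real list is in the Events/Logs Schema); a word is split at ':' only when its prefix is a known field, which is what lets a value such as sourceip:2001:db8::f00:d parse correctly. Unlike the product, this example compares every value case-insensitively.

```python
import ipaddress
import re

# Field names the evaluator recognises: an assumption for this example; the
# real list is on the Events/Logs Schema page.
FIELDS = {"sourceip", "destinationip", "assetname", "securityaction", "practicetype"}
# A token is a "quoted phrase", a single parenthesis, or a run of other non-space characters.
TOKEN_RE = re.compile(r'"([^"]*)"|([()])|([^\s()"]+)')

class Parser:
    def __init__(self, query):
        self.toks = [("PAREN", p) if p else ("WORD", w) if w else ("PHRASE", ph)
                     for ph, p, w in TOKEN_RE.findall(query)]
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        self.i += 1
        return self.toks[self.i - 1] if self.i <= len(self.toks) else (None, None)

    def is_kw(self, word):  # keywords are matched case-insensitively
        return self.peek()[0] == "WORD" and self.peek()[1].upper() == word

    def parse_and(self, field=None):
        # Adjacent criteria imply AND; OR groups (parse_or) bind tighter, as the page states.
        terms = [self.parse_or(field)]
        while self.peek()[0] is not None and self.peek() != ("PAREN", ")"):
            if self.is_kw("AND"):
                self.take()
            terms.append(self.parse_or(field))
        return ("AND", terms) if len(terms) > 1 else terms[0]

    def parse_or(self, field):
        terms = [self.parse_unary(field)]
        while self.is_kw("OR"):
            self.take()
            terms.append(self.parse_unary(field))
        return ("OR", terms) if len(terms) > 1 else terms[0]

    def parse_unary(self, field):
        if self.is_kw("NOT"):
            self.take()
            return ("NOT", self.parse_unary(field))
        return self.parse_primary(field)

    def parse_primary(self, field):
        kind, text = self.take()
        if (kind, text) == ("PAREN", "("):  # a group, possibly bound to a field
            node = self.parse_and(field)
            if self.take() != ("PAREN", ")"):
                raise ValueError("missing ')'")
            return node
        if kind == "WORD" and field is None:
            head, sep, rest = text.partition(":")
            # Split at ':' only for a known field, so an IPv6 value like 2001:db8::1 stays whole.
            if sep and head.lower() in FIELDS:
                return ("MATCH", head.lower(), rest) if rest else self.parse_primary(head.lower())
        if kind in ("WORD", "PHRASE"):
            return ("MATCH", field, text)
        raise ValueError(f"unexpected token {text!r}")

def value_matches(pattern, value):
    """CIDR test for IP patterns; otherwise * and ? wildcards, compared case-insensitively."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(str(value)) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:  # value is not an IP, or the pattern is not a valid network
            return False
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, str(value), re.IGNORECASE) is not None

def evaluate(node, record):
    if node[0] == "AND":
        return all(evaluate(n, record) for n in node[1])
    if node[0] == "OR":
        return any(evaluate(n, record) for n in node[1])
    if node[0] == "NOT":
        return not evaluate(node[1], record)
    _, field, pattern = node  # no field given: the value may match any field
    targets = [record.get(field, "")] if field else list(record.values())
    return any(value_matches(pattern, v) for v in targets)

def event(i, src, dst, asset, action, practice):  # constructed sample events, not real logs
    return {"id": i, "sourceip": src, "destinationip": dst, "assetname": asset,
            "securityaction": action, "practicetype": practice}

LOGS = [event(1, "192.168.2.1", "17.168.8.2", "MyAsset1", "Prevent", "Threat Prevention"),
        event(2, "192.168.2.2", "10.0.0.5", "MyAsset2", "Accept", "Threat Prevention"),
        event(3, "10.19.136.101", "17.168.8.2", "MyAsset12", "Drop", "API Schema Enforcement"),
        event(4, "2001:db8::f00:d", "17.168.8.2", "MyAsset209-d", "Detect", "Threat Prevention")]

def parse_query(query):
    """Parse a whole query; the tree shows which grouping the precedence rules produced."""
    parser = Parser(query)
    tree = parser.parse_and()
    if parser.peek()[0] is not None:
        raise ValueError(f"unexpected token {parser.peek()[1]!r}")
    return tree

def run_query(query, records=LOGS):
    """Return the ids of the records that match the query, in record order."""
    tree = parse_query(query)
    return [r["id"] for r in records if evaluate(tree, r)]
```

A parsed query is a small tree of ('AND', [...]), ('OR', [...]), ('NOT', node) and ('MATCH', field, pattern) nodes. Printing parse_query('MyAsset1 OR MyAsset2 Accept') shows the OR grouped first and then ANDed with Accept, which is the grouping the rule above describes; when a query behaves unexpectedly, inspecting that tree before running it against real logs is the quickest way to see whether parentheses are needed.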

For a list of all field names that can be used as filter keywords, see the Events/Logs Schema documentation.