Log Filtering
Ivanti Policy Secure (IPS) allows you to filter and format the data in your events, user access, and administrator access log files. When you filter log files, IPS displays only those messages that match the filter query. For example, you can create a query that shows only entries for a particular range of IP addresses, or only users who are signed into a specific realm. This topic describes how to use log filters.
Creating a Custom Log Collection Filter
If desired, you can create custom log collection filters to change the records displayed or exported. For example, administrators commonly use a filter for RADIUS accounting logs. This filter passes only the accounting log message and writes the entire message as a comma-separated list. The field order of the filtered message is: Date, Time, User, Realm, "List of Roles", NAS-ID, Acct-Status, Auth-Type, Attr-Value1, Attr-Value2, Attr-Value3.
Accounting attribute messages differ from authentication attribute messages in that the attribute name is not printed in the log message; instead, a comma is inserted for every attribute to be logged, even if that attribute is not present in the record.
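Because the accounting filter emits a comma for every attribute whether or not it is present, a consumer of the exported file must parse by field position rather than by attribute name. The following parser is an added example, not code from the Ivanti documentation or product: it reads records in the field order stated above, treats an absent attribute as an empty string, and then uses the parsed records to list sessions that have a Start but no matching Stop. The sample export lines are constructed for illustration, and the assumption that the role list is a quoted, comma-separated value (which the quotation marks around "List of Roles" suggest) is mine.

```python
import csv
from io import StringIO

# Field order stated in the documentation for the custom RADIUS accounting filter.
ACCT_FIELDS = [
    "date", "time", "user", "realm", "roles", "nas_id",
    "acct_status", "auth_type", "attr_value1", "attr_value2", "attr_value3",
]

# Constructed sample export (not real IPS output). The role list is assumed to be
# quoted so that its embedded commas survive. The third line carries no
# Attr-Value1..3, yet the filter still emits one comma per attribute position.
SAMPLE_EXPORT = """\
2024/01/15,09:12:01,alice,Users,"Employees, Finance",nas-01,Start,Password,300,1200,
2024/01/15,09:40:44,alice,Users,"Employees, Finance",nas-01,Stop,Password,300,1200,1712
2024/01/15,10:03:17,bob,Guests,Guest,nas-02,Start,Password,,,
"""


def parse_accounting_export(text):
    """Parse comma-separated accounting records into dicts keyed by ACCT_FIELDS.

    Missing attributes come through as empty strings; a row whose field count
    differs from the expected 11 is rejected, since that indicates the export
    was not produced by this filter (or was truncated in transit).
    """
    records = []
    for lineno, row in enumerate(csv.reader(StringIO(text)), start=1):
        if not row:
            continue  # skip blank lines
        if len(row) != len(ACCT_FIELDS):
            raise ValueError(
                f"line {lineno}: expected {len(ACCT_FIELDS)} fields, got {len(row)}"
            )
        rec = dict(zip(ACCT_FIELDS, row))
        # Split the quoted role list into individual role names.
        rec["roles"] = [r.strip() for r in rec["roles"].split(",") if r.strip()]
        records.append(rec)
    return records


def sessions_without_stop(records):
    """Return (user, nas_id) pairs that have an accounting Start but no Stop.

    Useful when reconciling accounting exports: an orphaned Start can mean a
    dropped Stop message or a session that never terminated cleanly.
    """
    open_sessions = {}
    for rec in records:
        key = (rec["user"], rec["nas_id"])
        if rec["acct_status"] == "Start":
            open_sessions[key] = rec
        elif rec["acct_status"] == "Stop":
            open_sessions.pop(key, None)
    return sorted(open_sessions)


if __name__ == "__main__":
    parsed = parse_accounting_export(SAMPLE_EXPORT)
    for rec in parsed:
        print(rec["user"], rec["acct_status"], rec["roles"], repr(rec["attr_value3"]))
    print("open sessions:", sessions_without_stop(parsed))
```

The `csv` module handles the quoted role list correctly, which a naive `split(",")` would not; the field-count check is the cheapest integrity test available for a format that carries no attribute names.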
To create a custom log collection filter:
- Select System > Log/Monitoring.
- Click the Events tab.
- Click the Filter tab.
- Click New Filter to display the configuration page.
- Complete the configuration as described in the following table.
- Save the configuration.
| Settings | Guidelines |
|---|---|
| Filter Name | Specify a name that helps you and other administrators understand the purpose of your custom filter. |
| Make default | Make the filter the default on the syslog and archiving configuration pages. |
| Query | |
| Start Date | Enter a start date. Click Earliest Date to write all logs from the first available date stored in the log file. |
| End Date | Enter an end date. Click Latest Date to write all logs up to the last available date stored in the log file. |
| Query | Use the Filter Variables Dictionary to insert query expressions in the Query box. Enclose the query value in single quotes. For example, insert the query expression `sourceip=`, then complete the expression by adding the value `'192.168.0.1'`. |
| Export Format | Select an export format: • Standard (default): this log filter format logs the date, time, node, source IP address, user, realm, event ID, and message. • WELF: this customized WebTrends Enhanced Log Format (WELF) filter combines the standard WELF format with information about the system realms, roles, and messages. • Custom: use Standard as a template for your own selection of columns to be included in exports (when log collections are saved to files). |
Log query filters change only which rows are displayed or exported. Log format filters change only which columns are displayed or exported. Filters never alter the log data that has been collected.
Reviewing the Configuration of Predefined Log Format Filters
To view the configuration of predefined log format filters:
- Select System > Log/Monitoring.
- Click the Events tab.
- Click the Filter tab to display the log filters page.
- Click the hyperlinked name of the filter to display its configuration page. You cannot edit the predefined filter named Standard, but you may edit the predefined WELF filters and any other custom filters that appear in the list.
Example: Using the Source IP Address Filter
When drilling into logs to verify behavior or troubleshoot an issue with a dual-stack device, it is helpful to redisplay the log collection filtered on the IP address.
To filter on an IP address:
- Select System > Log/Monitoring.
- Create the filter:
  - Select User Access and then Filter.
  - Define the filter expression, name the filter, and click Save. In this example, we create a filter based on source IP address and name it IPv6_Address_Filter:Standard.
- Use the filter:
  - Select Logs to display the user logs table.
  - Under View by filter, select IPv6_Address_Filter:Standard.
  - If desired, under Edit Query, edit the value of the sourceip= variable expression to filter on different source IP addresses.
  - Click Update to apply the filter and redisplay the log collection.
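On a dual-stack device the same client can appear under several textual forms of one address (compressed and uncompressed IPv6, upper and lower case hex, or an IPv4 address mapped into IPv6), so a `sourceip=` value that matches one form may miss the others. The script below is an added example, not code from the Ivanti documentation or product: it applies a source-IP filter offline to records in the Standard export column order (date, time, node, source IP, user, realm, event ID, message) and contrasts a literal string match with a match on the parsed address. The comma delimiter, the event IDs and every log line are constructed sample data, not IPS output.

```python
import ipaddress

# Column order of the Standard export format as listed in the documentation.
STANDARD_FIELDS = ["date", "time", "node", "source_ip", "user", "realm", "event_id", "message"]

# Constructed sample records (not real IPS output). Event IDs are placeholders.
# Lines 2 and 3 are the same IPv6 host written two ways; line 4 is an IPv4 client
# reported through an IPv4-mapped IPv6 address.
SAMPLE_LOG = """\
2024/01/15,09:12:01,node1,192.168.0.1,alice,Users,EVT-0001,Login succeeded
2024/01/15,09:12:05,node1,2001:db8::1,alice,Users,EVT-0001,Login succeeded
2024/01/15,09:12:09,node1,2001:0DB8:0000:0000:0000:0000:0000:0001,alice,Users,EVT-0002,Login failed, bad password
2024/01/15,09:13:00,node2,::ffff:192.168.0.1,bob,Guests,EVT-0001,Login succeeded
2024/01/15,09:13:30,node2,10.0.0.7,carol,Users,EVT-0001,Login succeeded
"""


def parse_standard(text):
    """Split Standard-format lines into dicts; the message keeps any commas."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(",", len(STANDARD_FIELDS) - 1)
        if len(parts) != len(STANDARD_FIELDS):
            raise ValueError(f"malformed record: {line!r}")
        records.append(dict(zip(STANDARD_FIELDS, parts)))
    return records


def canonical_ip(text):
    """Parse an address; collapse an IPv4-mapped IPv6 address onto its IPv4 form."""
    addr = ipaddress.ip_address(text.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def filter_by_source_ip(records, query, literal=False):
    """Return records whose source IP matches `query`.

    literal=True compares the raw text, like a plain string filter would.
    literal=False compares parsed addresses, so 2001:db8::1 and its
    uncompressed form match, as do 192.168.0.1 and ::ffff:192.168.0.1.
    """
    if literal:
        return [r for r in records if r["source_ip"] == query]
    target = canonical_ip(query)
    matches = []
    for r in records:
        try:
            if canonical_ip(r["source_ip"]) == target:
                matches.append(r)
        except ValueError:
            continue  # field is not an IP address; skip rather than abort
    return matches


if __name__ == "__main__":
    recs = parse_standard(SAMPLE_LOG)
    for q in ("192.168.0.1", "2001:db8::1"):
        lit = len(filter_by_source_ip(recs, q, literal=True))
        canon = len(filter_by_source_ip(recs, q))
        print(f"sourceip='{q}': literal match {lit} record(s), address match {canon} record(s)")
```

When a literal filter in the console returns fewer rows than expected for a dual-stack client, re-run the query with the alternate textual form of the address, or export the collection and compare parsed addresses as shown here.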