Query src + dst subnet and action

tbayer82 — Thu, 17 Oct 2024 14:36:44 GMT

Dear all,

I'm trying to search for denied actions in a subnet, regardless if it is the source or destination.

I tried those without success, maybe you can help me out. Thank you!

index=* AND src="192.168.1.0/24" OR dst="192.168.1.0/24" AND action=deny index=* action=deny AND src_ip=192.168.1.0/24 OR dst_ip=192.168.1.0/24

Just found it:

index=* dstip="192.168.1.0/24" OR srcip="192.168.1.0/24" action=deny

Re: Query src + dst subnet and action

gcusello — Thu, 17 Oct 2024 08:17:12 GMT

the order of filters isn't relevant, but if you have OR operators I'd prefer to use parenthesis:

index=* (dstip="192.168.1.0/24" OR srcip="192.168.1.0/24") action=deny

and you don't need to use the AND operator that's the default.

Ciao.

Giuseppe