Setting a Log Viewing Filter
The Log Browser filters log events to be displayed. The language that it uses is identical to the filtering options of the logdump command in the command-line program; it is a superset of the language used by the Solaris snoop packet monitor tool.
You have full access to this language typing an arbitrary logdump expression in the Current Filter text entry box in its Retrieval Settings tab and clicking the Apply button to activate it.
In addition, the Filter Keywords controls provide the ability to create many simple filtering expressions. These controls reduce typing effort as well as serving as reminders of filtering options.
The Filter Keywords controls are used by selecting one or more operations from their choice lists or entering a target (operand) in the rightmost editable combo box. After this choosing or typing your entry, click the Add to Current Filter button to add these items to the Filter Keywords text entry box at its current insertion pointer.
The leftmost editable combo box contains the Boolean operators and, or, and not.
The left-center editable combo box provides filtering terms that are complete and restrict the type of log event displayed. TABLE 5-6 describes the terms in the left-center editable combo box.
Table 5-6 Filter Terms of the Left-Center Editable Combo Box|
Term |
Description |
|---|---|
|
loglvl pkt |
Allows displaying network packet-type events |
|
loglvl sess |
Allows displaying network session-type events |
|
loglvl auth |
Allows displaying events related to authentication operations |
|
loglvl app |
Allows displaying events related to screen application (usually proxy) operations |
|
logapp auth |
Allows displaying events from the authentication subsystem |
|
logapp edit |
Allows displaying events related to registry or policy editing |
|
logapp ftpp |
Allows displaying events from the FTP proxy |
|
logapp log |
Allows displaying events related to the logging facilities themselves |
|
logapp httpp |
Allows displaying events from the HTTP proxy |
|
logapp smtpp |
Allows displaying events from the SMTP proxy |
|
logapp telnetp |
Allows displaying events from the Telnet proxy |
|
logsev emerg |
Allows displaying events of an emergency severity |
|
logsev alert |
Allows displaying events of an alert severity or above |
|
logsev crit |
Allows displaying events of a critical severity or above |
|
logsev err |
Allows displaying events of an erroneous severity or above |
|
logsev warn |
Allows displaying events of a warning severity or above |
|
logsev note |
Allows displaying events of a notice severity or above |
|
logsev info |
Allows displaying events of an informative severity or above (all events that are not of debug severity) |
|
logsev debug |
Allows displaying events of a debug severity or above (all events) |
The right-center editable combo box provides filtering terms most of which are incomplete and require an operand value, You type these in the rightmost editable combo box. They are added to the choice list of the rightmost editable combo box for reference so that you need not retype the value if you want to use it again. TABLE 5-7 describes the filter terms in the right-center editable combo box.
Table 5-7 Filter Terms in the Right-Center Editable Combo Box|
Term |
Description |
|---|---|
|
logwhy reason# |
Restricts display to packets that have the given logging reason why code (See Appendix D, Error Messages, TABLE 11-16 |
|
logiface iface |
Restricts display to packets that arrived on the interface named iface |
|
host hostname |
Restricts display to events either from or to hostname |
|
dst hostname |
Restricts display to events destined for hostname |
|
src hostname |
Restricts display to events origination from hostname |
|
port hostname |
Restricts display to events related to the service svcname |
|
dstport hostname |
Restricts display to events targeted to the service svcname |
|
srcport svcname |
Restricts display to events originating from the service svcname |
|
net netaddr |
Restricts display to events either from or to the network whose number is netaddr |
|
gateway gwyaddr |
Restricts display to packets that used gwyaddr as a gateway |
|
udp |
Restricts display to events related to the UDP transport protocol |
|
tcp |
Restricts display to events related to the TCP transport protocol |
|
icmp |
Restricts display to packets of the ICMP control protocol |
|
rpc |
Restricts display to packets of the RPC protocol |
|
etheraddr etheraddr |
Restricts display to packets that have arrived from this Ethernet address |
The terms in italics are variables for which you must supply a value or values in the when you choose this term from the choice list. The values for the variable are as follow:
-
reason # The reason number is shown in TABLE 11-16 in Appendix D, Error Messages.
-
hostname can be:
-
svcname can be:
-
A numeric TCP or UDP port number (for example, 23 for Telnet)
-
A numeric TCP or UDP port number range (for example, 6000. .6023 for X windows)
-
A service name known to the screen's naming service (for example, domain found in /etc/services)
-
-
iface can be:
-
The name of an interface (for example hme0)
-
-
netaddr can be:
-
The IP network number (for example 199.12.200)
-
-
gwyaddr can be:
-
The name of an Ethernet address (link-layer address gateway through which packets are flowing)
-
-
etheraddr can be:
-
The 6-octet Ethernet address (for example 8:0:20:A0:EE:E4)
-
- © 2010, Oracle Corporation and/or its affiliates