Firewall log: exact IP match

heavymetalforever78 · Jan 8, 2025, 3:57 PM

Good evening community.
Since I've tried several ways with no positive result, I'm here to ask for a question.

On the "Advanced log filter" section:

I'd like to retrieve matches for a specific IP, for example 192.168.174.1.

By putting 192.168.174.1 as Source IP Address:

this is an example of the results:

which means of course that the last octect, "1", is threated as "contains" instead of "equals" value.

I'd like to understand how to obtain the results only related to 192.168.174.1, already tried:

192.168.174.1 (KO, same behaviour)
/\b192.168.174.1\b/ (KO, no logs to display)
^192.168.174.1$ (KO, no logs to display)

Any ideas?
Thank you for your support,
regards.
Giuseppe

KOM · Jan 8, 2025, 4:30 PM

This post is deleted!

jimp · Jan 8, 2025, 6:24 PM

They are regex fields, so 192\.168\.174\.1$ should exactly match the .1 address and only the .1 address. It works for me here, with or without the starting anchor (^). In this case you shouldn't need the start anchor but for an address with 1-2 numbers in the first octet, it could be necessary.

If that doesn't find anything then there may not be any matching logs for that one address at the time you searched.

heavymetalforever78 · Jan 13, 2025, 9:19 AM

@jimp
It works, thank you for your help!

Just a little more question if possibile:

To see logs in command line (realtime) I use:
tail -f /var/log/filter.log | filterparser.php | grep -w [ip address]

I noticed however that this command allows only 1 grep.

Is there a way to increase to at least 2 grep?
For example it should be useful to add:

tail -f /var/log/filter.log | filterparser.php | grep -w [ip address] | grep block

but as you may see there are no results.

Thanks,
Giuseppe

jimp · Jan 13, 2025, 2:01 PM

What you posted there would work but maybe just didn't have any matches at the time you were watching. It's all just text output there, string parsing, nothing that would stop multiple grep commands from working.

To be more efficient, if you want to match lines with both strings, you should make one pattern that has both in the correct order:

: tail -f /var/log/filter.log | filterparser.php | grep 'block.*x\.x\.x\.x'

If you want to match multiple patterns (e.g. all blocks or all matches of that IP address) then you would use egrep or grep -e along with a pattern like '(block|x\.x\.x\.x|y\.y\.y\.y)' and it will match any of those patterns rather than requiring them all.

heavymetalforever78 · Jan 13, 2025, 2:53 PM

@jimp

Hi Jimp, I didn't post previous screen for security reasons, entries were present ;)
In any case, I tried your command for multiple grep matches and it works!
Thank you a lot!
Have a nice day.
Giuseppe