Administration Guide

Log Query Language (LogQL)

To create custom queries, use LogQL in the log query input box of the Global Search. LogQL can be considered a distributed grep that aggregates log sources. LogQL uses labels and operators for filtering.

A basic log query consists of two parts:

  • Log stream selector

  • Log pipeline

Log Stream Selector

The log stream selector determines which log streams are included in your query results. The stream selector consists of one or more key-value pairs, where each key is a log label and each value is that label’s value. The log stream selector is written by wrapping the key-value pairs in a pair of curly braces:

{logType="fgt/traffic", adomid="3"}

In the example above, all log streams that have a label logType with the value fgt/traffic and a label adomid with the value 3 are included in the query results. This matches any log stream whose label set includes at least these two labels with these values; a stream that also carries other labels still matches. If multiple streams carry those labels, logs from all of the matching streams appear in the results.

The = operator after the label name is a label matching operator. The following label matching operators are supported:

  • =: Equals exactly
  • !=: Not equal

Log Pipeline

Optionally, the log stream selector can be followed by a log pipeline. A log pipeline is a set of stage expressions chained together and applied to the selected log streams.

A log pipeline can be appended to a log stream selector to further process and filter log streams. It usually consists of one or more expressions; each expression is executed in sequence for each log line. If an expression filters out a log line, the pipeline stops at that point and starts processing the next line. An expression is a SQL-WHERE-clause-like condition.

{logType="fgt/traffic", appcat="Collaboration"} | osname ILIKE 'windows%' AND dstinetsvc IREGEXP '^.*gmail.*' AND sentbyte > 10000000

In the example above, the pipeline filters the FortiGate traffic logs in the Collaboration app category down to those where the OS name begins with “windows”, the destination internet service matches Gmail, and the sent bytes are greater than 10000000 (10 MB).

The following operators are supported in the Log Pipeline expression:

  • =, !=, <, <=, >, >=: Comparison operators.
  • AND, OR, NOT: Logical operators.
  • BETWEEN ... AND: Compares to both a lower (>=) and an upper (<=) bound.
  • IN: Compares an argument value to a set of values and returns TRUE if the argument matches any value in the set. NOT IN reverses the comparison.
  • LIKE: Comparison operator for STRING, with basic wildcard capability using _ to match a single character and % to match multiple characters.
  • ILIKE: Case-insensitive LIKE.
  • REGEXP: Tests whether an argument value matches a regular expression. Uses the POSIX regular expression syntax, where ^ and $ match the beginning and end of the string:
      • . represents any single character,
      • * represents a sequence of zero or more items,
      • + represents a sequence of one or more items,
      • ? produces a non-greedy match, and so on.
  • IREGEXP: Case-insensitive REGEXP.
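To make the stream-selector and pipeline semantics above concrete, here is an added Python example (not from this guide and not FortiAnalyzer's own implementation) that evaluates the guide's example query over constructed sample records; the helper names, the selector dictionary form and the sample records are assumptions for illustration.

```python
import re

# Constructed sample records (not from the guide): stream labels plus parsed fields of one log line.
SAMPLE_LOGS = [
    {"logType": "fgt/traffic", "appcat": "Collaboration", "osname": "Windows 10",
     "dstinetsvc": "Google-Gmail", "sentbyte": 25_000_000},   # passes every stage
    {"logType": "fgt/traffic", "appcat": "Collaboration", "osname": "Windows 11",
     "dstinetsvc": "Google-Gmail", "sentbyte": 512},          # too few bytes sent
    {"logType": "fgt/traffic", "appcat": "Collaboration", "osname": "macOS",
     "dstinetsvc": "Google-Gmail", "sentbyte": 40_000_000},   # osname fails ILIKE
    {"logType": "fgt/event", "appcat": "Collaboration", "osname": "Windows 10",
     "dstinetsvc": "Google-Gmail", "sentbyte": 90_000_000},   # excluded by the stream selector
]

def like_to_regex(pattern):
    """LIKE pattern -> anchored regex: _ is one character, % is any run; everything else is escaped."""
    return "^" + "".join("." if c == "_" else ".*" if c == "%" else re.escape(c) for c in pattern) + "$"

def like(value, pattern, ignore_case=False):
    return re.search(like_to_regex(pattern), str(value), re.IGNORECASE if ignore_case else 0) is not None

def regexp(value, pattern, ignore_case=False):
    # REGEXP is unanchored unless the pattern itself uses ^ or $, as in POSIX syntax.
    return re.search(pattern, str(value), re.IGNORECASE if ignore_case else 0) is not None

def between(value, low, high):
    return low <= value <= high  # both bounds inclusive, as BETWEEN ... AND specifies

def select_streams(logs, selector):
    """Stream selector: selector maps label -> (op, value), with op '=' or '!='."""
    def matches(rec):
        for label, (op, want) in selector.items():
            if (op == "=") != (rec.get(label) == want):
                return False
        return True
    return [r for r in logs if matches(r)]

def run_query(logs):
    """The guide's example: {logType="fgt/traffic", appcat="Collaboration"}
    | osname ILIKE 'windows%' AND dstinetsvc IREGEXP '^.*gmail.*' AND sentbyte > 10000000"""
    streams = select_streams(logs, {"logType": ("=", "fgt/traffic"),
                                    "appcat": ("=", "Collaboration")})
    pipeline = [  # stages run in order; the first stage that rejects a line stops its processing
        lambda r: like(r["osname"], "windows%", ignore_case=True),
        lambda r: regexp(r["dstinetsvc"], "^.*gmail.*", ignore_case=True),
        lambda r: r["sentbyte"] > 10_000_000,
    ]
    return [r for r in streams if all(stage(r) for stage in pipeline)]
```

Only the first sample record survives both the selector and all three pipeline stages.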
