Looking at logs via CLI

(2024-11-28)

fw # exec log filter 
category             Category.
device               Device to get log from.
dump                 Dump current filter settings.
field                Filter by field.
free-style           Filter by free-style expression.
ha-member            HA member.
local-search-mode    local log search mode
max-checklines       Maximum number of lines to check.
pre-fetch-pages      Number of pages to check in advance under on-demand log search mode.
reset                Reset filter.
start-line           Start line to display.
view-lines           Lines per view.

fw # exec log filter pre-fetch-pages 10

fw # exec log filter view-lines 1000

fw # exec log filter category 
Available categories:
 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: utm-anomaly
 8: utm-voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: utm-dns
16: utm-ssh
17: utm-ssl
18: utm-cifs
19: utm-file-filter
20: utm-icap

fw # exec log filter cat 1

fw # exec log filter field subtype wireless

fw # exec log filter dump
category: event
device: memory
start-line: 1
view-lines: 1000
max-checklines: 0
HA member: 
log search mode: on-demand
pre-fetch-pages: 10
Filter: ( subtype "wireless" )
Oftp search string: (and (or subtype=="wireless" not-exact))

fw # exec log display
[..]

fw # exec log filter reset

One thing to remember is that the logs are dumped in groups of view-lines entries. So for the config above, you will get lines 1-1000 the first time; if you type exec log display again you'll get lines 1001-2000, and so on.

My personal strategy is to dump all the logs to the console session, then copy the console session into a notepad or something searchable and look through the log that way.

Personally I've never got the message field to hit on anything; if I'm looking for incidents of a specific message I'll always have the logid to use instead. Just looking for a string in the message has yet to work for me.
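
The offline search described above can be scripted instead of done by eye. This is an added example, not part of the original post: it parses a pasted console capture of exec log display output and filters on a substring of msg and/or an exact logid. It assumes one log entry per line (no terminal wrapping); the sample capture, logids and MAC addresses are constructed placeholders.

```python
import re

# Each entry printed by "exec log display" starts with its line number: "17: date=..."
ENTRY = re.compile(r'^\s*(\d+):\s+(date=.*)$')
# key=value pairs; a value is either double-quoted or a bare token
PAIR = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S*))')

def parse_capture(text):
    """Return one dict per log entry found in a pasted console session."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # prompts, echoed commands, "N logs found." and blank lines
        entry = {"_line": int(m.group(1))}
        for key, quoted, bare in PAIR.findall(m.group(2)):
            entry[key] = quoted or bare
        entries.append(entry)
    return entries

def search(entries, needle=None, logid=None):
    """Case-insensitive substring match on msg and/or exact match on logid."""
    hits = []
    for e in entries:
        if logid is not None and e.get("logid") != logid:
            continue
        if needle is not None and needle.lower() not in e.get("msg", "").lower():
            continue
        hits.append(e)
    return hits

# Constructed sample capture (placeholder logids and MAC addresses).
SAMPLE = """fw # exec log display
3 logs found.
3 logs returned.

1: date=2024-11-28 time=09:14:02 logid="0000000001" type="event" subtype="wireless" level="notice" vd="root" msg="Client aa:bb:cc:00:00:01 authenticated"
2: date=2024-11-28 time=09:15:40 logid="0000000002" type="event" subtype="wireless" level="warning" vd="root" msg="Client aa:bb:cc:00:00:02 deauthenticated"
3: date=2024-11-28 time=09:16:11 logid="0000000001" type="event" subtype="wireless" level="notice" vd="root" msg="Client aa:bb:cc:00:00:03 authenticated"

fw # exec log filter reset
"""

if __name__ == "__main__":
    for hit in search(parse_capture(SAMPLE), needle="deauth"):
        print(hit["_line"], hit["date"], hit["time"], hit["logid"], hit["msg"])
```

Once a message of interest has been found this way, its logid can be fed back into exec log filter field logid on the firewall to narrow the next dump.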