Looking at logs via CLI
(2024-11-28)
fw # exec log filter
category Category.
device Device to get log from.
dump Dump current filter settings.
field Filter by field.
free-style Filter by free-style expression.
ha-member HA member.
local-search-mode local log search mode
max-checklines Maximum number of lines to check.
pre-fetch-pages Number of pages to check in advance under on-demand log search mode.
reset Reset filter.
start-line Start line to display.
view-lines Lines per view.
fw # exec log filter pre-fetch-pages 10
fw # exec log filter view-lines 1000
fw # exec log filter category
Available categories:
0: traffic
1: event
2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-emailfilter
7: utm-anomaly
8: utm-voip
9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: utm-dns
16: utm-ssh
17: utm-ssl
18: utm-cifs
19: utm-file-filter
20: utm-icap
fw # exec log filter cat 1
fw # exec log filter field subtype wireless
fw # exec log filter dump
category: event
device: memory
start-line: 1
view-lines: 1000
max-checklines: 0
HA member:
log search mode: on-demand
pre-fetch-pages: 10
Filter: ( subtype "wireless" )
Oftp search string: (and (or subtype=="wireless" not-exact))
fw # exec log display
[..]
fw # exec log filter reset
One thing to remember is that the logs are dumped in groups of view-lines entries. So for the config above, you will get lines 1-1000 the first time; if you type exec log display again you'll get lines 1001-2000, and so on.
My personal strategy is to dump all the logs to the console session, then copy the console session into a notepad or something searchable and look through the log that way.
Personally I've never got the message field to hit on anything; if I'm looking for incidents of a specific message I'll always have the logid to use instead. Just looking for a string in the message has yet to work for me.
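As an added example (not part of the original post and not FortiGate code), here is a small Python parser for the key=value lines that exec log display prints once they have been pasted out of the console session. It assumes the usual FortiOS layout of space-separated key=value pairs with double-quoted values, and the four sample log lines embedded below are constructed for illustration, including their logid values. It mirrors the two lookups discussed above, an exact field match such as logid or subtype and a plain substring search in msg, and a pages() helper that splits the entries the way repeated exec log display calls do with view-lines set.

```python
import re
from typing import Dict, List

# Constructed sample output in the key=value style of FortiOS event logs.
# Every value here, including the logid numbers, is made up for this example.
SAMPLE_LOG = """\
date=2024-11-28 time=09:12:01 logid="0104043570" type="event" subtype="wireless" level="notice" vd="root" msg="AP joined controller" ap="ap-lobby-1"
date=2024-11-28 time=09:12:05 logid="0100032002" type="event" subtype="system" level="notice" vd="root" user="admin" msg="Admin login successful" srcip=10.0.0.5
date=2024-11-28 time=09:13:40 logid="0104043570" type="event" subtype="wireless" level="notice" vd="root" msg="AP joined controller" ap="ap-floor2-3"
date=2024-11-28 time=09:14:02 logid="0100032003" type="event" subtype="system" level="warning" vd="root" user="admin" msg="Admin login failed" srcip=203.0.113.9
"""

# One key=value pair: the value is either double-quoted (may contain spaces
# and backslash-escaped quotes) or a bare token with no whitespace.
_KV_RE = re.compile(r'(\w+)=("((?:[^"\\]|\\.)*)"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Turn one log line into a dict of field name -> value."""
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        key = m.group(1)
        # group(3) is the inside of a quoted value; group(2) is a bare token.
        value = m.group(3) if m.group(3) is not None else m.group(2)
        fields[key] = value.replace('\\"', '"')
    return fields


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line of a pasted console dump."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def filter_entries(entries: List[Dict[str, str]], **criteria: str) -> List[Dict[str, str]]:
    """Exact match on each given field, like `exec log filter field subtype wireless`."""
    return [e for e in entries if all(e.get(k) == v for k, v in criteria.items())]


def search_msg(entries: List[Dict[str, str]], needle: str) -> List[Dict[str, str]]:
    """Case-insensitive substring search in msg: the 'search it in notepad' fallback."""
    needle = needle.lower()
    return [e for e in entries if needle in e.get("msg", "").lower()]


def count_by_logid(entries: List[Dict[str, str]]) -> Dict[str, int]:
    """How often each logid occurs; handy for spotting repeated events quickly."""
    counts: Dict[str, int] = {}
    for e in entries:
        logid = e.get("logid", "?")
        counts[logid] = counts.get(logid, 0) + 1
    return counts


def pages(entries: List[Dict[str, str]], view_lines: int) -> List[List[Dict[str, str]]]:
    """Split entries into consecutive pages of view_lines, the way repeated
    `exec log display` calls return lines 1-N, N+1-2N, and so on."""
    return [entries[i:i + view_lines] for i in range(0, len(entries), view_lines)]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in filter_entries(entries, subtype="wireless"):
        print(e["time"], e["logid"], e["msg"], e.get("ap"))
    for e in search_msg(entries, "login failed"):
        print(e["time"], e["logid"], e["user"], e["srcip"])
    print(count_by_logid(entries))
    print([len(p) for p in pages(entries, 3)])
```

The regex is the part worth keeping: quoted values in these logs routinely contain spaces, so a naive split on whitespace breaks msg fields apart, which is one reason a plain-text search can miss what you expect.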