| groupby event.category | groupby -sankey event.category event.module | groupby event.module | groupby -sankey event.module event.dataset | groupby event.dataset | groupby observer.name | groupby host.name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby message:"dstport=3389"
Why doesn't the last command work, and what can I do to fix it? Security Onion, Onion Query Language.
groupby message:"dstport=3389": The problem is that the logs are coming in in a different way because of the infrastructure setup of the switches and the routers. So how do I query data that I can only find in the message field of the log?
asked Mar 3 at 13:31 by billmukenga01
1 Answer
OQL is separated into two parts within a basic query in HUNT or DASHBOARDS. They are separated by the pipe or | symbol. Left of the pipe is OQL based on Lucene query syntax. This is where you would put message:"dstport=3389". But in this case I would not suggest using the message block because the data is parsed from that into other field value pairs. Instead use destination.port:3389.
The right side of | is where you perform data aggregation or transformation. This is where, for example, I want to see data aggregated by destination ip and destination port. You would use groupby destination.ip destination.port. You could even expand it further by performing groupby source.ip source.port destination.ip destination.port
So effectively a proper query with DA&T would look something like this:
destination.port:3389 | groupby source.ip source.port destination.ip destination.port
You can add additional separate DA&T by adding another separator | and looking at other fields of interest. For example, maybe you would want to see what the data sources are; you could do:
destination.port:3389 | groupby source.ip source.port destination.ip destination.port | groupby event.module event.dataset event.code
For more information see the Security Onion Read the Docs page on Dashboards and scroll down to OQL.
https://docs.securityonion.net/en/2.4/dashboards.html
Hope that helps.
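As an added illustration of the two halves of an OQL query described in the answer (this is not part of the question or the answer, and it is not Security Onion's own implementation), the Python below models the pipeline on constructed firewall events: the raw key=value message is first parsed into ECS fields (the step the answer refers to when it says the data is parsed out of message), the left side of | is evaluated as a tiny subset of Lucene, and each right-side groupby stage counts events by field. The device key names (srcip, dstport, ...) and the mapping to ECS field names are assumptions. It also shows why the question's last stage fails: groupby takes field names, not field:value search terms.

```python
import re
from collections import Counter

# Constructed sample events (not real Security Onion data). The key=value names
# such as "dstport" are an assumption about what the firewall/router writes.
RAW_EVENTS = [
    {"event.module": "firewall", "event.dataset": "firewall.log",
     "message": "action=allow srcip=10.0.0.5 srcport=51234 dstip=10.0.0.20 dstport=3389"},
    {"event.module": "firewall", "event.dataset": "firewall.log",
     "message": "action=allow srcip=10.0.0.7 srcport=51300 dstip=10.0.0.20 dstport=3389"},
    {"event.module": "firewall", "event.dataset": "firewall.log",
     "message": "action=deny srcip=10.0.0.5 srcport=40000 dstip=10.0.0.21 dstport=443"},
]

# Assumed mapping from device key names to ECS field names.
KEY_TO_ECS = {
    "srcip": "source.ip", "srcport": "source.port",
    "dstip": "destination.ip", "dstport": "destination.port",
    "action": "event.action",
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_message(event):
    """Copy key=value pairs from the raw message into ECS fields (the step an
    ingest parser normally performs before the data reaches HUNT/DASHBOARDS)."""
    parsed = dict(event)
    for key, value in KV_RE.findall(event.get("message", "")):
        ecs_field = KEY_TO_ECS.get(key)
        if ecs_field:
            parsed[ecs_field] = value
    return parsed


def matches(event, lucene):
    """Tiny Lucene subset: whitespace-separated field:value terms, all required;
    '*' matches everything. A quoted value on message is matched as a substring."""
    for term in lucene.split():
        if term == "*":
            continue
        field, _, value = term.partition(":")
        value = value.strip('"')
        actual = str(event.get(field, ""))
        if field == "message":
            if value not in actual:
                return False
        elif actual != value:
            return False
    return True


def run_oql(query, events):
    """Split at '|': the left side filters events; every right-side stage must be
    'groupby <field> [<field> ...]' (a leading -option such as -sankey is skipped)."""
    parts = [p.strip() for p in query.split("|")]
    lucene, stages = parts[0], parts[1:]
    hits = [e for e in events if matches(e, lucene)]
    results = []
    for stage in stages:
        words = stage.split()
        if not words or words[0] != "groupby":
            raise ValueError(f"unknown stage: {stage!r}")
        fields = [w for w in words[1:] if not w.startswith("-")]
        bad = [f for f in fields if ":" in f]
        if bad:
            # The failure in the question: groupby takes field names,
            # not field:value search terms such as message:"dstport=3389".
            raise ValueError(f"groupby expects field names, got search term(s): {bad}")
        counts = Counter(tuple(e.get(f) for f in fields) for e in hits)
        results.append((fields, dict(counts)))
    return hits, results


def rdp_by_source():
    """The corrected query from the answer, run on the parsed sample events."""
    events = [parse_message(e) for e in RAW_EVENTS]
    return run_oql("destination.port:3389 | groupby source.ip destination.port", events)


def broken_query_error():
    """The question's last stage, showing the error it produces in this model."""
    events = [parse_message(e) for e in RAW_EVENTS]
    try:
        run_oql('* | groupby event.module | groupby message:"dstport=3389"', events)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    hits, results = rdp_by_source()
    print(len(hits), "events with destination.port 3389")
    for fields, counts in results:
        print("groupby", " ".join(fields), "->", counts)
    print("broken query:", broken_query_error())
```

Once the parser has populated destination.port, the filter belongs on the left of the pipe and the groupby stages only name fields; if the device format in your environment is not parsed at ingest, the ECS fields will be empty and the left-side filter on destination.port will match nothing, which is the first thing to check in HUNT before adjusting the query.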