Configure query on SGBox logs

This article explain how to configure the Log Queries functionality, that allows you to obtain any data on SGBox logs. This queries can use to send alerts, create events or run a Playbook.

Requirements:

• SGBox version 5.5.4

From SGBox menu, go to LM> Analysis > Events Queries and select New Query and select Logs
Use SQL syntax to write query sections:

• SELECT: you can use placeholders $TIMESTAMP, $HOST, $LINE.
• FROM: you to select hosts on which to perform the query.
• WHERE: you can filter the value $LINE.
• FINALLY: additional information to complete the query like GROUP or LIMIT

You can now SAVE or TEST your query. Here the result: