Sumo Logic

1.2 You want to look for errors in sshd logs

Problem

You want to find errors, as in Problem 1.1, but only when a solid-state hard drive is involved.

Solution

Boolean operators like AND and OR can be used to create complex keyword search expressions. To search for sshd errors or access failures, use a Boolean search query like this:

sshd AND ( fail* OR error OR allowed OR identity )

This query finds log messages that contain "sshd" and also (AND) contain at least one of the keywords associated with failures.

Discussion

The Boolean operators AND, OR, and NOT can be combined with parentheses to create specific queries that select particular log messages. Boolean searches use the common-sense meanings of the words "and" and "or".

Remember that AND produces fewer log messages (a selected message must match both keywords), while OR produces more. Depending on the keyword, the set of log messages that do NOT match a particular keyword can be huge compared to those that do.
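As an added illustration (not Sumo Logic's own code or search engine), here is a small Python evaluator for the query language shown above, covering AND, OR, NOT, parentheses, and a trailing `*` wildcard, run over a few constructed sshd-style log lines. It assumes case-insensitive whole-word matching and that AND binds tighter than OR; Sumo Logic's real tokenizer and precedence rules may differ.

```python
import re

SAMPLE_LOGS = [  # constructed sample lines in syslog/sshd style, not real data
    "Jan 10 10:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2",
    "Jan 10 10:00:02 host sshd[1235]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2",
    "Jan 10 10:00:03 host sshd[1236]: error: maximum authentication attempts exceeded for root",
    "Jan 10 10:00:04 host sudo: alice : command not allowed ; TTY=pts/0",
]
QUERY_TOKEN = re.compile(r"\(|\)|[^\s()]+")  # parentheses and bare keywords

def term_matches(term, words):
    # Assumed semantics: case-insensitive whole-word match; a trailing '*' is a prefix wildcard.
    term = term.lower()
    return any(w.startswith(term[:-1]) for w in words) if term.endswith("*") else term in words

def _expr(toks, words):  # expr := and_expr (OR and_expr)*
    result = _and_expr(toks, words)
    while toks and toks[0].upper() == "OR":
        toks.pop(0)
        result = _and_expr(toks, words) or result  # evaluate first so tokens are always consumed
    return result

def _and_expr(toks, words):  # and_expr := unary (AND unary)*  (AND binds tighter than OR)
    result = _unary(toks, words)
    while toks and toks[0].upper() == "AND":
        toks.pop(0)
        result = _unary(toks, words) and result
    return result

def _unary(toks, words):  # unary := NOT unary | '(' expr ')' | keyword
    tok = toks.pop(0)
    if tok.upper() == "NOT":
        return not _unary(toks, words)
    if tok == "(":
        result = _expr(toks, words)
        if not toks or toks.pop(0) != ")":
            raise ValueError("missing ')'")
        return result
    return term_matches(tok, words)

def matches(query, line):
    words = set(re.findall(r"\w+", line.lower()))  # split the log line into words
    toks = QUERY_TOKEN.findall(query)
    result = _expr(toks, words)
    if toks:  # leftover tokens mean a malformed query, e.g. an unbalanced ')'
        raise ValueError("unexpected token: " + toks[0])
    return result

def search(query, lines=SAMPLE_LOGS):
    return [line for line in lines if matches(query, line)]
```

Running the same keywords with and without the parentheses shows why they matter: `sshd AND fail* OR allowed` also returns the sudo line, while `sshd AND ( fail* OR allowed )` does not.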