Hi.
Is there a way or command that I can use to search all of my log source in log search so I do not have to manually select all log sources in log search?
There is no option to select all, and this typically stems from the fact that you typically shouldn’t be selecting all event sources when doing a search.
Typically speaking, you should try to familiarize yourself with the log sets and try to target the log sets that contain the logs you’re looking for. For example, if you’re looking for actions from a rogue IP external to your network, then Ingress authentications would be a good place to start. However, that IP is most likely not going to show up in ActiveDirectory admin activity or other log sets like that.
This is to create faster and more efficient searches that return specifically what you’re looking for. Selecting all event sources and doing a search over even the last 20 minutes could cover millions of logs, depending on the volume in your environment, thus slowing down the actual time it takes to return the logs you’re looking for, and if you are using a loose search it could potentially return logs not associated with the use case that you’re searching for.
Save a search with all log sets selected, then use that search when you want all logs. I feel that there is a need to search all logs for a short period of time on occasion.
Interesting workaround! Would you mind elaborating about the situations when this need to search all the logs and log sets arises for you? I am curious about the motivation.