https://live.paloaltonetworks.com/t5/general-topics/raw-log-file-extraction/m-p/173829#M54665 <P>Hi All ,&nbsp;</P><P>&nbsp;</P><P>Can anyone tell how to extract &nbsp;old the log files from CLI , is there any dirctory to reach which contains log file please provide us the path .&nbsp;</P> Wed, 30 Aug 2017 12:17:29 GMT Himarya 2017-08-30T12:17:29Z https://live.paloaltonetworks.com/t5/general-topics/raw-log-file-extraction/m-p/173829#M54665 <P>Hi All ,&nbsp;</P><P>&nbsp;</P><P>Can anyone tell how to extract &nbsp;old the log files from CLI , is there any dirctory to reach which contains log file please provide us the path .&nbsp;</P> Wed, 30 Aug 2017 12:17:29 GMT https://live.paloaltonetworks.com/t5/general-topics/raw-log-file-extraction/m-p/173829#M54665 Himarya 2017-08-30T12:17:29Z https://live.paloaltonetworks.com/t5/general-topics/raw-log-file-extraction/m-p/173846#M54667 <P>you can use scp|tftp export to extract log files off the device:</P> <P>&nbsp;</P> <PRE>admin@myNGFW&gt; scp export log &gt; log Use scp to export log in csv format &gt; log-file Use scp to export log-file &gt; logdb Use scp to export logdb</PRE> <P>&nbsp;</P> <P>'log' is in relation to traffic passing through the firewall </P> <P>&nbsp;</P> <PRE>admin@myNGFW&gt; scp export log &gt; alarm alarm &gt; auth auth &gt; config config &gt; data data &gt; system system &gt; threat threat &gt; traffic traffic &gt; tunnel tunnel &gt; url url &gt; userid userid &gt; wildfire wildfire </PRE> <P>while 'log-file' is in relation to system logs from system processes on dataplane or management-plane</P> <PRE>admin@myNGFW&gt; scp export log-file &gt; data-plane Use scp to export data-plane log-file &gt; management-plane Use scp to export management-plane log-file </PRE> <P>'logdb' is the whole (traffic+threat+...) log database</P> Wed, 30 Aug 2017 12:50:14 GMT https://live.paloaltonetworks.com/t5/general-topics/raw-log-file-extraction/m-p/173846#M54667 reaper 2017-08-30T12:50:14Z https://live.paloaltonetworks.com/t5/general-topics/raw-log-file-extraction/m-p/174057#M54731 <P>Hi All,&nbsp;</P><P>&nbsp;</P><P>Yes we can use the command scp export log but where it will get exported is there any directory from where we have to extract further .&nbsp;</P><P>&nbsp;</P><P>Secondly , iwant to exatract old logs 60 days old, so how can we do that because in the command there is no such option available.&nbsp;</P><P>Thirdly , does logs can be extracted via Winscp?&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 31 Aug 2017 08:01:13 GMT https://live.paloaltonetworks.com/t5/general-topics/raw-log-file-extraction/m-p/174057#M54731 Himarya 2017-08-31T08:01:13Z https://live.paloaltonetworks.com/t5/general-topics/raw-log-file-extraction/m-p/174093#M54736 <P>1. The firewall is not a traditional operating system so there are no directories, you just select which source you want to export from (you can use the &lt;tab&gt; key to help you browse the commands),</P> <P>&nbsp;</P> <P>-&gt; log (and choose which log to export: traffic, threat, url,...)</P> <P>-&gt; or log-file (and choose ALL the management-plane or ALL the dataplane logs)</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>2. for the traffic related logs there are a few filters you can apply but not 'older than' (this can be achieved through the GUI however)</P> <PRE>admin@EMEA-TAC-GW&gt; scp export log traffic + max-log-count max number of logs to export + query query + remote-port SSH port number on remote host + source-ip Set source address to specified interface address * end-time end-time * start-time start-time * to Destination (username@host:path_to_destination_filename)</PRE> <P>in the GUI you can simply use a filter and export to CSV</P> <PRE>( receive_time leq '2017/06/31 00:00:01' )</PRE> <P>3. no, only to a *nux device, but you can also do tftp export to a windows server running tftp</P> Thu, 31 Aug 2017 10:28:01 GMT https://live.paloaltonetworks.com/t5/general-topics/raw-log-file-extraction/m-p/174093#M54736 reaper 2017-08-31T10:28:01Z https://live.paloaltonetworks.com/t5/general-topics/raw-log-file-extraction/m-p/174523#M54831 <P>HI All,&nbsp;</P><P>&nbsp;</P><P>From GUI i have use the command&nbsp;( receive_time leq '2017/07/31 00:00:01' ) but no output is coming so that means in GUI the old logs is not there , I have a task of extracting MAY month RAW logs in csv format without any TFTP or SCP server as destination &nbsp;is there any way of extracting three months LOGS from Palo Alto via CLI .&nbsp;</P> Mon, 04 Sep 2017 05:55:16 GMT https://live.paloaltonetworks.com/t5/general-topics/raw-log-file-extraction/m-p/174523#M54831 Himarya 2017-09-04T05:55:16Z https://live.paloaltonetworks.com/t5/general-topics/raw-log-file-extraction/m-p/174543#M54834 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/69002">@Himarya</a></P> <P>&nbsp;</P> <P>if the log does not show up on the GUI, it is also not available on the CLI. it may have been removed to make room for new log</P> <P>&nbsp;</P> <P>from the cli you can easily verify which logs are the oldes on your system as the 'show log' command will sort old to new by default:</P> <P>&nbsp;</P> <PRE>tpiens@myNGFW(active)&gt; show log traffic Time App From Src Port Source Rule Action To Dst Port Destination Src User Dst User End Reason ==================================================================================================== <STRONG>2016/05/10 11:08:49</STRONG> ssl v1-isp2 32920 10.192.16.81 policy2 allow v1-dynroute 443 198.51.100.5 aged-out <STRONG>2016/05/10 11:09:30</STRONG> unknown-udp v1-isp2 48504 10.192.16.81 policy2 allow v1-dynroute 1194 198.51.100.5 aged-out 2016/05/10 11:09:33 unknown-tcp local 51437 172.16.1.228 WAN-connection allow remote 7123 192.168.1.1 tcp-fin </PRE> <P>&nbsp;</P> <P>extraction via the CLI can only be accomplished via scp or tftp</P> Mon, 04 Sep 2017 07:52:01 GMT https://live.paloaltonetworks.com/t5/general-topics/raw-log-file-extraction/m-p/174543#M54834 reaper 2017-09-04T07:52:01Z