CLI FTP Export Log URL Issue

L1 Bithead


I'm trying to run a report on user activity via the webfilter for a particular user. I would use the GUI, but the GUI is only allowing me the last 500 hits (via a custom report). If I go to the actual monitor and try to export, I get a server 500 error. This has led me to the CLI.

ftp export log url query "src.user eq '<domain\username>'" start-time equal 2013/06/01@00:00:01 end-time equal 2013/07/08@12:00:00 to ftp:user@server

I am receiving the error "mark exported failed"...

I have never done a log export like this. Are there any tricks or suggestions?

L5 Sessionator

Re: CLI FTP Export Log URL Issue

Max rows in .csv export and User Activity report is set to 65535 by default and can be altered by navigating to Device > Setup > Management > Logging and Report Setting.

The number can be increased to 1048576, but is governed by the Management Plane capacity of each platform.

Are you able to export the logs with a shorter time frame, e.g. 10 days?

L1 Bithead

Re: CLI FTP Export Log URL Issue

I tried doing an export of one day and I'm still getting "mark exported failed"

L5 Sessionator

Re: CLI FTP Export Log URL Issue

Build your query using the GUI.

Try printing the logs on the CLI:

> show log url query equal "user.src eq test"

and then use the same query for FTP export.

L1 Bithead

Re: CLI FTP Export Log URL Issue

I'm able to get the following to work without issue:

show log url query equal "user.src eq 'domain\username'"

However, it does not transfer cleanly to the ftp export. The ftp export command does not like "equal" after the query command. If I remove it, the tab tab key entry provides me with additional options. Also, the show log command does not require a time frame but the FTP does.

So this works:

show log url query equal "user.src eq 'domain\username'"

And this does not:

ftp export log url query "src.user eq 'domain\username'" start-time equal 2013/07/05@00:00:00 end-time equal 2013/07/08@00:00:00 to ftp:username@destination

I'm trying to avoid pulling logs for all users from the FW but it appears that may be my only choice.

L5 Sessionator

Re: CLI FTP Export Log URL Issue

I was able to export the logs using the following query:

> ftp export log url query "user.src eq test" start-time equal 2013/07/01@00:00:00 end-time equal 2013/07/08@12:00:00 to user1:paloalto@host

"ftp:username@destination <==> username:password:host"

L5 Sessionator

Re: CLI FTP Export Log URL Issue

You can also try the following:

Open PuTTY and change the following setting: lines of scrollback - set the number of lines.

Log in using ssh.

Issue the commands:

> set cli pager off

> show log traffic srcuser equal test start-time equal 2013/08/01@10:00:00 end-time equal 2013/08/01@12:00:00
