CLI FTP Export Log URL Issue


L1 Bithead

I'm trying to run a report on user activity via the webfilter for a particular user. I would use the GUI but the GUI is only allowing me the last 500 hits (via a custom report). If I go to the actual monitor and try to export I get a server 500 error. This has led me to the CLI.

ftp export log url query "src.user eq '<domain\username>'" start-time equal 2013/06/01@00:00:01 end-time equal 2013/07/08@12:00:00 to ftp:user@server

I am receiving the error "mark exported failed"...

I have never done a log export like this. Are there any tricks or suggestions?

6 REPLIES

L5 Sessionator

Max rows in .csv export and User Activity report is set to 65535 by default and can be altered by navigating to (Device > Setup > Management > Logging and Report Setting).

The number can be increased to 1048576, but is governed by the Management Plane capacity of each platform.

Are you able to export the logs with a shorter time-frame, e.g. 10 days?

I tried doing an export of one day and I'm still getting "mark exported failed"

Build your query using GUI.

Try printing the logs on the CLI :

> show log url query equal "user.src eq test"

and then use the same query for FTP export.

I'm able to get the following to work without issue:

show log url query equal "user.src eq 'domain\username'"

However it does not transfer cleanly to the ftp export. The ftp export command does not like "equal" after the query command. If I remove it the tab tab key entry provides me with additional options. Also the show log command does not require a time frame but the FTP does.

So this works:

show log url query equal "user.src eq 'domain\username'"

And this does not:

ftp export log url query "src.user eq 'domain\username'" start-time equal 2013/07/05@00:00:00 end-time equal 2013/07/08@00:00:00 to ftp:username@destination

I'm trying to avoid pulling logs for all users from the FW but it appears that may be my only choice.

I was able to export the logs using following query

> ftp export log url query "user.src eq test" start-time equal 2013/07/01@00:00:00 end-time equal 2013/07/08@12:00:00 to user1:paloalto@host

"ftp:username@destination <==> username:password:host"

L5 Sessionator

You can also try the following:

Open PuTTY and change the following setting: Lines of scrollback - set the number of lines.

Log in using ssh.

Issue the command

> set cli pager off

> show log traffic srcuser equal test start-time equal 2013/08/01@10:00:00 end-time equal 2013/08/01@12:00:00
