you can use scp|tftp export to extract log files off the device:
admin@myNGFW> scp export log
> log       Use scp to export log in csv format
> log-file  Use scp to export log-file
> logdb     Use scp to export logdb
'log' is in relation to traffic passing through the firewall
admin@myNGFW> scp export log
> alarm     alarm
> auth      auth
> config    config
> data      data
> system    system
> threat    threat
> traffic   traffic
> tunnel    tunnel
> url       url
> userid    userid
> wildfire  wildfire
while 'log-file' is in relation to system logs from system processes on the dataplane or management-plane
admin@myNGFW> scp export log-file
> data-plane        Use scp to export data-plane log-file
> management-plane  Use scp to export management-plane log-file
'logdb' is the whole (traffic+threat+...) log database
Yes, we can use the command scp export log, but where will it get exported? Is there any directory from where we have to extract it further?
Secondly, I want to extract old logs, 60 days old, so how can we do that, because in the command there is no such option available.
Thirdly, can logs be extracted via WinSCP?
1. The firewall is not a traditional operating system, so there are no directories; you just select which source you want to export from (you can use the <tab> key to help you browse the commands):
-> log (and choose which log to export: traffic, threat, url,...)
-> or log-file (and choose ALL the management-plane or ALL the dataplane logs)
2. For the traffic related logs there are a few filters you can apply, but not 'older than' (this can be achieved through the GUI however):
admin@EMEA-TAC-GW> scp export log traffic
+ max-log-count  max number of logs to export
+ query          query
+ remote-port    SSH port number on remote host
+ source-ip      Set source address to specified interface address
* end-time       end-time
* start-time     start-time
* to             Destination (username@host:path_to_destination_filename)
In the GUI you can simply use a filter and export to CSV:
( receive_time leq '2017/06/31 00:00:01' )
3. No, only to a *nix device, but you can also do tftp export to a Windows server running tftp.
From the GUI I have used the filter ( receive_time leq '2017/07/31 00:00:01' ) but no output is coming, so that means the old logs are not there in the GUI. I have a task of extracting MAY month RAW logs in csv format without any TFTP or SCP server as destination. Is there any way of extracting three months of LOGS from Palo Alto via the CLI?
If the log does not show up in the GUI, it is also not available in the CLI. It may have been removed to make room for new logs.
From the CLI you can easily verify which logs are the oldest on your system, as the 'show log' command will sort old to new by default:
tpiens@myNGFW(active)> show log traffic
Time                 App          From     Src Port  Source        Rule            Action  To           Dst Port  Destination   Src User  Dst User  End Reason
====================================================================================================
2016/05/10 11:08:49  ssl          v1-isp2  32920     10.192.16.81  policy2         allow   v1-dynroute  443       198.51.100.5                      aged-out
2016/05/10 11:09:30  unknown-udp  v1-isp2  48504     10.192.16.81  policy2         allow   v1-dynroute  1194      198.51.100.5                      aged-out
2016/05/10 11:09:33  unknown-tcp  local    51437     172.16.1.228  WAN-connection  allow   remote       7123      192.168.1.1                       tcp-fin
Extraction via the CLI can only be accomplished via scp or tftp.
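The two checks the thread describes, deciding from 'show log traffic' whether a requested period is still on the box before attempting an export, and applying a receive_time window to an exported CSV the way the GUI filter does, as an added example that is not part of the original thread and not Palo Alto Networks code. The 'show log traffic' table and the CSV rows below are constructed for the example; the column layout follows the excerpt above, and the CSV column name receive_time follows the GUI filter quoted in the thread.

```python
"""Retention check for PAN-OS log exports (added example, constructed data).

Parses the table printed by 'show log traffic', which lists entries oldest
first, to find the oldest record still retained, and applies a receive_time
window to CSV rows of the kind 'scp export log traffic' or the GUI export
produce.  Timestamps are handled as strings in the firewall's own
yyyy/mm/dd hh:mm:ss form so callers never need datetime objects.
"""
import csv
import io
import re
from datetime import datetime

TS_FMT = "%Y/%m/%d %H:%M:%S"
# Every log row in 'show log traffic' output starts with a timestamp;
# header and separator lines do not, so the regex skips them.
ROW_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+")

# Constructed sample of 'show log traffic' output (layout as in the thread,
# values made up).  Oldest entry is 2017/06/03, so May is already purged.
SHOW_LOG_TRAFFIC = """\
Time                 App          From     Src Port  Source        Rule      Action  To           Dst Port  Destination   End Reason
====================================================================================================
2017/06/03 08:15:02  ssl          v1-isp2  32920     10.192.16.81  policy2   allow   v1-dynroute  443       198.51.100.5  aged-out
2017/06/03 08:16:30  unknown-udp  v1-isp2  48504     10.192.16.81  policy2   allow   v1-dynroute  1194      198.51.100.5  aged-out
2017/07/29 17:42:11  unknown-tcp  local    51437     172.16.1.228  WAN-conn  allow   remote       7123      192.168.1.1   tcp-fin
"""

# Constructed sample in the shape of an exported traffic-log CSV (a subset of
# the real columns; receive_time is the field the GUI filter operates on).
EXPORTED_CSV = """\
receive_time,src,dst,app,action
2017/05/14 09:12:45,10.192.16.81,198.51.100.5,ssl,allow
2017/06/02 23:59:59,10.192.16.82,198.51.100.5,ssl,allow
2017/07/01 00:00:00,172.16.1.228,192.168.1.1,unknown-tcp,allow
"""


def ts(s):
    """Parse a firewall-style timestamp string into a datetime."""
    return datetime.strptime(s, TS_FMT)


def parse_show_log_times(text):
    """Return the timestamps (as datetimes) of all log rows in the table."""
    return [ts(m.group(1)) for m in map(ROW_RE.match, text.splitlines()) if m]


def oldest_retained(text):
    """Oldest timestamp still on the firewall as a string, or None if empty."""
    times = parse_show_log_times(text)
    return min(times).strftime(TS_FMT) if times else None


def window_coverage(text, start, end):
    """Classify how much of the [start, end] window can still be exported.

    'full'    - entries older than start are still present, so nothing in the
                window has been overwritten yet.
    'partial' - the log now begins inside the window; the head is gone.
    'none'    - even the oldest entry is newer than end (the thread's case:
                the purge made room for new logs and May is unrecoverable).
    """
    oldest = oldest_retained(text)
    if oldest is None or ts(oldest) > ts(end):
        return "none"
    return "full" if ts(oldest) <= ts(start) else "partial"


def filter_by_receive_time(csv_text, start, end):
    """Keep CSV rows whose receive_time lies within [start, end], mirroring
    ( receive_time geq 'start' ) and ( receive_time leq 'end' ) in the GUI."""
    lo, hi = ts(start), ts(end)
    return [row for row in csv.DictReader(io.StringIO(csv_text))
            if lo <= ts(row["receive_time"]) <= hi]


if __name__ == "__main__":
    print("oldest retained:", oldest_retained(SHOW_LOG_TRAFFIC))
    for month, (s, e) in {"May": ("2017/05/01 00:00:00", "2017/05/31 23:59:59"),
                          "June": ("2017/06/01 00:00:00", "2017/06/30 23:59:59"),
                          "July": ("2017/07/01 00:00:00", "2017/07/31 23:59:59")}.items():
        print(month, "->", window_coverage(SHOW_LOG_TRAFFIC, s, e))
    kept = filter_by_receive_time(EXPORTED_CSV, "2017/05/01 00:00:00", "2017/06/30 23:59:59")
    print("rows in May-June window:", [r["src"] for r in kept])
```

Run the retention check on a real 'show log traffic' capture before scheduling an export: if the result is 'none' or 'partial' for the period you need, no combination of start-time, end-time or query on scp export log will bring the purged records back, and the only fix is forwarding logs off the box (Panorama, syslog, or regular scp/tftp exports) before the on-box database wraps.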