Raw log file extraction

L1 Bithead

Raw log file extraction

Hi All,

Can anyone tell me how to extract the old log files from the CLI? Is there any directory to reach which contains the log files? Please provide us the path.

Community Manager

Re: Raw log file extraction

You can use scp|tftp export to extract log files off the device:

 

admin@myNGFW> scp export log
> log        Use scp to export log in csv format
> log-file   Use scp to export log-file
> logdb      Use scp to export logdb

 

'log' is in relation to traffic passing through the firewall

 

admin@myNGFW> scp export log 
> alarm      alarm 
> auth       auth 
> config     config 
> data       data 
> system     system 
> threat     threat 
> traffic    traffic 
> tunnel     tunnel 
> url        url 
> userid     userid 
> wildfire   wildfire 

while 'log-file' is in relation to system logs from system processes on the dataplane or management-plane:

admin@myNGFW> scp export log-file 
> data-plane         Use scp to export data-plane log-file
> management-plane   Use scp to export management-plane log-file

'logdb' is the whole (traffic+threat+...) log database


Help the community: Like helpful comments and mark solutions
Reaper out
L1 Bithead

Re: Raw log file extraction

Hi All,

Yes, we can use the command scp export log, but where will it get exported? Is there any directory from where we have to extract it further?

Secondly, I want to extract old logs, 60 days old, so how can we do that? In the command there is no such option available.

Thirdly, can logs be extracted via WinSCP?

 

 

Community Manager

Re: Raw log file extraction

1. The firewall is not a traditional operating system, so there are no directories; you just select which source you want to export from (you can use the <tab> key to help you browse the commands):

 

-> log (and choose which log to export: traffic, threat, url,...)

-> or log-file (and choose ALL the management-plane or ALL the dataplane logs)

 

 

2. For the traffic-related logs there are a few filters you can apply, but not 'older than' (this can be achieved through the GUI, however):

admin@EMEA-TAC-GW> scp export log traffic 
+ max-log-count   max number of logs to export
+ query           query 
+ remote-port     SSH port number on remote host
+ source-ip       Set source address to specified interface address
* end-time        end-time 
* start-time      start-time 
* to              Destination (username@host:path_to_destination_filename)

In the GUI you can simply use a filter and export to CSV:

( receive_time leq '2017/06/31 00:00:01' )

3. No, only to a *nix device, but you can also do a tftp export to a Windows server running tftp.


Help the community: Like helpful comments and mark solutions
Reaper out
L1 Bithead

Re: Raw log file extraction

Hi All,

From the GUI I have used the filter ( receive_time leq '2017/07/31 00:00:01' ), but no output is coming, so that means the old logs are not there in the GUI. I have a task of extracting May's raw logs in CSV format without any TFTP or SCP server as destination. Is there any way of extracting three months of logs from Palo Alto via the CLI?

Community Manager

Re: Raw log file extraction

Hi @Himarya

 

If the log does not show up in the GUI, it is also not available on the CLI. It may have been removed to make room for new logs.

 

From the CLI you can easily verify which logs are the oldest on your system, as the 'show log' command will sort old to new by default:

 

tpiens@myNGFW(active)> show log traffic 
Time                App             From                            Src Port          Source
Rule                Action          To                              Dst Port          Destination
                    Src User        Dst User                        End Reason
====================================================================================================
2016/05/10 11:08:49 ssl             v1-isp2                         32920             10.192.16.81
policy2              allow           v1-dynroute                     443               198.51.100.5
                                                                    aged-out
2016/05/10 11:09:30 unknown-udp     v1-isp2                         48504             10.192.16.81
policy2              allow           v1-dynroute                     1194              198.51.100.5
                                                                    aged-out
2016/05/10 11:09:33 unknown-tcp     local                           51437             172.16.1.228
WAN-connection      allow           remote                          7123              192.168.1.1
                                                                    tcp-fin

 

Extraction via the CLI can only be accomplished via scp or tftp.


Help the community: Like helpful comments and mark solutions
Reaper out
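As an added example that is not part of the original thread (my own code, not Palo Alto's): before pushing a large scp/tftp export, it is worth checking whether the period you want is still on the box at all. The script below parses the three-line-per-entry layout that `show log traffic` prints (sample reconstructed from the output quoted above, so treat it as constructed input), reports the oldest retained entry, and decides whether a requested date window can still be exported. It also builds the GUI `receive_time leq` filter string while validating the calendar date, since a filter such as `2017/06/31` is not a real date and will silently match nothing. The field names in the returned dicts are my own choice; rule names containing spaces would need fixed-width parsing instead of the whitespace split used here.

```python
"""Parse PAN-OS `show log traffic` output to find the oldest retained entry and
check whether a requested date range can still be exported. Added example; the
sample output is constructed from the thread, the helper names are assumptions."""

import re
from datetime import datetime, timedelta

# Constructed sample in the same layout as the `show log traffic` output in the thread
SAMPLE_SHOW_LOG = """\
Time                App             From                            Src Port          Source
Rule                Action          To                              Dst Port          Destination
                    Src User        Dst User                        End Reason
====================================================================================================
2016/05/10 11:08:49 ssl             v1-isp2                         32920             10.192.16.81
policy2              allow           v1-dynroute                     443               198.51.100.5
                                                                    aged-out
2016/05/10 11:09:30 unknown-udp     v1-isp2                         48504             10.192.16.81
policy2              allow           v1-dynroute                     1194              198.51.100.5
                                                                    aged-out
2016/05/10 11:09:33 unknown-tcp     local                           51437             172.16.1.228
WAN-connection      allow           remote                          7123              192.168.1.1
                                                                    tcp-fin
"""

TS_FMT = "%Y/%m/%d %H:%M:%S"
DAY_FMT = "%Y/%m/%d"
# First line of an entry: time, app, from-zone, src port, source address
ENTRY_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$"
)


def parse_show_log(text):
    """Return one dict per entry. Each entry occupies three lines:
    1: time app from src_port source
    2: rule action to dst_port destination
    3: [src user] [dst user] end_reason (user fields are usually blank)
    Header lines never start with a timestamp, so they are skipped naturally."""
    lines = text.splitlines()
    entries = []
    i = 0
    while i < len(lines):
        m = ENTRY_RE.match(lines[i])
        if not m or i + 2 >= len(lines):
            i += 1
            continue
        rule = lines[i + 1].split()
        tail = lines[i + 2].split()
        if len(rule) != 5:  # not a well-formed second line; resync on next timestamp
            i += 1
            continue
        entries.append({
            "time": datetime.strptime(m.group(1), TS_FMT),
            "app": m.group(2),
            "from_zone": m.group(3),
            "src_port": int(m.group(4)),
            "source": m.group(5),
            "rule": rule[0],
            "action": rule[1],
            "to_zone": rule[2],
            "dst_port": int(rule[3]),
            "destination": rule[4],
            "end_reason": tail[-1] if tail else "",
        })
        i += 3
    return entries


def oldest_entry_time(entries):
    """`show log` sorts old to new, but take min() so the answer does not depend on order."""
    return min(e["time"] for e in entries) if entries else None


def range_is_available(entries, start_day, end_day):
    """True if logs from the inclusive window start_day..end_day (YYYY/MM/DD strings)
    can still exist on the firewall, i.e. the window does not end before the oldest
    retained entry. A False here means the logs were already rotated out and no
    scp/tftp export or GUI filter will bring them back."""
    oldest = oldest_entry_time(entries)
    if oldest is None:
        return False
    window_end = datetime.strptime(end_day, DAY_FMT) + timedelta(hours=23, minutes=59, seconds=59)
    window_start = datetime.strptime(start_day, DAY_FMT)
    if window_start > window_end:
        raise ValueError("start_day is after end_day")
    return window_end >= oldest


def receive_time_filter(timestamp, op="leq"):
    """Build the GUI log-viewer filter from the thread, e.g.
    ( receive_time leq '2017/07/31 00:00:01' ). strptime rejects impossible
    dates such as 2017/06/31, which would otherwise match nothing."""
    dt = datetime.strptime(timestamp, TS_FMT)
    return f"( receive_time {op} '{dt.strftime(TS_FMT)}' )"


if __name__ == "__main__":
    logs = parse_show_log(SAMPLE_SHOW_LOG)
    print(f"{len(logs)} entries, oldest: {oldest_entry_time(logs)}")
    print("May 2016 still on box:", range_is_available(logs, "2016/05/01", "2016/05/31"))
    print("April 2016 still on box:", range_is_available(logs, "2016/04/01", "2016/04/30"))
    print(receive_time_filter("2017/07/31 00:00:01"))
```

Run it against a saved `show log traffic` capture to see the oldest entry; if `range_is_available` returns False for the month you need, the data is gone from the firewall and the only remaining source is whatever Panorama or a syslog collector received at the time.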