Getting the data
I have been researching a way to get threat logs from the system using the RESTful API as a carrier. It seems you can access reports and configuration this way but not the "raw" logs.
It seems the "raw" logs are accessible through the CLI; for instance, you can get data by issuing this command:
show log threat csv-output equal yes start-time 2009/10/22@10:00:00
It would be great if you could get this same output through the RESTful API as well.
When getting data from the logs you are able to restrict the output by a lot of different things like source, dest, application, etc. When implementing some kind of automated log-retrieval system it would be really cool if each log row had a unique ID and you could send the following command to the CLI (or RESTful API):
show log threat csv-output equal yes since-id equal <unique-id>
This would allow a system to get data from the device uninterrupted, even if the retrieval application goes offline for a while.
Does anyone know of a way to solve problem 1 or 2 with the features that are available now?
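One way to get the resume-after-outage behaviour of problem 2 on top of the CSV output the CLI already provides, as an added example that is not part of the original post: the retriever keeps the highest row ID it has delivered as a persisted cursor and drops any row at or below it on the next poll. It assumes each row carries a monotonically increasing numeric `seqno` column (an assumption, not a documented field); the CSV samples are constructed.

```python
import csv
import io
import os
import tempfile

# Constructed sample of one "csv-output" query; column names are assumptions.
SAMPLE_CSV = """seqno,receive_time,src,dst,app,threat
101,2009/10/22 10:00:01,10.0.0.5,192.0.2.10,web-browsing,code-execution
103,2009/10/22 10:00:12,10.0.0.5,192.0.2.44,dns,dns-query
102,2009/10/22 10:00:07,10.0.0.9,192.0.2.10,ssl,spyware
"""
# A later query whose time window overlaps the first (103 again) plus one new row.
LATER_CSV = """seqno,receive_time,src,dst,app,threat
103,2009/10/22 10:00:12,10.0.0.5,192.0.2.44,dns,dns-query
104,2009/10/22 10:01:30,10.0.0.7,192.0.2.10,smtp,virus
"""

def new_rows(csv_text, last_id, id_field="seqno"):
    """Rows with id > last_id, in id order, plus the highest id seen."""
    keep, cursor = [], last_id
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            rid = int(row[id_field])
        except (KeyError, ValueError):
            continue  # malformed row: skip it rather than poison the cursor
        if rid > last_id:
            keep.append((rid, row))
            cursor = max(cursor, rid)
    return [row for _, row in sorted(keep, key=lambda p: p[0])], cursor

def poll(csv_text, state_path):
    """One retrieval cycle: read cursor, keep unseen rows, advance cursor atomically."""
    last = int(open(state_path).read()) if os.path.exists(state_path) else 0
    rows, cursor = new_rows(csv_text, last)
    if cursor != last:
        with open(state_path + ".tmp", "w") as fh:  # write-then-rename: no torn cursor
            fh.write(str(cursor))
        os.replace(state_path + ".tmp", state_path)
    return rows

def demo():
    """Two polls around a simulated restart; returns rows delivered per poll."""
    with tempfile.TemporaryDirectory() as d:
        state = os.path.join(d, "cursor.txt")
        return len(poll(SAMPLE_CSV, state)), len(poll(LATER_CSV, state))
```

In practice `csv_text` would be the output of a `show log ... csv-output equal yes start-time ...` query whose window is chosen to overlap the previous one, so the cursor, not the time window, decides what is new.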
Thanks for the feedback on the API. We will consider these ideas as we enhance the API in future releases.
As for options to perform a similar function today, there are a couple of options for getting logs off of the device in a programmatic way. The most real-time method is to use the syslog forwarding function, which will forward all specified logs as they come in. If you want a less real-time approach, you can use the scheduled log export function, which will connect to an FTP server once a day and dump any logs for the previous day in a CSV file format. Alternatively, you can use the CLI command "scp|ftp export log traffic|data|threat|url unexported-only equal yes ...". The system internally marks the logs that have been exported to ensure you don't miss any logs.
Hi, thanks for your answer.
We would not like to use syslog since that protocol does not have any security in it; if a link goes down we will lose data.
The ftp and scp export commands in the CLI are good, but as you say they are hard to use for real-time operations. Do you know if there is a way to send commands to the CLI directly, just like you can with normal ssh shells like bash?
ssh user@box "ls -la /"
If you could do:
ssh user@box "<command for outputting a specified amount of logdata to STDOUT>"
this would make a pretty good way to pull logs from the machine using, for instance, a python script.
However, the best way would be access to logs using the REST api.