07-08-2013 09:49 AM
I'm trying to run a report on user activity via the webfilter for a particular user. I would use the GUI but the GUI is only allowing me the last 500 hits (via a custom report). If I go to the actual monitor and try to export I get a server 500 error. This has led me to the CLI.
ftp export log url query "src.user eq '<domain\username>'" start-time equal 2013/06/01@00:00:01 end-time equal 2013/07/08@12:00:00 to ftp:user@server
I am receiving the error "mark exported failed"...
I have never done a log export like this. Are there any tricks or suggestions?
07-08-2013 10:55 AM
Max rows in .csv export and User Activity report is set to 65535 by default and can be altered by navigating to Device > Setup > Management > Logging and Report Setting.
The number can be increased to 1048576, but is governed by the Management Plane capacity of each platform.
Are you able to export the logs with a shorter time frame, e.g. 10 days?
07-08-2013 11:05 AM
I tried doing an export of one day and I'm still getting "mark exported failed"
07-08-2013 11:11 AM
Build your query using GUI.
Try printing the logs on the CLI:
> show log url query equal "user.src eq test"
and then use the same query for FTP export.
07-08-2013 11:29 AM
I'm able to get the following to work without issue:
show log url query equal "user.src eq 'domain\username'"
However it does not transfer cleanly to the ftp export. The ftp export command does not like "equal" after the query command. If I remove it the tab tab key entry provides me with additional options. Also the show log command does not require a time frame but the FTP does.
So this works:
show log url query equal "user.src eq 'domain\username'"
And this does not:
ftp export log url query "src.user eq 'domain\username'" start-time equal 2013/07/05@00:00:00 end-time equal 2013/07/08@00:00:00 to ftp:username@destination
I'm trying to avoid pulling logs for all users from the FW but it appears that may be my only choice.
07-08-2013 11:54 AM
I was able to export the logs using the following query:
> ftp export log url query "user.src eq test" start-time equal 2013/07/01@00:00:00 end-time equal 2013/07/08@12:00:00 to user1:paloalto@host
"ftp:username@destination <==> username:password:host"
07-08-2013 09:46 PM
You can also try the following:
Open PuTTY and change the following setting: lines of scrollback (set the number of lines).
Log in using ssh.
Issue the command
> set cli pager off
> show log traffic srcuser equal test start-time equal 2013/08/01@10:00:00 end-time equal 2013/08/01@12:00:00