This article describes a method to export malware IP data from FortiSIEM to a CSV file using a CLI-based workaround. FortiSIEM does not currently provide a built-in feature in the GUI or official API to export malware IP lists directly to a CSV file. As a workaround, the data can be retrieved directly from the backend database and optionally automated using a cron job.
Step 1: Export malware IP data via CLI.
Log in to the FortiSIEM Supervisor via SSH as root.
Execute the following command:
psql -t -U phoenix -d phoenixdb -c "SELECT * FROM ph_malware_ip;" --csv > /tmp/PH_MALWARE_IP.csv
This command generates a CSV file at:
/tmp/PH_MALWARE_IP.csv
Note: The output includes all malware IP entries in the table, regardless of source, not only those from FortiGuard.
Step 2: Schedule automatic export (Optional).
To automate the export process, configure a cron job as follows.
Open the cron editor:
crontab -e
Add the following entry to run the export daily at 2:00 AM:
0 2 * * * /usr/bin/psql -t -U phoenix -d phoenixdb -c "SELECT * FROM ph_malware_ip;" --csv > /tmp/PH_MALWARE_IP.csv
Explanation:
0 2 * * * → Executes daily at 02:00 AM
The command retrieves malware IP data from the database and writes the output to:
/tmp/PH_MALWARE_IP.csv
The > operator overwrites the existing file during each execution.
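One practical consequence of the > redirection is that the shell truncates /tmp/PH_MALWARE_IP.csv before psql starts, so if the query fails (for example while the database is restarting) the cron run leaves an empty file behind and any downstream consumer of the CSV silently loses the list. The script below is an added example, not part of the article or of FortiSIEM: it writes the export to a temporary file first and only replaces the CSV on success, keeps the previous copy otherwise, and reports the row count. It assumes the same psql path, credentials and table the article uses, and that the script is saved at a hypothetical path such as /usr/local/bin/export_malware_ip.sh.

```shell
#!/bin/sh
# Added example (not from the FortiSIEM KB article): safe wrapper around the
# psql export so a failed run never leaves an empty or truncated CSV behind.
# Assumptions: /usr/bin/psql, user phoenix, database phoenixdb and table
# ph_malware_ip as in the article; script path is hypothetical.

# run_export OUTFILE CMD [ARGS...]
# Runs CMD with ARGS, capturing stdout in a temporary file next to OUTFILE.
# Only when CMD exits 0 is the temp file renamed over OUTFILE (an atomic
# replace); on failure the temp file is removed and the previous OUTFILE is
# left untouched. Returns CMD's exit status.
run_export() {
    outfile="$1"; shift
    tmpfile="${outfile}.tmp.$$"
    rc=0
    "$@" > "$tmpfile" || rc=$?
    if [ "$rc" -eq 0 ]; then
        mv -f "$tmpfile" "$outfile"
    else
        rm -f "$tmpfile"
        echo "export failed (exit $rc); keeping previous $outfile" >&2
    fi
    return "$rc"
}

# csv_row_count FILE
# Number of lines in FILE. With psql -t there is no header row, so for
# single-line records this is the number of exported malware IP entries.
csv_row_count() {
    wc -l < "$1" | tr -d ' '
}

# When invoked with --run (e.g. from cron), perform the real export.
if [ "${1:-}" = "--run" ]; then
    umask 077   # keep the threat-intel dump readable by root only
    run_export /tmp/PH_MALWARE_IP.csv \
        /usr/bin/psql -t -U phoenix -d phoenixdb --csv \
        -c "SELECT * FROM ph_malware_ip;"
    echo "rows exported: $(csv_row_count /tmp/PH_MALWARE_IP.csv)"
fi
```

With this wrapper the cron line from Step 2 becomes 0 2 * * * /usr/local/bin/export_malware_ip.sh --run (assumed script path), and a failed nightly run shows up on stderr (and therefore in cron's mail) instead of as an empty CSV.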
Summary:
FortiSIEM does not currently provide native UI or API functionality to export malware IP data directly to CSV. The CLI query above provides a workaround to retrieve the data from the backend database. Cron scheduling can be used to automate the export process.