Skip to main content
jkuo
Staff
jkuo
Staff
September 27, 2016

Technical Tip: How To Export Raw Events from the Command Line in FortiSIEM

  • September 27, 2016
  • 0 replies
  • 4117 views

Description

 

This article describes that a program called phExportEvent can be run from the FortiSIEM Supervisor or Worker console, to export events to files.

 

Scope

 

FortiSIEM.

 

Solution

 

Events are exported to files in EXCEL-style CSV format that contain the following fields:

  • Organization Name (applicable to SP/SaaS mode).
  • Reporting Device IP.
  • Reporting Device Name.
  • Event Received Time.
  • Raw Message.

 

The Usage of the command is as follows:

 

phExportEvent {--dest DESTINATION_DIR} {--starttime START_TIME | --relstarttime RELATIVE_START_TIME}
{--endtime END_TIME | --relendtime RELATIVE_END_TIME} [--dev DEVICE_NAME] [--org ORGANIZATION_NAME]
[-tzone TIME_ZONE]
 
Valid time limit is one of the following:
       --starttime <START_TIME> --endtime <END_TIME>
       --relstarttime <RELATIVE_START_TIME> --endtime <END_TIME>
       --starttime <START_TIME> --relendtime <RELATIVE_END_TIME>

       <TIME>: "YYYY-MM-DD hh:mm:ss[+-]TZ" (notice the quotation marks)
       <RELATIVE_TIME>: Num(d|h|m) d/h/m means days/hours/minutes
 
 
Example.
 
phExportEvent --dest /home/admin --starttime "2010-10-18 11:00:00-7" --endtime "2010-10-18 12:00:00-7" --org Super --org customer111
The timzone -7 is Pacific Daylight-saving Time(PDT) or GMT-7.

Note:
Events begin with 'PH_DEV_MON' are FortiSIEM generated events and will not be exported.
 

Parameter Description:

 

DESTINATION_DIR: Destination directory where the exported event files are saved.

START_TIME: Starting time of events to be exported. The format is "YYYY-MM-DD HH:MM:SS {+|-} TZ", if TZ is not given, local time zone of the machine where the script is running will be used. Example: "2010-03-10 23:00:00 -8" means pacific standard time "23:00:00

03/10/2010", "2010-07-29 10:20:00 +5:30" means India standard time "10:20:00 07/29/2010".

END_TIME: Ending time of events to be exported. The format is same as START_TIME.

RELATIVE_START_TIME: (Must be used together with END_TIME) Starting time of events to be exported relative backward to the end time as specified using "--endtime END_TIME". The format is

"NUM(d|h|m)", where NUM is the number of days or hours or minutes. For example, --relstarttime 5d means the starting time is 5 days prior to the ending time.

RELATIVE_END_TIME: (Must be used together with START_TIME) Ending time of events to be exported relative forward to the start time as specified using START_TIME. The format is same as RELATIVE_START_TIME.

DEVICE_NAME: Host name or IP of device whose events are to be exported. Use comma separated list to specify multiple IPs or host names, for example, --dev 10.1.1.1,10.10.10.1,router1,router2. Note: host name is case insensitive.

ORGANIZATION_NAME: (Applicable only to AO-SP): Name of the organization whose events are to be exported. To specify multiple organizations, supply this option multiple times – each for one organization, for example, --org "Public Bank" --org "Private Bank". Note: organization name is case insensitive.

TIMEZONE: Specifies the time zone used to format the event receive time in the exported event files. The format is "{+|-}TZ", for example, '-8' means Pacific standard time, "+5:30" means India standard time.

Terms & ConditionsAccessibility statement