Barry
New Member
June 12, 2017
Solved

XML API SearchCriteria Syntax

  • June 12, 2017
  • 1 reply
  • 8662 views

Hi.

We're developing a custom solution for a customer and we're trying to use the XML API to retrieve log data.

We're new to the Fortinet products and currently trying to get the correct data through trial and error.

We've managed to get one of the result sets with the searchFazLog request.

Unfortunately, we're struggling to find documentation on the syntax that the <searchCriteria> must be written in so we can filter the results more.

For instance, how do we filter for values with <searchCriteria>subtype=system AND date=2017-06-11</searchCriteria> correctly?

Regards,


    Best answer by hzhao_FTNT

    1 reply

    ntalbot
    New Member
    October 25, 2017

    Hi Barry,

    I have the same question. Were you ever able to figure this out?


    hzhao_FTNT
    Staff
    October 25, 2017

    Hi there, because date is not a valid log field from FGT, you cannot search it directly, but you can use itime instead.

    1. Convert your desired time to an epoch timestamp (please add your timezone), for example:

    2017-06-11 00:00:59 -> 1497164400

    2017-06-11 23:59:59 -> 1497250799

    This can be done under Linux or on some websites.

    2. Search for subtype=system itime<1497250799 itime>1497164400; we have to escape < as &lt; and > as &gt;.

    So the final request will be like below:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                      xmlns:r20="http://r200806.ws.fmg.fortinet.com/">
      <soapenv:Header/>
      <soapenv:Body>
        <r20:searchFazLog>
          <!--Optional:-->
          <servicePass>
            <!--Optional:-->
            <userID>admin</userID>
            <!--Optional:-->
            <password></password>
          </servicePass>
          <!--Optional:-->
          <adom></adom>
          <!--Optional:-->
          <content>logs</content>
          <!--Optional:-->
          <format>rawFormat</format>
          <!--Optional:-->
          <deviceName>FGT70D3Z15002697</deviceName>
          <logType>event</logType>
          <!--Optional:-->
          <!-- the comparison operators in the criteria are written as &lt; and &gt; -->
          <searchCriteria>subtype=system itime&lt;1497250799 itime&gt;1497164400 </searchCriteria>
          <maxNumMatches>20</maxNumMatches>
          <startIndex>1</startIndex>
          <checkArchive>0</checkArchive>
          <!--Optional:-->
          <compression>tar</compression>
        </r20:searchFazLog>
      </soapenv:Body>
    </soapenv:Envelope>

    regards,

    hz
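    A worked version of the two steps in the answer above, added here as an example; it is not code from the original post or from Fortinet. The answer's two epoch values are 2017-06-11 00:00:00 and 23:59:59 at UTC-7 (US Pacific daylight time on that date), and the block reproduces them from the date string, builds the searchCriteria, and assembles the envelope with an XML builder instead of pasting strings, so that the < and > in the filter (or anything else that comes from user input) are escaped automatically. The namespaces, field list and the device name FGT70D3Z15002697 are copied from the request in the answer; the function names, the UTC_MINUS_7 constant and the naive_envelope_is_wellformed demonstration are this example's own. Needs Python 3.9 or later.

```python
"""Build a FortiAnalyzer searchFazLog SOAP request that filters one calendar day.

Added example (not code from the original post or from Fortinet): the itime
bounds are computed from a date plus a timezone, the searchCriteria string is
assembled, and the envelope is produced by an XML builder so that '<' and '>'
are escaped for us.  Requires Python 3.9+ (zoneinfo, tuple[int, int]).
"""
from datetime import datetime, timedelta, timezone, tzinfo
import xml.etree.ElementTree as ET
from zoneinfo import ZoneInfo

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
FMG_NS = "http://r200806.ws.fmg.fortinet.com/"   # namespace used in the answer

# Fixed offset that reproduces the answer's numbers (US Pacific daylight time on
# 2017-06-11).  For real use prefer ZoneInfo("America/Los_Angeles"), which
# follows DST changes; see the __main__ section below.
UTC_MINUS_7 = timezone(timedelta(hours=-7))


def day_bounds(date_str: str, zone: tzinfo) -> tuple[int, int]:
    """Return (first second, last second) of the YYYY-MM-DD day in `zone` as epoch seconds."""
    start = datetime.strptime(date_str, "%Y-%m-%d").replace(tzinfo=zone)
    # Adding one day to an aware datetime is wall-clock arithmetic, so this is
    # the next local midnight even across a DST switch; step back one second.
    next_midnight = start + timedelta(days=1)
    return int(start.timestamp()), int(next_midnight.timestamp()) - 1


def search_criteria(date_str: str, zone: tzinfo, extra: str = "subtype=system") -> str:
    """Raw criteria in the form the answer uses.  '<' and '>' are literal here;
    escaping them is the XML layer's job, not the filter's."""
    lo, hi = day_bounds(date_str, zone)
    return f"{extra} itime<{hi} itime>{lo}"


def build_request(criteria: str, device: str, user: str, password: str,
                  adom: str = "", max_matches: int = 20, start_index: int = 1) -> str:
    """Serialise the searchFazLog envelope; ElementTree escapes all text content."""
    ET.register_namespace("soapenv", SOAP_NS)
    ET.register_namespace("r20", FMG_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    req = ET.SubElement(body, f"{{{FMG_NS}}}searchFazLog")
    creds = ET.SubElement(req, "servicePass")
    ET.SubElement(creds, "userID").text = user
    ET.SubElement(creds, "password").text = password
    # Same fields, in the same order, as the request shown in the answer.
    for tag, value in (("adom", adom), ("content", "logs"), ("format", "rawFormat"),
                       ("deviceName", device), ("logType", "event"),
                       ("searchCriteria", criteria), ("maxNumMatches", str(max_matches)),
                       ("startIndex", str(start_index)), ("checkArchive", "0"),
                       ("compression", "tar")):
        ET.SubElement(req, tag).text = value
    return ET.tostring(env, encoding="unicode")


def extract_criteria(envelope: str) -> str:
    """Parse an envelope back and return the searchCriteria text, unescaped."""
    root = ET.fromstring(envelope)
    node = root.find(f".//{{{FMG_NS}}}searchFazLog/searchCriteria")
    return node.text if node is not None else ""


def naive_envelope_is_wellformed(criteria: str) -> bool:
    """What goes wrong without escaping: paste the raw criteria into a string
    template and report whether the result still parses as XML."""
    pasted = (f'<a xmlns:soapenv="{SOAP_NS}"><searchCriteria>{criteria}'
              "</searchCriteria></a>")
    try:
        ET.fromstring(pasted)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    import os
    zone = ZoneInfo("America/Los_Angeles")        # needs the system tz database
    criteria = search_criteria("2017-06-11", zone)
    # Credentials come from the environment, not the source file.  The API sends
    # them in the SOAP body, so only ever talk to the FortiAnalyzer over HTTPS.
    print(build_request(criteria, "FGT70D3Z15002697",
                        os.environ.get("FAZ_USER", "admin"),
                        os.environ.get("FAZ_PASS", "")))
```

    Two caveats a practitioner will want. The timezone you hand to day_bounds decides what "that day" means; the answer's numbers are for UTC-7, and a FortiAnalyzer in another zone will need its own. If FortiAnalyzer treats < and > strictly, the two boundary seconds themselves are not matched, so widen the range by a second if that matters. Also, the request in the answer logs in as admin with a blank password; use a dedicated account with only the rights needed to read logs.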

    ntalbot
    New Member
    October 25, 2017

    Thanks so much, that's exactly what I needed!

    Thanks again,

    Nick