This article describes how to search, count and retrieve logs from the FortiAnalyzer analytics database through the JSON API.
Retrieving log data involves a few related API calls.
First, retrieve the API session token that is used for the rest of the session.
Then create a search task, which returns a tid (task ID).
The tid is then used to retrieve the search statistics, to retrieve the logs (if the search succeeded) and finally to delete the task.
The first API call creates the session token:
{
  "method": "exec",
  "params": [
    {
      "data": {
        "passwd": "json",
        "user": "json"
      },
      "url": "/sys/login/user"
    }
  ],
  "session": "string",
  "id": 1
}
After the session token is provided, make an API call to create the search itself:
{
  "id": "123456789",
  "jsonrpc": "2.0",
  "method": "add",
  "params": [
    {
      "apiver": 3,
      "case-sensitive": false,
      "device": [
        {
          "devid": "All_Devices"
        }
      ],
      "filter": "msg = \"Health Check SLA status*\" or msg = \"Performance statistics:*\" or msg = \"IPsec tunnel statistics*\"",
      "logtype": "event",
      "time-order": "asc",
      "time-range": {
        "start": "2024-10-01T00:00:00",
        "end": "2024-11-01T00:00:00"
      },
      "url": "/logview/adom/{{adom}}/logsearch"
    }
  ],
  "session": "{{session}}"
}
Examples for device entries (each entry of the "device" array selects devices by one of these keys):
  { "csfname": "Corp_SF" }
  { "devid": "FGTxxx[root]" }
  { "devname": "FGT-vr[traffic]" }
Examples for filter, logtype and time-range (two alternative parameter fragments):
  "filter": "",
  "logtype": "traffic",
  "time-order": "desc",
  "time-range": {
    "end": "2019-07-03T17:16:35",
    "start": "2019-07-02T17:16:35"
  }

  "filter": "dstip = '8.8.8.8'",
  "logtype": "traffic",
  "time-range": {
    "start": "2023-08-01T00:00:00",
    "end": "2025-09-01T00:00:00"
  }
Note:
When writing a filter, use a raw log as the reference for the field names and for the format in which the values appear there.
The output:
{
  "jsonrpc": "2.0",
  "result": {
    "tid": 512753674
  },
  "id": "0"
}
To get the count:
{
  "id": "123456789",
  "jsonrpc": "2.0",
  "method": "get",
  "params": [
    {
      "apiver": 3,
      "url": "/logview/adom/{{adom}}/logsearch/count/{{tid}}"
    }
  ],
  "session": "{{session}}"
}
The output:
{
  "jsonrpc": "2.0",
  "result": {
    "total-logs": 388884,
    "scanned-logs": 184019,
    "matched-logs": 184019,
    "elapsed-time-ms": 1,
    "estimated-remain-sec": 0,
    "progress-percent": 0,
    "status": {
      "code": 0,
      "message": "succeeded"
    }
  },
  "id": "123456789"
}
The next API call retrieves the results of the search:
{
  "id": "123456789",
  "jsonrpc": "2.0",
  "method": "get",
  "params": [
    {
      "apiver": 3,
      "limit": 1000,
      "offset": 0,
      "url": "/logview/adom/{{adom}}/logsearch/{{tid}}"
    }
  ],
  "session": "{{session}}"
}
The output (when there is no matching data):
{
  "jsonrpc": "2.0",
  "result": {
    "percentage": 100,
    "return-lines": 0,
    "total-use-time": 1,
    "total-count": 0,
    "data": [],
    "status": {
      "code": 0,
      "message": "succeeded"
    },
    "tid": 512753674
  },
  "id": "123456789"
}
The output when there is matching data, with limit set to 1:
{
  "jsonrpc": "2.0",
  "result": {
    "percentage": 100,
    "return-lines": 1,
    "total-use-time": 34569,
    "total-count": 184019,
    "data": [
      {
        "date": "2024-11-08",
        "time": "14:48:06",
        "id": "7434904872631140371",
        "itime": "2024-11-08 14:48:07",
        "euid": "3",
        "epid": "3",
        "dsteuid": "3",
        "dstepid": "101",
        "logver": "704012463",
        "type": "traffic",
        "subtype": "local",
        "level": "notice",
        "action": "accept",
        "policyid": "0",
        "sessionid": "1265120",
        "srcip": "10.5.21.206",
        "dstip": "8.8.8.8",
        "trandisp": "noop",
        "duration": "64",
        "proto": "1",
        "sentbyte": "200",
        "rcvdbyte": "0",
        "sentpkt": "5",
        "rcvdpkt": "0",
        "logid": "0001000014",
        "dstname": "dns.google",
        "service": "icmp/8/0",
        "app": "icmp/8/0",
        "appcat": "unscanned",
        "srcintfrole": "undefined",
        "dstintfrole": "wan",
        "eventtime": "1731073685818923631",
        "srccountry": "Reserved",
        "dstcountry": "United%20States",
        "srcintf": "root",
        "dstintf": "port2",
        "identifier": "3067",
        "tz": "+0100",
        "devid": "FGxxx",
        "vd": "root",
        "csf": "ONIUM",
        "dtime": "2024-11-08 14:48:06",
        "itime_t": "1731073687",
        "devname": "ONIUM-206"
      }
    ],
    "status": {
      "code": 0,
      "message": "succeeded"
    },
    "tid": 1242759186
  },
  "id": "123456789"
}
To delete the search task (necessary when many tasks have been created):
{
  "session": "{{session}}",
  "id": 123456789,
  "jsonrpc": "2.0",
  "method": "delete",
  "params": [
    {
      "apiver": 3,
      "url": "/logview/adom/{{adom}}/logsearch/{{tid}}"
    }
  ]
}
The first delete returns success:
{
  "jsonrpc": "2.0",
  "result": {
    "status": {
      "code": 0,
      "message": "succeeded"
    },
    "task-id": 512753674
  },
  "id": 123456789
}
The output when the task is already deleted:
{
  "jsonrpc": "2.0",
  "error": {
    "code": -32005,
    "message": "Server error: delete log search error, errcode=-2."
  },
  "id": 123456789
}
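The whole sequence above (create task, page through results, delete task) as a small client, added here as an example and not code from the Fortinet article. The HTTP transport is injected as post(body) -> dict so the flow can be exercised offline; the ADOM name, session token and filter passed to it are assumptions, and the error handling covers both error shapes the article shows.

```python
"""Added example, not from the Fortinet article: minimal client for the
FortiAnalyzer log-search workflow. post(body) -> dict is an injected
transport; ADOM, session token and filter values are assumptions."""
from typing import Callable, Iterator

Post = Callable[[dict], dict]
REQ_ID = 123456789  # request id reused from the article's examples

def rpc(method: str, url: str, session: str, **params) -> dict:
    """Build one apiver-3 JSON-RPC body in the shape the article uses."""
    return {"id": REQ_ID, "jsonrpc": "2.0", "method": method,
            "params": [{"apiver": 3, "url": url, **params}], "session": session}

def check(resp: dict) -> dict:
    """Raise on either error shape the article shows: a top-level 'error'
    (e.g. -32005 on a repeated delete) or a result status with code != 0
    (e.g. -11 'No permission for the resource' for a wrong token)."""
    if "error" in resp:
        raise RuntimeError(f"{resp['error']['code']}: {resp['error']['message']}")
    result = resp["result"]
    first = result[0] if isinstance(result, list) and result else result
    status = first.get("status", {}) if isinstance(first, dict) else {}
    if status.get("code", 0) != 0:
        raise RuntimeError(f"{status['code']}: {status.get('message')}")
    return result

def search_logs(post: Post, session: str, adom: str, logtype: str, flt: str,
                start: str, end: str, limit: int = 1000) -> Iterator[dict]:
    """Create a search task, page through its results, then delete the task."""
    base = f"/logview/adom/{adom}/logsearch"
    created = check(post(rpc("add", base, session, logtype=logtype, filter=flt,
                             device=[{"devid": "All_Devices"}],
                             **{"case-sensitive": False, "time-order": "asc",
                                "time-range": {"start": start, "end": end}})))
    tid = created["tid"]
    try:
        offset = 0
        while True:
            page = check(post(rpc("get", f"{base}/{tid}", session,
                                  limit=limit, offset=offset)))
            if page["percentage"] < 100:  # still running: poll again
                continue                   # (add a sleep in a real client)
            yield from page["data"]
            offset += page["return-lines"]
            if page["return-lines"] == 0 or offset >= page["total-count"]:
                break
    finally:
        # One delete per task; repeating it returns error -32005 (see above).
        check(post(rpc("delete", f"{base}/{tid}", session)))
```

In a real run, post() would wrap an HTTPS POST to the FortiAnalyzer /jsonrpc endpoint with the session token obtained from /sys/login/user.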
Troubleshooting:
Wrong token:
{
  "result": [
    {
      "status": {
        "code": -11,
        "message": "No permission for the resource"
      }
    }
  ],
  "id": "123456789"
}
If no data is returned, first verify in Log View that log data exists for the chosen time range, and that the search filter uses the correct field (for example srcip rather than dstip). To debug the log search on the FortiAnalyzer CLI, use:
diagnose debug reset
diagnose debug application fazsvcd 255
diagnose debug enable
After the test use:
diagnose debug reset
diagnose debug disable
Copyright 2024 Fortinet, Inc. All Rights Reserved.