FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
vraev
Staff
Article Id 356468
Description

 

This article describes how to search, count and retrieve logs from the FortiAnalyzer analytics database through the JSON-RPC API.

 

Scope

 

FortiAnalyzer.

 

Solution

 

Retrieving log data involves a small sequence of API calls.

First, log in to obtain the session token that authenticates every later call.

Then create a search task; the response returns a tid (task ID).

The tid is then used to retrieve the statistics (count), to retrieve the matching logs (if the search is correct) and finally to delete the task.

 

The first API call creates the session token:

 

{
    "method": "exec",
    "params": [
        {
            "data": {
                "passwd": "json",
                "user": "json"
            },
            "url": "/sys/login/user"
        }
    ],
    "session": "string",
    "id": 1
}

 

The response contains a "session" value; this is the session token, and it is passed in the "session" field of every following request.

 

Make an API call to create the search itself:

 

{
    "id": "123456789",
    "jsonrpc": "2.0",
    "method": "add",
    "params": [
        {
            "apiver": 3,
            "case-sensitive": false,
            "device": [
                {
                    "devid": "All_Devices"
                }
            ],
            "filter": "msg = \"Health Check SLA status*\" or msg = \"Performance statistics:*\" or msg = \"IPsec tunnel statistics*\"",
            "logtype": "event",
            "time-order": "asc",
            "time-range": {
                "start": "2024-10-01T00:00:00",
                "end": "2024-11-01T00:00:00"
            },
            "url": "/logview/adom/{{adom}}/logsearch"
        }
    ],
    "session": "{{session}}"
}

 

Examples of device selectors (the part in square brackets is the VDOM):

    "csfname": "Corp_SF",
    "devid": "FGTxxx[root]",
    "devname": "FGT-vr[traffic]"

 

Examples for filter and time range (an empty filter returns every log of that type in the range):

    "filter": "",
    "logtype": "traffic",
    "time-order": "desc",
    "time-range": {
        "end": "2019-07-03T17:16:35",
        "start": "2019-07-02T17:16:35"
    }

    "filter": "dstip = '8.8.8.8'",
    "logtype": "traffic",
    "time-range": {
        "start": "2023-08-01T00:00:00",
        "end": "2025-09-01T00:00:00"
    }

 

Note:

When writing a filter, use the raw log as the reference for field names and for the way the values appear there.

 

The output:

 

{
    "jsonrpc": "2.0",
    "result": {
        "tid": 512753674
    },
    "id": "0"
}

 

 

To get the count:

 

{
    "id": "123456789",
    "jsonrpc": "2.0",
    "method": "get",
    "params": [
        {
            "apiver": 3,
            "url": "/logview/adom/{{adom}}/logsearch/count/{{tid}}"
        }
    ],
    "session": "{{session}}"
}

 

The output:

 

{
    "jsonrpc": "2.0",
    "result": {
        "total-logs": 388884,
        "scanned-logs": 184019,
        "matched-logs": 184019,
        "elapsed-time-ms": 1,
        "estimated-remain-sec": 0,
        "progress-percent": 0,
        "status": {
            "code": 0,
            "message": "succeeded"
        }
    },
    "id": "123456789"
}

 

 

The next API call retrieves the results of the search. The search runs asynchronously: if "percentage" in the response is below 100 the search is still running, so repeat the call until it reaches 100, then page through the results with "offset" and "limit" until "total-count" rows have been read.

 

{
    "id": "123456789",
    "jsonrpc": "2.0",
    "method": "get",
    "params": [
        {
            "apiver": 3,
            "limit": 1000,
            "offset": 0,
            "url": "/logview/adom/{{adom}}/logsearch/{{tid}}"
        }
    ],
    "session": "{{session}}"
}

 

The output (when there is no matching data):

 

{
    "jsonrpc": "2.0",
    "result": {
        "percentage": 100,
        "return-lines": 0,
        "total-use-time": 1,
        "total-count": 0,
        "data": [],
        "status": {
            "code": 0,
            "message": "succeeded"
        },
        "tid": 512753674
    },
    "id": "123456789"
}

 

The output when there is matching data, with limit set to one. Note that field values are returned URL-encoded (for example "dstcountry": "United%20States"), so decode them before using them elsewhere:

 

{
    "jsonrpc": "2.0",
    "result": {
        "percentage": 100,
        "return-lines": 1,
        "total-use-time": 34569,
        "total-count": 184019,
        "data": [
            {
                "date": "2024-11-08",
                "time": "14:48:06",
                "id": "7434904872631140371",
                "itime": "2024-11-08 14:48:07",
                "euid": "3",
                "epid": "3",
                "dsteuid": "3",
                "dstepid": "101",
                "logver": "704012463",
                "type": "traffic",
                "subtype": "local",
                "level": "notice",
                "action": "accept",
                "policyid": "0",
                "sessionid": "1265120",
                "srcip": "10.5.21.206",
                "dstip": "8.8.8.8",
                "trandisp": "noop",
                "duration": "64",
                "proto": "1",
                "sentbyte": "200",
                "rcvdbyte": "0",
                "sentpkt": "5",
                "rcvdpkt": "0",
                "logid": "0001000014",
                "dstname": "dns.google",
                "service": "icmp/8/0",
                "app": "icmp/8/0",
                "appcat": "unscanned",
                "srcintfrole": "undefined",
                "dstintfrole": "wan",
                "eventtime": "1731073685818923631",
                "srccountry": "Reserved",
                "dstcountry": "United%20States",
                "srcintf": "root",
                "dstintf": "port2",
                "identifier": "3067",
                "tz": "+0100",
                "devid": "FGxxx",
                "vd": "root",
                "csf": "ONIUM",
                "dtime": "2024-11-08 14:48:06",
                "itime_t": "1731073687",
                "devname": "ONIUM-206"
            }
        ],
        "status": {
            "code": 0,
            "message": "succeeded"
        },
        "tid": 1242759186
    },
    "id": "123456789"
}

 

 

To delete the search task (necessary when many tasks are created, so that they do not accumulate on the FortiAnalyzer):

 

{
    "session": "{{session}}",
    "id": 123456789,
    "jsonrpc": "2.0",
    "method": "delete",
    "params": [
        {
            "apiver": 3,
            "url": "/logview/adom/{{adom}}/logsearch/{{tid}}"
        }
    ]
}

 

The first delete returns success:

 

{
    "jsonrpc": "2.0",
    "result": {
        "status": {
            "code": 0,
            "message": "succeeded"
        },
        "task-id": 512753674
    },
    "id": 123456789
}

 

The output when the task is already deleted:

 

{
    "jsonrpc": "2.0",
    "error": {
        "code": -32005,
        "message": "Server error: delete log search error, errcode=-2."
    },
    "id": 123456789
}
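The whole sequence above (login, create the search, get the count, page through the results, delete the task) as an added Python example; it is not code from this article or from Fortinet. The host faz.example.net, the ADOM root, the credentials and the canned responses produced by make_canned_transport are assumptions shaped like the outputs shown above, so the flow runs offline; against a real FortiAnalyzer, construct FazLogSearch without a transport argument and it posts to https://<host>/jsonrpc. It also checks the progress field before paging, decodes the URL-encoded field values, and turns the two error shapes shown in this article (a JSON-RPC "error" object such as -32005, and a non-zero status code such as -11) into exceptions.

```python
# Added example (not from the article or Fortinet): the FortiAnalyzer log-search flow
# end to end: login -> add logsearch -> get count -> get results (paged) -> delete task.
import json
import ssl
import urllib.parse
import urllib.request

class FazError(RuntimeError):
    """JSON-RPC 'error' object, or a result whose status code is non-zero."""

def decode_log(record):
    # Field values come back URL-encoded (e.g. 'United%20States'); decode every string.
    return {k: urllib.parse.unquote(v) if isinstance(v, str) else v for k, v in record.items()}

class FazLogSearch:
    def __init__(self, host, adom, transport=None):
        self.url, self.adom, self.session = f"https://{host}/jsonrpc", adom, None
        self.transport = transport or self._https_post  # transport(payload) -> response dict
    def _https_post(self, payload):
        req = urllib.request.Request(self.url, json.dumps(payload).encode(), {"Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=60) as r:
            return json.load(r)
    def call(self, method, params):
        payload = {"jsonrpc": "2.0", "id": 1, "method": method, "params": params}
        if self.session:
            payload["session"] = self.session      # token from login, reused by every call
        resp = self.transport(payload)
        if "error" in resp:                        # e.g. -32005 when the tid is already gone
            raise FazError(f"{resp['error']['code']}: {resp['error']['message']}")
        res = resp["result"]
        status = (res[0] if isinstance(res, list) else res).get("status", {})
        if status.get("code", 0) != 0:             # e.g. -11 "No permission for the resource"
            raise FazError(f"{status['code']}: {status['message']}")
        return resp
    def login(self, user, passwd):
        resp = self.call("exec", [{"url": "/sys/login/user", "data": {"user": user, "passwd": passwd}}])
        self.session = resp["session"]
        return self.session
    def create_search(self, logtype, filter_expr, start, end, devices=None):
        return self.call("add", [{"apiver": 3, "case-sensitive": False, "logtype": logtype,
                                  "device": devices or [{"devid": "All_Devices"}], "filter": filter_expr,
                                  "time-order": "desc", "time-range": {"start": start, "end": end},
                                  "url": f"/logview/adom/{self.adom}/logsearch"}])["result"]["tid"]
    def count(self, tid):
        return self.call("get", [{"apiver": 3, "url": f"/logview/adom/{self.adom}/logsearch/count/{tid}"}])["result"]
    def fetch_all(self, tid, page=1000):
        offset, rows = 0, []                       # page with offset/limit up to total-count
        while True:
            r = self.call("get", [{"apiver": 3, "limit": page, "offset": offset,
                                   "url": f"/logview/adom/{self.adom}/logsearch/{tid}"}])["result"]
            if r["percentage"] < 100:              # still scanning: retry the same call later
                raise FazError(f"search {tid} is only {r['percentage']}% complete")
            rows.extend(decode_log(x) for x in r["data"])
            offset += r["return-lines"]
            if r["return-lines"] == 0 or offset >= r["total-count"]:
                return rows
    def delete(self, tid):
        return self.call("delete", [{"apiver": 3, "url": f"/logview/adom/{self.adom}/logsearch/{tid}"}])

# Constructed canned responses shaped like the article's outputs, so the flow runs offline;
# against a real FortiAnalyzer, omit the transport argument to use HTTPS.
_ROWS = [{"dstip": "8.8.8.8", "dstcountry": "United%20States"},
         {"dstip": "8.8.4.4", "dstcountry": "United%20States"}]

def make_canned_transport():
    deleted, ok = set(), {"code": 0, "message": "succeeded"}
    def transport(payload):
        p, url = payload["params"][0], payload["params"][0]["url"]
        if url == "/sys/login/user":
            return {"result": [{"status": ok, "url": url}], "session": "demo-session", "id": 1}
        if payload["method"] == "delete":          # a second delete of the same tid fails
            tid = int(url.rsplit("/", 1)[1])
            if tid in deleted:
                return {"error": {"code": -32005, "message": "Server error: delete log search error, errcode=-2."}, "id": 1}
            deleted.add(tid)
            return {"result": {"status": ok, "task-id": tid}, "id": 1}
        if url.endswith("/logsearch"):
            return {"result": {"tid": 512753674}, "id": 1}
        if "/logsearch/count/" in url:
            return {"result": {"matched-logs": len(_ROWS), "progress-percent": 100, "status": ok}, "id": 1}
        chunk = _ROWS[p["offset"]:p["offset"] + p["limit"]]
        return {"result": {"percentage": 100, "return-lines": len(chunk), "total-count": len(_ROWS),
                           "data": chunk, "status": ok, "tid": 512753674}, "id": 1}
    return transport

def run_demo(transport=None):
    faz = FazLogSearch("faz.example.net", "root", transport=transport or make_canned_transport())
    faz.login("apiuser", "apipass")                # assumed credentials
    tid = faz.create_search("traffic", "dstip = '8.8.8.8'", "2024-10-01T00:00:00", "2024-11-01T00:00:00")
    matched = faz.count(tid)["matched-logs"]
    rows = faz.fetch_all(tid, page=1)             # page=1 exercises the offset loop
    faz.delete(tid)                                # free the task on the FortiAnalyzer
    return faz, tid, matched, rows

if __name__ == "__main__":
    print(run_demo()[1:])
```

Keep the page size large (the article uses 1000) in real use; page=1 in run_demo only forces the offset loop to run more than once. Deleting the tid at the end is what prevents search tasks from piling up on the appliance when a script runs many searches.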

 

 

Troubleshooting:

 

Wrong or expired session token (the call fails with status code -11):

{
    "result": [
        {
            "status": {
                "code": -11,
                "message": "No permission for the resource"
            }
        }
    ],
    "id": "123456789"
}

 

No data is received: first confirm in Log View that logs exist for the specified time range and devices, then check that the filter uses the right field (for example srcip instead of dstip) and that the values match how they appear in the raw log.

Debug output from the log search can be collected on the FortiAnalyzer CLI with:

diagnose debug reset
diagnose debug application fazsvcd 255
diagnose debug enable

After the test use:

diagnose debug reset
diagnose debug disable

 

 
