FortiGate
akileshc (Staff)
Article Id 333027
Description This article describes how to retrieve event logs using an API GET request with specific filters, with emphasis on the use of Unix epoch timestamps in milliseconds for log filtering.
Scope FortiGate.
Solution

Prerequisites

  • Network access to the FortiGate REST API endpoint, with an API user whose profile grants the permissions needed to read logs.
  • Knowledge of Unix epoch time and the ability to convert dates into epoch timestamps (in milliseconds, and in the correct time zone).
  • A valid API access token for authentication: Connect FortiGate device via API Token

 

Step 1: Convert human-readable dates to Unix epoch timestamps.

To filter event logs by time, first convert the human-readable dates into Unix epoch timestamps in milliseconds (seconds since 1970-01-01 00:00:00 UTC, multiplied by 1000). The conversion must be done in the time zone the wall-clock time refers to: the same clock time in UTC and in UTC+4 is four hours apart as an epoch value.

 

Example:

 

Date & Time: '2024-08-14 10:33:51' -> '1723617231000'.

(This value corresponds to 10:33:51 in a UTC+4 time zone, that is 06:33:51 UTC. Converting the same wall-clock time in another zone yields a different number.)

These conversions can be done with online converters or programmatically, for example with Python's datetime module. Whichever tool is used, check that it applies the intended time zone and that the result is in milliseconds, not seconds.

For example: epochconverter.com.

 

Step 2: Construct the API GET request.

Use the epoch timestamps to build the API GET request, making sure the filter conditions are correctly structured and combined. Each filter is a comparison on the log metadata field _metadata.timestamp, which holds the log time in epoch milliseconds.

 

Example API Requests:

 

Example 1:

 

To retrieve the logs greater than or equal to the timestamp '2024-08-14 10:33:51', use the '>=' filter.

 

https://<api_endpoint>/api/v2/log/memory/event/system?access_token=<insert_access_token>&filter=_metadata.timestamp>=1723617231000

 

Example 2:

 

To retrieve the logs whose timestamp exactly equals '2024-08-14 10:33:51', use the '==' filter. Only entries whose _metadata.timestamp equals this exact value are returned, so this form is suited to locating a known event, not a period.

 

https://<api_endpoint>/api/v2/log/memory/event/system?access_token=<insert_access_token>&filter=_metadata.timestamp==1723617231000

 

Example 3:

 

To retrieve the logs from '27 August 2024 10:30:00' up to, but not including, '27 August 2024 12:30:00', combine a '>=' filter for the start and a '<' filter for the end (both values converted in UTC+4, as in Example 1). Repeating the filter parameter ANDs the two conditions.

 

https://<api_endpoint>/api/v2/log/memory/event/system?access_token=<insert_access_token>&filter=_metadata.timestamp>=1724740200000&filter=_metadata.timestamp<1724747400000


Key components:

  • Replace <api_endpoint> with the FortiGate management IP address or hostname (including the port if the administrative HTTPS port is not 443).
  • Replace <insert_access_token> with a valid REST API token. Note that a token in the query string ends up in browser history and in proxy and web-server logs; FortiOS also accepts the token in an 'Authorization: Bearer <token>' request header, which is the safer choice for scripts.
  • The filter parameter carries the comparison on _metadata.timestamp (>=, >, <=, <, ==, !=). Repeat filter= to AND several conditions, as in Example 3. The operator characters must be URL-encoded when the client does not do so automatically (%3E%3D for '>=', %3C for '<'). The value must be in milliseconds; a seconds-resolution value will not select the intended period.

 

Step 3: Execute the request and verify the results.

 

Submit the GET request to the API and review the returned logs, checking that every record's _metadata.timestamp lies inside the requested window. Records at or beyond the end boundary point to a wrong operator; a window that is empty or shifted by a whole number of hours points to a time-zone error in the conversion.

 

Output for example 1: [screenshot: API_GE.PNG]

Output for example 2: [screenshot: API_EE.PNG]

Output for example 3 (using an API tool such as Postman): [screenshot: postman_fwd_logs.PNG]
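The three steps above, worked through in one script. This is an added example and not code from the article or from Fortinet: it converts wall-clock times to epoch milliseconds in an explicit time zone (Step 1), builds the query with properly encoded, ANDed filters and sends the token in an Authorization header instead of the URL (Step 2), and checks that every returned record sits inside the window (Step 3). The hostname, the token and the sample response are constructed placeholders, and the response layout (a list of records each carrying a '_metadata' object with a 'timestamp' key) is assumed from the field name the article filters on.

```python
"""Added example (not part of the Fortinet article): epoch-millisecond
conversion, URL construction with URL-encoded filters, and range checking
for a FortiOS /api/v2/log query. Host, token and sample data are constructed."""
import json
import ssl
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional

TS_FIELD = "_metadata.timestamp"  # FortiOS log metadata field, in milliseconds


def to_epoch_ms(local_time: str, tz: timezone) -> int:
    """'YYYY-MM-DD HH:MM:SS' in the given zone -> Unix epoch milliseconds.
    The zone matters: the same wall-clock time is a different instant in UTC
    than in UTC+4, and FortiOS compares against the absolute instant."""
    naive = datetime.strptime(local_time, "%Y-%m-%d %H:%M:%S")
    return int(naive.replace(tzinfo=tz).timestamp()) * 1000


def build_log_url(host: str, start_ms: int, end_ms: Optional[int] = None,
                  storage: str = "memory") -> str:
    """Build /api/v2/log/<storage>/event/system with one or two timestamp
    filters. Repeated filter= parameters are ANDed; urlencode percent-encodes
    '>=' and '<' so the operators survive the URL intact."""
    params = [("filter", f"{TS_FIELD}>={start_ms}")]
    if end_ms is not None:
        params.append(("filter", f"{TS_FIELD}<{end_ms}"))
    query = urllib.parse.urlencode(params)
    return f"https://{host}/api/v2/log/{storage}/event/system?{query}"


def fetch_logs(url: str, token: str) -> dict:
    """GET the URL with the token in an Authorization header rather than in
    the query string, so it does not land in proxy or web-server logs.
    TLS verification stays on; trust the FortiGate's certificate CA if needed."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def out_of_range(results: list, start_ms: int, end_ms: int) -> list:
    """Return the records whose _metadata.timestamp is outside [start_ms, end_ms).
    Assumes each record carries a '_metadata' object with a 'timestamp' key
    (assumed layout); an empty result means the filters held."""
    bad = []
    for rec in results:
        ts = rec.get("_metadata", {}).get("timestamp")
        if ts is None or not (start_ms <= ts < end_ms):
            bad.append(rec)
    return bad


# Constructed sample records in the assumed response layout; the third one is
# deliberately at the (exclusive) end boundary so the check has something to flag.
SAMPLE_RESULTS = [
    {"_metadata": {"timestamp": 1724740200000}, "logdesc": "Admin login successful"},
    {"_metadata": {"timestamp": 1724744000000}, "logdesc": "Interface status changed"},
    {"_metadata": {"timestamp": 1724747400000}, "logdesc": "Admin logout"},
]

if __name__ == "__main__":
    gulf = timezone(timedelta(hours=4))  # the article's epoch values match UTC+4
    start = to_epoch_ms("2024-08-27 10:30:00", gulf)
    end = to_epoch_ms("2024-08-27 12:30:00", gulf)
    print(start, end)  # 1724740200000 1724747400000
    print(build_log_url("fw.example.com", start, end))
    for rec in out_of_range(SAMPLE_RESULTS, start, end):
        print("outside window:", rec)
    # Live query (placeholder host and token):
    # data = fetch_logs(build_log_url("fw.example.com", start, end), "TOKEN")
    # print(out_of_range(data["results"], start, end))
```

Run against a real FortiGate, the script keeps the token out of the URL and refuses an untrusted certificate; if the check reports records, compare the offset between the flagged timestamps and the window before touching the filter syntax, since a whole-hour shift is almost always a time-zone mistake in Step 1.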

 

Troubleshooting:
  • No results: verify the timestamp conversion, in particular that it was done in the intended time zone, that the value is in milliseconds rather than seconds, and that the start and end values bracket the desired period. Also confirm that the selected log storage (memory in the examples above) actually holds event logs for that period.
  • Filter errors: ensure the filter syntax is supported by the API, that the operators are URL-encoded where the client does not do so, and that repeated filter parameters are each well formed.

 

Collect FortiOS output from these commands (run 'diagnose debug enable' first so the debug output is displayed, and 'diagnose debug disable' when finished):

Debug commands (logging daemons):


diag test app fgtlog 1
diag test app fgtlog 4
diag test app fgtlog 6
diag test app fgtlog 9
diag test app fgtlog 41
diag debug app fgtlog -1
diag debug app miglogd 0x1000
diag debug app miglogd -1
diag test app syslogd 1
diag test app syslogd 4
diag test app syslogd 6
diag test app syslogd 9
(the syslogd commands apply to FortiOS 7.0, 7.2 and 7.4)
diag sniff migsock ssl-trace enable
diag sniff migsock filter "name=xxx service=oftp" (name: logsearch fortiview faz-cloud global-faz global-faz2 ...)
diag sniff migsock start

Debug commands for the REST API:


diagnose debug application httpsd -1
diagnose debug application nodejs -1

 

By following these steps, an API GET request with Unix epoch millisecond timestamp filters retrieves the event logs for a specific time. This method is well suited to isolating the logs for a particular event or period.