This article describes that a program called phExportEvent can be run from the FortiSIEM Supervisor or Worker console, to export events to files.
Scope
FortiSIEM.
Solution
Events are exported to files in EXCEL-style CSV format that contain the following fields:
- Organization Name (applicable to SP/SaaS mode).
- Reporting Device IP.
- Reporting Device Name.
- Event Received Time.
- Raw Message.
The Usage of the command is as follows:
phExportEvent {--dest DESTINATION_DIR} {--starttime START_TIME | --relstarttime RELATIVE_START_TIME}
{--endtime END_TIME | --relendtime RELATIVE_END_TIME} [--dev DEVICE_NAME] [--org ORGANIZATION_NAME]
[-tzone TIME_ZONE]
Valid time limit is one of the following:
Example.
phExportEvent --dest /home/admin --starttime "2010-10-18 11:00:00-7" --endtime "2010-10-18 12:00:00-7" --org Super --org customer111
The timzone -7 is Pacific Daylight-saving Time(PDT) or GMT-7.
Note:
Events begin with 'PH_DEV_MON' are FortiSIEM generated events and will not be exported.
Parameter Description:
DESTINATION_DIR: Destination directory where the exported event files are saved.
START_TIME: Starting time of events to be exported. The format is "YYYY-MM-DD HH:MM:SS {+|-} TZ", if TZ is not given, local time zone of the machine where the script is running will be used. Example: "2010-03-10 23:00:00 -8" means pacific standard time "23:00:00
03/10/2010", "2010-07-29 10:20:00 +5:30" means India standard time "10:20:00 07/29/2010".
END_TIME: Ending time of events to be exported. The format is same as START_TIME.
RELATIVE_START_TIME: (Must be used together with END_TIME) Starting time of events to be exported relative backward to the end time as specified using "--endtime END_TIME". The format is
"NUM(d|h|m)", where NUM is the number of days or hours or minutes. For example, --relstarttime 5d means the starting time is 5 days prior to the ending time.
RELATIVE_END_TIME: (Must be used together with START_TIME) Ending time of events to be exported relative forward to the start time as specified using START_TIME. The format is same as RELATIVE_START_TIME.
DEVICE_NAME: Host name or IP of device whose events are to be exported. Use comma separated list to specify multiple IPs or host names, for example, --dev 10.1.1.1,10.10.10.1,router1,router2. Note: host name is case insensitive.
ORGANIZATION_NAME: (Applicable only to AO-SP): Name of the organization whose events are to be exported. To specify multiple organizations, supply this option multiple times – each for one organization, for example, --org "Public Bank" --org "Private Bank". Note: organization name is case insensitive.
TIMEZONE: Specifies the time zone used to format the event receive time in the exported event files. The format is "{+|-}TZ", for example, '-8' means Pacific standard time, "+5:30" means India standard time.
