FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
jkuo
Staff
Article Id 190987

Description

A program called phExportEvent can be run from the AccelOps supervisor or worker console, to export events to files.

Events are exported to files in Excel-style CSV format containing the following fields:

* Organization Name (applicable to SP/SaaS mode)
* Reporting Device IP
* Reporting Device Name
* Event Received Time
* Raw Message

The usage of the command is as follows:

phExportEvent {--dest DESTINATION_DIR} {--starttime START_TIME | --relstarttime RELATIVE_START_TIME}
{--endtime END_TIME | --relendtime RELATIVE_END_TIME} [--dev DEVICE_NAME] [--org ORGANIZATION_NAME]
[-tzone TIME_ZONE]
Valid time limit is one of the following:
       --starttime <START_TIME> --endtime <END_TIME>
       --relstarttime <RELATIVE_START_TIME> --endtime <END_TIME>
       --starttime <START_TIME> --relendtime <RELATIVE_END_TIME>

       <TIME>: "YYYY-MM-DD hh:mm:ss[+-]TZ" (notice the quotation marks)
       <RELATIVE_TIME>: Num(d|h|m) d/h/m means days/hours/minutes

EXAMPLE.
phExportEvent --dest /home/admin --starttime "2010-10-18 11:00:00-7" --endtime "2010-10-18 12:00:00-7" --org Super --org customer111
The time zone -7 is Pacific Daylight Time (PDT), i.e. GMT-7.

NOTE.
Events beginning with 'PH_DEV_MON' are AccelOps-generated events and will not be exported.


Parameter Description:

DESTINATION_DIR: Destination directory where the exported event files are saved.

START_TIME: Starting time of events to be exported. The format is "YYYY-MM-DD HH:MM:SS {+|-} TZ"; if TZ is not given, the local time zone of the machine where the script is running will be used. Example: "2010-03-10 23:00:00 -8" means Pacific Standard Time "23:00:00 03/10/2010", "2010-07-29 10:20:00 +5:30" means India Standard Time "10:20:00 07/29/2010".

END_TIME: Ending time of events to be exported. The format is the same as START_TIME.

RELATIVE_START_TIME: (Must be used together with END_TIME) Starting time of events to be exported, relative backward from the end time specified with "--endtime END_TIME". The format is "NUM(d|h|m)", where NUM is the number of days, hours or minutes. For example, --relstarttime 5d means the starting time is 5 days prior to the ending time.

RELATIVE_END_TIME: (Must be used together with START_TIME) Ending time of events to be exported, relative forward from the start time specified with START_TIME. The format is the same as RELATIVE_START_TIME.

DEVICE_NAME: Host name or IP of the device whose events are to be exported. Use a comma-separated list to specify multiple IPs or host names, for example, --dev 10.1.1.1,10.10.10.1,router1,router2. Note: host name is case insensitive.

ORGANIZATION_NAME: (Applicable only to AO-SP) Name of the organization whose events are to be exported. To specify multiple organizations, supply this option multiple times, once per organization, for example, --org "Public Bank" --org "Private Bank". Note: organization name is case insensitive.

TIMEZONE: Specifies the time zone used to format the event receive time in the exported event files. The format is "{+|-}TZ", for example, "-8" means Pacific standard time, "+5:30" means India standard time.
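As an added example (not Fortinet's code and not part of the original article), a small Python wrapper that assembles the phExportEvent command line from the parameters above and rejects time-limit combinations or time formats the usage text does not allow. The function and constant names are this example's own; executing the result assumes it runs on a supervisor or worker where phExportEvent is installed.

```python
import re
from typing import List, Optional

# Formats taken from the usage text above:
#   <TIME>          "YYYY-MM-DD hh:mm:ss[+-]TZ"  (TZ such as -7, -8 or +5:30; a space before TZ is accepted)
#   <RELATIVE_TIME> Num(d|h|m)
ABS_TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}( ?[+-]\d{1,2}(:\d{2})?)?$")
REL_TIME_RE = re.compile(r"^\d+[dhm]$")
TZONE_RE = re.compile(r"^[+-]\d{1,2}(:\d{2})?$")

# The only time-limit combinations the usage text lists as valid
# (tuple order: starttime, relstarttime, endtime, relendtime given?)
VALID_TIME_LIMITS = {
    (True, False, True, False),   # --starttime + --endtime
    (False, True, True, False),   # --relstarttime + --endtime
    (True, False, False, True),   # --starttime + --relendtime
}

def build_phexportevent_cmd(dest: str, starttime: Optional[str] = None, relstarttime: Optional[str] = None,
                            endtime: Optional[str] = None, relendtime: Optional[str] = None,
                            devs: Optional[List[str]] = None, orgs: Optional[List[str]] = None,
                            tzone: Optional[str] = None) -> List[str]:
    """Return the phExportEvent argv (list form, so times with spaces need no shell quoting)."""
    times = [("--starttime", starttime, ABS_TIME_RE), ("--relstarttime", relstarttime, REL_TIME_RE),
             ("--endtime", endtime, ABS_TIME_RE), ("--relendtime", relendtime, REL_TIME_RE)]
    if tuple(v is not None for _, v, _ in times) not in VALID_TIME_LIMITS:
        raise ValueError("time limit must be starttime+endtime, relstarttime+endtime or starttime+relendtime")
    # Exported files contain raw messages, so --dest should be a directory with restricted permissions.
    argv = ["phExportEvent", "--dest", dest]
    for flag, value, pattern in times:
        if value is not None:
            if not pattern.match(value):
                raise ValueError(f"{flag} {value!r} does not match the expected format")
            argv += [flag, value]
    if devs:
        argv += ["--dev", ",".join(devs)]        # one option, comma-separated host names / IPs
    for org in orgs or []:
        argv += ["--org", org]                   # repeated once per organization (SP mode only)
    if tzone is not None:
        if not TZONE_RE.match(tzone):
            raise ValueError(f"-tzone {tzone!r} must look like -8 or +5:30")
        argv += ["-tzone", tzone]                # spelled as in the usage line
    return argv

if __name__ == "__main__":
    # Reproduces the article's example; pass the list to subprocess.run() to execute it.
    print(build_phexportevent_cmd("/home/admin", starttime="2010-10-18 11:00:00-7",
                                  endtime="2010-10-18 12:00:00-7", orgs=["Super", "customer111"]))
```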
