smorandell
New Contributor

How to get all traffic logs by REST API?

Hi guys,
I am trying to get all forward traffic logs from the last 7 days via the REST API, filtered by specific policy IDs, but I only get the logs of a specific policy ID from the current second as a result (for example 2 log entries instead of over 1000). Does anyone have a solution to this problem?

I use the following path in the web browser:
https://<ip fortigate>/api/v2/log/disk/traffic/forward/system?access_token=...&filter=policyid==...

I also tried to use a timestamp in the path, but it didn't solve my problem.


thanks

smorandell
New Contributor

Additional information about the API request:

  "vdom":"root",
  "device":"disk",
  "category":"traffic",
  "subcategory":"forward",
  "start":1,
  "rows":400,
  "completed":2,
  "percent_logs_processed":2,
  "total_lines":4,
  "now":1734351608533,
  "ready":false,
  "status":"success",
  "version":"v7.2.9",

ebilcari

I did some tests with firmware 7.2.10 and by default it gets 400 rows. The value can also be increased, tested with 999 and got all the results in the output:
https://gw.eb.eu/api/v2/log/disk/traffic/forward/system?filter=policyid==19&rows=999

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
smorandell

Hi Emirjon,
I don't know why, but I don't get any logs.
The only result I get is:

{
  "http_method":"GET",
  "results":[
  ],
  "vdom":"root",
  "device":"disk",
  "category":"traffic",
  "subcategory":"forward",
  "start":1,
  "rows":999,
  "session_id":5382,
  "completed":2,
  "percent_logs_processed":2,
  "total_lines":0,
  "now":1734437234123,
  "ready":false,
  "status":"success",
  "version":"v7.2.9",
  "build":1688
}

Any ideas?

ebilcari

Have you verified in the Forward Traffic logs on the FGT whether there are entries for that specific Policy ID in location Disk?

[screenshot: disk-logs.PNG]

    ],
    "vdom": "root",
    "device": "disk",
    "category": "traffic",
    "subcategory": "forward",
    "start": 1,
    "rows": 999,
    "session_id": 42,
    "completed": 9,
    "percent_logs_processed": 9,
    "total_lines": 1787,
    "now": 1734439885868,
    "ready": true,
    "status": "success",
    "serial": "FGVM01.....",
    "version": "v7.2.10",
    "build": 1706
}
- Emirjon
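An added Python example (not from this thread or from Fortinet) that treats a response with "ready": false and a low "completed" value, like the one above, as a query still running on the box: it re-issues the query with the returned session_id until "ready": true and then pages through the result set with start/rows. The host name and token are placeholders, and both passing session_id back as a query parameter and bearer-header authentication are assumptions.

```python
import json
import time
import urllib.parse
import urllib.request

LOG_PATH = "/api/v2/log/{device}/traffic/forward/system"   # endpoint used in the thread


def build_log_url(host, filt, start=1, rows=400, session_id=0, device="disk", vdom="root"):
    # filter and rows appear in the thread; start and session_id are echoed in every
    # response. Passing session_id back as a query parameter is an assumption here.
    params = {"vdom": vdom, "filter": filt, "start": start, "rows": rows}
    if session_id:
        params["session_id"] = session_id
    return f"https://{host}{LOG_PATH.format(device=device)}?{urllib.parse.urlencode(params)}"


def http_get_json(url, token, timeout=30):
    # Send the token as a bearer header instead of access_token=... in the URL, so it is
    # not written to browser history, proxy logs or the httpsd debug trace.
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def fetch_policy_logs(host, policy_id, get_json, rows=400, max_polls=60, pause=1.0):
    """Return every forward-traffic log line for policy_id.

    get_json(url) -> dict is injected (e.g. lambda u: http_get_json(u, TOKEN)) so the
    polling logic can run offline. "ready": false with a low "completed" percentage
    means the box is still scanning disk logs: re-issue the query with its session_id
    until "ready": true, then page through the finished result set with start.
    """
    filt = f"policyid=={policy_id}"
    results, start, session_id = [], 1, 0
    for _ in range(max_polls):
        body = get_json(build_log_url(host, filt, start, rows, session_id))
        if body.get("status") != "success":
            raise RuntimeError(f"log API returned status {body.get('status')!r}")
        session_id = body.get("session_id", session_id)
        if not body.get("ready"):
            time.sleep(pause)           # still processing; keep the session and retry
            continue
        page = body.get("results", [])
        results.extend(page)
        if len(page) < rows or len(results) >= body.get("total_lines", 0):
            return results              # short page or all lines collected
        start += len(page)              # next page of the same session
    raise TimeoutError("log query did not become ready in time")
```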
ebilcari

Similar API queries exist for memory, fortianalyzer and forticloud, like:

https://gw.eb.eu/api/v2/log/memory/traffic/forward/system?filter=policyid==19&rows=999

- Emirjon
smorandell

Yes, there are more than 500 entries in the forward traffic logs on the FGT for that specific Policy ID.
If I filter the logs for that specific Policy ID, it takes a long time to load the logs.
The following message appears:
"Only 25 out of 500 results are available at this moment. Would you like to see the results now?"

It might be taking too long to retrieve the logs via the API? Is that possible?

ebilcari

It may be. You can try to enable debugs in FGT:

# dia de app httpsd -1
# dia de console timestamp enable
# dia de en

In the lab the request completes within a second:

2024-12-17 15:29:06 [httpsd 1183 - 1734445746 info] fweb_debug_init[451] -- New GET request for "/api/v2/log/disk/traffic/forward/system" from "10.0.0.2:52295"
2024-12-17 15:29:06 [httpsd 1183 - 1734445746 info] fweb_debug_init[453] -- User-Agent: "PostmanRuntime/7.43.0"
2024-12-17 15:29:06 [httpsd 1183 - 1734445746 info] fweb_debug_init[455] -- Handler "api_log-handler" assigned to request
2024-12-17 15:29:06 [httpsd 1183 - 1734445746 warning] api_access_check_for_api_key[687] -- API Key request authorized for gwapi from 10.0.0.2.
2024-12-17 15:29:06 [httpsd 1183 - 1734445746 info] api_store_parameter[332] -- add API parameter 'filter' (type=string)
2024-12-17 15:29:06 [httpsd 1183 - 1734445746 info] api_store_parameter[332] -- add API parameter 'rows' (type=int)
2024-12-17 15:29:06 [httpsd 1183 - 1734445746 info] endpoint_process_req_vdom[1024] -- new API request (action='?subtype',path=':source',name=':type',vdom='root',user='gwapi')
2024-12-17 15:29:06 [httpsd 1183 - 1734445746 info] api_v2_parse_filter[348] -- parsing single filter "policyid==19"
2024-12-17 15:29:06 [httpsd 1183 - 1734445746 info] api_v2_parse_filter_segment[287] -- parsing filter segment "policyid==19"
2024-12-17 15:29:06 [httpsd 1183 - 1734445746 info] api_v2_parse_filter_segment[319] -- found filter (key='policyid', operator='==', pattern='19')
2024-12-17 15:29:06 [httpsd 1183 - 1734445746 info] api_init_log_present_filter[1181] -- Set log params category=traffic.forward, device_id=1, start=1, row=999, session_id=0
2024-12-17 15:29:06 [httpsd 1183 - 1734445746 info] _build_filter[1003] -- Added filter value (0) policyid == 19
2024-12-17 15:29:07 [httpsd 1183 - 1734445747 info] endpoint_process_req_vdom[1030] -- completed API request (rss_pre=35712, rss_post=52176, rss_delta=16464)
2024-12-17 15:29:07 [httpsd 1183 - 1734445747 info] fweb_debug_final[319] -- Completed GET request for "/api/v2/log/disk/traffic/forward/system" (HTTP 200 OK)

- Emirjon
smorandell

No errors were found in the debugging information. I have opened a ticket with Fortinet.
