Hi.
We're developing a custom solution for a customer and we're trying to use the XML API to retrieve log data.
We're new to the Fortinet products and currently trying to get the correct data through trial and error.
We've managed to get one of the result sets with the searchFazLog request.
Unfortunately, we're struggling to find documentation on the syntax that the <searchCriteria> must be written in so we can filter the results more.
For instance, how do we correctly filter for values such as <searchCriteria>subtype=system AND date=2017-06-11</searchCriteria>?
Regards,
Hi there, because date is not a valid log field from FGT, you cannot search it directly, but you can use itime instead.
1. Convert your desired time to an epoch timestamp (please add your timezone), for example:
2017-06-11 00:00:59 -> 1497164400
2017-06-11 23:59:59 -> 1497250799
This can be done under Linux or on some websites.
2. Search for subtype=system itime<1497250799 itime>1497164400; we have to escape < as &lt; and > as &gt;.
So the final request will be like below:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:r20="http://r200806.ws.fmg.fortinet.com/">
  <soapenv:Header/>
  <soapenv:Body>
    <r20:searchFazLog>
      <!--Optional:-->
      <servicePass>
        <!--Optional:-->
        <userID>admin</userID>
        <!--Optional:-->
        <password></password>
      </servicePass>
      <!--Optional:-->
      <adom></adom>
      <!--Optional:-->
      <content>logs</content>
      <!--Optional:-->
      <format>rawFormat</format>
      <!--Optional:-->
      <deviceName>FGT70D3Z15002697</deviceName>
      <logType>event</logType>
      <!--Optional:-->
      <searchCriteria>subtype=system itime&lt;1497250799 itime&gt;1497164400</searchCriteria>
      <maxNumMatches>20</maxNumMatches>
      <startIndex>1</startIndex>
      <checkArchive>0</checkArchive>
      <!--Optional:-->
      <compression>tar</compression>
    </r20:searchFazLog>
  </soapenv:Body>
</soapenv:Envelope>
regards,
hz
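As an added example (not code from this thread), the following Python script carries out the two steps in the answer above: it computes the itime bounds for a calendar day in an explicit UTC offset (the answer's numbers correspond to UTC-7, which is assumed here) and builds the searchFazLog envelope as an element tree, so the < and > inside searchCriteria are serialised as &lt; and &gt; instead of being pasted raw into the XML. The namespace and device name are the thread's; the user and password arguments are placeholders.

```python
# Added example, not code from the thread: build the searchFazLog request from
# the accepted answer with the itime bounds computed and the criteria escaped.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
FAZ_NS = "http://r200806.ws.fmg.fortinet.com/"  # namespace from the thread's request


def day_bounds_epoch(day, utc_offset_hours):
    """First and last second of a calendar day as epoch timestamps.
    The offset is applied explicitly; the thread's numbers correspond to UTC-7 (assumed)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    start = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=tz)
    end = start + timedelta(days=1) - timedelta(seconds=1)
    return int(start.timestamp()), int(end.timestamp())


def build_criteria(subtype, day, utc_offset_hours):
    """Plain-text criteria string; escaping is left to the XML serialiser."""
    lo, hi = day_bounds_epoch(day, utc_offset_hours)
    return f"subtype={subtype} itime<{hi} itime>{lo}"


def build_request(user, password, device, log_type, criteria, max_matches=20):
    """Serialise the SOAP envelope. Building a tree instead of concatenating strings
    makes the serialiser emit &lt; and &gt; for the comparison operators."""
    ET.register_namespace("soapenv", SOAP_NS)
    ET.register_namespace("r20", FAZ_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    req = ET.SubElement(body, f"{{{FAZ_NS}}}searchFazLog")
    creds = ET.SubElement(req, "servicePass")
    ET.SubElement(creds, "userID").text = user
    ET.SubElement(creds, "password").text = password  # supply from a secret store, not a literal
    fields = [("adom", ""), ("content", "logs"), ("format", "rawFormat"),
              ("deviceName", device), ("logType", log_type),
              ("searchCriteria", criteria), ("maxNumMatches", str(max_matches)),
              ("startIndex", "1"), ("checkArchive", "0")]
    for tag, value in fields:
        ET.SubElement(req, tag).text = value
    return ET.tostring(env, encoding="unicode")


def criteria_in_request(xml_text):
    """Parse the serialised request back and return the decoded searchCriteria text."""
    return ET.fromstring(xml_text).find(".//searchCriteria").text
```

Calling build_request("admin", password, "FGT70D3Z15002697", "event", build_criteria("system", "2017-06-11", -7)) yields the envelope from the answer above, with the operators already escaped.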
Hi Barry,
I have the same question. Were you ever able to figure this out?
Thanks so much, That's exactly what I needed!
Thanks again,
Nick
Hi!
We're having trouble with the example above. No matter what I try to write in searchCriteria, the API returns no results.
Request:
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:namesp1="http://r200806.ws.fmg.fortinet.com/" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<soap:Body>
<namesp1:searchFazLog>
<servicePass>
<userID xsi:type="xsd:string">coolGuy</userID>
<password xsi:type="xsd:string">asdf1234</password>
</servicePass>
<adom xsi:type="xsd:string">root</adom>
<content xsi:type="namesp1:searchContent">logs</content>
<format xsi:type="namesp1:logFormats">rawFormat</format>
<deviceName xsi:type="xsd:string">firewall01</deviceName>
<logType xsi:type="namesp1:logTypes">traffic</logType>
<searchCriteria xsi:type="xsd:string">itime&gt;1509018316 itime&lt;1509018816</searchCriteria>
<maxNumMatches xsi:type="xsd:int">30</maxNumMatches>
<startIndex xsi:type="xsd:int">1</startIndex>
</namesp1:searchFazLog>
</soap:Body>
</soap:Envelope>
Answer:
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns1="http://jaxb.dev.java.net/array" xmlns:ns3="http://r200806.ws.fmg.fortinet.com/">
<SOAP-ENV:Body>
<ns3:searchFazLogResponse>
<errorMsg>
<errorCode>-104</errorCode>
<errorMsg>Can not find logs with criteria itime>1509018316 itime<1509018816
</errorMsg>
</errorMsg>
<totalResultsFound>0</totalResultsFound>
<matchesReturned>0</matchesReturned>
<startIndex>0</startIndex>
<logs/>
</ns3:searchFazLogResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Is there anything obvious we have missed?
Hi Jocar, what's your FAZ version? Can you see logs without search criteria? If you can, please go to Log View -> Traffic and
enter itime>1509018316 itime<1509018816
If you can see logs in the GUI but still get no logs via XML, please enable the debug below under the CLI, run the XML request, and attach the logs here:
dia de application fortimanagerws 8
dia de application sqlplugind 8
dia de en
regards,
hz
During the weekend our network guys upgraded the FAZ from 5.2.8 to 5.4.4 (via 5.2.10), and it now works just fine.
So it was probably an old bug related to the older version.
Off-topic: if CSV is specified (as "format"), we only receive a lot of "data":
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns1="http://jaxb.dev.java.net/array" xmlns:ns3="http://r200806.ws.fmg.fortinet.com/">
<SOAP-ENV:Body>
<ns3:searchFazLogResponse>
<errorMsg>
<errorCode>0</errorCode>
<errorMsg>searchFazLog successfully</errorMsg>
</errorMsg>
<totalResultsFound>300</totalResultsFound>
<matchesReturned>30</matchesReturned>
<startIndex>1</startIndex>
<logs>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
<data/>
</logs>
</ns3:searchFazLogResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Along with the date/time criteria, can we append the src IP, dst IP & service port as well?