Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: getting logs from forti analyzer
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
getting logs from forti analyzer
hello, i have problem when i getting log from FortiAnalyzer
This function is designed to retrieve logs from FortiAnalyzer and extract the application names from those logs.
However, I'm encountering an issue where not all logs are being retrieved consistently.
Some get log requests return the expected results, while others fail without any clear reason.
def process_logs_for_policy_two_interfaces(policies_two_interfaces, src_interface_name, des_interface_name, offset, last_offset):
# Ensure policies_one_interface is always a list
global error_count
if isinstance(policies_two_interfaces, dict): # If a single policy is passed
policies_two_interfaces = [policies_two_interfaces] # Convert it to a list
session_token = None
# Check for existing policies before logging in
policies_to_process = []
for policy in policies_two_interfaces[:]: # Use a slice to iterate over a copy of the list
policy_name = policy["name"]
policy_id = policy["policyid"]
existing_policy = check_existing_policy(policy_id)
state = save_to_excel_for_two_interfaces(src_interface_name, des_interface_name, policy_id, "",
policy_name, "", "", "")
if existing_policy:
print( f"Policy name '{policy_name}' already exists in sheet '{existing_policy['sheet_name']}'. Reusing data...")
# Extract the row data (excluding the interface name)
row_data = existing_policy["row_data"]
policy_name = row_data[1] # Policy Name
app_unknown = row_data[3] # Unknown Apps
total_logs = row_data[4] # total logs
offset_policy = row_data[5] # offset
all_app_name = row_data[6:] # App Names
# Save the policy with the new interface name
state = save_to_excel_for_two_interfaces(src_interface_name, des_interface_name, policy_id, all_app_name,
policy_name, app_unknown, total_logs, offset_policy)
if state:
break
else:
# Add the policy to the list of policies to process
policies_to_process.append(policy)
# If no policies need processing, exit early
if not policies_to_process:
print("All policies already exist in the Excel file. No processing needed.")
return
# Login to FortiAnalyzer (only if there are policies to process)
login_payload = {
"method": "exec",
"params": [
{
"data": {
"user": f"{analyzer_username}", # Replace with your analyzer_username if needed
"passwd": f"{analyzer_password}" # Replace with your analyzer_password if needed
},
"url": "/sys/login/user"
}
],
"id": 1
}
print("Logging in to FortiAnalyzer...")
attempt_login = 0
max_retry = 2
retry_delay = 5 # Delay between retries in seconds
while attempt_login <= max_retry:
try:
login_resp = requests.post(base_analyzer_url, json=login_payload, verify=False)
login_resp.raise_for_status() # Raise an exception for HTTP errors
login_data = login_resp.json()
session_token = login_data.get("session")
if session_token:
print(f"Login successful! Session token: {session_token}")
break # Exit the retry loop if login is successful
else:
print("Failed to retrieve session token.")
except requests.exceptions.RequestException as e:
print(f"Failed to connect to FortiAnalyzer: {e}")
attempt_login += 1
if attempt_login <= max_retry:
print(f"Retrying in {retry_delay} seconds...")
time.sleep(retry_delay)
if not session_token:
print("Max retries reached. Unable to log in. Exiting.")
return
print(f"Session token: {session_token}")
# Process only the policies that need to be processed
for policy in policies_to_process:
all_app_name = set()
policy_name = policy["name"]
policy_id = policy["policyid"]
app_unknown = 0
print(f"Processing logs for policy: {policy_name} (Policy ID: {policy_id})")
attempt_search = 0
# Create a log search task for the policy
search_payload = {
"id": "123456789",
"jsonrpc": "2.0",
"method": "add",
"params": [
{
"apiver": 3,
"case-sensitive": False,
"device": [
{"devid": f"{device_id}"} # Replace with your device ID
],
"filter": f"policyid=={policy_id}", # Filter by policy ID
"logtype": "traffic", # Log type is traffic
"time-order": "desc",
"url": f"/logview/adom/{adom}/logsearch",
}
],
"session": session_token
}
while attempt_search <= max_retry:
try:
print("\nCreating search task...")
search_resp = requests.post(base_analyzer_url, json=search_payload, verify=False)
search_data = search_resp.json()
tid = search_data.get("result", {}).get("tid")
if tid:
print(" create search task. 'tid' found.")
break
else:
print("Failed to retrieve 'tid' token.")
except requests.exceptions.RequestException as e:
print(f"Failed to connect to FortiAnalyzer to get 'tid': {e}")
attempt_search += 1
if attempt_search <= max_retry:
print(f"Retrying in {retry_delay} seconds...")
time.sleep(retry_delay)
if not tid:
print("Max retries reached. Unable to get 'tid'. Exiting.")
return
print(f"Search task created with tid: {tid}")
# Poll for search task completion
logs_payload = {
"id": "123456789",
"jsonrpc": "2.0",
"method": "get",
"params": [
{
"apiver": 3,
"offset": 0,
"limit": 1000,
"url": f"/logview/adom/{adom}/logsearch/{tid}"
}
],
"session": session_token
}
print("\nPolling for search task progress...")
total_logs = 0
max_poll_attempts = 60 # Maximum 1 minute wait (60 attempts * 1 second)
poll_attempt = 0
while poll_attempt < max_poll_attempts:
try:
count_resp = requests.post(base_analyzer_url, json=logs_payload, verify=False,timeout=10)
count_resp.raise_for_status() # Raise HTTP errors
count_data = count_resp.json()
result = count_data.get("result", {})
progress = result.get("percentage", 0)
total_logs = result.get("total-count", 0)
task_status = result.get("status", "")
print(f"Progress: {progress}%, Total logs: {total_logs}, Status: {task_status}")
# Break conditions
if progress == 100:
print("Search task completed successfully")
break
if total_logs >= last_offset:
print(f"Reached target log count: {total_logs}")
break
if task_status == "error":
print("Search task failed")
break
except Exception as e:
print(f"Polling error: {str(e)}")
if "session" in str(e).lower():
# Session likely expired - refresh and retry
logs_payload["session"] = session_token
poll_attempt += 1
time.sleep(1) # Polling interval
else:
print(f"Max polling attempts reached ({max_poll_attempts}) without completion")
# Handle timeout case (cancel task, etc.)
return
# Final adjustment of last_offset
if 0 < total_logs < last_offset:
print(f"Adjusting last_offset from {last_offset} to {total_logs}")
last_offset = total_logs
elif total_logs == 0:
last_offset = total_logs
print("Warning: No logs found for this policy")
# Retrieve logs using pagination
all_logs = []
limit = 1000 # Use 1000 logs per page
max_attempts = 2 # Maximum attempts to retry fetching logs
error_count = 0
print("\nRetrieving logs in pages...")
while offset < last_offset :
logs_payload = {
"id": "123456789",
"jsonrpc": "2.0",
"method": "get",
"params": [
{
"apiver": 3,
"offset": offset,
"limit": limit,
"url": f"/logview/adom/{adom}/logsearch/{tid}"
}
],
"session": session_token
}
# Retry mechanism for fetching logs
attempt = 0
while attempt < max_attempts:
logs_resp = requests.post(base_analyzer_url, json=logs_payload, verify=False)
time.sleep(1)
logs_resp = requests.post(base_analyzer_url, json=logs_payload, verify=False)
logs_data = logs_resp.json()
data = logs_data["result"].get("data", [])
if len(data) == 0:
print(f"Error fetching logs at offset {offset}")
if attempt == 2:
state = save_offset_error_to_excel(src_interface_name, des_interface_name, policy_name, policy_id,offset, 2)
if state:
offset+= limit
break
error_count += 1
attempt += 1
time.sleep(5) # Wait before retrying
continue
if state:
break
all_logs.extend(data)
for log in all_logs:
if 'app' in log and 'appid' in log and 'appcat' in log:
app_name_with_id = f"{log['app'].lower()} ({log['appid']})" # Combine app name and app ID
all_app_name.add(app_name_with_id) # Add to the set
else:
app_unknown += 1
all_logs.clear()
break # Exit the retry loop if data is fetched successfully
print(
f"Retrieved {len(data)} logs at offset {offset} %{int(100 * (offset + len(data)) / last_offset)} | app name:{all_app_name}")
# Save progress after processing each offset
save_state = save_to_excel_for_two_interfaces(src_interface_name, des_interface_name, policy_id, all_app_name,
policy_name, app_unknown, last_offset, offset + limit)
if save_state:
break
offset += len(data) # Move to the next batch
print(f"\nTotal logs retrieved for policy {policy_name}: {last_offset}")
print(f"Total unique app names found: {len(all_app_name)}")
print(f"Total logs with unknown app: {app_unknown}\n")
if error_count == 0 :
# Save app names to Excel
save_state = save_to_excel_for_two_interfaces(src_interface_name, des_interface_name, policy_id, all_app_name,
policy_name, app_unknown, last_offset, offset, is_finished=True)
if save_state:
break
# Remove values for all_app_name and app_unknown for the next policy
all_app_name.clear()
# Delete the search task (cleanup)
delete_payload = {
"session": session_token,
"id": "123456789",
"jsonrpc": "2.0",
"method": "delete",
"params": [
{
"apiver": 3,
"url": f"/logview/adom/{adom}/logsearch/{tid}"
}
]
}
attempt_delete = 0
while attempt_delete <= max_retry:
try:
print("\nDeleting search task...")
delete_resp = requests.post(base_analyzer_url, json=delete_payload, verify=False)
delete_data = delete_resp.json()
if delete_data:
print("\nDeleted search task...")
break
else:
print("Failed to Deleting search task.")
except requests.exceptions.RequestException as e:
print(f"Failed to connect to FortiAnalyzer to Deleting search task: {e}")
attempt_delete += 1
if attempt_delete <= max_retry:
print(f"Retrying in {retry_delay} seconds...")
time.sleep(retry_delay)
if not delete_data:
print("Max retries reached. Unable to delete search task. Exiting.")
return
print("Deleted search task...")
# Logout from FortiAnalyzer with retry mechanism
logout_payload = {
"method": "exec",
"params": [
{
"url": "/sys/logout"
}
],
"session": session_token,
"id": 2
}
print("\nLogging out...")
attempt_logout = 0
max_retry = 2
retry_delay = 5 # Delay between retries in seconds
while attempt_logout <= max_retry:
try:
logout_resp = requests.post(base_analyzer_url, json=logout_payload, verify=False)
logout_resp.raise_for_status() # Raise an exception for HTTP errors
logout_data = logout_resp.json()
if logout_data:
print("Logout successful!")
break
else:
print("Failed to logout.")
except requests.exceptions.RequestException as e:
print(f"Failed to log out: {e}")
attempt_logout += 1
if attempt_logout <= max_retry:
print(f"Retrying in {retry_delay} seconds...")
time.sleep(retry_delay)
if attempt_logout > max_retry:
print("Max retries reached. Unable to log out.")
this part related to get logs request
# Retrieve logs using pagination
all_logs = []
limit = 1000 # Use 1000 logs per page
max_attempts = 2 # Maximum attempts to retry fetching logs
error_count = 0
print("\nRetrieving logs in pages...")
while offset < last_offset :
logs_payload = {
"id": "123456789",
"jsonrpc": "2.0",
"method": "get",
"params": [
{
"apiver": 3,
"offset": offset,
"limit": limit,
"url": f"/logview/adom/{adom}/logsearch/{tid}"
}
],
"session": session_token
}
# Retry mechanism for fetching logs
attempt = 0
while attempt < max_attempts:
logs_resp = requests.post(base_analyzer_url, json=logs_payload, verify=False)
time.sleep(1)
logs_resp = requests.post(base_analyzer_url, json=logs_payload, verify=False)
logs_data = logs_resp.json()
data = logs_data["result"].get("data", [])
if len(data) == 0:
print(f"Error fetching logs at offset {offset}")
if attempt == 2:
state = save_offset_error_to_excel(src_interface_name, des_interface_name, policy_name, policy_id,offset, 2)
if state:
offset+= limit
break
error_count += 1
attempt += 1
time.sleep(5) # Wait before retrying
continue
if state:
break
all_logs.extend(data)
for log in all_logs:
if 'app' in log and 'appid' in log and 'appcat' in log:
app_name_with_id = f"{log['app'].lower()} ({log['appid']})" # Combine app name and app ID
all_app_name.add(app_name_with_id) # Add to the set
else:
app_unknown += 1
all_logs.clear()
break # Exit the retry loop if data is fetched successfully
print(
f"Retrieved {len(data)} logs at offset {offset} %{int(100 * (offset + len(data)) / last_offset)} | app name:{all_app_name}")
Labels:
- Labels:
-
API
-
FortiAnalyzer
-
FortiGate
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Anthony-Fortinet Community Team.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
We are still looking for an answer to your question.
We will come back to you ASAP.
Thanks,
Jean-Philippe - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Mohammed,
I have found this solution, can you tell me if it helps?
To troubleshoot the issue of inconsistent log retrieval from FortiAnalyzer, follow these steps:
- Check FortiAnalyzer Configuration:
- Ensure that the FortiAnalyzer is properly configured to receive logs from the devices.
- Verify that the devices are correctly sending logs to the FortiAnalyzer.
2. Verify API Requests:
- Ensure that the API requests are correctly formatted and include all necessary parameters.
- Check that the `session_token` is valid and not expired.
3. Review Error Handling:
- Implement robust error handling to capture and log any exceptions or errors during API requests.
- Ensure that retries are properly managed and do not exceed the maximum allowed attempts.
4. Check Network Connectivity:
- Verify network connectivity between the script and the FortiAnalyzer.
- Ensure no network issues or firewalls are blocking the requests.
5. Inspect Log Search Task:
- Confirm that the log search task is created successfully and returns a valid `tid`.
- Monitor the progress of the search task and ensure it completes without errors.
6. Pagination and Offset Management:
- Ensure that the pagination logic is correctly implemented and offsets are managed properly.
- Verify that the `offset` and `limit` values are set correctly to retrieve all logs.
7. Debugging and Logging:
- Add detailed logging to capture the flow of the script and identify where it fails.
- Use print statements or a logging framework to track the progress and any issues encountered.
8. Review FortiAnalyzer Logs: Check the FortiAnalyzer logs for any errors or warnings that might indicate issues with log retrieval. By following these steps, you should be able to identify and resolve the issue with inconsistent log retrieval from FortiAnalyzer. If the problem persists, consider reaching out to Fortinet support for further assistance.
Jean-Philippe - Fortinet Community Team
Labels
-
FortiGate
10,495 -
FortiClient
2,131 -
FortiManager
883 -
5.2
687 -
FortiAnalyzer
672 -
5.4
638 -
FortiSwitch
575 -
FortiAP
561 -
FortiClient EMS
551 -
6.0
416 -
IPsec
404 -
FortiMail
371 -
SSL-VPN
370 -
5.6
362 -
FortiNAC
277 -
6.2
251 -
FortiWeb
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
190 -
FortiAuthenticator
168 -
FortiGuard
159 -
5.0
152 -
Firewall policy
141 -
6.4
128 -
FortiGate-VM
125 -
FortiCloud Products
116 -
FortiGateCloud
112 -
FortiSIEM
111 -
FortiToken
110 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
72 -
DNS
71 -
SAML
70 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
67 -
BGP
66 -
Authentication
64 -
Certificate
61 -
RADIUS
58 -
LDAP
57 -
SSO
54 -
FortiSandbox
53 -
FortiLink
53 -
FortiExtender
51 -
NAT
51 -
4.0MR3
49 -
FortiDNS
44 -
VDOM
44 -
Application control
44 -
Interface
42 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
SNMP
25 -
SSID
25 -
Static route
25 -
Traffic shaping
24 -
API
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSOAR
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
FortiRecorder
11 -
Users
11 -
Port policy
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
Authentication rule and scheme
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
FortiAI
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
FortiAIOps
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Virtual wire pair
1 -
FortiEdge
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2534 | |
| 1351 | |
| 795 | |
| 641 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.