Focus

Next-Generation Firewall

Retrieve Logs

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Importing Basics

PAN-OS XML API Use Cases

Retrieve Logs

The following table describes different available log types to retrieve and their other acceptable parameters. The example included after the table details the process for retrieving an Asynchronous web request to retrieve traffic logs.

Parameter	Description
log-type	The type of logs to retrieve: log-type=traffic—Traffic logs log-type=threat—Threat logs log-type=config—Config logs log-type=system—System logs log-type=hipmatch— GlobalProtect Host Information Profile (HIP) matching logs log-type=globalprotect— GlobalProtect logs log-type=wildfire—WildFire logs log-type=url—URL filtering logs log-type=data—Data filtering logs log-type=corr—Correlated event logs as seen in the user interface within MonitorAutomated Correlated EngineCorrelated Events. log-type=corr-detail—Correlated event details as seen in the user interface when you select an event within Monitor > Automated Correlated Engine > Correlated Events. log-type=corr-categ—Correlated events by category, currently compromised hosts seen within ACCThreat ActivityCompromised Hosts. log-type=userid—User-ID logs log-type=auth—Authentication logs log-type=gtp—GPRS Tunneling Protocol (GTP) logs log-type=external—External logs log-type=iptag—IP tag logs log-type=decryption — Decryption logs
query	( `Optional`) Specify the match criteria for the logs. This is similar to the query provided in the web interface under the Monitor tab when viewing the logs. The query must be URL encoded.
nlogs	( `Optional`) Specify the number of logs to retrieve. The default is 20 when the parameter is not specified. The maximum is 5000.
skip	( `Optional`) Specify the number of logs to skip when doing a log retrieval. The default is 0. This is useful when retrieving logs in batches where you can skip the previously retrieved logs.
dir	( `Optional`) Specify whether logs are shown oldest first (forward) or newest first (backward). Default isbackward.
action	( `Optional`) Log data sizes can be large so the API uses an asynchronous job scheduling approach to retrieve log data. The initial query returns a Job ID (job-id) that you can then use for future queries with theaction parameter: action=get—Check status of an active job or retrieve the log data when the status isFIN (finished). This is slightly different than the asynchronous approach to retrieve tech support data where a separate status action is available. action=finish—Stop an active job. Not specified—When not specified, such as during an initial query, the system creates a new job to retrieve log data. Learn more about Asynchronous and Synchronous Requests to the PAN-OS XML API.

Create a job to retrieve all traffic logs that occurred after a certain time:

curl -X POST 'https://firewall/api?type=log&log-type=traffic&query=(receive_time geq '2012/06/22 08:00:00')"

A web-browser will automatically URL encode the parameters, but when using cURL, the query parameter must be URL encoded.

Response:


						<response status="success" code="19">
  <result>
    <msg>
      <line>query job enqueued with jobid 18</line>
    </msg>
    <job>18</job>
  </result>
</response>

Retrieve traffic log data using the following request using the job ID as the value returned in the previous response:
```
curl -X POST 'https://firewall/api?type=log&action=get&job-id=<id>"
					
```

Confirm that the XML response looks similar to the following:


						<response status="success"">
							<result>
							<job>...</job>
							<log>
							<logs count="20" progress="100n>
							<entry logid="5753304543500710425"> <domain>1</domain> <receive_time>2012/06/13 15:43:17</receive_time> <serial>001606000117</serial> <segno>6784588</segno>
							<actionflags>0x0</actionflags> <type>TRAFFIC</type> <subtype>start</subtype> <config_ver>1</config_ver> <time_generated>2012/06/13 15:43:17</time_generated>
							<src>172.16.1.2</src> <dst>10.2.0.246</dst> <natsrc>10.26.0.96</natsrc> <natdst>10.2.0.246</natdst> <rule>default allow</rule>

When the job status is FIN (finished), the response automatically includes all the logs in the XML data response. The <log> node in XML is not present when the job status is still pending. After successful log data retrieval, the system automatically deletes the job.

( Optional) Delete and active log retrieval job.To delete an active log retrieval job, run the following query:
```
curl -X POST 'https://firewall/api?type=log&action=finish&job-id=<id>"
					
```
A successful completion returns a job ID.

Importing Basics

PAN-OS XML API Use Cases

Next-Generation Firewall Docs

Retrieve Logs

Next-Generation Firewall Docs

Retrieve Logs

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner