Next-Generation Firewall
Retrieve Logs
The following table describes the log types you can retrieve and the other parameters a log request accepts. The example after the table walks through an asynchronous request that retrieves traffic logs: create the job, poll it with the returned job ID, and optionally cancel it.
| Parameter | Description |
|---|---|
| log-type | The type of logs to retrieve (for example, traffic, as used in the example below). |
| query | (Optional) The match criteria for the logs. This is the same kind of query you enter in the web interface under the Monitor tab when viewing logs. The query must be URL encoded. |
| nlogs | (Optional) The number of logs to retrieve. The default is 20 when the parameter is not specified. The maximum is 5000. |
| skip | (Optional) The number of logs to skip before returning results. The default is 0. This is useful when retrieving logs in batches: each batch skips the logs already retrieved by the previous one. |
| dir | (Optional) Whether logs are returned oldest first (forward) or newest first (backward). The default is backward. |
| action | (Optional) Log data can be large, so the API uses an asynchronous job-scheduling approach to retrieve it. The initial query returns a job ID (job-id) that you use in subsequent requests with the action parameter: get retrieves the job's results, finish cancels the job (both are shown in the example below). |

Learn more about Asynchronous and Synchronous Requests to the PAN-OS XML API.
1. Create a job to retrieve all traffic logs that occurred after a certain time:

```shell
curl -X POST "https://firewall/api?type=log&log-type=traffic&query=(receive_time%20geq%20'2012/06/22%2008:00:00')"
```

   A web browser URL-encodes the parameters automatically, but when using cURL you must URL encode the query parameter yourself (above, the spaces in the query are encoded as %20). Note that the query must also be quoted so the shell does not interpret the parentheses and spaces.

   Response:

```xml
<response status="success" code="19">
  <result>
    <msg>
      <line>query job enqueued with jobid 18</line>
    </msg>
    <job>18</job>
  </result>
</response>
```

2. Retrieve the traffic log data with the following request, using the job ID returned in the previous response as the value of job-id:

```shell
curl -X POST "https://firewall/api?type=log&action=get&job-id=<id>"
```

   Confirm that the XML response looks similar to the following (the response is shown truncated after the first fields of the first entry):

```xml
<response status="success">
  <result>
    <job>...</job>
    <log>
      <logs count="20" progress="100">
        <entry logid="5753304543500710425">
          <domain>1</domain>
          <receive_time>2012/06/13 15:43:17</receive_time>
          <serial>001606000117</serial>
          <seqno>6784588</seqno>
          <actionflags>0x0</actionflags>
          <type>TRAFFIC</type>
          <subtype>start</subtype>
          <config_ver>1</config_ver>
          <time_generated>2012/06/13 15:43:17</time_generated>
          <src>172.16.1.2</src>
          <dst>10.2.0.246</dst>
          <natsrc>10.26.0.96</natsrc>
          <natdst>10.2.0.246</natdst>
          <rule>default allow</rule>
```

   When the job status is FIN (finished), the response includes all the logs in the XML data. The <log> node is not present while the job status is still pending, so poll with action=get until it appears. After successful log data retrieval, the system automatically deletes the job.

3. (Optional) Delete an active log retrieval job. To cancel a job that is still running, send the following request:

```shell
curl -X POST "https://firewall/api?type=log&action=finish&job-id=<id>"
```

   A successful completion returns a job ID.
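The following Python client is an added example, not code from the original page or from Palo Alto Networks; it ties the steps above together and handles the two things the prose only mentions: the query must be URL encoded, and a pending job returns no <log> node. It enqueues a job, polls action=get until the logs appear, pages through results with nlogs/skip (capped at the documented maximum of 5000), and cancels the job with action=finish if polling times out so that abandoned jobs are not left on the firewall. The transport is a caller-supplied `send(url)` function so the flow can be exercised offline; the `make_fake_send` helper and the three XML responses are constructed to match the shapes shown on this page (the second log entry is made up). Authentication is not covered by this page; the example assumes the real `send` adds the API key, for instance as the `X-PAN-KEY` header rather than as a `key=` URL parameter, which keeps the key out of proxy and web-server logs.

```python
"""Added example: drive the PAN-OS XML API log job workflow (enqueue, poll, page, cancel).

Not from the original page. Assumes a caller-supplied send(url) -> str transport that
performs the HTTPS POST and adds the API key (e.g. X-PAN-KEY header; an assumption).
"""
import time
import urllib.parse
import xml.etree.ElementTree as ET

NLOGS_MAX = 5000  # documented ceiling for the nlogs parameter


def build_url(base_url, params):
    """URL-encode every parameter. cURL does not do this for you, so a query like
    (receive_time geq '2012/06/22 08:00:00') must be percent-encoded before sending."""
    qs = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    return f"{base_url}/api?{qs}"


def _result(xml_text):
    """Parse an API response and raise on status != success."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        detail = " ".join(root.itertext()).strip()
        raise RuntimeError(f"API error code={root.get('code')}: {detail}")
    return root


def enqueue_log_job(send, base_url, log_type, query=None, nlogs=20, skip=0, direction="backward"):
    """Create the asynchronous log job and return its job ID."""
    if not 1 <= nlogs <= NLOGS_MAX:
        raise ValueError(f"nlogs must be between 1 and {NLOGS_MAX}")
    params = {"type": "log", "log-type": log_type, "nlogs": nlogs, "skip": skip, "dir": direction}
    if query:
        params["query"] = query
    return int(_result(send(build_url(base_url, params))).findtext("./result/job"))


def get_job_logs(send, base_url, job_id):
    """One action=get call. Returns (finished, entries); <log> is absent while pending."""
    root = _result(send(build_url(base_url, {"type": "log", "action": "get", "job-id": job_id})))
    logs = root.find("./result/log/logs")
    if logs is None or int(logs.get("progress", "0")) < 100:
        return False, []
    entries = []
    for e in logs.findall("entry"):
        entry = {"logid": e.get("logid")}
        entry.update((child.tag, (child.text or "").strip()) for child in e)
        entries.append(entry)
    return True, entries


def finish_job(send, base_url, job_id):
    """Cancel a job that is still running (action=finish)."""
    _result(send(build_url(base_url, {"type": "log", "action": "finish", "job-id": job_id})))


def fetch_logs(send, base_url, log_type, query=None, batch=NLOGS_MAX, poll=1.0, timeout=120, sleep=time.sleep):
    """Page through all matching logs with nlogs/skip, polling each job until it finishes.
    Bound the query by receive_time: skip-based paging over a live log stream can drift."""
    collected, skip = [], 0
    while True:
        job = enqueue_log_job(send, base_url, log_type, query, nlogs=batch, skip=skip)
        deadline = time.monotonic() + timeout
        while True:
            finished, entries = get_job_logs(send, base_url, job)
            if finished:
                break
            if time.monotonic() > deadline:
                finish_job(send, base_url, job)  # do not leave an abandoned job on the firewall
                raise TimeoutError(f"log job {job} did not finish within {timeout}s")
            sleep(poll)
        collected.extend(entries)  # a finished job is deleted by the system; no cleanup needed
        if len(entries) < batch:   # short page: no more logs to fetch
            return collected
        skip += batch


# Constructed responses matching the shapes on this page (second entry is made up).
ENQUEUE_XML = ('<response status="success" code="19"><result><msg>'
               '<line>query job enqueued with jobid 18</line></msg><job>18</job></result></response>')
PENDING_XML = '<response status="success"><result><job><id>18</id></job></result></response>'
FIN_XML = ('<response status="success"><result><job><id>18</id><status>FIN</status></job>'
           '<log><logs count="2" progress="100">'
           '<entry logid="5753304543500710425"><receive_time>2012/06/13 15:43:17</receive_time>'
           '<type>TRAFFIC</type><subtype>start</subtype><src>172.16.1.2</src>'
           '<dst>10.2.0.246</dst><rule>default allow</rule></entry>'
           '<entry logid="5753304543500710426"><receive_time>2012/06/13 15:43:18</receive_time>'
           '<type>TRAFFIC</type><subtype>end</subtype><src>172.16.1.3</src>'
           '<dst>10.2.0.246</dst><rule>default allow</rule></entry>'
           '</logs></log></result></response>')


def make_fake_send(responses):
    """Constructed offline transport: returns canned XML in order and records the URLs."""
    calls = []

    def send(url):
        calls.append(url)
        return responses[len(calls) - 1]

    send.calls = calls
    return send


def demo():
    send = make_fake_send([ENQUEUE_XML, PENDING_XML, FIN_XML])
    entries = fetch_logs(send, "https://firewall", "traffic",
                         "(receive_time geq '2012/06/22 08:00:00')", batch=20, sleep=lambda s: None)
    return send.calls, entries


if __name__ == "__main__":
    for url in demo()[0]:
        print(url)
```

Against a real firewall, replace `make_fake_send` with a function that does the POST (for example `requests.post(url, headers={"X-PAN-KEY": key}, verify=ca_bundle).text`, an assumed pattern) and keep `verify` pointing at the firewall's CA rather than disabling certificate checks.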