Management API "show logs" not working as expected (R80.40 last jumbo)

cjunior — Fri, 18 Jun 2021 13:53:31 GMT

Hello,

I hope you are doing well.

I'm trying to collect logs with paging, but it get wrong for sometimes . It starts fine at first page and after few collected pages, the result is an empty logs list although the logs-count parameter shows that there must be log entries.

I have no idea where to find the way to fix this issue.

First command run: (always OK for any filter values)

mgmt_cli show logs new-query.time-frame last-7-days new-query.max-logs-per-request 50 new-query.filter app_category:Spam --session-id VWxBmdBgKK0ZRCXteLAD3xQtajmIPEcfYC9uQXguyPs --version 1.6.1 --debug on --format json

Paging command: (OK till 3 or 4 attempts / Depends on filter or max-logs-per-request values informed)

mgmt_cli show logs query-id WEB_API_4bd6e105-3479-4737-8c07-3e937954b1aa --session-id VWxBmdBgKK0ZRCXteLAD3xQtajmIPEcfYC9uQXguyPs --version 1.6.1 --debug on --format json

API debug result (on fail):

Put into map [query-id]=[WEB_API_4bd6e105-3479-4737-8c07-3e937954b1aa] Command: 'show-logs', JSON Payload is: '{"query-id":"WEB_API_4bd6e105-3479-4737-8c07-3e937954b1aa"}' Command [show-logs] Adding version to the URL: [1.6.1] The URL with version [https://127.0.0.1:443/web_api/v1.6.1] URL [https://127.0.0.1:443/web_api/v1.6.1] Headers: [X-chkp-sid: VWxBmdBgKK0ZRCXteLAD3xQtajmIPEcfYC9uQXguyPs, Accept: application/json, user-agent: mgmt_cli, Content-Type: application/json] SendRequest Adding version to the URL: [1.6.1] The URL with version [https://127.0.0.1:443/web_api/v1.6.1] Full URL [https://127.0.0.1:443/web_api/v1.6.1/show-logs] Using internal Check Point certificate verification . . . Local fingerprint is equal to the remote one SSLCtxVerifyCB returns [true] CRestRequest::WriteData size=[1], nmemb=[17] received data = [HTTP/1.1 200 OK ] Data [HTTP/1.1 200 OK ] is written CRestRequest::WriteData size=[1], nmemb=[37] received data = [Date: Thu, 17 Jun 2021 19:45:38 GMT ] Data [Date: Thu, 17 Jun 2021 19:45:38 GMT ] is written CRestRequest::WriteData size=[1], nmemb=[14] received data = [Server: CPWS ] Data [Server: CPWS ] is written CRestRequest::WriteData size=[1], nmemb=[64] received data = [Strict-Transport-Security: max-age=31536000; includeSubDomains ] Data [Strict-Transport-Security: max-age=31536000; includeSubDomains ] is written CRestRequest::WriteData size=[1], nmemb=[29] received data = [X-Frame-Options: SAMEORIGIN ] Data [X-Frame-Options: SAMEORIGIN ] is written CRestRequest::WriteData size=[1], nmemb=[32] received data = [Content-Type: application/json ] Data [Content-Type: application/json ] is written CRestRequest::WriteData size=[1], nmemb=[32] received data = [X-UA-Compatible: IE=EmulateIE8 ] Data [X-UA-Compatible: IE=EmulateIE8 ] is written CRestRequest::WriteData size=[1], nmemb=[28] received data = [X-Forwarded-Host-Port: 443 ] Data [X-Forwarded-Host-Port: 443 ] is written CRestRequest::WriteData size=[1], nmemb=[28] received data = [Transfer-Encoding: chunked ] Data [Transfer-Encoding: chunked ] is written CRestRequest::WriteData size=[1], nmemb=[2] received data = [ ] Data [ ] is written CRestRequest::WriteData size=[1], nmemb=[102] received data = [{ "logs" : [ ], "logs-count" : 50, "query-id" : "WEB_API_4bd6e105-3479-4737-8c07-3e937954b1aa" } 0 ] Data [{ "logs" : [ ], "logs-count" : 50, "query-id" : "WEB_API_4bd6e105-3479-4737-8c07-3e937954b1aa" }] is written Send request succeeded. Response code [200] Success message [{ "logs" : [ ], "logs-count" : 50, "query-id" : "WEB_API_4bd6e105-3479-4737-8c07-3e937954b1aa" }] Error message [] Getvalue of parameter [task-id] from json Missing [task-id] field in json Getvalue of parameter [login-required] from json Missing [login-required] field in json Getvalue of parameter [tasks] from json Missing [tasks] field in json No task-id in response

Please help me with this.

Thank you in advance.

cjunior

Re: Management API "show logs" not working as expected (R80.40 last jumbo)

PhoneBoy — Fri, 18 Jun 2021 20:42:57 GMT

Just so I understand:

The initial query succeeds (which just sets up a task)
The first few queries to pull results based on task-id also succeeds.
After a few requests, the query to pull results fails.

Do I have that right?
Recommend a TAC case here.

Re: Management API "show logs" not working as expected (R80.40 last jumbo)

cjunior — Fri, 18 Jun 2021 21:14:38 GMT

Yes, you got it perfectly.

Now we realize that we have problem to get logs on EventLog or SmartView as well. It present log gaps for time frame or filter queries.

e.g.
#1 - "last-7-days" "app_category:Spam", we can see few logs not from today.

#2 - "today" "app_category:Spam": we can see few logs from today that not appears in query above.

#3 -"last-hour" "app_category:Spam": we can see few logs from last hour that not appears in "today" time frame.

In other words, the logs exists but sometimes cannot be retrieved due to some query issue.

Anyway, I'm to going to open a ticket on TAC.

Thank you for the help.

cjunior

Re: Management API "show logs" not working as expected (R80.40 last jumbo)

mohit_tater — Tue, 21 Sep 2021 13:46:27 GMT

hey @cjunior Did you find solution for this problem? I am facing a similar issue with show-logs management-api where I am not able to get the paged results.

Re: Management API "show logs" not working as expected (R80.40 last jumbo)

cjunior — Tue, 21 Sep 2021 16:51:18 GMT

Yes, if I'm not wrong, it was fixed by take 119 (related issues: PRJ-23820, PRHF-12659).
Regards.

topic Re: Management API "show logs" not working as expected (R80.40 last jumbo) in Firewall and Security Management

Management API "show logs" not working as expected (R80.40 last jumbo)

Re: Management API "show logs" not working as expected (R80.40 last jumbo)

Re: Management API "show logs" not working as expected (R80.40 last jumbo)

Re: Management API "show logs" not working as expected (R80.40 last jumbo)

Re: Management API "show logs" not working as expected (R80.40 last jumbo)