JozkoMrkvicka
Leader

API show logs

Hello guys,

I want to use the API call "show logs" to show me all logs. I want to see ALL logs, not only the last 100. Is that possible? Using the following commands I am able to get only 100 logs, not more (within a 7-day period):

mgmt_cli -s sid.txt show logs new-query.filter "src:10.20.30.40" new-query.time-frame last-7-days --format json
mgmt_cli -s sid.txt show logs query-id "$QUERYID" --format json

The variable QUERYID is fetched from the first API call.

The first 100 logs are shown, but then if I want to go to the "next page" I am getting the following from query-id:

{
  "logs" : [ ],
  "logs-count" : 100,
  "query-id" : "WEB_API_3eb4f228-abff-4cbf-83bb-377bcc3272ad"
}

There are for sure more than 100 logs (checked within SmartView and SmartConsole).

Running latest Take of R80.30.

Kind regards,
Jozko Mrkvicka
Tal_Paz-Fridman
Employee

Looking at the Management API Reference Guide it seems 100 is the limit:

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-logs~v1.8%20

[screenshot: show logs.JPG]

I'll forward this to R&D owners to see if this can be improved in future versions.
JozkoMrkvicka
Leader

My guess would be that it is not to stress the API with huge output, therefore a maximum of 100 logs per call.

Anyway, I managed to handle it with an infinite loop (while true) where I check the "log-count" value. If it is less than 100, the log search is over.

Also the issue with the empty "query-id" was solved, but I don't know how 😄 Maybe the quotes were the issue...

I would like to have the same options as we have in the SmartView GUI. For example, you can choose which columns you want to export (not all, like in the API call). Something like "set log-template" where you will be able to add/remove columns according to your needs. Once set, add a mandatory parameter in "show logs" to include the log template.

Kind regards,
Jozko Mrkvicka
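The paging loop described in the reply above (keep calling show-logs with the query-id until a page comes back short), written out as an added Python example that is not from this thread or from Check Point. The transport assumes the Web API layout POST https://<server>/web_api/<command> with an X-chkp-sid header; the fake server is constructed to mimic the replies shown in this thread, and the loop also stops on an empty logs list, the reply the first post received.

```python
import json
import urllib.request

PAGE_SIZE = 100  # per-call limit of show-logs, as observed in this thread

def fetch_all_logs(call, query_filter, time_frame="last-7-days", max_pages=10000):
    """Collect every log of one query by paging on its query-id. `call(command,
    payload)` does one Web API request and returns the parsed reply (injected, so
    this runs against a real server or the fake below). Paging stops at the first
    short or empty page, covering a reply with logs-count 100 but no logs."""
    page = call("show-logs", {"new-query": {"filter": query_filter,
                                            "time-frame": time_frame}})
    query_id = page.get("query-id")
    if not query_id:
        raise ValueError("show-logs returned no query-id; cannot page")
    logs = list(page.get("logs", []))
    pages = 1
    while page.get("logs") and page.get("logs-count", 0) >= PAGE_SIZE:
        if pages >= max_pages:  # guard against a server that never runs dry
            raise RuntimeError("gave up after %d pages" % pages)
        page = call("show-logs", {"query-id": query_id})
        logs.extend(page.get("logs", []))
        pages += 1
    return logs

def web_api_call(server, sid):
    """Transport for a real management server (assumed layout:
    POST https://<server>/web_api/<command>, session id in X-chkp-sid)."""
    def call(command, payload):
        url = "https://%s/web_api/%s" % (server, command)
        req = urllib.request.Request(url, data=json.dumps(payload).encode(),
            headers={"Content-Type": "application/json", "X-chkp-sid": sid})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return call

def make_fake_api(total):
    """Constructed stand-in for the server: `total` sample records served
    PAGE_SIZE at a time, with a cursor per query-id like the real API."""
    records = [{"id": i, "src": "10.20.30.40"} for i in range(total)]
    cursors = {}
    def call(command, payload):
        qid = payload.get("query-id") or "WEB_API_fake-%d" % len(cursors)
        start = cursors.setdefault(qid, 0)
        chunk = records[start:start + PAGE_SIZE]
        cursors[qid] = start + len(chunk)
        return {"logs": chunk, "logs-count": len(chunk), "query-id": qid}
    return call
```

Against a real server, pass `web_api_call("<mgmt-host>", "<sid>")` as `call`; the session must still be alive for every page, so log in and page in one go.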
Amir_Senn
Employee

After your initial command you will also get session id/sid.

Please try this syntax:

mgmt_cli show-logs query-id <query-id> --session-id <session-id>

This should page further. You can repeat this command for further paging.

I think the session is alive for 600 seconds after your initial command + credentials.

Kind regards, Amir Senn