JozkoMrkvicka
Leader

API show logs

Hello guys,

I want to use the API call "show logs" to show me all logs. I want to see ALL logs, not only the last 100. Is that possible? Using the following commands I am able to get only 100 logs, not more (within a 7-day period):

mgmt_cli -s sid.txt show logs new-query.filter "src:10.20.30.40" new-query.time-frame last-7-days --format json
mgmt_cli -s sid.txt show logs query-id "$QUERYID" --format json

The variable QUERYID is fetched from the first API call.

The first 100 logs are shown, but then if I want to go to the "next page" I am getting the following from query-id:

{
  "logs" : [ ],
  "logs-count" : 100,
  "query-id" : "WEB_API_3eb4f228-abff-4cbf-83bb-377bcc3272ad"
}

There are for sure more than 100 logs (checked within SmartView and SmartConsole).

Running latest Take of R80.30.

Kind regards,
Jozko Mrkvicka
0 Kudos
7 Replies
Tal_Paz-Fridman
Employee

Looking at the Management API Reference Guide it seems 100 is the limit:

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-logs~v1.8%20

[screenshot: show logs.JPG]

I'll forward this to R&D owners to see if this can be improved in future versions.

0 Kudos
JozkoMrkvicka
Leader

My guess would be that it is to not stress the API with huge output; therefore a maximum of 100 logs per call.

Anyway, I managed to handle it with an infinite loop (while true) where I am checking the "log-count" value. If it is less than 100, the log search is over.

Also the issue with the empty "query-id" was solved, but I don't know how 😄 Maybe the quotes were the issue...

I would like to have the same options as we have in the SmartView GUI. For example, you can choose which columns you want to export (not all, as in the API call). Something like "set log-template" where you will be able to add/remove columns according to your needs. Once set, add a mandatory parameter in "show logs" to include the log template.

Kind regards,
Jozko Mrkvicka
0 Kudos
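The paging loop described in the post above, written out as an added example (it is not code from this thread or from Check Point). It assumes the Web API endpoints /web_api/login and /web_api/show-logs, the X-chkp-sid session header, and the "logs", "logs-count" and "query-id" fields shown in the thread; the FakeLogServer class is a constructed stand-in for the management server so the loop can be run offline. The loop stops on the number of records actually returned rather than on "logs-count", which also handles the case reported later in the thread where the server keeps answering logs-count 100 with an empty "logs" list, and it caps the number of pages so a misbehaving server cannot spin forever.

```python
"""Page through every result of a Check Point management "show logs" query.

Added example, not code from the thread. Assumed: the /web_api/show-logs
endpoint, the X-chkp-sid header, and the response fields "logs",
"logs-count", "query-id". FakeLogServer is a constructed stand-in.
"""
import json
import ssl
import urllib.request
from typing import Any, Callable, Dict, Iterator, List

PAGE_SIZE = 100  # the server returns at most 100 logs per call

ApiCall = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def web_api_caller(base_url: str, sid: str, verify_tls: bool = True) -> ApiCall:
    """Return a callable that POSTs JSON to <base_url>/web_api/<command> with the session id."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab boxes with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def call(command: str, payload: Dict[str, Any]) -> Dict[str, Any]:
        req = urllib.request.Request(
            f"{base_url}/web_api/{command}",
            data=json.dumps(payload).encode(),
            headers={"Content-Type": "application/json", "X-chkp-sid": sid},
        )
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            return json.load(resp)

    return call


def iter_logs(call: ApiCall, filter_text: str, time_frame: str = "last-7-days",
              page_size: int = PAGE_SIZE, max_pages: int = 10_000) -> Iterator[Dict[str, Any]]:
    """Yield every record: one new-query call, then query-id calls until a short page."""
    payload: Dict[str, Any] = {"new-query": {"filter": filter_text, "time-frame": time_frame,
                                             "type": "logs", "max-logs-per-request": page_size}}
    for _ in range(max_pages):  # hard cap so a misbehaving server cannot loop forever
        resp = call("show-logs", payload)
        logs: List[Dict[str, Any]] = resp.get("logs") or []
        yield from logs
        # Decide on the records actually returned, not on "logs-count": the
        # thread shows the server reporting logs-count 100 with an empty list.
        if len(logs) < page_size:
            return
        payload = {"query-id": resp["query-id"]}
    raise RuntimeError(f"gave up after {max_pages} pages")


def fetch_all_logs(call: ApiCall, filter_text: str, **kw: Any) -> List[Dict[str, Any]]:
    """Collect the whole result set in memory (fine for thousands of records)."""
    return list(iter_logs(call, filter_text, **kw))


class FakeLogServer:
    """Constructed stand-in for the management server (no real data).

    Holds `total` records and serves PAGE_SIZE of them per call, per query-id.
    With stuck_after_first=True it mimics the symptom from the thread: every
    query-id call after the first page answers logs-count 100 but "logs": [].
    """

    def __init__(self, total: int, stuck_after_first: bool = False) -> None:
        self.records = [{"id": i, "src": "10.20.30.40", "blade": "Threat Emulation"}
                        for i in range(total)]
        self.stuck = stuck_after_first
        self.cursor: Dict[str, int] = {}

    def __call__(self, command: str, payload: Dict[str, Any]) -> Dict[str, Any]:
        assert command == "show-logs"
        if "new-query" in payload:
            qid = f"WEB_API_{len(self.cursor)}"
            self.cursor[qid] = 0
        else:
            qid = payload["query-id"]
            if self.stuck:
                return {"logs": [], "logs-count": PAGE_SIZE, "query-id": qid}
        start = self.cursor[qid]
        page = self.records[start:start + PAGE_SIZE]
        self.cursor[qid] = start + len(page)
        return {"logs": page, "logs-count": len(page), "query-id": qid}


if __name__ == "__main__":
    # Offline run against the constructed server. Against a real box use
    # web_api_caller("https://<mgmt>", sid) with a sid from /web_api/login.
    print(len(fetch_all_logs(FakeLogServer(1543), "src:10.20.30.40")))  # 1543
```

The stop condition is a short page (fewer than page_size records), which covers the last partial page, an exact multiple of 100 (the next call returns an empty list), and the stuck query-id case; if the server ever returns a full page with no "query-id", the KeyError is the right failure rather than silently re-sending the new-query.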
Amir_Senn
Employee

After your initial command you will also get a session id/sid.

Please try this syntax:

mgmt_cli show-logs query-id <query-id> --session-id <session-id>

This should page further. You can repeat this command for further paging.

I think the session is alive for 600 seconds after your initial command + credentials.

Kind regards, Amir Senn
0 Kudos
mohit_tater
Explorer

I am also facing a similar issue with the show-logs API. Let's say I want to retrieve more than 100 logs, and I make an API call. The first call returns me the log-count (100), a list of log events (size 100) and a query-id.

I use this query-id to make a subsequent API call, and this call returns me log-count (100) but the list of logs is empty []. Any API call after this point behaves similarly.

payload for the first request:

{
  "new-query": {
    "time-frame": "custom",
    "custom-start": "2021-08-10T12:05:19.000Z",
    "custom-end": "2021-09-10T11:20:31+0000",
    "filter": "blade:\"Threat Emulation\"",
    "type": "logs",
    "max-logs-per-request": 100
  }
}

payload for subsequent requests:

{
  "query-id": "admin-api_cf0eac6a-883c-42e8-xxxxxxxxxxxxxxx"
}

I am not sure if I am doing something wrong here. Please help.
0 Kudos
PhoneBoy
Admin

Recommend a TAC case.

0 Kudos
Amir_Senn
Employee

I think it will show you a maximum of 100 logs per request regardless of the number of results.

I suggest you try a few things:

Make sure that in SmartConsole you have results for that filter and timeframe.

Try to drop the filter/timeframe and do the query again and see if you have results.

Kind regards, Amir Senn
0 Kudos
JozkoMrkvicka
Leader

I have to run the script several times in order to get the real logs based on the filter set.

Sometimes the output from "show logs" is only 100 logs, sometimes 300 logs, sometimes all logs (let's say I have 1543 logs for the filter in total).

Looks like the api call is warming up and is fully ready after multiple triggers 😄 Like starting your old car in the winter 😄

Kind regards,
Jozko Mrkvicka
0 Kudos