Laurent_Le_Foll
Explorer

R80.10 SmartView Web or SmartConsole: Exporting ALL filtered logs to CSV

Hello,

From SmartConsole -> Logs & Monitor -> Log view or from the SmartView Web interface, I would like to export all logs from a filtered log view to CSV. In both cases, I use the "Export to Excel" function but I have two different problems:

  • In SmartConsole, I only get the displayed logs in the CSV, not the complete list of filtered logs. Is there a way to change that?
  • In SmartView, I can choose the number of logs to export and I have figured out that the exported CSV is on the "New Tab" -> Archive but the CSV file only contains a very limited subset of fields. Is there a way to change the fields exported?

Thanks.

11 Replies
PhoneBoy
Admin

As far as I know, the "Export to CSV" option only exporting visible fields is a known limitation.

What fields do you want to see in SmartView that are not showing right now?

Laurent_Le_Foll
Explorer

I am currently working on SmartEvent policies (especially Scans, Denial of service, Anomalies policies) and I need to set detection thresholds. One way to adjust them is to use the "Max Num Count Detected" (max_num_count_detected) field we can find in correlated logs. Getting this field for a number of logs for given events could allow me to analyze current behaviours and define baseline thresholds adapted to my traffic.

I have tried to use "fwm logexport" on my log server and filter returned logs (grep, cut, ...) but it looks like "fwm logexport" returns an inconsistent line format in my case. For example, below is an extract of 3 lines in an export:

;udp;389;;;;;;;;;;2000;IP sweep from internal network;

;udp;389;;;;;;;2000;IP sweep from internal network;

;udp;389;;;;;2000;IP sweep from internal network;

On that part of the export, the number of empty fields is not always the same...

So as I have problems with fwm logexport for the time being, I am trying to figure out another way to export logs with all the fields I am interested in.

Thanks,

0 Kudos
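The baselining idea in the post above, as an added example that is not part of the original thread and not Check Point code: it reads a semicolon-delimited export, rejects rows whose field count does not match the header (the inconsistency described above), and reports a per-event percentile of max_num_count_detected. The header row, the column names other than max_num_count_detected, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import math
from collections import defaultdict

# Constructed sample, not real export output. The header row and every column
# name except max_num_count_detected are assumptions made for this example.
SAMPLE = """event_name;proto;service;max_num_count_detected
IP sweep from internal network;udp;389;2000
IP sweep from internal network;udp;389;1500
IP sweep from internal network;udp;389;;2300
Port scan;tcp;445;40
Port scan;tcp;445;55
Port scan;tcp;445;not-a-number
Port scan;tcp;445;90
"""


def percentile(values, pct):
    """Nearest-rank percentile of a non-empty list of numbers."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def baseline(text, pct=95, key="event_name", field="max_num_count_detected"):
    """Return ({event: stats}, [rejected line numbers]) for a ';' export."""
    reader = csv.reader(io.StringIO(text), delimiter=";")
    header = next(reader)
    key_idx, field_idx = header.index(key), header.index(field)
    counts, rejected = defaultdict(list), []
    for lineno, row in enumerate(reader, start=2):
        # A row whose field count differs from the header cannot be mapped to
        # columns reliably, so it is reported instead of being guessed at.
        if len(row) != len(header) or not row[field_idx].strip().isdigit():
            rejected.append(lineno)
            continue
        counts[row[key_idx]].append(int(row[field_idx]))
    stats = {
        name: {"n": len(v), "max": max(v), "pct": percentile(v, pct)}
        for name, v in counts.items()
    }
    return stats, rejected


if __name__ == "__main__":
    stats, rejected = baseline(SAMPLE)
    for name, s in stats.items():
        print(f"{name}: n={s['n']} p95={s['pct']} max={s['max']}")
    print("rejected lines:", rejected)
```

A high share of rejected lines means the export cannot be trusted for threshold tuning until the field layout is understood.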
PhoneBoy
Admin

fwm logexport output has historically varied.
For sure it only exports raw logs and not correlated events.

If I understand the problem you're trying to solve: You're trying to see how many of a given event is "normal" in your environment so you can adjust SmartEvent detection thresholds to a reasonable value.

I'll see if I can get R&D to provide some guidance here.

0 Kudos
Juan_Concepcion
Advisor

What is the default location where these files are saved? I have run this several times and cannot find the CSV file.

0 Kudos
PhoneBoy
Admin

When you ask for a CSV export, the request is queued and run.

These requests may take some time to run.

They may exist somewhere on the management server, but not sure where.

When the job is completed, you should be able to download said CSV file.

0 Kudos
Juan_Concepcion
Advisor

I have run several jobs, small jobs, and I get the notification that it was completed but no option to download or indication where the file is.

0 Kudos
PhoneBoy
Admin

I got one (see below).

But this was on R80.20 SmartView.

0 Kudos
Juan_Concepcion
Advisor

R80.20 works like a champ. The R80.10 is my challenge.

0 Kudos
Juan_Concepcion
Advisor

Figured it out. In R80.10 you do not get the option to download; instead you have to go to the “Archives” section under “New Tab Catalog” to download the reports created in SmartView:

Juan_Concepcion
Advisor

Under "New Tab Catalog" after you've run your export

0 Kudos
Juan_Concepcion
Advisor

Is there a way to disable resolution in SmartView as you do in SmartConsole Log?

 

--Juan

0 Kudos
