How-to fetch endpoint forensics reports on R80.20 programmatically

Fetching packet captures and reports via API is a feature supported in R80.10 JHF 112 and 121 only. The feature is expected in R80.10 JHF 169 and R80.20 JHF 47.

For those who simply cannot wait, I present the following stopgap solution:

  1. Authenticate to the smartlog server service listening on localhost to obtain an "FWMToken" value
    [Expert@stack-mgmt-a0:0]# netstat -antp |grep 18242
    tcp        0      0 127.0.0.1:18242             0.0.0.0:*                   LISTEN      3247/smartlog_serve
    [Expert@stack-mgmt-a0:0]#
    # authenticate and obtain FWMToken value
    curl_cli -v -d @fwm-login.xml 'http://127.0.0.1:18242/login' --user-agent "Apache-HttpClient/4.3.1 (java 1.5)" -H "RflId: 52ff49cf-6ef8-40df-a968-a1a9863b0a2b" -o fwm-login-resp.xml
    fwm_token=`xmllint --format --shell fwm-login-resp.xml <<< "cat //root/token/text()" |tail -n +2 |head -n -1`
    Content of fwm-login.xml:
    <login><user><![CDATA[admin]]></user><magic_number><![CDATA[CP_Etude_2055]]></magic_number><password><![CDATA[admin123]]></password><sso_token><![CDATA[]]></sso_token><get_all_columns_def /></login>
  2. Authenticate using mgmt_cli to obtain a "CPMToken" value
    # authenticate and obtain CPMToken value
    cpm_token=`mgmt_cli login -u admin -p admin123 --port 4434 |grep sid |awk -F ': ' '{print $2}' |sed 's:"::g'`
  3. Fetch an XML report blob from the smartlog server service
    # example values; in the script below they arrive as the positional parameters $1 and $2
    uid=A8571015-BF9A-492B-81D0-1D9EBCD6EB3F
    timestamp=`date -d '07/09/2019 12:00:00' +"%s"`

    # $1 - report uid
    # $2 - date - a unix timestamp that equals noon on the same day the event was created
    # fetch the XML report blob; both tokens travel in one cookie header
    export FETCH_PCAP_COOKIE="FWMToken=$fwm_token&CPMToken=$cpm_token"
    curl_cli -v 'http://127.0.0.1:18242/packet_capture?session_id=0&product=Forensics&module_name=stack-mgmt-a0&incid...' \
      --user-agent "Apache-HttpClient/4.3.1 (java 1.5)" -H "RflId: 52ff49cf-6ef8-40df-a968-a1a9863b0a2b" --cookie "${FETCH_PCAP_COOKIE}" -o "$1.xml"

    The complete request parameters:

    '?session_id=0&product=Forensics&module_name=stack-mgmt-a0&incident_uid='"$1"'&date='"$2"'&service=ignore&log_server=10.0.0.14'

    Note: module_name and log_server must be changed to the hostname and the log server IP of the management server you run this on, and incident_uid and date to the event you want; the remaining parameters can stay as shown. Bear in mind that this is an unsupported stopgap that talks to an internal interface, so it can stop working with any Jumbo Hotfix. Also, fwm-login.xml holds the admin password in clear text and mgmt_cli -p exposes it in the process list and shell history: restrict the file's permissions, delete it when you are done, and log the mgmt_cli session out afterwards (mgmt_cli logout).

  4. Extract and decode XML report blob content
    # extract the XML report blob and decode it
    xmllint --nocdata --format --shell $1.xml <<< "cat //blob/text()" |tail -n +2 |head -n -2 |base64 -d |base64 -d > $1.zip
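The four steps above wrapped into one bash script, as an added example (not Check Point's code and not part of the original post). It assumes the hostname stack-mgmt-a0 and log server 10.0.0.14 from the post, an "admin" user, and that mgmt_cli accepts --session-id for logout; the password is read from the terminal and fed to curl_cli on stdin instead of being written to fwm-login.xml. Network calls are confined to the get_* / fetch_* functions, and the parsing is done with tr/sed/grep/base64 only, so the offline_demo function can exercise it against constructed sample responses without a management server:

```shell
#!/bin/bash
# Added example, not Check Point's code. Hypothetical assumptions: MGMT_HOST and
# LOG_SERVER below, an "admin" user, and mgmt_cli accepting --session-id for logout.

MGMT_HOST="stack-mgmt-a0"                         # assumed module_name (this server's hostname)
LOG_SERVER="10.0.0.14"                            # assumed log server IP
RFL_ID="52ff49cf-6ef8-40df-a968-a1a9863b0a2b"
UA="Apache-HttpClient/4.3.1 (java 1.5)"
SMARTLOG="http://127.0.0.1:18242"                 # loopback only, see the netstat output above

# Text of the first <name>...</name> element in the XML on stdin, CDATA wrapper removed.
# Newlines are dropped first so a base64 blob that spans several lines comes back whole.
xml_text() {
  tr -d '\n' | sed 's/<!\[CDATA\[//g; s/\]\]>//g' \
    | grep -o "<$1>[^<]*</$1>" | head -n 1 \
    | sed "s/^<$1>//; s/<\/$1>\$//"
}

# The smartlog login document; the password goes via stdin, never into a file on disk.
# A password containing "]]>" would break the CDATA wrapper, so refuse it.
login_xml() {
  case "$2" in *']]>'*) echo "password contains ]]>" >&2; return 1;; esac
  printf '<login><user><![CDATA[%s]]></user><magic_number><![CDATA[CP_Etude_2055]]></magic_number><password><![CDATA[%s]]></password><sso_token><![CDATA[]]></sso_token><get_all_columns_def /></login>' "$1" "$2"
}

fwm_cookie() { printf 'FWMToken=%s&CPMToken=%s' "$1" "$2"; }

# Unix time for noon (server local time) on the day of the event, day given as YYYY-MM-DD.
noon_ts() { date -d "$1 12:00:00" +%s; }

# Step 1: FWMToken from the smartlog server.
get_fwm_token() {
  login_xml "$1" "$2" | curl_cli -s -d @- "$SMARTLOG/login" \
    --user-agent "$UA" -H "RflId: $RFL_ID" | xml_text token
}

# Step 2: CPMToken (the management API session id). -p still shows in the
# process list, so run this only on the management server itself, as the post does.
get_cpm_token() {
  mgmt_cli login -u "$1" -p "$2" --port 4434 | grep sid | awk -F ': ' '{print $2}' | sed 's:"::g'
}

# Step 3: the report XML, using the complete query string from the note above.
fetch_report_xml() {  # args: uid, noon timestamp, cookie, output file
  curl_cli -s "$SMARTLOG/packet_capture?session_id=0&product=Forensics&module_name=$MGMT_HOST&incident_uid=$1&date=$2&service=ignore&log_server=$LOG_SERVER" \
    --user-agent "$UA" -H "RflId: $RFL_ID" --cookie "$3" -o "$4"
}

# Step 4: the blob is base64 applied twice, so decode twice to get the zip.
decode_blob() { xml_text blob | base64 -d | base64 -d; }

# Offline check of the parsing path against constructed (not real) server responses:
# prints the extracted token on one line and the decoded blob after it.
offline_demo() {
  login_resp='<root><token><![CDATA[fwm-token-constructed]]></token></root>'
  zip_bytes='PK-constructed-zip'
  inner=$(printf '%s' "$zip_bytes" | base64)
  outer=$(printf '%s' "$inner" | base64)
  report_resp="<root><blob><![CDATA[
$outer
]]></blob></root>"
  printf '%s\n' "$(printf '%s' "$login_resp" | xml_text token)"
  printf '%s' "$report_resp" | decode_blob
}

main() {   # usage: ./fetch_report.sh <incident uid> <YYYY-MM-DD>
  printf 'Password for admin: ' >&2; read -r -s pw; echo >&2
  fwm=$(get_fwm_token admin "$pw")
  cpm=$(get_cpm_token admin "$pw")
  fetch_report_xml "$1" "$(noon_ts "$2")" "$(fwm_cookie "$fwm" "$cpm")" "$1.xml"
  decode_blob < "$1.xml" > "$1.zip"
  mgmt_cli logout --session-id "$cpm" --port 4434 >/dev/null   # assumed flag, see above
}

if [ $# -ge 2 ]; then main "$@"; else offline_demo; fi
```

Run it on the management server as `./fetch_report.sh A8571015-BF9A-492B-81D0-1D9EBCD6EB3F 2019-07-09` to get `<uid>.zip`; with no arguments it only runs the offline parsing demo. The xml_text helper replaces the xmllint --shell pipelines of the post with a plain sed/grep extraction so that the token and blob handling does not depend on the prompt lines xmllint prints, which is what the tail/head offsets in the original are trimming.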