I see no support for reading logs (audit or rule) in the R80.10 Management API.
Am I missing it ?
Is it likely to appear in future ?
Look for the “log exporter” thread at CheckMates. The new logs API provide a secure channel for exporting logs with same-arrival-rate with just 1 line of configuration. There is no official way for one-time consumption of existing logs, though.
The current version of Management API (v1.2) doesn't support reading logs information.
This will be supported in the future release.
Thanks for the quick reply.
Is there a feature development road-map that indicates when that may be ?
It would help me decide whether to cobble together an alternative or just defer until then.
Timelines for this have not been finalized.
As Tomer Sole suggested, your best bet is to use Log Exporter for this, which makes the logs available via syslog.
Log Exporter guide
For some specific use cases, the good old 'fw log' command (with all its flags) can also be useful.
This option has been around for a long time but it sometimes feels as if many people are not aware of it.
It's somewhat limited in its usability but does work for some use cases.
Out of professional curiosity, could you elaborate on your use case, please?
The use case is to extract a monthly audit report which is reviewed by another person. It's not hard to do manually, but it is the only GUI/manual extraction in an otherwise completely automated set of data collection tasks.
Thanks for the reminder about 'fw log ...' that's probably what I'll use as I have SSH access. I had forgotten about it as I was distracted by the potential of a RESTful API.
I sometimes visit clients where I am not already integrated into their support team. Having data collection tools that don't require the logistical overhead of OPSEC or GUI-clients configuration make life much easier. I expect permission configuration for the API but I hope it's less).
fw log does sound like it's potentially what you're looking for.
But as Tomer suggested, I'd still keep the Log Exporter in mind as a viable option.
You can set it up to export only audit logs, and limit it to export to 30 days back.
Once per month turn it on to have it export the past 30 days, or leave it running ( and use the reexport flag when needed).
Both the log exporter and 'fw log' can be made to work for this use case.
The log exporter will need a receiving server, which is either a plus or minus depending on your environment, and the fw log will probably need a bit more tinkering with the output (but you'll probably have to do this in any case to parse the information).
Neither option is ideal for this use case, but both can be made to work. Off the top of my head, I don't see a clear advantage to either one.
I'd start tinkering with both of them and see if one of them comes out the clear winner.
Good luck, and post back here if you need help with implementing this.
Retrieving data ...