API for Logs
Overview
API for Logs lets you use a single management API command to query for logs or top statistics. The API uses the same filter parameters as entered in the search bar of the SmartConsole Logs tab (see Configuration below). SmartConsole is the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on.
Use Case
For customers who do not have access to SmartConsole and are familiar with using management APIs. API for Logs can be used inside a customer's automation script to get logs and run statistics on the logs without the need to access SmartConsole.
Run the API on the Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server) to get the logs from the environment.
With API for Logs, you can:
- Fetch Logs:
  You can fetch logs from any Log Server (a dedicated Check Point server that runs Check Point software to store and process logs) in the environment with a single management API command.
  Input: optional query parameters include:
  - Logs type: Traffic / Audit
  - Time-frame
  - Filter criteria - equivalent to the query line in SmartConsole.
  - Query from specific Log Servers.
  - Limit results count
  Output: matching logs, with all fields, in JSON format.
- Page through Logs:
  Logs are fetched in small chunks (default and max limit is 100) so queries do not overload the Log Server.
  The first "page" of results shows a limited number of logs.
  To get the next set of results from a previously run query, enter the query-id returned by the API command.
- Get Top Statistics:
  Query for the top statistics for multiple fields, including top sources and top destinations.
- Fetch Log Attachments:
  - Each log in a query response indicates whether it contains an attachment.
    An attachment can be a packet capture or a Threat Emulation report. (Threat Emulation, acronym TE, is the Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious.)
  - Another API command (Log Attachments API) fetches the attachment by log ID and returns all the attachments in a single JSON response.
- Generate API Commands in SmartConsole:
  In SmartConsole, click the button to generate an API command according to the query currently presented in the Logs tab.
  This includes:
  - Time-frame.
  - Selected log servers.
  - Filter criteria - query line.
  - Limit of 50 results by default.
The mechanism for API for Logs is the same as for SmartConsole log queries.
Permissions are enforced according to the logged-in user's profile.
Configuration
For a new logs query:

| Parameter | Description |
|---|---|
| filter | The filter as entered in SmartConsole/SmartView. Type: String |
| time-frame | Specify the time frame to query logs. Valid values: Default: last-7-days. Type: String |
| custom-start | Start of a custom time frame. Type: String. Must be in ISO 8601 format. |
| custom-end | End of a custom time frame. Type: String. Must be in ISO 8601 format. |
| max-logs-per-request | Valid values: 1-100. Default: 10. Type: String |
| type | Type of logs to return. Valid values: logs, audit. Default: logs. Type: String |
| log-servers | List of IPs of log servers to query. Default: all. Type: String |

To get results for custom time frames:
Supply both custom-start and custom-end (see the table above).

To get results for top statistics:

| Parameter | Description |
|---|---|
| count | Valid values: 1-50. Type: String |
| field | Valid values: Type: String |

To get more results for an existing query:

| Parameter | Description |
|---|---|
| query-id | Get the next page of the last run query with a specified limit. Type: String |
| ignore-warnings | Ignore warnings if they exist. Type: Boolean |
Limitations
- The parameter "time-frame" in the API command does not accept this format as input: yyyymmddThhmmssZ
- The command does not support non-index mode log queries.
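A helper for the fetch-and-page flow described above (Fetch Logs and Page through Logs), written as an added example and not code from Check Point: it validates the Configuration parameters, including the ISO 8601 requirement for custom-start/custom-end and the 1-100 page size, then walks the result pages by re-sending the returned query-id. It assumes the request body is a `new-query` object carrying the parameter names from the tables, that responses carry `query-id` and `logs` keys, and that `post` is the caller's own function sending one request under a valid management session; the server used here is a constructed stand-in so the code runs offline.

```python
import re
# Accept ISO 8601 timestamps such as 2024-01-31T08:00:00Z; the compact yyyymmddThhmmssZ form is rejected.
ISO_8601 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(Z|[+-]\d{2}:\d{2})$")

def build_new_query(filter_text, time_frame="last-7-days", custom_start=None,
                    custom_end=None, max_logs=10, log_type="logs", log_servers=None):
    """Validate the documented parameters and return the new-query request body."""
    if not 1 <= max_logs <= 100:
        raise ValueError("max-logs-per-request must be between 1 and 100")
    if log_type not in ("logs", "audit"):
        raise ValueError("type must be 'logs' or 'audit'")
    query = {"filter": filter_text, "time-frame": time_frame,
             "max-logs-per-request": max_logs, "type": log_type}
    if custom_start is not None or custom_end is not None:  # custom range needs both bounds
        for name, value in (("custom-start", custom_start), ("custom-end", custom_end)):
            if not value or not ISO_8601.match(value):
                raise ValueError(f"{name} must be an ISO 8601 timestamp")
            query[name] = value
    if log_servers:
        query["log-servers"] = list(log_servers)
    return {"new-query": query}

def iter_logs(post, first_body, max_pages=50):
    """Yield every log of a query by re-sending the returned query-id until a page is empty."""
    body = first_body
    for _ in range(max_pages):  # hard bound on requests per query
        response = post(body)  # one API call; returns parsed JSON with "query-id" and "logs"
        page = response.get("logs", [])
        yield from page
        if not page or not response.get("query-id"):
            return
        body = {"query-id": response["query-id"], "ignore-warnings": True}

def make_fake_server(all_logs):
    """Constructed stand-in for the Management Server so the example runs offline."""
    state = {"pos": 0, "qid": None, "size": 0}
    def post(body):
        if "new-query" in body:
            state.update(pos=0, qid="constructed-query-id",
                         size=body["new-query"]["max-logs-per-request"])
        elif body.get("query-id") != state["qid"]:
            raise ValueError("unknown query-id")
        page = all_logs[state["pos"]:state["pos"] + state["size"]]
        state["pos"] += len(page)
        return {"query-id": state["qid"], "logs": page}
    return post

# Constructed sample records standing in for the JSON logs the real API returns.
SAMPLE_LOGS = [{"src": f"10.0.0.{i}", "action": "Drop" if i % 2 else "Accept"}
               for i in range(1, 8)]
```

With `max_logs=3`, `list(iter_logs(make_fake_server(SAMPLE_LOGS), build_new_query("action:Drop", max_logs=3)))` collects all seven sample records over three pages plus the empty page that ends the query.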