API for Logs

Overview

API for Logs lets you use a single management API command to query for logs or top statistics. The API accepts the same filter parameters that you enter in the SmartConsole Logs tab search bar (see Configuration below).

Use Case

API for Logs is intended for customers who do not have access to SmartConsole but are familiar with management APIs. It can be called from a customer's automation script to retrieve logs and run statistics on them without opening SmartConsole.

Run the API on the Management Server to get the logs from the environment.

With API for Logs, you can:

The mechanism behind API for Logs is the same one that serves SmartConsole log queries.

Permissions are enforced according to the profile of the logged-in user.

Configuration

For a new logs query:

mgmt_cli show-logs new-query.filter product:<product name> new-query.time-frame <time-frame> new-query.max-logs-per-request <limit>

Parameters:

filter
    The filter as entered in SmartConsole/SmartView.
    Type: String

time-frame
    Specify the time frame to query logs.
    Valid values:
      • last-7-days
      • last-hour
      • today
      • last-24-hours
      • yesterday
      • this-week
      • this-month
      • last-30-days
      • all-time
      • custom
    Default: last-7-days
    Type: String

custom-start
    Used with time-frame "custom". Must be in ISO 8601 format.
    Type: String

custom-end
    Used with time-frame "custom". Must be in ISO 8601 format.
    Type: String

max-logs-per-request
    Valid values: 1-100
    Default: 10
    Type: String

type
    Type of logs to return.
    Valid values: logs, audit
    Default: logs
    Type: String

log-servers
    List of IPs of log servers to query.
    Default: all
    Type: String

To get results for a custom time frame (the dates are placeholders in ISO 8601 format):

mgmt_cli show-logs new-query.time-frame "custom" new-query.custom-start YYYY-MM-DD new-query.custom-end YYYY-MM-DD

To get results for top statistics:

mgmt_cli show-logs new-query.filter product:<product name> new-query.top.field blades new-query.top.count <number> --format json -r true

Parameters:

count
    Valid values: 1-50
    Type: String

field
    Valid values:
      • sources
      • destinations
      • services
      • actions
      • blades
      • origins
      • users
      • applications
    Type: String

To get more results for an existing query:

mgmt_cli show-logs query-id <query-id> --session-id <session-id>

Parameters:

query-id
    Get the next page of the last run query with the specified limit.
    Type: String

ignore-warnings
    Ignore warnings if they exist.
    Type: Boolean
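The three command forms above (new query, custom time frame with top statistics, and paging with query-id) combined into one client, as an added example that is not part of the Check Point documentation or product code. It assumes that mgmt_cli, run with --format json, returns an object carrying "query-id" and a "logs" list, and that session_id is the sid obtained from a prior mgmt_cli login; the fake runner in the test replaces the real command so the logic can be exercised offline.

```python
import json
import re
import subprocess
from datetime import datetime

# Documented valid values for new-query.time-frame and new-query.top.field.
TIME_FRAMES = {"last-7-days", "last-hour", "today", "last-24-hours", "yesterday",
               "this-week", "this-month", "last-30-days", "all-time", "custom"}
TOP_FIELDS = {"sources", "destinations", "services", "actions", "blades",
              "origins", "users", "applications"}
# Extended ISO 8601 date or date-time; the compact yyyymmddThhmmssZ form is rejected (see Limitations).
ISO_EXTENDED = re.compile(r"\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}:\d{2}(Z|[+-]\d{2}:\d{2})?)?")


def build_new_query(filter_expr, time_frame="last-7-days", max_logs=10, custom_start=None,
                    custom_end=None, top_field=None, top_count=None):
    """Build the mgmt_cli argument list for a new show-logs query, enforcing the documented limits."""
    if time_frame not in TIME_FRAMES:
        raise ValueError(f"unsupported time-frame: {time_frame}")
    if not 1 <= max_logs <= 100:
        raise ValueError("max-logs-per-request must be 1-100")
    args = ["mgmt_cli", "show-logs", "new-query.filter", filter_expr, "new-query.time-frame",
            time_frame, "new-query.max-logs-per-request", str(max_logs)]
    if time_frame == "custom":
        for name, value in (("custom-start", custom_start), ("custom-end", custom_end)):
            if value is None or not ISO_EXTENDED.fullmatch(value):
                raise ValueError(f"new-query.{name} must be an ISO 8601 date such as 2024-01-31")
            datetime.strptime(value[:10], "%Y-%m-%d")  # also rejects impossible calendar dates
            args += [f"new-query.{name}", value]
    if top_field is not None:  # top statistics: count is limited to 1-50
        if top_field not in TOP_FIELDS or not 1 <= (top_count or 0) <= 50:
            raise ValueError("top.field must be a documented field and top.count 1-50")
        args += ["new-query.top.field", top_field, "new-query.top.count", str(top_count)]
    return args


def run_mgmt_cli(args):
    """Default runner: invoke mgmt_cli on the Management Server and parse its JSON output."""
    return json.loads(subprocess.run(args, check=True, capture_output=True, text=True).stdout)


def fetch_all_logs(new_query_args, session_id, run=run_mgmt_cli, max_pages=100):
    """Run a new query, then follow query-id page by page as the 'more results' form above does.
    Assumed response keys: "query-id" and "logs" (adjust if your version differs)."""
    common = ["--session-id", session_id, "--format", "json"]
    page, logs = run(new_query_args + common), []
    for _ in range(max_pages):  # bounded so a misbehaving server cannot loop forever
        logs.extend(page.get("logs", []))
        if not page.get("logs") or not page.get("query-id"):
            break  # empty page: no more results for this query
        page = run(["mgmt_cli", "show-logs", "query-id", page["query-id"]] + common)
    return logs
```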

Limitations

  • The parameter "time-frame" in the API command does not accept this format as input:

    yyyymmddThhmmssZ

  • The command does not support non-index mode log queries.