
How to retrieve Event Logs Using an API GET Request with Specific Filters

This article describes how to retrieve event logs using an API GET request with specific filters, with emphasis on the use of Unix epoch timestamps in milliseconds for log filtering.

Scope

FortiGate.

Solution

Prerequisites

  • Access to the relevant API endpoint with proper permissions.
  • Knowledge of Unix epoch time and the ability to convert dates into epoch timestamps is essential.
  • A valid API access token for authentication (see the article Connect FortiGate device via API Token).

Step 1: Convert Human-Readable Dates to Unix Epoch Timestamps

To filter event logs by time, first convert the human-readable dates into Unix epoch timestamps in milliseconds.

Example:

Date & Time: “2024-08-14 10:33:51” → “1723617231000”

These conversions can be done using various tools like online converters or programmatically using languages like Python.

Example: https://www.epochconverter.com/

Step 2: Construct the API GET Request

Use the epoch timestamps to create the API GET request, ensuring that the filter conditions are properly structured and combined.

Example API Request:

**Instance1**
To retrieve the logs with a timestamp greater than or equal to "2024-08-14 10:33:51", use the filter ">=":
"https://<api_endpoint>/api/v2/log/memory/event/system?access_token=your_access_token&filter=_metadata.timestamp>=1723617231000"
**Instance2**
To retrieve the logs exactly matching the timestamp "2024-08-14 10:33:51", use the filter "==":
"https://<api_endpoint>/api/v2/log/memory/event/system?access_token=your_access_token&filter=_metadata.timestamp==1723617231000"

Key Components:

  • Replace <api_endpoint> with the actual API endpoint IP address or URL.
  • Replace your_access_token with a valid access token.
  • The filter parameter carries the condition applied to the timestamp (for example >=, <=, ==).

Step 3: Execute the Request and Verify Results

Submit the GET request to the API and review the returned logs to make sure they are within the given period.
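The three steps above, carried through in Python as an added example (not code from the article or from Fortinet): a local date is converted to epoch milliseconds, the GET URL from Step 2 is assembled with the filter value percent-encoded, and the returned entries are checked against the filter as in Step 3. It assumes the device's local time zone is UTC+04:00 (the offset under which the article's pair "2024-08-14 10:33:51" and 1723617231000 agree) and that each result carries its timestamp under `_metadata.timestamp`; the sample results are constructed, not real device output.

```python
"""Build a FortiGate log-filter request from a local date and check the reply."""
import json
import urllib.request
from datetime import datetime, timezone, timedelta
from urllib.parse import urlencode

# Assumption: the device's local time zone is UTC+04:00; that is the offset under
# which the article's pair "2024-08-14 10:33:51" -> 1723617231000 agrees.
LOCAL_TZ = timezone(timedelta(hours=4))

def to_epoch_ms(local_str: str, tz: timezone = LOCAL_TZ) -> int:
    """Convert 'YYYY-MM-DD HH:MM:SS' in the given zone to Unix epoch milliseconds."""
    dt = datetime.strptime(local_str, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return int(dt.timestamp()) * 1000

def build_url(endpoint: str, token: str, op: str, epoch_ms: int) -> str:
    """Form the GET URL from the article; op is one of >=, <=, ==.
    urlencode percent-encodes '>' and '=' inside the filter value, which the
    device decodes back to the literal _metadata.timestamp>=... expression."""
    if op not in (">=", "<=", "=="):
        raise ValueError("unsupported filter operator: " + op)
    params = urlencode({"access_token": token,
                        "filter": f"_metadata.timestamp{op}{epoch_ms}"})
    return f"https://{endpoint}/api/v2/log/memory/event/system?{params}"

def fetch_results(url: str) -> list:
    """Issue the GET and return the 'results' array of the JSON reply (assumed shape)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp).get("results", [])

def matches(op: str, value: int, threshold: int) -> bool:
    return {">=": value >= threshold, "<=": value <= threshold, "==": value == threshold}[op]

def out_of_window(results: list, op: str, epoch_ms: int) -> list:
    """Step 3 check: entries whose _metadata.timestamp does not satisfy the filter.
    A non-empty list means the filter or the epoch conversion is wrong."""
    return [r for r in results
            if not matches(op, int(r["_metadata"]["timestamp"]), epoch_ms)]

# Constructed sample of a 'results' array (not real device output), used offline.
SAMPLE_RESULTS = [
    {"_metadata": {"timestamp": 1723617231000}, "logdesc": "Admin login successful"},
    {"_metadata": {"timestamp": 1723617290000}, "logdesc": "Configuration changed"},
    {"_metadata": {"timestamp": 1723617100000}, "logdesc": "System performance statistics"},
]

if __name__ == "__main__":
    ts = to_epoch_ms("2024-08-14 10:33:51")          # 1723617231000
    print(build_url("<api_endpoint>", "your_access_token", ">=", ts))
    print("out of window:", out_of_window(SAMPLE_RESULTS, ">=", ts))
```

Replace `SAMPLE_RESULTS` with `fetch_results(build_url(...))` to run the same check against a live device.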

[Screenshot: Output for Instance1]

[Screenshot: Output for Instance2]

Troubleshooting

  • No Results: Verify that timestamp conversion is done correctly, such that it accurately reflects the desired time range.
  • Filter Errors: Ensure that filter syntax is supported by the API and is properly formatted in both requests.

Collect FortiOS output from these commands:

Debug Commands:

diag test app fgtlog 1
diag test app fgtlog 4
diag test app fgtlog 6
diag test app fgtlog 9
diag test app fgtlog 41
diag debug app fgtlog -1
diag debug app miglogd 0x1000
diag debug app miglogd -1
On FortiOS 7.0, 7.2 and 7.4, also collect: diag test app syslogd 1, 4, 6 and 9
diag sniff migsock ssl-trace enable
diag sniff migsock filter "name=xxx service=oftp" (name: logsearch fortiview faz-cloud global-faz global-faz2 ...)
diag sniff migsock start

Debug Commands: REST-API:

diagnose debug application httpsd -1
diagnose debug application nodejs -1

By following these steps, it is possible to use an API GET request with Unix epoch timestamp filters to retrieve event logs from specific time ranges. This method is well suited to isolating the logs for a particular event or period.