Export NSM logs to CSV file from the NSM CLI

  [KB14868]


Summary:
NSM receives logs from all managed devices and stores them under the /usr/netscreen/DevSvr/var/logs directory on the NSM Device Server.
These logs are saved in a binary format and cannot be viewed directly; they must be exported with the devSvrCli.sh utility.

Symptoms:
How to filter logs in NSM and export them in CSV or XML format.

Solution:
To export logs from the NSM server, log in to the NSM Device Server CLI and use the devSvrCli.sh utility (note the capital C in the file name; it is run with sh, so it does not need to be executable):
# cd /usr/netscreen/DevSvr/utils/
# sh devSvrCli.sh --help


For example, to export the logs of the device named "ISG1000" in the global domain, the following command can be used:

# sh devSvrCli.sh --log2action --filter --device global:ISG1000 --action --csv --file-path /tmp/isg1000.csv --include-header
This command exports all logs in the Log DB for the device "ISG1000" to the file /tmp/isg1000.csv, with a header row naming each field. With only a --device filter, every log ever received from that device is matched, so on a busy server add --time-recv or --matches-to-return to bound the export. The resulting CSV contains the raw log data (source and destination IPs, user names, rule hits) in clear text, so write it to a directory that only the exporting account can read rather than a world-readable location such as /tmp, and delete it once it has been copied off the server.


Other filter options can be combined by following the syntax in the --help output below. Filters are given after --filter and the output settings after --action; the same --file-path and --include-header parameters apply to both the --csv and --xml actions.
[root@nsm-vm-nikhilt utils]# sh devSvrCli.sh --help

--help                         print the help for each of the following 
                               options 
--log2action                   This command directs the system to execute 
                               a specified query against the log database 
                               and then to execute the specified action 
                               for each matching log. 
--filter                       This parameter specifies how logs should 
                               be matched. If no filter is supplied, all 
                               logs will be matched. 
--time-recv                    <<yyyymmdd>:<hhmmss>>-<<yyyymmdd>:<hhmmss>>[,...]* 
--category                     <category> must be one/multiple of the following 
                               values: "self", "config", "traffic", "alarm", 
                               "info", "predefined", "custom", "screen", 
                               "implicit", "profiler", "urlfiltering", 
                               "user", "admin", "events", or "sensors" 
--device                       <device>[,...]* in which <device> must be 
                               in this format: <domain-path>:<device-name>. 
                               <domain-path> must in this format: global[/<subdomain-name>] 
--devicefamily                 <devicefamily> must be one/multiple of the 
                               following values: "sos", "idp", "junos-es", 
                               "ive-ic", "ive-sa", or "junos-ex" 
--domain                       <domain-path>[,...]* in which <domain-path> 
                               must in this format: global[/<subdomain-name>] 
--dst-port                     <[0-65535][-[0-65535]]>[,...]* 
--log-id                       <<yyyymmdd>:[0-MAX][-<yyyymmdd>:[0-MAX]]> 
--user-flag                    <[0-7]>[,...]* 
--rule                         <rule>[,...]* in which <rule> must in this 
                               format: <domain-path>:<policy-name>:<rulebase>:<rule 
                               number>. <rulebase> must be one of the following 
                               values: "fw", "idp", "honeypot", "backdoor", 
                               "synpro", "vpn", "mpolicy", "tsig" . 
--src-port                     <[0-65535][-[0-65535]]>[,...]* 
--dst-ip                       <a.b.c.d[/n|-<a.b.c.d>]>[,...]* 
--src-ip                       <a.b.c.d[/n|-<a.b.c.d>]>[,...]* 
--matches-to-return            Number of matches to return [1-4294967295] 
--severity                     <severity> must be one/multiple of the following 
                               value: none, info, device_warning_log, minor, 
                               major, device_critical_log, emergency, alert, 
                               critical, error, warning, notice, informational, 
                               or debug 
--action                       This parameter specifies which action the 
                               system should execute for each matching 
                               log 
--csv                          This parameter directs the system to output 
                               logs using the comma-separated variable 
                               format 
--file-path                    This parameter directs the system where 
                               to direct the output 
--include-header               This parameter directs the system to first 
                               print the name for each field 
--snmp                         This parameter directs the system to send 
                               log to a SNMP server 
--community                    The community is an arbitrary string that 
                               SNMP server is configured to recognize 
--server                       This parameter specifies the SNMP server 
                               to send the SNMP message to. The value must 
                               be encoded as [IP|FQDN:<port>]] 
--script                       This parameter directs the system to execute 
                               the specified script, passing the log into 
                               it, formatted as XML, via STDIN. The script 
                               is expected to have exit status code 0 (no 
                               errors) or 1 (errors) 
--error-handling               This parameter specifies how errors occurring 
                               in the user's script should be handled. 
--retry                        This parameter directs NSM to try the action 
                               again for the same log. Retrying processing 
                               a log is mandatory if it must be guaranteed 
                               that every log is processed by the script 
--retry-secs                   This parameter specifies the number of seconds 
                               until the action will be tried again 
--num-retries                  This parameter specifies the maximum number 
                               of retries that should be attempted before 
                               giving up and moving on to the next log 
--skip                         The parameter directs NSM to skip over any 
                               log for which the script has an error. 
--script-name                  This parameter specifies the name of the 
                               script to be executed. The script is expected 
                               to be located in the /usr/netscreen/DevSvr/var/scripts/ 
                               directory 
--xml                          This parameter directs the system to output
                               logs using the XML format. 
--file-path                    This parameter directs the system where 
                               to direct the output 
--include-header               This parameter directs the system to first 
                               print the name for each field 
--email                        This parameter directs the system to output 
                               logs using the email format 
--sender                       The <sender> parameter specifies who it 
                               appears the email was sent from. <sender> 
                               must be a valid email address 
--recipient                    This parameter specifies who the email should 
                               be sent to. <recipient> must be a valid 
                               email address 
--syslog                       This parameter directs the system to send 
                               log to a syslog server 
--facility                     <facility> is the outbound syslog facility, 
                               and must be one of the following values: 
                               "kern", "user", "mail", "daemon", "auth", 
                               "syslog", "lpr", "news", "uucp", "cron", 
                               "authpriv", "ftp", "ntp", "audit", "alert", 
                               "clock", "local0", "local1", "local2", "local3", 
                               "local4", "local5", "local6", "local7". 
--server                       This parameter specifies the syslog server 
                               to send the syslog message to. The value 
                               must be encoded as [IP|FQDN:<port>]] 
--ddh-debug                    This command turns on/off debug print in 
                               devSvrDirectiveHandler. 
--debug                        This parameter turns the log level to debug 
--warn                         This parameter turns the log level to warn
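The following is an added example, not part of this KB article or of the NSM product itself. It wraps the export command above so that a scheduled job exports one bounded slice of the Log DB (the previous 24 hours of traffic logs for one device) instead of the whole database, checks the --device argument against the <domain-path>:<device-name> format documented in the help text before calling the CLI, and creates the output file with a restrictive umask. It assumes GNU date (the NSM Device Server runs on RHEL/CentOS) and assumes that --time-recv is interpreted in the Device Server's local time zone; the function names and the NSM_UTILS variable are this example's own.

```sh
#!/bin/sh
# Added example, not from KB14868: bounded, validated CSV export via devSvrCli.sh.
# Assumptions: GNU date; --time-recv uses the Device Server's local time zone.

NSM_UTILS=/usr/netscreen/DevSvr/utils

# Render an epoch pair as <yyyymmdd>:<hhmmss>-<yyyymmdd>:<hhmmss>, the
# --time-recv syntax shown in the help listing.
nsm_time_window() {
    start=$(date -d "@$1" +%Y%m%d:%H%M%S) || return 1
    end=$(date -d "@$2" +%Y%m%d:%H%M%S) || return 1
    printf '%s-%s\n' "$start" "$end"
}

# --device expects <domain-path>:<device-name> with <domain-path> being
# global[/<subdomain-name>]; reject anything else before it reaches the CLI.
nsm_device_ok() {
    case "$1" in
        global:?*|global/?*:?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the devSvrCli.sh command line for a filtered CSV export (dry run).
# Arguments: device category time-window output-file
nsm_export_cmd() {
    nsm_device_ok "$1" || { echo "bad device spec: $1" >&2; return 1; }
    printf 'sh %s/devSvrCli.sh --log2action --filter --device %s --category %s --time-recv %s --action --csv --file-path %s --include-header\n' \
        "$NSM_UTILS" "$1" "$2" "$3" "$4"
}

# Export the previous 24 hours of traffic logs for one device to a CSV file.
# Arguments: device output-file
nsm_export_last_day() {
    nsm_device_ok "$1" || { echo "bad device spec: $1" >&2; return 1; }
    now=$(date +%s)
    window=$(nsm_time_window $((now - 86400)) "$now") || return 1
    # The export holds IPs, user names and rule hits in clear text: make the
    # file readable by the exporting account only.
    umask 077
    (
        cd "$NSM_UTILS" || exit 1
        sh devSvrCli.sh --log2action \
            --filter --device "$1" --category traffic --time-recv "$window" \
            --action --csv --file-path "$2" --include-header
    )
}

# Only run on a Device Server, where the utility exists; elsewhere the
# functions above can still be sourced or dry-run with nsm_export_cmd.
if [ -f "$NSM_UTILS/devSvrCli.sh" ] && [ $# -eq 2 ]; then
    nsm_export_last_day "$1" "$2"
fi
```

Run it as "sh nsm_export.sh global:ISG1000 /root/exports/isg1000-$(date +%F).csv" from cron; nsm_export_cmd prints the exact command line without executing it, which is useful for checking a filter combination before running it against a large Log DB.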

