Fetch Events

To fetch the application, connection, alert, and audit events, use these commands to create a cron job that pulls the events and sends them to a syslog server in the format you specify.

Basic Commands

  • To route the events to a syslog server:
    set management-plane fetch-events syslog host <hostname or IP>
    set management-plane fetch-events syslog port <port>

    To set an optional protocol:

    set management-plane fetch-events syslog protocol <protocol>

    Supported protocols are: tcp and udp (default).

  • To store the events in a file:
    set management-plane fetch-events fileoutput enable true

    Note

    Log processing must be disabled when fileoutput is enabled. You can disable log processing by running: 

    set log-upload enable false

    The files are kept for up to 3 days on the appliance, in the home/nstransfer/fetchevets directory.

  • If an explicit proxy is deployed in the network, follow the instructions in Configure an Explicit Proxy.

Scheduling Jobs

You can schedule cron jobs to fetch events periodically. The jobs can be scheduled to run:

  • at a specified time of the day, or
  • after a certain number of hours or minutes.

Cron reads the job frequency as two fields, "* *": the left field is the minute (0-59) and the right field is the hour (0-23).

  • To schedule the job frequency for an event:
    set management-plane fetch-events event-type <type of event> schedule hour <hour>
    set management-plane fetch-events event-type <type of event> schedule minute <minute>

    where the <type of event> is application, connection, alert, infrastructure, or audit.

    For example,

    • to fetch alert events at 11:05 hours every day, run
      set management-plane fetch-events event-type alert schedule hour 11
      set management-plane fetch-events event-type alert schedule minute 5
      
    • to fetch alert events every 2 hours and 5 minutes, run
      set management-plane fetch-events event-type alert schedule hour */2
      set management-plane fetch-events event-type alert schedule minute */5
  • To fetch, once a day, all the events generated during the previous day (a 24-hour period), run
    set management-plane fetch-events event-type connection daymode enable true

    For example, if you have scheduled alert events to be fetched daily at 11:05 hours, then on 08-30-2018 at 11:05 hours this job fetches all events generated from 24:00 hours (12:00 AM) up to 23:59 hours (11:59 PM) on 08-29-2018. You continue to receive a file with alert events every day until you set the parameter to false.

    Netskope recommends that you schedule this job to run after 05:00 hours daily.

    The file is saved in the format <eventtype-YYYY-MM-DD.OUTPUTFORMAT>. For example, connection-2018-08-29.csv.

  • To set the output format:
    set management-plane fetch-events event-type <type of event> output-format <format>

    Supported formats are: csv, kv, or json.
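The schedule hour and schedule minute values are standard cron fields, and the only reliable way to know when a job will fire is to expand both fields and list the resulting times. The following is an added example, not code from Netskope or from this page: it expands a (minute, hour) pair into the wall-clock times cron produces in one day, and it also computes the previous-day window and the <eventtype-YYYY-MM-DD.OUTPUTFORMAT> file name that a daymode run produces. The function names and the behaviour of expand_field beyond "*", "n" and "*/k" are assumptions for illustration.

```python
from datetime import date, timedelta

# Added example (not Netskope's code): expand the two cron fields that
# `schedule minute` and `schedule hour` accept, and list the times at
# which the job fires in one day. Field grammar beyond '*', 'n' and '*/k'
# (ranges and lists) is an assumption for illustration.


def expand_field(field, low, high):
    """Expand one cron field into a sorted list of ints within [low, high].
    Supports '*', 'n', '*/k', 'a-b', 'a-b/k' and comma-separated lists."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
            if step < 1:
                raise ValueError("step must be >= 1")
        if part == "*":
            start, end = low, high
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if not (low <= start <= end <= high):
            raise ValueError(f"{part!r} is outside {low}-{high}")
        values.update(range(start, end + 1, step))
    return sorted(values)


def fire_times(minute_field, hour_field):
    """Return the 'HH:MM' times at which the job runs during one day."""
    minutes = expand_field(minute_field, 0, 59)
    hours = expand_field(hour_field, 0, 23)
    return [f"{h:02d}:{m:02d}" for h in hours for m in minutes]


def daymode_window(run_day_iso):
    """With daymode enabled, a run on run_day covers the previous calendar day.
    Returns (day, window_start, window_end) as ISO strings."""
    prev = date.fromisoformat(run_day_iso) - timedelta(days=1)
    day = prev.isoformat()
    return day, f"{day} 00:00", f"{day} 23:59"


def daymode_filename(event_type, run_day_iso, output_format):
    """File name <eventtype-YYYY-MM-DD.OUTPUTFORMAT> for the day fetched."""
    day, _, _ = daymode_window(run_day_iso)
    return f"{event_type}-{day}.{output_format}"


if __name__ == "__main__":
    # 'hour 11' + 'minute 5' fires once a day.
    print(fire_times("5", "11"))                      # → ['11:05']
    # 'hour */2' + 'minute */5' fires every 5 minutes during every even hour.
    t = fire_times("*/5", "*/2")
    print(len(t), t[:3], t[-1])                       # → 144 ['00:00', '00:05', '00:10'] 22:55
    # The daymode run on 2018-08-30 fetches 2018-08-29 in full.
    print(daymode_window("2018-08-30"))
    print(daymode_filename("connection", "2018-08-30", "csv"))  # → connection-2018-08-29.csv
```

Run fire_times on any pair of values before committing a schedule: the output is the exact list of times at which the appliance will query, so a pair that fires far more often than intended is visible immediately.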

Advanced Options

  • To fetch only filtered events:
    set management-plane fetch-events event-type <type of event> query-string <query>
  • To fetch only the specified fields for the events in csv format, use the following command.
    set management-plane fetch-events event-type <type of event> header <comma-separated header>
  • To set the lookback time (in seconds). This applies only to the first run of the script and determines how much historical data is fetched on that run. For example, if you set 86400, the first run fetches one day of data back from the current time.
    set management-plane fetch-events event-type <type of event> lookback-time <time in secs>
  • To set the multiquery time. This value determines how much data (in seconds) is fetched by each query. For example, if you are running the script every 1 hour and you set multiquery-time to 900, the run issues 4 queries of 15 minutes each and aggregates their output into the final result.
    set management-plane fetch-events multiquery-time <secs>
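The lookback-time and multiquery-time options together decide how a run is split into queries: lookback-time sets the start of the very first run, and multiquery-time caps the span of each query. The following is an added example, not the appliance's own fetch script: it plans the (start, end) windows a run would issue and aggregates the per-window results, including the edge cases of a first run, a span that does not divide evenly, and a run with nothing new to fetch. The function names and the use of epoch seconds are assumptions for illustration.

```python
# Added example (not Netskope's code): plan the query windows one
# fetch-events run would issue, given lookback-time and multiquery-time.
# Times are epoch seconds; the planning rules mirror the documented
# behaviour (lookback only on the first run, multiquery caps each query).


def plan_queries(now, last_run, lookback_time, multiquery_time):
    """Return the list of (start, end) windows covering the data to fetch.

    last_run is None on the first run, in which case lookback_time
    seconds of history are fetched; afterwards the window starts at
    last_run. multiquery_time of None or 0 means a single query.
    """
    if lookback_time < 0 or (multiquery_time or 0) < 0:
        raise ValueError("times must be non-negative")
    start = now - lookback_time if last_run is None else last_run
    if start >= now:
        return []                      # nothing new since the last run
    if not multiquery_time:
        return [(start, now)]          # one query covers the whole span
    windows = []
    while start < now:
        end = min(start + multiquery_time, now)   # last window may be short
        windows.append((start, end))
        start = end
    return windows


def aggregate(windows, fetch):
    """Call fetch(start, end) for each window and concatenate the results
    in window order, which is the 'final output will be aggregated' step."""
    events = []
    for start, end in windows:
        events.extend(fetch(start, end))
    return events


if __name__ == "__main__":
    # Hourly run, multiquery-time 900: four 15-minute queries.
    print(plan_queries(7200, 3600, 86400, 900))
    # First run with lookback-time 86400 and multiquery-time 900: 96 queries.
    print(len(plan_queries(100000, None, 86400, 900)))
    # Constructed event timestamps stand in for the appliance's API.
    sample_events = [5, 450, 799, 999]
    fake_fetch = lambda s, e: [t for t in sample_events if s <= t < e]
    print(aggregate(plan_queries(1000, 0, 0, 400), fake_fetch))
```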

Fetch HTTP Transaction logs from an MP into a SIEM

To configure fetch events to fetch HTTP transaction logs from an MP into a SIEM:

set management-plane fetch-web-proxy-logs syslog-server ip <ip-address>
set management-plane fetch-web-proxy-logs syslog-server port <port-number>
set management-plane fetch-web-proxy-logs syslog-server protocol udp
set management-plane fetch-web-proxy-logs enable true
save

To view the configuration, run the show command.

View Cron Jobs

To view the list of cron jobs, enter show cronjobs at the nsshell prompt.
