Fetch Events
To fetch the application, connection, alert, and audit events, use these commands to create a cron job that pulls the events and sends them to a syslog server in the specified format.
Note
The REST API token needs to be configured on the Netskope UI prior to running these commands. An error occurs if the REST API token is not generated.
Basic Commands
- To route the events to a syslog server:
set management-plane fetch-events syslog host <hostname or IP>
set management-plane fetch-events syslog port <port>
To set an optional protocol:
set management-plane fetch-events syslog protocol <protocol>
Supported protocols are tcp and udp (default).
- To store the events in a file:
set management-plane fetch-events fileoutput enable true
Note
Log processing must be disabled when fileoutput is enabled. You can disable log processing by running:
set log-upload enable false
The files are stored on the appliance for up to 3 days at the home/nstransfer/fetchevets location.
- If an explicit proxy is deployed in the network, follow the instructions in Configure an Explicit Proxy.
Scheduling Jobs
You can schedule cron jobs to fetch events periodically. The jobs can be scheduled to run:
- at a specified time of the day, or
- after a certain number of hours or minutes.
Cron reads the job frequency syntax in the format "* *", where the left "*" contains the minute in the range 0-59 and the right "*" contains the hour in the range 0-23.
- To schedule the job frequency for an event:
set management-plane fetch-events event-type <type of event> schedule hour <hour>
set management-plane fetch-events event-type <type of event> schedule minute <minute>
where <type of event> is application, connection, alert, infrastructure, or audit. For example,
- to fetch alert events at 11:05 hours every day, run
set management-plane fetch-events event-type alert schedule hour 11
set management-plane fetch-events event-type alert schedule minute 5
- to fetch alert events every 2 hours and 5 minutes, run
set management-plane fetch-events event-type alert schedule hour */2
set management-plane fetch-events event-type alert schedule minute */5
- To fetch, on a daily basis, all the events generated during the 24-hour period of the previous day, run
set management-plane fetch-events event-type connection daymode enable true
For example, if you have scheduled alert events to be fetched daily at 11:05 hours, then on 08-30-2018 at 11:05 hours this job fetches all events generated from 24:00 hours (12:00 AM) up to 23:59 hours (11:59 PM) on 08-29-2018. You continue to receive a file with alert events every day until you set the parameter to false. Netskope recommends that you schedule this job to run after 05:00 hours daily.
The file is saved in the format <eventtype-YYYY-MM-DD.OUTPUTFORMAT>. For example, connection-2018-08-29.csv.
- To set the output format:
set management-plane fetch-events event-type <type of event> output-format <format>
Supported formats are csv, kv, or json.
Advanced Options
- To fetch only filtered events:
set management-plane fetch-events event-type <type of event> query-string <query>
- To fetch only the specified fields for the events in csv format, use the following command:
set management-plane fetch-events event-type <type of event> header <comma-separated header>
- To set the lookback time, in seconds. This applies only to the first time the script runs and determines how much data is fetched on that first run. For example, if you set 86400, it fetches one day of data back from the current time.
set management-plane fetch-events event-type <type of event> lookback-time <time in secs>
- To set the multiquery time. This value determines how much data (in seconds) is fetched in each query. For example, if you are running the script every 1 hour and you set the multiquery time to 900, there will be 4 queries of 15 minutes each, and the final output will be aggregated.
set management-plane fetch-events multiquery-time <secs>
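The lookback-time, multiquery-time, and daymode settings above all describe how the fetch job carves time into query windows, and a collector that gets the arithmetic wrong leaves gaps or overlaps in the event feed that a SIEM will never flag on its own. The following Python is an added illustration of that window logic, not Netskope's own code: the appliance's internal query splitting is not documented on this page, so the functions below (query_windows, daymode_window, daymode_filename, is_contiguous) are hypothetical helpers that model the behaviour the page describes (lookback split into multiquery-sized chunks; daymode covering the previous calendar day; the <eventtype-YYYY-MM-DD.OUTPUTFORMAT> file name). The run time used in the example is constructed to match the page's 08-30-2018 11:05 scenario.

```python
from datetime import date, datetime, time, timedelta, timezone


def query_windows(run_time, lookback_secs, multiquery_secs):
    """Split the period [run_time - lookback, run_time) into consecutive
    half-open windows of at most multiquery_secs seconds each.

    Models the page's example: an hourly run with multiquery-time 900
    yields four 15-minute queries whose results are aggregated.
    """
    if lookback_secs <= 0 or multiquery_secs <= 0:
        raise ValueError("lookback and multiquery time must be positive seconds")
    windows = []
    start = run_time - timedelta(seconds=lookback_secs)
    step = timedelta(seconds=multiquery_secs)
    while start < run_time:
        # The last window is clipped so it never reaches past run_time.
        end = min(start + step, run_time)
        windows.append((start, end))
        start = end
    return windows


def daymode_window(run_time):
    """Return the inclusive window for daymode: the whole previous
    calendar day, 00:00:00 through 23:59:59, in run_time's timezone."""
    previous_day = (run_time - timedelta(days=1)).date()
    tz = run_time.tzinfo
    start = datetime.combine(previous_day, time.min, tzinfo=tz)
    end = datetime.combine(previous_day, time(23, 59, 59), tzinfo=tz)
    return start, end


def daymode_filename(event_type, window_start, output_format):
    """Build the file name in the page's <eventtype-YYYY-MM-DD.OUTPUTFORMAT> form."""
    if output_format not in ("csv", "kv", "json"):
        raise ValueError("output format must be csv, kv, or json")
    return f"{event_type}-{window_start:%Y-%m-%d}.{output_format}"


def is_contiguous(windows, period_start, period_end):
    """Coverage check a collector should run: the windows must exactly
    tile [period_start, period_end) with no gaps and no overlaps."""
    if not windows:
        return False
    if windows[0][0] != period_start or windows[-1][1] != period_end:
        return False
    return all(prev_end == next_start
               for (_, prev_end), (next_start, _) in zip(windows, windows[1:]))


if __name__ == "__main__":
    # Constructed run time matching the page's daymode example.
    run_at = datetime(2018, 8, 30, 11, 5, tzinfo=timezone.utc)

    # Hourly schedule with multiquery-time 900 -> four 15-minute queries.
    for start, end in query_windows(run_at, 3600, 900):
        print(f"query {start:%H:%M} -> {end:%H:%M}")

    # First run with lookback-time 86400: one full day behind run_at.
    first_run = query_windows(run_at, 86400, 900)
    print(len(first_run), "queries on first run")

    # daymode: the whole of 08-29-2018, written to connection-2018-08-29.csv
    day_start, day_end = daymode_window(run_at)
    print(day_start, day_end, daymode_filename("connection", day_start, "csv"))
```

A practical use of is_contiguous is to compare the windows a collector actually issued (as logged by the job) against the period it was supposed to cover; a False result means the aggregated output silently misses or duplicates events for that run.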
Fetch HTTP Transaction Logs from an MP into a SIEM
To configure fetch events to fetch HTTP transaction logs from an MP into a SIEM:
set management-plane fetch-web-proxy-logs syslog-server ip <ip-address>
set management-plane fetch-web-proxy-logs syslog-server port <port-number>
set management-plane fetch-web-proxy-logs syslog-server protocol udp
set management-plane fetch-web-proxy-logs enable true
save
To view the configuration, run the show command.
View Cron Jobs
To view the list of cron jobs, enter show cronjobs at the nsshell prompt.