TABLE OF CONTENTS

  • Product Details
  • Issue/ Problem
  • Prerequisites
  • Solution
  • Best Practice
  • Summary


Product: Menlo

Component: Log Fetch API

Version: 1.0



Issue/ Problem:

Unable to fetch log for events more than 500 per query using Insight.


For a deep investigation, thousands of logs may be required to identify why a problem occurs. With the Insight feature in Menlo, a user can only view or download 500 logs per query.


Prerequisites:

  • Python3
  • API Token
  • Admin Role
  • Log Fetch API Python Script


Solution:


Step 1: Configure Menlo Admin Portal

  1. Sign in to the Menlo Admin Portal.
  2. Go to Settings > Authentication > Admin Roles.
  3. Create or edit a role. Ensure the ‘LOG EXPORT API’ role is ticked.
  4. Go to API Tokens.
  5. Create an API token by clicking “Create Token”. Save the token, as it cannot be retrieved after the dialog is closed.


Step 2: Download API Python Script

  1. Download the “log_fetch_py3.py” file.

Step 3: Run Python Script

  1. Open CMD.
  2. Ensure Python is installed. To verify, enter the command ‘python --version’.
  3. Enter the following command to retrieve the logs:

     python3 log_fetch_py3.py -host admin.menlosecurity.com -t web -r v2 -f CSV -o logtest.csv -s 20240821000000 -e 20240822000000 <API token>


Where:

  -o      output file name
  -d      debug mode
  -s      start time, in the format YYYYMMDDhhmmss (UTC time zone)
  -e      end time, in the format YYYYMMDDhhmmss (UTC time zone)
  -f      file format [CEF, JSON, KVP, CSV, LEEF]
  -t      type of logging [web, safemail, audit, smtp, attachment, dlp]
  -host   host to query for the logs
  -a      append a string to all log entries (applies to the KVP, CEF and LEEF formats)
  token   a unique key for your tenant and user
  -q      query value used for filtering
  -h      show help message
  -l      maximum number of events to receive per API call
  -r      version: v1 or v2
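The following wrapper is an added example for this article; it is not part of Menlo's log_fetch_py3.py and it does not change how that script works. It assembles the command shown in Step 3 from its parts, validates the -s/-e timestamps against the YYYYMMDDhhmmss UTC format and the -t/-f/-r values against the lists above, computes a "last N hours" window so the timestamps do not have to be typed by hand, and reads the API token from an environment variable so that the token does not end up in shell history. The variable name MENLO_API_TOKEN and the location of log_fetch_py3.py in the working directory are assumptions of this example, not details from the article.

```python
# Added example (not part of Menlo's log_fetch_py3.py): build the fetch command
# for a UTC time window, validate the arguments the article lists, and keep the
# API token out of shell history by reading it from an environment variable.
# Assumptions: log_fetch_py3.py is in the working directory and the token is
# exported as MENLO_API_TOKEN (variable name chosen here, not from the article).
import os
import re
import subprocess
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y%m%d%H%M%S"          # YYYYMMDDhhmmss in UTC, as -s and -e expect
TS_RE = re.compile(r"^\d{14}$")
LOG_TYPES = {"web", "safemail", "audit", "smtp", "attachment", "dlp"}
FILE_FORMATS = {"CEF", "JSON", "KVP", "CSV", "LEEF"}
VERSIONS = {"v1", "v2"}


def validate_ts(ts):
    """Accept only a 14-digit timestamp that also parses as a real date and time."""
    if not TS_RE.match(ts):
        raise ValueError(f"timestamp {ts!r} must be YYYYMMDDhhmmss")
    datetime.strptime(ts, TS_FORMAT)     # rejects e.g. month 13 or 31 February
    return ts


def utc_window(hours_back, end_ts=None):
    """Return (start, end) YYYYMMDDhhmmss strings covering the last hours_back hours.

    end_ts defaults to the current UTC time; pass a fixed value for a
    reproducible window (the test below does).
    """
    if end_ts is None:
        end = datetime.now(timezone.utc)
    else:
        end = datetime.strptime(validate_ts(end_ts), TS_FORMAT)
    start = end - timedelta(hours=hours_back)
    return start.strftime(TS_FORMAT), end.strftime(TS_FORMAT)


def build_command(token, start, end, log_type="web", fmt="CSV", out="logtest.csv",
                  host="admin.menlosecurity.com", version="v2", query=None, limit=None):
    """Assemble the argv for log_fetch_py3.py in the order the article's Step 3 shows."""
    if log_type not in LOG_TYPES:
        raise ValueError(f"unknown log type {log_type!r}")
    if fmt not in FILE_FORMATS:
        raise ValueError(f"unknown file format {fmt!r}")
    if version not in VERSIONS:
        raise ValueError(f"unknown API version {version!r}")
    validate_ts(start)
    validate_ts(end)
    if start >= end:                     # zero-padded digits compare correctly as strings
        raise ValueError("start time must be before end time")
    if not token:
        raise ValueError("API token is empty")
    argv = ["python3", "log_fetch_py3.py", "-host", host, "-t", log_type, "-r", version,
            "-f", fmt, "-o", out, "-s", start, "-e", end]
    if query:
        argv += ["-q", query]
    if limit:
        argv += ["-l", str(limit)]
    argv.append(token)                   # the token is the trailing positional argument
    return argv


def redacted(argv):
    """Copy of argv that is safe to print or log; the token is the last element."""
    return argv[:-1] + ["<token redacted>"]


def run_fetch(argv):
    """Launch the script and return its exit code.

    The token still travels in argv, so it is visible in the process list while
    the script runs; this wrapper only keeps it out of the shell history and logs.
    """
    print("running:", " ".join(redacted(argv)))
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    token = os.environ.get("MENLO_API_TOKEN")    # assumed variable name
    if not token:
        raise SystemExit("export MENLO_API_TOKEN before running this wrapper")
    start, end = utc_window(24)                  # the last 24 hours, UTC
    raise SystemExit(run_fetch(build_command(token, start, end)))
```

Run it with `export MENLO_API_TOKEN=...` followed by `python3 wrapper.py`; the printed command line shows every argument except the token. Passing -q or -l to build_command adds the filter and per-call event limit from the option list above without changing the argument order the article uses.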


Best Practice: 

To avoid the need to use the Log Fetch API, filter your query to your specific needs so that fewer events are returned.


Troubleshooting Step:

1. SSL Certificate Error  

  • Ensure you are using Menlo Proxy

Summary: 

This solution applies when more than 500 events per query need to be fetched. Use the Log Fetch API script to retrieve the logs.


Version Control:

Document Version   Change Summary     Author   Reviewer    Approver    Change Date
1.0                Initial Creation   Ariff    Weil Yang   Weil Yang   2024-09-03