Retrieve Sensor Logs
Endpoint URL: https://<your server>/rest/sensors/action/fetchLogs
Endpoint URI: sensors/action/fetchLogs
Action: POST
Retrieves logs from a sensor.
After retrieving the logs you can download them. For details on the request to use to download the logs, see Download Sensor Logs.
You must be assigned the System Admin role and Sensor Admin L1 role (if your Cybereason environment uses sensor grouping) to send requests to this endpoint URL.
Note
Ensure that you have logged into the Cybereason platform. For details, see Log in with the API.
Request Headers
You must add a Content-Type:application/json header with the request.
Note
If you are using cURL, add the authorization cookie details or the path to the file with cookie details with every request.
Request Body
Input: JSON
{
"sensorsIds": [
"<sensorID>"
]
}
Request Parameters
URL/URI parameters: none
Request Body Parameters: You must provide the REQUIRED sensorsIds parameter. Enter the sensor's unique pylum ID string, which is the value the platform uses to identify the sensor.
Response Status Codes
This request can return the following status codes:
200: Success OK, or an error message explaining why the request failed
204: No content - the sensor name is incorrect
400 Bad Request: an error message containing NO_MATCHING_SENSORS
Response Success Schema
The response includes a detailed set of status counters and a batchID. Take the batchID and run a GET request on “sensors/action/download-logs/<batchID>”.
In addition, the sensor logs are downloaded to the root folder of the machine matching the sensor ID parameter in the request.
The response contains the following objects and fields:
Parameter | Type | Description
---|---|---
finalState | Boolean | The final state for the specified action.
totalNumberOfProbes | Integer | The number of sensors to which the action is pending or in progress.
initiatorUser | String | The user who started the specified action.
startTime | Timestamp | The time (in epoch) when the action started.
aborterUser | String | The user that aborted the specified action.
abortTime | String | The time (in epoch) when the action was aborted.
abortTimeout | Boolean | Indicates whether the action was aborted because of timeout settings on the sensor.
abortHttpStatusCode | Integer | The HTTP status code sent to the server when the action was aborted.
Response Failure Schema
400 - Bad Request NO_MATCHING_SENSORS
Important Response Fields
Important information is found in these fields:
batchID: The operation identifier for the sensor operation.
actionType: The type of sensor operation. For this request to retrieve sensor logs, this should report FetchLog.
stats object: This object contains details on the final result of the operation for the sensors included in the batch. Each field in this object is a possible sensor status, and its value is the number of sensors in the batch that ended in that status.
totalNumberOfProbes: The total number of sensors to which this operation applied.
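As an added example (not part of the Cybereason documentation or its client code), the following Python helper interprets one fetchLogs result and derives the download-logs URI for the next step. The FAILURE_BUCKETS grouping is my own assumption about which of the stats fields on this page mean a sensor will not deliver logs, and the sample bodies are constructed to match the documented response shape.

```python
import json

# Stats buckets from the fetchLogs response that mean the fetch will not complete for
# that sensor. Grouping them this way is my own assumption, not something the API defines.
FAILURE_BUCKETS = {
    "Failed", "FailedSending", "TimeoutSending", "Timeout", "Disconnected", "Aborted",
    "UnknownProbe", "UnauthorizedUser", "ProbeRemoved", "NotSupported",
    "EndedWithUnknownError", "EndedWithInvalidParam", "EndedWithSensorTimeout",
}

def parse_fetch_logs(status_code, body):
    """Interpret one fetchLogs HTTP result and return what the next step needs."""
    if status_code == 204:
        return {"ok": False, "error": "204 No content: sensor ID did not match a sensor"}
    if status_code == 400 or "NO_MATCHING_SENSORS" in body:
        return {"ok": False, "error": "NO_MATCHING_SENSORS"}
    try:
        payload = json.loads(body)
    except ValueError:
        # A 200 can still carry a plain-text error message; surface it rather than crash.
        return {"ok": False, "error": "non-JSON body: " + body[:120]}
    if payload.get("actionType") != "FetchLog" or "batchId" not in payload:
        return {"ok": False, "error": "unexpected payload: " + json.dumps(payload)[:120]}
    stats = payload.get("globalStats", {}).get("stats", {})
    batch_id = payload["batchId"]
    return {
        "ok": True,
        "batch_id": batch_id,
        "final_state": bool(payload.get("finalState")),
        "probes": payload.get("totalNumberOfProbes", 0),
        # Only the non-zero buckets are informative; the documented response has just "None": 1.
        "active_buckets": {k: v for k, v in stats.items() if v},
        "failed_probes": sum(v for k, v in stats.items() if k in FAILURE_BUCKETS),
        # Relative URI for the follow-up GET described on this page.
        "download_uri": "sensors/action/download-logs/" + str(batch_id),
    }

# Constructed sample bodies shaped like the responses documented on this page.
SAMPLE_OK = json.dumps({
    "batchId": 1268429474, "actionType": "FetchLog",
    "globalStats": {"stats": {"None": 1, "Succeeded": 0, "UnauthorizedUser": 0}},
    "finalState": False, "totalNumberOfProbes": 1,
})
SAMPLE_FAILED = json.dumps({
    "batchId": 42, "actionType": "FetchLog",
    "globalStats": {"stats": {"Succeeded": 1, "UnauthorizedUser": 1}},
    "finalState": True, "totalNumberOfProbes": 2,
})
```

Call parse_fetch_logs(response.status_code, response.text) on the result of the POST; when "ok" is true, append "download_uri" to the base REST URL for the download request.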
Example: Retrieve the log from a sensor
Request (cURL)
curl --request POST \
--url https://12.34.56.78/rest/sensors/action/fetchLogs \
--header 'Content-Type:application/json' \
--data '{
"sensorsIds":["58ae74fae4b06dca39c1d4bc:PYLUMCLIENT_INTERNAL_WIN7-64B-DEMO_0050568A3C55"]
}'
Response
{
"batchId": 1268429474,
"actionType": "FetchLog",
"actionArguments": null,
"globalStats": {
"stats": {
"FailedSending": 0,
"InvalidState": 0,
"ProbeRemoved": 0,
"TimeoutSending": 0,
"Pending": 0,
"ChunksRequired": 0,
"MsiFileCorrupted": 0,
"SendingMsi": 0,
"NewerInstalled": 0,
"MsiSendFail": 0,
"partialResponse": 0,
"EndedWithSensorTimeout": 0,
"FailedSendingToServer": 0,
"GettingChunks": 0,
"Aborted": 0,
"Started": 0,
"InProgress": 0,
"Disconnected": 0,
"Failed": 0,
"Timeout": 0,
"EndedWithTooManyResults": 0,
"AlreadyUpdated": 0,
"EndedWithTooManySearches": 0,
"Succeeded": 0,
"NotSupported": 0,
"EndedWithUnknownError": 0,
"None": 1,
"Primed": 0,
"EndedWithInvalidParam": 0,
"UnknownProbe": 0,
"AbortTimeout": 0,
"UnauthorizedUser": 0
}
},
"finalState": false,
"totalNumberOfProbes": 1,
"initiatorUser": "[email protected]",
"startTime": 1523875331560,
"aborterUser": null,
"abortTime": 0,
"abortTimeout": false,
"abortHttpStatusCode": null
}
Request (request body only)
Use this request body:
{
"sensorsIds": [
"58ae74fae4b06dca39c1d4bc:PYLUMCLIENT_MYCOMPUTER_CYBERHUNT_D05099606386"
]
}
Response
The response is identical to the one shown for the cURL request above.
Request (Python)
import requests
import json

# Login information
username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}

base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"

# Log in first; the session keeps the authorization cookie for the API request that follows.
session = requests.session()
login_response = session.post(login_url, data=data, verify=True)
print(login_response.status_code)
print(session.cookies.items())

# Request URL
endpoint_url = "/rest/sensors/action/fetchLogs"
api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.
sensor_id = "58ae74fae4b06dca39c1d4bc:PYLUMCLIENT_INTERNAL_CYBERSETUP7X64_005056A13A24"
query = json.dumps({"sensorsIds": [sensor_id]})

# The request body is JSON, so send it with the matching Content-Type header.
api_headers = {'Content-Type': 'application/json'}
api_response = session.request("POST", api_url, data=query, headers=api_headers)

your_response = json.loads(api_response.content)
print(json.dumps(your_response, indent=4, sort_keys=True))
Response
The response is identical to the one shown for the cURL request above.