Download Sensor Logs
Sometimes, when working with sensors, you may need to troubleshoot problems with the sensor, such as failures to transmit collected data to the server or connectivity issues. Cybereason sensors keep extensive logs on the sensor's operation to help you troubleshoot and audit the sensor.
As a system admin, you can use the API to retrieve these logs automatically. You have to send two requests:
One request to retrieve the logs from the sensor and send them to the server
A second request to download the logs
Step 1: Plan your request
Before you begin, ask yourself: from which sensors do I need to retrieve the logs? You need to know the sensors in order to fill in the appropriate fields of the request.
Step 2: Build your request to retrieve logs
When you download sensor logs with the API, first you must retrieve the logs from the specific sensor. This retrieval operation collects the logs on the sensor and sends them to the Cybereason server.
To construct the request, you must provide the sensor ID value for the sensors from which you want to download logs. You use the sensorId value that is unique to the sensor.
Note
If you do not know the sensorId value for the sensor you need, you can retrieve sensor data for all sensors or a specific sensor. For details on how to retrieve these sensor details, see Query Sensors.
Add the value of the sensor ID in the sensorsIds parameter and create the relevant cURL command, request body example, or Python script. In this example, we are using a stand-in address for a Cybereason server (myserver.com). If you use this request, replace this address with your actual server address.
curl --request POST \
--url https://myserver.com/rest/sensors/action/fetchLogs \
--header 'Content-Type: application/json' \
--data '{
"sensorsIds": [
"<sensorID>"
]
}'
Use this request body:
{
"sensorsIds": [
"<sensorID>"
]
}
Note
The code in this sample is repeated in the second sample below. You do not need to run the script now but it is used here to help you understand how you build the request.
import requests
import json

# Login information
username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}
headers = {"Content-Type": "application/json"}
base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"

session = requests.session()
login_response = session.post(login_url, data=data, verify=True)
print(login_response.status_code)
print(session.cookies.items())

# Request URL
endpoint_url_1 = "/rest/sensors/action/fetchLogs"
api_url_1 = base_url + endpoint_url_1

# These are the variables that represent different fields in the request.
sensor_id = "58ae74fae4b06dca39c1d4bc:PYLUMCLIENT_INTERNAL_WIN7-64B-DEMO_0050568A3C55"
query = json.dumps({"sensorsIds": [sensor_id]})

api_response = session.request("POST", api_url_1, data=query, headers=headers)
your_response = json.loads(api_response.content)
print(json.dumps(your_response, indent=4, sort_keys=True))
Step 3: Run your request and generate the response
In the command line, REST API client, or IDE, run the command or script that contains the request. After a few seconds, the Cybereason API returns a response.
If you are using the sample Python script you should not run your script yet. You will run the script in a later step.
When you receive the response, note the value of the batchId parameter in it. You will need this value to run the next request.
Step 4: Build your request to download the logs
To build your request to actually download the sensor logs, you need the batchId parameter you retrieved in the previous response.
Add the batch ID value returned in the previous response as the batchId path parameter and create the relevant cURL command, request body example, or Python script. In this example, we are using a stand-in address for a Cybereason server (myserver.com). If you use this request, replace this address with your actual server address.
Note
Replace the value of the batch ID parameter in the examples below with a relevant batch ID from your environment.
curl --request GET \
--url https://myserver.com/rest/sensors/action/downloadLogs/2054495090 \
--header 'Content-Type: application/json'
If you are running this in an API client like Postman, you will need to save the response as a file. For example, in Postman, you can use the Send and download option.
import requests
import json
import os
import zipfile
import io

# Login information
username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}
headers = {"Content-Type": "application/json"}
base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"

session = requests.session()
login_response = session.post(login_url, data=data, verify=True)
print(login_response.status_code)
print(session.cookies.items())

# Request URL to retrieve the logs
endpoint_url_1 = "/rest/sensors/action/fetchLogs"
api_url_1 = base_url + endpoint_url_1

# These are the variables that represent different fields in the first request, which retrieves the logs.
sensor_id = "58ae74fae4b06dca39c1d4bc:PYLUMCLIENT_INTERNAL_WIN7-64B-DEMO_0050568A3C55"
query = json.dumps({"sensorsIds": [sensor_id]})

api_response = session.request("POST", api_url_1, data=query, headers=headers)
your_response = json.loads(api_response.content)
batch_id = your_response['batchId']
print(batch_id)

# Request URL to download the logs. The batch ID is a path segment, so append the
# value of the batch_id variable (not the literal string "batch_id").
endpoint_url_2 = "/rest/sensors/action/download-logs/"
api_url_2 = base_url + endpoint_url_2 + str(batch_id)
api_response_2 = session.request("GET", api_url_2, headers=headers)

# Save the returned zip archive into a sensorlogs folder under the current working directory
cwd = os.getcwd()
outputDir = os.path.join(cwd, "sensorlogs")
logs = zipfile.ZipFile(io.BytesIO(api_response_2.content))
logs.extractall(outputDir)
Step 5: Run the request to download the logs
In the command line, REST API client, or IDE, run the command or script that contains the request. After a few seconds, the Cybereason API returns a response.
Step 6: Evaluate the response
When you run this request, you will receive no visual confirmation other than the HTTP status code that it succeeded. However, in the background, the logs download to the location you specify.
For example, in a REST API client, you need to save the returned file. The response in the API client displays as random unreadable or binary characters. You can save the file in your API client to a relevant location. For example, in Postman, you can use the Send and download option.
In Python or another programming language, you must add additional lines of code to process and save the file to a relevant location. The example in this use case shows one method of saving the zip file.
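The following is an added example, not code from the Cybereason documentation or product. It splits the two-request flow described in Steps 2 to 6 into small functions that check each HTTP status code, build the download URL from the batchId variable, and extract the returned zip while refusing any entry whose path would land outside the output folder (a plain extractall writes whatever paths the archive contains). The endpoint paths, the sensorsIds and batchId field names and the sample batch ID are taken from this page; the function names, the CannedSession stand-in and the sample archive are constructed assumptions so the code runs offline.

```python
import io
import json
import os
import tempfile
import zipfile
from types import SimpleNamespace

# Endpoint paths and field names are the ones shown on this page; everything else is assumed.
FETCH_LOGS_PATH = "/rest/sensors/action/fetchLogs"
DOWNLOAD_LOGS_PATH = "/rest/sensors/action/downloadLogs/"

def build_fetch_logs_request(base_url, sensor_ids):
    """Return (url, json_body) for the first request, which tells the sensors to upload logs."""
    if not sensor_ids:
        raise ValueError("at least one sensorId is required")
    return base_url + FETCH_LOGS_PATH, json.dumps({"sensorsIds": list(sensor_ids)})

def parse_batch_id(response_text):
    """Pull batchId out of the fetchLogs response; fail loudly instead of building a bad URL."""
    body = json.loads(response_text)
    if not isinstance(body, dict) or body.get("batchId") is None:
        raise ValueError("fetchLogs response carried no batchId: %r" % body)
    return str(body["batchId"])

def build_download_url(base_url, batch_id):
    """Second request: the batch ID is a path segment taken from the variable, not a literal."""
    return base_url + DOWNLOAD_LOGS_PATH + str(batch_id)

def entry_stays_inside(dest_dir, name):
    """True when archive entry `name` resolves under dest_dir (rejects '../' and absolute names)."""
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, name))
    return os.path.commonpath([root, target]) == root

def safe_extract_zip(zip_bytes, dest_dir):
    """Extract the downloaded archive, refusing any entry that would land outside dest_dir."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        # Validate every name first so a hostile archive leaves no partial output behind.
        bad = [i.filename for i in archive.infolist() if not entry_stays_inside(dest_dir, i.filename)]
        if bad:
            raise ValueError("refusing unsafe archive entries: %s" % bad)
        for info in archive.infolist():
            target = os.path.join(os.path.realpath(dest_dir), info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with archive.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written

def download_sensor_logs(session, base_url, sensor_ids, dest_dir):
    """Run both requests on an authenticated session (requests.Session or anything with the same
    .post/.get shape), check each status code, and extract the archive. Returns (batch_id, names)."""
    headers = {"Content-Type": "application/json"}
    fetch_url, body = build_fetch_logs_request(base_url, sensor_ids)
    fetch_resp = session.post(fetch_url, data=body, headers=headers)
    if fetch_resp.status_code != 200:
        raise RuntimeError("fetchLogs failed with HTTP %d" % fetch_resp.status_code)
    batch_id = parse_batch_id(fetch_resp.content.decode("utf-8"))
    dl_resp = session.get(build_download_url(base_url, batch_id), headers=headers)
    if dl_resp.status_code != 200:
        raise RuntimeError("downloadLogs failed with HTTP %d" % dl_resp.status_code)
    return batch_id, safe_extract_zip(dl_resp.content, dest_dir)

# Constructed offline stand-ins (not real sensor data) so the flow can run without a server.
def make_archive(entries):
    """Build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, payload in entries.items():
            archive.writestr(name, payload)
    return buf.getvalue()

class CannedSession:
    """Stand-in for an authenticated requests.Session answering the two endpoints with fixed data."""
    def __init__(self, batch_id, archive_bytes):
        self.batch_id, self.archive_bytes = batch_id, archive_bytes

    def post(self, url, data=None, headers=None):
        if url.endswith(FETCH_LOGS_PATH):
            return SimpleNamespace(status_code=200, content=json.dumps({"batchId": self.batch_id}).encode())
        return SimpleNamespace(status_code=404, content=b"")

    def get(self, url, headers=None):
        if url.endswith(DOWNLOAD_LOGS_PATH + str(self.batch_id)):
            return SimpleNamespace(status_code=200, content=self.archive_bytes)
        return SimpleNamespace(status_code=404, content=b"")

def demo():
    """Whole flow against the canned session; returns (batch_id, extracted entry names)."""
    archive = make_archive({"sensor.log": b"constructed sample log line\n"})
    session = CannedSession(2054495090, archive)
    return download_sensor_logs(session, "https://myserver.com", ["<sensorID>"], tempfile.mkdtemp())
```

Against a real server, pass the authenticated requests.Session from the script above in place of CannedSession and supply your own sensorId values; demo() exercises the same code path offline. The download path used here is the one from the cURL example on this page; adjust DOWNLOAD_LOGS_PATH if your environment expects a different one.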