ziad1
Level 7
Message 1 of 9

Fetching raw logs via API

I'm trying to retrieve the raw logs stored by the ELM via the provided SOAP API. Right now, I can pass a list of EsmSelectFields to the qryExecuteDetail() API call to retrieve a specific set of fields. There are about 300+ fields I can select from, but none of them seem to retrieve the actual raw log entry.

How would I go about retrieving the raw logs? Is there something that corresponds to "raw" or "payload" that I can query for?

Thanks

8 Replies

Re: Fetching raw logs via API

Did someone manage to do that? I would also appreciate the help...

Re: Fetching raw logs via API

How did you solve this guys?

Re: Fetching raw logs via API

Hi, mierwah. The API provides access to the aggregated events stored in the ESM database, not the original events in the ELM storage pools.

Re: Fetching raw logs via API

And there is no API to the ELM storage pools right?

Re: Fetching raw logs via API

There is only one API, and that API provides access to the aggregated events stored in the ESM database, not the original events in the ELM storage pools.

Re: Fetching raw logs via API

What about the "Packet" field? Can this be fetched using the API?

Re: Fetching raw logs via API

The "packet" is transient information on the ERC and is not available via the API.


Re: Fetching raw logs via API

The API is a terrible mess, and even if you manage to find an API call, you will struggle to get logs from high-volume systems out of the ELM using its "web UI" (the toolset that provides the ESM). Those who, like me, have tried to extract data from this platform know that if you receive more than a few GB per hour from a specific device, you will end up getting truncated results, undermining the use of the web UI (and correlate scripts) to extract the data.

The only option is using the SFTP interface, but good luck with that. It is by far the worst SFTP implementation I have ever seen in my life.

Hopefully this will eventually get the developers to fix the ELM SFTP. Until that happens, be sure to use archiving to copy the data BEFORE it gets ingested by the McAfee platforms.

Hope this helps
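The advice above to archive the raw data before it is ingested is the one part of this thread a reader can act on directly. The script below is an added example, not code from this thread or from McAfee: it copies raw log files into an archive directory, records each file's size and SHA-256 in a manifest, and re-verifies the archive so that a truncated or altered copy (the failure mode the reply describes for ELM exports) is detected rather than trusted. The file names, log lines and directory layout are constructed for the demonstration; nothing here talks to an ESM or ELM.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large raw-log files never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def archive_raw_logs(source_dir: Path, archive_dir: Path) -> dict:
    """Copy every regular file under source_dir into archive_dir and record its
    size and SHA-256 in a manifest. Returns the manifest as a dict."""
    archive_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(source_dir).as_posix()
        dst = archive_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 keeps the original timestamps
        manifest[rel] = {"size": dst.stat().st_size, "sha256": sha256_file(dst)}
    (archive_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_archive(archive_dir: Path) -> list:
    """Re-hash every archived file against the manifest and return the names
    of files that are missing or whose content no longer matches."""
    manifest = json.loads((archive_dir / MANIFEST_NAME).read_text())
    problems = []
    for rel, expected in manifest.items():
        path = archive_dir / rel
        if not path.is_file() or sha256_file(path) != expected["sha256"]:
            problems.append(rel)
    return problems


# Constructed sample raw logs (hypothetical devices and addresses, not real data).
SAMPLE_LOGS = {
    "fw-syslog.log": (
        "<134>Jan 10 12:00:01 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=22\n"
        "<134>Jan 10 12:00:02 fw01 kernel: ACCEPT IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP DPT=443\n"
    ),
    "vpn/auth.log": (
        "Jan 10 12:00:03 vpn01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2\n"
    ),
}


def run_demo() -> tuple:
    """Archive the sample logs, verify the clean copy, then truncate one archived
    file to show the verification catching it. Returns (manifest, clean, tampered)."""
    root = Path(tempfile.mkdtemp(prefix="rawlog-demo-"))
    source, archive = root / "source", root / "archive"
    for name, text in SAMPLE_LOGS.items():
        path = source / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    manifest = archive_raw_logs(source, archive)
    clean = verify_archive(archive)            # expected: []
    # Simulate a truncated export: keep only the first 40 bytes of one file.
    (archive / "fw-syslog.log").write_text(SAMPLE_LOGS["fw-syslog.log"][:40])
    tampered = verify_archive(archive)         # expected: ["fw-syslog.log"]
    shutil.rmtree(root)
    return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = run_demo()
    print(json.dumps(manifest, indent=2, sort_keys=True))
    print("clean verification problems:", clean)
    print("after truncation problems:", tampered)
```

Keeping the manifest (or a signed copy of it) somewhere other than the archive itself is what makes the check meaningful: a process that silently truncates files will not also fix up a hash it never sees.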
