Retrieve raw Python logs
Google recommends using the API endpoint /api/external/v1/logging/python with specific filters to get only the information that you need.
For full information on /api/external/v1/logging/python and other API endpoints, refer to your localized Swagger documentation.
There are two types of filters available: SOAR specific and generic.
SOAR specific filters
- labels.integration_name
- labels.integration_instance
- labels.integration_version
- labels.connector_name
- labels.connector_instance
- labels.action_name
- labels.job_name
- labels.correlation_id
Generic filters
Built-in log filters can be found in Build queries by using the Logging query language.
Examples for common filters
The following examples show you some common query filters for retrieving the information you need.
Integration version
To retrieve logs for a specific integration version, use the following filters together:
labels.integration_name="INTEGRATION_NAME" AND labels.integration_version="INTEGRATION_NUMBER"
labels.integration_name="Exchange" AND labels.integration_version="19"
Integration instance
To retrieve logs for a specific integration instance, use the following filter:
labels.integration_instance="INTEGRATION_NAME"
labels.integration_instance="GoogleAlertCenter_1"
All connectors
To retrieve logs for all connectors, use the following regular-expression filter:
labels.connector_name=~"^."
Specific connector
To retrieve logs for a specific connector, use the following filter:
labels.connector_name="CONNECTOR_NAME"
labels.connector_name="Exchange Mail Connector v2 with Oauth Authentication"
All jobs
To retrieve logs for all jobs, use the following regular-expression filter:
labels.job_name=~"^."
Specific job
To retrieve logs for a specific job, use the following filter:
labels.job_name="JOB_NAME"
labels.job_name="Cases Collector"
All actions
To retrieve logs for all actions, use the following regular-expression filter:
labels.action_name=~"^."
Specific action
To retrieve logs for a specific action, use the following filter:
labels.action_name="ACTION_NAME"
labels.action_name="Enrich Entities"
Failed actions
To retrieve logs for a failed action, use the following filters together:
labels.action_name="ACTION_NAME" AND SEARCH("Result Value: False")
labels.action_name="Enrich Entities" AND SEARCH("Result Value: False")
Case-sensitive search
To retrieve logs for a case-sensitive search result, use the following filter:
SEARCH("FREE_TEXT")
SEARCH("`Find my CASE SensiTive stRing`")
Specific message text
To retrieve logs for a specific message, use the following filter:
textPayload=~"FREE_TEXT"
textPayload=~"Invalid JSON payload"
Siemplify Cases Collector job
To retrieve logs for cases collector errors, use the following filters together:
textPayload=~(".*----Cases Collector DB started---*") AND severity>="Error"
Server errors
To retrieve logs for server errors, use the following filter:
textPayload=~"Internal Server Error"
Correlation ID
To retrieve logs for a correlation ID, use the following filter:
labels.correlation_id="CORRELATION_ID"
labels.correlation_id="e4a0b1f4afeb43e5ab89dafb5c815fa7"
Timestamp filter
You can retrieve logs by timestamp, in either RFC 3339 or ISO 8601 format. In query expressions, timestamps in RFC 3339 format can specify a timezone with Z or ±hh:mm. Timestamps are represented to nanosecond accuracy.
For more information, refer to Values and conversions.
To retrieve logs newer than a specific timestamp (UTC), use the following filter:
timestamp>="ISO_8601_format"
timestamp>="2023-12-02T21:28:23.045Z"
To retrieve logs for a specific day, use the following filters together:
timestamp>="YYYY-MM-DD" AND timestamp<"YYYY-MM-DD"
timestamp>="2023-12-01" AND timestamp<"2023-12-03"
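The filters above are built by hand in the examples; when a script assembles them from values such as action or connector names, the values must be quoted so that an embedded double quote or backslash cannot cut the string short and change the meaning of the filter. The following Python helpers are an added example, not part of the Google SecOps documentation or product: they compose the page's filter patterns (label equality, the `=~"^."` match-all regex, the failed-action SEARCH clause, and the day range) and escape values using the backslash escapes that Logging query language accepts inside double-quoted strings. The function names are this example's own.

```python
from datetime import date


def quote(value: str) -> str:
    """Wrap a value in double quotes for a Logging query language filter.

    Backslashes and double quotes are escaped so a value containing '"'
    cannot terminate the string early and inject extra filter clauses.
    """
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def label_eq(label: str, value: str) -> str:
    # Exact match on one SOAR label, e.g. labels.action_name="Enrich Entities".
    return f"labels.{label}={quote(value)}"


def label_any(label: str) -> str:
    # Match any non-empty value, as in the page's labels.connector_name=~"^."
    return f'labels.{label}=~"^."'


def integration_version_filter(name: str, version: str) -> str:
    # Logs for one integration at one version (two label clauses ANDed).
    return f"{label_eq('integration_name', name)} AND {label_eq('integration_version', version)}"


def failed_action_filter(action_name: str) -> str:
    # Failed runs of one action: the action label plus the SEARCH clause the page uses.
    return f'{label_eq("action_name", action_name)} AND SEARCH("Result Value: False")'


def date_range_filter(start: str, end_exclusive: str) -> str:
    # Both inputs are "YYYY-MM-DD" and are validated before reaching the query.
    # The end date is exclusive, matching the page's timestamp<"YYYY-MM-DD" form.
    s, e = date.fromisoformat(start), date.fromisoformat(end_exclusive)
    if e <= s:
        raise ValueError("end_exclusive must be later than start")
    return f'timestamp>="{s.isoformat()}" AND timestamp<"{e.isoformat()}"'


def combine(*clauses: str) -> str:
    # AND together any number of clauses, dropping empty ones.
    return " AND ".join(c for c in clauses if c)


if __name__ == "__main__":
    # Failed "Enrich Entities" runs on 1-2 December 2023 (constructed example values).
    print(combine(failed_action_filter("Enrich Entities"),
                  date_range_filter("2023-12-01", "2023-12-03")))
```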