All of the commands below need to be applied on the Log Concentrator via an SSH session:
If "SSL trustmode" is enabled on the Log Concentrator service, issue the following commands:
#NwConsole
> login localhost:56005:ssl admin password
> sdk output /tmp
> sdk open nws://admin:password@localhost:56005
> sdk content sessions=1-now render=logs dir="/tmp" where="(time='2016-12-30 00:00:00'-'2016-12-30 22:00:00' && device.type = 'ciscoasa')" fileExt=.log append="devicetypename.log"
If "SSL trustmode" is not enabled on the Log Concentrator service, issue the following commands:
#NwConsole
> login localhost:50005 admin password
> sdk output /tmp
> sdk open nw://admin:password@localhost:50005
> sdk content sessions=1-now render=logs dir="/tmp" where="(time='2016-12-30 00:00:00'-'2016-12-30 22:00:00' && device.type = 'ciscoasa')" fileExt=.log append="devicetypename.log"
The variables in the above commands are as follows:
- The service password, shown above as "password".
- The output directory for the extracted logs, "/tmp". Choose the directory with the most free space so that the extracted log file fits without affecting the overall storage and operations of the Log Concentrator/Hybrid appliance.
- The time frame and the value of the "device.type" meta key, for example: time='2016-12-30 00:00:00'-'2016-12-30 22:00:00' && device.type = 'ciscoasa'. Change them to the time frame and device.type whose logs you want to extract.
- The filename of the extracted log file, "devicetypename.log". Change it to fit your own naming convention.
A successful run of the "sdk content" command looks as follows:
[localhost:56005] /> sdk content sessions=1-now render=logs dir="/tmp" where="(time='2016-12-30 00:00:00'-'2016-12-30 22:00:00' && device.type = 'ciscoasa')" fileExt=.log append=ciscoasa.log
15:22:46: Sessions 1 to 296827 have meta range 1 to 6860568
15:22:46: Submitting query for sessions: query="select sessionid where (time='2016-12-30 00:00:00'-'2016-12-30 22:00:00' && device.type = 'ciscoasa')" id1=1 id2=6860568
15:22:46: Query is now executing on service
15:22:49: Submitting request to stream logs for 5754 sessions
15:22:50: 4154 logs written, 100% complete
15:22:50: Packets has finished, the last session extracted was 296827
15:22:50: Command finished in 3 seconds
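A pre-flight check for the variables listed above, added here as an example and not part of the original article or the product: it validates the time window and device.type, confirms free space in the output directory, and prints the "sdk content" line to paste into NwConsole. The function names, the 1024 MB threshold and the character set allowed for device.type are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code: validate inputs, check free space, then print
# the "sdk content" line from this page for pasting into NwConsole.

valid_ts() {   # accept only 'YYYY-MM-DD HH:MM:SS'
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]\ [0-9][0-9]:[0-9][0-9]:[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

valid_device() {   # assumption: device.type values are lowercase letters, digits, '_'
    case "$1" in
        ''|*[!a-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

free_mb() {   # megabytes available on the filesystem holding directory $1
    df -Pk "$1" | awk 'NR==2 { print int($4 / 1024) }'
}

# build_sdk_content DIR START END DEVICE MIN_FREE_MB
build_sdk_content() {
    dir=$1 start=$2 end=$3 dev=$4 min_mb=$5
    case "$dir" in *\"*) echo "quote in directory name" >&2; return 2 ;; esac
    [ -d "$dir" ] && [ -w "$dir" ] || { echo "not a writable directory: $dir" >&2; return 2; }
    valid_ts "$start" && valid_ts "$end" || { echo "bad timestamp" >&2; return 3; }
    valid_device "$dev" || { echo "bad device.type: $dev" >&2; return 4; }
    # The digits of a fixed-width timestamp order chronologically as an integer.
    s=$(printf %s "$start" | tr -cd '0-9')
    e=$(printf %s "$end" | tr -cd '0-9')
    [ "$s" -lt "$e" ] || { echo "start must be before end" >&2; return 3; }
    avail=$(free_mb "$dir")
    [ -n "$avail" ] && [ "$avail" -ge "$min_mb" ] || {
        echo "only ${avail:-?} MB free in $dir, need $min_mb" >&2; return 5; }
    printf "sdk content sessions=1-now render=logs dir=\"%s\" where=\"(time='%s'-'%s' && device.type = '%s')\" fileExt=.log append=\"%s.log\"\n" \
        "$dir" "$start" "$end" "$dev" "$dev"
}

# Sample values taken from the commands above; 1024 MB is an arbitrary threshold.
build_sdk_content /tmp '2016-12-30 00:00:00' '2016-12-30 22:00:00' ciscoasa 1024 ||
    echo "fix the problem above before running the extraction" >&2
```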