Define how log data is exported

You can define which log data to export, and the destination for the exported log data.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to Administration.
  2. Right-click Tasks in the Administration tree and select New > Export Log Task.
  3. In the Export Log Task Properties dialog box, click the Operation tab.
  4. Select the Storage directories to export from.
  5. (Optional) Select the Filter for Exporting.
  6. (Optional, IPS traffic recordings only) Enter the IPS Record ID of the traffic capture.
  7. Define Server (‘export’ Directory) as the destination file location.
    The destination file is saved in the <installation directory>/data/export directory on the Log Server.
  8. Specify a name for the destination file.
  9. In If file already exists, specify what happens when a previous file with the same name exists in the same folder.
  10. Click OK.

Result

The task appears under Task Definitions in the Tasks branch of the Administration view. If you want to delete the data after exporting, set up a scheduled task.

Export Log Task Properties dialog box

Use this dialog box to copy log data from the active storage to the selected location.

Option Definition
General tab
Name: Specifies the Export Log Task name.
Comment: An optional comment for your own reference.
Operation Type: Select the format to export in.
  • Export XML — Exports log data in XML format.
  • Export CSV — Exports log data in comma separated value format.
  • Export Short CSV — Exports log data in short comma separated value format.
  • Export CEF — Exports log data in common event format.
  • Export LEEF — Exports log data in log extended event format.
  • Export NetFlow v9 — Exports log data in a format that is compatible with NetFlow v9.
  • Export IPFIX — Exports log data in a format that is compatible with IPFIX.
  • Export McAfee ESM — Exports log data in a format that is compatible with McAfee ESM.
  • Export Forcepoint UEBA — This option is not yet supported. For more information about Forcepoint UEBA, see the Forcepoint UEBA documentation at https://support.forcepoint.com/Documentation.
  • Export IPS Recordings as PCAP — Exports traffic recordings in PCAP format.
  • Export IPS Recordings as SNOOP — Exports traffic recordings in SNOOP format.
Servers: Shows the servers from which you can export logs.
Search: Opens a search field for the selected element list.
Up: Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy.
Tools
  • New — Creates an element of the specified type.
  • Show Deleted Elements — Shows elements that have been moved to the Trash.
Add: Adds the selected servers to the Target list.
Remove: Removes the selected servers from the Target list.
Target: Shows the servers that you have selected.
Option Definition
Task tab
Target Data: Select the type of log data to archive.
Time Range

Specifies the time range of the log entries. You have several options to limit the time range.

For example, select Absolute Time Range in the Time Range list and define the Start and End Time.
Script to Execute After the Task: The Log Server triggers this script after completing the task.
Option Definition
Operation tab
Storage directories to export from: Select the storage directories from which to export the data.
  • Default — The directory where active log data is stored on the selected server.
  • Primary archive — The directory where archived log data is stored.
  • Custom — Allows you to select one or more directories from the list.
If the file exists, specify what happens when a previous file with the same name exists in the same folder:
  • Append — The new data is inserted at the end of the existing file.
  • Overwrite — The previous file is replaced with the new export file.
  • Use Number in File Name — A number is added to the end of the new file’s name.
  • Fail Task — The operation is canceled.
Filter for Exporting

(Optional)

Select the filter for exporting.
Select: Opens the Select Filter dialog box.
IPS Record ID

(Optional, IPS traffic recordings only)

Enter the IPS Record ID of the traffic capture.
Destination file

Specifies a name for the destination file.

Note: The destination file is saved in the <installation directory>/data/export directory on the Log Server.

You can use the following variables to automatically add information to the file name:

  • %D — Adds the file creation date to the file name.
  • %T — Adds the file creation time to the file name.
  • %S — Adds the name of the server from which the log data was exported to the file name.
Browse: This option is not supported in Export Log Tasks.
If file already exists: Specifies what happens when a previous file with the same name exists in the same folder:
  • Append — The new data is inserted at the end of the existing file. This option is not supported for traffic recordings.
  • Overwrite — The previous file is replaced with the new export file.
  • Use Number in File Name — A number is added to the end of the new file’s name.
  • Fail Task — The operation is canceled.