Search log

    The latest service changes have not yet been reflected in this content. We will update the content as soon as possible. Please refer to the Korean version for information on the latest updates.

    Searches logs stored in Cloud Log Analytics. Results are returned in pages.

    Request

    Request URL

    POST https://cloudloganalytics.apigw.ntruss.com/api/{regionCode}-v1/logs/search
    

    Request headers

    | Header name | Description | Format |
    |---|---|---|
    | x-ncp-apigw-timestamp | Elapsed time in milliseconds since January 1, 1970 00:00:00 UTC. The request is considered invalid if the timestamp differs from the current time by more than 5 minutes. | x-ncp-apigw-timestamp:{Timestamp} |
    | x-ncp-apigw-api-key | Key value issued by API gateway | x-ncp-apigw-api-key:{API Gateway API Key} |
    | x-ncp-iam-access-key | Value of access key ID issued in the NAVER Cloud Platform portal | x-ncp-iam-access-key:{Account Access Key} |
    | x-ncp-apigw-signature-v2 | Signature encrypted with the access key ID value and secret key | x-ncp-apigw-signature-v2:{API Gateway Signature} |
    | Content-Type | Specify the request body content type as application/json | Content-Type: application/json |
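The header set above can be built as in the following added example, which is not code from this page or from NAVER Cloud Platform. The string-to-sign layout (method, path, timestamp and access key, HMAC-SHA256 with the secret key, then base64) is an assumption based on the platform's general API Gateway signing scheme and is not stated on this page; `sign_v2`, `within_skew` and `build_headers` are hypothetical names, and the keys and region code passed in are expected to be supplied by the caller.

```python
import base64
import hashlib
import hmac
import time

MAX_SKEW_MS = 5 * 60 * 1000  # requests more than 5 minutes off are invalid


def sign_v2(method, uri, timestamp_ms, access_key, secret_key):
    """Return the base64 HMAC-SHA256 value for x-ncp-apigw-signature-v2.

    Assumed string-to-sign: "<METHOD> <path>\n<timestamp>\n<access key>".
    """
    message = f"{method} {uri}\n{timestamp_ms}\n{access_key}".encode("utf-8")
    digest = hmac.new(secret_key.encode("utf-8"), message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def within_skew(timestamp_ms, now_ms):
    """True if a request stamped timestamp_ms is still acceptable at now_ms."""
    return abs(now_ms - timestamp_ms) <= MAX_SKEW_MS


def build_headers(region_code, access_key, secret_key, api_key=None, now_ms=None):
    """Build the request headers for POST /api/{regionCode}-v1/logs/search."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    uri = f"/api/{region_code}-v1/logs/search"
    headers = {
        "Content-Type": "application/json",
        "x-ncp-apigw-timestamp": str(now_ms),
        "x-ncp-iam-access-key": access_key,
        "x-ncp-apigw-signature-v2": sign_v2("POST", uri, now_ms, access_key, secret_key),
    }
    if api_key:  # key issued by API gateway, when one is in use
        headers["x-ncp-apigw-api-key"] = api_key
    return headers
```

Under the assumed layout the signature covers the method, path, timestamp and access key but not the JSON body, so the search parameters depend on TLS for integrity. Load the secret key from a secrets store or environment variable rather than embedding it in scripts.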

    Request body

    | Parameter name | Parameter description | Required | Available Values | Data Type |
    |---|---|---|---|---|
    | keyword | If a search keyword is not included, then all logs are searched. | N | E.g., error, user | String |
    | logTypes | If a log type is not included, then all types of logs are searched. | N | E.g., SYSLOG, security_log, tomcat | String |
    | timestampFrom | Search start time | N | E.g., 1593848345548 (timestamp) | String |
    | timestampTo | Search end time | N | E.g., 1593848345548 (timestamp) | String |
    | interval | Interval | N | Default: 5m. E.g., 1d (1 day), 1h (1 hour), 1m (1 minute) | String |
    | pageNo | Page number | N | Default: 1. E.g., 1, 2 | Integer |
    | pageSize | Page size | N | Default: 10. E.g., 10, 20 | Integer |

    Examples

    Request example

    POST https://cloudloganalytics.apigw.ntruss.com/api/{regionCode}-v1/logs/search
    HOST: cloudloganalytics.apigw.ntruss.com
    Content-Type: application/json
    x-ncp-apigw-signature-v2: FJSBB4K3XnaGAvVe0Hzj3/2hfNWvgLHR1rQHW2Et2Rs=
    x-ncp-apigw-timestamp: 1593848345548
    x-ncp-iam-access-key: 11IKBWgQegM4DwiJL4mo
    
    {
      "keyword" : "account",
      "timestampFrom": "1593848345548",
      "timestampTo": "1593848345548",
      "interval": "4h",
      "pageNo": 1,
      "pageSize": 10
    }
    
    curl -X POST "https://cloudloganalytics.apigw.ntruss.com/api/{regionCode}-v1/logs/search" \
      -H "accept: application/json" \
      -H "Content-Type: application/json" \
      -H "x-ncp-iam-access-key: 11IKBWgQegM4DwiJL4mo" \
      -H "x-ncp-apigw-timestamp: 1594036233769" \
      -H "x-ncp-apigw-signature-v2: fna1XDGxBrUdql0haeWti2UUkI9QePnL08Kdu/JH+rg=" \
      -d "{ \"keyword\" : \"account\",  \"timestampFrom\": \"1593848345548\", \"timestampTo\": \"1593848345548\", \"interval\": \"4h\", \"pageNo\": 1, \"pageSize\": 10}"
    

    Response example

    {
      "code": 0,
      "message": "The request has been successfully processed.",
      "result": {
        "pageSize": 10,
        "currentPage": 1,
        "totalPage": 944,
        "totalCount": 9431,
        "isPaged": true,
        "chartData": [
          [
            1593993600000,
            763
          ],
          [
            1594008000000,
            1561
          ],
          [
            1594022400000,
            1587
          ],
          [
            1594036800000,
            1564
          ],
          [
            1594051200000,
            1580
          ],
          [
            1594065600000,
            1566
          ],
          [
            1594080000000,
            810
          ]
        ],
        "searchResult": [
          {
            "logTime": "1594087365153",
            "logType": "wineventlog",
            "servername": "cla-test",
            "logDetail": "An <span style='background-color: #f39c12;'>account</span> was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tS172553A3C3F$\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tSYSTEM\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x2d0\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi  \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the <span style='background-color: #f39c12;'>account</span> on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the <span style='background-color: #f39c12;'>account</span> for whom the new logon was created, i.e. the <span style='background-color: #f39c12;'>account</span> that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
          },
          {
            "logTime": "1594087365153",
            "logType": "wineventlog",
            "servername": "cla-test",
            "logDetail": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tSYSTEM\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege"
          },
          {
            "logTime": "1594087365153",
            "logType": "wineventlog",
            "servername": "cla-test",
            "logDetail": "Permissions on an object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tS172553A3C3F$\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tToken\n\tObject Name:\t-\n\tHandle ID:\t0x6fc\n\nProcess:\n\tProcess ID:\t0x2d0\n\tProcess Name:\tC:\\Windows\\System32\\services.exe\n\nPermissions Change:\n\tOriginal Security Descriptor:\tD:(A;;GA;;;SY)(A;;RCGXGR;;;BA)\n\tNew Security Descriptor:\tD:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-1851371743-411767070-3743290205-1090512353-603110601)"
          },
          {
            "logTime": "1594087365058",
            "logType": "wineventlog",
            "servername": "cla-test",
            "logDetail": "Permissions on an object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tS172553A3C3F$\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tToken\n\tObject Name:\t-\n\tHandle ID:\t0x3340\n\nProcess:\n\tProcess ID:\t0x3fc\n\tProcess Name:\tC:\\Windows\\System32\\svchost.exe\n\nPermissions Change:\n\tOriginal Security Descriptor:\tD:(A;;GA;;;SY)(A;;GA;;;NS)\n\tNew Security Descriptor:\tD:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-86-615999462-62705297-2911207457-59056572-3668589837)"
          },
          {
            "logTime": "1594087365040",
            "logType": "wineventlog",
            "servername": "cla-test",
            "logDetail": "An <span style='background-color: #f39c12;'>account</span> was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tS172553A3C3F$\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tSYSTEM\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x2d0\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi  \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the <span style='background-color: #f39c12;'>account</span> on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the <span style='background-color: #f39c12;'>account</span> for whom the new logon was created, i.e. the <span style='background-color: #f39c12;'>account</span> that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
          },
          {
            "logTime": "1594087365040",
            "logType": "wineventlog",
            "servername": "cla-test",
            "logDetail": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tSYSTEM\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege"
          },
          {
            "logTime": "1594087365040",
            "logType": "wineventlog",
            "servername": "cla-test",
            "logDetail": "Permissions on an object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tS172553A3C3F$\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tToken\n\tObject Name:\t-\n\tHandle ID:\t0x7d0\n\nProcess:\n\tProcess ID:\t0x2d0\n\tProcess Name:\tC:\\Windows\\System32\\services.exe\n\nPermissions Change:\n\tOriginal Security Descriptor:\tD:(A;;GA;;;SY)(A;;RCGXGR;;;BA)\n\tNew Security Descriptor:\tD:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-1851371743-411767070-3743290205-1090512353-603110601)"
          },
          {
            "logTime": "1594087305101",
            "logType": "wineventlog",
            "servername": "cla-test",
            "logDetail": "An <span style='background-color: #f39c12;'>account</span> was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tS172553A3C3F$\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tSYSTEM\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x2d0\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi  \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the <span style='background-color: #f39c12;'>account</span> on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the <span style='background-color: #f39c12;'>account</span> for whom the new logon was created, i.e. the <span style='background-color: #f39c12;'>account</span> that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
          },
          {
            "logTime": "1594087305101",
            "logType": "wineventlog",
            "servername": "cla-test",
            "logDetail": "Permissions on an object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tS172553A3C3F$\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tToken\n\tObject Name:\t-\n\tHandle ID:\t0x748\n\nProcess:\n\tProcess ID:\t0x2d0\n\tProcess Name:\tC:\\Windows\\System32\\services.exe\n\nPermissions Change:\n\tOriginal Security Descriptor:\tD:(A;;GA;;;SY)(A;;RCGXGR;;;BA)\n\tNew Security Descriptor:\tD:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-1851371743-411767070-3743290205-1090512353-603110601)"
          },
          {
            "logTime": "1594087305101",
            "logType": "wineventlog",
            "servername": "cla-test",
            "logDetail": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tSYSTEM\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege"
          }
        ]
      }
    }
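In the response example, keyword hits inside `logDetail` are wrapped in highlight `<span>` markup and the result set spans 944 pages, so a consumer has to strip the markup before field extraction and walk every page. The following is an added example, not code from this page or from NAVER Cloud Platform: `fetch_page` is a hypothetical caller-supplied function that performs the signed POST, the sample pages are constructed, and treating any non-zero `code` as a failure is an assumption.

```python
import re

# Keyword hits come back wrapped in <span style='background-color: ...'> markup.
HIGHLIGHT = re.compile(r"</?span\b[^>]*>", re.IGNORECASE)
ACCOUNT = re.compile(r"^\s*Account Name:\s*(\S+)", re.MULTILINE)


def clean_detail(log_detail):
    """Strip the highlight markup so parsers see the original log text."""
    return HIGHLIGHT.sub("", log_detail)


def account_names(log_detail):
    """Extract 'Account Name' values from a Windows event message."""
    return ACCOUNT.findall(log_detail)


def search_all(fetch_page, body, max_pages=100):
    """Yield cleaned records from every page.

    fetch_page(body) is a caller-supplied function (hypothetical here) that
    POSTs the body to /logs/search and returns the parsed JSON response.
    """
    for page_no in range(1, max_pages + 1):
        resp = fetch_page(dict(body, pageNo=page_no))
        if resp.get("code") != 0:  # assumption: any non-zero code is a failure
            raise RuntimeError(f"search failed: {resp.get('message')}")
        result = resp["result"]
        for rec in result["searchResult"]:
            yield dict(rec, logDetail=clean_detail(rec["logDetail"]))
        if page_no >= result["totalPage"]:
            return
    raise RuntimeError("max_pages reached before the last page; results incomplete")


def sample_hit(name):  # constructed record, shaped like the response example
    span = "<span style='background-color: #f39c12;'>Account</span>"
    return {"logTime": "1594087365153", "logType": "wineventlog", "servername": "cla-test",
            "logDetail": f"Subject:\n\t{span} Name:\t\t{name}\n\t{span} Domain:\t\tWORKGROUP"}


# Constructed two-page result set standing in for the live API.
SAMPLE_PAGES = {
    1: {"code": 0, "result": {"totalPage": 2, "searchResult": [sample_hit("SYSTEM")]}},
    2: {"code": 0, "result": {"totalPage": 2, "searchResult": [sample_hit("S172553A3C3F$")]}},
}


def fake_fetch(body):
    return SAMPLE_PAGES[body["pageNo"]]
```

Raising when `max_pages` is hit keeps a truncated export from being mistaken for a complete one. If `logDetail` is shown in a dashboard, render it as text, since the log content around the highlight markup originates from the monitored hosts.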
    
