Search logs
Searches the logs stored in Cloud Log Analytics. Results can be paged.
Request
Request URL
POST https://cloudloganalytics.apigw.ntruss.com/api/{regionCode}-v1/logs/search
Request headers
Header name | Description |
---|---|
x-ncp-apigw-timestamp | Time elapsed since January 1, 1970 00:00:00 Coordinated Universal Time (UTC), expressed in milliseconds. If the time difference from the API Gateway server is 5 minutes or more, the request is considered invalid. `x-ncp-apigw-timestamp:{Timestamp}` |
x-ncp-apigw-api-key | Key issued by API Gateway. `x-ncp-apigw-api-key:{API Gateway API Key}` |
x-ncp-iam-access-key | Access Key ID issued from the NAVER Cloud Platform portal. `x-ncp-iam-access-key:{Account Access Key}` |
x-ncp-apigw-signature-v2 | Signature encrypted with the Access Key ID and Secret Key. `x-ncp-apigw-signature-v2:{API Gateway Signature}` |
Content-Type | Set the request body content type to application/json. `Content-Type: application/json` |
Request body
Parameter name | Description | Required | Available Values | Data Type |
---|---|---|---|---|
keyword | Search keyword. If omitted, all logs are searched. | N | e.g. error, user | String |
logTypes | Log type. If omitted, logs of all types are searched. | N | e.g. SYSLOG, security_log, tomcat | String |
timestampFrom | Search start time | N | e.g. 1593848345548 (timestamp) | String |
timestampTo | Search end time | N | e.g. 1593848345548 (timestamp) | String |
interval | Interval | N | Default: 5m; e.g. 1d (1 day), 1h (1 hour), 1m (1 minute) | String |
pageNo | Page number | N | Default: 1; e.g. 1, 2 | Integer |
pageSize | Page size | N | Default: 10; e.g. 10, 20 | Integer |
Examples
Request example
```http
POST https://cloudloganalytics.apigw.ntruss.com/api/{regionCode}-v1/logs/search
HOST: cloudloganalytics.apigw.ntruss.com
Content-Type: application/json
x-ncp-apigw-signature-v2: FJSBB4K3XnaGAvVe0Hzj3/2hfNWvgLHR1rQHW2Et2Rs=
x-ncp-apigw-timestamp: 1593848345548
x-ncp-iam-access-key: 11IKBWgQegM4DwiJL4mo

{
  "keyword": "account",
  "timestampFrom": "1593848345548",
  "timestampTo": "1593848345548",
  "interval": "4h",
  "pageNo": 1,
  "pageSize": 10
}
```
```bash
curl -X POST "https://cloudloganalytics.apigw.ntruss.com/api/{regionCode}-v1/logs/search" \
  -H "accept: application/json" \
  -H "Content-Type: application/json" \
  -H "x-ncp-iam-access-key: 11IKBWgQegM4DwiJL4mo" \
  -H "x-ncp-apigw-timestamp: 1594036233769" \
  -H "x-ncp-apigw-signature-v2: fna1XDGxBrUdql0haeWti2UUkI9QePnL08Kdu/JH+rg=" \
  -d "{ \"keyword\" : \"account\", \"timestampFrom\": \"1593848345548\", \"timestampTo\": \"1593848345548\", \"interval\": \"4h\", \"pageNo\": 1, \"pageSize\": 10}"
```
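The signed request described by the header table and the request example, built in Python as an added example that is not part of the original page or NAVER Cloud's own code. Assumptions: the string-to-sign layout follows the general NAVER Cloud API Gateway signature v2 convention, which this page does not spell out; `sign`, `check_body` and `build_search_request` are hypothetical helper names; the region code and keys are placeholders.

```python
import base64
import hashlib
import hmac
import json
import re
import time

HOST = "https://cloudloganalytics.apigw.ntruss.com"
INTERVAL = re.compile(r"[1-9]\d*[dhm]")  # conservative check based on the table's 1d/1h/1m examples

def sign(method, uri, timestamp_ms, access_key, secret_key):
    # Assumption (not stated on this page): signature v2 string-to-sign is
    # "<METHOD> <uri>\n<timestamp>\n<accessKey>", HMAC-SHA256 with the Secret Key, then Base64.
    message = f"{method} {uri}\n{timestamp_ms}\n{access_key}".encode()
    return base64.b64encode(hmac.new(secret_key.encode(), message, hashlib.sha256).digest()).decode()

def check_body(body):
    """Reject parameter combinations that cannot be a valid search before signing."""
    if "interval" in body and not INTERVAL.fullmatch(body["interval"]):
        raise ValueError("interval must look like 1d, 1h or 1m")
    lo, hi = body.get("timestampFrom"), body.get("timestampTo")
    if lo is not None and hi is not None and int(lo) > int(hi):
        raise ValueError("timestampFrom is later than timestampTo")
    for key in ("pageNo", "pageSize"):
        if key in body and (not isinstance(body[key], int) or body[key] < 1):
            raise ValueError(f"{key} must be a positive integer")
    return body

def build_search_request(region_code, access_key, secret_key, body, now_ms=None):
    """Return (url, headers, payload) for POST /logs/search, signed for `now_ms`."""
    uri = f"/api/{region_code}-v1/logs/search"
    ts = str(int(time.time() * 1000) if now_ms is None else now_ms)
    headers = {
        "Content-Type": "application/json",
        "x-ncp-apigw-timestamp": ts,  # the same value must be used inside the signature
        "x-ncp-iam-access-key": access_key,
        "x-ncp-apigw-signature-v2": sign("POST", uri, ts, access_key, secret_key),
    }
    return HOST + uri, headers, json.dumps(check_body(body)).encode()

if __name__ == "__main__":
    # Constructed placeholders: the region code and both keys are not real values.
    url, headers, payload = build_search_request(
        "REGION", "ACCESS_KEY_PLACEHOLDER", "SECRET_KEY_PLACEHOLDER",
        {"keyword": "account", "interval": "4h", "pageNo": 1, "pageSize": 10})
    print(url, headers, payload, sep="\n")
```

Because the timestamp is part of the signed message and the gateway rejects a difference of 5 minutes or more, sign immediately before sending and keep the client clock synchronized.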
Response example
{
"code": 0,
"message": "リクエストが正常に処理されました。",
"result": {
"pageSize": 10,
"currentPage": 1,
"totalPage": 944,
"totalCount": 9431,
"isPaged": true,
"chartData": [
[
1593993600000,
763
],
[
1594008000000,
1561
],
[
1594022400000,
1587
],
[
1594036800000,
1564
],
[
1594051200000,
1580
],
[
1594065600000,
1566
],
[
1594080000000,
810
]
],
"searchResult": [
{
"logTime": "1594087365153",
"logType": "wineventlog",
"servername": "cla-test",
"logDetail": "An <span style='background-color: #f39c12;'>account</span> was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tS172553A3C3F$\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tSYSTEM\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x2d0\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the <span style='background-color: #f39c12;'>account</span> on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the <span style='background-color: #f39c12;'>account</span> for whom the new logon was created, i.e. the <span style='background-color: #f39c12;'>account</span> that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
},
{
"logTime": "1594087365153",
"logType": "wineventlog",
"servername": "cla-test",
"logDetail": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tSYSTEM\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege"
},
{
"logTime": "1594087365153",
"logType": "wineventlog",
"servername": "cla-test",
"logDetail": "Permissions on an object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tS172553A3C3F$\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tToken\n\tObject Name:\t-\n\tHandle ID:\t0x6fc\n\nProcess:\n\tProcess ID:\t0x2d0\n\tProcess Name:\tC:\\Windows\\System32\\services.exe\n\nPermissions Change:\n\tOriginal Security Descriptor:\tD:(A;;GA;;;SY)(A;;RCGXGR;;;BA)\n\tNew Security Descriptor:\tD:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-1851371743-411767070-3743290205-1090512353-603110601)"
},
{
"logTime": "1594087365058",
"logType": "wineventlog",
"servername": "cla-test",
"logDetail": "Permissions on an object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tS172553A3C3F$\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tToken\n\tObject Name:\t-\n\tHandle ID:\t0x3340\n\nProcess:\n\tProcess ID:\t0x3fc\n\tProcess Name:\tC:\\Windows\\System32\\svchost.exe\n\nPermissions Change:\n\tOriginal Security Descriptor:\tD:(A;;GA;;;SY)(A;;GA;;;NS)\n\tNew Security Descriptor:\tD:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-86-615999462-62705297-2911207457-59056572-3668589837)"
},
{
"logTime": "1594087365040",
"logType": "wineventlog",
"servername": "cla-test",
"logDetail": "An <span style='background-color: #f39c12;'>account</span> was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tS172553A3C3F$\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tSYSTEM\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x2d0\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the <span style='background-color: #f39c12;'>account</span> on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the <span style='background-color: #f39c12;'>account</span> for whom the new logon was created, i.e. the <span style='background-color: #f39c12;'>account</span> that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
},
{
"logTime": "1594087365040",
"logType": "wineventlog",
"servername": "cla-test",
"logDetail": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tSYSTEM\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege"
},
{
"logTime": "1594087365040",
"logType": "wineventlog",
"servername": "cla-test",
"logDetail": "Permissions on an object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tS172553A3C3F$\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tToken\n\tObject Name:\t-\n\tHandle ID:\t0x7d0\n\nProcess:\n\tProcess ID:\t0x2d0\n\tProcess Name:\tC:\\Windows\\System32\\services.exe\n\nPermissions Change:\n\tOriginal Security Descriptor:\tD:(A;;GA;;;SY)(A;;RCGXGR;;;BA)\n\tNew Security Descriptor:\tD:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-1851371743-411767070-3743290205-1090512353-603110601)"
},
{
"logTime": "1594087305101",
"logType": "wineventlog",
"servername": "cla-test",
"logDetail": "An <span style='background-color: #f39c12;'>account</span> was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tS172553A3C3F$\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tSYSTEM\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x2d0\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the <span style='background-color: #f39c12;'>account</span> on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the <span style='background-color: #f39c12;'>account</span> for whom the new logon was created, i.e. the <span style='background-color: #f39c12;'>account</span> that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
},
{
"logTime": "1594087305101",
"logType": "wineventlog",
"servername": "cla-test",
"logDetail": "Permissions on an object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tS172553A3C3F$\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tToken\n\tObject Name:\t-\n\tHandle ID:\t0x748\n\nProcess:\n\tProcess ID:\t0x2d0\n\tProcess Name:\tC:\\Windows\\System32\\services.exe\n\nPermissions Change:\n\tOriginal Security Descriptor:\tD:(A;;GA;;;SY)(A;;RCGXGR;;;BA)\n\tNew Security Descriptor:\tD:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-1851371743-411767070-3743290205-1090512353-603110601)"
},
{
"logTime": "1594087305101",
"logType": "wineventlog",
"servername": "cla-test",
"logDetail": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tSYSTEM\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege"
}
]
}
}
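An added example (not from the original page or NAVER Cloud's code) of consuming this response: the keyword-highlight `<span>` markup inside `logDetail` splits field labels such as `Account Name`, so it is stripped before fields are extracted, and `currentPage`/`totalPage` drive the remaining `pageNo` requests. The sample entry is constructed by shortening one item from the response above; `clean_detail`, `parse_fields`, `normalize` and `remaining_pages` are hypothetical helper names.

```python
import json
import re

# Constructed sample: one entry shortened from the response example on this page.
SAMPLE = json.loads(r'''{"code": 0, "result": {"pageSize": 10, "currentPage": 1,
 "totalPage": 3, "totalCount": 21, "isPaged": true, "searchResult": [
 {"logTime": "1594087365153", "logType": "wineventlog", "servername": "cla-test",
  "logDetail": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tSYSTEM\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeDebugPrivilege"}]}}''')

HIGHLIGHT = re.compile(r"</?span\b[^>]*>")  # markup wrapped around keyword hits
FIELD = re.compile(r"^[ \t]*([A-Za-z][A-Za-z ]*):[ \t]+(\S[^\n]*)$", re.M)
PRIVILEGE = re.compile(r"\bSe[A-Za-z]+Privilege\b")

def clean_detail(detail):
    """Strip the highlight <span> tags so field labels are contiguous text again."""
    return HIGHLIGHT.sub("", detail)

def parse_fields(text):
    """Collect 'Label:<tabs>value' lines; repeated labels keep every value in order."""
    fields = {}
    for label, value in FIELD.findall(text):
        fields.setdefault(label.strip(), []).append(value.strip())
    return fields

def normalize(entry):
    """Turn one searchResult item into a flat record for downstream detection rules."""
    text = clean_detail(entry["logDetail"])
    fields = parse_fields(text)
    return {
        "time_ms": int(entry["logTime"]),
        "server": entry["servername"],
        "event": text.split("\n", 1)[0],
        "accounts": fields.get("Account Name", []),
        "privileges": PRIVILEGE.findall(text),
    }

def remaining_pages(result):
    """pageNo values still to request, derived from currentPage and totalPage."""
    if not result.get("isPaged"):
        return []
    return list(range(result["currentPage"] + 1, result["totalPage"] + 1))

if __name__ == "__main__":
    for item in SAMPLE["result"]["searchResult"]:
        print(normalize(item))
    print("next pages:", remaining_pages(SAMPLE["result"]))
```

The `logDetail` text originates from the monitored hosts, so display it as plain text rather than rendering the returned markup as HTML.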