Retrieve raw Python logs

Google recommends using the API endpoint /api/external/v1/logging/python with specific filters to get only the information that you need.

For full information on /api/external/v1/logging/python and other API endpoints, refer to your localized Swagger documentation.

There are two types of filters available: SOAR specific and generic.

SOAR specific filters

  • labels.integration_name
  • labels.integration_instance
  • labels.integration_version
  • labels.connector_name
  • labels.connector_instance
  • labels.action_name
  • labels.job_name
  • labels.correlation.id

Generic filters

Built-in log filters can be found in Build queries by using the Logging query language.

Examples for common filters

The following examples show you some common query filters for retrieving the information you need.

Integration version

To retrieve logs for a specific integration version, use the following filters together:

labels.integration_name="INTEGRATION_NAME" AND
labels.integration_version="INTEGRATION_NUMBER"
For example:
labels.integration_name="Exchange" AND labels.integration_version="19"

Integration instance

To retrieve logs for a specific integration instance, use the following filter:

labels.integration_instance="INTEGRATION_INSTANCE"
For example:
labels.integration_instance="GoogleAlertCenter_1"

All connectors

To retrieve logs for all connectors, use the following regular expression filter:

labels.connector_name=~"^."

Specific connector

To retrieve logs for a specific connector, use the following filter:

labels.connector_name="CONNECTOR_NAME"
For example:
labels.connector_name="Exchange Mail Connector v2 with Oauth Authentication"

All jobs

To retrieve logs for all jobs, use the following regular expression filter:

labels.job_name=~"^."

Specific job

To retrieve logs for a specific job, use the following filter:

labels.job_name="JOB_NAME"
For example:
labels.job_name="Cases Collector"

All actions

To retrieve logs for all actions, use the following regular expression filter:

labels.action_name=~"^."

Specific action

To retrieve logs for a specific action, use the following filter:

labels.action_name="ACTION_NAME"
For example:
labels.action_name="Enrich Entities"

Failed actions

To retrieve logs for a failed action, use the following filters together:

labels.action_name="ACTION_NAME" AND SEARCH("Result Value: False")
For example:
labels.action_name="Enrich Entities" AND SEARCH("Result Value: False")

To retrieve logs for a case-sensitive search result, use the following filter:

SEARCH("FREE_TEXT")
For example:
SEARCH("`Find my CASE SensiTive stRing`")

Specific message text

To retrieve logs for a specific message, use the following filter:

textPayload=~"FREE_TEXT"
For example:
textPayload=~"Invalid JSON payload"

Siemplify Cases Collector job

To retrieve logs for cases collector errors, use the following filters together:

textPayload=~(\".*----Cases Collector DB started---*\") AND
severity>="Error"

Server errors

To retrieve logs for server errors, use the following filter:

textPayload=~"Internal Server Error"

Correlation ID

To retrieve logs for a correlation ID, use the following filter:

labels.correlation_id="CORRELATION_ID"
For example:
labels.correlation_id="e4a0b1f4afeb43e5ab89dafb5c815fa7"

Timestamp filter

You can retrieve logs by timestamp in either RFC 3339 or ISO 8601 format. In query expressions, RFC 3339 timestamps can specify a time zone with Z or ±hh:mm. Timestamps are represented with nanosecond accuracy.

For more information, refer to Values and conversions.

To retrieve logs newer than a specific timestamp (UTC), use the following filter:

timestamp>="ISO_8601_format"
For example:
timestamp>="2023-12-02T21:28:23.045Z"

To retrieve logs for a specific day, use the following filters together:

timestamp>="YYYY-MM-DD" AND
timestamp<"YYYY-MM-DD"
For example:
timestamp>="2023-12-01" AND timestamp<"2023-12-03"
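The following Python helper is an added example, not Google's own client code. It composes the label, SEARCH, textPayload and timestamp filters shown in the sections above into one query string and sends it to the endpoint. It assumes that /api/external/v1/logging/python accepts the filter as a GET query parameter named "filter" and authenticates with an "AppKey" header (both assumptions; the label names and filter shapes come from this page, and the base URL and key are placeholders). Values are quoted with escaping so that a connector or action name taken from user input cannot terminate the string literal and append extra clauses to the query.

```python
"""Compose Logging query language filters for the SOAR Python log endpoint.

Added example, not part of the product documentation. Assumptions: the
endpoint takes the filter as the "filter" GET parameter and authenticates
with an "AppKey" header; base URL and key below are placeholders.
"""
from __future__ import annotations

import json
import urllib.parse
import urllib.request
from datetime import date, datetime, timezone

# SOAR-specific labels listed in the documentation; correlation_id is the
# form used in the correlation ID example.
SOAR_LABELS = frozenset({
    "integration_name", "integration_instance", "integration_version",
    "connector_name", "connector_instance", "action_name", "job_name",
    "correlation_id",
})

# Regular expression the documentation uses to match any non-empty value.
ANY_VALUE = '=~"^."'


def quote(value: str) -> str:
    """Return value as a double-quoted Logging query string literal.

    Backslashes and double quotes are escaped so that a value such as a
    connector name containing '"' cannot close the literal and inject
    additional clauses into the query.
    """
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def combine(*clauses: str) -> str:
    """Join clauses with AND, as the documentation's multi-filter examples do."""
    return " AND ".join(clauses)


def label_filter(label: str, value: str | None = None) -> str:
    """Filter on one SOAR label; value=None matches every value of that label."""
    if label not in SOAR_LABELS:
        raise ValueError(f"unknown SOAR label: {label}")
    if value is None:
        return f"labels.{label}{ANY_VALUE}"
    return f"labels.{label}={quote(value)}"


def search_filter(text: str, exact: bool = False) -> str:
    """SEARCH() clause; exact=True wraps the text in backticks as the docs do."""
    return f"SEARCH({quote(f'`{text}`' if exact else text)})"


def text_payload_regex(pattern: str) -> str:
    """textPayload=~ clause for a regular expression over the log message."""
    return f"textPayload=~{quote(pattern)}"


def _rfc3339(ts: datetime) -> str:
    # Normalise to UTC and emit the "Z" suffix at millisecond precision.
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return ts.astimezone(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")


def timestamp_range(start: datetime, end: datetime | None = None) -> str:
    """timestamp clauses for logs newer than start (and older than end)."""
    clauses = [f"timestamp>={quote(_rfc3339(start))}"]
    if end is not None:
        clauses.append(f"timestamp<{quote(_rfc3339(end))}")
    return combine(*clauses)


def day_range(start: date, end: date) -> str:
    """Whole-day timestamp clauses, as in the documentation's daily example."""
    return combine(f"timestamp>={quote(start.isoformat())}",
                   f"timestamp<{quote(end.isoformat())}")


def failed_action_filter(action_name: str) -> str:
    """Logs of a named action whose result value was False."""
    return combine(label_filter("action_name", action_name),
                   search_filter("Result Value: False"))


def fetch_python_logs(base_url: str, app_key: str, query: str,
                      opener=urllib.request.urlopen):
    """GET the endpoint with the filter and return the decoded JSON body.

    `opener` is injectable so the request can be exercised offline.
    """
    url = (base_url.rstrip("/") + "/api/external/v1/logging/python?"
           + urllib.parse.urlencode({"filter": query}))
    request = urllib.request.Request(
        url, headers={"AppKey": app_key, "Accept": "application/json"})
    with opener(request) as response:
        return json.loads(response.read().decode("utf-8"))


if __name__ == "__main__":
    print(combine(label_filter("integration_name", "Exchange"),
                  label_filter("integration_version", "19")))
    print(failed_action_filter("Enrich Entities"))
    print(timestamp_range(datetime(2023, 12, 2, 21, 28, 23, 45000, tzinfo=timezone.utc)))
```

The helpers reject unknown label names and escape quotes inside values, which matters when the integration, connector or action name comes from a ticket or a user-supplied form rather than from code; `fetch_python_logs` takes an `opener` argument so the request construction can be checked without network access.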