Is There a Sample Script for Exporting Agent Log Data?

This script provides a robust, paginated way to export Agent Log data from the Spirion platform.

To export Agent Log data via the Web API, you use a similar pattern to the Audit Log export but target the Agent-specific endpoints.

This script enables you to pull technical events (EPS, IDF, and IFS logs) from your distributed Agents for external analysis or SIEM ingestion.

Python Sample Script for Agent Log Export

import requests
import json
import time
from datetime import datetime, timedelta, timezone

# --- CONFIGURATION ---
TENANT_URL = "https://your-tenant.spirion.com"
API_TOKEN = "YOUR_BEARER_TOKEN"
LOG_FILE = "spirion_agent_logs.json"
STATE_FILE = "last_agent_log_timestamp.txt"
LIMIT_PER_PAGE = 500
REQUEST_TIMEOUT = 30  # seconds; a request without a timeout can hang the export indefinitely

def get_last_timestamp():
    """Return the timestamp of the last exported event, or a 24-hour lookback on first run."""
    try:
        with open(STATE_FILE, 'r') as f:
            return f.read().strip()
    except FileNotFoundError:
        # Default to the last 24 hours, as a UTC ISO 8601 timestamp with a trailing Z
        return (datetime.now(timezone.utc) - timedelta(days=1)).strftime("%Y-%m-%dT%H:%M:%SZ")

def save_last_timestamp(timestamp):
    """Persist the high-water mark so the next run continues where this one stopped."""
    with open(STATE_FILE, 'w') as f:
        f.write(timestamp)

def export_agent_logs():
    last_seen = get_last_timestamp()
    # Endpoint for Agent Logs
    endpoint = f"{TENANT_URL}/api/v1/agentlogs"

    headers = {
        "Authorization": f"Bearer {API_TOKEN}",
        "Content-Type": "application/json"
    }

    all_events_processed = 0
    has_more_data = True
    current_start_date = last_seen

    print(f"Fetching Agent Logs since: {current_start_date}...")

    while has_more_data:
        params = {
            "startDate": current_start_date,
            "limit": LIMIT_PER_PAGE,
            "sort": "timestamp_asc"
        }

        try:
            response = requests.get(endpoint, headers=headers, params=params, timeout=REQUEST_TIMEOUT)
            response.raise_for_status()
            logs = response.json()

            if not logs:
                has_more_data = False
                break

            # Append logs to the local file, one JSON object per line (NDJSON)
            with open(LOG_FILE, 'a') as f:
                for entry in logs:
                    f.write(json.dumps(entry) + "\n")

            all_events_processed += len(logs)
            last_batch_timestamp = logs[-1]['timestamp']
            # Save the high-water mark after every page, not only the final one, so an
            # interrupted run does not re-export pages that were already written to disk
            save_last_timestamp(last_batch_timestamp)

            if len(logs) == LIMIT_PER_PAGE:
                current_start_date = last_batch_timestamp
                print(f"Processed {all_events_processed} events. Paginating...")
                time.sleep(1)  # Rate limiting
            else:
                has_more_data = False

        except requests.exceptions.RequestException as e:
            print(f"Error exporting Agent Logs: {e}")
            has_more_data = False

    print(f"Export complete. Total Agent Log events: {all_events_processed}")

if __name__ == "__main__":
    export_agent_logs()

Key Differences for Agent Logs vs. Audit Logs

  • Endpoint: The script uses /api/v1/agentlogs.
  • Data Volume: Agent logs are typically much higher volume than Audit logs because they record every scan heartbeat, file access error, and result shipment.
  • Filtering by Agent: You can add an agentId or hostname parameter to the params dictionary if you only want to export logs for a specific machine (e.g., "agentId": "12345").

Recommendations for Agent Log Exports

  • Filter by Log Family: If you only care about scanning errors, you can often filter the API request by the "Log Family" (e.g., IDF for search errors or IFS for shipping errors). This significantly reduces the amount of data you need to export and store.
  • Monitor for "Access Denied": When ingesting these logs into a SIEM, create an alert for the string "Access Denied". This is the most common indicator that an agent's service account lacks the permissions needed to scan a specific target.
  • Correlation IDs: Each log entry in the export will contain a correlationId. Use this ID in your SIEM to link an agent-side error (e.g., "Failed to ship") with a console-side event, providing a full end-to-end view of the data pipeline.
  • Storage Management: Because Agent Logs are verbose, ensure your SIEM or storage location has a clear retention policy. You likely don't need "Heartbeat Success" logs from six months ago, but you do need "Access Denied" errors for at least 90 days for compliance auditing.
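As an added example (not part of the Spirion documentation or the export script above), the following Python post-processes the NDJSON file the export writes and applies the recommendations in this section: it skips a corrupted line, keeps only the IDF and IFS families, counts "Access Denied" entries per agent, groups entries by correlationId, and keeps Access Denied entries for 90 days while expiring routine entries sooner. The field names agentId, logFamily and message, and the sample lines, are constructed assumptions for the example.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
# Constructed sample in the NDJSON layout the export writes; "agentId", "logFamily" and
# "message" are assumed field names, and the last line is deliberately malformed.
SAMPLE_EXPORT = """\
{"timestamp": "2024-05-01T10:00:00Z", "agentId": "12345", "logFamily": "EPS", "correlationId": "c-1", "message": "Heartbeat Success"}
{"timestamp": "2024-05-01T10:00:05Z", "agentId": "12345", "logFamily": "IDF", "correlationId": "c-2", "message": "Access Denied: /srv/finance"}
{"timestamp": "2024-05-01T10:00:09Z", "agentId": "67890", "logFamily": "IFS", "correlationId": "c-2", "message": "Failed to ship results"}
{"timestamp": "2024-05-01T10:00:12Z", "agentId": "12345", "logFamily": "IDF", "correlationId": "c-3", "message": "Access Denied: /srv/hr"}
this line is not JSON
"""

def parse_export(text):
    """Parse NDJSON export output, skipping lines that are not valid JSON."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated or corrupted line must not abort the whole batch
    return events

def filter_by_family(events, families):
    """Keep only the log families of interest (e.g. {"IDF", "IFS"} for scan and ship errors)."""
    wanted = {f.upper() for f in families}
    return [e for e in events if str(e.get("logFamily", "")).upper() in wanted]

def access_denied_by_agent(events):
    """Count 'Access Denied' events per agent: the SIEM alert condition recommended above."""
    return Counter(e.get("agentId", "unknown") for e in events
                   if "access denied" in str(e.get("message", "")).lower())

def group_by_correlation(events):
    """Link agent-side and console-side entries that share a correlationId."""
    groups = defaultdict(list)
    for e in events:
        groups[e.get("correlationId", "none")].append(e)
    return dict(groups)

def apply_retention(events, now, default_days=30, denied_days=90):
    """Drop routine entries older than default_days but keep Access Denied for denied_days."""
    kept = []
    for e in events:
        ts = datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        limit = denied_days if "access denied" in str(e.get("message", "")).lower() else default_days
        if now - ts <= timedelta(days=limit):
            kept.append(e)
    return kept
```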

Summary

The script above gives you a robust, paginated export of Agent Log data from the Spirion platform, resuming from the last exported timestamp on each run. By automating this export, you can move technical troubleshooting and health monitoring into your organization's existing operational tools.