설명
Cloud Log Analytics에 저장되어 있는 로그를 검색합니다. 페이징 처리가 가능합니다.
요청
요청 URL
POST https://cloudloganalytics.apigw.gov-ntruss.com/api/{regionCode}-v1/logs/search
요청 헤더
| 헤더명 | 설명 |
|---|---|
| x-ncp-apigw-timestamp | 1970년 1월 1일 00:00:00 협정 세계시(UTC)부터의 경과 시간을 밀리초(Millisecond)로 나타내며 API Gateway 서버와 시간 차가 5분 이상 나는 경우 유효하지 않은 요청으로 간주 x-ncp-apigw-timestamp:{Timestamp} |
| x-ncp-apigw-api-key | APIGW에서 발급받은 키 값x-ncp-apigw-api-key:{API Gateway API Key} |
| x-ncp-iam-access-key | 네이버 클라우드 플랫폼 포털에서 발급받은 Access Key ID 값x-ncp-iam-access-key:{Account Access Key} |
| x-ncp-apigw-signature-v2 | Access Key ID 값과 Secret Key로 암호화한 서명x-ncp-apigw-signature-v2:{API Gateway Signature} |
| Content-Type | Request body content type을 application/json으로 지정Content-Type: application/json |
요청 바디
| Parameter 이름 | Parameter 설명 | 필수 여부 | Available Values | Data Type |
|---|---|---|---|---|
| keyword | 검색 키워드 포함하지 않으면 모든 로그를 검색한다. |
N | ex) error, user | String |
| logTypes | 로그 타입 포함하지 않으면 모든 타입의 로그를 검색한다. |
N | ex) SYSLOG, security_log, tomcat | String |
| timestampFrom | 검색 시작 시간 | N | ex) 1593848345548(timestamp) | String |
| timestampTo | 검색 종료 시간 | N | ex) 1593848345548(timestamp) | String |
| interval | 간격 | N | Default : 5mex) 1d(1일), 1h(1시간), 1m(1분) |
String |
| pageNo | 페이지 번호 | N | Default : 1ex) 1, 2 |
Integer |
| pageSize | 페이지 사이즈 | N | Defatlt : 10ex) 10, 20 |
Integer |
예시
요청 예시
POST https://cloudloganalytics.apigw.gov-ntruss.com/api/{regionCode}-v1/classic/servers/collecting-infos
HOST: cloudloganalytics.apigw.gov-ntruss.com
Content-Type: application/json
x-ncp-apigw-signature-v2: FJSBB4K3XnaGAvVe0Hzj3/2hfNWvgLHR1rQHW2Et2Rs=
x-ncp-apigw-timestamp: 1593848345548
x-ncp-iam-access-key: 11IKBWgQegM4DwiJL4mo
{
"keyword" : "account",
"timestampFrom": "1593848345548",
"timestampTo": "1593848345548",
"interval": "4h",
"pageNo": 1,
"pageSize": 10
}
curl -X POST "https://cloudloganalytics.apigw.gov-ntruss.com/api/{regionCode}-v1/logs/search"
-H "accept: application/json"
-H "Content-Type: application/json"
-H "x-ncp-iam-access-key: 11IKBWgQegM4DwiJL4mo"
-H "x-ncp-apigw-timestamp: 1594036233769"
-H "x-ncp-apigw-signature-v2: fna1XDGxBrUdql0haeWti2UUkI9QePnL08Kdu/JH+rg="
-d "{ \"keyword\" : \"account\", \"timestampFrom\": \"1593848345548\", \"timestampTo\": \"1593848345548\", \"interval\": \"4h\", \"pageNo\": 1, \"pageSize\": 10}"
응답 예시
{
"code": 0,
"message": "요청이 정상적으로 처리되었습니다",
"result": {
"pageSize": 10,
"currentPage": 1,
"totalPage": 944,
"totalCount": 9431,
"isPaged": true,
"chartData": [
[
1593993600000,
763
],
[
1594008000000,
1561
],
[
1594022400000,
1587
],
[
1594036800000,
1564
],
[
1594051200000,
1580
],
[
1594065600000,
1566
],
[
1594080000000,
810
]
],
"searchResult": [
{
"logTime": "1594087365153",
"logType": "wineventlog",
"servername": "cla-test",
"logDetail": "An <span style='background-color: #f39c12;'>account</span> was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tS172553A3C3F$\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tSYSTEM\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x2d0\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the <span style='background-color: #f39c12;'>account</span> on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the <span style='background-color: #f39c12;'>account</span> for whom the new logon was created, i.e. the <span style='background-color: #f39c12;'>account</span> that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
},
{
"logTime": "1594087365153",
"logType": "wineventlog",
"servername": "cla-test",
"logDetail": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tSYSTEM\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege"
},
{
"logTime": "1594087365153",
"logType": "wineventlog",
"servername": "cla-test",
"logDetail": "Permissions on an object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tS172553A3C3F$\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tToken\n\tObject Name:\t-\n\tHandle ID:\t0x6fc\n\nProcess:\n\tProcess ID:\t0x2d0\n\tProcess Name:\tC:\\Windows\\System32\\services.exe\n\nPermissions Change:\n\tOriginal Security Descriptor:\tD:(A;;GA;;;SY)(A;;RCGXGR;;;BA)\n\tNew Security Descriptor:\tD:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-1851371743-411767070-3743290205-1090512353-603110601)"
},
{
"logTime": "1594087365058",
"logType": "wineventlog",
"servername": "cla-test",
"logDetail": "Permissions on an object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tS172553A3C3F$\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tToken\n\tObject Name:\t-\n\tHandle ID:\t0x3340\n\nProcess:\n\tProcess ID:\t0x3fc\n\tProcess Name:\tC:\\Windows\\System32\\svchost.exe\n\nPermissions Change:\n\tOriginal Security Descriptor:\tD:(A;;GA;;;SY)(A;;GA;;;NS)\n\tNew Security Descriptor:\tD:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-86-615999462-62705297-2911207457-59056572-3668589837)"
},
{
"logTime": "1594087365040",
"logType": "wineventlog",
"servername": "cla-test",
"logDetail": "An <span style='background-color: #f39c12;'>account</span> was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tS172553A3C3F$\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tSYSTEM\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x2d0\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the <span style='background-color: #f39c12;'>account</span> on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the <span style='background-color: #f39c12;'>account</span> for whom the new logon was created, i.e. the <span style='background-color: #f39c12;'>account</span> that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
},
{
"logTime": "1594087365040",
"logType": "wineventlog",
"servername": "cla-test",
"logDetail": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tSYSTEM\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege"
},
{
"logTime": "1594087365040",
"logType": "wineventlog",
"servername": "cla-test",
"logDetail": "Permissions on an object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tS172553A3C3F$\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tToken\n\tObject Name:\t-\n\tHandle ID:\t0x7d0\n\nProcess:\n\tProcess ID:\t0x2d0\n\tProcess Name:\tC:\\Windows\\System32\\services.exe\n\nPermissions Change:\n\tOriginal Security Descriptor:\tD:(A;;GA;;;SY)(A;;RCGXGR;;;BA)\n\tNew Security Descriptor:\tD:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-1851371743-411767070-3743290205-1090512353-603110601)"
},
{
"logTime": "1594087305101",
"logType": "wineventlog",
"servername": "cla-test",
"logDetail": "An <span style='background-color: #f39c12;'>account</span> was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tS172553A3C3F$\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tSYSTEM\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x2d0\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the <span style='background-color: #f39c12;'>account</span> on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the <span style='background-color: #f39c12;'>account</span> for whom the new logon was created, i.e. the <span style='background-color: #f39c12;'>account</span> that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
},
{
"logTime": "1594087305101",
"logType": "wineventlog",
"servername": "cla-test",
"logDetail": "Permissions on an object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tS172553A3C3F$\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tToken\n\tObject Name:\t-\n\tHandle ID:\t0x748\n\nProcess:\n\tProcess ID:\t0x2d0\n\tProcess Name:\tC:\\Windows\\System32\\services.exe\n\nPermissions Change:\n\tOriginal Security Descriptor:\tD:(A;;GA;;;SY)(A;;RCGXGR;;;BA)\n\tNew Security Descriptor:\tD:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-1851371743-411767070-3743290205-1090512353-603110601)"
},
{
"logTime": "1594087305101",
"logType": "wineventlog",
"servername": "cla-test",
"logDetail": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\t<span style='background-color: #f39c12;'>Account</span> Name:\t\tSYSTEM\n\t<span style='background-color: #f39c12;'>Account</span> Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege"
}
]
}
}