Search Traffic Logs by Destination IP#
Search for all traffic logs matching a specific destination IP address.
All code examples tested: verified against FortiAnalyzer v7.4.8, v7.6.4, v8.0.0.
Overview#
This example shows how to search traffic logs filtered by destination IP address - useful for:
Investigating connections to specific servers or services
Tracking traffic to external IP addresses
Security incident analysis for known malicious IPs
Compliance auditing for access to regulated systems
This operation uses the two-step asynchronous pattern. See the LogView Search Overview for complete workflow details, polling strategies, and pagination examples.
Endpoint Details#
Method: POST
URL: /jsonrpc
API Path (Step 1): /logview/adom/{adom}/logsearch
API Path (Step 2): /logview/adom/{adom}/logsearch/{tid}
Step 1: Submit Search Request#
Key Parameters#
| Parameter | Type | Required | Description |
|---|---|---|---|
| `adom` | string | Yes | ADOM name (e.g., "root") |
| `device` | array | Yes | Device list to search |
| `logtype` | string | Yes | Must be `traffic` |
| `filter` | string | Yes | Filter expression (see Filter Syntax below) |
| `time-range` | object | Yes | Time range for search |
Filter Syntax#
Single IP:
dstip==192.168.1.100
IP with Subnet:
dstip==192.168.1.0/24
Combined Filters:
dstip==192.168.1.100 and dstport==443
dstip==10.0.0.0/8 and action==deny
{
"method": "add",
"params": [{
"url": "/logview/adom/root/logsearch",
"data": {
"device": [{"devname": "FGT-01"}],
"logtype": "traffic",
"filter": "dstip==154.52.10.106",
"time-range": {
"start": "2025-11-09 00:00:00",
"end": "2025-11-09 23:59:59"
}
}
}],
"session": "{{session_id}}",
"id": 1
}
{
"result": [{
"data": {
"tid": 12345
},
"status": {
"code": 0,
"message": "OK"
}
}]
}
Note: save the TID value for Step 2.
Step 2: Fetch Results#
Use the TID from Step 1 to poll and retrieve results. See LogView Search Overview for complete polling implementation.
{
"method": "get",
"params": [{
"url": "/logview/adom/root/logsearch/12345",
"data": {
"limit": 100,
"offset": 0
}
}],
"session": "{{session_id}}",
"id": 2
}
{
"result": [{
"data": {
"tid": 12345,
"status": "done",
"percentage": 100,
"total_lines": 45,
"logs": [
{
"date": "2025-11-09",
"time": "14:23:15",
"devname": "FGT-01",
"srcip": "10.0.1.100",
"srcport": 54321,
"dstip": "154.52.10.106",
"dstport": 443,
"action": "accept",
"policyid": 5,
"service": "HTTPS",
"sentbyte": 2048,
"rcvdbyte": 8192
}
]
},
"status": {
"code": 0,
"message": "OK"
}
}]
}
Complete Python Example#
import ipaddress
import json
import time

import requests
import urllib3
# Suppress the InsecureRequestWarning that urllib3 emits for every request
# made with verify=False (as search_by_destination_ip does below). Only the
# warning is silenced, not the risk: with certificate validation off, the
# session ID carried in each request body is exposed to anyone who can
# intercept the connection. Prefer verify=True or a CA bundle path outside a lab.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
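def search_by_destination_ip(
    session_id,
    adom,
    device,
    dst_ip,
    time_range,
    *,
    base_url="https://faz.example.com",
    verify=False,
    request_timeout=30,
    poll_interval=2,
    max_wait=600,
):
    """
    Search traffic logs by destination IP.

    Submits a logsearch task (Step 1) and polls it until FortiAnalyzer
    reports ``status == "done"`` and ``percentage == 100`` (Step 2), then
    returns the ``logs`` array of that final response.

    Args:
        session_id: Active session ID (sent in every request body, so the
            transport must be trustworthy - see ``verify``)
        adom: ADOM name
        device: Device name, or a list of ``{"devname": ...}`` dicts
        dst_ip: Destination IP address or subnet, e.g. "192.168.1.100" or
            "192.168.1.0/24". Validated with ``ipaddress`` so only an address
            or CIDR can be interpolated into the filter expression.
        time_range: Time range dict, passed through unchanged
        base_url: Scheme and host of the FortiAnalyzer; "/jsonrpc" is appended
        verify: Passed to ``requests.post``. ``False`` (the original default)
            disables TLS certificate validation; use ``True`` or a CA bundle
            path when the FortiAnalyzer certificate can be validated.
        request_timeout: Per-request timeout in seconds, so a hung connection
            cannot block the caller forever
        poll_interval: Seconds to sleep between status polls
        max_wait: Maximum seconds to wait for the search to finish

    Returns:
        list: Matching log entries

    Raises:
        ValueError: ``dst_ip`` is not a valid IP address or subnet
        Exception: an API call returned a non-zero status code
            (HTTP-level errors propagate as ``requests.HTTPError``)
        TimeoutError: the search did not finish within ``max_wait`` seconds

    NOTE(review): the poll request sends no ``limit``/``offset`` (compare the
    Step 2 JSON example), so presumably the server's default page of results
    is returned; add them via the overview's pagination pattern if needed.
    """
    # Reject anything that is not an address or CIDR *before* it reaches the
    # filter string, so a caller-supplied value cannot extend or rewrite the
    # filter expression (e.g. by appending further "and"/"or" clauses).
    ipaddress.ip_network(dst_ip, strict=False)

    url = f"{base_url}/jsonrpc"

    def _call(payload):
        """POST one JSON-RPC payload and return its first result entry, or raise."""
        response = requests.post(url, json=payload, verify=verify, timeout=request_timeout)
        response.raise_for_status()
        entry = response.json()['result'][0]
        if entry['status']['code'] != 0:
            raise Exception(f"Search failed: {entry['status']['message']}")
        return entry

    # Step 1: Submit search
    submit_payload = {
        "method": "add",
        "params": [{
            "url": f"/logview/adom/{adom}/logsearch",
            "data": {
                "device": [{"devname": device}] if isinstance(device, str) else device,
                "logtype": "traffic",
                "filter": f"dstip=={dst_ip}",
                "time-range": time_range
            }
        }],
        "session": session_id,
        "id": 1
    }
    tid = _call(submit_payload)['data']['tid']
    print(f"β Search submitted. TID: {tid}")

    # Step 2: Poll until complete, giving up after max_wait so a search the
    # server never finishes cannot spin this loop indefinitely.
    poll_payload = {
        "method": "get",
        "params": [{
            "url": f"/logview/adom/{adom}/logsearch/{tid}"
        }],
        "session": session_id,
        "id": 2
    }
    deadline = time.monotonic() + max_wait
    while True:
        data = _call(poll_payload)['data']
        if data['status'] == 'done' and data['percentage'] == 100:
            print(f"β Found {data['total_lines']} logs")
            return data.get('logs', [])
        print(f" Status: {data['percentage']}%")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"Search {tid} not done after {max_wait}s")
        time.sleep(poll_interval)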
# Example usage: search one device for a single destination address over one day
logs = search_by_destination_ip(
    session_id="your_session_id",
    adom="root",
    device="FGT-01",
    dst_ip="154.52.10.106",
    time_range={
        "start": "2025-11-09 00:00:00",
        "end": "2025-11-09 23:59:59"
    }
)

# Display results: print at most the first five entries as "time | src -> dst | action"
for entry in logs[:5]:
    src = f"{entry['srcip']}:{entry['srcport']}"
    dst = f"{entry['dstip']}:{entry['dstport']}"
    print(f"{entry['time']} | {src} -> {dst} | {entry['action']}")
Use Cases#
Investigate Traffic to Specific Server#
# Find all connections to database server (last 24 hours, across all FortiGates)
db_query = {
    "session_id": session,
    "adom": "root",
    "device": "All_FortiGate",
    "dst_ip": "10.10.10.50",
    "time_range": {"last-n-hours": 24},
}
search_by_destination_ip(**db_query)
Track External API Calls#
# Monitor traffic to external API endpoint (last hour, DMZ FortiGate only)
api_query = {
    "session_id": session,
    "adom": "root",
    "device": "FGT-DMZ",
    "dst_ip": "203.0.113.45",
    "time_range": {"last-n-hours": 1},
}
search_by_destination_ip(**api_query)
Security Analysis#
# Investigate connections to suspicious IP (last 48 hours, across all FortiGates)
ioc_query = {
    "session_id": session,
    "adom": "root",
    "device": "All_FortiGate",
    "dst_ip": "198.51.100.75",
    "time_range": {"last-n-hours": 48},
}
search_by_destination_ip(**ioc_query)