Search Webfilter Logs
Search for web filtering logs to analyze blocked websites, URL filtering activity, and web access patterns.
✅ All code examples tested: Verified against FortiAnalyzer v7.4.8, v7.6.4, v8.0.0.
Overview
This example shows how to search webfilter logs - useful for:
Investigating blocked website access attempts
Monitoring web filtering policy effectiveness
Compliance reporting on web access
Identifying users visiting inappropriate sites
Analyzing web threat patterns
This operation uses the two-step asynchronous pattern. See the LogView Search Overview for complete workflow details.
Endpoint Details
Method: POST
URL: /jsonrpc
API Path (Step 1): /logview/adom/{adom}/logsearch
API Path (Step 2): /logview/adom/{adom}/logsearch/{tid}
Step 1: Submit Search Request
Key Parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
|  |  | Yes | ADOM name (e.g., “root”) |
|  |  | Optional | Device list (omit for all devices) |
|  |  | Yes | Must be |
|  |  | No | Filter expression (e.g., “action=blocked”) |
|  |  | Yes | Time range for search |
Common Filters
Blocked Sites:
action=blocked
Specific Category:
cat desc=gambling
cat desc=social-networking
By User:
user=jdoe
By URL Pattern:
hostname contains "facebook"
Combined Filters:
action=blocked and user=jdoe
cat desc=malware and action=blocked
Request:

```json
{
  "method": "add",
  "params": [{
    "url": "/logview/adom/root/logsearch",
    "data": {
      "logtype": "webfilter",
      "filter": "action=blocked",
      "time-range": {
        "start": "2025-11-09 00:00:00",
        "end": "2025-11-09 23:59:59"
      }
    }
  }],
  "session": "{{session_id}}",
  "id": 1
}
```

Response:

```json
{
  "result": [{
    "data": {
      "tid": 12346
    },
    "status": {
      "code": 0,
      "message": "OK"
    }
  }]
}
```
Step 2: Fetch Results

Request:

```json
{
  "method": "get",
  "params": [{
    "url": "/logview/adom/root/logsearch/12346",
    "data": {
      "limit": 100,
      "offset": 0
    }
  }],
  "session": "{{session_id}}",
  "id": 2
}
```

Response:

```json
{
  "result": [{
    "data": {
      "tid": 12346,
      "status": "done",
      "percentage": 100,
      "total_lines": 127,
      "logs": [
        {
          "date": "2025-11-09",
          "time": "09:15:32",
          "devname": "FGT-01",
          "srcip": "10.0.1.50",
          "user": "jdoe",
          "hostname": "blocked-site.example.com",
          "url": "https://blocked-site.example.com/page",
          "action": "blocked",
          "cat desc": "gambling",
          "policyid": 10
        }
      ]
    },
    "status": {
      "code": 0,
      "message": "OK"
    }
  }]
}
```
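The Step 2 request pages with limit and offset, and the sample response reports total_lines of 127 against a limit of 100, so a single fetch does not return every match. The following is an added example (not part of the original page or of any FortiAnalyzer SDK) that polls with a bounded wait and then pages until all rows are collected. `post` is a hypothetical transport callable, and `fake_faz` with its "running" status value is a constructed stand-in so the logic runs offline.

```python
import time

def fetch_all_logs(post, session_id, adom, tid, page_size=100,
                   poll_interval=2.0, max_wait=120.0):
    """Poll search task `tid` until done, then page through every result.
    post: hypothetical transport, callable(payload) -> decoded JSON response."""
    def call(offset):
        payload = {
            "method": "get",
            "params": [{"url": f"/logview/adom/{adom}/logsearch/{tid}",
                        "data": {"limit": page_size, "offset": offset}}],
            "session": session_id, "id": 2,
        }
        result = post(payload)["result"][0]
        if result["status"]["code"] != 0:  # surface Step 2 errors too
            raise RuntimeError(f"Fetch failed: {result['status']['message']}")
        return result["data"]

    # Wait for completion, bounded so a stuck search cannot hang the caller.
    deadline = time.monotonic() + max_wait
    while True:
        data = call(0)
        if data["status"] == "done" and data["percentage"] == 100:
            break
        if time.monotonic() >= deadline:
            raise TimeoutError(f"Search {tid} not done after {max_wait}s")
        time.sleep(poll_interval)

    # The finished poll already holds page one; fetch the rest by offset.
    total, logs = data["total_lines"], list(data.get("logs", []))
    while len(logs) < total:
        page = call(len(logs)).get("logs", [])
        if not page:  # short read: stop instead of looping forever
            break
        logs.extend(page)
    return logs

def fake_faz(rows, polls_before_done=2):
    """Constructed stand-in for the appliance (offline demo, not a real API)."""
    state = {"polls": 0}
    def post(payload):
        d = payload["params"][0]["data"]
        state["polls"] += 1
        done = state["polls"] > polls_before_done
        page = rows[d["offset"]:d["offset"] + d["limit"]] if done else []
        data = {"status": "done" if done else "running", "logs": page,
                "percentage": 100 if done else 50, "total_lines": len(rows)}
        return {"result": [{"data": data, "status": {"code": 0, "message": "OK"}}]}
    return post
```

Against a real appliance, pass a `post` that wraps `requests.post(url, json=payload).json()` with the session obtained at login.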
Complete Python Example

```python
import requests
import urllib3
import time

# The requests below pass verify=False, which skips TLS certificate
# validation; this line only silences the resulting warning. Outside a lab,
# pass verify="/path/to/ca-bundle.pem" instead and drop this line.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def search_webfilter_logs(session_id, adom, filter_expr, time_range):
    """
    Search webfilter logs

    Args:
        session_id: Active session ID
        adom: ADOM name
        filter_expr: Filter expression (e.g., "action=blocked")
        time_range: Time range dict

    Returns:
        list: Matching webfilter log entries
    """
    url = "https://faz.example.com/jsonrpc"

    # Step 1: Submit search
    payload = {
        "method": "add",
        "params": [{
            "url": f"/logview/adom/{adom}/logsearch",
            "data": {
                "logtype": "webfilter",
                "filter": filter_expr,
                "time-range": time_range
            }
        }],
        "session": session_id,
        "id": 1
    }
    response = requests.post(url, json=payload, verify=False)
    result = response.json()

    if result['result'][0]['status']['code'] != 0:
        raise Exception(f"Search failed: {result['result'][0]['status']['message']}")

    # The task ID identifies this search in the Step 2 requests
    tid = result['result'][0]['data']['tid']
    print(f"✓ Webfilter search submitted. TID: {tid}")

    # Step 2: Poll and fetch
    while True:
        payload = {
            "method": "get",
            "params": [{
                "url": f"/logview/adom/{adom}/logsearch/{tid}"
            }],
            "session": session_id,
            "id": 2
        }
        response = requests.post(url, json=payload, verify=False)
        data = response.json()['result'][0]['data']

        if data['status'] == 'done' and data['percentage'] == 100:
            print(f"✓ Found {data['total_lines']} webfilter logs")
            return data.get('logs', [])

        print(f"  Status: {data['percentage']}%")
        time.sleep(2)


# Example: Find all blocked websites in last 24 hours
logs = search_webfilter_logs(
    session_id="your_session_id",
    adom="root",
    filter_expr="action=blocked",
    time_range={"last-n-hours": 24}
)

# Display summary
for log in logs[:10]:
    print(f"{log['time']} | {log.get('user', 'unknown')} -> "
          f"{log['hostname']} | Category: {log.get('cat desc', 'N/A')}")
```
Use Cases
Monitor Blocked Access Attempts

```python
# Find all blocked website access in last 24 hours
logs = search_webfilter_logs(
    session_id=session,
    adom="root",
    filter_expr="action=blocked",
    time_range={"last-n-hours": 24}
)
```

Investigate Specific User Activity

```python
# Check web filtering for specific user
logs = search_webfilter_logs(
    session_id=session,
    adom="root",
    filter_expr="user=jsmith and action=blocked",
    time_range={"last-n-hours": 8}
)
```

Category Analysis

```python
# Find all social media access attempts
logs = search_webfilter_logs(
    session_id=session,
    adom="root",
    filter_expr='cat desc=social-networking',
    time_range={"last-n-hours": 24}
)
```

Compliance Reporting

```python
# Generate report of inappropriate content access
logs = search_webfilter_logs(
    session_id=session,
    adom="root",
    filter_expr='(cat desc=gambling or cat desc=adult) and action=blocked',
    time_range={
        "start": "2025-11-01 00:00:00",
        "end": "2025-11-30 23:59:59"
    }
)
```
Webfilter Categories
Common category descriptors for filtering:
gambling - Gambling and betting sites
social-networking - Social media platforms
adult - Adult content
malware - Known malware sites
phishing - Phishing sites
spyware - Spyware and adware
file-sharing - File sharing and P2P
streaming-media - Video streaming sites
gaming - Online gaming sites