# Lesson 3 - Logging Service

## Overview

The Logging Service is a Palo Alto Networks cloud service which allows
for the storage and retrieval of logging data. Any type of textual
logging data can be stored in the Logging Service. Palo Alto Networks
firewalls and software can write logging data to this service, as can
the software and services created by Palo Alto Network's various
partners.

The `pancloud` SDK comes packaged with a client library for interacting with
the Logging Service. In addition to low-level coverage of the API, the `LoggingService`
class also provides helper methods for performing log pagination.

In this lesson we'll step through the process of generating, accessing, storing and refreshing credentials.

> **Note:** Run the following code cells using the <button class="btn btn-default btn-xs"><i class="fa-step-forward fa"></i><span class="toolbar-btn-label">Run</span></button> button or `Shift-Enter`.

**Step 1: Import LoggingService**  
To get started, you will first need to import the `LoggingService` class.

In [1]:
from pancloud import LoggingService

Since we're planning to access protected API endpoints, we'll also need `Credentials`.

In [2]:
from pancloud import Credentials

**Step 2: Instantiate LoggingService class**

> **Note:** Passing `credentials` into a `LoggingService` instance will automatically handle applying the `access_token` to the authorization header.

In [3]:
# API Gateway URL
url = 'https://apigw-stg4.us.paloaltonetworks.com'

ls = LoggingService(url=url, credentials=Credentials())

**Step 3: Query**
Let's start with a basic `query()` example

In [4]:
d = {
    "query": "select * from panw.traffic limit 1",
    "startTime": 0,  # 1970
    "endTime": 1609459200,  # 2021
    "maxWaitTime": 0  # guarantees no logs in initial response
}

# Query the Logging Service
q = ls.query(json=d)

Now that we've performed a `query()`, let's take a peek at the raw, JSON response.

In [5]:
q.text

'{"queryId":"af1a9d5a-8f88-441a-8061-1c7db78f0746","sequenceNo":0,"queryStatus":"RUNNING","clientParameters":{},"result":{"esResult":null,"esQuery":{"table":["panw.traffic"],"query":{"aggregations":{},"size":1},"selections":[],"params":{}}}}'

Use the built-in `json()` method to convert the raw response into a python `dict` object.

In [6]:
q.json()

{'queryId': 'af1a9d5a-8f88-441a-8061-1c7db78f0746',
 'sequenceNo': 0,
 'queryStatus': 'RUNNING',
 'clientParameters': {},
 'result': {'esResult': None,
  'esQuery': {'table': ['panw.traffic'],
   'query': {'aggregations': {}, 'size': 1},
   'selections': [],
   'params': {}}}}

**Step 4: Poll**
Let's use the `queryId` to `poll()` for results

In [7]:
query_id = q.json()['queryId']  # access 'queryId' from 'query' response

params = {  # Prepare 'poll' parameters
    "maxWaitTime": 3000
}

# Poll 'query' for results
p = ls.poll(
    query_id=query_id, 
    sequence_no=0, 
    params=params
)

Now that we've performed a `poll()`, let's take a peek at the raw, JSON response.

In [8]:
p.text

'{"queryId":"af1a9d5a-8f88-441a-8061-1c7db78f0746","sequenceNo":0,"queryStatus":"JOB_FINISHED","clientParameters":{},"result":{"esResult":{"took":120,"hits":{"total":72045,"maxScore":2,"hits":[{"_index":"147278001_panw.all_2018073000-2018080900_000000","_type":"traffic","_id":"147278001_lcaas:0:23188:1","_score":2,"_source":{"risk-of-app":"4","logset":"ForwardToLoggingService","bytes_received":2053,"natsport":24969,"sessionid":423752,"type":"traffic","parent_start_time":0,"packets":17,"characteristic-of-app":["able-to-transfer-file","has-known-vulnerability","tunnel-other-application","prone-to-misuse","is-saas"],"dg_hier_level_4":0,"dg_hier_level_1":11,"dg_hier_level_3":0,"dg_hier_level_2":0,"action":"allow","recsize":1524,"from":"L3-Untrust","parent_session_id":0,"repeatcnt":1,"app":"ms-rdp","vsys":"vsys1","nat":1,"technology-of-app":"client-server","pkts_received":8,"chunks_sent":0,"receive_time":1532908827,"non-standard-dport":0,"subcategory-of-app":"remote-access","chunks_received

Use the `json()` method to convert the raw response into a python `dict` object.

In [9]:
p.json()

{'queryId': 'af1a9d5a-8f88-441a-8061-1c7db78f0746',
 'sequenceNo': 0,
 'queryStatus': 'JOB_FINISHED',
 'clientParameters': {},
 'result': {'esResult': {'took': 120,
   'hits': {'total': 72045,
    'maxScore': 2,
    'hits': [{'_index': '147278001_panw.all_2018073000-2018080900_000000',
      '_type': 'traffic',
      '_id': '147278001_lcaas:0:23188:1',
      '_score': 2,
      '_source': {'risk-of-app': '4',
       'logset': 'ForwardToLoggingService',
       'bytes_received': 2053,
       'natsport': 24969,
       'sessionid': 423752,
       'type': 'traffic',
       'parent_start_time': 0,
       'packets': 17,
       'characteristic-of-app': ['able-to-transfer-file',
        'has-known-vulnerability',
        'tunnel-other-application',
        'prone-to-misuse',
        'is-saas'],
       'dg_hier_level_4': 0,
       'dg_hier_level_1': 11,
       'dg_hier_level_3': 0,
       'dg_hier_level_2': 0,
       'action': 'allow',
       'recsize': 1524,
       'from': 'L3-Untrust',
       '