serge_FTNT
Staff
November 24, 2005

Technical Tip: How to perform a syslog and log test on a FortiGate with the 'diagnose log test' command


Description

This article describes how to perform a syslog/FortiAnalyzer/log test and how to check the resulting log entries on the FortiGate and on the FortiAnalyzer.

Scope

FortiGate.

Solution

It is possible to perform a log entry test from the FortiGate CLI using the 'diag log test' command. This creates various test log entries on the unit's hard disk, on a configured syslog server, on a FortiAnalyzer device, on a WebTrends device, or on the unit's System Dashboard (System -> Status).

As the output differs depending on the FortiOS version, the following are examples of the command, run from the global VDOM, that generate test logs:

FortiGate # diagnose log test

generating an allowed traffic message with level - warning
generating a system event message with level - warning
generating a HA event message with level - warning
generating a infected virus message with level - warning
generating a blocked virus message with level - warning
generating an attack detection message with level - warning
generating a blacklist email message with level - warning
generating a URL block message with level - warning

 

On v7.2.11, the options would be as follows:

FortiGate # diagnose log test

generating an infected virus message with level - warning
generating a blocked virus message with level - warning
generating a URL block message with level - warning
generating a DLP message with level - warning
generating an IPS log message
generating an botnet log message
generating an anomaly log message
generating an application control IM message with level - information
generating an IPv6 application control IM message with level - information
generating deep application control logs with level - information
generating an antispam message with level - notification
generating a URL block message with level - warning
generating an ssh-command pass log with level - notification
generating an ssh-channel block with level - warning
generating an ssl-cert_blocklisted log with level - warning
generating FortiSwitch logs

On v7.4.7, the following entries have been added:

FortiGate # diagnose log test

generating a File Filter log with level - warning
generating a icap log with level - warning
generating a sctp filter log with level - warning
generating a virtual ot patch log with level - warning
generating a CASB monitor log with level - information

 

Entries on v7.6.2 are the same as on v7.4.7.

From the FortiGate GUI, the results of the 'diagnose log test' command can be viewed under Log & Report -> Security Events; on the 'Summary' page, the AntiVirus logs are displayed by default. The test logs should appear as shown below:

[Screenshot antivirus.png: Security Events summary page showing the AntiVirus test logs]

To view the other generated test logs, open the drop-down menu that shows 'AntiVirus' and select the desired log type, such as Web Filter, SSL, DNS Query or File Filter, as shown below:

[Screenshot Article-Edit_194606.png: log type drop-down menu on the Security Events page]

The following is the list of log categories under which the various test log entries can be filtered (output may vary depending on the FortiOS version).

FortiGate # execute log filter category
Available categories:
 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: anomaly
 8: voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: dns

On v7.2.11, the list looks as follows:

FortiGate # execute log filter category
Available categories:
 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: utm-anomaly
 8: utm-voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: utm-dns
16: utm-ssh
17: utm-ssl
19: utm-file-filter
20: utm-icap
22: utm-sctp-filter
23: forti-switch

On v7.4.7, the following have been added:

FortiGate # execute log filter category

24: utm-virtual-patch
25: utm-casb

Entries on v7.6.2 are the same as on v7.4.7.

Example, run on the FortiGate:

FortiGate # diagnose log test 1 15 10 10 true 1692950676 0X0010 <----- To simulate a botnet log, the mask is set to 0X0010.

On the FortiAnalyzer side, the resulting entry can be observed under FortiView -> Threats.

[Screenshot botnet_test.png: FortiAnalyzer FortiView -> Threats showing the botnet test entry]

FortiGate # diagnose log test  <----- Press 'Enter' and all options are shown.
masks:
Virus: 0X0001
URL: 0X0002
DLP: 0X0004
IPS: 0X0008
BOTNET: 0X0010
ANOMALLY: 0X0020
APP: 0X0040
APP6: 0X0080
Deep App: 0X0100
Email: 0X0200
CR Web: 0X0400
SSH: 0X0800
SSL: 0X1000
diag log test <repeat> [<sleep-duration(milliseconds)> <# of srcip> <# of dstip> <gen-traffic-log> <seed> <masks>]
diag log test (repeat: 1) (sleep-duration(milliseconds): 10) (# of srcip: 10) (# of dstip: 10) (gen-traffic-log:True) (seed: 1692950676) (masks: ffffffff)
generating a system event message with level - warning
generating authentication event messages
1: generating an infected virus message with level - warning
1: generating a blocked virus message with level - warning
1: generating a URL block message with level - warning
1: generating a DLP message with level - warning
1: generating an IPS log message
1: generating an botnet log message
1: generating an anomaly log message
1: generating an application control IM message with level - information
1: generating an IPv6 application control IM message with level - information
1: generating deep application control logs with level - information
1: generating an antispam message with level - notification
1: generating a URL block message with level - warning
1: generating an ssh-command pass log with level - notification
1: generating an ssh-channel block with level - warning
1: generating an ssl-cert_blocklisted log with level - warning
1: generating FortiSwitch logs
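The usage text above shows that the last argument is a bit mask: each log type has one bit, 0X0010 alone selects the botnet log (the earlier example), and ffffffff selects all of them. The following helper, added here and not FortiOS code, takes the mask table and argument order exactly as printed in that usage output and lets the operator compose a mask from log type names, decode a mask back into the types it will generate, and render the full command line; the function and parameter names are this example's own choice.

```python
"""Helper for the 'diagnose log test' mask and argument list.

Added example, not FortiOS code. The mask table and the argument order are
taken from the usage output of 'diagnose log test' quoted in this article;
the function and parameter names are the author's own choice.
"""
from typing import Dict, Iterable, List, Optional

# Bit masks exactly as 'diagnose log test' prints them (spelling included).
LOG_TEST_MASKS: Dict[str, int] = {
    "Virus": 0x0001,
    "URL": 0x0002,
    "DLP": 0x0004,
    "IPS": 0x0008,
    "BOTNET": 0x0010,
    "ANOMALLY": 0x0020,
    "APP": 0x0040,
    "APP6": 0x0080,
    "Deep App": 0x0100,
    "Email": 0x0200,
    "CR Web": 0x0400,
    "SSH": 0x0800,
    "SSL": 0x1000,
}


def build_mask(names: Iterable[str]) -> int:
    """OR together the bits for the named log types; an unknown name is an error."""
    mask = 0
    for name in names:
        if name not in LOG_TEST_MASKS:
            raise ValueError(f"unknown 'diagnose log test' type: {name!r}")
        mask |= LOG_TEST_MASKS[name]
    return mask


def decode_mask(mask: int) -> List[str]:
    """List the log types a mask selects, in table order (ffffffff selects all of them)."""
    return [name for name, bit in LOG_TEST_MASKS.items() if mask & bit]


def build_command(repeat: int, sleep_ms: Optional[int] = None,
                  n_srcip: Optional[int] = None, n_dstip: Optional[int] = None,
                  gen_traffic_log: Optional[bool] = None,
                  seed: Optional[int] = None, mask: Optional[int] = None) -> str:
    """Render a full CLI line following the usage text quoted in the article:

    diag log test <repeat> [<sleep-duration(milliseconds)> <# of srcip>
                            <# of dstip> <gen-traffic-log> <seed> <masks>]

    The bracketed arguments are positional, so a later one cannot be given
    while an earlier one is left out; the mask is written as 0X<hex>, the
    form used in the botnet example.
    """
    tail = [sleep_ms, n_srcip, n_dstip, gen_traffic_log, seed, mask]
    last = max((i for i, v in enumerate(tail) if v is not None), default=-1)
    if any(v is None for v in tail[: last + 1]):
        raise ValueError("optional arguments are positional; supply every earlier one")
    formatters = [str, str, str, lambda b: "true" if b else "false", str,
                  lambda m: f"0X{m:04X}"]
    parts = ["diagnose log test", str(repeat)]
    for value, fmt in zip(tail, formatters):
        if value is None:
            break
        parts.append(fmt(value))
    return " ".join(parts)


if __name__ == "__main__":
    print(decode_mask(0x0010))                              # ['BOTNET']
    print(build_command(1, 15, 10, 10, True, 1692950676,
                        build_mask(["BOTNET"])))            # the article's example line
    print(decode_mask(0xFFFFFFFF))                          # every type in the table
```

Decoding a mask before running the command is a cheap way to check that a test on a production unit will only generate the log types the log server is expected to receive, rather than the full ffffffff set.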

 

In the FortiAnalyzer Event logs, the command will generate the following logs automatically:

[Screenshot image (8) (1).png: FortiAnalyzer Event logs generated by the command]

If the FortiGate is showing the logs but the FortiAnalyzer/syslog server is not receiving them, perform the following steps:

  1. Basic connectivity check: ping the FortiAnalyzer/syslog server from the FortiGate CLI.
  2. If the ping is successful, run the following packet capture to see the TCP handshake and whether (and which) device resets the connection:

diagnose sniffer packet any 'host x.x.x.x' 4 0 l    <----- x.x.x.x is the log server IP.

Note:
Run in the management VDOM.
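The steps above cover the FortiGate side. As an added example (not Fortinet code), the script below is the matching check on the log server: a minimal UDP syslog receiver that tallies the records it gets by type/subtype, so one can tell whether the test logs arrive at all and which categories are missing. It assumes the FortiGate's default syslog output (space-separated key=value fields, values optionally double-quoted, after an optional <PRI> prefix) on UDP port 514, the FortiOS default syslog mode; note that with UDP syslog there is no TCP handshake to look for in the sniffer output, only outbound datagrams. The sample records are constructed for the test, not captured from a device.

```python
"""Minimal UDP syslog receiver to confirm FortiGate test logs reach the log server.

Added example, not Fortinet code. Assumes the default FortiGate syslog record
format (key=value pairs, values optionally double-quoted, optional <PRI>
prefix) and UDP transport. Function names are this example's own.
"""
import re
import socket
from collections import Counter
from typing import Dict, Iterable, List

# key=value tokens; a quoted value may contain spaces and escaped quotes.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate syslog record into a dict, dropping the <PRI> header."""
    body = re.sub(r"^<\d{1,3}>", "", line.strip())
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(body):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def tally_by_category(lines: Iterable[str]) -> Counter:
    """Count records as 'type/subtype'; lines without a type field count as 'unparsed'."""
    counts: Counter = Counter()
    for line in lines:
        fields = parse_fortigate_log(line)
        if "type" not in fields:
            counts["unparsed"] += 1
            continue
        counts[f"{fields['type']}/{fields.get('subtype', '-')}"] += 1
    return counts


def receive_syslog(bind_addr: str = "0.0.0.0", port: int = 514,
                   max_records: int = 50, timeout_s: float = 30.0) -> List[str]:
    """Collect UDP syslog datagrams; stop after max_records or after timeout_s
    seconds of silence. Binding port 514 needs privileges on most systems."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout_s)
    sock.bind((bind_addr, port))
    records: List[str] = []
    try:
        while len(records) < max_records:
            try:
                data, _peer = sock.recvfrom(65535)
            except socket.timeout:
                break
            records.append(data.decode("utf-8", errors="replace"))
    finally:
        sock.close()
    return records


# Constructed sample records (not captured from a real device).
SAMPLE_RECORDS = [
    '<189>date=2023-08-25 time=08:04:36 devname="FGT-TEST" type="utm" '
    'subtype="virus" eventtype="infected" level="warning" msg="File is infected."',
    '<189>date=2023-08-25 time=08:04:36 devname="FGT-TEST" type="utm" '
    'subtype="webfilter" eventtype="urlfilter" level="warning"',
    '<189>date=2023-08-25 time=08:04:36 devname="FGT-TEST" type="utm" '
    'subtype="virus" eventtype="blocked" level="warning"',
    "garbage line without fields",
]


if __name__ == "__main__":
    print("listening on UDP 514; run 'diagnose log test' on the FortiGate now")
    received = receive_syslog()
    if not received:
        print("nothing received: check the syslog destination configured on the "
              "FortiGate, the VDOM/route used to reach this host, and any filtering in between")
    for category, n in sorted(tally_by_category(received).items()):
        print(f"{n:4d}  {category}")
```

Run it on the syslog host before issuing 'diagnose log test'; an empty result with the FortiGate showing the logs locally points at the path between the two devices, while a tally that lacks a category points at log filtering on the FortiGate or a test mask that did not select it.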

 

Related articles:

Technical Tip: Logs generated while using the 'diagnose log test' command

Technical Tip: Standard procedure to format a FortiGate Log Disk, log backup from disk

Technical Tip: How to download Logs from FortiGate GUI

Technical Tip: How to configure logging in memory in later FortiOS

Technical Tip: How to check/filter configuration changes logs

Technical Tip: How to download disk logs in plaintext format avoid performing LZ4 decompression using CLI

Technical Tip: Download Debug Logs and 'execute tac report'

Technical Tip: How to configure syslog on FortiGate

Technical Tip: Logs are not generating in firewall