jbindra
Staff
October 29, 2024

Technical Tip: How to review user creation logs to determine who created it

Description
This article describes where to find the logs for the creation of a local user and how to determine who created the user.

Scope
FortiGate.

Solution

Details of a user's creation can be collected by reviewing the logs located under System Events.
These logs tell an administrator who created the user, including the time and date.

 

In the given example, a local test user is created by navigating to:

 

User & Authentication -> User definition -> Create new -> Local user -> provide username and password -> Next -> Submit.

 


To check the logs for this change, navigate to Logs & Reports -> System Events.

 


This log can be further expanded to see more details:

 


date=2025-08-25 time=03:09:07 eventtime=1756116546532568348 tz="-0700" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(172.26.48.22)" action="Add" cfgtid=19726688 cfgpath="user.local" cfgobj="test" cfgattr="type[password]passwd[*]" msg="Add user.local test"
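The same review can be done offline on exported System Events logs. The following is an added example, not part of the original article and not Fortinet code: it parses the key=value format of the log line above and reports who added each user.local object, from where, and when. The second and third sample lines are constructed for illustration.

```python
import re

# key=value pairs; a value is either "quoted" (may contain spaces) or a bare token
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# ui field as seen in the article: interface name with the source address in parentheses
UI = re.compile(r'^(?P<iface>[^()]+)(?:\((?P<src>[^)]+)\))?$')

def parse_line(line):
    """Turn one FortiGate log line into a dict of its fields."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}

def local_user_creations(lines):
    """Return who/when/where for every event that added a user.local object."""
    found = []
    for line in lines:
        f = parse_line(line)
        # Edits, deletes and other config paths are not user creations
        if f.get("cfgpath") != "user.local" or f.get("action") != "Add":
            continue
        m = UI.match(f.get("ui", ""))
        found.append({
            "created_user": f.get("cfgobj"),
            "created_by": f.get("user"),
            "via": m.group("iface") if m else None,
            "source_ip": m.group("src") if m else None,
            "when": f'{f.get("date")} {f.get("time")} {f.get("tz", "")}'.strip(),
            "vdom": f.get("vd"),
        })
    return found

SAMPLE = [
    # Log line from the article
    'date=2025-08-25 time=03:09:07 eventtime=1756116546532568348 tz="-0700" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(172.26.48.22)" action="Add" cfgtid=19726688 cfgpath="user.local" cfgobj="test" cfgattr="type[password]passwd[*]" msg="Add user.local test"',
    # Constructed: an edit of the same user, must not be reported as a creation
    'date=2025-08-25 time=03:11:40 tz="-0700" type="event" subtype="system" vd="root" user="admin" ui="GUI(172.26.48.22)" action="Edit" cfgpath="user.local" cfgobj="test" msg="Edit user.local test"',
    # Constructed: an Add on a different config path, must not be reported
    'date=2025-08-25 time=03:15:02 tz="-0700" type="event" subtype="system" vd="root" user="netops" ui="ssh(10.0.0.5)" action="Add" cfgpath="firewall.address" cfgobj="srv1" msg="Add firewall.address srv1"',
]

if __name__ == "__main__":
    for event in local_user_creations(SAMPLE):
        print(event)
```
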

 

If there are multiple logs, an appropriate log filter can be applied to see the user creation logs:

 

Under the Log Description column, filter for 'Local user added'.

 


Note: Logs in FortiGate memory are only retained for 7 days. If FortiGate Cloud logging is not enabled, logs older than 7 days cannot be viewed.

 

Starting February 28, 2025, a FortiGate without an active FortiGate Cloud subscription is required to upgrade to the latest firmware patch within 7 days of a new GA patch release, or FortiGate Cloud services will be paused for that device.

This affects the cloud retention service: with a Free FortiGate Cloud account, logs will not be forwarded to FortiCloud until the device is updated to the latest firmware patch. See: Technical Tip: Security enforcement change for FortiGates provisioned to FortiGate Cloud without active subscriptions.

 

If logging is not working, a possible cause is known issue ID 1045253, which prevents FortiGate logs from being transferred to the FortiGate Cloud Log server. It is fixed in versions v7.2.11, v7.4.8, v7.6.1, or above.

 
