Technical Tip: Who created a system administrator user and when it has been created
| Description | This article describes how to locate logs that detail the creation of a system administrator user, including information on who acted. |
| Scope | FortiGate. |
| Solution | Details about who created a system administrator user and when it was created can be obtained by reviewing the logs under System Events. It enables the Administrator to identify the creator of a specific user and the corresponding date.
To locate the logs associated with the event, navigate to Logs & Report -> System Events.
A log filter must be applied due to the high volume of logs being saved daily. To create the filter, navigate to the 'Logs' add a new filter, select the 'Message' column, and enter 'add system.admin'.
In this way, the administrator will be able to identify the exact date and the user who created the new system administrator account.
The system event can also be viewed by searching with logid: 44547:
To know who creates a local user instead of a system administrator refer to this article: Technical Tip: How to review user creation logs to determine who created it |
