New Member

Question

Report of config changes

Forum|Forum|11 years ago
August 28, 2014
13 replies
56230 views

Hi, we have an FortiAnalyzer 400B running FortiOS 5.0.7 and want to create reports off configuration changes on our FortiGates (e.g. add/delete/edit firewall rules). The problem I have is that I can' t select events with subtype ' config' on the Analyzer. In general: I can' t see any events of subtype ' config' on the FortiAnalyzer. And yes, we have activated the Event Logging of " Configuration change event" on the FortiGate and see those events in the event log of the FortiGate. Any ideas on how to resolve this problem? Regards, Olav

AtiT

New Member

Hi, I think that no subtype config is in event logs. For example policy changes are system subtypes. Search for " firewall" in message column:

If10625.jpg

OlavAuthor

New Member

Hi AtiT, thank your for the fast reply! Unfortunately I can' t see any events concerning firewall changes when I search for " firewall" in the message column. How can I verify that those messages are transfered from the FortiGate to the FortiAnalyzer? Is there a debug command on the CLI which I can use? Olav

FatalHalt

New Member

On the firewall, go to the Log & Report tab, Log config, Log Settings. Make sure you have Event Logging enabled, and for this specific need you want to make sure you have System Activity event checked (and possibly user activity event).

jlozen

New Member

What version of FortiOS are you running on the FortiGate? If the FortiGate is has been " upgraded" to 5.2 they changed a bunch of stuff with policies and logging so that might be throwing a wrench into the gears of your FortiAnalyzer. I' ve been having all kinds of various issues with logging and our devices running 5.2. Our FortiAnalyzer is stuck on v5.0-build4037 131010 (GA) since we use the AWS instance and can' t update the firmware until amazon releases a new AMI

AtiT

New Member

Hi Olav, I have FAZ on v5.07 and FGT on v5.0.9. What is your FGT OS version? On 5.0.7 (probably similar on other versions) check the output of the command: get log eventfilter If you have VDOMS on FG check it under the VDOM. (the same as in the GUI - see the reponse from FatalHalt) Do you have any logs in the Event log? You can also try to test the logging with command: diagnose log test If you have VDOMs on FG check it under the VDOM. It should generate some logs into the log database. Do you see them?

OlavAuthor

New Member

Hi everybody and thank you all for your answers! we are running 4.3 Patch 15 on our FortiGate 800C cluster. Event logging ist enabled on the FGT (see image). On CLI I can see the eventfilter activated and the test events from the command " diagnose log test" are tansfered to the analyzer. These events show up in the " Security" branch of the FAZ Log View section. Config changes are still not visible on the FortiAnalyzer.

Mk25923.jpg

Warren_Olson_FTNT

Staff

Olav, You' re looking in the Event logs section of FAZ correct? Make sure you disable any/all column filters, and also check " config log fortianalyzer filter" and make sure everything is set to enable...

TuncayBAS

Explorer

if you want to get the report. Dataset :

  select from_dtime(dtime) as date, f_user, msg, devid from ###(select dtime, `user` as f_user, ui, msg,devid from $log   where $filter and logid in (â€™44547â€²,â€™32212â€²) order by dtime desc)### t order by dtime desc

OlavAuthor

New Member

Hi Warren, yes, I' m looking in the Events log section of the FAZ and there are no column filters activ. When I open the elog.log over Log View \ <ADOM> \ Log Browse I can' t see any entiries about config changes, which must be in there. I have also checked config log fortianalyzer filter - everything is enabled. Hi Tuncay, thanks for your very much for your query, it is very useful for what I want to do with these log messages! I have set up a Dataset with your query and the Test result is the following. There are no entries found in the log! I am clueless. I will open a ticket for support on this. Cheers, Olav

Zx71893.jpg

TuncayBAS

Explorer

please run code CLI screen execute sql-query-dataset root event-Config-Changes_3 All_FortiGates faz " 2014-08-01 00:00:00" " 2014-08-30 23:59:59" I think the error will be written to the screen

OlavAuthor

New Member

will test it on monday. Have to leave now for weekend :-) Thanks and nice weekend!!!

Show more replies

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded