FortiAnalyzer
heng (Staff)
Article Id 206221
Description

This article describes how to locate the DoS policy log in FortiAnalyzer.

Administrators often have difficulty locating the DoS policy log because the Log View has no separate sub-section for this log type.

Scope  
Solution

First and foremost, the FortiGate itself must have a DoS policy configured, and anomalous (DoS) traffic must be hitting that policy.

 

In FortiAnalyzer, the DoS policy log is grouped and categorized under the Intrusion Prevention (IPS) log within the Security event logs.

 

Go to GUI > Log View > FortiGate > Security > Intrusion Prevention, then filter with "subtype: anomaly" and set the required time range to view all DoS policy logs received from the FortiGate.

 

An example follows.

 

[Screenshot: Log View > FortiGate > Security > Intrusion Prevention, filtered with subtype: anomaly]

 

Sample raw log generated with the CLI command "diagnose log test" on the FortiGate:

 

date=2022-03-07 time=09:01:18 id=7072157054420386226 itime=2022-03-07 12:01:19 euid=3 epid=104 dsteuid=3 dstepid=101 type=utm subtype=anomaly level=alert action=clear_session sessionid=0 srcip=168.10.199.186 dstip=172.252.3.20 srcport=2560 dstport=20480 attackid=100663396 severity=critical proto=6 vrf=32 logid=0720018432 service=tcp/20480 eventtime=1646614879432319052 count=1123 policyid=0 crscore=50 craction=4096 crlevel=critical srcintfrole=lan dstintfrole=undefined srcintf=loopback dstintf=npu0_vlink0 ref=http://www.fortinet.com/ids/VID100663396 attack=tcp_syn_flood eventtype=anomaly srccountry=United States msg=anomaly: tcp_syn_flood tz=+0800 devid=FG81EPTK1900XXXX vd=root dtime=2022-03-07 09:01:18 itime_t=1646614879 cve=
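The following is an added example and is not part of the Fortinet article: it applies the same "type=utm, subtype=anomaly" selection to raw FortiGate log lines (for instance, lines exported from FortiAnalyzer or forwarded to a SIEM), using the sample line above as input. The key=value parser, the helper names, the summary field selection and the second (traffic) log line are my own; the second line is constructed for contrast. The parser accepts both quoted values and, as in the sample above where the quotes have been stripped, unquoted values containing spaces.

```python
import re
from datetime import datetime, timedelta, timezone

# A field starts with a bare identifier followed by '='; any other token is
# value text that belongs to the preceding field.
_KV_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$", re.S)

# First line: the article's sample "diagnose log test" record.
# Second line: constructed traffic record (not a DoS policy log) with quoted values.
SAMPLE_LINES = [
    "date=2022-03-07 time=09:01:18 id=7072157054420386226 itime=2022-03-07 12:01:19 euid=3 epid=104 dsteuid=3 dstepid=101 type=utm subtype=anomaly level=alert action=clear_session sessionid=0 srcip=168.10.199.186 dstip=172.252.3.20 srcport=2560 dstport=20480 attackid=100663396 severity=critical proto=6 vrf=32 logid=0720018432 service=tcp/20480 eventtime=1646614879432319052 count=1123 policyid=0 crscore=50 craction=4096 crlevel=critical srcintfrole=lan dstintfrole=undefined srcintf=loopback dstintf=npu0_vlink0 ref=http://www.fortinet.com/ids/VID100663396 attack=tcp_syn_flood eventtype=anomaly srccountry=United States msg=anomaly: tcp_syn_flood tz=+0800 devid=FG81EPTK1900XXXX vd=root dtime=2022-03-07 09:01:18 itime_t=1646614879 cve=",
    'date=2022-03-07 time=09:02:00 type=traffic subtype=forward level=notice srcip=10.0.0.5 dstip=172.252.3.20 srcport=40000 dstport=443 action="accept" msg="traffic forwarded ok" tz=+0800',
]


def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiGate key=value log line into a dict of string values."""
    fields: dict = {}
    key = None
    in_quote = False
    for tok in line.strip().split(" "):
        if not tok and not in_quote:
            continue  # collapse doubled spaces between fields
        m = None if in_quote else _KV_RE.match(tok)
        if m:
            key, val = m.group(1), m.group(2)
            if val.startswith('"'):
                if len(val) > 1 and val.endswith('"'):
                    val = val[1:-1]      # quoted value held in a single token
                else:
                    val = val[1:]        # opening quote; value continues
                    in_quote = True
            fields[key] = val
        elif key is not None:
            # Continuation of a value that contains spaces (quoted or not).
            if in_quote and tok.endswith('"'):
                tok = tok[:-1]
                in_quote = False
            fields[key] = f"{fields[key]} {tok}" if fields[key] else tok
    return fields


def is_dos_policy_log(fields: dict) -> bool:
    """DoS policy logs are the IPS (type=utm) records whose subtype is 'anomaly'."""
    return fields.get("type") == "utm" and fields.get("subtype") == "anomaly"


def event_time(fields: dict) -> datetime:
    """Convert eventtime to a timezone-aware datetime using the tz=+HHMM field.

    The 19-digit eventtime in the sample is an epoch value in nanoseconds (it
    lands on the line's own date/time once shifted to +0800); values with ten
    digits or fewer are treated as seconds.
    """
    raw = int(fields["eventtime"])
    secs = raw / 1e9 if raw > 10**11 else raw
    tz = fields.get("tz", "+0000")
    sign = -1 if tz.startswith("-") else 1
    offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    return datetime.fromtimestamp(secs, tz=timezone(offset))


def summarize(fields: dict) -> dict:
    """Reduce a DoS policy record to the fields an analyst triages first."""
    return {
        "time": event_time(fields).isoformat(),
        "attack": fields.get("attack"),
        "src": f"{fields.get('srcip')}:{fields.get('srcport')}",
        "dst": f"{fields.get('dstip')}:{fields.get('dstport')}",
        "count": int(fields.get("count", 0)),
        "action": fields.get("action"),
        "severity": fields.get("severity"),
        "policyid": fields.get("policyid"),
    }


def dos_policy_events(lines) -> list:
    """Filter raw lines down to DoS policy (subtype=anomaly) events, summarized."""
    return [summarize(f) for f in map(parse_fortigate_log, lines) if is_dos_policy_log(f)]


if __name__ == "__main__":
    for event in dos_policy_events(SAMPLE_LINES):
        print(event)
```

Running the script prints one summary, the tcp_syn_flood event from the sample line, and drops the constructed traffic line; `policyid=0` in the sample shows why searching by firewall policy ID does not find these records, whereas the `subtype` filter does.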