FortiGate
serge_FTNT
Staff
Article Id 194606

Description

 

This article describes how to perform a syslog/FortiAnalyzer/log test and how to check the resulting log entries in FortiAnalyzer.

Visual examples of logs generated in FortiGate can be found in the related article.

 

Scope

 

FortiGate.

  

Solution

 

A log entry test can be run from the FortiGate CLI with the 'diagnose log test' command (abbreviated 'diag log test'). It generates a set of synthetic log entries and writes them to every log destination the unit is configured for: the unit's hard drive or memory, a configured syslog server, a FortiAnalyzer device, a WebTrends server and the unit's System Dashboard (System -> Status). Only destinations that are already enabled (for example under 'config log syslogd setting' or 'config log fortianalyzer setting') receive the entries; the test does not configure logging. Note that the test entries look like real detections (virus, botnet, IPS, URL block) to anyone watching FortiAnalyzer or a SIEM, so inform the monitoring team before running the test on a production unit.

 

The set of test messages differs between FortiOS versions, so the following outputs are only examples of what the command generates:

 

FortiGate # diagnose log test

generating an allowed traffic message with level - warning
generating a system event message with level - warning
generating a HA event message with level - warning
generating a infected virus message with level - warning
generating a blocked virus message with level - warning
generating an attack detection message with level - warning
generating a blacklist email message with level - warning
generating a URL block message with level - warning

 

On version 7.2.11, the options would be as follows:

 

FortiGate # diagnose log test

generating an infected virus message with level - warning
generating a blocked virus message with level - warning
generating a URL block message with level - warning
generating a DLP message with level - warning
generating an IPS log message
generating an botnet log message
generating an anomaly log message
generating an application control IM message with level - information
generating an IPv6 application control IM message with level - information
generating deep application control logs with level - information
generating an antispam message with level - notification
generating a URL block message with level - warning
generating an ssh-command pass log with level - notification
generating an ssh-channel block with level - warning
generating an ssl-cert_blocklisted log with level - warning
generating FortiSwitch logs

 

On version 7.4.7, the following entries have been added:

 

FortiGate # diagnose log test

generating a File Filter log with level - warning
generating a icap log with level - warning
generating a sctp filter log with level - warning
generating a virtual ot patch log with level - warning
generating a CASB monitor log with level - information

 

Entries on version 7.6.2 are the same as on version 7.4.7.

 

The log categories that these test entries are filed under can be listed with 'execute log filter category'. The same category numbers are used when reading the logs back locally with 'execute log filter category <n>' followed by 'execute log display' (output may vary depending on the FortiOS version):

 

FortiGate # execute log filter category
Available categories:
 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: anomaly
 8: voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: dns

 

On version 7.2.11, the list looks as follows:

 

FortiGate # execute log filter category
Available categories:
 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: utm-anomaly
 8: utm-voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: utm-dns
16: utm-ssh
17: utm-ssl
19: utm-file-filter
20: utm-icap
22: utm-sctp-filter
23: forti-switch

 

On version 7.4.7, the following have been added:

 

FortiGate # execute log filter category
24: utm-virtual-patch
25: utm-casb

 

Entries on version 7.6.2 are the same as on version 7.4.7.

 

Example, on the FortiGate:

 

FortiGate # diagnose log test 1 15 10 10 true 1692950676 0X0010    <----- To simulate a botnet the mask is set to 0X0010.

Following the argument order of the command (repeat, sleep-duration, # of srcip, # of dstip, gen-traffic-log, seed, masks), this runs the test once, waits 15 ms between entries, uses 10 source and 10 destination IPs, also generates traffic logs, seeds the generator with 1692950676 and restricts the generated UTM entries to the BOTNET mask bit. Several bits can be combined in one mask (for example 0X0011 for Virus plus BOTNET). The full list of mask values is printed by running 'diagnose log test' with no arguments, as shown further below.

 

From the FortiAnalyzer side, it is possible to observe it from FortiView -> Threats.


(Screenshot: botnet_test.png, FortiAnalyzer FortiView -> Threats showing the test botnet entry)

 

FortiGate # diagnose log test  <----- Press 'Enter' and all options are shown.
masks:
Virus: 0X0001
URL: 0X0002
DLP: 0X0004
IPS: 0X0008
BOTNET: 0X0010
ANOMALLY: 0X0020
APP: 0X0040
APP6: 0X0080
Deep App: 0X0100
Email: 0X0200
CR Web: 0X0400
SSH: 0X0800
SSL: 0X1000
diag log test <repeat> [<sleep-duration(milliseconds)> <# of srcip> <# of dstip> <gen-traffic-log> <seed> <masks>]
diag log test (repeat: 1) (sleep-duration(milliseconds): 10) (# of srcip: 10) (# of dstip: 10) (gen-traffic-log:True) (seed: 1692950676) (masks: ffffffff)
generating a system event message with level - warning
generating authentication event messages
1: generating an infected virus message with level - warning
1: generating a blocked virus message with level - warning
1: generating a URL block message with level - warning
1: generating a DLP message with level - warning
1: generating an IPS log message
1: generating an botnet log message
1: generating an anomaly log message
1: generating an application control IM message with level - information
1: generating an IPv6 application control IM message with level - information
1: generating deep application control logs with level - information
1: generating an antispam message with level - notification
1: generating a URL block message with level - warning
1: generating an ssh-command pass log with level - notification
1: generating an ssh-channel block with level - warning
1: generating an ssl-cert_blocklisted log with level - warning
1: generating FortiSwitch logs

 

In the FortiAnalyzer Event logs, the same command also generates the event-type entries (system event and authentication event messages) automatically, as in the screenshot referenced below:

(Screenshot: image (8) (1).png, FortiAnalyzer Event logs after running diagnose log test)

 

If the FortiGate shows the test logs locally (for example with 'execute log display' or on the dashboard) but the FortiAnalyzer/syslog server is not receiving them, perform the following steps:

  1. Confirm the destination is enabled and points at the right server: 'get log syslogd setting' or 'get log fortianalyzer setting'. For FortiAnalyzer, 'execute log fortianalyzer test-connectivity' reports whether the unit is registered and connected.
  2. Basic connectivity check: ping the FortiAnalyzer/syslog server from the FortiGate CLI ('execute ping x.x.x.x'). If a source-ip is set in the log settings, make sure that address is reachable from the server as well, since the server's replies go to it.
  3. If the ping is successful, run a packet capture to see whether the log packets leave the unit, whether the TCP handshake completes and which device, if any, resets the connection:
 
diagnose sniffer packet any 'host x.x.x.x' 4 0 l    <----- x.x.x.x is the log server IP; verbosity 4 prints the interface name, 0 means capture until Ctrl-C, l adds local timestamps.

Keep in mind that FortiAnalyzer logging uses TCP port 514, so a handshake and a possible RST are visible in the capture, whereas syslog in the default udp mode has no handshake: look instead for outgoing UDP 514 datagrams and for ICMP port-unreachable replies from the server. Run 'diagnose log test' in a second CLI session while the sniffer is active so that the capture contains the test entries.
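To verify on the collector side which of the test entries actually arrived (the receiving end of the 'diagnose log test' run above and of the troubleshooting steps), the following is an added Python example, not code from this article or from Fortinet. It parses FortiGate key=value syslog records, tallies them by type/subtype and reports which bits of the mask passed to 'diagnose log test' produced no record. The sample records, the placeholder devid/logid values and the mapping of mask bits to utm subtypes are assumptions made for the example, not captured output.

```python
"""Check which 'diagnose log test' entries reached a syslog collector.

Added example for this article, not Fortinet code. It parses FortiGate
key=value syslog records, tallies them by type/subtype and reports which
bits of the test mask produced no record. The sample records below are
constructed for the example (placeholder devid/logid), not captured output.
"""
import re

# Mask bits as printed by 'diagnose log test' with no arguments (see the
# article), mapped to the utm subtype the test entry is expected to carry.
# The subtypes for BOTNET (ips), APP6 and Deep App (app-ctrl) and CR Web
# (webfilter) are assumptions for this example.
MASK_BITS = {
    0x0001: ("Virus", "virus"),
    0x0002: ("URL", "webfilter"),
    0x0004: ("DLP", "dlp"),
    0x0008: ("IPS", "ips"),
    0x0010: ("BOTNET", "ips"),
    0x0020: ("ANOMALY", "anomaly"),
    0x0040: ("APP", "app-ctrl"),
    0x0080: ("APP6", "app-ctrl"),
    0x0100: ("Deep App", "app-ctrl"),
    0x0200: ("Email", "emailfilter"),
    0x0400: ("CR Web", "webfilter"),
    0x0800: ("SSH", "ssh"),
    0x1000: ("SSL", "ssl"),
}

# key=value pairs; quoted values may contain spaces and escaped quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_record(line):
    """Return the key=value fields of one FortiGate syslog record as a dict.

    Strips an RFC 3164 '<PRI>' prefix if present and unquotes quoted values.
    """
    body = line.split(">", 1)[1] if line.startswith("<") else line
    fields = {}
    for key, raw in KV_RE.findall(body):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def count_by_subtype(lines):
    """Tally records by (type, subtype); unparsable lines land under (None, None)."""
    counts = {}
    for line in lines:
        f = parse_fortigate_record(line)
        key = (f.get("type"), f.get("subtype"))
        counts[key] = counts.get(key, 0) + 1
    return counts


def missing_mask_bits(mask, lines):
    """Names of mask bits (as in 'diagnose log test') whose utm subtype never arrived."""
    seen = count_by_subtype(lines)
    return [name for bit, (name, subtype) in MASK_BITS.items()
            if mask & bit and ("utm", subtype) not in seen]


# Constructed sample records: what a collector might store after
# 'diagnose log test 1 15 10 10 true 1692950676 0x1fff'. The ANOMALY entry
# is left out on purpose so the check has something to report.
_HDR = ('date=2023-08-25 time=08:04:36 devname="FGT-LAB" '
        'devid="FG000000000000000" logid="0000000000"')
SAMPLE_LINES = [
    f'<189>{_HDR} type="utm" subtype="virus" level="warning" vd="root" msg="File is infected."',
    f'<189>{_HDR} type="utm" subtype="webfilter" level="warning" vd="root" action="blocked"',
    f'<189>{_HDR} type="utm" subtype="dlp" level="warning" vd="root"',
    f'<187>{_HDR} type="utm" subtype="ips" level="alert" vd="root" eventtype="botnet"',
    f'<189>{_HDR} type="utm" subtype="app-ctrl" level="information" vd="root"',
    f'<189>{_HDR} type="utm" subtype="emailfilter" level="notice" vd="root"',
    f'<189>{_HDR} type="utm" subtype="ssh" level="notice" vd="root" action="pass"',
    f'<189>{_HDR} type="utm" subtype="ssl" level="warning" vd="root" action="blocked"',
    f'<190>{_HDR} type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.0.1 dstip=10.0.1.1',
]

if __name__ == "__main__":
    for (typ, sub), n in sorted(count_by_subtype(SAMPLE_LINES).items(), key=str):
        print(f"{typ}/{sub}: {n}")
    # With the samples above this reports ['ANOMALY'].
    print("missing:", missing_mask_bits(0x1FFF, SAMPLE_LINES))
```

To use it against a real collector, replace SAMPLE_LINES with the lines of the syslog file (or the records exported from FortiAnalyzer) captured while the test ran, and pass the same mask value that was given to 'diagnose log test'. A non-empty result pinpoints which UTM categories never left the FortiGate or were dropped on the way, which narrows the capture filter for the sniffer step above.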

 

Related articles: