FortiGate
serge_FTNT (Staff)
Article Id 194606

Description

 

This article describes how to perform a syslog/log test and check the resulting log entries.

 

Scope

 

FortiGate.

 

Solution

 

A log entry test can be run from the FortiGate CLI with the 'diag log test' command. It generates sample entries for several log types and writes them to every log destination that is enabled on the unit: the unit's hard drive, a configured syslog server, a FortiAnalyzer device, a WebTrends device, or the unit's System Dashboard (System -> Status). Note that the generated entries look like real detections (the virus, IPS and botnet messages are logged at level warning, and the sample infected-file entry carries crlevel="critical"), so any alerting built on these logs will fire; coordinate the test with whoever monitors them.

 

Example of output (output may vary depending on the FortiOS version):

 

fgt200a # diag log test

generating an allowed traffic message with level - warning
generating a system event message with level - warning
generating a HA event message with level - warning
generating a infected virus message with level - warning
generating a blocked virus message with level - warning
generating an attack detection message with level - warning
generating a blacklist email message with level - warning
generating a URL block message with level - warning

 

The test entries are spread over the log categories listed below (the list, like the rest of the output, varies with the FortiOS version). The sections that follow show the resulting entries for the traffic, event, web filter, virus and DNS categories; 'execute log filter category' accepts either the category number or its name.

 

FGT # execute log filter category
Available categories:
 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: anomaly
 8: voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: dns

 

Traffic (output from v5.6.5):

 

FGTv5.6.5 # execute log filter category traffic

FGTv5.6.5 # execute log display

11: date=2018-07-26 time=16:51:36 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1532616695 srcip=7.1.1.1 srcport=10016 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" sessionid=10006 proto=6 action="accept" policyid=1 policytype="policy" service="tcp/20" dstcountry="France" srccountry="United States" trandisp="noop" appid=35421 app="Dropbox_File.Download" appcat="Storage.Backup" apprisk="medium" applist="default" duration=10 sentbyte=2000 rcvdbyte=1000 sentpkt=0 rcvdpkt=0 utmaction="allow" countapp=1 devtype="iPad" osname="Apple" osversion="ver" mastersrcmac="07:01:01:01:01:01" srcmac="07:01:01:01:01:01" srcserver=0 dstdevtype="Android Phone" dstosname="Android" dstosversion="ver" masterdstmac="02:02:02:02:02:02" dstmac="02:02:02:02:02:02" dstserver=0 utmref=65491-194

 

Event (output from v5.4):

 

FGTv5.4 (SOUTH-WEB) # execute log filter category 1
FGTv5.4 (SOUTH-WEB) # execute log display
200 logs found.
10 logs returned

1: date=2018-07-26 time=17:24:25 logid=0107045056 type=event subtype=endpoint level=notice vd=SOUTH-WEB logdesc="FortiClient license limit reached" action=add status=error license_limit=10 reason="License Number Exceeded" repeat=1 msg="FortiClient license maximum has been reached."

2: date=2018-07-26 time=17:24:24 logid=0102043020 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="FortiGuard override successful" srcip=1.1.1.1 dstip=2.2.2.2 initiator=N/A status=success reason="reason" scope=user expiry="Sun Jan 11 02:00:00 1970" oldwprof="old_profile" profile="new_profile" msg="User user added webfilter override entry scope_data from 1.1.1.1"

3: date=2018-07-26 time=17:24:24 logid=0102043018 type=event subtype=user level=warning vd=SOUTH-WEB logdesc="FortiGuard override failed" srcip=1.1.1.1 dstip=2.2.2.2 initiator=N/A status=failure reason="reason" msg="User user failed authentication when creating a FortiGuard Web Filtering override from 1.1.1.1"

4: date=2018-07-26 time=17:24:24 logid=0102043019 type=event subtype=user level=warning vd=SOUTH-WEB logdesc="FortiGuard override table full" srcip=1.1.1.1 dstip=2.2.2.2 initiator=N/A status=failure reason="reason" msg="FortiGuard Web Filtering override table is full"

 

Web Filter (output from v5.6.5):

 

FGT # execute log filter category 3
FGT # execute log display
4 logs found.
4 logs returned.


1: date=2018-07-26 time=17:25:59 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532618758 policyid=1 sessionid=30000 user="user" group="group" srcip=1.1.1.1 srcport=30000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.abcd.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=26 catdesc="Malicious Websites" crscore=60 crlevel="high"

2: date=2018-07-26 time=17:25:57 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532618757 policyid=1 sessionid=20000 user="user" group="group" srcip=1.1.1.1 srcport=20000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.xyz.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=52 catdesc="Information Technology" crscore=30 crlevel="high"

3: date=2018-07-26 time=16:51:36 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532616697 policyid=1 sessionid=30000 user="user" group="group" srcip=1.1.1.1 srcport=30000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.abcd.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=26 catdesc="Malicious Websites" crscore=60 crlevel="high"

 

Antivirus (category 2):


FGT # exec log filter category 2

FGT # exec log display
4 logs found.
4 logs returned.

 

1: date=2024-10-12 time=11:50:04 eventtime=1728758998733258325 tz="-0700" logid="0212008448" type="utm" subtype="virus" eventtype="filename" level="warning" vd="root" policyid=1 policytype="policy" msg="File is blocked." action="passthrough" service="NNTP" sessionid=1131176239 srcip=168.10.199.186 dstip=224.141.85.77 srcport=41752 dstport=80 srccountry="United States" dstcountry="Reserved" srcintf="ssl.root" srcintfrole="undefined" dstintf="port5" dstintfrole="undefined" proto=6 vrf=32 direction="incoming" filefilter="file-pattern" filetype="ignored" filename="file_test" checksum="12345" quarskip="No-quarantine-for-oversized-files" user="user2" group="group2" crscore=5 craction=2 crlevel="low"

 

2: date=2024-10-12 time=11:50:04 eventtime=1728758999191989729 tz="-0700" logid="0201009238" type="utm" subtype="virus" eventtype="analytics" level="notice" vd="root" srcip=1.1.1.1 dstip=2.2.2.2 srcport=23456 dstport=80 action="monitored" service="http" filename="test-fsa.exe" fsaverdict="malicious" analyticscksum="47fd6cadce503e53ad2c543eb728ae2d017277afb3db6b16954e49ac1cf4cc20" dtype="fortisandbox"

 

3: date=2024-10-12 time=11:50:03 eventtime=1728758998733259917 tz="-0700" logid="0201009238" type="utm" subtype="virus" eventtype="analytics" level="notice" vd="root" srcip=1.1.1.1 dstip=2.2.2.2 srcport=23456 dstport=80 action="monitored" service="http" filename="test-fsa.exe" fsaverdict="malicious" analyticscksum="47fd6cadce503e53ad2c543eb728ae2d017277afb3db6b16954e49ac1cf4cc20" dtype="fortisandbox"

 

4: date=2024-10-12 time=11:50:03 eventtime=1728758998733256732 tz="-0700" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" policyid=1 policytype="policy" msg="File is infected." action="passthrough" service="NNTP" sessionid=1131176238 srcip=168.10.199.186 dstip=224.141.85.77 srcport=41751 dstport=80 srccountry="United States" dstcountry="Reserved" srcintf="ssl.root" srcintfrole="undefined" dstintf="port5" dstintfrole="undefined" proto=6 vrf=32 direction="incoming" filename="file_test2" checksum="23456" quarskip="No-skip" viruscat="cat2" dtype="dtype2" user="user" group="group2" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

 

DNS:

 

FGT # execute log filter category dns

FGT # execute log display
2 logs found.
2 logs returned.

1: date=2018-07-26 time=17:25:59 logid="1501054400" type="dns" subtype="dns-response" level="warning" vd="root" eventtime=1532618758 policyid=1 sessionid=0 srcport=0 srcintf=unknown-0 srcintfrole="undefined" dstport=0 dstintf=unknown-0 dstintfrole="undefined" proto=17 profile="default" xid=0 qtype="INVALID" qtypeval=0 qclass="INVALID" msg="Domain was blocked because it is in the domain-filter list" action="block" domainfilteridx=0

2: date=2018-07-26 time=16:51:36 logid="1501054400" type="dns" subtype="dns-response" level="warning" vd="root" eventtime=1532616697 policyid=1 sessionid=0 srcport=0 srcintf=unknown-0 srcintfrole="undefined" dstport=0 dstintf=unknown-0 dstintfrole="undefined" proto=17 profile="default" xid=0 qtype="INVALID" qtypeval=0 qclass="INVALID" msg="Domain was blocked because it is in the domain-filter list" action="block" domainfilteridx=0
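Checking that the test reached the collector is easier with a small parser for the key=value format shown in the listings above. The block below is an added example, not code from the article or from Fortinet: it parses FortiGate log entries (quoted values with spaces, bare values, the 'N: ' prefix of 'execute log display' and an optional syslog '<PRI>' header), normalises the eventtime field (seconds in the 2018 samples, nanoseconds in the 2024 samples) and reports which expected (type, subtype) pairs never showed up. The sample lines are constructed by trimming the entries printed earlier on this page; the expected set, the '<189>' header and the function names are this example's assumptions.

```python
"""Parse FortiGate key=value log entries and confirm that a 'diag log test'
run reached every expected log category.

Added example; it is not code from the article or from Fortinet. It assumes
the entries were captured either from 'execute log display' (each entry is
prefixed with 'N: ') or from a syslog collector (each line may carry a
'<PRI>' header); both prefixes are stripped before parsing.
"""
import re
from collections import Counter

# One key=value pair: the value is double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Optional syslog PRI header and/or 'execute log display' entry number.
_PREFIX_RE = re.compile(r'^(?:<\d{1,3}>)?\s*(?:\d+:\s+)?')


def parse_line(line: str) -> dict:
    """Return the fields of one FortiGate log entry as a dict of strings.

    Adds 'eventtime_s': eventtime normalised to whole seconds, because older
    builds log it in seconds and newer ones in nanoseconds.
    """
    body = _PREFIX_RE.sub("", line.strip(), count=1)
    rec = {}
    for key, val in _KV_RE.findall(body):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        rec[key] = val
    if rec.get("eventtime", "").isdigit():
        t = int(rec["eventtime"])
        rec["eventtime_s"] = t // 1_000_000_000 if t >= 10**12 else t
    return rec


# (type, subtype) pairs this example expects a full test run to produce
# (an assumption; extend it to match what your collector should receive).
EXPECTED = {
    ("traffic", "forward"),
    ("event", "user"),
    ("utm", "webfilter"),
    ("utm", "virus"),
    ("utm", "ips"),
    ("dns", "dns-response"),
}


def check_coverage(lines, expected=EXPECTED):
    """Count entries per (type, subtype) and list the expected pairs never seen."""
    seen = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if "type" in rec:
            seen[(rec["type"], rec.get("subtype", ""))] += 1
    missing = sorted(expected - set(seen))
    return seen, missing


# Constructed sample, trimmed from the entries shown earlier on this page;
# the '<189>' header on the event line stands in for a syslog capture.
SAMPLE_LINES = [
    '11: date=2018-07-26 time=16:51:36 logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" eventtime=1532616695 '
    'srcip=7.1.1.1 srcport=10016 dstip=2.2.2.2 dstport=20 proto=6 '
    'action="accept" policyid=1 app="Dropbox_File.Download"',
    '<189>date=2018-07-26 time=17:24:24 logid=0102043020 type=event '
    'subtype=user level=notice vd=SOUTH-WEB '
    'logdesc="FortiGuard override successful" srcip=1.1.1.1 dstip=2.2.2.2 '
    'msg="User user added webfilter override entry scope_data from 1.1.1.1"',
    '1: date=2018-07-26 time=17:25:59 logid="0316013056" type="utm" '
    'subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" '
    'eventtime=1532618758 hostname="www.abcd.com" action="blocked" '
    'cat=26 catdesc="Malicious Websites" crscore=60 crlevel="high"',
    '4: date=2024-10-12 time=11:50:03 eventtime=1728758998733256732 '
    'tz="-0700" logid="0211008192" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" vd="root" msg="File is infected." '
    'action="passthrough" filename="file_test2" crlevel="critical"',
    '1: date=2018-07-26 time=17:25:59 logid="1501054400" type="dns" '
    'subtype="dns-response" level="warning" vd="root" eventtime=1532618758 '
    'msg="Domain was blocked because it is in the domain-filter list" '
    'action="block"',
]

if __name__ == "__main__":
    seen, missing = check_coverage(SAMPLE_LINES)
    for (ltype, sub), n in sorted(seen.items()):
        print(f"{ltype}/{sub}: {n}")
    print("missing:", missing)  # the sample has no utm/ips entry
```

Run it against the file your syslog collector wrote while the test was running; a non-empty 'missing' list points at a category that is generated on the FortiGate but filtered, dropped or misrouted before it reaches the collector.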


Example: generating a single category.

On the FortiGate:

 

SiteC-esx48 # diag log test 1 15 10 10 true 1692950676 0X0010 <----- repeat 1, sleep 15 ms, 10 source and 10 destination addresses, traffic log enabled, seed 1692950676; the mask 0X0010 selects only the botnet generator.

 

From the FortiAnalyzer side, the resulting entries can be observed under FortiView -> Threats.

(screenshot: botnet_test.png)

 

 

SiteC-esx48 # diag log test  <----- Run without arguments: the available masks and the default values are printed, and a full test (mask ffffffff) is executed.
masks:
Virus: 0X0001
URL: 0X0002
DLP: 0X0004
IPS: 0X0008
BOTNET: 0X0010
ANOMALLY: 0X0020
APP: 0X0040
APP6: 0X0080
Deep App: 0X0100
Email: 0X0200
CR Web: 0X0400
SSH: 0X0800
SSL: 0X1000
diag log test <repeat> [<sleep-duration(milliseconds)> <# of srcip> <# of dstip> <gen-traffic-log> <seed> <masks>]
diag log test (repeat: 1) (sleep-duration(milliseconds): 10) (# of srcip: 10) (# of dstip: 10) (gen-traffic-log:True) (seed: 1692950676) (masks: ffffffff)
generating a system event message with level - warning
generating authentication event messages
1: generating an infected virus message with level - warning
1: generating a blocked virus message with level - warning
1: generating a URL block message with level - warning
1: generating a DLP message with level - warning
1: generating an IPS log message
1: generating an botnet log message
1: generating an anomaly log message
1: generating an application control IM message with level - information
1: generating an IPv6 application control IM message with level - information
1: generating deep application control logs with level - information
1: generating an antispam message with level - notification
1: generating a URL block message with level - warning
1: generating an ssh-command pass log with level - notification
1: generating an ssh-channel block with level - warning
1: generating an ssl-cert_blocklisted log with level - warning
1: generating FortiSwitch logs
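When the test is scripted (for example over SSH as part of a SIEM regression check), the mask is the part most easily got wrong because it is a bit field, not a category number. The block below is an added example, not code from the article or from Fortinet: it ORs the mask bits printed above into a single value, decodes a mask back into generator names, and composes the full command line in the argument order the CLI prints. The bit values and labels are copied from the CLI output above; the function names, the argument validation and the assumption that the seed makes the generated addresses repeatable are this example's own.

```python
"""Compose and decode the <masks> argument of 'diag log test'.

Added example, not from the article or from Fortinet. The bit values are
the ones the FortiGate prints when 'diag log test' is run without
arguments; the function names and the argument checks are this example's
own assumptions about how the command is used.
"""

# Labels exactly as the CLI prints them (including its 'ANOMALLY' spelling).
MASKS = {
    "Virus": 0x0001,
    "URL": 0x0002,
    "DLP": 0x0004,
    "IPS": 0x0008,
    "BOTNET": 0x0010,
    "ANOMALLY": 0x0020,
    "APP": 0x0040,
    "APP6": 0x0080,
    "Deep App": 0x0100,
    "Email": 0x0200,
    "CR Web": 0x0400,
    "SSH": 0x0800,
    "SSL": 0x1000,
}
ALL_MASKS = 0xFFFFFFFF  # the default the CLI shows: every generator enabled


def mask_for(*names: str) -> int:
    """OR together the bits for the named generators; an unknown name raises."""
    mask = 0
    for name in names:
        mask |= MASKS[name]
    return mask


def decode_mask(mask: int) -> list:
    """List the generators a mask enables, in the CLI's own order."""
    return [name for name, bit in MASKS.items() if mask & bit]


def build_command(names, repeat=1, sleep_ms=10, n_src=10, n_dst=10,
                  gen_traffic=True, seed=None) -> str:
    """Return the full 'diag log test' line for the given generators.

    Argument order follows the syntax the CLI prints:
    <repeat> <sleep-duration(ms)> <# of srcip> <# of dstip>
    <gen-traffic-log> <seed> <masks>.
    The arguments are positional, so every one of them is emitted once a
    mask is requested. Reusing the seed is assumed to reproduce the same
    generated addresses between runs, which keeps repeated tests comparable.
    """
    for label, val in (("repeat", repeat), ("sleep_ms", sleep_ms),
                       ("n_src", n_src), ("n_dst", n_dst)):
        if not isinstance(val, int) or val < 1:
            raise ValueError(f"{label} must be a positive integer, got {val!r}")
    if seed is None:
        raise ValueError("a seed is required when a mask is given")
    mask = mask_for(*names)
    flag = "true" if gen_traffic else "false"
    return f"diag log test {repeat} {sleep_ms} {n_src} {n_dst} {flag} {seed} 0X{mask:04X}"


if __name__ == "__main__":
    # Reproduces the botnet-only command from the example above.
    print(build_command(["BOTNET"], repeat=1, sleep_ms=15, seed=1692950676))
    print(decode_mask(0x0013))   # Virus, URL and BOTNET
    print(decode_mask(ALL_MASKS))
```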

 

In the Event logs, the run generates the following entries automatically:

(screenshot: image (8) (1).png)

 

Related articles:

Technical Tip: Standard procedure to format a FortiGate Log Disk, log backup from disk

Technical Tip: How to download Logs from FortiGate GUI