Description

This article describes how the log 'Configuration is changed in the admin session' is triggered.

Scope

FortiGate.

Solution

Sometimes, it is possible to notice that the log message for configuration change is being triggered, but there are no details for the log on what configuration change has been made:

date=2021-03-12 time=14:06:09 logid="0100032102" type="event" subtype="system" level="alert" vd="root" eventtime=1615529168900386234 tz="+0800" logdesc="Configuration changed" user="admin" ui="https(192.168.244.133)" msg="Configuration is changed in the admin session"

The above log is generated when the admin logs out, or when the admin session has timed out.

The meaning of the log is that while the admin is logged in, the admin has made some changes to the configuration, and to locate the changes, it is necessary to locate the date/time that the admin logs in:

date=2021-03-12 time=14:02:59 logid="0100032001" type="event" subtype="system" level="information" vd="root" eventtime=1615528979676440368 tz="+0800" logdesc="Admin login successful" sn="1615528979" user="admin" ui="https(192.168.244.133)" method="https" srcip=192.168.244.133 dstip=10.47.1.59 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(192.168.244.133)"

After that, it is possible to locate the changes that is being made by the admin:

date=2021-03-12 time=14:03:37 logid="0100044547" type="event" subtype="system" level="information" vd="root" eventtime=1615528897288320196 tz="+0800" logdesc="Object attribute configured" user="admin" ui="GUI(192.168.244.133)" action="Add" cfgtid=8388615 cfgpath="router.static" cfgobj="49" cfgattr="dst[4.4.4.3 255.255.255.255]device[CRK04-IPSEC]" msg="Add router.static 49"

If the admin is an SSO admin, the first time it logs in to the root VDOM or the first time it switches to another VDOM, the SSO admin account is created in the system. Even though the admin does not make any real changes (or has a read-only profile), log messages for configuration change are still triggered:

date="2024-12-12" time="14:08:13" logid="0100123456" vd="VDOM1" type="event" subtype="system" action="Edit" cfgattr="gui-dashboard:12[name[FortiView Sessions]vdom[E-Commerce]layout-type[standalone]csf[disable]widget:1[type[fortiview]width[6]height[3]fortiview-type[realtimeSessions]fortiview-sort-by[bytes]fortiview-timeframe[realtime]fortiview-visualization[table]]]gui-dashboard:11[name[FortiView Policies]vdom[VDOM1]layout-type[standalone]csf[disable]widget:1[type[fortiview]width[6]height[3]fortiview-type[policy]fortiview-sort-by[bytes]fortiview-timeframe[hour]fortiview-visualization[table]]]gui-dashboard:10[name[FortiView Web Sites]vdom[VDOM1]layout-type[standalone]csf[disable]widget:1[type[fortiview]width[6]height[3]fortiview-type[website]fortiview-sort-by[sessions]fortiview-timeframe[hour]fortiview-visualization[table]]]gui-dashboard:9[name[FortiView Applications]vdom[VDOM1]layout-type[standalone]csf[disable]widget:1[type[fortiview]width[6]height[3]fortiview-type[application]fortiview-sort-by[bytes]fortiview-timeframe[hour]fortiview-visualization[table]]]gui-dashboard:8[name[FortiView Destinations" cfgobj="ssoadmin1@example.com" cfgpath="system.sso-admin" cfgtid="12977157" eventtime=1733965692811301853 level="information" logdesc="Object attribute configured" logid="0100044547" logver=702101706" msg="Edit system.sso-admin ssoadmin1@example.com" user="ssoadmin1@example.com"

When accessing FortiGate using the cloud access in FortiGate Cloud for the first time, similar logs will be generated, although no actual changes will be made. The admin will be in the format of <admin>@fortigatecloud.com:

date=2025-03-19 time=13:57:50 eventtime=1742349470283527484 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="bf33eb91b223@fortigatecloud.com" ui="fgfm_fgc" action="Edit" cfgtid=129106071 cfgpath="system.sso-fortigate-cloud-admin" cfgobj="bf33eb91b223@fortigatecloud.com" cfgattr="gui-dashboard:5[name[WiFi]vdom[root]widget:8[type[wifi-login-failures]x-pos[7]width[2]height[1]]widget:7[type[interfering-ssids]x-pos[6]width[2]height[1]wifi-band[both]]widget:6[type[historical-clients]x-pos[5]width[2]height[1]wifi-band[both]]widget:5[type[rogue-ap]x-pos[4]width[2]height[1]]widget:4[type[client-signal-strength]x-pos[3]width[2]height[1]wifi-band[both]]widget:3[type[clients-by-ap]x-pos[2]width[2]height[1]wifi-band[both]]widget:2[type[channel-utilization]x-pos[1]width[2]height[1]wifi-band[both]]widget:1[type[ap-status]width[2]height[1]]]gui-dashboard:4[name[Users & Devices]vdom[root]widget:5[type[nac-vlans]x-pos[4]width[2]height[1]]widget:4[type[quarantine]x-pos[3]width[2]height[1]]widget:3[type[firewall-user]x-pos[2]width[2]height[1]]widget:2[type[forticlient]x-pos[1]width[2]height[1]table-visualization[charts]device-list-online[online]device-list-telemetry[sending]device-list-view-type[interface]]widget:1[type[device-inventory]width[2]height[1]table-visualization[charts]device-list-vi [001]" msg="Edit system.sso-fortigate-cloud-admin bf33eb91b223@fortigatecloud.com"

Related article:

Technical Tip: Log IDs for for configuration changes made in the FortiGate