FortiGate
dbabic
Staff
Article Id 193027

Description

A FortiGate is able to display logs via both the GUI and the CLI. This article describes how to display logs through the CLI.

Scope

FortiGate.


Solution

To display log records, use the following command:

execute log display

However, it is advisable to define a filter first, so that the command above returns only the logs that are needed.

The filter options select the type and source of the logs, the number of results to show, and the point in the collected logs from which the display starts.

The first step may be to check the current filter settings, or to reset/clear them:

execute log filter reset
execute log filter dump               <- To show settings. Example output below.
category: traffic
device: disk
start-line: 1
view-lines: 10
max-checklines: 0
HA member:
log search mode: on-demand
pre-fetch-pages: 2
Oftp search string:
 
The next step is to set the source of the logs:

execute log filter device

Since FortiOS 6.2, the list of available devices has been extended as follows (the list is the same in FortiOS 6.2, 6.4 and 7.0):

Example output (may differ depending on whether disk logging is available):

Available devices:

0: memory
1: disk
2: fortianalyzer
3: fortianalyzer-cloud             <----- Added with the FortiAnalyzer-cloud introduction.
4: forticloud                      <----- Moved one position down.
 
Until v6.2, the listing was:

Example output (may differ depending on whether disk logging is available):

Available devices:

0: memory
1: disk
2: fortianalyzer
3: forticloud

execute log filter device 0       <- This will display logs from memory.

The next step is to choose the category of logs to display:

execute log filter category

Available categories in FortiOS 7.0:

The full list is below; compared with FortiOS 6.2 (listed further below), it contains newly added categories:

 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: utm-anomaly
 8: utm-voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: utm-dns
16: utm-ssh
17: utm-ssl
19: utm-file-filter
20: utm-icap
22: utm-sctp-filter
 
Available categories in FortiOS 6.4:

The full list is below; compared with FortiOS 6.2 (listed further below), it contains newly added categories:

 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: utm-anomaly
 8: utm-voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: utm-dns
16: utm-ssh
17: utm-ssl
18: utm-cifs
19: utm-file-filter
20: utm-icap
 
Available categories in FortiOS 6.2:

 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: utm-anomaly
 8: utm-voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: utm-dns
16: utm-ssh
17: utm-ssl
18: utm-cifs
19: utm-file-filter
 
Available categories in FortiOS 6.0:

 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: utm-anomaly
 8: utm-voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: dns
16: utm-ssh
 
Available categories in FortiOS 5.6:

 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: anomaly
 8: voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: dns
 
Available categories in FortiOS 5.4:

 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: anomaly
 8: voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
 
The default log filter configuration looks like the following:

Note:
The following outputs might look different on different FortiGate models depending on the hardware/VM, or without internal disk storage:

FortiOS 7.0, 7.2 and 7.4:

show full-configuration log memory filter
config log memory filter
      set severity information
      set forward-traffic enable
      set local-traffic enable
      set multicast-traffic enable
      set sniffer-traffic enable
      set ztna-traffic enable
      set anomaly enable
      set voip enable
      set gtp enable
end
 
FortiOS 6.4:

show full-configuration log memory filter
config log memory filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set gtp enable
    set filter ''
    set filter-type include
end
 
FortiOS 6.2:

show full-configuration log memory filter
config log memory filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set dns enable
    set ssh enable
    set ssl enable
    set cifs enable
    set filter ''
    set filter-type include
end

 

FortiOS 6.0:

show full-configuration log memory filter
config log memory filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set dns enable
    set ssh enable
    set filter ''
    set filter-type include
end

 

FortiOS 5.6:

show full-configuration log memory filter
config log memory filter
    set severity warning
    set forward-traffic enable
    set local-traffic disable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set dns enable
    set filter ''
    set filter-type include
end

 

FortiOS 5.4:

The log filter on a FortiGate has the following options:

show full-configuration log memory filter
config log memory filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set filter ''
    set filter-type include
end

 

For example, by using the following log filters, FortiGate will display all utm-webfilter logs with the destination IP address 40.85.78.63:

execute log filter category 3       
execute log filter field dstip 40.85.78.63
execute log display

1 logs found.
1 logs returned.

1: date=2019-09-14 time=14:52:36 logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" eventtime=1568465556531146383 tz="+0200" policyid=1 sessionid=3190297 srcip=172.16.190.216 srcport=10806 srcintf="port3" srcintfrole="undefined" dstip=40.85.78.63 dstport=443 dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" hostname="wdcp.microsoft.com" profile="monitor-all" action="passthrough" reqtype="direct" url="/" sentbyte=197 rcvdbyte=3787 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=52 catdesc="Information Technology"

 

Alternatively, by using the following free-style log filter (and then running execute log display), FortiGate will display all utm-webfilter logs with destination IP address 40.85.78.63 that are not from September 13, 2019:

execute log filter free-style "(date 2019-09-13 not) and (dstip 40.85.78.63)"
1: date=2019-09-14 time=14:52:36 logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" eventtime=1568465556531146383 tz="+0200" policyid=1 sessionid=3190297 srcip=172.16.190.216 srcport=10806 srcintf="port3" srcintfrole="undefined" dstip=40.85.78.63 dstport=443 dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" hostname="wdcp.microsoft.com" profile="monitor-all" action="passthrough" reqtype="direct" url="/" sentbyte=197 rcvdbyte=3787 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=52 catdesc="Information Technology"

 

Other examples of using the free-style log filter:

execute log filter free-style "srcip 172.16.1.1"
execute log filter free-style "(srcip 172.16.1.1) or (dstip 172.16.1.2)"
execute log filter free-style "(srcip 172.16.1.1) and (dstip 172.16.1.2)"
execute log filter free-style "((srcip 172.16.1.1) or (dstip 172.16.1.2)) and (dstport 80 443 50-60)"

 

Also, it is possible to configure the following log filter commands:

execute log filter
category          Category.
device            Device to get log from.
dump              Dump current filter settings.
field             Filter by field. Specify from 1to 5 values value1 [value2 ... value5] [not]
Use not to reverse the condition.
Each value can be an individual value or a value range.
For value range, "-" is used to separate two values.
For example, 2013/06/13-2013/06/14 is for a date range from Jun 13, 2013 to Jun 14, 2013

free-style        Filter by free-style expression.
ha-member         HA member.
max-checklines    Maximum number of lines to check (maximum number of log entries that will be checked, 0 means all will be checked)
reset             Reset filter.
start-line        Start line to display (the log entry to start displaying from; so if set to 10, the 10th entry onward will be displayed)
view-lines        Lines per view (the number of log entries that will be displayed, default 10)
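The field filter semantics listed above (one to five values, "-" separated ranges, a trailing not) and the key=value record format shown in the earlier examples are what a defender re-implements when post-processing exported FortiGate logs offline. The following Python is an added example, not Fortinet code: it parses records in that format and applies those field filter rules; the sample records are constructed, and numeric, IP and date ranges are all handled (IP ranges being an assumed generalisation of the CLI's "-" syntax).

```python
import ipaddress
import re

# Constructed sample records in the FortiOS key=value log format (not from a live device).
SAMPLE_LOGS = [
    'date=2019-09-14 time=14:52:36 type="utm" subtype="webfilter" srcip=172.16.190.216 '
    'dstip=40.85.78.63 dstport=443 msg="URL belongs to an allowed category in policy"',
    'date=2019-09-13 time=09:01:10 type="traffic" subtype="forward" srcip=172.16.1.1 '
    'dstip=172.16.1.2 dstport=80 msg="Accept: session close"',
    'date=2019-09-13 time=09:02:44 type="traffic" subtype="forward" srcip=172.16.1.1 '
    'dstip=10.0.0.5 dstport=55 msg="Accept: session close"',
]

# Each field is key=value; the value is double-quoted (may contain spaces) or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Parse one FortiOS log record into a dict of field name -> string value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}

def _key(s):
    """Comparable form: int for numbers, ip_address for IPs, otherwise text with the
    CLI's 2013/06/13 date spelling normalised to the record's 2013-06-13 form."""
    if s.isdigit():
        return int(s)
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return s.replace("/", "-")

def _matches(actual, spec):
    """One value spec: a single value or a 'low-high' range ('-' is the CLI's separator)."""
    try:
        if spec.count("-") == 1:  # a range; a bare YYYY-MM-DD date has two dashes
            low, high = spec.split("-")
            return _key(low) <= _key(actual) <= _key(high)
        return _key(actual) == _key(spec)
    except TypeError:  # incomparable types, e.g. a port range against a date field
        return False

def field_filter(records, name, values, negate=False):
    """'execute log filter field <name> value1 [... value5] [not]' semantics: keep records
    whose field equals any value or falls in any range; 'not' keeps the non-matching ones."""
    if not 1 <= len(values) <= 5:
        raise ValueError("the field filter accepts 1 to 5 values")
    return [rec for rec in records
            if (name in rec and any(_matches(rec[name], v) for v in values)) != negate]
```

For example, field_filter(records, "dstport", ["80", "443", "50-60"]) mirrors execute log filter field dstport 80 443 50-60, and negate=True mirrors the trailing not.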

 

To view multiple log entries, increase the number of rows displayed at once using the following command:

execute log filter view-lines 1000

Then, run:

execute log display

Continue running the execute log display command repeatedly to scroll through the pages until the last entry is reached.

 

Also, it is possible to work with the logs (roll, back up, delete local logs, list log details such as occupied space and the date/time of the log, and more):

execute log
backup               Backup.
delete               Delete local logs of one category.
delete-all           Delete all local logs.
detail               Display UTM log entries for a particular traffic log.
display              Display filtered log entries.
filter               Set filters we discussed here.
flush-cache          Write disk log cache of current category to disk in compressed format.
flush-cache-all      Write disk log cache of all categories to disk in compressed format.
fortianalyzer        FortiAnalyzer.
fortianalyzer-cloud  FortiAnalyzer-cloud.
fortiguard           FortiGuard.
list                 List current and rolled log files info.
raw-backup           Raw-backup.
roll                 Roll log files now.

 
