Technical Tip: Displaying logs via FortiGate's CLI

dbabic · ‎04-10-2017

Description

A FortiGate is able to display by both the GUI and via CLI. This article explains how to display logs through CLI.

Scope

FortiGate.

Solution

To display log records use command:

#execute log display

But it would be better to define a filter giving the logs you need and that the command above should return.

Set different types of log filter options, the number of results and from what point in the collected logs it is to start displaying.

First steps might be to check current filter settings, or reset/clear those:

#execute log filter reset
#execute log filter dump <--- to show settings, example output bellow

category: traffic
device: disk
start-line: 1
view-lines: 10
max-checklines: 0
HA member:
log search mode: on-demand
pre-fetch-pages: 2
Oftp search string:

Next step is to set source of the logs:

#execute log filter device

Since FortiOS 6.2 those available devices contain following extended set:
(which is same for FortiOS versions 6.2 / 6.4 and 7.0 )

Example output (can be different if disk logging is available):
Available devices:

0: memory
1: disk
2: fortianalyzer
3: fortianalyzer-cloud <--- added with FortiAnalyzer-cloud introduction
4: forticloud <--- moved one position down

Until FortiOS 6.2 listing was:

Example output (can be different if disk logging is available):
Available devices:

0: memory
1: disk
2: fortianalyzer
3: forticloud

#execute log filter device 0 <--- this will display logs from memory

Next step is to choose category of logs to display:

#execute log filter category

Available categories in FortiOS 7.0:

.. are the same as in FortiOS 6.2 (listed bellow), but adds following new categories:
20: utm-icapp
22: utm-sctp-filter

.. complete listing is:
0: traffic
1: event
2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-emailfilter
7: utm-anomaly
8: utm-voip
9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: utm-dns
16: utm-ssh
17: utm-ssl
19: utm-file-filter
20: utm-icap
22: utm-sctp-filter

Available categories in FortiOS 6.4:

.. are the same as in FortiOS 6.2 (listed bellow), but adds following new category:
20: utm-icap

.. complete listing is:
0: traffic
1: event
2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-emailfilter
7: utm-anomaly
8: utm-voip
9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: utm-dns
16: utm-ssh
17: utm-ssl
18: utm-cifs
19: utm-file-filter
20: utm-icap

Available categories in FortiOS 6.2:

0: traffic
1: event
2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-emailfilter
7: utm-anomaly
8: utm-voip
9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: utm-dns
16: utm-ssh
17: utm-ssl
18: utm-cifs
19: utm-file-filter

Available categories in FortiOS 6.0:

0: traffic
1: event
2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-emailfilter
7: utm-anomaly
8: utm-voip
9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: dns
16: utm-ssh

Available categories in FortiOS 5.6:

0: traffic
1: event
2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-emailfilter
7: anomaly
8: voip
9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: dns

Available categories in FortiOS 5.4:

0: traffic
1: event
2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-emailfilter
7: anomaly
8: voip
9: utm-dlp
10: utm-app-ctrl
12: utm-waf

The default log filter configuration looks like below.

Note.

The following outputs might look different on different FortiGate models depending on the hardware/VM, or w/o internal disk storage:

FortiOS 7.0, 7.2 and 7.4:

# show full-configuration log memory filter
config log memory filter
set severity information
set forward-traffic enable
set local-traffic enable
set multicast-traffic enable
set sniffer-traffic enable
set ztna-traffic enable
set anomaly enable
set voip enable
set gtp enable
end

FortiOS 6.4:

# show full-configuration log memory filter
config log memory filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set gtp enable
set filter ''
    set filter-type include
end

FortiOS 6.2:

# show full-configuration log memory filter
config log memory filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set dns enable
    set ssh enable
    set ssl enable
    set cifs enable
    set filter ''
    set filter-type include
end

FortiOS 6.0:

# show full-configuration log memory filter
config log memory filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set dns enable
    set ssh enable
    set filter ''
    set filter-type include
end

FortiOS 5.6:

# show full-configuration log memory filter
config log memory filter
    set severity warning
    set forward-traffic enable
    set local-traffic disable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set dns enable
    set filter ''
    set filter-type include
end

FortiOS 5.4:
The log filter a FortiGate has the following options:

# show full-configuration log memory filter
config log memory filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set filter ''
    set filter-type include
end

For example, by using the following log filters FortiGate will display all utm-webfilter logs with the destination ip address 40.85.78.63:

# execute log filter category 3
# execute log filter field dstip 40.85.78.63
# execute log display
1 logs found.
1 logs returned.

1: date=2019-09-14 time=14:52:36 logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" eventtime=1568465556531146383 tz="+0200" policyid=1 sessionid=3190297 srcip=172.16.190.216 srcport=10806 srcintf="port3" srcintfrole="undefined" dstip=40.85.78.63 dstport=443 dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" hostname="wdcp.microsoft.com" profile="monitor-all" action="passthrough" reqtype="direct" url="/" sentbyte=197 rcvdbyte=3787 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=52 catdesc="Information Technology"

Alternatively, by using the following log filters FortiGate will display all utm-webfilter logs with destination ip address 40.85.78.63 that are not from September 13, 2019:

# execute log filter free-style "(date 2019-09-13 not) and (dstip 40.85.78.63)"

1: date=2019-09-14 time=14:52:36 logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" eventtime=1568465556531146383 tz="+0200" policyid=1 sessionid=3190297 srcip=172.16.190.216 srcport=10806 srcintf="port3" srcintfrole="undefined" dstip=40.85.78.63 dstport=443 dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" hostname="wdcp.microsoft.com" profile="monitor-all" action="passthrough" reqtype="direct" url="/" sentbyte=197 rcvdbyte=3787 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=52 catdesc="Information Technology"

Other examples of using the free-style log filter:

# execute log filter free-style "srcip 172.16.1.1"
# execute log filter free-style "(srcip 172.16.1.1) or (dstip 172.16.1.2)"
# execute log filter free-style "(srcip 172.16.1.1) and (dstip 172.16.1.2)"
# execute log filter free-style "((srcip 172.16.1.1) or (dstip 172.16.1.2)) and (dstport 80 443 50-60)"

Also, it is possible to configure the following log filter commands:

# execute log filter
category          Category.
device            Device to get log from.
dump              Dump current filter settings.
field             Filter by field. Specify from 1to 5 values value1 [value2 ... value5] [not]
Use not to reverse the condition.
Each value can be an individual value or a value range.
For value range, "-" is used to separate two values.
For example, 2013/06/13-2013/06/14 is for a date range from Jun 13, 2013 to Jun 14, 2013

free-style        Filter by free-style expression.
ha-member         HA member.
max-checklines    Maximum number of lines to check (maximum number of log entries that will be checked, 0 means all will be checked)
reset             Reset filter.
start-line        Start line to display (the log entry to start displaying from; so if set to 10, the 10th entry onward will be displayed)
view-lines        Lines per view (the number of log entries that will be displayed, default 10)

Also, it is possible to work with the logs - roll, backup, delete local logs, list log details like occupied space/date/time of the log and more:

# execute log
backup     Backup.
delete Delete local logs of one category.
delete-all    Delete all local logs.
detail    Display UTM log entries for a particular traffic log.
display    Display filtered log entries.
filter    Set filters we discused here.
flush-cache   Write disk log cache of current category to disk in compressed format.
flush-cache-all Write disk log cache of all categories to disk in compressed format.
fortianalyzer FortiAnalyzer.
fortianalyzer-cloud FortiAnalyzer-cloud.
fortiguard FortiGuard.
list List current and rolled log files info.
raw-backup Raw-backup.
roll Roll log files now.