| Description | This article describes how to show authentication logs for web filter user overrides. |
| Scope | FortiGate. |
| Solution |
In this example, the following user overrides are configured on the web filter profile for 'Streaming Media and Download'. Under 'Allow users to override blocked categories', another web filter profile 'new' is assigned, which has the above category set to allow.
When a user is authenticated against this override category, the log for this override event can be checked under Log & Reports -> System Events -> User Events -> Filter: Log Description = FortiGuard override successful.
Raw log for the above event:
date=2024-08-07 time=15:33:50 eventtime=1723059230000599485 tz="-0400" logid="0102043020" type="event" subtype="user" level="notice" vd="root" logdesc="FortiGuard override successful" srcip=192.200.10.2 dstip=X.X.X.X initiator="test" status="success" reason="none" scope="ip" expiry="Wed Aug 7 15:38:49 2024" oldwprof="default" profile="new" msg="User test added webfilter override entry from 192.200.10.2"
When any user override failed to authenticate, the following filter can be used to check this.
Filter: Log Description = FortiGuard override failed.
Raw log for the above event:
date=2024-08-07 time=17:27:58 eventtime=1723066078396475242 tz="-0400" logid="0102043018" type="event" subtype="user" level="warning" vd="root" logdesc="FortiGuard override failed" srcip=192.200.10.2 dstip=x.x.x.x initiator="test" status="failure" reason="credentials" msg="User test failed authentication when creating a FortiGuard Web Filtering override from 192.200.10.2" |
