Description: This article describes how to check failed admin logins on a FortiGate via either the GUI or the CLI.
Scope: FortiGate.
Solution:
To check failed admin logins in the GUI, go to Log & Report -> System Events -> General System Events and apply the filter Log Description = Admin login failed.
To check failed admin logins from the CLI, run the following command:
diag alertconsole list
Or, to show only the login-related entries:
diag alertconsole list | grep login
It is also possible to create an automation stitch that sends an alert on every failed admin login. Go to Security Fabric -> Automation -> Create New and create an Automation Trigger of type FortiOS Event Log with the 'Admin login failed' event.
Create an Automation Action of type Email.
The final automation stitch links this trigger to the email action.
The same configuration from the CLI:
1. Automation Trigger:
config system automation-trigger
    edit "Login_Failed"
        set event-type event-log
        set logid 32002
    next
end
2. Automation Action:
config system automation-action
    edit "Login-Failed_Email"
        set action-type email
        set email-to "myemail@example.com"
        set email-subject "FortiGate Admin Login Failed"
    next
end
3. Automation Stitch:
config system automation-stitch
    edit "Admin_Login_Failed"
        set trigger "Login_Failed"
        config actions
            edit 1
                set action "Login-Failed_Email"
                set required enable
            next
        end
    next
end
Once a failed admin login event is logged, the stitch fires and sends the alert email. The email body contains the raw log of the event, similar to the following. The fields worth acting on are srcip (where the attempt came from), user and method (which account and which interface was targeted), and reason (whether the user name or the password was wrong):
date=2024-07-30 time=09:12:22 eventtime=1722345142416647315 tz="-0400" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="testlogin" ui="https(172.25.181.118)" method="https" srcip=172.25.181.118 dstip=10.9.11.34 action="login" status="failed" reason="name_invalid" msg="Administrator testlogin login failed from https(172.25.181.118) because of invalid user name"
date=2024-07-30 time=09:10:19 eventtime=1722345019384149693 tz="-0400" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="testlogin" ui="ssh(172.25.181.118)" method="ssh" srcip=172.25.181.118 dstip=10.9.11.34 action="login" status="failed" reason="name_invalid" msg="Administrator testlogin login failed from ssh(172.25.181.118) because of invalid user name"
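A single email per failed login is noisy and does not by itself show whether one source is guessing passwords. The following script is an added example and not Fortinet code or part of this article: it parses FortiOS key=value event logs in the format shown above, keeps only logid 0100032002 (Admin login failed) events, summarizes them by user, method and reason, and flags any source IP that fails repeatedly inside a sliding time window. It assumes the raw logs have been forwarded off the FortiGate (syslog, a FortiAnalyzer export, or the body of the stitch email) to a host that can run Python. Every sample log line in it is constructed for the example; the threshold, window, the second source IPs and the passwd_invalid reason are assumptions for illustration, not values from this article.

```python
"""Detection logic over FortiOS "Admin login failed" event logs.

Added example (not Fortinet code): assumes the raw event logs were forwarded
off the FortiGate to a host where this script can read them. All sample log
lines below are constructed in the same key=value format as the logs above.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FAILED_ADMIN_LOGIN_LOGID = "0100032002"  # logid of logdesc="Admin login failed"

# key=value pairs; a value is either "double quoted" or a bare token
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line):
    """Parse one FortiOS log line into a dict, stripping quotes from values."""
    return {key: quoted or bare for key, quoted, bare in _KV_RE.findall(line)}


def event_time(event):
    """Timestamp from the date/time/tz fields (tz is written like -0400)."""
    stamp = f"{event['date']} {event['time']} {event['tz']}"
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z")


def failed_admin_logins(lines):
    """Keep only failed admin login events, sorted chronologically."""
    events = (parse_fortios_log(line) for line in lines if line.strip())
    failed = [e for e in events
              if e.get("logid") == FAILED_ADMIN_LOGIN_LOGID and e.get("status") == "failed"]
    return sorted(failed, key=event_time)


def flag_repeated_failures(events, threshold=5, window=timedelta(minutes=10)):
    """Sources with at least `threshold` failures inside any sliding `window`.

    Returns {srcip: total failures from that source}. One typo never trips
    this; a password-guessing loop does. Threshold and window are assumptions.
    """
    times_by_src = defaultdict(list)
    for e in events:
        times_by_src[e["srcip"]].append(event_time(e))
    flagged = {}
    for src, times in times_by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged


def summarize(events):
    """Count failures per (user, method, reason). name_invalid means user names
    are being guessed; a failure on a real account means the name is known."""
    return Counter((e["user"], e["method"], e["reason"]) for e in events)


def _sample(time, user, method, src, reason, logid="0100032002", status="failed"):
    """Constructed log line mirroring the FortiOS event-log format shown above."""
    desc = "Admin login failed" if status == "failed" else "Admin login successful"
    level = "alert" if status == "failed" else "information"
    return (f'date=2024-07-30 time={time} tz="-0400" logid="{logid}" type="event" '
            f'subtype="system" level="{level}" vd="root" logdesc="{desc}" sn="0" '
            f'user="{user}" ui="{method}({src})" method="{method}" srcip={src} '
            f'dstip=10.9.11.34 action="login" status="{status}" reason="{reason}" '
            f'msg="Administrator {user} login {status} from {method}({src})"')


# Constructed sample: one host hammering the admin interfaces, one stray
# mistyped password from elsewhere, and one successful login the filter drops.
SAMPLE_LOGS = [
    _sample("09:10:19", "testlogin", "ssh", "172.25.181.118", "name_invalid"),
    _sample("09:10:41", "testlogin", "https", "172.25.181.118", "name_invalid"),
    _sample("09:11:03", "admin", "https", "172.25.181.118", "passwd_invalid"),
    _sample("09:11:30", "admin", "https", "172.25.181.118", "passwd_invalid"),
    _sample("09:12:22", "testlogin", "https", "172.25.181.118", "name_invalid"),
    _sample("09:15:00", "admin", "ssh", "10.1.1.5", "passwd_invalid"),
    _sample("09:16:00", "admin", "https", "10.1.1.7", "none",
            logid="0100032001", status="success"),
]

if __name__ == "__main__":
    events = failed_admin_logins(SAMPLE_LOGS)
    print(f"{len(events)} failed admin logins")
    for (user, method, reason), n in summarize(events).most_common():
        print(f"  {n}x user={user} method={method} reason={reason}")
    for src, total in flag_repeated_failures(events).items():
        print(f"ALERT: {src} failed {total} times; review admin trusted hosts")
```

Run against the constructed sample, the summary shows two user names being tried over both ssh and https, and 172.25.181.118 is flagged because it produced five failures within two minutes, while the single failure from 10.1.1.5 stays below the threshold. Point `failed_admin_logins` at real forwarded log lines instead of SAMPLE_LOGS to use it on production data.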
Copyright 2024 Fortinet, Inc. All Rights Reserved.