Description | This article describes how to use a CLI console to filter and extract specific logs. |
Scope | FortiGate. |
Solution |
In some circumstances, the FortiGate GUI may lag or fail to display logs once a filter is applied. In that case, the CLI console or an SSH session can be used to extract the needed logs for analysis or troubleshooting.
For more information on filter options refer to the following community article: Technical Tip: Displaying logs via FortiGate's CLI
To extract the forward traffic logs for a particular source and destination IP on a specific day, in order to see which policy is matched and which action is applied to that traffic:
exe log filter device 0 <----- Log location is considered as memory.
On executing the 'exe log display' command, FortiGate displays the first 5 of the total matching logs:
HO_t3emealab # exe log display
1: date=2024-12-19 time=11:48:20 eventtime=1734637699544337903 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=172.30.16.168 srcname="172.30.16.168" srcport=16198 srcintf="port4" srcintfrole="undefined" dstip=208.184.237.75 dstname="usforticlient.fortinet.net" dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=244602 proto=6 action="close" policyid=2 policytype="policy" poluuid="f1a56c7a-b57b-51ef-77b2-44d9c62a17a5" policyname="Internet policy" service="HTTPS" trandisp="snat" transip=10.5.144.159 transport=16198 appcat="unknown" applist="default" duration=2 sentbyte=1435 rcvdbyte=3019 sentpkt=11 rcvdpkt=13 vwlid=0 wanin=6392 wanout=855 lanin=7094 lanout=2487 utmaction="block" countweb=1 countssl=1 crscore=5 craction=262144 crlevel="low" msg="Connection Failed" utmref=65535-11682
2: date=2024-12-19 time=11:47:58 eventtime=1734637679204334884 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=172.30.16.168 srcname="172.30.16.168" srcport=21216 srcintf="port4" srcintfrole="undefined" dstip=208.184.237.75 dstname="usforticlient.fortinet.net" dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=244119 proto=6 action="close" policyid=2 policytype="policy" poluuid="f1a56c7a-b57b-51ef-77b2-44d9c62a17a5" policyname="Internet policy" service="HTTPS" trandisp="snat" transip=10.5.144.159 transport=21216 appcat="unknown" applist="default" duration=2 sentbyte=1487 rcvdbyte=3019 sentpkt=12 rcvdpkt=13 vwlid=0 wanin=6392 wanout=855 lanin=7094 lanout=2487 utmaction="block" countweb=1 countssl=1 crscore=5 craction=262144 crlevel="low" msg="Connection Failed" utmref=65535-11516
3: date=2024-12-19 time=11:47:38 eventtime=1734637657774347052 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=172.30.16.168 srcname="172.30.16.168" srcport=59972 srcintf="port4" srcintfrole="undefined" dstip=208.184.237.75 dstname="usforticlient.fortinet.net" dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=243483 proto=6 action="close" policyid=2 policytype="policy" poluuid="f1a56c7a-b57b-51ef-77b2-44d9c62a17a5" policyname="Internet policy" service="HTTPS" trandisp="snat" transip=10.5.144.159 transport=59972 appcat="unknown" applist="default" duration=2 sentbyte=1435 rcvdbyte=3019 sentpkt=11 rcvdpkt=13 vwlid=0 wanin=6392 wanout=855 lanin=7094 lanout=2487 utmaction="block" countweb=1 countssl=1 crscore=5 craction=262144 crlevel="low" msg="Connection Failed" utmref=65535-11326
4: date=2024-12-19 time=11:47:17 eventtime=1734637637244336847 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=172.30.16.168 srcname="172.30.16.168" srcport=39470 srcintf="port4" srcintfrole="undefined" dstip=208.184.237.75 dstname="usforticlient.fortinet.net" dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=242960 proto=6 action="close" policyid=2 policytype="policy" poluuid="f1a56c7a-b57b-51ef-77b2-44d9c62a17a5" policyname="Internet policy" service="HTTPS" trandisp="snat" transip=10.5.144.159 transport=39470 appcat="unknown" applist="default" duration=2 sentbyte=1435 rcvdbyte=3019 sentpkt=11 rcvdpkt=13 vwlid=0 wanin=6392 wanout=855 lanin=7094 lanout=2487 utmaction="block" countweb=1 countssl=1 crscore=5 craction=262144 crlevel="low" msg="Connection Failed" utmref=65535-11212
5: date=2024-12-19 time=11:46:57 eventtime=1734637616714341114 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=172.30.16.168 srcname="172.30.16.168" srcport=16064 srcintf="port4" srcintfrole="undefined" dstip=208.184.237.75 dstname="usforticlient.fortinet.net" dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=242399 proto=6 action="close" policyid=2 policytype="policy" poluuid="f1a56c7a-b57b-51ef-77b2-44d9c62a17a5" policyname="Internet policy" service="HTTPS" trandisp="snat" transip=10.5.144.159 transport=16064 appcat="unknown" applist="default" duration=2 sentbyte=1435 rcvdbyte=3019 sentpkt=11 rcvdpkt=13 vwlid=0 wanin=6392 wanout=855 lanin=7094 lanout=2487 utmaction="block" countweb=1 countssl=1 crscore=5 craction=262144 crlevel="low" msg="Connection Failed" utmref=65535-11060
Executing 'exe log display' again shows the next 5 of the 80 logs found.
To search the web filter logs for access to a particular URL:
exe log filter device 0 <----- Log location is considered as memory.
OR:
exe log filter device 0 <----- Log location is considered as memory.
HO_t3emealab # exe log display
1: date=2024-12-19 time=12:07:25 eventtime=1734638845448721804 tz="-0800" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=2 poluuid="f1a56c7a-b57b-51ef-77b2-44d9c62a17a5" policytype="policy" sessionid=278248 srcip=172.30.18.94 srcport=50716 srccountry="Reserved" srcintf="port4" srcintfrole="undefined" srcuuid="a002f5aa-9815-51ef-0c67-81d7dd453c08" dstip=3.165.136.42 dstport=80 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="a002f5aa-9815-51ef-0c67-81d7dd453c08" proto=6 httpmethod="GET" service="HTTP" hostname="community.fortinet.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH" profile="default" action="blocked" reqtype="direct" url="http://community.fortinet.com/" sentbyte=458 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" ratemethod="domain" cat=52 catdesc="Information Technology"
To extract the Performance statistics logs from the system event logs:
exe log filter reset
HO_t3emealab # exe log display
1: date=2024-12-19 time=12:23:43 eventtime=1734639823656350985 tz="-0800" logid="0100040704" type="event" subtype="system" level="notice" vd="root" logdesc="System performance statistics" action="perf-stats" cpu=0 mem=57 totalsession=38 disk=1 bandwidth="5/191" setuprate=0 disklograte=0 fazlograte=0 freediskstorage=15171 sysuptime=9332 waninfo="N/A" msg="Performance statistics: average CPU: 0, memory: 57, concurrent sessions: 38, setup-rate: 0"
2: date=2024-12-19 time=12:18:44 eventtime=1734639523662208368 tz="-0800" logid="0100040704" type="event" subtype="system" level="notice" vd="root" logdesc="System performance statistics" action="perf-stats" cpu=0 mem=57 totalsession=43 disk=1 bandwidth="9/214" setuprate=5 disklograte=0 fazlograte=0 freediskstorage=15171 sysuptime=9032 waninfo="N/A" msg="Performance statistics: average CPU: 0, memory: 57, concurrent sessions: 43, setup-rate: 5"
3: date=2024-12-19 time=12:13:44 eventtime=1734639223660798823 tz="-0800" logid="0100040704" type="event" subtype="system" level="notice" vd="root" logdesc="System performance statistics" action="perf-stats" cpu=1 mem=57 totalsession=45 disk=1 bandwidth="7/185" setuprate=0 disklograte=0 fazlograte=0 freediskstorage=15171 sysuptime=8732 waninfo="N/A" msg="Performance statistics: average CPU: 1, memory: 57, concurrent sessions: 45, setup-rate: 0"
4: date=2024-12-19 time=12:08:44 eventtime=1734638923662042377 tz="-0800" logid="0100040704" type="event" subtype="system" level="notice" vd="root" logdesc="System performance statistics" action="perf-stats" cpu=0 mem=57 totalsession=71 disk=1 bandwidth="21/177" setuprate=4 disklograte=2 fazlograte=2 freediskstorage=15171 sysuptime=8432 waninfo="N/A" msg="Performance statistics: average CPU: 0, memory: 57, concurrent sessions: 71, setup-rate: 4"
5: date=2024-12-19 time=12:03:43 eventtime=1734638623656533942 tz="-0800" logid="0100040704" type="event" subtype="system" level="notice" vd="root" logdesc="System performance statistics" action="perf-stats" cpu=0 mem=57 totalsession=40 disk=1 bandwidth="46/221" setuprate=1 disklograte=0 fazlograte=0 freediskstorage=15171 sysuptime=8132 waninfo="N/A" msg="Performance statistics: average CPU: 0, memory: 57, concurrent sessions: 40, setup-rate: 1"
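The three CLI filters above (forward traffic for one source/destination pair on a given day, blocked hostnames in the web filter logs, and the perf-stats system events) can also be applied offline to a saved 'exe log display' capture. The following is an added example, not Fortinet code and not part of this article: it parses FortiGate key=value log lines, including the 'N:' counter printed by 'exe log display', and runs the same three selections. The sample lines are constructed and modelled on the output shown above; the accepted record dated 2024-12-18 and the high-memory sample (mem=91) are invented to exercise the filters, and the 80% memory threshold is an assumed value.

```python
"""Parse FortiGate key=value log lines and apply the article's three filters offline."""
import re
from collections import Counter

# One key=value pair: the value is either "quoted, may contain spaces" or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample capture modelled on the article's 'exe log display' output.
# Record 3 (different day, accepted) and record 6 (mem=91) are invented test data.
SAMPLE_LOG_LINES = [
    '1: date=2024-12-19 time=11:48:20 logid="0000000013" type="traffic" subtype="forward" vd="root" srcip=172.30.16.168 srcport=16198 dstip=208.184.237.75 dstport=443 proto=6 action="close" policyid=2 policyname="Internet policy" service="HTTPS" utmaction="block" msg="Connection Failed"',
    '2: date=2024-12-19 time=11:47:58 logid="0000000013" type="traffic" subtype="forward" vd="root" srcip=172.30.16.168 srcport=21216 dstip=208.184.237.75 dstport=443 proto=6 action="close" policyid=2 policyname="Internet policy" service="HTTPS" utmaction="block" msg="Connection Failed"',
    '3: date=2024-12-18 time=09:02:11 logid="0000000013" type="traffic" subtype="forward" vd="root" srcip=172.30.16.168 srcport=40011 dstip=208.184.237.75 dstport=443 proto=6 action="accept" policyid=2 policyname="Internet policy" service="HTTPS" msg="Connection Accepted"',
    '4: date=2024-12-19 time=12:07:25 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" srcip=172.30.18.94 dstip=3.165.136.42 dstport=80 httpmethod="GET" hostname="community.fortinet.com" action="blocked" url="http://community.fortinet.com/" msg="URL belongs to a denied category in policy" cat=52 catdesc="Information Technology"',
    '5: date=2024-12-19 time=12:23:43 logid="0100040704" type="event" subtype="system" logdesc="System performance statistics" action="perf-stats" cpu=0 mem=57 totalsession=38 disk=1 bandwidth="5/191" setuprate=0 msg="Performance statistics: average CPU: 0, memory: 57, concurrent sessions: 38, setup-rate: 0"',
    '6: date=2024-12-19 time=12:18:44 logid="0100040704" type="event" subtype="system" logdesc="System performance statistics" action="perf-stats" cpu=3 mem=91 totalsession=410 disk=1 bandwidth="9/214" setuprate=5 msg="Performance statistics: average CPU: 3, memory: 91, concurrent sessions: 410, setup-rate: 5"',
]


def parse_fortigate_log(line: str) -> dict:
    """Turn one log line into a dict of str -> str.

    A leading 'N: ' counter, as printed by 'exe log display', is dropped. Quoted
    values keep their inner spaces; bare values end at the next whitespace.
    """
    line = re.sub(r'^\s*\d+:\s*', '', line)
    record = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        record[key] = quoted if quoted is not None else bare
    return record


def forward_traffic(records, srcip: str, dstip: str, day: str):
    """Forward traffic for one src/dst pair on one day: (time, policyid, action, utmaction)."""
    return [
        (r["time"], int(r["policyid"]), r["action"], r.get("utmaction", ""))
        for r in records
        if r.get("type") == "traffic" and r.get("subtype") == "forward"
        and r.get("srcip") == srcip and r.get("dstip") == dstip and r.get("date") == day
    ]


def blocked_hostnames(records) -> Counter:
    """Count hostnames the web filter denied (subtype=webfilter, action=blocked)."""
    return Counter(
        r.get("hostname", "")
        for r in records
        if r.get("subtype") == "webfilter" and r.get("action") == "blocked"
    )


def perf_stats(records, mem_threshold: int = 80):
    """Summarise perf-stats events; mem_threshold (percent) is an assumed value."""
    out = []
    for r in records:
        if r.get("action") != "perf-stats":
            continue
        mem = int(r["mem"])
        out.append({"time": r["time"], "cpu": int(r["cpu"]), "mem": mem,
                    "sessions": int(r["totalsession"]), "high_mem": mem > mem_threshold})
    return out


RECORDS = [parse_fortigate_log(line) for line in SAMPLE_LOG_LINES]

if __name__ == "__main__":
    for hit in forward_traffic(RECORDS, "172.30.16.168", "208.184.237.75", "2024-12-19"):
        print("forward:", hit)
    print("blocked:", dict(blocked_hostnames(RECORDS)))
    for sample in perf_stats(RECORDS):
        print("perf:", sample)
```

To use it on a real capture, paste the 'exe log display' output into a file and replace SAMPLE_LOG_LINES with its lines; the parser ignores the prompt-free counter prefix and tolerates fields it does not know about, so the full records shown above parse unchanged.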
Copyright 2024 Fortinet, Inc. All Rights Reserved.