FortiGate
nithincs (Staff)
Article Id 365720

Description This article describes how to use the CLI (console or SSH session) to filter and extract specific logs.
Scope FortiGate.
Solution

In some circumstances the FortiGate GUI lags or fails to display logs once a filter is applied. The same logs can then be extracted from a console or SSH session for analysis or troubleshooting.
It is important to understand the filter options that 'execute log filter' accepts, since they determine which entries 'execute log display' returns. Filter settings persist for the duration of the CLI session, so start each new query with 'execute log filter reset'; otherwise fields set for the previous query remain in effect.

 

For more information on filter options refer to the following community article: Technical Tip: Displaying logs via FortiGate's CLI

 

To extract forward-traffic logs for a particular source and destination IP on a specific day, in order to see which policy matched the traffic and which action was applied:

 

exe log filter device 0 <----- Log location: memory. Select the device that actually holds the logs (1 = disk), otherwise the search returns nothing.
exe log filter category 0 <----- Traffic logs.
exe log filter field srcip 172.26.153.31
exe log filter field dstip 208.184.237.75
exe log filter field date 2024-12-19
exe log filter field time 10:00:00-23:58:59 <----- Logs from 10:00:00 to 23:58:59, FortiGate local time.
exe log filter view-lines 5 <----- Number of entries shown per 'exe log display'.
exe log filter dump <----- Shows the conditions currently set for the log query.
category: traffic
device: memory
start-line: 1
view-lines: 5
max-checklines: 100
HA member:
log search mode: on-demand
pre-fetch-pages: 2
Filter: ( time "10:00:00-23:58:59" ) AND ( date "2024-12-19" ) AND ( dstip "208.184.237.75" )
Oftp search string: (and (and time>=100000 time<=235859) (or date==20241219) (or dstip==208.184.237.75))

 

Before reading the results, compare the Filter line of the dump with what was entered: in the dump above the srcip condition is absent, and the entries returned below carry srcip=172.30.16.168 rather than 172.26.153.31, so only the date, time and dstip conditions were applied. Running 'exe log display' then shows the first 5 of the matching logs:

 

HO_t3emealab # exe log display


80 logs found. <----- Total 80 logs found matching the log query.
5 logs returned. <----- The first 5 logs are extracted and displayed.
24.4% of logs has been searched.

1: date=2024-12-19 time=11:48:20 eventtime=1734637699544337903 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=172.30.16.168 srcname="172.30.16.168" srcport=16198 srcintf="port4" srcintfrole="undefined" dstip=208.184.237.75 dstname="usforticlient.fortinet.net" dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=244602 proto=6 action="close" policyid=2 policytype="policy" poluuid="f1a56c7a-b57b-51ef-77b2-44d9c62a17a5" policyname="Internet policy" service="HTTPS" trandisp="snat" transip=10.5.144.159 transport=16198 appcat="unknown" applist="default" duration=2 sentbyte=1435 rcvdbyte=3019 sentpkt=11 rcvdpkt=13 vwlid=0 wanin=6392 wanout=855 lanin=7094 lanout=2487 utmaction="block" countweb=1 countssl=1 crscore=5 craction=262144 crlevel="low" msg="Connection Failed" utmref=65535-11682

 

2: date=2024-12-19 time=11:47:58 eventtime=1734637679204334884 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=172.30.16.168 srcname="172.30.16.168" srcport=21216 srcintf="port4" srcintfrole="undefined" dstip=208.184.237.75 dstname="usforticlient.fortinet.net" dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=244119 proto=6 action="close" policyid=2 policytype="policy" poluuid="f1a56c7a-b57b-51ef-77b2-44d9c62a17a5" policyname="Internet policy" service="HTTPS" trandisp="snat" transip=10.5.144.159 transport=21216 appcat="unknown" applist="default" duration=2 sentbyte=1487 rcvdbyte=3019 sentpkt=12 rcvdpkt=13 vwlid=0 wanin=6392 wanout=855 lanin=7094 lanout=2487 utmaction="block" countweb=1 countssl=1 crscore=5 craction=262144 crlevel="low" msg="Connection Failed" utmref=65535-11516

 

3: date=2024-12-19 time=11:47:38 eventtime=1734637657774347052 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=172.30.16.168 srcname="172.30.16.168" srcport=59972 srcintf="port4" srcintfrole="undefined" dstip=208.184.237.75 dstname="usforticlient.fortinet.net" dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=243483 proto=6 action="close" policyid=2 policytype="policy" poluuid="f1a56c7a-b57b-51ef-77b2-44d9c62a17a5" policyname="Internet policy" service="HTTPS" trandisp="snat" transip=10.5.144.159 transport=59972 appcat="unknown" applist="default" duration=2 sentbyte=1435 rcvdbyte=3019 sentpkt=11 rcvdpkt=13 vwlid=0 wanin=6392 wanout=855 lanin=7094 lanout=2487 utmaction="block" countweb=1 countssl=1 crscore=5 craction=262144 crlevel="low" msg="Connection Failed" utmref=65535-11326

 

4: date=2024-12-19 time=11:47:17 eventtime=1734637637244336847 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=172.30.16.168 srcname="172.30.16.168" srcport=39470 srcintf="port4" srcintfrole="undefined" dstip=208.184.237.75 dstname="usforticlient.fortinet.net" dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=242960 proto=6 action="close" policyid=2 policytype="policy" poluuid="f1a56c7a-b57b-51ef-77b2-44d9c62a17a5" policyname="Internet policy" service="HTTPS" trandisp="snat" transip=10.5.144.159 transport=39470 appcat="unknown" applist="default" duration=2 sentbyte=1435 rcvdbyte=3019 sentpkt=11 rcvdpkt=13 vwlid=0 wanin=6392 wanout=855 lanin=7094 lanout=2487 utmaction="block" countweb=1 countssl=1 crscore=5 craction=262144 crlevel="low" msg="Connection Failed" utmref=65535-11212

 

5: date=2024-12-19 time=11:46:57 eventtime=1734637616714341114 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=172.30.16.168 srcname="172.30.16.168" srcport=16064 srcintf="port4" srcintfrole="undefined" dstip=208.184.237.75 dstname="usforticlient.fortinet.net" dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=242399 proto=6 action="close" policyid=2 policytype="policy" poluuid="f1a56c7a-b57b-51ef-77b2-44d9c62a17a5" policyname="Internet policy" service="HTTPS" trandisp="snat" transip=10.5.144.159 transport=16064 appcat="unknown" applist="default" duration=2 sentbyte=1435 rcvdbyte=3019 sentpkt=11 rcvdpkt=13 vwlid=0 wanin=6392 wanout=855 lanin=7094 lanout=2487 utmaction="block" countweb=1 countssl=1 crscore=5 craction=262144 crlevel="low" msg="Connection Failed" utmref=65535-11060

 

Running 'exe log display' again shows the next 5 of the 80 logs found; each call continues from where the previous one stopped. To start at a specific entry instead, set 'exe log filter start-line <n>' (the start-line value shown in the dump).

 

To search the web filter logs for access to a particular URL:

 

exe log filter device 0 <----- Log location: memory.
exe log filter category 3 <----- utm-webfilter logs.
exe log filter field srcip 172.26.153.31
exe log filter field url http://community.fortinet.com/
exe log filter field date 2024-12-19
exe log filter field time 10:00:00-23:58:59 <----- Logs from 10:00:00 to 23:58:59, FortiGate local time.
exe log filter view-lines 5 <----- Number of entries shown per 'exe log display'.
exe log filter dump

 

OR:

 

exe log filter device 0 <----- Log location: memory.
exe log filter category 3 <----- utm-webfilter logs.
exe log filter field srcip 172.26.153.31
exe log filter field hostname community.fortinet.com
exe log filter field date 2024-12-19
exe log filter field time 10:00:00-23:58:59
exe log filter view-lines 5
exe log display

 

HO_t3emealab # exe log display
1 logs found.
1 logs returned.

1: date=2024-12-19 time=12:07:25 eventtime=1734638845448721804 tz="-0800" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=2 poluuid="f1a56c7a-b57b-51ef-77b2-44d9c62a17a5" policytype="policy" sessionid=278248 srcip=172.30.18.94 srcport=50716 srccountry="Reserved" srcintf="port4" srcintfrole="undefined" srcuuid="a002f5aa-9815-51ef-0c67-81d7dd453c08" dstip=3.165.136.42 dstport=80 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="a002f5aa-9815-51ef-0c67-81d7dd453c08" proto=6 httpmethod="GET" service="HTTP" hostname="community.fortinet.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH" profile="default" action="blocked" reqtype="direct" url="http://community.fortinet.com/" sentbyte=458 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" ratemethod="domain" cat=52 catdesc="Information Technology"

 

To extract performance statistics from the system event logs:

exe log filter reset <----- Clears the conditions set by the previous query.
exe log filter device 0
exe log filter category 1
exe log filter field action perf-stats
exe log filter field date 2024-12-19
exe log filter field time 10:00:00-23:58:59
exe log filter view-lines 5
exe log display

 

HO_t3emealab # exe log display
29 logs found.
5 logs returned.

1: date=2024-12-19 time=12:23:43 eventtime=1734639823656350985 tz="-0800" logid="0100040704" type="event" subtype="system" level="notice" vd="root" logdesc="System performance statistics" action="perf-stats" cpu=0 mem=57 totalsession=38 disk=1 bandwidth="5/191" setuprate=0 disklograte=0 fazlograte=0 freediskstorage=15171 sysuptime=9332 waninfo="N/A" msg="Performance statistics: average CPU: 0, memory: 57, concurrent sessions: 38, setup-rate: 0"

2: date=2024-12-19 time=12:18:44 eventtime=1734639523662208368 tz="-0800" logid="0100040704" type="event" subtype="system" level="notice" vd="root" logdesc="System performance statistics" action="perf-stats" cpu=0 mem=57 totalsession=43 disk=1 bandwidth="9/214" setuprate=5 disklograte=0 fazlograte=0 freediskstorage=15171 sysuptime=9032 waninfo="N/A" msg="Performance statistics: average CPU: 0, memory: 57, concurrent sessions: 43, setup-rate: 5"

3: date=2024-12-19 time=12:13:44 eventtime=1734639223660798823 tz="-0800" logid="0100040704" type="event" subtype="system" level="notice" vd="root" logdesc="System performance statistics" action="perf-stats" cpu=1 mem=57 totalsession=45 disk=1 bandwidth="7/185" setuprate=0 disklograte=0 fazlograte=0 freediskstorage=15171 sysuptime=8732 waninfo="N/A" msg="Performance statistics: average CPU: 1, memory: 57, concurrent sessions: 45, setup-rate: 0"

4: date=2024-12-19 time=12:08:44 eventtime=1734638923662042377 tz="-0800" logid="0100040704" type="event" subtype="system" level="notice" vd="root" logdesc="System performance statistics" action="perf-stats" cpu=0 mem=57 totalsession=71 disk=1 bandwidth="21/177" setuprate=4 disklograte=2 fazlograte=2 freediskstorage=15171 sysuptime=8432 waninfo="N/A" msg="Performance statistics: average CPU: 0, memory: 57, concurrent sessions: 71, setup-rate: 4"

5: date=2024-12-19 time=12:03:43 eventtime=1734638623656533942 tz="-0800" logid="0100040704" type="event" subtype="system" level="notice" vd="root" logdesc="System performance statistics" action="perf-stats" cpu=0 mem=57 totalsession=40 disk=1 bandwidth="46/221" setuprate=1 disklograte=0 fazlograte=0 freediskstorage=15171 sysuptime=8132 waninfo="N/A" msg="Performance statistics: average CPU: 0, memory: 57, concurrent sessions: 40, setup-rate: 1"
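The queries on this page return at most view-lines entries per call, and each displayed line is a long key=value record. The following Python script, added here as an example and not part of the article or of FortiOS, parses lines in the format printed by 'execute log display' and re-applies the same kind of conditions offline (exact date and field match, inclusive time range, start-line/view-lines paging). It serves both the traffic query above, summarising which policy and action each matched session got, and the perf-stats query, extracting peak CPU, memory and session counts. The sample log lines are constructed and abbreviated from the format shown on this page; the function names and the DNS policy entry are illustrative.

```python
"""Added example (not FortiOS code): parse the key=value lines printed by
'execute log display' and re-apply 'execute log filter' style conditions
offline. Sample log lines are constructed and abbreviated from the format
shown in this article."""
import re
from collections import Counter
from datetime import time as dtime

# A FortiOS log line is a run of key=value pairs; a value is either a bare token
# (IP, number, 65535-11682) or a double-quoted string that may contain spaces.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_COUNTER_RE = re.compile(r'^\s*\d+:\s*')   # the "N: " prefix added by execute log display


def parse_log_line(line: str) -> dict:
    """Turn one displayed log line into a dict of field name -> string value."""
    body = _COUNTER_RE.sub('', line.strip())
    fields = {}
    for key, value in _KV_RE.findall(body):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_time_range(spec: str):
    """'HH:MM:SS-HH:MM:SS', the syntax of 'execute log filter field time'."""
    start, end = spec.split('-', 1)
    return dtime.fromisoformat(start), dtime.fromisoformat(end)


def matches(entry: dict, conditions: dict) -> bool:
    """AND of filter conditions: 'time' is an inclusive range, every other
    field is an exact string comparison, like the Filter line in the dump."""
    for name, wanted in conditions.items():
        if name == 'time':
            lo, hi = parse_time_range(wanted)
            if 'time' not in entry or not (lo <= dtime.fromisoformat(entry['time']) <= hi):
                return False
        elif entry.get(name) != wanted:
            return False
    return True


def filter_logs(lines, conditions, view_lines=5, start_line=1):
    """Return (page, total): the entries 'execute log display' would show for
    the given start-line and view-lines, and the total number of matches."""
    matched = [e for e in map(parse_log_line, lines) if e and matches(e, conditions)]
    first = start_line - 1
    return matched[first:first + view_lines], len(matched)


def policy_summary(entries):
    """Count (policyid, policyname, action) so the matched policy and the
    verdict applied to the traffic are visible at a glance."""
    return Counter((e.get('policyid'), e.get('policyname'), e.get('action')) for e in entries)


def perf_peaks(lines):
    """From perf-stats event entries, return the peak CPU, memory and session values."""
    stats = [e for e in map(parse_log_line, lines) if e.get('action') == 'perf-stats']
    if not stats:
        return None
    return {k: max(int(e[k]) for e in stats) for k in ('cpu', 'mem', 'totalsession')}


# Constructed sample input: abbreviated traffic and perf-stats entries.
SAMPLE_TRAFFIC = [
    '1: date=2024-12-19 time=11:48:20 type="traffic" subtype="forward" srcip=172.30.16.168 srcport=16198 dstip=208.184.237.75 dstport=443 action="close" policyid=2 policyname="Internet policy" utmaction="block" msg="Connection Failed" utmref=65535-11682',
    '2: date=2024-12-19 time=11:47:58 type="traffic" subtype="forward" srcip=172.30.16.168 srcport=21216 dstip=208.184.237.75 dstport=443 action="close" policyid=2 policyname="Internet policy" utmaction="block" msg="Connection Failed" utmref=65535-11516',
    '3: date=2024-12-19 time=09:30:00 type="traffic" subtype="forward" srcip=172.30.16.168 srcport=40000 dstip=208.184.237.75 dstport=443 action="accept" policyid=2 policyname="Internet policy"',
    '4: date=2024-12-19 time=11:47:17 type="traffic" subtype="forward" srcip=172.30.16.168 srcport=39470 dstip=10.5.144.1 dstport=53 action="accept" policyid=7 policyname="DNS out"',
    '5: date=2024-12-18 time=11:46:57 type="traffic" subtype="forward" srcip=172.30.16.168 srcport=16064 dstip=208.184.237.75 dstport=443 action="close" policyid=2 policyname="Internet policy"',
]
SAMPLE_PERF = [
    '1: date=2024-12-19 time=12:23:43 type="event" subtype="system" action="perf-stats" cpu=0 mem=57 totalsession=38 bandwidth="5/191"',
    '2: date=2024-12-19 time=12:13:44 type="event" subtype="system" action="perf-stats" cpu=1 mem=57 totalsession=45 bandwidth="7/185"',
    '3: date=2024-12-19 time=12:08:44 type="event" subtype="system" action="perf-stats" cpu=0 mem=57 totalsession=71 bandwidth="21/177"',
]
# Same conditions as the traffic query above (srcip omitted, as in the dump shown).
TRAFFIC_FILTER = {'date': '2024-12-19', 'time': '10:00:00-23:58:59', 'dstip': '208.184.237.75'}

if __name__ == '__main__':
    page, total = filter_logs(SAMPLE_TRAFFIC, TRAFFIC_FILTER, view_lines=5)
    print(f'{total} logs found. {len(page)} logs returned.')
    for hit in page:
        print(hit['time'], hit['srcip'], '->', hit['dstip'], 'policy', hit['policyid'], hit['action'])
    print(dict(policy_summary(page)))
    print(perf_peaks(SAMPLE_PERF))
```

Paste the output of repeated 'exe log display' calls into a file and feed its lines to filter_logs. Because the conditions are evaluated locally, the same functions let you confirm that an entry you expected to see really satisfies every field in the dump's Filter line, which is the quickest way to spot a missing condition such as the srcip one in the first query.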

 

  • To filter and extract admin login logs use 'exe log filter field action login'.
  • To filter and extract configuration change logs use 'exe log filter field logdesc Object\ attribute\ configured' (spaces in the value are escaped with a backslash).
  • To filter and extract SD-WAN related logs use 'execute log filter field subtype sdwan'.
  All three are event logs, so set 'exe log filter category 1' first.

 

Related document:

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/831b6976-e083-11ed-8e6d-fa163e...
