Created on 11-24-2005 12:00 AM Edited on 09-30-2024 01:17 AM By Jean-Philippe_P
Description
This article describes how to perform a syslog/log test and check the resulting log entries.
Scope
FortiGate.
Solution
It is possible to perform a log entry test from the FortiGate CLI using the 'diag log test' command. This will create various test log entries on the unit's hard drive, to a configured Syslog server, to a FortiAnalyzer device, to a WebTrends device, or to the unit's System Dashboard (System -> Status).
Example of output (output may vary depending on the FortiOS version):
fgt200a # diag log test
generating an allowed traffic message with level - warning
generating a system event message with level - warning
generating a HA event message with level - warning
generating a infected virus message with level - warning
generating a blocked virus message with level - warning
generating an attack detection message with level - warning
generating a blacklist email message with level - warning
generating a URL block message with level - warning
The following list of the various test log entries (output may vary depending on the FortiOS version) :
below one can see the output for categories that are highlighted in 'bold' case
FGT # execute log filter category
Available categories:
0: traffic
1: event
2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-emailfilter
7: anomaly
8: voip
9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: dns
Traffic (output from FortiOS 5.6.5).
FGTv5.6.5 # execute log filter category traffic
11: date=2018-07-26 time=16:51:36 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1532616695 srcip=7.1.1.1 srcport=10016 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" sessionid=10006 proto=6 action="accept" policyid=1 policytype="policy" service="tcp/20" dstcountry="France" srccountry="United States" trandisp="noop" appid=35421 app="Dropbox_File.Download" appcat="Storage.Backup" apprisk="medium" applist="default" duration=10 sentbyte=2000 rcvdbyte=1000 sentpkt=0 rcvdpkt=0 utmaction="allow" countapp=1 devtype="iPad" osname="Apple" osversion="ver" mastersrcmac="07:01:01:01:01:01" srcmac="07:01:01:01:01:01" srcserver=0 dstdevtype="Android Phone" dstosname="Android" dstosversion="ver" masterdstmac="02:02:02:02:02:02" dstmac="02:02:02:02:02:02" dstserver=0 utmref=65491-194
Event.
1: date=2018-07-26 time=17:24:25 logid=0107045056 type=event subtype=endpoint level=notice vd=SOUTH-WEB logdesc="FortiClient license limit reached" action=add status=error license_limit=10 reason="License Number Exceeded" repeat=1 msg="FortiClient license maximum has been reached."
2: date=2018-07-26 time=17:24:24 logid=0102043020 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="FortiGuard override successful" srcip=1.1.1.1 dstip=2.2.2.2 initiator=N/A status=success reason="reason" scope=user expiry="Sun Jan 11 02:00:00 1970" oldwprof="old_profile" profile="new_profile" msg="User user added webfilter override entry scope_data from 1.1.1.1"
3: date=2018-07-26 time=17:24:24 logid=0102043018 type=event subtype=user level=warning vd=SOUTH-WEB logdesc="FortiGuard override failed" srcip=1.1.1.1 dstip=2.2.2.2 initiator=N/A status=failure reason="reason" msg="User user failed authentication when creating a FortiGuard Web Filtering override from 1.1.1.1"
4: date=2018-07-26 time=17:24:24 logid=0102043019 type=event subtype=user level=warning vd=SOUTH-WEB logdesc="FortiGuard override table full" srcip=1.1.1.1 dstip=2.2.2.2 initiator=N/A status=failure reason="reason" msg="FortiGuard Web Filtering override table is full"
Web Filter (output from FortiOS 5.6.5).
FGT # execute log filter category 3
FGT # execute log display
4 logs found.
4 logs returned.
1: date=2018-07-26 time=17:25:59 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532618758 policyid=1 sessionid=30000 user="user" group="group" srcip=1.1.1.1 srcport=30000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.abcd.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=26 catdesc="Malicious Websites" crscore=60 crlevel="high"
2: date=2018-07-26 time=17:25:57 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532618757 policyid=1 sessionid=20000 user="user" group="group" srcip=1.1.1.1 srcport=20000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.xyz.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=52 catdesc="Information Technology" crscore=30 crlevel="high"
3: date=2018-07-26 time=16:51:36 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532616697 policyid=1 sessionid=30000 user="user" group="group" srcip=1.1.1.1 srcport=30000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.abcd.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=26 catdesc="Malicious Websites" crscore=60 crlevel="high"
DNS:
FGT # execute log filter category dns
FGT # execute log display
2 logs found.
2 logs returned.
1: date=2018-07-26 time=17:25:59 logid="1501054400" type="dns" subtype="dns-response" level="warning" vd="root" eventtime=1532618758 policyid=1 sessionid=0 srcport=0 srcintf=unknown-0 srcintfrole="undefined" dstport=0 dstintf=unknown-0 dstintfrole="undefined" proto=17 profile="default" xid=0 qtype="INVALID" qtypeval=0 qclass="INVALID" msg="Domain was blocked because it is in the domain-filter list" action="block" domainfilteridx=0
2: date=2018-07-26 time=16:51:36 logid="1501054400" type="dns" subtype="dns-response" level="warning" vd="root" eventtime=1532616697 policyid=1 sessionid=0 srcport=0 srcintf=unknown-0 srcintfrole="undefined" dstport=0 dstintf=unknown-0 dstintfrole="undefined" proto=17 profile="default" xid=0 qtype="INVALID" qtypeval=0 qclass="INVALID" msg="Domain was blocked because it is in the domain-filter list" action="block" domainfilteridx=0
Example:
Under the FortiGate:
SiteC-esx48 # diag log test 1 15 10 10 true 1692950676 0X0010 <----- To simulate a botnet the mask is set to 0X0010.
From the FortiAnalyzer side, it is possible to observe it from FortiView -> Threats.
SiteC-esx48 # diag log test <----- Enter and all options are shown.
masks:
Virus: 0X0001
URL: 0X0002
DLP: 0X0004
IPS: 0X0008
BOTNET: 0X0010
ANOMALLY: 0X0020
APP: 0X0040
APP6: 0X0080
Deep App: 0X0100
Email: 0X0200
CR Web: 0X0400
SSH: 0X0800
SSL: 0X1000
diag log test <repeat> [<sleep-duration(milliseconds)> <# of srcip> <# of dstip> <gen-traffic-log> <seed> <masks>]
diag log test (repeat: 1) (sleep-duration(milliseconds): 10) (# of srcip: 10) (# of dstip: 10) (gen-traffic-log:True) (seed: 1692950676) (masks: ffffffff)
generating a system event message with level - warning
generating authentication event messages
1: generating an infected virus message with level - warning
1: generating a blocked virus message with level - warning
1: generating a URL block message with level - warning
1: generating a DLP message with level - warning
1: generating an IPS log message
1: generating an botnet log message
1: generating an anomaly log message
1: generating an application control IM message with level - information
1: generating an IPv6 application control IM message with level - information
1: generating deep application control logs with level - information
1: generating an antispam message with level - notification
1: generating a URL block message with level - warning
1: generating an ssh-command pass log with level - notification
1: generating an ssh-channel block with level - warning
1: generating an ssl-cert_blocklisted log with level - warning
1: generating FortiSwitch logs
In the Event logs, it will generate the below logs automatically:
Related articles:
Technical Tip: Standard procedure to format a FortiGate Log Disk, log backup from disk
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.