| Description | This article describes where to find logs for the creation of a local user and determine who created the user. |
| Scope | FortiGate. |
| Solution |
Information and details can be collected for User creation by reviewing the log located under System events.
In the given example, a local test user is created by navigating to:
User & Authentication -> User definition -> Create new -> Local user -> provide username and password -> Next -> Submit.
To check the logs related to that, navigate to Logs & Reports -> System Events.
This log can be further expanded to see more details:
date=2025-08-25 time=03:09:07 eventtime=1756116546532568348 tz="-0700" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(172.26.48.22)" action="Add" cfgtid=19726688 cfgpath="user.local" cfgobj="test" cfgattr="type[password]passwd[*]" msg="Add user.local test"
If there are multiple logs, an appropriate log filter can be applied to see the user creation logs:
Under the Log Description column, filter for 'Local user added'.
Note: Logs in FortiGate memory are only retained for 7 days. If FortiGate Cloud logging is not enabled, logs from the previous 7 days will not be viewed. |
