FortiGate
nsubramanian
Staff
Article Id 192137
Description
This article describes how to perform a syslog/log test and check the resulting log entries.

Solution
Performing a log entry test from the FortiGate CLI is possible using the 'diag log test' command.
This creates various test log entries on the unit hard drive, on a configured Syslog server, on a FortiAnalyzer device, on a WebTrends device or on the unit System Dashboard (System -> Status), so it can be used to confirm that each logging destination actually receives entries.

Example of output (output may vary depending on the FortiOS version):
# diag log test

generating an allowed traffic message with level - warning
generating a system event message with level - warning
generating a HA event message with level - warning
generating a infected virus message with level - warning
generating a blocked virus message with level - warning
generating an attack detection message with level - warning
generating a blacklist email message with level - warning
generating a URL block message with level - warning

The resulting test log entries can then be inspected per category with 'execute log filter category' followed by 'execute log display' (output may vary depending on the FortiOS version).

The available categories are listed with the following command:
# execute log filter category
Available categories:
 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: anomaly
 8: voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: dns
Traffic (output from FortiOS 5.6.5)
# execute log filter category traffic

# execute log display
11: date=2018-07-26 time=16:51:36 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1532616695 srcip=7.1.1.1 srcport=10016 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" sessionid=10006 proto=6 action="accept" policyid=1 policytype="policy" service="tcp/20" dstcountry="France" srccountry="United States" trandisp="noop" appid=35421 app="Dropbox_File.Download" appcat="Storage.Backup" apprisk="medium" applist="default" duration=10 sentbyte=2000 rcvdbyte=1000 sentpkt=0 rcvdpkt=0 utmaction="allow" countapp=1 devtype="iPad" osname="Apple" osversion="ver" mastersrcmac="07:01:01:01:01:01" srcmac="07:01:01:01:01:01" srcserver=0 dstdevtype="Android Phone" dstosname="Android" dstosversion="ver" masterdstmac="02:02:02:02:02:02" dstmac="02:02:02:02:02:02" dstserver=0 utmref=65491-194
Event (category 1, output from FortiOS 5.4)
# execute log filter category 1

# execute log display
200 logs found.
10 logs returned
1: date=2018-07-26 time=17:24:25 logid=0107045056 type=event subtype=endpoint level=notice vd=SOUTH-WEB logdesc="FortiClient license limit reached" action=add status=error license_limit=10 reason="License Number Exceeded" repeat=1 msg="FortiClient license maximum has been reached."

2: date=2018-07-26 time=17:24:24 logid=0102043020 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="FortiGuard override successful" srcip=1.1.1.1 dstip=2.2.2.2 initiator=N/A status=success reason="reason" scope=user expiry="Sun Jan 11 02:00:00 1970" oldwprof="old_profile" profile="new_profile" msg="User user added webfilter override entry scope_data from 1.1.1.1"

3: date=2018-07-26 time=17:24:24 logid=0102043018 type=event subtype=user level=warning vd=SOUTH-WEB logdesc="FortiGuard override failed" srcip=1.1.1.1 dstip=2.2.2.2 initiator=N/A status=failure reason="reason" msg="User user failed authentication when creating a FortiGuard Web Filtering override from 1.1.1.1"

4: date=2018-07-26 time=17:24:24 logid=0102043019 type=event subtype=user level=warning vd=SOUTH-WEB logdesc="FortiGuard override table full" srcip=1.1.1.1 dstip=2.2.2.2 initiator=N/A status=failure reason="reason" msg="FortiGuard Web Filtering override table is full"

5: date=2018-07-26 time=17:24:24 logid=0102043012 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="FSSO authentication successful" srcip=1.1.1.1 dstip=2.2.2.2 policyid=3 user="user" adgroup="adgroup" authproto="user(1.1.1.1)" action=FSS0-auth status=success reason="reason" msg="AD group adgroup user user succeeded in authentication"

6: date=2018-07-26 time=17:24:24 logid=0102043013 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="FSSO authentication failed" srcip=1.1.1.1 dstip=2.2.2.2 policyid=3 user="user" adgroup="adgroup" authproto="user(1.1.1.1)" action=FSS0-auth status=failure reason="reason" msg="AD group adgroup user user failed in authentication"

7: date=2018-07-26 time=17:24:24 logid=0102043016 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="NTLM authentication successful" srcip=1.1.1.1 dstip=2.2.2.2 policyid=3 user="user" adgroup="adgroup" group="usergroup" authproto="HTTP(1.1.1.1)" action=NTLM-auth status=success reason="reason" msg="AD group adgroup user user successed in authentication"

8: date=2018-07-26 time=17:24:24 logid=0102043017 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="NTLM authentication failed" srcip=1.1.1.1 dstip=2.2.2.2 policyid=3 user="user" adgroup="adgroup" group="usergroup" authproto="HTTP(1.1.1.1)" action=NTLM-auth status=failure reason="reason" msg="AD group adgroup user user failed in authentication"

9: date=2018-07-26 time=17:24:24 logid=0102043008 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="Authentication success" srcip=1.1.1.1 dstip=2.2.2.2 policyid=3 user="user" group="usergroup" authproto="HTTP(1.1.1.1)" action=authentication status=success reason="reason" msg="User user succeeded in authentication"

10: date=2018-07-26 time=17:24:24 logid=0102043009 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="Authentication failed" srcip=1.1.1.1 dstip=2.2.2.2 policyid=3 user="user" group="usergroup" authproto="HTTP(1.1.1.1)" action=authentication status=failure reason="reason" msg="User user failed in authentication"
Web Filter (output from FortiOS 5.6.5)
# execute log filter category 3

# execute log display
4 logs found.
4 logs returned.

1: date=2018-07-26 time=17:25:59 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532618758 policyid=1 sessionid=30000 user="user" group="group" srcip=1.1.1.1 srcport=30000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.abcd.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=26 catdesc="Malicious Websites" crscore=60 crlevel="high"

2: date=2018-07-26 time=17:25:57 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532618757 policyid=1 sessionid=20000 user="user" group="group" srcip=1.1.1.1 srcport=20000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.xyz.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=52 catdesc="Information Technology" crscore=30 crlevel="high"

3: date=2018-07-26 time=16:51:36 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532616697 policyid=1 sessionid=30000 user="user" group="group" srcip=1.1.1.1 srcport=30000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.abcd.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=26 catdesc="Malicious Websites" crscore=60 crlevel="high"

4: date=2018-07-26 time=16:51:34 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532616694 policyid=1 sessionid=20000 user="user" group="group" srcip=1.1.1.1 srcport=20000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.xyz.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=52 catdesc="Information Technology" crscore=30 crlevel="high"

DNS
# execute log filter category dns

# execute log display
2 logs found.
2 logs returned.

1: date=2018-07-26 time=17:25:59 logid="1501054400" type="dns" subtype="dns-response" level="warning" vd="root" eventtime=1532618758 policyid=1 sessionid=0 srcport=0 srcintf=unknown-0 srcintfrole="undefined" dstport=0 dstintf=unknown-0 dstintfrole="undefined" proto=17 profile="default" xid=0 qtype="INVALID" qtypeval=0 qclass="INVALID" msg="Domain was blocked because it is in the domain-filter list" action="block" domainfilteridx=0

2: date=2018-07-26 time=16:51:36 logid="1501054400" type="dns" subtype="dns-response" level="warning" vd="root" eventtime=1532616697 policyid=1 sessionid=0 srcport=0 srcintf=unknown-0 srcintfrole="undefined" dstport=0 dstintf=unknown-0 dstintfrole="undefined" proto=17 profile="default" xid=0 qtype="INVALID" qtypeval=0 qclass="INVALID" msg="Domain was blocked because it is in the domain-filter list" action="block" domainfilteridx=0
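The entries above all share the FortiOS key=value layout (quoted values may contain spaces, bare values may not, and 'execute log display' prefixes each record with an index). The following is an added example, not part of the original article or Fortinet's own tooling: a small Python parser for that layout plus a check that every category 'diag log test' is expected to produce actually shows up, which is the point of running the test against a remote syslog destination. The sample lines are constructed, abbreviated from the article's own output; the list of expected categories is an assumption based on the sections shown above.

```python
import re
from collections import Counter

# One key=value token: the value is either a double-quoted string (may contain spaces)
# or a bare run of non-whitespace characters, matching the output of 'execute log display'.
TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> dict:
    """Parse one log line into a dict of field -> value (all values kept as strings).

    The leading 'N: ' index printed by 'execute log display' is discarded.
    """
    body = re.sub(r'^\s*\d+:\s*', '', line.strip())
    fields = {}
    for match in TOKEN_RE.finditer(body):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def category_of(record: dict) -> str:
    """Map a parsed record to the category name used by 'execute log filter category'."""
    log_type = record.get("type", "")
    if log_type == "utm":
        return f"utm-{record.get('subtype', '')}"
    return log_type


def check_test_entries(lines, expected=("traffic", "event", "utm-webfilter", "dns")):
    """Count entries per category and report which expected categories produced nothing.

    'expected' is an assumption taken from the sections of the article, not a FortiOS list.
    """
    seen = Counter(category_of(parse_fortigate_log(l)) for l in lines if l.strip())
    missing = [cat for cat in expected if seen[cat] == 0]
    return seen, missing


def high_risk_blocks(lines):
    """Return (hostname, catdesc) for web-filter entries that were blocked with crlevel=high."""
    hits = []
    for l in lines:
        r = parse_fortigate_log(l)
        if r.get("subtype") == "webfilter" and r.get("action") == "blocked" and r.get("crlevel") == "high":
            hits.append((r.get("hostname"), r.get("catdesc")))
    return hits


# Constructed sample lines, modelled on (and abbreviated from) the article's output.
SAMPLE_LINES = [
    '11: date=2018-07-26 time=16:51:36 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=7.1.1.1 srcport=10016 dstip=2.2.2.2 dstport=20 proto=6 action="accept" policyid=1 service="tcp/20" app="Dropbox_File.Download"',
    '1: date=2018-07-26 time=17:24:25 logid=0107045056 type=event subtype=endpoint level=notice vd=SOUTH-WEB logdesc="FortiClient license limit reached" action=add status=error msg="FortiClient license maximum has been reached."',
    '1: date=2018-07-26 time=17:25:59 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" srcip=1.1.1.1 dstip=2.2.2.2 service="HTTP" hostname="www.abcd.com" action="blocked" msg="URL belongs to a denied category in policy" cat=26 catdesc="Malicious Websites" crscore=60 crlevel="high"',
    '2: date=2018-07-26 time=17:25:57 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" hostname="www.xyz.com" action="blocked" cat=52 catdesc="Information Technology" crscore=30 crlevel="high"',
    '1: date=2018-07-26 time=17:25:59 logid="1501054400" type="dns" subtype="dns-response" level="warning" vd="root" srcintf=unknown-0 proto=17 qtype="INVALID" msg="Domain was blocked because it is in the domain-filter list" action="block"',
]

if __name__ == "__main__":
    seen, missing = check_test_entries(SAMPLE_LINES)
    print("entries per category:", dict(seen))
    print("missing categories:", missing or "none")
    print("high-risk blocks:", high_risk_blocks(SAMPLE_LINES))
```

Feed the same function the lines as they arrive on the syslog server rather than from the FortiGate console: a category that is present on the unit but absent on the collector points at the syslogd filter discussed below rather than at the logging subsystem itself.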

If the test entries are generated on the unit but do not reach the syslog server, a possible root cause is that the logging options for the syslog server are not all enabled.
These options are configured from the CLI with the following command:
# config log syslogd filter
     get                                                   <----- To display the current config, which looks like this in FortiOS 4.0MR2.
     app-ctrl            : enable
     attack              : enable
     dlp                 : enable
     email               : enable
     forward-traffic     : enable
     invalid-packet      : enable
     local-traffic       : enable
     netscan             : enable
     severity            : information
     traffic             : enable
     virus               : enable
     voip                : enable
     web                 : enable
     analytics           : enable
     anomaly             : enable
     app-ctrl-all        : enable
     blocked             : enable
     discovery           : enable
     dlp-all             : enable
     dlp-docsource       : enable
     email-log-google    : enable
     email-log-imap      : enable
     email-log-msn       : enable
     email-log-pop3      : enable
     email-log-smtp      : enable
     email-log-yahoo     : enable
     ftgd-wf-block       : enable
     ftgd-wf-errors      : enable
     infected            : enable
     multicast-traffic   : enable
     oversized           : enable
     scanerror           : enable
     signature           : enable
     suspicious          : enable
     switching-protocols : enable
     url-filter          : disable
     vulnerability       : enable
     web-content         : enable
     web-filter-activex  : enable
     web-filter-applet   : enable
     web-filter-command-block: enable
     web-filter-cookie   : enable
     web-filter-ftgd-quota: enable
     web-filter-ftgd-quota-counting: enable
     web-filter-ftgd-quota-expired: enable
     web-filter-script-other: enable

Use 'set <option> enable' or 'set <option> disable' to enable or disable any of the items in the list.

Example:
set url-filter enable
end
A logging test can then be made with the CLI command 'diagnose log test'.
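The 'get' output above is long, and a single 'disable' (here url-filter) is easy to miss by eye. As an added example, not part of the original article or of FortiOS, the Python below parses that output into a dictionary, lists the options that are disabled, and prints the 'set <option> enable' block in the syntax the article uses. The excerpt it runs on is constructed in the format of the FortiOS 4.0 MR2 output shown above.

```python
import re

# A filter line looks like '     url-filter          : disable'; option names contain letters, digits and dashes.
FILTER_LINE_RE = re.compile(r'^\s*([\w-]+)\s*:\s*(\S+)\s*$')


def parse_syslogd_filter(get_output: str) -> dict:
    """Turn the 'get' output of 'config log syslogd filter' into {option: value}."""
    settings = {}
    for line in get_output.splitlines():
        m = FILTER_LINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def disabled_options(settings: dict) -> list:
    """Options whose value is 'disable', in the order they appeared in the output."""
    return [opt for opt, val in settings.items() if val == "disable"]


def enable_commands(options) -> str:
    """CLI block that re-enables the given options, using the same syntax as the article."""
    if not options:
        return ""
    body = "\n".join(f"    set {opt} enable" for opt in options)
    return f"config log syslogd filter\n{body}\nend"


# Constructed excerpt in the format of the article's FortiOS 4.0 MR2 'get' output.
SAMPLE_GET_OUTPUT = """\
app-ctrl            : enable
attack              : enable
severity            : information
url-filter          : disable
web-filter-ftgd-quota: enable
web-filter-script-other: enable
"""

if __name__ == "__main__":
    cfg = parse_syslogd_filter(SAMPLE_GET_OUTPUT)
    off = disabled_options(cfg)
    print("disabled options:", off)
    print(enable_commands(off))
```

Review the generated block before applying it: an option was usually disabled on purpose (for example to reduce syslog volume), so re-enabling it is a change in what the collector receives, not only in the test result.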
