FortiGate
nsubramanian
Staff
Article Id 192137

Description

This article describes how to perform a syslog/log test and check the resulting log entries.

Solution

Performing a log entry test from the FortiGate CLI is possible using the 'diag log test' command.
This will create various test log entries on the unit hard drive, on a configured Syslog server, on a FortiAnalyzer device, on a WebTrends device, and on the unit System Dashboard (System -> Status).

Example of output (output may vary depending on the FortiOS version):

diag log test

generating an allowed traffic message with level - warning
generating a system event message with level - warning
generating a HA event message with level - warning
generating a infected virus message with level - warning
generating a blocked virus message with level - warning
generating an attack detection message with level - warning
generating a blacklist email message with level - warning
generating a URL block message with level - warning

The following lists the available log categories (output may vary depending on the FortiOS version):

Below, the output is shown for several of these categories (traffic, event, webfilter and dns).

execute log filter category
Available categories:
 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: anomaly
 8: voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: dns

Traffic (output may vary depending on the FortiOS version):

execute log filter category traffic

execute log display
1: date=2025-08-07 time=16:46:32 eventtime=1754599592148565782 tz="-0400" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=fe80::1138:3d58:686e:bf53 srcport=63385 srcintf="port1" srcintfrole="undefined" dstip=ff02::1:3 dstport=5355 dstintf="root" dstintfrole="undefined" sessionid=1066244 proto=17 action="deny" policyid=0 policytype="local-in-policy6" service="udp/5355" trandisp="noop" app="udp/5355" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 msg="Connection Failed"

Event logs (category 1; output may vary depending on the FortiOS version):

execute log filter category 1

execute log display

187 logs found.
10 logs returned.
27.6% of logs has been searched.

1: date=2025-08-07 time=16:46:13 eventtime=1754599574198656264 tz="-0400" logid="0100044546" type="event" subtype="system" level="information" vd="root" logdesc="Attribute configured" user="admin" ui="GUI(172.25.188.116)" action="Edit" cfgtid=129237135 cfgpath="log.disk.setting" cfgattr="status[disable->enable]" msg="Edit log.disk.setting "

2: date=2025-08-07 time=16:44:51 eventtime=1754599490454674787 tz="-0400" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(172.25.188.116)" action="Edit" cfgtid=129237127 cfgpath="system.admin" cfgobj="admin" cfgattr="gui-dashboard:17[widget:1[fortiview-timeframe[hour->day]]]" msg="Edit system.admin admin"

3: date=2025-08-07 time=16:34:30 eventtime=1754598870709222798 tz="-0400" logid="0100022813" type="event" subtype="system" level="notice" vd="root" logdesc="Scanunit reloaded AV Database" action="update" msg="scanunit=manager pid=2072 cause='signal' AV database reload requested 1 times by updated (pid 2077) successful"

4: date=2025-08-07 time=16:34:10 eventtime=1754598850666361050 tz="-0400" logid="0100041000" type="event" subtype="system" level="notice" vd="root" logdesc="FortiGate update succeeded" status="update" msg="Fortigate scheduled update fcni=yes fdni=yes fsci=yes ffdb_full(7.04285) from 173.243.141.6:443"

5: date=2025-08-07 time=16:31:40 eventtime=1754598700853357093 tz="-0400" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1754598700" user="admin" ui="jsconsole" method="jsconsole" srcip=172.25.188.116 dstip=10.9.11.81 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"

Web Filter logs (output may vary depending on the FortiOS version):

execute log filter category 3

execute log display
4 logs found.
4 logs returned.

1: date=2018-07-26 time=17:25:59 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532618758 policyid=1 sessionid=30000 user="user" group="group" srcip=1.1.1.1 srcport=30000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.abcd.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=26 catdesc="Malicious Websites" crscore=60 crlevel="high"

2: date=2018-07-26 time=17:25:57 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532618757 policyid=1 sessionid=20000 user="user" group="group" srcip=1.1.1.1 srcport=20000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.xyz.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=52 catdesc="Information Technology" crscore=30 crlevel="high"

3: date=2018-07-26 time=16:51:36 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532616697 policyid=1 sessionid=30000 user="user" group="group" srcip=1.1.1.1 srcport=30000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.abcd.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=26 catdesc="Malicious Websites" crscore=60 crlevel="high"

4: date=2018-07-26 time=16:51:34 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532616694 policyid=1 sessionid=20000 user="user" group="group" srcip=1.1.1.1 srcport=20000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.xyz.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=52 catdesc="Information Technology" crscore=30 crlevel="high"

DNS logs (output may vary depending on the FortiOS version):

execute log filter category dns

execute log display
2 logs found.
2 logs returned.

1: date=2018-07-26 time=17:25:59 logid="1501054400" type="dns" subtype="dns-response" level="warning" vd="root" eventtime=1532618758 policyid=1 sessionid=0 srcport=0 srcintf=unknown-0 srcintfrole="undefined" dstport=0 dstintf=unknown-0 dstintfrole="undefined" proto=17 profile="default" xid=0 qtype="INVALID" qtypeval=0 qclass="INVALID" msg="Domain was blocked because it is in the domain-filter list" action="block" domainfilteridx=0

2: date=2018-07-26 time=16:51:36 logid="1501054400" type="dns" subtype="dns-response" level="warning" vd="root" eventtime=1532616697 policyid=1 sessionid=0 srcport=0 srcintf=unknown-0 srcintfrole="undefined" dstport=0 dstintf=unknown-0 dstintfrole="undefined" proto=17 profile="default" xid=0 qtype="INVALID" qtypeval=0 qclass="INVALID" msg="Domain was blocked because it is in the domain-filter list" action="block" domainfilteridx=0

If the test entries do not appear on the syslog server, one possible root cause is that not all log options for the syslog server are enabled.
These must be configured from the CLI with the following commands:

config log syslogd filter
     get                                                   <----- Displays the current configuration, which looks like this in FortiOS 4.0MR2:
     app-ctrl            : enable
     attack              : enable
     dlp                 : enable
     email               : enable
     forward-traffic     : enable
     invalid-packet      : enable
     local-traffic       : enable
     netscan             : enable
     severity            : information
     traffic             : enable
     virus               : enable
     voip                : enable
     web                 : enable
     analytics           : enable
     anomaly             : enable
     app-ctrl-all        : enable
     blocked             : enable
     discovery           : enable
     dlp-all             : enable
     dlp-docsource       : enable
     email-log-google    : enable
     email-log-imap      : enable
     email-log-msn       : enable
     email-log-pop3      : enable
     email-log-smtp      : enable
     email-log-yahoo     : enable
     ftgd-wf-block       : enable
     ftgd-wf-errors      : enable
     infected            : enable
     multicast-traffic   : enable
     oversized           : enable
     scanerror           : enable
     signature           : enable
     suspicious          : enable
     switching-protocols : enable
     url-filter          : disable
     vulnerability       : enable
     web-content         : enable
     web-filter-activex  : enable
     web-filter-applet   : enable
     web-filter-command-block: enable
     web-filter-cookie   : enable
     web-filter-ftgd-quota: enable
     web-filter-ftgd-quota-counting: enable
     web-filter-ftgd-quota-expired: enable
     web-filter-script-other: enable

Use the command 'set <option> enable/disable' to enable or disable any of the items in the list.

Example:

set url-filter enable
end

A log test can then be made with the following CLI command:

diagnose log test
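As an added example (not from the article or from Fortinet), the following Python script parses FortiGate key=value records as a syslog collector receives them and reports which of the categories announced by 'diag log test' arrived, so a missing category can be traced back to a disabled syslogd filter option. The type/subtype mapping and the sample records are assumptions constructed from the formats shown above.

```python
import re

# FortiGate log records are space-separated key=value pairs; quoted values may
# contain spaces, brackets or '=' (see the cfgattr and msg fields above).
KV_RE = re.compile(r'([A-Za-z0-9_-]+)=("(?:[^"\\]|\\.)*"|[^\s"]+)')


def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiGate record into a dict, skipping any syslog header before 'date='."""
    start = line.find("date=")
    body = line[start:] if start >= 0 else line
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(body)}


# Assumed mapping (not stated in the article) from each message that 'diag log test'
# announces to the type/subtype the resulting record should carry.
EXPECTED = {
    "allowed traffic":  ("traffic", "forward"),
    "system event":     ("event", "system"),
    "HA event":         ("event", "ha"),
    "virus":            ("utm", "virus"),
    "attack detection": ("utm", "ips"),
    "blacklist email":  ("utm", "emailfilter"),
    "URL block":        ("utm", "webfilter"),
}


def check_log_test(lines):
    """Return (seen, missing) test categories given the records a syslog collector received."""
    pairs = {(f.get("type"), f.get("subtype")) for f in map(parse_fortigate_log, lines)}
    seen = {name for name, pair in EXPECTED.items() if pair in pairs}
    return seen, set(EXPECTED) - seen


# Constructed sample of collector input (syslog PRI prefix plus abridged FortiGate fields).
SAMPLE = [
    '<189>date=2025-08-07 time=16:46:32 tz="-0400" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.0.5 dstip=10.0.0.9 action="accept" msg="test traffic"',
    '<190>date=2025-08-07 time=16:46:13 tz="-0400" type="event" subtype="system" level="information" vd="root" user="admin" ui="GUI(10.0.0.5)" cfgattr="status[disable->enable]" msg="Edit log.disk.setting "',
    '<188>date=2025-08-07 time=17:25:59 tz="-0400" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" hostname="www.example.com" action="blocked" msg="URL belongs to a denied category in policy"',
    '<188>date=2025-08-07 time=17:25:59 tz="-0400" type="dns" subtype="dns-response" level="warning" vd="root" action="block" msg="Domain was blocked because it is in the domain-filter list"',
]

if __name__ == "__main__":
    seen, missing = check_log_test(SAMPLE)
    print("seen:   ", sorted(seen))
    print("missing:", sorted(missing))  # each missing category points at a filter option to check
```

Feed the script the lines your collector wrote during the test window; an empty 'missing' set confirms the syslog path and filter settings end to end.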

Related article:

Technical Tip: FortiGate and syslog communication check