This article describes how to use events and audit logs when a new issue arises on an existing setup that was previously working normally. It also applies to an intermittent issue that appears only at specific times.
FortiNAC.
Events and Alarms:
The events can be filtered on the time period that covers only the window when the issue happened. The results can also be exported in different file formats; CSV is usually the best fit if the export needs to be uploaded to a TAC support ticket:
This helps when searching the large log files (for example output.master or output.nessus) for specific keywords and for the correct timestamp at which the issue actually happened. Generating a log snapshot of FortiNAC as soon as the issue happens increases the chances that the log files cover the same time window as the incident recorded in the event logs. Depending on network activity and the debugs enabled, the log files can fill up quickly and may cover only a short period of time.
The example below shows the correlation between the information shown in the GUI and the same event recorded in the master log file. The information shown in the GUI is stored separately, in the database.
The entries in output.master show a more extended view of these events; when specific debugs are enabled, more information is available.
yams.TelnetServer INFO :: 2024-03-08 10:48:22:239 :: #441 :: Warning: failed to create an SSH2 session for FGT-61E at 192.168.255.0
-
org.apache.http.conn.ConnectTimeoutException: Connect to 192.168.255.0:443 [/192.168.255.0] failed: connect timed out
yams SEVERE :: 2024-03-08 10:49:24:761 :: #332 :: at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:151)
yams SEVERE :: 2024-03-08 10:49:24:761 :: #332 :: at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
yams SEVERE :: 2024-03-08 10:49:24:761 :: #332 :: at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
-
yams INFO :: 2024-03-08 10:49:34:768 :: #332 :: CommonMib getArpCacheSNMP error: 2 0 reading 1.3.6.1.2.1.4.22.1.2 from device 192.168.255.0
-
yams.TelnetServer INFO :: 2024-03-08 10:50:41:776 :: #332 :: Warning: failed to create an SSH2 session for FGT-61E at 192.168.255.0
Note:
If more information is needed about the event generation process itself, a logger can be enabled:
diagnose debug logger set fine yams.ScriptProfile
Many events are shown by default, but other events can also be enabled from the Management tab:
Audit Logs:
The audit logs focus on configuration changes and cover every change made to the system since the initial deployment:
These logs are helpful for tracking changes made to the system. To export their content, for example to upload it to a TAC support ticket, the Legacy View first needs to be enabled in System > Feature Visibility:
and then, in a view similar to the Event viewer, the content can be exported:
Copyright 2024 Fortinet, Inc. All Rights Reserved.