FortiPAM
FortiPAM allows you to protect, isolate and secure privileged account credentials, manage and control privileged user access, and monitor and record privileged account activity.
Winson
Staff
Article Id 251274
Description

This article describes how to filter the logs for secret launching from the CLI.

FortiPAM provides rich logs for troubleshooting, auditing, and tracing, available from both the GUI and the CLI.

Scope

FortiPAM.

Solution


1) Log in to the CLI by selecting the CLI icon in the upper-right toolbar of the GUI, or SSH to the interface IP of the FortiPAM.

tip001-1.png

2) From the CLI, enter the command below to list the available filter options:

 

PAM_12 # exec log filter ?     <- Use '?' for available options.
category: Category.
device: Device to get a log from.
dump: Dump current filter settings.
field: Filter by field.
free-style: Filter by freestyle expression.
ha-member: HA member.
local-search-mode: local log search mode
max-checklines: Maximum number of lines to check.
pre-fetch-pages: Number of pages to check in advance under on-demand log search mode.
reset: Reset filter.
start-line: Start line to display.
view-lines: Lines per view.

 

PAM_12 # exec log filter category
<category> Category name, press enter for options.

PAM_12 # exec log filter category   <- Press 'enter' for options, instead of '?'.
Available categories:
0: traffic
1: event
2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-emailfilter
7: utm-anomaly
8: utm-voip
9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: utm-dns
16: utm-ssh
17: utm-ssl
19: utm-file-filter
20: utm-icap
22: utm-sctp-filter
23: secret

PAM_12 #

 

From the options above, category 23 is 'secret'. Enter '23' as the category:

PAM_12 # exec log filter category 23 <- '23' for secret.

PAM_12 # exec log display <- Display secret logs.
239 logs found.
10 logs returned.
5.3% of logs has been searched.

1: date=2023-04-04 time=10:55:28 eventtime=1680630929110036277 tz="-0700" logid="2301064601" type="secret" subtype="pwd-chg" eventtype="pwd-chg" dstip=10.59.112.200 dstport=636 action="success" agent="Timer" operation="password-verification" apptype="ad-ldap" secretid=65 secret="RDP_10.59.112.204" account="xxx" changer="Active Directory LDAPS" uuid="7b2a947e-785c-3731-91ed-51ec5deed890" msg="Password verification succeeded."

2: date=2023-04-04 time=10:53:28 eventtime=1680630809111252682 tz="-0700" logid="2301064601" type="secret" subtype="pwd-chg" eventtype="pwd-chg" dstip=10.59.112.200 dstport=636 action="success" agent="Timer" operation="password-verification" apptype="ad-ldap" secretid=65 secret="RDP_10.59.112.204" account="xxx" changer="Active Directory LDAPS" uuid="7b2a947e-785c-3731-91ed-51ec5deed890" msg="Password verification succeeded."

3: date=2023-04-04 time=10:52:29 eventtime=1680630749173311861 tz="-0700" logid="2301064601" type="secret" subtype="pwd-chg" eventtype="pwd-chg" dstip=10.59.112.103 dstport=222 action="success" agent="Timer" operation="password-verification" apptype="ssh-pwd" secretid=39 secret="ed2" account="xxx" changer="SSH Password (Unix)" uuid="00000000-0000-0000-0000-000000000000" msg="Password verification succeeded."

... ...

 

3) To filter the secret logs above on specific fields of a log entry, use the 'field' filter:

PAM_12 # exec log filter field
<name> Field name, press enter for options.

PAM_12 # exec log filter field      <- Press 'enter' for available options.
Available fields:
timestamp
account
action
agent
apptype
changer
date
devid
dstintf
dstintfrole
dstip
dstport
duration
eventtime
eventtype
expirytime
job
jobtype
launcherid
launchername
level
logid
msg
operation
requestid
secret
secretid
sessionid
srcintf
srcintfrole
srcip
srcport
starttime
subtype
tier
time
tokenid
type
tz
user
uuid
vd
videoindex

PAM_12 #

 

PAM_12 # exec log filter field action "video-start"

PAM_12 # exec log display
32 logs found.
10 logs returned.

1: date=2023-03-31 time=16:23:59 eventtime=1680305039451188245 tz="-0700" logid="2300064600" type="secret" subtype="secret" eventtype="secret" sessionid=907690456 tokenid=1804222933 videoindex=1185 srcip=172.16.197.254 srcport=53613 srcintf="port1" srcintfrole="undefined" dstip=10.59.112.11 dstport=443 dstintf="unknown-0" dstintfrole="undefined" action="video-start" agent="browser" operation="uploading" apptype="ssh" launcherid=3 launchername="Web SSH" secretid=301 secret="SSH_key&pass" account="xxx" uuid="785c8584-3630-bc8d-9ded-515c7830365c" user="yyy" msg="Uploading."

2: date=2023-03-31 time=16:23:41 eventtime=1680305021851196212 tz="-0700" logid="2300064600" type="secret" subtype="secret" eventtype="secret" sessionid=907690452 tokenid=1803567567 videoindex=1185 srcip=172.16.197.254 srcport=53595 srcintf="port1" srcintfrole="undefined" dstip=10.59.112.11 dstport=443 dstintf="unknown-0" dstintfrole="undefined" action="video-start" agent="forticlient" operation="uploading" apptype="ssh" launcherid=1 launchername="PuTTY" secretid=301 secret="SSH_key&pass" account="xxx" uuid="785c8584-3630-bc8d-9ded-515c7830365c" user="yyy" msg="Uploading."

3: date=2023-03-31 time=16:18:10 eventtime=1680304690820441892 tz="-0700" logid="2300064600" type="secret" subtype="secret" eventtype="secret" sessionid=907690427 tokenid=1781809587 videoindex=1185 srcip=172.16.197.254 srcport=52776 srcintf="port1" srcintfrole="undefined" dstip=10.59.112.11 dstport=443 dstintf="unknown-0" dstintfrole="undefined" action="video-start" agent="forticlient" operation="uploading" apptype="ssh" launcherid=1 launchername="PuTTY" secretid=301 secret="SSH_key&pass" account="xxx" uuid="785c8584-3630-bc8d-9ded-515c7830365c" user="yyy" msg="Uploading."

... ...


PAM_12 #

 

 

The filterable fields and their values can also be looked up from the GUI, as illustrated below:

In this example, the secret logs are filtered on the action field.

- Select '+' to display the filterable fields.

- Select 'Action' in this example.

- Select the action tag 'Video Start'.

- The action value is shown in the input box, which is 'video-start' in this example.

- Enter 'video-start' in the command from the CLI:

 

# exec log filter field action "video-start"

tip001-2.png

tip001-3.png
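As an added example (not part of this article and not FortiPAM code), the Python below parses log lines in the key=value format shown above and reproduces the 'field' filter offline, so exported secret logs can be searched and summarized outside the CLI, for instance when auditing which launcher started recorded sessions. The sample entries are abridged copies of the 'exec log display' output above; the function names are the example's own.

```python
import re
from collections import Counter
from typing import Dict, List

# One key=value token: the value is either a double-quoted string (may contain
# spaces, e.g. changer="Active Directory LDAPS") or a bare token (secretid=65).
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_log_line(line: str) -> Dict[str, str]:
    """Parse one FortiPAM log line into a dict, dropping the 'N:' display index."""
    line = re.sub(r"^\s*\d+:\s*", "", line)
    fields: Dict[str, str] = {}
    for key, value in _TOKEN.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]          # strip the surrounding quotes
        fields[key] = value
    return fields

def filter_logs(lines: List[str], **criteria: str) -> List[Dict[str, str]]:
    """Offline equivalent of 'exec log filter field <name> "<value>"' (AND of all criteria)."""
    entries = (parse_log_line(l) for l in lines)
    return [e for e in entries if e and all(e.get(k) == v for k, v in criteria.items())]

def launcher_counts(entries: List[Dict[str, str]]) -> Dict[str, int]:
    """Count recorded sessions per launcher, e.g. to audit which tools start sessions."""
    return dict(Counter(e.get("launchername", "unknown") for e in entries))

# Constructed sample: abridged copies of the 'exec log display' entries in the article
# (some fields omitted for length; account/user values are masked as xxx/yyy on the page too).
SAMPLE_LOGS = [
    '1: date=2023-04-04 time=10:55:28 logid="2301064601" type="secret" subtype="pwd-chg" dstip=10.59.112.200 '
    'dstport=636 action="success" agent="Timer" operation="password-verification" apptype="ad-ldap" secretid=65 '
    'secret="RDP_10.59.112.204" account="xxx" changer="Active Directory LDAPS" msg="Password verification succeeded."',
    '2: date=2023-04-04 time=10:52:29 logid="2301064601" type="secret" subtype="pwd-chg" dstip=10.59.112.103 '
    'dstport=222 action="success" agent="Timer" operation="password-verification" apptype="ssh-pwd" secretid=39 '
    'secret="ed2" account="xxx" changer="SSH Password (Unix)" msg="Password verification succeeded."',
    '3: date=2023-03-31 time=16:23:59 logid="2300064600" type="secret" subtype="secret" sessionid=907690456 '
    'srcip=172.16.197.254 dstip=10.59.112.11 dstport=443 action="video-start" agent="browser" apptype="ssh" '
    'launcherid=3 launchername="Web SSH" secretid=301 secret="SSH_key&pass" account="xxx" user="yyy" msg="Uploading."',
    '4: date=2023-03-31 time=16:23:41 logid="2300064600" type="secret" subtype="secret" sessionid=907690452 '
    'srcip=172.16.197.254 dstip=10.59.112.11 dstport=443 action="video-start" agent="forticlient" apptype="ssh" '
    'launcherid=1 launchername="PuTTY" secretid=301 secret="SSH_key&pass" account="xxx" user="yyy" msg="Uploading."',
]

if __name__ == "__main__":
    for e in filter_logs(SAMPLE_LOGS, action="video-start"):
        print(e["date"], e["time"], e["user"], e["launchername"], e["secret"])
    print(launcher_counts(filter_logs(SAMPLE_LOGS, action="video-start")))
```

Criteria are combined with AND, so `filter_logs(lines, action="video-start", launchername="PuTTY")` narrows the result the same way chaining several 'field' filters does on the appliance.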