In some cases, traffic logs are not shown in the FortiWeb GUI even though the server policies are processing web traffic. Reviewing the logging configuration and the logging daemon with the FortiWeb CLI commands below helps to find where the logs are being lost and to fix the problem.
Important:
Before starting, check that the FortiWeb administrator account being used has Read/Write permission for 'Log & Report' in its administrator access profile; without that permission the logs are not visible to that account regardless of the logging configuration.
- Check whether traffic log generation is enabled in the FortiWeb global log settings:

    show full log traffic-log | grep status
    set status disable

If it is disabled, enable it with these commands:

    config log traffic-log
        set status enable
    end
- Check whether the traffic log is enabled on the specific server policy:

    config server-policy policy
        edit "Server_Policy_Name"     <----- Replace "Server_Policy_Name" with the name of the server policy.
            show full | grep tlog
    set tlog disable

If it is disabled, enable it with these commands:

    config server-policy policy
        edit "Server_Policy_Name"
            set tlog enable
        next
    end
- If the logs must be stored on the local hard disk, check that disk log storage is enabled. Go to Log&Report -> Log Config -> Global Log Settings and check that the Disk setting is enabled. If ALL traffic logs of any severity must be saved, check that 'Log Level' is set to Information: the disk keeps only logs at or above the configured level, so a stricter level silently drops the rest.
This can also be checked in the CLI:

    show full log disk
        set severity information
        set status enable
    end
- If the traffic log setting is enabled (global and per policy) and disk storage is enabled too, check whether FortiWeb is writing the logs to its internal log folders and has indexed traffic logs recently:

    diag index all show

    time span starts from 2024-10-14 21:36:23.000000
    Total time span is 526014.238679 seconds
    Currently processing/Last processed file '/var/log/fwlog/root/disklog/elog(2024-09-20-04:24:53).log'
    event log processed ok: 52432, failed: 0
    Currently processing/Last processed file '/var/log/fwlog/root/disklog/tlog(2024-09-24-11:23:36).log'
    traffic log processed ok: 10648, failed: 0
    Currently processing/Last processed file '/var/log/fwlog/root/disklog/alog(2024-09-29-08:11:58).log'
    attack log processed ok: 2774, failed: 0

The 'tlog' line is the one that matters here: a non-zero 'processed ok' count with 'failed: 0' means traffic logs are being written and indexed.
- If the traffic log (tlog) line shows 0 processed logs, re-check the three points above. If the situation remains the same, restart the 'logd' process:
- Run this command and note the PID of the 'logd' process:

    diag sys top

- Then run the following command:

    diag sys kill 11 "PID_logd"     <----- Replace 'PID_logd' with the PID of the 'logd' process.

Killing the process makes FortiWeb start a fresh 'logd'. After that, check again whether traffic logs can be seen in the FortiWeb GUI.
- If traffic logs are still not visible, verify whether FortiWeb is generating them at all. Run the following commands and then send web traffic through at least one of the configured server policies:

    diag debug disable
    diag debug reset
    diag debug app logd 7
    diag debug enable

Output:

    FortiWeb # [Logd][10-20-23:26:23][INFO][_log_try_push][515]: log try push 10 times
    [Logd][10-20-23:26:34][INFO][_log_try_push][515]: log try push 10 times
    [Logd][10-20-23:26:43][INFO][log_check_db][743]: Database files of vdom root checked
    [Logd][10-20-23:26:45][INFO][_log_try_push][515]: log try push 10 times
    [Logd][10-20-23:26:49][INFO][_log_process][439]: ###### Recv a traffic log     <----- A traffic log was generated by FortiWeb.
    [Logd][10-20-23:26:49][INFO][log_format_local_msg][718]: log_id=30000000, msg_id=000000089713, subtype=http, url=/
    [Logd][10-20-23:26:49][INFO][log_format_local_msg][794]: Local Detail = v014xxxxdate=2024-10-20 time=23:26:49 log_id=30000000 msg_id=000000089713 device_id=FVVM01XX11000000 eventtime=1729484809977802690 vd="root" timezone="(GMT-5:00)Bogota,Lima,Quito" timezone_dayst="GMTa+5" type=traffic subtype="http" pri=notice proto=tcp service=http status=success reason=none policy="WebServer-Access" original_src=10.114.114.2 src=10.114.114.2 src_port=54903 dst=10.40.50.200 dst_port=80 http_request_time=0 http_response_time=0 http_request_bytes=409 http_response_bytes=3460 http_method=get http_url="/" http_agent="XXXXX" http_retcode=200 msg="HTTP get request from 10.114.114.2:54903 to 10.40.50.200:80" original_srccountry="Reserved" srccountry="Reserved" content_switch_name="none" server_pool_name="ServerPool-Web" http_host="172.20.200.35" user_name="Unknown" http_refer="none" http_version="1.x" dev_id=EE614BF87775905C008E63C281CFAD1D4CE8 cipher_suite="none" x509_cert_subject="none"

Turn the debug off again with 'diag debug disable' once the check is done; the 'Recv a traffic log' line confirms the log is generated, so a missing GUI entry after that point is a storage or display problem, not a policy problem.
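As an added example (not part of the original article and not a Fortinet tool), the following Python script triages the two CLI outputs above offline: it reads pasted 'diag index all show' text and flags a tlog index that has processed 0 records or has failures, and it splits a FortiWeb key=value traffic record (the 'Local Detail' line in the logd debug output) into fields so the policy, client and HTTP return code can be checked, for instance when verifying records that arrive on a syslog server. The sample inputs are constructed for the example, modelled on the outputs shown in this article; the record counts and the shortened log record are made up.

```python
import re
from typing import Dict, Optional

# Constructed sample of `diag index all show` output (counts are made up);
# here the tlog line reports 0 processed records, the failure case the article describes.
DIAG_INDEX_SAMPLE = """\
time span starts from 2024-10-14 21:36:23.000000
Total time span is 526014.238679 seconds
Currently processing/Last processed file '/var/log/fwlog/root/disklog/elog(2024-09-20-04:24:53).log'
event log processed ok: 52432, failed: 0
Currently processing/Last processed file '/var/log/fwlog/root/disklog/tlog(2024-09-24-11:23:36).log'
traffic log processed ok: 0, failed: 0
Currently processing/Last processed file '/var/log/fwlog/root/disklog/alog(2024-09-29-08:11:58).log'
attack log processed ok: 2774, failed: 0
"""

# Constructed traffic record in the key=value format FortiWeb writes
# (field names follow the 'Local Detail' record in the logd debug output; shortened).
TRAFFIC_LOG_SAMPLE = (
    'date=2024-10-20 time=23:26:49 log_id=30000000 msg_id=000000089713 '
    'device_id=FVVM01XX11000000 vd="root" timezone="(GMT-5:00)Bogota,Lima,Quito" '
    'type=traffic subtype="http" pri=notice proto=tcp service=http status=success '
    'policy="WebServer-Access" src=10.114.114.2 src_port=54903 dst=10.40.50.200 '
    'dst_port=80 http_method=get http_url="/" http_retcode=200 '
    'msg="HTTP get request from 10.114.114.2:54903 to 10.40.50.200:80" '
    'server_pool_name="ServerPool-Web" user_name="Unknown"'
)

# One line per log type in the index output: "<type> log processed ok: N, failed: M".
INDEX_RE = re.compile(r'^(event|traffic|attack) log processed ok: (\d+), failed: (\d+)', re.M)
# key=value pairs; a quoted value may contain spaces, commas and parentheses.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_index_counts(text: str) -> Dict[str, Dict[str, int]]:
    """Return {'event': {'ok': n, 'failed': m}, ...} from `diag index all show` output."""
    counts: Dict[str, Dict[str, int]] = {}
    for kind, ok, failed in INDEX_RE.findall(text):
        counts[kind] = {"ok": int(ok), "failed": int(failed)}
    return counts


def traffic_index_problem(text: str) -> Optional[str]:
    """Describe why the traffic log index looks wrong, or None if it looks healthy."""
    traffic = parse_index_counts(text).get("traffic")
    if traffic is None:
        return "no traffic log (tlog) entry in index output"
    if traffic["failed"]:
        return f"{traffic['failed']} traffic log records failed to index"
    if traffic["ok"] == 0:
        return "tlog indexed 0 records: re-check the log settings, then restart logd"
    return None


def parse_traffic_log(line: str) -> Dict[str, str]:
    """Split a FortiWeb key=value log record into a dict, stripping the quotes of quoted values."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def summarize_traffic_log(line: str) -> str:
    """One-line summary of the fields an operator checks first: policy, client, server, request, status."""
    f = parse_traffic_log(line)
    return (f"policy={f.get('policy')} {f.get('src')}:{f.get('src_port')} -> "
            f"{f.get('dst')}:{f.get('dst_port')} {f.get('http_method', '').upper()} "
            f"{f.get('http_url')} rc={f.get('http_retcode')}")


if __name__ == "__main__":
    print(traffic_index_problem(DIAG_INDEX_SAMPLE))
    print(summarize_traffic_log(TRAFFIC_LOG_SAMPLE))
```

Paste the real CLI output into the two sample strings (or read them from files) to use it on a live device; the quoted-value handling matters because fields such as timezone and msg contain spaces, so a naive split on whitespace would corrupt them.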
After checking these points, if traffic logs are still not generated (or still not visible in the GUI), open a support case at support.fortinet.com for further analysis.