Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
TBC
Contributor

Fortiweb syslog 2 hours different

Hello @All,

 

We are using Graylog to get syslog messages from our Fortiweb over TLS.

For example: on Fortiweb I see the Log Entry in Attack Log at 12:34:54 Local time

On Graylog: the same entry comes with timestamp 2022-07-27 14:34:54.000, and the log details show: full_message <185>date=2022-07-27 time=12:34:54

 

What do I need to do to get the right timestamp?

 

Many thanks in advance

TBC

Yurisk
Valued Contributor

Probably at some side (Fortiweb or Graylog) the time zone is not set/set incorrectly. For Fortiweb it should be here: https://docs.fortinet.com/document/fortiweb/7.0.0/administration-guide/780143/setting-the-system-tim... 

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Debbie_FTNT
Staff

Hey TBC,

In addition to what Yurisk suggested, you can consider the following:

- one or the other may be logging in UTC timezone, not local timezone, for some reason

- the raw logs might contain a Unix timestamp (it would be a number like this: 1659008084 or 1659008084000), which is seconds (or milliseconds) since January 1, 1970. You can convert that to a readable date via websites like this: https://www.epochconverter.com/ That might provide insight into whether Graylog or FortiWeb is logging in UTC instead of local time.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
TBC
Contributor

Hello Debbie and Yuri,

Many thanks for your reply!

 

On Graylog I have the time zone Europe/Berlin, and all of my other systems, also FortiGate, are showing the right time in Graylog and in the system itself.

On Fortiweb I have the same time settings as on FortiGate, and the time in Graylog is wrong!

For me, it looks like there is a bug on Fortiweb.

 

Is there anything else that I can check?

 

Many thanks

TBC

 

TBC
Contributor

Hello @All,

 

Any news about that?

Many thanks!

TBC

Yurisk
Valued Contributor

You haven't mentioned what timestamps you see in the Fortiweb logs themselves. If the timing is wrong there, then indeed something confuses the Fortiweb in time; if in the Fortiweb GUI you see correct times, then it is most probably sending correct logs to the Graylog, but there something goes wrong.

 

Other ideas would be to check logs on the CLI and, if you are sending logs to Graylog unencrypted, to sniff the outgoing log traffic from FWB to the Graylog and look at the packet contents for the timestamp.

Resources:

https://docs.fortinet.com/document/fortiweb/6.4.1/cli-reference/561209/log#diagnose_541289846_166639... 

 

https://docs.fortinet.com/document/fortiweb/6.4.1/cli-reference/195396/network-sniffer

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
TBC

Hello Yuri,

On the Fortiweb GUI I see this one:

[screenshot: TBC_0-1660025846314.png]

 

date=2022-08-09 time=08:00:25 log_id=11005901 msg_id=000000100944 device_id=FVVM04TM21001049 vd="root" timezone="(GMT+1:00)Amsterdam,Berlin,Bern,Rome,Stockholm,Vienna" timezone_dayst="GMTa-2" type=event subtype="system" pri=notice trigger_policy="N/A" user=daemon ui=daemon action=update status=success msg="Fortiweb virus engine is already up-to-date" 

 

 

On Graylog I see the same, two hours different:

[screenshot: TBC_1-1660025891465.png]

full_message<189>date=2022-08-09 time=04:00:27 log_id=11005901 msg_id=000000100850 device_id=FVVM04TM21001049 vd="root" timezone="(GMT+1:00)Amsterdam,Berlin,Bern,Rome,Stockholm,Vienna" timezone_dayst="GMTa-2" type=event subtype="system" pri=notice trigger_policy="N/A" user=daemon ui=daemon action=update status=success msg="Fortiweb virus extend signature is already up-to-date"

 

Same log, but two hours different. I use the same Graylog instance for FortiGate without any problems. So for me, this is a problem on Fortiweb!

 

All my systems show the correct time in Graylog, except Fortiweb!
The command "dia log all start" unfortunately cannot be executed despite being an admin user:
# diagnose
debug debug
hardware hardware
index index
network network
policy policy
system system
test test

 

It sounds to me like Fortiweb has some problems with logging, because it looks like Fortiweb sends the log files 2 hours later.

 

I just saw in the sniffer trace how the data from exactly 2 hours ago is sent!

 

How can we solve the problem? Logging is one of the most important things.

 

Many thanks

TBC
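The two raw lines above carry a zone-less `date=`/`time=` pair plus a `timezone=` field that only states the standard (winter) offset. The 2-hour gap in the screenshots is exactly what you get in August if a receiver reads that wall-clock time as UTC and then displays it in Europe/Berlin (CEST, UTC+2). The following parser is an added example written for this thread; it is not code from the original post, from Fortinet or from Graylog, and it assumes the device clock is set to Europe/Berlin (as the poster states) and that the receiver misreads the naive time as UTC, which is consistent with the numbers shown but not confirmed by the thread.

```python
import re
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Raw messages exactly as they appear in the thread (Graylog's full_message field).
SAMPLE_JULY = "<185>date=2022-07-27 time=12:34:54"
SAMPLE_AUG = (
    '<189>date=2022-08-09 time=04:00:27 log_id=11005901 msg_id=000000100850 '
    'device_id=FVVM04TM21001049 vd="root" '
    'timezone="(GMT+1:00)Amsterdam,Berlin,Bern,Rome,Stockholm,Vienna" '
    'timezone_dayst="GMTa-2" type=event subtype="system" pri=notice '
    'trigger_policy="N/A" user=daemon ui=daemon action=update status=success '
    'msg="Fortiweb virus extend signature is already up-to-date"'
)

# Assumption: the FortiWeb clock is set to Europe/Berlin, like the poster's Graylog.
# The timezone= field only carries the standard offset (+1:00), so an IANA zone is
# used here to get daylight-saving time right.
DEVICE_TZ = ZoneInfo("Europe/Berlin")

PRI_RE = re.compile(r"^<(\d{1,3})>")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortiweb_line(line):
    """Split a default-format line into (facility, severity, fields).

    The <PRI> prefix is facility*8 + severity (RFC 3164); the body is key=value
    pairs whose values may be double-quoted.
    """
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing syslog PRI")
    pri = int(m.group(1))
    fields = {}
    for key, quoted, bare in KV_RE.findall(line[m.end():]):
        fields[key] = bare if bare else quoted
    return pri // 8, pri % 8, fields


def _naive_event_time(fields):
    return datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")


def device_time_utc(fields, device_tz=DEVICE_TZ):
    """Correct reading: date=/time= are wall-clock time in the device's zone."""
    return _naive_event_time(fields).replace(tzinfo=device_tz).astimezone(timezone.utc)


def misread_as_utc(fields):
    """What a receiver gets when it treats the zone-less date=/time= as UTC."""
    return _naive_event_time(fields).replace(tzinfo=timezone.utc)


def skew_hours(fields, device_tz=DEVICE_TZ):
    """Hours by which the misreading is late: 2.0 under CEST, 1.0 under CET."""
    delta = misread_as_utc(fields) - device_time_utc(fields, device_tz)
    return delta.total_seconds() / 3600


def displayed_time(fields, ui_tz=DEVICE_TZ):
    """Timestamp a UI in ui_tz shows for the misread event, as 'YYYY-mm-dd HH:MM:SS'."""
    return misread_as_utc(fields).astimezone(ui_tz).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    for raw in (SAMPLE_JULY, SAMPLE_AUG):
        fac, sev, f = parse_fortiweb_line(raw)
        print(f"facility={fac} severity={sev} "
              f"device_utc={device_time_utc(f).isoformat()} "
              f"shown_in_berlin_if_misread={displayed_time(f)} "
              f"skew={skew_hours(f):+.1f}h")
```

Running it reproduces the thread: the July line decodes to facility 23 (local7), severity 1 (alert, the attack log) and, misread as UTC, displays as 14:34:54 in Berlin, exactly the Graylog timestamp in the first post; the same line in January would only be one hour off, which is a quick way to distinguish a timezone misread from a clock that is simply wrong.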

Yurisk
Valued Contributor

If you mean that Fortiweb sends logs already with the wrong timestamps, then there is not much you can do (provided it is connected to NTP and synchronized), except open a ticket with TAC, as there is not much of a debug process for time stamping logs.

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
TBC
Contributor

Hello @All,

I could resolve the problem. I had to change the Log Format to "CEF" instead of "default".

Now everything is working!

 

Many thanks and a nice weekend

TheBob
