Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
condor
New Contributor

FGT310B without local (memory) logging.

Hi, I have a FGT310B (v5.2.3, build670 (GA)) and I can't see the memory logs.

FGT310B (setting) # show full-configuration
config log memory setting
    set status enable
    set diskfull overwrite
end

FGT310B (setting) # show full
config log setting
    set resolve-ip disable
    set resolve-port enable
    set log-user-in-upper disable
    set fwpolicy-implicit-log disable
    set fwpolicy6-implicit-log disable
    set log-invalid-packet disable
    set local-in-allow enable
    set local-in-deny-unicast enable
    set local-in-deny-broadcast disable
    set local-out enable
    set daemon-log disable
    set neighbor-event disable
    set brief-traffic-format disable
    set user-anonymize disable
end

And I want to see them on the syslog server (both: server and memory).

FGT310B (setting) # show
config log syslogd setting
    set status enable
    set server "192.168.x.x"
    set facility audit
end

Any ideas?

Thank you very much.

Condor.

Carlos_A_Almeida
New Contributor III

Hello, your FortiGate doesn't have a local disk.

FGT310B Module: "Flexible expansion options for four additional NP-accelerated ports or HDD for local logging and archiving"

Your options are: FortiAnalyzer, FortiCloud or an external syslog server.

condor

Thanks for the reply Carlos,

OK, memory logging doesn't work without a disk. I'm sending my logs to 192.168.x.x. How could I know that the logs are sent out from the FortiGate if I can't see the logs?

Any ideas? Thanks.

Carlos_A_Almeida

Sorry Condor, I misread your original post. You are already sending your logs to syslog.

Try to run these commands:

# this will show stats about log creation
diag log kernel-stats

# this will create some testing logs
diag log test

and run diag log kernel-stats again to see if there was some increase. And check your syslog to see if those logs are there.
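To make the before/after comparison described above repeatable, here is an added Python helper (my own example, not code from the thread or from Fortinet) that parses two `diag log kernel-stats` captures and reports whether the log counter moved and whether any log failed. It assumes the capture lines have exactly the `fgtlog N: total-log=X, failed-log=Y` shape shown in this thread; the two sample captures are constructed.

```python
import re

# Constructed sample: two "diag log kernel-stats" captures, taken before and
# after "diag log test", in the line format the thread shows.
BEFORE = """fgtlog: 1
fgtlog 0: total-log=4942, failed-log=0"""
AFTER = """fgtlog: 1
fgtlog 0: total-log=5051, failed-log=0"""

# Assumed line shape: "fgtlog <instance>: total-log=<n>, failed-log=<n>"
LINE_RE = re.compile(r"^fgtlog (\d+): total-log=(\d+), failed-log=(\d+)$")


def parse_kernel_stats(text):
    """Map each fgtlog instance id to its (total-log, failed-log) counters."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stats[int(m.group(1))] = (int(m.group(2)), int(m.group(3)))
    return stats


def log_deltas(before_text, after_text):
    """Per-instance change in generated and failed log counts between captures."""
    before = parse_kernel_stats(before_text)
    after = parse_kernel_stats(after_text)
    return {i: (after[i][0] - before[i][0], after[i][1] - before[i][1])
            for i in after if i in before}


def verdict(before_text, after_text):
    """Interpret the deltas: 'ok' means logs were produced and none failed."""
    deltas = log_deltas(before_text, after_text)
    if not deltas:
        return "no-data"  # nothing parseable in one of the captures
    generated = sum(d[0] for d in deltas.values())
    failed = sum(d[1] for d in deltas.values())
    if failed > 0:
        return "failed"   # logs were generated but the logger dropped some
    if generated <= 0:
        return "no-logs"  # counter did not move: the unit is not logging
    return "ok"           # logs generated locally; check the syslog side next


if __name__ == "__main__":
    print(log_deltas(BEFORE, AFTER), verdict(BEFORE, AFTER))
```

A verdict of "ok" only shows the FortiGate generated logs; whether they reached the syslog server still has to be checked on that server.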

ede_pfau
Esteemed Contributor III

AFAIK memory logging is independent of the hard disk and should work in any FGT.

You do have to select 'memory' as the log source in the WebGUI (upper right corner IIRC).


Ede

"Kernel panic: Aiee, killing interrupt handler!"
condor
New Contributor

Hi, so I ran these commands.

FGT310B # diag log kernel-stats
fgtlog: 1
fgtlog 0: total-log=4942, failed-log=0

FGT310B # diag log test
generating a system event message with level - warning
generating an infected virus message with level - warning
generating a blocked virus message with level - warning
generating a URL block message with level - warning
generating a DLP message with level - warning
generating an IPS log message
generating an anomaly log message
generating an application control IM message with level - information
generating an IPv6 application control IM message with level - information
generating deep application control logs with level - information
generating an antispam message with level - notification
generating an allowed traffic message with level - notice
generating a multicast traffic message with level - notice
generating a ipv6 traffic message with level - notice
generating a wanopt traffic log message with level - notification
generating a HA event message with level - warning
generating netscan log messages with level - notice
generating a VOIP event message with level - information
generating a DNS event message with level - information
generating authentication event messages
generating a Forticlient message with level - information
generating a NAC QUARANTINE message with level - notification
generating a URL block message with level - warning

FGT310B # diag log kernel-stats
fgtlog: 1
fgtlog 0: total-log=5051, failed-log=0

But I can see the system log:

I don't know why I can't see traffic?! What is wrong?

Thanks.

ede_pfau
Esteemed Contributor III

Traffic logs are only generated if you lower the logging level to 'information'.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
condor

Hi zhunissov4, that's already configured:

ede_pfau, I always use the "information" log level, but in this version only these levels exist:

FGT310B (setting) # set facility
kernel      Kernel messages.
user        Random user-level messages.
mail        Mail system.
daemon      System daemons.
auth        Security/authorization messages.
syslog      Messages generated internally by syslog.
lpr         Line printer subsystem.
news        Network news subsystem.
uucp        Network news subsystem.
cron        Clock daemon.
authpriv    Security/authorization messages (private).
ftp         FTP daemon.
ntp         NTP daemon.
audit       Log audit.
alert       Log alert.
clock       Clock daemon.
local0      Reserved for local use.
local1      Reserved for local use.
local2      Reserved for local use.
local3      Reserved for local use.
local4      Reserved for local use.
local5      Reserved for local use.
local6      Reserved for local use.
local7      Reserved for local use.

thanks

https://s31.postimg.org/tx27bl47v/Forti_log04.png

ede_pfau
Esteemed Contributor III

'facility' is not the same as 'logging level'. It's just a label to signify the source to the logging device.

Check the CLI options for 'config log memory settings' and 'config log memory filter'.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
condor

Hi ede_pfau, you found the solution. Here is the configuration of config log memory filter:

FGT310B (filter) # show full-configuration
config log memory filter
    set severity warning
    set forward-traffic enable
    set local-traffic disable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set netscan-discovery enable
    set netscan-vulnerability enable
    set voip enable
end

So I ran these commands:
    set severity information
    set local-traffic enable

I can't receive logs on the server but maybe it is a NAT problem. Thanks to all for the help.
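As an added example (my own code, not from the thread or from Fortinet), the Python below encodes Ede's point that the syslog facility is only a label while the memory filter's severity threshold decides which of the messages `diag log test` generates actually reach the memory log. It assumes FortiOS's eight severity names in standard syslog order, treats the "notice" spelling printed by `diag log test` as "notification", and uses constructed copies of the thread's filter block and a few of its test lines as input.

```python
import re

# Syslog severities as FortiOS names them, most to least severe. "notice",
# as printed by "diag log test", is treated as an alias of "notification".
SEVERITY_ORDER = ["emergency", "alert", "critical", "error", "warning",
                  "notification", "information", "debug"]
ALIASES = {"notice": "notification", "info": "information"}

# Constructed sample input: the thread's memory filter block (as posted, with
# severity warning) and a few of its "diag log test" lines.
MEMORY_FILTER = """config log memory filter
    set severity warning
    set forward-traffic enable
    set local-traffic disable
end"""
DIAG_LOG_TEST = """generating a system event message with level - warning
generating an IPS log message
generating an allowed traffic message with level - notice
generating a DNS event message with level - information"""


def severity_rank(name):
    """Numeric rank of a severity name; lower is more severe."""
    name = name.strip().lower()
    return SEVERITY_ORDER.index(ALIASES.get(name, name))


def parse_settings(config_text):
    """Turn the 'set <key> <value>' lines of a config block into a dict."""
    return {m.group(1): m.group(2).strip('"') for m in
            re.finditer(r"^\s*set\s+(\S+)\s+(.+?)\s*$", config_text, re.M)}


def parse_test_levels(diag_output):
    """Map each 'diag log test' message to the level it says it is generated at."""
    levels = {}
    for line in diag_output.splitlines():
        m = re.match(r"generating (.+?) with level - (\w+)$", line.strip())
        if m:
            levels[m.group(1)] = m.group(2)
    return levels


def suppressed_messages(config_text, diag_output):
    """Messages the filter's severity threshold keeps out of the memory log."""
    threshold = severity_rank(parse_settings(config_text).get("severity", "information"))
    return sorted(msg for msg, lvl in parse_test_levels(diag_output).items()
                  if severity_rank(lvl) > threshold)


if __name__ == "__main__":
    print("dropped with 'set severity warning':", suppressed_messages(MEMORY_FILTER, DIAG_LOG_TEST))
    fixed = MEMORY_FILTER.replace("set severity warning", "set severity information")
    print("dropped with 'set severity information':", suppressed_messages(fixed, DIAG_LOG_TEST))
```

With the posted filter, the allowed-traffic (notice) and DNS event (information) messages are dropped; lowering the severity to information, as the thread does, lets both through.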
