Hello @All,
we are using Graylog to receive syslog messages from our Fortiweb over TLS.
For example: on Fortiweb I see the log entry in the Attack Log at 12:34:54 local time.
On Graylog the same entry arrives with the timestamp 2022-07-27 14:34:54.000, and the log detail shows: full_message <185>date=2022-07-27 time=12:34:54
What do I need to do to get the right timestamp?
Many thanks in advance
TBC
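The shift described above is what you get when the date= and time= fields of a FortiWeb "default" format line (which carries only a syslog PRI such as <185> and no RFC 3164/5424 timestamp header) are taken as UTC and then rendered in Europe/Berlin. The following is an added example, not code from the thread or from Fortinet/Graylog: it parses a constructed line modelled on the one quoted here, attaches the device's zone (assumed to be Europe/Berlin, i.e. UTC+2 in July; a fixed offset is used so it runs without tzdata), and shows the 2-hour skew that appears when the zone is omitted.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample line, modelled on the FortiWeb "default" log format quoted in
# this thread: a syslog PRI (<185>) followed directly by key=value pairs and no
# RFC 3164/5424 timestamp header. Field values other than date/time/timezone are
# placeholders, not copied from a real device.
SAMPLE_LINE = (
    '<185>date=2022-07-27 time=12:34:54 vd="root" '
    'timezone="(GMT+1:00)Amsterdam,Berlin,Bern,Rome,Stockholm,Vienna" '
    'type=attack subtype="waf_signature_detection" pri=alert '
    'msg="Signature Detection: SQL Injection"'
)

# Assumption: the FortiWeb is configured for Europe/Berlin, which is UTC+2 during
# summer time (CEST). A fixed offset is used here so the example runs without
# tzdata; in a real pipeline use zoneinfo.ZoneInfo("Europe/Berlin").
DEVICE_TZ = timezone(timedelta(hours=2), "CEST")
DISPLAY_TZ = DEVICE_TZ  # Graylog web UI set to Europe/Berlin, as in the thread

_PRI_RE = re.compile(r"^<(\d{1,3})>")
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_pri(line):
    """Split the syslog PRI into (facility, severity). 185 -> (23, 1): local7/alert."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("no syslog PRI at start of line")
    pri = int(m.group(1))
    return pri // 8, pri % 8


def parse_default_format(line):
    """Return the key=value fields of a FortiWeb 'default' format line as a dict."""
    body = _PRI_RE.sub("", line, count=1)
    fields = {}
    for m in _KV_RE.finditer(body):
        key, raw, quoted = m.groups()
        fields[key] = quoted if quoted is not None else raw
    return fields


def event_time_utc(fields, device_tz):
    """Combine date= and time=, attach the device's zone, normalise to UTC.

    The line carries no offset in machine-readable form (timezone= is only a
    display string), so the zone must come from configuration. Passing
    timezone.utc here reproduces the mistake that yields a shifted timestamp.
    """
    local = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return local.replace(tzinfo=device_tz).astimezone(timezone.utc)


def displayed(ts_utc, display_tz):
    """Render a UTC timestamp the way a UI set to display_tz would show it."""
    return ts_utc.astimezone(display_tz).strftime("%Y-%m-%d %H:%M:%S")


def skew_hours(fields, assumed_tz, actual_tz):
    """Hours by which the event appears shifted when assumed_tz is used instead of actual_tz."""
    wrong = event_time_utc(fields, assumed_tz)
    right = event_time_utc(fields, actual_tz)
    return (wrong - right).total_seconds() / 3600


if __name__ == "__main__":
    fields = parse_default_format(SAMPLE_LINE)
    print("facility/severity:", parse_pri(SAMPLE_LINE))
    print("correct UTC:", event_time_utc(fields, DEVICE_TZ))
    print("shown in Berlin (zone attached):",
          displayed(event_time_utc(fields, DEVICE_TZ), DISPLAY_TZ))
    print("shown in Berlin (date/time taken as UTC):",
          displayed(event_time_utc(fields, timezone.utc), DISPLAY_TZ))
    print("skew hours:", skew_hours(fields, timezone.utc, DEVICE_TZ))
```

The same check applies to the <189> line quoted later in the thread: 189 = 23*8 + 5, i.e. local7/notice, which matches its pri=notice field, so the PRI is consistent and the only missing piece in the "default" format is a zone-qualified timestamp. Switching the device to a format that carries a syslog timestamp header, or attaching the device's zone when the date= and time= fields are parsed, removes the skew.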
Probably on one side (Fortiweb or Graylog) the time zone is not set or is set incorrectly. For Fortiweb it should be here: https://docs.fortinet.com/document/fortiweb/7.0.0/administration-guide/780143/setting-the-system-tim...
Hey TBC,
in addition to what Yurisk suggested, you can consider the following:
- one or the other may be logging in the UTC timezone rather than local time, for some reason
- the raw logs might contain a unix timestamp (a number like 1659008084 or 1659008084000), which is seconds (or milliseconds) since January 1, 1970. You can convert that to a readable date via websites like this: https://www.epochconverter.com/ That might show whether Graylog or FortiWeb is logging in UTC instead of local time.
Hello Debbie and Yuri,
many thanks for your reply!
On Graylog I have the time zone Europe/Berlin, and all of my other systems, including the FortiGate, show the right time both in Graylog and on the system itself.
On Fortiweb I have the same time settings as on the FortiGate, and the time in Graylog is wrong!
To me it looks like there is a bug on Fortiweb.
Is there anything else that I can check?
Many thanks
TBC
You haven't mentioned what timestamps you see in the Fortiweb logs themselves. If the timing is wrong there, then something is indeed confusing the Fortiweb about the time; if in the Fortiweb GUI you see correct times, then it is most probably sending correct logs to the Graylog and something goes wrong on that side.
Other ideas would be to check the logs on the CLI, and, if you are sending logs to Graylog unencrypted, to sniff the outgoing log traffic from the FWB to the Graylog and look at the packet contents for the timestamp.
Resources:
https://docs.fortinet.com/document/fortiweb/6.4.1/cli-reference/195396/network-sniffer
Hello Yuri,
on the Fortiweb GUI I see this one:
date=2022-08-09 time=08:00:25 log_id=11005901 msg_id=000000100944 device_id=FVVM04TM21001049 vd="root" timezone="(GMT+1:00)Amsterdam,Berlin,Bern,Rome,Stockholm,Vienna" timezone_dayst="GMTa-2" type=event subtype="system" pri=notice trigger_policy="N/A" user=daemon ui=daemon action=update status=success msg="Fortiweb virus engine is already up-to-date"
On Graylog I see the same with a two-hour difference:
full_message<189>date=2022-08-09 time=04:00:27 log_id=11005901 msg_id=000000100850 device_id=FVVM04TM21001049 vd="root" timezone="(GMT+1:00)Amsterdam,Berlin,Bern,Rome,Stockholm,Vienna" timezone_dayst="GMTa-2" type=event subtype="system" pri=notice trigger_policy="N/A" user=daemon ui=daemon action=update status=success msg="Fortiweb virus extend signature is already up-to-date"
Same log, but two hours different. I use the same Graylog instance for the FortiGate without any problems. So for me, this is a problem on Fortiweb!
All my systems show the correct time in Graylog, except Fortiweb!
The command "dia log all start" unfortunately cannot be executed even as an admin user:
# diagnose
debug debug
hardware hardware
index index
network network
policy policy
system system
test test
It sounds to me like Fortiweb has some problems with logging, because it looks like Fortiweb sends the log entries 2 hours later.
I just saw in the sniffer trace that the data from exactly 2 hours ago is being sent!
How can we solve the problem? Logging is one of the most important things.
Many thanks
TBC
If you mean that Fortiweb sends the logs already with the wrong timestamps, then there is not much you can do (provided it is connected to NTP and synchronized) except open a ticket with TAC, as there is not much of a debug process for the timestamping of logs.
Hello @All,
I could resolve the problem. I had to change the Log Format to "CEF" instead of "default".
Now everything is working!
Many thanks and a nice weekend
TheBob