Newbie question:
I see all failed login attempts in the event log.
How do I enable Fortigate 6.4.2 so that it logs all successful login attempts?
Thanks,
Hank
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You should see successful logins in the event log as well. I'm not sure where you're looking exactly, but I can see them by going to Log & Report -> Events -> System Events and looking for "Admin login successful" in the Log Description field.
Under Log & Report -> Log Settings, look at the bottom in the Log Settings section and see if Event Logging is set to "All" or some other value. I don't know what it needs to be, but mine is "All".
Try choosing "All" instead of "Customize" -- your screenshot is not how mine (working) is set.
Like I said, I'm not sure which of those items under Customize should have it...I would think "System activity event" would cover it, but maybe there's a difference between those categories and whatever else "All" includes.
If that doesn't do the trick though, then you might want to just open a TAC case about it.
That's unusual, I don't have Fortigate 30 to test, but on other models at least successful loging is being logged as well. May be worth opening a ticket with TAC.
I would 1st review the logging and look for the login action
e.g ( assume memory log is the source if not set the source )
execute log filter category 1
execute log filter field action login
execute log display
to set the source
FGT100D_PELNYC # execute log filter device Available devices: 0: memory 1: fortianalyzer 2: fortianalyzer-cloud 3: forticloud
Your log should look similar to the below;
1: date=2020-08-31 time=23:14:10 logid="0100032001" type="event" subtype="system" level="information" vd="root" eventtime=1598940850657894953 tz="-0700" logdesc="Admin login successful" sn="1598340950" user="kfelix" ui="ssh(x.x.x.x)" method="ssh" srcip=x.x.x.x dstip=y.y.y.y action="login" status="success" reason="none" profile="super_admin" msg="Administrator kfelix logged in successfully from ssh(x.x.x.x)"
If your using syslog just look for the log or use tcpdump and look at the log data and the login event
For log filters reference my earlier posted blogs
http://socpuppet.blogspot.com/2016/08/using-execute-log-filters-to-monitor.html
Ken Felix
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1666 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.