Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jlozen
New Contributor

What exactly is a "security event"

I'm trying to get more of a handle on all things logging and am searching for a bit of clarification on what specifically a "security event" is. The instance of security events I'm specifically referring to is this: if you go to Policy & Objects > Policy > IPv4 and create a new rule, near the bottom under the "Logging Options" section there is a toggle for "Log Allowed Traffic". With that on, you can select "Security Events" or "All Sessions". What exactly is a "Security Event", and is there any way to configure or change what they are? Or if anyone could direct me to documentation that explains what all the events are, I would appreciate that even more.

Looking under Log & Report > Log Config > Log Settings > Event Logging, there are 6 total options to choose from, most of which seem pretty self-explanatory, but not all. I'm using Firmware Version 5.2.0,build0589 on a FortiWiFi 20c.
AtiT
Valued Contributor

Hi, I don't know the 5.2 version, but some time ago I made some tests on version 5.0.x and it looks like this:

1) If no logging is enabled, the logs are clear - of course.
2) If you enable Log all sessions, then everything is logged - it is also clear.
3) If you enable Security Events, not all sessions are logged.

For example: You have enabled the Security events log on the firewall policy but you do not have any security profile enabled - no antivirus, no webfilter etc. In this case all the logs will be clear, the traffic log also.

Let's say you enable the antivirus profile only. During normal traffic nothing will be logged until a virus is blocked by the antivirus engine or the buffer size is too small for the downloaded file: Size limit exceeded (or something similar). Then you will see a log under the Security -> AntiVirus menu and also in the traffic log.

So it means that the Log Security Events option only logs events when some Security Profile is matched. I hope that this is the right answer, or someone can correct me.

AtiT
emnoc
Esteemed Contributor III

Agreed, and that's my understanding also. As far as documentation, you need to go to Fortinet directly. If you click the "help" tab in the GUI it will take you to 5.0, which is not correct for 5.2 documentation. I'm providing you the main rebuilt page on the Fortinet website that lists the documentation. If you find any problems, missing cmd or incorrect documentation, contact Fortinet and update them.

http://docs.fortinet.com/fortigate/admin-guides

PCNSE 

NSE 

StrongSwan  
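
The policy setting discussed in this thread, written as its CLI equivalent. This is an added example, not part of either reply or of Fortinet's documentation; it assumes FortiOS 5.2 CLI syntax, and the policy ID, interface names and profile names are placeholders. The `#` lines are annotations to drop before pasting.

```fortios
# Added example (not from the thread). Policy ID 1, "internal", "wan1"
# and the "default" profiles are placeholders for your own objects.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # A security profile must be attached: as described in the replies,
        # "Security Events" logging stays empty when no profile is enabled
        # on the policy, because nothing can match.
        set utm-status enable
        set av-profile "default"
        set profile-protocol-options "default"
        # Assumed mapping of the GUI "Log Allowed Traffic" choices:
        #   Security Events -> utm
        #   All Sessions    -> all
        #   toggle off      -> disable
        set logtraffic utm
    next
end
```

Running `show firewall policy 1` afterwards shows which `logtraffic` value the policy actually carries, which is a quick check when allowed traffic is missing from the logs.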
