serge_FTNT

Article

Description

How to perform a syslog/log test and check the resulting log entries.
Components

FortiGate units running FortiOS firmware version 4.00 MR3, 5.4 and 5.6

Steps or Commands

You can perform a log entry test from the FortiGate CLI using the "diag log test" command. This generates a set of test log entries, one per category, and sends them to every configured log destination: the unit's hard drive, a configured syslog server, a FortiAnalyzer device, a WebTrends device, and the unit's System Dashboard (System > Status). It is a convenient way to verify that a log destination is reachable and that entries are arriving in the expected format, without having to generate real traffic.


Example of output (output may vary depending on the FortiOS version):

fgt200a # diag log test

generating an allowed traffic message with level - warning
generating a system event message with level - warning
generating a HA event message with level - warning
generating a infected virus message with level - warning
generating a blocked virus message with level - warning
generating an attack detection message with level - warning
generating a blacklist email message with level - warning
generating a URL block message with level - warning


The following lists the various test log entries (output may vary depending on the FortiOS version).

The log display can be restricted to a single category with "execute log filter category", either by number or by name. The available categories are listed below; the ones whose test output is shown in this article are traffic, event, utm-webfilter and dns.

FGT # execute log filter category
Available categories:
 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: anomaly
 8: voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: dns

Traffic (output from FortiOS 5.6.5)

FGTv5.6.5 # execute log filter category traffic

FGTv5.6.5 # execute log display

11: date=2018-07-26 time=16:51:36 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1532616695 srcip=7.1.1.1 srcport=10016 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" sessionid=10006 proto=6 action="accept" policyid=1 policytype="policy" service="tcp/20" dstcountry="France" srccountry="United States" trandisp="noop" appid=35421 app="Dropbox_File.Download" appcat="Storage.Backup" apprisk="medium" applist="default" duration=10 sentbyte=2000 rcvdbyte=1000 sentpkt=0 rcvdpkt=0 utmaction="allow" countapp=1 devtype="iPad" osname="Apple" osversion="ver" mastersrcmac="07:01:01:01:01:01" srcmac="07:01:01:01:01:01" srcserver=0 dstdevtype="Android Phone" dstosname="Android" dstosversion="ver" masterdstmac="02:02:02:02:02:02" dstmac="02:02:02:02:02:02" dstserver=0 utmref=65491-194

Event

FGTv5.4 (SOUTH-WEB) # execute log filter category 1

FGTv5.4 (SOUTH-WEB) # execute log display
200 logs found.
10 logs returned

1: date=2018-07-26 time=17:24:25 logid=0107045056 type=event subtype=endpoint level=notice vd=SOUTH-WEB logdesc="FortiClient license limit reached" action=add status=error license_limit=10 reason="License Number Exceeded" repeat=1 msg="FortiClient license maximum has been reached."

2: date=2018-07-26 time=17:24:24 logid=0102043020 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="FortiGuard override successful" srcip=1.1.1.1 dstip=2.2.2.2 initiator=N/A status=success reason="reason" scope=user expiry="Sun Jan 11 02:00:00 1970" oldwprof="old_profile" profile="new_profile" msg="User user added webfilter override entry scope_data from 1.1.1.1"

3: date=2018-07-26 time=17:24:24 logid=0102043018 type=event subtype=user level=warning vd=SOUTH-WEB logdesc="FortiGuard override failed" srcip=1.1.1.1 dstip=2.2.2.2 initiator=N/A status=failure reason="reason" msg="User user failed authentication when creating a FortiGuard Web Filtering override from 1.1.1.1"

4: date=2018-07-26 time=17:24:24 logid=0102043019 type=event subtype=user level=warning vd=SOUTH-WEB logdesc="FortiGuard override table full" srcip=1.1.1.1 dstip=2.2.2.2 initiator=N/A status=failure reason="reason" msg="FortiGuard Web Filtering override table is full"

5: date=2018-07-26 time=17:24:24 logid=0102043012 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="FSSO authentication successful" srcip=1.1.1.1 dstip=2.2.2.2 policyid=3 user="user" adgroup="adgroup" authproto="user(1.1.1.1)" action=FSS0-auth status=success reason="reason" msg="AD group adgroup user user succeeded in authentication"

6: date=2018-07-26 time=17:24:24 logid=0102043013 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="FSSO authentication failed" srcip=1.1.1.1 dstip=2.2.2.2 policyid=3 user="user" adgroup="adgroup" authproto="user(1.1.1.1)" action=FSS0-auth status=failure reason="reason" msg="AD group adgroup user user failed in authentication"

7: date=2018-07-26 time=17:24:24 logid=0102043016 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="NTLM authentication successful" srcip=1.1.1.1 dstip=2.2.2.2 policyid=3 user="user" adgroup="adgroup" group="usergroup" authproto="HTTP(1.1.1.1)" action=NTLM-auth status=success reason="reason" msg="AD group adgroup user user successed in authentication"

8: date=2018-07-26 time=17:24:24 logid=0102043017 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="NTLM authentication failed" srcip=1.1.1.1 dstip=2.2.2.2 policyid=3 user="user" adgroup="adgroup" group="usergroup" authproto="HTTP(1.1.1.1)" action=NTLM-auth status=failure reason="reason" msg="AD group adgroup user user failed in authentication"

9: date=2018-07-26 time=17:24:24 logid=0102043008 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="Authentication success" srcip=1.1.1.1 dstip=2.2.2.2 policyid=3 user="user" group="usergroup" authproto="HTTP(1.1.1.1)" action=authentication status=success reason="reason" msg="User user succeeded in authentication"

10: date=2018-07-26 time=17:24:24 logid=0102043009 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="Authentication failed" srcip=1.1.1.1 dstip=2.2.2.2 policyid=3 user="user" group="usergroup" authproto="HTTP(1.1.1.1)" action=authentication status=failure reason="reason" msg="User user failed in authentication"


Web Filter (output from FortiOS 5.6.5)

FGT # execute log filter category 3
FGT # execute log display
4 logs found.
4 logs returned.


1: date=2018-07-26 time=17:25:59 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532618758 policyid=1 sessionid=30000 user="user" group="group" srcip=1.1.1.1 srcport=30000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.abcd.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=26 catdesc="Malicious Websites" crscore=60 crlevel="high"

2: date=2018-07-26 time=17:25:57 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532618757 policyid=1 sessionid=20000 user="user" group="group" srcip=1.1.1.1 srcport=20000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.xyz.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=52 catdesc="Information Technology" crscore=30 crlevel="high"

3: date=2018-07-26 time=16:51:36 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532616697 policyid=1 sessionid=30000 user="user" group="group" srcip=1.1.1.1 srcport=30000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.abcd.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=26 catdesc="Malicious Websites" crscore=60 crlevel="high"

4: date=2018-07-26 time=16:51:34 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532616694 policyid=1 sessionid=20000 user="user" group="group" srcip=1.1.1.1 srcport=20000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.xyz.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=52 catdesc="Information Technology" crscore=30 crlevel="high"


DNS

FGT # execute log filter category dns

FGT # execute log display
2 logs found.
2 logs returned.

1: date=2018-07-26 time=17:25:59 logid="1501054400" type="dns" subtype="dns-response" level="warning" vd="root" eventtime=1532618758 policyid=1 sessionid=0 srcport=0 srcintf=unknown-0 srcintfrole="undefined" dstport=0 dstintf=unknown-0 dstintfrole="undefined" proto=17 profile="default" xid=0 qtype="INVALID" qtypeval=0 qclass="INVALID" msg="Domain was blocked because it is in the domain-filter list" action="block" domainfilteridx=0

2: date=2018-07-26 time=16:51:36 logid="1501054400" type="dns" subtype="dns-response" level="warning" vd="root" eventtime=1532616697 policyid=1 sessionid=0 srcport=0 srcintf=unknown-0 srcintfrole="undefined" dstport=0 dstintf=unknown-0 dstintfrole="undefined" proto=17 profile="default" xid=0 qtype="INVALID" qtypeval=0 qclass="INVALID" msg="Domain was blocked because it is in the domain-filter list" action="block" domainfilteridx=0
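When the test is used to validate a syslog collector, the useful check is whether each expected category actually arrived. The following is an added example (not from the original article or from Fortinet) that parses lines in the key=value format shown above and reports which of the categories exercised by the test are missing; the sample lines are constructed, shortened copies of the outputs above, and the EXPECTED set is an assumption based on the categories this article shows.

```python
import re
from typing import Dict, List, Set

# One key=value token: the value is either a double-quoted string (spaces
# allowed inside, backslash escapes tolerated) or a bare run of non-space
# characters such as srcip=7.1.1.1 or vd=SOUTH-WEB.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log line into a dict.

    A leading 'N: ' index, as printed by 'execute log display', is dropped
    and surrounding double quotes are stripped from values.
    """
    line = re.sub(r'^\s*\d+:\s*', '', line.strip())
    fields: Dict[str, str] = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields

def category_of(fields: Dict[str, str]) -> str:
    """Map type/subtype to the category name used by 'execute log filter'.
    UTM logs are named utm-<subtype> (e.g. utm-webfilter); others use type."""
    if fields.get("type") == "utm":
        return "utm-" + fields.get("subtype", "")
    return fields.get("type", "")

# Categories the test is expected to produce on the collector (assumption:
# the four categories whose output the article shows).
EXPECTED = {"traffic", "event", "utm-webfilter", "dns"}

def check_test_coverage(lines: List[str]) -> Set[str]:
    """Return the expected categories that did not appear in the lines."""
    seen = {category_of(parse_fortigate_log(l)) for l in lines}
    return EXPECTED - seen

# Constructed sample input: shortened versions of the outputs above,
# deliberately without a dns entry so one category shows up as missing.
SAMPLE_LINES = [
    '11: date=2018-07-26 time=16:51:36 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=7.1.1.1 dstip=2.2.2.2 action="accept" policyid=1',
    '1: date=2018-07-26 time=17:24:25 logid=0107045056 type=event subtype=endpoint level=notice vd=SOUTH-WEB logdesc="FortiClient license limit reached" msg="FortiClient license maximum has been reached."',
    '1: date=2018-07-26 time=17:25:59 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" hostname="www.abcd.com" action="blocked" msg="URL belongs to a denied category in policy" cat=26 catdesc="Malicious Websites"',
]

if __name__ == "__main__":
    print("missing categories:", sorted(check_test_coverage(SAMPLE_LINES)))
```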

