hankn
New Contributor

How to log successful logins?

Newbie question:

I see all failed login attempts in the event log.

How do I enable Fortigate 6.4.2 so that it logs all successful login attempts?

 

Thanks,

Hank

lobstercreed
Valued Contributor

You should see successful logins in the event log as well.  I'm not sure where you're looking exactly, but I can see them by going to Log & Report -> Events -> System Events and looking for "Admin login successful" in the Log Description field.

hankn

That is exactly where I am looking but all I see is unsuccessful login attempts.

Running 6.2.4

Even Add Filter doesn't show an option to see successful logins (see attachment).

 

lobstercreed
Valued Contributor

Under Log & Report -> Log Settings, look at the bottom in the Log Settings section and see if Event Logging is set to "All" or some other value.  I don't know what it needs to be, but mine is "All".

hankn
New Contributor

Yes I have everything being logged. 

See attachment.

Just no successful logins being recorded.

lobstercreed
Valued Contributor

Try choosing "All" instead of "Customize" -- your screenshot is not how mine (working) is set.

 

Like I said, I'm not sure which of those items under Customize should have it... I would think "System activity event" would cover it, but maybe there's a difference between those categories and whatever else "All" includes.

 

If that doesn't do the trick though, then you might want to just open a TAC case about it.

Yurisk
Valued Contributor

That's unusual. I don't have a Fortigate 30 to test, but on other models at least, successful login is being logged as well. May be worth opening a ticket with TAC.

 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
emnoc
Esteemed Contributor III

I would first review the logging and look for the login action,

e.g. (assume memory log is the source; if not, set the source)

execute log filter category 1
execute log filter field action login
execute log display

To set the source:

FGT100D_PELNYC # execute log filter device
Available devices:
0: memory
1: fortianalyzer
2: fortianalyzer-cloud
3: forticloud

 

Your log should look similar to the below:

 

1: date=2020-08-31 time=23:14:10 logid="0100032001" type="event" subtype="system" level="information" vd="root" eventtime=1598940850657894953 tz="-0700" logdesc="Admin login successful" sn="1598340950" user="kfelix" ui="ssh(x.x.x.x)" method="ssh" srcip=x.x.x.x dstip=y.y.y.y action="login" status="success" reason="none" profile="super_admin" msg="Administrator kfelix logged in successfully from ssh(x.x.x.x)"

 

If you're using syslog, just look for the log, or use tcpdump and look at the log data and the login event.

 

For log filters reference my earlier posted blogs

 

http://socpuppet.blogspot.com/2016/08/using-execute-log-filters-to-monitor.html

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  
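Added example, not part of any post in this thread: one way to check a syslog export for the admin login events described above, using the key=value format of the log line Ken Felix posted. The sample lines are constructed (documentation IP addresses), and the field values in the failed-login lines are assumptions modeled on the successful one.

```python
import re
from collections import Counter

# key=value pairs; a value is either double-quoted or a bare token
PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

# Constructed sample lines. The first follows the log line shown in the thread;
# the failed-login lines (logdesc, status, reason, msg) are assumptions.
SAMPLE = [
    'date=2020-08-31 time=23:14:10 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="kfelix" ui="ssh(192.0.2.10)" method="ssh" srcip=192.0.2.10 dstip=198.51.100.1 action="login" status="success" reason="none" msg="Administrator kfelix logged in successfully from ssh(192.0.2.10)"',
    'date=2020-08-31 time=23:15:02 type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.7)" method="ssh" srcip=203.0.113.7 dstip=198.51.100.1 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from ssh(203.0.113.7)"',
    'date=2020-08-31 time=23:15:09 type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.7)" method="ssh" srcip=203.0.113.7 dstip=198.51.100.1 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from ssh(203.0.113.7)"',
    'date=2020-08-31 time=23:16:00 type="traffic" subtype="forward" level="notice" vd="root" srcip=192.0.2.50 dstip=198.51.100.20 action="accept"',
]

def parse_line(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {key: (quoted if quoted else bare)
            for key, quoted, bare in PAIR.findall(line)}

def admin_logins(lines):
    """Yield parsed system event records whose action is "login"."""
    for line in lines:
        rec = parse_line(line)
        if (rec.get("type") == "event" and rec.get("subtype") == "system"
                and rec.get("action") == "login"):
            yield rec

def summarize(lines):
    """Count login events per (user, srcip, status)."""
    return Counter((r.get("user"), r.get("srcip"), r.get("status"))
                   for r in admin_logins(lines))

def success_logging_works(lines):
    """True if at least one successful admin login was recorded."""
    return any(status == "success" for (_, _, status) in summarize(lines))

if __name__ == "__main__":
    for (user, srcip, status), count in sorted(summarize(SAMPLE).items()):
        print(f"{user:10} {srcip:15} {status:8} {count}")
    if not success_logging_works(SAMPLE):
        print("No successful admin logins found: check event logging settings")
```

Run against a real export, a result with failed entries but no successful ones reproduces the symptom from the original question.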
