System Log
Use the Log pages to view and download FortiDeceptor system logs. Logs can be stored locally on FortiDeceptor or sent to a remote log server.
Logging Levels
FortiDeceptor log levels are Emergency (reserved), Alert, Critical, Error, Warning, Information, and Debug. The following table provides an example log entry for each log level.

| Log Level | Description | Example Log Entry |
|---|---|---|
| Alert | Immediate action is required. | Suspicious URL visit domain.com from 192.12.1.12 to 42.156.162.21:80. |
| Critical | Functionality is affected. | System database is not ready. A program should have started to rebuild it and it shall be ready after a while. |
| Error | An erroneous condition exists and functionality is probably affected. | Errors that occur when deleting certificates. |
| Warning | Functionality might be affected. | Submitted file AVSInstallPack.exe is too large: 292046088. |
| Information | General information about system operations. | LDAP server information that was successfully updated. |
| Debug | Detailed information for debugging. | Launching job for file. jobid=2726271637747836543 filename=log md5=ebe5ae2bec3b653c2970e8cec9f5f1d9 sha1=06ea6108d02513f0d278ecc8d443df86dac2885b sha256=d678da5fb9ea3ee20af779a4ae13c402585ebb070edcf20091cb20509000f74b |
Raw logs
You can download and save raw logs to the management computer by clicking Download Log. Raw logs are saved as a gzip-compressed text file with the extension .log.gz. You can search the system log for more details.
Sample raw log file content
itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg="SNMP TRAP sent out: Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22 Operation=Established SSH connection Description=10.95.5.83 Username=NA Password=NA"
itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg="SNMP TRAP sent out: Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22 Operation=SSH connection closed Description=83ssh Username=83ssh Password=83ssh"
itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg="SNMP TRAP sent out: Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22 Operation=Authentication Failure Description=83ssh Username=83ssh Password=83ssh"
itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg="SNMP TRAP sent out: Service=SAMBA AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445 Operation=Change to dir Description=/home/share/samba Username=83samba Password=83samba"
itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg="SNMP TRAP sent out: Service=SAMBA AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445 Operation=Access path Description=samba Username=83samba Password=83samba"
itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg="SNMP TRAP sent out: Service=SAMBA AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445 Operation=Disconnect net share Description=samba Username=83samba Password=83samba"
itime=1535413201 date=2018-08-27 time=16:40:01 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg="Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22 Operation=SSH connection closed Description=83ssh Username=83ssh Password=83ssh"
itime=1535413201 date=2018-08-27 time=16:40:01 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg="Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22 Operation=Authentication Failure Description=83ssh Username=83ssh Password=83ssh"
itime=1535413198 date=2018-08-27 time=16:39:58 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg="Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22 Operation=Established SSH connection Description=10.95.5.83 Username=NA Password=NA"
itime=1535413198 date=2018-08-27 time=16:39:58 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg="Service=SAMBA AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445 Operation=Disconnect net share Description=samba Username=83samba Password=83samba"
itime=1535413197 date=2018-08-27 time=16:39:57 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg="Service=SAMBA AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445 Operation=Change to dir Description=/home/share/samba Username=83samba Password=83samba"
itime=1535413197 date=2018-08-27 time=16:39:57 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg="Service=SAMBA AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445 Operation=Access path Description=samba Username=83samba Password=83samba"
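The raw log format above is two layers of key=value pairs: the outer record (itime, pri, msg, ...) and, inside the quoted msg, the decoy event fields (Service, AttackerIp, Operation, ...). The following Python is an added example, not part of the FortiDeceptor documentation or product, that parses such lines, filters by the logging levels from the table above, and summarises decoy interactions per attacker. It assumes the pri field carries the level name in lower case (the page shows only pri=debug and pri=alert; the other names are extrapolated from the Logging Levels table) and that itime is a Unix epoch timestamp; the sample lines are constructed from the values shown on this page.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Severity order from the Logging Levels table, most to least severe.
# Assumption: pri holds the level name in lower case (only "debug" and
# "alert" actually appear on the page; the rest are extrapolated).
LEVELS = ["emergency", "alert", "critical", "error", "warning", "information", "debug"]

# Constructed sample: three records in the raw-log layout shown above,
# with field values copied from the page's sample, one record per line.
SAMPLE_LOG = """\
itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg="SNMP TRAP sent out: Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22 Operation=Established SSH connection Description=10.95.5.83 Username=NA Password=NA"
itime=1535413201 date=2018-08-27 time=16:40:01 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg="Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22 Operation=Authentication Failure Description=83ssh Username=83ssh Password=83ssh"
itime=1535413197 date=2018-08-27 time=16:39:57 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg="Service=SAMBA AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445 Operation=Change to dir Description=/home/share/samba Username=83samba Password=83samba"
"""

# Outer record: a value is either a double-quoted string (msg) or a run of
# non-whitespace, which may be empty (action=).
OUTER_FIELD = re.compile(r'(\w+)=("[^"]*"|\S*)')
# Inside msg, values such as "Operation=Established SSH connection" contain
# spaces, so each value runs from its key up to the next " key=" token.
INNER_KEY = re.compile(r'(?:^|\s)(\w+)=')
TRAP_PREFIX = "SNMP TRAP sent out: "


def parse_outer(line):
    """Split one raw-log line into its top-level fields; msg stays one string."""
    fields = {}
    for m in OUTER_FIELD.finditer(line):
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_msg(msg):
    """Parse the nested key=value pairs in msg, dropping the SNMP trap prefix if present."""
    if msg.startswith(TRAP_PREFIX):
        msg = msg[len(TRAP_PREFIX):]
    keys = list(INNER_KEY.finditer(msg))
    event = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(msg)
        event[m.group(1)] = msg[m.end():end].strip()
    return event


def parse_record(line):
    """Parse one line into outer fields plus a nested 'event' dict and a UTC timestamp."""
    rec = parse_outer(line)
    rec["event"] = parse_msg(rec.get("msg", ""))
    # Assumption: itime is a Unix epoch; the date/time fields in the sample
    # are seven hours behind it, so they appear to be the appliance's local clock.
    rec["timestamp"] = datetime.fromtimestamp(int(rec["itime"]), tz=timezone.utc)
    return rec


def load_records(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def at_or_above(records, level):
    """Keep records whose pri is at least as severe as `level`, like the
    per-level forwarding selection on the Log Servers page."""
    threshold = LEVELS.index(level.lower())
    return [r for r in records
            if r.get("pri", "").lower() in LEVELS
            and LEVELS.index(r["pri"].lower()) <= threshold]


def attacker_summary(records):
    """Count decoy interactions per (AttackerIp, Service, Operation).
    Only alert-level records are counted: the pri=debug "SNMP TRAP sent out"
    entries mirror the alerts, so including them would double-count."""
    counts = Counter()
    for r in at_or_above(records, "alert"):
        e = r["event"]
        counts[(e.get("AttackerIp"), e.get("Service"), e.get("Operation"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(attacker_summary(load_records(SAMPLE_LOG)).items()):
        print(n, *key)
```

Running the block against a downloaded .log.gz (decompress first, then feed the text to load_records) gives a quick per-attacker view of which decoy services were touched; the at_or_above filter is the same idea as choosing which levels to forward to a remote log server, applied after the fact on the raw file.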
Log Categories
Log > All Events shows all logs.
The following options are available:
| Option | Description |
|---|---|
| Download Log | Download the raw log file to the management computer. |
| History Logs | Enable to include historical logs in Log Search. |
| Refresh | Refresh the log message list. |
| Filter | Click Filter to add search filters. You can select different categories to search the logs. Search is not case sensitive. |
The following information is displayed:
| Column | Description |
|---|---|
| # | Log number. |
| Date/Time | Date and time the log message was created. |
| Level | Level of the log message. For logging levels, see Logging Levels. |
| User | The user to which the log message relates. User can be a specific user or system. |
| Message | Detailed log message. |
Log Servers
You can send FortiDeceptor logs to a remote syslog server or Common Event Format (CEF) server. In Log > Log Servers, you can create new remote log servers, and edit and delete existing ones. You can configure up to 30 remote log server entries.
The following options are available:
| Option | Description |
|---|---|
| Create New | Create a log server entry. |
| Edit | Edit the selected log server entry. |
| Delete | Delete the selected log server entry. |
This page displays the following information:
| Column | Description |
|---|---|
| Name | Name of the server entry. |
| Server Type | Server type: syslog or CEF. |
| Server Address | Log server address. |
| Port | Log server port number. |
| Status | Log server status, Enabled or Disabled. |
To create a server entry:
- Go to Log > Log Servers.
- Click Create New.
- Configure the following settings:
| Setting | Description |
|---|---|
| Name | Name of the new server entry. |
| Type | Select Syslog Protocol or Common Event Format. |
| Log Server Address | Log server IP address or FQDN. |
| Port | Port number. The default port is 514. |
| Status | Enable or disable sending logs to the server. |
| Log Level | Select the logging levels to forward to the log server. For logging levels, see Logging Levels. |
- Click OK.
To edit or delete a log server:
- Go to Log > Log Servers.
- Select an entry and click Edit or Delete.