Advanced logging
This section explains how to configure other log features within your existing log configuration. You may want to include other log features after initially configuring the log topology because the network has either outgrown the initial configuration, or you want to add additional features that will help your network’s logging requirements.
The following topics are included in this section:
- Configuring logging to multiple Syslog servers
- Using Automatic Discovery to connect to a FortiAnalyzer unit
- Activating a FortiCloud account for logging purposes
- Viewing log storage space
- Customizing and filtering log messages
- Viewing logs from the CLI
- Configuring NAC quarantine logging
- Logging local-in policies
- Tracking specific search phrases in reports
- Reverting modified report settings to default settings
Configuring logging to multiple Syslog servers
When configuring multiple Syslog servers (or one Syslog server), you can configure reliable delivery of log messages from the Syslog server. Configuring of reliable delivery is available only in the CLI.
If VDOMs are enabled, you can configure multiple FortiAnalyzer units or Syslog servers for each VDOM.
To enable logging to multiple Syslog servers
1. Log in to the CLI.
2. Enter the following commands:
config log syslogd setting set csv {disable | enable} set facility <facility_name> set port <port_integer>
set reliable {disable | enable}
set server <ip_address>
set status {disable | enable}
end
3. Enter the following commands to configure the second Syslog server:
config log syslogd2 setting set csv {disable | enable} set facility <facility_name> set port <port_integer>
set reliable {disable | enable}
set server <ip_address>
set status {disable | enable}
end
4. Enter the following commands to configure the third Syslog server:
config log syslogd3 setting set csv {disable | enable} set facility <facility_name> set port <port_integer>
set reliable {disable | enable}
set server <ip_address>
set status {disable | enable}
end
Most FortiGate features are, by default, enabled for logging. You can disable individual FortiGate features you do not want the Syslog server to record, as in this example:
config log syslogd filter
set traffic {enable | disable}
set web {enable | disable}
set url-filter {enable | disable}
end
Using Automatic Discovery to connect to a FortiAnalyzer unit
Automatic Discovery can be used if the FortiAnalyzer unit is on the same network.
To connect using automatic discovery
1. Log in to the CLI.
2. Enter the following command syntax:
config log fortianalyzer setting set status enable
set server <ip_address>
set gui-display enable
set address-mode auto-discovery end
If your FortiGate unit is in Transparent mode, the interface using the automatic discovery feature will not carry traffic. For more information about how to enable the interface to also carry traffic when using the automatic discovery feature, see the Fortinet Knowledge Base article, Fortinet Discovery Protocol in Transparent mode.
The FortiGate unit searches within the same subnet for a response from any available FortiAnalyzer units.
Activating a FortiCloud account for logging purposes
When you subscribe to FortiCloud, you can configure to send logs to the FortiCloud server. The account activation can be done within the web-based manager, from the License Information widget located in System > Dashboard.
From this widget, you can easily create a new account, or log in to the existing account. From within the License Information widget, after the account is activated, you can go directly to the FortiCloud web portal, or log out of the service if you are already logged in.
To activate a FortiCloud account for logging purposes:
The following assumes that you are already at System > Dashboard and that you have located the License Information widget.
1. In the License Information widget, select Activate in the FortiCloud section.
The Registration window appears. From this window, you create the login credentials that you will use to access the account.
2. Select Create Account and enter then information for the login credentials.
After entering the login credentials, you are automatically logged in to your FortiCloud account.
3. Check that the account has been activated by viewing the account status from the License Information widget. If you need more space, you can subscribe to the 200Gb FortiCloud service by selecting Upgrade in the FortiCloud section of the widget.
Viewing log storage space
The diag sys logdisk usage command allows you to view detailed information about how much space is currently being used for logs. This is useful when you see a high percentage, such as 92 percent for the disk’s capacity. The FortiGate unit uses only 75 percent of the available disk capacity to avoid a high storage amount so when there is a high percentage, it refers to the percentage of the 75 percent that is available. For example, 92 percent of the 75 percent is available.
The following is an example of what you may see when you use diag sys logdisk usage command on a unit with no VDOMs configured:
diag sys logdisk usage
The following appears:
Total HD usage: 176MB/3011 MB Total HD logging space: 22583MB
Total HD logging space for each vdom: 22583MB
HD logging space usage for vdom “root”: 30MB/22583MB
Customizing and filtering log messages
When viewing log messages, you may want to customize and filter the information that you are seeing in the Log & Report menu (for example, Log & Report > Traffic Log > Forward Traffic). Filtering and customizing the display provides a way to view specific log information without scrolling through pages of log messages to find the information.
Customizing log messages is the process of removing or adding columns to the log display page, allowing you to view certain desired information. The most columns represent the fields from within a log message, for example, the user column represents the user field, as well as additional information. If you want to reset the customized columns on the page back to their defaults, you need to select Reset All Columns within the column title right- click menu.
Filtering information is similar to customizing, however, filtering allows you to enter specific information that indicates what should appear on the page. For example, including only log messages that appeared on February 24, between the hours of 8:00 and 8:30 am.
To customize and filter log messages
The following is an example that displays all traffic log messages that originate from the source IP address 172.20.120.24, as well as displaying only the columns:
- OS Name
- OS Version
- Policy ID
- Src (Source IP)
The following assumes that you are already on the page of the log messages you want to customize and filter. In this example, the log messages that we are customizing and filtering are in Log & Report > Traffic Log > Forward Traffic.
1. On the Forward Traffic page, right click anywhere on a column title.
2. Right click on a column title, and mouse over Column Settings to open the list.
3. Select each checkmarked title to uncheck it and remove them all from the displayed columns.
4. Scroll down to the list of unchecked fields and select ‘OS Name’, ‘OS Version’, ‘Policy ID’, and ‘Src’ to add checkmarks next to them.
5. Click outside the menu, and wait for the page to refresh with the new settings in place.
6. Select the funnel icon next to the word Src in the title bar of the Src column.
7. Enter the IP you want displayed (in this example, 172.20.120.24) in the text box.
8. Click Apply, and wait for the page to reload.
Viewing logs from the CLI
You can easily view log messages from within the CLI. In this example, we are viewing DLP log messages.
1. Log in to the CLI and then enter the following to configure the display of the DLP log messages.
execute log filter category 9 execute log filter start-line 1 execute log filter view-lines 20
The customized display of log messages in the CLI is similar to how you customize the display of log messages in the web-based manager. For example, category 9 is the DLP log messages, and the start-line is the first line in the log database table for DLP log messages, and there will be 20 lines (view-lines 20) that will display.
2. Enter the following to view the log messages:
execute log display
The following appears below execute log display:
600 logs found
20 logs returned
along with the 20 DLP log messages.
Configuring NAC quarantine logging
NAC quarantine log messages provide information about what was banned and quarantined by a Antivirus profile. The following explains how to configure NAC quarantine logging and enable it on a policy. This procedure assumes the Antivirus profile is already in place.
To configure NAC quarantine logging
1. Go to Policy & Objects > Policy > IPv4.
2. Select the policy that you want to apply the Antivirus profile to, and then select Edit.
3. Within the Security Profiles section, enable Antivirus and then select the profile from the drop-down list.
4. Select OK.
5. Log in to the CLI.
6. Enter the following to enable NAC quarantine in the DLP sensor:
config antivirus profile edit <profile_name>
config nac-quar log enable end
Logging local-in policies
Local-in security policies are policies the control the flow of internal traffic, and can be used to broaden or restrict an administrator’s access privileges. These local-in policies can also be configured to log traffic and activity that the policies control.
You can enable logging of local-in policies in the CLI, with the following commands:
config system global
set gui-local-in-policy enable end
The Local-In Policy page will then be available in Policy & Objects > Policy > Local In. You can configure what local-in traffic to log in the CLI, or in Log & Report > Log Config > Log Settings, under Local Traffic Logging.
When deciding what local-in policy traffic you want logged, consider the following:
Special Traffic
Traffic activity Traffic Direction Description
FortiGuard update annouce- ments
FortiGuard update requests
IN All push announcements of updates that are coming from the
FortiGuard system. For example, IPS or AV updates.
OUT All updates that are checking for antivirus or IPS as well as other
FortiGuard service updates.
Firewall authen- tication
IN The authentication made using either the web-based manager or CLI.
Traffic activity Traffic Direction Description
Central man- agement (a FortiGate unit being managed by a FortiMan- ager unit)
IN The access that a FortiManager has managing the FortiGate unit.
DNS IN All DNS traffic.
DHCP/DHCP Relay
IN All DHCP and/or DHCP Relay traffic.
HA (heart beat sync policy)
IN/OUT For high-end platforms with a backplane heart beat port.
|
WAN Opt/ Web
Cache
IN Any interface where WAN Opt is enabled.
WANOpt Tunnel IN This is recorded when HAVE_WANOPT is defined.
Traffic activity |
Traffic Direction |
Description |
SSL–VPN |
IN |
Any interface from a zone where the action in the policy is SSL VPN. |
IPSEC |
IN |
|
L2TP |
IN |
|
PPTP |
IN |
|
VPD |
IN |
This is recorded only when FortiClient is enabled. |
Web cache db test facility |
IN |
This is recorded only when WA_CS_REMOTE_TEST is defined. |
GDBserver |
IN |
This is recorded only when debug is enabled. |
Tracking specific search phrases in reports
It is possible to use the Web Filter to track specific search keywords and phrases and record the results for display in the report.
You should verify that the web filter profile you are using indicates what search phrases you want to track and monitor, so that the report includes this information.
1. Log in to the CLI and enter show webfilter profile default.
This provides details about the webfilter profile being used by the security policy. In this example, the details
(shown in the following in bold) indicate that safe search is enabled, but not specified or being logged.
show webfilter profile default config webfilter profile
edit “default”
set comment “default web filtering” set inspection-mode flow-based
set options https-scan set post-action comfort
config web
set safe-search url end
config ftgd-wf config filters
edit 1
set action block set category 2
next edit 2
set action block set category 7
next edit 3
set action block set category 8
2. Enter the following command syntax so that logging and the keyword for the safe search will be included in logging.
config webfilter profile edit default
config web
set log-search enable
set keyword-match “fortinet” “easter” “easter bunny” end
end
3. To test that the keyword search is working, go to a web browser and begin searching for the words that were included in the webfilter profile, such as easter.
You can tell that the test works by going to Log & Report > Traffic Log > Forward Traffic and viewing the log messages.
Reverting modified report settings to default settings
If you need to go back to the original default report settings, you can easily revert to those settings in the Report menu. Reverting to default settings means that your previously modified report settings will be lost.
To revert back to default report settings, in Log & Report > Report > Local, select Customize, and then Restore Defaults from the top navigation. This may take a minute or two. You can also use the CLI command execute report-config reset to reset the report to defaults.
If you are having problems with report content being outdated or incorrect, especially after a firmware update, you can recreate the report database using your current log information with the CLI command execute report recreate-db.