Log View – FortiManager 5.2

Importing a log file

Imported log files can be useful when restoring data or loading log data for temporary use. For example, if you have older log files from a device, you can import these logs to the FortiManager unit so that you can generate reports containing older data.

Importing log files is also useful when changing your RAID configuration. Changing your RAID configuration reformats the hard disk, erasing the log files. If you back up the log files, after changing the RAID configuration, you can import the logs to restore them to the FortiManager unit.

To import a log file:

  1. Go to FortiView > Log View > Log Browse.
  2. Select Import in the toolbar. The Import Log File dialog box opens.
  3. Select the device to which the imported log file belongs from the Device field drop-down list, or select [Take From Imported File] to read the device ID from the log file. If you select [Take From Imported File] your log file must contain a device_id field in its log messages.
  4. In the File field, select Browse and locate the log file on the management computer.
  5. Select OK. A message appears, stating that the upload is beginning, but will be cancelled if you leave the page.
  6. Select OK. The upload time varies depending on the size of the file and the speed of the connection.

After the log file has been successfully uploaded, the FortiManager unit will inspect the file:

  • If the device_id field in the uploaded log file does not match the device, the import will fail. Select Return to attempt another import.
  • If you selected [Take From Imported File], and the FortiManager unit’s device list does not currently contain that device, a message appears after the upload. Select OK to import the log file and automatically add the device to the device list.
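Because an import with [Take From Imported File] fails when the device_id field is absent or does not match the selected device, it is worth checking a log file before uploading it. The following script is an added example (not Fortinet code and not part of the original guide): it parses FortiGate-style raw log lines as space-separated key=value pairs with optional double-quoted values, tallies the device_id values, and reports whether the file is consistent with the import mode you intend to use. It also reads gzip-compressed files, such as those produced by the Download step with "Compress with gzip" selected. The field name device_id is taken from the guide; the sample log lines and device identifiers are constructed for the example.

```python
"""Pre-flight check for a raw log file before importing it via
FortiView > Log View > Log Browse > Import in FortiManager.

Added example, not Fortinet code. Assumes each log line is a sequence of
key=value pairs where values may be double-quoted, and that the device
identifier field is named device_id (as the guide states).
"""
import gzip
import re
import sys
from collections import Counter

# Matches key=value where value is either "quoted text" or a bare token.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Return a dict of the key=value fields on one raw log line."""
    fields = {}
    for key, raw in _KV.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def iter_lines(path):
    """Yield non-empty lines from a plain or gzip-compressed log file."""
    opener = gzip.open if str(path).endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if line:
                yield line


def check_import(lines, expected_device=None):
    """Decide whether the lines are safe to import.

    expected_device=None mirrors [Take From Imported File]: every line must
    carry device_id and all values must agree. With a device given, any
    differing device_id value would make the import fail; lines that lack
    the field are only counted (assumption: they are not rejected).
    """
    counts = Counter()
    missing = 0
    for line in lines:
        dev = parse_line(line).get("device_id")
        if dev is None:
            missing += 1
        else:
            counts[dev] += 1
    result = {"devices": dict(counts), "missing": missing}
    if expected_device is None:
        if missing:
            result.update(ok=False, reason=f"{missing} line(s) lack device_id")
        elif len(counts) != 1:
            result.update(ok=False, reason=f"{len(counts)} distinct device_id values")
        else:
            result.update(ok=True, reason="single device_id present on every line")
        return result
    bad = {d: n for d, n in counts.items() if d != expected_device}
    if bad:
        result.update(ok=False, reason=f"device_id mismatch for {expected_device}: {bad}")
    else:
        result.update(ok=True, reason=f"all device_id values match {expected_device}")
    return result


# Constructed sample lines: two from one device, one from another, one with
# no device_id field at all. Device identifiers are placeholders.
SAMPLE = [
    'date=2015-03-10 time=12:00:01 device_id=FGT-EXAMPLE-0001 logid=0000000013 '
    'type=traffic subtype=forward level=notice srcip=10.0.0.5 dstip=198.51.100.7 action="accept"',
    'date=2015-03-10 time=12:00:02 device_id=FGT-EXAMPLE-0001 logid=0100032001 '
    'type=event subtype=system level=information msg="Admin login successful"',
    'date=2015-03-10 time=12:00:03 device_id=FGT-EXAMPLE-0002 logid=0000000013 '
    'type=traffic subtype=forward level=notice srcip=10.0.0.9 dstip=198.51.100.7 action="deny"',
    'date=2015-03-10 time=12:00:04 logid=0100032002 type=event subtype=system '
    'level=warning msg="Field missing on purpose"',
]

if __name__ == "__main__":
    # Usage: python check_log_import.py file.log[.gz] [DEVICE_ID]
    source = iter_lines(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    expected = sys.argv[2] if len(sys.argv) > 2 else None
    verdict = check_import(source, expected)
    print("OK" if verdict["ok"] else "NOT OK", "-", verdict["reason"])
    print("devices:", verdict["devices"], "lines without device_id:", verdict["missing"])
```

Run it without arguments to see the verdict on the built-in sample, or pass a downloaded raw log file (plain or .gz) and, optionally, the device ID you intend to select in the Device field.
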

Downloading a log file

You can download a log file to save it as a backup or for use outside the FortiManager unit. The download consists of either the entire log file, or a partial log file, as selected by your current log view filter settings and, if downloading a raw file, the time span specified.

To download a log file:

  1. Go to FortiView > Log View > Log Browse.
  2. Select the specific log file that you need to download, then select Download from the toolbar. The Download Log File dialog box opens.
  3. Select the log file format, either text, Native, or CSV.
  4. Select Compress with gzip to compress the log file.
  5. Select Apply to download the log file.

If prompted by your web browser, select a location where you want to save the file, or open the file without saving.

FortiClient logs

The FortiManager unit can receive FortiClient logs uploaded through TCP port 514. FortiClient logs can be viewed in FortiView > Log View under the FortiGate device that FortiClient is registered to. Both traffic and event logs are available. Logs can be viewed in both historical and real-time views and in both formatted and raw log views.

In FortiManager v5.2.1 and later, log injection into the SQL database is supported for v5.2 or later licensed endpoints. Clients with the v5.0 license are able to send logs to FortiManager, but these logs will not be inserted into the SQL database.

FortiClient logs

The following information is displayed:

Traffic logs
  The following columns are supported by default for traffic logs: Date/Time, Device ID, FGT Serial, Source, Source IP, Remote IP, Remote Name, URL, User, and Security Action. Click the log details icon to the left of the limit field to view additional log information. Click the column header to set column settings. Select More Columns for additional columns. Right-click the column field to apply a search filter. Not all columns support this feature.

Event logs
  The following columns are supported by default for event logs: Date/Time, Device ID, FGT Serial, User, Client Feature, Action, and Message. Click the log details icon to the left of the limit field to view additional log information. Click the column header to set column settings. Select More Columns for additional columns. Right-click the column field to apply a search filter. Not all columns support this feature.

Vulnerability Scan logs
  The following columns are supported by default for vulnerability scan logs: Date/Time, UID, Device ID, User, vulnname, vulnseverity, and Vulnerability Category. Click the log details icon to the left of the limit field to view additional log information. Click the column header to set column settings. Select More Columns for additional columns. Right-click the column field to apply a search filter. Not all columns support this feature.

To download a FortiClient log file, select the desired log from the list, then select Download from the Tools menu. In the confirmation dialog box, select whether to compress the log file with gzip, then select Apply to download the log file.

For more information, see the FortiClient Administration Guide.


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
