System Logs
The system log records the following:
- Configuration changes (CLI or GUI)
- Key commands
- Events and operations
- Errors
The CLI command show log lists the entire log. To view the system log files from the Web UI, click Maintenance > Syslog > View Syslog Files.
Figure 78: Syslog Files Table
Facility Name can be one of these eight sources of information:

| Facility | Messages contain… |
|---|---|
| Security | Creation and violation of security configuration, including User logins and Captive Portal activity |
| QoS | Quality of Service messages for both creation and violation of QoS rules created on this controller |
| System WNC | Rogue AP syslog messages |
| NMS | Network Manager Server syslog messages |
| Mobility | Handoff or redirect messages |
| Bulk Update | Any use of the bulk update commands available from the GUI is noted here. The Bulk Update function, accessed from the AP Configuration, Wireless Interfaces Configuration, and Antenna Property pages, updates a group of selected APs. Bulk Update works the same in each of these areas, but the items to be updated are specific to the page where the bulk update is being initiated. |
| Upgrade | Any use of the CLI command upgrade |
| Per-user Firewall | Creation and violation of per-user firewalls |
Select one of the Facilities listed in the above chart and then click View Syslog to see these details:
Figure 79: Security System Log Details

| Entry | Meaning |
|---|---|
| Line | Line number of the syslog file where the entry is located |
| Priority | Severity of the entry. Possible priorities are: debug, info, notice, warning, error, err, crit, alert, emerg, panic. |
| Mnemonic | Three-letter mnemonic assigned to the entry: CAP = Captive Portal; RED = redirect; FOR = forward; WAU = WebAuth user authentication; WST = Web Server Event; WPW = Web UI user password administration |
| Time | Date and time when the entry was logged. |
| Record | The details of the syslog event depend on the category of the message. Security: User logins, Captive Portal activity. QoS: Creation and violation of QoS rules. System WNC: Rogue activity. NMS: If this controller is part of Network Manager, all activity initiated by the Network Manager Server. Mobility: This consists primarily of RED (redirect) messages. Bulk Update: AP updates done in groups. Upgrade: FortiWLC (SD) upgrades. Per-User Firewall: Creation and violation of firewalls. |
To search for information in any column of a Facility screen like the one in Figure 79, type search data in the box at the top of the column (Line, Priority, Mnemonic, Time, Record) to filter the messages; only messages that match the filter are shown. For Priority, you see messages of the selected priority level and higher. For example, a search for debug shows every message because debug is the lowest priority level, while a search for info shows the messages info and higher: notice, warning, error, err, crit, alert, emerg, panic (highest priority).
You can also click the calendar icon above the Time column to enter a specific date or time to filter the syslog messages in this category.
Station Log Events
Station log event messages are displayed in this format:
[object name, field name <old value: new value>, field name <old value: new value> …]
Log Category : “nms”, Priority : “info”, Mnemonic : “CONFIG”
The following chart describes some common station log events. Each event is shown as the station MAC address, the log category, and the logged message.
| Station | Category | Event | Condition That Triggers Event | Interpretation |
|---|---|---|---|---|
| 00:0f:8f:9d:d3:23 | Station Assign | <AID=1> assigned to <AP_ID=31><ESSID=swhanessid><BSSID=00:0c:e6:9d:4f:be> | A mobile station is assigned to AP::ESSID::BSSID. | A mobile station is assigned to the BSSID. Once a mobile station is assigned to AP::ESSID::BSSID, the mobile proceeds to the next stage, 802.11 authentication and association. The AID value is assigned to the station if it goes through 802.11 authentication/association. |
| 00:0f:8f:9d:d3:23 | Station Assign | <AID=1> Assign Removed From <AP_ID=31><ESSID=swhanessid><BSSID=00:0c:e6:9d:4f:be> | A mobile station’s assignment state is removed from AP::ESSID::BSSID. | A mobile station cannot proceed to the next stage, assignment. The most common cause is that a mobile station did not proceed to the 802.11 authentication or association stage within the Station Assignment Aging Time. |
| 00:16:6f:3b:17:a9 | IP Address Discovered | <Old IP discovery Method=none><Old IP=0.0.0.0><New IP discovery Method=dynamic><New IP=10.101.66.25> | A mobile station’s discovery method or IP address changes and the system accepts the new IP address. | The new IP field indicates an IP address being used by a station. |
| 00:16:6f:3b:17:a9 | IP Address Discovered | <IP = 10.101.64.100> fails due to one of local IPs | A mobile station is detected trying to use the controller’s IP address. | The system blocks IP traffic from the station using the IP address. |
| 00:16:6f:3b:17:a9 | IP Address Discovered | ip update not performed. <Client IP=10.101.64.1> is used by a wired station <00:0e:84:85:33:00> | A mobile station is detected trying to use the IP used by a wired station whose MAC address is shown. | The system blocks IP traffic from the station using the IP address. |
| Syslog Message | Description |
|---|---|
| AP DOWN CLEAR Access Point <ap-id> is up | Access Point ap-id was added to the WLAN. The coverage is extended. Action: None |
| AP DOWN CRITICAL Access Point <ap-id> is down | Access Point ap-id was removed from the WLAN. Expect loss of service in some areas. Action: If this event is unexpected, check the network connectivity between the access point and the controller. |
| AP rebooted by admin | Access Point has been manually rebooted. Action: None |
| AP Software Version Mismatch | The software version on the AP does not match that on the Controller. This message can be generated because the auto-AP upgrade feature is disabled. Action: To resolve this condition, the AP must be upgraded manually with the upgrade ap command to ensure continued functionality. |
| CAP <user>@<a.b.c.d> logged in <OK\|FAILED> | The specified Captive Portal user has logged in successfully (OK) or has been refused login (FAILED). |
| Controller rebooted by admin | Controller has been manually rebooted. |
| AP Boot Image Version Mismatch | The boot image version on the AP does not match that required for the version of the AP software. Action: The boot image must be upgraded using the upgrade ap command with the boot image option before attempting to upgrade the AP software version. |
| AP Initialization Failure | The AP failed to initialize properly. Action: Check that the AP network cables are properly connected. Check that the version of the AP boot image matches the version of the AP software, and that the AP software version matches the software version of the controller. If the AP still fails to initialize after these checks, contact Fortinet Customer Support. |
| AP Temperature | The AP temperature has exceeded the maximum threshold. |
| Hardware Diagnostic | The AP failed the hardware diagnostic checks. Action: Contact Fortinet Customer Support. |
| ROGUE AP DETECTED CLEAR STATION mac=<mac-address> bss=<bssid> ch=<channel-id> reported by AP <ap-id> | A station previously reported as rogue is no longer detected by any of the access points. |
| ROGUE AP DETECTED CRITICAL STATION mac=<mac-address> bss=<bssid> ch=<channel-id> reported by AP <ap-id> | A station using an unknown BSSID has been detected. Action: Check whether the bssid belongs to another valid WLAN. If not, you may decide to turn on the rogue AP mitigation feature. |
| Radio Card Failure | The AP radio card has failed. Contact Fortinet Customer Support. |
| WLAN services started on controller | FortiWLC (SD) processes have been started on the controller. |
| WLAN services stopped on controller | FortiWLC (SD) processes have been stopped. |
| WST:WS Serving… | Web server new event message. |
| WPW :<user>@<a.b.c.d> changed password <OK \| FAILED> | The specified FortiWLC (SD) user has either successfully changed their password (OK) or was unable to change the password (FAILED). |
MAC Filtering Station Log Events
Seven events are defined for MAC Filtering log events.

| Station | Category | Event | Condition That Triggers Event | Interpretation |
|---|---|---|---|---|
| 00:66:77:c2:03:01 | Mac Filtering | Mac in permit list – accept client | A station, 00:66:77:c2:03:01, is in the ACL Allow Access List, and Permit List Enabled is on. | A mobile station goes to the next stage, assignment. |
| 00:66:77:c2:04:01 | Mac Filtering | Mac not in permit list – reject client | A station, 00:66:77:c2:04:01, is not in the ACL Allow Access List, and Permit List Enabled is on. RADIUS authentication is disabled. | A mobile station cannot proceed to the next stage, assignment. |
| 00:66:77:c2:03:01 | Mac Filtering | Mac not in deny list – accept client | A station, 00:66:77:c2:03:01, is not in the ACL Deny Access List, and Deny List Enabled is on. RADIUS authentication is disabled. | A mobile station goes to the next stage, assignment. |
| 00:66:77:c2:04:01 | Mac Filtering | Mac in deny list – reject client | The station 00:66:77:c2:04:01 is in the ACL Deny Access List, and Deny List Enabled is on. RADIUS authentication is disabled. | A mobile station can’t proceed to the next stage, assignment. |
| 00:66:77:c2:03:01 | Mac Filtering | Sent RADIUS request | RADIUS authentication is enabled and a RADIUS authentication request message is sent. | A RADIUS request message is sent for an authentication. |
| 00:66:77:c2:02:01 | Mac Filtering | RADIUS authentication succeeded (vlan 0) | RADIUS authentication is enabled, and a RADIUS accept response message is received. | A mobile station goes to the next stage, assignment. |
| 00:66:77:c2:02:06 | Mac Filtering | RADIUS authentication failed | RADIUS authentication is enabled, and a RADIUS reject response message is received. | A mobile station cannot proceed to the next stage, assignment. |
Key Exchange Station Log Events
Key exchange is a security method in which cryptographic keys are exchanged between users. A station goes through this stage of connection when any of these are enabled: WPA, WPA2, WPA PSK, WPA2 PSK, MIXED or MIXED_PSK.

| Station | Category | Event | Condition That Triggers Event | Interpretation |
|---|---|---|---|---|
| 00:16:6f:3b:17:a9 | 1X Authentication | M1 <msg type=EAPOL_KEY> PTK sent | The system sends a first key exchange message. | This is common for WPA, WPA2, WPA PSK, WPA2 PSK, MIXED or MIXED_PSK. The system tries transmission up to 4 times and then, if it doesn’t receive an M2 message, aborts the key exchange transaction by sending an 802.11 deauth. |
|  |  | M2 <pkt type=EAPOL_KEY> MIC Verified | The system receives a key exchange message, M2, from a station, and the MIC is verified correctly. | This is common for WPA, WPA2, WPA PSK, WPA2 PSK, MIXED or MIXED_PSK. |
| 00:16:6f:3b:17:a9 | 1X Authentication | M3 <msg type=EAPOL_KEY> WPA PTK Negotiation sent | The system sends a third key exchange message for WPA or WPA-PSK modes. | The system tries transmission up to 4 times and then, if it doesn’t receive an M2 message, aborts the key exchange transaction by sending an 802.11 deauth. |
| 00:16:6f:3b:17:a9 | 1X Authentication | M4 <pkt type=EAPOL_KEY> <key type=Unicast Key> Key Pairwise | The system receives a fourth key exchange message from a station for WPA or WPA-PSK modes. | The system tries transmission up to 4 times and then, if it doesn’t receive an M2 message, aborts the key exchange transaction by sending an 802.11 deauth. |
| 00:16:6f:3b:17:a9 | 1X Authentication | M5 <msg type=EAPOL_KEY> WPA GTK Rekey Negotiation sent | The system sends a fifth key exchange message for WPA or WPA-PSK modes. |  |
| 00:16:6f:3b:17:a9 | 1X Authentication | M6 <pkt type=EAPOL_KEY> <key type=Group Key> | The system receives a sixth key exchange message from a station for WPA or WPA-PSK modes. | This is the last message of a key exchange for WPA or WPA-PSK. It indicates a successful key exchange. A station can proceed to the next stage. |
| 00:16:6f:3b:17:a9 | 1X Authentication | M3 <msg type=EAPOL_KEY> WPA2 PTK Negotiation sent | The system sends a third key exchange message for WPA2 or WPA2-PSK modes. | The system tries transmission up to 4 times and then, if it doesn’t receive an M2 message, aborts the key exchange transaction by sending an 802.11 deauth. |
| 00:16:6f:3b:17:a9 | 1X Authentication | M4 <pkt type=EAPOL_KEY> <key type=Unicast Key> Key Pairwise | The system receives a fourth key exchange message from a station for WPA2 or WPA2-PSK modes. | This is the last message of a key exchange for WPA2 or WPA2-PSK. It indicates a successful key exchange. A station can proceed to the next stage. |
| 00:16:6f:3b:17:a9 | 1X Authentication | Sending Station Disconnect, Reason : MIC Failure, Auth Type 802.1X | The message sent by a station results in a MIC failure. | For WPA-PSK or WPA2-PSK, the wrong passphrase or password leads to this failure. When the MIC failure occurs, the system sends an 802.11 deauth to the station. |
| 00:16:6f:3b:17:a9 | 1X Authentication | Sending Station Disconnect, Reason : 4-way Handshake Timeout, Auth Type 802.1X | The key exchange aborts due to no response from a client. | The system tries to transmit a key exchange message up to 6 times with one second intervals. If the station does not respond, it aborts the key exchange. |
Authentication Station Log Events

| Station | Category | Event | Condition That Triggers Event | Interpretation |
|---|---|---|---|---|
| 00:16:6f:3b:17:a9 | 802.11 State | state change <old=Unauthenticated><new=Authenticated><AP=00:0c:e6:04:fc:ad><BSSID=00:0c:e6:0a:ca:6e> | A station successfully completes the 802.11 authentication phase on AP::BSSID. |  |
| 00:16:6f:3b:17:a9 | 802.11 State | state change <old=Unauthenticated><new=Authenticated><AP=00:0c:e6:04:fc:ad><BSSID=00:0c:e6:0a:ca:6e> | A station successfully completes the 802.11 association phase on AP::BSSID. |  |
| 00:16:6f:3b:17:a9 | 802.11 State | state change <old=Associated><new=Unauthenticated><AP=00:0c:e6:04:fc:c0><BSSID=00:0c:e6:d8:84:14> | A station’s 802.11 state changes from Associated to Unauthenticated. | A state change from associated to unauthenticated can happen because: (1) the station ages out (the default aging out period is 30 minutes; the aging out period of 802.11 associated stations is different from the aging out period of assigned stations); (2) the station voluntarily leaves the currently associated BSSID by sending an 802.11 deauthentication frame; (3) the station moves from BSSIDOLD to BSSIDNEW, and the associated state on BSSIDOLD is automatically cleared up; (4) in a multi-controller environment, the station moves from ControllerOLD to ControllerNEW, the two controllers are in the same subnet, and the associated state of the station in ControllerOLD is automatically cleared up; (5) 1x/WPA/WPA2 authentication fails due to a RADIUS reject, a message timeout, or an unknown reason; (6) a key exchange fails due to timeout or MIC failure. |
| 00:16:6f:3b:17:a9 | 802.11 State | <AID=1> handoff <OLD_AP_ID=3><NEW_AP_ID=4><BSSID=00:0c:e6:30:47:17> | Station is handed off from one AP to another AP. | This event is generated only if a mobile station is associated to the ESS of a Virtual Cell or a Virtual Port. The abbreviations mean the following: AID: Association ID; OLD_AP_ID: AP servicing the station before the handoff; NEW_AP_ID: AP servicing the station after the handoff; BSSID: Parent BSSID in the Virtual Cell or Virtual Port. |
| 00:16:6f:3b:17:a9 | 802.11 State | Received Deauth frame from station <Deauth reason: authentication leave><deauth packet RSSI = 62><AID=3><BSSID=00:0c:e6:f9:01:01> | Station sends an 802.11 de-authentication frame. | Station decided to leave the ESS/BSS. This is only supported by AP400. |
| 00:16:6f:3b:17:a9 | 802.11 State | Received Disassoc frame from station <Disassoc reason: association leave><deauth packet RSSI = 57><AID=3><BSSID=00:0c:e6:f9:01:01> | Station sends an 802.11 dis-association frame. | Station decided to disassociate. This is only supported by AP400. |
1X/WPA/WPA2 Authentication Station Log Events

| Station | Category | Event | Condition That Triggers Event | Interpretation |
|---|---|---|---|---|
| 00:16:6f:3b:17:a9 | 1X Authentication | <auth method=WPA2_EAP>:<pkt type=EAPOL_START> recvd <ESSID=vcellwpa2> <BSSID=22:01:0f:3b:17:a9> | The system receives an EAPOL_START message from a station associated to an ESSID::BSSID pair. | There are two auth methods: WPA2_EAP or WPA_EAP. The standard states that this message is optional. |
| 00:16:6f:3b:17:a9 | 1X Authentication | <EAP code=request> <EAP ID=1> <EAP type=Identity> sent | The system sends an EAP Identity Request to the station. | The system tries this message up to four times with one second intervals. As authentication proceeds, the EAP ID increases by one. |
| 00:16:6f:3b:17:a9 | 1X Authentication | <pkt type=EAP_PACKET> <EAP code=response><EAP ID=1> | The system receives an EAP Response message from a station. | The EAP ID of the response must match the EAP ID of the request. |
| 00:16:6f:3b:17:a9 | 1X Authentication | RADIUS <msg code=access_request><msg ID=178> sent <ip=192.168.101.17>:<port=1812> | The system forwards a station’s request to the RADIUS Server IP::Port. | As authentication proceeds, the message ID increases by one. |
| 00:16:6f:3b:17:a9 | 1X Authentication | <pkt type=EAP_PACKET> <EAP code=request><EAP ID=2> <info=relay eap-request from RADIUS> sent | The system forwards a RADIUS Server’s request to a station. |  |
| 00:16:6f:3b:17:a9 | 1X Authentication | <pkt type=EAP_PACKET> <EAP code=success><EAP ID=13> <info=relay eap-request from RADIUS> sent | The system receives a RADIUS Accept message and sends an EAP SUCCESS message to a mobile. | This is the last message of an authentication. A key exchange stage immediately follows if WPA or WPA2 is used. |
| 00:16:6f:3b:17:a9 | 1X Authentication | Backend Authentication Timeout | A message forwarded to a RADIUS server has timed out. |  |
| 00:16:6f:3b:17:a9 | 1X Authentication | Sending EAP Failure to station, (identifier 1) | An EAP failure message is sent to a station. | Three cases trigger this event: a RADIUS message times out; an EAP message to a station times out; a RADIUS Server sends a reject message. |
| 00:16:6f:3b:17:a9 | 1X Authentication | RADIUS Access-Reject received | The system receives a RADIUS Reject message from a RADIUS server. |  |
| 00:16:6f:3b:17:a9 | 1X Authentication | Backend Authentication Failure | The system receives a RADIUS Reject message from a RADIUS server. |  |

DHCP Station Log Events

| Station | Category | Event | Condition That Triggers Event | Interpretation |
|---|---|---|---|---|
| 00:16:6f:3b:17:a9 | DHCP | <msg_type=DISCOVER><server_ip=255.255.255.255><server_mac=ff:ff:ff:ff:ff:ff><client_ip=0.0.0.0> | The system receives a DHCP message from a station. | The message displays a server’s IP and MAC, and a client’s IP. DHCP message types displayed are DISCOVER, REQUEST, or RELEASE. |
| 00:16:6f:3b:17:a9 | DHCP | <msg_type=OFFER><server_ip=10.101.64.1><server_mac=00:0e:84:85:33:00><offered_ip=10.101.66.25> | The system receives a DHCP message from a DHCP server. | The message displays a server’s IP and MAC, and a client’s offered IP. DHCP message types displayed are OFFER, ACK, NACK or INFORM. |
Captive Portal Station Log Event

| Station | Category | Event | Condition That Triggers Event | Interpretation |
|---|---|---|---|---|
| 00:16:6f:3b:17:a9 | CP User Authentication | <User=vijay> authenticated <ipaddr=10.101.66.25> | The system gets a RADIUS Accept message. | A user is authenticated successfully. |
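As an added example (not code from the FortiWLC documentation), the following Python parses station log lines in the mac|category|message shape used in the tables above, pulls out the <key=value> fields, and then runs a review pass that flags the events the tables mark as worth a defender's attention: repeated MIC failures during key exchange, a station trying to use the controller's IP or a wired station's IP, and a RADIUS Access-Reject. The sample lines, the second MAC address and the MIC-failure threshold are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the "mac|category|message" shape shown in the
# station log tables above. The values are made up for this example and are
# not a capture from a real controller.
SAMPLE_LOG = """\
00:16:6f:3b:17:a9|802.11 State|state change <old=Unauthenticated><new=Authenticated><AP=00:0c:e6:04:fc:ad><BSSID=00:0c:e6:0a:ca:6e>
00:16:6f:3b:17:a9|1X Authentication|M1 <msg type=EAPOL_KEY> PTK sent
00:16:6f:3b:17:a9|1X Authentication|Sending Station Disconnect, Reason : MIC Failure, Auth Type 802.1X
00:16:6f:3b:17:a9|1X Authentication|M1 <msg type=EAPOL_KEY> PTK sent
00:16:6f:3b:17:a9|1X Authentication|Sending Station Disconnect, Reason : MIC Failure, Auth Type 802.1X
00:16:6f:3b:17:a9|1X Authentication|Sending Station Disconnect, Reason : MIC Failure, Auth Type 802.1X
00:16:6f:3b:17:a9|IP Address Discovered|<IP = 10.101.64.100> fails due to one of local IPs
aa:bb:cc:dd:ee:01|IP Address Discovered|ip update not performed. <Client IP=10.101.64.1> is used by a wired station <00:0e:84:85:33:00>
aa:bb:cc:dd:ee:01|1X Authentication|RADIUS Access-Reject received
aa:bb:cc:dd:ee:01|DHCP|<msg_type=OFFER><server_ip=10.101.64.1><server_mac=00:0e:84:85:33:00><offered_ip=10.101.66.25>
"""

# One <key=value> field; tolerates spaces around "=" as in "<IP = 10.101.64.100>".
FIELD_RE = re.compile(r"<\s*([^<>=]+?)\s*=\s*([^<>]*?)\s*>")

def parse_line(line):
    """Split 'mac|category|message' and collect every <key=value> field."""
    mac, category, message = (p.strip() for p in line.split("|", 2))
    fields = {k: v for k, v in FIELD_RE.findall(message)}
    return {"mac": mac.lower(), "category": category, "message": message, "fields": fields}

def parse_log(text):
    """Parse all lines that have the three pipe-separated parts."""
    return [parse_line(l) for l in text.splitlines() if l.count("|") >= 2]

MIC_FAILURE_THRESHOLD = 3  # assumed tuning value for this example, not a product setting

def review(events):
    """Return per-station findings a defender would triage, keyed by MAC."""
    mic_failures = Counter()
    findings = defaultdict(list)
    for ev in events:
        mac, msg, f = ev["mac"], ev["message"], ev["fields"]
        if "MIC Failure" in msg:                      # wrong PSK or tampered EAPOL frame
            mic_failures[mac] += 1
        elif "fails due to one of local IPs" in msg:  # station claimed the controller's IP
            findings[mac].append(f"tried to use controller IP {f.get('IP')}")
        elif "ip update not performed" in msg:        # station claimed a wired host's IP
            findings[mac].append(f"tried to use wired station IP {f.get('Client IP')}")
        elif "Access-Reject" in msg:                  # RADIUS refused the 802.1X identity
            findings[mac].append("RADIUS rejected 802.1X authentication")
    for mac, n in mic_failures.items():
        if n >= MIC_FAILURE_THRESHOLD:
            findings[mac].append(f"{n} MIC failures (wrong PSK or tampered EAPOL frames)")
    return dict(findings)

if __name__ == "__main__":
    for mac, items in review(parse_log(SAMPLE_LOG)).items():
        print(mac, items)
```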
“station-log issues” command works but will not accept any of the arguments. 4200 controller running 8.4.1 software.