Explanation of a debug log message – FortiOS 6

Explanation of a debug log message

Debug log messages are only generated if the log severity level is set to Debug. The Debug severity level is the lowest log severity level and is rarely used. This severity level usually contains some firmware status information that is useful when the FortiGate unit is not functioning properly. Debug log messages are generated by all types of FortiGate features.

The following is an example of a debug log message:

date=2010-01-25 time=17:25:54 logid=9300000000 type=webfilter subtype=urlfilter level=debug msg=“found in cache”

Example of a Debug log message

Debug log  
date=(2010-01-25) The year, month and day of when the event occurred in the format yyyy-mm-dd.
time=(17:25:54) The hour, minute and second of when the event occurred in the format hh:mm:ss.
logid=(9300000000) A ten-digit unique identification number. The number represents that log message and is unique to that log message. This ten-digit number helps to identify the log message.
type=(webfilter) The section of the system where the event occurred. There are eleven log types in FortiOS 4.0.
subtype=(urlfilter) The subtype of the log message. This represents a policy applied to the FortiGate feature in the firewall policy.
level=(debug) The priority level of the event. There are six priority levels to specify.
msg=(“found in cache”) Explains the activity or event that the FortiGate unit recorded.

Viewing log messages and archives

Depending on the log device, you may be able to view logs within the web-based manager or CLI on the FortiGate unit. If you have configured a FortiAnalyzer unit, local hard disk, or system memory, you can view log messages from within the web-based manager or CLI. If you have configured either a Syslog or WebTrends server, you will not be able to view log messages from the web-based manager or CLI. There is also no support for viewing log messages stored on a FortiCloud server, from the FortiGate unit’s web-based manager or CLI.

You do not have to view log messages from only the web-based manager. You can view log messages from the CLI as well, using the execute log display command. This command allows you to see specific log messages that you already configured within the execute log filter command. The execute log filter command configures what log messages you will see, how many log messages you can view at one time (a maximum of 1000 lines of log messages), and the type of log messages you can view. For more information about viewing log messages in the CLI, see “Viewing logs from the CLI”.

There are two log viewing options in FortiOS: Format and Raw. The Raw format displays logs as they appear within the log file. You can view log messages in the Raw format using the CLI or a text editor, such as Notepad. The Format view is more human-readable, and you can easily filter information when viewing log messages this way. The Format view is what you see when viewing logs in the web-based manager.

When you download the log messages from within the log message page (for example, Log & Report > Forward Traffic), you are downloading log messages in the Raw format.

Viewing log messages in detail

From any log page, you can view detailed information about the log message in the log viewer table, located (by default) at the bottom of the page. Each page contains this log viewer table. The Log Viewer Table can contain the Archive tab, which allows you to see the archived version of the log message. The Archive tab only displays the archived log’s details if archiving is enabled and logs are being archived by the FortiGate unit, but archived logs will also be recorded when using a FortiAnalyzer unit or the FortiCloud service.

When you are viewing traffic log messages, some of the categories (such as ‘Application Name’) have entries that can be selected to open a dialog box containing FortiGuard information about the entry. From within the dialog box, you can select the Reference link and go directly to the corresponding FortiGuard page, which contains additional information.

Viewing logs in Raw format allows you to view all log fields at once, as well as have a log file available regardless of whether you are archiving logs or not. You download the log file by selecting Download Log. The log file is named in the following format: <log_type><log_location><log_date/time>.<log_number>.log. For example, SystemEventLog-disk-2012-09-19T12_13_46.933949.log, which is an event log. The time period is the day and month of when the log was downloaded, not the time period of the log messages within the file itself.

Quarantine

Within the Log & Report menu, you can view detailed information about each quarantined file. The information can either be sorted or filtered, depending on what you want to view.

You must enable quarantine settings within an antivirus profile and the destination must be configured in the CLI using the config antivirus quarantine command. The destination can be either a FortiAnalyzer unit or local disk.

Sort the files by file name, date, service, status, duplicate count (DC), or time to live (TTL). Filter the list to view only quarantined files with a specific status or from a specific service.

The file quarantine list displays the following information about each quarantined file.

Quarantine page

Lists all files that are considered quarantined by the unit. On this page you can filter information so that only specific files are displayed on the page.

GUI Item   Description
Source   Either FortiAnalyzer or Local Disk, depending on where you configure quarantined files to be stored.
Sort by   Sort the list. Choose from: Status, Service, File Name, Date, TTL, or Duplicate Count. Select Apply to complete the sort.
Filter   Filter the list. Choose either Status (infected, blocked, or heuristics) or Service (IMAP, POP3, SMTP, FTP, HTTP, MM1, MM3, MM4, MM7, IM, or NNTP). Select Apply to complete the filtering. Heuristics mode is configurable through the CLI only. If your unit supports SSL content scanning and inspection, Service can also be IMAPS, POP3S, SMTPS, or HTTPS. For more information, see the Security Features chapter of the FortiOS Handbook.
Apply   Select to apply the sorting and filtering selections to the list of quarantined files.
Delete   Select to delete the selected files.
Page Controls   Use the controls to page through the list.
Remove All Entries   Removes all quarantined files from the local hard disk. This icon only appears when the files are quarantined to the hard disk.
File Name   The file name of the quarantined file. When a file is quarantined, all spaces are removed from the file name, and a 32-bit checksum is performed on the file. The checksum appears in the replacement message but not in the quarantined file. The file is stored on the FortiGate hard disk with the following naming convention: <32bit_CRC>.<processed_filename>. For example, a file named Over Size.exe is stored as 3fc155d2.oversize.exe.
Date   The date and time the file was quarantined, in the format dd/mm/yyyy hh:mm. This value indicates the time that the first file was quarantined if duplicates are quarantined.
Service   The service from which the file was quarantined (HTTP, FTP, IMAP, POP3, SMTP, MM1, MM3, MM4, MM7, IM, NNTP, IMAPS, POP3S, SMTPS, or HTTPS).
Status   The reason the file was quarantined: infected, heuristics, or blocked.
Status Description   Specific information related to the status, for example, “File is infected with “W32/Klez.h”” or “File was stopped by file block pattern.”
DC   Duplicate count. A count of how many duplicates of the same file were quarantined. A rapidly increasing number can indicate a virus outbreak.
TTL   Time to live in the format hh:mm. When the TTL elapses, the FortiGate unit labels the file as EXP under the TTL heading. In the case of duplicate files, each duplicate found refreshes the TTL. The TTL information is not available if the files are quarantined on a FortiAnalyzer unit.
Upload status   Y indicates the file has been uploaded to Fortinet for analysis, N indicates the file has not been uploaded. This option is available only if the FortiGate unit has a local hard disk.
Download   Select to download the corresponding file in its original format. This option is available only if the FortiGate unit has a local hard disk.
Submit   Select to upload a suspicious file to Fortinet for analysis. This option is available only if the FortiGate unit has a local hard disk.

Customizing the display of log messages on the web-based manager

Customizing log messages on the web-based manager allows you to remove or add columns from the page and filter the information that appears. For example, you can view only log messages that appeared on December 4, between the hours of 8:00 and 8:30 am.

  1. Select the submenu in Log & Report in which you want to customize the display of log messages, such as Log & Report > Forward Traffic.
  2. Right click on the title bar at the top of any column, and uncheck a column title such as Date/Time to remove it from the interface. Check other columns to add them to the interface. When you are finished, click outside the menu and the page will refresh with the new column settings in place.
  3. Choose a column you’d like to filter, and select the funnel icon next to the title of the column. For example, select the funnel in the Src (Source) column. In the text field, enter the source IP address 1.1.1.1 and then select the check box beside NOT.

This filters out all log messages that have the 1.1.1.1 source IP address in the source IP log field, such as the ones generated when running log tests in the CLI.

  4. Select OK to save the customized settings, and then view the log messages on the page.

Log messages that originate from the 1.1.1.1 source address will no longer appear in the list.

How to download log messages and view them from a computer

After recording some activity, you can download log messages to view them from a computer. This can be very useful when in a remote location, or if you want to view log messages at your convenience, or to view packet logs or traffic logs.

  1. In Log & Report, select the submenu that you want to download log messages from.

For example, Log & Report > Forward Traffic.

 

  2. Select the Download Log option and save the log file to your computer.

The log file will be downloaded like any other file. Log file names contain their log type and date in the name, so it is recommended to create a folder in which to archive your log messages, as they can be sorted easily.

  3. Open a text editor such as Notepad, open the log file, and then scroll to view all the log messages. You can easily search or scroll through the logs to see the information that is available.
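
As an alternative to scrolling through a downloaded Raw-format file in a text editor, the following added example (not part of the FortiOS documentation) parses the field=value layout described under "Explanation of a debug log message" and applies the same NOT 1.1.1.1 source filter used in the web-based manager procedure above. The srcip field name, the function names and all sample lines except the first are assumptions made for this example.

```python
import re
from datetime import datetime

# A value is quoted (straight or typographic quotes, may contain spaces)
# or a bare run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|“([^”]*)”|(\S*))')

def parse_log_line(line):
    """Parse one Raw-format log line into a dict of field name -> value."""
    fields = {}
    for key, straight, curly, bare in FIELD_RE.findall(line):
        fields[key] = straight or curly or bare
    # Merge date= and time= into one sortable timestamp.
    if "date" in fields and "time" in fields:
        fields["timestamp"] = datetime.strptime(
            fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields

def filter_logs(lines, level=None, not_srcip=None):
    """Return parsed records, optionally keeping one severity level and
    dropping a source address (the NOT filter on the Src column)."""
    kept = []
    for line in lines:
        rec = parse_log_line(line.strip())
        if not rec:
            continue  # blank or non-log line
        if level is not None and rec.get("level") != level:
            continue
        # "srcip" is an assumed field name; the page does not name it.
        if not_srcip is not None and rec.get("srcip") == not_srcip:
            continue
        kept.append(rec)
    return kept

# First line is the page's example; the other two are constructed samples
# (placeholder logid, documentation-range addresses).
SAMPLE = [
    'date=2010-01-25 time=17:25:54 logid=9300000000 type=webfilter '
    'subtype=urlfilter level=debug msg=“found in cache”',
    'date=2010-01-25 time=17:26:02 logid=0000000000 type=traffic '
    'subtype=forward level=notice srcip=1.1.1.1 dstip=192.0.2.10 msg="log test"',
    'date=2010-01-25 time=17:26:10 logid=0000000000 type=traffic '
    'subtype=forward level=notice srcip=198.51.100.5 dstip=192.0.2.10 msg="closed"',
]

if __name__ == "__main__":
    for rec in filter_logs(SAMPLE, not_srcip="1.1.1.1"):
        print(rec["timestamp"], rec["type"], rec["level"], rec["msg"])
```

To run it against a downloaded file, pass the open file object to filter_logs in place of SAMPLE.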

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
