Event Log – FortiAnalyzer – FortiOS 6.2.3

Event Log

The Event Log pane provides an audit log of actions made by users on FortiAnalyzer. It allows you to view log messages that are stored in memory or on the internal hard disk drive. You can use filters to search the messages and download the messages to the management computer.

See the FortiAnalyzer Log Message Reference, available from the Fortinet Document Library, for more information about the log messages.

Go to System Settings > Event Log to view the local log list.

The following options are available:

Add Filter   Filter the event log list based on the log level, user, sub type, or message. See Event log filtering below.
Last…   Select the amount of time to show from the available options, or select a custom time span or any time.
Column Settings Select which columns are enabled or disabled in the Event Log table.
Tools   Raw Log / Formatted Log: Click Raw Log to view the logs in their raw state. Click Formatted Log to view them formatted into a table.

Real-time Log / Historical Log Click to view the real-time or historical logs list.
Case Sensitive Search Enable or disable case sensitive searching.
Download Download the event logs in either CSV or the normal format to the management computer.
Pagination Browse the pages of logs and adjust the number of logs that are shown per page.

The following information is shown:

#   The log number.
Date/Time   The date and time that the log file was generated.
Device ID   The ID of the related device.
Sub Type   The log sub-type, one of:

  • System manager event
  • HA event
  • FG-FM protocol event
  • Firmware manager event
  • Device configuration event
  • FortiGuard service event
  • Global database event
  • FortiClient manager event
  • Script manager event
  • FortiMail manager event
  • Web portal event
  • Debug I/O log event
  • Firewall objects event
  • Configuration change event
  • Policy console event
  • Device manager event
  • VPN console event
  • Web service event
  • Endpoint manager event
  • FortiAnalyzer event
  • Revision history event
  • Log daemon event
  • Deployment manager event
  • FIPS-CC event
  • Real-time monitor event
  • Managed devices event
  • Log and report manager event

User   The user that the log message relates to.
Message   Log message details. A Session ID is added to each log message. The username of the administrator is added to log messages wherever applicable for better traceability.

Event log filtering

The event log can be filtered using the Add Filter box in the toolbar.

To filter the event log using the toolbar:

  1. Specify filters in the Add Filter box:
    • Regular Search: In the event log view, click in the Add Filter box, select a filter from the dropdown list, then type a value. Click NOT to negate the filter value. You can add multiple filters at a time, and connect them with an “or”.
    • Advanced Search: Click the Switch to Advanced Search icon at the right end of the Add Filter box to switch to advanced search mode. In this mode, you type in the whole search criteria (log field names and values). Click the Switch to Regular Search icon to return to regular search.
  2. Click Go to apply the filter.
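The Regular Search semantics described above (a filter per column, an optional NOT, several filters joined with "or", and the Case Sensitive Search toggle) applied offline to a downloaded event log, as an added example that is not part of the original guide. It assumes the CSV export carries the columns listed in the Event Log table, that the GUI filter is a substring match, and a constructed "Session ID nnnn:" message prefix; the real export layout and Session ID format may differ.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample export; column names follow the Event Log table on the page.
SAMPLE_CSV = """Date/Time,Device ID,Sub Type,User,Message
2020-03-01 09:00:01,FAZ-VM01,Configuration change event,admin,"Session ID 1001: changed setting"
2020-03-01 09:05:12,FAZ-VM01,Log daemon event,system,"Session ID 0: log rotation"
2020-03-01 09:07:40,FAZ-VM01,Configuration change event,auditor,"Session ID 1002: edit admin profile"
2020-03-01 09:09:03,FAZ-VM01,Web portal event,admin,"Session ID 1001: login succeeded"
"""

# Assumed message format for the constructed sample only.
SESSION_RE = re.compile(r"Session ID (\d+)")


@dataclass(frozen=True)
class Filter:
    field: str            # column chosen from the Add Filter dropdown, e.g. "User"
    value: str            # text typed into the filter box
    negate: bool = False  # the NOT toggle


def parse_event_log(text):
    """Read a CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def matches(row, flt, case_sensitive):
    """One filter against one row; substring match is an assumption."""
    hay, needle = row.get(flt.field, ""), flt.value
    if not case_sensitive:
        hay, needle = hay.lower(), needle.lower()
    hit = needle in hay
    return not hit if flt.negate else hit


def apply_filters(rows, filters, case_sensitive=False):
    """Regular Search: filters are OR-connected, each may be negated."""
    if not filters:
        return list(rows)
    return [r for r in rows if any(matches(r, f, case_sensitive) for f in filters)]


def sessions_by_user(rows):
    """Rebuild which Session IDs each account appeared in (audit traceability)."""
    out = {}
    for r in rows:
        m = SESSION_RE.search(r.get("Message", ""))
        if m:
            out.setdefault(r["User"], set()).add(m.group(1))
    return out
```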

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “Event Log – FortiAnalyzer – FortiOS 6.2.3”

  1. Kevin Cook

    If you’re like me, and always use ADVANCED filters, you can set the default mode to advanced with the commands:
    config sys global
    set default-search-mode advanced

