Log messages

Log messages are recorded by the FortiGate unit, giving you detailed information about the network activity. Each log message has a unique number that identifies it, and is made up of fields, often called log fields, which organize the information so that it can be easily extracted for reports.

These log fields form two groups. The first group, made up of the log fields that come first, is called the log header. The log header contains general information, such as the unique log identification and the date and time that indicate when the activity was recorded. The log body is the second group, and contains all the other information about the activity. No two log message bodies are alike; however, some fields are common to most log bodies, such as the srcintf or identidx log fields.

The log header also contains information about the log priority level which is indicated in the level field. The priority level indicates the immediacy and the possible repercussions of the logged action. For example, if the field contains ‘alert’, you need to take immediate action with regards to what occurred. There are six log priority levels.

The log severity level is the level at and above which the FortiGate unit records logs. The log severity level is defined by you when configuring the logging location. The FortiGate unit will log all messages at and above the priority level you select. For example, if you select Error, the unit will log only Error, Critical, Alert, and Emergency level messages.

Log priority levels

Level             Description
0 – Emergency     The system has become unstable.
1 – Alert         Immediate action is required.
2 – Critical      Functionality is affected.
3 – Error         An error condition exists and functionality could be affected.
4 – Warning       Functionality could be affected.
5 – Notification  Information about normal events.
6 – Information   General information about system operations.

The Debug priority level, not shown above, is rarely used. It is the lowest log priority level and usually contains some firmware status information that is useful when the FortiGate unit is not functioning properly.

Example log header fields

date=(20100803)       The year, month and day of when the event occurred, in yyyy-mm-dd format.
time=(12:55:06)       The hour, minute and second of when the event occurred, in hh:mm:ss format.
log_id=(2457752353)   A five- or ten-digit identification number. The number represents that log message and is unique to it; this ten-digit number helps to identify the log message.
type=(dlp)            The section of the system where the event occurred.
subtype=(dlp)         The subtype category of the log message.
level=(notice)        The priority level of the event. See the table above.
vd=(root)             The name of the virtual domain in which the action/event occurred. If no virtual domains exist, this field always contains root.

Example log body fields

policyid=(1)             The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx=(0)             The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid=(311)          The serial number of the firewall session in which the event happened.
srcip=(10.10.10.1)       The source IP address.
srcport=(1190)           The source port number.
srcintf=(internal)       The source interface name.
dstip=(192.168.1.122)    The destination IP address.
dstport=(80)             The destination port number.
dstintf=(wan1)           The destination interface name.
service=(https)          The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
status=(detected)        The action the FortiGate unit took.
hostname=(example.com)   The home page of the web site.
url=(/image/trees_pine_forest/)   The URL address of the web page that the user was viewing.
msg=(data leak detected (Data Leak Prevention Rule matched))   Explains the FortiGate activity that was recorded. In this example, the data leak that was detected matched the rule, All-HTTP, in the DLP sensor.
rulename=(AllHTTP)       The name of the DLP rule within the DLP sensor.
action=(logonly)         The action that was specified within the rule. In some rules within sensors, you can specify content archiving. If no action type is specified, this field displays log-only.
severity=(1)             The level of severity for that specific rule.

Logs from other devices, such as the FortiAnalyzer unit and Syslog server, contain a slightly different log header. For example, when viewing FortiGate log messages on the FortiAnalyzer unit, the log header contains the following log fields when viewed in the Raw format:

itime=1302788921 date=20110401 time=09:04:23 devname=FG50BH3G09601792 device_id=FG50BH3G09601792 log_id=0100022901 type=event subtype=system level=notice vd=root

The log body contains the rest of the information of the log message, and this information is unique to the log message itself.

For detailed information on all log messages, see the FortiGate Log Message Reference.

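As an added example (not from the Fortinet documentation), the following Python parser reads raw-format key=value lines like the ones shown above, separates the header fields named on this page from the log body, and applies the severity-threshold rule (a location configured for Error keeps Error and the more severe levels). The header fields in the sample lines follow the page's examples; the body fields and message texts are constructed for this example.

```python
import re

# Priority levels from the table above, 0 being the most severe. The raw
# "level" field carries lowercase names such as "notice" (Notification).
LEVELS = {"emergency": 0, "alert": 1, "critical": 2, "error": 3, "warning": 4,
          "notice": 5, "notification": 5, "information": 6, "debug": 7}

# Header fields named on this page (FortiGate and FortiAnalyzer raw views);
# every other field belongs to the log body.
HEADER_FIELDS = {"itime", "date", "time", "devname", "device_id", "log_id",
                 "logid", "type", "subtype", "level", "vd"}

# One key=value pair; the value is either double-quoted (may contain
# spaces) or a run of non-whitespace characters.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_raw_log(line: str) -> dict:
    """Split a raw-format log line into a field name -> value mapping."""
    fields = {}
    for key, value in _FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]          # strip the quotes around msg="..."
        fields[key] = value
    return fields

def split_header_body(fields: dict) -> tuple:
    """Separate the general log header from the message-specific log body."""
    header = {k: v for k, v in fields.items() if k in HEADER_FIELDS}
    body = {k: v for k, v in fields.items() if k not in HEADER_FIELDS}
    return header, body

def meets_severity(fields: dict, threshold: str) -> bool:
    """Documented rule: messages at and above the configured severity (a level
    number <= the threshold's) are recorded; lines without a known level are dropped."""
    level = fields.get("level", "").lower()
    return level in LEVELS and LEVELS[level] <= LEVELS[threshold.lower()]

def filter_by_severity(lines: list, threshold: str) -> list:
    """Parse each raw line and keep the ones that pass the severity threshold."""
    return [f for f in map(parse_raw_log, lines) if meets_severity(f, threshold)]

# Constructed sample lines: the header fields follow the examples on this
# page, while the body fields (msg, policyid, srcip, ...) are made up here.
SAMPLE_LINES = [
    'itime=1302788921 date=20110401 time=09:04:23 devname=FG50BH3G09601792 '
    'device_id=FG50BH3G09601792 log_id=0100022901 type=event subtype=system '
    'level=notice vd=root msg="constructed sample event"',
    'date=2010-01-25 time=17:25:54 logid=9300000000 type=webfilter '
    'subtype=urlfilter level=debug msg="found in cache"',
    'date=2010-08-03 time=12:55:06 log_id=2457752353 type=dlp subtype=dlp '
    'level=error vd=root policyid=1 srcip=10.10.10.1 dstip=192.168.1.122 '
    'dstport=80 msg="data leak detected (Data Leak Prevention Rule matched)"',
]
```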
Explanation of a debug log message

Debug log messages are only generated if the log severity level is set to Debug. The Debug severity level is the lowest log severity level and is rarely used. This severity level usually contains some firmware status information that is useful when the FortiGate unit is not functioning properly. Debug log messages are generated by all types of FortiGate features.

The following is an example of a debug log message:

date=2010-01-25 time=17:25:54 logid=9300000000 type=webfilter subtype=urlfilter level=debug msg="found in cache"

Example of a Debug log message

date=(20100125)        The year, month and day of when the event occurred, in the format yyyy-mm-dd.
time=(17:25:54)        The hour, minute and second of when the event occurred, in the format hh:mm:ss.
logid=(93000000000)    A ten-digit identification number. The number represents that log message and is unique to it; this ten-digit number helps to identify the log message.
type=(webfilter)       The section of the system where the event occurred. There are eleven log types in FortiOS 4.0.
subtype=(urlfilter)    The subtype of the log message. This represents a policy applied to the FortiGate feature in the firewall policy.
level=(debug)          The priority level of the event. There are six priority levels to specify.
msg=("found in cache") Explains the activity or event that the FortiGate unit recorded.

Viewing log messages and archives

Depending on the log device, you may be able to view logs within the web-based manager or CLI on the FortiGate unit. If you have configured a FortiAnalyzer unit, local hard disk, or system memory, you can view log messages from within the web-based manager or CLI. If you have configured either a Syslog or WebTrends server, you will not be able to view log messages from the web-based manager or CLI. There is also no support for viewing log messages stored on a FortiCloud server, from the FortiGate unit’s web-based manager or CLI.

You do not have to view log messages from only the web-based manager. You can view log messages from the CLI as well, using the execute log display command. This command allows you to see specific log messages that you already configured within the execute log filter command. The execute log filter command configures what log messages you will see, how many log messages you can view at one time (a maximum of 1000 lines of log messages), and the type of log messages you can view. For more information about viewing log messages in the CLI, see “Viewing logs from the CLI”.

There are two log viewing options in FortiOS: Format and Raw. The Raw format displays logs as they appear within the log file. You can view log messages in the Raw format using the CLI or a text editor, such as Notepad. Format is in a more human-readable format, and you can easily filter information when viewing log messages this way. The Format view is what you see when viewing logs in the web-based manager.

When you download the log messages from within the log message page (for example, Log & Report > Traffic Log > Forward Traffic), you are downloading log messages in the Raw format.

Viewing log messages in detail

From any log page, you can view detailed information about the log message in the log viewer table, located (by default) at the bottom of the page. Each page contains this log viewer table. The Log Viewer Table can contain the Archive tab, which allows you to see the archived version of the log message. The Archive tab only displays the archived log’s details if archiving is enabled and logs are being archived by the FortiGate unit, but archived logs will also be recorded when using a FortiAnalyzer unit or the FortiCloud service.

When you are viewing traffic log messages, some of the categories (such as ‘Application Name’) have entries that can be selected to open a dialog box containing FortiGuard information about the entry. From within the dialog box, you can select the Reference link and go directly to the corresponding FortiGuard page, which contains additional information.

Viewing logs in Raw format allows you to view all log fields at once, as well as have a log file available regardless of whether you are archiving logs or not. You download the log file by selecting Download Raw Log. The log file is named in the following format: <log_type><log_location><log_date/time>.<log_number>.log. For example, SystemEventLog-disk-2012-09-19T12_13_46.933949.log, which is an event log. The time period is the day and month of when the log was downloaded, not the time period of the log messages within the file itself.

Quarantine

Within the Log & Report menu, you can view detailed information about each quarantined file. The information can either be sorted or filtered, depending on what you want to view.

You must enable quarantine settings within an antivirus profile and the destination must be configured in the CLI using the config antivirus quarantine command. The destination can be either a FortiAnalyzer unit or local disk.

Sort the files by file name, date, service, status, duplicate count (DC), or time to live (TTL). Filter the list to view only quarantined files with a specific status or from a specific service.

On Log & Report > Security Log > Quarantine, the file quarantine list displays the following information about each quarantined file.

Quarantine page

Lists all files that are considered quarantined by the unit. On this page you can filter information so that only specific files are displayed on the page.

GUI Item             Description
Source               Either FortiAnalyzer or Local Disk, depending on where you configured quarantined files to be stored.
Sort by              Sort the list. Choose from: Status, Service, File Name, Date, TTL, or Duplicate Count. Select Apply to complete the sort.
Filter               Filter the list. Choose either Status (infected, blocked, or heuristics) or Service (IMAP, POP3, SMTP, FTP, HTTP, MM1, MM3, MM4, MM7, IM, or NNTP). Select Apply to complete the filtering. Heuristics mode is configurable through the CLI only. If your unit supports SSL content scanning and inspection, Service can also be IMAPS, POP3S, SMTPS, or HTTPS. For more information, see the Security Features chapter of the FortiOS Handbook.
Apply                Select to apply the sorting and filtering selections to the list of quarantined files.
Delete               Select to delete the selected files.
Page Controls        Use the controls to page through the list.
Remove All Entries   Removes all quarantined files from the local hard disk. This icon only appears when the files are quarantined to the hard disk.

File Name            The file name of the quarantined file. When a file is quarantined, all spaces are removed from the file name, and a 32-bit checksum is performed on the file. The checksum appears in the replacement message but not in the quarantined file. The file is stored on the FortiGate hard disk with the following naming convention:

                     <32bit_CRC>.<processed_filename>

                     For example, a file named Over Size.exe is stored as 3fc155d2.oversize.exe.

Date                 The date and time the file was quarantined, in the format dd/mm/yyyy hh:mm. If duplicates are quarantined, this value indicates the time that the first file was quarantined.
Service              The service from which the file was quarantined (HTTP, FTP, IMAP, POP3, SMTP, MM1, MM3, MM4, MM7, IM, NNTP, IMAPS, POP3S, SMTPS, or HTTPS).
Status               The reason the file was quarantined: infected, heuristics, or blocked.
Status Description   Specific information related to the status, for example, "File is infected with 'W32/Klez.h'" or "File was stopped by file block pattern."
DC                   Duplicate count. A count of how many duplicates of the same file were quarantined. A rapidly increasing number can indicate a virus outbreak.
TTL                  Time to live in the format hh:mm. When the TTL elapses, the FortiGate unit labels the file as EXP under the TTL heading. In the case of duplicate files, each duplicate found refreshes the TTL. The TTL information is not available if the files are quarantined on a FortiAnalyzer unit.
Upload status        Y indicates the file has been uploaded to Fortinet for analysis; N indicates the file has not been uploaded. This option is available only if the FortiGate unit has a local hard disk.
Download             Select to download the corresponding file in its original format. This option is available only if the FortiGate unit has a local hard disk.
Submit               Select to upload a suspicious file to Fortinet for analysis. This option is available only if the FortiGate unit has a local hard disk.


Customizing the display of log messages on the web-based manager

Customizing log messages on the web-based manager allows you to remove or add columns from the page and filter the information that appears. For example, you can view only log messages that appeared on December 4, between the hours of 8:00 and 8:30 am.

1. Select the submenu in Log & Report in which you want to customize the display of log messages, such as Log & Report > Traffic Log > Forward Traffic.

2. Right click on the title bar at the top of any column, and uncheck a column title such as Date/Time to remove it from the interface. Check other columns to add them to the interface. When you are finished, click outside the menu and the page will refresh with the new column settings in place.

3. Choose a column you’d like to filter, and select the funnel icon next to the title of the column. For example, select the funnel in the Src (Source) column. In the text field, enter the source IP address 1.1.1.1 and then select the check box beside NOT.

This filters out all log messages that have the 1.1.1.1 source IP address in the source IP log field, such as the ones generated when running log tests in the CLI.

4. Select OK to save the customized settings, and then view the log messages on the page.

Log messages that originate from the 1.1.1.1 source address will no longer appear in the list.

How to download log messages and view them on a computer

After recording some activity, you can download log messages to view them on a computer. This can be very useful when you are in a remote location, when you want to view log messages at your convenience, or when you want to view packet logs or traffic logs.

1. In Log & Report, select the submenu that you want to download log messages from.

For example, Log & Report > Traffic Log > Forward Traffic.

2. Select the Download Raw Log option and save the log file to your computer.

The log file will be downloaded like any other file. Log file names contain their log type and date in the name, so it is recommended to create a folder in which to archive your log messages, as they can be sorted easily.

3. Open a text editor such as Notepad, open the log file, and then scroll to view all the log messages.

You can easily search or scroll through the logs to see the information that is available.