Let’s take some time to discuss how to filter and view logs from the FortiGate CLI. I find dealing with logs in the CLI useful if you are on a lower-end model FortiGate or don’t have a FortiAnalyzer.
Note: Depending on your FortiGate model, you might not have local hard drive storage, so all of your logs are in memory. This usually includes the FortiGate 70D and anything below it, but the newer 51E and 61E do have storage options. An easy way to tell whether your model has a disk (besides reading the datasheet) is to run “diag sys logdisk” from the CLI; if the command isn’t there, the unit has no disk. More on this below.
Types of Logs
In a FortiGate policy, there are three options for logging (the list below is from FortiOS 5.4/5.6):
– logging all events (“ALL”)
– logging security events only (“UTM”)
– no logging (“DISABLE”)
Policy Logging options in FortiOS 5.6
There seems to be confusion, well there was for me, about what the 3 options actually do. “Disable” or “No Logging” is obvious, but logging “All” vs logging “Security Events” (or “UTM” in 5.4/5.6) would sometimes generate duplicate logs. My 60E doesn’t have a hard drive, so logging to memory leaves little room. To save space, I didn’t want duplicate logs. In FortiOS, if a security profile like Web Filter or Application Control allows a packet and the profile action is set to “MONITOR”, a security log with type=“utm” and action=“passthrough” is written for that session as well as the traffic log, which is where the duplicates come from.
Since I’m always rooting for the little guy, I want to point out something that frustrated me for a while. If you have a lower-end model and try to view logs in the CLI or GUI out of the box, most of the time the output will be blank. Your policies have logging enabled and logging is enabled globally, but still no logs show up, so what the heck? First verify that logging to memory is enabled:
FGT60E # sho log memory setting
config log memory setting
set status enable
end
By default, these disk-less FortiGates have the memory log filter severity set to “warning”, so only logs at warning level or above are kept. Ordinary traffic logs are level=“notice” (see the samples further down), so they are silently dropped.
FGT60E # config log memory filter
FGT60E (filter) # get
severity : warning
forward-traffic : enable
local-traffic : disable
multicast-traffic : enable
sniffer-traffic : enable
anomaly : enable
voip : enable
dns : enable
filter-type : include
Change this to “information” (the CLI keyword for the informational level) and you should see your logs start pouring in.
FGT60E # config log memory filter
FGT60E (filter) # set severity information
FGT60E (filter) # end
Top Level Options
Now let’s get into displaying the logs. Running ‘# execute log ?’ will list the options for viewing logs directly on the FortiGate. As you can see, you have the option of backing up logs (per the help text, to the local storage device; 5.2 code may be different). You can also delete logs, list the compressed log files, roll the current files into said compressed files, and display logs, which we will discuss in detail here. Here is the complete list:
FGT90DLAB # execute log
backup Backup logs and report databases to local storage device.
delete Delete local logs of one category.
delete-all Delete all local logs.
detail Display utm log entries for a particular traffic log.
display Display filtered log entries.
flush-cache Write disk log cache of current category to disk in compressed format.
flush-cache-all Write disk log cache of all categories to disk in compressed format.
list List current and rolled log files info.
roll Roll log files now.
Most of these options are quite self-explanatory. The “backup” option is only available if you have a hard drive.
If you run ‘# execute log display’ without any filter set, you will get the last 10 logs (each subsequent press of Enter displays the next 10). To change the number of logs per screen, use this command:
FGT60E # execute log filter view-lines (5 - 1000)
Examining a traffic log shows all of the “fields” that can be filtered on (also handy for FortiAnalyzers and FortiManagers, where you can build SQL queries on these fields). Here is an example of a log to cnet.com:
1: date=2017-10-28 time=07:24:33 logid="0000000013" type="traffic" subtype="forward"
level="notice" vd="root" logtime=1509189873 srcip=172.17.211.101 srcport=58959
srcintf="Wifi_172_17_211" srcintfrole="lan" dstip=22.214.171.124 dstport=80
dstintf="wan1" dstintfrole="wan" poluuid="fdb5c4b6-b852-51e7-7fd0-5dab0b77a5c3"
sessionid=993490 proto=6 action="close" policyid=6 policytype="policy" service="HTTP"
dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=x.x.x.x
transport=58959 duration=89 sentbyte=346 rcvdbyte=132 sentpkt=5 rcvdpkt=3 appcat="unscanned"
devtype="Windows PC" mastersrcmac="4c:bb:58:9c:ac:9b" srcmac="4c:bb:58:9c:ac:9b" srcserver=0
Filtering is where you can pull the relevant data from the logs instead of sorting through screen after screen. Here are some examples:
To view traffic with a destination IP address of 184.108.40.206 (the filter value must match the dstip field of the log it returns):
FGT60E # execute log filter field dstip 184.108.40.206
FGT60E # execute log display
1 logs found.
1 logs returned.
1: date=2017-10-28 time=07:38:36 logid="0000000013" type="traffic"
subtype="forward" level="notice" vd="root" logtime=1509190716
srcip=172.17.211.109 srcport=45253 srcintf="Wifi_172_17_211"
srcintfrole="lan" dstip=184.108.40.206 dstport=443 dstintf="wan1"
sessionid=996464 proto=6 action="close" policyid=1 policytype="policy"
service="HTTPS" dstcountry="United States" srccountry="Reserved"
trandisp="snat" transip=x.x.x.x transport=45253 duration=67
sentbyte=2758 rcvdbyte=6754 sentpkt=15 rcvdpkt=14 appcat="unscanned"
wanin=6018 wanout=1970 lanin=1970 lanout=1970 devtype="Media Streaming"
osname="Smart TV" osversion="Linux" mastersrcmac="5c:a3:9d:31:3d:fa"
To filter on any of the fields above, use the format:
“execute log filter field <fieldname> <value1> [value2] [value3]”
Here are some examples:
To only view traffic with the destination interface of wan1:
FGT60E # execute log filter field dstintf wan1
To only view traffic hitting a certain policy (one of my favorites):
FGT60E # execute log filter field policyid 1
To only view traffic from hosts identified as Linux (the osversion field):
FGT60E # execute log filter field osversion Linux
You can also give a single field several values; a log matches if its value equals any of them:
FGT60E # execute log filter field srcip 172.17.211.102 172.17.211.104
Verify the current filter settings with:
FGT60E # execute log filter dump
field: srcip:[ 172.17.211.102, 172.17.211.104, ] negate: 0, exact: 0
field: vd:[ root, ] negate: 0, exact: 1
You can always clear your filter by resetting the filter:
FGT60E # execute log filter reset
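As an added worked example (not code from this page or from Fortinet), here is a small Python model of the two behaviours described above: the memory-log severity threshold that hides notice-level traffic logs until it is lowered to “information”, and “execute log filter field” with several values plus the negate/exact flags that “execute log filter dump” prints. It runs over the two traffic records shown on this page. The syslog ordering of severity names, OR within a field and AND across fields, and reading exact=0 as a substring match and negate=1 as inverting the match are assumptions about FortiOS, not something the page states.

```python
"""
Added worked example (not FortiOS code): an offline model of the two filters
this page walks through, run over the page's own sample records.

  1. the memory-log severity threshold (config log memory filter / set severity)
  2. execute log filter field <name> <value> [value ...], with the negate/exact
     flags that `execute log filter dump` prints

Assumptions, not taken from the page: severity names compare in syslog order;
several values on one field are ORed; filters on different fields are ANDed;
exact=0 means substring match; negate=1 inverts the match.
"""
import re
from typing import Dict, List, Tuple

# One key=value token. Quoted values may contain spaces (devtype="Windows PC").
_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Most severe first. "set severity warning" keeps warning and everything above
# it, so traffic records (level="notice") are dropped. Assumed syslog ordering.
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notice", "information", "debug"]

# The two traffic records shown on this page, wrapped lines joined and a few
# fields omitted for brevity; transip is left as the page prints it.
SAMPLE_LOGS = [
    'date=2017-10-28 time=07:24:33 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="root" logtime=1509189873 srcip=172.17.211.101 srcport=58959 '
    'srcintf="Wifi_172_17_211" srcintfrole="lan" dstip=22.214.171.124 dstport=80 '
    'dstintf="wan1" dstintfrole="wan" sessionid=993490 proto=6 action="close" policyid=6 '
    'policytype="policy" service="HTTP" trandisp="snat" transip=x.x.x.x '
    'devtype="Windows PC" srcmac="4c:bb:58:9c:ac:9b"',
    'date=2017-10-28 time=07:38:36 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="root" logtime=1509190716 srcip=172.17.211.109 srcport=45253 '
    'srcintf="Wifi_172_17_211" srcintfrole="lan" dstip=184.108.40.206 dstport=443 '
    'dstintf="wan1" sessionid=996464 proto=6 action="close" policyid=1 policytype="policy" '
    'service="HTTPS" trandisp="snat" transip=x.x.x.x '
    'devtype="Media Streaming" osname="Smart TV" osversion="Linux"',
]


def parse_log(line: str) -> Dict[str, str]:
    """Split one FortiGate log record into a field -> value mapping."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _TOKEN.finditer(line)}


def passes_severity(log: Dict[str, str], threshold: str) -> bool:
    """True when the record's level is at least as severe as the threshold."""
    return SEVERITY.index(log["level"]) <= SEVERITY.index(threshold)


class LogFilter:
    """Model of `execute log filter field ...`, `dump` and `reset`."""

    def __init__(self) -> None:
        # name -> (values, negate, exact): the three things `dump` prints per field
        self.fields: Dict[str, Tuple[List[str], bool, bool]] = {}

    def field(self, name: str, *values: str,
              negate: bool = False, exact: bool = False) -> "LogFilter":
        # exact defaults to False because the page's dump shows exact: 0 for srcip
        self.fields[name] = (list(values), negate, exact)
        return self

    def reset(self) -> None:
        self.fields.clear()

    def dump(self) -> List[str]:
        """Same shape as the `execute log filter dump` lines on this page."""
        return [f"field: {n}:[ {', '.join(v)}, ] negate: {int(ng)}, exact: {int(ex)}"
                for n, (v, ng, ex) in self.fields.items()]

    def matches(self, log: Dict[str, str]) -> bool:
        for name, (values, negate, exact) in self.fields.items():
            actual = log.get(name, "")
            hit = any(actual == v if exact else v in actual for v in values)
            if hit == negate:  # negate flips the sense of the match
                return False
        return True


def display(lines: List[str], flt: LogFilter,
            severity: str = "warning") -> List[Dict[str, str]]:
    """`execute log display`: severity threshold first, then the field filter."""
    records = [parse_log(line) for line in lines]
    return [r for r in records if passes_severity(r, severity) and flt.matches(r)]


if __name__ == "__main__":
    # Out of the box (severity warning) the notice-level traffic records vanish.
    print(len(display(SAMPLE_LOGS, LogFilter())))                 # 0
    print(len(display(SAMPLE_LOGS, LogFilter(), "information")))  # 2
    flt = LogFilter().field("srcip", "172.17.211.102", "172.17.211.104")
    print(*flt.dump(), sep="\n")
    by_policy = display(SAMPLE_LOGS, LogFilter().field("policyid", "1"), "information")
    print([r["sessionid"] for r in by_policy])                    # ['996464']
```

The first two prints are the whole story of the blank log view: with the default threshold nothing comes back even with no field filter, and lowering it to “information” is what makes the same records appear. The substring default for exact means a value like 172.17.211.10 would match both sample hosts; pass exact=True when you want a strict equality, as the dump shows for the vd field.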
The above examples displayed logs from the “traffic” category. To search other categories, such as “event” logs or traffic blocked by the web filter, use “execute log filter category <n>”, for example “execute log filter category 3”. If you don’t want to remember the numbers, type “execute log filter category” with no argument and hit Enter to list them.
FGT60E # execute log filter category
So, to view traffic blocked by the web filter as in my example above, set the category and then the action filter before running execute log display:
FGT60E # execute log filter category 3
FGT60E # execute log filter field action block
FortiGates also give you an option for looking at the details of UTM logs, but I didn’t find any difference between a normal log display command and the detail command (which requires the session ID):
FGT60E # execute log detail 3 812020
There you have it, your intro to FortiGate CLI logs. I hope this was helpful. If you have any questions or want to know more, let me know in the comments.