Yuri Slobodyanyuk Blog on Information Security 2024-09-12
Break free from the GUI dependency – checking Fortigate logs on the cli.

The article describes how, when the GUI cannot be used, to connect to the Fortigate over SSH and find the needed Event logs step by step: learning which log types are offered, filtering for the Event log, and setting the number of lines displayed.

🥇 First, the author needed to access the Fortigate logs, but the GUI was unusable because of a slow connection, so SSH was used instead. Running the show log and get log commands returned the firewall's logging configuration, not the Event logs that were needed.

🎉 Next, the author ran a series of commands to learn which log types can be shown. execute log filter dump clarified what each filter parameter does; execute log filter category listed all available log categories, from which the Event log was selected.

🎊 Then the author set how many lines are shown per call. execute log filter view-lines accepts at most 1000 lines per call. The Event logs were then displayed successfully, and some sample lines are shown.

💡 Finally, the article mentions how to reset the log filters to their defaults with execute log filter reset.

Fortinet are doing a lot to keep us away from the command line. And that’s ok in 95% of the cases. But sooner or later you come to meet the 5% of the bad and the ugly, when you have no access to the GUI at all. One late evening one of the clients asked if I could check something in their Fortigate.

To check something I needed access to the Fortigate logs. All good and well if it were not for the excruciatingly slow connection (in your case it may be blocked GUI management ports, out-of-band console access only, or high Fortigate CPU utilization) that made the GUI unusable. As I had not the slightest inclination to turn a late evening into an early morning, I SSH’d to the machine, ran the show log and get log commands … and got the firewall’s logging configuration settings. But where are the logs?

Here:

FGT# execute log display

Hurray! I got lots of lines scrolling on the terminal, only it was the traffic log and I wanted the Event log, and moreover it showed only the first 100 lines out of 3400 and I wanted it all. So let’s do it by steps.

Step 1 – know what is served

Run this first to see what you will be presented and what not:

FGT-ugly # execute log filter dump
category: traffic // each type of log is called a category, see Step 2
device: memory // where the logs are read from (memory here)
roll: 0 // which rolled (archived) log file to read
start-line: 1 // which line of the log to start displaying from
view-lines: 700 // how many lines to show per display

Step 2 – I want Event logs now !

FGT# execute log filter category // this way you can see all available log categories

Available categories:
0: traffic
1: event
2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-emailfilter
7: utm-anomaly
8: utm-voip
9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: utm-dns
16: utm-ssh
17: utm-ssl
19: utm-file-filter
20: utm-icap
22: utm-sctp-filter
23: forti-switch
24: utm-virtual-patch
25: utm-casb

FGT# execute log filter category 1 // show only the Event log

NOTE: Filtering is only about what is shown - no logs are hidden or deleted on the device. We are just filtering which logs are displayed in the current CLI session.

What is left is how many lines to show at once:

FGT# execute log filter view-lines <number 5 – 1000> // Aha, so we can see a maximum of 1000 lines per go. Not a problem actually, because every time you run execute log display the starting line is advanced for the next run by the number of lines shown.

To conclude it all, I enabled session logging in PuTTY, through which I was connected to the firewall, and ran:

FGT# execute log display

3011 logs found.  1000 logs returned.
1: 2010-07-13 19:10:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=4 msg="Performance statistics"
2: 2010-07-13 19:05:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=7 msg="Performance statistics"
3: 2010-07-13 19:01:28 log_id=0104032001 type=event subtype=admin vd=root pri=information user="admin" ui=https(21.14.127.14) action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from https(21.14.127.14)"
4: 2010-07-13 19:00:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=5 msg="Performance statistics"
5: 2010-07-13 18:55:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=8 msg="Performance statistics"
6: 2010-07-13 18:54:09 log_id=0104032003 type=event subtype=admin vd=root pri=information user="admin" ui=https(21.14.127.14) action=logout status=success reason=timeout msg="Administrator admin timed out on https

To reset the log filters back to the defaults: execute log filter reset.
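The key=value format in the output above is easy to work with once the session has been captured (for example through the PuTTY session log mentioned earlier). What follows is an added example, not code from the original post or from Fortinet: it parses a constructed sample of execute log display output modelled on the lines shown, pulls out the admin login and logout events an incident responder would check first, and works out how many lines are left to fetch based on the observation that start-line advances after each display. The sample records and all function names are this example's own; the fourth sample record (a failed SSH login) and its log_id are constructed for illustration, so check the FortiGate Log Message Reference for the real values.

```python
"""Parse captured `execute log display` output from a FortiGate CLI session.

Added example for this post; not code from the original article or from
Fortinet. SAMPLE_OUTPUT is constructed to mirror the event-log lines shown
in the post (FortiOS "key=value" records prefixed with "N: " and the
"X logs found.  Y logs returned." header). Function names are this
example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of what PuTTY session logging would capture after
#   execute log filter category 1        (event log only)
#   execute log filter view-lines 1000
#   execute log display
# Records 1-3 mirror the post; record 4 (failed SSH login) is made up and
# its log_id is illustrative only.
SAMPLE_OUTPUT = """3011 logs found.  1000 logs returned.
1: 2010-07-13 19:10:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=4 msg="Performance statistics"
2: 2010-07-13 19:01:28 log_id=0104032001 type=event subtype=admin vd=root pri=information user="admin" ui=https(21.14.127.14) action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from https(21.14.127.14)"
3: 2010-07-13 18:54:09 log_id=0104032003 type=event subtype=admin vd=root pri=information user="admin" ui=https(21.14.127.14) action=logout status=success reason=timeout msg="Administrator admin timed out on https(21.14.127.14)"
4: 2010-07-13 18:40:02 log_id=0104032002 type=event subtype=admin vd=root pri=warning user="admin" ui=ssh(203.0.113.7) action=login status=failed reason="name_invalid" msg="Administrator admin login failed from ssh(203.0.113.7) because of invalid user name"
"""

HEADER_RE = re.compile(r"(\d+) logs found\.\s+(\d+) logs returned\.")
RECORD_RE = re.compile(r"^(\d+):\s+(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})\s+(.*)$")
# A value is either a double-quoted string (may contain spaces, parentheses
# and escaped quotes) or a bare token such as https(21.14.127.14).
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_header(output: str) -> Optional[Tuple[int, int]]:
    """Return (logs_found, logs_returned) from the display header, if present."""
    m = HEADER_RE.search(output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_fields(body: str) -> Dict[str, str]:
    """Split a FortiOS key=value body into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(body):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def parse_records(output: str) -> List[Dict[str, str]]:
    """Parse every 'N: date time key=value ...' line; skip header and prompt lines."""
    records: List[Dict[str, str]] = []
    for line in output.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rec = {"seq": m.group(1), "date": m.group(2), "time": m.group(3)}
        rec.update(parse_fields(m.group(4)))
        records.append(rec)
    return records


def remaining(found: int, returned: int, start_line: int = 1) -> int:
    """Lines still unread after one `execute log display`.

    The post notes that the filter's start-line advances by the number of
    lines shown, so this tells you how many more display calls you need.
    """
    return max(0, found - (start_line - 1 + returned))


def admin_auth_events(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """The rows an incident responder wants first: admin logins and logouts."""
    keep = ("date", "time", "user", "ui", "action", "status", "reason")
    return [
        {k: r.get(k, "") for k in keep}
        for r in records
        if r.get("type") == "event"
        and r.get("subtype") == "admin"
        and r.get("action") in ("login", "logout")
    ]


if __name__ == "__main__":
    found, returned = parse_header(SAMPLE_OUTPUT)
    recs = parse_records(SAMPLE_OUTPUT)
    print(f"{found} found, {returned} returned in this page, "
          f"{remaining(found, returned)} left to fetch")
    for e in admin_auth_events(recs):
        print(f'{e["date"]} {e["time"]} {e["user"]} {e["action"]:6} '
              f'{e["status"]:7} from {e["ui"]} ({e["reason"]})')
```

Feed the script the whole PuTTY log file instead of SAMPLE_OUTPUT and it will skip the prompts and headers between display pages, so running execute log display repeatedly until remaining() hits zero and concatenating the captures is enough to get all 3011 lines off the box.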

Reference of all Fortigate log messages:
FortiGate_Log_Message_Reference

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.

Related tags

Fortigate, log viewing, SSH connection, Event log