Technical Tip: Displaying logs via FortiGate's CLI (2024)

Description

A FortiGate can display logs both in the GUI and via the CLI. This article explains how to display logs through the CLI.

Scope

FortiGate.


Solution

To display log records, use the command:

#execute log display

It is better to first define a filter that selects only the logs needed, so that the command above returns just those.

The filter options set the log type, the number of results and the point in the collected logs from which display starts.

First steps might be to check the current filter settings, or to reset/clear them:

#execute log filter reset
#execute log filter dump <--- to show settings, example output below
category: traffic
device: disk
start-line: 1
view-lines: 10
max-checklines: 0
HA member:
log search mode: on-demand
pre-fetch-pages: 2
Oftp search string:

The next step is to set the source of the logs:

#execute log filter device

Since FortiOS 6.2 the available devices form the following extended set (the same for FortiOS 6.2, 6.4 and 7.0):

Example output (can be different if disk logging is available):
Available devices:

0: memory
1: disk
2: fortianalyzer
3: fortianalyzer-cloud <--- added with FortiAnalyzer-cloud introduction
4: forticloud <--- moved one position down

Until FortiOS 6.2 the listing was:

Example output (can be different if disk logging is available):
Available devices:

0: memory
1: disk
2: fortianalyzer
3: forticloud

#execute log filter device 0 <--- this will display logs from memory

The next step is to choose the category of logs to display:

#execute log filter category

Available categories in FortiOS 7.0:

.. are the same as in FortiOS 6.2 (listed below), but add the following new categories:
20: utm-icap
22: utm-sctp-filter
.. the complete listing is:
0: traffic
1: event
2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-emailfilter
7: utm-anomaly
8: utm-voip
9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: utm-dns
16: utm-ssh
17: utm-ssl
19: utm-file-filter
20: utm-icap
22: utm-sctp-filter

Available categories in FortiOS 6.4:

.. are the same as in FortiOS 6.2 (listed below), but add the following new category:
20: utm-icap
.. the complete listing is:
0: traffic
1: event
2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-emailfilter
7: utm-anomaly
8: utm-voip
9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: utm-dns
16: utm-ssh
17: utm-ssl
18: utm-cifs
19: utm-file-filter
20: utm-icap

Available categories in FortiOS 6.2:

0: traffic
1: event
2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-emailfilter
7: utm-anomaly
8: utm-voip
9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: utm-dns
16: utm-ssh
17: utm-ssl
18: utm-cifs
19: utm-file-filter

Available categories in FortiOS 6.0:

0: traffic
1: event
2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-emailfilter
7: utm-anomaly
8: utm-voip
9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: dns
16: utm-ssh

Available categories in FortiOS 5.6:

0: traffic
1: event
2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-emailfilter
7: anomaly
8: voip
9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: dns

Available categories in FortiOS 5.4:

0: traffic
1: event
2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-emailfilter
7: anomaly
8: voip
9: utm-dlp
10: utm-app-ctrl
12: utm-waf

The default log filter configuration looks like below.

Note.

The following outputs might look different on different FortiGate models, depending on the hardware/VM or on whether internal disk storage is present:

FortiOS 7.0, 7.2 and 7.4:

# show full-configuration log memory filter
config log memory filter
set severity information
set forward-traffic enable
set local-traffic enable
set multicast-traffic enable
set sniffer-traffic enable
set ztna-traffic enable
set anomaly enable
set voip enable
set gtp enable
end

FortiOS 6.4:
# show full-configuration log memory filter
config log memory filter
set severity information
set forward-traffic enable
set local-traffic enable
set multicast-traffic enable
set sniffer-traffic enable
set anomaly enable
set voip enable
set gtp enable
set filter ''
set filter-type include
end

FortiOS 6.2:

# show full-configuration log memory filter
config log memory filter
set severity information
set forward-traffic enable
set local-traffic enable
set multicast-traffic enable
set sniffer-traffic enable
set anomaly enable
set voip enable
set dns enable
set ssh enable
set ssl enable
set cifs enable
set filter ''
set filter-type include
end

FortiOS 6.0:

# show full-configuration log memory filter
config log memory filter
set severity information
set forward-traffic enable
set local-traffic enable
set multicast-traffic enable
set sniffer-traffic enable
set anomaly enable
set voip enable
set dns enable
set ssh enable
set filter ''
set filter-type include
end

FortiOS 5.6:

# show full-configuration log memory filter
config log memory filter
set severity warning
set forward-traffic enable
set local-traffic disable
set multicast-traffic enable
set sniffer-traffic enable
set anomaly enable
set voip enable
set dns enable
set filter ''
set filter-type include
end

FortiOS 5.4:

The log filter on a FortiGate has the following options:

# show full-configuration log memory filter
config log memory filter
set severity information
set forward-traffic enable
set local-traffic enable
set multicast-traffic enable
set sniffer-traffic enable
set anomaly enable
set voip enable
set filter ''
set filter-type include
end

For example, with the following log filters the FortiGate displays all utm-webfilter logs with the destination IP address 40.85.78.63:

# execute log filter category 3
# execute log filter field dstip 40.85.78.63
# execute log display

1 logs found.
1 logs returned.
1: date=2019-09-14 time=14:52:36 logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" eventtime=1568465556531146383 tz="+0200" policyid=1 sessionid=3190297 srcip=172.16.190.216 srcport=10806 srcintf="port3" srcintfrole="undefined" dstip=40.85.78.63 dstport=443 dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" hostname="wdcp.microsoft.com" profile="monitor-all" action="passthrough" reqtype="direct" url="/" sentbyte=197 rcvdbyte=3787 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=52 catdesc="Information Technology"

Alternatively, with the following free-style log filter the FortiGate displays all utm-webfilter logs with destination IP address 40.85.78.63 that are not from September 13, 2019:

# execute log filter free-style "(date 2019-09-13 not) and (dstip 40.85.78.63)"
1: date=2019-09-14 time=14:52:36 logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" eventtime=1568465556531146383 tz="+0200" policyid=1 sessionid=3190297 srcip=172.16.190.216 srcport=10806 srcintf="port3" srcintfrole="undefined" dstip=40.85.78.63 dstport=443 dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" hostname="wdcp.microsoft.com" profile="monitor-all" action="passthrough" reqtype="direct" url="/" sentbyte=197 rcvdbyte=3787 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=52 catdesc="Information Technology"

Other examples of using the free-style log filter:

# execute log filter free-style "srcip 172.16.1.1"
# execute log filter free-style "(srcip 172.16.1.1) or (dstip 172.16.1.2)"
# execute log filter free-style "(srcip 172.16.1.1) and (dstip 172.16.1.2)"
# execute log filter free-style "((srcip 172.16.1.1) or (dstip 172.16.1.2)) and (dstport 80 443 50-60)"

It is also possible to configure the following log filter commands:

# execute log filter
category Category.
device Device to get log from.
dump Dump current filter settings.
field Filter by field. Specify from 1 to 5 values: value1 [value2 ... value5] [not]
Use not to reverse the condition.
Each value can be an individual value or a value range.
For value range, "-" is used to separate two values.
For example, 2013/06/13-2013/06/14 is for a date range from Jun 13, 2013 to Jun 14, 2013
free-style Filter by free-style expression.
ha-member HA member.
max-checklines Maximum number of lines to check (maximum number of log entries that will be checked, 0 means all will be checked)
reset Reset filter.
start-line Start line to display (the log entry to start displaying from; so if set to 10, the 10th entry onward will be displayed)
view-lines Lines per view (the number of log entries that will be displayed, default 10)
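The field filter syntax above (up to five values per field, "a-b" ranges, a trailing "not") and the free-style expressions shown earlier are easy to reproduce offline, which is useful when a log export has to be filtered the same way the CLI would. The following Python is an added example, not Fortinet code: it parses a record in the key=value format shown above and evaluates field terms and parenthesised and/or expressions against it. The sample record is constructed; the left-to-right evaluation of and/or and the literal treatment of a date such as 2019-09-13 are assumptions, since the article documents neither.

```python
import re

# Constructed sample record in FortiGate's key=value log format (not captured from a device).
SAMPLE = ('date=2019-09-14 time=14:52:36 logid="0317013312" type="utm" subtype="webfilter" '
          'srcip=172.16.190.216 srcport=10806 dstip=40.85.78.63 dstport=443 action="passthrough"')
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_record(line):
    """Split one log line into a dict; quoted values keep spaces and lose the quotes."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV.findall(line)}

def _match_value(actual, v):
    """'a-b' is a range (numeric if all parts are digits); a date like 2019-09-13 stays literal."""
    bounds = v.split("-")
    if len(bounds) == 2 and actual.isdigit() and all(b.isdigit() for b in bounds):
        return int(bounds[0]) <= int(actual) <= int(bounds[1])
    return bounds[0] <= actual <= bounds[1] if len(bounds) == 2 else actual == v

def match_field(record, term):
    """One filter term '<field> v1 [v2 ... v5] [not]': any value may match, 'not' negates."""
    parts = term.split()
    negate = parts[-1] == "not"
    actual, values = record.get(parts[0]), (parts[1:-1] if negate else parts[1:])
    return (actual is not None and any(_match_value(actual, v) for v in values)) != negate

def match_free_style(record, expr):
    """'(term) and/or (term)', evaluated left to right (the page's examples fully parenthesise)."""
    tokens = re.findall(r"\(|\)|[^\s()]+", expr)
    pos = 0

    def term():  # a parenthesised group or a bare field term
        nonlocal pos
        if tokens[pos] == "(":
            pos += 1
            return expression()
        start = pos
        while pos < len(tokens) and tokens[pos] not in ("(", ")", "and", "or"):
            pos += 1
        return match_field(record, " ".join(tokens[start:pos]))

    def expression():  # terms joined by and/or, up to end of input or the group's ')'
        nonlocal pos
        result = term()
        while pos < len(tokens) and tokens[pos] in ("and", "or"):
            op, pos = tokens[pos], pos + 1
            rhs = term()
            result = (result and rhs) if op == "and" else (result or rhs)
        pos += 1  # step past the ')' that closed this group (harmless at end of input)
        return result
    return expression()
```

Running the article's own expressions against the sample record, "(date 2019-09-13 not) and (dstip 40.85.78.63)" matches, while "dstport 50-60" does not.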

It is also possible to work with the logs: roll, back up and delete local logs, list log details such as occupied space and the date/time of the log, and more:

# execute log
backup Backup.
delete Delete local logs of one category.
delete-all Delete all local logs.
detail Display UTM log entries for a particular traffic log.
display Display filtered log entries.
filter Set the filters discussed here.
flush-cache Write disk log cache of current category to disk in compressed format.
flush-cache-all Write disk log cache of all categories to disk in compressed format.
fortianalyzer FortiAnalyzer.
fortianalyzer-cloud FortiAnalyzer-cloud.
fortiguard FortiGuard.
list List current and rolled log files info.
raw-backup Raw-backup.
roll Roll log files now.


Related articles:

Viewing FortiGate log entries from the CLI (FortiOS 4.0)
Notes on Traffic log generation and logging support for ongoing sessions
