FortiView

Customizing the log view

The log message list can show raw or formatted, real time or historical logs. The columns in the log message list can be customized to show only relevant information in your preferred order.

Log display

By default, historical formatted logs are shown in the log message list. You can change the view to show raw logs, and you can view real-time logs in either raw or formatted display.

To view real time logs, in the log message list, select Tools, then select Real-time Log from the drop-down menu. To return to the historical log view, select Tools, then select Historical Log from the drop-down menu.

To view raw logs, in the log message list, select Tools, then select Display Raw from the drop-down menu (see Figure 95). To return to the formatted log view, select Tools, then select Display Formatted from the drop-down menu.

Figure 95: Log view (raw display)

This page displays the following information and options:

Refresh: Select to refresh the log view. This option is only available when viewing historical logs.

Search: Enter a search term to search the log messages. See “To perform a text search:”. Select GO in the toolbar to apply the filter.

Latest Search: Select the latest search icon to repeat previous searches, select favorite searches, or quickly add filters to your search. The filters available vary based on the device and log type.

Clear Search: Select to clear the search filters.

Help: Hover your mouse over the help icon to see example search syntax. See “Examples”.

Device: Select the device or log array in the drop-down list. Select Manage Log Arrays in the Tools menu to create, edit, or delete log arrays.

Time Period: Select a time period from the drop-down list. Options include: Last 30 mins, Last 1 hour, Last 4 hours, Last 12 hours, Last 1 day, Last 7 days, Last N hours, Last N days, or Custom. See “To customize the time period:”. This option is only available when viewing historical logs.

GO: Select to apply the time period and limit to the displayed log entries. A progress bar is displayed in the lower toolbar.

Create Custom View: Select to create a new custom view. You can create multiple custom views in Log View. Each custom view displays a selected device or log array with specific filters and time period. See “To create a new custom view:”. This option is only available when viewing historical logs.

Pause / Resume: Pause or resume the real-time log display. These two options are only available when viewing real-time logs.

Tools: The Tools button provides options for changing the manner in which the logs are displayed, search options, and log array management; it also provides an option for downloading logs, see “Download log messages”. The Tools menu contains the following:

  Real-time Log / Historical Log: Select to switch between the Real-time Log view and the Historical Log view.
  Display Formatted: Select to change the view from raw log display to formatted log display.
  Download: Select to download logs. A download dialog box is displayed. Select the log file format, whether to compress with gzip, and the pages to include, then select Apply to save the log file to the management computer. This option is only available when viewing historical logs in formatted display.
  Manage Log Arrays: Select to create new log arrays, or edit and delete existing ones. Once you have created a log array, you can select it in the Device drop-down menu in the Log View toolbar.
  Case Sensitive Search: Select to enable case sensitive search.

Detailed Information: Detailed information on the log message selected in the log message list. This item is not available when viewing raw logs.

Status Bar: Displays the log view status as a percentage.

Pagination: Adjust the number of logs that are listed per page and browse through the pages.

Limit: Select the maximum number of log entries to be displayed from the drop-down list. Options include: 1000, 5000, 10000, 50000, or All.

The selected log view affects which other options are available in the Tools drop-down menu. Real-time logs cannot be downloaded, and raw logs do not have the option to customize the columns.

Columns

The columns displayed in the log message list can be customized and reordered as needed. Filters can also be applied to the data in a column.

To customize the displayed columns:

  1. In the log message list, right-click on a column heading.

The Column Settings pop-up menu opens.

Figure 96: Column settings pop-up

  2. Select a column to hide or display, select Reset to Default to reset to the default columns, or select More Columns to open the Column Settings window.

Figure 97: Column settings window

  3. In the Column Settings window, multiple columns can be added or removed as required, and the order of the displayed columns can be adjusted by dragging and dropping the column names.
  4. To reset to the default columns, select Reset to Default.
  5. Select OK to apply your changes.

To filter column data:

  1. In the log message list, select Tools, then select Enable Column Filter from the drop-down menu to enable column filters.
  2. In the heading of the column you need to filter, select the filter icon. The filter icon is only shown on columns that can be filtered.

The Filter Settings dialog box opens.

Figure 98: Filter settings

  3. Enable the filter, then enter the required information to filter the selected column.

The filter settings vary based on the selected column.

  4. Select Apply to apply the filter to the data.

The column’s filter icon turns green when the filter is enabled. Downloading the current view only downloads the log messages that meet the current filter criteria.

Custom views

Select Create Custom View in the toolbar to create a new custom log view. Use Custom View to save a custom search, device selection, and time period so that you can select this view at any time to view results without having to re-select these criteria.

To create a new custom view:

  1. In the Log View pane, select a log type.
  2. Enter a search term, select a device or devices, select a time period, limit the number of logs to display as needed, then select Create Custom View.

The Create New Custom View dialog box is displayed.

Figure 99: Create new custom view

  3. Enter a name for the new custom view. All other fields are read-only.

The new custom view is saved to the Custom View folder in the ADOM.

To edit a custom view:

  1. In the Log View pane, select the Custom View folder in the tree menu.
  2. Select the custom view you would like to edit.
  3. Edit the custom search, devices, time period, and the limit on the number of logs to display, then select GO.
  4. Right-click the name of the custom view and select Save to save your changes.

To rename a custom view:

  1. In the Log View pane, select an ADOM, and select the Custom View folder.
  2. Right-click the name of the custom view and select Rename in the menu.

The Rename Custom View dialog box opens.

  3. Edit the name and select OK to save your changes.

To delete a custom view:

  1. In the Log View pane, select an ADOM, and select the Custom View folder.
  2. Right-click the name of the custom view and select Delete in the menu.
  3. Select OK in the confirmation dialog box to delete the view.

Searching log messages

Log messages can be searched based on a text string and/or time period. Recent searches can be quickly repeated, a time period can be specified or customized, and the number of displayed logs can be limited. A text string search can be case sensitive or not as required.

To perform a text search:

  1. In the log message list, select Tools, then select or deselect Case Sensitive Search from the drop-down menu to enable or disable case sensitivity in the search string.
  2. In the log message list, enter a text string in the search field in one of the following ways:
    • Manually type the text that you are searching for. Wildcard characters are accepted.
    • Right-click an element in the list that you would like to add to the search, and select whether to search for strings that match or do not match that value.
    • Select a previous search or default filter using the history icon. The available filters vary depending on the selected log type and displayed columns.

Figure 100: Search history

    • Paste a saved search into the search field.
  3. Select GO to search the log message list.

To customize the time period:

  1. In the log message list, open the time period drop-down menu, and select ...

The Custom Timeframe dialog box opens.

Figure 101: Custom timeframe

  2. Specify the desired time period using the From and To fields, or select Any Time to remove any time period restriction from the displayed data.
  3. Select Apply to create the custom time period.

A calendar icon is shown next to the time period drop-down list. Select it to adjust the custom time period settings.

  4. Select GO to apply your settings to the log message list.
Examples

To view example text search strings, hover your cursor over the help icon.

Figure 102: Example searches

  • The first example searches for log messages with a source IP address of 172.16.86.11 and a service of HTTP. Because no operator is specified, the and operator is assumed, meaning that both conditions must be met for a log message to be included in the search results.
  • The second example searches for any log messages with a source IP address that starts with either 172.16 or 172.18. Note the use of the * wildcard. The use of the or operator means that either condition can be met for a log message to be included in the search results.
  • The third example searches for any log messages that do not have both a source IP address of 172.16.86.11 and a service of HTTP. The use of the and operator means that both conditions must be met for a log message to be excluded from the search results.

Download log messages

Log messages can be downloaded to the management computer as a text or CSV file. Real-time logs cannot be downloaded.

To download log messages:

  1. In the log message list, select Tools, then select Download.

The Download dialog box opens.

Figure 103: Download log messages

  2. Select a log format from the drop-down list, either Text or CSV.
  3. Select Compress with gzip to compress the downloaded file.
  4. Select Current Page to download only the current log message page, or All Pages to download all of the pages in the log message list.
  5. Select Apply to download the log messages to the management computer.
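The three searches described under “Examples” and the CSV download above can be worked through offline. The following Python is an added example written for this page; it is not FortiAnalyzer code and the query grammar it implements (key=value terms joined by and/or, not with parentheses, * as a wildcard, and an implied and between adjacent terms) is an assumption chosen to reproduce the behaviour the page describes, not the product’s documented syntax. The raw key=value log lines and the gzip-compressed CSV export are constructed inline; the case_sensitive flag mirrors the Case Sensitive Search option.

```python
"""Added example, not FortiAnalyzer code: evaluates the search semantics described
under "Examples" over constructed raw key=value log lines, and reads a constructed
gzip-compressed CSV export like the one Tools > Download produces. The query grammar
(key=value terms, and/or/not, parentheses, * wildcard, implied and) is an assumption
for illustration; the page describes the behaviour of the examples, not the syntax."""
import csv
import fnmatch
import gzip
import io
import re

# Constructed sample lines in FortiGate-style raw key=value format (not captured data).
RAW_LOGS = [
    'date=2015-01-05 time=10:00:01 srcip=172.16.86.11 dstip=10.0.0.5 service=HTTP action=accept',
    'date=2015-01-05 time=10:00:02 srcip=172.16.86.11 dstip=10.0.0.6 service=DNS action=accept',
    'date=2015-01-05 time=10:00:03 srcip=172.18.2.9 dstip=10.0.0.5 service=HTTP action=deny',
    'date=2015-01-05 time=10:00:04 srcip=192.168.1.20 dstip=10.0.0.5 service=HTTP action=accept',
    'date=2015-01-05 time=10:00:05 srcip=172.16.0.4 dstip=10.0.0.7 service=SSH action="accept"',
]
# Constructed stand-in for a CSV export saved with "Compress with gzip" (not a real download).
EXPORT_GZ = gzip.compress(b'date,time,srcip,service\n'
                          b'2015-01-05,10:00:01,172.16.86.11,HTTP\n'
                          b'2015-01-05,10:00:03,172.18.2.9,HTTP\n')

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_raw(line):
    """Parse one raw key=value log line into a dict, stripping quotes around values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

RECORDS = [parse_raw(line) for line in RAW_LOGS]

def load_export(data):
    """Read a downloaded CSV export, gunzipping first if it carries the gzip magic bytes."""
    if data[:2] == b'\x1f\x8b':
        data = gzip.decompress(data)
    return list(csv.DictReader(io.StringIO(data.decode('utf-8'))))

class _Parser:
    """Recursive descent: or < and (explicit or implied) < not < parentheses / key=value."""
    def __init__(self, expr):
        self.toks = re.findall(r'\(|\)|[^\s()]+', expr)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        if self.i >= len(self.toks):
            raise ValueError('unexpected end of search expression')
        self.i += 1
        return self.toks[self.i - 1]

    def parse_or(self):
        node = self.parse_and()
        while self.peek() and self.peek().lower() == 'or':
            self.take()
            node = ('or', node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_unary()
        while self.peek() not in (None, ')') and self.peek().lower() != 'or':
            if self.peek().lower() == 'and':
                self.take()  # explicit "and"; two adjacent terms also mean "and"
            node = ('and', node, self.parse_unary())
        return node

    def parse_unary(self):
        tok = self.take()
        if tok.lower() == 'not':
            return ('not', self.parse_unary())
        if tok == '(':
            node = self.parse_or()
            if self.take() != ')':
                raise ValueError('unbalanced parentheses')
            return node
        key, sep, pattern = tok.partition('=')
        if not sep:
            raise ValueError(f'expected key=value term, got {tok!r}')
        return ('term', key, pattern)

def _matches(node, rec, cs):
    kind = node[0]
    if kind == 'term':
        _, key, pattern = node
        if key not in rec:
            return False
        value = rec[key] if cs else rec[key].lower()
        return fnmatch.fnmatchcase(value, pattern if cs else pattern.lower())  # * = any run
    if kind == 'not':
        return not _matches(node[1], rec, cs)
    if kind == 'and':
        return _matches(node[1], rec, cs) and _matches(node[2], rec, cs)
    return _matches(node[1], rec, cs) or _matches(node[2], rec, cs)

def search(records, expr, case_sensitive=True):
    """Return records matching expr; case_sensitive mirrors Tools > Case Sensitive Search."""
    parser = _Parser(expr)
    tree = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f'unexpected token {parser.peek()!r}')
    return [r for r in records if _matches(tree, r, case_sensitive)]

if __name__ == '__main__':
    for expr in ('srcip=172.16.86.11 service=HTTP',             # implied and
                 'srcip=172.16.* or srcip=172.18.*',            # or with * wildcard
                 'not (srcip=172.16.86.11 and service=HTTP)'):  # excluded only when both hold
        print(expr, '->', [r['time'] for r in search(RECORDS, expr)])
    print('export:', [r['srcip'] for r in search(load_export(EXPORT_GZ), 'srcip=172.18.*')])
```

The third example is written with parentheses because, in this grammar, not binds tighter than and; without them `not srcip=172.16.86.11 and service=HTTP` would exclude the source address alone and then still require service=HTTP, which is not the behaviour the page describes. The export loader feeds the same search function, so a filtered download can be re-checked against the filter that produced it.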

Log arrays

Log Array has been relocated to Log View in the FortiView tab from the Device Manager tab. Upon upgrading to FortiAnalyzer v5.2.0 and later, all previously configured log arrays will be imported. In FortiAnalyzer v5.0.6 and earlier, when creating a Log Array with both devices and VDOMs, you need to select each device and VDOM to add it to the Log Array. In FortiAnalyzer v5.2.0 and later, when selecting to add a device with VDOMs, all VDOMs are automatically added to the Log Array.

To create a new log array:

  1. In the Log View pane, select the Tools button, and select Manage Log Arrays.

The Manage Log Arrays dialog box opens.

  2. Select Create New in the dialog box toolbar.

The Create New Log Array dialog box opens.

Figure 104: Create new log array

  3. Enter the following:
Name: Enter a unique name for the log array.
Comments: Enter optional comments for the log array.
Devices: Select the add icon, then select the devices and VDOMs to add to the log array. Select OK in the device selection window.
  4. Select OK to create the new log array.
  5. Select the close icon to close the Manage Log Arrays dialog box.

To edit a log array:

  1. In the Log View pane, select Tools, and select Manage Log Arrays.

The Manage Log Arrays dialog box is displayed.

  2. Select a log array entry and select Edit in the toolbar.

The Edit Log Array dialog box is displayed.

  3. Edit the log array name, comments, and devices as needed.
  4. Select OK to save the log array.
  5. Select the close icon to close the Manage Log Arrays dialog box.

To delete a log array:

  1. In the Log View pane, select Tools, and select Manage Log Arrays.

The Manage Log Arrays dialog box is displayed.

  2. Select the log array entry and select Delete in the toolbar.
  3. Select OK in the confirmation dialog box to delete the log array.
  4. Select the close icon to close the Manage Log Arrays dialog box.

This entry was posted in Administration Guides, FortiAnalyzer.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
