Log files and types
As the log messages are being recorded, log messages are also being put into different log files. The log file contains the log messages that belong to that log type, for example, traffic log messages are put in the traffic log file.
When downloading the log file from within Log & Report, the file name indicates the log type and the device on which it is stored, as well as the date, time, and a unique id for that log.
This name is in the format <logtype> – <logdevice> – <date> T <time> . <id>.log. For example, AntiVirusLog-disk-2012-09-13T11_07_57.922495.log.
Below, each of the different log files are explained. Traffic and Event logs come in multiple types, but all contain the base type such as ‘Event’ in the filename.
Log Types based on network traffic
Log Type Description
Traffic The traffic logs records all traffic to and through the FortiGate interface. Dif- ferent categories monitor different kinds of traffic, whether it be forward, local, or sniffer.
The event logs record management and activity events within the device in particular areas: System, Router, VPN, User, Endpoint, HA, WAN Opt./Cache, and WiFi. For example, when an administrator logs in or logs out of the web-based manager, it is logged both in System and in User events.
Antivirus The antivirus log records virus incidents in Web, FTP, and email traffic.
Web Filter The web filter log records HTTP FortiGate log rating errors including web content blocking actions that the FortiGate unit performs.
Application Control The application log records application usage, monitoring or blocking as configured in the security profiles.
Intrusion The intrusion log records attacks that are detected and prevented by the FortiGate unit.
Email Filter The email filter log records blocking of email address patterns and content in SMTP, IMAP, and POP3 traffic.
Vulnerability Scan The Vulnerability Scan (Netscan) log records vulnerabilities found during the scanning of the network.
Data Leak Prevention The Data Leak Prevention log records log data that is considered sensitive and that should not be made public. This log also records data that a com- pany does not want entering their network.
VoIP The VoIP log records VoIP traffic and messages. It only appears if VoIP is enabled on the Administrator Settings page.
Log database and datasets
The log database, also known as the SQL log database, is used to store logs on FortiGate units that have a built- in hard disk. The log database uses Structured Query Lanaguage (SQL), specifically it uses SQLite which is an embedded Relational Database Management System (RDBMS).
If you have disabled SQL logging and have factory defaults on the FortiGate unit, and then you upgrade the firmware, the upgrade will automatically disable SQL logging. When this occurs, you must re-enable SQL logging manually.
The FortiGate unit creates a database table for each log type, when log data is recorded. If the FortiGate unit is not recording log data, it does not create log tables for that device.
The command syntax, get report database schema, allows you to view all the tables, column names and types that are available to use when creating SQL statements for datasets.
If you want to view the size of the database, as well as the log database table entries, use the get log sql status command. This command displays the amount of free space that is available as well as the first and last log database entry time and date.
The output of the get log sql status command contains information similar to the following:
Database size: 294912
Free size in database: 0
Database Page Size: 8192
Entry number: Event: 49
First entry time: 2012-09-10 11:41:02
Last entry time: 2012-09-13 02:59:59
The log database is not only used to store logs, but also used to extract the information for reports. Reports are built from datasets, which are SQL statements that tell the FortiGate unit how to extract the information from the database. You can create your own datasets; however, SQL knowledge is required. Default datasets are
available for reports.
Notifications about network activity
Alert email messages provide notification about activities or events logged. These email messages also provide notification about log severities that are recorded, such as a critical or emergency.
You can send alert email messages to up to three email addresses. Alert messages are also logged and can be viewed from the Event Log menu, in the System Event log file.
You can use the alert email feature to monitor logs for log messages, and to send email notification about a specific activity or event logged. For example, if you require notification about administrators logging in and out, you can configure an alert email that is sent whenever an administrator logs in and out. You can also base alert email messages on the severity levels of the logs. The FortiGate unit does not currently support SSL/TLS connections for SMTP servers, so you must choose an SMTP server that does not need SSL/TLS when configuring the SMTP server settings.
Before configuring alert email, you must configure at least one DNS server if you are configuring with an Fully Qualified Domain Server (FQDN). The FortiGate unit uses the SMTP server name to connect to the mail server, and must look up this name on your DNS server. You can also specify an IP address.
The default minimum log severity level is Alert. If the FortiGate unit collects more than one log message before an interval is reached, the FortiGate unit combines the mes- sages and sends out one alert email.
How to configure email notifications
The following explains how to configure an alert email notification for IPsec tunnel errors, firewall authentication failure, configuration changes and FortiGuard license expiry.
1. In System > Config > Advanced, under Email Service, configure the SMTP server.
The SMTP server settings allow the FortiGate unit to know exactly where the email will be sent from, as well as who to send it to. The SMTP server must be a server that does not support SSL/TLS connections; if the SMTP server does, the alert email configuration will not work. The FortiGate unit does not currently support SSL/TLS connections for SMTP servers.
2. In Log & Report > Log Config > Alert E-mail, enter the source email in the Email From field, and up to three target addresses in the Email To fields.
3. Below the email entry, you can configure the email responses. By default, the Send alert email for the following is enabled. Select the check boxes beside IPsec tunnel errors, Configuration changes and Firewall authentication failure.
These alerts will be sent to the email address specified when the trigger occurs. For example, a user attempts to connect to the branch office of the company but cannot; the FortiGate unit detects an IPsec tunnel error, records the event, and then sends the notice to the email address specified in the SMTP server settings.
4. Select FortiGuard license expiry time: and then enter 10 so that the email notification will be sent ten days prior to the FortiGuard license expiration.
You can choose up to 100 days prior to when the license will expire. The default time is 15 days. By using this alert email notification, you can easily know when to send an re-registration request long before the expiry
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos
Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos