Advanced logging – FortiOS 6

Tracking specific search phrases in reports

It is possible to use the Web Filter to track specific search keywords and phrases and record the results for display in the report.

You should verify that the web filter profile you are using indicates what search phrases you want to track and monitor, so that the report includes this information.

  1. Log in to the CLI and enter show webfilter profile default.

This provides details about the webfilter profile being used by the security policy. In this example, the details (shown in the following in bold) indicate that safe search is enabled, but not specified or being logged.

show webfilter profile default config webfilter profile edit “default” set comment “default web filtering” set inspection-mode flow-based set options https-scan set post-action comfort config web set safe-search url

end config ftgd-wf config filters edit 1 set action block set category 2

next edit 2 set action block set category 7

next edit 3 set action block set category 8

  1. Enter the following command syntax so that logging and the keyword for the safe search will be included in logging.

config webfilter profile edit default config web set log-search enable

set keyword-match “fortinet” “easter” “easter bunny”

end

end

  1. To test that the keyword search is working, go to a web browser and begin searching for the words that were included in the webfilter profile, such as easter.

You can tell that the test works by going to Log & Report > Forward Traffic and viewing the log messages.

Interpreting and configuring FSSO syslog log messages

Interpreting and configuring FSSO syslog log messages

There are two syslog message formats: default and verbose. Verbose must be manually enabled as described below, but provides more general information.

Default syslog message format

The default FSSO syslog message format has no header, and is based on the specifications of RFC 3164. Messages only have two values, PRI (Priority) and MSG (Message), in the format of <PRI>MSG.

The content of PRI is as described in RFC 3164, but with specific parameters: the Facility value is always 1 (USER), unless ‘Log logons in separate log’ is enabled in the FSSO Collector Agent settings. In that case, those logon messages will have a Facility value of 4 or 10 (AUTH). The Severity value always matches the internal severity value of the log. PRI is enclosed in < > with no space following before MSG.

Verbose syslog message format

Verbose is a secondary message format that provides more information, including timestamp (with timezone).

In verbose mode, the log message follows the specifications of RFC 5424:

<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA/SD-ID MSG

PRI is formatted as described above in the default format.

Verbose FSSO syslog messages do not contain any data for MSGID, or STRUCTURED-DATA, so both of those two messages are recorded as a single hyphen character “-“.

APP-NAME always appears as “collectoragent”.

The other values are formatted as described in RFC 5424.

Enabling verbose syslog message mode

In order to enable the verbose syslog message mode, you must modify the registry on the PC that is hosting the FSSO Collector Agent.

In 64-bit Windows, locate the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fortinet\FSAE\collectoragent

In 32-bit Windows, locate the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\collectoragent

Under this registry path, create a new DWORD (32bit) Value named syslog_using_rfc, and set its value to

1.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To Buy Your Fortinet Hardware From The Fortinet GURU

Leave a Reply

Name *
Email *
Website

This site uses Akismet to reduce spam. Learn how your comment data is processed.