FortiDeceptor – System Log

System Log

Use the Log pages to view and download FortiDeceptor system logs. Logs can be stored locally on FortiDeceptor or sent to a remote log server.

Logging Levels

The FortiDeceptor log level can be Emergency (reserved), Alert, Critical, Error, Warning, Information, or Debug. The following list gives the meaning of each log level and an example log entry for it.

Alert: Immediate action is required.
  Example: Suspicious URL visit domain.com from 192.12.1.12 to 42.156.162.21:80.
Critical: Functionality is affected.
  Example: System database is not ready. A program should have started to rebuild it and it shall be ready after a while.
Error: An erroneous condition exists and functionality is probably affected.
  Example: Errors that occur when deleting certificates.
Warning: Functionality might be affected.
  Example: Submitted file AVSInstallPack.exe is too large: 292046088.
Information: General information about system operations.
  Example: LDAP server information that was successfully updated.
Debug: Detailed information for debugging.
  Example: Launching job for file. jobid=2726271637747836543 filename=log md5=ebe5ae2bec3b653c2970e8cec9f5f1d9 sha1=06ea6108d02513f0d278ecc8d443df86dac2885b sha256=d678da5fb9ea3ee20af779a4ae13c402585ebb070edcf20091cb20509000f74b

Raw logs

You can download and save raw logs to the management computer by clicking Download Log. Raw logs are saved as a gzip-compressed text file with the extension .log.gz. Each entry is a single line of space-separated key=value fields; the msg field is double-quoted and itself carries nested key=value fields. You can search the system log for more details.

Sample raw log file content (one entry per line)

itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg="SNMP TRAP sent out: Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22 Operation=Established SSH connection Description=10.95.5.83 Username=NA Password=NA"
itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg="SNMP TRAP sent out: Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22 Operation=SSH connection closed Description=83ssh Username=83ssh Password=83ssh"
itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg="SNMP TRAP sent out: Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22 Operation=Authentication Failure Description=83ssh Username=83ssh Password=83ssh"
itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg="SNMP TRAP sent out: Service=SAMBA AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445 Operation=Change to dir Description=/home/share/samba Username=83samba Password=83samba"
itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg="SNMP TRAP sent out: Service=SAMBA AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445 Operation=Access path Description=samba Username=83samba Password=83samba"
itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg="SNMP TRAP sent out: Service=SAMBA AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445 Operation=Disconnect net share Description=samba Username=83samba Password=83samba"
itime=1535413201 date=2018-08-27 time=16:40:01 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg="Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22 Operation=SSH connection closed Description=83ssh Username=83ssh Password=83ssh"
itime=1535413201 date=2018-08-27 time=16:40:01 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg="Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22 Operation=Authentication Failure Description=83ssh Username=83ssh Password=83ssh"
itime=1535413198 date=2018-08-27 time=16:39:58 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg="Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22 Operation=Established SSH connection Description=10.95.5.83 Username=NA Password=NA"
itime=1535413198 date=2018-08-27 time=16:39:58 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg="Service=SAMBA AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445 Operation=Disconnect net share Description=samba Username=83samba Password=83samba"
itime=1535413197 date=2018-08-27 time=16:39:57 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg="Service=SAMBA AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445 Operation=Change to dir Description=/home/share/samba Username=83samba Password=83samba"
itime=1535413197 date=2018-08-27 time=16:39:57 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg="Service=SAMBA AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445 Operation=Access path Description=samba Username=83samba Password=83samba"
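The raw log format above is easy to work with once the two layers are separated: the outer space-separated key=value fields, and the nested key=value fields carried inside the quoted msg. The following is an added example written for this post, not code from Fortinet or from the FortiDeceptor product. It parses entries of that format, splits out the nested fields (whose values, such as "Established SSH connection", contain spaces), ranks entries by the level names from the Logging Levels table, and selects entries by level the way the Log Level setting on the Log Servers page does. The three sample lines are constructed to match the format shown on this page; the nested field names are the ones that appear in the samples, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample input modelled on the raw log lines shown above
# (sample data for this example, not a real capture).
SAMPLE_RAW_LOG = """\
itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg="SNMP TRAP sent out: Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22 Operation=Established SSH connection Description=10.95.5.83 Username=NA Password=NA"
itime=1535413201 date=2018-08-27 time=16:40:01 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg="Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22 Operation=Authentication Failure Description=83ssh Username=83ssh Password=83ssh"
itime=1535413197 date=2018-08-27 time=16:39:57 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg="Service=SAMBA AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445 Operation=Change to dir Description=/home/share/samba Username=83samba Password=83samba"
"""

# Level names from the Logging Levels table, ordered from most to least severe.
LOG_LEVELS = ("emergency", "alert", "critical", "error", "warning", "information", "debug")

# Outer tokens: key=value where the value is either a double-quoted string
# (msg="...") or a run of non-space characters, possibly empty (action=).
_TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# Keys nested inside msg, as seen in the samples. Their values may contain
# spaces, so a value runs until the next known key or the end of the string.
_MSG_KEYS = ("Service", "AttackerIp", "AttackerPort", "VictimIp", "VictimPort",
             "Operation", "Description", "Username", "Password")
_KEY_ALT = "|".join(_MSG_KEYS)
_MSG_FIELD_RE = re.compile(r"(?P<key>" + _KEY_ALT + r")=(?P<value>.*?)(?=\s(?:" + _KEY_ALT + r")=|$)")
_FIRST_KEY_RE = re.compile(r"\b(?:" + _KEY_ALT + r")=")


def parse_msg(msg):
    """Split msg into a free-text prefix (e.g. 'SNMP TRAP sent out:') and its nested fields."""
    first = _FIRST_KEY_RE.search(msg)
    prefix = msg[:first.start()].strip() if first else msg.strip()
    fields = {m.group("key"): m.group("value") for m in _MSG_FIELD_RE.finditer(msg)}
    return prefix, fields


def parse_line(line):
    """Parse one raw log line into a dict of outer fields plus msg_prefix / msg_fields."""
    entry = {}
    for m in _TOKEN_RE.finditer(line):
        key, quoted, bare = m.groups()
        entry[key] = quoted if quoted is not None else bare
    if "msg" in entry:
        entry["msg_prefix"], entry["msg_fields"] = parse_msg(entry["msg"])
    return entry


def parse_raw_log(text):
    """Parse a whole .log file body (one entry per line), skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def select_levels(entries, levels):
    """Keep entries whose pri is in the chosen set, like the Log Level checkboxes on a log server entry."""
    wanted = {level.lower() for level in levels}
    return [e for e in entries if e.get("pri", "").lower() in wanted]


def at_or_above(entries, level):
    """Keep entries at least as severe as `level`, using the table's ordering; unknown pri values are dropped."""
    threshold = LOG_LEVELS.index(level.lower())
    kept = []
    for e in entries:
        pri = e.get("pri", "").lower()
        if pri in LOG_LEVELS and LOG_LEVELS.index(pri) <= threshold:
            kept.append(e)
    return kept


def summarize_by_attacker(entries):
    """Count deception events per (AttackerIp, Service, Operation) for a quick triage view."""
    counts = Counter()
    for e in entries:
        f = e.get("msg_fields", {})
        if "AttackerIp" in f:
            counts[(f["AttackerIp"], f.get("Service", "?"), f.get("Operation", "?"))] += 1
    return counts


if __name__ == "__main__":
    parsed = parse_raw_log(SAMPLE_RAW_LOG)
    for key, n in summarize_by_attacker(at_or_above(parsed, "warning")).items():
        print(f"{n}x {key[0]} -> {key[1]}: {key[2]}")
```

Reading a real download is a matter of `gzip.open(path, "rt")` and passing the text to parse_raw_log. The split into select_levels and at_or_above mirrors the two ways levels are normally used: the product's Log Server setting picks a set of levels, while a downstream SIEM rule usually wants everything at or above a severity.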

Log Categories

Log > All Events shows all logs.

The following options are available:

Download Log: Download the raw log file to the management computer.
History Logs: Enable to include historical logs in Log Search.
Refresh: Refresh the log message list.
Filter: Click Filter to add search filters. You can select different categories to search the logs. Search is not case sensitive.

The following information is displayed:

#: Log number.
Date/Time: Date and time the log message was created.
Level: Level of the log message. For logging levels, see Logging Levels above.
User: The user to which the log message relates. User can be a specific user or system.
Message: Detailed log message.

Log Servers

You can send FortiDeceptor logs to a remote syslog server or Common Event Format (CEF) server. In Log > Log Servers, you can create, edit, and delete remote log server entries. You can configure up to 30 remote log server entries.

The following options are available:

Create New: Create a log server entry.
Edit: Edit the selected log server entry.
Delete: Delete the selected log server entry.

This page displays the following information:

Name: Name of the server entry.
Server Type: Server type, syslog or CEF.
Server Address: Log server address.
Port: Log server port number.
Status: Log server status, Enabled or Disabled.

To create a server entry:

  1. Go to Log > Log Servers.
  2. Click Create New.
  3. Configure the following settings:
     Name: Name of the new server entry.
     Type: Select Syslog Protocol or Common Event Format.
     Log Server Address: Log server IP address or FQDN.
     Port: Port number. The default port is 514.
     Status: Enable or disable sending logs to the server.
     Log Level: Select the logging levels to forward to the log server. For logging levels, see Logging Levels above.
  4. Click OK.

To edit or delete a log server:

  1. Go to Log > Log Servers.
  2. Select an entry and click Edit or Delete.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
