[showmyads]Fortinet are doing a lot to keep us away from the command line. And that’s ok in 95% of the cases. But sooner or later you come to meet the 5% of the bad and the ugly when you have no access to the GUI at all. Can you imagine the terror of such situation ? Fear no more – forewarned is forearmed. Just grab the Fortigate CLI Reference PDF (all in all 754 pages) , learn it by heart then return to my blog . A year has passed quickly, ah ?
Now you are ready for the introduction. One late evening [ and I am sure all security/networking equipment long ago conspired with clients against us to cause troubles at abnormal/non-working hours only] one of the clients asked if I can check something. "No, not something critical but STILL can you check it NOW ..? " , of course ,why not ?
To check something I needed access to the Fortigate logs. All good and well if it were not for the excruciatingly slow connection (in your case it may be blocked GUI management ports, out of band console access, high Fortigate CPU utilization) that made the GUI unusable. As I had not slightest inclination to turn late evening into early morning I did SSH to the machine, run #show log and #get log commands … and got logging configuration settings on the firewall. But where are the logs?
Hurray ! I got lots of lines running on the terminal, only that it was traffic log and I wanted Event log, and moreover it showed only first 100 lines out of 3400 and I wanted it all. So let’s do it by steps.
Step 1 – know what is served
Run this first to see what you will be presented and what not:
device: memory // from where logs are to be read
roll: 0 // archived version
start-line: 1 // on which line of the logs to start presenting
view-lines: 700 // how many lines to show
Step 2 – I want Event logs now !
10: application control
Left is how many lines to show at once .
number 5 – 1000 /// Aha, so we can see maximum 1000 lines per go. Not a problem actually cause every time you hit # execute log display starting line is increased for the next time by the number of lines shown.
To conclude it all I enabled logging in Putty through which I connected to the firewall and run
1000 logs returned.
1: 2010-07-13 19:10:58 log_id=0143040704 type=event subtype=his-performance pri=information vd=”root” action=perf-stats cpu=0 mem=10 total_session=4 msg=”Performance statistics”
2: 2010-07-1319:05:58 log_id=0143040704 type=event subtype=his-performance pri=information vd=”root” action=perf-stats cpu=0 mem=10 total_session=7 msg=”Performance statistics”
3: 2010-07-1319:01:28 log_id=0104032001 type=event subtype=admin vd=root pri=information user=”admin” ui=https(184.108.40.206) action=login status=success reason=none profile=”super_admin” msg=”Administrator admin logged in successfully from https(220.127.116.11)”
4: 2010-07-1319:00:58 log_id=0143040704 type=event subtype=his-performance pri=information vd=”root” action=perf-stats cpu=0 mem=10 total_session=5 msg=”Performance statistics”
5: 2010-07-1318:55:58 log_id=0143040704 type=event subtype=his-performance pri=information vd=”root” action=perf-stats cpu=0 mem=10 total_session=8 msg=”Performance statistics”
6: 2010-07-1318:54:09 log_id=0104032003 type=event subtype=admin vd=root pri=information user=”admin” ui=https(18.104.22.168) action=logout status=success reason=timeout msg=”Administrator admin timed out on https
Reference of all log messages known to Fortigate firmware 4 :