yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

Break free from the GUI dependency – checking Fortigate logs on the CLI.

Fortinet is doing a lot to keep us away from the command line, and that is fine in 95% of cases. But sooner or later you meet the other 5%, the bad and the ugly, when you have no access to the GUI at all. Can you imagine the terror of such a situation? Fear no more: forewarned is forearmed. Just grab the FortiGate CLI Reference PDF (all in all 754 pages), learn it by heart, then return to my blog. A year has passed quickly, hasn't it?
Now you are ready for the introduction. One late evening (and I am sure all security/networking equipment long ago conspired with clients against us to cause trouble at abnormal, non-working hours only) one of the clients asked if I could check something. "No, not something critical, but STILL, can you check it NOW...?" Of course, why not?
To check it I needed access to the FortiGate logs. All good and well if it were not for the excruciatingly slow connection that made the GUI unusable (in your case it may be blocked GUI management ports, console-only out-of-band access, or high FortiGate CPU utilization). As I had not the slightest inclination to turn a late evening into an early morning, I SSHed to the machine and ran # show log and # get log ... and got the logging configuration settings of the firewall. But where are the logs?
Here:

FGT-ugly # execute log display

Hurray! I got lots of lines scrolling on the terminal, only it was the traffic log and I wanted the event log; moreover, it showed only the first 100 lines out of 3400 and I wanted all of them. So let's do it step by step.
Step 1 – know what is served
Run this first to see what you will be presented with and what not:

FGT-ugly # execute log filter dump
category: traffic     // which kind of log is read; each kind is called a category, see below
device: memory        // where the logs are read from (memory here)
roll: 0               // which rolled (archived) log file to read; 0 is the current one
start-line: 1         // line of the log at which to start displaying
view-lines: 700       // how many lines to show per run

Step 2 – I want the event log now!

FGT-ugly # execute log filter category    // run without an argument to list the available categories
Available categories:
10: application control
9: dlp
6: content
5: spam
4: ids
3: webfilter
2: virus
1: event
0: traffic
FGT-ugly # execute log filter category 1    // switch to the event log

What is left is how many lines to show at a time.

FGT-ugly # execute log filter view-lines
number 5 - 1000

Aha, so we can see at most 1000 lines per run. Not a problem actually, because every time you run # execute log display the start-line is advanced by the number of lines shown, ready for the next run.
To wrap it up, I enabled session logging in PuTTY, through which I was connected to the firewall, and ran:

FGT-ugly # execute log display
3011 logs found.
1000 logs returned.
1: 2010-07-13 19:10:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=4 msg="Performance statistics"
2: 2010-07-13 19:05:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=7 msg="Performance statistics"
3: 2010-07-13 19:01:28 log_id=0104032001 type=event subtype=admin vd=root pri=information user="admin" ui=https(21.14.127.14) action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from https(21.14.127.14)"
4: 2010-07-13 19:00:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=5 msg="Performance statistics"
5: 2010-07-13 18:55:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=8 msg="Performance statistics"
6: 2010-07-13 18:54:09 log_id=0104032003 type=event subtype=admin vd=root pri=information user="admin" ui=https(21.14.127.14) action=logout status=success reason=timeout msg="Administrator admin timed out on https
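
Once the session is saved by PuTTY you have a text file of numbered key=value lines, and the interesting question is usually not "show me everything" but "who logged in to this box, from where". The script below is an added example, not code from the original post or from Fortinet: it parses the `execute log display` output in the layout shown above, works out how many display runs are needed for the "N logs found" count at view-lines 1000, and flags successful administrator logins whose source address is outside a management allow-list. The sample transcript is constructed (modelled on the lines above, with the last line deliberately cut off as a terminal log sometimes is), and the allow-list 10.0.0.0/8 is an assumption you would replace with your own management networks.

```python
"""Parse FortiOS 'execute log display' output saved from a PuTTY session and
flag administrator logins from outside the expected management networks.

Added example (not code from the original post or from Fortinet). Assumes the
log line layout shown in the post: '<n>: <date> <time> key=value key="quoted value" ...'.
"""
import ipaddress
import math
import re
import shlex
from collections import Counter

# Constructed sample session transcript modelled on the output in the post.
# The last line is deliberately cut off, as a terminal log sometimes is.
SAMPLE_SESSION = """\
FGT-ugly # execute log display
3011 logs found.
1000 logs returned.
1: 2010-07-13 19:10:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=4 msg="Performance statistics"
2: 2010-07-13 19:01:28 log_id=0104032001 type=event subtype=admin vd=root pri=information user="admin" ui=https(21.14.127.14) action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from https(21.14.127.14)"
3: 2010-07-13 18:55:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=8 msg="Performance statistics"
4: 2010-07-13 18:30:00 log_id=0104032001 type=event subtype=admin vd=root pri=information user="admin" ui=ssh(10.1.1.20) action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from ssh(10.1.1.20)"
5: 2010-07-13 18:54:09 log_id=0104032003 type=event subtype=admin vd=root pri=information user="admin" ui=https(21.14.127.14) action=logout status=success reason=timeout msg="Administrator admin timed out on https
"""

# "<n>: <date> <time> <fields>"; \s* between date and time tolerates a lost space.
LINE_RE = re.compile(r"^\s*(\d+):\s+(\d{4}-\d{2}-\d{2})\s*(\d{2}:\d{2}:\d{2})\s+(.*)$")
FOUND_RE = re.compile(r"^(\d+) logs found\.$")


def parse_fields(body):
    """Split 'k=v k="v with spaces"' into a dict; repair a cut-off quoted value."""
    try:
        tokens = shlex.split(body)
    except ValueError:          # "No closing quotation": the line was truncated
        tokens = shlex.split(body + '"')
    return dict(tok.split("=", 1) for tok in tokens if "=" in tok)


def parse_session(text):
    """Return (logs_found, [record dicts]) from a saved CLI session."""
    found, records = None, []
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            found = int(m.group(1))
            continue
        m = LINE_RE.match(line)
        if not m:
            continue            # prompt, "1000 logs returned.", blank lines
        rec = parse_fields(m.group(4))
        rec["_ts"] = f"{m.group(2)} {m.group(3)}"
        records.append(rec)
    return found, records


def display_runs_needed(logs_found, view_lines=1000):
    """How many times 'execute log display' must be run to see every line,
    given that each run advances start-line by the lines it showed."""
    return math.ceil(logs_found / view_lines)


def source_ip(rec):
    """Pull the address out of ui=https(21.14.127.14) / ui=ssh(10.1.1.20)."""
    m = re.search(r"\((\d+\.\d+\.\d+\.\d+)\)", rec.get("ui", ""))
    return ipaddress.ip_address(m.group(1)) if m else None


def admin_logins_outside(records, mgmt_nets):
    """Successful admin logins whose source is not in any management network.
    mgmt_nets is an assumed allow-list, not something the firewall provides."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    hits = []
    for rec in records:
        if rec.get("subtype") != "admin" or rec.get("action") != "login":
            continue
        if rec.get("status") != "success":
            continue
        ip = source_ip(rec)
        if ip is not None and not any(ip in n for n in nets):
            hits.append((rec["_ts"], rec.get("user"), str(ip), rec.get("profile")))
    return hits


if __name__ == "__main__":
    found, recs = parse_session(SAMPLE_SESSION)
    print(f"{found} logs on the box -> run 'execute log display' "
          f"{display_runs_needed(found)} times at view-lines 1000")
    print("events by subtype:", Counter(r.get("subtype") for r in recs))
    for hit in admin_logins_outside(recs, ["10.0.0.0/8"]):
        print("admin login from outside management nets:", hit)
```

Point it at the PuTTY log file instead of SAMPLE_SESSION and it will skip the prompts and "logs returned" lines on its own; the `shlex` retry matters because a message cut off mid-quote (as in the last line of the post's output) would otherwise abort parsing of the whole file.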

Reference of all log messages known to FortiGate firmware 4 (FortiGate Log Message Reference):
http://docs.fortinet.com/fgt/archives/4.0/techdocs/FortiGate_Log_Message_Reference_01-400-82627-20090528.pdf



1 Comment

  1. Good! I can't find this in the manual.

© 2016 yurisk.info
