Troubleshooting Tip: Syslog and log trouble shooting via CLI

nsubramanian · ‎12-16-2019

Description
This article describes how to perform a syslog/log test and check the resulting log entries.

Solution
Perform a log entry test from the FortiGate CLI is possible using the 'diag log test' command.
This will create various test log entries on the unit hard drive, to a configured Syslog server, to a FortiAnalyzer device, to a WebTrends device or to the unit System Dashboard (System -> Status).

Example of output (output may vary depending on the FortiOS version):

# diag log test

generating an allowed traffic message with level - warning
generating a system event message with level - warning
generating a HA event message with level - warning
generating a infected virus message with level - warning
generating a blocked virus message with level - warning
generating an attack detection message with level - warning
generating a blacklist email message with level - warning
generating a URL block message with level - warning

The following list the various test log entries (output may vary depending on the FortiOS version):

Below one can see the output for category which are highlighted in 'bold' case.

# execute log filter category
Available categories:
0: traffic
1: event
2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-emailfilter
7: anomaly
8: voip
9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: dns

Traffic (output form FortiOS 5.6.5)

# execute log filter category traffic

# execute log display
11: date=2018-07-26 time=16:51:36 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1532616695 srcip=7.1.1.1 srcport=10016 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" sessionid=10006 proto=6 action="accept" policyid=1 policytype="policy" service="tcp/20" dstcountry="France" srccountry="United States" trandisp="noop" appid=35421 app="Dropbox_File.Download" appcat="Storage.Backup" apprisk="medium" applist="default" duration=10 sentbyte=2000 rcvdbyte=1000 sentpkt=0 rcvdpkt=0 utmaction="allow" countapp=1 devtype="iPad" osname="Apple" osversion="ver" mastersrcmac="07:01:01:01:01:01" srcmac="07:01:01:01:01:01" srcserver=0 dstdevtype="Android Phone" dstosname="Android" dstosversion="ver" masterdstmac="02:02:02:02:02:02" dstmac="02:02:02:02:02:02" dstserver=0 utmref=65491-194

Traffic (output form FortiOS 5.4)

# execute log filter category 1

# execute log display
200 logs found.
10 logs returned
1: date=2018-07-26 time=17:24:25 logid=0107045056 type=event subtype=endpoint level=notice vd=SOUTH-WEB logdesc="FortiClient license limit reached" action=add status=error license_limit=10 reason="License Number Exceeded" repeat=1 msg="FortiClient license maximum has been reached."

2: date=2018-07-26 time=17:24:24 logid=0102043020 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="FortiGuard override successful" srcip=1.1.1.1 dstip=2.2.2.2 initiator=N/A status=success reason="reason" scope=user expiry="Sun Jan 11 02:00:00 1970" oldwprof="old_profile" profile="new_profile" msg="User user added webfilter override entry scope_data from 1.1.1.1"

3: date=2018-07-26 time=17:24:24 logid=0102043018 type=event subtype=user level=warning vd=SOUTH-WEB logdesc="FortiGuard override failed" srcip=1.1.1.1 dstip=2.2.2.2 initiator=N/A status=failure reason="reason" msg="User user failed authentication when creating a FortiGuard Web Filtering override from 1.1.1.1"

4: date=2018-07-26 time=17:24:24 logid=0102043019 type=event subtype=user level=warning vd=SOUTH-WEB logdesc="FortiGuard override table full" srcip=1.1.1.1 dstip=2.2.2.2 initiator=N/A status=failure reason="reason" msg="FortiGuard Web Filtering override table is full"

5: date=2018-07-26 time=17:24:24 logid=0102043012 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="FSSO authentication successful" srcip=1.1.1.1 dstip=2.2.2.2 policyid=3 user="user" adgroup="adgroup" authproto="user(1.1.1.1)" action=FSS0-auth status=success reason="reason" msg="AD group adgroup user user succeeded in authentication"

6: date=2018-07-26 time=17:24:24 logid=0102043013 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="FSSO authentication failed" srcip=1.1.1.1 dstip=2.2.2.2 policyid=3 user="user" adgroup="adgroup" authproto="user(1.1.1.1)" action=FSS0-auth status=failure reason="reason" msg="AD group adgroup user user failed in authentication"

7: date=2018-07-26 time=17:24:24 logid=0102043016 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="NTLM authentication successful" srcip=1.1.1.1 dstip=2.2.2.2 policyid=3 user="user" adgroup="adgroup" group="usergroup" authproto="HTTP(1.1.1.1)" action=NTLM-auth status=success reason="reason" msg="AD group adgroup user user successed in authentication"

8: date=2018-07-26 time=17:24:24 logid=0102043017 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="NTLM authentication failed" srcip=1.1.1.1 dstip=2.2.2.2 policyid=3 user="user" adgroup="adgroup" group="usergroup" authproto="HTTP(1.1.1.1)" action=NTLM-auth status=failure reason="reason" msg="AD group adgroup user user failed in authentication"

9: date=2018-07-26 time=17:24:24 logid=0102043008 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="Authentication success" srcip=1.1.1.1 dstip=2.2.2.2 policyid=3 user="user" group="usergroup" authproto="HTTP(1.1.1.1)" action=authentication status=success reason="reason" msg="User user succeeded in authentication"

10: date=2018-07-26 time=17:24:24 logid=0102043009 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="Authentication failed" srcip=1.1.1.1 dstip=2.2.2.2 policyid=3 user="user" group="usergroup" authproto="HTTP(1.1.1.1)" action=authentication status=failure reason="reason" msg="User user failed in authentication""

Web Filter (output form FortiOS 5.6.5)

# execute log filter category 3

# execute log display
4 logs found.
4 logs returned.

1: date=2018-07-26 time=17:25:59 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532618758 policyid=1 sessionid=30000 user="user" group="group" srcip=1.1.1.1 srcport=30000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.abcd.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=26 catdesc="Malicious Websites" crscore=60 crlevel="high"

2: date=2018-07-26 time=17:25:57 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532618757 policyid=1 sessionid=20000 user="user" group="group" srcip=1.1.1.1 srcport=20000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.xyz.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=52 catdesc="Information Technology" crscore=30 crlevel="high"

3: date=2018-07-26 time=16:51:36 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532616697 policyid=1 sessionid=30000 user="user" group="group" srcip=1.1.1.1 srcport=30000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.abcd.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=26 catdesc="Malicious Websites" crscore=60 crlevel="high"

4: date=2018-07-26 time=16:51:34 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532616694 policyid=1 sessionid=20000 user="user" group="group" srcip=1.1.1.1 srcport=20000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.xyz.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=52 catdesc="Information Technology" crscore=30 crlevel="high"

DNS

# execute log filter category dns

# execute log display
2 logs found.
2 logs returned.

1: date=2018-07-26 time=17:25:59 logid="1501054400" type="dns" subtype="dns-response" level="warning" vd="root" eventtime=1532618758 policyid=1 sessionid=0 srcport=0 srcintf=unknown-0 srcintfrole="undefined" dstport=0 dstintf=unknown-0 dstintfrole="undefined" proto=17 profile="default" xid=0 qtype="INVALID" qtypeval=0 qclass="INVALID" msg="Domain was blocked because it is in the domain-filter list" action="block" domainfilteridx=0

2: date=2018-07-26 time=16:51:36 logid="1501054400" type="dns" subtype="dns-response" level="warning" vd="root" eventtime=1532616697 policyid=1 sessionid=0 srcport=0 srcintf=unknown-0 srcintfrole="undefined" dstport=0 dstintf=unknown-0 dstintfrole="undefined" proto=17 profile="default" xid=0 qtype="INVALID" qtypeval=0 qclass="INVALID" msg="Domain was blocked because it is in the domain-filter list" action="block" domainfilteridx=0

A possible root cause is that the login options for the syslog server may not be all enabled.
This must be configured from the CLI, with the following command :

# config log syslogd filter
     get                                                   <----- To display the current config, which looks like this in FortiOS 4.0MR2.
     app-ctrl            : enable
     attack              : enable
     dlp                 : enable
     email               : enable
     forward-traffic     : enable
     invalid-packet      : enable
     local-traffic       : enable
     netscan             : enable
     severity            : information
     traffic             : enable
     virus               : enable
     voip                : enable
     web                 : enable
     analytics           : enable
     anomaly             : enable
     app-ctrl-all        : enable
     blocked             : enable
     discovery           : enable
     dlp-all             : enable
     dlp-docsource       : enable
     email-log-google    : enable
     email-log-imap      : enable
     email-log-msn       : enable
     email-log-pop3      : enable
     email-log-smtp      : enable
     email-log-yahoo     : enable
     ftgd-wf-block       : enable
     ftgd-wf-errors      : enable
     infected            : enable
     multicast-traffic   : enable
     oversized           : enable
     scanerror           : enable
     signature           : enable
   suspicious          : enable
     switching-protocols : enable
     url-filter          : disable
     vulnerability       : enable
     web-content         : enable
     web-filter-activex : enable
     web-filter-applet   : enable
     web-filter-command-block: enable
     web-filter-cookie   : enable
     web-filter-ftgd-quota: enable
     web-filter-ftgd-quota-counting: enable
     web-filter-ftgd-quota-expired: enable
     web-filter-script-other: enable

Use the command 'set <option> enable/disable' to enable or disable any of the items in the list.

Example :

set url-filter enable
end

A login test can be made with the following CLI command : '# diagnose log test'