Created on 10-20-2020 02:24 AM Edited on 10-27-2023 05:19 AM By Jean-Philippe_P
Description
This article shows how to configure the extended logging option in UTM profiles.
Scope
For version 6.4.2.
Solution
Extended logging is enabled per UTM profile; the web filter, antivirus, WAF, and IPS profiles are shown below.
When the extended-log option is enabled in a UTM profile, all HTTP header information for HTTP traffic that is denied is logged.
When the web-extended-all-action-log option is also enabled in the web filter profile, all HTTP header information for HTTP traffic that is allowed is logged as well.
Extended logging option in UTM profiles.
The extended-log option is available in all UTM profiles, for example:
Web filter profile:
config webfilter profile
    edit "test-webfilter"
        set extended-log enable
        set web-extended-all-action-log enable
    next
end
Antivirus profile:
config antivirus profile
    edit "av-proxy-test"
        set extended-log enable
    next
end
WAF profile:
config waf profile
    edit "test-waf"
        set extended-log enable
    next
end
IPS profile:
config ips sensor
    edit "test_profile"
        set extended-log enable
    next
end
Syslog server mode.
The syslog server mode can be set to udp, reliable, or legacy-reliable.
Set the mode to reliable (syslog over TCP) to support extended logging, because extended log messages are considerably longer than standard ones. For example:
config log syslogd setting
    set status enable
    set server "<ip address>"
    set mode reliable
    set facility local6
end
Example of an extended log.
The following is an example extended log of type utm with subtype webfilter, as received by a syslog server configured in reliable mode.
The rawdata field carries the extended log data, in this case the HTTP method and request headers.
Dec 18 15:40:15 10.6.30.254 date=2017-12-18 time=15:40:14
devname="600D-9" devid="FGT6HD3915800120" logid="0316013056"
type="utm" subtype="webfilter" eventtype="ftgd_blk"
level="warning" vd="vdom1" eventtime=1513640414 policyid=2
sessionid=440522 srcip=10.1.100.128 srcport=60995 srcintf="port2"
srcintfrole="lan" dstip=209.121.139.177 dstport=80 dstintf="port1"
dstintfrole="wan" proto=6 service="HTTP"
hostname="detectportal.firefox.com" profile="test-webfilter"
action="blocked" reqtype="direct" url="/success.txt" sentbyte=285
rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=52 catdesc="Information Technology" crscore=30 crlevel="high"
rawdata="Method=GET|User-Agent=Mozilla/5.0 (Windows NT 6.1; rv:57.0)
Gecko/20100101 Firefox/57.0"
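A SIEM or collector that receives these logs has to pull the HTTP header details back out of the rawdata field, which is a single quoted value whose contents are Name=Value pairs separated by "|". The following parser is an added example and is not part of this article or of any Fortinet tool; it is written against the sample log above (joined into one line, as the firewall would send it) and assumes that header values inside rawdata never themselves contain "|". It works the same for allow-traffic logs produced with web-extended-all-action-log enabled.

```python
import re
from typing import Dict

# Constructed sample: the extended web filter log from the article, joined into
# a single syslog line as a FortiGate emits it.
SAMPLE_LOG = (
    'Dec 18 15:40:15 10.6.30.254 date=2017-12-18 time=15:40:14 '
    'devname="600D-9" devid="FGT6HD3915800120" logid="0316013056" '
    'type="utm" subtype="webfilter" eventtype="ftgd_blk" '
    'level="warning" vd="vdom1" eventtime=1513640414 policyid=2 '
    'sessionid=440522 srcip=10.1.100.128 srcport=60995 srcintf="port2" '
    'srcintfrole="lan" dstip=209.121.139.177 dstport=80 dstintf="port1" '
    'dstintfrole="wan" proto=6 service="HTTP" '
    'hostname="detectportal.firefox.com" profile="test-webfilter" '
    'action="blocked" reqtype="direct" url="/success.txt" sentbyte=285 '
    'rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" '
    'method="domain" cat=52 catdesc="Information Technology" crscore=30 crlevel="high" '
    'rawdata="Method=GET|User-Agent=Mozilla/5.0 (Windows NT 6.1; rv:57.0) '
    'Gecko/20100101 Firefox/57.0"'
)

# A field is key=value where the value is either a double-quoted string (which
# may contain spaces, '=' and '|') or a bare token with no whitespace.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Return the key=value fields of one FortiGate syslog line, unquoted."""
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_rawdata(rawdata: str) -> Dict[str, str]:
    """Split the extended-log rawdata value ('Name=Value|Name=Value') into a dict.

    Assumption: '|' does not occur inside a header value. Only the first '=' in
    each item separates name from value, so '=' inside a value is preserved.
    """
    headers: Dict[str, str] = {}
    for item in rawdata.split('|'):
        name, sep, value = item.partition('=')
        if sep:
            headers[name.strip()] = value.strip()
    return headers


def extended_http_summary(line: str) -> Dict[str, str]:
    """Combine the session fields and the extended HTTP details into one record,
    the shape an analyst would want in a SIEM search for a blocked request."""
    fields = parse_fortigate_log(line)
    headers = parse_rawdata(fields.get('rawdata', ''))
    return {
        'action': fields.get('action', ''),
        'srcip': fields.get('srcip', ''),
        'hostname': fields.get('hostname', ''),
        'url': fields.get('url', ''),
        'http_method': headers.get('Method', ''),
        'user_agent': headers.get('User-Agent', ''),
    }


if __name__ == '__main__':
    for key, value in extended_http_summary(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

Because the rawdata value is quoted as a whole, the generic key=value regex has to consume quoted strings before bare tokens; otherwise the "Method=GET" and "User-Agent=" pairs inside it would be picked up as top-level fields and the header data would be lost.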
Copyright 2024 Fortinet, Inc. All Rights Reserved.