Using the event log

The Event Log table displays logs related to system-wide status and administrator activity.

Figure 59 shows the Event Log table. By default, the log is filtered to display configuration changes, and the table lists the most recent records first.

You can use the following category filters to review logs of interest:

Figure 59: Event log

Within each category, you can use Filter Setting controls to filter the table based on the values of matching data.

You can use the Download link to download the logs. Filters are applied to the set that is collected for download.

Table 106: Filter settings

| Category Filters | Data Filters |
| --- | --- |
| Configuration | Date, Time, Priority (Log Level), User, Action |
| System | Date, Time, Priority (Log Level), Submod, User, Action, Status |
| Admin | Date, Time, Priority (Log Level), User, Action, Status |
| User | Date, Time, Log Level, User, Action, Status |
| Health Check | Date, Time, Priority (Log Level), Module, Policy, Group, Member, Status |
| SLB, LLB, GLB, Firewall | Date, Time, Priority (Log Level), Module, Policy, Group, Member, Status, Action |

The last column in each table includes a link to log details.

Before you begin:

To view and filter the log:
  1. Go to Log & Report > Log Browsing.
  2. The log page displays the Event Logs tab.
  3. Select the category of interest.
  4. Click Filter Settings to display the filter tools.
  5. Use the tools to filter on key columns and values.
  6. Click OK to apply the filter and redisplay the log.

Table 107 through Table 112 list the log columns for the event log types in the order in which they appear in the log.

Table 107: Event log — Config

| Column | Example | Description |
| --- | --- | --- |
| date | date=2014-12-01 | Log date. |
| time | time=15:50:37 | Log time. |
| log_id | log_id=0000000085 | Log ID. |
| type | type=event | Log type. |
| subtype | subtype=config | Log subtype. |
| pri | pri=information | Log level. |
| vd | vd=root | Virtual domain. |
| msg_id | msg_id=522000 | Message ID. |
| user | user=admin | User that performed the operation. |
| ui | ui=GUI(172.30.144.8) | User interface from which the operation was performed. |
| action | action=add | Administrator action: add, edit, delete. |
| cfgpath | cfgpath=firewall qos-queue | Configuration that was changed. |
| cfgobj | cfgobj=name | Configuration setting changed. |
| cfgattr | cfgattr=queue | Configuration value changed. |
| logdesc | logdesc=Change the configuration | A column added for compatibility with FortiAnalyzer. |
| msg | msg=added a new entry 'queue' for "firewall qos-queue" on domain "root" | Log message. |

Table 108: Event log — System

| Column | Example | Description |
| --- | --- | --- |
| date | date=2014-12-01 | Log date. |
| time | time=16:00:09 | Log time. |
| log_id | log_id=0003000011 | Log ID. |
| type | type=event | Log type. |
| subtype | subtype=system | Log subtype. |
| pri | pri=error | Log level. |
| vd | vd=root | Virtual domain. |
| msg_id | msg_id=522008 | Message ID. |
| submod | submod=update | System submodule. |
| user | user=none | None. |
| ui | ui=none | None. |
| action | action=update | System action, such as (firmware) update, HA join and leave, and the like. |
| status | status=failure | Status message: success or failure. |
| logdesc | logdesc=Update FortiGuard | A column added for compatibility with FortiAnalyzer. |
| msg | msg= | Log message (if any). |

Table 109: Event log — Admin

| Column | Example | Description |
| --- | --- | --- |
| date | date=2014-12-01 | Log date. |
| time | time=15:44:38 | Log time. |
| log_id | log_id=0001016834 | Log ID. |
| type | type=event | Log type. |
| subtype | subtype=admin | Log subtype. |
| pri | pri=information | Log level. |
| vd | vd=root | Virtual domain. |
| msg_id | msg_id=521996 | Message ID. |
| user | user=admin | User that performed the operation. |
| ui | ui=GUI(172.30.144.8) | User interface from which the operation was performed. |
| action | action=logout | System action. |
| status | status=success | Status message: success or failure. |
| reason | reason=none | Reason string (if any). |
| logdesc | logdesc=Admin login | A column added for compatibility with FortiAnalyzer. |
| msg | msg=User admin logout from GUI(172.30.144.8). | Log message. |

Table 110: Event log — User

| Column | Example | Description |
| --- | --- | --- |
| date | date=2014-12-01 | Log date. |
| time | time=15:44:38 | Log time. |
| log_id | log_id=0001016834 | Log ID. |
| type | type=event | Log type. |
| subtype | subtype=user | Log subtype. |
| pri | pri=information | Log level. |
| vd | vd=root | Virtual domain. |
| msg_id | msg_id=521996 | Message ID. |
| user | user=user1 | User name. |
| usergrp | usergrp=customerABC | User group. |
| policy | policy=membersOnly | Authentication policy. |
| action | action=login | System action. |
| status | status=success | Status message: success or failure. |
| reason | reason=none | Reason string (if any). |
| logdesc | logdesc= | A column added for compatibility with FortiAnalyzer. |
| msg | msg=User admin logout from GUI(172.30.144.8). | Log message. |

Table 111: Event log — Health Check

| Column | Example | Description |
| --- | --- | --- |
| date | date=2015-12-30 | Log date. |
| time | time=12:07:47 | Log time. |
| log_id | log_id=2002502 | Log ID. |
| type | type=event | Log type. |
| subtype | subtype=health | Log subtype. |
| pri | pri=alert | Log level. |
| vd | vd=root | Virtual domain. |
| msg_id | msg_id=35661161 | Message ID. |
| module | smodule=slb | System module: slb, llb. |
| policy | policy=HTTPS_VIP | Virtual server configuration to which the event applies. |
| group | group=test2 | Real server pool group or link group. |
| member | member=1 | Real server member ID or gateway ID. |
| attrtype | attrtype=none | Attribute type (if any). |
| attrname | attrname=none | Attribute type (if any). |
| action | action=health_check | Type of message: health check. |
| status | status=failure | Health check result: success or failure. |
| logdesc | logdesc=SLB Virtual server change state | A column added for compatibility with FortiAnalyzer. |
| msg | msg=Virtual server HTTPS_VIP, status is down | Log message. |

Table 112: Event log — SLB, LLB, GLB, Firewall

| Column | Example | Description |
| --- | --- | --- |
| date | date=2016-01-13 | Log date. |
| time | time=08:30:12 | Log time. |
| log_id | log_id=0005001704 | Log ID. |
| type | type=event | Log type. |
| subtype | subtype=slb | Log subtype: dns (glb), slb, llb, fw. |
| pri | pri=alert | Log level. |
| vd | vd=root | Virtual domain. |
| msg_id | msg_id=115208 | Message ID. |
| policy | policy=L7vs_tcps | Policy to which the event applies—the virtual server configuration name, for example. |
| group | group=none | Real server pool group or link group. |
| member | member=none | Real server member ID or gateway ID. |
| attrtype | attrtype=none | Additional configuration attributes, if applicable. |
| attrname | attrname=none | Additional configuration values, if applicable. |
| action | action=ssl | Module that took action. |
| status | status=failure | Status of action. |
| logdesc | logdesc=SLB SSL Handshake | A column added for compatibility with FortiAnalyzer. |
| msg | msg=Client 31.1.1.103 failed to establish SSL connection with VS 41.1.1.123 | Log message. |

The value "none" appears in logs when the value is irrelevant to the status or action. For example, a health check log for a virtual server shows "none" in the Group and Member columns even though its real server pool and members are known—these details are just not relevant. Likewise, a health check log for a real server pool member shows "none" in the Policy column even though its virtual server is known.
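
As an added example (not FortiADC code and not part of the original page), the following Python parser splits event log lines by the column order given in Tables 107 and 108, so that values containing spaces stay intact. It assumes a raw log line is the tables' Example values joined by single spaces in the documented order; `parse_event` and the two sample lines are constructed for illustration.

```python
import re

# Column order copied from Tables 107 (config) and 108 (system) on this page.
COMMON = ["date", "time", "log_id", "type", "subtype", "pri", "vd", "msg_id"]
COLUMNS = {
    "config": COMMON + ["user", "ui", "action", "cfgpath", "cfgobj",
                        "cfgattr", "logdesc", "msg"],
    "system": COMMON + ["submod", "user", "ui", "action", "status",
                        "logdesc", "msg"],
}

def parse_event(line):
    """Split one event log line into a dict; values may contain spaces."""
    m = re.search(r"(?:^| )subtype=(\w+)", line)
    if not m or m.group(1) not in COLUMNS:
        raise ValueError("missing or unsupported subtype")
    keys = COLUMNS[m.group(1)]
    # msg is the last, free-text column: everything after its marker belongs to it.
    head, sep, msg = (" " + line.strip()).partition(" msg=")
    if not sep:
        raise ValueError("no msg field")
    marks = []
    for key in keys[:-1]:
        marker = f" {key}="
        # Fail closed when a marker is absent or repeated: the split is ambiguous.
        if head.count(marker) != 1:
            raise ValueError(f"field {key!r} missing or repeated")
        marks.append((head.index(marker), len(marker), key))
    if marks != sorted(marks):
        raise ValueError("fields out of documented order")
    ends = [start for start, _, _ in marks[1:]] + [len(head)]
    record = {key: head[start + width:end]
              for (start, width, key), end in zip(marks, ends)}
    record["msg"] = msg
    # "none" marks a value that does not apply to this event, per the page's note.
    return {k: (None if v == "none" else v) for k, v in record.items()}

# Constructed samples: the Example column values of Tables 107 and 108, space-joined.
CONFIG_LINE = ('date=2014-12-01 time=15:50:37 log_id=0000000085 type=event '
               'subtype=config pri=information vd=root msg_id=522000 user=admin '
               'ui=GUI(172.30.144.8) action=add cfgpath=firewall qos-queue '
               'cfgobj=name cfgattr=queue logdesc=Change the configuration '
               'msg=added a new entry \'queue\' for "firewall qos-queue" on domain "root"')
SYSTEM_LINE = ('date=2014-12-01 time=16:00:09 log_id=0003000011 type=event '
               'subtype=system pri=error vd=root msg_id=522008 submod=update '
               'user=none ui=none action=update status=failure '
               'logdesc=Update FortiGuard msg=')
```

A line in which any key marker appears twice before `msg=` is rejected rather than guessed at, so a record whose values cannot be attributed with certainty never reaches a report or alert rule.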