Using the traffic log

The Traffic Log table displays logs related to traffic served by the FortiADC deployment.

Figure 61 shows the Traffic log table. By default, the log is filtered to display Server Load Balancing - Layer 4 traffic logs, and the table lists the most recent records first.

You can use the following category filters to review logs of interest:

Figure 61: Traffic log

Within each category, you can use Filter Setting controls to filter the table based on the values of matching data:

The last column in each table includes a link to log details.

Before you begin:

To view and filter the log:
  1. Go to Log & Report > Log Access > Traffic Logs to display the traffic log.
  2. Click Filter Settings to display the filter tools.
  3. Use the tools to filter on key columns and values.
  4. Click Apply to apply the filter and redisplay the log.

Table 117 to Table 122 list the log columns in the order in which they appear in the log.

Table 117: SLB Layer 4 and SLB TCPS logs

| Column | Example | Description |
|---|---|---|
| date | date=2014-12-01 | Log date. |
| time | time=07:50:36 | Log time. |
| log_id | log_id=0102007810 | Log ID. |
| type | type=traffic | Log type. |
| subtype | subtype=slb_tcps | Log subtype: slb_layer4, slb_tcps. |
| pri | pri=information | Log level. |
| vd | vd=root | Virtual domain. |
| msg_id | msg_id=522030 | Message ID. |
| duration | duration=55 | Session duration. |
| ibytes | ibytes=138 | Bytes in. |
| obytes | obytes=303 | Bytes out. |
| proto | proto=6 | Protocol. |
| service | service=tcps | Service. |
| src | src=31.1.1.103 | Source IP address in traffic received by FortiADC. |
| src_port | src_port=5534 | Source port. |
| dst | dst=21.1.1.101 | Destination IP address in traffic received by FortiADC (IP address of the virtual server). |
| dst_port | dst_port=443 | Destination port. |
| trans_src | trans_src=31.1.1.103 | Source IP address in packet sent from FortiADC. Address might have been translated. |
| trans_src_port | trans_src_port=5534 | Source port in packet sent from FortiADC. |
| trans_dst | trans_dst=21.1.1.101 | Destination IP address in packet sent from FortiADC (IP address of the real server). |
| trans_dst_port | trans_dst_port=443 | Destination port in packet sent from FortiADC. |
| policy | policy=L7vs | Virtual server name. |
| action | action=none | For most logs, action=none. |
| srccountry | srccountry=Reserved | Location of the source IP address. |
| dstcountry | dstcountry=Reserved | Location of the destination IP address. |
| real_server | real_server=2_2_2_10 | Real server configured name. |

Table 118: SLB HTTP logs

| Column | Example | Description |
|---|---|---|
| date | date=2014-12-01 | Log date. |
| time | time=07:50:36 | Log time. |
| log_id | log_id=0102007810 | Log ID. |
| type | type=traffic | Log type. |
| subtype | subtype=slb_http | Log subtype: slb_http. |
| pri | pri=information | Log level. |
| vd | vd=root | Virtual domain. |
| msg_id | msg_id=522030 | Message ID. |
| duration | duration=55 | Session duration. |
| ibytes | ibytes=138 | Bytes in. |
| obytes | obytes=303 | Bytes out. |
| proto | proto=6 | Protocol. |
| service | service=http | Service. |
| src | src=31.1.1.103 | Source IP address in traffic received by FortiADC. |
| src_port | src_port=5534 | Source port. |
| dst | dst=21.1.1.101 | Destination IP address in traffic received by FortiADC (IP address of the virtual server). |
| dst_port | dst_port=443 | Destination port. |
| trans_src | trans_src=31.1.1.103 | Source IP address in packet sent from FortiADC. Address might have been translated. |
| trans_src_port | trans_src_port=5534 | Source port in packet sent from FortiADC. |
| trans_dst | trans_dst=21.1.1.101 | Destination IP address in packet sent from FortiADC (IP address of the real server). |
| trans_dst_port | trans_dst_port=443 | Destination port in packet sent from FortiADC. |
| policy | policy=L7vs | Virtual server name. |
| action | action=none | For most logs, action=none. |
| http_method | http_method=get | HTTP method. |
| http_host | http_host=10.61.2.100 | Host IP address. |
| http_agent | http_agent=curl/7.29.0 | HTTP agent. |
| http_url | http_url=/ip.php | Base URL. |
| http_qry | http_qry=unknown | URL parameters after the base URL. |
| http_cookie | http_cookie=unknown | Cookie name. |
| http_retcode | http_retcode=200 | HTTP return code. |
| user | user=user1 | User name. |
| usergrp | usergrp=companyABC | User group. |
| auth_status | auth_status=success | Authentication success/failure. |
| srccountry | srccountry=Reserved | Location of the source IP address. |
| dstcountry | dstcountry=Reserved | Location of the destination IP address. |
| real_server | real_server=2_2_2_10 | Real server configured name. |

Table 119: SLB RADIUS log

| Column | Example | Description |
|---|---|---|
| date | date=2014-12-01 | Log date. |
| time | time=07:50:36 | Log time. |
| log_id | log_id=0102007810 | Log ID. |
| type | type=traffic | Log type. |
| subtype | subtype=slb_radius | Log subtype: slb_radius. |
| pri | pri=information | Log level. |
| vd | vd=root | Virtual domain. |
| msg_id | msg_id=522030 | Message ID. |
| duration | duration=55 | Session duration. |
| ibytes | ibytes=138 | Bytes in. |
| obytes | obytes=303 | Bytes out. |
| proto | proto=6 | Protocol. |
| service | service=radius | Service. |
| src | src=31.1.1.103 | Source IP address in traffic received by FortiADC. |
| src_port | src_port=5534 | Source port. |
| dst | dst=21.1.1.101 | Destination IP address in traffic received by FortiADC (IP address of the virtual server). |
| dst_port | dst_port=443 | Destination port. |
| trans_src | trans_src=31.1.1.103 | Source IP address in packet sent from FortiADC. Address might have been translated. |
| trans_src_port | trans_src_port=5534 | Source port in packet sent from FortiADC. |
| trans_dst | trans_dst=21.1.1.101 | Destination IP address in packet sent from FortiADC (IP address of the real server). |
| trans_dst_port | trans_dst_port=443 | Destination port in packet sent from FortiADC. |
| policy | policy=L7vs | Virtual server name. |
| action | action=none | For RADIUS, action=auth or acct. |
| user | user=user1 | RADIUS accounting username. |
| srccountry | srccountry=Reserved | Location of the source IP address. |
| dstcountry | dstcountry=Reserved | Location of the destination IP address. |
| real_server | real_server=2_2_2_10 | Real server configured name. |

Table 120: SLB RDP logs

| Column | Example | Description |
|---|---|---|
| date | date=2016-03-18 | Log date. |
| time | time=11:48:29 | Log time. |
| log_id | log_id=107005800 | Log ID. |
| type | type=traffic | Log type. |
| subtype | subtype=slb_rdp | Log subtype: slb_rdp. |
| pri | pri=information | Log level. |
| vd | vd=root | Virtual domain. |
| msg_id | msg_id=1321705 | Message ID. |
| duration | duration=2 | Session duration. |
| ibytes | ibytes=92 | Bytes in. |
| obytes | obytes=400 | Bytes out. |
| proto | proto=6 | Protocol. |
| service | service=http | Service. |
| src | src=192.168.1.1 | Source IP address in traffic received by FortiADC. |
| src_port | src_port=37869 | Source port. |
| dst | dst=192.168.1.142 | Destination IP address in traffic received by FortiADC (IP address of the virtual server). |
| dst_port | dst_port=8080 | Destination port. |
| trans_src | trans_src=2.2.2.2 | Source IP address in packet sent from FortiADC. Address might have been translated. |
| trans_src_port | trans_src_port=58661 | Source port in packet sent from FortiADC. |
| trans_dst | trans_dst=2.2.2.10 | Destination IP address in packet sent from FortiADC (IP address of the real server). |
| trans_dst_port | trans_dst_port=80 | Destination port in packet sent from FortiADC. |
| policy | policy=vs-l7 | Virtual server name. |
| action | action=none | For most logs, action=none. |
| srccountry | srccountry=Reserved | Location of the source IP address. |
| dstcountry | dstcountry=Reserved | Location of the destination IP address. |
| real_server | real_server=r_22210 | Real server configured name. |

Table 121: SLB SIP logs

| Column | Example | Description |
|---|---|---|
| date | date=2016-01-29 | Log date. |
| time | time=18:06:48 | Log time. |
| log_id | log_id=0106001134 | Log ID. |
| type | type=traffic | Log type. |
| subtype | subtype=slb_sip | Log subtype: slb_sip. |
| pri | pri=information | Log level. |
| vd | vd=root | Virtual domain. |
| msg_id | msg_id=154799 | Message ID. |
| duration | duration=1 | Session duration. |
| ibytes | ibytes=44346 | Bytes in. |
| obytes | obytes=2.2.2.10 | Bytes out. |
| proto | proto=6 | Protocol. |
| service | service=http | Service. |
| src | src=N/A | Source IP address in traffic received by FortiADC. |
| src_port | src_port=43672 | Source port. |
| dst | dst=192.168.1.142 | Destination IP address in traffic received by FortiADC (IP address of the virtual server). |
| dst_port | dst_port=8080 | Destination port. |
| trans_src | trans_src=2.2.2.2 | Source IP address in packet sent from FortiADC. Address might have been translated. |
| trans_src_port | trans_src_port=80 | Source port in packet sent from FortiADC. |
| trans_dst | trans_dst=N/A | Destination IP address in packet sent from FortiADC (IP address of the real server). |
| trans_dst_port | trans_dst_port=none | Destination port in packet sent from FortiADC. |
| policy | policy=invite | Virtual server name. |
| action | action=sip: bob@1.1.1.1 v2.0 | Invite sent to. |
| sip_method | sip_method=from: alice@2.2.2.2 | Invite sent from. |
| sip_uri | sip_uri=to: server@3.3.3.3 | SIP server IP address. |
| sip_from | sip_from=callid:1111111 | SIP call ID. |
| sip_to | sip_to=200 | |
| sip_callid | sip_callid=Reserved | Reserved. |
| sip_retcode | sip_retcode=Reserved | Reserved. |
| srccountry | srccountry=Reserved | Location of the source IP address. |
| dstcountry | dstcountry=Reserved | Location of the destination IP address. |
| real_server | real_server=2_2_2_10 | Real server configured name. |

Table 122: GLB log

| Column | Example | Description |
|---|---|---|
| date | date=2014-12-01 | Log date. |
| time | time=07:50:36 | Log time. |
| log_id | log_id=0102007810 | Log ID. |
| type | type=traffic | Log type. |
| subtype | subtype=dns | Log subtype: dns. |
| pri | pri=information | Log severity. |
| vd | vd=root | Virtual domain. |
| msg_id | msg_id=522030 | Message ID. |
| proto | proto=6 | Protocol. |
| src | src=31.1.1.103 | Source IP address. |
| src_port | src_port=5534 | Source port. |
| dst | dst=21.1.1.101 | Destination IP address. |
| dst_port | dst_port=443 | Destination port. |
| policy | policy=policy | Global load balancing policy name. |
| action | action=none | For most logs, action=none. |
| fqdn | fqdn=pool.ntp.org | FQDN from client request. |
| resip | resip=4.53.160.75 | DNS response IP address. |
| srccountry | srccountry=Reserved | Location of the source IP address. |
| dstcountry | dstcountry=Reserved | Location of the destination IP address. |
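
For review outside the web UI, the columns in Table 117 and Table 118 can be parsed from exported records and triaged by source. The following is an added example, not code from the FortiADC documentation: it assumes a record is one line of space-separated key=value pairs with quoted values where spaces occur, it treats any auth_status other than success as a failure, and all sample records and helper names are constructed.

```python
import re
from collections import Counter

# Assumption: one record per line, space-separated key=value pairs using the
# column names from Tables 117/118; values containing spaces are double-quoted.
PAIR = re.compile(r'(\w+)=("[^"]*"|\S*)')

# Constructed sample records (abbreviated column set, values modelled on the tables).
SAMPLE = """\
date=2014-12-01 time=07:50:36 type=traffic subtype=slb_http src=31.1.1.103 trans_src=31.1.1.103 policy=L7vs http_agent="curl/7.29.0" http_retcode=200 user=user1 auth_status=success
date=2014-12-01 time=07:50:41 type=traffic subtype=slb_http src=31.1.1.104 trans_src=31.1.1.104 policy=L7vs http_agent="constructed agent 1.0" http_retcode=401 user=user1 auth_status=failure
date=2014-12-01 time=07:50:43 type=traffic subtype=slb_http src=31.1.1.104 trans_src=31.1.1.104 policy=L7vs http_agent="constructed agent 1.0" http_retcode=401 user=user1 auth_status=failure
date=2014-12-01 time=07:51:02 type=traffic subtype=slb_layer4 src=31.1.1.103 trans_src=2.2.2.2 policy=L7vs action=none
"""

def parse_record(line):
    """Return one log line as a dict of column -> value, quotes stripped."""
    return {key: value.strip('"') for key, value in PAIR.findall(line)}

def parse_log(text, subtype=None):
    """Parse all traffic records, optionally keeping only one subtype."""
    records = [parse_record(line) for line in text.splitlines() if line.strip()]
    return [r for r in records
            if r.get("type") == "traffic"
            and (subtype is None or r.get("subtype") == subtype)]

def failed_auth_by_source(records):
    """Count records per (src, policy) whose auth_status is present and not 'success'."""
    hits = Counter()
    for r in records:
        status = r.get("auth_status")
        if status is not None and status != "success":
            hits[(r.get("src"), r.get("policy"))] += 1
    return hits

def translated_sources(records):
    """Records where the address FortiADC sent (trans_src) differs from src."""
    return [r for r in records
            if "trans_src" in r and r.get("src") != r["trans_src"]]

if __name__ == "__main__":
    http = parse_log(SAMPLE, subtype="slb_http")
    for (src, policy), count in failed_auth_by_source(http).most_common():
        print(f"{count} failed authentications from {src} on virtual server {policy}")
    for r in translated_sources(parse_log(SAMPLE)):
        print(f"{r['src']} was translated to {r['trans_src']} ({r['subtype']})")
```

When correlating with real-server logs, match on trans_src rather than src, because the real server sees the translated address.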