Using Logs and Reports : Configuring remote log server settings for the DDoS attack log
 
Configuring remote log server settings for the DDoS attack log
The DDoS attack log remote server configuration applies to security event data (the attack logs), not to the system event logs, which have their own remote server configuration. You configure a separate remote log server entry for each SPP.
Before you begin:
You must have Read-Write permission for Log & Report settings.
See also: “Configuring remote log server settings for event logs”.
To configure remote log settings for the DDoS attack log:
1. Go to Log & Report > Log Configuration > DDoS Attack Log Remote.
2. Complete the configuration as described in Table 56.
3. Save the configuration.
Figure 90: DDoS Attack Log remote logging configuration page
 
Table 56: DDoS Attack Log remote logging configuration guidelines
Setting: Guidelines
Name: Configuration name.
Enable: Select to enable sending DDoS attack logs to a remote server.
SPP: Select the SPP whose attack logs are sent to the remote server. You can specify only one remote log server for each SPP.
Address: IP address of the FortiAnalyzer or syslog server.
Port: Listening port number of the FortiAnalyzer or syslog server. Usually this is UDP port 514. Note that syslog over UDP is unauthenticated and offers no delivery guarantee, so attack log messages can be lost in transit, in particular under the volumetric conditions they report.
The following is an example of a DDoS attack syslog message:
Apr 24 13:22:08 192.168.205.202 devid=FI800B3913000004 date=2015-04-23 time=01:10:00 tz=PDT type=attack spp=0 evecode=1 evesubcode=14 description="IP Header checksum error" dir=1 sip=0.0.0.0 dip=10.10.0.1 subnet_name=VID0 subnet_comment=Dept_0 dropcount=684138
Table 57 identifies the fields in the DDoS attack syslog message. Note that the first two fields (timestamp and address) are added by the syslog transport when the message is sent; the event itself is timestamped by the date, time and tz fields, which in the example above differ from the syslog timestamp by more than a day.
Table 57: DDoS attack syslog fields
Field: Example
Syslog send timestamp: Apr 24 13:22:08
Syslog server IP address: 192.168.205.202
Device ID: devid=FI800B3913000004
Log datestamp: date=2015-04-23
Log timestamp: time=01:10:00
Log time zone: tz=PDT
Log type: type=attack
SPP ID: spp=0
Event code: evecode=1
Event subcode: evesubcode=14
Event type: description="IP Header checksum error"
Direction (0=inbound, 1=outbound): dir=1
Source IP address: sip=0.0.0.0
Destination IP address: dip=10.10.0.1
Subnet name: subnet_name=VID0
Subnet comment: subnet_comment=Dept_0
Drop count: dropcount=684138
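The following parser is an added example, not part of the original page or of any Fortinet product, showing how a collector can turn the DDoS attack syslog message described in Table 57 into typed records: it splits the syslog header from the key=value body, handles the quoted description field, maps dir to the documented inbound/outbound meaning, builds the event time from the date and time fields rather than the syslog send timestamp, and flags events whose drop count crosses a threshold. The sample messages are constructed for the example; the first copies the page's own message, and the second is a made-up line whose event codes and description are placeholders, not real FortiDDoS code values.

```python
import re
from datetime import datetime

# Constructed sample messages modelled on the DDoS attack syslog format above.
# The second line is made up for testing: its evecode/evesubcode values and
# description are placeholders, not real FortiDDoS event codes.
SAMPLE_LOGS = [
    'Apr 24 13:22:08 192.168.205.202 devid=FI800B3913000004 date=2015-04-23 '
    'time=01:10:00 tz=PDT type=attack spp=0 evecode=1 evesubcode=14 '
    'description="IP Header checksum error" dir=1 sip=0.0.0.0 dip=10.10.0.1 '
    'subnet_name=VID0 subnet_comment=Dept_0 dropcount=684138',
    'Apr 24 13:22:09 192.168.205.202 devid=FI800B3913000004 date=2015-04-23 '
    'time=01:10:05 tz=PDT type=attack spp=1 evecode=9 evesubcode=9 '
    'description="placeholder test event" dir=0 sip=198.51.100.7 dip=10.10.0.5 '
    'subnet_name=VID1 subnet_comment=Dept_1 dropcount=12',
]

# Syslog header: "Mon dd HH:MM:SS", then the sending address, then the body.
HEADER_RE = re.compile(
    r'^(?P<syslog_ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<body>.+)$'
)
# key=value, where value is either a double-quoted string (may contain spaces)
# or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

INT_FIELDS = ("spp", "evecode", "evesubcode", "dir", "dropcount")
REQUIRED = ("devid", "date", "time", "tz", "type", "spp", "evecode",
            "evesubcode", "description", "dir", "sip", "dip", "dropcount")
DIRECTION = {0: "inbound", 1: "outbound"}  # as documented in Table 57


def parse_attack_log(line):
    """Parse one DDoS attack syslog line into a dict; raise ValueError if malformed."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised syslog header: %r" % line)
    rec = {"syslog_ts": m.group("syslog_ts"), "syslog_host": m.group("host")}
    for key, raw, quoted in KV_RE.findall(m.group("body")):
        rec[key] = quoted if raw.startswith('"') else raw
    missing = [k for k in REQUIRED if k not in rec]
    if missing:
        raise ValueError("missing fields %s in %r" % (missing, line))
    if rec["type"] != "attack":
        raise ValueError("not a DDoS attack log (type=%s)" % rec["type"])
    for k in INT_FIELDS:
        rec[k] = int(rec[k])
    rec["direction"] = DIRECTION.get(rec["dir"], "unknown")
    # The event time is the device's date/time, not the syslog send timestamp:
    # in the page's own example the two differ by more than a day. The tz
    # abbreviation is kept as a string; mapping it to an offset needs a tz table.
    rec["event_time"] = datetime.strptime(
        rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec


def parse_many(lines):
    """Parse a batch of lines; return (records, error messages for lines that failed)."""
    records, errors = [], []
    for line in lines:
        try:
            records.append(parse_attack_log(line))
        except ValueError as exc:
            errors.append(str(exc))
    return records, errors


def flag_high_drops(records, threshold):
    """Return records whose drop count is at or above threshold, highest first."""
    hits = [r for r in records if r["dropcount"] >= threshold]
    return sorted(hits, key=lambda r: r["dropcount"], reverse=True)


if __name__ == "__main__":
    recs, errs = parse_many(SAMPLE_LOGS)
    for r in flag_high_drops(recs, 1000):
        print("%s SPP %d %s %s -> %s dropped=%d" % (
            r["event_time"].isoformat(), r["spp"], r["description"],
            r["sip"], r["dip"], r["dropcount"]))
```

Lines that fail to parse are reported rather than silently dropped, because a gap in a DDoS attack log stream (for instance from UDP loss during the attack being reported) is itself something an operator should notice.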