config : log attack-log
 
log attack-log
Use this command to configure recording of attack log messages on the local FortiWeb disk.
 
You must enable disk log storage and select log severity levels using the config log disk command before any attack logs can be stored on disk.
Also use this command to define specific packet payloads to retain when storing attack logs.
Packet payloads can be retained for specific attack types or validation failures detected by the FortiWeb appliance. Packet payloads supplement the log message by providing the actual data that triggered the attack log, which may help you to fine-tune your regular expressions to prevent false positives. You can also examine changes to attack behavior for subsequent forensic analysis. (Alternatively, for more extensive packet logging, you can run a packet trace. See “network sniffer”.)
If the offending HTTP request exceeds 4 kilobytes (KB), the FortiWeb appliance retains only 4 KB of the part of the payload that triggered the log message.
You can view attack log packet payloads from the Packet Log column using the web UI. For details, see the FortiWeb Administration Guide.
Packet payloads can contain sensitive information. You can prevent sensitive data from being displayed in the packet payload by applying sensitivity rules that detect and obscure sensitive information. For details, see “config log sensitive”.
To use this command, your administrator account’s access control profile must have either w or rw permission to the loggrp area. For more information, see “Permissions”.
Syntax
config log attack-log
set status {enable | disable}
set http-parse-error-output {enable | disable}
set packet-log {anti-virus-detection | cookie-poison | custom-access | custom-protection-rule | hidden-fields-failed | http-protocol-constraints | illegal-file-type | illegal-xml-format | ip-intelligence | padding-oracle | parameter-rule-failed | signature-detection}
end
Variable: status {enable | disable}
Description: Enable to record attack log messages on the disk. To record attack logs, disk log storage must be enabled, and the severity levels selected using the config log disk command.
Default: enable

Variable: http-parse-error-output {enable | disable}
Description: Enable while debugging only, to log errors of the HTTP protocol parser.
Default: disable

Variable: packet-log {anti-virus-detection | cookie-poison | custom-access | custom-protection-rule | hidden-fields-failed | http-protocol-constraints | illegal-file-type | illegal-xml-format | ip-intelligence | padding-oracle | parameter-rule-failed | signature-detection}
Description: Select one or more detected attack types or validation failures. FortiWeb keeps packet payloads from its HTTP parser buffer with their associated attack log message.
Separate each attack type with a space. To add or remove a packet payload type, re-type the entire space-delimited list with the new option included or omitted.
Some options have historical names. Correlations with current feature names are:
custom-protection-rule — Custom signature detection (not predefined)
To empty this list and keep no packet payloads, effectively disabling the feature, type unset packet-log.
Default: No default.
Example
This example enables log storage on the hard disk and sets information as the minimum severity level that a log message must meet in order for the log to be stored. It also enables retention of packet payloads that triggered custom protection rules along with their correlating attack logs. (Conversely, it disables any other packet payload retention that may have been enabled before, because it completely replaces the list each time it is configured.)
config log disk
set status enable
set severity information
end
config log attack-log
set status enable
set packet-log custom-protection-rule
end
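The replace-the-whole-list behaviour of set packet-log (and the unset packet-log shortcut) is easy to get wrong when several people maintain a FortiWeb configuration. The following added example is not Fortinet code and is not part of this reference: it is a small Python model of the config log attack-log settings that applies CLI lines to an in-memory copy of the settings, rejects option names not in the documented list, and renders the resulting block. The function names (apply_line, apply_block, render_block, add_packet_log_option) and the in-memory dictionary layout are assumptions of this example; the variable names, defaults and packet-log options are the ones documented above.

```python
"""Model of the list semantics of FortiWeb's `config log attack-log`.

Added example, not Fortinet's code. It enforces the behaviour the
reference describes:
  * `set packet-log ...` replaces the whole space-delimited list,
  * `unset packet-log` empties it (no payloads retained),
  * only documented packet-log option names are accepted,
  * `set status` / `set http-parse-error-output` take enable|disable.
Function names and the settings dictionary are assumptions of this example.
"""

# Option names exactly as documented in the packet-log syntax above.
PACKET_LOG_OPTIONS = frozenset({
    "anti-virus-detection", "cookie-poison", "custom-access",
    "custom-protection-rule", "hidden-fields-failed",
    "http-protocol-constraints", "illegal-file-type", "illegal-xml-format",
    "ip-intelligence", "padding-oracle", "parameter-rule-failed",
    "signature-detection",
})

# Documented defaults; packet-log has no default, i.e. nothing retained.
DEFAULTS = {
    "status": "enable",
    "http-parse-error-output": "disable",
    "packet-log": (),
}


def apply_line(settings, line):
    """Apply one CLI line inside `config log attack-log`; returns a new dict."""
    new = dict(settings)
    tokens = line.split()
    if not tokens:
        return new
    verb, rest = tokens[0], tokens[1:]
    if verb == "unset":
        if rest != ["packet-log"]:
            raise ValueError(f"unsupported unset: {line!r}")
        new["packet-log"] = ()          # keep no packet payloads at all
        return new
    if verb != "set" or not rest:
        raise ValueError(f"unrecognised line: {line!r}")
    key, values = rest[0], rest[1:]
    if key in ("status", "http-parse-error-output"):
        if values not in (["enable"], ["disable"]):
            raise ValueError(f"{key} takes enable or disable, got {values}")
        new[key] = values[0]
    elif key == "packet-log":
        unknown = sorted(set(values) - PACKET_LOG_OPTIONS)
        if unknown:
            raise ValueError(f"unknown packet-log option(s): {unknown}")
        # The whole list is replaced, never merged, on every set.
        new["packet-log"] = tuple(dict.fromkeys(values))
    else:
        raise ValueError(f"unknown variable: {key}")
    return new


def apply_block(lines, settings=None):
    """Apply the `set`/`unset` lines of one config block in order."""
    settings = dict(DEFAULTS if settings is None else settings)
    for line in lines:
        settings = apply_line(settings, line)
    return settings


def add_packet_log_option(settings, option):
    """Add one option while keeping the others: the CLI has no append, so
    the complete list must be re-typed, which is what this helper does."""
    current = list(settings["packet-log"])
    if option not in current:
        current.append(option)
    return apply_line(settings, "set packet-log " + " ".join(current))


def render_block(settings):
    """Emit a CLI block that reproduces `settings` (page's own layout)."""
    out = [
        "config log attack-log",
        f"set status {settings['status']}",
        f"set http-parse-error-output {settings['http-parse-error-output']}",
    ]
    if settings["packet-log"]:
        out.append("set packet-log " + " ".join(settings["packet-log"]))
    else:
        out.append("unset packet-log")
    out.append("end")
    return "\n".join(out)


if __name__ == "__main__":
    s = apply_block(["set status enable",
                     "set packet-log signature-detection padding-oracle"])
    # A later `set packet-log` silently drops the two options above.
    s = apply_block(["set packet-log custom-protection-rule"], s)
    print(render_block(s))
    # Re-typing the full list is the only way to add without losing entries.
    s = add_packet_log_option(s, "signature-detection")
    print(render_block(s))
```

Running the module shows the first block retaining payloads only for custom-protection-rule, matching the page's example, and the second block retaining both custom-protection-rule and signature-detection. Feeding a transcript of the lines an operator intends to paste into the appliance through apply_block before applying them is a cheap way to catch an unintended list replacement or a misspelled option.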
Related topics
config log sensitive
config log custom-sensitive-rule
config log event-log
config log traffic-log
diagnose debug application miglogd
diagnose log