Logging

To diagnose problems or track actions that the FortiWeb appliance performs as it receives and processes traffic, configure the FortiWeb appliance to record log messages.

Log messages can record attack, system, and/or traffic events. They are also the source of information for alert email and many types of reports.

When you configure protection profiles, many components include an Action option that determines the response to a detected violation. Actions combine with severity levels and trigger policies to determine whether and where a log message, message on the Attack Log Console widget, SNMP trap, and/or alert email will be generated.

Dialog showing actions, severity level, and triggers that affect logging

Before logging will occur, however, you must first enable and configure it.

About logs & logging

FortiWeb appliances can log many different network activities and traffic including:

Each type can be useful during troubleshooting or forensic investigation. For more information about log types, see Log types.

You can select a priority level that log messages must meet in order to be recorded. For more information, see Log severity levels.

For a detailed description of each FortiWeb log message, as well as log message structure, see the FortiWeb Log Message Reference.

The FortiWeb appliance can save log messages to its memory, or to a remote location such as a Syslog server or FortiAnalyzer appliance. For more information, see Configuring logging. The FortiWeb appliance can also use log messages as the basis for reports. For more information, see Reports.

The FortiWeb appliance also displays event and attack log messages on the dashboard. For more information, see Attack Log widget and Event Log Console widget.

Log types

Each log message contains a Type (type) field that indicates its category, and in which log file it is stored.

FortiWeb appliances can record the following categories of log messages:

Log types

Log type   Description
Event      Displays administrative events, such as downloading a backup copy of the configuration, and hardware failures.
Traffic    Displays traffic flow information, such as HTTP/HTTPS requests and responses.
Attack     Displays attack and intrusion attempt events.

Avoid recording highly frequent log types such as traffic logs to the local hard disk for an extended period of time. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.

Log severity levels

Each log message contains a Severity (pri) field that indicates the severity of the event that caused the log message, such as pri=warning.

Log severity levels (level 0 is the greatest severity)

Level   Name           Description
0       Emergency      The system has become unusable.
1       Alert          Immediate action is required.
2       Critical       Functionality is affected.
3       Error          An error condition exists and functionality could be affected.
4       Warning        Functionality could be affected.
5       Notification   Information about normal events.
6       Information    General information about system operations.

For each location where the FortiWeb appliance can store log files (disk, memory, Syslog or FortiAnalyzer), you can define a severity threshold. The FortiWeb appliance will store all log messages equal to or exceeding the log severity level you select.

For example, if you select Error, the FortiWeb appliance will store log messages whose log severity level is Error, Critical, Alert, and Emergency.

Avoid recording log messages using low log severity thresholds such as information or notification to the local hard disk for an extended period of time. A low log severity threshold is one possible cause of frequent logging. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.

For more information, see Configuring log destinations.

Log rate limits

When FortiWeb is defending your network against a DoS attack, the last thing you need is for performance to decrease due to logging, compounding the effects of the attack. By the nature of the attack, these log messages will likely be repetitive anyway. Similarly, repeated attack log messages for a client that has become subject to a period block yet continues to send requests are of little value, and may actually distract you from other, unrelated attacks.

To optimize logging performance and help you to notice important new information, within a specific time frame, FortiWeb will only make one log entry for these repetitive events. It will not log every occurrence. To adjust the interval at which FortiWeb will record identical log messages during an ongoing attack, see max-dos-alert-interval <seconds_int> in the FortiWeb CLI Reference.
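To make the severity threshold rule and the repeat-suppression behaviour concrete, here is an added Python example (not FortiWeb code and not from this guide): it parses constructed raw field=value log lines, keeps only those at or above a destination's severity threshold (remembering that 0 is the most severe level), and collapses identical attack messages that recur within an interval. The ts= epoch field and the (src, dst, msg) notion of "identical" are assumptions for illustration.

```python
import re

# Numeric severity levels as they appear in the pri= field: 0 is the most severe.
SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "information": 6,
}

# One key=value pair; values may be double-quoted and contain spaces.
_PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_raw_line(line):
    """Turn a raw single-line field=value log message into a dict of strings."""
    fields = {}
    for key, value in _PAIR_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def meets_threshold(fields, threshold_name):
    """True if the message is at least as severe as the destination's threshold.

    Because 0 is the greatest severity, 'equal to or exceeding' the threshold
    means a numerically lower-or-equal level, not a higher one.
    """
    level = SEVERITY[fields["pri"].lower()]
    return level <= SEVERITY[threshold_name.lower()]


class RepeatSuppressor:
    """Keep the first copy of an identical attack message per interval, drop the rest."""

    def __init__(self, interval_seconds):
        self.interval = interval_seconds
        self.last_emitted = {}  # identity -> timestamp of the last kept copy

    @staticmethod
    def identity(fields):
        # Assumed notion of 'identical': same source, destination and message text.
        return (fields.get("src"), fields.get("dst"), fields.get("msg"))

    def accept(self, fields, now):
        key = self.identity(fields)
        last = self.last_emitted.get(key)
        if last is not None and now - last < self.interval:
            return False
        self.last_emitted[key] = now
        return True


def filter_for_destination(lines, threshold_name, interval_seconds):
    """Return the parsed messages a destination with this threshold would store.

    Attack messages that repeat an earlier one within interval_seconds are
    collapsed to the first occurrence; event and traffic messages are not.
    The ts= field (seconds) is a constructed timestamp for this example.
    """
    suppressor = RepeatSuppressor(interval_seconds)
    kept = []
    for line in lines:
        fields = parse_raw_line(line)
        if not meets_threshold(fields, threshold_name):
            continue
        if fields.get("type") == "attack":
            if not suppressor.accept(fields, float(fields["ts"])):
                continue
        kept.append(fields)
    return kept


# Constructed sample lines; field names other than type= and pri= are illustrative.
SAMPLE_LINES = [
    'ts=1000 type=event pri=information msg="Administrator logged in"',
    'ts=1001 type=attack pri=warning src=192.0.2.10 dst=198.51.100.5 msg="Signature match"',
    'ts=1002 type=attack pri=warning src=192.0.2.10 dst=198.51.100.5 msg="Signature match"',
    'ts=1005 type=attack pri=warning src=192.0.2.10 dst=198.51.100.5 msg="Signature match"',
    'ts=1006 type=attack pri=warning src=192.0.2.77 dst=198.51.100.5 msg="Signature match"',
    'ts=1031 type=attack pri=warning src=192.0.2.10 dst=198.51.100.5 msg="Signature match"',
    'ts=1040 type=event pri=error msg="Log disk usage exceeded threshold"',
    'ts=1041 type=traffic pri=notification src=192.0.2.30 dst=198.51.100.5 msg="GET /index.html"',
]

if __name__ == "__main__":
    # With a Warning threshold and a 30-second interval, four of the eight lines survive.
    for fields in filter_for_destination(SAMPLE_LINES, "warning", 30):
        print(fields["ts"], fields["type"], fields["pri"], fields["msg"])
```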

Configuring logging

You can configure the FortiWeb appliance to store log messages either locally (that is, to the hard disk) and/or remotely (that is, on a Syslog or ArcSight server or FortiAnalyzer appliance). Your choice of storage location may be affected by several factors, including the following.

For information on viewing locally stored log messages, see Viewing log messages.

To configure logging

1.  Set the severity level threshold that log messages must meet or exceed in order to be sent to each log storage device. If you will store logs remotely, also configure connectivity information such as the IP address. See Configuring log destinations, Configuring Syslog settings, Configuring FortiAnalyzer policies, and Configuring SIEM policies.

2.  Group Syslog, FortiAnalyzer, and SIEM settings and select those groups in Trigger Action settings throughout the configuration of web protection features. See Configuring triggers.

3.  Enable logging in general. See Enabling log types, packet payload retention, & resource shortage alerts.

4.  If you want to log attacks, select an Alert option as the Action setting when configuring attack protection.

5.  Monitor your log messages via the web UI or through alert email for events that require action from network administrators. See Viewing log messages and Alert email. Configure reports that are derived from log data to review trends in your network. See Reports.

Enabling log types, packet payload retention, & resource shortage alerts

You can enable or disable logging for each log type, as well as configure system alert thresholds, and which policy violations should cause the appliance to retain the TCP/IP packet payload (HTTP headers and a portion of the HTTP body, if any) that can be viewed with its corresponding log message.

For more information on log types, see Log types.

To enable logging

1.  Go to Log&Report > Log Config > Other Log Settings.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.

2.  Configure these settings:

Enable Attack Log

Enable to log violations of attack policies, such as server information disclosure and attack signature matches, if that feature is configured such that Action is set to Alert, Alert & Deny, or Alert & Erase.

Enable Traffic Log

Enable to log traffic events such as HTTP requests and responses, and the expiration of HTTP sessions.

Tip: Because resources for this feature increase as your traffic increases, if you do not need traffic data, disable this feature to improve performance and improve hardware life.

Enable Traffic Packet Log

Enable to retain the packet payloads of all HTTP request traffic.

Unlike attack packet payloads, only HTTP request traffic packets are retained (not HTTP responses), and only the first 4 KB of the payload from the buffer of FortiWeb’s HTTP parser.

Packet payloads supplement the log message by providing the actual request body, which may help you to fine-tune your regular expressions to prevent false negatives, or to examine changes to attack behavior for subsequent forensic analysis.

To view packet payloads, see Viewing packet payloads.

Tip: Retaining traffic packet payloads is resource intensive. To improve performance, only enable this option while necessary.

Enable Event Log

Enable to log local events, such as administrator logins or rebooting the FortiWeb appliance.

Ignore SSL Errors

Allows you to stop FortiWeb from logging SSL errors. This is useful when you use high-level security settings, which generate a high volume of these types of errors.

Retain Packet Payload For

Mark the check boxes of the attack types or validation failures to retain the buffer from FortiWeb’s HTTP parser. Packet retention is enabled by default for most types.

Packet payloads supplement the log message by providing part of the actual data that matched the regular expression, which may help you to fine-tune your regular expressions to prevent false positives, or to examine changes to attack behavior for subsequent forensic analysis.

To view packet payloads, see Viewing packet payloads.

If packet payloads could contain sensitive information, you may need to obscure those elements. For details, see Obscuring sensitive data in the logs.

Note: FortiWeb retains only the first 4 KB of data from the offending HTTP request payload that triggered the log message. If you require forensic analysis of, for example, buffer overflow attacks that would exceed this limit, you must implement it separately.

CPU Utilization

Select a threshold level (60% to 99%) beyond which CPU usage triggers an event log entry.

Memory Utilization

Select a threshold level (60% to 99%) beyond which memory usage triggers an event log entry.

Log Disk Utilization

Select a threshold level (60% to 99%) beyond which log disk usage triggers an event log entry.

Trigger Action

Select a trigger, if any, to use when memory usage or CPU usage reaches or exceeds its specified threshold.

3.  Click Apply.

Configuring log destinations

You can choose and configure the storage methods for log information, and/or email alerts when logs have occurred.

Alert email can be enabled here, but must be configured separately first. See Alert email.

For logging accuracy, you should verify that the FortiWeb appliance’s system time is accurate. For details, see Setting the system time & date.

Avoid recording highly frequent log types such as traffic logs to the local hard disk for an extended period of time. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.

You can also configure FortiWeb to send log information to an FTP or TFTP server in report form.

To configure log settings

1.  Go to Log&Report > Log Config > Global Log Settings.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.

2.  Configure these settings:

Disk

Enable to record log messages to the local hard disk on the FortiWeb appliance.

If the FortiWeb appliance is logging to its hard disk, you can use the web UI to view log messages stored locally on the FortiWeb appliance. For details, see Viewing log messages.

  Log Level

Select the severity level that a log message must equal or exceed in order to be recorded to this storage location. For information about severity levels, see Log severity levels.

Caution: Avoid recording log messages using low severity thresholds such as information or notification to the local hard disk for an extended period of time. A low log severity threshold is one possible cause of frequent logging. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.

  When log disk is full

Select what the FortiWeb appliance will do when the local disk is full and a new log message occurs, either:

  • Do not log — Discard the new log message.
  • Overwrite oldest logs — Delete the oldest log file in order to free disk space, then store the new log message in a new log file.

Syslog

Enable to store log messages remotely on a Syslog server.

Caution: Enabling Syslog could result in excessive log messages being recorded in Syslog.

Syslog entries are controlled by Syslog policies and trigger actions associated with various types of violations. If this option is enabled, but a trigger action is not selected for a specific type of violation, every occurrence of that violation will be transmitted to the Syslog server in the Syslog Policy field.

Note: Logs stored remotely cannot be viewed from the FortiWeb web UI.

  Syslog Policy

Select the settings to use when storing log messages remotely. The Syslog settings include the address of the remote Syslog server and other connection settings. For more information see Configuring Syslog settings.

  Log Level

Select the severity level that a log message must equal or exceed in order to be recorded to this storage location. For information about severity levels, see Log severity levels.

  Facility

Select the facility identifier that the FortiWeb appliance will use to identify itself when sending log messages to the first Syslog server.

To easily identify log messages from the FortiWeb appliance when they are stored on the Syslog server, enter a unique facility identifier, and verify that no other network devices use the same facility identifier.

FortiAnalyzer

Enable to store log messages remotely on a FortiAnalyzer appliance.

Compatibility varies. See the FortiAnalyzer Release Notes. For example, FortiAnalyzer 5.0.6 is tested compatible with FortiWeb 5.1.1 and 5.0.5.

Log entries to FortiAnalyzer are controlled by FortiAnalyzer policies and trigger actions associated with various types of violations. If this option is enabled, but a trigger action has not been selected for a specific type of violation, every occurrence of that violation will be recorded to the FortiAnalyzer specified in FortiAnalyzer Policy.

Note: Before enabling this option, verify that log frequency is not too great. If logs are very frequent, enabling this option could decrease performance and cause the FortiWeb appliance to send many log messages to FortiAnalyzer.

Note: Logs stored remotely cannot be viewed from the FortiWeb web UI.

  FortiAnalyzer Policy

Select the settings to use when storing log messages remotely. FortiAnalyzer settings include the address and other connection settings for the remote FortiAnalyzer. For more information see Configuring FortiAnalyzer policies.

  Log Level

Select the severity level that a log message must equal or exceed in order to be recorded to this storage location. For information about severity levels, see Log severity levels.

SIEM

Enable to store log messages to a SIEM (security information and event management) server. According to the specified SIEM policy, the action will be one of the following:

  • Store log messages remotely on an ArcSight server
  • Send log messages to Azure Event Hub (only available for FortiWeb-VM installed on Azure)

FortiWeb sends log entries to ArcSight and Azure Event Hub in CEF (Common Event Format) format.

If this option is enabled, but no trigger action is selected for a specific type of violation, FortiWeb records every occurrence of that violation to the resource specified by SIEM Policy.

Note: Before you enable this option, verify that log frequency is not too great. If logs are very frequent, enabling this option can decrease performance and cause the FortiWeb appliance to send many log messages to the resource.

Note: You cannot view logs stored remotely from the FortiWeb web UI.

  Log Level

Select the severity level that a log message must equal or exceed in order to be recorded to this storage location. For information about severity levels, see Log severity levels.

  SIEM Policy

Select the settings to use when storing log messages remotely. SIEM settings configure a connection to the storage resource. For more information see Configuring SIEM policies.

3.  Click Apply.

4.  Enable the log types that you want your log destinations to receive. See Enabling log types, packet payload retention, & resource shortage alerts.

Obscuring sensitive data in the logs

You can configure the FortiWeb appliance to hide certain predefined data types, including user names and passwords, that could appear in the packet payloads accompanying a log message. You can also define and include your own sensitive data types, such as ages (relevant if you are required to comply with COPPA) or other identifying numbers, using regular expressions.

Sensitive data definitions are not retroactive. They will hide strings in subsequent log messages, but will not affect existing ones.

To exclude custom sensitive data from log packet payloads

1.  Go to Log&Report > Log Config > Log Custom Sensitive Rule.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.

2.  On the top right side of the page, mark one or both of the following check boxes:

3.  Click Create New.

A dialog appears.

4.  In Name, type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.

5.  Select either General Mask (a regular expression that will match any substring in the packet payload) or Field Mask (a regular expression that will match only the value of a specific form input).

Field masks using asterisks are greedy: a match for the parameter’s value will obscure it, but will also obscure the rest of the parameters in the line. To avoid this, enter an expression whose match terminates with, but does not consume, the parameter separator.

For example, if parameters are separated with an ampersand ( & ), and you want to obscure the value of the Field Name username but not any of the parameters that follow it, you could enter the Field Value:

.*?(?=\&)

This would result in:

username****&age=13&origurl=%2Flogin

To test a regular expression, click the >> (test) button. This opens the Regular Expression Validator window where you can fine-tune the expression (see Regular expression syntax).

6.  Click OK.

The expression appears in the list of regular expressions that define sensitive data that will be obscured in the logs.

When viewing new log messages, data types matching your expression are replaced with a string of asterisks.
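The Field Mask behaviour from step 5, worked as an added Python example that is not part of FortiWeb or this guide: apply_field_mask and apply_general_mask are hypothetical helpers that mimic the two mask types on a constructed request body, showing why a greedy pattern obscures every following parameter while the lookahead stops at the separator. It also goes one step beyond the page's expression by using (?=&|$), so that the last parameter on a line, which has no trailing separator, is masked as well.

```python
import re

MASK = "****"


def apply_general_mask(payload, pattern):
    """General Mask: replace every match of pattern anywhere in the payload."""
    return re.sub(pattern, MASK, payload)


def apply_field_mask(payload, field_name, value_pattern):
    """Field Mask: replace only the value of the named form parameter.

    value_pattern is applied immediately after 'field_name=' and the text it
    consumes is what gets obscured, so a greedy pattern such as .* eats every
    parameter that follows, while a lookahead stops before the separator.
    """
    name_re = re.compile(re.escape(field_name) + "=")
    value_re = re.compile(value_pattern)
    out, pos = [], 0
    for m in name_re.finditer(payload):
        # Skip names already swallowed by a previous mask, and partial names such
        # as 'xusername=' (a parameter starts at the payload start or after & or ?).
        if m.start() < pos or (m.start() > 0 and payload[m.start() - 1] not in "&?"):
            continue
        v = value_re.match(payload, m.end())
        if v is None:
            continue  # pattern did not match here, e.g. no separator for the lookahead
        out.append(payload[pos:v.start()])
        out.append(MASK)
        pos = v.end()
    out.append(payload[pos:])
    return "".join(out)


# Constructed request body in the shape of the page's example.
PAYLOAD = "username=alice&age=13&origurl=%2Flogin"


def demo():
    """Run the masks that the text discusses and return the results by name."""
    return {
        # Greedy: everything after 'username=' is obscured, including age and origurl.
        "greedy": apply_field_mask(PAYLOAD, "username", r".*"),
        # The page's expression: stops just before the & separator.
        "lookahead": apply_field_mask(PAYLOAD, "username", r".*?(?=\&)"),
        # The page's expression on the last parameter: no & follows, so nothing is masked.
        "last_param_page_expr": apply_field_mask(PAYLOAD, "origurl", r".*?(?=\&)"),
        # Generalized: stop before & or at end of string, so the last value is masked too.
        "last_param_general": apply_field_mask(PAYLOAD, "origurl", r".*?(?=&|$)"),
        # General Mask: obscure any digits that directly follow 'age=' anywhere in the payload.
        "general_age": apply_general_mask(PAYLOAD, r"(?<=age=)\d+"),
    }


if __name__ == "__main__":
    for name, masked in demo().items():
        print(f"{name:22} {masked}")
```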

Configuring Syslog settings

To store log messages remotely on a Syslog server, you first create the Syslog connection settings.

Syslog settings can be referenced by a trigger, which in turn can be selected as the trigger action in a protection profile, and used to send log messages to one or more Syslog servers whenever a policy violation occurs.

You can use each Syslog policy to configure connections to up to 3 Syslog servers.

Logs stored remotely cannot be viewed from the FortiWeb web UI. If you need to view logs from the web UI, also enable local storage. For details, see Enabling log types, packet payload retention, & resource shortage alerts.

To configure Syslog policies

1.  Before you can log to Syslog, you must enable it for the log type that you want to use as a trigger. For details, see Enabling log types, packet payload retention, & resource shortage alerts.

2.  Go to Log&Report > Log Policy > Syslog Policy.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.

3.  Click Create New.

A dialog appears.

4.  If the policy is new, in Policy Name, type the name of the policy as it will be referenced in the configuration.

5.  Click Create New.

6.  In IP Address, enter the address of the remote Syslog server.

7.  In Port, enter the listening port number of the Syslog server. The default is 514.

8.  Mark the Enable CSV Format check box if you want to send log messages in comma-separated value (CSV) format.

9.  Click OK.

10.  Repeat the Syslog server connection configuration for up to two more servers, if required.

11.  To verify logging connectivity, from the FortiWeb appliance, trigger a log message that matches the types and severity levels that you have chosen to store on the remote host. Then, on the remote host, confirm that it has received that log message.

If the remote host does not receive the log messages, verify the FortiWeb appliance’s network interfaces (see Configuring the network interfaces) and static routes (see Adding a gateway), and the policies on any intermediary firewalls or routers. If ICMP is enabled on the remote host, try using the execute traceroute command to determine the point where connectivity fails. For details, see the FortiWeb CLI Reference.

Configuring FortiAnalyzer policies

Before you can store log messages remotely on a FortiAnalyzer appliance, you must first create FortiAnalyzer connection settings.

Once you create FortiAnalyzer connection settings, they can be referenced by a trigger, which in turn can be selected as a trigger action in a protection profile, and used to record policy violations.

Logs stored remotely cannot be viewed from the web UI of the FortiWeb appliance. If you require the ability to view logs from the web UI, also enable local storage. For details, see Enabling log types, packet payload retention, & resource shortage alerts.

To configure FortiAnalyzer policies

1.  Before you can log to FortiAnalyzer, you must enable logging for the log type that you want to use as a trigger. For details, see Enabling log types, packet payload retention, & resource shortage alerts.

2.  Go to Log&Report > Log Policy > FortiAnalyzer Policy.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.

3.  Click Create New, and then complete the following settings:

Policy Name

Enter a unique name that other parts of the configuration can reference.

Do not use spaces or special characters. The maximum length is 35 characters.

IP Address

Enter the IP address of the remote FortiAnalyzer appliance.

Encrypt Log Transmission

Select to transmit logs to the FortiAnalyzer appliance using SSL.

4.  In Name, type a unique name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.

5.  In IP Address, type the address of the remote FortiAnalyzer appliance.

6.  Click OK.

7.  Confirm with the FortiAnalyzer administrator that the FortiWeb appliance was added to the FortiAnalyzer appliance’s device list, allocated sufficient disk space quota, and assigned permission to transmit logs to the FortiAnalyzer appliance. For details, see the FortiAnalyzer Administration Guide.

8.  To verify logging connectivity, from the FortiWeb appliance, trigger a log message that matches the types and severity levels that you have chosen to store on the remote host. Then, on the remote host, confirm that it has received that log message.

If the remote host does not receive the log messages, verify the FortiWeb appliance’s network interfaces (see Configuring the network interfaces) and static routes (see Adding a gateway), and the policies on any intermediary firewalls or routers. If ICMP ECHO_RESPONSE (pong) is enabled on the remote host, try using the execute traceroute command to determine the point where connectivity fails. For details, see the FortiWeb CLI Reference.

Configuring SIEM policies

Before you store log messages remotely on a SIEM resource, you create SIEM connection settings and add them to a trigger configuration. Then you select the trigger in a protection profile.

You cannot use the web UI to view logs stored remotely. To view logs from the web UI, also enable local storage. For details, see Enabling log types, packet payload retention, & resource shortage alerts.

To configure SIEM policies

1.  Before you can log to the resource, you enable logging for the log type that you want to use as a trigger. For details, see Enabling log types, packet payload retention, & resource shortage alerts.

2.  Go to Log&Report > Log Policy > SIEM Policy.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.

3.  For Policy Name, enter a unique name that other parts of the configuration can reference.

4.  Click Create New, and then do one of the following:

5.  Click OK.

6.  If required, add any additional resources to the policy.

7.  To verify logging connectivity, from the FortiWeb appliance, trigger a log message that matches the types and severity levels that you have chosen to store on the remote resource. Then, on the remote resource, confirm that it has received that log message.

If an ArcSight server does not receive the log messages, verify the FortiWeb appliance’s network interfaces (see Configuring the network interfaces) and static routes (see Adding a gateway), and the policies on any intermediary firewalls or routers. If ICMP ECHO_RESPONSE (pong) is enabled on the remote host, try using the execute traceroute command to determine the point where connectivity fails. For details, see the FortiWeb CLI Reference.

Configuring FTP/TFTP policies

Before you send reports that contain log or other information to an FTP or TFTP server, you create FTP/TFTP connection settings and add them to a report configuration.

To configure FTP/TFTP policies

1.  Before you can create reports that contain logging information, you enable logging for the log type that you want to capture in a report. For details, see Enabling log types, packet payload retention, & resource shortage alerts.

2.  Go to Log&Report > Log Policy > FTP/TFTP Policy.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.

3.  Click Create New, and then complete the following settings:

FTP/TFTP Policy Name

Enter a unique name that other parts of the configuration can reference.

Do not use spaces or special characters. The maximum length is 35 characters.

Policy Type

Select FTP or TFTP.

Server

Enter the IP address of the FTP or TFTP server.

Authentication

Specifies whether the server requires a user name and password for authentication, rather than allowing anonymous connections.

Available only if Policy Type is FTP.

Username

Enter the user name that FortiWeb uses to authenticate with the server.

Available only if Authentication is selected.

Password

Enter the password for the specified username.

Available only if Authentication is selected.

File Folder

Specifies the location on the server where FortiWeb stores reports.

4.  Click OK.

5.  To verify logging connectivity, from the FortiWeb appliance, configure a report that uses this FTP/TFTP policy, and then run it (or wait for it to run at its scheduled time). Then, on the FTP or TFTP server, confirm that FortiWeb transmitted the report to the specified folder.

For more information on configuring FortiWeb to send a report to an FTP or TFTP server, see Selecting the report’s file type & delivery options.

Configuring triggers

Triggers are sets of notification servers (Syslog, FortiAnalyzer, and alert email) that you can select in protection rules. The FortiWeb appliance will contact those servers when traffic violates the policy and therefore triggers logging and/or alert email.

You can also receive security event notification via SNMP. See SNMP traps & queries.

For example, if you create a trigger that contains email and Syslog settings, that trigger can be selected as the trigger action for specific violations of a protection profile’s sub-rules. Alert email and Syslog records will be created according to the trigger when a violation of that individual rule occurs.

To configure triggers

1.  Before you create a trigger, first create any settings it will reference, such as email, Syslog and/or FortiAnalyzer settings (see Configuring email settings, Configuring Syslog settings, and Configuring FortiAnalyzer policies).

2.  Go to Log&Report > Log Policy > Trigger Policy.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.

3.  Click Create New.

A dialog appears.

4.  In Name, type a unique name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.

5.  Pick an existing policy from one or more of the three email, Syslog or FortiAnalyzer setting drop-down lists. FortiWeb will use these notification devices for all protection rule violations that use this trigger.

6.  Click OK.

7.  To apply the trigger, select it in the Trigger Action setting in a web protection feature, such as a hidden field rule, or an HTTP constraint on illegal host names.

Viewing log messages

You can use the web UI to view and download locally stored log messages. (You cannot use the web UI to view log messages that are stored remotely on Syslog or FortiAnalyzer devices, an ArcSight SIEM Server, or Azure Security Center.)

Depending on the type of log, some log messages cannot be viewed from the web UI.

Log messages are in human-readable format, where each column’s name, such as Source (src in a raw (unformatted) view), indicates its contents.

To assist you in forensics and troubleshooting false positives, if the request matched an attack signature, the part of the packet that matched is highlighted.

An attack’s origin is not always the same as the IP that appears in your logs. Network address translation (NAT) at various points between a web browser and your web servers can mask the original IP address of the attacker. Depending on your configuration of Use X-Header to Identify Original Client’s IP, attack logs’ Source column may contain the IP address of the client according to X-Forwarded-For: or a similar header in the HTTP layer, not the SRC field in the IP header. In that case, the corresponding traffic log’s Source column will not match, since it reflects the IP layer. (Typically in that scenario, the connection has been relayed by a load balancer or proxy, and therefore the IP would be that of the load balancer, which is not the real origin of the attack.) Relatedly, if Shared IP is enabled, FortiWeb will attempt to differentiate innocent clients that share the same public address with an attacker according to the IP layer SRC field due to NAT.

Not all attack detections will be logged. In some cases, only one entry will be logged when there are many attack instances. See Log rate limits. Relatedly, server information disclosure detections will not be logged if you have configured Action to be Erase, no Alert. See Blocking known attacks & data leaks.

Viewing raw (unformatted) messages

When you view log messages using the web UI, the log message is displayed in columns, with graphics and other formatting. In some cases, it is useful to view the log message exactly as it appears in the log file, as a single line of text consisting of field-value pairs. Use one of the following methods to view a log message in its raw form:

Determining whether an attack that generated a message was blocked

Not all detected attacks may be blocked, redirected, or sanitized.

For example, while using auto-learning, you can configure protection profiles with an action of Alert (log but not deny), allowing the connection to complete in order to gather full auto-learning data.

You can use the Action column to determine whether or not an attack attempt was permitted to reach a web server. (This column is displayed by default. Right-click a column heading to select the columns to display.) Additionally, if the FortiWeb appliance is operating in offline protection mode or transparent inspection mode, due to asynchronous inspection where the attack may have reached the server before it was detected by FortiWeb, you should also examine the server itself.

To view log messages

1.  Go to one of the log types:

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.

Columns and appearance vary slightly by log type. For details on the structure and interpretation of individual log messages, and troubleshooting suggestions for them, see the FortiWeb Log Reference.

Initially, the page displays the most recent log messages for that log type.

In FortiWeb HA clusters, log messages are recorded on their originating appliance. If you notice a gap in the logs, a failover may have occurred. Logs during that period will be stored on the other appliance. To view those logs, switch to the other appliance.

Button/setting Description
(Refresh button) Click to update the page with any logs that have been recorded since you previously loaded the page.
Add Filter Click to create a filter based on log message fields. Only messages that are in the most recent 100,000 messages and match the criteria in the filter are displayed. When you search by date and time, all messages with the selected date are displayed.
(drag and drop column heading) Change the order of columns.
(right-click column heading) Right-click a column heading to access settings that add or hide columns that correspond to log fields or remove any filters you have applied.
(Log Management button) Click to download, delete, or view the contents of a log file.
(Generate Log Detail PDF) Click to generate a detailed report of the selected attack log message in PDF format. Available only for the attack log (Log&Report > Log Access > Attack).

2.  If you want to view log messages in a rotated log file, click Log Management.

A page appears, listing each of the log files for that type that are stored on the local hard drive.

3.  Mark the check box next to the file whose log messages you want to view.

4.  Click View.

The page displays the log messages in the file you selected.

Viewing a single log message as a table

When viewing attack log messages or traffic log messages, you can display the log message as a table in the frame beside the log view.

To view message details

1.  Go to either Log&Report > Log Access > Attack or Log&Report > Log Access > Traffic.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.

2.  Click any log message.

The details appear beside the main log table. The arrow icon in the top-left of the details pane allows you to expand or collapse the pane.


Viewing packet payloads

If you enabled retention of packet payloads from FortiWeb’s HTTP parser for attack and traffic logs (see Enabling log types, packet payload retention, & resource shortage alerts), you can view a part of the payload as dissected by the HTTP parser, in table form, via the web UI.

A packet payload table shows the decoded payload of the request that caused the log message. It supplements the log message with the actual data that matched the regular expression, which can help you fine-tune your regular expressions to prevent false positives, or aid forensic analysis. Because retained payloads can contain credentials, session cookies and other sensitive request data, restrict access to these logs accordingly.

To view a packet payload

1.  Go to either Log&Report > Log Access > Attack or Log&Report > Log Access > Traffic.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.

2.  In the row corresponding to the log message whose packet payload you want to view, click the log message.

There may not be a Packet Log icon for every log message, such as for normal HTTP responses and attack types where you have not enabled packet payload retention.

In a frame to the right of the log messages, the log message appears in table format, along with the decoded HTTP headers and packet payload. Parameters and file uploads are in either the URL or (for HTTP POST requests) Data fields. Cookies can be in either the Cookie or Data fields.


Downloading log messages

You can download logs that are stored locally (that is, on the FortiWeb appliance’s hard drive) to your management computer.

In the web UI, there are two different methods:

To download log messages matching a time period

1.  Go to Log&Report > Log Access > Download.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.

2.  Configure these settings:

Setting name Description
Log Type Select one of the following log types to download
System Time Displays the date and time according to the FortiWeb appliance’s clock at the time that this page was loaded, or when you last clicked the Refresh button.
Start Time Choose the starting point for the log download by selecting the year, month and day as well as the hour, minute and second that defines the first of the log messages to download.
End Time Choose the end point for the log download by selecting the year, month and day as well as the hour, minute and second that defines the last of the log messages to download.

3.  Click Download.

If there are no log messages of that log type in that time period, a message appears:

no logs selected

Click Return and revise the time period or log type selection.

4.  If a file download dialog appears, choose the directory where you want to save the file.

Your browser downloads the log file in a .tgz compressed archive. Time required varies by the size of the log and the speed of the network connection.

To download a whole log file

1.  Go to one of the log types, such as Log&Report > Log Access > Event.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.

2.  Click Log Management.

A page appears, listing each of the log files for that type that are stored on a local hard drive.

3.  Mark the check box next to the file that you want to download.

4.  Click Download.

A dialog appears.

5.  Select either Normal format (raw, plain text logs) or CSV format (comma-separated value).

Raw, unencrypted logs can be viewed with a plain text editor. CSV-formatted, unencrypted logs can be viewed with a spreadsheet application, such as Microsoft Excel or OpenOffice Calc.

6.  If you would like to password-encrypt the log files using 128-bit AES before downloading them, enable Encryption and type a password in Password.

Encrypted logs can be decrypted and viewed by archive viewers that support this encryption, such as 7zip 9.20 or WinRAR 5.0. The protection is only as strong as the password you choose: use a long, unique passphrase and deliver it to the recipient separately from the archive.

7.  Click OK.

8.  If a file download dialog appears, choose the directory where you want to save the file.

Your browser downloads the log file as a .log or .csv file, depending on which format you selected. Time required varies by the size of the log and the speed of the network connection.

Deleting log files

If you have downloaded log files to an external backup, or if you no longer require them, you can delete one or more locally stored log files to free disk space.

To delete a log file

1.  Go to one of the log types, such as Log&Report > Log Access > Event.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.

2.  Click Log Management.

A page appears, listing each of the log files for that type that are stored on the local hard drive.

3.  Either:

To delete all log files, mark the check box in the column heading. All rows’ check boxes will become marked.

To delete some log files, mark the check box next to each file that you want to delete.

4.  Click Clear Log.

Coalescing similar attack log messages

FortiWeb can generate many types of attack log messages, including Custom Access Violation, Header Length Exceeded, IP Reputation Violation, and SQL Injection.

To make attack log messages easier to review, when the total number of attack types exceeds 32 in a single day, FortiWeb aggregates two types of messages — signature attacks and HTTP protocol constraints violations — in the Aggregated Attacks page. For messages generated by a threat score exceeding the threshold, FortiWeb generates one aggregated message for each day.

For more information on the signatures and constraints that generate the aggregated messages, see Blocking known attacks & data leaks, HTTP/HTTPS protocol constraints, and Configuring threat scoring.

Some attacks only generate one log message per interval while an attack is underway. They are effectively already coalesced. See Log rate limits and Viewing log messages.

To coalesce similar attack log messages

1.  Go to Log&Report > Log Access > Aggregated Attacks.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.

2.  Each row of aggregated log messages is initially grouped into similar attack types, not primarily by day or time.

If you want to aggregate attacks by time instead, click Aggregate log by Date.

Each page in the display contains up to 7 dates’ worth of aggregated logs. To view dates before that time, click the arrow to go to the next page.

To expand a row in order to view individual items comprising it, click the blue arrow in the # column.

3.  To view a list of all log messages comprising that item, click the item’s row. Details appear in a pane to the right.
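The grouping that the Aggregated Attacks page performs, reproduced as an added Python example for use on exported logs in a SIEM or script; this is not FortiWeb code. The records are constructed (a scan that trips 40 different signatures on one day, then a few repeated attempts on the next), the field names are assumptions, and the 32-attack-types-per-day threshold and the 7-dates-per-page layout are the values stated above. Grouping is by attack type first and by date on request, and each group can be expanded into the individual messages that make it up.

```python
"""Coalesce similar attack log records the way the Aggregated Attacks page
groups them: by attack type first, optionally re-grouped by date.

Added example, not FortiWeb code. Records are constructed and field names
are assumptions; the thresholds come from the documentation text.
"""
from collections import defaultdict

AGGREGATION_THRESHOLD = 32  # distinct attack types in one day
DATES_PER_PAGE = 7          # dates shown per page of the aggregated view


def build_records() -> list[dict[str, str]]:
    """Constructed sample records (field names are assumptions)."""
    recs = []
    # Day 1: one source trips 40 different signatures during a scan.
    for i in range(40):
        recs.append({"date": "2024-03-01", "time": f"09:{i:02d}:00",
                     "main_type": "Signature Detection",
                     "sub_type": f"Signature {i:03d}",
                     "src": "203.0.113.77", "action": "Alert_Deny"})
    # Day 2: repeated SQL injection attempts from two sources, plus one
    # protocol constraint violation.
    for i, src in enumerate(["203.0.113.77", "198.51.100.9", "203.0.113.77"]):
        recs.append({"date": "2024-03-02", "time": f"10:{i:02d}:00",
                     "main_type": "Signature Detection",
                     "sub_type": "SQL Injection", "src": src, "action": "Alert"})
    recs.append({"date": "2024-03-02", "time": "11:00:00",
                 "main_type": "HTTP Protocol Constraints",
                 "sub_type": "Header Length Exceeded",
                 "src": "198.51.100.9", "action": "Alert_Deny"})
    return recs


def distinct_types_per_day(records: list[dict[str, str]]) -> dict[str, int]:
    """Count how many distinct (main_type, sub_type) pairs each day produced."""
    types = defaultdict(set)
    for r in records:
        types[r["date"]].add((r["main_type"], r["sub_type"]))
    return {day: len(t) for day, t in types.items()}


def days_exceeding_threshold(records, threshold=AGGREGATION_THRESHOLD) -> list[str]:
    """Days on which the number of attack types exceeds the threshold."""
    return sorted(day for day, n in distinct_types_per_day(records).items() if n > threshold)


def coalesce(records: list[dict[str, str]], by: str = "type") -> dict:
    """Group records into aggregated rows.

    by="type" keys on (main_type, sub_type); by="date" keys on the date.
    Each row keeps a count, the set of sources, first/last seen, and the
    individual items so the row can be expanded.
    """
    groups = defaultdict(lambda: {"count": 0, "sources": set(),
                                  "first": None, "last": None, "items": []})
    for r in sorted(records, key=lambda r: (r["date"], r["time"])):
        key = (r["main_type"], r["sub_type"]) if by == "type" else r["date"]
        g = groups[key]
        stamp = f'{r["date"]} {r["time"]}'
        g["count"] += 1
        g["sources"].add(r["src"])
        g["first"] = g["first"] or stamp
        g["last"] = stamp
        g["items"].append(r)
    return dict(groups)


def paginate_by_date(groups_by_date: dict, per_page: int = DATES_PER_PAGE) -> list[list[str]]:
    """Newest dates first, a fixed number of dates per page."""
    dates = sorted(groups_by_date, reverse=True)
    return [dates[i:i + per_page] for i in range(0, len(dates), per_page)]


if __name__ == "__main__":
    recs = build_records()
    print("days to aggregate:", days_exceeding_threshold(recs))
    for key, row in coalesce(recs, by="type").items():
        if row["count"] > 1:
            print(key, row["count"], sorted(row["sources"]), row["first"], row["last"])
    print(paginate_by_date(coalesce(recs, by="date")))
```

Expanding a row is just reading its items list; a low-and-slow attacker shows up as a row whose count is small but whose first and last stamps are far apart, which the per-type grouping makes visible even when the per-day type count never crosses the threshold.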