 
Viewing log messages
You can use the web UI to view and download locally stored log messages. (You cannot use the web UI to view log messages that are stored remotely on Syslog or FortiAnalyzer devices.)
Depending on the type of log, some log messages cannot be viewed from the web UI.
Table 55: Availability of each log type via the web UI

Storage method       Log type
                     Event    Traffic    Attack
Local disk           Yes      Yes        Yes
Local memory         Yes      No         No
Syslog server        Yes      Yes        Yes
FortiAnalyzer        Yes      Yes        Yes
ArcSight (SIEM)      Yes      Yes        Yes
Log messages are in human-readable format, where each column’s name, such as Source (src in Raw view), indicates its contents.
To assist you in forensics and troubleshooting false positives, if the request matched an attack signature, the part of the packet that matched is highlighted in yellow.
An attack’s origin is not always the same as the IP that appears in your logs. Network address translation (NAT) at various points between a web browser and your web servers can mask the original IP address of the attacker. Depending on your configuration of Use X-Header to Identify Original Client’s IP, the attack log’s Source column may contain the IP address of the client according to X-Forwarded-For: or a similar header in the HTTP layer, not the SRC field in the IP header. In that case, the corresponding traffic log’s Source column will not match, because it reflects the IP layer. (Typically in that scenario the connection has been relayed by a load balancer or proxy, so the IP-layer address is that of the load balancer, which is not the real origin of the attack.) Relatedly, if Shared IP is enabled, FortiWeb attempts to distinguish innocent clients from an attacker when NAT causes them to share the same public address in the IP-layer SRC field.
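The mismatch described above, between an attack log Source taken from X-Forwarded-For and a traffic log Source taken from the IP header, is easiest to see on concrete log lines. The following Python is an added illustration, not FortiWeb code: the raw lines are constructed, only the src field name comes from this page, and the xff, type, dst and msg field names, the 10.0.0.4/10.0.0.5 proxy topology and the function names are assumptions for the example. It resolves the original client the way a WAF behind trusted proxies must (walking the header chain from the hop nearest the appliance and ignoring client-supplied entries), then compares the two Source values for the same relayed request.

```python
import ipaddress
import shlex

# Constructed sample log lines in key=value raw form. Only "src" is a field
# name the page mentions; "xff", "type", "dst", "url" and "msg" are assumptions
# for this example, not a statement about FortiWeb's actual raw log fields.
RAW_TRAFFIC = ('date=2024-05-01 time=12:00:01 type=traffic '
               'src=10.0.0.5 dst=192.0.2.10 url="/login"')
RAW_ATTACK = ('date=2024-05-01 time=12:00:01 type=attack '
              'src=10.0.0.5 xff="203.0.113.7, 10.0.0.4" dst=192.0.2.10 '
              'msg="SQL Injection"')

# Assumed topology: client -> reverse proxy 10.0.0.4 -> load balancer 10.0.0.5
# -> WAF. Only these two hops are allowed to vouch for X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.4"),
                   ipaddress.ip_address("10.0.0.5")}


def parse_raw(line):
    """Split a key=value log line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def _as_ip(text):
    """Return an ip_address object, or None if the text is not a valid address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def original_client_ip(ip_layer_src, xff, trusted):
    """Resolve the client address the way a WAF behind trusted proxies must.

    The X-Forwarded-For chain is only meaningful when the TCP peer is one of
    our own proxies: a client connecting directly can write anything into the
    header. Walk the chain from the right (the hop nearest us) and return the
    first address that is not a trusted proxy; entries to its left were
    supplied by the client and are ignored.
    """
    src = _as_ip(ip_layer_src)
    if src is None or src not in trusted or not xff:
        return src
    for hop in reversed(xff.split(",")):
        addr = _as_ip(hop)
        if addr is None:
            return src  # a trusted proxy never writes garbage; distrust the chain
        if addr not in trusted:
            return addr
    return src  # every entry was one of our proxies; nothing beyond them to report


def compare_sources(attack_line, traffic_line, trusted):
    """Show why the attack log's Source (HTTP layer) and the traffic log's
    Source (IP layer) differ for the same relayed request."""
    attack = parse_raw(attack_line)
    traffic = parse_raw(traffic_line)
    attack_src = original_client_ip(attack["src"], attack.get("xff"), trusted)
    traffic_src = _as_ip(traffic["src"])
    return {
        "attack_source": str(attack_src),
        "traffic_source": str(traffic_src),
        "relayed_by_proxy": traffic_src in trusted and attack_src != traffic_src,
    }


if __name__ == "__main__":
    print(compare_sources(RAW_ATTACK, RAW_TRAFFIC, TRUSTED_PROXIES))
```

When correlating an attack log entry with its traffic log entry, match on time and destination rather than on Source, and treat a Source that belongs to one of your own proxies as a signal that the real origin is in the HTTP-layer header. The trusted-proxy set is what makes the header usable: a client that reaches the appliance directly can put any address in X-Forwarded-For, so the function ignores the header unless the IP-layer peer is a known proxy.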
Not all attack detections will be logged. In some cases, only one entry will be logged when there are many attack instances. See “Log rate limits”. Relatedly, server information disclosure detections will not be logged if you have configured Action to be Erase, no Alert. See “Blocking known attacks & data leaks”.
To view log messages
1. Go to one of the log types:
Log&Report > Log Access > Attack
Log&Report > Log Access > Event
Log&Report > Log Access > Traffic
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see “Permissions”.
Columns and appearance vary slightly by log type. For details on the structure and interpretation of individual log messages, and for troubleshooting suggestions, see the FortiWeb Log Reference.
Initially, the page displays the most recent log messages for that log type. Contents of the Message column may vary by your selection of Raw or Formatted view.
 
In FortiWeb HA clusters, log messages are recorded on their originating appliance. If you notice a gap in the logs, a failover may have occurred. Logs during that period will be stored on the other appliance. To view those logs, switch to the other appliance.
Table 56: Log&Report > Log Access > Event

Refresh
    Click to update the page with any logs that have been recorded since you previously loaded the page.
Column Settings
    Click to display or hide the columns that correspond to log fields, or change the order in which they appear on the page. For more information, see “Displaying & arranging log columns”.
Raw or Formatted
    Click to toggle between a Raw and Formatted view of the log information. The raw view displays the log message as it actually appears in the log file. The formatted view displays the log message in a columnar format. Clicking switches the view to the opposite of what is currently displayed. For details on both view types, see “Switching between Raw & Formatted log views”.
Clear All Filters
    Click this icon to clear all log view filters. For details on log view filters, see “Filtering log messages”.
Log Management
    Click to download, delete, or view the contents of a log file.
Table 57: Log&Report > Log Access > Attack

Refresh
    Click to update the page with any logs that have been recorded since you previously loaded the page.
Column Settings
    Click this icon to display or hide the columns that correspond to log fields, or change the order in which they appear on the page. For more information, see “Displaying & arranging log columns”.
Raw or Formatted
    Click to toggle between a Raw and Formatted view of the log information. The raw view displays the log message as it actually appears in the log file. The formatted view displays the log message in a columnar format. Clicking switches the view to the opposite of what is currently displayed. For details on both view types, see “Switching between Raw & Formatted log views”.
Clear All Filters
    Click this icon to clear all log view filters. For details on log view filters, see “Filtering log messages”.
Log Message Aggregation
    Click to arrange the attack logs into specific categories. For more information, see “Coalescing similar attack log messages”.
Log Search
    Click to search attack logs using simple or advanced search criteria. For more information, see “Searching attack logs”.
Log Management
    Click to download, delete, or view the contents of a log file.
 
Not all detected attacks may be blocked, redirected, or sanitized.
For example, while using auto-learning, you can configure protection profiles with an action of Alert (log but not deny), allowing the connection to complete in order to gather full auto-learning data.
To determine whether or not an attack attempt was permitted to reach a web server, display the Action column. For details, see “Displaying & arranging log columns”. Additionally, if the FortiWeb appliance is operating in offline protection mode or transparent inspection mode, inspection is asynchronous and the attack may have reached the server before FortiWeb detected it, so you should also examine the server itself.
Table 58: Log&Report > Log Access > Traffic

Refresh
    Click to update the page with any logs that have been recorded since you previously loaded the page.
Column Settings
    Click to display or hide the columns that correspond to log fields, or change the order in which they appear on the page. For more information, see “Displaying & arranging log columns”.
Raw or Formatted
    Click to toggle between a Raw and Formatted view of the log information. The raw view displays the log message as it actually appears in the log file. The formatted view displays the log message in a columnar format. Clicking switches the view to the opposite of what is currently displayed. For details on both view types, see “Switching between Raw & Formatted log views”.
Clear All Filters
    Click this icon to clear all log view filters. For details on log view filters, see “Filtering log messages”.
Log Management
    Click to download, delete, or view the contents of a log file.
2. If you want to view log messages in a rotated log file, click Log Management.
A page appears, listing each of the log files for that type that are stored on the local hard drive.
3. Mark the check box next to the file whose log messages you want to view.
4. Click View.
The page refreshes, displaying log messages in that file.