Administration Guide

Filtering messages

You can apply filters to the message list. Filters are not case-sensitive by default. If available, select Tools > Case Sensitive Search to create case-sensitive filters.

Filtering messages using filters in the toolbar

  1. Go to the appropriate Log View.
  2. In the toolbar, make other selections, such as devices and time period.
  3. From the More dropdown, you can toggle between a Case Sensitive Search and a Case Insensitive Search.
  4. In the table header, click the settings icon to select the available columns in the table.

    When a column is added, it is automatically placed in the sequence displayed in the list. The added column is highlighted in the table for reference. You can drag and drop the columns to rearrange their display order.

  5. In the search bar, add filters for the table:

    Toggling between Filter Mode and Text Mode

    From the dropdown next to the search bar, select Filter Mode or Text Mode. The filter criteria are maintained when toggling between the modes. See below for more information about these modes.

    Filter Mode

    Click Add Filter to select a filter from the dropdown list. Then select an operator (=, !=, <, >, >=, <=, ~, or !~) and a value for the filter; you can begin typing a value to select it from the list. Click Apply to add the filter.

    Click Add Filter again to add another filter. It is added with an AND relationship to the previous filter; click the AND to toggle between AND (all filters are met) and OR (at least one of the filters is met).

    When adding a filter, only displayed columns are available in the dropdown list. To add more columns, click the settings icon in the table header.

    Text Mode

    In text mode search, enter the search criteria (log field names, operators, and values).

    Remove filters

    After entering filters, you can click the "x" at the left side of the search bar to remove the filters.

    Search operators and syntax

    Click the help icon at the right end of the Add Filter box to view search operators and syntax. See also Filter search operators and syntax.

    CLI string “freestyle” search

    Searches for the string within the indexed fields configured with the CLI command config ts-index-field.

    For example, if the indexed fields have been configured using these CLI commands:

    config system sql
        config ts-index-field
            edit "FGT-traffic"
                set value "app,dstip,proto,service,srcip,user,utmaction"
            next
        end
    end

    Then if you type “Skype” in the Add Filter box, FortiAnalyzer searches for “Skype” within these indexed fields: app, dstip, proto, service, srcip, user, and utmaction.

    You can combine freestyle search with other search methods, for example: Skype user=David.

    Note

    UUID logging must be enabled in FortiGate/FortiOS to filter FortiGate traffic logs by object name, including Source Object and Destination Object. See the FortiGate/FortiOS Administration Guide for more information about UUID logging.

Filtering messages using the right-click menu

In the log message table view, right-click an entry to select filter criteria from the menu. Depending on the column you right-clicked, Log View uses the column value as the filter criteria. This context-sensitive filter is only available for certain columns.

You can perform the following filter actions from the right-click menu:

  • Add a filter entry with an AND condition, such as AND event_type=traffic

  • Add a filter entry with an AND negate condition, such as AND event_type!=traffic

  • Add a filter entry with an OR condition, such as OR event_type=traffic

  • Add a filter entry with an OR negate condition, such as OR event_type!=traffic

  • Replace all filters with the selected entry, such as event_type=utm

  • Replace all filters with the selected negate, such as event_type!=utm

If no filter is used before right-click filtering, the new filter will be added no matter which option is selected in the right-click menu.

To see the log field name of a filter or column, right-click the column of a log entry and select a context-sensitive filter. The Add Filter box shows the log field name.

Context-sensitive filters are available for each log field in the log details pane. See Viewing message details.

Filtering messages using smart action filters

For Log View windows that have an Action column, the Action column displays smart information according to policy (log field action) and utmaction (UTM profile action).

The Action column displays a green checkmark Accept icon when both policy and UTM profile allow the traffic to pass through, that is, both the log field action and UTM profile action specify allow to this traffic.

The Action column displays a red X Deny icon and the reason when either the log field action or the UTM profile action denies the traffic.

If the traffic is denied due to policy, the deny reason is based on the policy log field action.

If the traffic is denied due to UTM profile, the deny reason is based on the FortiView threattype from craction. craction shows which type of threat triggered the UTM action. The threattype, craction, and crscore fields are configured in FortiGate in Log & Report. For more information, see the FortiOS - Log Message Reference in the Fortinet Document Library.

A filter applied to the Action column is always a smart action filter.

Note

The smart action filter uses the FortiGate UTM profile to determine what the Action column displays. If the FortiGate UTM profile has set an action to allow, the Action column displays that line with a green Accept icon, even if the craction field defines that traffic as a threat. The green Accept icon does not display any explanation.

Filter search operators and syntax

Operators or symbols and their syntax:
And

Find log entries containing all the search terms. Connect the terms with a space character, or “and”. Examples:

  1. user=henry group=sales

  2. user=henry and group=sales

Or

Find log entries containing any of the search terms. Separate the terms with “or” or a comma “,”. Examples:

  1. user=henry or srcip=10.1.0.15

  2. user=henry,linda

Not

Find log entries that do NOT contain the search terms. Add “-” before the field name. Example:

-user=henry

>, <

Find log entries greater than or less than a value, or within a range. This operator only applies to integer fields. Example:

policyid>1 and policyid<10

IP subnet, range, subnet list search

Find log entries within a certain IP subnet, IP range, subnet list, or subnet group. Examples:

  1. srcip=192.168.1.0/24

  2. srcip=10.1.0.1-10.1.0.254

  3. srcip=SubnetGrp_Name_A

  4. srcip=Subnet_Name_A

To create a subnet list or subnet group, see Subnets.

Wildcard search

You can use wildcard searches for all field types. Examples:

  1. srcip=192.168.1.*

  2. policyid=1*

  3. user=*

Note

Log View also supports regex (regular expression) syntax.
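To make the operator table above and the “freestyle” search described under CLI string “freestyle” search concrete, here is an added, self-contained Python evaluator that applies filter strings in the same syntax (space/and, or, comma lists, -negation, !=, integer >/<, IP subnet and range, * wildcards, and bare-word search across the ts-index-field columns) to a few constructed log records. It is illustrative code written for this page, not FortiAnalyzer's own implementation; the record layout, the AND-over-OR precedence and the treatment of named subnet lists are assumptions.

```python
import fnmatch
import ipaddress
import re

# Constructed sample traffic-log records (not real FortiAnalyzer data).
LOGS = [
    {"user": "henry", "group": "sales", "srcip": "192.168.1.10", "policyid": 5, "app": "Skype"},
    {"user": "linda", "group": "hr", "srcip": "10.1.0.15", "policyid": 12, "app": "SSL"},
    {"user": "david", "group": "sales", "srcip": "10.1.0.200", "policyid": 1, "app": "Skype"},
]
INDEXED = ["app", "dstip", "proto", "service", "srcip", "user", "utmaction"]  # ts-index-field value above
TERM = re.compile(r"^(-?)(\w+)(>=|<=|!=|>|<|=)(.+)$")
CMP = {">": lambda a, b: a > b, "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}

def ip_match(value, pattern):
    """Subnet (192.168.1.0/24) or range (10.1.0.1-10.1.0.254) test; False when not applicable."""
    try:
        ip = ipaddress.ip_address(value)
        if "/" in pattern:
            return ip in ipaddress.ip_network(pattern, strict=False)
        if "-" in pattern:
            lo, hi = (ipaddress.ip_address(p) for p in pattern.split("-", 1))
            return lo <= ip <= hi
    except ValueError:
        pass
    return False  # named subnet lists/groups (srcip=Subnet_Name_A) are not modelled here

def eq_match(value, pattern):
    """'=' semantics: IP subnet/range, else case-insensitive match with '*' wildcards."""
    return ip_match(value, pattern) or fnmatch.fnmatchcase(value.lower(), pattern.lower())

def term_match(term, log):
    """One term (user=henry, -user=henry, user!=henry, user=henry,linda, policyid>1) or a bare word."""
    m = TERM.match(term)
    if not m:  # freestyle: substring search across the indexed fields
        return any(term.lower() in str(log.get(f, "")).lower() for f in INDEXED)
    neg, field, op, pat = m.groups()
    raw = log.get(field)
    if op in CMP:  # >, <, >=, <= apply to integer fields only
        hit = isinstance(raw, int) and pat.isdigit() and CMP[op](raw, int(pat))
    else:  # '=' / '!='; a comma-separated value list is an OR: user=henry,linda
        hit = (raw is not None and any(eq_match(str(raw), p) for p in pat.split(","))) != (op == "!=")
    return hit != bool(neg)

def search(query, logs=LOGS):
    """Terms joined by a space or 'and' must all hold; 'or' separates alternatives.
    Assumption (the page does not state precedence): AND binds tighter than OR."""
    groups = re.split(r"\s+or\s+", query.strip(), flags=re.I)
    return [log["user"] for log in logs
            if any(all(term_match(t, log) for t in g.split() if t.lower() != "and") for g in groups)]
```

Running search("Skype user=David") against the sample records returns only david, because the bare word is searched in the indexed fields while user=David is a case-insensitive field match.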

Filtering FortiClient log messages in FortiGate traffic logs

For FortiClient endpoints registered to FortiGate devices, you can filter log messages in FortiGate traffic log files that are triggered by FortiClient.

To filter FortiClient log messages:
  1. Go to Log View > Logs > Fortient Logs > FortiGate > Traffic.

  2. In the Add Filter box, type fct_devid=*. A list of FortiGate traffic logs triggered by FortiClient is displayed.

  3. In the message log list, select a FortiGate traffic log to view the details.

  4. Click the FortiClient tab, and double-click a FortiClient traffic log to see details.

    The FortiClient tab is available only when the FortiGate traffic logs reference FortiClient traffic logs.

Filtering for event logs generated when FortiManager installs configuration to FortiSASE

When FortiManager is configured to manage FortiSASE, event logs will be generated by FortiOS when configuration is installed to FortiSASE. The log output from FortiOS will include the FortiManager device name as well as the admin username.

To filter for logs generated when FortiManager installs configuration to FortiSASE:
  1. Go to Log View > Logs > Fortient Logs > FortiGate.

  2. From the Event dropdown, select FortiSASE.

    The Remote Device Name column displays the FortiManager device name.

    The Remote Admin column displays the FortiManager admin username.
