Using the security log
The Security Log table displays logs related to security features.
By default, the log is filtered to display IP Reputation logs, and the table lists the most recent records first.
You can use the following category filters to review logs of interest:
- IP Reputation—Traffic logged by the IP Reputation feature
- DoS—Traffic logged by the SYN Flood feature
- WAF—Traffic logged by the WAF feature
- Geo—Traffic logged by the Geo IP block list feature
- AV—Traffic logged by the AV feature
Within each category, you can use the Filter Settings controls to filter the table on the values of the following columns:
- Date
- Time
- Proto
- Service
- Src
- Src_port
- Dst
- Dst_port
- Vs Name
- Action
The last column of the log table includes a link to the details of each log record.
Before you begin:
- You must have Read-Write permission for Log & Report settings.
To view and filter the log:
- Go to Log & Report > Log Browsing.
- Click the Security Logs tab to display the security log (records with type=attack).
- Click Filter Settings to display the filter tools.
- Use the tools to filter on key columns and values.
- Click OK to apply the filter and redisplay the log.
The following tables (IP Reputation log, DoS log, WAF log, Geo IP log, and AV log) list the log columns in the order in which they appear in the log.

IP Reputation log
Column | Example | Description |
---|---|---|
date | date=2014-12-02 | Log date. |
time | time=10:27:01 | Log time. |
log_id | log_id=0200004230 | Log ID. |
type | type=attack | Log type: attack. |
subtype | subtype=ip_reputation | Log subtype: ip_reputation. |
pri | pri=warning | Log level. |
vd | vd=root | Virtual domain. |
msg_id | msg_id=13065998 | Message ID. |
count | count=1 | For IP reputation, count=1. |
severity | severity=high | Rule severity. |
proto | proto=6 | Protocol. |
service | service=http | Service. |
src | src=4.4.4.4 | Source IP address. |
src_port | src_port=49301 | Source port. |
dst | dst=2.2.2.2 | Destination IP address. |
dst_port | dst_port=80 | Destination port. |
policy | policy=vs1 | Virtual server name. |
action | action=deny | Policy action. |
srccountry | srccountry=cn | Location of the source IP address. |
dstcountry | dstcountry=us | Location of the destination IP address. |
msg | msg=msg | Security rule name, category, subcategory, and description of the attack. |
DoS log
Column | Example | Description |
---|---|---|
date | date=2014-12-02 | Log date. |
time | time=10:27:01 | Log time. |
log_id | log_id=0200004230 | Log ID. |
type | type=attack | Log type: attack. |
subtype | subtype=synflood | Log subtype: synflood. |
pri | pri=warning | Log level. |
vd | vd=root | Virtual domain. |
msg_id | msg_id=13065998 | Message ID. |
count | count=1 | For DoS, number of timeouts sent per destination. |
severity | severity=high | Always “high” for DoS. |
proto | proto=0 | Protocol. |
service | service=http | Service. |
src | src=173.177.99.94 | Source IP address. |
src_port | src_port=49301 | Source port. |
dst | dst=10.61.2.100 | Destination IP address. |
dst_port | dst_port=80 | Destination port. |
policy | policy=unknown | For DoS, policy=unknown. |
action | action=deny | Policy action. |
srccountry | srccountry=cn | Location of the source IP address. |
dstcountry | dstcountry=us | Location of the destination IP address. |
msg | msg=msg | Security rule name, category, subcategory, and description of the attack. |
WAF log
Column | Example | Description |
---|---|---|
date | date=2015-07-22 | Log date. |
time | time=10:27:01 | Log time. |
log_id | log_id=0202008074 | Log ID. |
type | type=attack | Log type: attack. |
subtype | subtype=waf | Log subtype: waf. |
pri | pri=alert | Log level. |
vd | vd=root | Virtual domain. |
msg_id | msg_id=1512 | Message ID. |
count | count=1 | Rule match count. |
severity | severity=low | Rule severity. |
proto | proto=6 | Protocol. |
service | service=http | Service. |
src | src=1.1.1.1 | Source IP address. |
src_port | src_port=34352 | Source port. |
dst | dst=2.2.2.2 | Destination IP address. |
dst_port | dst_port=80 | Destination port. |
policy | policy=vs1 | Virtual server name. |
action | action=pass | Policy action. |
sigid | sigid=1 | Attack signature ID. |
subcat | subcat=waf_subtype | WAF module: waf_web_attack_signature, waf_url_access, waf_http_protocol_cont and waf_sql_xss_injection_detect. |
http_host | http_host=192.168.1.140:8080 | HTTP Host header in the HTTP request. Maximum length is 64 characters; longer values are truncated and appended with ... . |
http_url | http_url=/bigdata | URI in the HTTP request. Maximum length is 128 characters; longer URIs are truncated and appended with ... . |
pkt_hdr | pkt_hdr=header | Contents of the packet header that matched the attack signature. |
srccountry | srccountry=Australia | Location of the source IP address. |
dstcountry | dstcountry=France | Location of the destination IP address. |
msg | msg="Find Attack ID: 1010010001 NAME: "HTTP Method Violation" CATEGORY: "HTTP Protocol Constraint" SUB_CATEGORY: "Request Method Rule"" | Security rule name, category, subcategory, and description of the attack. |
Geo IP log
Column | Example | Description |
---|---|---|
date | date=2014-12-02 | Log date. |
time | time=10:27:01 | Log time. |
log_id | log_id=0200004230 | Log ID. |
type | type=attack | Log type: attack. |
subtype | subtype=geo | Log subtype: geo. |
pri | pri=warning | Log level. |
vd | vd=root | Virtual domain. |
msg_id | msg_id=13065998 | Message ID. |
count | count=1 | Rule match count. |
severity | severity=high | Rule severity. |
proto | proto=0 | Protocol. |
service | service=http | Service. |
src | src=173.177.99.94 | Source IP address. |
src_port | src_port=49301 | Source port. |
dst | dst=10.61.2.100 | Destination IP address. |
dst_port | dst_port=80 | Destination port. |
policy | policy=vs1 | Virtual server name. |
action | action=deny | Policy action. |
srccountry | srccountry=cn | Location of the source IP address. |
dstcountry | dstcountry=us | Location of the destination IP address. |
msg | msg=msg | Security rule name, category, subcategory, and description of the attack. |
AV log
Column | Example | Description |
---|---|---|
date | date=2014-12-02 | Log date. |
time | time=10:27:01 | Log time. |
log_id | log_id=0200004230 | Log ID. |
msg_id | msg_id=362301459 | Message ID. |
virus category | virus category=N/A | Virus category. |
count | count=1 | Rule match count. |
severity | severity=high | Rule severity. |
proto | proto=0 | Protocol. |
service | service=http | Service. |
src | src=173.177.99.94 | Source IP address. |
src_port | src_port=49301 | Source port. |
dst | dst=10.61.2.100 | Destination IP address. |
dst_port | dst_port=80 | Destination port. |
type | type=attack | Log type: attack. |
subtype | subtype=av | Log subtype: av. |
action | action=deny | Policy action. |
srccountry | srccountry=cn | Location of the source IP address. |
dstcountry | dstcountry=us | Location of the destination IP address. |
msg | msg=msg | Security rule name, category, subcategory, and description of the attack. |
sign_id | sign_id=0 | Signature ID. |
virus_id | virus_id=0 | Virus ID. |
av_anatype | av_anatype=analytics | AV analysis type. |
url | url=none | URL. |
virus/botnet | virus/botnet=N/A | Virus or botnet name. |
Submitted_to_Fortisandbox | Submitted_to_Fortisandbox=no | Whether the file was submitted to FortiSandbox. |
quar_file_name | quar_file_name=N/A | Quarantined file name. |
proto_method | proto_method=none | Protocol method. |
av_profile | av_profile=AV1 | AV profile name. |
FortiSandbox Checksum | B08663FD9FC147D6ADBB3D70DCEC1271A4288C71D887D44811D93E366D91AD2C | Checksum of the file submitted to FortiSandbox (64 hexadecimal characters). |
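The GUI filter described above is convenient for a quick look, but when the security log is exported (for example to a syslog collector) you end up with raw key=value lines in the layout the tables describe, and the same filtering has to be done in code. The following is an added example, not part of the original page and not Fortinet code: a small parser for that key=value layout, the equivalent of the category and Filter Settings filters, extraction of the attack ID, rule name, category and subcategory embedded in the WAF msg value, and a per-source count of denied events for triage. The sample log lines are constructed from the examples in the tables above; the msg text for the non-WAF lines is placeholder text (the page only shows msg=msg), and the pkt_hdr value is likewise made up.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# A key starts the line or follows whitespace and is immediately followed by '='.
# A value runs up to the next such key token, so quoted values containing spaces
# (including the WAF msg field, whose nested double quotes are not escaped) survive.
# Caveat: a value that itself contains ' word=' would be split at that point.
KEY_RE = re.compile(r'(?:^|\s)([A-Za-z_][A-Za-z0-9_/]*)=')

# Columns the Filter Settings dialog filters on; "Vs Name" is the policy key.
FILTER_COLUMNS = ("date", "time", "proto", "service", "src", "src_port",
                  "dst", "dst_port", "policy", "action")

# Structure of the WAF msg value, as shown in the WAF log table:
#   Find Attack ID: 1010010001 NAME: "..." CATEGORY: "..." SUB_CATEGORY: "..."
WAF_MSG_RE = re.compile(
    r'Attack ID:\s*(\d+)\s+NAME:\s*"([^"]*)"\s+CATEGORY:\s*"([^"]*)"'
    r'\s+SUB_CATEGORY:\s*"([^"]*)"')

# Constructed sample lines (one per category) built from the table examples.
SAMPLE_LOG = '''\
date=2014-12-02 time=10:27:01 log_id=0200004230 type=attack subtype=ip_reputation pri=warning vd=root msg_id=13065998 count=1 severity=high proto=6 service=http src=4.4.4.4 src_port=49301 dst=2.2.2.2 dst_port=80 policy=vs1 action=deny srccountry=cn dstcountry=us msg="placeholder ip reputation message"
date=2014-12-02 time=10:27:01 log_id=0200004230 type=attack subtype=synflood pri=warning vd=root msg_id=13065998 count=1 severity=high proto=0 service=http src=173.177.99.94 src_port=49301 dst=10.61.2.100 dst_port=80 policy=unknown action=deny srccountry=cn dstcountry=us msg="placeholder syn flood message"
date=2015-07-22 time=10:27:01 log_id=0202008074 type=attack subtype=waf pri=alert vd=root msg_id=1512 count=1 severity=low proto=6 service=http src=1.1.1.1 src_port=34352 dst=2.2.2.2 dst_port=80 policy=vs1 action=pass sigid=1 subcat=waf_http_protocol_cont http_host=192.168.1.140:8080 http_url=/bigdata pkt_hdr="GET /bigdata HTTP/1.1" srccountry=Australia dstcountry=France msg="Find Attack ID: 1010010001 NAME: "HTTP Method Violation" CATEGORY: "HTTP Protocol Constraint" SUB_CATEGORY: "Request Method Rule""
date=2014-12-02 time=10:27:01 log_id=0200004230 type=attack subtype=geo pri=warning vd=root msg_id=13065998 count=1 severity=high proto=0 service=http src=173.177.99.94 src_port=49301 dst=10.61.2.100 dst_port=80 policy=vs1 action=deny srccountry=cn dstcountry=us msg="placeholder geo ip message"
'''


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one key=value security log line into a dict; outer quotes are stripped."""
    keys = list(KEY_RE.finditer(line))
    record: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(line)
        value = line[m.end():end].strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        record[m.group(1)] = value
    return record


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line of an exported security log."""
    return [parse_log_line(line) for line in text.splitlines() if line.strip()]


def parse_waf_msg(msg: str) -> Dict[str, str]:
    """Extract attack ID, rule name, category and subcategory from a WAF msg value."""
    m = WAF_MSG_RE.search(msg)
    if not m:
        return {}
    return {"attack_id": m.group(1), "name": m.group(2),
            "category": m.group(3), "sub_category": m.group(4)}


def filter_logs(records: List[Dict[str, str]], subtype: Optional[str] = None,
                **criteria: str) -> List[Dict[str, str]]:
    """Mimic the GUI: optional category (the subtype key) plus exact matches on filter columns."""
    unknown = set(criteria) - set(FILTER_COLUMNS)
    if unknown:
        raise ValueError(f"not a filterable column: {sorted(unknown)}")
    return [r for r in records
            if (subtype is None or r.get("subtype") == subtype)
            and all(r.get(k) == v for k, v in criteria.items())]


def denied_sources(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count action=deny events per source IP across all categories."""
    return dict(Counter(r["src"] for r in records
                        if r.get("action") == "deny" and "src" in r))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in filter_logs(recs, subtype="waf"):
        print(r["src"], "->", r["http_host"] + r["http_url"], parse_waf_msg(r["msg"]))
    print("denied per source:", denied_sources(recs))
```

The parser deliberately splits on key tokens rather than on quotes, because the WAF msg value nests unescaped double quotes (see the example in the WAF log table) and a quote-balancing tokenizer such as shlex would reject it. Remember that action=pass in a WAF record (as in the sample) means the request was allowed through with the match logged, so it should not be counted as a block when you are measuring what was actually stopped.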