Fortinet black logo

Handbook

Security Logs

Security Logs

The FortiView > Security Logs page provides you with graphical analysis tools to view and analyze the statistical data collected from Log & Report > Security Log. All security logs from Log & Report > Security Log can be accessed from FortiView > Security Logs except for logs related to the Firewall module.

There are two types of FortiView logs:

  • Security Log — displays a bar graph of the security log event count against a specific time-period, from where you can drill down to a detailed view of particular logs.

  • Aggregate Log — displays a doughnut chart and bar graph that provide an aggregate view of security logs within a selected time-frame.

Security Log

From the Security Log tab, you can generate a bar graph of the log count and time-period of your choosing. The default selection is ALL, which generates a second bar graph of the log count of all security logs by category.

To view and filter the security log data:
  1. Navigate to the settings along the top of the window.
  2. Select the Security Log Category. The table below lists the available log options and their associated security module.

    Security Log Category

    Security Module

    AV Detection Anti Virus
    HTTP Access Limit DoS Protection

    HTTP Connection Flood
    HTTP Request Flood
    IP Fragmentation Attack
    TCP Access Flood
    TCP Slow Data Attack

    TCP SYN Flood

    GEO Blocklist

    Geo IP Blocklist

    IP Reputation

    IP Reputation

    Intrusion Detection

    Intrusion Prevention System (IPS)

    Anti Defacement

    Web Application Firewall (WAF)

    API Gateway

    Bot Detection

    Brute Force Login

    Cookie Security

    CORS Protection

    Credential Stuffing Defense

    CSRF Protection

    Data Leak Prevention

    SQL/XSS Inject Detection

    HTTP Input Validation

    HTTP Protocol Constraint

    JSON Validation

    OpenAPI Validation Detection

    SOAP Validation

    URL Protection

    Attacks(Signature)

    Web Scraping

    XML Validation

  3. Select the time-period from which the selected security logs should be included to generate the graph.
    You have the following options:
  • 1 Hour
  • 6 Hours
  • 1 Day
  • 1 Week
  • 1 Month
  • 1 Year

From each graph, you can click on any data point to view the associated logs for further analysis. The log columns displayed depends on the security log category. For additional detail, click the (Detail icon) to show the log details. For further description of each log message, see the FortiADC Log Reference.

The following table describes the columns for each security log.

Column

Description

Date Log date.
Time Log time.
Count

The Count column is only available for security logs related to DoS Protection, Geo IP Blocklist, and IP Reputation.

Rule match count.

Source Source IP address.
Destination Destination IP address.
Action Action type that was taken as a result.
Destination Destination IP address.

Service

The Service column is only available for security logs related to Anti Virus and IPS.

Specifies the service type.

Severity

The Service column is only available for security logs related to Anti Virus, Geo IP Blocklist, IPS and WAF.

Specifies the security level.

Virus Category

The Virus Category column is only available for security logs related to Anti Virus.

Specifies the virus category.

Rule Name

The Rule Name column is only available for security logs related to IPS.

Specifies the security rule name.

WAF Subcategory

The WAF Subcategory column is only available for security logs related to WAF.

Specifies the Web Application Firewall subcategory.

Action Action type that was taken as a result.

(Detail icon)

Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

For WAF related security logs, the following actions may be performed directly from the log details:

  • Add Exception — You can add WAF Exceptions directly from the WAF log. This option appears only for WAF subcategories that support WAF Exceptions. For details, see Configuring WAF Exception objects.

  • Disable Signature — You can disable WAF signature profiles directly from the WAF log. This option appears only for Attacks Signature WAF subcategories. Disable Signature can only be successful if the WAF signature profile exists, otherwise the disable will fail with the error message "Entry not found".

  • View Signature — You can view the WAF signature status and information directly from the WAF log. This option appears only for Attacks Signature WAF subcategories.

Aggregate Log

From the Aggregate Log tab, you can generate two graphs, a doughnut chart of the security logs by date and a horizontal bar graph of the security logs by category. these graphs provide an aggregate view of security logs within the time-period of your choosing.

To view and filter the aggregate log data:
  1. Navigate to the settings along the top of the window.
  2. Select the security logs from the following options:
  • IP Reputation — Traffic logged by the IP Reputation feature.
  • DDoS — Traffic logged by the DoS Protection feature.
  • WAF — Traffic logged by the Web Application Firewall feature.
  • GEO — Traffic logged by the Geo IP block list feature.
  • AV — Traffic logged by the Anti Virus module.
  • IPS — Traffic logged by the IPS feature.
  • Select the time-frame from the following options:
    • 3 Days
    • 5 Days
    • 7 Days

    From each graph, you can click on any data point to view the associated logs for further analysis. The log columns displayed depends on the security log category. For additional detail, click the (Detail icon) to show the log details. For further description of each log message, see the FortiADC Log Reference.

    The following table describes the columns for each security log.

    Column

    Description

    Date Log date.
    Time Log time.
    Count

    The Count column is only available for DDoS, GEO, and IP Reputation.

    Rule match count.

    Source Source IP address.
    Destination Destination IP address.
    Action Action type that was taken as a result.
    Destination Destination IP address.

    Service

    The Service column is only available for AV and IPS.

    Specifies the service type.

    Severity

    The Service column is only available for security logs related to AV, GEO, IPS and WAF.

    Specifies the security level.

    Virus Category

    The Virus Category column is only available for security logs related to AV.

    Specifies the virus category.

    Rule Name

    The Rule Name column is only available for security logs related to IPS.

    Specifies the security rule name.

    WAF Subcategory

    The WAF Subcategory column is only available for security logs related to WAF.

    Specifies the Web Application Firewall subcategory.

    Action Action type that was taken as a result.

    (Detail icon)

    Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

    For WAF security logs, the following actions may be performed directly from the log details:

    • Add Exception — You can add WAF Exceptions directly from the WAF log. This option appears only for WAF subcategories that support WAF Exceptions. For details, see Configuring WAF Exception objects.

    • Disable Signature — You can disable WAF signature profiles directly from the WAF log. This option appears only for Attacks Signature WAF subcategories. Disable Signature can only be successful if the WAF signature profile exists, otherwise the disable will fail with the error message "Entry not found".

    • View Signature — You can view the WAF signature status and information directly from the WAF log. This option appears only for Attacks Signature WAF subcategories.

    Security Logs

    The FortiView > Security Logs page provides you with graphical analysis tools to view and analyze the statistical data collected from Log & Report > Security Log. All security logs from Log & Report > Security Log can be accessed from FortiView > Security Logs except for logs related to the Firewall module.

    There are two types of FortiView logs:

    • Security Log — displays a bar graph of the security log event count against a specific time-period, from where you can drill down to a detailed view of particular logs.

    • Aggregate Log — displays a doughnut chart and bar graph that provide an aggregate view of security logs within a selected time-frame.

    Security Log

    From the Security Log tab, you can generate a bar graph of the log count and time-period of your choosing. The default selection is ALL, which generates a second bar graph of the log count of all security logs by category.

    To view and filter the security log data:
    1. Navigate to the settings along the top of the window.
    2. Select the Security Log Category. The table below lists the available log options and their associated security module.

      Security Log Category

      Security Module

      AV Detection Anti Virus
      HTTP Access Limit DoS Protection

      HTTP Connection Flood
      HTTP Request Flood
      IP Fragmentation Attack
      TCP Access Flood
      TCP Slow Data Attack

      TCP SYN Flood

      GEO Blocklist

      Geo IP Blocklist

      IP Reputation

      IP Reputation

      Intrusion Detection

      Intrusion Prevention System (IPS)

      Anti Defacement

      Web Application Firewall (WAF)

      API Gateway

      Bot Detection

      Brute Force Login

      Cookie Security

      CORS Protection

      Credential Stuffing Defense

      CSRF Protection

      Data Leak Prevention

      SQL/XSS Inject Detection

      HTTP Input Validation

      HTTP Protocol Constraint

      JSON Validation

      OpenAPI Validation Detection

      SOAP Validation

      URL Protection

      Attacks(Signature)

      Web Scraping

      XML Validation

    3. Select the time-period from which the selected security logs should be included to generate the graph.
      You have the following options:
    • 1 Hour
    • 6 Hours
    • 1 Day
    • 1 Week
    • 1 Month
    • 1 Year

    From each graph, you can click on any data point to view the associated logs for further analysis. The log columns displayed depends on the security log category. For additional detail, click the (Detail icon) to show the log details. For further description of each log message, see the FortiADC Log Reference.

    The following table describes the columns for each security log.

    Column

    Description

    Date Log date.
    Time Log time.
    Count

    The Count column is only available for security logs related to DoS Protection, Geo IP Blocklist, and IP Reputation.

    Rule match count.

    Source Source IP address.
    Destination Destination IP address.
    Action Action type that was taken as a result.
    Destination Destination IP address.

    Service

    The Service column is only available for security logs related to Anti Virus and IPS.

    Specifies the service type.

    Severity

    The Service column is only available for security logs related to Anti Virus, Geo IP Blocklist, IPS and WAF.

    Specifies the security level.

    Virus Category

    The Virus Category column is only available for security logs related to Anti Virus.

    Specifies the virus category.

    Rule Name

    The Rule Name column is only available for security logs related to IPS.

    Specifies the security rule name.

    WAF Subcategory

    The WAF Subcategory column is only available for security logs related to WAF.

    Specifies the Web Application Firewall subcategory.

    Action Action type that was taken as a result.

    (Detail icon)

    Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

    For WAF related security logs, the following actions may be performed directly from the log details:

    • Add Exception — You can add WAF Exceptions directly from the WAF log. This option appears only for WAF subcategories that support WAF Exceptions. For details, see Configuring WAF Exception objects.

    • Disable Signature — You can disable WAF signature profiles directly from the WAF log. This option appears only for Attacks Signature WAF subcategories. Disable Signature can only be successful if the WAF signature profile exists, otherwise the disable will fail with the error message "Entry not found".

    • View Signature — You can view the WAF signature status and information directly from the WAF log. This option appears only for Attacks Signature WAF subcategories.

    Aggregate Log

    From the Aggregate Log tab, you can generate two graphs, a doughnut chart of the security logs by date and a horizontal bar graph of the security logs by category. these graphs provide an aggregate view of security logs within the time-period of your choosing.

    To view and filter the aggregate log data:
    1. Navigate to the settings along the top of the window.
    2. Select the security logs from the following options:
    • IP Reputation — Traffic logged by the IP Reputation feature.
    • DDoS — Traffic logged by the DoS Protection feature.
    • WAF — Traffic logged by the Web Application Firewall feature.
    • GEO — Traffic logged by the Geo IP block list feature.
    • AV — Traffic logged by the Anti Virus module.
    • IPS — Traffic logged by the IPS feature.
  • Select the time-frame from the following options:
    • 3 Days
    • 5 Days
    • 7 Days

    From each graph, you can click on any data point to view the associated logs for further analysis. The log columns displayed depends on the security log category. For additional detail, click the (Detail icon) to show the log details. For further description of each log message, see the FortiADC Log Reference.

    The following table describes the columns for each security log.

    Column

    Description

    Date Log date.
    Time Log time.
    Count

    The Count column is only available for DDoS, GEO, and IP Reputation.

    Rule match count.

    Source Source IP address.
    Destination Destination IP address.
    Action Action type that was taken as a result.
    Destination Destination IP address.

    Service

    The Service column is only available for AV and IPS.

    Specifies the service type.

    Severity

    The Service column is only available for security logs related to AV, GEO, IPS and WAF.

    Specifies the security level.

    Virus Category

    The Virus Category column is only available for security logs related to AV.

    Specifies the virus category.

    Rule Name

    The Rule Name column is only available for security logs related to IPS.

    Specifies the security rule name.

    WAF Subcategory

    The WAF Subcategory column is only available for security logs related to WAF.

    Specifies the Web Application Firewall subcategory.

    Action Action type that was taken as a result.

    (Detail icon)

    Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

    For WAF security logs, the following actions may be performed directly from the log details:

    • Add Exception — You can add WAF Exceptions directly from the WAF log. This option appears only for WAF subcategories that support WAF Exceptions. For details, see Configuring WAF Exception objects.

    • Disable Signature — You can disable WAF signature profiles directly from the WAF log. This option appears only for Attacks Signature WAF subcategories. Disable Signature can only be successful if the WAF signature profile exists, otherwise the disable will fail with the error message "Entry not found".

    • View Signature — You can view the WAF signature status and information directly from the WAF log. This option appears only for Attacks Signature WAF subcategories.