
User Guide

Log Settings

This page includes configuration information for attack logs and traffic logs. For information on audit logs, please see Audit Logs Export.

Attack Log Alerts

Enable to receive Attack Log alerts for this application. To export Attack logs, please navigate to Threat Analytics > Settings.

  1. Navigate to Log Settings.

  2. Enable Attack Log Alerts.

  3. Select the Mode, which determines the set of configuration options available for defining your attack log alert settings.

    1. If you selected Basic, configure the following:

      Threat Level

      Set the lowest threat level you want to receive notifications for.

      • Low: Receive notifications for all threat analytics events.

      • Moderate: Receive notifications for Moderate and High threat events.

      • High: Receive notifications for High threat events.

      • Critical: Receive notifications for Critical threat events.

      Notification Recipient

      • Default: Select to send attack log alerts to the email address already associated with this application.

      • Custom: Enter up to 10 email addresses to receive these notifications, separated by commas.

    2. If you selected Advanced, click Create Alert and configure the following:

      Name

      The internal name by which this set of notification rules is displayed.

      Threat Score

      Set the lowest threat score you want to receive notifications for.

      The system calculates a threat score every 5 minutes by aggregating attack scores based on their severity.

      For instance, if there are two critical attacks (score of 50 each) and one high-level attack (score of 30) within this timeframe, the total threat score is calculated as 50*2+30=130.

      Threat Scores and their corresponding severity levels:

      • 1 (low)

      • 100 (medium)

      • 400 (high)

      • 700 (critical)

      Notification Recipient

      • Default: Select to send attack log alerts to the email address already associated with this application.

      • Custom: Enter up to 10 email addresses to receive these notifications, separated by commas.

      Filter Overview

      Click Add Filter to define more conditions for attack logs that should trigger alerts.

      1. In the left-most dropdown, select an attribute:

        • Source IP

        • User Agent

        • URL

        • Threat Main Type

        • Threat Sub Type

        • Signature ID

      2. Use the Operator and Value fields to specify the condition.

      3. Click Save Filter before adding another filter.

  4. Click Save to apply changes.
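As an added example (not from the Fortinet documentation), the following Python models the Threat Score aggregation described under Advanced mode: attack scores are summed per 5-minute window and each window total is compared with the severity thresholds. The per-attack scores for critical (50) and high (30) are the page's own; the moderate and low per-attack scores, the wall-clock alignment of the 5-minute windows and the sample events are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Per-attack scores: critical (50) and high (30) come from the page; the
# moderate and low values are assumed for this example.
ATTACK_SCORE = {"critical": 50, "high": 30, "moderate": 10, "low": 1}

# Aggregated threat-score thresholds and the severity each maps to (from the page).
THRESHOLDS = [(700, "critical"), (400, "high"), (100, "medium"), (1, "low")]


def window_start(ts):
    """Align a timestamp to its 5-minute wall-clock window (alignment is assumed)."""
    return ts.replace(minute=ts.minute - ts.minute % 5, second=0, microsecond=0)


def window_scores(events):
    """Sum the attack scores of the events falling in each 5-minute window."""
    totals = {}
    for ts, severity in events:
        start = window_start(ts)
        totals[start] = totals.get(start, 0) + ATTACK_SCORE[severity]
    return totals


def severity_for(score):
    """Severity label of an aggregated score, or None if below the lowest threshold."""
    for threshold, name in THRESHOLDS:
        if score >= threshold:
            return name
    return None


def alerts(events, min_score):
    """(window start, total, severity) for each window whose total meets the configured Threat Score."""
    return sorted((start, total, severity_for(total))
                  for start, total in window_scores(events).items() if total >= min_score)


# Constructed sample: the page's own case (2 critical + 1 high = 130) in the
# first window, a lone high attack in the next, then 14 critical attacks (700).
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
EVENTS = [(T0 + timedelta(minutes=1), "critical"),
          (T0 + timedelta(minutes=2), "critical"),
          (T0 + timedelta(minutes=4), "high"),
          (T0 + timedelta(minutes=6), "high")]
EVENTS += [(T0 + timedelta(minutes=11), "critical")] * 14

if __name__ == "__main__":
    for start, total, severity in alerts(EVENTS, min_score=100):
        print(f"{start:%H:%M} score={total} severity={severity}")
```

The lone high attack at 12:06 scores 30 in its own window and never reaches the medium threshold, which is why a Threat Score of 100 produces two alerts rather than three.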

Exporting traffic logs

Traffic logs record traffic events such as HTTP requests and responses, and the expiration of HTTP sessions. FortiAppSec Cloud's Web UI doesn't show traffic logs, but you can export them in real time to an AWS S3 bucket or an Azure Blob container for long-term storage, analysis, or alerting.

Log timestamps may differ between the portal and exported files.

  • Traffic Logs are recorded and exported in UTC. The portal automatically converts them to your local time, so portal times may differ from exported files.

  • Attack logs include a time zone and are also converted to your local time in the portal. Most analysis tools (e.g., FortiAnalyzer, FortiSIEM) handle this conversion as well.

  1. Go to Log Settings.
  2. Enable Traffic Log Export.
  3. Configure the following settings.

    Server Type

    Select whether to export the logs to AWS S3 or Azure Blob.

    AWS S3

    Bucket name

    Enter the AWS S3 bucket name.

    Region

    Enter the region code, for example, ap-southeast-1.

    Access Key ID

    Enter the access key ID of the S3 bucket.

    Secret Key ID

    Enter the secret key ID of the S3 bucket.

    Folder

    Enter the folder to store the traffic log.

    Azure Blob

    Storage Account Name

    Enter the Azure Blob storage account name.

    Account Access Key

    Enter the Account Access Key for your storage account.

    Container Name

    Enter the name of the blob container to which you would like to export your traffic logs.

    To use an S3 bucket for traffic export, the IAM role must have the following permissions enabled:

    • s3:PutObject

    • s3:GetObject

    • s3:GetBucketLocation

  4. Click Save.

To prevent log poisoning, it's recommended to set filters on your S3 bucket to allow only the traffic from FortiAppSec Cloud. The source IPs from FortiAppSec Cloud are as follows:

  • 3.226.2.163

  • 3.123.68.65

We also recommend adding to the filter the source IP addresses of the traffic log exporting center for the region in which your application is deployed.

AWS:

Region: Logstash IP
ap-east-1: Asia Pacific (Hong Kong) 16.162.29.183
ap-south-1: Asia Pacific (Mumbai) 15.207.118.191
ap-southeast-1.prod: Asia Pacific (Singapore) 18.142.59.230
ap-southeast-2: Asia Pacific (Sydney) 13.238.126.108
ap-southeast-3: Jakarta 108.137.118.125
ca-central-1: Canada (Central) 52.60.181.20
eu-central-1: Europe (Frankfurt) 3.64.92.136, 3.79.38.161
eu-west-1: Europe (Ireland) 54.220.37.1
eu-west-2: Europe (London) 18.171.94.215
eu-west-3: Europe (Paris) 15.237.205.81
eu-south-1: Europe (Milan) 35.152.101.76
il-central-1: AWS Israel (Tel Aviv) 51.17.180.108
sa-east-1: South America (Sao Paulo) 15.229.167.39
us-east-1: US East (N. Virginia) 44.215.25.31, 44.216.53.179
us-east-2: US East (Ohio) 3.19.8.134
us-west-1: US West (N. California) 54.177.53.242
us-west-2: US West (Oregon) 34.208.62.10

Azure:

Region: Logstash IP; Logstash Private IP
Australia East: Logstash IP 20.188.247.221; Logstash Private IP 10.22.1.52
Brazil South (São Paulo State): Logstash IP 191.234.179.164; Logstash Private IP 10.35.1.52
Canada Central: Logstash IP 52.237.13.214; Logstash Private IP 10.37.1.52
East US: Logstash IP 52.191.198.64; Logstash Private IP 10.3.1.57
East US 2: Logstash IP 20.10.187.167, 104.208.237.249, 40.123.43.190; Logstash Private IP 10.4.1.167, 10.4.1.166, 10.4.1.134
Qatar Central: Logstash IP 20.173.78.67; Logstash Private IP 10.39.1.40
South Africa North: Logstash IP 4.221.143.107; Logstash Private IP 10.40.1.10
West Europe: Logstash IP 20.73.191.71; Logstash Private IP 10.9.1.58
West US 2: Logstash IP 40.125.64.146; Logstash Private IP 10.15.1.58

Google Cloud:

Region: Logstash IP
europe-west3 (Frankfurt): 35.242.250.207
europe-west8 (Milan): 34.154.63.237
me-west1 (Tel Aviv): 34.165.47.110
us-east1 (South Carolina): 34.74.77.198
us-west1 (Oregon): 34.127.22.16
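As an added example (not Fortinet's own tooling), the following Python builds an S3 bucket policy that implements the source-IP filter recommended above for the AWS case and checks locally which source IPs the policy lets write: an explicit Deny on s3:PutObject for any request whose aws:SourceIp is outside the FortiAppSec Cloud IPs and the exporting center IPs of the application's region. The IP addresses are the page's; the bucket name, folder, the choice to restrict only PutObject (GetObject and GetBucketLocation remain governed by the IAM role) and the subset of regions included are assumptions.

```python
import ipaddress
import json

# Source IPs taken from the page: the global FortiAppSec Cloud IPs plus the
# traffic log exporting center IPs for a few AWS regions (others omitted here).
FORTIAPPSEC_GLOBAL_IPS = ["3.226.2.163", "3.123.68.65"]
AWS_LOGSTASH_IPS = {
    "us-east-1": ["44.215.25.31", "44.216.53.179"],
    "eu-central-1": ["3.64.92.136", "3.79.38.161"],
    "ap-southeast-2": ["13.238.126.108"],
}


def allowed_sources(region):
    """Global IPs plus the exporting center IPs of the application's region, as /32 CIDRs."""
    return [f"{ip}/32" for ip in FORTIAPPSEC_GLOBAL_IPS + AWS_LOGSTASH_IPS[region]]


def build_bucket_policy(bucket, region, folder):
    """Bucket policy that denies s3:PutObject into the log folder unless the request
    comes from an allowed source IP. GetObject/GetBucketLocation stay with the IAM role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyLogWritesNotFromFortiAppSec",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/{folder}/*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": allowed_sources(region)}},
        }],
    }


def put_allowed(policy, source_ip):
    """Local check of the policy: False when the explicit Deny fires for this source IP."""
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        cidrs = stmt["Condition"]["NotIpAddress"]["aws:SourceIp"]
        if not any(ip in ipaddress.ip_network(c) for c in cidrs):
            return False  # source is outside every allowed CIDR, so the Deny matches
    return True  # no Deny matched; the IAM role's Allow decides


if __name__ == "__main__":
    # "example-waf-logs" is a constructed bucket name.
    policy = build_bucket_policy("example-waf-logs", "us-east-1", "traffic")
    print(json.dumps(policy, indent=2))
```

aws:SourceIp is evaluated for requests arriving over the public internet (requests through a VPC endpoint carry aws:VpcSourceIp instead), and the explicit Deny also applies to your own principals, so add your administrative ranges before applying it.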

Sensitive Data Masking

Configure Sensitive Data Masking as part of Log Settings to mask information deemed sensitive in log message fields, such as passwords or credit card numbers. The Sensitive Data Masking settings are applied at the application level, with each application able to support up to 8 sensitive data rules.

To create a sensitive data rule:
  1. Go to Log Settings.
  2. Enable Sensitive Data Masking.
  3. Click +Sensitive Data Rule.
  4. Configure the following settings.
    Type

    Select the type of data the rule will apply to.

    • URL

    • Cookie

    • Parameter

    • Header

    Name

    Type a regular expression that matches all and only the input names whose values you want to obscure. To create a regular expression, see Frequently used regular expressions.

    This field is not required if URL data type is selected.

    Value

    Type a regular expression that matches all and only input values that you want to obscure. To create a regular expression, see Frequently used regular expressions.

  5. Click OK.
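As an added example (not Fortinet's implementation), the following Python applies rules of the same shape as the Sensitive Data Masking settings above (a Type, a Name regex and a Value regex) to a constructed request record, and shows why anchoring the Name regex matters for "all and only". The mask string, the AND semantics when both regexes are set, the replacement of the matched span for the URL type, and all rule patterns and sample data are assumptions.

```python
import re

MASK = "******"

# Rules as (type, name regex, value regex): type is URL, Cookie, Parameter or
# Header and the name regex is unused for URL, mirroring the page's fields. Constructed
# rules; the anchors make "password" match but leave a harmless "password_hint" alone.
RULES = [
    ("Parameter", r"^(password|passwd)$", ""),
    ("Parameter", r".*", r"^\d{13,19}$"),  # any parameter whose value looks like a card number
    ("Header", r"^Authorization$", ""),
    ("Cookie", r"^session(id)?$", ""),
    ("URL", "", r"token=[^&]+"),
]


def _matches(name_re, value_re, name, value):
    """A rule applies when every regex it defines matches (AND semantics assumed)."""
    if name_re and not re.search(name_re, name):
        return False
    return not value_re or bool(re.search(value_re, value))


def mask_record(record, rules=RULES):
    """Return a copy of a parsed request record with matching fields masked."""
    out = {"URL": record["URL"]}
    for rtype, _, value_re in rules:  # for URL the matched span is replaced (assumed)
        if rtype == "URL" and value_re:
            out["URL"] = re.sub(value_re, MASK, out["URL"])
    for section in ("Cookie", "Parameter", "Header"):
        out[section] = {
            k: MASK if any(t == section and _matches(n, v_re, k, v) for t, n, v_re in rules) else v
            for k, v in record.get(section, {}).items()
        }
    return out


# Constructed sample request as a parsed log record.
RECORD = {
    "URL": "/login?user=alice&token=9f3c1a",
    "Parameter": {"user": "alice", "password": "hunter2", "password_hint": "pet",
                  "card": "4111111111111111"},
    "Header": {"Authorization": "Bearer abc", "User-Agent": "curl/8.0"},
    "Cookie": {"sessionid": "e3b0c442", "lang": "en"},
}

if __name__ == "__main__":
    print(mask_record(RECORD))
```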

Retention and Periodic clean

All logs are periodically cleaned at the beginning of each month.

See the table below for the retention period of each log type (Category, Features, Retention):

Incident
  Features: Dashboard - Incidents; Dashboard - Top Incidents by Severity; Threat Analytics - Incidents
  Retention: 60 days

Attack log
  Features: Threat Analytics - Attack log; FortiView ThreatView; Dashboard - OWASP Top 10 Threats; Dashboard - Threat Level History; Dashboard - Top Known Threats
  Retention: 60 days

Traffic log
  Features: Dashboard - Traffic Statistics by Country; Traffic Summary
  Retention: 60 days

Audit log
  Features: Audit log
  Retention: 90 days

On-Premise Device Attack log
  Features: Threat Analytics - Attack log (on-premise device only)
  Retention: 60 days, or until storage capacity (20 GB × number of devices) is reached, whichever threshold is met first.

Diagnostics Report
  Features: Diagnostics
  Retention: 90 days
