Fortinet white logo
Fortinet white logo

Administration Guide

Log access

Log access

To view the log events table, go to Logging > Log Access > Logs.

The following options and information are available:

Refresh

Refresh the log list.

Simplified/ Full View

Simplified or full log view.

Downloads

Using Raw Log from the dropdown, export the FortiAuthenticator log to your computer as a text file named fac.log.

You can also download a full debug report for one of the following from the dropdown:

  • Summary
  • Authentication
  • Database
  • GUI
  • LDAP Sync
  • Accounting
  • Authorization
  • SSO
  • System
  • Push Authentication
  • REST API

Search by substring (e.g. username)

Enter a search term in the search field to search the log message list.

The search string must appear in the Message portion of the log entry to result in a match. To prevent each term in a phrase from matching separately, multiple keywords must be in quotes and be an exact match.

After the search is complete the number of positive matches is displayed next to the Search button, with the total number of log entries in brackets following. Select the total number of log entries to return to the full list. Subsequent searches will search all the log entries, and not just the previous search’s results.

Use the search bar to retrieve log records containing the specified substring (case-insensitive) in one of the following columns:

  • Short Message

  • Category

  • Sub Category

  • Log Type ID

  • User

  • Source IP

Time period

Select the clock icon and filter the log events table by selecting from the following available time periods:

  • Last hour

  • Last 8 hours

  • Last 24 hours

  • Last 7 days

  • Last month

  • Last 3 months

  • Last year

  • All

Reset table column widths

Select the reset icon to reset the table column widths to default.

ID

The log message’s ID.

Timestamp

The time the message was received.

Short Message

The log message itself, sometimes slightly shortened.

Level

The log severity level:

  • Emergency: The system has become unstable.
  • Alert: Immediate action is required.
  • Critical: Functionality is affected.
  • Error: An erroneous condition exists, and functionality is probably affected.
  • Warning: Functionality could be affected.
  • Notification: Information about normal events.
  • Information: General information about system operations.
  • Debug: Detailed information useful for debugging purposes.

Category

The log category, which is always Event. See Log access.

Sub Category

The log subcategory. See Log access.

Log Type ID

The log type ID.

Action

The action which created the log message, if applicable.

Status

The status of the action that created the log message, if applicable.

User

The user to whom the log message pertains.

Source IP

The source IP address of the relevant device if an authentication action fails.

To view log details:

From the log list, select the log whose details you need to view by clicking anywhere within the log’s row. The Log Details pane will open on the right side of the window.

After viewing the log details, select the close icon in the top right corner of the pane to close the details pane.

Sort the log messages

The log message table can be sorted by any column. To sort the log entries by a particular column, select the title for that column. The log entries will now be displayed based on data in that column in ascending order. Select the column heading again to sort the entries in descending order. Ascending or descending is displayed with an arrow next to the column title, an up arrow for ascending and down arrow for descending.

Log access

Log access

To view the log events table, go to Logging > Log Access > Logs.

The following options and information are available:

Refresh

Refresh the log list.

Simplified/ Full View

Simplified or full log view.

Downloads

Using Raw Log from the dropdown, export the FortiAuthenticator log to your computer as a text file named fac.log.

You can also download a full debug report for one of the following from the dropdown:

  • Summary
  • Authentication
  • Database
  • GUI
  • LDAP Sync
  • Accounting
  • Authorization
  • SSO
  • System
  • Push Authentication
  • REST API

Search by substring (e.g. username)

Enter a search term in the search field to search the log message list.

The search string must appear in the Message portion of the log entry to result in a match. To prevent each term in a phrase from matching separately, multiple keywords must be in quotes and be an exact match.

After the search is complete the number of positive matches is displayed next to the Search button, with the total number of log entries in brackets following. Select the total number of log entries to return to the full list. Subsequent searches will search all the log entries, and not just the previous search’s results.

Use the search bar to retrieve log records containing the specified substring (case-insensitive) in one of the following columns:

  • Short Message

  • Category

  • Sub Category

  • Log Type ID

  • User

  • Source IP

Time period

Select the clock icon and filter the log events table by selecting from the following available time periods:

  • Last hour

  • Last 8 hours

  • Last 24 hours

  • Last 7 days

  • Last month

  • Last 3 months

  • Last year

  • All

Reset table column widths

Select the reset icon to reset the table column widths to default.

ID

The log message’s ID.

Timestamp

The time the message was received.

Short Message

The log message itself, sometimes slightly shortened.

Level

The log severity level:

  • Emergency: The system has become unstable.
  • Alert: Immediate action is required.
  • Critical: Functionality is affected.
  • Error: An erroneous condition exists, and functionality is probably affected.
  • Warning: Functionality could be affected.
  • Notification: Information about normal events.
  • Information: General information about system operations.
  • Debug: Detailed information useful for debugging purposes.

Category

The log category, which is always Event. See Log access.

Sub Category

The log subcategory. See Log access.

Log Type ID

The log type ID.

Action

The action which created the log message, if applicable.

Status

The status of the action that created the log message, if applicable.

User

The user to whom the log message pertains.

Source IP

The source IP address of the relevant device if an authentication action fails.

To view log details:

From the log list, select the log whose details you need to view by clicking anywhere within the log’s row. The Log Details pane will open on the right side of the window.

After viewing the log details, select the close icon in the top right corner of the pane to close the details pane.

Sort the log messages

The log message table can be sorted by any column. To sort the log entries by a particular column, select the title for that column. The log entries will now be displayed based on data in that column in ascending order. Select the column heading again to sort the entries in descending order. Ascending or descending is displayed with an arrow next to the column title, an up arrow for ascending and down arrow for descending.