Configuring remote log server settings for DDoS attack log
The DDoS attack log remote server configuration applies to security event data. You configure individual remote log server configurations for each SPP.
You can set up two remote DDoS Attack Log Remote syslog servers per SPP.
Before you begin:
- You must have Read-Write permission for Log & Report settings.
See also: Configuring remote log server settings for event logs.
To configure remote log settings for the Attack Log Remote:
- Go to Log & Report > Log Configuration > Attack Log Remote.
- Click Add.
- Complete the configuration as described in the table below.
- Save the configuration.
Attack Log remote logging configuration page
Attack Log remote logging configuration guidelines
| Settings | Guidelines |
|---|---|
| Name | Configuration name. |
| Status | Select to enable sending DDoS attack logs to a remote server. |
| SPP | Select the SPP whose logs are stored in the remote location. You can specify only one remote log server for each SPP. |
| Address | IP address of the FortiAnalyzer/syslog server. |
| Port | Listening port number of the FortiAnalyzer/syslog server. Usually this is UDP port 514. |
|
Global ACL |
Enable for Global ACL only |
The following example shows a DDoS attack syslog message:
Oct 10 10:56:00 170.30.100.162 devid=FI-1KB3913000012 date=2018-10-10 time=10:56:00 tz=PDT type=attack spp=2 evecode=2 evesubcode=87 description="HTTP Method flood from source" dir=1 protocol=6 sip=41.1.61.9 dip=41.20.0.20 dport=80 dropcount=72 subnet_id=7 facility=Local0 level=Notice direction=inbound spp_name="2Two" subnet_name="Seven"
DDoS attack syslog fields
| Field | Example (from the sample message above) |
Details |
|---|---|---|
| Syslog send timestamp | Oct 10 10:56:00 | Local FortiDDoS time |
| Syslog client IP address |
170.30.100.162
|
FortiDDoS Source Management Port |
| FortiDDoS device ID | devid=FI-1KB3913000012 | Serial Number of the FortiDDoS |
| Log datestamp | date=2018-10-10 | FortiDDoS local date |
| Log timestamp | time=10:56:00 | FortiDDoS local time |
| Log time zone | tz=PDT | FortiDDoS local time zone |
| Log type | type=attack | Attack or Event Log |
| SPP ID | spp=2 | Name of the FortiDDoS Service Protection Profile |
| Event code | evecode=2 | See the Appendix – DDoS Attack Log Reference |
| Event subcode | evesubcode=87 | See the Appendix – DDoS Attack Log Reference |
| Event type | description="HTTP Method flood from source" | Event name - see the Appendix – DDoS Attack Log Reference |
| Direction ID (1=inbound, 0=outbound) | dir=1 | Direction of attack traffic - see 'Direction' below for textual direction. |
| Protocol | protocol=6 | Layer 3 Protocol |
| Source IP address | sip=41.1.61.9 | Only included if non-spoofed Source IP address |
| Protected IP address | dip=41.20.0.20 | Protected IP address included in the FortiDDoS SPP Policies |
| Associated port | dport=80 | TCP or UDP Port under attack if applicable |
| Drop count | dropcount=72 | Number of dropped packets over 1-minute (Interrupt) or 5-minutes (Periodic) - see the Appendix – DDoS Attack Log Reference. |
| Subnet ID | subnet_id=7 | Index number of the SPP Policy where the Protected IP is contained - see 'Subnet name' below. |
| Facility | facility=Local0 | Defined by the customer in SNMP configuration |
| Level | level=Notice | Default severity level |
| Direction | direction=inbound | Textual direction of the attack traffic |
| SPP name | spp_name="2Two" | Service Protection Profile name that contains the SPP Policy/subnet that further contains the Protected IP address under attack |
| Subnet name | subnet_name="Seven" | Configured name of the SPP Policy/subnet |
|
To configure with the CLI: config log setting ddos-attack-log-remote edit Attack_log_Syslog set status enable set spp default set ip-address 172.30.153.105 next end |