
Administration Guide

Security Events log page

The Log & Report UTM log subtypes have been combined into the Security Events log page. The Security Events log page includes:

  • A Summary tab that displays the five most frequent events for each enabled UTM security event type.

  • A Details tab that displays individual, detailed logs for each UTM type.

Clicking on an event in the Summary tab will bring users to the Details tab with the appropriate filters automatically applied.

Note

Disk logging and historical FortiView must be enabled for the Summary tab to display valid data. See Log settings and targets for more information.

To review security events in the GUI:
  1. Go to Log & Report > Security Events.

    The Summary tab displays up to five top events in each enabled, non-empty security event card.

  2. On the right-side of the screen, select the time range from the dropdown list.

    The non-empty security event cards will list up to five top entries within the time range set.

    Note

    Data is retrieved from FortiView, and the 5 minute range is updated first. When selecting either the 1 hour or 24 hours time range, there may be a delay before the top security event entries are updated.

  3. Review the details of security events:

    • Click the security event card name.

      The Details tab displays all event entries for the selected type of security event. The security event type can be changed in the top-right dropdown list.

    • Click a top event entry in a security event card.

      The Details tab displays security events with filters for the selected event entry and time filter. The security event type can be changed in the top-right dropdown list.

Up to 100 top security event entries can be listed in the CLI using the diagnose fortiview result security-log command.

To list security events in the CLI:
# diagnose fortiview result security-log [<filters>]
To list security events in the CLI with no filters applied:
# diagnose fortiview result security-log 

    data(1646862300-1646948701):
    0). logcat-2 | logcatname-virus | logid-0211008192 | eventname-EICAR_TEST_FILE | eventname_field-virus | action-blocked | count-1 | 
    1). logcat-2 | logcatname-virus | logid-0211008192 | eventname-virus_test3 | eventname_field-virus | action-passthrough | count-1 | 
    2). logcat-2 | logcatname-virus | logid-0212008448 | eventname-filename | eventname_field-virus | action-passthrough | count-1 | 
    3). logcat-3 | logcatname-webfilter | logid-0318012800 | eventname- | eventname_field-catdesc | action-blocked | count-2 | 
    4). logcat-3 | logcatname-webfilter | logid-0316013056 | eventname-Information Technology | eventname_field-catdesc | action-blocked | count-1 | 
    5). logcat-3 | logcatname-webfilter | logid-0316013056 | eventname-Malicious Websites | eventname_field-catdesc | action-blocked | count-1 | 
    6). logcat-4 | logcatname-ips | logid-0419016384 | eventname-Eicar.Virus.Test.File | eventname_field-attack | action-dropped | count-3 | 
    7). logcat-4 | logcatname-ips | logid-0422016400 | eventname-test_botnet | eventname_field-attack | action-detected | count-1 | 
    8). logcat-7 | logcatname-anomaly | logid-0720018432 | eventname-tcp_syn_flood | eventname_field-attack | action-clear_session | count-1 | 
    9). logcat-10 | logcatname-app-ctrl | logid-1059028704 | eventname-Storage.Backup | eventname_field-appcat | action-pass | count-9 | 
    10). logcat-10 | logcatname-app-ctrl | logid-1059028704 | eventname-Video/Audio | eventname_field-appcat | action-pass | count-3 | 
    11). logcat-10 | logcatname-app-ctrl | logid-1059028672 | eventname-im | eventname_field-appcat | action-pass | count-1 | 
    12). logcat-10 | logcatname-app-ctrl | logid-1059028704 | eventname-P2P | eventname_field-appcat | action-pass | count-1 | 
    13). logcat-15 | logcatname-dns | logid-1501054400 | eventname-Domain blocked because it is in the domain-filter list | eventname_field-logid | action-block | count-1 | 
    14). logcat-17 | logcatname-ssl | logid-1700062300 | eventname-SSL connection is blocked due to the server certificate is blocklisted | eventname_field-logid | action-blocked | count-1 | 
    15). logcat-16 | logcatname-ssh | logid-1600061002 | eventname-SSH shell command is detected | eventname_field-logid | action-passthrough | count-1 | 
    16). logcat-16 | logcatname-ssh | logid-1601061010 | eventname-SSH channel is blocked | eventname_field-logid | action-blocked | count-1 | 
    17). logcat-12 | logcatname-waf | logid-1200030248 | eventname-Web application firewall blocked application by signature | eventname_field-logid | action-blocked | count-1 | 
    18). logcat-8 | logcatname-voip | logid-0814044032 | eventname-Logid_44032 | eventname_field-logid | action-permit | count-1 | 
    19). logcat-5 | logcatname-emailfilter | logid-0513020480 | eventname-SPAM notification | eventname_field-logid | action-blocked | count-1 |
To list blocked security events in the CLI:
# diagnose fortiview result security-log action=blocked

    data(1646862600-1646949001):
    0). logcat-2 | logcatname-virus | logid-0211008192 | eventname-EICAR_TEST_FILE | eventname_field-virus | action-blocked | count-1 | 
    1). logcat-3 | logcatname-webfilter | logid-0318012800 | eventname- | eventname_field-catdesc | action-blocked | count-2 | 
    2). logcat-3 | logcatname-webfilter | logid-0316013056 | eventname-Information Technology | eventname_field-catdesc | action-blocked | count-1 | 
    3). logcat-3 | logcatname-webfilter | logid-0316013056 | eventname-Malicious Websites | eventname_field-catdesc | action-blocked | count-1 | 
    4). logcat-17 | logcatname-ssl | logid-1700062300 | eventname-SSL connection is blocked due to the server certificate is blocklisted | eventname_field-logid | action-blocked | count-1 | 
    5). logcat-16 | logcatname-ssh | logid-1601061010 | eventname-SSH channel is blocked | eventname_field-logid | action-blocked | count-1 | 
    6). logcat-12 | logcatname-waf | logid-1200030248 | eventname-Web application firewall blocked application by signature | eventname_field-logid | action-blocked | count-1 | 
    7). logcat-5 | logcatname-emailfilter | logid-0513020480 | eventname-SPAM notification | eventname_field-logid | action-blocked | count-1 | 
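The pipe-delimited output of diagnose fortiview result security-log is easy to post-process off-box. The following Python script is an added example and is not part of the FortiOS documentation or product: it parses the unfiltered output shown above (embedded here as a constructed sample so the script runs offline), totals the count field per UTM category, reproduces the action=blocked filter from the second listing, and lists entries where a security feature fired but the traffic was allowed through (passthrough, detected, pass, permit), which is usually what an analyst wants to review first. The set of actions treated as blocking is an assumption taken from the sample output and should be extended to match your own profiles; the data(...) range is read as Unix epoch seconds, which is consistent with the 24 hour window in the sample.

```python
"""Parse and triage the output of `diagnose fortiview result security-log`."""
import re
from collections import Counter

# Constructed sample: the unfiltered output shown on this page, embedded so the
# script runs offline. In practice, paste the CLI output into a file instead.
SAMPLE_OUTPUT = """\
data(1646862300-1646948701):
0). logcat-2 | logcatname-virus | logid-0211008192 | eventname-EICAR_TEST_FILE | eventname_field-virus | action-blocked | count-1 |
1). logcat-2 | logcatname-virus | logid-0211008192 | eventname-virus_test3 | eventname_field-virus | action-passthrough | count-1 |
2). logcat-2 | logcatname-virus | logid-0212008448 | eventname-filename | eventname_field-virus | action-passthrough | count-1 |
3). logcat-3 | logcatname-webfilter | logid-0318012800 | eventname- | eventname_field-catdesc | action-blocked | count-2 |
4). logcat-3 | logcatname-webfilter | logid-0316013056 | eventname-Information Technology | eventname_field-catdesc | action-blocked | count-1 |
5). logcat-3 | logcatname-webfilter | logid-0316013056 | eventname-Malicious Websites | eventname_field-catdesc | action-blocked | count-1 |
6). logcat-4 | logcatname-ips | logid-0419016384 | eventname-Eicar.Virus.Test.File | eventname_field-attack | action-dropped | count-3 |
7). logcat-4 | logcatname-ips | logid-0422016400 | eventname-test_botnet | eventname_field-attack | action-detected | count-1 |
8). logcat-7 | logcatname-anomaly | logid-0720018432 | eventname-tcp_syn_flood | eventname_field-attack | action-clear_session | count-1 |
9). logcat-10 | logcatname-app-ctrl | logid-1059028704 | eventname-Storage.Backup | eventname_field-appcat | action-pass | count-9 |
10). logcat-10 | logcatname-app-ctrl | logid-1059028704 | eventname-Video/Audio | eventname_field-appcat | action-pass | count-3 |
11). logcat-10 | logcatname-app-ctrl | logid-1059028672 | eventname-im | eventname_field-appcat | action-pass | count-1 |
12). logcat-10 | logcatname-app-ctrl | logid-1059028704 | eventname-P2P | eventname_field-appcat | action-pass | count-1 |
13). logcat-15 | logcatname-dns | logid-1501054400 | eventname-Domain blocked because it is in the domain-filter list | eventname_field-logid | action-block | count-1 |
14). logcat-17 | logcatname-ssl | logid-1700062300 | eventname-SSL connection is blocked due to the server certificate is blocklisted | eventname_field-logid | action-blocked | count-1 |
15). logcat-16 | logcatname-ssh | logid-1600061002 | eventname-SSH shell command is detected | eventname_field-logid | action-passthrough | count-1 |
16). logcat-16 | logcatname-ssh | logid-1601061010 | eventname-SSH channel is blocked | eventname_field-logid | action-blocked | count-1 |
17). logcat-12 | logcatname-waf | logid-1200030248 | eventname-Web application firewall blocked application by signature | eventname_field-logid | action-blocked | count-1 |
18). logcat-8 | logcatname-voip | logid-0814044032 | eventname-Logid_44032 | eventname_field-logid | action-permit | count-1 |
19). logcat-5 | logcatname-emailfilter | logid-0513020480 | eventname-SPAM notification | eventname_field-logid | action-blocked | count-1 |
"""

# Assumption: the action values in the sample that mean the traffic was stopped.
# Extend this set to match the actions your own profiles emit.
BLOCKING_ACTIONS = {"blocked", "block", "dropped", "clear_session"}

RANGE_RE = re.compile(r"^\s*data\((\d+)-(\d+)\):")
ENTRY_RE = re.compile(r"^\s*\d+\)\.\s*(.*)$")


def parse_security_log(text):
    """Return (time_range, entries).

    time_range is (start, end) in epoch seconds; each entry is a dict of the
    key/value pairs on the line (logcat, logcatname, logid, eventname,
    eventname_field, action, count) with count converted to int. Values are
    split on the first '-' only, so an eventname containing a hyphen survives.
    """
    time_range, entries = None, []
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            time_range = (int(m.group(1)), int(m.group(2)))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entry = {}
        for field in m.group(1).split("|"):
            field = field.strip()
            if field:
                key, _, value = field.partition("-")
                entry[key] = value
        entry["count"] = int(entry.get("count", 0))
        entries.append(entry)
    return time_range, entries


def filter_entries(entries, **criteria):
    """Equivalent of the CLI's key=value filters, e.g. action='blocked'."""
    return [e for e in entries if all(e.get(k) == v for k, v in criteria.items())]


def counts_by_category(entries):
    """Total event count per UTM category (logcatname)."""
    totals = Counter()
    for e in entries:
        totals[e["logcatname"]] += e["count"]
    return totals


def detected_not_blocked(entries):
    """Entries where a feature fired but the traffic was allowed through
    (monitor-only or passthrough profiles). Review these first."""
    return [e for e in entries if e["action"] not in BLOCKING_ACTIONS]


if __name__ == "__main__":
    (start, end), entries = parse_security_log(SAMPLE_OUTPUT)
    print(f"window: {end - start} s, {len(entries)} top entries")
    for cat, total in counts_by_category(entries).most_common():
        print(f"{cat:12s} {total}")
    for e in detected_not_blocked(entries):
        print(f"REVIEW {e['logcatname']}: {e['eventname']} ({e['action']}, x{e['count']})")
```

Running the script against a saved copy of the CLI output gives a per-category tally and a review list; the virus entries with action passthrough and the IPS entry with action detected stand out because the signature matched but nothing was stopped.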