Fortinet black logo

Administration Guide

System Events log page

The Log & Report > System Events page includes:

  • A Summary tab that displays the top five most frequent events in each type of event log and a line chart to show aggregated events by each severity level. Clicking on a peak in the line chart will display the specific event count for the selected severity level.

  • A Logs tab that displays individual, detailed log views for event type.

The Summary tab includes the following enhancements:

  • Event list footers show a count of the events that relate to the type.

  • A count of the total events is shown at the top of the Summary. Hovering over the count shows the number of events with a time stamp.

  • Hovering over the Total Events By Level shows the shows the number of events with a time stamp.

  • Clicking on any event type title opens the Logs page for that event type filtered by the selected time span.

    For example, clicking VPN Events opens the following page:

  • Clicking on any event entry opens the Logs page for that event type filtered by the selected time span and log description.

    For example, in the General System Events box, clicking Admin logout successful opens the following page:

Note

Disk logging and historical FortiView must be enabled for the Summary tab to display valid data. See Log settings and targets for more information.

A time frame can be selected from the dropdown.

The line chart will display all of the system events, and the non-empty event cards will list up to five Top Event entries within the time frame set.

Note

Data is retrieved from FortiView with the 5 minutes range updated first. When selecting either the 1 hour or 24 hours time range, there may be a delay to update Top Event entries.

Up to 100 Top Event entries can be listed in the CLI using the diagnose fortiview result event-log command.

To view filtered log information:
  1. Go to Log & Report > System Events.

  2. Select the Logs tab.

  3. Hover over the leftmost column and click the gear icon. A list of column you can filter is displayed.

  4. Select the columns you want displayed.

  5. Click Apply. The selected columns are displayed.

  6. Click the filter icon for the column you want to filter. The filter dialog is displayed and the number of logs for each filter type is listed.

  7. Select the filters you want and click Apply. The logs that match the set filters are displayed and the filter is listed in the search bar.

  8. Select the log you want to see more information on.

  9. Click Details. The Log Details pane is displayed.

To list system events in the CLI:
# diagnose fortiview result event-log

    data(1646760000-1646846401):
    0). subtype-ha | eventname-HA device interface failed | level-warning | count-1 | 
    1). subtype-system | eventname-DHCP statistics | level-information | count-40 | 
    2). subtype-system | eventname-Super admin left VDOM | level-information | count-13 | 
    3). subtype-system | eventname-Admin performed an action from GUI | level-warning | count-5 | 
    4). subtype-system | eventname-Super admin entered VDOM | level-information | count-4 | 
    5). subtype-system | eventname-Global setting changed | level-notice | count-3 | 
    6). subtype-system | eventname-Attribute configured | level-information | count-2 | 
    7). subtype-system | eventname-Clear active sessions | level-warning | count-2 | 
    8). subtype-system | eventname-Disk log rolled | level-notice | count-2 | 
    9). subtype-system | eventname-Log rotation requested by FortiCron | level-notice | count-1 | 
    10). subtype-system | eventname-Report generated successfully | level-notice | count-1 | 
    11). subtype-system | eventname-Test | level-warning | count-1 | 
    12). subtype-system | eventname-VDOM added | level-notice | count-1 | 
    13). subtype-user | eventname-Authentication failed | level-notice | count-1 | 
    14). subtype-user | eventname-Authentication lockout | level-warning | count-1 | 
    15). subtype-user | eventname-FortiGuard override failed | level-warning | count-1 | 

The data is collected from FortiView for the last 24 hours by default. To specify a specific time range, customize the time filter using the diagnose fortiview time command.

To filter the time range of system events in the CLI:
# diagnose fortiview time <arg1> <arg2>

Where <arg1> is the start time in YYYY-MM-DD HH:MM:SS and <arg2> is the end time in YYYY-MM-DD HH:MM:SS.

The Log & Report > System Events page includes:

  • A Summary tab that displays the top five most frequent events in each type of event log and a line chart to show aggregated events by each severity level. Clicking on a peak in the line chart will display the specific event count for the selected severity level.

  • A Logs tab that displays individual, detailed log views for event type.

The Summary tab includes the following enhancements:

  • Event list footers show a count of the events that relate to the type.

  • A count of the total events is shown at the top of the Summary. Hovering over the count shows the number of events with a time stamp.

  • Hovering over the Total Events By Level shows the shows the number of events with a time stamp.

  • Clicking on any event type title opens the Logs page for that event type filtered by the selected time span.

    For example, clicking VPN Events opens the following page:

  • Clicking on any event entry opens the Logs page for that event type filtered by the selected time span and log description.

    For example, in the General System Events box, clicking Admin logout successful opens the following page:

Note

Disk logging and historical FortiView must be enabled for the Summary tab to display valid data. See Log settings and targets for more information.

A time frame can be selected from the dropdown.

The line chart will display all of the system events, and the non-empty event cards will list up to five Top Event entries within the time frame set.

Note

Data is retrieved from FortiView with the 5 minutes range updated first. When selecting either the 1 hour or 24 hours time range, there may be a delay to update Top Event entries.

Up to 100 Top Event entries can be listed in the CLI using the diagnose fortiview result event-log command.

To view filtered log information:
  1. Go to Log & Report > System Events.

  2. Select the Logs tab.

  3. Hover over the leftmost column and click the gear icon. A list of column you can filter is displayed.

  4. Select the columns you want displayed.

  5. Click Apply. The selected columns are displayed.

  6. Click the filter icon for the column you want to filter. The filter dialog is displayed and the number of logs for each filter type is listed.

  7. Select the filters you want and click Apply. The logs that match the set filters are displayed and the filter is listed in the search bar.

  8. Select the log you want to see more information on.

  9. Click Details. The Log Details pane is displayed.

To list system events in the CLI:
# diagnose fortiview result event-log

    data(1646760000-1646846401):
    0). subtype-ha | eventname-HA device interface failed | level-warning | count-1 | 
    1). subtype-system | eventname-DHCP statistics | level-information | count-40 | 
    2). subtype-system | eventname-Super admin left VDOM | level-information | count-13 | 
    3). subtype-system | eventname-Admin performed an action from GUI | level-warning | count-5 | 
    4). subtype-system | eventname-Super admin entered VDOM | level-information | count-4 | 
    5). subtype-system | eventname-Global setting changed | level-notice | count-3 | 
    6). subtype-system | eventname-Attribute configured | level-information | count-2 | 
    7). subtype-system | eventname-Clear active sessions | level-warning | count-2 | 
    8). subtype-system | eventname-Disk log rolled | level-notice | count-2 | 
    9). subtype-system | eventname-Log rotation requested by FortiCron | level-notice | count-1 | 
    10). subtype-system | eventname-Report generated successfully | level-notice | count-1 | 
    11). subtype-system | eventname-Test | level-warning | count-1 | 
    12). subtype-system | eventname-VDOM added | level-notice | count-1 | 
    13). subtype-user | eventname-Authentication failed | level-notice | count-1 | 
    14). subtype-user | eventname-Authentication lockout | level-warning | count-1 | 
    15). subtype-user | eventname-FortiGuard override failed | level-warning | count-1 | 

The data is collected from FortiView for the last 24 hours by default. To specify a specific time range, customize the time filter using the diagnose fortiview time command.

To filter the time range of system events in the CLI:
# diagnose fortiview time <arg1> <arg2>

Where <arg1> is the start time in YYYY-MM-DD HH:MM:SS and <arg2> is the end time in YYYY-MM-DD HH:MM:SS.