Security Events log page
The Log & Report > Security Events log page includes:
-
A Summary tab that displays the five most frequent events for all of the enabled UTM security events.
-
A Logs tab that displays individual, detailed logs for each UTM type.
The Summary tab includes the following enhancements:
-
Event list footers show a count of the events that relate to the type.
-
A count of the total events is shown at the top of the Summary. Hovering over the count shows the number of events with a time stamp.
-
Clicking on any event type title opens the Logs page for that event type filtered by the selected time span.
For example, clicking Application Control opens the following page:
The security event type can be changed in the top-right dropdown list.
-
Clicking on any event entry opens the Logs page for that event type filtered by the selected time span and log description.
For example, in the Application Control box, clicking Network.Service opens the following page:
|
Disk logging and historical FortiView must be enabled for the Summary tab to display valid data. See Log settings and targets for more information. |
A time frame can be selected from the dropdown.
The non-empty security event cards will list up to five top entries within the time range set.
|
|
Data is retrieved from FortiView with the 5 minutes range updated first. When selecting either the 1 hour or 24 hours time range, there may be a delay to update top security event entries. Logs sourced from the Disk have different time frames available for filtering. See Viewing event logs. |
Up to 100 top security event entries can be listed in the CLI using the diagnose fortiview result security-log command.
To list security events in the CLI:
# diagnose fortiview result security-log [<filters>]
To list security events in the CLI with no filters applied:
# diagnose fortiview result security-log
data(1646862300-1646948701):
0). logcat-2 | logcatname-virus | logid-0211008192 | eventname-EICAR_TEST_FILE | eventname_field-virus | action-blocked | count-1 |
1). logcat-2 | logcatname-virus | logid-0211008192 | eventname-virus_test3 | eventname_field-virus | action-passthrough | count-1 |
2). logcat-2 | logcatname-virus | logid-0212008448 | eventname-filename | eventname_field-virus | action-passthrough | count-1 |
3). logcat-3 | logcatname-webfilter | logid-0318012800 | eventname- | eventname_field-catdesc | action-blocked | count-2 |
4). logcat-3 | logcatname-webfilter | logid-0316013056 | eventname-Information Technology | eventname_field-catdesc | action-blocked | count-1 |
5). logcat-3 | logcatname-webfilter | logid-0316013056 | eventname-Malicious Websites | eventname_field-catdesc | action-blocked | count-1 |
6). logcat-4 | logcatname-ips | logid-0419016384 | eventname-Eicar.Virus.Test.File | eventname_field-attack | action-dropped | count-3 |
7). logcat-4 | logcatname-ips | logid-0422016400 | eventname-test_botnet | eventname_field-attack | action-detected | count-1 |
8). logcat-7 | logcatname-anomaly | logid-0720018432 | eventname-tcp_syn_flood | eventname_field-attack | action-clear_session | count-1 |
9). logcat-10 | logcatname-app-ctrl | logid-1059028704 | eventname-Storage.Backup | eventname_field-appcat | action-pass | count-9 |
10). logcat-10 | logcatname-app-ctrl | logid-1059028704 | eventname-Video/Audio | eventname_field-appcat | action-pass | count-3 |
11). logcat-10 | logcatname-app-ctrl | logid-1059028672 | eventname-im | eventname_field-appcat | action-pass | count-1 |
12). logcat-10 | logcatname-app-ctrl | logid-1059028704 | eventname-P2P | eventname_field-appcat | action-pass | count-1 |
13). logcat-15 | logcatname-dns | logid-1501054400 | eventname-Domain blocked because it is in the domain-filter list | eventname_field-logid | action-block | count-1 |
14). logcat-17 | logcatname-ssl | logid-1700062300 | eventname-SSL connection is blocked due to the server certificate is blocklisted | eventname_field-logid | action-blocked | count-1 |
15). logcat-16 | logcatname-ssh | logid-1600061002 | eventname-SSH shell command is detected | eventname_field-logid | action-passthrough | count-1 |
16). logcat-16 | logcatname-ssh | logid-1601061010 | eventname-SSH channel is blocked | eventname_field-logid | action-blocked | count-1 |
17). logcat-12 | logcatname-waf | logid-1200030248 | eventname-Web application firewall blocked application by signature | eventname_field-logid | action-blocked | count-1 |
18). logcat-8 | logcatname-voip | logid-0814044032 | eventname-Logid_44032 | eventname_field-logid | action-permit | count-1 |
19). logcat-5 | logcatname-emailfilter | logid-0513020480 | eventname-SPAM notification | eventname_field-logid | action-blocked | count-1 |
To list blocked security events in the CLI:
# diagnose fortiview result security-log action=blocked
data(1646862600-1646949001):
0). logcat-2 | logcatname-virus | logid-0211008192 | eventname-EICAR_TEST_FILE | eventname_field-virus | action-blocked | count-1 |
1). logcat-3 | logcatname-webfilter | logid-0318012800 | eventname- | eventname_field-catdesc | action-blocked | count-2 |
2). logcat-3 | logcatname-webfilter | logid-0316013056 | eventname-Information Technology | eventname_field-catdesc | action-blocked | count-1 |
3). logcat-3 | logcatname-webfilter | logid-0316013056 | eventname-Malicious Websites | eventname_field-catdesc | action-blocked | count-1 |
4). logcat-17 | logcatname-ssl | logid-1700062300 | eventname-SSL connection is blocked due to the server certificate is blocklisted | eventname_field-logid | action-blocked | count-1 |
5). logcat-16 | logcatname-ssh | logid-1601061010 | eventname-SSH channel is blocked | eventname_field-logid | action-blocked | count-1 |
6). logcat-12 | logcatname-waf | logid-1200030248 | eventname-Web application firewall blocked application by signature | eventname_field-logid | action-blocked | count-1 |
7). logcat-5 | logcatname-emailfilter | logid-0513020480 | eventname-SPAM notification | eventname_field-logid | action-blocked | count-1 |