Security Events
The Log & Report > Security Events log page includes:
- A Summary tab that displays the five most frequent events for each enabled UTM security event type. Clicking a peak in the line chart displays the event count for the selected severity level. You can also filter the log viewer by time frame.
- A Logs tab that displays individual, detailed logs for each UTM type. You can change the type of event log in the dropdown list at the top right. You can apply a custom time frame using the Date/Time filter. When the Date/Time filter is applied, the time frame selector is disabled and set to Custom. To select a new time frame, first remove the existing filter by clicking the X in the search bar or selecting Remove in the Filter dialog.
Clicking an event in the Summary tab opens the Logs tab with the appropriate filters applied automatically.
Disk logging and historical FortiView must be enabled for the Summary tab to display valid data.
To review security events in the GUI:
- Go to Log & Report > Security Events.
  The Summary tab displays up to five top events in each enabled, non-empty security event card.
- On the right side of the screen, select the time range from the dropdown list.
  The non-empty security event cards list up to five top entries within the selected time range.
  Data is retrieved from FortiView, with the 5 minute range updated first. When the 1 hour or 24 hours time range is selected, there may be a delay before the top security event entries are updated.
- Review the details of security events:
  - Click the security event card name.
    The Logs tab displays all event entries for the selected type of security event. You can change the type of event log in the dropdown list at the top right.
  - Click a top event entry in a security event card.
    The Logs tab displays security events with filters for the selected event entry and time range applied. The security event type can be changed in the dropdown list at the top right. A custom time frame can be applied using the Date/Time filter. If the Date/Time filter is applied, the time frame selector is disabled and set to Custom. To select a new time frame, first remove the existing filter by clicking the X in the search bar or selecting Remove in the Filter dialog.
- Up to 100 top security event entries can be listed in the CLI using the diagnose fortiview result security-log command.
To list security events in the CLI:
# diagnose fortiview result security-log [<filters>]
To list security events in the CLI with no filters applied:
# diagnose fortiview result security-log
data(1646862300-1646948701):
0). logcat-2 | logcatname-virus | logid-0211008192 | eventname-EICAR_TEST_FILE | eventname_field-virus | action-blocked | count-1 |
1). logcat-2 | logcatname-virus | logid-0211008192 | eventname-virus_test3 | eventname_field-virus | action-passthrough | count-1 |
2). logcat-2 | logcatname-virus | logid-0212008448 | eventname-filename | eventname_field-virus | action-passthrough | count-1 |
3). logcat-3 | logcatname-webfilter | logid-0318012800 | eventname- | eventname_field-catdesc | action-blocked | count-2 |
4). logcat-3 | logcatname-webfilter | logid-0316013056 | eventname-Information Technology | eventname_field-catdesc | action-blocked | count-1 |
5). logcat-3 | logcatname-webfilter | logid-0316013056 | eventname-Malicious Websites | eventname_field-catdesc | action-blocked | count-1 |
6). logcat-4 | logcatname-ips | logid-0419016384 | eventname-Eicar.Virus.Test.File | eventname_field-attack | action-dropped | count-3 |
7). logcat-4 | logcatname-ips | logid-0422016400 | eventname-test_botnet | eventname_field-attack | action-detected | count-1 |
8). logcat-7 | logcatname-anomaly | logid-0720018432 | eventname-tcp_syn_flood | eventname_field-attack | action-clear_session | count-1 |
9). logcat-10 | logcatname-app-ctrl | logid-1059028704 | eventname-Storage.Backup | eventname_field-appcat | action-pass | count-9 |
10). logcat-10 | logcatname-app-ctrl | logid-1059028704 | eventname-Video/Audio | eventname_field-appcat | action-pass | count-3 |
11). logcat-10 | logcatname-app-ctrl | logid-1059028672 | eventname-im | eventname_field-appcat | action-pass | count-1 |
12). logcat-10 | logcatname-app-ctrl | logid-1059028704 | eventname-P2P | eventname_field-appcat | action-pass | count-1 |
13). logcat-15 | logcatname-dns | logid-1501054400 | eventname-Domain blocked because it is in the domain-filter list | eventname_field-logid | action-block | count-1 |
14). logcat-17 | logcatname-ssl | logid-1700062300 | eventname-SSL connection is blocked due to the server certificate is blocklisted | eventname_field-logid | action-blocked | count-1 |
15). logcat-16 | logcatname-ssh | logid-1600061002 | eventname-SSH shell command is detected | eventname_field-logid | action-passthrough | count-1 |
16). logcat-16 | logcatname-ssh | logid-1601061010 | eventname-SSH channel is blocked | eventname_field-logid | action-blocked | count-1 |
17). logcat-12 | logcatname-waf | logid-1200030248 | eventname-Web application firewall blocked application by signature | eventname_field-logid | action-blocked | count-1 |
18). logcat-8 | logcatname-voip | logid-0814044032 | eventname-Logid_44032 | eventname_field-logid | action-permit | count-1 |
19). logcat-5 | logcatname-emailfilter | logid-0513020480 | eventname-SPAM notification | eventname_field-logid | action-blocked | count-1 |
To list blocked security events in the CLI:
# diagnose fortiview result security-log action=blocked
data(1646862600-1646949001):
0). logcat-2 | logcatname-virus | logid-0211008192 | eventname-EICAR_TEST_FILE | eventname_field-virus | action-blocked | count-1 |
1). logcat-3 | logcatname-webfilter | logid-0318012800 | eventname- | eventname_field-catdesc | action-blocked | count-2 |
2). logcat-3 | logcatname-webfilter | logid-0316013056 | eventname-Information Technology | eventname_field-catdesc | action-blocked | count-1 |
3). logcat-3 | logcatname-webfilter | logid-0316013056 | eventname-Malicious Websites | eventname_field-catdesc | action-blocked | count-1 |
4). logcat-17 | logcatname-ssl | logid-1700062300 | eventname-SSL connection is blocked due to the server certificate is blocklisted | eventname_field-logid | action-blocked | count-1 |
5). logcat-16 | logcatname-ssh | logid-1601061010 | eventname-SSH channel is blocked | eventname_field-logid | action-blocked | count-1 |
6). logcat-12 | logcatname-waf | logid-1200030248 | eventname-Web application firewall blocked application by signature | eventname_field-logid | action-blocked | count-1 |
7). logcat-5 | logcatname-emailfilter | logid-0513020480 | eventname-SPAM notification | eventname_field-logid | action-blocked | count-1 |
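The CLI output above is easy to collect over SSH but awkward to eyeball once it grows toward the 100-entry limit. The following is an added example (not FortiOS code and not from Fortinet's documentation) that parses the `data(start-end):` header and the `N). key-value | ... |` entries into records, reproduces the CLI's exact-match `action=blocked` filter and the GUI's top-five ranking, and totals hits per UTM category. The sample input is a subset of the entries copied from the listing above. The `DENY_ACTIONS` set is an assumption of this example: note that the page's own output uses `block` for DNS and `dropped` for IPS, neither of which the exact `action=blocked` filter returns.

```python
"""Parse and summarise FortiGate `diagnose fortiview result security-log` output."""
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Sample output, copied from the listing above (a subset of its 20 entries),
# embedded here so the parser runs offline.
SAMPLE_OUTPUT = """\
data(1646862300-1646948701):
0). logcat-2 | logcatname-virus | logid-0211008192 | eventname-EICAR_TEST_FILE | eventname_field-virus | action-blocked | count-1 |
1). logcat-2 | logcatname-virus | logid-0211008192 | eventname-virus_test3 | eventname_field-virus | action-passthrough | count-1 |
3). logcat-3 | logcatname-webfilter | logid-0318012800 | eventname- | eventname_field-catdesc | action-blocked | count-2 |
6). logcat-4 | logcatname-ips | logid-0419016384 | eventname-Eicar.Virus.Test.File | eventname_field-attack | action-dropped | count-3 |
9). logcat-10 | logcatname-app-ctrl | logid-1059028704 | eventname-Storage.Backup | eventname_field-appcat | action-pass | count-9 |
13). logcat-15 | logcatname-dns | logid-1501054400 | eventname-Domain blocked because it is in the domain-filter list | eventname_field-logid | action-block | count-1 |
14). logcat-17 | logcatname-ssl | logid-1700062300 | eventname-SSL connection is blocked due to the server certificate is blocklisted | eventname_field-logid | action-blocked | count-1 |
16). logcat-16 | logcatname-ssh | logid-1601061010 | eventname-SSH channel is blocked | eventname_field-logid | action-blocked | count-1 |
"""

# Assumption (ours, not a FortiOS definition): action values that mean the
# traffic was denied. The CLI filter action=blocked is an exact match, so the
# DNS "block" and IPS "dropped" entries fall outside it.
DENY_ACTIONS = {"blocked", "block", "dropped"}

HEADER_RE = re.compile(r"data\((\d+)-(\d+)\):")
ENTRY_RE = re.compile(r"^(\d+)\)\.\s*(.*)$")
INT_FIELDS = {"logcat", "count"}   # logid keeps its leading zero, so it stays a string


@dataclass
class SecurityLogResult:
    start: int                      # epoch seconds, from the data(start-end) header
    end: int
    entries: list = field(default_factory=list)

    @property
    def window_seconds(self):
        return self.end - self.start

    def window(self):
        """Human-readable UTC time window of the query."""
        def fmt(t):
            return datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
        return f"{fmt(self.start)} .. {fmt(self.end)}"


def parse_entry_line(line):
    """Turn 'N). key-value | key-value | ... |' into a dict, or None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = {"index": int(m.group(1))}
    for chunk in m.group(2).split("|"):
        chunk = chunk.strip()
        if not chunk:
            continue                           # the trailing '|' leaves an empty chunk
        key, sep, value = chunk.partition("-")  # split on the FIRST hyphen only, so
        if not sep:                             # values like 'app-ctrl' keep theirs
            raise ValueError(f"malformed field: {chunk!r}")
        entry[key] = int(value) if key in INT_FIELDS else value
    return entry


def parse_security_log(text):
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("missing data(start-end) header")
    result = SecurityLogResult(int(m.group(1)), int(m.group(2)))
    # Entries may arrive wrapped onto one line; break before each 'N).' marker.
    normalised = re.sub(r"\s+(?=\d+\)\.\s)", "\n", text)
    for line in normalised.splitlines():
        entry = parse_entry_line(line)
        if entry is not None:
            result.entries.append(entry)
    return result


def filter_entries(entries, **criteria):
    """Exact-match filter, like the CLI's key=value filters (e.g. action='blocked')."""
    return [e for e in entries if all(e.get(k) == v for k, v in criteria.items())]


def denied_entries(entries):
    """Entries whose action is in DENY_ACTIONS (broader than action=blocked)."""
    return [e for e in entries if e["action"] in DENY_ACTIONS]


def top_events(entries, n=5):
    """Entries ranked by hit count, the way the Summary tab ranks its top five."""
    return sorted(entries, key=lambda e: e["count"], reverse=True)[:n]


def hits_by_category(entries):
    """Total hit count per UTM category (logcatname)."""
    totals = Counter()
    for e in entries:
        totals[e["logcatname"]] += e["count"]
    return totals


if __name__ == "__main__":
    res = parse_security_log(SAMPLE_OUTPUT)
    print("window:", res.window())
    for e in top_events(res.entries, 3):
        print(f"{e['count']:>3}  {e['logcatname']:<10} {e['action']:<12} {e['eventname'] or '(no name)'}")
    print("blocked (exact):", len(filter_entries(res.entries, action="blocked")),
          "denied (any deny action):", len(denied_entries(res.entries)))
    print("per category:", dict(hits_by_category(res.entries)))
```

Feed it the raw CLI output captured over SSH. The one parsing rule that matters is splitting each field on the first hyphen only: category names such as `app-ctrl` and free-text event names such as the DNS domain-filter message contain hyphens of their own.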