Administration Guide

Analyzing Logging

Log messages record important events on your FortiRecorder system for extensive monitoring over extended periods of time.

To configure logging, see the Configuring Log Settings section.

Understanding and using logs

FortiRecorder appliances can log many different activities including:

  • camera recording events
  • administrator-triggered events including logouts and configuration changes
  • system-triggered events including system failures and HA activity

You can select a priority level that log messages must meet in order to be recorded.

The FortiRecorder appliance can save log messages to its memory, or to a remote location such as a Syslog server or FortiAnalyzer appliance. For more information, see “Configuring logging”.

Caution

Avoid recording highly frequent log types such as traffic logs to the local hard disk for an extended period of time. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.

To download a log file

  1. Go to one of the log types, such as Monitor > Log > Event.
  2. Right-click the desired log.
  3. Select Export to Table. FortiRecorder converts the log entry to a .csv file.

Checking log threat levels

Each log message contains a Severity (pri) field that indicates the severity of the event that caused the log message, such as pri=warning.

Level (0 is greatest)  Name          Description
0                      Emergency     The system has become unusable.
1                      Alert         Immediate action is required.
2                      Critical      Functionality is affected.
3                      Error         An error condition exists and functionality could be affected.
4                      Warning       Functionality could be affected.
5                      Notification  Information about normal events.
6                      Information   General information about system operations.

For each location where the FortiRecorder appliance can store log files (disk, Syslog or FortiAnalyzer), you can define a severity threshold. The FortiRecorder appliance stores all log messages equal to or exceeding the log severity level selected.

For example, select Error and the FortiRecorder appliance stores log messages whose log severity level is Error, Critical, Alert, and Emergency.

Caution

Avoid recording log messages using low log severity thresholds such as information or notification to the local hard disk for an extended period of time. A low log severity threshold is one possible cause of frequent logging. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.

Displaying and organizing logs

You can display, hide, and re-order the columns of the log display.

To display or hide columns in logs

  1. Go to one of the log types, such as Monitor > Log > Event.
  2. Select the Configure View drop-down menu.
  3. Select Show/Hide columns.
  4. Enable or disable the desired columns.
  5. Select OK.

To arrange the columns and rows

  1. Select and drag the column into the desired position.
  2. Hover your mouse cursor over one of the column headings. An arrow will appear on the right side of the heading. Click the arrow to display a drop-down menu, then select either Sort Ascending or Sort Descending to cause the rows to be sorted from either first to last, or last to first, based upon the contents of that column.
  3. Column settings will not usually persist when changing pages, nor from session to session. If you want to keep the settings, you must select Save View from the Configure View drop-down menu.

Searching logs

When viewing attack logs, you can locate a specific log using the event log search function.

To search for a specific log

  1. Go to one of the log types, such as Monitor > Log > Event.
  2. Select Search.

  3. Enter the following settings:

    Keyword
      Type the word or phrase to search. The word may appear in any of the fields of the log message (e.g. Action and/or Message) or in any part of that field’s value. If entering multiple words, they must occur uninterrupted in that exact order.

      For example, entering admin as a keyword will include results such as User admin2 logout from GUI(172.16.1.15) where part of the word appears in the middle of the log message. However, entering User logout would not yield any results, because in the log messages, those two words are always interrupted by the name of the account, and therefore do not exactly match your search key phrase.

      This setting is optional.

    Message
      Type all or part of the exact value of the Message (msg) field of the log messages that you want to find.

      This setting is optional.

    Subtype
      Enter the subtype, such as admin or system.

    Match condition
      Select whether your match criteria are specified exactly (Contain) or you have indicated multiple possible matches using an asterisk in Keyword (Wildcard).

    Time
      Select the date and time range that contains the attack log that you are searching for.

      This setting is optional.

      Note: The date fields default to the current date. Ensure the date fields are set to the actual date range that you want to search.

  4. Select Search.
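The severity-threshold rule from “Checking log threat levels” and the Contain/Wildcard search semantics described in the procedure above, worked through on exported raw log lines. This is an added example, not Fortinet code and not FortiRecorder’s own search implementation. It assumes that raw lines are space-separated key=value pairs (the guide names the pri, msg, subtype, log_id, date and time fields), that raw pri values are the lower-cased level names with notice accepted for Notification, and that matching is case-insensitive; the sample lines are constructed.

```python
"""Offline checks on exported FortiRecorder-style raw log lines (added example).

Models the per-destination severity threshold (disk, Syslog, FortiAnalyzer)
and the Keyword/Message/Subtype/Time search with Contain and Wildcard
matching. Assumed, not from the guide: raw lines are key=value pairs, raw
pri values are the lower-cased level names ('notice' accepted for
Notification) and matching is case-insensitive. Sample lines are constructed.
"""
import re
from datetime import datetime

# Severity table from the guide: 0 is the greatest severity.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notification": 5, "information": 6}
PRI_ALIASES = {"notice": "notification", "info": "information"}  # assumed

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_raw_log(line):
    """Split one key=value raw log line into a dict, unquoting quoted values."""
    entry = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        entry[key] = value
    return entry


def level_of(pri):
    """Numeric level of a raw pri value; a lower number is more severe."""
    name = pri.lower()
    return SEVERITY[PRI_ALIASES.get(name, name)]


def destinations_for(entry, thresholds):
    """Destinations that store the entry: its level number must be <= the
    destination's threshold level, i.e. equal to or more severe than it."""
    level = level_of(entry["pri"])
    return sorted(d for d, t in thresholds.items() if level <= level_of(t))


def _matches(value, pattern, match):
    """Contain: the pattern is one uninterrupted substring of the value.
    Wildcard: each '*' in the pattern stands for any run of characters."""
    if match == "contain":
        return pattern.lower() in value.lower()
    if match == "wildcard":
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        return re.search(regex, value, re.IGNORECASE) is not None
    raise ValueError(f"unknown match condition: {match}")


def _stamp(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def search_logs(entries, keyword=None, message=None, subtype=None,
                match="contain", start=None, end=None):
    """Entries satisfying every criterion given. keyword is tested against
    every field value, message only against msg, subtype must equal the
    subtype field; start/end are inclusive 'YYYY-MM-DD HH:MM:SS' strings
    compared against the entry's date and time fields."""
    hits = []
    for e in entries:
        if keyword and not any(_matches(v, keyword, match) for v in e.values()):
            continue
        if message and not _matches(e.get("msg", ""), message, match):
            continue
        if subtype and e.get("subtype", "").lower() != subtype.lower():
            continue
        if start or end:
            when = _stamp(f"{e['date']} {e['time']}")
            if (start and when < _stamp(start)) or (end and when > _stamp(end)):
                continue
        hits.append(e)
    return hits


# Constructed sample lines in the assumed raw format, not real device output.
SAMPLE_LINES = [
    'date=2024-03-01 time=08:00:05 log_id=0100000001 subtype=system pri=emergency msg="System halted"',
    'date=2024-03-01 time=08:15:42 log_id=0100000002 subtype=system pri=error msg="Disk usage above limit"',
    'date=2024-03-01 time=09:02:10 log_id=0100000003 subtype=admin pri=warning msg="Login failed for user admin from GUI(172.16.1.20)"',
    'date=2024-03-01 time=09:05:33 log_id=0100000004 subtype=admin pri=notice msg="User admin2 logout from GUI(172.16.1.15)"',
    'date=2024-03-02 time=10:30:00 log_id=0100000005 subtype=camera pri=information msg="Recording started"',
]
ENTRIES = [parse_raw_log(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    # Disk set to Error, as in the guide's example; the remote destinations get lower thresholds.
    thresholds = {"disk": "error", "syslog": "warning", "fortianalyzer": "information"}
    for e in ENTRIES:
        print(e["pri"].ljust(12), destinations_for(e, thresholds))
    # "User logout" finds nothing under Contain: the account name interrupts the phrase.
    print(len(search_logs(ENTRIES, keyword="User logout")))                    # 0
    # A wildcard in place of the account name matches the same line.
    print(len(search_logs(ENTRIES, keyword="User*logout", match="wildcard")))  # 1
```

Running the script shows why the guide cautions against low thresholds on the local disk: with disk at Error only the emergency and error lines are written locally, while the remote FortiAnalyzer destination at Information receives every line. The two search calls at the end reproduce the Keyword example from the table, with the wildcard form standing in for the account name that interrupts the phrase.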

Reviewing logs

The event log section displays every administrative event that occurs on the FortiRecorder system, such as unsuccessful login attempts and system failures.

Camera log displays the start and stop recording events, factory resets, and various other camera-related events on the FortiRecorder system.

Detection log displays instances of camera detections, such as motion detection.

Assistant log displays all operations related to voice-controlled assistants, such as Amazon Alexa.

You can use the web UI to view and download locally stored log messages. (You cannot use the web UI to view log messages that are stored remotely on Syslog or FortiAnalyzer devices.) Log messages are in human-readable format, where each log field’s name, such as Message (msg field when viewing a raw, downloaded log file), indicates its contents.

To view log messages

  1. Go to Monitor > Log > Event. Columns and appearance vary slightly by log type.
  2. Select the level of severity and type of log you are searching for from the Level and Type drop-down menus.
  3. Double-click the row of a log file for a more detailed description of the log entry.

Contents of the log section (some settings are only available in certain log types):

Level
  Select a severity level to hide log messages that are below this threshold (see “Checking log threat levels”).

Subtype
  Select a subcategory (corresponding to the Subtype column) to hide log messages whose subtype field does not match.

Go to line
  Type the index number of the log message (corresponding to the # column) that you want to jump to in the display.

Search
  Click to find log messages matching specific criteria.

Back
  Click to return to the list of log files stored on FortiRecorder’s hard drive.

Save View
  Click to keep your current log view settings for subsequent views and sessions.

#
  The index number of the log message within the log file.

  By default, the rows are sorted by time-stamp in descending order, starting with the most recent log message.

  Note: In the current log file, each log’s index number changes as new log messages are added, pushing older logs further down the stack. To find the same log message later, remember its time-stamp and Message, not its #.

Date
  The date on which the log message was recorded.

  When in raw format, this is the log’s date field.

Time
  The time at which the log message was recorded.

  When in raw format, this is the log’s time field.

Action
  The action the camera performed, such as stopping and starting recording.

Subtype
  The category of the log message, such as admin for events such as authentication or configuration changes, or system for events such as disk consumption or connection failures.

  When in raw format, this is the log’s subtype field.

Log ID
  A dynamic log identifier within the system. It is neither predictable nor indicative of the cause, and it is not necessarily a unique identifier.

  When in raw format, this is the log’s log_id field.

Detection Type/Subtype
  The particular kind of detection the camera registered, such as motion.

Message
  The log message that describes the specific occurrence of a recordable event.
