User Guide


Audit logs

Audit logs record system-level events such as user logins and server creation. You can view them through Global > Log & Report > Audit Logs. A maximum of 10,000 audit logs are displayed per filter.
Audit logs are retained for three months and are deleted after that.

To configure the log display settings:
  1. Go to Global > Log & Report > Audit Logs.
  2. Configure the following settings.
Reload: Click to update the page with any logs recorded since you last loaded the page.
Add Filter: Click to create a filter based on log message fields. Only messages that are among the most recent 100,000 messages and match the filter criteria are displayed. When you filter by time, all messages from the selected date are displayed.
To view the before/after comparison:

Audit logs provide details on configuration changes, including the configuration before and after the change.

For logs on configuration updates, the log item is a clickable link, as shown below.

Click the link to open a before/after comparison view. Click Diffs or All at the top right corner to show only the differences or to expand the whole configuration.

To export audit logs to log server:
  1. Go to Global > System Settings > Settings.
  2. Enable Audit Logs Export.
  3. Configure the following settings.

    Server Type

    Select whether to export the logs to a log server or an ElasticSearch service.

    See the following instructions for SysLog and ElasticSearch.

    SysLog

    IP/Domain and Port: Enter the IP/Domain and port of the log server.
    Protocol: Select the protocol used for log transfer.

    Server Certificate Verification

    When enabled, the system enforces server certificate verification before it sends audit logs to the log server. Without it, any host that intercepts the connection can present an arbitrary certificate and read or alter the exported logs, so keep this enabled when Protocol is SSL.

    Custom Certificate and Key
    • Off: FortiWeb Cloud automatically retrieves the SSL certificate used to encrypt the HTTPS connections between the log server and FortiWeb Cloud.
    • On: Manually enter the SSL client certificate and its private key.

    Available only if you select SSL in Protocol.

    Client Certificate: Fill in the Certificate field. Available only if you enabled Custom Certificate and Key.
    Private Key: Fill in the Private Key field. Available only if you enabled Custom Certificate and Key.
    Password: Enter the password of the private key. Available only if you enabled Custom Certificate and Key.
    Log Format
    • Default: Export logs in default format.
    • Custom: Customize the log format. All the supported parameters are listed by default. You can select the ones that you need, and delete the others.
    • Splunk: Export logs to Splunk log server.
    • CEF:0 (ArcSight): Export logs in CEF:0 format.
    • Microsoft Azure OMS: Export logs in Microsoft Azure OMS format.
    • LEEF1.0(QRadar): Export logs in LEEF1.0 format.
    Log Facility: Select the source facility of the logs. Only the local-use facilities (local0 through local7), which are not reserved and are available for general use, are supported.

    ElasticSearch

    ElasticSearch is a distributed, multitenant-capable full-text search engine with an HTTP interface and schema-free JSON documents.

    Address and Port

    Enter the address and port to access your ElasticSearch service.

    The default port for ElasticSearch service is 9200.

    User Name

    Enter the user name of the ElasticSearch service.

    Password

    Enter the password of the ElasticSearch service user.

  4. Click SAVE. The system exports newly generated audit logs to the log server every minute.

To prevent log poisoning, restrict your log server (or the firewall in front of it) so that it accepts export traffic only from the FortiWeb Cloud source IPs. Any message arriving from another address should be dropped rather than indexed as an audit event. The source IPs are as follows:

  • 3.226.2.163
  • 3.123.68.65
