Fortinet white logo
Fortinet white logo

User Guide

Log Settings

Log Settings

Exporting attack logs

To export the attack logs to a log server:
  1. Go to Log Settings.
  2. Enable Attack Log Export.
  3. Click Add Log Server.
  4. Configure the following settings.

    Name

    Enter a name for the log server.

    Server Type

    Select whether to export the logs to a log server, an ElasticSearch service, FortiAnalyzer, or FortiSIEM.

    See the following instructions for SysLog, ElasticSearch, FortiAnalyzer, and FortiSIEM

    SysLog

    IP/Domain and PortEnter the IP/Domain and Port of the log server.
    ProtocolSelect the protocol used for log transfer.

    Server Certificate Verification

    When enabled, the system will enforces server certificate verification before it sends attack logs to the log server.

    Custom Certificate and Key
    • Off: FortiWeb Cloud automatically retrieves the SSL certificate used to encrypt the HTTPS connections between the log server and FortiWeb Cloud.
    • On: Manually enter the SSL certificate.

    Available only if you select SSL in Protocol.

    Client Certificate

    Fill in the Certificate field.

    Available only if you enabled Custom Certificate and Key.

    Private KeyFill in the Private Key field.
    Available only if you enabled Custom Certificate and Key.
    PasswordEnter the password of the private key.
    Available only if you enabled Custom Certificate and Key.
    Log Format
    • Default: Export logs in default format.
    • Custom: Customize the log format. All the supported parameters are listed by default. You can select the ones that you need, and delete the others.
    • Splunk: Export logs to Splunk log server.
    • CEF:0 (ArcSight): Export logs in CEF:0 format.
    • Microsoft Azure OMS: Export logs in Microsoft Azure OMS format.
    • LEEF1.0(QRadar): Export logs in LEEF1.0 format.

    Log Severity

    Select the severity level of the logs. All the exported logs will be attached with the selected severity level.

    Log FacilitySelect the source facility of the logs. We only support the local use facilities which are not reserved and are available for general use.

    ElasticSearch

    ElasticSearch is a search engine providing a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents.

    Address and Port

    Enter the address and port to access your ElasticSearch service.

    The default port for ElasticSearch service is 9200.

    User Name

    Enter the user name of the ElasticSearch service.

    Password

    Enter the password of the ElasticSearch service user.

    FortiAnalyzer

    FortiAnalyzer is a powerful log management, analytics, and reporting platform that provides centralized logging and analysis, plus end-to-end visibility.

    *Please note that while FortiAnalyzer is supported, FortiAnalyzer Cloud is not.

    IP/Domain and PortEnter the IP/Domain and Port of the log server.
    ProtocolSelect the protocol used for log transfer.

    Server Certificate Verification

    When enabled, the system will enforces server certificate verification before it sends attack logs to the log server.

    Log Format Preview

    This box shows a preview of the log format, and is not editable.

    Log Severity

    Select the severity level of the logs. All the exported logs will be attached with the selected severity level.

    Log FacilitySelect the source facility of the logs. We only support the local use facilities which are not reserved and are available for general use.

    FortiSIEM

    IP/Domain and Port

    Enter the IP/Domain and Port of the log server.

    ProtocolSelect the protocol used for log transfer.

    Server Certificate Verification

    When enabled, the system will enforces server certificate verification before it sends attack logs to the log server.

    Log Format Preview

    This box shows a preview of the log format, and is not editable.

    Log Severity

    Select the severity level of the logs. All the exported logs will be attached with the selected severity level.

    Log FacilitySelect the source facility of the logs. We only support the local use facilities which are not reserved and are available for general use.
  5. Click OK. The system exports newly generated attack logs to the log server every minute.

To prevent log poisoning, it's recommended to set filters on your log server to allow only the traffic from FortiWeb Cloud. The source IPs are as follows:

  • 3.226.2.163
  • 3.123.68.65

Configuring attack log alert

FortiWeb Cloud monitors the attack logs every five minutes, and sends alert email based on the set threat level. You can also customize a more complex rule for the alert email.

To configure an attack log alert:
  1. Go to Log Settings.
  2. Enable Attack Log Alerts.
  3. For Mode, when you select Basic, configure the following settings

    Threat Level

    The attacks of different threat levels are marked with the following values:

    • Critical: 50
    • High: 30
    • Medium: 10
    • Low: 5

    The system counts the threat score every 5 minutes. For example, if there are 2 critical attacks and 1 high threat level attack in 5 minutes, the threat score is 50*2+30=130.

    Basic

    In basic mode, an alert email will be sent if the threat score is accumulated higher than the following value in 5 minutes:

    • 1 (low)
    • 100 (medium)
    • 400 (high)
    • 700 (critical)

    For example, if you set the Threat Level to medium, and the threat score is 130, then an alert email will be sent.

    Notification Recipient

    • Default—The alert email will be sent to the email address that is used to register your account.
    • Custom—Specify the email addresses to receive the alert.

    Custom Recipient

    Enter the email addresses. Separate multiple email addresses with ",".

    Available only if you select Custom for Notification Recipient.

  4. For Mode, when you select Advanced, click +Create Alert to customize a more complex rule. You can create at most five rules.
  5. Configure the following settings.

    Name

    Enter a name for the alert rule.

    Threat Score

    Specify a threat score for the attack log.

    The attacks of different threat levels are marked with the following values:

    • Critical: 50
    • High: 30
    • Medium: 10
    • Low: 5

    The system counts the threat score every 5 minutes. For example, if there are 2 critical attacks and 1 high threat level attack in 5 minutes, the threat score is 50*2+30=130.

    If the actual threat score is higher than the score value you set, an alert email will be sent.

    Notification Recipient

    • Default—The alert email will be sent to the email address that is used to register your account.
    • Custom—Specify the email addresses to receive the alert.

    Custom Recipient

    Enter the email addresses. Separate multiple email addresses with ",".
    Available only if you select Custom for Notification Recipient.

  6. For Filter Overview, click Add Filter to create a filter based on attack log messages. Only messages that match the criteria in the filter will be calculated on the threat score.
  7. Click OK.

Exporting traffic logs

Traffic logs record traffic events such as HTTP requests and responses, and the expiration of HTTP sessions. FortiWeb Cloud's Web UI doesn't show traffic logs, but you can export traffic logs to AWS S3 or Azure Blob bucket in real time for long-term storage, analysis, or alerting.

Please note that at this time, FortiWeb Cloud does not support exporting traffic logs to OCI (Oracle Cloud Infrastructure).

  1. Go to Log Settings. w
  2. Enable Traffic Log Export.
  3. Configure the following settings.

    Server Type

    Select whether to export the logs to AWS S3 or Azure Blob.

    AWS S3

    Bucket name

    Enter the AWS S3 bucket name.

    Region

    Enter the region code, for example, ap-southeast-1.

    Access Key IDEnter the access key ID of the S3 bucket.
    Secret Key IDEnter the secret key ID of the S3 bucket.

    Prefix / Folder

    Enter the prefix / folder to store the traffic log.

    Azure Blob

    Storage Account Name

    Enter the Azure Blob storage account name

    Account Access Key

    Enter the Account Access Key for your storage account.

    Container Name

    Enter the name of the blob container to which you would like to export your traffic logs.

  4. Click Save.

To prevent log poisoning, it's recommended to set filters on your S3 bucket to allow only the traffic from FortiWeb Cloud. The source IPs from FortiWeb Cloud are as follows:

  • 3.226.2.163

  • 3.123.68.65

We also recommend adding the source IP addresses of traffic log exporting centers into the filter, corresponding to the region of your application.

AWS:

ap-east-1: Asia Pacific (Hong Kong) 16.162.29.183
ap-south-1: Asia Pacific (Mumbai) 15.207.118.191
ap-southeast.prod: Asia Pacific (Singapore) 18.142.59.230
ap-southeast-2: Asia Pacific (Sydney) 13.238.126.108
ca-central-1: Canada (Central)

52.60.181.20

eu-central-1: Europe (Frankfurt)

3.64.92.136

3.79.38.161

eu-west-1: Europe (Ireland) 54.220.37.1
eu-west-2: Europe (London) 18.171.94.215
eu-west-3: Europe (Paris) 15.237.205.81

eu-south-1: Europe (Milan)

35.152.101.76

il-central-1: AWS Israel (Tel Aviv) 51.17.180.108
sa-east-1:L South America (Sao Paulo) 15.229.167.39
us-east-1: US East (N.Virginia)

44.215.25.31

44.216.53.179

us-east-2: US East (Ohio) 3.19.8.134
us-west-1: US West (N. California) 54.177.53.242
us-west-2: US West (Oregon) 34.208.62.10

Azure:

Australia East 4.196.242.12
Canada Central 20.104.248.13
Central US

20.9.90.86

40.83.6.169

East US 20.228.131.15
East US 2

172.203.55.132

172.177.166.112

172.176.82.138

West US 2 20.114.37.228
West Europe 40.118.51.192
Brazil South (São Paulo State) 20.197.180.231

Google Cloud:

europe-west3 (Frankfurt)

34.89.191.169

europe-west8 (Milan)

34.154.9.107

us-east1 (South Carolina)

34.73.79.95

us-west1 (Oregon)

34.83.110.1

Sensitive Data Masking

Configure Sensitive Data Masking as part of Log Settings to mask information deemed sensitive in log message fields, such as passwords or credit card numbers. The Sensitive Data Masking settings are applied at the application level, with each application able to support up to 16 sensitive data rules.

To create a sensitive data rule:
  1. Go to Log Settings.
  2. Enable Sensitive Data Masking.
  3. Click +Sensitive Data Rule.
  4. Configure the following settings.
    Type

    Select the type of data the rule will apply to.

    • URL

    • Cookie

    • Parameter

    • Header

    Name

    Type a regular expression that matches all and only the input names whose values you want to obscure. To create a regular expression, see Frequently used regular expressions.

    This field is not required if URL data type is selected.

    Value

    Type a regular expression that matches all and only input values that you want to obscure. To create a regular expression, see Frequently used regular expressions.

  5. Click OK.

Retention and Periodic clean

All logs are periodically cleaned at the beginning of each month.

Please see table below for the retention information on each type of log:

Category

Features

Retention

Incident

Dashboard - Incidents

90 days

Dashboard - Top Incidents by Severity

Threat Analytics - Incidents

Attack log

Threat Analytics -Attack log

60 days

FortiView

Dashboard - OWASP Top 10 Threats

Dashboard - Threat Level History

Dashboard - Top Known Threats

Traffic log

Dashboard - Traffic Statistics by Country

60 days

Traffic Summary

Audit log

Audit log

60 days

On-Premise Device Attack log

Threat Analytics - Attack log (on-premise device only)

90 days

Log Settings

Log Settings

Exporting attack logs

To export the attack logs to a log server:
  1. Go to Log Settings.
  2. Enable Attack Log Export.
  3. Click Add Log Server.
  4. Configure the following settings.

    Name

    Enter a name for the log server.

    Server Type

    Select whether to export the logs to a log server, an ElasticSearch service, FortiAnalyzer, or FortiSIEM.

    See the following instructions for SysLog, ElasticSearch, FortiAnalyzer, and FortiSIEM

    SysLog

    IP/Domain and PortEnter the IP/Domain and Port of the log server.
    ProtocolSelect the protocol used for log transfer.

    Server Certificate Verification

    When enabled, the system will enforces server certificate verification before it sends attack logs to the log server.

    Custom Certificate and Key
    • Off: FortiWeb Cloud automatically retrieves the SSL certificate used to encrypt the HTTPS connections between the log server and FortiWeb Cloud.
    • On: Manually enter the SSL certificate.

    Available only if you select SSL in Protocol.

    Client Certificate

    Fill in the Certificate field.

    Available only if you enabled Custom Certificate and Key.

    Private KeyFill in the Private Key field.
    Available only if you enabled Custom Certificate and Key.
    PasswordEnter the password of the private key.
    Available only if you enabled Custom Certificate and Key.
    Log Format
    • Default: Export logs in default format.
    • Custom: Customize the log format. All the supported parameters are listed by default. You can select the ones that you need, and delete the others.
    • Splunk: Export logs to Splunk log server.
    • CEF:0 (ArcSight): Export logs in CEF:0 format.
    • Microsoft Azure OMS: Export logs in Microsoft Azure OMS format.
    • LEEF1.0(QRadar): Export logs in LEEF1.0 format.

    Log Severity

    Select the severity level of the logs. All the exported logs will be attached with the selected severity level.

    Log FacilitySelect the source facility of the logs. We only support the local use facilities which are not reserved and are available for general use.

    ElasticSearch

    ElasticSearch is a search engine providing a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents.

    Address and Port

    Enter the address and port to access your ElasticSearch service.

    The default port for ElasticSearch service is 9200.

    User Name

    Enter the user name of the ElasticSearch service.

    Password

    Enter the password of the ElasticSearch service user.

    FortiAnalyzer

    FortiAnalyzer is a powerful log management, analytics, and reporting platform that provides centralized logging and analysis, plus end-to-end visibility.

    *Please note that while FortiAnalyzer is supported, FortiAnalyzer Cloud is not.

    IP/Domain and PortEnter the IP/Domain and Port of the log server.
    ProtocolSelect the protocol used for log transfer.

    Server Certificate Verification

    When enabled, the system will enforces server certificate verification before it sends attack logs to the log server.

    Log Format Preview

    This box shows a preview of the log format, and is not editable.

    Log Severity

    Select the severity level of the logs. All the exported logs will be attached with the selected severity level.

    Log FacilitySelect the source facility of the logs. We only support the local use facilities which are not reserved and are available for general use.

    FortiSIEM

    IP/Domain and Port

    Enter the IP/Domain and Port of the log server.

    ProtocolSelect the protocol used for log transfer.

    Server Certificate Verification

    When enabled, the system will enforces server certificate verification before it sends attack logs to the log server.

    Log Format Preview

    This box shows a preview of the log format, and is not editable.

    Log Severity

    Select the severity level of the logs. All the exported logs will be attached with the selected severity level.

    Log FacilitySelect the source facility of the logs. We only support the local use facilities which are not reserved and are available for general use.
  5. Click OK. The system exports newly generated attack logs to the log server every minute.

To prevent log poisoning, it's recommended to set filters on your log server to allow only the traffic from FortiWeb Cloud. The source IPs are as follows:

  • 3.226.2.163
  • 3.123.68.65

Configuring attack log alert

FortiWeb Cloud monitors the attack logs every five minutes, and sends alert email based on the set threat level. You can also customize a more complex rule for the alert email.

To configure an attack log alert:
  1. Go to Log Settings.
  2. Enable Attack Log Alerts.
  3. For Mode, when you select Basic, configure the following settings

    Threat Level

    The attacks of different threat levels are marked with the following values:

    • Critical: 50
    • High: 30
    • Medium: 10
    • Low: 5

    The system counts the threat score every 5 minutes. For example, if there are 2 critical attacks and 1 high threat level attack in 5 minutes, the threat score is 50*2+30=130.

    Basic

    In basic mode, an alert email will be sent if the threat score is accumulated higher than the following value in 5 minutes:

    • 1 (low)
    • 100 (medium)
    • 400 (high)
    • 700 (critical)

    For example, if you set the Threat Level to medium, and the threat score is 130, then an alert email will be sent.

    Notification Recipient

    • Default—The alert email will be sent to the email address that is used to register your account.
    • Custom—Specify the email addresses to receive the alert.

    Custom Recipient

    Enter the email addresses. Separate multiple email addresses with ",".

    Available only if you select Custom for Notification Recipient.

  4. For Mode, when you select Advanced, click +Create Alert to customize a more complex rule. You can create at most five rules.
  5. Configure the following settings.

    Name

    Enter a name for the alert rule.

    Threat Score

    Specify a threat score for the attack log.

    The attacks of different threat levels are marked with the following values:

    • Critical: 50
    • High: 30
    • Medium: 10
    • Low: 5

    The system counts the threat score every 5 minutes. For example, if there are 2 critical attacks and 1 high threat level attack in 5 minutes, the threat score is 50*2+30=130.

    If the actual threat score is higher than the score value you set, an alert email will be sent.

    Notification Recipient

    • Default—The alert email will be sent to the email address that is used to register your account.
    • Custom—Specify the email addresses to receive the alert.

    Custom Recipient

    Enter the email addresses. Separate multiple email addresses with ",".
    Available only if you select Custom for Notification Recipient.

  6. For Filter Overview, click Add Filter to create a filter based on attack log messages. Only messages that match the criteria in the filter will be calculated on the threat score.
  7. Click OK.

Exporting traffic logs

Traffic logs record traffic events such as HTTP requests and responses, and the expiration of HTTP sessions. FortiWeb Cloud's Web UI doesn't show traffic logs, but you can export traffic logs to AWS S3 or Azure Blob bucket in real time for long-term storage, analysis, or alerting.

Please note that at this time, FortiWeb Cloud does not support exporting traffic logs to OCI (Oracle Cloud Infrastructure).

  1. Go to Log Settings. w
  2. Enable Traffic Log Export.
  3. Configure the following settings.

    Server Type

    Select whether to export the logs to AWS S3 or Azure Blob.

    AWS S3

    Bucket name

    Enter the AWS S3 bucket name.

    Region

    Enter the region code, for example, ap-southeast-1.

    Access Key IDEnter the access key ID of the S3 bucket.
    Secret Key IDEnter the secret key ID of the S3 bucket.

    Prefix / Folder

    Enter the prefix / folder to store the traffic log.

    Azure Blob

    Storage Account Name

    Enter the Azure Blob storage account name

    Account Access Key

    Enter the Account Access Key for your storage account.

    Container Name

    Enter the name of the blob container to which you would like to export your traffic logs.

  4. Click Save.

To prevent log poisoning, it's recommended to set filters on your S3 bucket to allow only the traffic from FortiWeb Cloud. The source IPs from FortiWeb Cloud are as follows:

  • 3.226.2.163

  • 3.123.68.65

We also recommend adding the source IP addresses of traffic log exporting centers into the filter, corresponding to the region of your application.

AWS:

ap-east-1: Asia Pacific (Hong Kong) 16.162.29.183
ap-south-1: Asia Pacific (Mumbai) 15.207.118.191
ap-southeast.prod: Asia Pacific (Singapore) 18.142.59.230
ap-southeast-2: Asia Pacific (Sydney) 13.238.126.108
ca-central-1: Canada (Central)

52.60.181.20

eu-central-1: Europe (Frankfurt)

3.64.92.136

3.79.38.161

eu-west-1: Europe (Ireland) 54.220.37.1
eu-west-2: Europe (London) 18.171.94.215
eu-west-3: Europe (Paris) 15.237.205.81

eu-south-1: Europe (Milan)

35.152.101.76

il-central-1: AWS Israel (Tel Aviv) 51.17.180.108
sa-east-1:L South America (Sao Paulo) 15.229.167.39
us-east-1: US East (N.Virginia)

44.215.25.31

44.216.53.179

us-east-2: US East (Ohio) 3.19.8.134
us-west-1: US West (N. California) 54.177.53.242
us-west-2: US West (Oregon) 34.208.62.10

Azure:

Australia East 4.196.242.12
Canada Central 20.104.248.13
Central US

20.9.90.86

40.83.6.169

East US 20.228.131.15
East US 2

172.203.55.132

172.177.166.112

172.176.82.138

West US 2 20.114.37.228
West Europe 40.118.51.192
Brazil South (São Paulo State) 20.197.180.231

Google Cloud:

europe-west3 (Frankfurt)

34.89.191.169

europe-west8 (Milan)

34.154.9.107

us-east1 (South Carolina)

34.73.79.95

us-west1 (Oregon)

34.83.110.1

Sensitive Data Masking

Configure Sensitive Data Masking as part of Log Settings to mask information deemed sensitive in log message fields, such as passwords or credit card numbers. The Sensitive Data Masking settings are applied at the application level, with each application able to support up to 16 sensitive data rules.

To create a sensitive data rule:
  1. Go to Log Settings.
  2. Enable Sensitive Data Masking.
  3. Click +Sensitive Data Rule.
  4. Configure the following settings.
    Type

    Select the type of data the rule will apply to.

    • URL

    • Cookie

    • Parameter

    • Header

    Name

    Type a regular expression that matches all and only the input names whose values you want to obscure. To create a regular expression, see Frequently used regular expressions.

    This field is not required if URL data type is selected.

    Value

    Type a regular expression that matches all and only input values that you want to obscure. To create a regular expression, see Frequently used regular expressions.

  5. Click OK.

Retention and Periodic clean

All logs are periodically cleaned at the beginning of each month.

Please see table below for the retention information on each type of log:

Category

Features

Retention

Incident

Dashboard - Incidents

90 days

Dashboard - Top Incidents by Severity

Threat Analytics - Incidents

Attack log

Threat Analytics -Attack log

60 days

FortiView

Dashboard - OWASP Top 10 Threats

Dashboard - Threat Level History

Dashboard - Top Known Threats

Traffic log

Dashboard - Traffic Statistics by Country

60 days

Traffic Summary

Audit log

Audit log

60 days

On-Premise Device Attack log

Threat Analytics - Attack log (on-premise device only)

90 days