Fortinet Document Library

User Guide

Audit logs

Audit logs report system-level events such as user login and server creation. You can view the audit logs through Global > Audit Logs. A maximum of 10,000 audit logs are displayed per filter.
An audit log is kept for three months and is deleted after that.

To configure the log display settings:
  1. Go to Global > Audit Logs.
  2. Configure the following settings.

    Reload

    Click to update the page with any logs that have been recorded since you previously loaded the page.

    Add Filter

    Click to create a filter based on log message fields. Only messages that are among the most recent 100,000 messages and match the filter criteria are displayed. When you search by time, all messages with the selected date are displayed.

To export audit logs to log server:
  1. Go to Global > Audit Logs.
  2. Enable Audit Logs Export.
  3. Configure the following settings.

    Server Type

    Select whether to export the logs to a log server or an ElasticSearch service.

    See the following instructions for SysLog and ElasticSearch.

    SysLog

    IP/Domain and Port

    Enter the IP/Domain and Port of the log server.

    Protocol

    Select the protocol used for log transfer.

    Server Certificate Verification

    When enabled, the system enforces server certificate verification before it sends attack logs to the log server.

    Custom Certificate and Key
    • Off: FortiWeb Cloud automatically retrieves the SSL certificate used to encrypt the HTTPS connections between the log server and FortiWeb Cloud.
    • On: Manually enter the SSL certificate.

    Available only if you select SSL in Protocol.

    Client Certificate

    Fill in the Certificate field. Available only if you enabled Custom Certificate and Key.

    Private Key

    Fill in the Private Key field. Available only if you enabled Custom Certificate and Key.

    Password

    Enter the password of the private key. Available only if you enabled Custom Certificate and Key.

    Log Format
    • Default: Export logs in the default format.
    • Custom: Customize the log format. All the supported parameters are listed by default. You can select the ones that you need and delete the others.
    • Splunk: Export logs to a Splunk log server.
    • CEF:0 (ArcSight): Export logs in CEF:0 format.
    • Microsoft Azure OMS: Export logs in Microsoft Azure OMS format.
    • LEEF1.0 (QRadar): Export logs in LEEF1.0 format.

    Log Facility

    Select the source facility of the logs. Only the local-use facilities, which are not reserved and are available for general use, are supported.

    ElasticSearch

    ElasticSearch is a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents.

    Address and Port

    Enter the address and port to access your ElasticSearch service.

    The default port for ElasticSearch service is 9200.

    User Name

    Enter the user name of the ElasticSearch service.

    Password

    Enter the password of the ElasticSearch service user.

  4. Click SAVE. The system exports newly generated audit logs to the log server every minute.

To prevent log poisoning, it is recommended to set filters on your log server that allow only traffic from FortiWeb Cloud. The source IPs are as follows:

  • 3.226.2.163
  • 3.123.68.65
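The source-IP restriction and the local-use facility requirement above can be enforced on the receiving side. The following is an added example, not Fortinet or FortiWeb Cloud code: it checks each inbound syslog line against the two source IPs listed on this page and against the syslog local-use facilities (local0 to local7, facility codes 16 to 23 in RFC 5424), dropping anything else. The sample lines are constructed and the function names are the example's own.

```python
import ipaddress
import re

# Source IPs the page lists for FortiWeb Cloud log export.
FORTIWEB_CLOUD_SOURCES = frozenset(
    ipaddress.ip_address(a) for a in ("3.226.2.163", "3.123.68.65")
)
# Syslog local-use facilities local0..local7 are facility codes 16..23 (RFC 5424).
LOCAL_USE_FACILITIES = range(16, 24)
_PRI_RE = re.compile(r"^<(\d{1,3})>")


def source_allowed(peer_ip: str) -> bool:
    """True only for the documented FortiWeb Cloud source addresses."""
    try:
        return ipaddress.ip_address(peer_ip) in FORTIWEB_CLOUD_SOURCES
    except ValueError:
        return False  # malformed address: reject


def facility_of(line: str):
    """Facility code from the leading <PRI> field, or None if missing/invalid."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # PRI = facility * 8 + severity; facility is at most 23
        return None
    return pri // 8


def accept(peer_ip: str, line: str) -> bool:
    """Keep a line only if it comes from an allowed source and uses a
    local-use facility, the only facilities the export can be set to."""
    if not source_allowed(peer_ip):
        return False
    fac = facility_of(line)
    return fac is not None and fac in LOCAL_USE_FACILITIES


if __name__ == "__main__":
    # Constructed sample lines (not real FortiWeb Cloud output).
    samples = [
        ("3.226.2.163", "<134>1 2024-05-01T10:00:00Z fortiweb audit - - user login"),
        ("198.51.100.7", "<134>1 2024-05-01T10:00:01Z fortiweb audit - - user login"),
        ("3.123.68.65", "<14>1 2024-05-01T10:00:02Z host app - - non-local facility"),
    ]
    for ip, line in samples:
        print(ip, "accepted" if accept(ip, line) else "dropped")
```

A network-level filter on the log server (firewall rule for the two addresses) is still the first line of defence; this check is a second gate inside the receiver.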
