Log types

FortiWeb Manager provides three types of logs. You can select the log type to view related logs.

Attack Logs
Traffic Logs
Event Logs

Attack logs

Attack logs record attacks or intrusion attempts against the web servers protected by the FortiWeb appliance. This pane includes the following information:

Date/Time	The date/time when the log is generated.
Device Name	The name of the managed device.
Threat Level	The level of the threat.
Action	The actions that FortiWeb has taken.
Source	The source IP address of the client where the attack comes from.
Destination	The destination IP address where the attack happens.
HTTP Host	The HTTP host name.
Method	The HTTP method used, such as GET, POST, PUT, and DELETE, etc.
Main Type	The signature detection category.
Sub Type	The specific type of signature in the category.

Click any log item, and you can see the Log Details page.

When the Main Type is Signature Detection, two additional buttons appear on the Log Details page.

Click Signature View and you can see the signature details as below:

Click Add Exception, configure the settings below to add the signature exception rule per specific log to different group policies at the same time.

Signature Policy Name	Click to select the group signature policy.
Disable Signature	Enable if you do not want to detect such attacks.
Alert Only	Enable this option if you want to receive only logs or alert email about detections, but do not want to block matching requests.
Add Exception	Enable this option if you want to exempt specific host name/URL combinations. The following fields can be configured only when Add Exception option is enabled.
URI	String Match—Value is a literal URL, and it starts with a forward slash (/). Regular Expression Match—Value is a regular expression that matches all and only the URLs that the exception applies to, and it does not require a forward slash ( / ). This field is automatically configured as default value. Do not include a domain name or parameters. To match a domain name, use the Host element type. To match a URL that includes parameters, use the Full URL type.
HOST	String Match—Value is a literal host name. Regular Expression Match—Value is a regular expression that matches all and only the hosts that the exception applies to. This field is automatically configured as default value.
Full URL	String Match—Value is a literal URL. Regular Expression Match—Value is a regular expression that matches all and only the URLs that the exception applies to.
HTTP Method	Select the methods to include or exclude from the signature exemption. Include—FortiWeb does not perform a signature scan for requests that include the specified HTTP methods. Exclude—FortiWeb only performs signature scans for requests that include the specified HTTP methods.
Client IP	Specify the client IP address or IP range that FortiWeb uses to determine whether or not to perform a signature scan for the request. Equal—FortiWeb does not perform a signature scan for requests with a client IP address or IP range that matches the value of Client IP. Not Equal—FortiWeb only performs a signature scan for requests with a client IP address or IP range that matches the value of Client IP.
Parameter	String Match—Name is the literal name of a cookie. Regular Expression Match—Name is a regular expression that matches all and only the name of the cookie that exception applies to. Specify the name of the cookie and cookie value.
Cookie	String Match—Name is the literal name of a parameter. Regular Expression Match—Name is a regular expression that matches all and only the name of the parameter that exception applies to. Specify the name of the parameter and parameter value.

After you finish the settings, click Push to apply the signature exception rule to related FortiWeb device groups. See FortiWeb Administration Guide document in the Fortinet Document Library at https://docs.fortinet.com/fortiweb/admin-guides for more information about configuring signature exception rules.

When the Main Type is HTTP Protocol Constraints, one additional button Add Exception appears on the Log Details page.

Click Add Exception, configure the settings below to add the HTTP constraint exception rule per specific log.

HTTP Protocol Constraint Policy Name	Click to select group HTTP protocol constraint policy.
URL Pattern	String Match—The literal URL, such as `/index.php`, that the HTTP request must contain in order to match the input rule. The URL must begin with a backslash ( / ). Regular Expression Match—such as `^/*.php`, matching all and only the URLs to which the input rule should apply. The pattern does not require a slash ( / ); however, it must at match URLs that begin with a slash, such as `/index.cfm`. Do not include the domain name, such as `www.example.com`, which is configured separately in the Host drop-down list.
Host	Enter the IP address or fully qualified domain name (FQDN) of the protected host to which this exception applies.
Source IP	Enable to check requests for matching the HTTP constraint exceptions rule by their source IP addresses.
Protocol Constraint(s)	Select the protocol constraint(s) that you want to add to the exception rule according to the table below.

After you finish the settings, click Push to apply the HTTP constraint exception rule to related FortiWeb device groups. See FortiWeb Administration Guide document in the Fortinet Document Library at https://docs.fortinet.com/fortiweb/admin-guides for more information about configuring HTTP protocol constraint exceptions.

Traffic logs

Traffic logs record the traffic flowing through your FortiWeb device, such as HTTP/HTTTPS requests and responses. This pane includes the following information:

Date/Time	The date/time when the log is generated.
Device Name	The name of the managed device.
Source	The source ID address of the client where the attack comes from.
Destination	The destination IP address where the attack happens.
Service	The web service used, such as HTTP, HTTPS.
Method	The HTTP method used, such as GET, POST, PUT, and DELETE, etc.
Return Code	The HTTP response codes returned from the web server.
Message	The detailed traffic log information.

Event logs

Event logs display administrative events, such as downloading a backup copy of the configuration, and hardware failures. This pane includes the following information:

Date/Time	The date/time when the log is generated.
Device Name	The name of the managed device.
Level	The level of the log, critical, information, and notice.
User Interface	The interface the user uses, deamon, GUI or sshd.
Action	The action items that FortiWeb has taken.
Message	The detailed action information of FortiWeb.

Note: Log View can not show logs of managed devices that fail to communicate with FortiWeb Manager, and a red down arrow indicates such devices on Device Manager page.

You can schedule automatic deletion of event logs from System Settings > File Management. Check the box for event logs, and set the time periods and deletion time accordingly.

If you enter a comment when you reboot or shut down a FortiWeb Manager device from Status > Status page, you can view such log.

Log types

FortiWeb Manager provides three types of logs. You can select the log type to view related logs.

Attack Logs
Traffic Logs
Event Logs

Attack logs

Attack logs record attacks or intrusion attempts against the web servers protected by the FortiWeb appliance. This pane includes the following information:

Date/Time	The date/time when the log is generated.
Device Name	The name of the managed device.
Threat Level	The level of the threat.
Action	The actions that FortiWeb has taken.
Source	The source IP address of the client where the attack comes from.
Destination	The destination IP address where the attack happens.
HTTP Host	The HTTP host name.
Method	The HTTP method used, such as GET, POST, PUT, and DELETE, etc.
Main Type	The signature detection category.
Sub Type	The specific type of signature in the category.

Click any log item, and you can see the Log Details page.

When the Main Type is Signature Detection, two additional buttons appear on the Log Details page.

Click Signature View and you can see the signature details as below:

Click Add Exception, configure the settings below to add the signature exception rule per specific log to different group policies at the same time.

Signature Policy Name	Click to select the group signature policy.
Disable Signature	Enable if you do not want to detect such attacks.
Alert Only	Enable this option if you want to receive only logs or alert email about detections, but do not want to block matching requests.
Add Exception	Enable this option if you want to exempt specific host name/URL combinations. The following fields can be configured only when Add Exception option is enabled.
URI	String Match—Value is a literal URL, and it starts with a forward slash (/). Regular Expression Match—Value is a regular expression that matches all and only the URLs that the exception applies to, and it does not require a forward slash ( / ). This field is automatically configured as default value. Do not include a domain name or parameters. To match a domain name, use the Host element type. To match a URL that includes parameters, use the Full URL type.
HOST	String Match—Value is a literal host name. Regular Expression Match—Value is a regular expression that matches all and only the hosts that the exception applies to. This field is automatically configured as default value.
Full URL	String Match—Value is a literal URL. Regular Expression Match—Value is a regular expression that matches all and only the URLs that the exception applies to.
HTTP Method	Select the methods to include or exclude from the signature exemption. Include—FortiWeb does not perform a signature scan for requests that include the specified HTTP methods. Exclude—FortiWeb only performs signature scans for requests that include the specified HTTP methods.
Client IP	Specify the client IP address or IP range that FortiWeb uses to determine whether or not to perform a signature scan for the request. Equal—FortiWeb does not perform a signature scan for requests with a client IP address or IP range that matches the value of Client IP. Not Equal—FortiWeb only performs a signature scan for requests with a client IP address or IP range that matches the value of Client IP.
Parameter	String Match—Name is the literal name of a cookie. Regular Expression Match—Name is a regular expression that matches all and only the name of the cookie that exception applies to. Specify the name of the cookie and cookie value.
Cookie	String Match—Name is the literal name of a parameter. Regular Expression Match—Name is a regular expression that matches all and only the name of the parameter that exception applies to. Specify the name of the parameter and parameter value.

When the Main Type is HTTP Protocol Constraints, one additional button Add Exception appears on the Log Details page.

Click Add Exception, configure the settings below to add the HTTP constraint exception rule per specific log.

HTTP Protocol Constraint Policy Name	Click to select group HTTP protocol constraint policy.
URL Pattern	String Match—The literal URL, such as `/index.php`, that the HTTP request must contain in order to match the input rule. The URL must begin with a backslash ( / ). Regular Expression Match—such as `^/*.php`, matching all and only the URLs to which the input rule should apply. The pattern does not require a slash ( / ); however, it must at match URLs that begin with a slash, such as `/index.cfm`. Do not include the domain name, such as `www.example.com`, which is configured separately in the Host drop-down list.
Host	Enter the IP address or fully qualified domain name (FQDN) of the protected host to which this exception applies.
Source IP	Enable to check requests for matching the HTTP constraint exceptions rule by their source IP addresses.
Protocol Constraint(s)	Select the protocol constraint(s) that you want to add to the exception rule according to the table below.

Traffic logs

Traffic logs record the traffic flowing through your FortiWeb device, such as HTTP/HTTTPS requests and responses. This pane includes the following information:

Date/Time	The date/time when the log is generated.
Device Name	The name of the managed device.
Source	The source ID address of the client where the attack comes from.
Destination	The destination IP address where the attack happens.
Service	The web service used, such as HTTP, HTTPS.
Method	The HTTP method used, such as GET, POST, PUT, and DELETE, etc.
Return Code	The HTTP response codes returned from the web server.
Message	The detailed traffic log information.

Event logs

Event logs display administrative events, such as downloading a backup copy of the configuration, and hardware failures. This pane includes the following information:

Date/Time	The date/time when the log is generated.
Device Name	The name of the managed device.
Level	The level of the log, critical, information, and notice.
User Interface	The interface the user uses, deamon, GUI or sshd.
Action	The action items that FortiWeb has taken.
Message	The detailed action information of FortiWeb.

Note: Log View can not show logs of managed devices that fail to communicate with FortiWeb Manager, and a red down arrow indicates such devices on Device Manager page.

You can schedule automatic deletion of event logs from System Settings > File Management. Check the box for event logs, and set the time periods and deletion time accordingly.

If you enter a comment when you reboot or shut down a FortiWeb Manager device from Status > Status page, you can view such log.

FortiWeb Manager Administration Guide

Log types

Log types

Attack logs

Traffic logs

Event logs

Log types

Attack logs

Traffic logs

Event logs