
log attack-log

Use this command to configure recording of attack log messages on the local FortiWeb disk.

You must enable disk log storage and select log severity levels using log disk before any attack logs can be stored on disk.

Also use this command to define specific packet payloads to retain when storing attack logs.

Packet payloads can be retained for specific attack types or validation failures detected by the FortiWeb appliance. Packet payloads supplement the log message by providing the actual data that triggered the attack log, which may help you to fine-tune your regular expressions to prevent false positives. You can also examine changes to attack behavior for subsequent forensic analysis. Alternatively, for more extensive packet logging, you can run a packet trace. For details, see network sniffer.

If the offending HTTP request exceeds 4 kilobytes (KB), the FortiWeb appliance retains only 4 KB of the part of the payload that triggered the log message.

You can view attack log packet payloads from the Packet Log column using the web UI. For details, see the FortiWeb Administration Guide:

http://docs.fortinet.com/fortiweb/admin-guides

Packet payloads can contain sensitive information. You can prevent sensitive data from being displayed in the packet payload by applying sensitivity rules that detect and obscure sensitive information. For details, see log sensitive.

To use this command, your administrator account’s access control profile must have either w or rw permission to the loggrp area. For details, see Permissions.

Syntax

config log attack-log

set status {enable | disable}

set http-parse-error-output {enable | disable}

set packet-log {account-lockout-detection | anti-virus-detection | cookie-security | credential-db-detection | csrf-detection | custom-access | custom-protection-rule | fsa-detection | hidden-fields-failed | http-protocol-constraints | illegal-file-type | illegal-filesize | cors-protection | json-protection | ip-intelligence | padding-oracle | parameter-rule-failed | signature-detection | trojan-detection | user-tracking-detection | xml-protection | machine-learning | openapi-validation | websocket-security | mobile-api-protection | malicious-bots | known-good-bots | syntax-based-detection}

set no-ssl-error {enable | disable}

set http2-parse-error-output {enable | disable}

end


Variable Description Default

status {enable | disable}

Enable to record attack log messages on the disk.

To record attack logs, disk log storage must be enabled, and the severity levels selected using the log disk command.

Default: enable

http-parse-error-output {enable | disable}

Enable while debugging only, to log errors of the HTTP protocol parser.

Default: disable

packet-log {account-lockout-detection | anti-virus-detection | cookie-security | credential-db-detection | csrf-detection | custom-access | custom-protection-rule | fsa-detection | hidden-fields-failed | http-protocol-constraints | illegal-file-type | illegal-filesize | cors-protection | json-protection | ip-intelligence | padding-oracle | parameter-rule-failed | signature-detection | trojan-detection | user-tracking-detection | xml-protection | machine-learning | openapi-validation | websocket-security | mobile-api-protection | malicious-bots | known-good-bots | syntax-based-detection}

Select one or more detected attack types or validation failures. FortiWeb keeps packet payloads from its HTTP parser buffer with their associated attack log message.

Separate each attack type with a space. Each set packet-log command replaces the whole list, so to add or remove a single packet payload type you must re-type the entire space-delimited list with that option included or omitted.

Some options have historical names. Correlations with current feature names are:

  • custom-protection-rule—Custom signature detection (not predefined)

To empty this list and keep no packet payloads, effectively disabling the feature, enter unset packet-log.

Default: No default

no-ssl-error {enable | disable}

Enable to stop FortiWeb from logging SSL errors.

This setting is useful when you use strict security settings, which generate a high volume of SSL errors.

Default: disable

http2-parse-error-output {enable | disable}

Enable while debugging only, to log errors of the HTTP/2 protocol parser.

Default: enable

Example

This example enables log storage on the hard disk and sets information as the minimum severity level that a log message must meet in order to be stored. It also enables retention of the packet payloads that triggered custom protection rules, alongside their correlating attack logs. Because set packet-log replaces the whole list each time it is run, this also disables any other packet payload retention that may have been enabled before.

config log disk

set status enable

set severity information

end

config log attack-log

set status enable

set packet-log custom-protection-rule

end
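Because set packet-log replaces the entire list, automation that only wants to add or remove one payload type must first recover the current list and then re-emit the complete one; otherwise a scripted change silently drops every other type that was being retained. The helper below is an added example (not FortiWeb code) that does exactly that: it reads the packet-log line out of a captured config log attack-log block, validates the requested types against the option names documented on this page, and emits either the full set packet-log line or unset packet-log when the result is empty. The sample block is constructed here for illustration; in practice you would paste in the block as shown by the appliance.

```python
"""Maintain the packet-log list of `config log attack-log` without clobbering it.

Added example, not part of the FortiWeb CLI or its documentation.  The CLI
replaces the whole space-delimited list on every `set packet-log ...`, so a
script must merge the current list with the desired change and re-emit all
of it.  `unset packet-log` is the documented way to empty the list.
"""
import re

# Option names as listed on this page.  Other FortiWeb releases may accept
# more or fewer; extend this set to match your appliance's syntax output.
PACKET_LOG_TYPES = frozenset("""
account-lockout-detection anti-virus-detection cookie-security
credential-db-detection csrf-detection custom-access custom-protection-rule
fsa-detection hidden-fields-failed http-protocol-constraints illegal-file-type
illegal-filesize cors-protection json-protection ip-intelligence padding-oracle
parameter-rule-failed signature-detection trojan-detection
user-tracking-detection xml-protection machine-learning openapi-validation
websocket-security mobile-api-protection malicious-bots known-good-bots
syntax-based-detection
""".split())

_SET_RE = re.compile(r"^\s*set\s+packet-log\s+(.*?)\s*$", re.MULTILINE)


def current_packet_log(config_text):
    """Return the set of packet-log types in a captured config block.

    No `set packet-log` line means the list is empty (the page documents
    "No default" for this variable).
    """
    m = _SET_RE.search(config_text)
    return set(m.group(1).split()) if m else set()


def merged_packet_log_command(current, add=(), remove=()):
    """Compute the single CLI command that yields (current + add) - remove.

    Raises ValueError for a type name the page does not document, so a typo
    cannot reach the appliance and leave the list partially applied.
    """
    unknown = (set(add) | set(remove)) - PACKET_LOG_TYPES
    if unknown:
        raise ValueError("not a documented packet-log type: %s" % sorted(unknown))
    wanted = (set(current) | set(add)) - set(remove)
    if not wanted:
        return "unset packet-log"
    # Sorted output keeps the command stable across runs, which keeps
    # config diffs readable when this is run from change management.
    return "set packet-log " + " ".join(sorted(wanted))


def attack_log_block(current_config, add=(), remove=()):
    """Render a complete `config log attack-log` block applying the change."""
    cmd = merged_packet_log_command(current_packet_log(current_config), add, remove)
    return "\n".join(["config log attack-log", "    " + cmd, "end"])


# Constructed sample of a block captured from an appliance; not real output.
SAMPLE_CONFIG = """\
config log attack-log
    set status enable
    set packet-log custom-protection-rule signature-detection
end
"""

if __name__ == "__main__":
    # Add padding-oracle payloads and stop retaining signature-detection ones,
    # while keeping custom-protection-rule retention intact.
    print(attack_log_block(SAMPLE_CONFIG,
                           add=["padding-oracle"],
                           remove=["signature-detection"]))
```

Paste the rendered block into the CLI as-is; the same merge logic applies when the appliance is driven over SSH from a configuration tool, which is where an accidental overwrite of the list is most likely to go unnoticed.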

Related topics
