Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

Common troubleshooting methods for issues that Logs cannot be displayed on GUI

This section summarizes the common troubleshooting methods for log related issues such as Attack/Traffic/Event logs not generated or displayed on GUI. The following sections will use these methods to actually locate specific issues step by step.

1. Check if the security level in log disk is configured properly on CLI or GUI.

   Take below configuration for example, only the log messages with a severity of Warning or higher will be recorded.

FortiWeb # show full-configuration log disk

config log disk

  set status enable

  set severity warning

  set diskfull overwrite

end

图像

Please note: Log level of traffic log is Notification and log level of attack log is Alert.

2. Double check if log options are enabled correctly:

    • Make sure global log options are enabled via GUI or CLI as below:

      FortiWeb # show full log event-log

      config log event-log

        set status enable

      end

      FortiWeb # show full log traffic-log

      config log traffic-log

        set status enable

      end

      FortiWeb # show full log attack-log

      config log attack-log

        set status enable

      end

    • On 6.4.16, 7.0.0 and later releases, traffic log is disabled by default and can be enabled or disabled per server-policy policy via CLI:

      FortiWeb # show full-configuration server-policy policy

      config server-policy policy

        edit "SP_01"

          set tlog enable

        next

    3. Check if logd, indexd and mysqld work normally in backend:

    Sometimes logs fail to be displayed are caused by log related daemons instability such as coredump.

    There are several ways to judge if these three daemons every restarted abnormally:

    • Check the PID number of related daemons. The PID of logd and mysqld are usually a small 4-digit one like below, so if the PID becomes a big number, it may indicate the daemon ever restarted.
    • Check the PID of the 3 daemons several times to make sure they are stable (PID is not changing). If the PID of the daemons is changing, it indicates the daemon ever restarted or the administrator ever executed “execute db rebuild”.

      # ps | grep logd

      1479 root      4508 S    /bin/syslogd -n -b 99 -s 500

      1480 root      4508 S    /bin/klogd -n

      1502 root      308m S    /bin/logd    #1502 is the PID of logd

      1729 shell     4508 R    grep logd

      # ps | grep indexd

      2133 shell     4508 S    grep indexd

      18411 root     55840 S    /bin/indexd    #18411 is PID of indexd

      # ps | grep mysqld

      1584 root      773m S    /bin/mysqld --defaults-file=/data/etc/mysql/my-fortiweb.cnf --skip-grant-tables --user=root    #1584 is PID of mysqld

      2139 root         0 Z    [mysqld_monitor.]

      2328 shell     4508 S    grep mysqld

    • Another way is to check .NMON files. The PID of daemons are recorded in each .NMON file > TOP.

      Please refer to Retrieving system logs in backend system to see how to analyze .NMON files.

    • If you find logd daemon of kernel coredump files, please download them and deliver to R&D for further investigationAnother way is to check.

      Please note: logd coredump need to be enabled with the following command in backend shell: (please refer to "Run backend shell commands' in this guide)

      /# touch /var/log/debug/logrpt_core_flag

      Please refer to "Customize & Download debug logs” in this guide to see how to download coredump files.

    4. Use diagnose commands to check logds outputs:

        “diagnose debug application logd” is very useful to help find the cause for log related issues.

        Hereby we’ll provide several specific case/examples:

      • When no useful log is printed out when diagnose is enabled, it usually means no logs are sent to logd by other function modules.

        FortiWeb # diagnose debug application logd 7

        FortiWeb # diagnose debug timestamp enable

        FortiWeb # diagnose debug enable

         

        ##When either the global traffic-log or per server-policy traffic log option is disabled, there will be no useful diagnose information:

        VM_01 # [Logd][11-22-16:29:12][INFO][_log_try_push][436]: log try push 10 times

         

        ##If traffic log is enabled, there will be diagnose info like below:

        VM_01 # [Logd][11-22-16:39:27][INFO][_log_process][383]: ###### Recv a traffic log

        [Logd][11-22-16:39:27][INFO][log_format_local_msg][512]: log_id=30001000, msg_id=000000001063, subtype=https, url=/

        [Logd][11-22-16:39:27][INFO][log_format_local_msg][578]: Local Detail = v011xxxxdate=2021-11-22 time=16:39:27 log_id=30001000 msg_id=000000001063 device_id=FVVM04TM21000715 vd="root" timezone="(GMT-7:00)Mountain Time(US&Canada)" timezone_dayst="GMTb+7" type=traffic subtype="https" pri=notice proto=tcp service=https/tls1.2 status=success reason=none policy="SP_02_RS_SSL" original_src=172.30.213.248 src=172.30.213.248 src_port=3067 dst=10.159.37.11 dst_port=443 http_request_time=0 http_response_time=0 http_request_bytes=82 http_response_bytes=927 http_method=get http_url="/" http_agent="curl/7.78.0" http_retcode=200 msg="HTTPS get request from 172.30.213.248:3067 to 10.159.37.11:443" original_srccountry="Reserved" srccountry="Reserved" content_switch_name="none" server_pool_name="Pool_HTTPS" http_host="test.vm02.com:8002" user_name="Unknown" http_refer="none" http_version="1.x" dev_id=B039BB143F81FCEBE2C39ACC361EE9411534 cipher_suite="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

        [Logd][11-22-16:39:27][WARNING!][log_format_msg][1718]: No srv need to send

        [Logd][11-22-16:39:27][INFO][_log_process][403]: Begin to write disk.

        [Logd][11-22-16:39:27][INFO][_log_process][409]: Begin to write packet.

        [Logd][11-22-16:39:27][INFO][_log_add_pkt][545]: packet log cache 1 logs stored

        [Logd][11-22-16:39:27][INFO][_log_process][412]: Process done.

        [Logd][11-22-16:39:27][INFO][log_disk_push][988]: push tlog 915

        [Logd][11-22-16:39:27][INFO][_log_write_disk][622]: Open existing log file '/var/log/fwlog/root/disklog/tlog(2021-11-22-16:39:27).log' with link

        [Logd][11-22-16:39:27][INFO][write_cache_to_file][277]: cur cnt: 3 start pos = 1744,len = 915,currnet len = 2659

        [Logd][11-22-16:39:27][INFO][write_cache_to_file][337]: Write log item Traffic log 1 msg_id 000000001063 start offset : 2659 length : 915

        [Logd][11-22-16:39:27][INFO][write_cache_to_file][347]: cur_log_cnt : 4,cache type = Traffic log cache count : 1

      • Sometimes one may be not sure about the severity of specific attack/traffic logs, you can use the diagnose commands to debug:

        FortiWeb # diagnose debug application logd 7

        FortiWeb # diagnose debug timestamp enable

        FortiWeb # diagnose debug enable

         

        Sample diagnose output:

        [Logd][10-18-12:47:02][WARNING!][log_disk_write][921]: Disk log rejected! t:2, s:1, 4 < 5? h->category : 2

        [Cause] The traffic log level is notification but disk log severity is set as Warning, so logs are not recorded to local disk.

        [Explanation] Both t:2 & h->category : 2 mean traffic log; s:1 means log is enabled to write to disk; 4 < 5 means current severity level is 5 (Notification), while the current log severity is 4 (Warning).

      5. Check backend logs:

          Usually diagnose output will show most useful debug information, while sometimes we need to double check or find the root cause via more detailed backend logs or counters.

      • /var/log/dlog_indexd

        We can use realtime output with “tail -f” or “grep” with keywords such as “can't connect”, “error” or “mysqld segment fault” to check if there are any obvious defaults in dlog_indexd.

         

        Example 1:

        “MySQL server has gone away” means mysql server used by logd cannot be connected, so logs cannot be recorded successfully.

        /# tail -f /var/log/dlog_indexd

            /var/log/fwlog/root/disklog/alog(2021-11-15-14:01:53).log has no mapping entry

        11-16-16:48:28.157212! 2818: dlog_indexer.c(3569)@__mapping_get_tname:

            mysqlerr 2 0: MySQL server has gone away

        11-16-16:48:28.157218! 2818: dlog_indexer.c(3508)@__mapping_get_maxid:

            mysqlerr 1 8: MySQL server has gone away

        11-16-16:48:28.157228! 2818: dlog_indexer.c(2210)@_create_log_tab

         

        Example 2:

        /# cat /var/log/dlog_indexd | grep mysql

            cannot connect mysql, try walk around (ret:0), mysqlerr 1:Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)

            cannot connect mysql, try walk around (ret:0), mysqlerr 1:Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)

            cannot connect mysql, try walk around (ret:0), mysqlerr 1:Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)

         

      • /var/log/mysql/error.log

        Similarly, we can also check if there is any fault in this log file:

        /# cat /var/log/dlog_indexd | grep mysql

            cannot connect mysql, try walk around (ret:0), mysqlerr 1:Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)

            cannot connect mysql, try walk around (ret:0), mysqlerr 1:Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)

            cannot connect mysql, try walk around (ret:0), mysqlerr 1:Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)

         

      • /var/log/fwlog/root/disklog

        All attack/event/traffic logs will be written to harddisk after logd received and handled logs sent by other modules. Outputs in this file will help to check if logs have been written to the local disk successfully.

        /var/log/fwlog/root/disklog# ls -l

        -rw-r--r--    1 root     0           417601 Nov 22 22:27 alog(2021-11-22-22:26:09).log

        lrwxrwxrwx    1 root     0               57 Nov 22 22:26 alog.log -> /var/log/fwlog/root/disklog/alog(2021-11-22-22:26:09).log

        -rw-r--r--    1 root     0           459145 Nov 23 10:27 elog(2021-11-22-14:34:23).log

        lrwxrwxrwx    1 root     0               57 Nov 22 14:34 elog.log -> /var/log/fwlog/root/disklog/elog(2021-11-22-14:34:23).log

        -rw-r--r--    1 root     0         46946294 Nov 22 23:13 tlog(2021-11-22-15:59:23).log

        -rw-r--r--    1 root     0         45953552 Nov 22 23:55 tlog(2021-11-22-23:13:38).log

        lrwxrwxrwx    1 root     0               57 Nov 22 23:13 tlog.log -> /var/log/fwlog/root/disklog/tlog(2021-11-22-23:13:38).log

        #One can just check the soft link for the latest logs.

         

        /var/log/fwlog/root/disklog# tail -f tlog.log

        v011xxxxdate=2021-11-23 time=10:37:11 log_id=30001000 msg_id=000000102564 device_id=FVVM04TM21000715 vd="root" timezone="(GMT-7:00)Mountain Time(US&Canada)" timezone_dayst="GMTb+7" type=traffic subtype="https" pri=notice proto=tcp service=https/tls1.2 status=success reason=none policy="SP_01" original_src=172.30.213.98 src=172.30.213.98 src_port=1941 dst=10.159.26.123 dst_port=80 http_request_time=0 http_response_time=0 http_request_bytes=82 http_response_bytes=923 http_method=get http_url="/" http_agent="curl/7.78.0" http_retcode=200 msg="HTTPS get request from 172.30.213.98:1941 to 10.159.26.123:80" original_srccountry="Reserved" srccountry="Reserved" content_switch_name="none" server_pool_name="Pool_Single" http_host="test.vm01.com:7002" user_name="Unknown" http_refer="none" http_version="1.x" dev_id=03AFBEAE2124AE47968CB4271208410FF9A8 cipher_suite="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

      6. Check log related backend counters:

      Logd will receive, handle, index and display logs sent by the system processes or specific function modules on GUI, while in abnormal situations it fails to do so. Then it’s useful to double check with two backend counters for attack/event/traffic logs.

      /# cd /proc/miglog/

      /proc/miglog# ls

      alog  dlog  elog  tlog

      /proc/miglog# ls alog/

      brief          queue_max_len

      /proc/miglog# ls elog/

      brief          queue_max_len

      /proc/miglog# ls tlog/

      brief          queue_max_len

      /proc/miglog# ls dlog/    #dlog is for debug only; just ignore it

      brief          queue_max_len

       

      /proc/miglog/tlog# cat queue_max_len

      163840        #The log queue length; usually fixed

      /proc/miglog/tlog# cat brief

      total 4

      enqueued 4    #New logs are sent from other process/module; one new HTTP/HTTPS session usually increase this count by 1

      dequeued 4    #New logs received are processed by logd; should be the same as enq

      overflow 0        #Not 0 means log overflows caused by too many logs generated; one may need check current CPS or disable traffic logs

      error 0        #kernel errors that cause logging failures

      7. Use “execute db rebuild” to rebuild log database :

      Use this command to rebuild the FortiWeb appliance’s internal database that it uses to store log messages. Please note there are some behavior differences between 6.x and later releases:

      • On 6.x builds, db rebuild also erases databases for ML, while on 7.0.0 and later builds, this operation will only clean and rebuild databases for disklog; you can execute redis rebuild to clean ML databases.

      • Historical traffic/attack/eventlogs will not be cleared, while one needs to wait several minutes for log index rebuilding - the time is based on log amount;

      • In HA mode, executing db rebuild on primary appliance will take effect on all secondary appliances simultaneously on 6.x builds, whereas on 7.0.0 and later builds, rebuilding just impacts local box instead of the whole HA groups.

      • With 6.x builds, executing this command will trigger FortiWeb system reboot, while with 7.0.0 and later, this command will not lead to system reboot.

        6.x old builds: (Reboot system)

        FortiWeb# exec db rebuild

        This operation will clean and rebuild database for disklog, and will clean database for ML and Client Management, and it will reboot the system!

        Do you want to continue? (y/n)y

        rebuilding the database......

         

        FortiWeb# Connection closing...Socket close.

        FortiWeb starts to reboot...

         

        6.3.16, 7.0.0 and later: (Not reboot system)

        FortiWeb # execute db rebuild

        This operation will clean and rebuild database for disklog.

        Do you want to continue? (y/n)y

        rebuilding the database......

         

        FortiWeb #

      8. Use “execute formatlogdisk” to clear the logs from the FortiWeb appliance’s hard disk and reformat the disk.

          This operation is more dangerous than “execute db rebuild” because it formats the whole log disk /var/log, so all logs and databases used by varied modules stored on this disk will be cleared.

          One point here is, signatures will be cleared so they will be downloaded again after system reboot. (proxyd restart will re-create the signature database)

      FortiWeb # execute formatlogdisk

      This operation will clear all logs on the Hard Disk and take a few minutes depending on the disk size!!

      Please backup system configuration and restore it after format operation, otherwise openapi data will be lost!

       

      Do you want to continue? (y/n)y

       

      /# df -h

      Filesystem                Size      Used Available Use% Mounted on

      /dev/root               472.5M    355.6M    117.0M  75% /

      none                      1.1G    176.0K      1.1G   0% /tmp

      none                      3.8G      2.9M      3.8G   0% /dev/shm

      /dev/sda2               362.4M    270.0M     72.8M  79% /data

      /dev/sda3                90.6M     56.0K     85.6M   0% /home

      /dev/sda4                30.5G    604.4M     28.4G   2% /var/log

      Common troubleshooting methods for issues that Logs cannot be displayed on GUI

      This section summarizes the common troubleshooting methods for log related issues such as Attack/Traffic/Event logs not generated or displayed on GUI. The following sections will use these methods to actually locate specific issues step by step.

      1. Check if the security level in log disk is configured properly on CLI or GUI.

         Take below configuration for example, only the log messages with a severity of Warning or higher will be recorded.

      FortiWeb # show full-configuration log disk

      config log disk

        set status enable

        set severity warning

        set diskfull overwrite

      end

      图像

      Please note: Log level of traffic log is Notification and log level of attack log is Alert.

      2. Double check if log options are enabled correctly:

        • Make sure global log options are enabled via GUI or CLI as below:

          FortiWeb # show full log event-log

          config log event-log

            set status enable

          end

          FortiWeb # show full log traffic-log

          config log traffic-log

            set status enable

          end

          FortiWeb # show full log attack-log

          config log attack-log

            set status enable

          end

        • On 6.4.16, 7.0.0 and later releases, traffic log is disabled by default and can be enabled or disabled per server-policy policy via CLI:

          FortiWeb # show full-configuration server-policy policy

          config server-policy policy

            edit "SP_01"

              set tlog enable

            next

        3. Check if logd, indexd and mysqld work normally in backend:

        Sometimes logs fail to be displayed are caused by log related daemons instability such as coredump.

        There are several ways to judge if these three daemons every restarted abnormally:

        • Check the PID number of related daemons. The PID of logd and mysqld are usually a small 4-digit one like below, so if the PID becomes a big number, it may indicate the daemon ever restarted.
        • Check the PID of the 3 daemons several times to make sure they are stable (PID is not changing). If the PID of the daemons is changing, it indicates the daemon ever restarted or the administrator ever executed “execute db rebuild”.

          # ps | grep logd

          1479 root      4508 S    /bin/syslogd -n -b 99 -s 500

          1480 root      4508 S    /bin/klogd -n

          1502 root      308m S    /bin/logd    #1502 is the PID of logd

          1729 shell     4508 R    grep logd

          # ps | grep indexd

          2133 shell     4508 S    grep indexd

          18411 root     55840 S    /bin/indexd    #18411 is PID of indexd

          # ps | grep mysqld

          1584 root      773m S    /bin/mysqld --defaults-file=/data/etc/mysql/my-fortiweb.cnf --skip-grant-tables --user=root    #1584 is PID of mysqld

          2139 root         0 Z    [mysqld_monitor.]

          2328 shell     4508 S    grep mysqld

        • Another way is to check .NMON files. The PID of daemons are recorded in each .NMON file > TOP.

          Please refer to Retrieving system logs in backend system to see how to analyze .NMON files.

        • If you find logd daemon of kernel coredump files, please download them and deliver to R&D for further investigationAnother way is to check.

          Please note: logd coredump need to be enabled with the following command in backend shell: (please refer to "Run backend shell commands' in this guide)

          /# touch /var/log/debug/logrpt_core_flag

          Please refer to "Customize & Download debug logs” in this guide to see how to download coredump files.

        4. Use diagnose commands to check logds outputs:

            “diagnose debug application logd” is very useful to help find the cause for log related issues.

            Hereby we’ll provide several specific case/examples:

          • When no useful log is printed out when diagnose is enabled, it usually means no logs are sent to logd by other function modules.

            FortiWeb # diagnose debug application logd 7

            FortiWeb # diagnose debug timestamp enable

            FortiWeb # diagnose debug enable

             

            ##When either the global traffic-log or per server-policy traffic log option is disabled, there will be no useful diagnose information:

            VM_01 # [Logd][11-22-16:29:12][INFO][_log_try_push][436]: log try push 10 times

             

            ##If traffic log is enabled, there will be diagnose info like below:

            VM_01 # [Logd][11-22-16:39:27][INFO][_log_process][383]: ###### Recv a traffic log

            [Logd][11-22-16:39:27][INFO][log_format_local_msg][512]: log_id=30001000, msg_id=000000001063, subtype=https, url=/

            [Logd][11-22-16:39:27][INFO][log_format_local_msg][578]: Local Detail = v011xxxxdate=2021-11-22 time=16:39:27 log_id=30001000 msg_id=000000001063 device_id=FVVM04TM21000715 vd="root" timezone="(GMT-7:00)Mountain Time(US&Canada)" timezone_dayst="GMTb+7" type=traffic subtype="https" pri=notice proto=tcp service=https/tls1.2 status=success reason=none policy="SP_02_RS_SSL" original_src=172.30.213.248 src=172.30.213.248 src_port=3067 dst=10.159.37.11 dst_port=443 http_request_time=0 http_response_time=0 http_request_bytes=82 http_response_bytes=927 http_method=get http_url="/" http_agent="curl/7.78.0" http_retcode=200 msg="HTTPS get request from 172.30.213.248:3067 to 10.159.37.11:443" original_srccountry="Reserved" srccountry="Reserved" content_switch_name="none" server_pool_name="Pool_HTTPS" http_host="test.vm02.com:8002" user_name="Unknown" http_refer="none" http_version="1.x" dev_id=B039BB143F81FCEBE2C39ACC361EE9411534 cipher_suite="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

            [Logd][11-22-16:39:27][WARNING!][log_format_msg][1718]: No srv need to send

            [Logd][11-22-16:39:27][INFO][_log_process][403]: Begin to write disk.

            [Logd][11-22-16:39:27][INFO][_log_process][409]: Begin to write packet.

            [Logd][11-22-16:39:27][INFO][_log_add_pkt][545]: packet log cache 1 logs stored

            [Logd][11-22-16:39:27][INFO][_log_process][412]: Process done.

            [Logd][11-22-16:39:27][INFO][log_disk_push][988]: push tlog 915

            [Logd][11-22-16:39:27][INFO][_log_write_disk][622]: Open existing log file '/var/log/fwlog/root/disklog/tlog(2021-11-22-16:39:27).log' with link

            [Logd][11-22-16:39:27][INFO][write_cache_to_file][277]: cur cnt: 3 start pos = 1744,len = 915,currnet len = 2659

            [Logd][11-22-16:39:27][INFO][write_cache_to_file][337]: Write log item Traffic log 1 msg_id 000000001063 start offset : 2659 length : 915

            [Logd][11-22-16:39:27][INFO][write_cache_to_file][347]: cur_log_cnt : 4,cache type = Traffic log cache count : 1

          • Sometimes one may be not sure about the severity of specific attack/traffic logs, you can use the diagnose commands to debug:

            FortiWeb # diagnose debug application logd 7

            FortiWeb # diagnose debug timestamp enable

            FortiWeb # diagnose debug enable

             

            Sample diagnose output:

            [Logd][10-18-12:47:02][WARNING!][log_disk_write][921]: Disk log rejected! t:2, s:1, 4 < 5? h->category : 2

            [Cause] The traffic log level is notification but disk log severity is set as Warning, so logs are not recorded to local disk.

            [Explanation] Both t:2 & h->category : 2 mean traffic log; s:1 means log is enabled to write to disk; 4 < 5 means current severity level is 5 (Notification), while the current log severity is 4 (Warning).

          5. Check backend logs:

              Usually diagnose output will show most useful debug information, while sometimes we need to double check or find the root cause via more detailed backend logs or counters.

          • /var/log/dlog_indexd

            We can use realtime output with “tail -f” or “grep” with keywords such as “can't connect”, “error” or “mysqld segment fault” to check if there are any obvious defaults in dlog_indexd.

             

            Example 1:

            “MySQL server has gone away” means mysql server used by logd cannot be connected, so logs cannot be recorded successfully.

            /# tail -f /var/log/dlog_indexd

                /var/log/fwlog/root/disklog/alog(2021-11-15-14:01:53).log has no mapping entry

            11-16-16:48:28.157212! 2818: dlog_indexer.c(3569)@__mapping_get_tname:

                mysqlerr 2 0: MySQL server has gone away

            11-16-16:48:28.157218! 2818: dlog_indexer.c(3508)@__mapping_get_maxid:

                mysqlerr 1 8: MySQL server has gone away

            11-16-16:48:28.157228! 2818: dlog_indexer.c(2210)@_create_log_tab

             

            Example 2:

            /# cat /var/log/dlog_indexd | grep mysql

                cannot connect mysql, try walk around (ret:0), mysqlerr 1:Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)

                cannot connect mysql, try walk around (ret:0), mysqlerr 1:Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)

                cannot connect mysql, try walk around (ret:0), mysqlerr 1:Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)

             

          • /var/log/mysql/error.log

            Similarly, we can also check if there is any fault in this log file:

            /# cat /var/log/dlog_indexd | grep mysql

                cannot connect mysql, try walk around (ret:0), mysqlerr 1:Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)

                cannot connect mysql, try walk around (ret:0), mysqlerr 1:Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)

                cannot connect mysql, try walk around (ret:0), mysqlerr 1:Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)

             

          • /var/log/fwlog/root/disklog

            All attack/event/traffic logs will be written to harddisk after logd received and handled logs sent by other modules. Outputs in this file will help to check if logs have been written to the local disk successfully.

            /var/log/fwlog/root/disklog# ls -l

            -rw-r--r--    1 root     0           417601 Nov 22 22:27 alog(2021-11-22-22:26:09).log

            lrwxrwxrwx    1 root     0               57 Nov 22 22:26 alog.log -> /var/log/fwlog/root/disklog/alog(2021-11-22-22:26:09).log

            -rw-r--r--    1 root     0           459145 Nov 23 10:27 elog(2021-11-22-14:34:23).log

            lrwxrwxrwx    1 root     0               57 Nov 22 14:34 elog.log -> /var/log/fwlog/root/disklog/elog(2021-11-22-14:34:23).log

            -rw-r--r--    1 root     0         46946294 Nov 22 23:13 tlog(2021-11-22-15:59:23).log

            -rw-r--r--    1 root     0         45953552 Nov 22 23:55 tlog(2021-11-22-23:13:38).log

            lrwxrwxrwx    1 root     0               57 Nov 22 23:13 tlog.log -> /var/log/fwlog/root/disklog/tlog(2021-11-22-23:13:38).log

            #One can just check the soft link for the latest logs.

             

            /var/log/fwlog/root/disklog# tail -f tlog.log

            v011xxxxdate=2021-11-23 time=10:37:11 log_id=30001000 msg_id=000000102564 device_id=FVVM04TM21000715 vd="root" timezone="(GMT-7:00)Mountain Time(US&Canada)" timezone_dayst="GMTb+7" type=traffic subtype="https" pri=notice proto=tcp service=https/tls1.2 status=success reason=none policy="SP_01" original_src=172.30.213.98 src=172.30.213.98 src_port=1941 dst=10.159.26.123 dst_port=80 http_request_time=0 http_response_time=0 http_request_bytes=82 http_response_bytes=923 http_method=get http_url="/" http_agent="curl/7.78.0" http_retcode=200 msg="HTTPS get request from 172.30.213.98:1941 to 10.159.26.123:80" original_srccountry="Reserved" srccountry="Reserved" content_switch_name="none" server_pool_name="Pool_Single" http_host="test.vm01.com:7002" user_name="Unknown" http_refer="none" http_version="1.x" dev_id=03AFBEAE2124AE47968CB4271208410FF9A8 cipher_suite="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

          6. Check log related backend counters:

          Logd will receive, handle, index and display logs sent by the system processes or specific function modules on GUI, while in abnormal situations it fails to do so. Then it’s useful to double check with two backend counters for attack/event/traffic logs.

          /# cd /proc/miglog/

          /proc/miglog# ls

          alog  dlog  elog  tlog

          /proc/miglog# ls alog/

          brief          queue_max_len

          /proc/miglog# ls elog/

          brief          queue_max_len

          /proc/miglog# ls tlog/

          brief          queue_max_len

          /proc/miglog# ls dlog/    #dlog is for debug only; just ignore it

          brief          queue_max_len

           

          /proc/miglog/tlog# cat queue_max_len

          163840        #The log queue length; usually fixed

          /proc/miglog/tlog# cat brief

          total 4

          enqueued 4    #New logs are sent from other process/module; one new HTTP/HTTPS session usually increase this count by 1

          dequeued 4    #New logs received are processed by logd; should be the same as enq

          overflow 0        #Not 0 means log overflows caused by too many logs generated; one may need check current CPS or disable traffic logs

          error 0        #kernel errors that cause logging failures

          7. Use “execute db rebuild” to rebuild log database :

          Use this command to rebuild the FortiWeb appliance’s internal database that it uses to store log messages. Please note there are some behavior differences between 6.x and later releases:

          • On 6.x builds, db rebuild also erases databases for ML, while on 7.0.0 and later builds, this operation will only clean and rebuild databases for disklog; you can execute redis rebuild to clean ML databases.

          • Historical traffic/attack/eventlogs will not be cleared, while one needs to wait several minutes for log index rebuilding - the time is based on log amount;

          • In HA mode, executing db rebuild on primary appliance will take effect on all secondary appliances simultaneously on 6.x builds, whereas on 7.0.0 and later builds, rebuilding just impacts local box instead of the whole HA groups.

          • With 6.x builds, executing this command will trigger FortiWeb system reboot, while with 7.0.0 and later, this command will not lead to system reboot.

            6.x old builds: (Reboot system)

            FortiWeb# exec db rebuild

            This operation will clean and rebuild database for disklog, and will clean database for ML and Client Management, and it will reboot the system!

            Do you want to continue? (y/n)y

            rebuilding the database......

             

            FortiWeb# Connection closing...Socket close.

            FortiWeb starts to reboot...

             

            6.3.16, 7.0.0 and later: (Not reboot system)

            FortiWeb # execute db rebuild

            This operation will clean and rebuild database for disklog.

            Do you want to continue? (y/n)y

            rebuilding the database......

             

            FortiWeb #

          8. Use “execute formatlogdisk” to clear the logs from the FortiWeb appliance’s hard disk and reformat the disk.

              This operation is more dangerous than “execute db rebuild” because it formats the whole log disk /var/log, so all logs and databases used by varied modules stored on this disk will be cleared.

              One point here is, signatures will be cleared so they will be downloaded again after system reboot. (proxyd restart will re-create the signature database)

          FortiWeb # execute formatlogdisk

          This operation will clear all logs on the Hard Disk and take a few minutes depending on the disk size!!

          Please backup system configuration and restore it after format operation, otherwise openapi data will be lost!

           

          Do you want to continue? (y/n)y

           

          /# df -h

          Filesystem                Size      Used Available Use% Mounted on

          /dev/root               472.5M    355.6M    117.0M  75% /

          none                      1.1G    176.0K      1.1G   0% /tmp

          none                      3.8G      2.9M      3.8G   0% /dev/shm

          /dev/sda2               362.4M    270.0M     72.8M  79% /data

          /dev/sda3                90.6M     56.0K     85.6M   0% /home

          /dev/sda4                30.5G    604.4M     28.4G   2% /var/log