How to check attack logs in FortiWeb
Attack logs record violations of the web protection policy, such as server information disclosure, attack signature matches, DoS protection triggers and HTTP protocol constraint violations.
1. A sample attack log for a PHP injection is shown below. It contains the attack type, the matched pattern, the Signature ID and the Message. Other attack log types carry their own type-specific fields.
2. For some log types, such as signature matches, you can create an exception rule or perform other actions by clicking the Message field of the attack log entry.
3. When troubleshooting SSL/TLS handshake issues, disable Ignore SSL Errors under Log&Report > Log Config > Other Log Settings. SSL handshake failures are then recorded as attack log messages, which you can review to find the failing client or cipher. Re-enable the option once the issue is resolved, otherwise handshake errors from scanners and misconfigured clients keep filling the attack log.
4. Avoid recording log messages using low log severity thresholds
Using a low log severity threshold (for example, recording every Information-level message) has several negative effects:
- Frequent writes to the local hard disk, which can cause premature disk failure.
- Frequent disk I/O, which can also drive up CPU usage.
- If logs are also sent to remote syslog servers, heavy network traffic to those servers.
This principle applies to the attack log, the event log and the traffic log.
5. Log rate limit for DoS protection
When FortiWeb is defending your network against a DoS attack, the resulting log messages are highly repetitive and can distract from other, unrelated attacks.
To reduce logging overhead and make new information easier to notice, FortiWeb writes only one log entry for such repetitive events within a given time range: it does not log every occurrence, but records identical log messages once per interval during an ongoing attack. The interval is controlled by max-dos-alert-interval:
FortiWeb # show full system advanced
config system advanced
    set max-dos-alert-interval 180 #default value, in seconds
end
max-dos-alert-interval is the maximum amount of time, in seconds, over which FortiWeb converges identical log messages generated during a DoS attack or padding oracle attack into a single log entry. Raising it reduces log volume during a sustained attack; lowering it gives finer-grained evidence at the cost of more log writes.
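The following script is an added example, not part of the original article or of FortiWeb itself. It illustrates the two logging behaviours described in points 4 and 5 on a handful of constructed attack log lines written in FortiWeb's key=value syslog layout: it parses the lines, shows how many entries a given severity threshold would keep, and emulates the max-dos-alert-interval convergence by suppressing identical DoS messages that arrive within the interval. The field names (type, pri, main_type, sub_type, srcip, signature_id, msg), the severity names and the threshold semantics ("record this severity and above") are assumptions for illustration; verify them against your own exported logs before reusing the parser.

```python
"""Parse FortiWeb-style attack log lines, then show (a) what a severity
threshold would drop and (b) how identical DoS messages collapse into one
entry per max-dos-alert-interval window.  Example code, not FortiWeb's own."""
import re
from datetime import datetime

# Constructed sample lines in a FortiWeb-like key=value syslog layout.
# Field names, IPs, signature ID and messages are illustrative assumptions,
# not captured output from a real appliance.
SAMPLE_LOGS = """\
date=2024-05-01 time=10:00:00 type=attack pri=alert main_type="Signature Detection" sub_type="PHP Injection" srcip=203.0.113.5 signature_id=050070001 action=Alert msg="Parameter(id) triggered signature ID 050070001 of Signature policy"
date=2024-05-01 time=10:00:05 type=attack pri=warning main_type="DoS Protection" sub_type="HTTP Flood Prevention" srcip=198.51.100.7 action=Alert msg="HTTP Flood Prevention rule triggered"
date=2024-05-01 time=10:01:10 type=attack pri=warning main_type="DoS Protection" sub_type="HTTP Flood Prevention" srcip=198.51.100.7 action=Alert msg="HTTP Flood Prevention rule triggered"
date=2024-05-01 time=10:02:30 type=attack pri=warning main_type="DoS Protection" sub_type="HTTP Flood Prevention" srcip=198.51.100.7 action=Alert msg="HTTP Flood Prevention rule triggered"
date=2024-05-01 time=10:04:00 type=attack pri=warning main_type="DoS Protection" sub_type="HTTP Flood Prevention" srcip=198.51.100.7 action=Alert msg="HTTP Flood Prevention rule triggered"
date=2024-05-01 time=10:04:10 type=attack pri=information main_type="HTTP Protocol Constraints" sub_type="Header Length" srcip=192.0.2.9 action=Alert msg="Header length exceeded"
"""

# Syslog severities, most to least severe.  A threshold keeps its own level
# and everything more severe (assumed semantics of the FortiWeb threshold).
SYSLOG_SEVERITY = ("emergency", "alert", "critical", "error",
                   "warning", "notification", "information", "debug")

# key=value or key="quoted value"; the quoted form is tried first so that
# spaces inside msg="..." stay part of the value.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict of string fields."""
    fields = {}
    for m in KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def parse_logs(text):
    """Parse every non-empty line of a log export."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def timestamp(record):
    """Combine the date and time fields into a datetime."""
    return datetime.strptime(f"{record['date']} {record['time']}", "%Y-%m-%d %H:%M:%S")


def filter_by_severity(records, threshold):
    """Keep records whose pri is at least as severe as `threshold`."""
    limit = SYSLOG_SEVERITY.index(threshold)
    return [r for r in records if SYSLOG_SEVERITY.index(r["pri"]) <= limit]


def collapse_dos(records, interval=180):
    """Emulate max-dos-alert-interval (default 180 s): for DoS Protection
    records, keep the first occurrence of an identical message (same srcip,
    sub_type and msg) and suppress repeats that arrive less than `interval`
    seconds after the kept one.  Returns (kept_records, suppressed_count)."""
    kept, suppressed, window_start = [], 0, {}
    for r in records:
        if r.get("main_type") != "DoS Protection":
            kept.append(r)          # non-DoS logs are never converged
            continue
        key = (r.get("srcip"), r.get("sub_type"), r.get("msg"))
        ts = timestamp(r)
        start = window_start.get(key)
        if start is not None and (ts - start).total_seconds() < interval:
            suppressed += 1         # identical message inside the window
            continue
        window_start[key] = ts      # first occurrence, or window expired
        kept.append(r)
    return kept, suppressed


if __name__ == "__main__":
    records = parse_logs(SAMPLE_LOGS)
    for level in ("alert", "warning", "information"):
        print(f"threshold={level:<11} keeps {len(filter_by_severity(records, level))}/{len(records)} entries")
    for interval in (180, 60):
        kept, dropped = collapse_dos(records, interval)
        print(f"max-dos-alert-interval={interval:<3} writes {len(kept)} entries, converges {dropped}")
```

With the sample above, the default 180-second interval writes two entries for the four identical HTTP Flood messages (the second and third repeats fall inside the window opened at 10:00:05, the fourth arrives after it expired), while a 60-second interval writes all four; a threshold of alert keeps only the signature match, warning keeps five of the six entries, and information keeps everything.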