log attack-log
Use this command to configure recording of attack log messages on the local FortiWeb disk.
You must enable disk log storage and select log severity levels using log disk before any attack logs can be stored on disk. |
Also use this command to define specific packet payloads to retain when storing attack logs.
Packet payloads can be retained for specific attack types or validation failures detected by the FortiWeb appliance. Packet payloads supplement the log message by providing the actual data that triggered the attack log, which may help you to fine-tune your regular expressions to prevent false positives. You can also examine changes to attack behavior for subsequent forensic analysis. Alternatively, for more extensive packet logging, you can run a packet trace. For details, see network sniffer.
If the offending HTTP request exceeds 4 kilobytes (KB), the FortiWeb appliance retains only 4 KB’ of the part of the payload that triggered the log message.
You can view attack log packet payloads from the Packet Log column using the web UI. For details, see the FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides
Packet payloads can contain sensitive information. You can prevent sensitive data from display in the packet payload by applying sensitivity rules that detect and obscure sensitive information. For details, see log sensitive.
To use this command, your administrator account’s access control profile must have either w
or rw
permission to the loggrp
area. For details, see Permissions.
Syntax
set HTTP-parse-error-output {enable | disable}
set no-ssl-error {enable | disable}
set HTTP2-parse-error-output {enable | disable}
end
Variable | Description | Default |
Enable to record attack log messages on the disk. To record attack logs, disk log storage must be enabled, and the severity levels selected using the log disk command. |
enable
|
|
Enable while debugging only, to log errors of the HTTP protocol parser. | disable
|
|
packet-log {account-lockout-detection | anti-virus-detection | cookie-security | credential-db-detection | csrf-detection | custom-access | custom-protection-rule | fsa-detection | hidden-fields-failed | HTTP-protocol-constraints | illegal-file-type | illegal-filesize | cors-protection | json-protection | ip-intelligence | padding-oracle | parameter-rule-failed | signature-detection | trojan-detection | user-tracking-detection | xml-protection | machine-learning | openapi-validation | websocket-security | mobile-api-protection | malicious-bots | known-good-bots | syntax-based-detection} |
Select one or more detected attack types or validation failures. FortiWeb keeps packet payloads from its HTTP parser buffer with their associated attack log message. Separate each attack type with a space. To add or remove a packet payload type, re-type the entire space-delimited list with the new option included or omitted. Some options have historical names. Correlations with current feature names are:
To empty this list and keep no packet payloads, effectively disabling the feature, enter |
No default
|
Enable to stop FortiWeb from logging SSL errors. This setting is useful when you use high-level security settings, which generate a high volume of these types of errors. |
disable
|
|
Enable while debugging only, to log errors of the HTTP/2 protocol parser. |
|
Example
This example enables log storage on the hard disk and sets information
as the minimum severity level that a log message must meet in order for the log to be stored. It also enables retention of packet payloads that triggered custom protection rules along with their correlating attack logs. Conversely, it disables any other packet payload retention that may have been enabled before, because it completely replaces the list each time it is configured.
config log disk
set status enable
set severity information
end
config log attack-log
set status enable
set packet-log custom-protection-rule
end