Friday, January 27, 2017

finding traffic logs fortiOS

The fortigate device allows for disk logging when you have  disk. One of the issues Sec_Engineers has pertains to lack of disk_logging in the smaller units ( i.e SOHO units or anything from a 100 or smaller )


So a quick to know that your disk_logging is actually working is to  query  the disk via the fnsysctl ls hidden command

1:

The files are store in a /var/log/root/<name with "log" >

e.g ( traffic logs )



2:  now  the format of this  directory structure is simple

The  tlog.time-index  is a file that provide indexing information for transaction.

All logs are symbolic unix links

tlog.oldest will always match the  oldest logfile

tlog will always match  the newest file and current log file

fnsysctl cat /var/log/root/tlog  will display and confirm disklogging

critical logs files to beaware of

elog == system events  ( VPN auth, system auth, link monitors,etc....)

tlog ==  trafficlog   ( Fwpolicy traffic status )


3:  You can copy down the logs file by using a usb_mount device  and you will need super admin access todo this



4: Finally, you can roll logs via the execute log command


execute  log  roll  

5: to determine if the logs did roll and what logs, set a display filter and execute  the cli cmd



execute  log   filter reset
execute  log   filter cat 1
execute  log   filter field  logdesc "Disk log rolled"
execute  log   display










Ken Felix


NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \

No comments:

Post a Comment