Report of config changes

Author
Olav
2014/08/28 06:22:02 (permalink)

Hi,

we have a FortiAnalyzer 400B running FortiOS 5.0.7 and want to create reports of configuration changes on our FortiGates (e.g. add/delete/edit firewall rules).

The problem I have is that I can't select events with subtype 'config' on the Analyzer. In general: I can't see any events of subtype 'config' on the FortiAnalyzer. And yes, we have activated the Event Logging of "Configuration change event" on the FortiGate and see those events in the event log of the FortiGate.

Any ideas on how to resolve this problem?

Regards,
Olav

#1
AtiT
RE: Report of config changes 2014/08/28 06:38:41 (permalink)
Hi,
I think there is no subtype config in the event logs. For example, policy changes are system subtypes. Search for "firewall" in the message column:

AtiT
--------------------
NSE 8, CCNP R+S
#2
Olav
RE: Report of config changes 2014/08/28 07:28:29 (permalink)
Hi AtiT,

thank you for the fast reply!

Unfortunately I can't see any events concerning firewall changes when I search for "firewall" in the message column.
How can I verify that those messages are transferred from the FortiGate to the FortiAnalyzer? Is there a debug command on the CLI which I can use?

Olav
#3
FatalHalt
RE: Report of config changes 2014/08/28 08:59:05 (permalink)
On the firewall, go to the Log & Report tab, Log config, Log Settings.

Make sure you have Event Logging enabled, and for this specific need you want to make sure you have System Activity event checked (and possibly user activity event).
#4
jlozen
RE: Report of config changes 2014/08/28 11:12:56 (permalink)
What version of FortiOS are you running on the FortiGate? If the FortiGate has been "upgraded" to 5.2, they changed a bunch of stuff with policies and logging, so that might be throwing a wrench into the gears of your FortiAnalyzer.

I've been having all kinds of various issues with logging and our devices running 5.2. Our FortiAnalyzer is stuck on v5.0-build4037 131010 (GA) since we use the AWS instance and can't update the firmware until Amazon releases a new AMI.
#5
AtiT
RE: Report of config changes 2014/08/29 00:54:16 (permalink)
Hi Olav,
I have FAZ on v5.07 and FGT on v5.0.9. What is your FGT OS version?

On 5.0.7 (probably similar on other versions) check the output of the command:

get log eventfilter

If you have VDOMs on the FG, check it under the VDOM (the same as in the GUI - see the response from FatalHalt).

Do you have any logs in the Event log?
You can also try to test the logging with command:

diagnose log test
If you have VDOMs on the FG, check it under the VDOM. It should generate some logs into the log database. Do you see them?

AtiT
--------------------
NSE 8, CCNP R+S
#6
Olav
RE: Report of config changes 2014/08/29 02:34:52 (permalink)
Hi everybody and thank you all for your answers!

We are running 4.3 Patch 15 on our FortiGate 800C cluster.
Event logging is enabled on the FGT (see image).

On the CLI I can see the eventfilter activated and the test events from the command "diagnose log test" are transferred to the analyzer. These events show up in the "Security" branch of the FAZ Log View section. Config changes are still not visible on the FortiAnalyzer.

#7
Warren_Olson_FTNT
RE: Report of config changes 2014/08/29 06:08:39 (permalink)
Olav,

You're looking in the Event logs section of FAZ, correct? Make sure you disable any/all column filters, and also check "config log fortianalyzer filter" and make sure everything is set to enable...
#8
TuncayBAS
RE: Report of config changes 2014/08/29 07:14:27 (permalink)
If you want to get the report:

Dataset :

select from_dtime(dtime) as date, f_user, msg, devid from ###(select dtime, `user` as f_user, ui, msg, devid from $log
where $filter and logid in ('44547','32212') order by dtime desc)### t order by dtime desc


Tuncay BAS
RZK Muhendislik Turkey
NSE 4 5 6
FCESP v5
#9
Olav
RE: Report of config changes 2014/08/29 07:45:06 (permalink)
Hi Warren,

yes, I'm looking in the Events log section of the FAZ and there are no column filters active. When I open the elog.log over Log View \ <ADOM> \ Log Browse I can't see any entries about config changes, which must be in there.

I have also checked config log fortianalyzer filter - everything is enabled.


Hi Tuncay,

thanks very much for your query, it is very useful for what I want to do with these log messages!

I have set up a Dataset with your query and the Test result is the following. There are no entries found in the log!

I am clueless. I will open a ticket for support on this.

Cheers, Olav

#10
TuncayBAS
RE: Report of config changes 2014/08/29 07:59:33 (permalink)
Please run this code on the CLI screen:

execute sql-query-dataset root event-Config-Changes_3 All_FortiGates faz "2014-08-01 00:00:00" "2014-08-30 23:59:59"

I think the error will be written to the screen.

Tuncay BAS
RZK Muhendislik Turkey
NSE 4 5 6
FCESP v5
#11
Olav
RE: Report of config changes 2014/08/29 08:09:05 (permalink)
Will test it on Monday. Have to leave now for the weekend :-)

Thanks and nice weekend!!!
#12
TuncayBAS
RE: Report of config changes 2014/08/29 08:17:00 (permalink)
ok. nice weekend

Tuncay BAS
RZK Muhendislik Turkey
NSE 4 5 6
FCESP v5
#13
AtiT
RE: Report of config changes 2014/09/01 01:02:46 (permalink)
Hi Olav,
As you are not able to see config logs in the files under Log browse I suggest the following:

Using PuTTY or SecureCRT etc. connect to the FAZ, log all the output from the CLI to a file and try to capture the log packets like:
FortiAnalyzer-VM # diagnose sniffer packet any 'host FG-IP-address'
<verbose> 1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets
choose 2:
1) diagnose sniffer packet any 'host FG-IP-address' 2
2) do some changes, for example on the firewall policy
3) stop the sniffer with CTRL+C
4) logout from the FAZ CLI
5) search for config messages in the file like this:


73.224726 193.86.250.182.2474 -> 193.85.199.90.514: psh 3083017352 ack 1113124487
0x0000 4500 0124 ffcd 4000 3d06 f848 c156 fab6 E..$..@.=..H.V..
0x0010 c155 c75a 09aa 0202 b7c3 1c88 4258 ee87 .U.Z........BX..
0x0020 8018 1f68 f868 0000 0101 080a 0a45 09c6 ...h.h.......E..
0x0030 1179 024b 1700 0100 000d 65a1 0000 00f0 .y.K......e.....
0x0040 0700 0000 0000 00e4 ef07 00dc 000a c446 ...............F
0x0050 4754 3830 4333 3931 3036 3135 3639 3201 GT80C39106xxxxx.
0x0060 4c41 425f 4c55 5804 726f 6f74 0454 0425 LAB_LUX.root.T.%
0x0070 4a00 b301 0006 0000 0000 ae03 0100 7573 J.............us
0x0080 6572 3d22 746f 7468 6122 2075 693d 2247 er="totha".ui="G
0x0090 5549 2836 322e 3136 382e 3330 2e34 3329 UI(x.x.x.x)
0x00a0 2220 6163 7469 6f6e 3d45 6469 7420 6366 ".action=Edit.cf
0x00b0 6774 6964 3d32 3033 3138 3637 2063 6667 gtid=2031867.cfg
0x00c0 7061 7468 3d22 6669 7265 7761 6c6c 2e70 path="firewall.p
0x00d0 6f6c 6963 7922 2063 6667 6f62 6a3d 2233 olicy".cfgobj="3
0x00e0 3322 2063 6667 6174 7472 3d22 6170 706c 3".cfgattr="appl
0x00f0 6963 6174 696f 6e2d 6c69 7374 5b41 432d ication-list[AC-
0x0100 3e4e 4153 5d22 206d 7367 3d22 4564 6974 >NAS]".msg="Edit
0x0110 2066 6972 6577 616c 6c2e 706f 6c69 6379 .firewall.policy
0x0120 2033 3322 .33"

This way you can check whether the config messages are sent to FAZ or not.
Probably there is a better way to check it.

AtiT
--------------------
NSE 8, CCNP R+S
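Added example, not from the thread or from Fortinet: a small Python parser for FortiGate key=value event-log lines that picks out config-change events the way Tuncay's dataset does (logid 44547/32212) and also by the cfgpath field that shows up in AtiT's sniffer dump, then produces the dataset's date/user/msg/devid columns. The sample log lines, the device id and the logid category prefix are constructed assumptions, so an exported elog.log or the decoded ASCII of a capture can be checked offline against the same filter.

```python
import re

# Logids from Tuncay's dataset. FortiOS 5.x logs carry a category prefix
# (assumed form: 0100044547), so matching is done on the trailing five digits.
CONFIG_LOGIDS = {44547, 32212}

# Constructed sample of an elog.log-style export (field names follow AtiT's sniffer
# dump: user, ui, action, cfgtid, cfgpath, cfgobj, cfgattr, msg). Not from the thread.
SAMPLE_ELOG = """\
date=2014-08-29 time=07:40:12 devid=FG800C-CONSTRUCTED logid=0100044547 type=event subtype=system vd="root" user="admin" ui="GUI(192.0.2.10)" action=Edit cfgtid=2031867 cfgpath="firewall.policy" cfgobj="33" cfgattr="application-list[AC->NAS]" msg="Edit firewall.policy 33"
date=2014-08-29 time=07:41:03 devid=FG800C-CONSTRUCTED logid=32212 type=event subtype=system vd="root" user="admin" ui="ssh(192.0.2.10)" action=Add cfgtid=2031868 cfgpath="firewall.policy" cfgobj="34" msg="Add firewall.policy 34"
date=2014-08-29 time=07:41:30 devid=FG800C-CONSTRUCTED logid=0100032001 type=event subtype=system vd="root" user="admin" ui="ssh(192.0.2.10)" action=login status=success msg="Administrator admin logged in successfully"
"""

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields

def is_config_change(fields):
    """Dataset logid match, or a cfgpath field (what 'search for firewall' relies on)."""
    logid = fields.get("logid", "")
    if logid.isdigit() and int(logid) % 100000 in CONFIG_LOGIDS:
        return True
    return "cfgpath" in fields

def config_change_report(text):
    """Dataset columns (date, f_user, msg, devid) newest first, plus cfgpath/cfgobj."""
    rows = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields and is_config_change(fields):
            rows.append({
                "date": f"{fields.get('date', '')} {fields.get('time', '')}",
                "f_user": fields.get("user", ""),
                "msg": fields.get("msg", ""),
                "devid": fields.get("devid", ""),
                "cfgpath": fields.get("cfgpath", ""),
                "cfgobj": fields.get("cfgobj", ""),
            })
    return sorted(rows, key=lambda r: r["date"], reverse=True)
```

An empty result from `config_change_report` on a real export is the same symptom Olav describes, and points at the FGT-side filter or the transport rather than at the report dataset.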
#14
Olav
RE: Report of config changes 2014/09/01 02:50:29 (permalink)
Hello Tuncay, I've tested the sql-query-dataset on the CLI and there was no data as well.

Hello AtiT,
I have also tested with sniffing the traffic FGT --> FAZ.
I can't find anything in the log from my config change, which I made while sniffing.

Will reboot my FortiGate as soon as possible...
I will post the result here when done.

FCNSP, FCESP
AirITSystems
#15
Olav
RE: Report of config changes 2014/09/03 23:34:36 (permalink)
After rebooting the cluster the behaviour is the same as before - no log entries about config changes on the FAZ.

Now I have opened a support ticket at Fortinet...