Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Olav
New Contributor

Created on ‎08-28-2014 06:22 AM

Report of config changes

Hi, we have an FortiAnalyzer 400B running FortiOS 5.0.7 and want to create reports off configuration changes on our FortiGates (e.g. add/delete/edit firewall rules). The problem I have is that I can' t select events with subtype ' config' on the Analyzer. In general: I can' t see any events of subtype ' config' on the FortiAnalyzer. And yes, we have activated the Event Logging of " Configuration change event" on the FortiGate and see those events in the event log of the FortiGate. Any ideas on how to resolve this problem? Regards, Olav
FCNSP, FCESP AirITSystems
FCNSP, FCESP AirITSystems
46299
0 Kudos
15 REPLIES 15
AtiT
Valued Contributor

Created on ‎08-28-2014 06:38 AM

Hi, I think that no subtype config is in event logs. For example policy changes are system subtypes. Search for " firewall" in message column:

AtiT

AtiT
Preview file
20 KB
10261
0 Kudos
Olav
New Contributor

Created on ‎08-28-2014 07:28 AM

Hi AtiT, thank your for the fast reply! Unfortunately I can' t see any events concerning firewall changes when I search for " firewall" in the message column. How can I verify that those messages are transfered from the FortiGate to the FortiAnalyzer? Is there a debug command on the CLI which I can use? Olav
FCNSP, FCESP AirITSystems
FCNSP, FCESP AirITSystems
10262
0 Kudos
FatalHalt
Contributor II

Created on ‎08-28-2014 08:59 AM

On the firewall, go to the Log & Report tab, Log config, Log Settings. Make sure you have Event Logging enabled, and for this specific need you want to make sure you have System Activity event checked (and possibly user activity event).
10262
0 Kudos
jlozen
New Contributor

Created on ‎08-28-2014 11:12 AM

What version of FortiOS are you running on the FortiGate? If the FortiGate is has been " upgraded" to 5.2 they changed a bunch of stuff with policies and logging so that might be throwing a wrench into the gears of your FortiAnalyzer. I' ve been having all kinds of various issues with logging and our devices running 5.2. Our FortiAnalyzer is stuck on v5.0-build4037 131010 (GA) since we use the AWS instance and can' t update the firmware until amazon releases a new AMI
10262
0 Kudos
AtiT
Valued Contributor
In response to jlozen

Created on ‎08-29-2014 12:54 AM

Hi Olav, I have FAZ on v5.07 and FGT on v5.0.9. What is your FGT OS version? On 5.0.7 (probably similar on other versions) check the output of the command: get log eventfilter If you have VDOMS on FG check it under the VDOM. (the same as in the GUI - see the reponse from FatalHalt) Do you have any logs in the Event log? You can also try to test the logging with command: diagnose log test If you have VDOMs on FG check it under the VDOM. It should generate some logs into the log database. Do you see them?

AtiT

AtiT
10262
0 Kudos
Olav
New Contributor

Created on ‎08-29-2014 02:34 AM

Hi everybody and thank you all for your answers! we are running 4.3 Patch 15 on our FortiGate 800C cluster. Event logging ist enabled on the FGT (see image). On CLI I can see the eventfilter activated and the test events from the command " diagnose log test" are tansfered to the analyzer. These events show up in the " Security" branch of the FAZ Log View section. Config changes are still not visible on the FortiAnalyzer.
FCNSP, FCESP AirITSystems
FCNSP, FCESP AirITSystems
Preview file
149 KB
10262
0 Kudos
Warren_Olson_FTNT
Staff
Staff

Created on ‎08-29-2014 06:08 AM

Olav, You' re looking in the Event logs section of FAZ correct? Make sure you disable any/all column filters, and also check " config log fortianalyzer filter" and make sure everything is set to enable...
10262
0 Kudos
TuncayBAS
Contributor II

Created on ‎08-29-2014 07:14 AM

if you want to get the report. Dataset : 
 select from_dtime(dtime) as date, f_user, msg, devid from ###(select dtime, `user` as f_user, ui, msg,devid from $log 
 where $filter and logid in (’44547′,’32212′) order by dtime desc)### t order by dtime desc

Tuncay BAS RZK Muhendislik Turkey NSE 4 5 6 FCESP v5

Tuncay BAS RZK Muhendislik Turkey NSE 4 5 6 FCESP v5
10262
0 Kudos
Olav
New Contributor

Created on ‎08-29-2014 07:45 AM

Hi Warren, yes, I' m looking in the Events log section of the FAZ and there are no column filters activ. When I open the elog.log over Log View \ <ADOM> \ Log Browse I can' t see any entiries about config changes, which must be in there. I have also checked config log fortianalyzer filter - everything is enabled. Hi Tuncay, thanks for your very much for your query, it is very useful for what I want to do with these log messages! I have set up a Dataset with your query and the Test result is the following. There are no entries found in the log! I am clueless. I will open a ticket for support on this. Cheers, Olav
FCNSP, FCESP AirITSystems
FCNSP, FCESP AirITSystems
Preview file
48 KB
10262
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.