How to log successful logins?

Author
hankn
2020/08/26 11:31:49 (permalink)
0

How to log successful logins?

Newbie question:
I see all failed login attempts in the event log.
How do I enable Fortigate 6.4.2 so that it logs all successful login attempts?
 
Thanks,
Hank
#1


    lobstercreed
    Re: How to log successful logins? 2020/08/30 11:24:36 (permalink)
    0
    You should see successful logins in the event log as well.  I'm not sure where you're looking exactly, but I can see them by going to Log & Report -> Events -> System Events and looking for "Admin login successful" in the Log Description field.
    #2
    hankn
    Re: How to log successful logins? 2020/08/30 12:04:44 (permalink)
    0
    That is exactly where I am looking but all I see is unsuccessful login attempts.
    Running 6.2.4
    Even Add Filter doesn't show an option to see successful logins (see attachment).
     

    #3
    lobstercreed
    Re: How to log successful logins? 2020/08/30 17:25:01 (permalink)
    0
    Under Log & Report -> Log Settings, look at the bottom in the Log Settings section and see if Event Logging is set to "All" or some other value.  I don't know what it needs to be, but mine is "All".
    #4
    hankn
    Re: How to log successful logins? 2020/08/30 21:51:24 (permalink)
    0
    Yes I have everything being logged. 
    See attachment.
    Just no successful logins being recorded.

    #5
    lobstercreed
    Re: How to log successful logins? 2020/08/31 08:13:17 (permalink)
    0
    Try choosing "All" instead of "Customize" -- your screenshot is not how mine (working) is set.
     
    Like I said, I'm not sure which of those items under Customize should have it... I would think "System activity event" would cover it, but maybe there's a difference between those categories and whatever else "All" includes.
     
    If that doesn't do the trick though, then you might want to just open a TAC case about it.
    #6
    Yurisk
    Re: How to log successful logins? 2020/08/31 22:33:23 (permalink)
    0
    That's unusual, I don't have Fortigate 30 to test, but on other models at least successful login is being logged as well. May be worth opening a ticket with TAC.
     
    #7
    emnoc
    Re: How to log successful logins? 2020/08/31 23:19:57 (permalink)
    5 (1)
    I would 1st review the logging and look for the login action
     
     
    e.g. (assume memory log is the source; if not, set the source)
     
    execute log filter category 1
    execute log filter field action login
    execute log display
     
    To set the source:
     
    FGT100D_PELNYC # execute log filter device
    Available devices:
    0: memory
    1: fortianalyzer
    2: fortianalyzer-cloud
    3: forticloud
     
    Your log should look similar to the below:
     

    1: date=2020-08-31 time=23:14:10 logid="0100032001" type="event" subtype="system" level="information" vd="root" eventtime=1598940850657894953 tz="-0700" logdesc="Admin login successful" sn="1598340950" user="kfelix" ui="ssh(x.x.x.x)" method="ssh" srcip=x.x.x.x dstip=y.y.y.y action="login" status="success" reason="none" profile="super_admin" msg="Administrator kfelix logged in successfully from ssh(x.x.x.x)"
     
    If you're using syslog, just look for the log, or use tcpdump and look at the log data and the login event.
     
    For log filters reference my earlier posted blogs
     
    http://socpuppet.blogspot.com/2016/08/using-execute-log-filters-to-monitor.html
     
    Ken Felix
     
    post edited by emnoc - 2020/08/31 23:21:32

    PCNSE 
    NSE 
    StrongSwan  
    #8
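
The syslog-side check mentioned in the last post, as an added example that is not part of the original thread: it parses key=value log lines in the format quoted above and pulls out events with action="login" and status="success". The sample lines are constructed, and the failed-login and logout lines are assumptions about how those events' fields would look.

```python
import re

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines modelled on the format quoted in the post above.
# Addresses are documentation ranges; the second and third lines are assumptions
# about how non-success events would look, not captured output.
SAMPLE = [
    '1: date=2020-08-31 time=23:14:10 logid="0100032001" type="event" '
    'subtype="system" logdesc="Admin login successful" user="kfelix" '
    'method="ssh" srcip=192.0.2.10 action="login" status="success"',
    '2: date=2020-08-31 time=23:15:02 type="event" subtype="system" '
    'user="admin" method="https" srcip=203.0.113.7 action="login" status="failed"',
    '3: date=2020-08-31 time=23:20:41 type="event" subtype="system" '
    'user="kfelix" method="ssh" srcip=192.0.2.10 action="logout" status="success"',
]

def parse_line(line):
    """Split one log line into a dict of fields; any prefix before the first pair is ignored."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR.finditer(line)}

def login_events(lines):
    """Yield parsed system events whose action field is "login"."""
    for line in lines:
        f = parse_line(line)
        if (f.get("type"), f.get("subtype"), f.get("action")) == ("event", "system", "login"):
            yield f

def successful_logins(lines):
    """Return (timestamp, user, method, srcip) for every login with status=success."""
    return [(f"{f.get('date')} {f.get('time')}", f.get("user"), f.get("method"), f.get("srcip"))
            for f in login_events(lines) if f.get("status") == "success"]

def only_failures(lines):
    """True when login events are present but none succeeded (the symptom in this thread)."""
    statuses = [f.get("status") for f in login_events(lines)]
    return bool(statuses) and "success" not in statuses

if __name__ == "__main__":
    for row in successful_logins(SAMPLE):
        print(*row)
    print("only failures seen:", only_failures(SAMPLE))
```

Running `only_failures` over what the syslog collector actually received shows whether success events are missing at the source or only hidden by the GUI filter.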