Monday, 19 May 2014

How-to: Separate UTM security logs from traffic logs

With FortiOS 5.0, Fortinet decided to consolidate all logs into the traffic log. This improves performance and lets you search all logs (traffic and security) on one screen.

While I can see the benefit and reasoning behind this, I prefer to have my security logs separated from my traffic logs, since those are the ones I generally look through.

Thankfully Fortinet hasn't removed this capability: you can still configure the device to separate the security and traffic logs. We'll go through the steps required to enable this for each of the security profiles.

By default, a FortiGate writes all logs to the traffic log. Because of this, the security log menu may not be visible at all.


To send security logs to their own files, enable the extended-utm-log option for each security profile. The exception to this rule is the IPS security profile, which has the option enabled by default (that's why you may see Intrusion Protection listed already without having touched anything).

So to enable the extended-utm-log option, edit every security profile whose events you'd like to appear in the new security log files. This includes application control, web filter, email filtering and data leak prevention, and it must be done via the CLI.

Below are the commands for each of the security profiles. I'm editing the 'default' profile of each one, but you'll need to substitute the names of the profiles you've created and are using in your policies. For example, if I had created a 'block-skype' application sensor and wanted its logs to populate the security log, I would type edit block-skype instead of edit default below.

Application Control:

config application list
edit default
set extended-utm-log enable
set log enable
end

AntiVirus:

config antivirus profile
edit default
set extended-utm-log enable
set av-virus-log enable
end

AntiSpam:

config spamfilter profile
edit default
set extended-utm-log enable
set spam-log enable
end

Data Leak Prevention:

config dlp sensor
edit default
set extended-utm-log enable
set dlp-log enable
end

WebFilter:

config webfilter profile
edit default
set extended-utm-log enable
end

Remember, you don't have to enable all of them, just the security profiles you'd like to see separated from the main log. Once this is done, each log is created after the first corresponding security event has occurred. For example, you won't see any AntiVirus logs show up until you've tried to download a virus to trigger it.
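A quick way to audit an existing device is to run the following check over a saved FortiOS configuration (a downloaded backup or the output of show). This is an added example, not part of the original post: it walks the config's config/edit/next/end nesting and lists the profiles from the tables above that are still missing set extended-utm-log enable. The sample configuration it runs on is constructed for illustration.

```python
# Tables from the post whose entries need extended-utm-log; IPS is left out
# because the post notes the IPS profile already has it on by default.
UTM_TABLES = {
    "config application list": "application",
    "config antivirus profile": "antivirus",
    "config spamfilter profile": "spamfilter",
    "config dlp sensor": "dlp",
    "config webfilter profile": "webfilter",
}

def profiles_without_extended_log(config_text):
    """Return (table, name) pairs for UTM profiles lacking 'set extended-utm-log enable'."""
    missing, stack, name, enabled = [], [], None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        in_utm = len(stack) == 1 and stack[0] in UTM_TABLES  # at a UTM table's entry level
        if line.startswith("config "):
            stack.append(line)
        elif line == "end" and not in_utm:
            stack.pop()  # leaving a non-UTM table or a nested sub-table such as 'config http'
        elif not in_utm:
            continue
        elif line.startswith("edit "):
            name, enabled = line[5:].strip().strip('"'), False
        elif line == "set extended-utm-log enable":
            enabled = True
        elif line in ("next", "end"):  # the post's snippets close an entry with 'end' directly
            if name is not None and not enabled:
                missing.append((UTM_TABLES[stack[0]], name))
            name = None
            if line == "end":
                stack.pop()
    return missing

# Constructed sample of a FortiOS 5.0 config backup (not taken from a real device).
SAMPLE_CONFIG = """\
config antivirus profile
    edit "default"
        set extended-utm-log enable
        config http
            set options scan
        end
    next
end
config dlp sensor
    edit "default"
        set dlp-log enable
    next
end
"""
```

Running profiles_without_extended_log on SAMPLE_CONFIG reports only the DLP 'default' sensor, since the antivirus profile already has the option set; point it at a real backup's text to get the list of profiles still left to edit.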

A quick way to populate each of the logs and confirm it's working is the diagnose log test command. This generates a few test entries for every available log type and will populate your security log.


Sometimes you'll need to log out of the web interface and back in to properly refresh the screen and display the new log.

In the end you should be able to see, and search, each of the security logs separately!



4 comments:

ANexus said...

Hello,

I tried that and it's working fine, but on my Forti and in your screenshot I don't see the "Application" log.
Is that normal?

Thanks.

Allan Mouawad said...

It's because I didn't have a policy with application control enabled on it. Try to enable the application filter on a policy and enable logging; after a little while it should show up. I've created a blog post with a bit more detail regarding the application logging here: http://alstechcorner.blogspot.com.au/2013/11/unable-to-see-any-applications-in-top.html

Unknown said...

Hi Allan,

I am unable to enable extended-utm-log;
it shows Command fail. Return code -61

Kindly let me know if anything is required to be enabled before running this.

Regards
Trinath

Anonymous said...

I too get the same error on FortiGate 60D.