Searching the Network Analyzer logs, Keywords | Fortinet 3.0 MR7


Network Analyzer	Searching the Network Analyzer logs

Searching the Network Analyzer logs

You can search the Network Analyzer log files for matching text using two search types: Quick Search and Full Search.

You can use Quick Search to find results more quickly if your search terms are relatively simple and you only need to search indexed log fields. Indexed log fields are those that appear with a filter icon when browsing the logs in column view; unindexed log fields do not contain a filter icon for the column or do not appear in column view, but do appear in the raw log view. Quick Search keywords cannot contain:

•special characters such as single or double quotes (‘ or “) or question marks (?)

•wild card characters (*), or only contain a wild card as the last character of a keyword (logi*)

You can use Full Search if your search terms are more complex, and require the use of special characters or log fields not supported by Quick Search. Full Search performs an exhaustive search of all log fields, both indexed and unindexed, but is often slower than Quick Search.

Figure 8: Network Analyzer log search

Date	Select to search logs from a time frame, or select Specify and define a
	custom time frame by selecting the From and To date and times.
	From	Enter the date and select the time of the beginning of
		the custom time range.
		This option appears only when Date is Specify.
	To	Enter the date and select the time of the end of the
		custom time range.
		This option appears only when Date is Specify
Keyword(s)	Enter search terms which will be matched to yield log message search
	results. To specify that results must include all, any, or none of the
	keywords, select from Match.
Quick Search	Select to perform a Quick Search, whose Keywords cannot contain
	special characters and that searches only indexed fields.
Full Search	Select to perform a Full Search, whose Keywords may contain special
	characters, and searches all log message fields. The time of the search
	varies by the complexity of the search query and the amount of log
	messages to be searched.

FortiAnalyzer Version 3.0 MR7 Administration Guide

05-30007-0082-20080908

151

Image 161

Fortinet 3.0 MR7 manual Searching the Network Analyzer logs, Keywords, Quick Search, Full Search, 151

Contents

M I N I S T R a T I O N G U I D E FCC Class a Part 15 CSA/CUS TrademarksRegulatory compliance Contents Viewing session information Filtering session information Radius Server Administrator SettingsLog Receive Monitor Intrusion Activity Adding a route Log Content Archive 107Device Quarantine 131 Reports 113Alert 133 Network Analyzer 141 Managing firmware versions 169 Tools 157 Index 213 Appendix FortiAnalyzer reports in 3.0 MR7 185 About this document Introduction Fortinet documentation Describes how to install and set up the FortiAnalyzer unit Fortinet Tools and Documentation CD Customer service and technical supportFortinet Knowledge Center Comments on Fortinet technical documentation Customer service and technical support High-end FortiAnalyzer units support additional What’s new for 3.0 MR7 FortiAnalyzerVersion 3.0 MR7 Administration Guide Power supply monitoring for FortiAnlayzer-2000A and 4000A MR7 new features and changesRegistered devices’ hard limits CLI displays the tasks in the upload queue Config log settings Set custom-field1-5 Report configuration enhancementsCustom fields for log messages Reports ReportHeadquarters-2008-05-26-1030 VoIP reportsAll other reports, for example Alert email configuration changes About administrative domains ADOMs Administrative Domains ADOMs About administrative domains ADOMs FortiAnalyzer Model Number of Administrative Domains To enable ADOMs Configuring ADOMsGo to System Admin Settings Enable Admin Domain Configuration Select OK Message appears Go to Global Configuration System Admin Settings To disable ADOMsTo add or edit an Adom Select OK FortiAnalyzer unit logs you out Assigning administrators to an Adom Accessing ADOMs as the admin administratorTo access an Adom To assign an administrator to an Adom System Information SystemDashboard To refresh a Dashboard widget Go to System Dashboard To rearrange a Dashboard widget Go to System Dashboard To include a Dashboard widget Go to System Dashboard TabsTo omit a Dashboard widget Go to System Dashboard To add a tab Go to System Dashboard RAID Monitor Double-click on the name of the tab and select the X symbolEnter a new name and press Enter To delete a tab Go to System Dashboard Rebuilding icon System Information 05-30007-0082-20080908 Setting the time Changing the firmware Changing the host nameLicense Information To change the host name Go to System Dashboard Viewing operational history System ResourcesRVS Plug-ins Device License Memory Usage Formatting the log disks System OperationTo format the log disks Go to System Dashboard Systems Operations area, select Format Log Disks Select OK Alert Message Console Resetting to the default configurationViewing alert console messages To view alert console messages Go to System Dashboard Viewing session information StatisticsSelect the delete icon Connections Report Engine Filtering session informationTo view the session information Go to System Dashboard Statistics area, next to Connections, select Details Type Log Receive MonitorTop N Period Display by Intrusion ActivityVirus Activity Virus Activity widget Top FTP Traffic Top Email Traffic, select Edit Top Email Traffic Top IM/P2P Traffic, select Edit in the title bar area Top IM/P2P Traffic Top Traffic, select Edit in the title bar area Top TrafficTo edit information for Top Traffic Go to System Dashboard Top Web Traffic, select Edit Top Web Traffic Interface Network Administrative Changing interface settingsStatus Modify About Fortinet Discovery Protocol To configure DNS settings Go to System Network DNSRouting Enter an IP address for a primary and secondary DNS server Select Create New Configure the following options AdminAdding a route To add a static route Go to System Network Routing Adding or editing an administrator account Access Profile Changing an administrator’s passwordAccess Profile Admin Domain Auth Group To add a group Go to System Admin Auth GroupNone Read Only To add a Radius server Go to System Admin Radius Server Administrator SettingsSelect Create New Configure the following and select OK Radius Server Monitor Network SharingAdding share users To add a user account Go to System Network Sharing User To add a user group Go to System Network Sharing Group Configuring Windows sharesAdding share groups Permissions Assigning user permissions Remote Clients Configuring NFS shares Automatic file deletion and local log settings ConfigDefault file permissions on NFS shares Log Level Allocated Disk Space MB FortiAnalyzer unit log settings Log Locally Configuring log aggregation FortiAnalyzer-800/800B FortiAnalyzer-400FortiAnalyzer-2000/2000A FortiAnalyzer-4000/4000A Configuring an aggregation server Configuring an aggregation clientConfiguring log forwarding To forward log events Go to System Config Log Forwarding To add an IP alias Go to System Config IP Alias Configuring IP aliasesTo edit an IP alias Go to System Config IP Alias To import the alias file Go to System Config IP Alias RAID levels Configuring RAIDIP alias ranges RAID Linear RAID 5 with hot spare Hot swapping hard disks FortiAnalyzer-800/800B disk drive configuration FortiAnalyzer-400 disk drive configuration FortiAnalyzer-4000 disk drive configuration To swap a hard disk Go to System Config RAIDFortiAnalyzer-2000/2000A disk drive configuration As well as from System Config RAID Configuring RAID on the FortiAnalyzer-400FortiAnalyzer-800/800B Level 1 Size GB Configuring Ldap connections Select Create New. Complete the following To define an Ldap server query Go to System Config Ldap Backup Back up the current configuration MaintenanceBackup & Restore FortiGuard Center 10.10.1.108889 Scheduled UpdateEvery Daily Maintenance Viewing the device list Device Show Add DeviceUnregistered Device Options Hardware Action Secure Connection Disk Space MB Used/Allocated To delete a device Go to Device All Device Maximum number of devices Unregistered vs. registered devices Configuring unregistered device connection attempt handling Or the following options for unknown device types Manually adding a device Device ID Device NameMode Member IDs Group Membership FortiGate Interface Specification When Allocated Disk Space is All Used Devices Privileges Classifying FortiGate network interfaces For more information, see Manually adding a device on Configure the FortiGate device Go to System Network To enable the FortiAnalyzer unit to reply to FDP packetsOn the FortiAnalyzer unit, go to Device All Hardware Model Blocking device connection attempts To unblock a device Go to Device All Blocked Device Configuring device groupsTo block a device Go to Device All Device To delete a device group Go to Device Group Device Group To configure a device group Go to Device Group Device GroupGroup Name Members Viewing current log messages LogViewing log messages Viewing historical log messages Column Settings Import Browsing log filesTo view historical logs Go to Log Log Viewer Historical Viewing log file contents To import a log file Go to Log Browse Importing a log file To download a whole log file Go to Log Browse Downloading a log fileTo download a partial log file Go to Log Browse Convert to CSV format Compress with gzip Customizing the log view Select Download Current View Configure the followingDisplaying and arranging log columns To display logs in Raw or Formatted view To change the order of the columns Filtering logsTo display or hide columns Filtering tips To filter log messages by column contentsTo disable a filter 101 Searching the logs From Searching the logs 103 Search tipsTo search the logs Go to Log Search Downloading the search results 192.168.* action=loginPrinting the search results 105 Rolling and uploading logsTo download log search results Go to Log Search Not exceeded ExceedServer IP address Username 107 108 Viewing content archives Content Archive Timeframe View per page Page n of n Column SettingsPrintable Version Delete associated content archive files 109 Customizing the content archive view Filter icons in the content logs 111 Searching full email content archives 113 Last activity 114 Reports Configuring reports Configuring report layout 115 To configure a report layout Go to Report Config LayoutName Enter a name for the report Description Category Title Page LogoHeader Logo 117 Editing charts in a report layout Maximum Entries Top N Time Scale Advanced To edit a chart To edit text Configuring report schedulesTo edit section 119 Schedule Name To configure a report schedule Go to Report ScheduleReport layout Name Schedule Data Filter Log Data FilteringTime Period 121 Data filter templates Configuring data filter templates 123 Filter logicSources Interfaces DestinationsPolicy IDs Day of the Week 125 Configuring report output templates Output template FTP/SFTP/SCP Server Action 127 Nomatch=No matching log data for this report Configuring language 129 Comment is# Localization uses a Latin character set Font Languages 131 Language file error messages Error message DescriptionSave the format file Browsing reports 133 134 Viewing quarantined files QuarantineQuarantined files for a specific device See Date & Time ServiceChecksum Status Description Triggers AlertAlert Events To add a new alert event Go to Alert Alert Event Adding an alert event Output Configuring alerts by email serverTo Email Address Add Configuring Snmp traps and alerts Testing the mail server configurationEnable Smtp Server 137 FortiAnalyzer Snmp support Adding an Snmp server Fortinet MIB System Traps Fortinet MIB Administrator AccountsFortinet MIB Logging Traps Fortinet MIB VPN Traps Adding a Syslog server Configuring alerts by Syslog serverRFC-1213 MIB RFC-2665 Ethernet-like MIB 141 Configure the following options, and select OK 142 Network Analyzer Config log settings Set enableanalyzer yes End Example network topology for Network Analyzer use 143 Viewing Network Analyzer log messagesViewing current Network Analyzer log messages Viewing historical Network Analyzer log messages Protocol Protocol used when sending the traffic Message Browsing Network Analyzer log files Viewing Network Analyzer log file contents Printable Version Download Current View Resolve Service View n per page Page n of n Column Settings 147 Downloading a Network Analyzer log file Displaying and arranging Network Analyzer log columns Customizing the Network Analyzer log view 149 Filter icons in Network Analyzer 150 Keywords Searching the Network Analyzer logsQuick Search Full Search Other To search the logs Go to Tools Network Analyzer Search 153 172.20.120.127 tcp Select the download options that you want, then select OK Rolling and uploading Network Analyzer logs 155 Log file should be rolled... even if size is not exceeded Select the protocol to use when uploading to the server 157 ToolsPreparing for the vulnerability scan job Preparing Windows target hosts 159 To enable NetBIOS Go to Start Control Panel 161 Viewing vulnerability scan modulesPreparing Unix target hosts Vulnerability Scan modules View modules with severity 163 Configuring vulnerability scan jobsDetails Target Job Name Select Create New Complete the following Remote Authentication User NameScan Targets Quick Scan Email Body File outputEmail Attachment 167 Viewing vulnerability scan reports Formats File ExplorerEnd Time 169 File Explorer with Storage directory expanded 170 Managing firmware versions Backing up your configuration Backing up your configuration using the CLI Backing up your configuration using the web-based managerTo back up your configuration file using the CLI Execute backup config filename addressip passwd 171 To test the firmware image before upgrading Testing firmware before upgradingPress any key to display configuration menu… Enter Local Address Enter Tftp server addressEnter firmware image file name image.out 173 Upgrading your FortiAnalyzer unit Upgrading using the web-based managerUpgrading to FortiAnalyzer Only To upgrade to FortiAnalyzer 3.0 using the web-based manager Upgrading using the CLITo upgrade to FortiAnalyzer 3.0 using the CLI Execute restore image namestr tftpip4 Get system status Verifying the upgrade Downgrading to FortiLog Reverting to a previous firmware versionSelect OK Following message appears 177 To downgrade using the CLI Downgrading to FortiLog 1.6 using the CLIExecute restore image tftp namestr tftpipv4 Execute restore image tftp image.out 179 Restoring configuration settings on a FortiAnalyzer unit Restoring your configurationTo restore a firmware image to the FortiAnalyzer unit Execute reboot Press any key to display configuration menu When this message appearsEnter File Name image.out 181 To restore configuration settings using the CLI Restoring your configuration settings using the CLIExecute restore config namestr tftpipv4 passwrd Execute restore config confall 192.168.1.168 ghrffdt123 183 184 185 Appendix FortiAnalyzer reports in 3.0 MR7FortiGate reports Antivirus Activity reports MR6 reports MR7 reports Antivirus ActivityIntrusion Activity reports MR6 reports MR7 reports 187 Antivirus Activity reports Top Virus Destinations over POP3 189 Webfilter ActivityWebFilter Activity reports MR6 reports MR7 reports Antispam Activity reports MR6 reports MR7 reports Antispam ActivityWebFilter Activity reports Antispam Activity reports IM ActivityIM reports MR6 reports MR7 reports 191 VoIP reports MR7 reports IM reports 193 Content ActivityVoIP reports Network Activity reports MR6 reports MR7 reports Content Activity reports MR6 reports MR7 reportsNetwork Activity 195 Web ActivityNetwork Activity reports Report, Top Mail Servers Connections remains unchanged Mail ActivityFTP Activity VPN Activity Terminal ActivityFTP Activity reports Terminal Activity reports MR6 reports MR7 reports Event Activity reports MR6 reports MR7 reports Event ActivityVPN Activity reports MR6 reports MR7 reports Report, Top Event Categories by Status, was removed P2P ActivityEvent Activity reports P2P Activity reports MR6 reports MR7 reports P2P Activity reports Audit Activity 201 Summary Reports Audit Forensic ReportsDetailed Report, Top Client Requests to Permitted Sites, was removed Summary FortiMail ReportsMail High Level 203 Mail High Level reports 205 Mail SenderMail Sender reports MR6 reports MR7 reports Mail Destination IP Mail Recipient ActivityMail Sender reports Mail Recipient Activity reports MR6 reports MR7 reports Mail Destination IP reports MR6 reports MR7 reports Spam SenderSpam Sender reports MR6 reports MR7 reports 207 Spam Recipient reports MR6 reports MR7 reports Spam RecipientSpam Sender reports Virus Sender Spam Destination IPSpam Recipient reports Spam Destination IP reports MR6 reports MR7 reports Virus Sender reports MR6 reports MR7 reports Virus Sender reports Virus RecipientVirus Recipient reports MR6 reports MR7 reports 211 Virus Destination IP FortiClient Reports 213 Index FDN 215 FTP Mail server 135 Main Menu 20 managing firmware 217 RFC See also protocol test 219 Index FortiAnalyzer Version 3.0 MR7 Administration Guide