Fortinet 558 FortiWeb 5.0 Patch 6 Administration Guide
Depending on the type of log, some log messages cannot be viewed from the web UI.
Log messages are in human-readable format, where each column’s name, such as Source (src
in Raw view), indicates its contents.
An attack’s origin is not always the same as the IP that appears in your logs. Network
address translation (NAT) at various points between a web browser and your web servers can
mask the original IP address of the attacker. Depending on your configuration of Use X-Header
to Identify Original Client’s IP, attack logs’ Source column may contain the IP address of the
client according to X-Forwarded-For: or a similar header in the HTTP layer, not the SRC field
in the IP header. In that case, the corresponding traffic log’s Source column will not match,
since it reflects the IP layer. (Typically in that scenario, the connection has been relayed by a
load balancer or proxy, and therefore the IP would be that of the load balancer, which is not the
real origin of the attack.) Relatedly, if Shared IP is enabled, FortiWeb will attempt to differentiate
innocent clients that share the same public address with an attacker according to the IP layer
SRC field due to NAT.
Not all attack detections will be logged. In some cases, only one entry will be logged when
there are many attack instances. See “Log rate limits” on page 544. Relatedly, server
information disclosure detections will not be logged if you have configured Action to be Erase,
no Alert. See “Blocking known attacks & data leaks” on page 387.
To view log messages
1. Go to one of the log types:
•Log&Report > Log Access > Attack
•Log&Report > Log Access > Event
•Log&Report > Log Access > Traffic
To access this part of the web UI, your administrator’s account access profile must have
Read and Write permission to items in the Log & Report category. For details, see
“Permissions” on page 47.
Columns and appearance varies slightly by the log type. For details on structure or
interpretations of and troubleshooting suggestions for individual log messages, see the
FortiWeb Log Reference.
Initially, the page displays the most recent log messages for that log type. Contents of the
Message column may vary by your selection of Raw or Formatted view.
Table 50:Availability of each log type via the web UI
Storage method Log type
Event Traffic Attack
Local disk Yes Yes Ye s
Local memory Yes No No
Syslog server Yes Yes Ye s
FortiAnalyzer Yes Yes Ye s
In FortiWeb HA clusters, log messages are recorded on their originating appliance. If you notice
a gap in the logs, a failover may have occurred. Logs during that period will be stored on the
other appliance. To view those logs, switch to the other appliance.