Event correlation Active mode, Sort list | Fortinet FortiLog-800

Using Logs	Event correlation (Active mode)

5Select Apply.

Event correlation (Active mode)

Event correlation is a data mining feature that provides a way of reviewing attacks on multiple devices in one location. The FortiLog unit collates attack events from all submitted logs and displays the information in a table. With even Correlation you can view:

•all attacks on your network.

•attacks targeted to specific devices.

•the target and source of the attack.

•when the attack occurred.

•details on the type of attack.

To run an event correlation:

1Go to File Browse > Event Correlation.

2Select an attack type from the list

3Select Next.

4From the drop list, select to view the attacks from the same source IP or targets of the same attack.

5Select Show me.

Figure 48: Event Correlation results

Page	Use the page arrows or enter the page number to move to a different page
	of the event correlation results.
Sort list	Select an attack sort for viewing the results. You can choose from Attacks
	from the same source or other targets of the same attack.

FortiLog Administration Guide

05-16000-0082-20050115

79

Image 79

Fortinet FortiLog-800, FortiLog-100, FortiLog-400 manual Event correlation Active mode, Sort list

Contents

January 15, 2004 FortiLog-100 FortiLog-400 FortiLog-800 Trademarks Version 1.6 January 15 05-16000-0082-20050115Regulatory Compliance Table of Contents Managing the FortiLog unit Config Network Reports 110 Setting folder and file properties103 104 FortiLog-400 FortiLog-100 FortiLog-800 Introduction Operational Modes Active Mode Introduction Passive Mode About this guide Explains how to install and set up the FortiLog unitFortiLog documentation Related documentation Explains how to configure VPNs using the web-based managerFortiGate documentation Fortinet Knowledge Center FortiManager documentationFortiClient documentation FortiMail documentation Customer service and technical support Customer service and technical support Checking the package contents Setting up the FortiLog unit Weight Hardware specifications DimensionsFortiLog-100 2.5 kg FortiLog-400 11 kg FortiLog-80014 kg Air flow Planning the installationPower requirements Environmental specifications To connect the FortiLog unit to the network Connecting the FortiLog unitConnecting the FortiLog unit FortiLog unit Management PC To connect to the web-based manager Configuring the FortiLog unitUsing the web-based manager Factory defaults Administrator Set system interface port1 mode static ip IPaddress netmask Using the command line interfaceTo configure the FortiLog unit using the web-based manager To configure the FortiLog unit using the CLI Set the primary DNS server IP address Using the front panel buttons and LCDSet system dns primary IPaddress Configuring the FortiLog unit Sending device logs to the FortiLog unit Connecting to the FortiLog UnitConfiguring FortiGate unit running FortiOS Go to Log&Report Log Config FortiGate 2.8 log settings Configuring FortiGate devices running FortiOS FortiGate 2.5 Log settings Configuring FortiMail devices Unregistered Adding a deviceTo add a device Groups from this tab Defining device port interfaces To create a device group Go to System Devices Groups Creating Device Groups Status Managing the FortiLog unitStatus Alerts Operating ModeInterval Refresh Set system opmode activepassive To change the operating mode in the CLIChanging the FortiLog host name Changing operating modes Viewing system resources information To change the firmware using the web-based managerChanging the firmware Execute restore image FortiLog400-v120.out Installing firmware from a system rebootTo change the firmware using the CLI Execute restore image namestr tftpip Enter Local Address To install firmware from a system rebootPress any key to enter configuration menu Immediately press any key to interrupt the system startup Enter File Name image.out Testing a new firmware imageTo test a new firmware image before installing it Following message appears You can test the new firmware image as required Installing a backup firmware imageSave as Default firmware/Run image without savingD/R Get system status Type B To install a backup firmware image Switching to the default firmware image Switching to a backup firmware imageTo switch to the backup firmware image To backup up system settings Go to System Status Status Backing up system settingsTo switch back to the default firmware image Execute reboot Restoring a FortiLog unit Restoring system settingsRestore factory default system settings To restore system settings Go to System Status Status Press any key to begin download To upload the firmware image to the FortiLog unit Network Config Config RAID Port Log settingsConfig Policy Log to Host Levels Description Generated by Config PolicyLog policy CSV format Language AdminTime Options Configure Administrator access Administrator options Administrator account levels Changing the Administrator password Devices Active modeTo add an administrator account Go to System Config Admin Adding and registering a device Device listEditing device information Server Alert EmailTo edit a device Go to System Devices Local Device Active modeCreating a new device alert Attack Type Entry and listing Level of wait interval Attack Type To add a device alert Go to System Alert Email Device AlertsVirus Type Defining IP aliases Network SharingWindow IP aliases To set host alias names Go to Reports IP Aliases Select New and enter a name for the report To create a report Go to Reports ConfigReports Creating and generating a report Select Run now Configuring report parametersTo define report parameters Go to Reports Config Set the following Select a report from the list Select Queries Configuring a report queryTo set the report queries Go to Reports Config Resolve Service Names Ranked Reports show top To create a query profile To select the devices Go to Reports ConfigCreating a query profile Selecting the devices for the report To create a device profile To set the filtering on a log report Go to Reports ConfigCreating a device profile Select filtering options To create a report filter profile Setting a report scheduleTo create a scheduled report Go to Reports Config Creating a filter profile To create a report schedule profile Creating a report schedule profileChoosing the report destination and format Select Schedule Select a day from the following To create a pre-defined output selection To generate a report on demand Go to Reports ConfigCreating a report destination and format profile Reports on demand To view a generated report Go to File Browse Reports Viewing reports Individual reports Roll up report Vulnerability reports To create a report Go to Reports Config VulnerabilityCreating and generating a report Selecting report result parameters Per device Resolve Host Names Resolve Service NamesSelecting plug-ins To create a plug-in profile To select the plug-ins Go to Reports Config VulnerabilitiesCreating a plug-in profile Selecting the scan targets for the report To add additional devices Creating a scan target profileTo create a scan target profile As an email attachment FileBrowse/Reports hard disk Email list Select the report name from the list of completed reports Viewing the vulnerability report Using Logs Viewing logs Log view interface Ascending and descending order Finding log informationTo view the device log files Go to File Browse Logs Select the column header to change the sort order between Basic log filter Match Up and Down arrows Importing log filesAlert level To import a log file Go to File Browse Logs Show Up and Down arrows Log watch Active modeLog Search To set log watching Go to File Browse Logs Sort list Event correlation Active mode Event correlation Active mode Connecting to the FortiLog file system Using the FortiLog unit as a NAS Adding and modifying user accounts Providing access to the FortiLog hard diskSelect Enable for a file sharing protocol Selecting a file sharing protocol Select Create New Assigning access to foldersAdding and modifying group accounts To add a user group Go to Network Sharing Groups Windows sharing configuration NFS share configuration Modifying the user or group folder access To set file and folder permissions Go to File Browse Files Setting folder and file propertiesOwner CLI documentation conventions FortiLog CLI reference To connect to the FortiLog-800 console Connecting to the CLIConnecting to the FortiLog-800 console FortiLog-800 login To use the CLI to configure SSH or Telnet access Setting administrative access for SSH or TelnetWelcome To connect to the CLI using Telnet Connecting to the FortiLog CLI using SSHConnecting to the FortiLog CLI using Telnet To connect to the CLI using SSH FortiLog CLI commands include CLI commandsExecute branch Get command architecture Use get to display settings, logs, or system informationGet branch Get report aliases Get log logsettingGet system admin Get report resolve Set branch Use set to configure settings, logs, or system informationUse set alertemail to configure alert mails Set alertemail command architecture Set alertmail local time 0.5 1.0 3.0 6.0 String is the passwordNamestr is the user name Below Set alertmail device enable add leveltime CLI commandsSettings originate from a singe source IP Set console Use set console to set console configuration Set log command architecture Use set log to configure log settingsSet log YY-MM-DD 100 101 102 103 Set NAS 104 Set report command architectureSet report Set system 105 106 107 Netmaskstr is the netmask 1080.0 Trusthoststr is trusted host IP address 109 Unset branch 111 112 113 Appendix a Log Report TypesNetwork Activity Web Activity FTP Activity Mail activity reports record Email traffic and connections Terminal ActivityMail Activity 115 Antivirus Activity Intrusion ActivityWeb Filter Activity 117 Mail Filter Activity VPN Activity Content Activity 119 120 121 Index Index 122 123 124