View full version: [Repost] Enable disk logging on a FortiGate running FortiOS 5

chun 2014-1-13 23:03

[Repost] Enable disk logging on a FortiGate running FortiOS 5

<a href="http://alstechcorner.blogspot.tw/2013/10/how-to-enable-disk-logging-on-fortigate.html">http://alstechcorner.blogspot.tw/2013/10/how-to-enable-disk-logging-on-fortigate.html</a><div><br></div><div><h3 class="post-title entry-title" itemprop="name" style="position: relative; font-size: 18px; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; color: rgb(41, 170, 225);">How-to: Enable disk logging on a FortiGate running FortiOS 5</h3><div class="post-header" style="line-height: 1.6; margin: 0px 0px 1em; color: rgb(51, 51, 51); font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px;"><div class="post-header-line-1"></div></div><div class="post-body entry-content" id="post-body-7286646994023759387" itemprop="description articleBody" style="width: 586px; position: relative; line-height: 18px; color: rgb(51, 51, 51); font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px;"><div dir="ltr" trbidi="on">By default, disk logging is disabled on FortiOS v5.0. One of the reasons is that the flash memory on some devices is not designed for constant reads and writes, so saving logs to it can degrade the disk (resulting in corrupted sectors). 
Having said that, we've got a few FortiGates that have been logging to disk for a few years now with no problems.<br><br><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-awz7zdD8Vgc/UnGSxRTxJeI/AAAAAAAAARo/jzbE57R8wLY/s1600/1.png" imageanchor="1" style="text-decoration: none; color: rgb(1, 87, 130); margin-left: 1em; margin-right: 1em;"><img border="0" height="154" src="http://4.bp.blogspot.com/-awz7zdD8Vgc/UnGSxRTxJeI/AAAAAAAAARo/jzbE57R8wLY/s320/1.png" width="320" style="border: 1px solid rgb(204, 204, 204); position: relative; padding: 8px; -webkit-box-shadow: rgba(0, 0, 0, 0.2) 0px 0px 20px; box-shadow: rgba(0, 0, 0, 0.2) 0px 0px 20px; border-top-left-radius: 0px; border-top-right-radius: 0px; border-bottom-right-radius: 0px; border-bottom-left-radius: 0px;"></a></div><a name="more"></a><br><br>Below are the steps to re-enable disk logging:&nbsp;<br><ol><li style="padding: 0px; margin: 0px 0px 0.25em;">Confirm your device has a log disk</li><li style="padding: 0px; margin: 0px 0px 0.25em;">Format the log disk</li><li style="padding: 0px; margin: 0px 0px 0.25em;">Enable logging&nbsp;</li></ol><br><br>1. Confirm your device has a log disk<br><br>First, check that your FortiGate has the log disk available. Some units don't come with a log disk. 
To confirm use the&nbsp;<span style="font-family: 'Courier New', Courier, monospace;">get sys status</span>&nbsp;command and ensure that the variable 'Log hard disk' shows 'Need format'.<br><br><span style="font-family: 'Courier New', Courier, monospace;">fortigate #&nbsp;<b>get sys status&nbsp;</b><br>Version: FortiGate-VM64 v5.0,build0228,130809 (GA Patch 4)<br>Virus-DB: 16.00560(2012-10-19 08:31)<br>Extended DB: 1.00000(2012-10-17 15:46)<br>IPS-DB: 4.00345(2013-05-23 00:39)<br>IPS-ETDB: 0.00000(2000-00-00 00:00)<br>Serial-Number: FGVMEV0000000000<br>Botnet DB: 1.00000(2012-05-28 22:51)<br>License Status: Valid<br>Evaluation License Expires: Fri Nov&nbsp; 1 06:24:58 2013<br>VM Resources: 1 CPU/1 allowed, 475 MB RAM/1024 MB allowed<br>BIOS version: 04000002<br><b>Log hard disk: Need format</b><br>Hostname: fortigate<br>Operation Mode: NAT<br>Current virtual domain: root<br>Max number of virtual domains: 1<br>Virtual domains status: 1 in NAT mode, 0 in TP mode<br>Virtual domain configuration: disable<br>FIPS-CC mode: disable<br>Current HA mode: standalone<br>Branch point: 228<br>Release Version Information: GA Patch 4<br>FortiOS x86-64: Yes<br>System time: Wed Oct 30 15:43:01 2013</span><br><br>If your FortiGate doesn't have a hard disk you'll get the following:<br><br><span style="font-family: 'Courier New', Courier, monospace;">fortigate #&nbsp;<b>get sys status&nbsp;</b><br>Version: FortiGate-VM64 v5.0,build0228,130809 (GA Patch 4)<br>Virus-DB: 16.00560(2012-10-19 08:31)<br>Extended DB: 1.00000(2012-10-17 15:46)<br>IPS-DB: 4.00345(2013-05-23 00:39)<br>IPS-ETDB: 0.00000(2000-00-00 00:00)<br>Serial-Number: FGVMEV0000000000<br>Botnet DB: 1.00000(2012-05-28 22:51)<br>License Status: Valid<br>Evaluation License Expires: Fri Nov&nbsp; 1 06:24:58 2013<br>VM Resources: 1 CPU/1 allowed, 475 MB RAM/1024 MB allowed<br>BIOS version: 04000002<br><b>Log hard disk: Not available</b><br>Hostname: fortigate<br>Operation Mode: NAT<br>Current virtual domain: root<br>Max number of 
virtual domains: 1<br>Virtual domains status: 1 in NAT mode, 0 in TP mode<br>Virtual domain configuration: disable<br>FIPS-CC mode: disable<br>Current HA mode: standalone<br>Branch point: 228<br>Release Version Information: GA Patch 4<br>FortiOS x86-64: Yes<br>System time: Wed Oct 30 15:43:01 2013</span><br><br>2. Format the log disk<br><br>Now enter the command&nbsp;<span style="font-family: 'Courier New', Courier, monospace;">execute formatlogdisk</span>, then press y to confirm. This will format the disk and then&nbsp;<b>REBOOT</b>&nbsp;the firewall.<br><br><span style="font-family: 'Courier New', Courier, monospace;">fortigate #&nbsp;<b>execute formatlogdisk&nbsp;</b><br>Log disk is /dev/sdb1.<br>Formatting this storage will erase all data on it, including<br>&nbsp; logs, quarantine files;<br>and require the unit to reboot.<br>Do you want to continue? (y/n)<b>y</b></span><br><br>3. Enable logging<br><br>When the device is back up, log in to the web GUI and navigate to Log &amp; Report &gt; Log Config &gt; Log Settings. You should now see the 'Disk' option. Select this (and 'Enable local reports' if you want to run reports locally), then click apply. 
Ensure that 'Display logs from' says Disk.<br><br><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-s73Rc6VBTlM/UnGSxaRsRPI/AAAAAAAAARc/NptOTlrCKK0/s1600/2.png" imageanchor="1" style="text-decoration: none; color: rgb(1, 87, 130); margin-left: 1em; margin-right: 1em;"><img border="0" height="135" src="http://2.bp.blogspot.com/-s73Rc6VBTlM/UnGSxaRsRPI/AAAAAAAAARc/NptOTlrCKK0/s320/2.png" width="320" style="border: 1px solid rgb(204, 204, 204); position: relative; padding: 8px; -webkit-box-shadow: rgba(0, 0, 0, 0.2) 0px 0px 20px; box-shadow: rgba(0, 0, 0, 0.2) 0px 0px 20px; border-top-left-radius: 0px; border-top-right-radius: 0px; border-bottom-right-radius: 0px; border-bottom-left-radius: 0px;"></a></div><br>If you don't have this option via the web GUI you can enable it via the CLI with the following commands:<br><br><span style="font-family: 'Courier New', Courier, monospace;">fortigate #&nbsp;<b>config log disk setting</b></span><br><span style="font-family: 'Courier New', Courier, monospace;">fortigate (setting) #&nbsp;<b>set status enable</b></span><br><span style="font-family: 'Courier New', Courier, monospace;">fortigate (setting) #&nbsp;<b>end</b></span></div></div></div>
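
Step 1 of the procedure above, as an added example that is not part of the original post: a parser for saved `get sys status` output that reads the 'Log hard disk' field and reports which step applies to each unit. The function names are hypothetical, and the sample transcripts are constructed by trimming the output shown in the post.

```python
import re

# Constructed sample: trimmed `get sys status` transcript in the format shown in the post.
SAMPLE_NEEDS_FORMAT = """\
fortigate # get sys status
Version: FortiGate-VM64 v5.0,build0228,130809 (GA Patch 4)
Serial-Number: FGVMEV0000000000
Log hard disk: Need format
Hostname: fortigate
System time: Wed Oct 30 15:43:01 2013
"""
SAMPLE_NO_DISK = SAMPLE_NEEDS_FORMAT.replace("Need format", "Not available")

# Echoed CLI prompt, e.g. "fortigate # " or "fortigate (setting) # ".
PROMPT = re.compile(r"^\S+ (\(\S+\) )?# ")


def parse_sys_status(text):
    """Return the 'Key: value' fields of a `get sys status` transcript as a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or PROMPT.match(line):
            continue  # skip blank lines and the echoed command line
        # Split on the first colon only, so values such as timestamps stay intact.
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def next_step(text):
    """Map the 'Log hard disk' field to the step of the procedure that applies."""
    fields = parse_sys_status(text)
    host = fields.get("Hostname", "unknown")
    state = fields.get("Log hard disk")
    if state is None:
        return host, "field missing: re-run 'get sys status'"
    if state == "Need format":
        return host, "run 'execute formatlogdisk' (unit reboots), then enable disk logging"
    if state == "Not available":
        return host, "no log disk: disk logging cannot be enabled on this unit"
    # Any other value is outside what the post shows; report it verbatim.
    return host, f"state '{state}' is not covered by the post: review manually"


if __name__ == "__main__":
    for sample in (SAMPLE_NEEDS_FORMAT, SAMPLE_NO_DISK):
        print(*next_step(sample), sep=": ")
```

Because formatting reboots the firewall, running this over saved output from several units shows which ones need a maintenance window before step 2.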