Memory logging enabled-fortinet-FortiOS
Vendor: fortinet
OS: FortiOS
Description:
Indeni will alert if logging to the system memory is enabled.
Remediation Steps:
Turn off memory logging as soon as possible.
1. Log in via SSH to the Fortinet firewall and run the FortiOS command “get log memory setting” to review the memory logging status. If the FortiGate unit has a hard disk, disk logging is enabled by default to store logs. If the FortiGate unit has only flash memory, disk logging is disabled by default.
2. Log in via HTTPS to the Fortinet firewall and go to the menu System > Dashboard > Status. Look at the System Resources widget to review the Memory utilization graph. If memory utilization is high, it is recommended to disable the logging to memory setting. Use the FortiOS commands “execute log filter device X”, “execute log filter category Y” and “execute log delete” to clear the logs.
3. Run the FortiOS command “execute log filter device” to get a list of the supported log devices. Consider storing logs to Syslog, FortiAnalyzer or FortiCloud instead of memory or hard disk.
4. If logging to memory is the only option, it is good practice to manually set the warning thresholds and the maximum memory log buffer size under the “config log memory global-setting” FortiOS CLI.
5. For more information, review the Fortinet Handbook: https://docs.fortinet.com/uploaded/files/3421/logging-reporting-54.pdf
How does this work?
This script retrieves the log memory setting by using the FortiOS REST API.
Why is this important?
This metric is used to identify whether logging to the system memory is enabled. Enabling logging to the system memory is not recommended because it may affect the performance of the device. In addition, logs stored in memory are cleared when the FortiGate device is restarted. Based on network security best practice, it is recommended to store logs on a remote device. Fortinet recommends uploading the logs for analysis to a remote device such as FortiAnalyzer or a FortiGuard Analysis server. Check the link below for more information: https://docs.fortinet.com/uploaded/files/3421/logging-reporting-54.pdf
Without Indeni how would you find this?
The user would have to log in to the device and use the “get log memory setting” command to identify whether memory logging is enabled on the device.
fortios-get-log-memory-setting
name: fortios-get-log-memory-setting
description: FortiGate check memory logging status
type: monitoring
monitoring_interval: 10 minutes
requires:
    vendor: fortinet
    os.name: FortiOS
    product: firewall
comments:
    fortios-memory-logging:
        why: |
            This metric is used to identify whether logging to the system memory is enabled. Enabling logging to the system
            memory is not recommended because it may affect the performance of the device. In addition, logs stored in
            memory are cleared when the FortiGate device is restarted. Based on network security best practice, it is
            recommended to store logs on a remote device. Fortinet recommends uploading the logs for analysis to a remote
            device such as FortiAnalyzer or a FortiGuard Analysis server. Check the link below for more information:
            https://docs.fortinet.com/uploaded/files/3421/logging-reporting-54.pdf
        how: |
            This script retrieves the log memory setting by using the FortiOS REST API.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: HTTP
        command: /api/v2/cmdb/log.memory/setting?global=1
    parse:
        type: JSON
        file: get_log_memory_setting.parser.1.json.yaml
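The following is an added example, not Indeni's parser or rule code, showing what the HTTP step and JSON parse above amount to: fetch /api/v2/cmdb/log.memory/setting?global=1, read the memory logging status out of the response, and decide whether the rule should alert. The response shape (a "results" object carrying a "status" of enable/disable) and the bearer-token authentication in fetch_setting are assumptions; the sample response is constructed.

```python
import json
import urllib.request

# Endpoint queried by the monitoring script above.
ENDPOINT = "/api/v2/cmdb/log.memory/setting?global=1"

# Constructed sample responses (assumed shape of a FortiOS cmdb GET reply).
SAMPLE_ENABLED = """{
  "http_method": "GET",
  "results": {"status": "enable", "diskfull": "overwrite"},
  "vdom": "root", "path": "log.memory", "name": "setting",
  "status": "success", "http_status": 200
}"""
SAMPLE_DISABLED = SAMPLE_ENABLED.replace('"status": "enable"', '"status": "disable"')


def memory_logging_enabled(body: str) -> bool:
    """Return True when log.memory/setting reports status=enable."""
    doc = json.loads(body)
    if doc.get("status") != "success":
        # Treat an API-level failure as an error rather than silently "disabled".
        raise ValueError(f"API call failed: {doc.get('status')!r}")
    results = doc.get("results", {})
    if isinstance(results, list):  # some cmdb endpoints wrap results in a list
        results = results[0] if results else {}
    return str(results.get("status", "")).lower() == "enable"


def evaluate(body: str) -> dict:
    """Mirror the rule: alert only when memory logging is enabled."""
    enabled = memory_logging_enabled(body)
    alert = None
    if enabled:
        alert = "Memory logging enabled; send logs to Syslog, FortiAnalyzer or FortiCloud"
    return {"metric": "fortios-memory-logging", "value": enabled, "alert": alert}


def fetch_setting(host: str, api_token: str) -> str:
    """GET the setting over the REST API (assumed: API-token bearer auth)."""
    req = urllib.request.Request(
        f"https://{host}{ENDPOINT}",
        headers={"Authorization": f"Bearer {api_token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    print(evaluate(SAMPLE_ENABLED))
```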
FortinetMemoryLogging
Rule source: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/fortinet/FortinetMemoryLogging.scala