Log Message Reference

10000017

Meaning
Someone attempted to log in to a FortiWeb administrator account. The attempt either succeeded or failed.

Solution

If you suspect that an unauthorized person is attempting to log in to your FortiWeb, there are some preventative measures that you can take.

Restrict physical access to the FortiWeb to ensure that only authorized persons can attach a console or computer to the appliance’s local console port.

Configure all administrator accounts with trusted IPs that restrict login attempts to ones that originate only from your trusted, physically secured, private administrative network. Do not allow login attempts from hostile or untrusted IP addresses. If any administrator account uses a broad trusted IP definition such as 0.0.0.0/0.0.0.0, then due to that account, FortiWeb must allow login attempts from all IP addresses, including the Internet. Brute force login attempts are then a significant risk.

Enable strong password enforcement. Passwords must be sufficiently complex, in both length and character types, to make brute force login attempts impractically slow.

Require regular password changes.

Enable only secure administrative protocols (SSH and HTTPS) on network interfaces. Insecure protocols such as HTTP and Telnet are easily susceptible to eavesdropping, man-in-the-middle, and other attacks that could compromise your connection, your password, or both.

| Field name | Description |
| --- | --- |
| ID (log_id) | `10000017`. See Log ID numbers. |
| Sub Type (subtype) | `admin`. See Subtypes. |
| Level (pri) | `alert`. See Priority level. |
| User (user) | `<administrator_name>` |
| User Interface (ui) | `{GUI(<mgmt_ip>) \| telnet(<mgmt_ip>) \| ssh(<mgmt_ip>) \| console}` |
| Action (action) | `login` |
| Status (status) | `failure \| success` |
| Message (msg) | `User <administrator_name> login failed from {GUI(<mgmt_ip>) \| telnet(<mgmt_ip>) \| ssh(<mgmt_ip>) \| console}` |

Examples

2023-03-13T17:53:18.818570+08:00 10.20.128.44 date=2023-03-13 time=00:27:21 log_id=10000017 msg_id=000004513309 device_id=FVVM02TM22001887 vd="root" timezone="(GMT-8:00)Pacific Time(US&Canada)" timezone_dayst="GMT+8" type=event subtype="system" pri=alert trigger_policy="N/A" user=admin ui=GUI action=login status=failure msg="User admin login failed from GUI->HTTPS(172.23.132.33)"

2023-03-13T17:53:21.419753+08:00 10.20.128.44 date=2023-03-13 time=00:27:24 log_id=10000017 msg_id=000004513310 device_id=FVVM02TM22001887 vd="root" timezone="(GMT-8:00)Pacific Time(US&Canada)" timezone_dayst="GMT+8" type=event subtype="system" pri=information trigger_policy="N/A" user=admin ui=GUI action=login status=success msg="User admin logged in successfully from GUI->HTTPS(172.23.132.33)"
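
As an added example (not part of the Fortinet reference), the following Python sketch parses the key=value layout of the example lines above and reports administrator login events that come from outside a trusted range, plus repeated failures from one source. The trusted network, the threshold, and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')             # key=value or key="quoted value"
IP_IN_PARENS = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)')  # e.g. ssh(203.0.113.7)
# Assumption: your administrative network; replace with your own trusted ranges.
TRUSTED = [ipaddress.ip_network("172.23.132.0/24")]

# Constructed sample lines (shortened); 203.0.113.7 is a documentation-range placeholder.
BASE = 'date=2023-03-13 time=00:27:21 log_id=10000017 type=event subtype="system" user=admin action=login '
SAMPLE = [
    BASE + 'ui=GUI status=failure msg="User admin login failed from GUI->HTTPS(172.23.132.33)"',
    BASE + 'ui=GUI status=success msg="User admin logged in successfully from GUI->HTTPS(172.23.132.33)"',
    BASE + 'ui=ssh(203.0.113.7) status=failure msg="User admin login failed from ssh(203.0.113.7)"',
    BASE + 'ui=ssh(203.0.113.7) status=failure msg="User admin login failed from ssh(203.0.113.7)"',
    BASE + 'ui=ssh(203.0.113.7) status=failure msg="User admin login failed from ssh(203.0.113.7)"',
    BASE + 'ui=console status=failure msg="User admin login failed from console"',
]

def parse(line):
    """Return the key=value pairs of one log line, with quotes stripped."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def source_ip(event):
    """Source address taken from ui or msg; None for console logins."""
    for field in ("ui", "msg"):
        match = IP_IN_PARENS.search(event.get(field, ""))
        if match:
            return ipaddress.ip_address(match.group(1))
    return None

def review(lines, threshold=3):
    """Flag logins from untrusted sources and repeated failures per (user, source)."""
    failures, findings = Counter(), []
    for line in lines:
        ev = parse(line)
        if ev.get("log_id") != "10000017" or ev.get("action") != "login":
            continue
        src, user = source_ip(ev), ev.get("user", "?")
        if src is not None and not any(src in net for net in TRUSTED):
            findings.append(("untrusted-source", user, str(src), ev.get("status")))
        if ev.get("status") == "failure":
            key = (user, str(src) if src else "console")
            failures[key] += 1
            if failures[key] == threshold:  # report once, when the threshold is reached
                findings.append(("repeated-failure", *key, "failure"))
    return findings

if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```

The counter here is not time-windowed; in production, group by the `date` and `time` fields so that old failures age out.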
