Fortinet black logo

CLI Reference

config log setting remote

config log setting remote

Use this command to configure logging to a remote syslog server.

Note

To configure from global, see config log setting global_remote. Global has preset configurations that customers may use for easy configuration, which apply to all vdoms. However, in config log setting remote, the customer can customize the configuration for the individual vdom, overriding the global remote config.

You can enable override_global_remote here:

FortiADC-VM (root) # config log setting general

FortiADC-VM (general) # show full-configuration

config log setting general

set override_global_remote enable

end

A remote syslog server is a system provisioned specifically to collect logs for long term storage and analysis with preferred analytic tools.

Before you begin:

  • You must have read-write permission for log settings.

Syntax

config log setting remote

edit <name>

set attack-log-status {enable|disable}

set attack-log-category {synflood ipreputation waf geo}

set comma-separated-value {enable|disable}

set event-log-status {enable|disable}

set event-log-category {admin configuration fw glb health-check llb slb system user}

set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kern | local0, local1, local2, local3, local4, local5, local6, local7, lpr, mail, news, ntp}

set loglevel {alert | critical | debug | emerge | error | information | notification | warning}

set proto [udp|tcp|tcpssl]

set tcp_framing [traditional|octet_counted]

set port <integer>

set server <string>

set status {enable|disable}

set traffic-log-status {enable|disable}

set traffic-log-category {slb dns llb}

set script-log-status {enable|disable}

set script-log-category {slb}

next

end

attack-log-status

Enable/disable logging for security events.

attack-log-category

  • synflood—SYN flood protection logs.
  • ipreputation—IP Reputation logs.
  • waf—WAF logs.
  • geo—Geo IP logs

comma-separated-value

Send logs in CSV format. Do not use with FortiAnalyzer.

event-log-status

Enable/disable logging for system events.

event-log-category

Select the types of events to collect in the local log:

  • Configuration—Configuration changes.
  • Admin—Administrator actions.
  • System—System operations, warnings, and errors.
  • User—Authentication results logs.
  • Health Check—Health check results and client certificate validation check results.
  • SLB—Notifications, such as connection limit reached.
  • LLB—Notifications, such as bandwidth thresholds reached.
  • GLB—Notifications, such as the status of associated local SLB and virtual servers.
  • Firewall—Notifications for the "firewall" module, such as SNAT source IP pool is using all of its addresses.

facility

Identifier that is not used by any other device on your network when sending logs to FortiAnalyzer/syslog.

loglevel

Specify the lowest severity for which alerts are sent:

  • Emergency—The system has become unstable.
  • Alert—Immediate action is required.
  • Critical—Functionality is affected.
  • Error—An error condition exists and functionality could be affected.
  • Warning—Functionality might be affected.
  • Notification—Information about normal events.
  • Information—General information about system operations.
  • Debug—Detailed information about the system that can be used to troubleshoot unexpected behavior.

For example, if you select error, the system sends alerts with level Error, Critical, Alert, and Emergency. If you select alert, the system sends alerts with level Alert and Emergency.

port

Listening port number of the syslog server. Usually this is UDP/TCP/TCPSSL port 514.

server

IP address of the syslog server.

status

Enable/disable the configuration.

proto

Use protocol to transfer log messages.

tcp_framing

The frame in which the log message is stored in tcp/tcpssl packets.

traffic-log-status

Enable/disable logging for traffic processed by the load balancing modules.

traffic-log-category

  • SLB—Server Load Balancing traffic logs related to sessions and throughput.
  • GLB—Global Load Balancing traffic logs related to DNS requests.
  • LLB—Link Load Balancing traffic logs related to sessions and throughput.

script-log-status

Enable/disable script log.

script-log-category

Specify the script log category.

Example

FortiADC-VM # config log setting remote

FortiADC-VM (remote) # edit 1

Add new entry '1' for node 547

FortiADC-VM (1) # get

status : disable

server : 0.0.0.0

port : 514

loglevel : information

comma-separated-value : disable

facility : kern

event-log-status : disable

traffic-log-status : disable

attack-log-status : disable

FortiADC-VM (1) # set status enable

FortiADC-VM (1) # set server 203.0.113.10

FortiADC-VM (1) # set loglevel notification

FortiADC-VM (1) # set event-log-status enable

FortiADC-VM (1) # set event-log-category admin configuration system

FortiADC-VM (1) # set traffic-log-status enable

FortiADC-VM (1) # set traffic-log-category slb dns llb

FortiADC-VM (1) # end

FortiADC-VM # get log setting remote

== [ 1 ]

status: enable

server: 203.0.113.10

port: 514

loglevel: notification

facility: kern

FortiADC-VM # show log setting remote

config log setting remote

edit 1

set status enable

set server 203.0.113.10

set loglevel notification

set event-log-status enable

set event-log-category configuration admin system

set traffic-log-status enable

set traffic-log-category slb dns llb

next

end

config log setting remote

Use this command to configure logging to a remote syslog server.

Note

To configure from global, see config log setting global_remote. Global has preset configurations that customers may use for easy configuration, which apply to all vdoms. However, in config log setting remote, the customer can customize the configuration for the individual vdom, overriding the global remote config.

You can enable override_global_remote here:

FortiADC-VM (root) # config log setting general

FortiADC-VM (general) # show full-configuration

config log setting general

set override_global_remote enable

end

A remote syslog server is a system provisioned specifically to collect logs for long term storage and analysis with preferred analytic tools.

Before you begin:

  • You must have read-write permission for log settings.

Syntax

config log setting remote

edit <name>

set attack-log-status {enable|disable}

set attack-log-category {synflood ipreputation waf geo}

set comma-separated-value {enable|disable}

set event-log-status {enable|disable}

set event-log-category {admin configuration fw glb health-check llb slb system user}

set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kern | local0, local1, local2, local3, local4, local5, local6, local7, lpr, mail, news, ntp}

set loglevel {alert | critical | debug | emerge | error | information | notification | warning}

set proto [udp|tcp|tcpssl]

set tcp_framing [traditional|octet_counted]

set port <integer>

set server <string>

set status {enable|disable}

set traffic-log-status {enable|disable}

set traffic-log-category {slb dns llb}

set script-log-status {enable|disable}

set script-log-category {slb}

next

end

attack-log-status

Enable/disable logging for security events.

attack-log-category

  • synflood—SYN flood protection logs.
  • ipreputation—IP Reputation logs.
  • waf—WAF logs.
  • geo—Geo IP logs

comma-separated-value

Send logs in CSV format. Do not use with FortiAnalyzer.

event-log-status

Enable/disable logging for system events.

event-log-category

Select the types of events to collect in the local log:

  • Configuration—Configuration changes.
  • Admin—Administrator actions.
  • System—System operations, warnings, and errors.
  • User—Authentication results logs.
  • Health Check—Health check results and client certificate validation check results.
  • SLB—Notifications, such as connection limit reached.
  • LLB—Notifications, such as bandwidth thresholds reached.
  • GLB—Notifications, such as the status of associated local SLB and virtual servers.
  • Firewall—Notifications for the "firewall" module, such as SNAT source IP pool is using all of its addresses.

facility

Identifier that is not used by any other device on your network when sending logs to FortiAnalyzer/syslog.

loglevel

Specify the lowest severity for which alerts are sent:

  • Emergency—The system has become unstable.
  • Alert—Immediate action is required.
  • Critical—Functionality is affected.
  • Error—An error condition exists and functionality could be affected.
  • Warning—Functionality might be affected.
  • Notification—Information about normal events.
  • Information—General information about system operations.
  • Debug—Detailed information about the system that can be used to troubleshoot unexpected behavior.

For example, if you select error, the system sends alerts with level Error, Critical, Alert, and Emergency. If you select alert, the system sends alerts with level Alert and Emergency.

port

Listening port number of the syslog server. Usually this is UDP/TCP/TCPSSL port 514.

server

IP address of the syslog server.

status

Enable/disable the configuration.

proto

Use protocol to transfer log messages.

tcp_framing

The frame in which the log message is stored in tcp/tcpssl packets.

traffic-log-status

Enable/disable logging for traffic processed by the load balancing modules.

traffic-log-category

  • SLB—Server Load Balancing traffic logs related to sessions and throughput.
  • GLB—Global Load Balancing traffic logs related to DNS requests.
  • LLB—Link Load Balancing traffic logs related to sessions and throughput.

script-log-status

Enable/disable script log.

script-log-category

Specify the script log category.

Example

FortiADC-VM # config log setting remote

FortiADC-VM (remote) # edit 1

Add new entry '1' for node 547

FortiADC-VM (1) # get

status : disable

server : 0.0.0.0

port : 514

loglevel : information

comma-separated-value : disable

facility : kern

event-log-status : disable

traffic-log-status : disable

attack-log-status : disable

FortiADC-VM (1) # set status enable

FortiADC-VM (1) # set server 203.0.113.10

FortiADC-VM (1) # set loglevel notification

FortiADC-VM (1) # set event-log-status enable

FortiADC-VM (1) # set event-log-category admin configuration system

FortiADC-VM (1) # set traffic-log-status enable

FortiADC-VM (1) # set traffic-log-category slb dns llb

FortiADC-VM (1) # end

FortiADC-VM # get log setting remote

== [ 1 ]

status: enable

server: 203.0.113.10

port: 514

loglevel: notification

facility: kern

FortiADC-VM # show log setting remote

config log setting remote

edit 1

set status enable

set server 203.0.113.10

set loglevel notification

set event-log-status enable

set event-log-category configuration admin system

set traffic-log-status enable

set traffic-log-category slb dns llb

next

end