config log setting local

Use this command to configure basic log settings.

The local log is a datastore hosted on the FortiADC system.

Typically, you use the local log to capture information about system health and system administration activities. We recommend that you use local logging during evaluation and verification of your initial deployment, and then configure remote logging to send logs to a log management repository where they can be stored long term and analyzed using preferred analytic tools.

Local log disk settings are configurable. You can select a subset of system events, traffic, and security logs.

Before you begin:
  • You must have read-write permission for log settings.

Syntax

config log setting local
  set attack-log-cached-lines {0|100|500|800|1000|2000|5000|10000}
  set attack-log-status {enable|disable}
  set attack-log-category {av|ddos|geo|ipreputation|ips|waf|fw|ztna}
  set disk-full {overwrite | nolog}
  set event-log-cached-lines {0|100|500|800|1000|2000|5000|10000}
  set event-log-status {enable|disable}
  set event-log-category {admin|configuration|fw|glb|health-check|llb|slb|system|user}
  set loglevel {alert|critical|debug|emerge|error|information|notification|warning}
  set rate_limit <integer>
  set rotation-size <integer>
  set status {enable|disable}
  set traffic-log-cached-lines {0|100|500|800|1000|2000|5000|10000}
  set traffic-log-status {enable|disable}
  set traffic-log-category {slb|dns|llb}
  set script-log-status {enable|disable}
  set script-log-category {slb}
end

attack-log-cached-lines

Limit the number of security logs that are cached before being written to disk. The default is 0 (disabled). Valid values are 0, 100, 500, 800, 1000, 2000, 5000, and 10000. If 0, every generated log is written to disk immediately. If 1000, logs are written to disk in batches of 1000.

attack-log-status

Enable/disable logging for security events.

attack-log-category

If attack-log-status is enabled, the attack-log-category becomes configurable.

Select one or more of the following security categories to include in the security logs export:

  • ddos — DoS protection logs.
  • ipreputation — IP Reputation logs.
  • waf — WAF logs.
  • geo — Geo IP blocking logs.
  • av — AV logs.
  • ips — IPS logs.
  • fw — Firewall logs.
  • ztna — ZTNA logs.

disk-full

Specify log behavior when the maximum disk space for local logs (30% of total disk space) is reached:

  • overwrite—Continue logging. Overwrite the earliest logs.
  • nolog—Stop logging.

event-log-cached-lines

Limit the number of event logs that are cached before being written to disk. The default is 0 (disabled). Valid values are 0, 100, 500, 800, 1000, 2000, 5000, and 10000. If 0, every generated log is written to disk immediately. If 1000, logs are written to disk in batches of 1000.

event-log-status

Enable/disable logging for system events.

event-log-category

If event-log-status is enabled, the event-log-category becomes configurable.

Select one or more of the following event categories to include in the event logs export:

  • configuration — Configuration changes.
  • admin — Administrator actions.
  • system — System operations, warnings, and errors.
  • user — Authentication results logs.
  • health-check — Health check results and client certificate validation check results.
  • slb — Notifications, such as connection limit reached.
  • llb — Notifications, such as bandwidth thresholds reached.
  • glb — Notifications, such as the status of associated local SLB and virtual servers.
  • fw — Notifications for the Firewall module, such as SNAT source IP pool is using all of its addresses.

loglevel

Specify the lowest severity for which alerts are sent:

  • Emergency—The system has become unstable.
  • Alert—Immediate action is required.
  • Critical—Functionality is affected.
  • Error—An error condition exists and functionality could be affected.
  • Warning—Functionality might be affected.
  • Notification—Information about normal events.
  • Information—General information about system operations.
  • Debug—Detailed information about the system that can be used to troubleshoot unexpected behavior.

For example, if you select error, the system sends alerts with level Error, Critical, Alert, and Emergency. If you select alert, the system sends alerts with level Alert and Emergency.

rate_limit

Rate limit logging (logs/second). The default is 0 (disabled).

rotation-size

Maximum size for a local log file. The default is 200 MB. When the current log file reaches this size, a new file is created.

status

Enable/disable local logging.

traffic-log-cached-lines

Limit the number of traffic logs that are cached before being written to disk. The default is 0 (disabled). Valid values are 0, 100, 500, 800, 1000, 2000, 5000, and 10000. If 0, every generated log is written to disk immediately. If 1000, logs are written to disk in batches of 1000.

traffic-log-status

Enable/disable logging for traffic.

traffic-log-category

If traffic-log-status is enabled, the traffic-log-category becomes configurable.

Select one or more of the following traffic categories to include in the traffic logs export:

  • slb — Server Load Balancing traffic logs related to sessions and throughput.
  • dns — Global Load Balancing traffic logs related to DNS requests.
  • llb — Link Load Balancing traffic logs related to session and throughput.

script-log-status

Enable/disable script log.

script-log-category

Set script log category.

Example

FortiADC-VM (root) # get log setting local
status : enable
rotation-size : 199
disk-full : overwrite
loglevel : information
event-log-status : enable
event-log-category : configuration admin health_check system user slb llb glb fw
traffic-log-status : enable
traffic-log-category : slb dns
attack-log-status : enable
attack-log-category : synflood ipreputation waf geo
script-log-status : enable
script-log-category : slb
event-log-cached-lines : 0
traffic-log-cached-lines : 0
attack-log-cached-lines : 0
rate_limit : 0
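
A captured `get log setting local` listing can be checked offline for settings that reduce what the local log retains. The Python sketch below is an added example, not Fortinet code or part of the original reference; the function names, the sample listing, and the policy values (`want_level`, `want_events`) are assumptions chosen for illustration.

```python
# Added example (not Fortinet code): audit captured `get log setting local` output.
# loglevel keywords from the Syntax block, most to least severe per the loglevel list.
SEVERITY = "emerge alert critical error warning notification information debug".split()
# Constructed sample in the Example's "key : value" shape, with weaker values.
SAMPLE = """FortiADC-VM (root) # get log setting local
status : enable
disk-full : nolog
loglevel : error
event-log-status : enable
event-log-category : configuration system
traffic-log-status : enable
attack-log-status : disable
event-log-cached-lines : 1000
rate_limit : 50
"""

def parse(text):
    """Return {key: value} from 'key : value' lines; the prompt line has no ' : '."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def recorded_levels(loglevel):
    """Severities covered when `loglevel` is the lowest severity selected."""
    return SEVERITY[:SEVERITY.index(loglevel) + 1]

def audit(s, want_level="notification", want_events=("admin", "configuration", "user")):
    """List findings. want_level and want_events are assumed site policy."""
    out = []
    if s.get("status") != "enable":
        out.append("status: local logging is disabled")
    if s.get("disk-full") == "nolog":
        out.append("disk-full: logging stops once the local log quota is full")
    if want_level not in recorded_levels(s.get("loglevel", "emerge")):
        out.append(f"loglevel: {s.get('loglevel')} does not include {want_level}")
    for kind in ("event", "traffic", "attack"):
        if s.get(f"{kind}-log-status") != "enable":
            out.append(f"{kind}-log-status: not enabled")
        cached = int(s.get(f"{kind}-log-cached-lines", "0"))
        if cached:
            out.append(f"{kind}-log-cached-lines: disk writes wait for {cached} lines")
    for cat in sorted(set(want_events) - set(s.get("event-log-category", "").split())):
        out.append(f"event-log-category: {cat} not selected")
    if int(s.get("rate_limit", "0")):
        out.append(f"rate_limit: capped at {s['rate_limit']} logs/second")
    return out
```

Running `audit(parse(SAMPLE))` returns seven findings for the constructed listing, while the listing shown in the Example above returns none under the same assumed policy.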
