Fortinet Document Library
CLI Reference

log-forward

Use the following commands to configure log forwarding.

Syntax

config system log-forward
    edit <id>
        set mode {aggregation | disable | forwarding}
        set agg-archive-types {Web_Archive | Email_Archive | File_Transfer_Archive | IM_Archive | MMS_Archive | AV_Quarantine | IPS_Packets}
        set agg-logtypes {none | app-ctrl | attack | content | dlp | emailfilter | event | history | traffic | virus | webfilter | netscan}
        set agg-password <passwd>
        set agg-time <integer>
        set agg-user <string>
        set fwd-archives {enable | disable}
        set fwd-archive-types {Web_Archive | Email_Archive | IM_Archive | File_Transfer_Archive | MMS_Archive | AV_Quarantine | IPS_Packets | EDISC_Archive}
        set fwd-facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
        set fwd-log-source-ip {local_ip | original_ip}
        set fwd-max-delay {1min | 5min | realtime}
        set fwd-reliable {enable | disable}
        set fwd-secure {enable | disable}
        set fwd-server-type {cef | fortianalyzer | syslog}
        set log-field-exclusion-status {enable | disable}
        set log-filter-logic {and | or}
        set log-filter-status {enable | disable}
        set server-device <string>
        set server-ip <ipv4_address>
        set server-name <string>
        set server-port <integer>
        set signature <integer>
        set sync-metadata [sf-topology | interface-role | device | endusr-avatar]
        config device-filter
            edit id
                set action include
                set device <string>
            end
        config log-field-exclusion
            edit id
                set dev-type <string>
                set field-type <string>
                set log-type <string>
            end
        config log-filter
            edit id
                set field {type | logid | level | devid | vd | srcip | srcintf | srcport | dstip | dstintf | user | group | free-text}
                set oper {= | != | < | > | <= | >= | contain | not-contain | match}
                set value {traffic | event | utm}
            end
    end

Variable

Description

<id>

Enter the log aggregation ID that you want to edit. Enter edit ? to view available entries.

mode {aggregation | disable | forwarding}

Log aggregation mode (default = disable). The following options are available:

  • aggregation: Aggregate logs to FortiAnalyzer
  • disable: Do not forward or aggregate logs
  • forwarding: Forward logs to the FortiAnalyzer

agg-archive-types {Web_Archive | Email_Archive | File_Transfer_Archive | IM_Archive | MMS_Archive | AV_Quarantine | IPS_Packets}

Archive type.

  • Web_Archive: Web_Archive
  • Secure_Web_Archive: Secure_Web_Archive
  • Email_Archive: Email_Archive
  • File_Transfer_Archive: File_Transfer_Archive
  • IM_Archive: IM_Archive
  • MMS_Archive: MMS_Archive
  • AV_Quarantine: AV_Quarantine
  • IPS_Packets: IPS_Packets

This command is only available when the mode is set to aggregation.

agg-logtypes {none | app-ctrl | attack | content | dlp | emailfilter | event | history | traffic | virus | webfilter | netscan}

Log type.

  • none: none
  • app-ctrl: app-ctrl
  • attack: attack
  • content: content
  • dlp: dlp
  • emailfilter: emailfilter
  • event: event
  • history: history
  • traffic: traffic
  • virus: virus
  • webfilter: webfilter
  • netscan: netscan

This command is only available when the mode is set to aggregation.

agg-password <passwd>

Log aggregation access password for server. This command is only available when the mode is set to aggregation.

agg-time <integer>

Daily at the selected time. This command is only available when the mode is set to aggregation.

agg-user <string>

Log aggregation access user name for server. This command is only available when the mode is set to aggregation.

fwd-archives {enable | disable}

Enable/disable forwarding archives. This command is only available when the mode is set to forwarding.

fwd-archive-types {Web_Archive | Email_Archive | IM_Archive | File_Transfer_Archive | MMS_Archive | AV_Quarantine | IPS_Packets | EDISC_Archive}

Set the forwarding archive types.

  • Web_Archive: Web Archive
  • Email_Archive: Email Archive
  • IM_Archive: IM Archive
  • File_Transfer_Archive: File Transfer Archive
  • MMS_Archive: MMS Archive
  • AV_Quarantine: AV Quarantine
  • IPS_Packets: IPS Packets
  • EDISC_Archive: EDISC Archive

This command is only available when the mode is set to forwarding.

fwd-facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}

Facility for remote syslog.

  • alert: Log alert
  • audit: Log audit
  • auth: Security/authorization messages
  • authpriv: Security/authorization messages (private)
  • clock: Clock daemon
  • cron: Clock daemon
  • daemon: System daemons
  • ftp: FTP daemon
  • kernel: Kernel messages
  • local0, local1, local2, local3, local4, local5, local6, local7: Reserved for local use
  • lpr: Line printer subsystem
  • mail: Mail system
  • news: Network news subsystem
  • ntp: NTP daemon
  • syslog: Messages generated internally by syslogd
  • user: Random user level messages
  • uucp: Network news subsystem

This command is only available when the mode is set to forwarding.

fwd-log-source-ip {local_ip | original_ip}

The source IP address used for forwarded logs.

  • local_ip: Use local IP
  • original_ip: Use original source IP

This command is only available when the mode is set to forwarding.

fwd-max-delay {1min | 5min | realtime}

The maximum delay for near realtime log forwarding.

  • 1min: Near realtime forwarding with up to one minute delay.
  • 5min: Near realtime forwarding with up to five minutes delay (default).
  • realtime: Realtime forwarding, no delay.

This command is only available when the mode is set to forwarding.

fwd-reliable {enable | disable}

Enable/disable reliable logging (default = disable).

fwd-server-type must be set to syslog to support reliable forwarding.

This command is only available when the mode is set to forwarding.

fwd-secure {enable | disable}

Enable/disable TLS/SSL secured reliable logging (default = disable).

This command is only available when the mode is set to forwarding and fwd-server-type is set to syslog.

fwd-server-type {cef | fortianalyzer | syslog}

Forwarding all logs to a CEF (Common Event Format) server, syslog server, or the FortiAnalyzer device. The following options are available:

  • cef: Common Event Format server
  • fortianalyzer: FortiAnalyzer device
  • syslog: Syslog server

This command is only available when the mode is set to forwarding.

log-field-exclusion-status {enable | disable}

Enable/disable log field exclusion list (default = disable).

This command is only available when the mode is set to forwarding and fwd-server-type is set to cef or syslog.

log-filter-logic {and | or}

Logic operator used to connect filters (default = or). This command is only available when log-filter-status is enabled.

log-filter-status {enable | disable}

Enable or disable log filtering (default = disable). This command is only available when the mode is set to forwarding.

server-device <id>

Log aggregation server device ID.

Example: set server-device FL-1KC3R11600346

where FL-1KC3R11600346 is the device ID, and 1.1.1.1 is the IP address, of the FortiAnalyzer device to be registered in the DVM table of another FortiAnalyzer when configuring an aggregation client.

server-ip <ipv4_address>

Remote server IPv4 address.

server-name <string>

Log aggregation server name.

server-port <integer>

Enter the server listen port, from 1 to 65535. Default: 514.

This command is only available when the mode is set to forwarding.

signature <integer>

This field is auto-generated and should not be set.

sync-metadata [sf-topology | interface-role | device | endusr-avatar]

Synchronizing metadata types:

  • sf-topology: Security Fabric topology
  • interface-role: Interface Role
  • device: Device information
  • endusr-avatar: End-user avatar

This command is only available when the mode is set to forwarding.

Variables for config device-filter subcommand:

id

Enter the device filter ID or enter a number to create a new entry.

action include

Include the specified device.

device <string>

Select one of All_FortiGates, All_FortiManagers, All_Syslogs, All_FortiClients, All_FortiMails, All_FortiWebs, All_FortiCaches, All_FortiAnalyzers, All_FortiSandboxes, All_FortiDDoS, or All_FortiAuthenticators, or specify individual devices.

Variables for config log-field-exclusion subcommand:

This command is only available when the mode is set to forwarding and log-field-exclusion-status is set to enable.

id

Enter the log field exclusion ID or enter a number to create a new entry.

dev-type <string>

The device type.

field-type <string>

The field type.

log-type <string>

The log type.

Variables for config log-filter subcommand:

id

Enter the log filter ID or enter a number to create a new entry.

field {type | logid | level | devid | vd | srcip | srcintf | srcport | dstip | dstintf | user | group | free-text }

Field name.

  • type: Log type
  • logid: Log ID
  • level: Level
  • devid: Device ID
  • vd: VDOM ID
  • srcip: Source IP
  • srcintf: Source Interface
  • srcport: Source Port
  • dstip: Destination IP
  • dstintf: Destination Interface
  • dstport: Destination Port
  • user: User
  • group: Group
  • free-text: General free-text filter

oper {= | != | < | > | <= | >= | contain | not-contain | match}

Field filter operator.

  • = - Equal to
  • != - Not equal to
  • < - Less than
  • > - Greater than
  • <= - Less than or equal to
  • >= - Greater than or equal to
  • contain - Contain
  • not-contain - Not contain
  • match - Match (expression)

value {traffic | event | utm}

Field filter operand or free-text matching expression.

This variable uses the glibc regex library for values with the regex operators (~, !~), following the POSIX standard. The filter string syntax is parsed by FortiAnalyzer, escape characters must be used where needed, and both upper-case and lower-case characters are supported.

For example: "a ~ \"regexp\" and (c==d OR e==f)"

Use the show command to display the current configuration if it has been changed from its default value:

show system log-forward
