log-forward
Use the following commands to configure log forwarding.
Syntax
```
config system log-forward
    edit <id>
        set mode {aggregation | disable | forwarding}
        set agg-archive-types {Web_Archive | Email_Archive | File_Transfer_Archive | IM_Archive | MMS_Archive | AV_Quarantine | IPS_Packets}
        set agg-logtypes {none | app-ctrl | attack | content | dlp | emailfilter | event | history | traffic | virus | webfilter | netscan}
        set agg-password <passwd>
        set agg-time <integer>
        set agg-user <string>
        set fwd-archives {enable | disable}
        set fwd-archive-types {Web_Archive | Email_Archive | IM_Archive | File_Transfer_Archive | MMS_Archive | AV_Quarantine | IPS_Packets | EDISC_Archive}
        set fwd-facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
        set fwd-log-source-ip {local_ip | original_ip}
        set fwd-max-delay {1min | 5min | realtime}
        set fwd-reliable {enable | disable}
        set fwd-secure {enable | disable}
        set fwd-server-type {cef | fortianalyzer | syslog}
        set log-field-exclusion-status {enable | disable}
        set log-filter-logic {and | or}
        set log-filter-status {enable | disable}
        set server-device <string>
        set server-ip <ipv4_address>
        set server-name <string>
        set server-port <integer>
        set signature <integer>
        set sync-metadata [sf-topology | interface-role | device | endusr-avatar]
        config device-filter
            edit <id>
                set action include
                set device <string>
            end
        config log-field-exclusion
            edit <id>
                set dev-type <string>
                set field-type <string>
                set log-type <string>
            end
        config log-filter
            edit <id>
                set field {type | logid | level | devid | vd | srcip | srcintf | srcport | dstip | dstintf | user | group | free-text}
                set oper {= | != | < | > | <= | >= | contain | not-contain | match}
                set value {traffic | event | utm}
            end
    end
```
| Variable | Description |
|---|---|
| <id> | Enter the log aggregation ID that you want to edit. Enter |
| mode {aggregation \| disable \| forwarding} | Log aggregation mode (default = disable). The following options are available: |
| agg-archive-types {Web_Archive \| Email_Archive \| File_Transfer_Archive \| IM_Archive \| MMS_Archive \| AV_Quarantine \| IPS_Packets} | Archive type. This command is only available when the mode is set to |
| agg-logtypes {none \| app-ctrl \| attack \| content \| dlp \| emailfilter \| event \| history \| traffic \| virus \| webfilter \| netscan} | Log type. This command is only available when the mode is set to |
| agg-password <passwd> | Log aggregation access password for the server. This command is only available when the mode is set to |
| agg-time <integer> | Daily at the selected time. This command is only available when the mode is set to |
| agg-user <string> | Log aggregation access user name for the server. This command is only available when the mode is set to |
| fwd-archives {enable \| disable} | Enable/disable forwarding archives. This command is only available when the mode is set to |
| fwd-archive-types {Web_Archive \| Email_Archive \| IM_Archive \| File_Transfer_Archive \| MMS_Archive \| AV_Quarantine \| IPS_Packets \| EDISC_Archive} | Set the forwarding archive types. This command is only available when the mode is set to |
| fwd-facility {alert \| audit \| auth \| authpriv \| clock \| cron \| daemon \| ftp \| kernel \| local0 \| local1 \| local2 \| local3 \| local4 \| local5 \| local6 \| local7 \| lpr \| mail \| news \| ntp \| syslog \| user \| uucp} | Facility for remote syslog. This command is only available when the mode is set to |
| fwd-log-source-ip {local_ip \| original_ip} | This command is only available when the mode is set to |
| fwd-max-delay {1min \| 5min \| realtime} | The maximum delay for near-realtime log forwarding. This command is only available when the mode is set to |
| fwd-reliable {enable \| disable} | Enable/disable reliable logging (default = disable). This command is only available when the mode is set to |
| fwd-secure {enable \| disable} | Enable/disable TLS/SSL secured reliable logging (default = disable). This command is only available when the mode is set to |
| fwd-server-type {cef \| fortianalyzer \| syslog} | Forward all logs to a CEF (Common Event Format) server, a syslog server, or a FortiAnalyzer device. The following options are available: This command is only available when the mode is set to |
| log-field-exclusion-status {enable \| disable} | Enable/disable the log field exclusion list (default = disable). This command is only available when the mode is set to |
| log-filter-logic {and \| or} | Logic operator used to connect filters (default = or). This command is only available when |
| log-filter-status {enable \| disable} | Enable or disable log filtering (default = disable). This command is only available when the mode is set to |
| server-device <id> | Log aggregation server device ID. Example: where |
| server-ip <ipv4_address> | Remote server IPv4 address. |
| server-name <string> | Log aggregation server name. |
| server-port <integer> | Enter the server listen port, from 1 to 65535 (default = 514). This command is only available when the mode is set to |
| signature <integer> | This field is auto-generated and should not be set. |
| sync-metadata [sf-topology \| interface-role \| device \| endusr-avatar] | Synchronizing metadata types: This command is only available when the mode is set to |
Variables for config device-filter

| Variable | Description |
|---|---|
| id | Enter the device filter ID, or enter a new number to create a new entry. |
| action include | Include the specified device. |
| device <string> | Select All_FortiGates, All_FortiManagers, All_Syslogs, All_FortiClients, All_FortiMails, All_FortiWebs, All_FortiCaches, All_FortiAnalyzers, All_FortiSandboxes, All_FortiDDoS, or All_FortiAuthenticators, or specify individual devices. |
Variables for config log-field-exclusion. This command is only available when the

| Variable | Description |
|---|---|
| id | Enter the log field exclusion ID, or enter a new number to create a new entry. |
| dev-type <string> | |
| field-type <string> | The field type. |
| log-type <string> | The log type. |
Variables for config log-filter

| Variable | Description |
|---|---|
| id | Enter the log filter ID, or enter a new number to create a new entry. |
| field {type \| logid \| level \| devid \| vd \| srcip \| srcintf \| srcport \| dstip \| dstintf \| user \| group \| free-text} | Field name. |
| oper {= \| != \| < \| > \| <= \| >= \| contain \| not-contain \| match} | Field filter operator. |
| value {traffic \| event \| utm} | Field filter operand or free-text matching expression. For values used with the regex operators (~, !~) this variable is evaluated by the glibc regex library using POSIX syntax. The filter string is parsed by FortiAnalyzer, so escape characters must be used where needed; both upper- and lower-case characters are supported. For example: |
Use the show command to display the current configuration if it has been changed from its default value:

```
show system log-forward
```