
CLI Reference

locallog

Use the following commands to configure local log settings.

locallog setting

Use this command to configure locallog logging settings.

Syntax

config system locallog setting

set log-interval-dev-no-logging <integer>

set log-interval-disk-full <integer>

set log-interval-gbday-exceeded <integer>

end

Variable

Description

log-interval-dev-no-logging <integer>

Interval, in minutes, for logging the event of no logs received from a device. Default: 5.

log-interval-disk-full <integer>

Interval, in minutes, for logging the event of disk full. Default: 5.

log-interval-gbday-exceeded <integer>

Interval, in minutes, for logging the event of the GB/Day license exceeded. Default: 1440.

locallog disk setting

Use this command to configure the disk settings for uploading log files, including configuring the severity of log levels.

status must be enabled to view diskfull, max-log-file-size and upload variables.

upload must be enabled to view/set other upload* variables.

Syntax

config system locallog disk setting

set status {enable | disable}

set severity {alert | critical | debug | emergency | error | information | notification | warning}

set max-log-file-size <integer>

set roll-schedule {none | daily | weekly}

set roll-day <string>

set roll-time <hh:mm>

set diskfull {nolog | overwrite}

set log-disk-full-percentage <integer>

set upload {disable | enable}

set uploadip <ipv4_address>

set server-type {FAZ | FTP | SCP | SFTP}

set uploadport <integer>

set uploaduser <string>

set uploadpass <passwd>

set uploaddir <string>

set uploadtype <event>

set uploadzip {disable | enable}

set uploadsched {disable | enable}

set upload-time <hh:mm>

set upload-delete-files {disable | enable}

end

Variable

Description

status {enable | disable}

Enable or disable logging to the local disk. Default: disable

severity {alert | critical | debug | emergency | error | information | notification | warning}

Select the logging severity level. The FortiAnalyzer unit logs all messages at and above the logging severity level you select. For example, if you select critical, the unit logs critical, alert and emergency level messages.

The logging levels in descending order are:

  • emergency: The unit is unusable.
  • alert: Immediate action is required.
  • critical: Functionality is affected.
  • error: Functionality is probably affected.
  • warning: Functionality might be affected.
  • notification: Information about normal events.
  • information: General information about unit operations.
  • debug: Information used for diagnosis or debugging.

Default: alert

max-log-file-size <integer>

Enter the size at which the log is rolled. Default: 100. Range: 1 to 1024 (MB)

roll-schedule {none | daily | weekly}

Enter the period for the scheduled rolling of a log file. If roll-schedule is none, the log rolls when max-log-file-size is reached. The following options are available:

  • none: Not scheduled.
  • daily: Every day.
  • weekly: Every week.

Default: none

roll-day <string>

Enter the day for the scheduled rolling of a log file.

roll-time <hh:mm>

Enter the time for the scheduled rolling of a log file.

diskfull {nolog | overwrite}

Enter the action to take when the disk is full:

  • nolog: Stop logging.
  • overwrite: Overwrite the oldest log entries.

Default: overwrite

log-disk-full-percentage <integer>

Enter the percentage at which the log disk will be considered full (50-90%).

upload {disable | enable}

Enable to permit uploading of logs. Default: disable

uploadip <ipv4_address>

Enter IPv4 address of the destination server. Default: 0.0.0.0

server-type {FAZ | FTP | SCP | SFTP}

Enter the server type to use to store the logs. The following options are available:

  • FAZ: Upload to FortiAnalyzer.
  • FTP: Upload via FTP.
  • SCP: Upload via SCP.
  • SFTP: Upload via SFTP.

uploadport <integer>

Enter the port to use when communicating with the destination server. Default: 21. Range: 1 to 65535

uploaduser <string>

Enter the user account on the destination server.

uploadpass <passwd>

Enter the password of the user account on the destination server. Character limit: 127

uploaddir <string>

Enter the destination directory on the remote server.

uploadtype <event>

Enter the type of log files to upload. Default: event

uploadzip {disable | enable}

Enable to compress uploaded log files. Default: disable

uploadsched {disable | enable}

Enable to schedule log uploads. The following options are available:

  • disable: Upload when rolling.
  • enable: Scheduled upload.

upload-time <hh:mm>

Enter the time of the scheduled upload.

upload-delete-files {disable | enable}

Enable to delete log files after uploading. Default: enable

Example

In this example, the logs are uploaded to an upload server and are not deleted after they are uploaded.

config system locallog disk setting

set status enable

set severity information

set max-log-file-size 1000

set roll-schedule daily

set upload enable

set uploadip 10.10.10.1

set uploadport 443

set uploaduser myname2

set uploadpass 12345

set uploadtype event

set uploadzip enable

set uploadsched enable

set upload-time 06:45

set upload-delete-files disable

end

locallog filter

Use this command to configure filters for local logs. All keywords are visible only when event is enabled.

Syntax

config system locallog [memory | disk | fortianalyzer | fortianalyzer2 | fortianalyzer3 | syslogd | syslogd2 | syslogd3] filter

set devcfg {disable | enable}

set devops {disable | enable}

set diskquota {disable | enable}

set dm {disable | enable}

set dvm {disable | enable}

set ediscovery {disable | enable}

set epmgr {disable | enable}

set event {disable | enable}

set eventmgmt {disable | enable}

set faz {enable | disable}

set fazha {enable | disable}

set fazsys {disable | enable}

set fgd {disable | enable}

set fgfm {disable | enable}

set fips {disable | enable}

set fmgws {disable | enable}

set fmlmgr {disable | enable}

set fmwmgr {disable | enable}

set fortiview {disable | enable}

set glbcfg {disable | enable}

set ha {disable | enable}

set hcache {disable | enable}

set iolog {disable | enable}

set logd {disable | enable}

set logdb {disable | enable}

set logdev {disable | enable}

set logfile {disable | enable}

set logging {disable | enable}

set lrmgr {disable | enable}

set objcfg {disable | enable}

set report {disable | enable}

set rev {disable | enable}

set rtmon {disable | enable}

set scfw {disable | enable}

set scply {disable | enable}

set scrmgr {disable | enable}

set scvpn {disable | enable}

set system {disable | enable}

set webport {disable | enable}

end

Variable

Description

devcfg {disable | enable}

Enable to log device configuration messages (default = enable).

devops {disable | enable}

Enable to log managed devices operations messages (default = enable).

diskquota {disable | enable}

Enable/disable logging FortiAnalyzer disk quota messages (default = enable).

dm {disable | enable}

Enable to log deployment manager messages (default = enable).

dvm {disable | enable}

Enable to log device manager messages (default = enable).

ediscovery {disable | enable}

Enable/disable logging device manager messages (default = enable).

epmgr {disable | enable}

Enable to log endpoint manager messages (default = enable).

event {disable | enable}

Enable to configure log filter messages (default = enable).

eventmgmt {disable | enable}

Enable/disable logging FortiAnalyzer event handler messages (default = enable).

faz {enable | disable}

Enable to log FortiAnalyzer messages (default = enable).

fazha {enable | disable}

Enable to log FortiAnalyzer HA messages (default = enable).

fazsys {disable | enable}

Enable/disable logging FortiAnalyzer system messages (default = enable).

fgd {disable | enable}

Enable to log FortiGuard service messages (default = enable).

fgfm {disable | enable}

Enable to log FortiGate/FortiAnalyzer communication protocol messages (default = enable).

fips {disable | enable}

Enable to log FIPS messages (default = enable).

fmgws {disable | enable}

Enable to log web service messages (default = enable).

fmlmgr {disable | enable}

Enable to log FortiMail manager messages (default = enable).

fmwmgr {disable | enable}

Enable to log firmware manager messages (default = enable).

fortiview {disable | enable}

Enable/disable logging FortiAnalyzer FortiView messages (default = enable).

glbcfg {disable | enable}

Enable to log global database messages (default = enable).

ha {disable | enable}

Enable to log high availability activity messages (default = enable).

hcache {disable | enable}

Enable/disable logging hcache messages (default = enable).

iolog {disable | enable}

Enable to log input/output log activity messages (default = enable).

logd {disable | enable}

Enable to log logd messages (default = enable).

logdb {disable | enable}

Enable/disable logging FortiAnalyzer log DB messages (default = enable).

logdev {disable | enable}

Enable/disable logging FortiAnalyzer log device messages (default = enable).

logfile {disable | enable}

Enable/disable logging FortiAnalyzer log file messages (default = enable).

logging {disable | enable}

Enable/disable logging FortiAnalyzer logging messages (default = enable).

lrmgr {disable | enable}

Enable to log log and report manager messages (default = enable).

objcfg {disable | enable}

Enable to log object configuration (default = enable).

report {disable | enable}

Enable/disable logging FortiAnalyzer report messages (default = enable).

rev {disable | enable}

Enable to log revision history messages (default = enable).

rtmon {disable | enable}

Enable to log real-time monitor messages (default = enable).

scfw {disable | enable}

Enable to log firewall objects messages (default = enable).

scply {disable | enable}

Enable to log policy console messages (default = enable).

scrmgr {disable | enable}

Enable to log script manager messages (default = enable).

scvpn {disable | enable}

Enable to log VPN console messages (default = enable).

system {disable | enable}

Enable to log system manager messages (default = enable).

webport {disable | enable}

Enable to log web portal messages (default = enable).

Example

In this example, the local log filters are log and report manager, and system settings. Events in these areas of the FortiAnalyzer unit will be logged.

config system locallog filter

set event enable

set lrmgr enable

set system enable

end

locallog fortianalyzer (fortianalyzer2, fortianalyzer3) setting

Use this command to enable or disable, and select the severity threshold of, remote logging to the FortiAnalyzer units. You can configure up to three FortiAnalyzer devices.

The severity threshold required to forward a log message to the FortiAnalyzer unit is separate from event, syslog, and local logging severity thresholds.

Syntax

config system locallog {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting

set reliable {enable | disable}

set secure-connection {disable | enable}

set server-ip <ipv4_address>

set severity {emergency | alert | critical | error | warning | notification | information | debug}

set status {disable | realtime | upload}

set upload-time <hh:mm>

end

Variable

Description

reliable {enable | disable}

Enable/disable reliable realtime logging (default = disable).

secure-connection {disable | enable}

Enable/disable connection secured by TLS/SSL. This variable is available when status is realtime or upload.

server-ip <ipv4_address>

Remote FortiAnalyzer server IP address. Enter an IPv4 address in the format xxx.xxx.xxx.xxx.

severity {emergency | alert | critical | error | warning | notification | information | debug}

Enter the severity threshold that a log message must meet or exceed to be logged to the unit. The following options are available:

  • emergency: The unit is unusable.
  • alert: Immediate action is required.
  • critical: Functionality is affected.
  • error: Functionality is probably affected.
  • warning: Functionality might be affected.
  • notification: Information about normal events (default).
  • information: General information about unit operations.
  • debug: Information used for diagnosis or debugging.

status {disable | realtime | upload}

Set the log to FortiAnalyzer status:

  • disable: Do not log to FortiAnalyzer (default).
  • realtime: Log to FortiAnalyzer in realtime.
  • upload: Log to FortiAnalyzer at a scheduled time.

upload-time <hh:mm>

Set the time to upload local log files (default = 00:00).

Example

In this example, remote logging to the configured FortiAnalyzer unit is enabled. Events at the information level and higher, which is everything except debug level events, are sent to the FortiAnalyzer unit.

config system locallog fortianalyzer setting

set status enable

set severity information

end

locallog memory setting

Use this command to configure memory settings for local logging purposes.

Syntax

config system locallog memory setting

set diskfull {nolog | overwrite}

set severity {emergency | alert | critical | error | warning | notification | information | debug}

set status {disable | enable}

end

Variable

Description

diskfull {nolog | overwrite}

Enter the action to take when the disk is full:

  • nolog: Stop logging when the disk is full.
  • overwrite: Overwrite the oldest log entries.

severity {emergency | alert | critical | error | warning | notification | information | debug}

Enter the log severity level to log files. The following options are available:

  • emergency: The unit is unusable.
  • alert: Immediate action is required.
  • critical: Functionality is affected.
  • error: Functionality is probably affected.
  • warning: Functionality might be affected.
  • notification: Information about normal events.
  • information: General information about unit operations.
  • debug: Information used for diagnosis or debugging.

Default: alert

status {disable | enable}

Enable/disable memory buffer logging. Default: disable

Example

This example shows how to enable logging to memory for all events at the notification level and above. At this level of logging, only information and debug events will not be logged.

config system locallog memory setting

set severity notification

set status enable

end

locallog syslogd (syslogd2, syslogd3) setting

Use this command to configure the settings for logging to a syslog server. You can configure up to three syslog servers: syslogd, syslogd2, and syslogd3.

Syntax

config system locallog {syslogd | syslogd2 | syslogd3} setting

set csv {disable | enable}

set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}

set severity {emergency | alert | critical | error | warning | notification | information | debug}

set status {enable | disable}

set syslog-name <string>

end

Variable

Description

csv {disable | enable}

Enable to produce the log in comma separated value (CSV) format. If you do not enable CSV format the FortiAnalyzer unit produces space separated log files. Default: disable

facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}

Enter the facility type. facility identifies the source of the log message to syslog. Change facility to distinguish log messages from different FortiAnalyzer units so you can determine the source of the log messages. Available facility types are:

  • alert: Log alert.
  • audit: Log audit.
  • auth: Security/authorization messages.
  • authpriv: Security/authorization messages (private).
  • clock: Clock daemon.
  • cron: Clock daemon.
  • daemon: System daemons.
  • ftp: File Transfer Protocol (FTP) daemon.
  • kernel: Kernel messages.
  • local0 to local7: Reserved for local use.
  • lpr: Line printer subsystem.
  • mail: Mail system.
  • news: Network news subsystem.
  • ntp: Network Time Protocol (NTP) daemon.
  • syslog: Messages generated internally by the syslog daemon.
  • user: Random user-level messages.
  • uucp: Network news subsystem.

Default: local7

severity {emergency | alert | critical | error | warning | notification | information | debug}

Select the logging severity level. The FortiAnalyzer unit logs all messages at and above the logging severity level you select. For example, if you select critical, the unit logs critical, alert, and emergency level messages.

The logging levels in descending order are:

  • emergency: The unit is unusable.
  • alert: Immediate action is required.
  • critical: Functionality is affected.
  • error: Functionality is probably affected.
  • warning: Functionality might be affected.
  • notification: Information about normal events.
  • information: General information about unit operations.
  • debug: Information used for diagnosis or debugging.

status {enable | disable}

Enter enable to begin logging. The following options are available:

  • disable: Do not log to remote syslog server.
  • enable: Log to remote syslog server.

syslog-name <string>

Enter the remote syslog server name.

Use the show command to display the current configuration if it has been changed from its default value:

show system locallog syslogd setting

Example

In this example, the logs are uploaded to a syslog server at IPv4 address 10.10.10.8. The FortiAnalyzer unit is identified as facility local0.

config system locallog syslogd setting

set facility local0

set server 10.10.10.8

set status enable

set severity information

end
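
An added example, not part of the Fortinet reference: a Python check that parses config system locallog <destination> setting blocks and flags settings that weaken log collection, using the values and defaults documented above. The sample configuration is constructed, and the function names, finding codes, and the min_threshold policy are assumptions of this example.

```python
import re

# Severity names as listed on this page, most severe first.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "information", "debug"]
HEADER = re.compile(r"^config system locallog (\S+) setting$")

# Constructed sample configuration (not taken from a real device).
SAMPLE = """
config system locallog disk setting
    set status enable
    set severity alert
    set diskfull nolog
    set upload enable
    set uploadip 10.10.10.1
    set server-type FTP
end
config system locallog fortianalyzer setting
    set status enable
    set severity information
end
config system locallog fortianalyzer2 setting
    set status realtime
    set secure-connection enable
    set severity information
end
config system locallog fortianalyzer3 setting
    set status upload
    set severity warning
end
"""

def parse_locallog(text):
    """Return {destination: {variable: value}} for each locallog setting block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = HEADER.match(line)
        if match:
            current = blocks.setdefault(match.group(1), {})
        elif line == "end":
            current = None
        elif current is not None and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                current[parts[1]] = parts[2].strip('"')
    return blocks

def logged_levels(threshold):
    """Levels written for a threshold: the threshold and everything more severe."""
    return SEVERITIES[:SEVERITIES.index(threshold) + 1]

def default_severity(dest):
    """Defaults stated on this page; none is stated for syslogd."""
    if dest.startswith("fortianalyzer"):
        return "notification"
    return "alert" if dest in ("disk", "memory") else None

def audit(blocks, min_threshold="notification"):
    """Return sorted (destination, finding) pairs.

    min_threshold is an assumed site policy, not a Fortinet recommendation.
    """
    findings = set()
    for dest, cfg in blocks.items():
        is_faz = dest.startswith("fortianalyzer")
        allowed = {"disable", "realtime", "upload"} if is_faz else {"enable", "disable"}
        status = cfg.get("status", "disable")  # assumed disabled when not set
        if status not in allowed:
            # Value outside the documented set for this destination.
            findings.add((dest, "status-not-documented"))
            continue
        if status == "disable":
            continue
        sev = cfg.get("severity", default_severity(dest))
        if sev in SEVERITIES and SEVERITIES.index(sev) < SEVERITIES.index(min_threshold):
            # Everything less severe than the threshold is never recorded.
            findings.add((dest, "severity-too-narrow"))
        if dest == "disk":
            if cfg.get("diskfull", "overwrite") == "nolog":
                findings.add((dest, "stops-logging-when-full"))
            if cfg.get("upload", "disable") == "enable":
                server_type = cfg.get("server-type")
                if server_type is None:
                    # The page states no default, so require an explicit choice.
                    findings.add((dest, "upload-transport-unset"))
                elif server_type.upper() == "FTP":
                    # FTP sends uploaduser, uploadpass and the logs unencrypted.
                    findings.add((dest, "upload-over-ftp"))
        if is_faz and cfg.get("secure-connection") != "enable":
            # The page states no default; treat "not set" as not confirmed.
            findings.add((dest, "tls-not-enabled"))
    return sorted(findings)

if __name__ == "__main__":
    for dest, finding in audit(parse_locallog(SAMPLE)):
        print(f"{dest}: {finding}")
```

Run it against the output of show system locallog ... setting saved to a file; variables still at their default value may be absent from that output, which is why the check falls back to the documented defaults.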
