Logs
Logs in FortiAnalyzer are in one of the following phases.
- Real-time logs: Log entries that have just arrived and have not yet been inserted into the SQL database. These logs are stored in Archive in an uncompressed file until the system has a chance to insert them into the SQL database.
- Archive logs: When the real-time log file in Archive has been completely inserted into the SQL database, that file is compressed and considered offline.
- Analytics logs (also called historical logs): Indexed in the SQL database and online, so they can be searched and reported on.
In order for FortiAnalyzer to accept logs, the sending device must be registered in FortiAnalyzer. You can add a device to FortiAnalyzer by specifying its serial number and other details, or you can point the device's log settings at the FortiAnalyzer. If registration is initiated by the remote device, that device must be authorized in FortiAnalyzer before its logs are accepted; until then, FortiAnalyzer does not store logs from it. See Adding devices.
For more information on the types of logs collected for each device, see Types of logs collected for each device.
Log encryption
Beginning in FortiAnalyzer 6.2, all logs from Fortinet devices sent over Fortinet's proprietary protocol (OFTP) must be encrypted. The encryption level configured on FortiAnalyzer must be equal to or lower than the sending device's level; if FortiAnalyzer is configured for a higher level than the sender offers, it does not accept the sender's logs. For example, when configuring logging from a FortiGate, FortiAnalyzer must be set to the same encryption level as the FortiGate or a lower one. Check both ends whenever either setting is changed.
To configure the encryption level on FortiAnalyzer:
- In the FortiAnalyzer CLI, enter the following commands:
config system global
set enc-algorithm {high | low | medium}
end
To configure the encryption level on FortiGate:
- In the FortiGate CLI, enter the following commands:
config log fortianalyzer setting
set enc-algorithm {high-medium | high | low}
end
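The following is an added illustration of the rule above and is not part of the original page: a mismatched pair of settings that FortiAnalyzer rejects, followed by a corrected pair. The FortiAnalyzer address 192.0.2.10 is a placeholder, and the closing connectivity test is a FortiGate CLI command shown as a suggested check (its output format varies by FortiOS version).

```text
# Added example, not from the original page. 192.0.2.10 is a placeholder
# address for the FortiAnalyzer.

# --- Rejected combination: FortiAnalyzer demands more than the FortiGate offers ---
# On FortiAnalyzer:
config system global
    set enc-algorithm high
end
# On FortiGate:
config log fortianalyzer setting
    set status enable
    set server 192.0.2.10
    set enc-algorithm low
end
# FortiAnalyzer (high) is set above the sender (low), so the FortiGate's
# logs are not accepted.

# --- Accepted combination: FortiAnalyzer equal to or below the FortiGate ---
# On FortiAnalyzer:
config system global
    set enc-algorithm high
end
# On FortiGate:
config log fortianalyzer setting
    set status enable
    set server 192.0.2.10
    set enc-algorithm high
end
# Setting FortiAnalyzer to medium or low would also be accepted here, but
# would allow weaker ciphers on the link than the FortiGate requires.

# Verify from the FortiGate after changing either side:
execute log fortianalyzer test-connectivity
```

Prefer keeping both ends at the highest level the fleet supports and lowering only FortiAnalyzer, never the FortiGate, when an older device cannot negotiate it; lowering FortiAnalyzer affects every device that logs to it.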
See also Appendix B - Log Integrity and Secure Log Transfer.