
Administration Guide

Logs

Logs in FortiAnalyzer are in one of the following phases.

  • Real-time log: Log entries that have just arrived and have not been added to the SQL database. These logs are stored in Archive in an uncompressed file until the system has a chance to insert them into the SQL database.
  • Archive logs: When the real-time log file in Archive has been completely inserted, that file is compressed and considered to be offline.
  • Analytics logs or historical logs: Indexed in the SQL database and online.

In order for FortiAnalyzer to accept logs, the sending device must be registered in FortiAnalyzer. You can add devices to FortiAnalyzer by specifying the serial number and other details, or you may point the device’s log settings to the FortiAnalyzer. If initiated by the remote device, the device must be authorized before logs can be received on FortiAnalyzer. See Adding devices.

For more information on the types of logs collected for each device, see Types of logs collected for each device.

Log encryption

Beginning in FortiAnalyzer 6.2, all logs from Fortinet devices (sent using Fortinet's proprietary protocol, OFTP) must be encrypted. The FortiAnalyzer encryption level must be equal to or lower than the sending device's level. For example, when configuring logging from a FortiGate, FortiAnalyzer must have the same encryption level as the FortiGate or a lower one in order to accept logs from it.

To configure the encryption level on FortiAnalyzer:
  1. In the FortiAnalyzer CLI, enter the following commands:

    config system global
        set enc-algorithm {high | low | medium}
    end

To configure the encryption level on FortiGate:
  1. In the FortiGate CLI, enter the following commands:

    config log fortianalyzer setting
        set enc-algorithm {high-medium | high | low}
    end

See also Appendix B - Log Integrity and Secure Log Transfer.
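The following is an added example, not Fortinet code: a small audit helper that reads the two CLI fragments shown above (for instance from a saved `show` output) and applies the rule that the FortiAnalyzer level must be equal to or lower than the FortiGate level. It assumes the ranking low < medium < high and treats FortiGate's `high-medium` as the same tier as FortiAnalyzer's `medium`; the sample configs are constructed, not captured from a device.

```python
import re

# Assumed ranking for this check; FortiGate's 'high-medium' is mapped to the
# 'medium' tier so the two option sets can be compared.
RANK = {"low": 0, "medium": 1, "high-medium": 1, "high": 2}

SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.+?)\s*$")


def parse_setting(cli_text, section, key):
    """Return the value of `set <key>` inside `config <section> ... end`, or None."""
    in_section = False
    for line in cli_text.splitlines():
        stripped = line.strip()
        if stripped == f"config {section}":
            in_section = True
            continue
        if in_section and stripped == "end":
            return None  # section closed without the key being set
        if in_section:
            m = SET_RE.match(line)
            if m and m.group(1) == key:
                return m.group(2).strip('"')
    return None


def check_compatibility(faz_cli, fgt_cli):
    """Return (ok, message) for a FortiAnalyzer / FortiGate enc-algorithm pair."""
    faz = parse_setting(faz_cli, "system global", "enc-algorithm")
    fgt = parse_setting(fgt_cli, "log fortianalyzer setting", "enc-algorithm")
    if faz not in RANK or fgt not in RANK:
        return False, f"unrecognised enc-algorithm: FortiAnalyzer={faz!r}, FortiGate={fgt!r}"
    if RANK[faz] <= RANK[fgt]:
        return True, f"ok: FortiAnalyzer {faz} <= FortiGate {fgt}"
    return False, f"mismatch: FortiAnalyzer {faz} is higher than FortiGate {fgt}; logs will not be accepted"


# Constructed sample configs (not captured from a real device).
FAZ_SAMPLE = "config system global\n    set enc-algorithm high\nend\n"
FGT_SAMPLE = "config log fortianalyzer setting\n    set enc-algorithm high-medium\nend\n"

if __name__ == "__main__":
    print(check_compatibility(FAZ_SAMPLE, FGT_SAMPLE)[1])
```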