log
Use the following commands to configure log settings.
log alert
Use this command to configure log based alert settings.
Syntax
config system log alert
set max-alert-count <integer>
set min-severity-to-raise-incident-by-grouping {critical | high | none}
end
|
Variable |
Description |
|---|---|
|
max-alert-count <integer> |
Set the maximum number of alerts supported (100 - 50000, default = 10000). |
|
min-severity-to-raise-incident-by-grouping {critical | high | none} |
Set the minimum severity to raise incident by grouping (default = critical).
|
log api-ratelimit
Use this command to configure the API rate limit.
Syntax
config system log api-ratelimit
set read-limit <integer>
set write-limit <integer>
end
|
Variable |
Description |
|---|---|
|
read-limit <integer> |
Set the API rate limiting per minute: applies to read methods such as get, fetch (default = 1000). |
|
write-limit <integer> |
Set the API rate limiting per minute: applies to write methods such as exec, add, and others (default = 100). |
log device-selector
Use this command to accept or reject devices matching specified filter types.
Syntax
config system log device-selector
edit <id>
set action <exclude | include>
set comment <string>
set devid <input>
set expire <string>
set srcip <input>
set srcip-mode <TCP514 | UDP514 | any>
set type <devid | srcip | unspecified>
end
|
Variable |
Description |
|---|---|
|
<id> |
The ID for the device selector entry. |
|
action <exclude | include> |
Include or exclude devices matching specified filter type (default = include). |
|
comment <string> |
Additional comment for the selector. This option is not available when the |
|
devid <input> |
Enter the device ID to be disabled for logging. Wildcard matching supported. |
|
expire <string> |
Set the expiration time of the rule. Leave the field unset for no expiration. Duration or formatted date time string are supported.
Supported units for duration:
|
|
srcip <input> |
Enter the source IP or an IP range. This option is only available when the |
|
srcip-mode <TCP514 | UDP514 | any> |
Apply the selector to UDP/514, TCP/514, or any mode (default = UDP514). |
|
type <devid | srcip | unspecified> |
Set the type of the selector. You can filter devices by Device ID, source IP, or leave unspecified (default = unspecified). |
log fos-policy-stats
Use this command to configure FortiOS policy statistics settings.
Syntax
config system log fos-policy-stats
set retention-days <integer>
set sampling-interval <integer>
set status{enable | disable}
end
|
Variable |
Description |
|---|---|
|
retention-days <integer> |
The number of days that FortiOS policy stats are stored (60 - 1825, default = 365). |
|
sampling-interval <integer> |
The interval in which policy stats data are received from FortiOS devices, in minutes (5 - 1440, default = 60). |
|
status {enable | disable} |
Enable/disable FortiOS policy statistics feature (default = enable). |
log interface-stats
Use this command to configure log based interface statistics settings.
Syntax
config system log interface-stats
set billing-report {enable | disable}
set retention-days <integer>
set sampling-interval <integer>
set status {enable | disable}
end
|
Variable |
Description |
|---|---|
|
billing-report {enable | disable} |
Enable/disable billing report feature (default = disable). |
|
retention-days <integer> |
The number of days that interface data are stored (0 - 2000, default = 100). |
|
sampling-interval <integer> |
The interval in which interface data are received from FortiGate devices, in seconds (300 - 86400, default = 1200). |
|
status {enable | disable} |
Enable/disable interface statistics (default = enable). |
log ioc
Use this command to configure log based IoC (Indicators of Compromise) settings.
Syntax
config system log ioc
set notification {enable | disable}
set notification-throttle <integer>
set rescan-max-runner <integer>
set rescan-run-at <integer>
set rescan-status {enable | disable}
set status {enable | disable}
end
|
Variable |
Description |
|---|---|
|
notification {enable | disable} |
Enable/disable IoC notification (default = enable). |
|
notification-throttle <integer> |
Set the minute value for throttling the rate of IoC notifications (1 - 10080, default = 1440). |
|
rescan-max-runner <integer> |
Set the maximum number of concurrent IoC rescans (1 to CPU count, default = 8). |
|
rescan-run-at <integer> |
Set the hour of the day when IoC rescan runs (1 - 24, 0 = run immediately, default = 24). |
|
rescan-status {enable | disable} |
Enable/disable IoC rescan (default = enable). |
|
status {enable | disable} |
Enable/disable the IoC feature (default = enable). |
log mail-domain
Use this command to configure FortiMail domain settings.
Syntax
config system log mail-domain
edit <id>
set devices <string>
set domain <string>
set vdom <string>
end
|
Variable |
Description |
|---|---|
|
<id> |
The ID of the FortiMail domain. |
|
devices <string> |
The device IDs for domain to VDOM mapping, separated by commas (default = All_FortiMails). For example: |
|
domain <string> |
The FortiMail domain. |
|
vdom <string> |
The VDOM name that is mapping to the FortiMail domain. |
log pcap-file
Use this command to configure log pcap-file settings.
Syntax
config system log pcap-file
set download-mode {plain | zip | zip-with-password}
end
|
Variable |
Description |
|---|---|
|
download-mode {plain | zip | zip-with-password} |
Set the download mode for pcap files:
|
log ratelimit
Use this command to log the rate limit.
Syntax
config system log ratelimit
set device-ratelimit-default <integer>
set mode {disable | manual}
set system-ratelimit <integer>
config ratelimits
edit id
set filter <string>
set filter-type {adom | devid}
set ratelimit <integer>
end
end
|
Variable |
Description |
|---|---|
|
device-ratelimit-default <integer> |
The default maximum device log rate limit (default = 0). Note: This command is only available when the mode is set to |
|
mode {disable | manual} |
The logging rate limit mode (default = disable). In the manual mode, the system rate limit and the device rate limit both are configurable, no limit if not configured. |
|
system-ratelimit <integer> |
The maximum system log rate limit (default = 0). Note: This command is only available when the mode is set to |
|
ratelimits |
The device log rate limit. |
|
Variables for |
|
|
<id> |
The device id. |
|
filter <string> |
The device(s) or ADOM filter according to the filter-type setting. Note: Wildcard expression is supported. |
|
filter-type { adom | devid} |
The device filter type (default = devid):
|
|
ratelimit <integer> |
The maximum device log rate limit (default = 0). |
log settings
Use this command to configure settings for logs.
Syntax
config system log settings
set browse-max-logfiles <integer>
set device-auto-detect {enable | disable}
set dns-resolve-dstip {enable | disable}
set download-max-logs <integer>
set FAC-custom-field1 <string>
set FCH-custom-field1 <string>
set FCT-custom-field1 <string>
set FDD-custom-field1 <string>
set FFW-custom-field1 <string>
set FGT-custom-field1 <string>
set FML-custom-field1 <string>
set FPX-custom-field1 <string>
set FSA-custom-field1 <string>
set FWB-custom-field1 <string>
set ha-auto-migrate {enable | disable}
set import-max-logfiles <integer>
set keep-dev-logs {enable | disable}
set legacy-auth-mode {enable | disable}
set log-file-archive-name {basic | extended}
set log-interval-dev-no-logging <interger>
set log-process-fast-mode {enable | disable}
set log-upload-interval-dev-no-logging <interval>
set sync-search-timeout <integer>
set syslog-over-tls-port {514 | 6514}
set unencrypted-logging-tcp {enable | disable}
set unencrypted-logging-udp {enable | disable}
config client-cert-auth
set mode {basic | strict}
set tls-port {514 | 6514 | both}
config trusted-client
edit <id>
set certificate <string>
set description <string>
set domain <string>
set type {certificate | domain}
next
end
end
config {rolling-regular | rolling-local | rolling-analyzer}
set days {fri | mon| sat | sun | thu | tue | wed}
set del-files {enable | disable}
set directory <string>
set file-size <integer>
set gzip-format {enable | disable}
set hour <integer>
set log-format {csv | native | text}
set min <integer>
set password <passwd>
set password2 <passwd>
set password3 <passwd>
set port <integer>
set port2 <integer>
set port3 <integer>
set rolling-upgrade-status <integer>
set server <string>
set server-type {ftp | scp | sftp}
set server2 <string>
set server3 <string>
set upload {enable | disable}
set upload-hour <integer>
set upload-mode {backup | mirror}
set upload-trigger {on-roll | on-schedule}
set username <string>
set username2 <string>
set username3 <string>
set when {daily | none | weekly}
end
end
|
Variable |
Description |
|---|---|
|
browse-max-logfiles <integer> |
Maximum number of log files for each log browse attempt, per ADOM (default = 10000). |
|
device-auto-detect {enable | disable} |
Enable/disable looking up device ID in syslog received with no encryption (default = enable). |
|
dns-resolve-stip {enable | disable} |
Enable/disable resolving destination IP by DNS (default = disable). |
|
download-max-logs <integer> |
Maximum number of logs for each log download attempt (default = 100000). |
|
FAC-custom-field1 <string> |
Enter a name of the custom log field to index (character limit = 31). |
|
FCH-custom-field1 <string> |
Enter a name of the custom log field to index (character limit = 31). |
|
FCT-custom-field1 <string> |
Enter a name of the custom log field to index (character limit = 31). |
|
FDD-custom-field1 <string> |
Enter a name of the custom log field to index (character limit = 31). |
|
FFW-custom-field1 |
Enter a name of the custom log field to index (character limit = 31). |
|
FGT-custom-field1 <string> |
Enter a name of the custom log field to index (character limit = 31). |
|
FML-custom-field1 <string> |
Enter a name of the custom log field to index (character limit = 31). |
|
FPX-custom-field1 <string> |
Enter a name of the custom log field to index (character limit = 31). |
|
FSA-custom-field1 <string> |
Enter a name of the custom log field to index (character limit = 31). |
|
FWB-custom-field1 <string> |
Enter a name of the custom log field to index (character limit = 31). |
|
ha-auto-migrate {enable | disable} |
Enabled/disable automatically merging HA member's logs to HA cluster (default = disable). |
|
import-max-logfiles <integer> |
Maximum number of log files for each log import attempt (default = 10000). |
|
keep-dev-logs {enable | disable} |
Enable/disable keeping the device logs after the device has been deleted (default = disable). |
|
legacy-auth-mode {enable | disable} |
Enable/disable legacy mode of device authentication by username/password (default = disable). When disabled, FortiGate, FortiWeb, FortiMail, and other devices that connect through OFTP connection must send the correct certificate that includes the device serial number in the Common Name field. If the correct certificate is not sent with the serial number, FortiAnalyzer will fail the OFTP connection. |
|
log-file-archive-name {basic | extended} |
Log file name format for archiving.
|
|
log-interval-dev-no-logging <interger> |
Interval in minutes of no log received from a device when considering the device down (default = 15). |
|
log-process-fast-mode {enable | disable} |
Enable/disable log process fast mode (default = disable). |
|
log-upload-interval-dev-no-logging <interger> |
Interval in minutes of no log uploaded from a device when considering the device down (default = 360). |
|
sync-search-timeout <integer> |
The maximum amount of time that a log search session can run in synchronous mode, in seconds (1 - 86400, default = 60). |
|
syslog-over-tls-port {514 | 6514} |
Set the TCP port for receiving syslog over TLS:
|
|
unencrypted-logging-tcp {enable | disable} |
Enable/disable receiving syslog through TCP(514) un-encrypted (default = disable). |
|
unencrypted-logging-udp {enable | disable} |
Enable/disable receiving syslog through UDP(514) un-encrypted (default = disable). |
|
Variables for |
|
|
mode {basic | strict} |
Set the client certificate authentication mode for specified tls_port.
|
|
tls-port {514 | 6514 | both} |
Set the TCP port for applying the client certificate authentication mode.
This option is only available when |
|
Variables for |
|
|
edit <id> |
ID of trusted-client entry. |
|
certificate <string> |
Enter the PEM format certificate. This option is only available when |
|
description <string> |
Enter additional comment. |
|
domain <string> |
Enter the trusted domain value in the format xyz.example.com or *.example.com. This variable supported wildcard patterns. This option is only available when |
|
type {certificate | domain} |
Set the type to one of the following:
|
|
Variables for |
|
|
days {fri | mon| sat | sun | thu | tue | wed} |
Log files rolling schedule (days of the week). When |
|
del-files {enable | disable} |
Enable/disable log file deletion after uploading (default = disable). |
|
directory <string> |
The upload server directory (character limit = 127). |
|
file-size <integer> |
Roll log files when they reach this size, in megabytes (10 - 1000, default = 200). |
|
gzip-format {enable | disable} |
Enable/disable compression of uploaded log files (default = disable). |
|
hour <integer> |
The hour of the day that log files are rolled (0 - 23, default = 0). |
|
log-format {csv | native | text} |
Format of uploaded log files:
|
|
min <integer> |
The minute of the hour that log files are rolled (0 - 59, default = 0). |
|
password <passwd> password2 <passwd> password3 <passwd> |
Upload server log in passwords (character limit = 128). |
|
port <integer> port2 <integer> port3 <integer> |
Upload server IP port number. |
|
rolling-upgrade-status <integer> |
The rolling upgrade status. |
|
server <string> server2 <string> server3 <string> |
Upload server FQDN, IPv4, or IPv6 addresses. Configure up to three servers. |
|
server-type {ftp | scp | sftp} |
Upload server type (default = ftp). |
|
upload {enable | disable} |
Enable/disable log file uploads (default = disable). |
|
upload-hour <integer> |
The hour of the day that log files are uploaded (0 - 23, default = 0). |
|
upload-mode {backup | mirror} |
Configure upload mode with multiple servers. Servers are tried then used one after the other upon failure to connect.
|
|
upload-trigger {on-roll | on-schedule} |
Event triggering log files upload:
|
|
username <string> username2 <string> username3 <string> |
Upload server log in usernames (character limit = 35). |
|
when {daily | none | weekly} |
Roll log files periodically:
|
log topology
Use this command to configure settings for the logging topology.
Syntax
config system log topology
set max-depth <integer>
set max-depth-share <integer>
end
|
Variable |
Description |
|---|---|
|
max-depth <integer> |
Maximum levels to descend from this device to get the logging topology information (0 - 32, default = 5). |
|
max-depth-share <integer> |
Maximum levels to descend from this device to share logging topology information with upstream (0 - 32, default = 5). |
log ueba
Use this command to configure UEBA settings.
Syntax
config system log ueba
set hostname-ep-unifier {enable | disable}
set ip-only-ep {enable | disable}
set ip-unique-scope {adom | vdom}
end
|
Variable |
Description |
|---|---|
|
hostname-ep-unifier {enable | disable} |
Disable/Enable hostname as endpoint unifier (default = disable). |
|
ip-only-ep {enable | disable} |
Disable/Enable IP-only endpoint identification (default = disable). |
|
ip-unique-scope {adom | vdom} |
Set the IP unique scope to ADOM or VDOM (default = vdom). This command is only effective when |