
New Features

Secure log upload enhancements with SFTP and LZ4 support


FortiGate logs can now be uploaded in standard LZ4 log compression format to SFTP servers. Previously, logs could only be uploaded in Fortinet FLZ4 format to FTP servers. The enhancement improves log transfer security and flexibility while supporting both default FLZ4 and industry-standard LZ4 formats.

New options are available:

config log disk setting    
    set upload-file-format {default | lz4}
    set upload-destination {ftp-server | sftp-server} 
end

Option

Description

upload-file-format {default | lz4}

Configure the file format to be used for log files prior to being uploaded (default = default):

  • default: Upload rolled log files as they appear on disk.

  • lz4: Upload rolled log files with standard LZ4 format.

upload-destination {ftp-server | sftp-server}

Set upload destination (default = ftp-server):

  • ftp-server: Upload rolled log files to an FTP server.

  • sftp-server: Upload rolled log files to an SFTP server.

Example

This example describes how to:

  • Upload log files in default file format to an SFTP server

  • Enable a schedule to upload log files in standard LZ4 file format to an SFTP server

The default file format is Fortinet FLZ4. A third-party tool named lz4_reader can be used to decompress and convert FLZ4 log files to a readable .txt format. See Technical Tip: Transferring historical logs from a FortiGate hard disk to a FortiAnalyzer for more information.

The LZ4 file format is standard LZ4 compression. The standard Linux CLI tool lz4, used for LZ4 compression and decompression, can decompress these files with lz4 -d [log_filename].lz4.

To upload log files in default format to an SFTP server:
  1. On FortiGate, set SFTP server as the upload destination:

    config log disk setting
        set status enable
        set upload enable
        set upload-destination sftp-server
        set uploadport 22
        set uploadpass *
        set uploaddir "fgtlog/sftp"
        set uploadip 172.16.200.55
        set uploaduser "pc5user2"
    end
  2. Run execute log roll.

  3. FortiGate uploads the log files to the SFTP server.

    The diagnose debug application uploadd -1 command can be used to view upload activity.

  4. On the SFTP server, view the log files in the correct directory:

    pc5user2@logging_pc05:/fgtlog/sftp# ls
    elog.FG201FT920901892.vdom1.65508.20260303110938
    mlog.FG201FT920901892.vdom1.65516.20260303110659
    plog.FG201FT920901892.vdom1.65516.20260303110659
    tlog.FG201FT920901892.vdom1.65505.20260303110938
To upload log files in standard LZ4 format to an SFTP server:
  1. On FortiGate, set the file format to LZ4, set destination to SFTP server, and enable an upload schedule:

    config log disk setting
        set status enable
        set upload enable
        set upload-destination sftp-server
        set upload-file-format lz4
        set uploadport 22
        set uploadpass *
        set uploaddir "fgtlog/sftp"
        set uploadsched enable
        set uploadtime 11:50
        set uploadip 172.16.200.55
        set uploaduser "pc5user2"
    end
  2. FortiGate uploads the log files to the SFTP server on schedule.

    FortiGate logs include upload details:

    1: date=2026-03-09 time=11:51:06 eventtime=1773078605563616801 tz="-0700" logid="0100020108" type="event" subtype="system" level="notice" vd="vdom1" logdesc="Log upload completed" action="upload" status="completed" user="pc5user2" server="172.16.200.55" port=22 msg="Log upload to SFTP completed on vdom vdom1"
    
    2: date=2026-03-09 time=11:50:06 eventtime=1773078605080086909 tz="-0700" logid="0100032051" type="event" subtype="system" level="notice" vd="vdom1" logdesc="Disk logs upload started" ui="uploadd" action="upload" status="start" msg="Start uploading disk logs to SFTP from vdom vdom1."
  3. On the SFTP server, view the log files in the correct directory in standard LZ4 format:

    pc5user2@logging_pc05:/fgtlog/sftp# ls
    elog.FG201FT920901892.vdom1.65506.20260309115102.lz4
    mlog.FG201FT920901892.vdom1.65515.20260309115102.lz4
    plog.FG201FT920901892.vdom1.65515.20260309115102.lz4
    tlog.FG201FT920901892.vdom1.65503.20260309115041

    The tlog file is a tar package that includes traffic logs and most UTM logs:

    pc5user2@logging_pc05:/fgtlog/sftp# tar -xvf tlog.FG201FT920901892.vdom1.65503.20260309115041
    tlog.65503.lz4
    vlog.65503.lz4
    wlog.65503.lz4
    alog.65503.lz4
    slog.65503.lz4
    dlog.65503.lz4
    rlog.65503.lz4
    flog.65503.lz4
    olog.65503.lz4
    hlog.65503.lz4
    ssllog.65503.lz4
    fflog.65503.lz4
    gclog.65503.lz4
    sctplog.65503.lz4
    vplog.65503.lz4
    casblog.65503.lz4
  4. View FTP server and SFTP server information using the following command:

    # diagnose test application uploadd 1
    vdom_admin:1
    have_disk:1
    in_ha_mode:0
    ha_vfid:3
    mgmt_vfid:1
    ha_direct:0
    hamgmt_vfid:-1
    global:
    
    vdom:0-root
    
    vdom:1-vdom1
            FTP info:0x7fe370f2a908 ip:172.16.200.55 port:21 override:1 sch:0x7fe370f2aa00 option:1 intf_sel:auto() vrf:0
                    next_upload_time:2522399024
            ftp state:0 file:
    
            SFTP info:0x7fe370f2ac80 ip:172.16.200.55 port:22 override:1 sch:0x7fe370f2ad78 option:1 intf_sel:auto() vrf:0
                    next_upload_time:85828
    sftp: local: remote:/fgtlog/sftp
            server info:
                    dst:172.16.200.55:22 src:0.0.0.0
                    user:pc5user2 pass:*
                    vdom:vdom1(1)
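
The upload start and completion events shown in step 2 can be paired per VDOM to confirm that each scheduled upload finished and reached the intended SFTP server. The following Python script is an added example, not Fortinet code; the expected server and port, the 10-minute max_wait threshold, and the third sample line (vdom2) are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Lines 1-2 are the event logs shown above; line 3 is constructed for this
# example (hypothetical vdom2 whose upload never reports completion).
SAMPLE = [
    '1: date=2026-03-09 time=11:51:06 eventtime=1773078605563616801 tz="-0700" logid="0100020108" type="event" subtype="system" level="notice" vd="vdom1" logdesc="Log upload completed" action="upload" status="completed" user="pc5user2" server="172.16.200.55" port=22 msg="Log upload to SFTP completed on vdom vdom1"',
    '2: date=2026-03-09 time=11:50:06 eventtime=1773078605080086909 tz="-0700" logid="0100032051" type="event" subtype="system" level="notice" vd="vdom1" logdesc="Disk logs upload started" ui="uploadd" action="upload" status="start" msg="Start uploading disk logs to SFTP from vdom vdom1."',
    '3: date=2026-03-09 time=11:50:07 tz="-0700" logid="0100032051" type="event" subtype="system" level="notice" vd="vdom2" logdesc="Disk logs upload started" ui="uploadd" action="upload" status="start" msg="Start uploading disk logs to SFTP from vdom vdom2."',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def audit_uploads(lines, expected=("172.16.200.55", "22"), max_wait=timedelta(minutes=10)):
    """Return (vdom, issue) pairs for uploads that stalled or went elsewhere."""
    events = []
    for f in map(parse_line, lines):
        if f.get("action") == "upload" and "date" in f and "time" in f:
            ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, f))
    events.sort(key=lambda e: e[0])  # the log display above lists newest first
    pending, findings = {}, []
    for ts, f in events:
        vd = f.get("vd", "?")
        if f.get("status") == "start":
            if vd in pending:  # a second start before the first one completed
                findings.append((vd, "start without completion"))
            pending[vd] = ts
        elif f.get("status") == "completed":
            started = pending.pop(vd, None)
            if started is not None and ts - started > max_wait:
                findings.append((vd, "upload exceeded max_wait"))
            # The completion event carries the destination; compare to the collector.
            if (f.get("server"), f.get("port")) != expected:
                findings.append((vd, "unexpected destination"))
    findings += [(vd, "start without completion") for vd in pending]
    return findings

if __name__ == "__main__":
    for vd, issue in audit_uploads(SAMPLE):
        print(f"{vd}: {issue}")
```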
