Custom log format support for syslog server
This information is also available in the FortiOS 8.0 Administration Guide:
You can now configure and send custom log formats to syslog servers using custom-format and log-template configurations. Previously, FortiGate only sent logs in fixed formats (CSV, CEF, RFC 5424, JSON). With this enhancement, you can tailor syslog output to match the exact requirements of your external logging system.
Use the feature by:
- Configuring the custom log format.
- Configuring the syslog logging devices to use the custom log format.
A new command is available:

    config log custom-format
        edit <name>
            set field-exclusion-list {date | devid | devname | eventtime | level | logid | slot | subtype | time | type | tz | vd | vsn}
            set empty-value-indicator <string>
            config log-templates
                edit <name>
                    set category <string>
                    set subtypes <string>
                    set template <string>
                next
            end
        next
    end
| Option | Description |
|---|---|
| edit <name> | Configure a custom log format for syslog servers. |
| field-exclusion-list | Specify log fields to exclude from the default format. Available fields for exclusion: date, devid, devname, eventtime, level, logid, slot, subtype, time, type, tz, vd, vsn. The list applies when the log-template does not have a custom template. |
| empty-value-indicator <string> | Enter a character to indicate that a log field is empty. Supports only a single symbol, such as %, or empty (default = empty). |
| config log-templates | Custom log templates available for each category. |
| category <string> | Set the log category. |
| subtypes <string> | Set the log subtypes to apply the template to. One or more subtypes can be set under the same category. The custom format template is applied to all specified subtypes. When no subtypes are set, the custom format template applies to all subtypes in the category. |
| template <string> | Enter the log template string. Template help text is displayed for the selected category. For example, the following help text is displayed when the category is set to traffic. |

Help text displayed for the traffic category:

Please enter a log template string. Use syntax:$(fieldname) to insert the value of FortiOS log field.
For example: "datetime=$(date):$(time) id=$(logid) my_field=abc_$(action)_xyz ..." "$(date) $(time) $(logid) abc_$(virus)_xyz ..."
For utm related fields, use syntax: $(utmcategory.fieldname). For example: "abc_$(webfilter.url)"
Please note that this is only available for traffic logs.
To append to the default logs, use $(*) in the template. For example: "$(*) prefix=$(webfilter.url)postfix ..."
Available log fields for category:traffic
accessctrl, accessproxy, action, agent, ap,
app, appact, appcat, appid, applist,
apprisk, appstatus, apsn, authserver, centralnatid,
channel, clientcert, clientdeviceems, clientdeviceid, clientdevicemanageable,
clientdeviceowner, clientdevicetags, collectedemail, comment, countapp,
countav, countcasb, countcifs, countdlp, countdns,
countemail, countff, counticap, countips, countllm,
countsctpf, countssh, countssl, countvpatch, countwaf,
countweb, craction, crlevel, crscore, date,
devcategory, devid, devname, devtype, devtype,
dstauthserver, dstcity, dstcollectedemail, dstcountry, dstdevcategory,
dstdevtype, dstdevtype, dstfamily, dsthwvendor, dsthwversion,
dstinetsvc, dstintf, dstintfrole, dstip, dstmac,
dstname, dstosname, dstosversion, dstport, dstregion,
dstreputation, dstserver, dstssid, dstswversion, dstthreatfeed,
dstunauthuser, dstunauthusersource, dstuser, dstuuid, dstzone,
duration, durationdelta, emsconnection, emstag, emstag2,
eventtime, fctuid, fwdsrv, gatewayid, group,
hostname, httpmethod, identifier, lanin, lanout,
level, logid, masterdstmac, mastersrcmac, msg,
osname, osversion, pdstport, policyid, policymode,
policyname, policytype, poluuid, proto, proxyapptype,
psrcport, radioband, rcvdbyte, rcvddelta, rcvdpkt,
rcvdpktdelta, realserverid, referralurl, replydstintf, replysrcintf,
reqlength, reqtime, respfinishtime, resplength, resptime,
resptype, saasname, scheme, sentbyte, sentdelta,
sentpkt, sentpktdelta, service, sessionid, shaperdroprcvdbyte,
shaperdropsentbyte, shaperperipdropbyte, shaperperipname, shaperrcvdname, shapersentname,
shapingpolicyid, shapingpolicyname, signal, slot, snr,
srccity, srccountry, srcdomain, srcfamily, srchwvendor,
srchwversion, srcinetsvc, srcintf, srcintfrole, srcip,
srcmac, srcmacvendor, srcname, srcport, srcregion,
srcremote, srcreputation, srcserver, srcssid, srcswversion,
srcthreatfeed, srcuuid, srczone, sslaction, statuscode,
subtype, tcpnrt, tcporgrtrs, tcprplrtrs, tcprst,
tcpsrt, tcpsynackrtrs, tcpsynrtrs, time, trandisp,
tranip, tranport, transid, transip, transport,
tunneldstip, tunnelid, tunnelproto, tunnelsessionid, tunnelsrcip,
type, tz, unauthuser, unauthusersource, url,
user, utmaction, vd, vip, vipincomingip,
vlan, vpntype, vrf, vsn, vwlid,
vwlname, vwlquality, vwlservice, vwpvlanid
A new option and parameter are available:

    config log syslogd setting
        set format {default | csv | cef | rfc5424 | json | custom}
        set custom-log-format <string>
    end
| Option | Description |
|---|---|
| format | Set the log format: default, csv, cef, rfc5424, json, or custom. |
| custom-log-format <string> | Enter the name of the customized format for logs. Available when format is set to custom. Before you can select the custom format, you must configure it using config log custom-format. |
Custom log formats can also be configured for syslogd2, syslogd3, and syslogd-override under multi-VDOM:
- For syslogd2 and syslogd3, use the config log syslogd2 setting and config log syslogd3 setting commands: set format to custom, and select the log format.
- For syslogd override under a VDOM, enable syslog-override under config log setting. Then set format to custom, and select the log format under config log syslogd override-setting.
This topic includes the following examples:
Example 1: exclude fields
In this example, logs sent from FortiGate to a syslog server are customized as follows:
- The percentage (%) character indicates empty values in the logs.
- The "date", "eventtime", "time" and "tz" fields are excluded from the logs.
To customize logs for syslog servers:
- Set the custom log format:
  The empty-value-indicator can be a single character symbol, such as %.

      config log custom-format
          edit "test"
              set empty-value-indicator "%"
              set field-exclusion-list "date" "eventtime" "time" "tz"
          next
      end

- Set the log template:

      config log syslogd setting
          set status enable
          set server "172.16.200.55"
          set facility local6
          set format custom
          set custom-log-format "test"
      end

- Send logs to a syslog server.
Logs received by the syslog server exclude “date”, “eventtime”, “time”, and “tz” fields.
- Traffic log example:
Feb 3 10:03:31 172.16.200.2 devname=FGT-B-LOG devid=FG201FT920901892 logid="0006000026" type="traffic" subtype="http-transaction" level="notice" vd="vdom1" srcip=10.1.100.22 srcport=33012 dstip=172.16.200.55 dstport=80 sessionid=100663312 transid=100663315 action="accept" policyid=1 policytype="proxy-policy" poluuid="e66b90f6-008d-51f1-e5f4-799c5495850b" url="http://172.16.200.55/" agent="curl/7.68.0" appcat="unscanned" duration=0 reqlength=127 resplength=1145 rcvdbyte=1145 sentbyte=127 scheme="http" hostname="172.16.200.55" resptype="normal" httpmethod="GET" statuscode="200" reqtime=1770134611 resptime=1770134611 respfinishtime=1770134611
- UTM log example:
Feb 2 15:31:47 172.16.200.2 devname=FGT-B-LOG devid=FG201FT920901892 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" policyid=1 poluuid="2a0da664-90c8-51ef-c42e-31dd5cc56aea" policytype="policy" msg="File is infected." action="blocked" service="HTTP" sessionid=1009 srcip=10.1.100.22 dstip=172.16.200.55 srcport=56586 dstport=80 srccountry="Reserved" dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" srcuuid="85bf1200-90ae-51ef-7a00-759244bb35e4" dstuuid="85bf1200-90ae-51ef-7a00-759244bb35e4" proto=6 direction="incoming" filename="eicar.com" checksum="6851cf3c" quarskip="No-skip" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="cached" itype="infected" ref="https://fortiguard.com/encyclopedia/virus/2172" virusid=2172 url="http://172.16.200.55/virus/eicar.com" profile="av-test" agent="curl/7.68.0" httpmethod="GET" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
- Event log example:
Feb 2 15:31:41 172.16.200.2 devname=FGT-B-LOG devid=FG201FT920901892 logid="0100020025" type="event" subtype="system" level="notice" vd="vdom1" logdesc="Report generated successfully" msg="Report generation succeeded for layout:default." file="/var/log/log/vdom1/report/generated/On-Demand-default-2026-02-02-123140/default.pdf" filesize=272974 datarange="01-Feb-2026 12:00 To 02-Feb-2026 11:59" reporttype="On-demand" processtime=0"
Example 2: configure specific categories, subtypes, and fields
In this example, logs sent from FortiGate to a syslog server are customized as follows:
- The percentage (%) character indicates empty values in the logs.
- A log type category (event), subtype (system), and specific fields are configured for the logs.
FortiGate only sends logs for this category and subtype with the configured fields to the syslog server. This feature is supported for all categories.
To customize logs for syslog servers:
- Configure a custom log format:

      config log custom-format
          edit "test"
              set empty-value-indicator "%"
              config log-templates
                  edit "1"
                      set category event
                      set subtypes "system"
                      set template "eve_type=$(subtype) eve_msg=$(msg) eve_vdom=$(vd) eve_level=$(level) eve_status=$(status) eve_profile=$(profile)"
                  next
              end
          next
      end

- Set the log template:

      config log syslogd setting
          set status enable
          set server "172.16.200.55"
          set facility local6
          set format custom
          set custom-log-format "test"
      end

- Send logs to a syslog server.
Logs received by the syslog server only include logs configured in the template, and fields with an empty value display %.

Feb 2 16:00:55 172.16.200.2 eve_type="system" eve_msg="Administrator admin login failed from https(10.6.30.254) because of invalid password" eve_vdom="vdom1" eve_level="alert" eve_status="failed" eve_profile=%
Feb 2 16:01:12 172.16.200.2 eve_type="system" eve_msg="Edit system.global " eve_vdom="vdom1" eve_level="information" eve_status=% eve_profile=%
Example 3: include UTM-related fields in traffic logs
This example demonstrates how to include UTM-related fields in traffic logs. This feature is only available for traffic logs.
In this example, category is set to traffic, subtype is set to forward, and specific fields are configured for the logs FortiGate sends to a syslog server.
When a UTM field does not exist for the category, an invalid log field name error is displayed.
To customize logs for syslog servers:
- Configure a custom log format:

      config log custom-format
          edit "test"
              set empty-value-indicator ' '
              config log-templates
                  edit "1"
                      set category traffic
                      set subtypes "forward"
                      set template "type=$(type) subtype=$(subtype) http_status_code=$(statuscode) url=$(virus.url) virus=$(virus.virus) agent=$(virus.agent) profile=$(virus.profile)"
                  next
              end
          next
      end

- Set the log template:

      config log syslogd setting
          set status enable
          set server "172.16.200.55"
          set facility local6
          set format custom
          set custom-log-format "test"
      end

- Send logs to a syslog server.
Logs received by the syslog server include selected traffic and UTM log fields.
Feb 3 11:44:07 172.16.200.2 type="traffic" subtype="forward" http_status_code= url="http://172.16.200.55/virus/eicar.com" virus="EICAR_TEST_FILE" agent="curl/7.68.0" profile="av-test"
Example 4: use wildcard syntax
This example demonstrates how to include the wildcard syntax $(*) in the template. Note:
- $(*) is replaced by the default-format log content.
- You can append additional UTM fields alongside the wildcard syntax.
- $(*) behaves like a regular field in custom-format log-templates and can have both prefixes and postfixes.
- Each template can only have one wildcard $(*). An error is displayed when more than one $(*) is used in the template.
To customize logs for syslog servers:
- Configure a custom log format:
  When the custom log format has a field-exclusion-list set and a template is set for a specific category, the template overrides the field-exclusion-list for that category.

      config log custom-format
          edit "test"
              set field-exclusion-list "date" "eventtime" "time" "tz"
              set empty-value-indicator "%"
              config log-templates
                  edit "1"
                      set category traffic
                      set subtypes "forward"
                      set template "url=$(virus.url) virus=$(virus.virus) http_status_code=$(statuscode) $(*) agent=$(virus.agent) profile=$(virus.profile)"
                  next
              end
          next
      end

- Set the log template:

      config log syslogd setting
          set status enable
          set server "172.16.200.55"
          set facility local6
          set format custom
          set custom-log-format "test"
      end

- Send logs to a syslog server.
Logs received by the syslog server include all traffic log fields plus the selected UTM log fields.
Feb 3 09:27:45 172.16.200.2 date=2026-02-03 time=09:27:45 devname=FGT-B-LOG devid=FG201FT920901892 url="http://172.16.200.55/virus/eicar.com" virus="EICAR_TEST_FILE" http_status_code=% eventtime=1770139665020444596 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.100.22 srcname="10.1.100.22" srcport=40028 srcintf="port1" srcintfrole="undefined" dstip=172.16.200.55 dstname="172.16.200.55" dstport=80 dstintf="port2" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=5120 proto=6 action="close" policyid=1 policytype="policy" poluuid="2a0da664-90c8-51ef-c42e-31dd5cc56aea" policyname="B-out" service="HTTP" trandisp="snat" transip=172.16.200.2 transport=40028 appcat="unscanned" duration=30 sentbyte=1784 rcvdbyte=1242 sentpkt=31 rcvdpkt=6 utmaction="block" countav=1 crscore=50 craction=2 agent="curl/7.68.0" profile="av-test"
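The template rules this topic describes ($(fieldname), $(utmcategory.fieldname), a single $(*) wildcard, empty-value-indicator, field-exclusion-list and category/subtype matching), modelled as an added Python example for someone building the receiving parser; it is not FortiOS code. The record layout, the quoting rule, the handling of empty fields and the sample records are assumptions, and the config dict mirrors Example 4.

```python
import re

# Constructed sample records modelled on Example 4 (not captured output): a forward
# traffic record and the UTM virus record of the same session.
TRAFFIC = {"date": "2026-02-03", "time": "09:27:45", "tz": "-0800", "type": "traffic",
           "subtype": "forward", "srcip": "10.1.100.22", "statuscode": "", "countav": "1"}
UTM = {"virus": {"url": "http://172.16.200.55/virus/eicar.com", "virus": "EICAR_TEST_FILE"}}

FIELD_RE = re.compile(r"\$\((\*|\w+(?:\.\w+)?)\)")  # $(field), $(utmcat.field) or $(*)
BARE_RE = re.compile(r"[\d.:-]+")  # assumed quoting rule: numbers/IPs/dates bare, rest quoted

def quote(value):
    return value if BARE_RE.fullmatch(value) else f'"{value}"'

def default_format(record, exclude=()):
    """Default key=value line. field-exclusion-list applies only here; empty fields
    are simply omitted (assumption)."""
    return " ".join(f"{k}={quote(v)}" for k, v in record.items()
                    if v != "" and k not in exclude)

def render(template, record, utm, indicator=""):
    """Expand one log-templates entry. Raises ValueError where the CLI reports an
    error: a second $(*), or a UTM category/field the record does not carry."""
    if template.count("$(*)") > 1:
        raise ValueError("only one $(*) is allowed per template")
    def sub(m):
        name = m.group(1)
        if name == "*":                    # wildcard: the whole default-format line; the
            return default_format(record)  # template overrides the exclusion list
        if "." in name:                    # $(utmcategory.fieldname), traffic logs only
            cat, field = name.split(".", 1)
            if field not in utm.get(cat, {}):
                raise ValueError(f"invalid log field name: {name}")
            return quote(utm[cat][field])
        value = record.get(name, "")
        return indicator if value == "" else quote(value)  # empty -> empty-value-indicator
    return FIELD_RE.sub(sub, template)

def format_log(record, utm, cfg):
    """Apply a custom-format config: the template whose category (and subtypes, if
    any are set) match the record wins; otherwise the default format with exclusions."""
    for t in cfg["log-templates"]:
        if t["category"] == record["type"] and (not t["subtypes"] or record["subtype"] in t["subtypes"]):
            return render(t["template"], record, utm, cfg["empty-value-indicator"])
    return default_format(record, cfg["field-exclusion-list"])

# The custom-format from Example 4 as a dict (trailing UTM fields dropped for brevity).
CFG = {"empty-value-indicator": "%", "field-exclusion-list": ["date", "eventtime", "time", "tz"],
       "log-templates": [{"category": "traffic", "subtypes": ["forward"],
                          "template": "url=$(virus.url) virus=$(virus.virus) http_status_code=$(statuscode) $(*)"}]}
```

Records of a category with no matching template (an event log here) fall back to the default format with the exclusion list applied, which is what Example 1 shows.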