Logs, Reports, and Alerts

Configuring logging to a Syslog server or FortiAnalyzer unit

Instead of or in addition to logging locally, you can store log messages remotely on a Syslog server or a FortiAnalyzer unit.

You can add a maximum of three remote Syslog servers.

Logs stored remotely cannot be viewed from the web UI of the FortiMail unit. If you require the ability to view logs from the web UI, also enable local storage. For details, see “Configuring logging to the hard disk” on page 672.

Before you can log to a remote location, you must first enable logging. For details, see “Choosing which events to log” on page 673. For logging accuracy, you should also verify that the FortiMail unit’s system time is accurate. For details, see “Configuring the time and date” on page 265.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To configure logging to a Syslog server or FortiAnalyzer unit

  1. Go to Log and Report > Log Settings > Remote Log Settings.

Figure 301: Remote Log Settings tab

GUI item   Description
Enabled    Select to enable remote storage on the server. Clear to disable storage.
ID         Displays the remote host ID.
Server     Displays the IP address of the Syslog server or FortiAnalyzer unit.
Port       Displays the port on the Syslog server or FortiAnalyzer unit.
Level      Displays the minimum severity level for logging purposes.
Facility   Displays the facility identifier the FortiMail unit uses to identify itself.

  2. Click New to create a new entry or double-click an existing entry to modify it.

A dialog appears.

Figure 302: Remote host configuration dialog

  3. Select Enable to allow logging to a remote host.
  4. In Profile name, enter a profile name.
  5. In IP, enter the IP address of the Syslog server or FortiAnalyzer unit where the FortiMail unit will store the logs.
  6. In Port, if the remote host is a FortiAnalyzer unit, enter 514; if the remote host is a Syslog server, enter the UDP port number on which the Syslog server listens for connections (by default, UDP 514). For more information on ports, see “Appendix C: Port Numbers” on page 730.
  7. From Level, select the severity level that a log message must equal or exceed in order to be recorded to this storage location.

For information about severity levels, see “Log message severity levels” on page 668.

  8. From Facility, select the facility identifier that the FortiMail unit will use to identify itself when sending log messages.

To easily identify log messages from the FortiMail unit when they are stored on a remote logging server, enter a unique facility identifier, and verify that no other network devices use the same facility identifier.

  9. Enable CSV format if you want to send log messages in comma-separated value (CSV) format.

  10. In Logging Policy Configuration, enable the types of logs you want to record to this storage location. Click the arrow to review the options. For details, see “Choosing which events to log” on page 673.

  11. Click Create.

  12. If the remote host is a FortiAnalyzer unit, confirm with the FortiAnalyzer administrator that the FortiMail unit was added to the FortiAnalyzer unit’s device list, allocated sufficient disk space quota, and assigned permission to transmit logs to the FortiAnalyzer unit. For details, see the FortiAnalyzer Administration Guide.

  13. To verify logging connectivity, from the FortiMail unit, trigger a log message that matches the types and severity levels that you have chosen to store on the remote host. Then, on the remote host, confirm that it has received that log message.

For example, if you have chosen to record event log messages to the remote host if they are more severe than information, you could log in to the web UI or download a backup copy of the FortiMail unit’s configuration file in order to trigger an event log message.

If the remote host does not receive the log messages, verify the FortiMail unit’s network interfaces (see “Configuring the network interfaces” on page 247 and “About the management IP” on page 245) and static routes (see “Configuring static routes” on page 258), and the policies on any intermediary firewalls or routers. If ICMP ECHO (ping) is enabled on the remote host, you can use the execute traceroute command to determine the point where connectivity fails. For details, see the FortiMail CLI Reference.
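As an added example that is not part of the guide, the following Python script receives syslog datagrams on the UDP port configured above and checks each one's PRI header against the Facility and Level settings of the remote log profile, which is one way to perform the final connectivity check from the remote host's side. It assumes the facility and severity names match the standard syslog numbering used in the drop-downs; on a host that already runs a syslog daemon, point a test profile at a spare port instead of binding 514.

```python
import re
import socket

# Syslog facility/severity numbering (RFC 3164); assumed to match the names in
# the FortiMail Facility and Level drop-downs.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "information", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(datagram):
    """Return (facility, severity, body) or None if the <PRI> header is bad.
    PRI = facility * 8 + severity, so facility = PRI // 8, severity = PRI % 8."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # local7 (23) * 8 + debug (7) is the largest valid PRI
        return None
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2).strip()


def matches_profile(datagram, facility, level):
    """True if the datagram has the configured facility and is at least as severe
    as the profile's Level. Lower syslog numbers are MORE severe, so "equal or
    exceed the level" means severity index <= level index."""
    decoded = decode_pri(datagram)
    if decoded is None:
        return False
    fac, sev, _ = decoded
    return fac == facility and SEVERITIES.index(sev) <= SEVERITIES.index(level)


def wait_for_log(facility, level, port=514, timeout=60.0):
    """Bind the configured UDP port (514 needs root) and return
    (sender_ip, decoded_message) for the first matching datagram, else None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("0.0.0.0", port))
        try:
            while True:
                data, peer = sock.recvfrom(65535)
                text = data.decode("utf-8", errors="replace")
                if matches_profile(text, facility, level):
                    return peer[0], decode_pri(text)
        except socket.timeout:
            return None
```

A return of None after the timeout, while the FortiMail unit reports the event locally, points at the network path (interfaces, routes, intermediary firewalls) rather than at the profile settings.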

Configuring report profiles and generating reports

The Log and Report > Report Settings > Configuration tab displays a list of report profiles.

A report profile is a group of settings that contains the report name, its subject matter, its schedule, and other aspects that the FortiMail unit considers when generating reports from log data. The FortiMail unit presents the information in tabular and graphical format.

You can create one report profile for each type of report that you will generate on demand or on a schedule.

Generating reports can be resource intensive. To avoid email processing performance impacts, you may want to generate reports during times with low traffic volume, such as at night. For more information on scheduling the generation of reports, see “Configuring the report schedule” on page 680.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view and configure report profiles

  1. Go to Log and Report > Report Settings > Configuration.

Figure 303: Configuration tab

GUI item            Description
Generate (button)   Select a report and click this button to generate a report immediately. See “Generating a report manually” on page 682.
Report Name         Displays the name of the report profile.
Domain              Displays the name of the protected domain that is the source of the report.
Schedule            Displays the frequency with which the FortiMail unit generates a scheduled report. If the report is designed for manual generation, Not Scheduled appears in this column.

  2. Click New to add a profile or double-click a profile to modify it.

A multisection dialog appears.

Figure 304: New report configuration

  3. In Report Name, enter a name for the report profile.

Report names cannot include spaces.

  4. Click the arrow next to each option, and configure the following as needed:
    • “Configuring the report time period” on page 678.
    • “Configuring the report query selection” on page 679.
    • “Configuring the report schedule” on page 680.
    • “Selecting the protected domains to report” on page 681.
    • “Configuring report conditions” on page 681.
    • “Configuring report email notification” on page 682.
  5. Click Create or OK.


4 thoughts on “Logs, Reports, and Alerts”

    1. Mike (Post author)

      Depends on a wide variety of things. Amount of logs being generated, amount of storage on the device, etc…

    2. Nikesh

      In FortiGate logs, we have the field logid=0315012546, where the last digits of this field, i.e. ‘012546’, are referred to as the message ID and help in understanding the logs in detail.
      Does such a thing apply to the log_id field of FortiMail as well?
