FortiCache 4.0.1 Administration Guide

Logging

The Log menu provides an interface for viewing and downloading traffic, event, and security logs. Logging, archiving, and user interface settings can also be configured, see Log settings on page 145.

The log messages are a record of all of the traffic that passes through the FortiCache device, and the actions taken by the device while scanning said traffic.

After a log message is recorded, it is stored in a log file. The log files can be stored on the FortiCache device itself, on a connected FortiManager or FortiAnalyzer device, or on a FortiCloud server (you must have a FortiCloud subscription before you can configure the FortiCache device to send logs to a FortiCloud server). The FortiCache device’s system memory or local disk can be configured to store logs.

The following logs are available:

Traffic Log Traffic logs are a record of all of the traffic that passes the FortiCache unit.
Forward Traffic Forward traffic logs include log messages for traffic that passes through the FortiCache device. It includes both traffic and security log messages, so that messages about security events can be viewed alongside messages about the traffic at the time of the event.
HTTP

Transaction

HTTP transaction related logs.
Local Traffic Local traffic logs include messages for traffic that terminates at the FortiCache unit allowed or denied by a local policy.
Event Log Event logs record management and activity events within the FortiCache device, divided into four areas: System, Router, User, and WAN Opt. &

Cache.

System System related logs.
Router Router related logs.
User User related logs.
HA HA related logs.
WAN Opt. &

Cache

WAN optimization and cache related logs.
Security Log The Security Log records attacks that are detected and prevented by the FortiGate unit.

 

Logging

AntiVirus Antivirus logs are recorded when, during the antivirus scanning process, the FortiGate unit finds a match within the antivirus profile, which includes the presence of a virus or grayware signature.
Web Filter Web filter logs record HTTP log rating errors, including web content blocking actions that the FortiCache device performs.
Data Leak Prevention Data Leak Prevention logs, or DLP logs, provide valuable information about the sensitive data trying to get through to your network as well as any unwanted data trying to get into your network.

Can log the following traffic types:

l email (SMTP, POP3 or IMAP; if SSL content SMTPS, POP3S, and

IMAPS) l HTTP l HTTPS l FTP l NNTP l IM

Log Config Log settings can be configured here.
Log Settings Logging and archiving options and GUI preferences can be configured here.

Log messages can be viewed from the Log menu in the FortiCache GUI.

Refresh Select Refresh to refresh the log list.
Download Raw Log Select Download Raw Log to download the raw log file to your local computer. The log file can be viewed in any text editor.
Log Location The location where the displayed logs are stored.
Log list The log messages.

The visible columns can be customized by right-clicking on a column header and selecting which columns are displayed. The available columns varies depending on the type of logs being viewed.

The displayed logs can be filtered by either right-clicking on a cell in the table and selecting Set as Filter, or by selecting the filter icon in the column heading and entering the requisite filter information, depending on the specific column.

Page navigation Navigate to different pages of the log list. The total number of log messages are also shown.
Log Details Details about the selected log message. The information displayed will vary depending on the type of log message selected.

Log settings                                                                                                                                             Logging

Archive View archived versions of the selected log message. This option is only available for traffic logs.

Log settings

The type and frequency of log messages you intend to save determines the type of log storage to use. For example, if you want to log traffic and content logs, you need to configure the unit to log to a syslog server. The FortiCache system disk is unable to log traffic and content logs because of their frequency and large file size.

Storing log messages to one or more locations, such as a syslog server, may be a better solution for your logging requirements than the FortiCache system disk.

This topic contains information about logging to FortiAnalyzer or FortiManager units, a syslog server, and to disk.

To configure log settings, go to Log > Log Config > Log Settings.

Configure the following settings:

Memory   Select to store logs in the unit’s memory.
Disk   Select to store logs on the unit’s disk.

Logging                                                                                                                                             Log settings

Send Logs to

FortiAnalyzer/FortiCache

Manager

Select to send logs to a FortiAnalyzer or a FortiCache Manager unit.

HTTP Transaction logs will also be sent to FortiAnalyzer in order to generate additional detail in reports.

IP Address The IP address of the FortiAnalyzer or FortiCache Manager unit.

Select Test Connectivity to test the connectivity with the device.

Send Logs to FortiCloud This option is not available.
Send Logs to Syslog Select to send logs to a Syslog server.
Server The IP address of the Syslog server.
Event Logging Select to enable event logging, then select the events to log: Enable All, Endpoint event, System activity event, Explicit web proxy event, Useractivity event, Routeractivity event, and HA event.
GUI Preferences Configure GUI preferences.
Display Logs From Select where logs are displayed from: Memory, Disk, or FortiAnalyzer.
Resolve

Hostnames

Select to resolve hostnames using reverse DNS lookup.
Resolve

Unknown

Applications

Select resolve unknown application using the remote application database.

Local logging and archiving

The FortiCache system can store log messages on disk. It can store traffic and contents logs on the system disk or disks. When the log disk is full, logging to disk can either be suspended, or the oldest logs can be overwritten.

Remote logging to a syslog server

A syslog server is a remote computer running syslog software and is an industry standard for logging. Syslog is used to capture log information provided by network devices. The syslog server is both a convenient and flexible logging device, since any computer system, such as Linux, Unix, and Intel-based Windows can run syslog software.

When configuring logging to a syslog server, you need to configure the facility and the log file format, which is either normal or Comma Separated Values (CSV). The CSV format contains commas whereas the normal format contains spaces. Logs saved in the CSV file format can be viewed in a spread-sheet application, while logs saved in normal format are viewed in a text editor because they are saved as plain text files.

Configuring a facility easily identifies the device that recorded the log file. You can choose from many different facility identifiers, such as daemon or local7.

Log settings                                                                                                                                             Logging

If you are configuring multiple Syslog servers, configuration is available only in the CLI. You can also enable the reliable delivery option for Syslog log messages in the CLI.

From the CLI, you can enable reliable delivery of syslog messages using the reliable option of the config log {syslog | syslog2 | syslog3} settings command. The FortiCache unit implements the RAW

profile of RFC 3195 for reliable delivery of log messages. Reliable syslog protects log information through authentication and data encryption and ensures that the log messages are reliably delivered in the correct order. This feature is disabled by default.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.