Log View – FortiManager 5.2

FortiSandbox logs

The FortiManager unit can receive logs from a FortiSandbox. FortiSandbox logs can be viewed in FortiView > Log View. Logs can be viewed in both historical view and in both formatted and raw log views.


The following information is displayed:

Malware logs: The following columns are supported by default for event logs: Date/Time, Level, Risk, Malware Name, Source IP, and Destination IP. Click the log details icon to the left of the limit field to view additional log information.

Click the column header to set column settings. Select More Columns for additional columns.

Right-click the column field to apply a search filter. Not all columns support this feature.

Network Alerts logs: The following columns are supported by default for event logs: Date/Time, Level, Destination IP:Port, Attack Name, and Host. Click the log details icon to the left of the limit field to view additional log information.

Click the column header to set column settings. Select More Columns for additional columns.

Right-click the column field to apply a search filter. Not all columns support this feature.

FortiWeb logs

The FortiManager unit can receive logs from a FortiWeb. FortiWeb logs can be viewed in FortiView > Log View. Logs can be viewed in both historical view and in both formatted and raw log views.


The following information is displayed:

Event logs: The following columns are supported by default for event logs: Date/Time, Device ID, Level, User Interface, Action, and Message. Click the log details icon to the left of the limit field to view additional log information.

Click the column header to set column settings. Select More Columns for additional columns.

Right-click the column field to apply a search filter. Not all columns support this feature.

Intrusion Prevention logs: The following columns are supported by default for event logs: Date/Time, Device ID, Source, Destination, Policy, Action, HTTP URL, HTTP Host, and Message. Click the log details icon to the left of the limit field to view additional log information.

Click the column header to set column settings. Select More Columns for additional columns.

Right-click the column field to apply a search filter. Not all columns support this feature.

Traffic logs: The following columns are supported by default for event logs: Date/Time, Device ID, Service, Source, Destination, Policy, HTTP Method, HTTP RETCODE, and Message. Click the log details icon to the left of the limit field to view additional log information.

Click the column header to set column settings. Select More Columns for additional columns.

Right-click the column field to apply a search filter. Not all columns support this feature.

Syslog server logs

The FortiManager unit can receive logs from a syslog server. Syslog logs can be viewed in FortiView > Log View > Syslog. Event logs are available. Logs can be viewed in both historical and real-time views and in both formatted and raw log views.


The following information is displayed:

Syslog logs: The following columns are supported by default for event logs: Date/Time, Device ID, Level, and Message. Click the log details icon to the left of the limit field to view additional log information.

Click the column header to set column settings. Select More Columns for additional columns.

Right-click the column field to apply a search filter. Not all columns support this feature.

Configuring rolling and uploading of logs

You can control device log file size and use of the FortiManager unit’s disk space by configuring log rolling and scheduled uploads to a server.

As the FortiManager unit receives new log items, it performs the following tasks: it verifies whether the log file has exceeded its file size limit and, if the file size has not been exceeded, checks whether it is time to roll the log file.

Configure the time to be either a daily or weekly occurrence, and when the roll occurs. When a current log file (tlog.log) reaches its maximum size, or reaches the scheduled time, the FortiManager unit rolls the active log file by renaming the file. The file name will be in the form of xlog.N.log (for example, tlog.1252929496.log), where x is a letter indicating the log type and N is a unique number corresponding to the time the first log entry was received. The file modification time will match the time when the last log was received in the log file.

Once the current log file is rolled into a numbered log file, it will not be changed. New logs will be stored in the new current log called tlog.log. If log uploading is enabled, once logs are uploaded to the remote server or downloaded via the Web-based Manager, they are in the following format:

FG3K6A3406600001-tlog.1252929496.log-2012-09-29-08-03-54.gz

If you have enabled log uploading, you can choose to automatically delete the rolled log file after uploading, thereby freeing the amount of disk space used by rolled log files. If the log upload fails, such as when the FTP server is unavailable, the logs are uploaded during the next scheduled upload.
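The uploaded-file naming scheme above is worth checking mechanically when you audit a log archive, because a name that does not fit it, a file from an unexpected device, or an upload stamp earlier than the first entry it claims to hold all point at collection problems. The following is an added example, not code from the FortiManager documentation or from Fortinet; it assumes that N in xlog.N.log is Unix epoch seconds and that the trailing timestamp is in UTC, neither of which the page states, and the sample directory listing is constructed apart from the file name quoted above.

```python
import re
from datetime import datetime, timezone

# Name of a rolled log file after upload/download, as described above:
#   <device serial>-<x>log.<N>.log-<YYYY-MM-DD-hh-mm-ss>.gz
# x is the log-type letter, N is the time the first entry was received.
# Assumption (not stated on the page): N is Unix epoch seconds and the
# trailing timestamp is in UTC.
ROLLED_LOG_RE = re.compile(
    r"^(?P<serial>[A-Z0-9]+)-(?P<type>[a-z])log\.(?P<first>\d+)\.log-"
    r"(?P<stamp>\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})\.gz$"
)

def parse_rolled_log_name(name):
    """Split one archive file name into its fields; raise ValueError if it does not fit."""
    m = ROLLED_LOG_RE.match(name)
    if not m:
        raise ValueError(f"not a rolled-log file name: {name}")
    first = datetime.fromtimestamp(int(m["first"]), tz=timezone.utc)
    stamp = datetime.strptime(m["stamp"], "%Y-%m-%d-%H-%M-%S").replace(tzinfo=timezone.utc)
    return {"serial": m["serial"], "log_type": m["type"],
            "first_entry": first, "uploaded": stamp}

def audit_archive(names, expected_serial):
    """Return (name, reason) for each file an archive check should flag:
    a name outside the scheme, a file from another device, or an upload
    stamp earlier than the first entry it claims to contain (clock problem)."""
    findings = []
    for name in names:
        try:
            info = parse_rolled_log_name(name)
        except ValueError:
            findings.append((name, "malformed name"))
            continue
        if info["serial"] != expected_serial:
            findings.append((name, "unexpected device serial"))
        elif info["uploaded"] < info["first_entry"]:
            findings.append((name, "upload time precedes first log entry"))
    return findings

# Constructed listing of an upload directory; only the first name is from the page.
SAMPLE_ARCHIVE = [
    "FG3K6A3406600001-tlog.1252929496.log-2012-09-29-08-03-54.gz",
    "FG3K6A3406600001-tlog.1252933096.log-2012-09-29-08-03-55.gz",
    "FG3K6A3406600002-tlog.1252929496.log-2012-09-29-08-03-54.gz",
    "FG3K6A3406600001-tlog.1400000000.log-2012-09-29-08-03-54.gz",
    "notes.txt",
]

if __name__ == "__main__":
    for finding in audit_archive(SAMPLE_ARCHIVE, "FG3K6A3406600001"):
        print(*finding, sep=": ")
```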

Log rolling and uploading can be enabled and configured in the Web-based Manager in System Settings > Advanced > Device Log Settings. For more information, see Device log settings on page 147. Log rolling and uploading can also be enabled and configured using the CLI. For more information, see the FortiManager CLI Reference.

To enable or disable log file uploads:

To enable log uploads, enter the following CLI commands:

config system log settings
    config rolling-regular
        set upload enable
    end
end

To disable log uploads, enter the following CLI commands:

config system log settings
    config rolling-regular
        set upload disable
    end
end


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
