Traffic logs record the traffic that is flowing through your FortiGate unit. Since traffic needs firewall policies to properly flow through the unit, this type of logging is also referred to as firewall policy logging. Firewall policies control all traffic that attempts to pass through the FortiGate unit, between FortiGate interfaces, zones and VLAN sub-interfaces.
The event log records administration management as well as Fortinet device system activity, such as when a configuration has changed, or admin login or HA events occur. Event logs are important because they record Fortinet device system activity, which provides valuable information about how your Fortinet unit is performing. The FortiGate event logs includes System, Router, VPN, and User menu objects to provide you with more granularity when viewing and searching log data.
Security logs (FortiGate) record all antivirus, web filtering, application control, intrusion prevention, email filtering, data leak prevention, vulnerability scan, and VoIP activity on your managed devices.
The logs displayed on your FortiManager are dependent on the device type logging to it and the features enabled. FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager, FortiWeb, FortiSandbox, FortiClient and Syslog logging is supported. ADOMs must be enabled to support non-FortiGate logging.
For more information on logging see the Logging and Reporting forFortiOS Handbook in the Fortinet Document
The Log View menu displays log messages for connected devices. You can also view, import, and export log files that are stored for a given device, and browse logs for all devices.
When rebuilding the SQL database, Log View will not be available until after the rebuild is completed. Although you can view older logs, new logs will not be inserted into the database until after the rebuild is completed. Select the Show Progress link in the message to voew the status of the SQL rebuild.
Viewing log messages
To view log messages, select the FortiView tab, select Log View in the left tree menu, then browse to the ADOM whose logs you would like to view in the tree menu. You can view the traffic log, event log, or security log information per device or per log array. FortiMail and FortiWeb logs are found in their respective default ADOMs. For more information on FortiGate raw logs, see the FortiGate Log Message Reference in the Fortinet Document Library. For more information on other device raw logs, see the Log Message Reference for the platform type.
Log View (formatted display)
This page displays the following information and options:
| Refresh | Select the icon to refresh the log view. This option is only available when viewing historical logs. |
| Search | Enter a search term to search the log messages. See “FortiView” on page 472. You can also right-click an entry in one of the columns and select to add a search filter. Select GO in the toolbar to apply the filter. Not all columns support the search feature. |
| Latest Search | Select the icon to repeat previous searches, select favorite searches, or quickly add filters to your search. The filters available will vary based on device and log type. |
| Clear Search | Select the icon to clear search filters. |
| Help | Hover your mouse over the help icon, for example search syntax. See “FortiView” on page 473. |
| Device | Select the device or log array in the drop-down list. Select Manage Log Arrays in the Tools menu to create, edit, or delete log arrays. |
| Time Period | Select a time period from the drop-down list. Options include: Last 30 mins, Last 1 hour, Last 4 hours, Last 12 hours, Last 1 day, Last 7 days, Last N hours, Last N days, or Custom. See “FortiView” on page 473.
This option is only available when viewing historical logs. |
| GO | Select the icon to apply the time period and limit to the displayed log entries. A progress bar is displayed in the lower toolbar. |
| Custom View | Select to create a new custom view. You can select to create multiple custom views in log view. Each custom view can display a select device or log array with specific filters and time period. See “FortiView” on page 471. Custom views are displayed under the Custom View menu.
This option is only available when viewing historical logs. |
| Pause | Resume | Pause or resume real-time log display. These two options are only available when viewing real-time logs. |
| Tools | The tools button provides options for changing the manner in which the logs are displayed, and search and column options. You can manage log arrays and it also provides an option for downloading logs, see “FortiView” on page 473. |
| Real-time Log Historical Log | Select to change view from Real-time Log to Historical Log. |
| Display Raw | Select to change view from formatted display to raw log display. |
| Download | Select to download logs. A download dialog box is displayed. Select the log file format, compress with gzip, the pages to include and select Apply to save the log file to the management computer. This option is only available when viewing historical logs in formatted display. |
| Manage Log Arrays | Select to create new, edit, and delete log arrays. Once you have created a log array, you can select the log array in the Device drop-down menu in the Log View toolbar.
In FortiManager v5.2.0 and later, when selecting to add a device with VDOMs, all VDOMs are automatically added to the Log Array. |
| Case Sensitive Search | Select to enable case sensitive search. |
| Enable Column Filter | Select to enable column filters. |
| Logs | The columns and information shown in the log message list will vary depending on the selected log type, the device type, and the view settings. Right-click on various columns to add search filters to refine the logs displayed. When a search filter is applied, the value is highlighted in the table and log details. |
| Log Details | Detailed information on the log message selected in the log message list. The item is not available when viewing raw logs. See Log details for more information.
Log Details are only displayed when enabled in the Tools menu. |
| Status Bar | Displays the log view status as a percentage. |
| Pagination | Adjust the number of logs that are listed per page and browse through the pages. |
| Limit | Select the maximum number of log entries to be displayed from the drop-down list. Options include: 1000, 5000, 10000, 50000, or All. |
| Display Log Details | Select the icon to the right of Limit to display the log details window. |
| Archive | Information about archived logs, when they are available. The item is not available when viewing raw logs, or when the selected log message has no archived logs. When an archive is available, the archive icon is displayed. See Archive for more information.
This option is only available when viewing historical logs in formatted display and when an archive is available. |
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!