Viewing Log Messages

Viewing log messages

The Log submenu displays locally stored log files. If you configured the FortiMail unit to store log messages locally (that is, to the hard disk), you can view the log messages currently stored in each log file.

Logs stored remotely cannot be viewed from the web UI of the FortiMail unit. If you require the ability to view logs from the web UI, also enable local storage. For details, see “Configuring logging to the hard disk” on page 672.

The Log submenu includes the following tabs, one for each log type:

  • History: Where you can view the log of sent and undelivered SMTP email messages.
  • Event: Where you can view the log of administrator activities and system events.
  • AntiSpam: Where you can view the log of email detected as spam.
  • AntiVirus: Where you can view the log of email detected as infected by a virus.
  • Encryption: Where you can view the log of IBE encryption. For more information about using IBE, see “Configuring IBE encryption” on page 357.

For more information on log types, see “FortiMail log types” on page 667.

Each tab contains a similar display.

The lists are sorted by the time range of the log messages contained in the log file, with the most recent log files appearing near the top of the list.

For example, the current log file would appear at the top of the list, above a rolled log file whose time might range from 2008-05-08 11:59:36 Thu to 2008-05-29 10:44:02 Thu.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view the list of log files and their contents

  1. Go to Monitor > Log.
  2. Click the tab corresponding to the type of log file that you want to view (History, Event, AntiVirus, AntiSpam, or Encryption).

Figure 81:Antispam log tab

GUI item Description


Click to download the report in one of several formats:

•      Normal Format for a log file that can be viewed with a plain text editor such as Microsoft Notepad.

•      CSV Format for a comma-separated value (.csv) file that can be viewed in a spreadsheet application such as Microsoft Excel or OpenOffice Calc.

•      Compressed Format for a plain text log file like Normal Format, except that it is compressed and stored within a .gz archive.



Click to search all log files of this type.

Unlike the search when viewing the contents of an individual log file, this search displays results regardless of which log file contains them.

For more information, see “Searching log messages” on page 212.

Start Time Lists the beginning of the log file’s time range.
End Time Lists the end of the log file’s time range.
Size Lists the size of the log file in bytes.
  1. To view messages contained in logs:
    • double-click a log file to display the file’s log messages

To view the current page’s worth of the log messages as an HTML table, right-click and select Export to Table. The table appears in a new tab. To download the table, click and drag to select the whole table, then copy and paste it into a rich text editor such as Microsoft Word or OpenOffice Writer.

  • click a row to select its log file, click Download, then select a format option

Alternatively, to display a set of log messages that may reside in multiple, separate log files:

  • If the log files are of the same type (for example, all antispam logs), click Search. For details, see “Searching log messages” on page 212.
  • If the log messages are of different types but all caused by the same email session ID, you can do a cross-search to find and display all correlating log messages. For details, see “Cross-searching log messages” on page 214.

For descriptions of individual log messages, see the FortiMail Log Message Reference.

Log messages can appear in either raw or formatted views.

  • Raw view displays log messages exactly as they appear in the plain text log file.
  • Formatted view displays log messages in a columnar format. Each log field in a log message appears in its own column, aligned with the same field in other log messages, for rapid visual comparison. When displaying log messages in formatted view, you can customize the log view by hiding, displaying and arranging columns and/or by filtering columns, refining your view to include only those log messages and fields that you want to see.

By default, log messages always appear in columnar format, with one log field per column. However, when viewing this columnar display, you can also view the log message in raw format by hovering your mouse over the index number of the log message, in the # column, as shown in Table .

Figure 82:Log messages

Table 19:Viewing log messages at Monitor > Log

GUI item Description
Level Select the severity level that a log message must equal or exceed in order to appear.

For more information, see “Log message severity levels” on page 668.

Save View (button) Click to save the customized view. Future log message reports appear in this view.


Click to search the currently displayed log file. For more information, see “Searching log messages” on page 212.

Alternatively, if you want to search all log files of that type. For details, see “Viewing log messages” on page 206.

Back (button) Click to return the view before a search.

(event log only)

Select one of the following subtypes that a log message must match in order to appear:

•      ALL: Display all log messages, and do not filter out any subtype.

•      Configuration: Display only log messages containing subtype=config.

•      Admin User: Display only log messages containing subtype=admin.

•      Web Mail: Display only log messages containing subtype=webmail.

•      System: Display only log messages containing subtype=system.

•      HA: Display only log messages containing subtype=ha.

•      Update: Display only log messages containing subtype=update.

•      POP3: Display only log messages containing subtype=pop3.

•      IMAP: Display only log messages containing subtype=imap.

•      SMTP: Display only log messages containing subtype=smtp.

•      OTHERS: Display all lines that have a subtype value that is not any of the above subtypes, from Configuration to SMTP.

This option appears only when displaying the event log. Log subtypes reflect types selected when enabling logging. For details, see “FortiMail log types” on page 667.

When hovering your mouse cursor over a log message, that row is temporarily highlighted; however, this temporary highlight automatically follows the cursor, and will move to a different row if you move your mouse. To create a row highlight that does not move when you move your mouse, click anywhere in the row of the log message.

For information on individual log messages, see the FortiMail Log Message Reference.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiMail on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “Viewing Log Messages

  1. ken chua

    Dear Sir,
    G’day to you. I am new to Fortigate device. I have some queries regarding the log which showing direction “outgoing” but the mail actually going to local mail server.
    2nd, I have enable the log for Outbound mail log and i did enable all session log but so far i don’t see any of other mail that going out. Please advise.
    3rd, regarding BWL local override, i have enable this in CLI, does this apply to POP and IMAP as well?
    if my domain blacklist in fortiguard, can I use BWL to whitelist(Override) it?
    4.Spam submission- i have enable this, do you have any sample on this?

    Thanks and appreciate your help.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.