FortiView

Configuring rolling and uploading of logs

You can control device log file size and use of the FortiAnalyzer unit’s disk space by configuring log rolling and scheduled uploads to a server.

As the FortiAnalyzer unit receives new log items, it performs the following tasks:

  • verifies whether the log file has exceeded its file size limit
  • checks to see if it is time to roll the log file if the file size is not exceeded.

Configure the time to be either a daily or weekly occurrence, and when the roll occurs. When a current log file (tlog.log) reaches its maximum size, or reaches the scheduled time, the FortiAnalyzer unit rolls the active log file by renaming the file. The file name will be in the form of xlog.N.log (for example, tlog.1252929496.log), where x is a letter indicating the log type and N is a unique number corresponding to the time the first log entry was received. The file modification time will match the time when the last log was received in the log file.

Once the current log file is rolled into a numbered log file, it will not be changed. New logs will be stored in the new current log called tlog.log. If log uploading is enabled, once logs are uploaded to the remote server or downloaded via the Web-based Manager, they are in the following format:

FG3K6A3406600001-tlog.1252929496.log-2012-09-29-08-03-54.gz

If you have enabled log uploading, you can choose to automatically delete the rolled log file after uploading, thereby freeing the amount of disk space used by rolled log files. If the log upload fails, such as when the FTP server is unavailable, the logs are uploaded during the next scheduled upload.
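The naming scheme above lets you confirm that every rolled file has reached the remote server before you rely on automatic deletion. The following Python is an added example, not Fortinet code: it parses uploaded file names and lists rolled files that have no archived copy. It assumes that the leading field of an uploaded name is the device ID, that N is Unix epoch seconds, and that the trailing timestamp is the upload or download time; the file listings are constructed samples.

```python
import re
from datetime import datetime, timezone

# Uploaded name: <device ID>-<x>log.<N>.log-<YYYY-MM-DD-HH-MM-SS>.gz
UPLOADED = re.compile(
    r"^(?P<serial>[A-Za-z0-9]+)-(?P<type>[a-z])log\.(?P<n>\d+)\.log-"
    r"(?P<stamp>\d{4}(?:-\d{2}){5})\.gz$"
)
# Rolled name on the unit: <x>log.<N>.log (the active <x>log.log does not match)
ROLLED = re.compile(r"^(?P<type>[a-z])log\.(?P<n>\d+)\.log$")

def parse_uploaded(name):
    """Return the fields of an uploaded log file name, or None if it does not match."""
    m = UPLOADED.match(name)
    if not m:
        return None
    n = int(m["n"])
    return {
        "serial": m["serial"],  # assumption: leading field is the device ID
        "log_type": m["type"],
        "n": n,
        # Assumption: N is Unix epoch seconds (UTC) of the first log entry.
        "first_entry": datetime.fromtimestamp(n, tz=timezone.utc),
        # Assumption: trailing stamp is the upload/download time; zone unknown, kept naive.
        "stamp": datetime.strptime(m["stamp"], "%Y-%m-%d-%H-%M-%S"),
    }

def missing_from_archive(serial, rolled_names, archive_names):
    """Rolled files for one device that have no matching upload in the archive listing."""
    recs = (parse_uploaded(a) for a in archive_names)
    archived = {(r["log_type"], r["n"]) for r in recs if r and r["serial"] == serial}
    missing = []
    for name in rolled_names:
        m = ROLLED.match(name)
        if m and (m["type"], int(m["n"])) not in archived:
            missing.append(name)
    return sorted(missing)

# Constructed sample listings; only the first archive name comes from the page.
ARCHIVE = [
    "FG3K6A3406600001-tlog.1252929496.log-2012-09-29-08-03-54.gz",
    "FG3K6A3406600001-tlog.1253015896.log-2012-09-29-08-03-55.gz",
    "notes.txt",
]
ROLLED_ON_UNIT = ["tlog.1252929496.log", "tlog.1253015896.log", "tlog.1253102296.log", "tlog.log"]

if __name__ == "__main__":
    print(missing_from_archive("FG3K6A3406600001", ROLLED_ON_UNIT, ARCHIVE))
```

Any name this reports is a rolled file that exists only on the FortiAnalyzer unit, so it should be uploaded before it is deleted.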

Log rolling and uploading can be enabled and configured in the Web-based Manager in System Settings > Advanced > Device Log Settings. For more information, see “Device log settings” on page 111. Log rolling and uploading can also be enabled and configured using the CLI. For more information, see the FortiAnalyzer CLI Reference.

To enable or disable log file uploads:

To enable log uploads, enter the following CLI commands:

config system log settings
    config rolling-regular
        set upload enable
    end
end

To disable log uploads, enter the following CLI commands:

config system log settings
    config rolling-regular
        set upload disable
    end
end

To roll logs when they reach a specific size:

Enter the following CLI commands:

config system log settings
    config rolling-regular
        set file-size <integer>
    end
end

where <integer> is the size at which the logs will roll, in MB.

To roll logs on a schedule:

To disable log rolling, enter the following CLI commands:

config system log settings
    config rolling-regular
        set when none
    end
end

To enable daily log rolling, enter the following CLI commands:

config system log settings
    config rolling-regular
        set upload enable
        set when daily
        set hour <integer>
        set min <integer>
        set file-size <integer>
    end
end

where:

hour <integer>         The hour of the day when the FortiAnalyzer rolls the traffic analyzer logs.
min <integer>          The minute when the FortiAnalyzer rolls the traffic analyzer logs.
file-size <integer>    Roll log files when they reach this size (MB).

To enable weekly log rolling, enter the following CLI commands:

config system log settings
    config rolling-regular
        set when weekly
        set days {mon | tue | wed | thu | fri | sat | sun}
        set hour <integer>
        set min <integer>
    end
end

where:

days {mon | tue | wed | thu | fri | sat | sun}    The days of the week when the FortiAnalyzer rolls the traffic analyzer logs.
hour <integer>                                    The hour of the day when the FortiAnalyzer rolls the traffic analyzer logs.
min <integer>                                     The minute when the FortiAnalyzer rolls the traffic analyzer logs.

 

