Advanced logging – FortiOS 6

Activating a FortiCloud account for logging purposes

When you subscribe to FortiCloud, you can configure the FortiGate unit to send logs to the FortiCloud server. You activate the account within the web-based manager, from the License Information widget located in Dashboard.

From this widget, you can easily create a new account, or log in to the existing account. From within the License Information widget, after the account is activated, you can go directly to the FortiCloud web portal, or log out of the service if you are already logged in.

To activate a FortiCloud account for logging purposes:

The following assumes that you are already at Dashboard and that you have located the License Information widget.

  1. In the License Information widget, select Activate in the FortiCloud

The Registration window appears. From this window, you create the login credentials that you will use to access the account.

  2. Select Create Account and enter the information for the login credentials.

After entering the login credentials, you are automatically logged in to your FortiCloud account.

  3. Check that the account has been activated by viewing the account status from the License Information widget.

If you need more space, you can subscribe to the 200Gb FortiCloud service by selecting Upgrade in the FortiCloud section of the widget.

Viewing log storage space

The Log & Report > Log Settings GUI page displays two charts to visualize disk space: Disk Usage, which is a pie-chart illustrating the Free/Used space on the internal hard drive, and Historical Disk Usage, which displays the volume of disk logging activity over time. These charts may not be visible if disk logging is disabled.

The diag sys logdisk usage command shows detailed information about how much space is currently being used for logs. This is useful when you see a high percentage, such as 92 percent, for the disk's capacity. The FortiGate unit uses only 75 percent of the available disk capacity to avoid a high storage amount, so a high percentage refers to the percentage of that 75 percent, not of the whole disk. For example, 92 percent means 92 percent of the 75 percent that is available.

The following is an example of what you may see when you use the diag sys logdisk usage command on a unit with no VDOMs configured:

diag sys logdisk usage

The following appears:

Total HD usage: 176MB/3011 MB
Total HD logging space: 22583MB
Total HD logging space for each vdom: 22583MB
HD logging space usage for vdom "root": 30MB/22583MB
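The output above can be checked automatically so that a VDOM nearing its logging quota is noticed before logs are overwritten or dropped. The following Python sketch is an added example, not Fortinet code; the function names and the 90 percent warning threshold are assumptions, and it expects the command output to have been captured as text.

```python
import re

# Output taken from the example on this page; the parser accepts straight
# or typographic quotes around the VDOM name.
SAMPLE = """\
Total HD usage: 176MB/3011 MB
Total HD logging space: 22583MB
Total HD logging space for each vdom: 22583MB
HD logging space usage for vdom "root": 30MB/22583MB
"""

VDOM_RE = re.compile(
    r'usage for vdom\s+["“]?(?P<vdom>[^"”:]+)["”]?\s*:\s*'
    r'(?P<used>\d+)\s*MB\s*/\s*(?P<quota>\d+)\s*MB', re.I)
TOTAL_RE = re.compile(r'^Total HD logging space:\s*(\d+)\s*MB', re.I | re.M)


def parse_logdisk_usage(text):
    """Return (total_logging_mb, {vdom: (used_mb, quota_mb)})."""
    total = TOTAL_RE.search(text)
    if total is None:
        raise ValueError("no 'Total HD logging space' line found")
    vdoms = {m["vdom"].strip(): (int(m["used"]), int(m["quota"]))
             for m in VDOM_RE.finditer(text)}
    return int(total.group(1)), vdoms


def quota_report(text, warn_pct=90.0):
    """Percent of each VDOM's logging quota in use, plus VDOMs at or over warn_pct.

    Percentages are relative to the logging quota (the share of the disk
    reserved for logs), not to the raw disk size.
    """
    _, vdoms = parse_logdisk_usage(text)
    pct = {}
    for name, (used, quota) in vdoms.items():
        # A zero quota means no logging space is assigned; report it as unknown.
        pct[name] = round(100.0 * used / quota, 2) if quota else None
    over = sorted(n for n, p in pct.items() if p is not None and p >= warn_pct)
    return pct, over


if __name__ == "__main__":
    print(quota_report(SAMPLE))
```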

Customizing and filtering log messages

When viewing log messages, you may want to customize and filter the information that you are seeing in the Log & Report menu (for example, Log & Report > Forward Traffic). Filtering and customizing the display provides a way to view specific log information without scrolling through pages of log messages to find the information.

Customizing log messages is the process of removing or adding columns to the log display page, allowing you to view only the information you want. Most columns represent the fields from within a log message (for example, the user column represents the user field), as well as additional information. If you want to reset the customized columns on the page back to their defaults, select Reset All Columns within the column title right-click menu.

Filtering information is similar to customizing; however, filtering allows you to enter specific information that indicates what should appear on the page. For example, you can include only log messages that appeared on February 24, between the hours of 8:00 and 8:30 am.

To customize and filter log messages

The following is an example that displays all traffic log messages that originate from the source IP address 172.20.120.24, and shows only the following columns:

  • OS Name
  • OS Version
  • Policy ID
  • Src (Source IP)

The following assumes that you are already on the page of the log messages you want to customize and filter. In this example, the log messages that we are customizing and filtering are in Log & Report > Forward Traffic.

  1. On the Forward Traffic page, right-click anywhere on a column title.
  2. Right-click on a column title, and mouse over Column Settings to open the list.
  3. Select each checkmarked title to uncheck it and remove them all from the displayed columns.
  4. Scroll down to the list of unchecked fields and select ‘OS Name’, ‘OS Version’, ‘Policy ID’, and ‘Src’ to add checkmarks next to them.
  5. Click outside the menu, and wait for the page to refresh with the new settings in place.
  6. Select the funnel icon next to the word Src in the title bar of the Src column.
  7. Enter the IP you want displayed (in this example, 172.20.120.24) in the text box.
  8. Click Apply, and wait for the page to reload.
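The same view can be reproduced offline on exported logs, which helps when reviewing an archive during an investigation. The following Python sketch is an added example, not part of the original guide; the log lines are constructed, and the raw field names (srcip, policyid, osname, osversion) are assumed to correspond to the Src, Policy ID, OS Name and OS Version columns.

```python
import re
from datetime import datetime

# Constructed sample lines in FortiOS key=value style (not from a real device).
SAMPLE_LOGS = [
    'date=2019-02-24 time=08:05:11 type="traffic" subtype="forward" '
    'srcip=172.20.120.24 dstip=203.0.113.10 policyid=1 osname="Windows" osversion="10"',
    'date=2019-02-24 time=08:12:40 type="traffic" subtype="forward" '
    'srcip=172.20.120.240 dstip=203.0.113.10 policyid=1 osname="Linux" osversion="unknown"',
    'date=2019-02-24 time=08:20:02 type="traffic" subtype="forward" '
    'srcip=10.0.0.5 dstip=172.20.120.24 policyid=3 osname="Android" osversion="9"',
    'date=2019-02-24 time=09:15:00 type="traffic" subtype="forward" '
    'srcip=172.20.120.24 dstip=198.51.100.7 policyid=2 osname="Windows" osversion="10"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
COLUMNS = ("osname", "osversion", "policyid", "srcip")  # assumed field names


def parse_line(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    return {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}


def filter_logs(lines, srcip, start=None, end=None, columns=COLUMNS):
    """Keep traffic logs whose srcip field equals srcip, optionally within a window.

    Matching is on the parsed field, so 172.20.120.240 and a dstip of
    172.20.120.24 are not mistaken for the address being searched.
    """
    rows = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("type") != "traffic" or rec.get("srcip") != srcip:
            continue
        if start or end:
            try:
                ts = datetime.strptime(f'{rec["date"]} {rec["time"]}',
                                       "%Y-%m-%d %H:%M:%S")
            except (KeyError, ValueError):
                continue  # no usable timestamp, cannot place it in the window
            if (start and ts < start) or (end and ts > end):
                continue
        rows.append({c: rec.get(c, "") for c in columns})
    return rows


if __name__ == "__main__":
    for row in filter_logs(SAMPLE_LOGS, "172.20.120.24"):
        print(row)
```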



About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
