log-forward
Use the following commands to configure log forwarding.
Syntax
```text
config system log-forward
    edit <id>
        set mode {aggregation | disable | forwarding}
        set agg-archive-types {Web_Archive Secure_Web_Archive Email_Archive File_Transfer_Archive IM_Archive MMS_Archive AV_Quarantine IPS_Packets}
        set agg-data-end-time <hh:mm yyyy/mm/dd>
        set agg-data-start-time <hh:mm> <yyyy/mm/dd>
        set agg-logtypes {none app-ctrl attack content dlp emailfilter event generic history traffic virus webfilter netscan fct-event fct-traffic fct-netscan waf gtp dns ssh}
        set agg-password <passwd>
        set agg-schedule {daily | on-demand}
        set agg-time <integer>
        set agg-user <string>
        set fwd-archives {enable | disable}
        set fwd-archive-types {Web_Archive Email_Archive IM_Archive File_Transfer_Archive MMS_Archive AV_Quarantine IPS_Packets EDISC_Archive}
        set fwd-compression {enable | disable}
        set fwd-facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
        set fwd-ha-bind-vip {enable | disable}
        set fwd-log-source-ip {local_ip | original_ip}
        set fwd-max-delay {1min | 5min | realtime}
        set fwd-reliable {enable | disable}
        set fwd-secure {enable | disable}
        set fwd-server-type {cef | fortianalyzer | syslog | syslog-pack}
        set fwd-syslog-format {fgt | rfc-5424}
        set log-field-exclusion-status {enable | disable}
        set log-filter-logic {and | or}
        set log-filter-status {enable | disable}
        set log-masking-custom-priority disable
        set log-masking-fields {domain dstip dstname email message srcip srcmac srcname user}
        set log-masking-key <passwd>
        set log-masking-status {enable | disable}
        set pcapurl-enrich
        set pcapurl-domain-ip
        set peer-cert-cn <string>
        set proxy-service {enable | disable}
        set proxy-service-priority <integer>
        set server-addr <string>
        set server-device <string>
        set server-name <string>
        set server-port <integer>
        set signature <integer>
        set sync-metadata [sf-topology | interface-role | device | endusr-avatar]
        config device-filter
            edit <id>
                set action {include}
                set adom <string>
                set device <string>
            end
        config log-field-exclusion
            edit <id>
                set dev-type {FortiGate | FortiMail | FortiManager | FortiAnalyzer | FortiWeb | FortiCache | FortiSandbox | FortiDDoS | Syslog}
                set field-list <string>
                set log-type {app-ctrl | attack | content | dlp | emailfilter | event | generic | history | traffic | virus | voip | webfilter | netscan | waf | gtp | dns | ssh | ANY-TYPE}
            end
        config log-filter
            edit <id>
                set field {type | logid | level | devid | vd | srcip | srcintf | srcport | dstip | dstintf | dstport | user | group | free-text}
                set oper {= | != | < | > | <= | >= | contain | not-contain | match}
                set value {traffic | event | utm}
            end
        config log-masking-custom
            edit <id>
                set field-name <string>
                set field-type {email | ip | mac | string | unknown}
            end
    end
```
| Variable | Description |
|---|---|
| <id> | Enter the log aggregation ID that you want to edit. |
| mode {aggregation \| disable \| forwarding} | Log aggregation mode: |
| agg-archive-types {Web_Archive Secure_Web_Archive Email_Archive File_Transfer_Archive IM_Archive MMS_Archive AV_Quarantine IPS_Packets} | Archive type (default = all options). This command is only available when the mode is set to |
| agg-data-end-time <hh:mm yyyy/mm/dd> | Enter the end date and time of the data range. Note: use a colon to separate the hour and minute values, and slashes to separate the year, month, and day values. |
| agg-data-start-time <hh:mm> <yyyy/mm/dd> | Enter the start date and time of the data range. Note: use a colon to separate the hour and minute values, and slashes to separate the year, month, and day values. |
| agg-logtypes {none app-ctrl attack content dlp emailfilter event generic history traffic virus webfilter netscan fct-event fct-traffic fct-netscan waf gtp dns ssh} | Log type (default = all options). This command is only available when the mode is set to |
| agg-password <passwd> | Log aggregation access password for the server. This command is only available when the mode is set to |
| agg-schedule {daily \| on-demand} | Schedule log aggregation mode (default = daily): This command is only available when the mode is set to |
| agg-time <integer> | Daily at the selected time (0 - 23, default = 0). This command is only available when the mode is set to |
| agg-user <string> | Log aggregation access user name for the server. This command is only available when the mode is set to |
| fwd-archives {enable \| disable} | Enable/disable forwarding archives (default = enable). This command is only available when the mode is set to |
| fwd-archive-types {Web_Archive Email_Archive IM_Archive File_Transfer_Archive MMS_Archive AV_Quarantine IPS_Packets EDISC_Archive} | Set the forwarding archive types (default = all options). This command is only available when the mode is set to |
| fwd-compression {enable \| disable} | Enable/disable compression for better bandwidth efficiency (default = disable). This command is only available when the mode is set to |
| fwd-facility {alert \| audit \| auth \| authpriv \| clock \| cron \| daemon \| ftp \| kernel \| local0 \| local1 \| local2 \| local3 \| local4 \| local5 \| local6 \| local7 \| lpr \| mail \| news \| ntp \| syslog \| user \| uucp} | Facility for remote syslog (default = local7). This command is only available when the mode is set to |
| fwd-ha-bind-vip {enable \| disable} | Always use the VIP as the forwarding port when HA is enabled (default = enable). This command is only available when the mode is set to |
| fwd-log-source-ip {local_ip \| original_ip} | The log source IP address (default = local_ip). This command is only available when the mode is set to |
| fwd-max-delay {1min \| 5min \| realtime} | The maximum delay for near-realtime log forwarding. This command is only available when the mode is set to |
| fwd-reliable {enable \| disable} | Enable/disable reliable logging (default = disable). This command is only available when the mode is set to |
| fwd-secure {enable \| disable} | Enable/disable TLS/SSL secured reliable logging (default = disable). This command is only available when the mode is set to |
| fwd-server-type {cef \| fortianalyzer \| syslog \| syslog-pack} | Forward all logs to one of the following server types: This command is only available when the mode is set to |
| fwd-syslog-format {fgt \| rfc-5424} | Forwarding format for syslog. This command is only available when the mode is set to |
| log-field-exclusion-status {enable \| disable} | Enable/disable the log field exclusion list (default = disable). This command is only available when the mode is set to |
| log-filter-logic {and \| or} | Logic operator used to connect filters (default = or). This command is only available when |
| log-filter-status {enable \| disable} | Enable/disable log filtering (default = disable). This command is only available when the mode is set to |
| log-masking-custom-priority disable | Disable custom field search priority. This command is only available when the mode is set to |
| log-masking-fields {domain dstip dstname email message srcip srcmac srcname user} | Log field masking fields. This command is only available when the mode is set to |
| log-masking-key <passwd> | Enter the log field masking key. This command is only available when the mode is set to |
| log-masking-status {enable \| disable} | Enable/disable log field masking (default = disable). This command is only available when the mode is set to |
| pcapurl-enrich | |
| pcapurl-domain-ip | |
| peer-cert-cn <string> | |
| proxy-service {enable \| disable} | Enable/disable the proxy service under collector mode (default = enable). This command is only available when the mode is set to forwarding. |
| proxy-service-priority <integer> | Proxy service priority from 1 (lowest) to 20 (highest) (default = 10). This command is only available when the mode is set to forwarding. |
| server-addr <string> | Remote server address. |
| server-device <id> | Log aggregation server device ID. |
| server-name <string> | Log aggregation server name. |
| server-port <integer> | Enter the server listen port (1 - 65535, default = 514). This command is only available when the mode is set to |
| signature <integer> | This field is auto-generated and should not be set. |
| sync-metadata [sf-topology \| interface-role \| device \| endusr-avatar] | Synchronizing metadata types: This command is only available when the mode is set to |

Variables for

| Variable | Description |
|---|---|
| <id> | Enter the device filter ID, or enter a number to create a new entry. |
| action {include} | Include the specified device. |
| adom <string> | Enter the ADOM name from the following: Alternatively, enter (null) for all ADOMs, or a wildcard expression matching ADOMs. |
| device <string> | Device ID of the log client device, or a wildcard expression matching log client devices. |

Variables for
This command is only available when the

| Variable | Description |
|---|---|
| <id> | Enter a device filter ID, or enter a number to create a new entry. |
| dev-type {FortiGate \| FortiMail \| FortiManager \| FortiAnalyzer \| FortiWeb \| FortiCache \| FortiSandbox \| FortiDDoS \| Syslog} | The device type (default = FortiGate). |
| field-list <string> | The field type. Enter a comma-separated list from the available fields. |
| log-type {app-ctrl \| attack \| content \| dlp \| emailfilter \| event \| generic \| history \| traffic \| virus \| voip \| webfilter \| netscan \| waf \| gtp \| dns \| ssh \| ANY-TYPE} | The log type (default = traffic). |

Variables for
This command is only available when the

| Variable | Description |
|---|---|
| <id> | Enter the log filter ID, or enter a number to create a new entry. |
| field {type \| logid \| level \| devid \| vd \| srcip \| srcintf \| srcport \| dstip \| dstintf \| dstport \| user \| group \| free-text} | Field name (default = type). |
| oper {= \| != \| < \| > \| <= \| >= \| contain \| not-contain \| match} | Field filter operator (default = =). |
| value {traffic \| event \| utm} | Field filter operand or free-text matching expression. This variable uses the glibc regex library for values with the operators (~, !~), following the POSIX standard. The filter string syntax is parsed by FortiAnalyzer, escape characters must be used when needed, and both upper- and lower-case characters are supported. For example, the following value can be set as a matching expression for the destination IP range 172.16.0.0/16 - 172.19.0.0/16: `set value "dstip~ 172\\.1[6-9]\\.[\\d]+\\.[\\d]+"` |

Variables for
This command is only available when the mode is set to

| Variable | Description |
|---|---|
| <id> | Enter the log field masking ID, or enter a number to create a new entry. |
| field-name <string> | Field name. |
| field-type {email \| ip \| mac \| string \| unknown} | Field type (default = unknown). |