CLI Reference

log-forward

Use the following commands to configure log forwarding.

Syntax

config system log-forward
    edit <id>
        set mode {aggregation | disable | forwarding}
        set agg-archive-types {Web_Archive Secure_Web_Archive Email_Archive File_Transfer_Archive IM_Archive MMS_Archive AV_Quarantine IPS_Packets}
        set agg-data-end-time <hh:mm yyyy/mm/dd>
        set agg-data-start-time <hh:mm> <yyyy/mm/dd>
        set agg-logtypes {none app-ctrl attack content dlp emailfilter event generic history traffic virus webfilter netscan fct-event fct-traffic fct-netscan waf gtp dns ssh}
        set agg-password <passwd>
        set agg-schedule {daily | on-demand}
        set agg-time <integer>
        set agg-user <string>
        set fwd-archives {enable | disable}
        set fwd-archive-types {Web_Archive Email_Archive IM_Archive File_Transfer_Archive MMS_Archive AV_Quarantine IPS_Packets EDISC_Archive}
        set fwd-compression {enable | disable}
        set fwd-facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
        set fwd-ha-bind-vip {enable | disable}
        set fwd-log-source-ip {local_ip | original_ip}
        set fwd-max-delay {1min | 5min | realtime}
        set fwd-reliable {enable | disable}
        set fwd-secure {enable | disable}
        set fwd-server-type {cef | fortianalyzer | syslog | syslog-pack}
        set fwd-syslog-format {fgt | rfc-5424}
        set log-field-exclusion-status {enable | disable}
        set log-filter-logic {and | or}
        set log-filter-status {enable | disable}
        set log-masking-custom-priority disable
        set log-masking-fields {domain dstip dstname email message srcip srcmac srcname user}
        set log-masking-key <passwd>
        set log-masking-status {enable | disable}
        set pcapurl-enrich
        set pcapurl-domain-ip
        set peer-cert-cn <string>
        set proxy-service {enable | disable}
        set proxy-service-priority <integer>
        set server-addr <string>
        set server-device <string>
        set server-name <string>
        set server-port <integer>
        set signature <integer>
        set sync-metadata [sf-topology | interface-role | device | endusr-avatar]
        config device-filter
            edit <id>
                set action {include}
                set adom <string>
                set device <string>
        end
        config log-field-exclusion
            edit <id>
                set dev-type {FortiGate | FortiMail | FortiManager | FortiAnalyzer | FortiWeb | FortiCache | FortiSandbox | FortiDDoS | Syslog}
                set field-list <string>
                set log-type {app-ctrl | attack | content | dlp | emailfilter | event | generic | history | traffic | virus | voip | webfilter | netscan | waf | gtp | dns | ssh | ANY-TYPE}
        end
        config log-filter
            edit <id>
                set field {type | logid | level | devid | vd | srcip | srcintf | srcport | dstip | dstintf | dstport | user | group | free-text}
                set oper {= | != | < | > | <= | >= | contain | not-contain | match}
                set value {traffic | event | utm}
        end
        config log-masking-custom
            edit <id>
                set field-name <string>
                set field-type {email | ip | mac | string | unknown}
        end
end

Variable

Description

<id>

Enter the log aggregation ID that you want to edit.

mode {aggregation | disable | forwarding}

Log aggregation mode:

  • aggregation: Aggregate logs to FortiAnalyzer
  • disable: Do not forward or aggregate logs (default)
  • forwarding: Forward logs to the FortiAnalyzer

agg-archive-types {Web_Archive Secure_Web_Archive Email_Archive File_Transfer_Archive IM_Archive MMS_Archive AV_Quarantine IPS_Packets}

Archive type (default = all options). This command is only available when the mode is set to aggregation.

agg-data-end-time <hh:mm yyyy/mm/dd>

Enter the end date and time of the data-range <hh:mm yyyy/mm/dd>. This command is only available when the mode is set to aggregation.

Note: Use colon to connect hour and minute values. Use slash to connect year, month, and day values.

agg-data-start-time <hh:mm> <yyyy/mm/dd>

Enter the start date and time of the data-range <hh:mm yyyy/mm/dd>. This command is only available when the mode is set to aggregation.

Note: Use colon to connect hour and minute values. Use slash to connect year, month, and day values.

agg-logtypes {none app-ctrl attack content dlp emailfilter event generic history traffic virus webfilter netscan fct-event fct-traffic fct-netscan waf gtp dns ssh}

Log type (default = all options). This command is only available when the mode is set to aggregation.

agg-password <passwd>

Log aggregation access password for server. This command is only available when the mode is set to aggregation.

agg-schedule {daily | on-demand}

Schedule log aggregation mode (default = daily):

  • daily: Run daily log aggregation.

  • on-demand: Run log aggregation on demand.

This command is only available when the mode is set to aggregation.

agg-time <integer>

Daily at the selected time (0 - 23, default = 0). This command is only available when the mode is set to aggregation.

agg-user <string>

Log aggregation access user name for server. This command is only available when the mode is set to aggregation.

fwd-archives {enable | disable}

Enable/disable forwarding archives (default = enable). This command is only available when the mode is set to forwarding.

fwd-archive-types {Web_Archive Email_Archive IM_Archive File_Transfer_Archive MMS_Archive AV_Quarantine IPS_Packets EDISC_Archive}

Set the forwarding archive types (default = all options). This command is only available when the mode is set to forwarding.

fwd-compression {enable | disable}

Enable/disable compression for better bandwidth efficiency (default = disable). This command is only available when the mode is set to forwarding.

fwd-facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}

Facility for remote syslog (default = local7).

  • alert: Log alert
  • audit: Log audit
  • auth: Security/authorization messages
  • authpriv: Security/authorization messages (private)
  • clock: Clock daemon
  • cron: Clock daemon
  • daemon: System daemons
  • ftp: FTP daemon
  • kernel: Kernel messages
  • local0, local1, local2, local3, local4, local5, local6, local7: Reserved for local use
  • lpr: Line printer subsystem
  • mail: Mail system
  • news: Network news subsystem
  • ntp: NTP daemon
  • syslog: Messages generated internally by syslogd
  • user: Random user level messages
  • uucp: Network news subsystem

This command is only available when the mode is set to forwarding.

Note

The facility will only be included in the forwarded logs when the fwd-server-type = syslog.

fwd-ha-bind-vip {enable | disable}

Always use VIP as the forwarding port when HA is enabled (default = enable).

This command is only available when the mode is set to forwarding.

fwd-log-source-ip {local_ip | original_ip}

The logs source IP address (default = local_ip). This command is only available when the mode is set to forwarding.

fwd-max-delay {1min | 5min | realtime}

The maximum delay for near realtime log forwarding.

  • 1min: Near realtime forwarding with up to one minute delay.
  • 5min: Near realtime forwarding with up to five minutes delay (default).
  • realtime: Realtime forwarding, no delay.

This command is only available when the mode is set to forwarding.

fwd-reliable {enable | disable}

Enable/disable reliable logging (default = disable). This command is only available when the mode is set to forwarding.

fwd-secure {enable | disable}

Enable/disable TLS/SSL secured reliable logging (default = disable). This command is only available when the mode is set to forwarding, fwd-reliable is enabled, and fwd-server-type is set to cef or syslog.

fwd-server-type {cef | fortianalyzer | syslog | syslog-pack}

Forward all logs to one of the following server types:

  • cef: CEF (Common Event Format) server

  • fortianalyzer: FortiAnalyzer (this is the default)

  • syslog: generic syslog server.

  • syslog-pack: FortiAnalyzer which supports packed syslog message

This command is only available when the mode is set to forwarding.

fwd-syslog-format {fgt | rfc-5424}

Forwarding format for syslog.

  • fgt: FortiGate syslog format (default).
  • rfc-5424: rfc-5424 syslog format.

This command is only available when the mode is set to forwarding and fwd-server-type is syslog.

log-field-exclusion-status {enable | disable}

Enable/disable log field exclusion list (default = disable). This command is only available when the mode is set to forwarding and fwd-server-type is set to cef or syslog.

log-filter-logic {and | or}

Logic operator used to connect filters (default = or). This command is only available when log-filter-status is enabled.

log-filter-status {enable | disable}

Enable/disable log filtering (default = disable). This command is only available when the mode is set to forwarding.

log-masking-custom-priority disable

Disable custom field search priority.

This command is only available when the mode is set to forwarding and log-masking-status is enabled.

log-masking-fields {domain dstip dstname email message srcip srcmac srcname user}

Log field masking fields.

This command is only available when the mode is set to forwarding and log-masking-status is enabled.

log-masking-key <passwd>

Enter the log field masking key.

This command is only available when the mode is set to forwarding and log-masking-status is enabled.

log-masking-status {enable | disable}

Enable/disable log field masking (default = disable). This command is only available when the mode is set to forwarding.

pcapurl-enrich

pcapurl-domain-ip

peer-cert-cn <string>

proxy-service {enable | disable}

Enable/disable proxy service under collector mode (default = enable). This command is only available when the mode is set to forwarding.

proxy-service-priority <integer>

Proxy service priority from 1 (lowest) to 20 (highest) (default = 10). This command is only available when the mode is set to forwarding.

server-addr <string>

Remote server address.

server-device <id>

Log aggregation server device ID.

server-name <string>

Log aggregation server name.

server-port <integer>

Enter the server listen port (1 - 65535, default = 514). This command is only available when the mode is set to forwarding.

signature <integer>

This field is auto-generated and should not be set.

sync-metadata [sf-topology | interface-role | device | endusr-avatar]

Synchronizing metadata types:

  • sf-topology: Security Fabric topology
  • interface-role: Interface Role
  • device: Device information
  • endusr-avatar: End-user avatar

This command is only available when the mode is set to forwarding.

Variables for config device-filter subcommand:

<id>

Enter the device filter ID or enter a number to create a new entry.

action {include}

Include the specified device.

adom <string>

Enter the ADOM name from the following:

  • FortiAnalyzer

  • FortiAuthenticator

  • FortiCache

  • FortiCarrier

  • FortiClient

  • FortiDDoS

  • FortiDeceptor

  • FortiFirewall

  • FortiFirewallCarrier

  • FortiMail

  • FortiManager

  • FortiProxy

  • FortiSandbox

  • FortiWeb

  • Syslog

  • Unmanaged_Devices

  • root

Alternatively, enter (null) for all ADOM(s) or a wildcard expression matching ADOM(s).

device <string>

Device ID of log client device, or a wildcard expression matching log client device(s).

Variables for config log-field-exclusion subcommand:

This command is only available when the mode is set to forwarding and log-field-exclusion-status is set to enable.

<id>

Enter a device filter ID or enter a number to create a new entry.

dev-type {FortiGate | FortiMail | FortiManager | FortiAnalyzer | FortiWeb | FortiCache | FortiSandbox | FortiDDoS | Syslog}

The device type (default = FortiGate).

field-list <string>

The field type. Enter a comma separated list from the available fields.

log-type {app-ctrl | attack | content | dlp | emailfilter | event | generic | history | traffic | virus | voip | webfilter | netscan | waf | gtp | dns | ssh | ANY-TYPE}

The log type (default = traffic).

Variables for config log-filter subcommand:

This command is only available when the mode is set to forwarding and log-filter-status is set to enable.

<id>

Enter the log filter ID or enter a number to create a new entry.

field {type | logid | level | devid | vd | srcip | srcintf | srcport | dstip | dstintf | dstport | user | group | free-text}

Field name (default = type).

oper {= | != | < | > | <= | >= | contain | not-contain | match}

Field filter operator (default = =).

value {traffic | event | utm}

Field filter operand or free-text matching expression.

This variable uses the glibc regex library for values with operators (~, !~), using the POSIX standard. Filter string syntax is parsed by FortiAnalyzer, escape characters must be used when needed, and both upper and lower case characters are supported.

For example, the following value can be set as a matching expression for the destination IP range from 172.16.0.0/16 - 172.19.0.0/16.

set value "dstip~ 172\\.1[6-9]\\.[\\d]+\\.[\\d]+"

Variables for log-masking-custom subcommand:

This command is only available when the mode is set to forwarding and log-masking-status is enabled.

<id>

Enter the log field masking ID or enter a number to create a new entry.

field-name <string>

Field name.

field-type {email | ip | mac | string | unknown}

Field type (default = unknown).
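
An added example (not Fortinet's code): a Python check that reads `config system log-forward` text and applies the dependencies documented above, namely that fwd-secure is only available with fwd-reliable enabled and a cef or syslog server type, and that an option absent from the input is treated as its documented default. The sample configuration, server names, device ID and finding codes are constructed for illustration.

```python
import shlex

# Defaults taken from the variable descriptions on this page.
DEFAULTS = {"mode": "disable", "fwd-server-type": "fortianalyzer",
            "fwd-reliable": "disable", "fwd-secure": "disable",
            "log-masking-status": "disable"}

# Constructed sample input; server names and the device ID are placeholders.
SAMPLE_CONFIG = """
config system log-forward
    edit 1
        set mode forwarding
        set server-name "siem-plain"
        set fwd-server-type syslog
        config device-filter
            edit 1
                set device "FGT-EXAMPLE-1"
            next
        end
    next
    edit 2
        set mode forwarding
        set server-name "siem-tls"
        set fwd-server-type cef
        set fwd-reliable enable
        set fwd-secure enable
        set log-masking-status enable
    next
    edit 3
        set mode forwarding
        set server-name "siem-reliable"
        set fwd-server-type syslog
        set fwd-reliable enable
    next
end
"""


def parse_entries(text):
    """Return {entry_id: {option: value}} for the top-level log-forward entries."""
    entries, current, nested = {}, None, 0
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config" and tok[1:] != ["system", "log-forward"]:
            nested += 1  # inside device-filter, log-filter, etc.: skip its lines
        elif tok[0] == "end":
            nested = max(0, nested - 1)
        elif nested == 0 and tok[0] == "edit" and len(tok) > 1:
            current = entries.setdefault(tok[1], {})
        elif nested == 0 and tok[0] == "set" and len(tok) > 1 and current is not None:
            current[tok[1]] = " ".join(tok[2:])
    return entries


def audit_entry(opts):
    """Return finding codes for one entry after applying the documented defaults."""
    cfg = {**DEFAULTS, **opts}
    if cfg["mode"] != "forwarding":
        return []  # the fwd-* and masking options only apply in forwarding mode
    findings = []
    syslog_like = cfg["fwd-server-type"] in ("cef", "syslog")
    reliable, secure = cfg["fwd-reliable"] == "enable", cfg["fwd-secure"] == "enable"
    if secure and not (syslog_like and reliable):
        findings.append("SECURE_UNAVAILABLE")  # fwd-secure set where it is not available
    elif syslog_like and not reliable:
        findings.append("NO_RELIABLE")  # so fwd-secure (TLS/SSL) cannot be enabled
    elif syslog_like and not secure:
        findings.append("NO_TLS")  # reliable logging without TLS/SSL
    if cfg["log-masking-status"] != "enable":
        findings.append("MASKING_OFF")  # log fields are forwarded unmasked
    return findings


def audit(text):
    return {eid: audit_entry(opts) for eid, opts in parse_entries(text).items()}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```
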
