Configuring local log settings

The local log is a datastore hosted on the FortiADC system.

Typically, you use the local log to capture information about system health and system administration activities. We recommend that you use local logging during evaluation and verification of your initial deployment, and then configure remote logging to send logs to a log management repository where they can be stored long term and analyzed using preferred analytic tools.

Local log disk settings are configurable. You can select a subset of system events, traffic, and security logs.

Before you begin:

  • You must have Read-Write permission for Log & Report settings.

To configure local log settings:
  1. Go to Log & Report > Log Setting.
  2. The configuration page displays the Local Log tab.

  3. Complete the configuration as described in Local logging configuration.
  4. Save the configuration.

Local logging configuration

Settings Guidelines
Status

Select to enable local logging.

File Size

Maximum disk space for a local log file. The default is 200 MB. When the current log file reaches this size, a new file is created.

Log Level

Select the lowest severity to log from the following choices:

  • Emergency—The system has become unstable.
  • Alert—Immediate action is required.
  • Critical—Functionality is affected.
  • Error—An error condition exists and functionality could be affected.
  • Warning—Functionality might be affected.
  • Notification—Information about normal events.
  • Information—General information about system operations.
  • Debug—Detailed information about the system that can be used to troubleshoot unexpected behavior.

For example, if you select Error, the system collects logs with level Error, Critical, Alert, and Emergency. If you select Alert, the system collects logs with level Alert and Emergency.
Disk Full

Select log behavior when the maximum disk space for local logs (30% of total disk space) is reached:

  • Overwrite—Continue logging. Overwrite the earliest logs.
  • No Log—Stop logging.
Event

Select to enable logging for events.

Event Category

This option becomes available only when the Event check box is selected. In that case, select the types of events to collect in the local log:

  • Configuration—Configuration changes.
  • Admin—Administrator actions.
  • System—System operations, warnings, and errors.
  • User—Authentication results logs.
  • Health Check—Health check results and client certificate validation check results.
  • SLB—Notifications, such as connection limit reached.
  • LLB—Notifications, such as bandwidth thresholds reached.
  • GLB—Notifications, such as the status of associated local SLB and virtual servers.
  • Firewall—Notifications for the "firewall" module, such as when an SNAT source IP pool is using all of its addresses.
Traffic

Select to enable logging for traffic processed by the load balancing modules.

Traffic Category

The following options become available only when the Traffic check box (see above) is selected.

  • SLB—Server Load Balancing traffic logs related to sessions and throughput.
  • GLB—Global Load Balancing traffic logs related to DNS requests.
  • LLB—Link Load Balancing traffic logs related to sessions and throughput.
Security

Select to enable logging for traffic processed by the security modules.

Security Category
  • DDoS—DDoS logs
  • IP Reputation—IP Reputation logs
  • WAF—WAF logs
  • GEO—Geo IP blocking logs
  • AV—AV logs
  • IPS—IPS logs
  • FW—Firewall logs
  • Enable All—All of the log types listed above
Script

Select to enable scripting.

Script Category

SLB is selected by default and required.
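
The Log Level threshold, File Size rotation, and Disk Full choice together decide which records are still on disk when you review them. The following Python model is an added example, not Fortinet code or behavior captured from a device; the function names, the abstract size units, and the assumption that Overwrite frees space by deleting the oldest whole file are illustrative.

```python
from collections import deque

# Log Level choices from the table above, most severe first.
LEVELS = ["Emergency", "Alert", "Critical", "Error",
          "Warning", "Notification", "Information", "Debug"]
RANK = {name: i for i, name in enumerate(LEVELS)}

def collected(level, threshold):
    """True if a record at `level` is kept when `threshold` is the selected Log Level."""
    return RANK[level] <= RANK[threshold]

def simulate(records, threshold, file_size, disk_cap, disk_full):
    """Return (retained, overwritten, not_logged) message lists.

    Assumptions of this model: sizes are abstract units, Overwrite frees
    space by deleting the oldest whole file, No Log stays stopped once full.
    """
    files, sizes = deque([[]]), deque([0])   # oldest file first
    overwritten, not_logged, stopped = [], [], False
    for level, msg, size in records:
        if not collected(level, threshold):
            continue                          # below the Log Level threshold
        if not stopped and sum(sizes) + size > disk_cap:
            if disk_full == "nolog":
                stopped = True
            while not stopped and sum(sizes) + size > disk_cap and len(files) > 1:
                overwritten.extend(files.popleft())
                sizes.popleft()
        if stopped:
            not_logged.append(msg)
            continue
        if files[-1] and sizes[-1] + size > file_size:
            files.append([])                  # File Size reached: start a new file
            sizes.append(0)
        files[-1].append(msg)
        sizes[-1] += size
    return [m for f in files for m in f], overwritten, not_logged

# Constructed sample records: (level, message, size).
SAMPLE = [("Notification", "n1", 1), ("Warning", "w1", 1), ("Error", "e1", 1),
          ("Debug", "d1", 1), ("Warning", "w2", 1), ("Critical", "c1", 1),
          ("Information", "i1", 1), ("Error", "e2", 1), ("Alert", "a1", 1),
          ("Emergency", "m1", 1)]

if __name__ == "__main__":
    for policy in ("overwrite", "nolog"):
        print(policy, simulate(SAMPLE, "Warning", file_size=2, disk_cap=4, disk_full=policy))
```

With the constructed sample and a Warning threshold, Overwrite retains e2, a1 and m1 and loses the four earliest records, while No Log retains w1, e1, w2 and c1 and never records the later Alert and Emergency events.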
