config log setting remote
Use this command to configure logging to a remote syslog server.
To configure from global, see config log setting global_remote. The global configuration provides presets that apply to all VDOMs and make setup easy. In config log setting remote, you can customize the configuration for an individual VDOM, overriding the global remote configuration. Enable override_global_remote under config log setting general:
FortiADC-VM (root) # config log setting general
FortiADC-VM (general) # show full-configuration
config log setting general
set override_global_remote enable
end
A remote syslog server is a system provisioned specifically to collect logs for long-term storage and analysis with your preferred analytic tools.
Before you begin:
- You must have read-write permission for log settings.
Syntax
config log setting remote
edit <name>
set address_type {ip|fqdn}
set attack-log-status {enable|disable}
set attack-log-category {av|ddos|geo|ipreputation|ips|waf|fw|ztna}
set comma-separated-value {enable|disable}
set event-log-status {enable|disable}
set event-log-category {admin|configuration|fw|glb|health-check|llb|slb|system|user}
set facility {alert|audit|auth|authpriv|clock|cron|daemon|ftp|kern|local0|local1|local2|local3|local4|local5|local6|local7|lpr|mail|news|ntp}
set fqdn <string>
set loglevel {alert|critical|debug|emergency|error|information|notification|warning}
set proto {udp|tcp|tcpssl}
set enc-algorithm {high-medium|high}
set tcp_framing {traditional|octet_counted}
set port <integer>
set server <ipv4 or ipv6>
set status {enable|disable}
set traffic-log-status {enable|disable}
set traffic-log-category {slb|dns|llb}
next
end
address_type
Select the Address Type of the syslog server:

attack-log-status
Enable/disable logging for security events.

attack-log-category
If attack-log-status is enabled, the attack-log-category becomes configurable. Select one or more of the following security categories to include in the security logs export:

comma-separated-value
Send logs in CSV format. Do not use with FortiAnalyzer.

event-log-status
Enable/disable logging for system events.

event-log-category
If event-log-status is enabled, the event-log-category becomes configurable. Select one or more of the following event categories to include in the event logs export:

facility
Identifier that is not used by any other device on your network when sending logs to FortiAnalyzer/syslog.

fqdn
The fqdn option is available if address_type is fqdn. Specify the FQDN of the syslog server.

loglevel
Select the lowest severity to log from the following options:
The exported logs will include the selected severity level and above. For example, if you select error, the system collects logs with severity level error, critical, alert, and emergency. If you select alert, the system collects logs with severity level alert and emergency.

port
Listening port number of the syslog server. Usually this is UDP/TCP/TCPSSL port 514.

server
The server option is available if address_type is ip. IP address of the syslog server.
Note: In IPv6, certain reserved or designated addresses cannot function as globally unique addresses. Users can configure these invalid IPs in remote settings without errors, but this leads to failed IPv6 communication. Below are examples of unusable IPv6 address types.

status
Enable/disable the configuration.

proto
Specify the protocol to use for transferring log messages.

enc-algorithm
The enc-algorithm option is available if proto is tcpssl. Select either the high-medium or high encryption algorithm options.
Note: Modifying the enc-algorithm setting triggers the initiation of a new SSL session negotiation with the syslog server, resulting in the disconnection of the current connection.
The High-Medium Level contains the following 80 algorithm combinations:
The High Level contains the following 40 algorithm combinations:

tcp_framing
The frame in which the log message is stored in tcp/tcpssl packets.

traffic-log-status
Enable/disable logging for traffic processed by the load balancing modules.

traffic-log-category
If traffic-log-status is enabled, the traffic-log-category becomes configurable. Select one or more of the following traffic categories to include in the traffic logs export:
Example
FortiADC-VM # config log setting remote
FortiADC-VM (remote) # edit 1
Add new entry '1' for node 547
FortiADC-VM (1) # get
status : disable
server : 0.0.0.0
port : 514
loglevel : information
comma-separated-value : disable
facility : kern
event-log-status : disable
traffic-log-status : disable
attack-log-status : disable
FortiADC-VM (1) # set status enable
FortiADC-VM (1) # set address_type ip
FortiADC-VM (1) # set server 203.0.113.10
FortiADC-VM (1) # set loglevel notification
FortiADC-VM (1) # set event-log-status enable
FortiADC-VM (1) # set event-log-category admin configuration system
FortiADC-VM (1) # set traffic-log-status enable
FortiADC-VM (1) # set traffic-log-category slb dns llb
FortiADC-VM (1) # end
FortiADC-VM # get log setting remote
== [ 1 ]
status: enable
server: 203.0.113.10
port: 514
loglevel: notification
facility: kern
FortiADC-VM # show log setting remote
config log setting remote
edit 1
set status enable
set server 203.0.113.10
set loglevel notification
set event-log-status enable
set event-log-category configuration admin system
set traffic-log-status enable
set traffic-log-category slb dns llb
next
end
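
The tcp_framing option decides how the collector finds message boundaries in the tcp/tcpssl stream, so the receiver must be set to the same value. The following Python sketch is an added example, not Fortinet code: it assumes traditional means LF-terminated messages and octet_counted means the RFC 6587 length prefix, and the function names, class, size cap and sample messages are constructed for illustration.

```python
# Assumption: traditional = LF-terminated, octet_counted = RFC 6587 length prefix.
MAX_MSG = 64 * 1024  # assumed cap; refuse larger frames instead of buffering them
def frame(msg: bytes, framing: str) -> bytes:
    """Sender side: wrap one syslog message for the TCP stream."""
    if framing == "octet_counted":
        return b"%d %s" % (len(msg), msg)
    return msg + b"\n"

class Deframer:
    """Receiver side: split recv() chunks back into whole messages."""
    def __init__(self, framing: str):
        if framing not in ("traditional", "octet_counted"):
            raise ValueError("unknown framing: " + framing)
        self.framing, self.buf = framing, b""

    def feed(self, chunk: bytes) -> list:
        self.buf += chunk
        out = []
        while (msg := self._next()) is not None:
            out.append(msg)
        return out

    def _next(self):
        if self.framing == "traditional":
            head, sep, rest = self.buf.partition(b"\n")
            if not sep:
                if len(self.buf) > MAX_MSG:
                    raise ValueError("unterminated message too long")
                return None
            self.buf = rest
            return head
        digits, sep, rest = self.buf.partition(b" ")
        if not sep:  # length prefix still incomplete
            if self.buf and (not self.buf.isdigit() or len(self.buf) > 9):
                raise ValueError("stream is not octet-counted")
            return None
        n = int(digits) if digits.isdigit() else 0
        if not 0 < n <= MAX_MSG:
            raise ValueError("bad octet count")
        if len(rest) < n:
            return None  # wait for the rest of the message
        self.buf = rest[n:]
        return rest[:n]

def severity(msg: bytes) -> int:  # low 3 bits of <PRI>; 5 = notification
    return int(msg[1:msg.index(b">")]) & 7

# Constructed samples: facility kern (0), severity notification (5) -> <5>
SAMPLES = [b"<5>constructed event A", b"<5>constructed event B\nsecond line"]
```

With traditional framing the embedded newline in the second sample yields three records, while octet_counted returns the original two. A collector left on traditional while the sender uses octet_counted raises no error and silently merges records, which is worth checking after any change to this setting.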