Fortinet black logo

CLI Reference

Home FortiAnalyzer 6.0.0 CLI Reference

log-forward

6.0.0
7.4.2
7.4.1
7.4.0
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
6.2.12
6.2.11
6.2.10
6.2.9
6.2.8
6.2.7
6.2.6
6.2.5
6.2.3
6.2.2
6.2.1
6.2.0
6.0.12
6.0.11
6.0.10
6.0.9
6.0.8
6.0.7
6.0.6
6.0.5
6.0.4
6.0.3
6.0.2
6.0.1
6.0.0
5.6.11
5.6.10
5.6.9
5.6.8
5.6.8
5.6.7
5.6.7
5.6.6
5.6.6
5.6.5
5.6.5
5.6.4
5.6.4
5.6.3
5.6.3
5.6.2
5.6.2
5.6.1
5.6.1
5.6.0
5.6.0
5.4.7
5.4.6
5.4.5
5.4.5
5.4.4
5.4.4
5.4.3
5.4.3
5.4.2
5.4.2
5.4.1
5.4.1
5.4.0
5.4.0
5.2.10
5.2.9
5.2.9
5.2.7
5.2.7
5.2.6
5.2.6
5.2.5
5.2.5
5.2.4
5.2.4
5.2.3
5.2.3
5.2.2
5.2.1
5.2.0
5.0.13
5.0.13
5.0.11
5.0.11
5.0.10
5.0.9
5.0.8
5.0.7
5.0.6
5.0.5
5.0.4
5.0.3
5.0.2
5.0.1
4.3.0
4.2.0
4.1.0
4.0.0
Copy Link
Copy Doc ID 916c7e61-9129-11e8-a49a-00505692583a:975866
Download PDF

log-forward

Use the following commands to configure log forwarding.

Syntax

config system log-forward

edit <id>

set mode {aggregation | disable | forwarding}

set agg-archive-types {Web_Archive | Email_Archive | File_Transfer_Archive | IM_Archive | MMS_Archive | AV_Quarantine | IPS_Packets}

set agg-logtypes {none | app-ctrl | attack | content | dlp | emailfilter | event | history | traffic | virus | webfilter | netscan}

set agg-password <passwd>

set agg-time <integer>

set agg-user <string>

set fwd-archives {enable | disable}

set fwd-archive-types {Web_Archive | Email_Archive | IM_Archive | File_Transfer_Archive | MMS_Archive | AV_Quarantine | IPS_Packets | EDISC_Archive}

set fwd-facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}

set fwd-log-source-ip {local_ip | original_ip}

set fwd-max-delay {1min | 5min | realtime}

set fwd-reliable {enable | disable}

set fwd-secure {enable | disable}

set fwd-server-type {cef | fortianalyzer | syslog}

set log-field-exclusion-status {enable | disable}

set log-filter-logic {and | or}

set log-filter-status {enable | disable}

set server-device <string>

set server-ip <ipv4_address>

set server-name <string>

set server-port <integer>

set signature <integer>

set sync-metadata [sf-topology | interface-role | device | endusr-avatar]

config device-filter

edit id

set action include

set device <string>

end

config log-field-exclusion

edit id

set dev-type <string>

set field-type <string>

set log-type <string>

end

config log-filter

edit id

set field {type | logid | level | devid | vd | srcip | srcintf | srcport | dstip | dstintf | user | group | free-text }

set oper {= | != | < | > | <= | >= | contain | not-contain | match}

set value {traffic | event | utm}

end

end

Variable

Description

<id>

Enter the log aggregation ID that you want to edit. Enter edit ? to view available entries.

mode {aggregation | disable | forwarding}

Log aggregation mode (default = disable). The following options are available:

  • aggregation: Aggregate logs to FortiAnalyzer
  • disable: Do not forward or aggregate logs
  • forwarding: Forward logs to the FortiAnalyzer

agg-archive-types {Web_Archive | Email_Archive | File_Transfer_Archive | IM_Archive | MMS_Archive | AV_Quarantine | IPS_Packets}

Archive type.

  • Web_Archive: Web_Archive
  • Secure_Web_Archive: Secure_Web_Archive
  • Email_Archive: Email_Archive
  • File_Transfer_Archive: File_Transfer_Archive
  • IM_Archive: IM_Archive
  • MMS_Archive: MMS_Archive
  • AV_Quarantine: AV_Quarantine
  • IPS_Packets: IPS_Packets

This command is only available when the mode is set to aggregation.

agg-logtypes {none | app-ctrl | attack | content | dlp | emailfilter | event | history | traffic | virus | webfilter | netscan}

Log type.

  • none: none
  • app-ctrl: app-ctrl
  • attack: attack
  • content: content
  • dlp: dlp
  • emailfilter: emailfilter
  • event: event
  • history: history
  • traffic: traffic
  • virus: virus
  • webfilter: webfilter
  • netscan: netscan

This command is only available when the mode is set to aggregation.

agg-password <passwd>

Log aggregation access password for server. This command is only available when the mode is set to aggregation.

agg-time <integer>

Daily at the selected time. This command is only available when the mode is set to aggregation.

agg-user <string>

Log aggregation access user name for server. This command is only available when the mode is set to aggregation.

fwd-archives {enable | disable}

Enable/disable forwarding archives. This command is only available when the mode is set to forwarding.

fwd-archive-types fwd-archive-types {Web_Archive | Email_Archive | IM_Archive | File_Transfer_Archive | MMS_Archive | AV_Quarantine | IPS_Packets | EDISC_Archive}

Set the forwarding archive types.

  • Web_Archive: Web Archive
  • Email_Archive: Email Archive
  • IM_Archive: IM Archive
  • File_Transfer_Archive: File Transfer Archive
  • MMS_Archive: MMS Archive
  • AV_Quarantine: AV Quarantine
  • IPS_Packets: IPS Packets
  • EDISC_Archive: EDISC Archive

This command is only available when the mode is set to forwarding.

fwd-facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}

Facility for remote syslog.

  • alert: Log alert
  • audit: Log audit
  • auth: Security/authorization messages
  • authpriv: Security/authorization messages (private)
  • clock: Clock daemon
  • cron: Clock daemon
  • daemon: System daemons
  • ftp: FTP daemon
  • kernel: Kernel messages
  • local0, local1, local2, local3, local4, local5, local6, local7: Reserved for local use
  • lpr: Line printer subsystem
  • mail: Mail system
  • news: Network news subsystem
  • ntp: NTP daemon
  • syslog: Messages generated internally by syslogd
  • user: Random user level messages
  • uucp: Network news subsystem

This command is only available when the mode is set to forwarding.

fwd-log-source-ip {local_ip | original_ip}

The logs source IP address.

  • local_ip: Use local IP
  • original_ip: Use original source IP

This command is only available when the mode is set to forwarding.

fwd-max-delay {1min | 5min | realtime}

The maximum delay for near realtime log forwarding.

  • 1min: Near realtime forwarding with up to one minute delay.
  • 5min: Near realtime forwarding with up to five minutes delay (default).
  • realtime: Realtime forwarding, no delay.

This command is only available when the mode is set to forwarding.

fwd-reliable {enable | disable}

Enable/disable reliable logging (default = disable).

set fwd-remote-server must be syslog to support reliable forwarding.

This command is only available when the mode is set to forwarding.

fwd-secure {enable | disable}

Enable/disable TLS/SSL secured reliable logging (default = disable).

This command is only available when the mode is set to forwarding and fwd-server-type is set to syslog.

fwd-server-type {cef | fortianalyzer | syslog}

Forwarding all logs to a CEF (Common Event Format) server, syslog server, or the FortiAnalyzer device. The following options are available:

  • cef: Common Event Format server
  • fortianalyzer: FortiAnalyzer device
  • syslog: Syslog server

This command is only available when the mode is set to forwarding.

log-field-exclusion-status {enable | disable}

Enable/disable log field exclusion list (default = disable).

This command is only available when the mode is set to forwarding and fwd-server-type is set to cef or syslog.

log-filter-logic {and | or}

Logic operator used to connect filters (default = or). This command is only available when log-filter-status is enabled.

log-filter-status {enable | disable}

Enable or disable log filtering (default = disable). This command is only available when the mode is set to forwarding.

server-device <id>

Log aggregation server device ID.

Example: set server-device FL-1KC3R11600346

where FL-1KC3R11600346 is the device ID and 1.1.1.1 is the IP address of the FortiAnalyzer device to be registered in the DVM table of another FortiAnalyzer for aggregation client configuration.

server-ip <ipv4_address>

Remote server IPv4 address.

server-name <string>

Log aggregation server name.

server-port <integer>

Enter the server listen port, from 1 to 65535. Default: 514.

This command is only available when the mode is set to forwarding.

signature <integer>

This field is auto-generated and should not be set.

sync-metadata [sf-topology | interface-role | device | endusr-avatar]

Synchronizing metadata types:

  • sf-topology: Security Fabric topology
  • interface-role: Interface Role
  • device: Device information
  • endusr-avatar: End-user avatar

This command is only available when the mode is set to forwarding.

Variables for config device-filter subcommand:

id

Enter the device filter ID or enter a number to create a new entry.

action include

Include the specified device.

device <string>

Select: All_FortiGates, All_FortiManagers, All_Syslogs, All_FortiClients, All_FortiMails, All_FortiWebs, All_FortiCaches, All_FortiAnalyzers, All_FortiSandboxes, All_FortiDDoS, All_FortiAuthenticators, or specify specific devices.

Variables for config log-field-exclusions subcommand:

This command is only available when the mode is set to forwarding and log-field-exclusions-status is set to enable.

id

Enter a device filter ID or enter a number to create a new entry.

dev-type <string>

The device type.

field-type <string>

The field type.

log-type <string>

The log type.

Variables for config log-filter subcommand:

id

Enter the log filter ID or enter a number to create a new entry.

field {type | logid | level | devid | vd | srcip | srcintf | srcport | dstip | dstintf | user | group | free-text }

Field name.

  • type: Log type
  • logid: Log ID
  • level: Level
  • devid: Device ID
  • vd:VDOM ID
  • srcip: Source IP
  • srcintf: Source Interface
  • srcport: Source Port
  • dstip: Destination IP
  • dstintf: Destination Interface
  • dstport: Destination Port
  • user: User
  • group: Group
  • free-text: General free-text filter

oper {= | != | < | > | <= | >= | contain | not-contain | match}

Field filter operator.

  • = - Equal to
  • != - Not equal to
  • < - Less than
  • > - Greater than
  • <= - Less than or equal to
  • >= - Greater than or equal to
  • contain - Contain
  • not-contain - Not contain
  • match - Match (expression)

value {traffic | event | utm}

Field filter operand or free-text matching expression.

This variable uses the glibc regex library for values with operators (~,!~), using the POSIX standard. Filter string syntax is parsed by FortiAnalyzer, escape characters must be use when needed, and both upper and lower case characters are supported.

For example: "a ~ \"regexp\" and (c==d OR e==f)"

Use the show command to display the current configuration if it has been changed from its default value:

show system log-forward

Previous
Next

log-forward

Use the following commands to configure log forwarding.

Syntax

config system log-forward

edit <id>

set mode {aggregation | disable | forwarding}

set agg-archive-types {Web_Archive | Email_Archive | File_Transfer_Archive | IM_Archive | MMS_Archive | AV_Quarantine | IPS_Packets}

set agg-logtypes {none | app-ctrl | attack | content | dlp | emailfilter | event | history | traffic | virus | webfilter | netscan}

set agg-password <passwd>

set agg-time <integer>

set agg-user <string>

set fwd-archives {enable | disable}

set fwd-archive-types {Web_Archive | Email_Archive | IM_Archive | File_Transfer_Archive | MMS_Archive | AV_Quarantine | IPS_Packets | EDISC_Archive}

set fwd-facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}

set fwd-log-source-ip {local_ip | original_ip}

set fwd-max-delay {1min | 5min | realtime}

set fwd-reliable {enable | disable}

set fwd-secure {enable | disable}

set fwd-server-type {cef | fortianalyzer | syslog}

set log-field-exclusion-status {enable | disable}

set log-filter-logic {and | or}

set log-filter-status {enable | disable}

set server-device <string>

set server-ip <ipv4_address>

set server-name <string>

set server-port <integer>

set signature <integer>

set sync-metadata [sf-topology | interface-role | device | endusr-avatar]

config device-filter

edit id

set action include

set device <string>

end

config log-field-exclusion

edit id

set dev-type <string>

set field-type <string>

set log-type <string>

end

config log-filter

edit id

set field {type | logid | level | devid | vd | srcip | srcintf | srcport | dstip | dstintf | user | group | free-text }

set oper {= | != | < | > | <= | >= | contain | not-contain | match}

set value {traffic | event | utm}

end

end

Variable

Description

<id>

Enter the log aggregation ID that you want to edit. Enter edit ? to view available entries.

mode {aggregation | disable | forwarding}

Log aggregation mode (default = disable). The following options are available:

  • aggregation: Aggregate logs to FortiAnalyzer
  • disable: Do not forward or aggregate logs
  • forwarding: Forward logs to the FortiAnalyzer

agg-archive-types {Web_Archive | Email_Archive | File_Transfer_Archive | IM_Archive | MMS_Archive | AV_Quarantine | IPS_Packets}

Archive type.

  • Web_Archive: Web_Archive
  • Secure_Web_Archive: Secure_Web_Archive
  • Email_Archive: Email_Archive
  • File_Transfer_Archive: File_Transfer_Archive
  • IM_Archive: IM_Archive
  • MMS_Archive: MMS_Archive
  • AV_Quarantine: AV_Quarantine
  • IPS_Packets: IPS_Packets

This command is only available when the mode is set to aggregation.

agg-logtypes {none | app-ctrl | attack | content | dlp | emailfilter | event | history | traffic | virus | webfilter | netscan}

Log type.

  • none: none
  • app-ctrl: app-ctrl
  • attack: attack
  • content: content
  • dlp: dlp
  • emailfilter: emailfilter
  • event: event
  • history: history
  • traffic: traffic
  • virus: virus
  • webfilter: webfilter
  • netscan: netscan

This command is only available when the mode is set to aggregation.

agg-password <passwd>

Log aggregation access password for server. This command is only available when the mode is set to aggregation.

agg-time <integer>

Daily at the selected time. This command is only available when the mode is set to aggregation.

agg-user <string>

Log aggregation access user name for server. This command is only available when the mode is set to aggregation.

fwd-archives {enable | disable}

Enable/disable forwarding archives. This command is only available when the mode is set to forwarding.

fwd-archive-types fwd-archive-types {Web_Archive | Email_Archive | IM_Archive | File_Transfer_Archive | MMS_Archive | AV_Quarantine | IPS_Packets | EDISC_Archive}

Set the forwarding archive types.

  • Web_Archive: Web Archive
  • Email_Archive: Email Archive
  • IM_Archive: IM Archive
  • File_Transfer_Archive: File Transfer Archive
  • MMS_Archive: MMS Archive
  • AV_Quarantine: AV Quarantine
  • IPS_Packets: IPS Packets
  • EDISC_Archive: EDISC Archive

This command is only available when the mode is set to forwarding.

fwd-facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}

Facility for remote syslog.

  • alert: Log alert
  • audit: Log audit
  • auth: Security/authorization messages
  • authpriv: Security/authorization messages (private)
  • clock: Clock daemon
  • cron: Clock daemon
  • daemon: System daemons
  • ftp: FTP daemon
  • kernel: Kernel messages
  • local0, local1, local2, local3, local4, local5, local6, local7: Reserved for local use
  • lpr: Line printer subsystem
  • mail: Mail system
  • news: Network news subsystem
  • ntp: NTP daemon
  • syslog: Messages generated internally by syslogd
  • user: Random user level messages
  • uucp: Network news subsystem

This command is only available when the mode is set to forwarding.

fwd-log-source-ip {local_ip | original_ip}

The logs source IP address.

  • local_ip: Use local IP
  • original_ip: Use original source IP

This command is only available when the mode is set to forwarding.

fwd-max-delay {1min | 5min | realtime}

The maximum delay for near realtime log forwarding.

  • 1min: Near realtime forwarding with up to one minute delay.
  • 5min: Near realtime forwarding with up to five minutes delay (default).
  • realtime: Realtime forwarding, no delay.

This command is only available when the mode is set to forwarding.

fwd-reliable {enable | disable}

Enable/disable reliable logging (default = disable).

set fwd-remote-server must be syslog to support reliable forwarding.

This command is only available when the mode is set to forwarding.

fwd-secure {enable | disable}

Enable/disable TLS/SSL secured reliable logging (default = disable).

This command is only available when the mode is set to forwarding and fwd-server-type is set to syslog.

fwd-server-type {cef | fortianalyzer | syslog}

Forwarding all logs to a CEF (Common Event Format) server, syslog server, or the FortiAnalyzer device. The following options are available:

  • cef: Common Event Format server
  • fortianalyzer: FortiAnalyzer device
  • syslog: Syslog server

This command is only available when the mode is set to forwarding.

log-field-exclusion-status {enable | disable}

Enable/disable log field exclusion list (default = disable).

This command is only available when the mode is set to forwarding and fwd-server-type is set to cef or syslog.

log-filter-logic {and | or}

Logic operator used to connect filters (default = or). This command is only available when log-filter-status is enabled.

log-filter-status {enable | disable}

Enable or disable log filtering (default = disable). This command is only available when the mode is set to forwarding.

server-device <id>

Log aggregation server device ID.

Example: set server-device FL-1KC3R11600346

where FL-1KC3R11600346 is the device ID and 1.1.1.1 is the IP address of the FortiAnalyzer device to be registered in the DVM table of another FortiAnalyzer for aggregation client configuration.

server-ip <ipv4_address>

Remote server IPv4 address.

server-name <string>

Log aggregation server name.

server-port <integer>

Enter the server listen port, from 1 to 65535. Default: 514.

This command is only available when the mode is set to forwarding.

signature <integer>

This field is auto-generated and should not be set.

sync-metadata [sf-topology | interface-role | device | endusr-avatar]

Synchronizing metadata types:

  • sf-topology: Security Fabric topology
  • interface-role: Interface Role
  • device: Device information
  • endusr-avatar: End-user avatar

This command is only available when the mode is set to forwarding.

Variables for config device-filter subcommand:

id

Enter the device filter ID or enter a number to create a new entry.

action include

Include the specified device.

device <string>

Select: All_FortiGates, All_FortiManagers, All_Syslogs, All_FortiClients, All_FortiMails, All_FortiWebs, All_FortiCaches, All_FortiAnalyzers, All_FortiSandboxes, All_FortiDDoS, All_FortiAuthenticators, or specify specific devices.

Variables for config log-field-exclusions subcommand:

This command is only available when the mode is set to forwarding and log-field-exclusions-status is set to enable.

id

Enter a device filter ID or enter a number to create a new entry.

dev-type <string>

The device type.

field-type <string>

The field type.

log-type <string>

The log type.

Variables for config log-filter subcommand:

id

Enter the log filter ID or enter a number to create a new entry.

field {type | logid | level | devid | vd | srcip | srcintf | srcport | dstip | dstintf | user | group | free-text }

Field name.

  • type: Log type
  • logid: Log ID
  • level: Level
  • devid: Device ID
  • vd:VDOM ID
  • srcip: Source IP
  • srcintf: Source Interface
  • srcport: Source Port
  • dstip: Destination IP
  • dstintf: Destination Interface
  • dstport: Destination Port
  • user: User
  • group: Group
  • free-text: General free-text filter

oper {= | != | < | > | <= | >= | contain | not-contain | match}

Field filter operator.

  • = - Equal to
  • != - Not equal to
  • < - Less than
  • > - Greater than
  • <= - Less than or equal to
  • >= - Greater than or equal to
  • contain - Contain
  • not-contain - Not contain
  • match - Match (expression)

value {traffic | event | utm}

Field filter operand or free-text matching expression.

This variable uses the glibc regex library for values with operators (~,!~), using the POSIX standard. Filter string syntax is parsed by FortiAnalyzer, escape characters must be use when needed, and both upper and lower case characters are supported.

For example: "a ~ \"regexp\" and (c==d OR e==f)"

Use the show command to display the current configuration if it has been changed from its default value:

show system log-forward

Previous
Next