log-forward
Use the following commands to configure log forwarding.
Syntax
config system log-forward
    edit <id>
        set mode {aggregation | disable | forwarding}
        set agg-archive-types {Web_Archive Secure_Web_Archive Email_Archive File_Transfer_Archive IM_Archive MMS_Archive AV_Quarantine IPS_Packets}
        set agg-logtypes {none app-ctrl attack content dlp emailfilter event generic history traffic virus webfilter netscan fct-event fct-traffic fct-netscan waf gtp dns ssh}
        set agg-password <passwd>
        set agg-time <integer>
        set agg-user <string>
        set fwd-archives {enable | disable}
        set fwd-archive-types {Web_Archive Email_Archive IM_Archive File_Transfer_Archive MMS_Archive AV_Quarantine IPS_Packets EDISC_Archive}
        set fwd-facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
        set fwd-log-source-ip {local_ip | original_ip}
        set fwd-max-delay {1min | 5min | realtime}
        set fwd-reliable {enable | disable}
        set fwd-secure {enable | disable}
        set fwd-server-type {cef | fortianalyzer | syslog}
        set log-field-exclusion-status {enable | disable}
        set log-filter-logic {and | or}
        set log-filter-status {enable | disable}
        set proxy-service {enable | disable}
        set proxy-service-priority <integer>
        set server-device <string>
        set server-ip <ipv4_address>
        set server-name <string>
        set server-port <integer>
        set signature <integer>
        set sync-metadata [sf-topology | interface-role | device | endusr-avatar]
        config device-filter
            edit <id>
                set action {include}
                set device <string>
            end
        config log-field-exclusion
            edit <id>
                set dev-type {FortiGate | FortiMail | FortiManager | FortiAnalyzer | FortiWeb | FortiCache | FortiSandbox | FortiDDoS | Syslog}
                set field-list <string>
                set log-type {app-ctrl | attack | content | dlp | emailfilter | event | generic | history | traffic | virus | voip | webfilter | netscan | waf | gtp | dns | ssh | ANY-TYPE}
            end
        config log-filter
            edit <id>
                set field {type | logid | level | devid | vd | srcip | srcintf | srcport | dstip | dstintf | dstport | user | group | free-text}
                set oper {= | != | < | > | <= | >= | contain | not-contain | match}
                set value {traffic | event | utm}
            end
    end
Variables:

<id>
    Enter the log aggregation ID that you want to edit.

mode {aggregation | disable | forwarding}
    Log aggregation mode:
    - aggregation: Aggregate logs to FortiAnalyzer
    - disable: Do not forward or aggregate logs (default)
    - forwarding: Forward logs to the FortiAnalyzer

agg-archive-types {Web_Archive Secure_Web_Archive Email_Archive File_Transfer_Archive IM_Archive MMS_Archive AV_Quarantine IPS_Packets}
    Archive type (default = all options). This command is only available when the mode is set to aggregation.

agg-logtypes {none app-ctrl attack content dlp emailfilter event generic history traffic virus webfilter netscan fct-event fct-traffic fct-netscan waf gtp dns ssh}
    Log type (default = all options). This command is only available when the mode is set to aggregation.

agg-password <passwd>
    Log aggregation access password for the server. This command is only available when the mode is set to aggregation.

agg-time <integer>
    Daily at the selected time (0 - 23, default = 0). This command is only available when the mode is set to aggregation.

agg-user <string>
    Log aggregation access user name for the server. This command is only available when the mode is set to aggregation.

fwd-archives {enable | disable}
    Enable/disable forwarding archives (default = enable). This command is only available when the mode is set to forwarding.

fwd-archive-types {Web_Archive Email_Archive IM_Archive File_Transfer_Archive MMS_Archive AV_Quarantine IPS_Packets EDISC_Archive}
    Set the forwarding archive types (default = all options). This command is only available when the mode is set to forwarding.

fwd-facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
    Facility for remote syslog (default = local7).
    - alert: Log alert
    - audit: Log audit
    - auth: Security/authorization messages
    - authpriv: Security/authorization messages (private)
    - clock: Clock daemon
    - cron: Clock daemon
    - daemon: System daemons
    - ftp: FTP daemon
    - kernel: Kernel messages
    - local0, local1, local2, local3, local4, local5, local6, local7: Reserved for local use
    - lpr: Line printer subsystem
    - mail: Mail system
    - news: Network news subsystem
    - ntp: NTP daemon
    - syslog: Messages generated internally by syslogd
    - user: Random user level messages
    - uucp: Network news subsystem
    This command is only available when the mode is set to forwarding.

fwd-log-source-ip {local_ip | original_ip}
    The log source IP address (default = local_ip). This command is only available when the mode is set to forwarding.

fwd-max-delay {1min | 5min | realtime}
    The maximum delay for near-realtime log forwarding.
    - 1min: Near-realtime forwarding with up to one minute of delay.
    - 5min: Near-realtime forwarding with up to five minutes of delay (default).
    - realtime: Realtime forwarding, no delay.
    This command is only available when the mode is set to forwarding.

fwd-reliable {enable | disable}
    Enable/disable reliable logging (default = disable). This command is only available when the mode is set to forwarding. fwd-server-type must be set to syslog to support reliable forwarding.

fwd-secure {enable | disable}
    Enable/disable TLS/SSL secured reliable logging (default = disable). This command is only available when the mode is set to forwarding, fwd-reliable is enabled, and fwd-server-type is set to syslog.

fwd-server-type {cef | fortianalyzer | syslog}
    Forward all logs to a CEF (Common Event Format) server, a syslog server, or a FortiAnalyzer device (default = fortianalyzer). This command is only available when the mode is set to forwarding.

log-field-exclusion-status {enable | disable}
    Enable/disable the log field exclusion list (default = disable). This command is only available when the mode is set to forwarding and fwd-server-type is set to cef or syslog.

log-filter-logic {and | or}
    Logic operator used to connect filters (default = or). This command is only available when log-filter-status is enabled.

log-filter-status {enable | disable}
    Enable/disable log filtering (default = disable). This command is only available when the mode is set to forwarding.

proxy-service {enable | disable}
    Enable/disable the proxy service under collector mode (default = enable). This command is only available when the mode is set to forwarding.

proxy-service-priority <integer>
    Proxy service priority from 1 (lowest) to 20 (highest) (default = 10). This command is only available when the mode is set to forwarding.

server-device <id>
    Log aggregation server device ID.

server-ip <ipv4_address>
    Remote server IPv4 address.

server-name <string>
    Log aggregation server name.

server-port <integer>
    Enter the server listen port (1 - 65535, default = 514). This command is only available when the mode is set to forwarding.

signature <integer>
    This field is auto-generated and should not be set.

sync-metadata [sf-topology | interface-role | device | endusr-avatar]
    Synchronized metadata types:
    - sf-topology: Security Fabric topology
    - interface-role: Interface role
    - device: Device information
    - endusr-avatar: End-user avatar
    This command is only available when the mode is set to forwarding.

Variables for config device-filter subcommand:

<id>
    Enter the device filter ID, or enter a new number to create a new entry.

action {include}
    Include the specified device.

device <string>
    Device ID of log client devices, or all of a device type.

Variables for config log-field-exclusion subcommand:
This subcommand is only available when the mode is set to forwarding and log-field-exclusion-status is set to enable.

<id>
    Enter the log field exclusion ID, or enter a new number to create a new entry.

dev-type {FortiGate | FortiMail | FortiManager | FortiAnalyzer | FortiWeb | FortiCache | FortiSandbox | FortiDDoS | Syslog}
    The device type (default = FortiGate).

field-list <string>
    The fields to exclude. Enter a comma-separated list from the available fields.

log-type {app-ctrl | attack | content | dlp | emailfilter | event | generic | history | traffic | virus | voip | webfilter | netscan | waf | gtp | dns | ssh | ANY-TYPE}
    The log type (default = traffic).

Variables for config log-filter subcommand:
This subcommand is only available when the mode is set to forwarding and log-filter-status is set to enable.

<id>
    Enter the log filter ID, or enter a new number to create a new entry.

field {type | logid | level | devid | vd | srcip | srcintf | srcport | dstip | dstintf | dstport | user | group | free-text}
    Field name (default = type).

oper {= | != | < | > | <= | >= | contain | not-contain | match}
    Field filter operator (default = =).

value {traffic | event | utm}
    Field filter operand or free-text matching expression.
    This variable uses the glibc regex library for values used with the regex operators (~, !~), following the POSIX standard. The filter string syntax is parsed by FortiAnalyzer; escape characters must be used where needed, and both upper- and lower-case characters are supported.
    For example: "a ~ \"regexp\" and (c==d OR e==f)"
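Worked example, added here and not taken from the page or from Fortinet's own documentation: a complete log-forward configuration with two entries. Entry 1 forwards to an external syslog collector over reliable (TCP) transport with TLS, which the page's dependency notes require to be enabled in order (fwd-server-type syslog, then fwd-reliable, then fwd-secure; the defaults for both fwd-reliable and fwd-secure are disable, i.e. plaintext UDP), restricts the source devices with a device-filter, strips two fields from traffic logs, and forwards only utm and event records joined with "or". Entry 2 aggregates selected log types nightly to an upstream FortiAnalyzer. The server names, addresses (RFC 5737 TEST-NET-1 range), device ID, account name, field names and the 6514 port are assumed values for illustration; the `#` lines are annotations, not CLI input, and `next` is the standard Fortinet CLI separator between table entries.

```text
config system log-forward
    edit 1
        # --- Entry 1: forwarding to a syslog collector (assumed values) ---
        set mode forwarding
        set fwd-server-type syslog
        set server-name siem-collector          # assumed name
        set server-ip 192.0.2.10                # constructed TEST-NET-1 address
        set server-port 6514                    # assumed TLS syslog port; page default is 514
        # Reliable transport must be on before fwd-secure is accepted; both need
        # fwd-server-type syslog. Leaving both at their default (disable) sends
        # plaintext, unacknowledged UDP.
        set fwd-reliable enable
        set fwd-secure enable
        set fwd-facility local4
        set fwd-log-source-ip original_ip       # keep the originating device's IP
        set fwd-max-delay 1min
        set fwd-archives disable                # archives (quarantine, packets) stay on the collector
        # Only forward logs from one chosen client device (assumed device ID).
        config device-filter
            edit 1
                set action include
                set device FGT-EDGE-01
            end
        # Drop fields the SIEM does not need from traffic logs. Requires
        # fwd-server-type cef or syslog. Field names are assumed.
        set log-field-exclusion-status enable
        config log-field-exclusion
            edit 1
                set dev-type FortiGate
                set log-type traffic
                set field-list "user,group"
            end
        # Forward only utm and event records: filters joined with "or", so a
        # record passes when either condition holds.
        set log-filter-status enable
        set log-filter-logic or
        config log-filter
            edit 1
                set field type
                set oper =
                set value utm
            next
            edit 2
                set field type
                set oper =
                set value event
            end
    next
    edit 2
        # --- Entry 2: nightly aggregation to an upstream FortiAnalyzer ---
        # In aggregation mode only the agg-* settings apply; the fwd-* settings
        # above are not available.
        set mode aggregation
        set server-name faz-central             # assumed name
        set server-ip 192.0.2.20                # constructed TEST-NET-1 address
        set agg-user logagg                     # assumed account on the upstream unit
        set agg-password REPLACE_WITH_STRONG_SECRET   # placeholder, not a real value
        set agg-time 2                          # run daily at 02:00 (0 - 23)
        set agg-logtypes traffic event attack virus webfilter
        set agg-archive-types AV_Quarantine IPS_Packets
    end
```

After committing, the conditional settings are the ones to re-check: if fwd-reliable shows as disable, the CLI will have refused fwd-secure, and if log-filter-status is left at its default the log-filter table is ignored regardless of its contents.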