
Administration Guide

Types of logs collected for each device

FortiAnalyzer can collect logs from managed FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager, FortiSandbox, FortiWeb, and FortiClient devices and from syslog sources, as well as from FortiAuthenticator, FortiDDoS, and FortiAnalyzer itself, as listed in the table. The following table describes the types of logs FortiAnalyzer collects from each type of device:

Device Type          Log Type
-------------------  --------------------------------------------------------------
FortiAnalyzer        Event
FortiAuthenticator   Event
FortiGate            Traffic
                     Security: Antivirus, Intrusion Prevention, Application Control, Web Filter, File Filter, DNS, Data Leak Prevention, Email Filter, Web Application Firewall, Vulnerability Scan, VoIP, FortiClient
                     Event: Endpoint, HA, Compliance, System, Router, VPN, User, WAN Opt. & Cache, WiFi
                     Note: File Filter logs are sent when the File Filter sensor is enabled in the FortiOS Web Filter profile. You can enable the File Filter sensor in FortiOS at Security Profiles > Web Filters.
FortiCarrier         Traffic, Event, GTP
FortiCache           Traffic, Event, Antivirus, Web Filter
FortiClient          Traffic, Event, Vulnerability Scan
FortiDDoS            Event, Intrusion Prevention
FortiMail            History, Event, Antivirus, Email Filter
                     Note: FortiMail logs support cross-log functionality. When viewing History, Event, Antivirus, or Email Filter logs from FortiMail, click the Session ID to see the correlated logs.
FortiManager         Event
FortiSandbox         Malware, Network Alerts
FortiWeb             Event, Intrusion Prevention, Traffic
Syslog               Generic

Traffic logs

Traffic logs record the traffic flowing through your FortiGate unit. Because traffic can only pass through a FortiGate when a firewall policy allows it, this type of logging is also called firewall policy logging. Firewall policies control all traffic attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN sub-interfaces, so every traffic log entry is tied to the policy that accepted or denied the session.

Security logs

Security logs (FortiGate) record all antivirus, web filtering, file filtering, application control, intrusion prevention, email filtering, data leak prevention, web application firewall, vulnerability scan, and VoIP activity on your managed devices.

DNS logs

DNS logs (FortiGate) record the DNS activity on your managed devices.

Event logs

Event logs record administrative and system activity on Fortinet devices, such as configuration changes, admin logins, and HA events. They are important because they show how the device is performing and who changed what, which makes them the first place to look when auditing administrative access or reconstructing a configuration change. FortiGate event logs are broken out into System, Router, VPN, User, and WiFi menu objects (among others listed in the table above), which gives you more granularity when viewing and searching log data.

The logs displayed on your FortiAnalyzer depend on the type of device logging to it and on the features enabled on that device. FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager, FortiWeb, FortiSandbox, FortiClient, and Syslog logging are supported. ADOMs must be enabled to support non-FortiGate logging.
In a Security Fabric ADOM, all device logs are displayed.
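As an added example (not Fortinet code and not part of this guide), the following Python parses FortiOS-style key=value log lines, maps each line to the log categories in the table above, and picks out the admin login, configuration change, and HA entries that the Event logs paragraph highlights. The sample lines are constructed and their field values (logid, devid, addresses, logdesc text) are illustrative; the type/subtype-to-category mapping and the fields used to spot admin activity (action, cfgpath, subtype) are assumptions made for this example.

```python
"""Classify FortiOS-style key=value log lines into the FortiAnalyzer log
categories listed above and pull out admin-activity event logs.

Added example, not Fortinet code. Sample lines are constructed; the
type/subtype -> category mapping is an assumption made for this example.
"""
import re
from collections import Counter

# Constructed sample lines in the FortiOS key=value syslog style
# (not captured from a real device; values are illustrative).
SAMPLE_LOGS = [
    'date=2024-01-15 time=10:01:02 devname="fgt-edge" devid="FG100FTK00000001" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.0.1.25 dstip=203.0.113.10 dstport=443 action="accept" policyid=7 sentbyte=1520 rcvdbyte=9340',
    'date=2024-01-15 time=10:01:05 devname="fgt-edge" devid="FG100FTK00000001" logid="0419016384" type="utm" subtype="ips" level="alert" srcip=198.51.100.7 dstip=10.0.1.40 action="dropped" attack="Constructed.Signature.Name" severity="high"',
    'date=2024-01-15 time=10:01:09 devname="fgt-edge" devid="FG100FTK00000001" logid="0317013312" type="utm" subtype="webfilter" level="warning" srcip=10.0.1.25 url="http://example.com/blocked" action="blocked" catdesc="Malicious Websites"',
    'date=2024-01-15 time=10:02:00 devname="fgt-edge" devid="FG100FTK00000001" logid="1501054802" type="utm" subtype="dns" level="notice" srcip=10.0.1.25 qname="example.net" action="pass"',
    'date=2024-01-15 time=10:03:11 devname="fgt-edge" devid="FG100FTK00000001" logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(192.0.2.55)" action="login" status="success"',
    'date=2024-01-15 time=10:03:40 devname="fgt-edge" devid="FG100FTK00000001" logid="0100044547" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" action="Edit" cfgpath="firewall.policy" cfgobj="7" cfgattr="action[accept->deny]"',
    'date=2024-01-15 time=10:04:00 devname="fgt-edge" devid="FG100FTK00000001" logid="0108037896" type="event" subtype="ha" level="critical" logdesc="HA state change" msg="HA master switched"',
    'date=2024-01-15 time=10:05:00 devname="fgt-edge" devid="FG100FTK00000001" logid="0101037124" type="event" subtype="vpn" level="notice" logdesc="IPsec phase 1" action="negotiate" result="OK"',
]

# key=value pairs; quoted values may contain spaces, parentheses, or escaped quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    """Return a dict of field -> value with surrounding quotes stripped."""
    record = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        record[key] = value
    return record


# Assumed mapping from FortiOS type/subtype values to the table's categories.
SECURITY_SUBTYPES = {
    "virus": "Antivirus", "ips": "Intrusion Prevention",
    "app-ctrl": "Application Control", "webfilter": "Web Filter",
    "file-filter": "File Filter", "dns": "DNS", "dlp": "Data Leak Prevention",
    "emailfilter": "Email Filter", "waf": "Web Application Firewall", "voip": "VoIP",
}
EVENT_SUBTYPES = {
    "system": "System", "router": "Router", "vpn": "VPN", "user": "User",
    "wifi": "WiFi", "ha": "HA", "endpoint": "Endpoint", "compliance-check": "Compliance",
}


def categorize(record):
    """Map a parsed record to 'Traffic', 'Security: <x>' or 'Event: <x>'."""
    ltype = record.get("type", "")
    subtype = record.get("subtype", "")
    if ltype == "traffic":
        return "Traffic"
    if ltype == "utm":
        return "Security: " + SECURITY_SUBTYPES.get(subtype, subtype or "unknown")
    if ltype == "event":
        return "Event: " + EVENT_SUBTYPES.get(subtype, subtype or "unknown")
    return "Unknown"


def count_by_category(lines):
    """Count lines per category, the way the table above groups them."""
    return Counter(categorize(parse_log_line(line)) for line in lines)


def admin_activity(lines):
    """Return (kind, record) for the event-log entries the text singles out:
    admin logins, configuration changes and HA events. The fields matched on
    (subtype, action, cfgpath) are assumptions for this example."""
    hits = []
    for line in lines:
        r = parse_log_line(line)
        if r.get("type") != "event":
            continue
        if r.get("subtype") == "ha":
            hits.append(("ha", r))
        elif r.get("action") in ("login", "logout"):
            hits.append(("admin-login", r))
        elif "cfgpath" in r:            # object edited via GUI/CLI
            hits.append(("config-change", r))
    return hits


if __name__ == "__main__":
    for category, n in sorted(count_by_category(SAMPLE_LOGS).items()):
        print(f"{n:3d}  {category}")
    for kind, r in admin_activity(SAMPLE_LOGS):
        print(kind, r.get("user", "-"), r.get("logdesc"), r.get("cfgpath", ""))
```

The category counts are what a practitioner would expect FortiAnalyzer to bucket these lines into; the admin-activity list is the subset worth alerting on, since the same key=value format carries both high-volume traffic logs and the low-volume administrative events the Event logs paragraph describes.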
