log-forward

Use the following commands to configure log forwarding.

Syntax

config system log-forward

edit <id>

set mode {aggregation | disable | forwarding}

set agg-archive-types {Web_Archive Secure_Web_Archive Email_Archive File_Transfer_Archive IM_Archive MMS_Archive AV_Quarantine IPS_Packets}

set agg-logtypes {none app-ctrl attack content dlp emailfilter event generic history traffic virus webfilter netscan fct-event fct-traffic fct-netscan waf gtp dns ssh}

set agg-password <passwd>

set agg-time <integer>

set agg-user <string>

set fwd-archives {enable | disable}

set fwd-archive-types {Web_Archive Email_Archive IM_Archive File_Transfer_Archive MMS_Archive AV_Quarantine IPS_Packets EDISC_Archive}

set fwd-facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}

set fwd-log-source-ip {local_ip | original_ip}

set fwd-max-delay {1min | 5min | realtime}

set fwd-reliable {enable | disable}

set fwd-secure {enable | disable}

set fwd-server-type {cef | fortianalyzer | syslog}

set log-field-exclusion-status {enable | disable}

set log-filter-logic {and | or}

set log-filter-status {enable | disable}

set proxy-service {enable | disable}

set proxy-service-priority <integer>

set server-device <string>

set server-ip <ipv4_address>

set server-name <string>

set server-port <integer>

set signature <integer>

set sync-metadata [sf-topology | interface-role | device | endusr-avatar]

config device-filter

edit <id>

set action {include}

set device <string>

end

config log-field-exclusion

edit <id>

set dev-type {FortiGate | FortiMail | FortiManager | FortiAnalyzer | FortiWeb | FortiCache | FortiSandbox | FortiDDoS | Syslog}

set field-list <string>

set log-type {app-ctrl | attack | content | dlp | emailfilter | event | generic | history | traffic | virus | voip | webfilter | netscan | waf | gtp | dns | ssh | ANY-TYPE}

end

config log-filter

edit <id>

set field {type | logid | level | devid | vd | srcip | srcintf | srcport | dstip | dstintf | dstport | user | group | free-text }

set oper {= | != | < | > | <= | >= | contain | not-contain | match}

set value {traffic | event | utm}

end

Variable	Description
<id>	Enter the log aggregation ID that you want to edit.
mode {aggregation \| disable \| forwarding}	Log aggregation mode: `aggregation`: Aggregate logs to FortiAnalyzer `disable`: Do not forward or aggregate logs (default) `forwarding`: Forward logs to the FortiAnalyzer
agg-archive-types {Web_Archive Secure_Web_Archive Email_Archive File_Transfer_Archive IM_Archive MMS_Archive AV_Quarantine IPS_Packets}	Archive type (default = all options). This command is only available when the mode is set to `aggregation`.
agg-logtypes {none app-ctrl attack content dlp emailfilter event generic history traffic virus webfilter netscan fct-event fct-traffic fct-netscan waf gtp dns ssh}	Log type (default = all options). This command is only available when the mode is set to `aggregation`.
agg-password <passwd>	Log aggregation access password for server. This command is only available when the mode is set to `aggregation`.
agg-time <integer>	Daily at the selected time (0 - 23, default = 0). This command is only available when the mode is set to `aggregation`.
agg-user <string>	Log aggregation access user name for server. This command is only available when the mode is set to `aggregation`.
fwd-archives {enable \| disable}	Enable/disable forwarding archives (default = enable). This command is only available when the mode is set to `forwarding`.
fwd-archive-types {Web_Archive Email_Archive IM_Archive File_Transfer_Archive MMS_Archive AV_Quarantine IPS_Packets EDISC_Archive}	Set the forwarding archive types (default = all options). This command is only available when the mode is set to `forwarding`.
fwd-facility {alert \| audit \| auth \| authpriv \| clock \| cron \| daemon \| ftp \| kernel \| local0 \| local1 \| local2 \| local3 \| local4 \| local5 \| local6 \| local7 \| lpr \| mail \| news \| ntp \| syslog \| user \| uucp}	Facility for remote syslog (default = local7). `alert`: Log alert `audit`: Log audit `auth`: Security/authorization messages `authpriv`: Security/authorization messages (private) `clock`: Clock daemon `cron`: Clock daemon `daemon`: System daemons `ftp`: FTP daemon `kernel`: Kernel messages `local0`, `local1`, `local2`, `local3`, `local4`, `local5`, `local6`, `local7`: Reserved for local use `lpr`: Line printer subsystem `mail`: Mail system `news`: Network news subsystem `ntp`: NTP daemon `syslog`: Messages generated internally by `syslogd` `user`: Random user level messages `uucp`: Network news subsystem This command is only available when the mode is set to `forwarding`.
fwd-log-source-ip {local_ip \| original_ip}	The logs source IP address (default = local_ip). This command is only available when the mode is set to `forwarding`.
fwd-max-delay {1min \| 5min \| realtime}	The maximum delay for near realtime log forwarding. `1min`: Near realtime forwarding with up to one minute delay. `5min`: Near realtime forwarding with up to five minutes delay (default). `realtime`: Realtime forwarding, no delay. This command is only available when the mode is set to `forwarding`.
fwd-reliable {enable \| disable}	Enable/disable reliable logging (default = disable). This command is only available when the mode is set to `forwarding`. `fwd-remote-server` must be `syslog` to support reliable forwarding.
fwd-secure {enable \| disable}	Enable/disable TLS/SSL secured reliable logging (default = disable). This command is only available when the mode is set to `forwarding`, `fwd-reliable` is enabled, and `fwd-server-type` is set to `syslog`.
fwd-server-type {cef \| fortianalyzer \| syslog}	Forwarding all logs to a CEF (Common Event Format) server, syslog server, or the FortiAnalyzer device (default = fortianalyzer). This command is only available when the mode is set to `forwarding`.
log-field-exclusion-status {enable \| disable}	Enable/disable log field exclusion list (default = disable). This command is only available when the mode is set to `forwarding` and `fwd-server-type` is set to `cef` or `syslog`.
log-filter-logic {and \| or}	Logic operator used to connect filters (default = or). This command is only available when `log-filter-status` is enabled.
log-filter-status {enable \| disable}	Enable/disable log filtering (default = disable). This command is only available when the mode is set to `forwarding`.
proxy-service {enable \| disable}	Enable/disable proxy service under collector mode (default = enable). This command is only available when the mode is set to `forwarding`.
proxy-service-priority <integer>	Proxy service priority from 1 (lowest) to 20 (highest) (default = 10). This command is only available when the mode is set to `forwarding`.
server-device <id>	Log aggregation server device ID.
server-ip <ipv4_address>	Remote server IPv4 address.
server-name <string>	Log aggregation server name.
server-port <integer>	Enter the server listen port (1 - 65535, default = 514). This command is only available when the mode is set to `forwarding`.
signature <integer>	This field is auto-generated and should not be set.
sync-metadata [sf-topology \| interface-role \| device \| endusr-avatar]	Synchronizing metadata types: `sf-topology`: Security Fabric topology `interface-role`: Interface Role `device`: Device information `endusr-avatar`: End-user avatar This command is only available when the mode is set to `forwarding`.
Variables for `config device-filter` subcommand:
<id>	Enter the device filter ID or enter a number to create a new entry.
action {include}	Include the specified device.
device <string>	Device ID of log client devices, or all of a device type.
Variables for `config log-field-exclusions` subcommand: This command is only available when the `mode` is set to `forwarding` and `log-field-exclusions-status` is set to `enable`.
<id>	Enter a device filter ID or enter a number to create a new entry.
dev-type {FortiGate \| FortiMail \| FortiManager \| FortiAnalyzer \| FortiWeb \| FortiCache \| FortiSandbox \| FortiDDoS \| Syslog}	The device type (default = FortiGate).
field-list <string>	The field type. Enter a comma separated list from the available fields.
log-type {app-ctrl \| attack \| content \| dlp \| emailfilter \| event \| generic \| history \| traffic \| virus \| voip \| webfilter \| netscan \| waf \| gtp \| dns \| ssh \| ANY-TYPE}	The log type (default = traffic).
Variables for `config log-filter` subcommand: This command is only available when the `mode` is set to `forwarding` and `log-field-status` is set to `enable`.
<id>	Enter the log filter ID or enter a number to create a new entry.
field {type \| logid \| level \| devid \| vd \| srcip \| srcintf \| srcport \| dstip \| dstintf \| dstport \| user \| group \| free-text}	Field name (default = type).
oper {= \| != \| < \| > \| <= \| >= \| contain \| not-contain \| match}	Field filter operator (default = =).
value {traffic \| event \| utm}	Field filter operand or free-text matching expression. This variable uses the glibc regex library for values with operators (~,!~), using the POSIX standard. Filter string syntax is parsed by FortiAnalyzer, escape characters must be use when needed, and both upper and lower case characters are supported. For example: `"a ~ \"regexp\" and (c==d OR e==f)"`

log-forward

Use the following commands to configure log forwarding.

Syntax

config system log-forward

edit <id>

set mode {aggregation | disable | forwarding}

set agg-archive-types {Web_Archive Secure_Web_Archive Email_Archive File_Transfer_Archive IM_Archive MMS_Archive AV_Quarantine IPS_Packets}

set agg-logtypes {none app-ctrl attack content dlp emailfilter event generic history traffic virus webfilter netscan fct-event fct-traffic fct-netscan waf gtp dns ssh}

set agg-password <passwd>

set agg-time <integer>

set agg-user <string>

set fwd-archives {enable | disable}

set fwd-archive-types {Web_Archive Email_Archive IM_Archive File_Transfer_Archive MMS_Archive AV_Quarantine IPS_Packets EDISC_Archive}

set fwd-log-source-ip {local_ip | original_ip}

set fwd-max-delay {1min | 5min | realtime}

set fwd-reliable {enable | disable}

set fwd-secure {enable | disable}

set fwd-server-type {cef | fortianalyzer | syslog}

set log-field-exclusion-status {enable | disable}

set log-filter-logic {and | or}

set log-filter-status {enable | disable}

set proxy-service {enable | disable}

set proxy-service-priority <integer>

set server-device <string>

set server-ip <ipv4_address>

set server-name <string>

set server-port <integer>

set signature <integer>

set sync-metadata [sf-topology | interface-role | device | endusr-avatar]

config device-filter

edit <id>

set action {include}

set device <string>

end

config log-field-exclusion

edit <id>

set dev-type {FortiGate | FortiMail | FortiManager | FortiAnalyzer | FortiWeb | FortiCache | FortiSandbox | FortiDDoS | Syslog}

set field-list <string>

set log-type {app-ctrl | attack | content | dlp | emailfilter | event | generic | history | traffic | virus | voip | webfilter | netscan | waf | gtp | dns | ssh | ANY-TYPE}

end

config log-filter

edit <id>

set field {type | logid | level | devid | vd | srcip | srcintf | srcport | dstip | dstintf | dstport | user | group | free-text }

set oper {= | != | < | > | <= | >= | contain | not-contain | match}

set value {traffic | event | utm}

end

Variable	Description
<id>	Enter the log aggregation ID that you want to edit.
mode {aggregation \| disable \| forwarding}	Log aggregation mode: `aggregation`: Aggregate logs to FortiAnalyzer `disable`: Do not forward or aggregate logs (default) `forwarding`: Forward logs to the FortiAnalyzer
agg-archive-types {Web_Archive Secure_Web_Archive Email_Archive File_Transfer_Archive IM_Archive MMS_Archive AV_Quarantine IPS_Packets}	Archive type (default = all options). This command is only available when the mode is set to `aggregation`.
agg-logtypes {none app-ctrl attack content dlp emailfilter event generic history traffic virus webfilter netscan fct-event fct-traffic fct-netscan waf gtp dns ssh}	Log type (default = all options). This command is only available when the mode is set to `aggregation`.
agg-password <passwd>	Log aggregation access password for server. This command is only available when the mode is set to `aggregation`.
agg-time <integer>	Daily at the selected time (0 - 23, default = 0). This command is only available when the mode is set to `aggregation`.
agg-user <string>	Log aggregation access user name for server. This command is only available when the mode is set to `aggregation`.
fwd-archives {enable \| disable}	Enable/disable forwarding archives (default = enable). This command is only available when the mode is set to `forwarding`.
fwd-archive-types {Web_Archive Email_Archive IM_Archive File_Transfer_Archive MMS_Archive AV_Quarantine IPS_Packets EDISC_Archive}	Set the forwarding archive types (default = all options). This command is only available when the mode is set to `forwarding`.
fwd-facility {alert \| audit \| auth \| authpriv \| clock \| cron \| daemon \| ftp \| kernel \| local0 \| local1 \| local2 \| local3 \| local4 \| local5 \| local6 \| local7 \| lpr \| mail \| news \| ntp \| syslog \| user \| uucp}	Facility for remote syslog (default = local7). `alert`: Log alert `audit`: Log audit `auth`: Security/authorization messages `authpriv`: Security/authorization messages (private) `clock`: Clock daemon `cron`: Clock daemon `daemon`: System daemons `ftp`: FTP daemon `kernel`: Kernel messages `local0`, `local1`, `local2`, `local3`, `local4`, `local5`, `local6`, `local7`: Reserved for local use `lpr`: Line printer subsystem `mail`: Mail system `news`: Network news subsystem `ntp`: NTP daemon `syslog`: Messages generated internally by `syslogd` `user`: Random user level messages `uucp`: Network news subsystem This command is only available when the mode is set to `forwarding`.
fwd-log-source-ip {local_ip \| original_ip}	The logs source IP address (default = local_ip). This command is only available when the mode is set to `forwarding`.
fwd-max-delay {1min \| 5min \| realtime}	The maximum delay for near realtime log forwarding. `1min`: Near realtime forwarding with up to one minute delay. `5min`: Near realtime forwarding with up to five minutes delay (default). `realtime`: Realtime forwarding, no delay. This command is only available when the mode is set to `forwarding`.
fwd-reliable {enable \| disable}	Enable/disable reliable logging (default = disable). This command is only available when the mode is set to `forwarding`. `fwd-remote-server` must be `syslog` to support reliable forwarding.
fwd-secure {enable \| disable}	Enable/disable TLS/SSL secured reliable logging (default = disable). This command is only available when the mode is set to `forwarding`, `fwd-reliable` is enabled, and `fwd-server-type` is set to `syslog`.
fwd-server-type {cef \| fortianalyzer \| syslog}	Forwarding all logs to a CEF (Common Event Format) server, syslog server, or the FortiAnalyzer device (default = fortianalyzer). This command is only available when the mode is set to `forwarding`.
log-field-exclusion-status {enable \| disable}	Enable/disable log field exclusion list (default = disable). This command is only available when the mode is set to `forwarding` and `fwd-server-type` is set to `cef` or `syslog`.
log-filter-logic {and \| or}	Logic operator used to connect filters (default = or). This command is only available when `log-filter-status` is enabled.
log-filter-status {enable \| disable}	Enable/disable log filtering (default = disable). This command is only available when the mode is set to `forwarding`.
proxy-service {enable \| disable}	Enable/disable proxy service under collector mode (default = enable). This command is only available when the mode is set to `forwarding`.
proxy-service-priority <integer>	Proxy service priority from 1 (lowest) to 20 (highest) (default = 10). This command is only available when the mode is set to `forwarding`.
server-device <id>	Log aggregation server device ID.
server-ip <ipv4_address>	Remote server IPv4 address.
server-name <string>	Log aggregation server name.
server-port <integer>	Enter the server listen port (1 - 65535, default = 514). This command is only available when the mode is set to `forwarding`.
signature <integer>	This field is auto-generated and should not be set.
sync-metadata [sf-topology \| interface-role \| device \| endusr-avatar]	Synchronizing metadata types: `sf-topology`: Security Fabric topology `interface-role`: Interface Role `device`: Device information `endusr-avatar`: End-user avatar This command is only available when the mode is set to `forwarding`.
Variables for `config device-filter` subcommand:
<id>	Enter the device filter ID or enter a number to create a new entry.
action {include}	Include the specified device.
device <string>	Device ID of log client devices, or all of a device type.
Variables for `config log-field-exclusions` subcommand: This command is only available when the `mode` is set to `forwarding` and `log-field-exclusions-status` is set to `enable`.
<id>	Enter a device filter ID or enter a number to create a new entry.
dev-type {FortiGate \| FortiMail \| FortiManager \| FortiAnalyzer \| FortiWeb \| FortiCache \| FortiSandbox \| FortiDDoS \| Syslog}	The device type (default = FortiGate).
field-list <string>	The field type. Enter a comma separated list from the available fields.
log-type {app-ctrl \| attack \| content \| dlp \| emailfilter \| event \| generic \| history \| traffic \| virus \| voip \| webfilter \| netscan \| waf \| gtp \| dns \| ssh \| ANY-TYPE}	The log type (default = traffic).
Variables for `config log-filter` subcommand: This command is only available when the `mode` is set to `forwarding` and `log-field-status` is set to `enable`.
<id>	Enter the log filter ID or enter a number to create a new entry.
field {type \| logid \| level \| devid \| vd \| srcip \| srcintf \| srcport \| dstip \| dstintf \| dstport \| user \| group \| free-text}	Field name (default = type).
oper {= \| != \| < \| > \| <= \| >= \| contain \| not-contain \| match}	Field filter operator (default = =).
value {traffic \| event \| utm}	Field filter operand or free-text matching expression. This variable uses the glibc regex library for values with operators (~,!~), using the POSIX standard. Filter string syntax is parsed by FortiAnalyzer, escape characters must be use when needed, and both upper and lower case characters are supported. For example: `"a ~ \"regexp\" and (c==d OR e==f)"`

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

CLI Reference

log-forward

log-forward

Syntax

log-forward

log-forward

Syntax