CLI Reference

log-forward

Use the following commands to configure log forwarding.

Syntax

config system log-forward

edit <id>

set mode {aggregation | disable | forwarding}

set agg-archive-types {Web_Archive Secure_Web_Archive Email_Archive File_Transfer_Archive IM_Archive MMS_Archive AV_Quarantine IPS_Packets}

set agg-data-end-time <hh:mm yyyy/mm/dd>

set agg-data-start-time <hh:mm> <yyyy/mm/dd>

set agg-logtypes {none app-ctrl attack content dlp emailfilter event generic history traffic virus webfilter netscan fct-event fct-traffic fct-netscan waf gtp dns ssh}

set agg-password <passwd>

set agg-schedule {daily | on-demand}

set agg-time <integer>

set agg-user <string>

set fwd-archives {enable | disable}

set fwd-archive-types {Web_Archive Email_Archive IM_Archive File_Transfer_Archive MMS_Archive AV_Quarantine IPS_Packets EDISC_Archive}

set fwd-compression {enable | disable}

set fwd-facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}

set fwd-ha-bind-vip {enable | disable}

set fwd-log-source-ip {local_ip | original_ip}

set fwd-max-delay {1min | 5min | realtime}

set fwd-reliable {enable | disable}

set fwd-secure {enable | disable}

set fwd-server-type {cef | fortianalyzer | syslog}

set fwd-syslog-format {fgt | rfc-5424}

set log-field-exclusion-status {enable | disable}

set log-filter-logic {and | or}

set log-filter-status {enable | disable}

set log-masking-custom-priority disable

set log-masking-fields {domain dstip dstname email message srcip srcmac srcname user}

set log-masking-key <passwd>

set log-masking-status {enable | disable}

set pcapurl-enrich

set pcapurl-domain-ip

set peer-cert-cn <string>

set proxy-service {enable | disable}

set proxy-service-priority <integer>

set server-addr <string>

set server-device <string>

set server-name <string>

set server-port <integer>

set signature <integer>

set sync-metadata [sf-topology | interface-role | device | endusr-avatar]

config device-filter

edit <id>

set action {include}

set adom <string>

set device <string>

end

config log-field-exclusion

edit <id>

set dev-type {FortiGate | FortiMail | FortiManager | FortiAnalyzer | FortiWeb | FortiCache | FortiSandbox | FortiDDoS | Syslog}

set field-list <string>

set log-type {app-ctrl | attack | content | dlp | emailfilter | event | generic | history | traffic | virus | voip | webfilter | netscan | waf | gtp | dns | ssh | ANY-TYPE}

end

config log-filter

edit <id>

set field {type | logid | level | devid | vd | srcip | srcintf | srcport | dstip | dstintf | dstport | user | group | free-text }

set oper {= | != | < | > | <= | >= | contain | not-contain | match}

set value {traffic | event | utm}

end

config log-masking-custom

edit <id>

set field-name <string>

set field-type {email | ip | mac | string | unknown}

end

end

Variable

Description

<id>

Enter the log aggregation ID that you want to edit.

mode {aggregation | disable | forwarding}

Log aggregation mode:

  • aggregation: Aggregate logs to FortiAnalyzer
  • disable: Do not forward or aggregate logs (default)
  • forwarding: Forward logs to the FortiAnalyzer

agg-archive-types {Web_Archive Secure_Web_Archive Email_Archive File_Transfer_Archive IM_Archive MMS_Archive AV_Quarantine IPS_Packets}

Archive type (default = all options). This command is only available when the mode is set to aggregation.

agg-data-end-time <hh:mm yyyy/mm/dd>

Enter the end date and time of the data-range <hh:mm yyyy/mm/dd>. This command is only available when the mode is set to aggregation.

Note: Use a colon to separate the hour and minute values, and a slash to separate the year, month, and day values.

agg-data-start-time <hh:mm> <yyyy/mm/dd>

Enter the start date and time of the data-range <hh:mm yyyy/mm/dd>. This command is only available when the mode is set to aggregation.

Note: Use a colon to separate the hour and minute values, and a slash to separate the year, month, and day values.

agg-logtypes {none app-ctrl attack content dlp emailfilter event generic history traffic virus webfilter netscan fct-event fct-traffic fct-netscan waf gtp dns ssh}

Log type (default = all options). This command is only available when the mode is set to aggregation.

agg-password <passwd>

Log aggregation access password for server. This command is only available when the mode is set to aggregation.

agg-schedule {daily | on-demand}

Schedule log aggregation mode (default = daily):

  • daily: Run daily log aggregation.
  • on-demand: Run log aggregation on demand.

This command is only available when the mode is set to aggregation.

agg-time <integer>

Daily at the selected time (0 - 23, default = 0). This command is only available when the mode is set to aggregation.

agg-user <string>

Log aggregation access user name for server. This command is only available when the mode is set to aggregation.

fwd-archives {enable | disable}

Enable/disable forwarding archives (default = enable). This command is only available when the mode is set to forwarding.

fwd-archive-types {Web_Archive Email_Archive IM_Archive File_Transfer_Archive MMS_Archive AV_Quarantine IPS_Packets EDISC_Archive}

Set the forwarding archive types (default = all options). This command is only available when the mode is set to forwarding.

fwd-compression {enable | disable}

Enable/disable compression for better bandwidth efficiency (default = disable). This command is only available when the mode is set to forwarding.

fwd-facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}

Facility for remote syslog (default = local7).

  • alert: Log alert
  • audit: Log audit
  • auth: Security/authorization messages
  • authpriv: Security/authorization messages (private)
  • clock: Clock daemon
  • cron: Clock daemon
  • daemon: System daemons
  • ftp: FTP daemon
  • kernel: Kernel messages
  • local0, local1, local2, local3, local4, local5, local6, local7: Reserved for local use
  • lpr: Line printer subsystem
  • mail: Mail system
  • news: Network news subsystem
  • ntp: NTP daemon
  • syslog: Messages generated internally by syslogd
  • user: Random user level messages
  • uucp: UUCP subsystem

This command is only available when the mode is set to forwarding.

Note

The facility will only be included in the forwarded logs when the fwd-server-type = syslog.

fwd-ha-bind-vip {enable | disable}

Always use VIP as the forwarding port when HA is enabled (default = enable).

This command is only available when the mode is set to forwarding.

fwd-log-source-ip {local_ip | original_ip}

Source IP address used for the forwarded logs (default = local_ip). This command is only available when the mode is set to forwarding.

fwd-max-delay {1min | 5min | realtime}

The maximum delay for near realtime log forwarding.

  • 1min: Near realtime forwarding with up to one minute delay.
  • 5min: Near realtime forwarding with up to five minutes delay (default).
  • realtime: Realtime forwarding, no delay.

This command is only available when the mode is set to forwarding.

fwd-reliable {enable | disable}

Enable/disable reliable logging (default = disable). This command is only available when the mode is set to forwarding.

fwd-secure {enable | disable}

Enable/disable TLS/SSL secured reliable logging (default = disable). This command is only available when the mode is set to forwarding, fwd-reliable is enabled, and fwd-server-type is set to cef or syslog.

fwd-server-type {cef | fortianalyzer | syslog}

Forwarding all logs to a CEF (Common Event Format) server, syslog server, or the FortiAnalyzer device (default = fortianalyzer). This command is only available when the mode is set to forwarding.

fwd-syslog-format {fgt | rfc-5424}

Forwarding format for syslog.

  • fgt: FortiGate syslog format (default).
  • rfc-5424: RFC 5424 syslog format.

This command is only available when the mode is set to forwarding and fwd-server-type is syslog.

log-field-exclusion-status {enable | disable}

Enable/disable log field exclusion list (default = disable). This command is only available when the mode is set to forwarding and fwd-server-type is set to cef or syslog.

log-filter-logic {and | or}

Logic operator used to connect filters (default = or). This command is only available when log-filter-status is enabled.

log-filter-status {enable | disable}

Enable/disable log filtering (default = disable). This command is only available when the mode is set to forwarding.

log-masking-custom-priority disable

Disable custom field search priority.

This command is only available when the mode is set to forwarding and log-masking-status is enabled.

log-masking-fields {domain dstip dstname email message srcip srcmac srcname user}

Log fields to mask.

This command is only available when the mode is set to forwarding and log-masking-status is enabled.

log-masking-key <passwd>

Enter the log field masking key.

This command is only available when the mode is set to forwarding and log-masking-status is enabled.

log-masking-status {enable | disable}

Enable/disable log field masking (default = disable). This command is only available when the mode is set to forwarding.

pcapurl-enrich

pcapurl-domain-ip

peer-cert-cn <string>

proxy-service {enable | disable}

Enable/disable proxy service under collector mode (default = enable). This command is only available when the mode is set to forwarding.

proxy-service-priority <integer>

Proxy service priority from 1 (lowest) to 20 (highest) (default = 10). This command is only available when the mode is set to forwarding.

server-addr <string>

Remote server address.

server-device <id>

Log aggregation server device ID.

server-name <string>

Log aggregation server name.

server-port <integer>

Enter the server listen port (1 - 65535, default = 514). This command is only available when the mode is set to forwarding.

signature <integer>

This field is auto-generated and should not be set.

sync-metadata [sf-topology | interface-role | device | endusr-avatar]

Synchronizing metadata types:

  • sf-topology: Security Fabric topology
  • interface-role: Interface Role
  • device: Device information
  • endusr-avatar: End-user avatar

This command is only available when the mode is set to forwarding.

Variables for config device-filter subcommand:

<id>

Enter the device filter ID or enter a number to create a new entry.

action {include}

Include the specified device.

adom <string>

Enter the ADOM name from the following:

  • FortiAnalyzer
  • FortiAuthenticator
  • FortiCache
  • FortiCarrier
  • FortiClient
  • FortiDDoS
  • FortiDeceptor
  • FortiFirewall
  • FortiFirewallCarrier
  • FortiMail
  • FortiManager
  • FortiProxy
  • FortiSandbox
  • FortiWeb
  • Syslog
  • Unmanaged_Devices
  • root

Alternatively, enter (null) for all ADOM(s) or a wildcard expression matching ADOM(s).

device <string>

Device ID of log client device, or a wildcard expression matching log client device(s).

Variables for config log-field-exclusion subcommand:

This command is only available when the mode is set to forwarding and log-field-exclusion-status is set to enable.

<id>

Enter the log field exclusion ID or enter a number to create a new entry.

dev-type {FortiGate | FortiMail | FortiManager | FortiAnalyzer | FortiWeb | FortiCache | FortiSandbox | FortiDDoS | Syslog}

The device type (default = FortiGate).

field-list <string>

The fields to exclude. Enter a comma-separated list from the available fields.

log-type {app-ctrl | attack | content | dlp | emailfilter | event | generic | history | traffic | virus | voip | webfilter | netscan | waf | gtp | dns | ssh | ANY-TYPE}

The log type (default = traffic).

Variables for config log-filter subcommand:

This command is only available when the mode is set to forwarding and log-filter-status is set to enable.

<id>

Enter the log filter ID or enter a number to create a new entry.

field {type | logid | level | devid | vd | srcip | srcintf | srcport | dstip | dstintf | dstport | user | group | free-text}

Field name (default = type).

oper {= | != | < | > | <= | >= | contain | not-contain | match}

Field filter operator (default = =).

value {traffic | event | utm}

Field filter operand or free-text matching expression.

This variable uses the glibc regex library for values with operators (~,!~), using the POSIX standard. The filter string syntax is parsed by FortiAnalyzer; escape characters must be used when needed, and both upper and lower case characters are supported.

For example: "a ~ \"regexp\" and (c==d OR e==f)"

Variables for log-masking-custom subcommand:

This command is only available when the mode is set to forwarding and log-masking-status is enabled.

<id>

Enter the log field masking ID or enter a number to create a new entry.

field-name <string>

Field name.

field-type {email | ip | mac | string | unknown}

Field type (default = unknown).
