Fortinet black logo

Administration Guide

Types of logs collected for each device

Types of logs collected for each device

FortiAnalyzer can collect logs from the following device types: FortiAnalyzer, FortiAuthenticator, FortiCache, FortiCarrier, FortiClient, FortiDDoS, FortiDeceptor, FortiGate, FortiMail, FortiManager, FortiNAC, FortiNDR (formerly FortiAI), FortiProxy, FortiSandbox, FortiSOAR, FortiWeb, and Syslog servers. Following is a description of the types of logs FortiAnalyzer collects from each type of device:

Device Type

Log Type

Fabric

All

FortiAnalyzer

Event, Application

FortiAuthenticator

Event

FortiGate

Traffic

Security: Antivirus, Intrusion Prevention, Application Control, Web Filter, File Filter, DNS, Data Leak Prevention, Email Filter, Web Application Firewall, Vulnerability Scan, VoIP, FortiClient

Event: Endpoint, HA, Compliance, System, Router, VPN, User, WAN Opt. & Cache, WiFi

Note

File Filter logs are sent when the File Filter sensor is enabled in the FortiOS Web Filter profile. You can enable the File Filter sensor in FortiOS at Security Profiles > Web Filters.

FortiCarrier

Traffic, Event, GTP

FortiCache

Traffic, Event, Antivirus, Web Filter

FortiClient

Traffic, Event, Vulnerability Scan

FortiDDoS

Event, Intrusion Prevention

FortiDeceptor

Event

FortiMail

History, Event, Antivirus, Email Filter.

Note

FortiMail logs support cross-log functionality. When viewing History, Event, Antivirus, or Email Filter logs from FortiMail, you can click on the Session ID to see correlated logs.

Note

When VDOMs are used to divide FortiMail into two or more virtual units, cross-log searches display correlated log data from FortiMail’s VDOMs, including those assigned to different ADOMs. VDOM results are included only when performing the cross-log search through FortiMail's History log view, but results include correlated data for all available log types (History, Events, Antivirus, and Email Filter).

FortiManager

Event

FortiNAC

Event

FortiNDR

Event, NDR

Attack: Attack Chain, Malware

FortiProxy

Traffic, Event, Antivirus, Web Filter

FortiSandbox

Malware, Network Alerts

FortiSOAR

Event

FortiWeb

Event, Intrusion Prevention, Traffic

Tooltip

You can view a subset of FortiWEB packet logs which contain additional HTTP request information. See Viewing message details.

Syslog

Generic

The logs displayed on your FortiAnalyzer depends on the device type logging to it and the enabled features.

ADOMs must be enabled to support non-FortiGate logging. In a Security Fabric ADOM, all device logs are displayed.

Traffic logs

Traffic logs record the traffic flowing through your FortiGate unit. Since traffic needs firewall policies to properly flow through FortiGate, this type of logging is also called firewall policy logging. Firewall policies control all traffic attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN sub-interfaces.

ZTNA logs: FortiAnalyzer syncs unified ZTNA logs with FortiGate. ZTNA logs are a sub-type of FortiGate traffic logs, and can be viewed in Log View > FortiGate > Traffic. You can filter for ZTNA logs using the sub-type filter and optionally create a custom view for ZTNA logs. See Custom views.

Security logs

Security logs (FortiGate) record all antivirus, web filtering, file filtering, application control, intrusion prevention, email filtering, data leak prevention, vulnerability scan, and VoIP activity on your managed devices.

DNS logs

DNS logs (FortiGate) record the DNS activity on your managed devices.

Event logs

Event logs record administration management and Fortinet device system activity, such as when a configuration changes, or admin login or HA events occur. Event logs are important because they record Fortinet device system activity which provides valuable information about how your Fortinet unit is performing. FortiGate event logs includes System, Router, VPN, User, and WiFi menu objects to provide you with more granularity when viewing and searching log data.

Application Logs

Application logs record playbook and incident activity on FortiAnalyzer. Logs are generated and stored separately for each ADOM. Application logs can only be viewed on the local FortiAnalyzer.

Fabric (SIEM) Logs

Fabric logs are a licensed feature that enables FortiAnalyzer's SIEM capabilities to parse, normalize, and correlate logs from Fortinet products as well as security event logs of Windows and Linux hosts (with Fabric Agent integration). When licensed, parsing is predefined by FortiAnalyzer and does not require manual configuration by administrators.

Tooltip

A SIEM database is automatically created for Fabric ADOMs once a SIEM license has been applied to FortiAnalyzer and Fabric devices begin logging. Past logs and imported log files are not included in the SIEM database.

Types of logs collected for each device

FortiAnalyzer can collect logs from the following device types: FortiAnalyzer, FortiAuthenticator, FortiCache, FortiCarrier, FortiClient, FortiDDoS, FortiDeceptor, FortiGate, FortiMail, FortiManager, FortiNAC, FortiNDR (formerly FortiAI), FortiProxy, FortiSandbox, FortiSOAR, FortiWeb, and Syslog servers. Following is a description of the types of logs FortiAnalyzer collects from each type of device:

Device Type

Log Type

Fabric

All

FortiAnalyzer

Event, Application

FortiAuthenticator

Event

FortiGate

Traffic

Security: Antivirus, Intrusion Prevention, Application Control, Web Filter, File Filter, DNS, Data Leak Prevention, Email Filter, Web Application Firewall, Vulnerability Scan, VoIP, FortiClient

Event: Endpoint, HA, Compliance, System, Router, VPN, User, WAN Opt. & Cache, WiFi

Note

File Filter logs are sent when the File Filter sensor is enabled in the FortiOS Web Filter profile. You can enable the File Filter sensor in FortiOS at Security Profiles > Web Filters.

FortiCarrier

Traffic, Event, GTP

FortiCache

Traffic, Event, Antivirus, Web Filter

FortiClient

Traffic, Event, Vulnerability Scan

FortiDDoS

Event, Intrusion Prevention

FortiDeceptor

Event

FortiMail

History, Event, Antivirus, Email Filter.

Note

FortiMail logs support cross-log functionality. When viewing History, Event, Antivirus, or Email Filter logs from FortiMail, you can click on the Session ID to see correlated logs.

Note

When VDOMs are used to divide FortiMail into two or more virtual units, cross-log searches display correlated log data from FortiMail’s VDOMs, including those assigned to different ADOMs. VDOM results are included only when performing the cross-log search through FortiMail's History log view, but results include correlated data for all available log types (History, Events, Antivirus, and Email Filter).

FortiManager

Event

FortiNAC

Event

FortiNDR

Event, NDR

Attack: Attack Chain, Malware

FortiProxy

Traffic, Event, Antivirus, Web Filter

FortiSandbox

Malware, Network Alerts

FortiSOAR

Event

FortiWeb

Event, Intrusion Prevention, Traffic

Tooltip

You can view a subset of FortiWEB packet logs which contain additional HTTP request information. See Viewing message details.

Syslog

Generic

The logs displayed on your FortiAnalyzer depends on the device type logging to it and the enabled features.

ADOMs must be enabled to support non-FortiGate logging. In a Security Fabric ADOM, all device logs are displayed.

Traffic logs

Traffic logs record the traffic flowing through your FortiGate unit. Since traffic needs firewall policies to properly flow through FortiGate, this type of logging is also called firewall policy logging. Firewall policies control all traffic attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN sub-interfaces.

ZTNA logs: FortiAnalyzer syncs unified ZTNA logs with FortiGate. ZTNA logs are a sub-type of FortiGate traffic logs, and can be viewed in Log View > FortiGate > Traffic. You can filter for ZTNA logs using the sub-type filter and optionally create a custom view for ZTNA logs. See Custom views.

Security logs

Security logs (FortiGate) record all antivirus, web filtering, file filtering, application control, intrusion prevention, email filtering, data leak prevention, vulnerability scan, and VoIP activity on your managed devices.

DNS logs

DNS logs (FortiGate) record the DNS activity on your managed devices.

Event logs

Event logs record administration management and Fortinet device system activity, such as when a configuration changes, or admin login or HA events occur. Event logs are important because they record Fortinet device system activity which provides valuable information about how your Fortinet unit is performing. FortiGate event logs includes System, Router, VPN, User, and WiFi menu objects to provide you with more granularity when viewing and searching log data.

Application Logs

Application logs record playbook and incident activity on FortiAnalyzer. Logs are generated and stored separately for each ADOM. Application logs can only be viewed on the local FortiAnalyzer.

Fabric (SIEM) Logs

Fabric logs are a licensed feature that enables FortiAnalyzer's SIEM capabilities to parse, normalize, and correlate logs from Fortinet products as well as security event logs of Windows and Linux hosts (with Fabric Agent integration). When licensed, parsing is predefined by FortiAnalyzer and does not require manual configuration by administrators.

Tooltip

A SIEM database is automatically created for Fabric ADOMs once a SIEM license has been applied to FortiAnalyzer and Fabric devices begin logging. Past logs and imported log files are not included in the SIEM database.