Fortinet white logo
Fortinet white logo

CLI Reference

log

log

Use the following commands to configure log settings.

log alert

Use this command to configure log based alert settings.

Syntax

config system log alert

set max-alert-count <integer>

end

Variable

Description

max-alert-count <integer>

Maximum number of alerts supported (100 - 50000, default = 10000).

log device-disable

Use this command to disable the client device logging.

Syntax

config system log device-disable

edit <id>

set device <string>

set TTL <string>

end

Variable

Description

<id>

The device ID.

device <string>

The device ID to be used for disabling logging.

Note: The device ID is not checked against the currently registered devices in the system. The entered device ID is ignored if no match is found.

TTL <string>

Set the duration for Time to Live (TTL). For instance, enter 1d5h for 1 day and 5 hours.

Supported units:

  • d- day.

  • h- hour.

  • m- minute.

  • s- second.

Leave the field unset for no expiration.

Note: Do not input auto generated part from [expire:.

fos-policy-stats

Use this command to configure FortiOS policy statistics settings.

Syntax

config system log fos-policy-stats

set retention-days <integer>

set sampling-interval <integer>

set status{enable | disable}

end

Variable

Description

retention-days <integer>

The number of days that FortiOS policy stats are stored (60 - 1825, default = 365).

sampling-interval <integer>

The interval in which policy stats data are received from FortiOS devices, in minutes (5 - 1440, default = 60).

status {enable | disable}

Enable/disable FortiOS policy statistics feature (default = enable).


log interface-stats

Use this command to configure log based interface statistics settings.

Syntax

config system log interface-stats

set billing-report {enable | disable}

set retention-days <integer>

set sampling-interval <integer>

set status {enable | disable}

end

Variable

Description

billing-report {enable | disable}

Enable/disable billing report feature (default = disable).

retention-days <integer>

The number of days that interface data are stored (0 - 2000, default = 100).

sampling-interval <integer>

The interval in which interface data are received from FortiGate devices, in seconds (300 - 86400, default = 1200).

status {enable | disable}

Enable/disable interface statistics (default = enable).

log ioc

Use this command to configure log based IoC (Indicators of Compromise) settings.

Syntax

config system log ioc

set notification {enable | disable}

set notification-throttle <integer>

set rescan-max-runner <integer>

set rescan-run-at <integer>

set rescan-status {enable | disable}

set status {enable | disable}

end

Variable

Description

notification {enable | disable}

Enable/disable IoC notification (default = enable).

notification-throttle <integer>

Set the minute value for throttling the rate of IoC notifications (1 - 10080, default = 1440).

rescan-max-runner <integer>

Set the maximum number of concurrent IoC rescans (1 to CPU count, default = 8).

rescan-run-at <integer>

Set the hour of the day when IoC rescan runs (1 - 24, 0 = run immediately, default = 24).

rescan-status {enable | disable}

Enable/disable IoC rescan (default = enable).

status {enable | disable}

Enable/disable the IoC feature (default = enable).

log mail-domain

Use this command to configure FortiMail domain settings.

Syntax

config system log mail-domain

edit <id>

set devices <string>

set domain <string>

set vdom <string>

end

Variable

Description

<id>

The ID of the FortiMail domain.

devices <string>

The device IDs for domain to VDOM mapping, separated by commas (default = All_FortiMails).

For example: FEVM020000000000,FEVM020000000001

domain <string>

The FortiMail domain.

vdom <string>

The VDOM name that is mapping to the FortiMail domain.

log ratelimit

Use this command to log the rate limit.

Syntax

config system log ratelimit

set device-ratelimit-default <integer>

set mode {disable | manual}

set system-ratelimit <integer>

config ratelimits

edit id

set filter <string>

set filter-type {adom | devid}

set ratelimit <integer>

end

end

Variable

Description

device-ratelimit-default <integer>

The default maximum device log rate limit (default = 0).

Note: This command is only available when the mode is set to manual.

mode {disable | manual}

The logging rate limit mode (default = disable).

In the manual mode, the system rate limit and the device rate limit both are configurable, no limit if not configured.

system-ratelimit <integer>

The maximum system log rate limit (default = 0).

Note: This command is only available when the mode is set to manual.

ratelimits

The device log rate limit.

Variables for config ratelimits subcommand:

<id>

The device id.

filter <string>

The device(s) or ADOM filter according to the filter-type setting.

Note: Wildcard expression is supported.

filter-type { adom | devid}

The device filter type (default = devid):

  • adom: ADOM name.

  • devid: Device ID.

ratelimit <integer>

The maximum device log rate limit (default = 0).

log settings

Use this command to configure settings for logs.

Syntax

config system log settings

set browse-max-logfiles <integer>

set device-auto-detect {enable | disable}

set dns-resolve-dstip {enable | disable}

set download-max-logs <integer>

set FAC-custom-field1 <string>

set FCH-custom-field1 <string>

set FCT-custom-field1 <string>

set FDD-custom-field1 <string>

set FGT-custom-field1 <string>

set FML-custom-field1 <string>

set FPX-custom-field1 <string>

set FSA-custom-field1 <string>

set FWB-custom-field1 <string>

set ha-auto-migrate {enable | disable}

set import-max-logfiles <integer>

set keep-dev-logs {enable | disable}

set log-file-archive-name {basic | extended}

set log-interval-dev-no-logging <interger>

set log-upload-interval-dev-no-logging <interval>

set sync-search-timeout <integer>

set unencrypted-logging {enable | disable}

config {rolling-regular | rolling-local | rolling-analyzer}

set days {fri | mon| sat | sun | thu | tue | wed}

set del-files {enable | disable}

set directory <string>

set file-size <integer>

set gzip-format {enable | disable}

set hour <integer>

set log-format {csv | native | text}

set min <integer>

set password <passwd>

set password2 <passwd>

set password3 <passwd>

set port <integer>

set port2 <integer>

set port3 <integer>

set rolling-upgrade-status <integer>

set server <string>

set server-type {ftp | scp | sftp}

set server2 <string>

set server3 <string>

set upload {enable | disable}

set upload-hour <integer>

set upload-mode {backup | mirror}

set upload-trigger {on-roll | on-schedule}

set username <string>

set username2 <string>

set username3 <string>

set when {daily | none | weekly}

end

end

Variable

Description

browse-max-logfiles <integer>

Maximum number of log files for each log browse attempt, per ADOM (default = 10000).

device-auto-detect {enable | disable}

Enable/disable looking up device ID in syslog received with no encryption (default = enable).

dns-resolve-stip {enable | disable}

Enable/disable resolving destination IP by DNS (default = disable).

download-max-logs <integer>

Maximum number of logs for each log download attempt (default = 100000).

FAC-custom-field1 <string>

Enter a name of the custom log field to index (character limit = 31).

FCH-custom-field1 <string>

Enter a name of the custom log field to index (character limit = 31).

FCT-custom-field1 <string>

Enter a name of the custom log field to index (character limit = 31).

FDD-custom-field1 <string>

Enter a name of the custom log field to index (character limit = 31).

FGT-custom-field1 <string>

Enter a name of the custom log field to index (character limit = 31).

FML-custom-field1 <string>

Enter a name of the custom log field to index (character limit = 31).

FPX-custom-field1 <string>

Enter a name of the custom log field to index (character limit = 31).

FSA-custom-field1 <string>

Enter a name of the custom log field to index (character limit = 31).

FWB-custom-field1 <string>

Enter a name of the custom log field to index (character limit = 31).

ha-auto-migrate {enable | disable}

Enabled/disable automatically merging HA member's logs to HA cluster (default = disable).

import-max-logfiles <integer>

Maximum number of log files for each log import attempt (default = 10000).

keep-dev-logs {enable | disable}

Enable/disable keeping the device logs after the device has been deleted (default = disable).

log-file-archive-name {basic | extended}

Log file name format for archiving.

  • basic: Basic format for log archive file name (default), for example:

    FGT20C0000000001.tlog.1417797247.log.

  • extended: Extended format for log archive file name, for example:

    FGT20C0000000001.2014-12-05-08:34:58.tlog.1417797247.log.

log-interval-dev-no-logging <interger>

Interval in minutes of no log received from a device when considering the device down (default = 15).

log-upload-interval-dev-no-logging <interger>

Interval in minutes of no log uploaded from a device when considering the device down (default = 360).

sync-search-timeout <integer>

The maximum amount of time that a log search session can run in synchronous mode, in seconds (1 - 86400, default = 60).

unencrypted-logging {enable | disable}

Enable/disable receiving syslog through UDP(514) or TCP(514) un-encrypted (default = disable).

Variables for config {rolling-regular | rolling-local | rolling-analyzer} subcommand:

days {fri | mon| sat | sun | thu | tue | wed}

Log files rolling schedule (days of the week). When when is set to weekly, you can configure days, hour, and min values.

del-files {enable | disable}

Enable/disable log file deletion after uploading (default = disable).

directory <string>

The upload server directory (character limit = 127).

file-size <integer>

Roll log files when they reach this size, in megabytes (10 - 1000, default = 200).

gzip-format {enable | disable}

Enable/disable compression of uploaded log files (default = disable).

hour <integer>

The hour of the day that log files are rolled (0 - 23, default = 0).

log-format {csv | native | text}

Format of uploaded log files:

  • csv: CSV (comma-separated value) format.
  • native: Native format (text or compact) (default).
  • text: Text format (convert if necessary).

min <integer>

The minute of the hour that log files are rolled (0 - 59, default = 0).

password <passwd>

password2 <passwd>

password3 <passwd>

Upload server log in passwords (character limit = 128).

port <integer>

port2 <integer>

port3 <integer>

Upload server IP port number.

rolling-upgrade-status <integer>

The rolling upgrade status.

server <string>

server2 <string>

server3 <string>

Upload server FQDN, IPv4, or IPv6 addresses. Configure up to three servers.

server-type {ftp | scp | sftp}

Upload server type (default = ftp).

upload {enable | disable}

Enable/disable log file uploads (default = disable).

upload-hour <integer>

The hour of the day that log files are uploaded (0 - 23, default = 0).

upload-mode {backup | mirror}

Configure upload mode with multiple servers. Servers are tried then used one after the other upon failure to connect.

  • backup: Servers are attempted and used one after the other upon failure to connect (default).
  • mirror: All configured servers are attempted and used.

upload-trigger {on-roll | on-schedule}

Event triggering log files upload:

  • on-roll: Upload log files after they are rolled (default).
  • on-schedule: Upload log files daily.

username <string>

username2 <string>

username3 <string>

Upload server log in usernames (character limit = 35).

when {daily | none | weekly}

Roll log files periodically:

  • daily: Roll log files daily.
  • none: Do not roll log files periodically .
  • weekly: Roll log files on certain days of week (default).

log topology

Use this command to configure settings for the logging topology.

Syntax

config system log topology

set max-depth <integer>

set max-depth-share <integer>

end

Variable

Description

max-depth <integer>

Maximum levels to descend from this device to get the logging topology information (0 - 32, default = 5).

max-depth-share <integer>

Maximum levels to descend from this device to share logging topology information with upstream (0 - 32, default = 5).

log

log

Use the following commands to configure log settings.

log alert

Use this command to configure log based alert settings.

Syntax

config system log alert

set max-alert-count <integer>

end

Variable

Description

max-alert-count <integer>

Maximum number of alerts supported (100 - 50000, default = 10000).

log device-disable

Use this command to disable the client device logging.

Syntax

config system log device-disable

edit <id>

set device <string>

set TTL <string>

end

Variable

Description

<id>

The device ID.

device <string>

The device ID to be used for disabling logging.

Note: The device ID is not checked against the currently registered devices in the system. The entered device ID is ignored if no match is found.

TTL <string>

Set the duration for Time to Live (TTL). For instance, enter 1d5h for 1 day and 5 hours.

Supported units:

  • d- day.

  • h- hour.

  • m- minute.

  • s- second.

Leave the field unset for no expiration.

Note: Do not input auto generated part from [expire:.

fos-policy-stats

Use this command to configure FortiOS policy statistics settings.

Syntax

config system log fos-policy-stats

set retention-days <integer>

set sampling-interval <integer>

set status{enable | disable}

end

Variable

Description

retention-days <integer>

The number of days that FortiOS policy stats are stored (60 - 1825, default = 365).

sampling-interval <integer>

The interval in which policy stats data are received from FortiOS devices, in minutes (5 - 1440, default = 60).

status {enable | disable}

Enable/disable FortiOS policy statistics feature (default = enable).


log interface-stats

Use this command to configure log based interface statistics settings.

Syntax

config system log interface-stats

set billing-report {enable | disable}

set retention-days <integer>

set sampling-interval <integer>

set status {enable | disable}

end

Variable

Description

billing-report {enable | disable}

Enable/disable billing report feature (default = disable).

retention-days <integer>

The number of days that interface data are stored (0 - 2000, default = 100).

sampling-interval <integer>

The interval in which interface data are received from FortiGate devices, in seconds (300 - 86400, default = 1200).

status {enable | disable}

Enable/disable interface statistics (default = enable).

log ioc

Use this command to configure log based IoC (Indicators of Compromise) settings.

Syntax

config system log ioc

set notification {enable | disable}

set notification-throttle <integer>

set rescan-max-runner <integer>

set rescan-run-at <integer>

set rescan-status {enable | disable}

set status {enable | disable}

end

Variable

Description

notification {enable | disable}

Enable/disable IoC notification (default = enable).

notification-throttle <integer>

Set the minute value for throttling the rate of IoC notifications (1 - 10080, default = 1440).

rescan-max-runner <integer>

Set the maximum number of concurrent IoC rescans (1 to CPU count, default = 8).

rescan-run-at <integer>

Set the hour of the day when IoC rescan runs (1 - 24, 0 = run immediately, default = 24).

rescan-status {enable | disable}

Enable/disable IoC rescan (default = enable).

status {enable | disable}

Enable/disable the IoC feature (default = enable).

log mail-domain

Use this command to configure FortiMail domain settings.

Syntax

config system log mail-domain

edit <id>

set devices <string>

set domain <string>

set vdom <string>

end

Variable

Description

<id>

The ID of the FortiMail domain.

devices <string>

The device IDs for domain to VDOM mapping, separated by commas (default = All_FortiMails).

For example: FEVM020000000000,FEVM020000000001

domain <string>

The FortiMail domain.

vdom <string>

The VDOM name that is mapping to the FortiMail domain.

log ratelimit

Use this command to log the rate limit.

Syntax

config system log ratelimit

set device-ratelimit-default <integer>

set mode {disable | manual}

set system-ratelimit <integer>

config ratelimits

edit id

set filter <string>

set filter-type {adom | devid}

set ratelimit <integer>

end

end

Variable

Description

device-ratelimit-default <integer>

The default maximum device log rate limit (default = 0).

Note: This command is only available when the mode is set to manual.

mode {disable | manual}

The logging rate limit mode (default = disable).

In the manual mode, the system rate limit and the device rate limit both are configurable, no limit if not configured.

system-ratelimit <integer>

The maximum system log rate limit (default = 0).

Note: This command is only available when the mode is set to manual.

ratelimits

The device log rate limit.

Variables for config ratelimits subcommand:

<id>

The device id.

filter <string>

The device(s) or ADOM filter according to the filter-type setting.

Note: Wildcard expression is supported.

filter-type { adom | devid}

The device filter type (default = devid):

  • adom: ADOM name.

  • devid: Device ID.

ratelimit <integer>

The maximum device log rate limit (default = 0).

log settings

Use this command to configure settings for logs.

Syntax

config system log settings

set browse-max-logfiles <integer>

set device-auto-detect {enable | disable}

set dns-resolve-dstip {enable | disable}

set download-max-logs <integer>

set FAC-custom-field1 <string>

set FCH-custom-field1 <string>

set FCT-custom-field1 <string>

set FDD-custom-field1 <string>

set FGT-custom-field1 <string>

set FML-custom-field1 <string>

set FPX-custom-field1 <string>

set FSA-custom-field1 <string>

set FWB-custom-field1 <string>

set ha-auto-migrate {enable | disable}

set import-max-logfiles <integer>

set keep-dev-logs {enable | disable}

set log-file-archive-name {basic | extended}

set log-interval-dev-no-logging <interger>

set log-upload-interval-dev-no-logging <interval>

set sync-search-timeout <integer>

set unencrypted-logging {enable | disable}

config {rolling-regular | rolling-local | rolling-analyzer}

set days {fri | mon| sat | sun | thu | tue | wed}

set del-files {enable | disable}

set directory <string>

set file-size <integer>

set gzip-format {enable | disable}

set hour <integer>

set log-format {csv | native | text}

set min <integer>

set password <passwd>

set password2 <passwd>

set password3 <passwd>

set port <integer>

set port2 <integer>

set port3 <integer>

set rolling-upgrade-status <integer>

set server <string>

set server-type {ftp | scp | sftp}

set server2 <string>

set server3 <string>

set upload {enable | disable}

set upload-hour <integer>

set upload-mode {backup | mirror}

set upload-trigger {on-roll | on-schedule}

set username <string>

set username2 <string>

set username3 <string>

set when {daily | none | weekly}

end

end

Variable

Description

browse-max-logfiles <integer>

Maximum number of log files for each log browse attempt, per ADOM (default = 10000).

device-auto-detect {enable | disable}

Enable/disable looking up device ID in syslog received with no encryption (default = enable).

dns-resolve-stip {enable | disable}

Enable/disable resolving destination IP by DNS (default = disable).

download-max-logs <integer>

Maximum number of logs for each log download attempt (default = 100000).

FAC-custom-field1 <string>

Enter a name of the custom log field to index (character limit = 31).

FCH-custom-field1 <string>

Enter a name of the custom log field to index (character limit = 31).

FCT-custom-field1 <string>

Enter a name of the custom log field to index (character limit = 31).

FDD-custom-field1 <string>

Enter a name of the custom log field to index (character limit = 31).

FGT-custom-field1 <string>

Enter a name of the custom log field to index (character limit = 31).

FML-custom-field1 <string>

Enter a name of the custom log field to index (character limit = 31).

FPX-custom-field1 <string>

Enter a name of the custom log field to index (character limit = 31).

FSA-custom-field1 <string>

Enter a name of the custom log field to index (character limit = 31).

FWB-custom-field1 <string>

Enter a name of the custom log field to index (character limit = 31).

ha-auto-migrate {enable | disable}

Enabled/disable automatically merging HA member's logs to HA cluster (default = disable).

import-max-logfiles <integer>

Maximum number of log files for each log import attempt (default = 10000).

keep-dev-logs {enable | disable}

Enable/disable keeping the device logs after the device has been deleted (default = disable).

log-file-archive-name {basic | extended}

Log file name format for archiving.

  • basic: Basic format for log archive file name (default), for example:

    FGT20C0000000001.tlog.1417797247.log.

  • extended: Extended format for log archive file name, for example:

    FGT20C0000000001.2014-12-05-08:34:58.tlog.1417797247.log.

log-interval-dev-no-logging <interger>

Interval in minutes of no log received from a device when considering the device down (default = 15).

log-upload-interval-dev-no-logging <interger>

Interval in minutes of no log uploaded from a device when considering the device down (default = 360).

sync-search-timeout <integer>

The maximum amount of time that a log search session can run in synchronous mode, in seconds (1 - 86400, default = 60).

unencrypted-logging {enable | disable}

Enable/disable receiving syslog through UDP(514) or TCP(514) un-encrypted (default = disable).

Variables for config {rolling-regular | rolling-local | rolling-analyzer} subcommand:

days {fri | mon| sat | sun | thu | tue | wed}

Log files rolling schedule (days of the week). When when is set to weekly, you can configure days, hour, and min values.

del-files {enable | disable}

Enable/disable log file deletion after uploading (default = disable).

directory <string>

The upload server directory (character limit = 127).

file-size <integer>

Roll log files when they reach this size, in megabytes (10 - 1000, default = 200).

gzip-format {enable | disable}

Enable/disable compression of uploaded log files (default = disable).

hour <integer>

The hour of the day that log files are rolled (0 - 23, default = 0).

log-format {csv | native | text}

Format of uploaded log files:

  • csv: CSV (comma-separated value) format.
  • native: Native format (text or compact) (default).
  • text: Text format (convert if necessary).

min <integer>

The minute of the hour that log files are rolled (0 - 59, default = 0).

password <passwd>

password2 <passwd>

password3 <passwd>

Upload server log in passwords (character limit = 128).

port <integer>

port2 <integer>

port3 <integer>

Upload server IP port number.

rolling-upgrade-status <integer>

The rolling upgrade status.

server <string>

server2 <string>

server3 <string>

Upload server FQDN, IPv4, or IPv6 addresses. Configure up to three servers.

server-type {ftp | scp | sftp}

Upload server type (default = ftp).

upload {enable | disable}

Enable/disable log file uploads (default = disable).

upload-hour <integer>

The hour of the day that log files are uploaded (0 - 23, default = 0).

upload-mode {backup | mirror}

Configure upload mode with multiple servers. Servers are tried then used one after the other upon failure to connect.

  • backup: Servers are attempted and used one after the other upon failure to connect (default).
  • mirror: All configured servers are attempted and used.

upload-trigger {on-roll | on-schedule}

Event triggering log files upload:

  • on-roll: Upload log files after they are rolled (default).
  • on-schedule: Upload log files daily.

username <string>

username2 <string>

username3 <string>

Upload server log in usernames (character limit = 35).

when {daily | none | weekly}

Roll log files periodically:

  • daily: Roll log files daily.
  • none: Do not roll log files periodically .
  • weekly: Roll log files on certain days of week (default).

log topology

Use this command to configure settings for the logging topology.

Syntax

config system log topology

set max-depth <integer>

set max-depth-share <integer>

end

Variable

Description

max-depth <integer>

Maximum levels to descend from this device to get the logging topology information (0 - 32, default = 5).

max-depth-share <integer>

Maximum levels to descend from this device to share logging topology information with upstream (0 - 32, default = 5).