CLI Reference

locallog

Use the following commands to configure local log settings.

locallog setting

Use this command to configure locallog logging settings.

Syntax

config system locallog setting

set log-daemon-crash {enable | disable}

set log-interval-dev-no-logging <integer>

set log-interval-disk-full <integer>

set log-interval-gbday-exceeded <integer>

set no-log-detection-threshold <integer>

end

Variable

Description

log-daemon-crash {enable | disable}

Send a log message when a daemon crashes (default = disable).

log-interval-dev-no-logging <integer>

Interval for logging the event of no logs received from a device, in minutes (default = 1440).

log-interval-disk-full <integer>

Interval for logging the event of disk full, in minutes (default = 5).

log-interval-gbday-exceeded <integer>

Interval for logging the event of the GB/Day license exceeded, in minutes (default = 1440).

no-log-detection-threshold <integer>

Interval to trigger a local event message if no log data is received, in minutes (default = 15).

locallog disk setting

Use this command to configure the disk settings for uploading log files, including configuring the severity of log levels.

  • status must be enabled to view diskfull, max-log-file-size and upload variables.
  • upload must be enabled to view/set other upload* variables.

Syntax

config system locallog disk setting

set status {enable | disable}

set severity {emergency | alert | critical | error | warning | notification | information | debug}

set max-log-file-size <integer>

set max-log-file-num <integer>

set roll-schedule {none | daily | weekly}

set roll-day <string>

set roll-time <hh:mm>

set diskfull {nolog | overwrite}

set log-disk-full-percentage <integer>

set log-disk-quota <integer>

set upload {enable | disable}

set uploadip <ipv4_address>

set server-type {FAZ | FTP | SCP | SFTP}

set uploadport <integer>

set uploaduser <string>

set uploadpass <passwd>

set uploaddir <string>

set uploadtype <event>

set uploadzip {enable | disable}

set uploadsched {enable | disable}

set upload-time <hh:mm>

set upload-delete-files {enable | disable}

end

Variable

Description

status {enable | disable}

Enable/disable logging to the local disk (default = enable).

severity {emergency | alert | critical | error | warning | notification | information | debug}

Select the logging severity level.

The FortiAnalyzer unit logs all messages at and above the logging severity level you select.

  • emergency: The unit is unusable.
  • alert: Immediate action is required.
  • critical: Functionality is affected.
  • error: Functionality is probably affected.
  • warning: Functionality might be affected.
  • notification: Information about normal events.
  • information: General information about unit operations (default).
  • debug: Information used for diagnosis or debugging.

max-log-file-size <integer>

Enter the size at which the log is rolled, in megabytes (1 - 1024, default = 100).

max-log-file-num <integer>

Enter the number of log files at which the logs are rolled (10 - 10000, default = 10000).

roll-schedule {none | daily | weekly}

Enter the period for the scheduled rolling of a log file:

  • none: Not scheduled; the log rolls when max-log-file-size is reached (default).
  • daily: Every day.
  • weekly: Every week.

roll-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}

Enter the day for the scheduled rolling of a log file (default = sunday).

roll-time <hh:mm>

Enter the time for the scheduled rolling of a log file.

diskfull {nolog | overwrite}

Enter the action to take when the disk is full:

  • nolog: Stop logging.
  • overwrite: Overwrite the oldest log entries (default).

log-disk-full-percentage <integer>

Enter the percentage at which the log disk will be considered full (50 - 90, default = 80).

log-disk-quota <integer>

Enter the quota for controlling local log size, in GB (0 - 25, default = 5).

Note: 0 means no control of local log size.

upload {enable | disable}

Enable/disable uploading of logs when rolling log files (default = disable).

uploadip <ipv4_address>

Enter IPv4 address of the destination server.

server-type {FTP | SCP | SFTP}

Enter the server type to use to store the logs:

  • FTP: upload via FTP (default)
  • SCP: upload via SCP
  • SFTP: upload via SFTP

uploadport <integer>

Enter the port to use when communicating with the destination server (1 - 65535, default = 0).

uploaduser <string>

Enter the user account on the destination server.

uploadpass <passwd>

Enter the password of the user account on the destination server (character limit = 127).

uploaddir <string>

Enter the destination directory on the remote server.

uploadtype <event>

Enter to upload the event log files (default = event).

uploadzip {enable | disable}

Enable to compress uploaded log files (default = disable).

uploadsched {enable | disable}

Enable to schedule log uploads (default = disable).

upload-time <hh:mm>

Enter the time of the scheduled upload.

upload-delete-files {enable | disable}

Enable/disable deleting log files after uploading (default = enable).

Example

In this example, the logs are uploaded to an upload server and are not deleted after they are uploaded.

config system locallog disk setting

set status enable

set severity information

set max-log-file-size 1000

set roll-schedule daily

set upload enable

set uploadip 10.10.10.1

set uploadport 443

set uploaduser myname2

set uploadpass 12345

set uploadtype event

set uploadzip enable

set uploadsched enable

set upload-time 06:45

set upload-delete-files disable

end
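
As an added illustration (not Fortinet code), the following Python script lints a config system locallog disk setting block against the keywords, ranges and defaults listed in the variable table above, and flags two risky combinations: upload over FTP, and overwrite-on-full with no upload. The names DISK_SCHEMA, DEFAULTS and audit are hypothetical, the script assumes one unquoted set statement per line, and both sample blocks are constructed.

```python
import ipaddress
import re

ONOFF = {"enable", "disable"}
SEVERITY = {"emergency", "alert", "critical", "error", "warning",
            "notification", "information", "debug"}
DAYS = {"sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday"}

# Rules transcribed from the variable table above:
# set = allowed keywords, (lo, hi) = integer range, "hh:mm"/"ipv4" = format, None = free-form.
DISK_SCHEMA = {
    "status": ONOFF, "severity": SEVERITY,
    "max-log-file-size": (1, 1024), "max-log-file-num": (10, 10000),
    "roll-schedule": {"none", "daily", "weekly"}, "roll-day": DAYS, "roll-time": "hh:mm",
    "diskfull": {"nolog", "overwrite"},
    "log-disk-full-percentage": (50, 90), "log-disk-quota": (0, 25),
    "upload": ONOFF, "uploadip": "ipv4",
    "server-type": {"FAZ", "FTP", "SCP", "SFTP"},  # assumed case-sensitive, as printed
    "uploadport": (1, 65535), "uploaduser": None, "uploadpass": None, "uploaddir": None,
    "uploadtype": {"event"}, "uploadzip": ONOFF, "uploadsched": ONOFF,
    "upload-time": "hh:mm", "upload-delete-files": ONOFF,
}
# Documented defaults that the security checks below depend on.
DEFAULTS = {"status": "enable", "diskfull": "overwrite",
            "upload": "disable", "server-type": "FTP"}


def check_value(key, value):
    """Return an error string if value breaks the documented rule for key, else None."""
    rule = DISK_SCHEMA[key]
    if rule is None:
        if key == "uploadpass" and len(value) > 127:
            return "uploadpass: longer than the 127-character limit"
        return None
    if rule == "hh:mm":
        ok = re.fullmatch(r"([01][0-9]|2[0-3]):[0-5][0-9]", value)
        return None if ok else f"{key}: expected hh:mm, got {value!r}"
    if rule == "ipv4":
        try:
            ipaddress.IPv4Address(value)
            return None
        except ValueError:
            return f"{key}: {value!r} is not an IPv4 address"
    if isinstance(rule, tuple):
        lo, hi = rule
        if not re.fullmatch(r"[0-9]+", value) or not lo <= int(value) <= hi:
            return f"{key}: expected an integer in {lo}-{hi}, got {value!r}"
        return None
    return None if value in rule else f"{key}: {value!r} is not one of {sorted(rule)}"


def audit(text):
    """Return (syntax_errors, security_findings) for one config ... end block."""
    settings, errors = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0] in ("config", "end"):
            continue
        if parts[0] != "set" or len(parts) < 2:
            errors.append(f"line {n}: not a set statement: {raw.strip()!r}")
        elif parts[1] not in DISK_SCHEMA:
            errors.append(f"line {n}: unknown variable {parts[1]!r}")
        elif len(parts) != 3:
            errors.append(f"line {n}: {parts[1]} takes exactly one value")
        else:
            err = check_value(parts[1], parts[2])
            if err:
                errors.append(f"line {n}: {err}")
            else:
                settings[parts[1]] = parts[2]

    eff = {**DEFAULTS, **settings}  # unset variables fall back to documented defaults
    findings = []
    if eff["upload"] == "enable" and eff["server-type"] == "FTP":
        findings.append("upload uses FTP (the default server-type): credentials and "
                        "logs are sent unencrypted; prefer SFTP or SCP")
    if (eff["status"], eff["diskfull"], eff["upload"]) == ("enable", "overwrite", "disable"):
        findings.append("diskfull is overwrite and upload is disabled: the oldest "
                        "local entries are overwritten without ever being uploaded")
    return errors, findings


# Constructed sample with three syntax mistakes and an implicit FTP upload.
SAMPLE_BAD = """\
config system locallog disk setting
set status enable
set max-log-file-size 1000MB
set upload enable
set uploadip 192.0.2.10
set uploadport port 443
set uploaduser loguser
set upload-delete-file disable
end
"""

# Constructed sample that passes every check.
SAMPLE_GOOD = """\
config system locallog disk setting
set status enable
set severity information
set max-log-file-size 1000
set roll-schedule daily
set upload enable
set uploadip 192.0.2.10
set server-type SFTP
set uploadport 22
set uploaduser loguser
set uploaddir /logs
set uploadsched enable
set upload-time 06:45
set upload-delete-files disable
end
"""

if __name__ == "__main__":
    for name, block in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        errs, finds = audit(block)
        print(name, "errors:", errs, "findings:", finds)
```
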

locallog filter

Use this command to configure filters for local logs. All keywords are visible only when event is enabled.

Syntax

config system locallog [disk | memory | fortianalyzer | fortianalyzer2 | fortianalyzer3 | syslogd | syslogd2 | syslogd3] filter

set aid {enable | disable}

set controller {enable | disable}

set devcfg {enable | disable}

set devops {enable | disable}

set diskquota {enable | disable}

set dm {enable | disable}

set docker {enable | disable}

set dvm {enable | disable}

set ediscovery {enable | disable}

set epmgr {enable | disable}

set event {enable | disable}

set eventmgmt {enable | disable}

set faz {enable | disable}

set fazha {enable | disable}

set fazsys {enable | disable}

set fgd {enable | disable}

set fgfm {enable | disable}

set fips {enable | disable}

set fmgws {enable | disable}

set fmlmgr {enable | disable}

set fmwmgr {enable | disable}

set fortiview {enable | disable}

set glbcfg {enable | disable}

set ha {enable | disable}

set hcache {enable | disable}

set incident {enable | disable}

set iolog {enable | disable}

set logd {enable | disable}

set logdb {enable | disable}

set logdev {enable | disable}

set logfile {enable | disable}

set logging {enable | disable}

set lrmgr {enable | disable}

set objcfg {enable | disable}

set report {enable | disable}

set rev {enable | disable}

set rtmon {enable | disable}

set scfw {enable | disable}

set scply {enable | disable}

set scrmgr {enable | disable}

set scvpn {enable | disable}

set system {enable | disable}

set webport {enable | disable}

end

Variable

Description

aid {enable | disable}

Enable/disable configuring aid messages (default = enable).

controller {enable | disable}

Enable/disable controller application generic messages (default = enable).

devcfg {enable | disable}

Enable/disable logging device configuration messages (default = enable).

devops {enable | disable}

Enable/disable managed device's operations messages (default = enable).

diskquota {enable | disable}

Enable/disable logging FortiAnalyzer disk quota messages (default = enable).

dm {enable | disable}

Enable/disable logging deployment manager messages (default = enable).

docker {enable | disable}

Enable/disable docker application generic messages (default = enable).

dvm {enable | disable}

Enable/disable logging device manager messages (default = enable).

ediscovery {enable | disable}

Enable/disable logging device manager messages (default = enable).

epmgr {enable | disable}

Enable/disable logging endpoint manager messages (default = enable).

event {enable | disable}

Enable/disable configuring log filter messages (default = enable).

eventmgmt {enable | disable}

Enable/disable logging FortiAnalyzer event handler messages (default = enable).

faz {enable | disable}

Enable/disable logging FortiAnalyzer messages (default = enable).

fazha {enable | disable}

Enable/disable logging FortiAnalyzer HA messages (default = enable).

fazsys {enable | disable}

Enable/disable logging FortiAnalyzer system messages (default = enable).

fgd {enable | disable}

Enable/disable logging FortiGuard service messages (default = enable).

fgfm {enable | disable}

Enable/disable logging FortiGate/FortiManager communication protocol messages (default = enable).

fips {enable | disable}

Enable/disable logging FIPS messages (default = enable).

fmgws {enable | disable}

Enable/disable logging web service messages (default = enable).

fmlmgr {enable | disable}

Enable/disable logging FortiMail manager messages (default = enable).

fmwmgr {enable | disable}

Enable/disable logging firmware manager messages (default = enable).

fortiview {enable | disable}

Enable/disable logging FortiAnalyzer FortiView messages (default = enable).

glbcfg {enable | disable}

Enable/disable logging global database messages (default = enable).

ha {enable | disable}

Enable/disable logging high availability activity messages (default = enable).

hcache {enable | disable}

Enable/disable logging hcache messages (default = enable).

incident {enable | disable}

Enable/disable logging FortiAnalyzer incident messages (default = enable).

iolog {enable | disable}

Enable/disable input/output log activity messages (default = enable).

logd {enable | disable}

Enable/disable logd messages (default = enable).

logdb {enable | disable}

Enable/disable logging FortiAnalyzer log DB messages (default = enable).

logdev {enable | disable}

Enable/disable logging FortiAnalyzer log device messages (default = enable).

logfile {enable | disable}

Enable/disable logging FortiAnalyzer log file messages (default = enable).

logging {enable | disable}

Enable/disable logging FortiAnalyzer logging messages (default = enable).

lrmgr {enable | disable}

Enable/disable logging log and report manager messages (default = enable).

objcfg {enable | disable}

Enable/disable logging object configuration (default = enable).

report {enable | disable}

Enable/disable logging FortiAnalyzer report messages (default = enable).

rev {enable | disable}

Enable/disable logging revision history messages (default = enable).

rtmon {enable | disable}

Enable/disable logging real-time monitor messages (default = enable).

scfw {enable | disable}

Enable/disable logging firewall objects messages (default = enable).

scply {enable | disable}

Enable/disable logging policy console messages (default = enable).

scrmgr {enable | disable}

Enable/disable logging script manager messages (default = enable).

scvpn {enable | disable}

Enable/disable logging VPN console messages (default = enable).

system {enable | disable}

Enable/disable logging system manager messages (default = enable).

webport {enable | disable}

Enable/disable logging web portal messages (default = enable).

Example

In this example, the local log filters are log and report manager, and system settings. Events in these areas of the FortiAnalyzer unit will be logged.

config system locallog filter

set event enable

set lrmgr enable

set system enable

end

locallog fortianalyzer (fortianalyzer2, fortianalyzer3) setting

Use this command to enable or disable, and select the severity threshold of, remote logging to the FortiAnalyzer units. You can configure up to three FortiAnalyzer devices.

The severity threshold required to forward a log message to the FortiAnalyzer unit is separate from event, syslog, and local logging severity thresholds.

Syntax

config system locallog {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting

set peer-cert-cn <string>

set reliable {enable | disable}

set secure-connection {enable | disable}

set server <address>

set severity {emergency | alert | critical | error | warning | notification | information | debug}

set status {disable | realtime | upload}

set upload-time <hh:mm>

end

Variable

Description

peer-cert-cn <string>

Certificate common name for the remote FortiAnalyzer. This variable is available only when the status is upload.

Note: Null or '-' means no certificate CN for the remote FortiAnalyzer. Multiple CNs are separated by commas. If a CN contains a comma, the comma must follow an escape character.

reliable {enable | disable}

Enable/disable reliable realtime logging (default = disable).

secure-connection {enable | disable}

Enable/disable connection secured by TLS/SSL (default = disable).

This variable is available when status is realtime or upload.

server <address>

Remote FortiAnalyzer server IP address, FQDN, or hostname.

severity {emergency | alert | critical | error | warning | notification | information | debug}

Select the logging severity level (default = notification).

The FortiAnalyzer unit logs all messages at and above the logging severity level you select.

status {disable | realtime | upload}

Set the log to FortiAnalyzer status:

  • disable: Do not log to FortiAnalyzer (default).
  • realtime: Log to FortiAnalyzer in realtime.
  • upload: Log to FortiAnalyzer at a scheduled time.

upload-time <hh:mm>

Set the time to upload local log files (default = 00:00).

Example

In this example, remote logging to the configured FortiAnalyzer unit is enabled. Events at the information level and higher, which is everything except debug level events, are sent to the FortiAnalyzer unit.

config system locallog fortianalyzer setting

set status realtime

set severity information

end

locallog memory setting

Use this command to configure memory settings for local logging purposes.

Syntax

config system locallog memory setting

set diskfull {nolog | overwrite}

set severity {emergency | alert | critical | error | warning | notification | information | debug}

set status {enable | disable}

end

Variable

Description

diskfull {nolog | overwrite}

Enter the action to take when the disk is full:

  • nolog: Stop logging when disk full
  • overwrite: Overwrites oldest log entries

severity {emergency | alert | critical | error | warning | notification | information | debug}

Select the logging severity level (default = notification).

The FortiAnalyzer unit logs all messages at and above the logging severity level you select.

status {enable | disable}

Enable/disable logging to the memory buffer (default = disable).

Example

This example shows how to enable logging to memory for all events at the notification level and above. At this level of logging, only information and debug events will not be logged.

config system locallog memory setting

set severity notification

set status enable

end

locallog syslogd (syslogd2, syslogd3) setting

Use this command to configure the settings for logging to a syslog server. You can configure up to three syslog servers: syslogd, syslogd2 and syslogd3.

Syntax

config system locallog {syslogd | syslogd2 | syslogd3} setting

set cert {Fortinet_Local | Fortinet_Local2}

set csv {enable | disable}

set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}

set reliable {enable | disable}

set secure-connection {enable | disable}

set severity {emergency | alert | critical | error | warning | notification | information | debug}

set status {enable | disable}

set syslog-name <string>

end

Variable

Description

cert {Fortinet_Local | Fortinet_Local2}

Select local certificate used for secure connection.

csv {enable | disable}

Enable/disable producing the log in comma separated value (CSV) format (default = disable).

If you do not enable CSV format, the FortiAnalyzer unit produces space-separated log files.

facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}

Enter the facility type (default = local7).

The facility identifies the source of the log message to syslog. Change facility to distinguish log messages from different FortiAnalyzer units so you can determine the source of the log messages. local0 to local7 are reserved for local use.

reliable {enable | disable}

Enable/disable reliable real time logging (default = disable).

secure-connection {enable | disable}

Enable/disable connection secured by TLS/SSL (default = disable).

This variable is available only when reliable is enabled.

severity {emergency | alert | critical | error | warning | notification | information | debug}

Select the logging severity level (default = notification).

The FortiAnalyzer unit logs all messages at and above the logging severity level you select.

status {enable | disable}

Enable/disable logging to the remote syslog server (default = disable).

syslog-name <string>

Enter the remote syslog server name.

To configure a syslog server, use the config system syslog command. See syslog for information.

Use the show command to display the current configuration if it has been changed from its default value:

show system locallog syslogd setting

Example

In this example, the logs are uploaded to a previously configured syslog server named logstorage. The FortiAnalyzer unit is identified as facility local0.

config system locallog syslogd setting

set facility local0

set syslog-name logstorage

set status enable

set severity information

end
