Log Settings

This page includes configuration information for attack logs and traffic logs. For information on audit logs, please see Audit Logs Export.

Attack logs Export

Attack logs provide detailed insights for individual applications, helping track and analyze security events.

To export the attack logs to a log server:
  1. Go to Application > Log Settings.
  2. Enable Attack Log Export.
  3. Click Add Log Server.
  4. Configure the following settings.

    Name

    Enter a name for the log server.

    Server Type

    Select whether to export the logs to a log server, an ElasticSearch service, FortiAnalyzer, or FortiSIEM.

    See the following instructions for SysLog, ElasticSearch, FortiAnalyzer, and FortiSIEM.

    SysLog

    IP/Domain and Port

    Enter the IP/Domain and Port of the log server.

    Protocol

    Select the protocol used for log transfer.

    Server Certificate Verification

    When enabled, the system enforces server certificate verification before it sends attack logs to the log server.

    Custom Certificate and Key
    • Off: FortiAppSec Cloud automatically retrieves the SSL certificate used to encrypt the HTTPS connections between the log server and FortiAppSec Cloud.
    • On: Manually enter the SSL certificate.

    Available only if you select SSL in Protocol.

    Client Certificate

    Fill in the Certificate field.

    Available only if you enabled Custom Certificate and Key.

    Private Key

    Fill in the Private Key field.

    Available only if you enabled Custom Certificate and Key.

    Password

    Enter the password of the private key.

    Available only if you enabled Custom Certificate and Key.

    Log Format

    • Default: Export logs in the default format.
    • Custom: Customize the log format. All supported parameters are listed by default; keep the ones you need and delete the others. See Custom Log Fields.
    • Splunk: Export logs to a Splunk log server.
    • CEF:0 (ArcSight): Export logs in CEF:0 format.
    • Microsoft Azure OMS: Export logs in Microsoft Azure OMS format.
    • LEEF1.0 (QRadar): Export logs in LEEF1.0 format.

    Log Severity

    Select the severity level of the logs. All exported logs are tagged with the selected severity level.

    Log Facility

    Select the source facility of the logs. Only the local-use facilities, which are not reserved and are available for general use, are supported.

    ElasticSearch

    ElasticSearch is a distributed, multitenant-capable full-text search engine with an HTTP interface and schema-free JSON documents.

    Address and Port

    Enter the address and port to access your ElasticSearch service.

    The default port for ElasticSearch service is 9200.

    User Name

    Enter the user name of the ElasticSearch service.

    Password

    Enter the password of the ElasticSearch service user.

    FortiAnalyzer

    FortiAnalyzer is a powerful log management, analytics, and reporting platform that provides centralized logging and analysis, plus end-to-end visibility.

    Please note the following:

    • FortiAnalyzer is supported; however, FortiAnalyzer Cloud is not.

    • When configuring the corresponding ADOM on FortiAnalyzer, please set the Type to FortiWeb.

    • FortiAnalyzer supports assigning devices to different ADOMs, provided that each OU’s master account is associated with a distinct contract (i.e., a unique serial number).

      However, if the organization has enabled Contract Sharing Mode, all OU accounts share the same contract and serial number. In this case, FortiAnalyzer treats them as a single device, which prevents assigning them to different ADOMs.

    IP/Domain and Port

    Enter the IP/Domain and Port of the log server.

    Protocol

    Select the protocol used for log transfer.

    Server Certificate Verification

    When enabled, the system enforces server certificate verification before it sends attack logs to the log server.

    Log Format Preview

    This box shows a preview of the log format, and is not editable.

    Log Severity

    Select the severity level of the logs. All exported logs are tagged with the selected severity level.

    Log Facility

    Select the source facility of the logs. Only the local-use facilities, which are not reserved and are available for general use, are supported.

    FortiSIEM

    IP/Domain and Port

    Enter the IP/Domain and Port of the log server.

    Protocol

    Select the protocol used for log transfer.

    Server Certificate Verification

    When enabled, the system enforces server certificate verification before it sends attack logs to the log server.

    Log Format

    This box shows a preview of the log format, and is not editable.

    Log Severity

    Select the severity level of the logs. All exported logs are tagged with the selected severity level.

    Log Facility

    Select the source facility of the logs. Only the local-use facilities, which are not reserved and are available for general use, are supported.

  5. Click OK. The system exports newly generated attack logs to the log server every minute.

To prevent log poisoning, it's recommended to set filters on your log server to allow only the traffic from FortiAppSec Cloud. The source IPs are as follows:

  • 3.226.2.163
  • 3.123.68.65

Custom Log Fields

Below is a list of all supported log fields when Log Format is set to Custom.

Field Name            Placeholder   Example
Date and Time         dt            2025-02-19T19:34:05-05:00
Date                  date          2025-02-27
Time                  tm            19:34:05
Time Zone             tz            -05:00
UTC Date              utc           2025-02-20T00:34:05
Timestamp             ts            1740011645000
Log Type ID           li            20000007
Message ID            mid           098765432123
Application ID        eid           1234567890
Application Name      an            ftnt-app1
Application Domain    ed            docs.fortinet.com
Template Name         tn            My Template
Source IP             si            0.00.000.00
Source Port           sp            80
Destination IP        ds            123.456.789.0
Destination Port      dp            443
Source Country        sc            Canada
Service               svc           https/tls1.3
Login User            lu            Unknown
Main Type of Threat   mt            Known Attacks
Sub Type of Threat    st            Cross Site Scripting
Threat Level          tl            Severe
Threat Weight         tw            10
Action                act           Block
HTTP Host             hh            fortinet.com
HTTP URL              hu            /ContactUs.aspx
HTTP Version          hv            1.x
HTTP Method           hm            POST
HTTP Agent            ha            gp-vcloud-director
HTTP Referer          hr            none
Signature ID          sid           010000009
Signature CVE ID      sci           N/A
OWASP Top10           ott           A03:2021-Injection
Message               msg           Parameter(emailID) triggered signature ID 010000009 of Signatures
Packet                pkt           "packet string"

Configuring attack log alert

FortiAppSec Cloud checks the attack logs every five minutes and sends an alert email based on the configured threat level. You can also define a more complex rule for the alert email.

To configure an attack log alert:
  1. Go to Log Settings.
  2. Enable Attack Log Alerts.
  3. For Mode, when you select Basic, configure the following settings.

    Threat Level

    Attacks are weighted by threat level with the following values:

    • Critical: 50
    • High: 30
    • Medium: 10
    • Low: 5

    The system counts the threat score every 5 minutes. For example, if there are 2 critical attacks and 1 high threat level attack in 5 minutes, the threat score is 50*2+30=130.

    Basic

    In basic mode, an alert email is sent if the threat score accumulated within a 5-minute window exceeds the threshold for the selected level:

    • 1 (low)
    • 100 (medium)
    • 400 (high)
    • 700 (critical)

    For example, if you set the Threat Level to medium, and the threat score is 130, then an alert email will be sent.

    Notification Recipient

    • Default—The alert email will be sent to the email address that is used to register your account.
    • Custom—Specify the email addresses to receive the alert.

    Custom Recipient

    Enter the email addresses. Separate multiple email addresses with ",".

    Available only if you select Custom for Notification Recipient.

  4. For Mode, when you select Advanced, click +Create Alert to customize a more complex rule. You can create at most two rules.
  5. Configure the following settings.

    Name

    Enter a name for the alert rule.

    Threat Score

    Specify a threat score for the attack log.

    Attacks are weighted by threat level with the following values:

    • Critical: 50
    • High: 30
    • Medium: 10
    • Low: 5

    The system counts the threat score every 5 minutes. For example, if there are 2 critical attacks and 1 high threat level attack in 5 minutes, the threat score is 50*2+30=130.

    If the actual threat score is higher than the score value you set, an alert email will be sent.

    Notification Recipient

    • Default—The alert email will be sent to the email address that is used to register your account.
    • Custom—Specify the email addresses to receive the alert.

    Custom Recipient

    Enter the email addresses. Separate multiple email addresses with ",".
    Available only if you select Custom for Notification Recipient.

  6. For Filter Overview, click Add Filter to create a filter based on attack log messages. Only messages that match the filter criteria are counted toward the threat score.
  7. Click OK.
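The scoring and alert logic of steps 3 to 6, re-implemented in Python as an added example (not FortiAppSec Cloud's own code): it applies the documented weights, the 5-minute evaluation window, the Basic-mode thresholds, and an Advanced-mode rule with a custom score and a message filter. The sample attack logs are constructed, and treating the filter as a regular expression over the message field is an assumption.

```python
from datetime import datetime, timedelta, timezone
import re

# Threat weights and Basic-mode thresholds as listed on the Log Settings page.
THREAT_WEIGHTS = {"Critical": 50, "High": 30, "Medium": 10, "Low": 5}
BASIC_THRESHOLDS = {"low": 1, "medium": 100, "high": 400, "critical": 700}

# Constructed sample attack logs: (timestamp, threat level, message). Not real data.
T0 = datetime(2025, 2, 19, 19, 30, tzinfo=timezone.utc)
SAMPLE_LOGS = [
    (T0 + timedelta(seconds=5), "Critical",
     "Parameter(emailID) triggered signature ID 010000009 of Signatures"),
    (T0 + timedelta(seconds=70), "Critical",
     "Parameter(q) triggered a Cross Site Scripting signature"),
    (T0 + timedelta(seconds=200), "High",
     "Parameter(id) triggered a SQL Injection signature"),
    (T0 + timedelta(minutes=6), "Low",
     "Parameter(page) triggered an Information Disclosure signature"),
]


def window_start(ts):
    """Align a timestamp to the start of its 5-minute evaluation window."""
    return ts - timedelta(minutes=ts.minute % 5, seconds=ts.second,
                          microseconds=ts.microsecond)


def score_windows(logs, message_filter=None):
    """Return {window_start: threat score}. If message_filter is given (assumed here
    to be a regular expression over the message), only matching logs are counted."""
    scores = {}
    for ts, level, msg in logs:
        if message_filter and not re.search(message_filter, msg):
            continue
        start = window_start(ts)
        scores[start] = scores.get(start, 0) + THREAT_WEIGHTS[level]
    return scores


def basic_alerts(logs, threat_level):
    """Basic mode: a window raises an alert when its score exceeds the level's threshold."""
    threshold = BASIC_THRESHOLDS[threat_level]
    return sorted(s for s, score in score_windows(logs).items() if score > threshold)


def advanced_alerts(logs, rule_score, message_filter=None):
    """Advanced mode: a custom score threshold plus an optional message filter."""
    windows = score_windows(logs, message_filter)
    return sorted(s for s, score in windows.items() if score > rule_score)


if __name__ == "__main__":
    for start, score in sorted(score_windows(SAMPLE_LOGS).items()):
        print(start.strftime("%H:%M"), "score", score)   # 19:30 130, 19:35 5
    print("Basic/medium alerts:",
          [s.strftime("%H:%M") for s in basic_alerts(SAMPLE_LOGS, "medium")])
    print("Advanced XSS rule (score 100):",
          [s.strftime("%H:%M") for s in advanced_alerts(SAMPLE_LOGS, 100, "Cross Site Scripting")])
```

The first window scores 50*2+30=130 exactly as in the page's example, so a medium Basic alert fires and a high one does not; the XSS-filtered Advanced rule sees only 50 and stays silent at a threshold of 100.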

Exporting traffic logs

Traffic logs record traffic events such as HTTP requests and responses, and the expiration of HTTP sessions. FortiAppSec Cloud's Web UI doesn't show traffic logs, but you can export traffic logs to AWS S3 or Azure Blob bucket in real time for long-term storage, analysis, or alerting.

Please note that at this time, FortiAppSec Cloud does not support exporting traffic logs to OCI (Oracle Cloud Infrastructure).

  1. Go to Log Settings.
  2. Enable Traffic Log Export.
  3. Configure the following settings.

    Server Type

    Select whether to export the logs to AWS S3 or Azure Blob.

    AWS S3

    Bucket name

    Enter the AWS S3 bucket name.

    Region

    Enter the region code, for example, ap-southeast-1.

    Access Key ID

    Enter the access key ID of the S3 bucket.

    Secret Key ID

    Enter the secret key ID of the S3 bucket.

    Folder

    Enter the folder to store the traffic log.

    Azure Blob

    Storage Account Name

    Enter the Azure Blob storage account name.

    Account Access Key

    Enter the Account Access Key for your storage account.

    Container Name

    Enter the name of the blob container to which you would like to export your traffic logs.

    To use an S3 bucket for traffic export, the IAM role must have the following permissions enabled:

    • s3:PutObject

    • s3:GetObject

    • s3:GetBucketLocation

  4. Click Save.

To prevent log poisoning, it's recommended to set filters on your S3 bucket to allow only the traffic from FortiAppSec Cloud. The source IPs from FortiAppSec Cloud are as follows:

  • 3.226.2.163

  • 3.123.68.65

We also recommend adding to the filter the source IP addresses of the traffic log exporting center that corresponds to the region of your application.

AWS:

Region                                          Logstash IP
ap-east-1: Asia Pacific (Hong Kong)             16.162.29.183
ap-south-1: Asia Pacific (Mumbai)               15.207.118.191
ap-southeast-1.prod: Asia Pacific (Singapore)   18.142.59.230
ap-southeast-2: Asia Pacific (Sydney)           13.238.126.108
ap-southeast-3: Jakarta                         108.137.118.125
ca-central-1: Canada (Central)                  52.60.181.20
eu-central-1: Europe (Frankfurt)                3.64.92.136, 3.79.38.161
eu-west-1: Europe (Ireland)                     54.220.37.1
eu-west-2: Europe (London)                      18.171.94.215
eu-west-3: Europe (Paris)                       15.237.205.81
eu-south-1: Europe (Milan)                      35.152.101.76
il-central-1: AWS Israel (Tel Aviv)             51.17.180.108
sa-east-1: South America (Sao Paulo)            15.229.167.39
us-east-1: US East (N. Virginia)                44.215.25.31, 44.216.53.179
us-east-2: US East (Ohio)                       3.19.8.134
us-west-1: US West (N. California)              54.177.53.242
us-west-2: US West (Oregon)                     34.208.62.10

Azure:

Region                            Logstash IP                                      Logstash Private IP
Australia East                    20.188.247.221                                   10.22.1.52
Brazil South (São Paulo State)    191.234.179.164                                  10.35.1.52
Canada Central                    52.237.13.214                                    10.37.1.52
East US                           52.191.198.64                                    10.3.1.57
East US 2                         20.10.187.167, 104.208.237.249, 40.123.43.190    10.4.1.167, 10.4.1.166, 10.4.1.134
Qatar Central                     20.173.78.67                                     10.39.1.40
South Africa North                4.221.143.107                                    10.40.1.10
West Europe                       20.73.191.71                                     10.9.1.58
West US 2                         40.125.64.146                                    10.15.1.58

Google Cloud:

Region                        Logstash IP
europe-west3 (Frankfurt)      35.242.250.207
europe-west8 (Milan)          34.154.63.237
me-west1 (Tel Aviv)           34.165.47.110
us-east1 (South Carolina)     34.74.77.198
us-west1 (Oregon)             34.127.22.16
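The S3 allow-listing described above, as an added Python example (not Fortinet's or AWS's code): it writes an identity policy for the export role carrying exactly the three permissions the page lists, a bucket policy that denies any request whose source is not one of the two FortiAppSec Cloud IPs or the Logstash IP(s) of the application's AWS region, and a simplified evaluator that checks a request against both. The bucket name, folder, example source IPs and the subset of regions in the lookup table are assumptions; the IP addresses themselves are those given on this page.

```python
import fnmatch
import ipaddress
import json

# Source IPs of FortiAppSec Cloud as stated on the page.
FORTIAPPSEC_SOURCE_IPS = ["3.226.2.163", "3.123.68.65"]
# Logstash IPs for a few AWS regions, copied from the page's AWS table (subset, for the example).
AWS_LOGSTASH_IPS = {
    "ap-southeast-1": ["18.142.59.230"],
    "eu-central-1": ["3.64.92.136", "3.79.38.161"],
    "us-east-1": ["44.215.25.31", "44.216.53.179"],
}
# The three permissions the page requires on the export role.
EXPORT_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:GetBucketLocation"]


def allowed_sources(region):
    """FortiAppSec Cloud source IPs plus the Logstash IP(s) of the application's region."""
    return FORTIAPPSEC_SOURCE_IPS + AWS_LOGSTASH_IPS[region]


def build_role_policy(bucket, folder):
    """Identity policy for the export role: only the three listed actions, scoped to the
    bucket and to the export folder (folder name is an assumption)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": EXPORT_ACTIONS,
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/{folder}/*"],
    }]}


def build_bucket_policy(bucket, region):
    """Bucket policy that denies every request whose source IP is not allow-listed."""
    cidrs = [f"{ip}/32" for ip in allowed_sources(region)]
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnexpectedSourceIp",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"NotIpAddress": {"aws:SourceIp": cidrs}},
    }]}


def _matches(stmt, action, resource):
    """Does a statement's Action/Resource (with IAM-style * wildcards) cover the request?"""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    return (any(fnmatch.fnmatchcase(action, a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]))


def request_allowed(role_policy, bucket_policy, action, resource, source_ip):
    """Simplified evaluation: an explicit Deny in the bucket policy wins; otherwise the
    role policy must carry a matching Allow. Not a complete IAM policy evaluator."""
    ip = ipaddress.ip_address(source_ip)
    for stmt in bucket_policy["Statement"]:
        if stmt["Effect"] == "Deny" and _matches(stmt, action, resource):
            cidrs = stmt["Condition"]["NotIpAddress"]["aws:SourceIp"]
            if not any(ip in ipaddress.ip_network(c) for c in cidrs):
                return False
    return any(stmt["Effect"] == "Allow" and _matches(stmt, action, resource)
               for stmt in role_policy["Statement"])


if __name__ == "__main__":
    bucket, folder = "example-traffic-logs", "fortiappsec"   # assumed names
    role = build_role_policy(bucket, folder)
    policy = build_bucket_policy(bucket, "us-east-1")
    print(json.dumps(policy, indent=2))
    obj = f"arn:aws:s3:::{bucket}/{folder}/2025-02-19.log"
    print(request_allowed(role, policy, "s3:PutObject", obj, "3.226.2.163"))   # True
    print(request_allowed(role, policy, "s3:PutObject", obj, "198.51.100.7"))  # False
```

The deny statement also blocks the allow-listed sources from anything outside the export folder or outside the three actions, because the role policy grants nothing else; that is the least-privilege shape the page's permission list implies.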

Sensitive Data Masking

Configure Sensitive Data Masking as part of Log Settings to mask information deemed sensitive in log message fields, such as passwords or credit card numbers. The Sensitive Data Masking settings are applied at the application level, with each application able to support up to 8 sensitive data rules.

To create a sensitive data rule:
  1. Go to Log Settings.
  2. Enable Sensitive Data Masking.
  3. Click +Sensitive Data Rule.
  4. Configure the following settings.
    Type

    Select the type of data the rule will apply to.

    • URL

    • Cookie

    • Parameter

    • Header

    Name

    Type a regular expression that matches all and only the input names whose values you want to obscure. To create a regular expression, see Frequently used regular expressions.

    This field is not required if the URL data type is selected.

    Value

    Type a regular expression that matches all and only input values that you want to obscure. To create a regular expression, see Frequently used regular expressions.

  5. Click OK.
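How a rule's Type, Name and Value settings combine when a log record is written, as an added Python example (not FortiAppSec Cloud's implementation): a value is masked only when the Name regex matches the input name and the Value regex matches its value, while URL rules apply the Value regex alone. The rules and the request record are constructed, the placeholder key hu is taken from the custom log fields table, and replacing a matched value with asterisks is an assumption about how masked values are rendered.

```python
import re

# A rule mirrors the Sensitive Data Rule settings: Type, Name regex (not used for URL),
# Value regex. These rules are constructed for the example; note the anchored Name
# regexes, so that "card_number_hint" is not swept up by the "card_number" rule.
RULES = [
    {"type": "Parameter", "name": r"^(password|passwd|pwd)$", "value": r".+"},
    {"type": "Parameter", "name": r"^card(_?number)?$", "value": r"^\d{13,19}$"},
    {"type": "Header", "name": r"^Authorization$", "value": r"^Bearer .+"},
    {"type": "Cookie", "name": r"^session$", "value": r".+"},
    {"type": "URL", "value": r"\d{13,19}"},  # URL rules need no Name regex
]
MASK = "********"  # assumed rendering of a masked value

# Constructed request record; "hu" is the HTTP URL placeholder from the custom log fields.
SAMPLE_RECORD = {
    "hu": "/account/4111111111111111/statement",
    "params": [("email", "alice@example.com"), ("password", "hunter2"),
               ("card_number", "4111111111111111"), ("card_number_hint", "4111")],
    "headers": [("User-Agent", "Mozilla/5.0"),
                ("Authorization", "Bearer eyJ.constructed.token")],
    "cookies": [("session", "c0nstructed"), ("lang", "en")],
}


def mask_pairs(pairs, rules, kind):
    """Mask each (name, value) pair of the given kind when some rule's Name regex matches
    the name AND its Value regex matches the value; other pairs are left untouched."""
    out = []
    for name, value in pairs:
        hit = any(r["type"] == kind
                  and re.search(r["name"], name)
                  and re.search(r["value"], value)
                  for r in rules)
        out.append((name, MASK if hit else value))
    return out


def mask_url(url, rules):
    """URL rules have no Name regex: every substring matching the Value regex is masked."""
    for r in rules:
        if r["type"] == "URL":
            url = re.sub(r["value"], MASK, url)
    return url


def mask_log_record(record, rules):
    """Apply every rule to the part of the log record its Type selects."""
    return {
        "hu": mask_url(record["hu"], rules),
        "params": mask_pairs(record["params"], rules, "Parameter"),
        "headers": mask_pairs(record["headers"], rules, "Header"),
        "cookies": mask_pairs(record["cookies"], rules, "Cookie"),
    }


if __name__ == "__main__":
    for key, val in mask_log_record(SAMPLE_RECORD, RULES).items():
        print(key, val)
```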

Retention and Periodic Cleanup

All logs are periodically cleaned at the beginning of each month.

See the table below for the retention period of each log type:

Category                        Features                                                  Retention
Incident                        Dashboard - Incidents                                     90 days
                                Dashboard - Top Incidents by Severity
                                Threat Analytics - Incidents
Attack log                      Threat Analytics - Attack log                             60 days
                                FortiView ThreatView
                                Dashboard - OWASP Top 10 Threats
                                Dashboard - Threat Level History
                                Dashboard - Top Known Threats
Traffic log                     Dashboard - Traffic Statistics by Country                 60 days
                                Traffic Summary
Audit log                       Audit log                                                 90 days
On-Premise Device Attack log    Threat Analytics - Attack log (on-premise device only)    90 days
