XML Reference Guide

Log settings

Log-related information is inside the <log_settings> </log_settings> XML tags.

<forticlient_configuration>
  <system>
    <log_settings>
      <onnet_local_logging>[0|1]</onnet_local_logging>
      <level>6</level>
      <log_events>ipsecvpn,sslvpn,scheduler,update,firewall,av,proxy,shield,webfilter,endpoint,fssoma,configd,vuln,sandboxing,antiexploit</log_events>
      <remote_logging>
        <log_upload_enabled>0</log_upload_enabled>
        <log_upload_server>0.0.0.0</log_upload_server>
        <log_upload_ssl_enabled>1</log_upload_ssl_enabled>
        <log_retention_days>90</log_retention_days>
        <log_upload_freq_minutes>90</log_upload_freq_minutes>
        <log_generation_timeout_secs>900</log_generation_timeout_secs>
        <log_compressed>0</log_compressed>
        <log_protocol>syslog</log_protocol>
        <!-- faz | syslog -->
        <!-- server IP address -->
        <netlog_server>0.0.0.0</netlog_server>
        <netlog_categories>7</netlog_categories>
      </remote_logging>
    </log_settings>
  </system>
</forticlient_configuration>

The following table provides the XML tags for log settings, as well as the descriptions and default values where applicable.

<onnet_local_logging>

If client-log-when-on-net is enabled on EMS, EMS sends this XML element.

Boolean value: [0 | 1]

<level>

Select the FortiClient logging level. Enter one of the following:

  • 0: emergency
  • 1: alert
  • 2: critical
  • 3: error
  • 4: warning
  • 5: notice
  • 6: information
  • 7: debug

Default value: 6

<log_events>

FortiClient events or processes to log. Enter a comma-separated list of one or more of the following:

  • ipsecvpn: IPsec VPN log events
  • sslvpn: SSL VPN log events
  • firewall: Application Firewall log events
  • av: Antivirus log events
  • webfilter: Web Filtering log events
  • vuln: Vulnerability Scan log events
  • fssoma: Single Sign-On (SSO) mobility agent for FortiAuthenticator log events
  • scheduler: Scheduler log events
  • update: Update log events
  • proxy: FortiProxy log events
  • shield: FortiShield log events
  • endpoint: Endpoint Control log events
  • configd: Configuration log events
  • sandboxing: Sandbox Detection events

Default value: ipsecvpn, sslvpn, scheduler, update, firewall, av, clientmanager, proxy, shield, webfilter, endpoint, fssoma, configd, vuln (enable all events by default)

<remote_logging> elements

All elements for <remote_logging> apply only to remote logs. The elements do not affect the behavior of local logs.

<log_upload_enabled>

Set the Boolean value to 1 to upload FortiClient logs to the FortiAnalyzer or FortiManager.

Boolean value: [0 | 1]

Default value: 0

<log_upload_server>

Enter the IP address of the FortiAnalyzer or FortiManager to send logs to.

<log_upload_ssl_enabled>

Enable or disable use of the SSL protocol during log upload.

Boolean value: [0 | 1]

Default value: 1

<log_upload_freq_minutes>

The log upload period, in minutes.

Default value: 90

<log_generation_timeout_sec>

How often logs are created, in seconds.

Default value: 900

<log_compressed>

Enable or disable compression of logs.

Boolean value: [0 | 1]

<log_retention_days>

The number of days to retain logs in the upload queue before they are deleted if the server is not reachable. Local logs are not deleted.

Default value: 90

<log_protocol>

Enter the remote server type:

  • faz: FortiAnalyzer
  • syslog: Syslog server

<netlog_server>

Enter the syslog server's IP address. Used only when <log_protocol> is set to syslog.

<netlog_categories>

Enter the bitmask of logs to upload.

Bitmask:

  • 1 = traffic logs
  • 2 = vulnerability logs
  • 4 = event logs

Since these are bitmasks, you may combine them as follows:

  • 3 = 1 or 2 (traffic and vulnerability)
  • 5 = 1 or 4 (traffic and event)
  • 6 = 2 or 4 (vulnerability and event)
  • 7 = 1 or 2 or 4 (all logs)

Default value: 7
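An added example, not part of Fortinet's guide: a Python check that parses the <remote_logging> block of a FortiClient configuration, decodes the <netlog_categories> bitmask described above, and reports settings that weaken remote log collection. The function names, the pass/fail policy, and the treatment of 0.0.0.0 as an unset placeholder are assumptions of this example, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Bit values from the <netlog_categories> description on this page.
NETLOG_BITS = {1: "traffic", 2: "vulnerability", 4: "event"}

def decode_netlog_categories(mask):
    """Return the log categories selected by a <netlog_categories> bitmask."""
    if not 0 <= mask <= 7:
        raise ValueError(f"netlog_categories out of range: {mask}")
    return [name for bit, name in NETLOG_BITS.items() if mask & bit]

def audit_log_settings(xml_text):
    """Return findings for the <remote_logging> block (example policy, an assumption)."""
    root = ET.fromstring(xml_text)
    remote = root.find("./system/log_settings/remote_logging")
    if remote is None:
        return ["no <remote_logging> block present"]
    # Missing or empty elements fall back to the given default.
    get = lambda tag, default="": (remote.findtext(tag) or default).strip()
    findings = []
    if get("log_upload_enabled", "0") != "1":
        findings.append("log upload disabled: logs stay on the endpoint only")
    if get("log_upload_ssl_enabled", "1") != "1":
        findings.append("SSL disabled for log upload")
    protocol = get("log_protocol")
    if protocol not in ("faz", "syslog"):
        findings.append(f"unknown log_protocol: {protocol!r}")
    # <netlog_server> is used only for syslog; otherwise check <log_upload_server>.
    server_tag = "netlog_server" if protocol == "syslog" else "log_upload_server"
    if get(server_tag, "0.0.0.0") == "0.0.0.0":  # assumption: 0.0.0.0 means unset
        findings.append(f"<{server_tag}> is still the 0.0.0.0 placeholder")
    selected = decode_netlog_categories(int(get("netlog_categories", "7")))
    missing = [n for n in NETLOG_BITS.values() if n not in selected]
    if missing:
        findings.append("categories not uploaded: " + ", ".join(missing))
    return findings

# Constructed sample: upload on, SSL off, syslog server unset, mask 5.
SAMPLE = """<forticlient_configuration><system><log_settings><remote_logging>
  <log_upload_enabled>1</log_upload_enabled>
  <log_upload_server>0.0.0.0</log_upload_server>
  <log_upload_ssl_enabled>0</log_upload_ssl_enabled>
  <log_protocol>syslog</log_protocol>
  <netlog_server>0.0.0.0</netlog_server>
  <netlog_categories>5</netlog_categories>
</remote_logging></log_settings></system></forticlient_configuration>"""

if __name__ == "__main__":
    for finding in audit_log_settings(SAMPLE):
        print("FINDING:", finding)
```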

The FortiShield daemon protects FortiClient's own file system and registry settings from modification by unauthorized persons.
