Log settings
Log-related information is inside the `<log_settings>` `</log_settings>` XML tags.
```xml
<forticlient_configuration>
  <system>
    <log_settings>
      <onnet_local_logging>[0|1]</onnet_local_logging>
      <level>6</level>
      <log_events>ipsecvpn,sslvpn,scheduler,update,firewall,av,proxy,shield,webfilter,endpoint,fssoma,configd,vuln,sandboxing,antiexploit</log_events>
      <remote_logging>
        <log_upload_enabled>0</log_upload_enabled>
        <log_upload_server>0.0.0.0</log_upload_server>
        <log_upload_ssl_enabled>1</log_upload_ssl_enabled>
        <log_retention_days>90</log_retention_days>
        <log_upload_freq_minutes>90</log_upload_freq_minutes>
        <log_generation_timeout_secs>900</log_generation_timeout_secs>
        <log_compressed>0</log_compressed>
        <log_protocol>syslog</log_protocol>
        <!-- faz | syslog -->
        <!-- server IP address -->
        <netlog_server>0.0.0.0</netlog_server>
        <netlog_categories>7</netlog_categories>
        <send_software_inventory>1</send_software_inventory>
      </remote_logging>
    </log_settings>
  </system>
</forticlient_configuration>
```
The following table provides the XML tags for log settings, as well as the descriptions and default values where applicable.
| XML tag | Description | Default value |
| --- | --- | --- |
| `<onnet_local_logging>` | If client-log-when-on-net is enabled on EMS, EMS sends this XML element to FortiClient.<br>Boolean value: [0 \| 1] | |
| `<level>` | Configure the FortiClient logging level. FortiClient generates logs equal to and more critical than the selected level. Enter one of the following:<br>0: Emergency. The system becomes unstable.<br>1: Alert. Immediate action is required.<br>2: Critical. Functionality is affected.<br>3: Error. An error condition exists and functionality could be affected.<br>4: Warning. Functionality could be affected.<br>5: Notice. Information about normal events.<br>6: Info. General information about system operations.<br>7: Debug. Debug FortiClient. | 6 |
| `<log_events>` | FortiClient events or processes to log. Enter a comma-separated list of one or more of the following:<br>ipsecvpn: IPsec VPN log events<br>sslvpn: SSL VPN log events<br>firewall: Application firewall log events<br>av: AV log events<br>webfilter: Web filter log events<br>vuln: Vulnerability scan log events<br>fssoma: SSO mobility agent for FortiAuthenticator log events<br>scheduler: Scheduler log events<br>update: Update log events<br>proxy: FortiProxy log events<br>shield: FortiShield log events<br>endpoint: Endpoint Control log events<br>configd: Configuration log events<br>sandboxing: Sandbox detection events | ipsecvpn, sslvpn, scheduler, update, firewall, av, clientmanager, proxy, shield, webfilter, endpoint, fssoma, configd, vuln<br>(enable all events by default) |
| `<remote_logging>` elements | All elements for `<remote_logging>` apply only to remote logs. The elements do not affect the behavior of local logs. | |
| `<log_upload_enabled>` | Enable to upload FortiClient logs to FortiAnalyzer or FortiManager.<br>Boolean value: [0 \| 1] | 0 |
| `<log_upload_server>` | Enter the FortiAnalyzer or FortiManager IP address to send logs to. | |
| `<log_upload_ssl_enabled>` | Enable or disable use of SSL protocol during log upload.<br>Boolean value: [0 \| 1] | 1 |
| `<log_upload_freq_minutes>` | Enter the log upload frequency in minutes. | 90 |
| `<log_generation_timeout_sec>` | Configure how often logs are created, in seconds. | 900 |
| `<log_compressed>` | Enable or disable log compression.<br>Boolean value: [0 \| 1] | |
| `<log_retention_days>` | Enter the number of days to retain logs in the upload queue before they are deleted if FortiClient cannot reach the server. This setting does not affect local logs. | 90 |
| `<log_protocol>` | Enter the remote server type:<br>faz: FortiAnalyzer<br>syslog: Syslog server | |
| `<netlog_server>` | Enter the syslog server's IP address. FortiClient uses this setting only when `<log_protocol>` is set to syslog. | |
| `<netlog_categories>` | Enter the bitmask of logs to upload.<br>Bitmask:<br>1 = traffic logs<br>2 = vulnerability logs<br>4 = event logs<br>Since these are bitmasks, you may combine them as follows:<br>3 = 1 or 2 (traffic and vulnerability)<br>5 = 1 or 4 (traffic and event)<br>6 = 2 or 4 (vulnerability and event)<br>7 = 1 or 2 or 4 (all logs) | 7 |
| `<send_software_inventory>` | Enable or disable sending software inventory to FortiAnalyzer.<br>Boolean value: [0 \| 1] | 1 |

The FortiShield daemon protects FortiClient's own file system and registry settings from modification by unauthorized persons.
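As an added example (not part of the original page and not Fortinet code), the following Python script audits a `<log_settings>` block against the table above: it decodes the `<netlog_categories>` bitmask and reports settings that reduce log coverage. The function names and the `SAMPLE` configuration are constructed for illustration, missing tags fall back to the defaults listed in the table, and treating `0.0.0.0` as "no server set" is an assumption.

```python
import xml.etree.ElementTree as ET

# Bit values from the <netlog_categories> row of the table.
NETLOG_BITS = {1: "traffic", 2: "vulnerability", 4: "event"}

# Constructed sample for this example; it is not a recommended configuration.
SAMPLE = """<forticlient_configuration><system><log_settings>
  <level>3</level>
  <remote_logging>
    <log_upload_enabled>1</log_upload_enabled>
    <log_upload_ssl_enabled>0</log_upload_ssl_enabled>
    <log_protocol>syslog</log_protocol>
    <netlog_server>0.0.0.0</netlog_server>
    <netlog_categories>5</netlog_categories>
  </remote_logging>
</log_settings></system></forticlient_configuration>"""


def decode_netlog_categories(mask):
    """Return the log types selected by a <netlog_categories> bitmask."""
    return [name for bit, name in NETLOG_BITS.items() if mask & bit]


def audit_log_settings(xml_text):
    """Return findings for one <log_settings> block; missing tags use the table defaults."""
    ls = ET.fromstring(xml_text).find("./system/log_settings")
    if ls is None:
        return ["no <log_settings> element"]

    def get(path, default):
        return (ls.findtext(path) or default).strip()

    findings = []
    # Only logs equal to or more critical than <level> are generated.
    if int(get("level", "6")) < 4:
        findings.append("level below 4: warnings and less critical logs are not generated")
    if get("remote_logging/log_upload_enabled", "0") != "1":
        findings.append("remote log upload is disabled")
    if get("remote_logging/log_upload_ssl_enabled", "1") != "1":
        findings.append("log upload without SSL")
    # Assumption: 0.0.0.0 (the value in the page's sample) means no server is set.
    if (get("remote_logging/log_protocol", "") == "syslog"
            and get("remote_logging/netlog_server", "0.0.0.0") == "0.0.0.0"):
        findings.append("log_protocol is syslog but netlog_server is not set")
    selected = decode_netlog_categories(int(get("remote_logging/netlog_categories", "7")))
    missing = [n for n in NETLOG_BITS.values() if n not in selected]
    if missing:
        findings.append("not uploaded: " + ", ".join(missing) + " logs")
    return findings
```

Calling `audit_log_settings(SAMPLE)` returns one finding per weak setting in the constructed sample.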