
Log settings


Log-related information is inside the <log_settings> </log_settings> XML tags.

<forticlient_configuration>
  <system>
    <log_settings>
      <onnet_local_logging>[0|1]</onnet_local_logging>
      <level>6</level>
      <log_events>ipsecvpn,sslvpn,scheduler,update,firewall,av,proxy,shield,webfilter,endpoint,fssoma,configd,vuln,sandboxing,antiexploit</log_events>
      <remote_logging>
        <log_upload_enabled>0</log_upload_enabled>
        <log_upload_server>0.0.0.0</log_upload_server>
        <log_upload_ssl_enabled>1</log_upload_ssl_enabled>
        <log_retention_days>90</log_retention_days>
        <log_upload_freq_minutes>90</log_upload_freq_minutes>
        <log_generation_timeout_secs>900</log_generation_timeout_secs>
        <log_compressed>0</log_compressed>
        <log_protocol>syslog</log_protocol> <!-- faz | syslog -->
        <!-- server IP address -->
        <netlog_server>0.0.0.0</netlog_server>
        <netlog_categories>7</netlog_categories>
        <send_software_inventory>1</send_software_inventory>
      </remote_logging>
    </log_settings>
  </system>
</forticlient_configuration>

The following table provides the XML tags for log settings, as well as the descriptions and default values where applicable.

XML tag | Description | Default value

<onnet_local_logging>

If you enabled client-log-when-on-net on EMS, EMS sends this XML element to FortiClient.

Boolean value: [0 | 1]

<level>

Configure the FortiClient logging level. FortiClient generates logs equal to and more critical than the selected level. Enter one of the following:

  • 0: Emergency. The system becomes unstable.
  • 1: Alert. Immediate action is required.
  • 2: Critical. Functionality is affected.
  • 3: Error. An error condition exists and could affect functionality.
  • 4: Warning. Functionality could be affected.
  • 5: Notice. Information about normal events.
  • 6: Info. General information about system operations.
  • 7: Debug. Debug FortiClient.

Default value: 6

<log_events>

FortiClient events or processes to log. Enter a comma-separated list of one or more of the following:

  • ipsecvpn: IPsec VPN log events
  • sslvpn: SSL VPN log events
  • firewall: Application firewall log events
  • av: AV log events
  • webfilter: Web filter log events
  • vuln: Vulnerability scan log events
  • fssoma: SSO mobility agent for FortiAuthenticator log events
  • scheduler: Scheduler log events
  • update: Update log events
  • proxy: FortiProxy log events
  • shield: FortiShield log events
  • endpoint: Endpoint Control log events
  • configd: Configuration log events
  • sandboxing: Sandbox detection events

Default value: ipsecvpn, sslvpn, scheduler, update, firewall, av, clientmanager, proxy, shield, webfilter, endpoint, fssoma, configd, vuln (enable all events by default)

<remote_logging> elements

All elements for <remote_logging> apply only to remote logs. The elements do not affect the behavior of local logs.

<log_upload_enabled>

Upload FortiClient logs to FortiAnalyzer or FortiManager.

Boolean value: [0 | 1]

Default value: 0

<log_upload_server>

Enter the FortiAnalyzer or FortiManager IP address to send logs to.

<log_upload_ssl_enabled>

Enable using the SSL protocol when uploading logs to FortiAnalyzer or FortiManager.

Boolean value: [0 | 1]

Default value: 1

<log_upload_freq_minutes>

Enter the log upload frequency in minutes.

Default value: 90

<log_generation_timeout_sec>

Configure how often, in seconds, logs are created.

Default value: 900

<log_compressed>

Enable log compression.

Boolean value: [0 | 1]

<log_retention_days>

Enter the number of days to retain logs in the upload queue before they are deleted if FortiClient cannot reach the server. This setting does not affect local logs.

Default value: 90

<log_protocol>

Enter the remote server type:

  • faz: FortiAnalyzer
  • syslog: Syslog server

<netlog_server>

Enter the syslog server's IP address. FortiClient uses this setting only when <log_protocol> is set to syslog.

<netlog_categories>

Enter the bitmask of logs to upload.

Bitmask:

  • 1 = traffic logs
  • 2 = vulnerability logs
  • 4 = event logs

Since these are bitmasks, you may combine them as follows:

  • 3 = 1 or 2 (traffic and vulnerability)
  • 5 = 1 or 4 (traffic and event)
  • 6 = 2 or 4 (vulnerability and event)
  • 7 = 1 or 2 or 4 (all logs)

Default value: 7

<send_software_inventory>

Enable sending software inventory reports to FortiAnalyzer.

Boolean value: [0 | 1]

Default value: 1

The FortiShield daemon protects FortiClient’s own file system and registry settings from modification by unauthorized persons.
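As an added example (not Fortinet code), the following Python sketch reviews a `<remote_logging>` block before deployment: it decodes the `<netlog_categories>` bitmask and reports settings that would leave an endpoint's logs uncollected. The function names, the sample input, and the review policy are assumptions of this example; the tag names and bit values come from the table above.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample input: upload disabled, placeholder server, traffic+event only.
SAMPLE = """<forticlient_configuration><system><log_settings>
  <remote_logging>
    <log_upload_enabled>0</log_upload_enabled>
    <log_upload_server>0.0.0.0</log_upload_server>
    <log_upload_ssl_enabled>1</log_upload_ssl_enabled>
    <log_protocol>syslog</log_protocol>
    <netlog_server>0.0.0.0</netlog_server>
    <netlog_categories>5</netlog_categories>
  </remote_logging>
</log_settings></system></forticlient_configuration>"""

CATEGORY_BITS = {1: "traffic", 2: "vulnerability", 4: "event"}  # values from the table

def decode_categories(mask):
    """Expand a <netlog_categories> bitmask into the log types it selects."""
    return [name for bit, name in CATEGORY_BITS.items() if mask & bit]

def audit_remote_logging(xml_text):
    """Return findings for <remote_logging>; the review policy is this example's own."""
    remote = ET.fromstring(xml_text).find("./system/log_settings/remote_logging")
    if remote is None:
        return ["no <remote_logging> block"]

    def get(tag, default):
        # Fall back to the given default when the element is absent or empty.
        return (remote.findtext(tag) or default).strip()

    findings = []
    if get("log_upload_enabled", "0") != "1":
        findings.append("remote log upload is disabled")
    if get("log_upload_ssl_enabled", "1") != "1":
        findings.append("log upload does not use SSL")
    # <netlog_server> is used only when <log_protocol> is syslog.
    tag = "netlog_server" if get("log_protocol", "") == "syslog" else "log_upload_server"
    try:
        if ipaddress.ip_address(get(tag, "0.0.0.0")).is_unspecified:
            findings.append(f"<{tag}> is the unspecified address")
    except ValueError:
        findings.append(f"<{tag}> is not a valid IP address")
    raw = get("netlog_categories", "7")
    selected = decode_categories(int(raw)) if raw.isdecimal() else []
    missing = [n for n in CATEGORY_BITS.values() if n not in selected]
    if missing:
        findings.append("log types not uploaded: " + ", ".join(missing))
    return findings
```

Calling `audit_remote_logging(SAMPLE)` returns three findings for the constructed input; a configuration with upload enabled, a real server address, and a mask of 7 returns an empty list.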
