Log settings

The <log_settings></log_settings> XML tags contain log-related settings: the local logging level and the event sources to log, plus the <remote_logging> options for uploading logs to FortiAnalyzer or to a syslog server.

<forticlient_configuration>
    <system>
        <log_settings>
            <onnet_local_logging>[0|1]</onnet_local_logging>
            <level>6</level>
            <log_events>ipsecvpn,sslvpn,scheduler,update,firewall,av,proxy,shield,webfilter,endpoint,fssoma,configd,vuln,sandboxing,antiexploit</log_events>
            <remote_logging>
                <log_upload_enabled>1</log_upload_enabled>
                <log_upload_server>12345.ca-west-1.fortianalyzer.forticloud.com</log_upload_server>
                <log_upload_ssl_enabled>1</log_upload_ssl_enabled>
                <log_retention_days>90</log_retention_days>
                <log_upload_freq_minutes>90</log_upload_freq_minutes>
                <log_generation_timeout_secs>900</log_generation_timeout_secs>
                <log_compressed>0</log_compressed>
                <log_protocol>syslog</log_protocol> <!-- faz | syslog -->
                <netlog_server>0.0.0.0</netlog_server> <!-- server IP address -->
                <netlog_categories>7</netlog_categories>
                <send_software_inventory>1</send_software_inventory>
                <send_os_events>
                    <enabled>1</enabled>
                    <interval>120</interval>
                </send_os_events>
            </remote_logging>
        </log_settings>
    </system>
</forticlient_configuration>

The following table provides the XML tags for log settings, as well as the descriptions and default values where applicable.

XML tag

Description

Default value

<onnet_local_logging>

EMS sends this XML element to FortiClient when client-log-when-on-net is enabled on EMS. Its value reflects that setting: whether FortiClient keeps writing local logs while the endpoint is on-net.

Boolean value: [0 | 1]

<level>

Configure the FortiClient logging level. FortiClient generates logs at the selected level and at every more critical level (lower numbers); less critical levels are suppressed. Enter one of the following:

  • 0: Emergency. The system becomes unstable.
  • 1: Alert. Immediate action is required.
  • 2: Critical. Functionality is affected.
  • 3: Error. An error condition exists and could affect functionality.
  • 4: Warning. Functionality could be affected.
  • 5: Notice. Information about normal events.
  • 6: Info. General information about system operations.
  • 7: Debug. Debug FortiClient.

Default value: 6

<log_events>

FortiClient events or processes to log. Enter a comma-separated list of one or more of the following:

  • ipsecvpn: IPsec VPN log events
  • sslvpn: SSL VPN log events
  • firewall: Application firewall log events
  • av: AV log events
  • webfilter: Web filter log events
  • vuln: Vulnerability scan log events
  • fssoma: SSO mobility agent for FortiAuthenticator log events
  • scheduler: Scheduler log events
  • update: Update log events
  • proxy: FortiProxy log events
  • shield: FortiShield log events
  • endpoint: Endpoint Control log events
  • configd: Configuration log events
  • sandboxing: Sandbox detection events

Default value: ipsecvpn, sslvpn, scheduler, update, firewall, av, clientmanager, proxy, shield, webfilter, endpoint, fssoma, configd, vuln (all events enabled by default)

<remote_logging> elements

All elements for <remote_logging> apply only to remote logs. The elements do not affect the behavior of local logs.

<log_upload_enabled>

Upload FortiClient logs to FortiAnalyzer or FortiManager.

Boolean value: [0 | 1]

Default value: 0

<log_upload_server>

Enter the FortiAnalyzer IP address or hostname/fully qualified domain name (FQDN). With Chromebook profiles, use the format https://FAZ-IP:port/logging.

If using a port other than the default, use <address>:<port>.

For FortiAnalyzer Cloud, you must enter an FQDN; an IP address is not accepted. The FQDN is the hostname you use to access the FortiAnalyzer Cloud instance, for example 1208151.ca-west-1.fortianalyzer.forticloud.com. You may also need to configure the server name indication (SNI) with <log_uploadserver_sni>.

<log_uploadserver_sni>

Enter the SNI for FortiAnalyzer Cloud.

<log_upload_ssl_enabled>

Enable SSL/TLS when uploading logs to FortiAnalyzer or FortiManager. With this set to 0, uploaded logs cross the network in cleartext.

Boolean value: [0 | 1]

Default value: 1

<log_upload_freq_minutes>

Enter how often, in minutes, FortiClient uploads logs.

Default value: 90

<log_generation_timeout_secs>

Enter how often, in seconds, FortiClient generates logs for upload.

Default value: 900

<log_compressed>

Enable log compression.

Boolean value: [0 | 1]

<log_retention_days>

Enter the number of days to retain logs in the upload queue when FortiClient cannot reach the server; queued logs older than this are deleted. This setting does not affect local logs.

Default value: 90

<log_protocol>

Enter the remote server type:

  • faz: FortiAnalyzer
  • syslog: Syslog server

<netlog_server>

Enter the syslog server's IP address. FortiClient uses this setting only when <log_protocol> is set to syslog. The 0.0.0.0 in the sample configuration is a placeholder to replace with the real server address.

<netlog_categories>

Enter a bitmask selecting which logs to upload:

  • 1 = traffic logs
  • 2 = vulnerability logs
  • 4 = event logs

Because these are bit flags, combine them by adding (bitwise OR) the values:

  • 3 = 1 | 2 (traffic and vulnerability)
  • 5 = 1 | 4 (traffic and event)
  • 6 = 2 | 4 (vulnerability and event)
  • 7 = 1 | 2 | 4 (all logs)

Default value: 7

<send_software_inventory>

Enable sending software inventory reports to FortiAnalyzer.

Boolean value: [0 | 1]

Default value: 1

<send_os_events> elements

Send OS event logs to FortiAnalyzer.

<enabled>

Enable sending OS event logs to FortiAnalyzer.

Default value: 1

<interval>

Interval, in seconds, at which FortiClient sends OS event logs to FortiAnalyzer.

Default value: 120

The FortiShield daemon protects FortiClient’s own file system and registry settings from modification by unauthorized persons.
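The remote logging settings in the table interact: <log_protocol> decides whether <log_upload_server> or <netlog_server> is used, <log_upload_ssl_enabled> decides whether uploads are encrypted, <netlog_categories> is a bitmask, and <level> is a severity threshold. The Python script below is an added example, not Fortinet code, that lints the <log_settings> block of an exported FortiClient configuration against those rules, decodes the bitmask, and reports which severities a given <level> emits. The XML it parses is constructed for the example. KNOWN_EVENTS is the list from the <log_events> row above; the sample configuration also carries antiexploit and the default list carries clientmanager, which this page does not describe, so add them to the set if your build accepts them.

```python
"""Lint the <log_settings> block of a FortiClient XML configuration. Added
example, not Fortinet code: cross-checks the fields documented on this page."""
import xml.etree.ElementTree as ET

# Severity names in <level> order (0 = emergency ... 7 = debug).
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notice", "info", "debug"]

# Event names from the <log_events> row of the table on this page.
KNOWN_EVENTS = {
    "ipsecvpn", "sslvpn", "firewall", "av", "webfilter", "vuln", "fssoma",
    "scheduler", "update", "proxy", "shield", "endpoint", "configd",
    "sandboxing",
}

CATEGORY_BITS = {1: "traffic", 2: "vulnerability", 4: "event"}  # <netlog_categories>

# Constructed input for this example: syslog selected but no server set,
# SSL switched off, and a bitmask that drops vulnerability logs.
SAMPLE_XML = """<forticlient_configuration>
  <system>
    <log_settings>
      <level>6</level>
      <log_events>ipsecvpn,sslvpn,av,webfilter,vuln,shield</log_events>
      <remote_logging>
        <log_upload_enabled>1</log_upload_enabled>
        <log_upload_server>12345.ca-west-1.fortianalyzer.forticloud.com</log_upload_server>
        <log_upload_ssl_enabled>0</log_upload_ssl_enabled>
        <log_protocol>syslog</log_protocol>
        <netlog_server>0.0.0.0</netlog_server>
        <netlog_categories>5</netlog_categories>
      </remote_logging>
    </log_settings>
  </system>
</forticlient_configuration>"""


def decode_categories(mask):
    """Expand a <netlog_categories> bitmask into the category names it enables."""
    if not 0 <= mask <= 7:
        raise ValueError("netlog_categories out of range: %d" % mask)
    return [name for bit, name in CATEGORY_BITS.items() if mask & bit]


def logged_at(level, severity):
    """True if a message of `severity` is written when <level> is `level`:
    FortiClient logs the selected level and everything more critical."""
    return SEVERITY.index(severity) <= level


def lint_log_settings(xml_text):
    """Return a list of findings; an empty list means the block is consistent."""
    root = ET.fromstring(xml_text)
    settings = root.find("./system/log_settings")
    if settings is None:
        return ["no <system>/<log_settings> element found"]

    def text(path, default=""):
        node = settings.find(path)
        return (node.text or "").strip() if node is not None else default

    findings = []
    level = int(text("level", "6"))
    if not 0 <= level <= 7:
        findings.append("level %d is outside 0-7" % level)
    unknown = {e.strip() for e in text("log_events").split(",") if e.strip()} - KNOWN_EVENTS
    if unknown:
        findings.append("log_events not in the documented list: %s" % sorted(unknown))
    if text("remote_logging/log_upload_enabled", "0") != "1":
        return findings  # remote logging off: the checks below do not apply

    if text("remote_logging/log_upload_ssl_enabled", "1") != "1":
        findings.append("log_upload_ssl_enabled=0: logs are uploaded in cleartext")
    protocol = text("remote_logging/log_protocol", "faz")
    if protocol == "syslog":
        if text("remote_logging/netlog_server") in ("", "0.0.0.0"):
            findings.append("log_protocol=syslog but netlog_server is unset or 0.0.0.0")
    elif protocol == "faz":
        if not text("remote_logging/log_upload_server"):
            findings.append("log_protocol=faz but log_upload_server is empty")
    else:
        findings.append("unknown log_protocol %r (expected faz or syslog)" % protocol)
    mask = int(text("remote_logging/netlog_categories", "7"))
    try:
        cats = decode_categories(mask)
        if len(cats) < len(CATEGORY_BITS):
            findings.append("netlog_categories=%d uploads only %s logs"
                            % (mask, ", ".join(cats)))
    except ValueError as exc:
        findings.append(str(exc))
    return findings


if __name__ == "__main__":
    for finding in lint_log_settings(SAMPLE_XML):
        print("-", finding)
```

Feed the exported XML to lint_log_settings(); an empty list means the block is consistent with the rules on this page. Against SAMPLE_XML it returns three findings: SSL disabled, syslog selected with no server, and a bitmask that omits vulnerability logs. logged_at(6, "debug") is False and logged_at(6, "info") is True, which is what the default <level> of 6 means in practice.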
