Configuring remote log server settings for event logs
A remote log server is a system provisioned specifically to collect logs for long term storage and analysis with preferred analytic tools. We recommend FortiAnalyzer.
The system has two configurations to support sending logs to remote log servers: remote log server settings for system event logs, and remote log server settings for DDoS logs.
The system event log configuration applies to system-wide data, such as system health indicators and system administrator activities. The DDoS log configuration applies to security data.
You can configure up to three Log Remote or Remote Event Log Servers.
Before you begin:
- You must have Read-Write permission for Log & Report settings.
See also: Configuring remote log server settings for DDoS attack log.
To configure remote event log settings:
- Go to Log & Report > Log Configuration > Event Log Remote.
- Click Add.
- Complete the configuration as described in the table below.
- Save the configuration.
Remote log server settings
Remote log configuration guidelines
| Settings | Guidelines |
|---|---|
| Status | Select to display settings to manage the disk used for logging. |
| Address | IP address of the FortiAnalyzer or syslog server. |
| Port | Listening port number of the FortiAnalyzer/syslog server. Usually this is UDP port 514. |
| Log Level |
Select the severity to log from the following choices:
|
| CSV Format | Send logs in CSV format. Do not use with FortiAnalyzer. |
| Minimum Log Level | Select the lowest severity to log from the following choices:
For example, if you select Error, the system sends the syslog server logs with level Error, Critical, Alert, and Emergency. If you select Alert, the system collects logs with level Alert and Emergency. |
| Facility | Identifier that is not used by any other device on your network when sending logs to FortiAnalyzer/syslog. |
| Event Logging | Select to enable event logging and then select the types of events that you want included in the event log. |
|
RFC 5424 Compliance |
Enable to comply with RFC 5424 guidelines |
|
Encrypt Syslog to FortiAnalyzer |
Enable to send encrypted Syslog to FortiAnalyzer. Please do not combine with RFC 5424 settings if you choose this option. |
The following is an example of an event syslog message:
device_id=SYSLOG-AC1E997F type=generic pri=information itime=1431633173 msg="date=2015-05-
13,time=13:25:13,tz=PDT,devid=FI800B3913000032,log_
id=0000002168,type=event,subtype=config,level=information,msg_id=426204,user=admin,ui=ssh
(172.30.153.9),action=none,status=none,reason=none,msg='changed settings for 'ddos spp setting'
on domain 'SPP-1''"
Event syslog fields
| Field | Example |
|---|---|
|
Syslog device ID |
device_id=SYSLOG-AC1E997F |
|
Syslog type |
type=generic |
|
Syslog log level |
pri=information |
|
Syslog time |
itime=1431633173 |
|
Log datestamp |
date=2015-05-13 |
|
Log timestamp |
13:25:13 |
|
Log time zone |
tz=PDT |
|
Device ID |
devid=FI800B3913000032 |
|
Log ID |
log_id=0000002168 |
|
Log type |
type=event |
|
Log subtype |
subtype=config |
|
Log level |
level=information |
|
Message ID |
msg_id=426204 |
|
Admin user |
user=admin |
|
Admin UI |
ui=ssh(172.30.153.9) |
|
Action |
action=none |
|
Status |
status=none |
|
Reason string |
reason=none |
|
Log message |
msg='changed settings for 'ddos spp setting' on domain 'SPP-1''" |
|
CLI commands: config log setting remote edit 1 set status enable set server 172.30.153.105 set comma-separated-value enable set event-log-status enable set event-log-category configuration spp_switching ir_update next end |