Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    7.0.1
    7.0.3
    7.0.1
    7.0.0
    6.6.3
    6.6.3
    6.6.1
    6.6.0
    6.5.1
    6.5.0
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.1

    Configuring remote log server settings for event logs

    Configuring remote log server settings for event logs

    A remote log server is a system provisioned specifically to collect logs for long term storage and analysis with preferred analytic tools. We recommend FortiAnalyzer.

    The system has two configurations to support sending logs to remote log servers: remote log server settings for system event logs, and remote log server settings for DDoS logs.

    The system event log configuration applies to system-wide data, such as system health indicators and system administrator activities.

    Please see Configuring remote log server settings for DDoS attack log for remote attack syslog servers.

    tooltip icon

    Before you begin:

    • You must have Read-Write permission for Log & Report settings.

    See also: Configuring remote log server settings for DDoS attack log.

    To configure remote event log settings:
    1. Go to Log & Report > Log Configuration > Event Log Remote.
    2. Click Add.
    3. Complete the configuration as described in the table below.
    4. Save the configuration.
    Remote log server settings

    Remote log configuration guidelines
    Settings Guidelines
    Status

    Enable or disable this configuration.

    Note: if disabled, the configuration still counts towards the maximum three allowed.
    Address IP address of the FortiAnalyzer, FortiManager, or other syslog server.
    Port Listening port number of the FortiAnalyzer/syslog server. Usually this is UDP port 514.
    Log Level

    Select the severity to log from the following choices. Levels below the selected level will not be sent:

    • Emergency—The system has become unstable.
    • Alert—Immediate action is required.
    • Critical—Functionality is affected.
    • Error—An error condition exists and functionality could be affected.
    • Warning—Functionality might be affected.
    • Notification—Information about normal events.
    • Information—General information about system operations.
    • Debug—Detailed information about the system that can be used to troubleshoot unexpected behavior
    CSV Format Send logs in CSV format.Disable when using FortiManager / FortiAnalyzer and most other syslog servers.
    Facility Identifier that is not used by FortiDDoS but might be useful for the syslog server.
    Event Logging Select to enable event logging.

    Event Category

    Select the Event Categories that you want included in the event syslogs.
    Note: All Event Categories are disabled by default. It is safe to enable all.

    Event syslog formats

    The following is an example of an event syslog message:

    device_id=SYSLOG-AC1E997F type=generic pri=information itime=1431633173 msg="date=2015-05-

    13,time=13:25:13,tz=PDT,devid=FI800B3913000032,log_

    id=0000002168,type=event,subtype=config,level=information,msg_id=426204,user=admin,ui=ssh

    (172.30.153.9),action=none,status=none,reason=none,msg='changed settings for 'ddos spp setting'

    on domain 'SPP-1''"

    Event syslog fields

    Field Example

    Syslog device ID

    device_id=SYSLOG-AC1E997F

    Syslog type

    type=generic

    Syslog log level

    pri=information

    Syslog time

    itime=1431633173

    Log datestamp

    date=2015-05-13

    Log timestamp

    13:25:13

    Log time zone

    tz=PDT

    Device ID

    devid=FI800B3913000032

    Log ID

    log_id=0000002168

    Log type

    type=event

    Log subtype

    subtype=config

    Log level

    level=information

    Message ID

    msg_id=426204

    Admin user

    user=admin

    Admin UI

    ui=ssh(172.30.153.9)

    Action

    action=none

    Status

    status=none

    Reason string

    reason=none

    Log message

    msg='changed settings for 'ddos spp setting' on domain 'SPP-1''"

    CLI commands:

    #config log setting remote

    (remote)#edit {1 | 2 |3 |} Three event log remote servers allowed.

    (1)# set status {enable | disable }

    (1)# set ip-address <172.30.153.105>

    (1)# set port <514>

    (1)# set comma-separated-value {enable | disable } Note: Disable for FortiAnalyzer and most servers

    (1)# set facility {kern | mail | daemon | auth | lpr | news | cron | auth-priv | ftp | ntp | audit | alert | clock | syslog | user | uucp | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }

    (1)# set event-log-status {enable | disable }

    (1)# set loglevel {Emergency | Alert | Critical | Error | Warning | Notification | Information | Debug }

    (1)# set event-log-category { admin configuration default_gateway ha health_check spp_switching system update user } Select all required.

    (1)# set fortianalyzer {enable | disable }

    For FortiAnalyzer:

    (1)# set encrypt-traffic-to-fortianalyzer (= OFTP)

    No setting above = Standard FortiAnalyzer UDP RFC-3164

    For FortiAnalyzer disabled:

    (Name)# set proto {udp | tcp}

    For UDP, no set = RFC3164, otherwise:

    (1)# set rfc-5424

    For TCP:

    This is RFC-6587

    (N1)# set tcp-framing {traditional | octet_counted }

    Above is server-dependent

    end
    Previous
    Next

    Configuring remote log server settings for event logs

    Configuring remote log server settings for event logs

    A remote log server is a system provisioned specifically to collect logs for long term storage and analysis with preferred analytic tools. We recommend FortiAnalyzer.

    The system has two configurations to support sending logs to remote log servers: remote log server settings for system event logs, and remote log server settings for DDoS logs.

    The system event log configuration applies to system-wide data, such as system health indicators and system administrator activities.

    Please see Configuring remote log server settings for DDoS attack log for remote attack syslog servers.

    tooltip icon

    Before you begin:

    • You must have Read-Write permission for Log & Report settings.

    See also: Configuring remote log server settings for DDoS attack log.

    To configure remote event log settings:
    1. Go to Log & Report > Log Configuration > Event Log Remote.
    2. Click Add.
    3. Complete the configuration as described in the table below.
    4. Save the configuration.
    Remote log server settings

    Remote log configuration guidelines
    Settings Guidelines
    Status

    Enable or disable this configuration.

    Note: if disabled, the configuration still counts towards the maximum three allowed.
    Address IP address of the FortiAnalyzer, FortiManager, or other syslog server.
    Port Listening port number of the FortiAnalyzer/syslog server. Usually this is UDP port 514.
    Log Level

    Select the severity to log from the following choices. Levels below the selected level will not be sent:

    • Emergency—The system has become unstable.
    • Alert—Immediate action is required.
    • Critical—Functionality is affected.
    • Error—An error condition exists and functionality could be affected.
    • Warning—Functionality might be affected.
    • Notification—Information about normal events.
    • Information—General information about system operations.
    • Debug—Detailed information about the system that can be used to troubleshoot unexpected behavior
    CSV Format Send logs in CSV format.Disable when using FortiManager / FortiAnalyzer and most other syslog servers.
    Facility Identifier that is not used by FortiDDoS but might be useful for the syslog server.
    Event Logging Select to enable event logging.

    Event Category

    Select the Event Categories that you want included in the event syslogs.
    Note: All Event Categories are disabled by default. It is safe to enable all.

    Event syslog formats

    The following is an example of an event syslog message:

    device_id=SYSLOG-AC1E997F type=generic pri=information itime=1431633173 msg="date=2015-05-

    13,time=13:25:13,tz=PDT,devid=FI800B3913000032,log_

    id=0000002168,type=event,subtype=config,level=information,msg_id=426204,user=admin,ui=ssh

    (172.30.153.9),action=none,status=none,reason=none,msg='changed settings for 'ddos spp setting'

    on domain 'SPP-1''"

    Event syslog fields

    Field Example

    Syslog device ID

    device_id=SYSLOG-AC1E997F

    Syslog type

    type=generic

    Syslog log level

    pri=information

    Syslog time

    itime=1431633173

    Log datestamp

    date=2015-05-13

    Log timestamp

    13:25:13

    Log time zone

    tz=PDT

    Device ID

    devid=FI800B3913000032

    Log ID

    log_id=0000002168

    Log type

    type=event

    Log subtype

    subtype=config

    Log level

    level=information

    Message ID

    msg_id=426204

    Admin user

    user=admin

    Admin UI

    ui=ssh(172.30.153.9)

    Action

    action=none

    Status

    status=none

    Reason string

    reason=none

    Log message

    msg='changed settings for 'ddos spp setting' on domain 'SPP-1''"

    CLI commands:

    #config log setting remote

    (remote)#edit {1 | 2 |3 |} Three event log remote servers allowed.

    (1)# set status {enable | disable }

    (1)# set ip-address <172.30.153.105>

    (1)# set port <514>

    (1)# set comma-separated-value {enable | disable } Note: Disable for FortiAnalyzer and most servers

    (1)# set facility {kern | mail | daemon | auth | lpr | news | cron | auth-priv | ftp | ntp | audit | alert | clock | syslog | user | uucp | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }

    (1)# set event-log-status {enable | disable }

    (1)# set loglevel {Emergency | Alert | Critical | Error | Warning | Notification | Information | Debug }

    (1)# set event-log-category { admin configuration default_gateway ha health_check spp_switching system update user } Select all required.

    (1)# set fortianalyzer {enable | disable }

    For FortiAnalyzer:

    (1)# set encrypt-traffic-to-fortianalyzer (= OFTP)

    No setting above = Standard FortiAnalyzer UDP RFC-3164

    For FortiAnalyzer disabled:

    (Name)# set proto {udp | tcp}

    For UDP, no set = RFC3164, otherwise:

    (1)# set rfc-5424

    For TCP:

    This is RFC-6587

    (N1)# set tcp-framing {traditional | octet_counted }

    Above is server-dependent

    end
    Previous
    Next