Logging generates system event, traffic, user login, and many other types of records that can be used for alerts, analysis, and troubleshooting. The records can be stored locally (data at rest) or remotely (data in motion). Due to the sensitivity of the log data, it is important to encrypt data in motion through the logging transmission channel. Communication with FortiAnalyzer and FortiCloud is encrypted by default. When logging to third party devices, make sure that the channel is secure. If it is not secure, it is recommended that you form a VPN to the remote logging device before transmitting logs to it.
Logging options include FortiAnalyzer, syslog, and a local disk. Logging with syslog only stores the log messages. Logging to FortiAnalyzer stores the logs and provides log analysis . If a security fabric is established, you can create rules to trigger actions based on the logs. For example, sending an email if the FortiGate configuration is changed, or running a CLI script if a host is compromised. If you are using a standalone logging server, integrating an analyzer application or server allows you to parse the raw logs into meaningful data.
FortiSIEM (security information and event management) and FortiSOAR (security orchestration, automation, and response) both aggregate security data from various sources into alerts. The FortiSOAR can also automate responses to different alerts.