Administration Guide

Customizing log formats for syslog servers NEW

You can configure and send custom log formats to syslog servers using custom-format and log-template configurations, allowing you to tailor syslog output to match the exact requirements of your external logging system.

Use the feature by:

  1. Configuring the custom log format.

    config log custom-format
        edit <name>
            set field-exclusion-list {date | devid | devname | eventtime | level | logid | slot | subtype | time | type | tz | vd | vsn}
            set empty-value-indicator <string>
            config log-templates
                edit <name>
                    set category <string>
                    set subtypes <string>
                    set template <string>
                next
            end
        next
    end
  2. Configuring the syslog logging devices to use the custom log format.

    config log syslogd setting
        set status enable
        set server <syslog_IP>
        set format {default | csv | cef | rfc5424 | json | custom}
        set custom-log-format <string>
    end

Custom log formats can also be configured for syslogd2, syslogd3, and the per-VDOM syslogd override in multi-VDOM mode:

  • For syslogd2 and syslogd3, under config log syslogd2 setting and config log syslogd3 setting, set format to custom and select the custom log format with custom-log-format.

  • For the syslogd override in a VDOM, enable syslog-override under config log setting. Then, under config log syslogd override-setting, set format to custom and select the custom log format with custom-log-format.

This topic includes the following examples:

  • Example 1: exclude fields

  • Example 2: configure specific categories, subtypes, and fields

  • Example 3: include UTM-related fields in traffic logs

  • Example 4: use wildcard syntax

Example 1: exclude fields

In this example, logs sent from FortiGate to a syslog server are customized as follows:

  • The percentage (%) character indicates empty values in the logs.

  • The “date”, “eventtime”, “time” and “tz” fields are excluded from the logs.

To customize logs for syslog servers:
  1. Set the custom log format:

    The empty-value-indicator can be a single character symbol, such as %.

    config log custom-format
        edit "test"
            set empty-value-indicator "%"
            set field-exclusion-list "date" "eventtime" "time" "tz"
        next
    end
  2. Configure the syslog server to use the custom log format:

    config log syslogd setting
        set status enable
        set server "172.16.200.55"
        set facility local6
        set format custom
        set custom-log-format "test"
    end
  3. Send logs to a syslog server.

    Logs received by the syslog server exclude the “date”, “eventtime”, “time”, and “tz” fields. The only timestamp left is the one in the syslog header (for example, Feb  3 10:03:31), which carries neither the year nor the time zone, so the receiving system must be able to supply both when it indexes these events.

    • Traffic log example:

      Feb  3 10:03:31 172.16.200.2 devname=FGT-B-LOG devid=FG201FT920901892  logid="0006000026" type="traffic" subtype="http-transaction" level="notice" vd="vdom1" srcip=10.1.100.22 srcport=33012 dstip=172.16.200.55 dstport=80 sessionid=100663312 transid=100663315 action="accept" policyid=1 policytype="proxy-policy" poluuid="e66b90f6-008d-51f1-e5f4-799c5495850b" url="http://172.16.200.55/" agent="curl/7.68.0" appcat="unscanned" duration=0 reqlength=127 resplength=1145 rcvdbyte=1145 sentbyte=127 scheme="http" hostname="172.16.200.55" resptype="normal" httpmethod="GET" statuscode="200" reqtime=1770134611 resptime=1770134611 respfinishtime=1770134611
      
    • UTM log example:

      Feb  2 15:31:47 172.16.200.2 devname=FGT-B-LOG devid=FG201FT920901892  logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" policyid=1 poluuid="2a0da664-90c8-51ef-c42e-31dd5cc56aea" policytype="policy" msg="File is infected." action="blocked" service="HTTP" sessionid=1009 srcip=10.1.100.22 dstip=172.16.200.55 srcport=56586 dstport=80 srccountry="Reserved" dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" srcuuid="85bf1200-90ae-51ef-7a00-759244bb35e4" dstuuid="85bf1200-90ae-51ef-7a00-759244bb35e4" proto=6 direction="incoming" filename="eicar.com" checksum="6851cf3c" quarskip="No-skip" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="cached" itype="infected" ref="https://fortiguard.com/encyclopedia/virus/2172" virusid=2172 url="http://172.16.200.55/virus/eicar.com" profile="av-test" agent="curl/7.68.0" httpmethod="GET" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
      
    • Event log example:

      Feb  2 15:31:41 172.16.200.2 devname=FGT-B-LOG devid=FG201FT920901892  logid="0100020025" type="event" subtype="system" level="notice" vd="vdom1" logdesc="Report generated successfully" msg="Report generation succeeded for layout:default." file="/var/log/log/vdom1/report/generated/On-Demand-default-2026-02-02-123140/default.pdf" filesize=272974 datarange="01-Feb-2026 12:00 To 02-Feb-2026 11:59" reporttype="On-demand" processtime=0


Example 2: configure specific categories, subtypes, and fields

In this example, logs sent from FortiGate to a syslog server are customized as follows:

  • The percentage (%) character indicates empty values in the logs.

  • A log type category (event), subtype (system), and specific fields are configured for the logs.

FortiGate only sends logs for this category and subtype with the configured fields to the syslog server. This feature is supported for all categories.

To customize logs for syslog servers:
  1. Configure a custom log format:

    config log custom-format
        edit "test"
            set empty-value-indicator "%"
            config log-templates
                edit "1"
                    set category event
                    set subtypes "system"
                    set template "eve_type=$(subtype) eve_msg=$(msg) eve_vdom=$(vd) eve_level=$(level) eve_status=$(status) eve_profile=$(profile)"
                next
            end
        next
    end
  2. Configure the syslog server to use the custom log format:

    config log syslogd setting
        set status enable
        set server "172.16.200.55"
        set facility local6
        set format custom
        set custom-log-format "test"
    end
  3. Send logs to a syslog server.

    The syslog server only receives logs for the category and subtype configured in the template, containing only the configured fields. Fields with an empty value display %.

    Feb  2 16:00:55 172.16.200.2 eve_type="system" eve_msg="Administrator admin login failed from https(10.6.30.254) because of invalid password" eve_vdom="vdom1" eve_level="alert" eve_status="failed" eve_profile=%
    Feb  2 16:01:12 172.16.200.2 eve_type="system" eve_msg="Edit system.global " eve_vdom="vdom1" eve_level="information" eve_status=% eve_profile=%
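Receiver-side handling of this output, as an added example that is not part of the FortiOS guide: it parses custom-format lines into fields, maps the empty-value-indicator back to a real "missing" value so that rules never match on the literal %, and shows the consequence of Example 1's exclusion list, where only the syslog header timestamp (no year, no time zone) is left. The sample lines are copied from the Example 2 output above and from the Example 4 output further down (shortened); the eve_* names are the ones the Example 2 template defines; "%" is assumed to be the configured empty-value-indicator.

```python
"""Receiver-side handling of FortiGate custom-format syslog lines.

Added example, not code from the FortiOS guide. Assumptions: the sample lines
are copied from the page's Example 2 output plus one line shortened from its
Example 4 output; the eve_* names are the ones the page's Example 2 template
defines; "%" is the empty-value-indicator configured on the FortiGate.
"""
import re
from datetime import datetime, timezone

# Constructed sample input (copied from the page's example output).
SAMPLE_LINES = [
    'Feb  2 16:00:55 172.16.200.2 eve_type="system" eve_msg="Administrator admin login failed from https(10.6.30.254) because of invalid password" eve_vdom="vdom1" eve_level="alert" eve_status="failed" eve_profile=%',
    'Feb  2 16:01:12 172.16.200.2 eve_type="system" eve_msg="Edit system.global " eve_vdom="vdom1" eve_level="information" eve_status=% eve_profile=%',
    'Feb  3 09:27:45 172.16.200.2 date=2026-02-03 time=09:27:45 devname=FGT-B-LOG devid=FG201FT920901892 url="http://172.16.200.55/virus/eicar.com" virus="EICAR_TEST_FILE" http_status_code=% eventtime=1770139665020444596 tz="-0800" logid="0000000013" type="traffic" subtype="forward"',
]

# BSD-style syslog header exactly as the page shows it ("Feb  3 10:03:31 172.16.200.2 ...").
# It carries neither a year nor a time zone.
_HEADER = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<body>.*)$")
# key=value pairs: a double-quoted value (may contain spaces) or a bare token.
_KV = re.compile(r'(?P<key>[A-Za-z0-9_.-]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))')


def parse_line(line, empty_indicator="%"):
    """Split one line into header fields and a dict of log fields.

    A field the FortiGate printed as the empty-value-indicator (or with no
    value at all, as happens with a whitespace indicator) is stored as None,
    so downstream rules never match on the literal indicator.
    """
    m = _HEADER.match(line)
    if m is None:
        raise ValueError("not a syslog line: %r" % line)
    fields = {}
    for kv in _KV.finditer(m.group("body")):
        value = kv.group("quoted")
        if value is None:
            value = kv.group("bare")
        fields[kv.group("key")] = None if value in ("", empty_indicator) else value
    return {"ts": m.group("ts"), "host": m.group("host"), "fields": fields}


def event_time(record, fallback_year=None):
    """Best available timestamp for a parsed record.

    With eventtime present (nanoseconds since the epoch) the result is exact and
    timezone-aware. Once a field-exclusion-list or template has dropped
    date/time/eventtime/tz, only the syslog header is left: the caller has to
    supply the year, and the result is naive device-local time.
    """
    ns = record["fields"].get("eventtime")
    if ns is not None:
        ns = int(ns)
        return datetime.fromtimestamp(ns // 10**9, tz=timezone.utc).replace(microsecond=(ns % 10**9) // 1000)
    if fallback_year is None:
        raise ValueError("eventtime was excluded; a fallback year is required")
    return datetime.strptime("%d %s" % (fallback_year, record["ts"]), "%Y %b %d %H:%M:%S")


def failed_admin_logins(records):
    """Detection over the page's Example 2 format: administrator login failures."""
    return [r for r in records
            if r["fields"].get("eve_type") == "system"
            and r["fields"].get("eve_status") == "failed"
            and "login failed" in (r["fields"].get("eve_msg") or "")]


def parse_samples():
    return [parse_line(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    records = parse_samples()
    for r in failed_admin_logins(records):
        print("ALERT", event_time(r, fallback_year=2026), r["host"], r["fields"]["eve_msg"])
    print(event_time(records[2]).isoformat())
```

The indicator is normalised at parse time on purpose: a rule written as eve_status == "failed" would otherwise be joined by rules that have to know the device-specific indicator, and a template that names a field the category never populates (eve_profile above) would silently produce a string value of "%" in the SIEM.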

Example 3: include UTM-related fields in traffic logs

This example demonstrates how to include UTM-related fields in traffic logs. This feature is only available for traffic logs.

In this example, category is set to traffic, subtype is set to forward, and specific fields are configured for the logs FortiGate sends to a syslog server.

If a template references a UTM field that does not exist for the category, the CLI rejects the template with an invalid log field name error.

To customize logs for syslog servers:
  1. Configure a custom log format:

    config log custom-format
        edit "test"
            set empty-value-indicator ' '
            config log-templates
                edit "1"
                    set category traffic
                    set subtypes "forward"
                    set template "type=$(type) subtype=$(subtype) http_status_code=$(statuscode) url=$(virus.url) virus=$(virus.virus) agent=$(virus.agent) profile=$(virus.profile)"
                next
            end
        next
    end
  2. Configure the syslog server to use the custom log format:

    config log syslogd setting
        set status enable
        set server "172.16.200.55"
        set facility local6
        set format custom
        set custom-log-format "test"
    end
  3. Send logs to a syslog server.

    Logs received by the syslog server include selected traffic and UTM log fields.

    Feb  3 11:44:07 172.16.200.2 type="traffic" subtype="forward" http_status_code=  url="http://172.16.200.55/virus/eicar.com" virus="EICAR_TEST_FILE" agent="curl/7.68.0" profile="av-test"

Example 4: use wildcard syntax

This example demonstrates how to include the wildcard syntax $(*) in a template. Note:

  • $(*) is replaced by the default-format log content.

  • Additional UTM fields can be appended alongside $(*).

  • $(*) behaves like a regular field in custom-format log-templates: text can be placed both before and after it.

  • Each template can contain only one $(*). An error is displayed when a template uses more than one.

To customize logs for syslog servers:
  1. Configure a custom log format:

    When the custom log format has a field-exclusion-list and a template is set for a category, the template overrides the exclusion list for that category: excluded fields still appear in the $(*) content.

    config log custom-format
        edit "test"
            set field-exclusion-list "date" "eventtime" "time" "tz"
            set empty-value-indicator "%"
            config log-templates
                edit "1"
                    set category traffic
                    set subtypes "forward"
                    set template "url=$(virus.url) virus=$(virus.virus) http_status_code=$(statuscode) $(*) agent=$(virus.agent) profile=$(virus.profile)"
                next
            end
        next
    end
  2. Configure the syslog server to use the custom log format:

    config log syslogd setting
        set status enable
        set server "172.16.200.55"
        set facility local6
        set format custom
        set custom-log-format "test"
    end
  3. Send logs to a syslog server.

    Logs received by the syslog server include all traffic log fields, including the ones named in the field-exclusion-list, together with the selected UTM log fields.

    Feb  3 09:27:45 172.16.200.2 date=2026-02-03 time=09:27:45 devname=FGT-B-LOG devid=FG201FT920901892 url="http://172.16.200.55/virus/eicar.com" virus="EICAR_TEST_FILE" http_status_code=% eventtime=1770139665020444596 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.100.22 srcname="10.1.100.22" srcport=40028 srcintf="port1" srcintfrole="undefined" dstip=172.16.200.55 dstname="172.16.200.55" dstport=80 dstintf="port2" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=5120 proto=6 action="close" policyid=1 policytype="policy" poluuid="2a0da664-90c8-51ef-c42e-31dd5cc56aea" policyname="B-out" service="HTTP" trandisp="snat" transip=172.16.200.2 transport=40028 appcat="unscanned" duration=30 sentbyte=1784 rcvdbyte=1242 sentpkt=31 rcvdpkt=6 utmaction="block" countav=1 crscore=50 craction=2 agent="curl/7.68.0" profile="av-test"
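A way to preview what a template will emit before committing it, added here as an example and not FortiOS code: it models only the rules this topic states for Examples 1 to 4 (a missing template leaves only the exclusion list in effect, a template sends only its own category/subtype, $(virus.<field>) pulls UTM fields into traffic logs, at most one $(*) per template, $(*) expands to the default content and overrides the exclusion list, empty values print the empty-value-indicator). The field sets and the two records are constructed from names visible in the page's sample logs and are far from a complete FortiGate schema; the real device prints date/time/devname/devid ahead of the template text, as the Example 4 output shows, which this simplified model does not reproduce.

```python
"""Preview of the custom-format rendering rules this page describes.

Added example, not FortiOS code. Assumptions: the field sets and the two records
are constructed from names in the page's sample logs (a real FortiGate has far
more); values are stored as default-format tokens, quoted or bare as the page
prints them; the device prints date/time/devname/devid ahead of the template
text (see the Example 4 output), which this simplified model does not.
"""
import re

WILDCARD = "*"
_FIELD_REF = re.compile(r"\$\((\*|[A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)?)\)")
_COMMON = {"date", "time", "eventtime", "tz", "devname", "devid", "logid", "type", "subtype", "level", "vd"}
KNOWN_FIELDS = {"traffic": _COMMON | {"srcip", "dstip", "action", "utmaction", "statuscode"},
                "event": _COMMON | {"logdesc", "msg", "status", "profile"}}
UTM_FIELDS = {"virus": {"url", "virus", "agent", "profile", "filename"}}  # reachable as $(virus.<field>)


def check_template(category, template):
    """Return the error text the page says the CLI reports, or None if the template is accepted."""
    refs = _FIELD_REF.findall(template)
    if refs.count(WILDCARD) > 1:
        return "only one $(*) is allowed per template"
    for ref in refs:
        if ref == WILDCARD:
            continue
        if "." in ref:  # UTM field: the page allows these in traffic logs only
            utm, name = ref.split(".", 1)
            ok = category == "traffic" and name in UTM_FIELDS.get(utm, ())
        else:
            ok = ref in KNOWN_FIELDS.get(category, ())
        if not ok:
            return "invalid log field name: %s" % ref
    return None


def render_default(record, exclusion=()):
    """Default key=value output with the exclusion list applied; absent fields are skipped."""
    return " ".join("%s=%s" % (k, v) for k, v in record["fields"].items()
                    if v is not None and k not in exclusion)


def render(custom_format, record):
    """Apply one custom-format to one record. None means the log is not sent at all."""
    empty = custom_format.get("empty-value-indicator", "")
    templates = custom_format.get("log-templates", [])
    if not templates:  # Example 1: no template, so only the exclusion list applies
        return render_default(record, set(custom_format.get("field-exclusion-list", ())))
    category = record["fields"]["type"].strip('"')
    subtype = record["fields"]["subtype"].strip('"')
    for tpl in templates:
        if tpl["category"] != category or subtype not in tpl["subtypes"]:
            continue
        error = check_template(category, tpl["template"])
        if error:
            raise ValueError(error)

        def substitute(match):
            ref = match.group(1)
            if ref == WILDCARD:  # Example 4: the template overrides the exclusion list
                return render_default(record)
            if "." in ref:
                utm, name = ref.split(".", 1)
                value = record["utm"].get(utm, {}).get(name)
            else:
                value = record["fields"].get(ref)
            return empty if value is None else value
        return _FIELD_REF.sub(substitute, tpl["template"])
    return None  # Example 2: only the templated category/subtype is sent


# Constructed records; tokens copied from the page's sample output, shortened.
TRAFFIC_RECORD = {
    "fields": {"date": "2026-02-03", "time": "09:27:45", "devname": "FGT-B-LOG",
               "devid": "FG201FT920901892", "eventtime": "1770139665020444596",
               "tz": '"-0800"', "logid": '"0000000013"', "type": '"traffic"',
               "subtype": '"forward"', "level": '"notice"', "vd": '"vdom1"',
               "srcip": "10.1.100.22", "dstip": "172.16.200.55", "action": '"close"',
               "utmaction": '"block"', "statuscode": None},
    "utm": {"virus": {"url": '"http://172.16.200.55/virus/eicar.com"', "virus": '"EICAR_TEST_FILE"',
                      "agent": '"curl/7.68.0"', "profile": '"av-test"'}},
}
EVENT_RECORD = {"utm": {}, "fields": {
    "type": '"event"', "subtype": '"system"', "level": '"alert"', "vd": '"vdom1"',
    "msg": '"Administrator admin login failed from https(10.6.30.254) because of invalid password"',
    "status": '"failed"', "profile": None}}

# The page's custom-format objects as dicts.
EXAMPLE1 = {"empty-value-indicator": "%", "field-exclusion-list": ["date", "eventtime", "time", "tz"]}
EXAMPLE2 = {"empty-value-indicator": "%", "log-templates": [{"category": "event", "subtypes": ["system"],
    "template": "eve_type=$(subtype) eve_msg=$(msg) eve_vdom=$(vd) eve_level=$(level) "
                "eve_status=$(status) eve_profile=$(profile)"}]}
EXAMPLE3 = {"empty-value-indicator": " ", "log-templates": [{"category": "traffic", "subtypes": ["forward"],
    "template": "type=$(type) subtype=$(subtype) http_status_code=$(statuscode) url=$(virus.url) "
                "virus=$(virus.virus) agent=$(virus.agent) profile=$(virus.profile)"}]}
EXAMPLE4 = {"empty-value-indicator": "%", "field-exclusion-list": ["date", "eventtime", "time", "tz"],
    "log-templates": [{"category": "traffic", "subtypes": ["forward"], "template":
    "url=$(virus.url) virus=$(virus.virus) http_status_code=$(statuscode) $(*) agent=$(virus.agent) profile=$(virus.profile)"}]}

if __name__ == "__main__":
    for name, fmt in [("Example 1", EXAMPLE1), ("Example 2", EXAMPLE2), ("Example 3", EXAMPLE3), ("Example 4", EXAMPLE4)]:
        print(name, "traffic ->", render(fmt, TRAFFIC_RECORD))
        print(name, "event   ->", render(fmt, EVENT_RECORD))
```

Run against the constructed records, the Example 2 and Example 3 formats reproduce the page's output lines exactly, the Example 2 format drops the traffic record entirely, and the Example 4 format emits the excluded date/time/eventtime/tz fields inside the $(*) content. The check_template function also surfaces the two rejection cases the page mentions (an unknown or non-traffic UTM field, and a second $(*)) before any config is pushed.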
