Administration Guide

Viewing log messages

The Log submenu displays locally stored log files. If you configured the FortiMail unit to store log messages locally (that is, to the hard disk), you can view the log messages currently stored in each log file.

Note

Logs stored remotely cannot be viewed from the web UI of the FortiMail unit. If you require the ability to view logs from the web UI, also enable local storage. For details, see Configuring logging to the hard disk.

The Log submenu includes the following tabs, one for each log type:

  • History: Where you can view the log of sent and undelivered SMTP email messages.
  • System Event: Where you can view the log of administrator activities and system events.
  • Mail Event: Where you can view the log of normal email delivery activities.
  • AntiVirus: Where you can view the log of email detected as infected by a virus.
  • AntiSpam: Where you can view the log of email detected as spam.
  • Encryption: Where you can view the log of IBE encryption. For more information about using IBE, see Configuring IBE encryption.

For more information on log types, see FortiMail log types.

Each tab contains a similar display.

The lists are sorted by the time range of the log messages contained in the log file, with the most recent log files appearing near the top of the list.

For example, the current log file would appear at the top of the list, above a rolled log file whose time might range from 2008-05-08 11:59:36 Thu to 2008-05-29 10:44:02 Thu.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to the Others category

For details, see About administrator account permissions and domains.

To view the list of log files and their contents
  1. Go to Monitor > Log.
  2. Click the tab corresponding to the type of log file that you want to view (History, System Event, Mail Event, AntiVirus, AntiSpam, or Encryption).
  3. The tab lists the log files of the selected type. It contains the following GUI items:

    • Download (button): Click to download the log file in one of several formats:
      • Normal Format: a plain text log file that can be viewed with a text editor such as Microsoft Notepad.
      • CSV Format: a comma-separated value (.csv) file that can be viewed in a spreadsheet application such as Microsoft Excel or OpenOffice Calc.
      • Compressed Format: a plain text log file like Normal Format, except that it is compressed and stored within a .gz archive.
    • Search (button): Click to search all log files of this type. Unlike the search when viewing the contents of an individual log file, this search displays results regardless of which log file contains them. For more information, see Searching log messages.
    • Start Time: The beginning of the log file’s time range.
    • End Time: The end of the log file’s time range.
    • Size: The size of the log file in bytes.
  4. To view the messages contained in a log file, do one of the following:
    • Double-click a log file to display its log messages.
    • Click a row to select its log file, click Download, then select a format option.

Note

To view the current page’s worth of log messages as an HTML table, right-click and select Export to Table. The table appears in a new tab. To download the table, click and drag to select the whole table, then copy and paste it into a rich text editor such as Microsoft Word or OpenOffice Writer.

Alternatively, to display a set of log messages that may reside in multiple, separate log files:

  • If the log files are of the same type (for example, all antispam logs), click Search. For details, see Searching log messages.
  • If the log messages are of different types but all caused by the same email session ID, you can do a cross-search to find and display all correlating log messages. For details, see Cross-searching log messages.

Log messages can appear in either raw or formatted views.

  • Raw view displays log messages exactly as they appear in the plain text log file.
  • Formatted view displays log messages in a columnar format. Each log field in a log message appears in its own column, aligned with the same field in other log messages, for rapid visual comparison. When displaying log messages in formatted view, you can customize the log view by hiding, displaying and arranging columns and/or by filtering columns, refining your view to include only those log messages and fields that you want to see.

By default, log messages always appear in columnar format, with one log field per column. However, when viewing this columnar display, you can also view the log message in raw format by hovering your mouse over the index number of the log message, in the # column.

When hovering your mouse cursor over a log message, that row is temporarily highlighted; however, this temporary highlight automatically follows the cursor, and will move to a different row if you move your mouse. To create a row highlight that does not move when you move your mouse, click anywhere in the row of the log message.

Displaying and arranging log columns

When viewing logs in Formatted view, you can display, hide, sort and re-order columns.

For most columns, you can also filter data within the columns to include or exclude log messages which contain your specified text in that column. For more information, see Searching log messages.

By default, each page’s worth of log messages is listed with the log message with the lowest index number towards the top.

To sort the page’s entries in ascending or descending order
  1. Click the column heading by which you want to sort.
  2. The log messages are sorted in ascending order.

  3. To sort in descending order, click the column heading again.
  4. Depending on your currently selected theme:

  • the column heading may darken in color to indicate which column is being used to sort the page
  • a small upwards- or downwards-pointing arrow may appear in the column heading next to its name to indicate the current sort order.

To display or hide columns
  1. Go to Monitor > Log.
  2. Click one of the log type tabs: History, System Event, Mail Event, AntiVirus, AntiSpam, or Encryption.
  3. Click Configure View > Show/Hide Columns.
  4. Turn on/off the columns.
  5. Click OK.
To change the order of the columns
  1. Go to Monitor > Log.
  2. Click a log type tab, such as History.
  3. Double-click the row corresponding to the time period whose log messages you want to view.
  4. For each column whose order you want to change, click and drag its column heading to the left or right.
  5. While dragging the column heading within the heading row, two arrows follow the column, jumping to the nearest border between columns, indicating where the column will be inserted if you release the mouse button at that time.

  6. Click Configure View > Save View.

Using the right-click pop-up menus

When you right-click on a log message, a context menu appears.

Log report right-click menu options

  • View Details: Select to view the log message in a pop-up window.
  • Select All: Select to select all log messages on the current page, so that you can export all of them to a table.
  • Clear Selection: Select to deselect one or more log messages.
  • Export to Table: Select to export the selected log messages to a table format. A new tab named Exported Table appears, displaying the exported information. The table format allows you to copy the information and paste it elsewhere.
  • Cross Search (Session): Select to search for the log messages triggered by the same SMTP session. This may return multiple email messages if multiple messages were sent in the same SMTP session. For details, see Cross-searching log messages.
  • Cross Search (Message): Select to search for the log messages triggered by the same email message. For details, see Cross-searching log messages.
  • View Quarantined Message: When viewing quarantine logs on the History tab, select to view the quarantined email message. For details about quarantined email, see Managing the quarantines.
  • Release Quarantined Message: When viewing quarantine logs on the History tab, select one or more log entries of “Quarantine to Review” or “Quarantine” messages, then from the right-click pop-up menu, select Release Quarantined Message to release the selected message or messages. For details about quarantined email, see Managing the quarantines.
  • Release Log Search: When viewing quarantine logs on the History tab, select one or more log entries of “System Quarantine” messages, then from the right-click pop-up menu, select Release Log Search to release the selected message or messages. A message confirms that the quarantined message was released, along with all logs related to the email being quarantined.

Searching log messages

You can search logs to quickly find specific log messages in a log file, rather than browsing the entire contents of the log file.

The search options that appear vary by log type.

Note

Some email processing such as mail routing and subject-line tagging modifies the recipient email address, the sender email address, and/or the subject line of an email message. If you search for log messages by these attributes, enter your search criteria using text exactly as it appears in the log messages, not in the email message. For example, you might send an email message from sender@example.com; however, if you have configured mail routing on the FortiMail unit or other network devices, this address, at the time it was logged by the FortiMail unit, may have been sender-1@example.com. In that case, you would search for sender-1@example.com instead of sender@example.com.

To search log messages
  1. Go to Monitor > Log.
  2. Click one of the log type tabs: History, System Event, Mail Event, AntiVirus, AntiSpam, or Encryption.
  3. To search all log files of that type, click Search.
  4. To search one of the log files, first double-click the name of a log file to display the contents of the log file, then click Search.

  5. Enter your search criteria by configuring one or more of the following:

    • Keyword: Enter any word or words to search for within the log messages. For example, you might enter starting daemon to locate all log messages containing that exact phrase in any log field.
    • Message: Enter all or part of the message log field. This option does not appear for history log searches.
    • Subject: Enter all or part of the subject line of the email message as it appears in the log message. This option appears only for history log searches.
    • From: Enter all or part of the sender’s email address as it appears in the log message. This option does not appear for event log searches.
    • To: Enter all or part of the recipient’s email address as it appears in the log message. This option does not appear for event log searches.
    • Session ID: Enter all or part of the session ID in the log message.
    • Log ID: Enter all or part of the log ID in the log message.
    • Client name (history log search only): Enter all or part of the domain name or IP address of the SMTP client. For email users connecting to send email, this is usually an IP address rather than a domain name. For SMTP servers connecting to deliver mail, this is often a domain name.
    • Classifier: Enter the classifier in the log message. The classifier field shows which FortiMail scanner applied to the email message. For example, Banned Word means the email message was detected by FortiMail banned word scanning. For information about classifiers, see Classifiers and dispositions in history logs.
    • Disposition: Enter the disposition in the log message. The disposition field specifies the action taken by the FortiMail unit. For information about dispositions, see Classifiers and dispositions in history logs.
    • Match condition: Select Contain to search for the exact text you entered, or Wildcard to allow wildcards in the entered search criteria.
    • Time: Select the time span of log messages to include in the search results. For example, you might want to search only log messages that were recorded during the 10 days and 8 hours before the current date. In that case, you would specify the current date, and also specify the size of the span of time (10 days and 8 hours) before that date.

  6. Click Apply.

The FortiMail unit searches your currently selected log file for log messages that match your search criteria, and displays any matching log messages. For example, if you are currently viewing a history log file, the search locates all matching log messages located in that specific history log file.

Cross-searching log messages

Since different types of log files record different events and activities, the same SMTP session (with one or more email messages sent during the session) or the same email message may be logged in different types of log files. For example, if the FortiMail unit detects a virus in an email message, this event is logged in the following types of log files:

  • History log: because the history log records the metadata of all sent and undelivered email messages.
  • AntiVirus log: because a virus is detected. The antivirus log has more descriptions of the virus than the history log does.
  • Event log: because the FortiMail system’s antivirus process has been started and stopped.

To find and display all log messages triggered by the same SMTP session or the same email message, you can use the cross-search feature.

Note

The cross-search only examines log entries recorded within five minutes before and after the selected log entry (this design is for performance reasons). Therefore, the search may cover multiple log files, but it may not find all related log messages if some of them were recorded outside that ten-minute interval.

To do a cross-search of the log messages
  1. Go to Monitor > Log.
  2. When viewing a log message on the History, System Event, Mail Event, AntiVirus, or AntiSpam tab, right-click the log message that has a message ID. From the pop-up menu, select:
  • Cross Search (Session) to search for the log messages triggered by the same SMTP session. This may result in multiple email messages if multiple messages were sent in the same SMTP session.
  • Cross Search (Message) to search for the log messages triggered by the same email message.

You can also click the session ID of the log message to search for the log messages triggered by the same SMTP session. This is equivalent to the Cross Search (Session) pop-up menu option.

All correlating history, event, antivirus and antispam log messages will appear in a new tab.

Note

When the search is conducted within 60 minutes of the log entry, it is recommended to conduct the cross search via SMTP session ID.

If the related log messages are not in the same log file but in rotated log files, and are also not within the 60-minute time frame, the cross search will not retrieve all of them.

If this occurs, it is recommended to conduct a search in the antispam logs instead.
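The following Python script is an added example, not FortiMail's own code, that models the two search behaviours this page describes: the search form's Contain and Wildcard match conditions (plus the Keyword box), and a session cross-search that, like the note above, only collects entries within five minutes of the selected log entry. The key=value layout of the sample lines and the field names are constructed assumptions, since the page does not show the raw log format.

```python
import re
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Constructed sample log lines. The key=value layout is an ASSUMPTION for this
# example; the real raw format is not shown on the page. Each entry is tagged
# with the log type (tab) it would belong to.
SAMPLE_LOGS = [
    ("history",   'date=2008-05-08 time=11:59:40 session_id="s2AbC123" '
                  'from="sender-1@example.com" to="user@example.net" '
                  'subject="invoice" classifier="Virus" disposition="Quarantine"'),
    ("antivirus", 'date=2008-05-08 time=11:59:41 session_id="s2AbC123" '
                  'msg="virus detected in attachment, message quarantined"'),
    ("event",     'date=2008-05-08 time=11:59:39 session_id="s2AbC123" '
                  'msg="antivirus process started"'),
    # Same session, but logged 30 minutes later: outside the +/-5 minute window.
    ("event",     'date=2008-05-08 time=12:30:02 session_id="s2AbC123" '
                  'msg="antivirus process stopped"'),
    ("history",   'date=2008-05-08 time=11:59:50 session_id="s2XyZ999" '
                  'from="other@example.org" to="user@example.net" subject="hello"'),
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def timestamp(record):
    """Combine the date and time fields of a parsed record into a datetime."""
    return datetime.strptime(record["date"] + " " + record["time"],
                             "%Y-%m-%d %H:%M:%S")


def field_matches(value, criterion, condition):
    """Apply the search form's Match condition.
    contain:  the entered text must appear verbatim (case-insensitive) in the field.
    wildcard: the entered text is a glob pattern matched against the whole field."""
    if condition == "contain":
        return criterion.lower() in value.lower()
    if condition == "wildcard":
        return fnmatchcase(value.lower(), criterion.lower())
    raise ValueError("unknown match condition: " + condition)


def search(logs, criteria, condition="contain"):
    """Return (log_type, record) pairs whose fields satisfy every criterion.
    The key "keyword" is matched against the whole raw line, like the Keyword
    box; any other key names a log field. A record lacking that field never
    matches, so a From search returns nothing from event logs."""
    hits = []
    for log_type, line in logs:
        record = parse_line(line)
        matched = True
        for field, text in criteria.items():
            haystack = line if field == "keyword" else record.get(field, "")
            if not field_matches(haystack, text, condition):
                matched = False
                break
        if matched:
            hits.append((log_type, record))
    return hits


def cross_search_session(logs, anchor_line, window=timedelta(minutes=5)):
    """Collect every record, of any log type, that shares the anchor's session_id
    and was logged within +/-window of the anchor. The five-minute default models
    the limitation in the cross-search note: later related entries are missed."""
    anchor = parse_line(anchor_line)
    session_id = anchor["session_id"]
    anchor_time = timestamp(anchor)
    related = []
    for log_type, line in logs:
        record = parse_line(line)
        if record.get("session_id") != session_id:
            continue
        if abs(timestamp(record) - anchor_time) <= window:
            related.append((log_type, record))
    related.sort(key=lambda item: timestamp(item[1]))
    return related


if __name__ == "__main__":
    # Search with the address as it was logged (see the note on mail routing).
    for log_type, rec in search(SAMPLE_LOGS, {"from": "sender-1@example.com"}):
        print(log_type, rec["subject"])
    # Cross-search from the history entry: only entries within five minutes appear.
    for log_type, rec in cross_search_session(SAMPLE_LOGS, SAMPLE_LOGS[0][1]):
        print(log_type, rec["time"], rec.get("msg", rec.get("subject")))
```

Widening the window (for example to an hour) also pulls in the later event entry, which is what the 60-minute note above warns you cannot rely on once the logs have been rotated.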
