Fortinet Document Library

Log Reference

Log types

FortiMail logs record per recipient, presenting log information in a very different way than most other logs do. By recording logs per recipient, log information is presented in layers, which means that one log file type contains the what and another log file type contains the why. For example, a log message in the history log contains an email message that the FortiMail unit flagged as spam (the what) and the antispam log contains why the FortiMail unit flagged the email message as spam (the why).

FortiMail logs are divided into the following types:

Log Type               Default File Name  Description
History (statistics)   alog               Records all email traffic going through the FortiMail unit.
System Event (kevent)  klog               Records system management activities, including changes to the system configuration as well as administrator and user logins and logouts.
Mail Event (event)     elog               Records mail activities.
Antispam (spam)        slog               Records spam detection events.
Antivirus (virus)      vlog               Records virus detection events.
Encryption (encrypt)   nlog               Records IBE-related events.

Email-related logs carry a session identification (ID) number in the session_id field of the log message. The same session ID appears in every log type that recorded the message, so the administrator can gather all the information about an event or activity on the network from the different log types.

History/statistics logs

History logs are used to quickly determine the disposition of a message: they describe what action the FortiMail unit took. Administrators use the history logs to quickly determine the status of a message for a specific recipient, then either right-click that log message and select Cross Search, or click the Session ID link (see Log message cross search). All correlating history, event, antivirus and antispam log messages appear in a new tab, where you can find out why that particular action was taken.

In the following log messages, the disposition and classifier fields of the history log show what action was taken; the msg field of the antispam log, reached through the session ID, shows why the action was taken.

date=2012-07-16 time=12:22:56 device_id=FE100C3909600504 log_id=0200001075 type=statistics pri=information session_id="q6GJMuPu003642-q6GJMuPv003642" client_name="[172.20.140.94]" dst_ip="172.20.140.92" endpoint="" from="user@external.lab" to="user5@external.lab" subject="" mailer="mta" resolved="OK" direction="in" virus="" disposition="Reject" classifier="Recipient Verification" message_length="188"

From the disposition, “Reject”, we know that the FortiMail unit rejected the email message. We then do a session ID cross search to find it within the antispam logs, as in the following:

date=2012-07-16 time=12:22:56 device_id=FE100C3909600504 log_id=0300001075 type=spam pri=information session_id="q6GJMuPu003642-q6GJMuPv003642" client_name="[172.20.140.94]" dst_ip="172.20.140.92" endpoint="" from="user@external.lab" to="user5@external.lab" subject="" msg="<user5@external.lab>... User unknown"

The antispam log message shows why the FortiMail unit rejected the message: it failed recipient verification (User unknown), as stated in the msg field.
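The same cross search can be reproduced offline against exported log text. The following Python is an added example and is not FortiMail product code or part of the Fortinet documentation: it parses FortiMail key=value log lines (quoted values may contain spaces, angle brackets and parentheses), joins history, antispam and antivirus records on session_id, and reports the what and the why together. The first two sample lines are the log messages above; the third is the kevent line quoted in the System event logs section and shows that a record without a session_id never joins a cross search; the fourth line, for a second session, is constructed here and its disposition and classifier values are assumptions, not taken from the page.

```python
"""Cross-search FortiMail logs by session_id: join the 'what' to the 'why'.

Added example; not FortiMail product code. Runs offline on exported log text.
"""
import re
from collections import defaultdict

# One key=value pair. Values are either double-quoted (and may then contain
# spaces, '=', '<', '>' or parentheses) or a bare token with no whitespace.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# kevent lines start with a bare timestamp instead of date=/time= fields.
_TS_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+')

SAMPLE_LOGS = [
    # History (statistics) and antispam lines quoted from the page.
    'date=2012-07-16 time=12:22:56 device_id=FE100C3909600504 log_id=0200001075 type=statistics pri=information session_id="q6GJMuPu003642-q6GJMuPv003642" client_name="[172.20.140.94]" dst_ip="172.20.140.92" endpoint="" from="user@external.lab" to="user5@external.lab" subject="" mailer="mta" resolved="OK" direction="in" virus="" disposition="Reject" classifier="Recipient Verification" message_length="188"',
    'date=2012-07-16 time=12:22:56 device_id=FE100C3909600504 log_id=0300001075 type=spam pri=information session_id="q6GJMuPu003642-q6GJMuPv003642" client_name="[172.20.140.94]" dst_ip="172.20.140.92" endpoint="" from="user@external.lab" to="user5@external.lab" subject="" msg="<user5@external.lab>... User unknown"',
    # kevent line quoted from the page: it carries no session_id.
    '2020-05-22 00:04:28.565 log_id=0704025033 type=kevent subtype=update pri=information msg="Loaded avdb 77.01588(05/21/0020 22:38) using av engine 6.147."',
    # Constructed line for an unrelated session (disposition/classifier values
    # are assumptions); it must be filtered out by the join.
    'date=2012-07-16 time=12:23:10 device_id=FE100C3909600504 log_id=0200001075 type=statistics pri=information session_id="q6GJNAbC003650-q6GJNAbD003650" from="other@external.lab" to="user1@external.lab" subject="hello" mailer="mta" resolved="OK" direction="in" virus="" disposition="Accept" classifier="Not Spam" message_length="512"',
]


def parse_line(line):
    """Return the fields of one FortiMail log line as a dict of strings.

    A leading bare timestamp (kevent style) is stored under 'timestamp'.
    Quoted values are unquoted; an empty quoted value becomes ''.
    """
    fields = {}
    m = _TS_RE.match(line)
    if m:
        fields['timestamp'] = m.group(1)
        line = line[m.end():]
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def cross_search(lines, session_id):
    """Return every record carrying session_id, grouped by its type field.

    Records without a session_id (kevent lines) can never match, which is
    why kevent logs do not join the history log the way spam/virus logs do.
    """
    by_type = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec.get('session_id') == session_id:
            by_type[rec.get('type', 'unknown')].append(rec)
    return dict(by_type)


def explain_disposition(lines, session_id):
    """Pair the history (statistics) record with the spam/virus reasons.

    Returns None when no history record exists for the session.
    """
    hits = cross_search(lines, session_id)
    history = hits.get('statistics')
    if not history:
        return None
    what = history[0]
    reasons = [rec['msg'] for log_type in ('spam', 'virus')
               for rec in hits.get(log_type, []) if 'msg' in rec]
    return {
        'recipient': what.get('to'),
        'disposition': what.get('disposition'),
        'classifier': what.get('classifier'),
        'reasons': reasons,
    }


if __name__ == '__main__':
    print(explain_disposition(SAMPLE_LOGS, 'q6GJMuPu003642-q6GJMuPv003642'))
```

Running the script prints the rejection together with its recipient-verification reason, exactly the pairing an administrator obtains from the Cross Search tab. Searching for a session ID that only appears in antispam or antivirus logs, or that does not exist, returns None, so callers must treat a missing history record as "disposition unknown" rather than as an accepted message.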

System event logs

Kevent logs contain log messages that concern network or system activities and events, such as firmware upgrades, antivirus database updates, or password changes. This log type shows what is occurring at the system level, including the protocol and TCP level, rather than for an individual email message. For example:

2020-05-22 00:04:28.565 log_id=0704025033 type=kevent subtype=update pri=information msg="Loaded avdb 77.01588(05/21/0020 22:38) using av engine 6.147."

The kevent log does not have the same relationship with the history log as the antispam or antivirus log does. Because a kevent message is not necessarily tied to a mail session, it may carry no session ID, so the kevent log is not usually the place to look for the reason behind a message disposition. Kevent log messages are also usually self-explanatory: they give both the what and the why within the message itself.

Mail event logs

Event logs contain all the SMTP, POP3, IMAP, and webmail activities.

This log type records the metadata of the email messages handled by the FortiMail unit.

Antispam logs

Antispam logs provide information pertaining to email messages that are classified as Spam or Ham messages. The antispam logs describe why they were classified, as was shown in the example in History/statistics logs.

Antispam log messages describe spam URIs, blacklisted or whitelisted IP addresses, or other techniques the FortiMail unit used to classify the message. Antispam log messages may also describe message processing errors, such as email from a specific sender that could not be handled.

Antivirus logs

Antivirus logs provide information pertaining to email messages that are classified as virus or suspicious messages. These log messages describe what virus is contained in the email message or in a file attached to the email message.

Administrators use antivirus logs to determine why an attachment was stripped from a message after a recipient reports that the attachment never arrived. Administrators may also use this log type to confirm why the history log records a virus detection.

The session ID is not usually used to look up an antivirus log message; instead, the time in the log message's time field is used, together with the log search function.

Encryption logs

Encryption logs provide information pertaining to IBE email encryption and decryption.

IBE is a type of public-key encryption. IBE uses identities (such as email addresses) to calculate encryption keys that can be used for encrypting and decrypting electronic messages. Compared with traditional public-key cryptography, IBE greatly simplifies the encryption process for both users and administrators. Another advantage is that a message recipient does not need any certificate or key pre-enrollment or specialized software to access the email.