log setting remote

Use this command to configure remote log message storage, either on a Syslog server or FortiAnalyzer unit.

Syntax

config log setting remote
    edit <log-destination_index>
        set certificate <certificate>
        set comma-separated-value {enable | disable}
        set encryption-log-status {enable | disable}
        set event-log-category {admin configuration ha | imap pop3 smtp system update webmail}
        set event-log-status {enable | disable}
        set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kern | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp}
        set history-log-status {enable | disable}
        set loglevel {alert | critical | debug | emergency | error | information | notification | warning}
        set matched-session-status {enable | disable}
        set port <port_int>
        set protocol {syslog | cftps}
        set server <log_ipv4>
        set spam-log-status {enable | disable}
        set status {enable | disable}
        set sysevent-log-category {admin | configuration | dns | ha | system | update}
        set sysevent-log-status {enable | disable}
        set syslog-mode {tcp | tcp-tls | udp}
        set virus-log-status {enable | disable}
end

Variables, with description and default value

<log-destination_index>

Type an index number to identify which remote Syslog server or FortiAnalyzer unit you are configuring.

certificate <certificate>

The certificate used by the Syslog-TLS connection to encrypt the log before delivery to the remote Syslog server.

This option is only available when syslog-mode is set to tcp-tls.

comma-separated-value {enable | disable}

Enable if you want to send log messages in comma-separated value (CSV) format.

Note: Do not enable this option if the log destination is a FortiAnalyzer unit. FortiAnalyzer units do not support CSV format logs.

Default: disable

encryption-log-status {enable | disable}

Enable or disable IBE event logging to a remote Syslog server or FortiAnalyzer unit.

Default: disable

event-log-category {admin configuration ha | imap pop3 smtp system update webmail}

Type all of the log types and subtypes that you want to record to this storage location. Separate each type with a space.

  • admin: Log all administrative events, such as logins, resets, and configuration updates.
  • configuration: Enable to log configuration changes.
  • ha: Log all high availability (HA) activity.
  • imap: Log all IMAP events.
  • pop3: Log all POP3 events.
  • smtp: Log all SMTP relay or proxy events.
  • system: Log all system-related events, such as rebooting the FortiMail unit.
  • update: Log both successful and unsuccessful attempts to download FortiGuard updates.
  • webmail: Log all FortiMail webmail events.

event-log-status {enable | disable}

Enable or disable event logging to a remote Syslog server or FortiAnalyzer unit.

Default: disable

facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kern | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp}

Type the facility identifier that the FortiMail unit will use to identify itself when sending log messages to the first Syslog server.

To easily identify log messages from the FortiWeb unit when they are stored on the Syslog server, enter a unique facility identifier, and verify that no other network devices use the same facility identifier.

Default: kern

history-log-status {enable | disable}

Enable to log both successful and unsuccessful attempts by the built-in MTA or proxies to deliver email.

Default: disable

loglevel {alert | critical | debug | emergency | error | information | notification | warning}

Type one of the following severity levels:

  • emergency
  • alert
  • critical
  • error
  • warning
  • notification
  • information
  • debug

This log destination will receive log messages greater than or equal to this severity level.

Default: information

matched-session-status {enable | disable}

Enable to log only matched sessions.

Default: disable

port <port_int>

If the remote host is a FortiAnalyzer unit, type 514. If the remote host is a Syslog server, type the UDP port number on which the Syslog server listens for connections.

Default: 514

protocol {syslog | cftps}

Enter the protocol used for remote logging.

Default: syslog

server <log_ipv4>

Type the IP address of the Syslog server or FortiAnalyzer unit.

spam-log-status {enable | disable}

Enable to log all antispam events.

Default: disable

status {enable | disable}

Enable to send log messages to a remote Syslog server or FortiAnalyzer unit.

Default: disable

sysevent-log-category {admin | configuration | dns | ha | system | update}

Enter the system event log category to log.

sysevent-log-status {enable | disable}

Enable to log system events.

Default: disable

syslog-mode {tcp | tcp-tls | udp}

Enter the protocol used for delivering the log to the remote Syslog server.

Default: udp

virus-log-status {enable | disable}

Enable to log all antivirus events.

Default: disable
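
The defaults above leave remote logging off, on UDP, with every log type disabled. The following added example (not Fortinet code) parses a `config log setting remote` block, fills in those defaults, and reports what each destination leaves unprotected or unforwarded. The sample configuration, its addresses and the certificate name are constructed, and treating tcp-tls without a certificate as a finding is an assumption.

```python
LOG_TYPES = ["event", "history", "spam", "virus", "encryption", "sysevent"]
# Defaults copied from the reference entries above.
DEFAULTS = {"status": "disable", "syslog-mode": "udp", "protocol": "syslog"}
DEFAULTS.update({f"{t}-log-status": "disable" for t in LOG_TYPES})

# Constructed sample: addresses and the certificate name are placeholders.
SAMPLE = """config log setting remote
edit 1
set status enable
set server 192.0.2.10
set event-log-status enable
next
edit 2
set status enable
set server 192.0.2.20
set syslog-mode tcp-tls
set certificate example-cert
set event-log-status enable
set history-log-status enable
set spam-log-status enable
set virus-log-status enable
set encryption-log-status enable
set sysevent-log-status enable
next
end"""

def parse_remote(text):
    """Return {index: settings} per `edit` entry, unset options at defaults."""
    entries, current = {}, None
    for words in (line.split() for line in text.splitlines()):
        if len(words) >= 2 and words[0] == "edit":
            current = entries.setdefault(words[1], dict(DEFAULTS))
        elif len(words) >= 3 and words[0] == "set" and current is not None:
            current[words[1]] = " ".join(words[2:])
    return entries

def audit(s):
    """List weaknesses in one destination's effective settings."""
    out = []
    if s["status"] != "enable":
        out.append("status disable: nothing is sent to this destination")
    if s["protocol"] == "syslog":
        tls = s["syslog-mode"] == "tcp-tls"
        if not tls:
            out.append(f"syslog-mode {s['syslog-mode']}: no Syslog-TLS encryption")
        if tls != ("certificate" in s):  # assumption: tcp-tls needs a certificate
            out.append("certificate and syslog-mode tcp-tls should be set together")
    off = [t for t in LOG_TYPES if s[f"{t}-log-status"] != "enable"]
    return out + (["not forwarded: " + ", ".join(off)] if off else [])
```

Calling `audit()` on each value returned by `parse_remote(SAMPLE)` reports two findings for destination 1 and none for destination 2.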

Related topics

log setting local

log alertemail recipient

log alertemail setting
