Fortinet black logo

Administration Guide

About FortiMail logging

About FortiMail logging

FortiMail units can log many different email activities and traffic including:

  • system-related events, such as system restarts and HA activity
  • virus detections
  • spam filtering results
  • POP3, SMTP, IMAP and webmail events

You can select which severity level an activity or event must meet in order to be recorded in the logs. For more information, see Log message severity levels.

A FortiMail unit can save log messages to its hard disk or a remote location, such as a Syslog server or a Fortinet FortiAnalyzer unit. For more information, see Configuring logging. It can also use log messages as the basis for reports. For more information, see Configuring report profiles and generating mail statistic reports.

Accessing FortiMail log messages

There are several ways you can access FortiMail log messages:

  • On the FortiMail web UI, you can view log messages by going to Monitor > Log. From here you can download log messages to your local PC by clicking Export and view them later. For details, see the FortiMail Administration Guide.
  • Go to Log & Report > Log Setting > Remote and add a FortiAnalyzer unit as a remote host in order to send log messages to FortiAnalyzer. You can send log messages to any Syslog server from here.

Log message syntax

All FortiMail log messages are comprised of a log header and a log body.

  • Header — Contains the time and date the log originated, a log identifier, the type of log, the severity level (priority) and where the log message originated.
  • Body — Describes the reason why the log was created, plus any actions that the FortiMail appliance took to respond to it. These fields may vary by log type.
Log message header and body

For example, in the following event log, the bold section is the header and the italic section is the body.

date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 type=kevent subtype=admin pri=information user=admin ui=GUI(172.20.120.26) action=login status=success reason=none msg="User admin login successfully from GUI(172.20.120.26)"

Device ID field

Depending on where you view log messages, log formats may vary slightly. For example, if you view logs on the FortiMail web UI or download them to your local PC, the log messages do not contain the device ID field. If you send the logs to FortiAnalyzer or other Syslog servers, the device ID field will be added.

Policy ID and domain fields

Starting from v5.0 release, two new fields -- policy ID and domain -- have been added to history logs.

The policy ID is in the format of x:y:z, where:

  • x is the ID of the global access control policy.
  • y is the ID of the IP-based policy.
  • z is the ID of the recipient-based policy.

If the value of x, y, and z is 0, it means that no policy is matched.

If the matched recipient-based policy is incoming, the protected domain will be logged in the domain field.

If the matched recipient-based policy is outgoing, the domain field will be empty.

Endpoint field

Starting from 4.0 MR3, a field called endpoint was added to the history and antispam logs. This field displays the endpoint’s subscriber ID, MSISDN, login ID, or other identifiers. This field is empty if the sender IP is not matched to any endpoint identifier or if the endpoint reputation is not enabled in the session profiles.

Log_part field

For FortiMail 3.0 MR3 and up, the log header of some log messages may include an extra field, log_part, which provides numbered identification (such as 00, 01, and 02) when a log message has been split. Log splitting occurs in FortiMail 3.0 MR3 and up because the log message length was reduced.

Hex numbers in history logs

If you view the log messages on the FortiMail web UI or send the logs to a Syslog server, the dispositions and classifiers are displayed in English terms. However, if you download log files from FortiMail web UI to your PC and open them, the dispositions and classifiers are displayed in hex numbers. For explanation of these numbers, see the Classifiers and dispositions in history logs.

See also

FortiMail log types

Configuring logging

Log message severity levels

Viewing log messages

Viewing generated reports

FortiMail log types

FortiMail units can record the following types of log messages. The Event log also contains several subtypes. You can view and download these logs from the Log submenu of the Monitor tab.

Log types

Log Types

Default File Name

Description

History (statistics)

alog

Records all email traffic going through the FortiMail unit.

System Event

(kevent)

klog

Records system management activities, including changes to the system configuration as well as administrator and user log in and log outs.

Mail Event

(event)

elog

Records mail activities.

Antispam

(spam)

slog

Records spam detection events.

Antivirus

(virus)

vlog

Records virus intrusion events.

Encryption

(encrypt)

nlog

Records detection of IBE-related events.

Email related logs contain a session identification (ID) number, which is located in the session ID field of the log message. The session ID corresponds to all the relevant log types so that the administrator can get all the information about the event or activity that occurred on their network.

For more information about these specific log types, see the FortiMail Log Reference.

Caution

Avoid recording highly frequent log types to the local hard disk for an extended period of time. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.

See also

Log message severity levels

Viewing log messages

Configuring logging

About FortiMail logging

Subtypes

FortiMail logs are grouped into categories by log type and subtype as shown in the table below:

Log Type

Subtype

kevent

admin

config

dns

ha

system

update

event

imap

pop3

smtp

webmail

virus

infected

malware-outbreak

file-signature

spam

default

admin

user

statistics

(no subtype)

encrypt

(no subtype)

Log message severity levels

Each log message contains a field that indicates the severity level of the log message, such as pri=warning.

Log severity levels

Levels

(0 is highest)

Name

Description

0

Emergency

The system has become unstable

1

Alert

Immediate action is required.

2

Critical

Functionality is affected.

3

Error

An error condition exists and functionality could be affected.

4

Warning

Functionality could be affected.

5

Notice

Information about normal events.

6

Information

General information about system operation.

For each location where the FortiMail unit can store log files, you can define the severity threshold of the log messages to be stored there.

Caution

Avoid recording log messages using low severity thresholds such as Information or Notification to the local hard disk for an extended period of time. A low log severity threshold is one possible cause of frequent logging. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.

The FortiMail unit stores all log messages equal to or exceeding the severity level you select. For example, if you select Error, the FortiMail unit stores log messages whose severity level is Error, Critical, Alert, or Emergency.

Classifiers and dispositions in history logs

Each history log contains one field called Classifier and another called Disposition.

The Classifier field displays which FortiMail scanner applies to the email message. For example, “Banned Word” means the email messages was detected by the FortiMail banned word scanner. The Disposition field specifies the action taken by the FortiMail unit.

Note

If you view the log messages on the FortiMail web UI or send the logs to a Syslog server, the dispositions and classifiers are displayed in English terms. However, if you download log files from FortiMail web UI to your PC and open them, the dispositions and classifiers are displayed in hex numbers.

The following tables map the hex numbers with English terms.

Classifiers

Hex number

Classifier

Hex Number

Classifier

0x00

Undefined

0x2A

Message Cryptography

0x01

User Safe

0x2B

Delivery Control

0x02

User Discard

0x2C

Encrypted Content

0x03

System Safe

0x2D

SPF Failure as Spam

0x04

System Discard

0x2E

Fragmented Email

0x05

RBL

0x2F

Email Contains Image

0x06

SURBL

0x30

Content Requires Encryption

0x07

FortiGuard AntiSpam

0x31

FortiGuard AntiSpam Block IP

0x08

FortiGuard AntiSpam-Safe

0x32

Session Remote

0x09

Bayesian

0x33

FortiGuard Phishing

0x0A

Heuristic

0x34

AntiVirus

0x0B

Dictionary Scanner

0x35

Sender Address Rate Control

0x0C

Banned Word

0x36

SMTP Auth Failure

0x0D

Deep Header

0x37

Access Control List Reject

0x0E

Forged IP (before v5.2 release)

0x38

Access Control List Discard

0x0F

Quarantine Control

0x39

Access Control List Bypass

0x10

Tagged virus (before v4.3 release)

0x3A

FortiGuard Antispam Webfilter

0x11

Attachment Filter (see note above)

0x3B

Newsletter Suspicious

0x12

Grey List

0x3C

TLS Streaming

0x13

Bypass Scan On Auth

0x3D

Policy Match

0x14

Disclaimer

0x3E

Dynamic Safe List

0x15

Defer Delivery

0x3F

Sender Verification

0x16

Session Domain

0x40

Behavior Analysis

0x17

Session Limits

0x41

FortiGuard Spam Outbreak

0x18

Session Safe

0x42

Newsletter

0x19

Session Block

0x43

DMARC

0x1A

Content Monitor and Filter

0x44

SHA1 Hash

0x1B

Content Monitor as Spam

0x45

Sandbox

0x1C

Attachment as Spam

0x46

Malware Outbreak

0x1D

Image Spam

0x47

DLP Filter

0x1E

Sender Reputation

0x48

DLP Treated as Spam

0x1F

Access Control List Relay Denied

0x49

DLP Requires Encryption

0x20

Safelist Word

0x4A

Access Control List Safe

0x21

Domain Safe

0x4B

Virus Outbreak

0x22

Domain Block

0x4C

FortiGuard Antispam Webfilter

0x23

SPF (not in use)

0x4D

Impersonation Analysis

0x24

Domain Key (not in use)

0x4E

Session Action

0x25

DKIM (not in use)

0x4F

SPF Sender Alignment

0x26

Recipient Verification

0x50

SPF Check

0x27

Bounce Verification

0x51

Sandbox URL

0x28

Endpoint Reputation

0x52

Sandbox No Result

0x29

SSL Profile Check

0x53

Content Modification

Note

When the classifier is “Attachment Filter”, a new field “atype” (attachment type) is also displayed. This field is for debug purpose only.

Dispositions

Hex number

Disposition

Hex Number

Disposition

0x00

Undefined

0x10000

Encrypt

0x01

Accept

0x20000

Decrypt

0x04

Reject

0x40000

Alternate Host

0x08

Add Header

0x80000

BCC

0x10

Modify Subject

0x100000

Archive

0x20

Quarantine

0x200000

Customized repackage

0x40

Insert Disclaimer

0x400000

Repackage

0x80

Block

0x800000

Notification

0x100

Replace

0x1000000

Sign

0x200

Delay

0x2000000

Defer

0x400

Forward

0x4000000

HTML to Text

0x800

Disclaimer Body

0x8000000

Sanitize HTML

0x1000

Disclaimer Header

0x10000000

Remove URLs

0x2000

Defer

0x20000000

Deliver to Original Host

0x4000

Quarantine to Review

0x40000000

Content Reconstruction

0x8000

Treat as Spam

0x80000000

URL Click Protection

Note

The disposition field in a log message may contain one or more dispositions/actions. For example, “accept” and “defer” dispositions may appear in the same message. Defer disposition is added when an email message is deferred for either of the following two reasons: FortiGuard antispam outbreak and FortiSandbox scan.

See also

FortiMail log types

Viewing log messages

Configuring logging

About FortiMail logging

About FortiMail logging

FortiMail units can log many different email activities and traffic including:

  • system-related events, such as system restarts and HA activity
  • virus detections
  • spam filtering results
  • POP3, SMTP, IMAP and webmail events

You can select which severity level an activity or event must meet in order to be recorded in the logs. For more information, see Log message severity levels.

A FortiMail unit can save log messages to its hard disk or a remote location, such as a Syslog server or a Fortinet FortiAnalyzer unit. For more information, see Configuring logging. It can also use log messages as the basis for reports. For more information, see Configuring report profiles and generating mail statistic reports.

Accessing FortiMail log messages

There are several ways you can access FortiMail log messages:

  • On the FortiMail web UI, you can view log messages by going to Monitor > Log. From here you can download log messages to your local PC by clicking Export and view them later. For details, see the FortiMail Administration Guide.
  • Go to Log & Report > Log Setting > Remote and add a FortiAnalyzer unit as a remote host in order to send log messages to FortiAnalyzer. You can send log messages to any Syslog server from here.

Log message syntax

All FortiMail log messages are comprised of a log header and a log body.

  • Header — Contains the time and date the log originated, a log identifier, the type of log, the severity level (priority) and where the log message originated.
  • Body — Describes the reason why the log was created, plus any actions that the FortiMail appliance took to respond to it. These fields may vary by log type.
Log message header and body

For example, in the following event log, the bold section is the header and the italic section is the body.

date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 type=kevent subtype=admin pri=information user=admin ui=GUI(172.20.120.26) action=login status=success reason=none msg="User admin login successfully from GUI(172.20.120.26)"

Device ID field

Depending on where you view log messages, log formats may vary slightly. For example, if you view logs on the FortiMail web UI or download them to your local PC, the log messages do not contain the device ID field. If you send the logs to FortiAnalyzer or other Syslog servers, the device ID field will be added.

Policy ID and domain fields

Starting from v5.0 release, two new fields -- policy ID and domain -- have been added to history logs.

The policy ID is in the format of x:y:z, where:

  • x is the ID of the global access control policy.
  • y is the ID of the IP-based policy.
  • z is the ID of the recipient-based policy.

If the value of x, y, and z is 0, it means that no policy is matched.

If the matched recipient-based policy is incoming, the protected domain will be logged in the domain field.

If the matched recipient-based policy is outgoing, the domain field will be empty.

Endpoint field

Starting from 4.0 MR3, a field called endpoint was added to the history and antispam logs. This field displays the endpoint’s subscriber ID, MSISDN, login ID, or other identifiers. This field is empty if the sender IP is not matched to any endpoint identifier or if the endpoint reputation is not enabled in the session profiles.

Log_part field

For FortiMail 3.0 MR3 and up, the log header of some log messages may include an extra field, log_part, which provides numbered identification (such as 00, 01, and 02) when a log message has been split. Log splitting occurs in FortiMail 3.0 MR3 and up because the log message length was reduced.

Hex numbers in history logs

If you view the log messages on the FortiMail web UI or send the logs to a Syslog server, the dispositions and classifiers are displayed in English terms. However, if you download log files from FortiMail web UI to your PC and open them, the dispositions and classifiers are displayed in hex numbers. For explanation of these numbers, see the Classifiers and dispositions in history logs.

See also

FortiMail log types

Configuring logging

Log message severity levels

Viewing log messages

Viewing generated reports

FortiMail log types

FortiMail units can record the following types of log messages. The Event log also contains several subtypes. You can view and download these logs from the Log submenu of the Monitor tab.

Log types

Log Types

Default File Name

Description

History (statistics)

alog

Records all email traffic going through the FortiMail unit.

System Event

(kevent)

klog

Records system management activities, including changes to the system configuration as well as administrator and user log in and log outs.

Mail Event

(event)

elog

Records mail activities.

Antispam

(spam)

slog

Records spam detection events.

Antivirus

(virus)

vlog

Records virus intrusion events.

Encryption

(encrypt)

nlog

Records detection of IBE-related events.

Email related logs contain a session identification (ID) number, which is located in the session ID field of the log message. The session ID corresponds to all the relevant log types so that the administrator can get all the information about the event or activity that occurred on their network.

For more information about these specific log types, see the FortiMail Log Reference.

Caution

Avoid recording highly frequent log types to the local hard disk for an extended period of time. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.

See also

Log message severity levels

Viewing log messages

Configuring logging

About FortiMail logging

Subtypes

FortiMail logs are grouped into categories by log type and subtype as shown in the table below:

Log Type

Subtype

kevent

admin

config

dns

ha

system

update

event

imap

pop3

smtp

webmail

virus

infected

malware-outbreak

file-signature

spam

default

admin

user

statistics

(no subtype)

encrypt

(no subtype)

Log message severity levels

Each log message contains a field that indicates the severity level of the log message, such as pri=warning.

Log severity levels

Levels

(0 is highest)

Name

Description

0

Emergency

The system has become unstable

1

Alert

Immediate action is required.

2

Critical

Functionality is affected.

3

Error

An error condition exists and functionality could be affected.

4

Warning

Functionality could be affected.

5

Notice

Information about normal events.

6

Information

General information about system operation.

For each location where the FortiMail unit can store log files, you can define the severity threshold of the log messages to be stored there.

Caution

Avoid recording log messages using low severity thresholds such as Information or Notification to the local hard disk for an extended period of time. A low log severity threshold is one possible cause of frequent logging. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.

The FortiMail unit stores all log messages equal to or exceeding the severity level you select. For example, if you select Error, the FortiMail unit stores log messages whose severity level is Error, Critical, Alert, or Emergency.

Classifiers and dispositions in history logs

Each history log contains one field called Classifier and another called Disposition.

The Classifier field displays which FortiMail scanner applies to the email message. For example, “Banned Word” means the email messages was detected by the FortiMail banned word scanner. The Disposition field specifies the action taken by the FortiMail unit.

Note

If you view the log messages on the FortiMail web UI or send the logs to a Syslog server, the dispositions and classifiers are displayed in English terms. However, if you download log files from FortiMail web UI to your PC and open them, the dispositions and classifiers are displayed in hex numbers.

The following tables map the hex numbers with English terms.

Classifiers

Hex number

Classifier

Hex Number

Classifier

0x00

Undefined

0x2A

Message Cryptography

0x01

User Safe

0x2B

Delivery Control

0x02

User Discard

0x2C

Encrypted Content

0x03

System Safe

0x2D

SPF Failure as Spam

0x04

System Discard

0x2E

Fragmented Email

0x05

RBL

0x2F

Email Contains Image

0x06

SURBL

0x30

Content Requires Encryption

0x07

FortiGuard AntiSpam

0x31

FortiGuard AntiSpam Block IP

0x08

FortiGuard AntiSpam-Safe

0x32

Session Remote

0x09

Bayesian

0x33

FortiGuard Phishing

0x0A

Heuristic

0x34

AntiVirus

0x0B

Dictionary Scanner

0x35

Sender Address Rate Control

0x0C

Banned Word

0x36

SMTP Auth Failure

0x0D

Deep Header

0x37

Access Control List Reject

0x0E

Forged IP (before v5.2 release)

0x38

Access Control List Discard

0x0F

Quarantine Control

0x39

Access Control List Bypass

0x10

Tagged virus (before v4.3 release)

0x3A

FortiGuard Antispam Webfilter

0x11

Attachment Filter (see note above)

0x3B

Newsletter Suspicious

0x12

Grey List

0x3C

TLS Streaming

0x13

Bypass Scan On Auth

0x3D

Policy Match

0x14

Disclaimer

0x3E

Dynamic Safe List

0x15

Defer Delivery

0x3F

Sender Verification

0x16

Session Domain

0x40

Behavior Analysis

0x17

Session Limits

0x41

FortiGuard Spam Outbreak

0x18

Session Safe

0x42

Newsletter

0x19

Session Block

0x43

DMARC

0x1A

Content Monitor and Filter

0x44

SHA1 Hash

0x1B

Content Monitor as Spam

0x45

Sandbox

0x1C

Attachment as Spam

0x46

Malware Outbreak

0x1D

Image Spam

0x47

DLP Filter

0x1E

Sender Reputation

0x48

DLP Treated as Spam

0x1F

Access Control List Relay Denied

0x49

DLP Requires Encryption

0x20

Safelist Word

0x4A

Access Control List Safe

0x21

Domain Safe

0x4B

Virus Outbreak

0x22

Domain Block

0x4C

FortiGuard Antispam Webfilter

0x23

SPF (not in use)

0x4D

Impersonation Analysis

0x24

Domain Key (not in use)

0x4E

Session Action

0x25

DKIM (not in use)

0x4F

SPF Sender Alignment

0x26

Recipient Verification

0x50

SPF Check

0x27

Bounce Verification

0x51

Sandbox URL

0x28

Endpoint Reputation

0x52

Sandbox No Result

0x29

SSL Profile Check

0x53

Content Modification

Note

When the classifier is “Attachment Filter”, a new field “atype” (attachment type) is also displayed. This field is for debug purpose only.

Dispositions

Hex number

Disposition

Hex Number

Disposition

0x00

Undefined

0x10000

Encrypt

0x01

Accept

0x20000

Decrypt

0x04

Reject

0x40000

Alternate Host

0x08

Add Header

0x80000

BCC

0x10

Modify Subject

0x100000

Archive

0x20

Quarantine

0x200000

Customized repackage

0x40

Insert Disclaimer

0x400000

Repackage

0x80

Block

0x800000

Notification

0x100

Replace

0x1000000

Sign

0x200

Delay

0x2000000

Defer

0x400

Forward

0x4000000

HTML to Text

0x800

Disclaimer Body

0x8000000

Sanitize HTML

0x1000

Disclaimer Header

0x10000000

Remove URLs

0x2000

Defer

0x20000000

Deliver to Original Host

0x4000

Quarantine to Review

0x40000000

Content Reconstruction

0x8000

Treat as Spam

0x80000000

URL Click Protection

Note

The disposition field in a log message may contain one or more dispositions/actions. For example, “accept” and “defer” dispositions may appear in the same message. Defer disposition is added when an email message is deferred for either of the following two reasons: FortiGuard antispam outbreak and FortiSandbox scan.

See also

FortiMail log types

Viewing log messages

Configuring logging

About FortiMail logging