Log message syntax
All FortiMail log messages are comprised of a log header and a log body.
- Header — Contains the time and date the log originated, a log identifier, the type of log, the severity level (priority) and where the log message originated.
- Body — Describes the reason why the log was created, plus any actions that the FortiMail appliance took to respond to it. These fields may vary by log type.
Log message header and body
For example, in the following event log, the bold section is the header and the italic section is the body.
date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 type=kevent subtype=admin pri=information user=admin ui=GUI(172.20.120.26) action=login status=success reason=none msg="User admin login successfully from GUI(172.20.120.26)"
Device ID field
Depending on where you view log messages, log formats may vary slightly. For example, if you view logs on the FortiMail web UI or download them to your local PC, the log messages do not contain the device ID field. If you send the logs to FortiAnalyzer or other Syslog servers, the device ID field will be added.
Starting from 4.0 MR3, a field called
endpoint was added to the history and antispam logs. This field displays the endpoint’s subscriber ID, MSISDN, login ID, or other identifiers. This field is empty if the sender IP is not matched to any endpoint identifier or if the endpoint reputation is not enabled in the session profiles.
For FortiMail 3.0 MR3 and up, the log header of some log messages may include an extra field,
log_part, which provides numbered identification (such as 00, 01, and 02) when a log message has been split. Log splitting occurs in FortiMail 3.0 MR3 and up because the log message length was reduced.
Hex numbers in history logs
If you view the log messages on the FortiMail web UI or send the logs to a Syslog server, the dispositions and classifiers are displayed in English terms. However, if you download log files from FortiMail web UI to your PC and open them, the dispositions and classifiers are displayed in hex numbers. For explanation of these numbers, see the Log message dispositions and classifiers.