Viewing log messages
The Log submenu displays locally stored log files. If you configured the FortiMail unit to store log messages locally (that is, to the hard disk), you can view the log messages currently stored in each log file.
Logs stored remotely cannot be viewed from the web UI of the FortiMail unit. If you require the ability to view logs from the web UI, also enable local storage. For details, see Configuring logging to the hard disk. |
The Log submenu includes the following tabs, one for each log type:
- History: Where you can view the log of sent and undelivered SMTP email messages.
- System Event: Where you can view the log of administrator activities and system events.
- Mail Event: Where you can view the log of normal email delivery activities.
- AntiVirus: Where you can view the log of email detected as infected by a virus.
- AntiSpam: Where you can view the log of email detected as spam.
- Encryption: Where you can view the log of IBE encryption. For more information about using IBE, see Configuring IBE encryption.
- Log Search Task: Where you can view the log results of advanced searches. For more information, see To conduct advanced log search tasks.
For more information on log types, see FortiMail log types.
Each tab contains a similar display.
The lists are sorted by the time range of the log messages contained in the log file, with the most recent log files appearing near the top of the list.
For example, the current log file would appear at the top of the list, above a rolled log file whose time might range from 2008-05-08 11:59:36 Thu
to 2008-05-29 10:44:02 Thu
.
To view the list of log files and their contents
- Go to Monitor > Log.
- Click the tab corresponding to the type of log file that you want to view (History, System Event, Mail Event, AntiVirus, AntiSpam, or Encryption).
- To view messages contained in logs:
GUI item |
Description |
Download (button) |
Click to download the report in one of several formats: Normal Format for a log file that can be viewed with a plain text editor such as Microsoft Notepad. CSV Format for a comma-separated value (.csv) file that can be viewed in a spreadsheet application such as Microsoft Excel or OpenOffice Calc. Compressed Format for a plain text log file like Normal Format, except that it is compressed and stored within a .gz archive. |
Search (button) |
Click to search all log files of this type during a specified time range, match conditions, and keywords. Alternatively, click Advanced Search from the dropdown menu for the ability to apply And/Or search filter criterion. Unlike the search when viewing the contents of an individual log file, this search displays results regardless of which log file contains them. For more information, see Searching log messages. |
Start Time |
Lists the beginning of the log file’s time range. |
End Time |
Lists the end of the log file’s time range. |
Size |
Lists the size of the log file in bytes. |
- Double-click a log file to display the file’s log messages
To view the current page’s worth of the log messages as an HTML table, right-click and select Export to Table. The table appears in a new tab. To download the table, click and drag to select the whole table, then copy and paste it into a rich text editor such as Microsoft Word or OpenOffice Writer. |
- Click a row to select its log file, click Download, then select a format option
Alternatively, to display a set of log messages that may reside in multiple, separate log files:
- If the log files are of the same type (for example, all antispam logs), click Search. For details, see Searching log messages.
- If the log messages are of different types but all caused by the same email session ID, you can do a cross-search to find and display all correlating log messages. For details, see Cross-searching log messages.
Log messages can appear in either raw or formatted views.
- Raw view displays log messages exactly as they appear in the plain text log file.
- Formatted view displays log messages in a columnar format. Each log field in a log message appears in its own column, aligned with the same field in other log messages, for rapid visual comparison. When displaying log messages in formatted view, you can customize the log view by hiding, displaying and arranging columns and/or by filtering columns, refining your view to include only those log messages and fields that you want to see.
By default, log messages always appear in columnar format, with one log field per column. However, when viewing this columnar display, you can also view the log message in raw format by hovering your mouse over the index number of the log message, in the # column.
When hovering your mouse cursor over a log message, that row is temporarily highlighted; however, this temporary highlight automatically follows the cursor, and will move to a different row if you move your mouse. To create a row highlight that does not move when you move your mouse, click anywhere in the row of the log message.
Displaying and arranging log columns
When viewing logs in Formatted view, you can display, hide, sort and re-order columns.
For most columns, you can also filter data within the columns to include or exclude log messages which contain your specified text in that column. For more information, see Searching log messages.
By default, each page’s worth of log messages is listed with the log message with the lowest index number towards the top.
To sort the page’s entries in ascending or descending order
- Click the column heading by which you want to sort.
- To sort in descending order, click the column heading again.
The log messages are sorted in ascending order.
Depending on your currently selected theme:
- the column heading may darken in color to indicate which column is being used to sort the page
- a small upwards-or downwards-pointing arrow may appear in the column heading next to its name to indicate the current sort order.
To display or hide columns
- Go to Monitor > Log.
- Click one of the log type tabs: History, System Event, Mail Event, AntiVirus, AntiSpam, or Encryption.
- Click Configure View > Show/Hide Columns.
- Turn on/off the columns.
- Click OK.
To change the order of the columns
- Go to Monitor > Log.
- Click a log type tab, such as History.
- Double-click the row corresponding to time period whose log messages you want to view.
- For each column whose order you want to change, click and drag its column heading to the left or right.
- Click Configure View > Save View.
While dragging the column heading within the heading row, two arrows follow the column, jumping to the nearest border between columns, indicating where the column will be inserted if you release the mouse button at that time.
Using the right-click pop-up menus
When you right-click on a log message, a context menu appears.
Using the right-click menus on log reports
Log report right-click menu options
GUI item |
Description |
---|---|
View Details |
Select to view the log message in a pop-up window. |
Select All |
Select to select all log messages in the current page, so that you can export all messages to a table. |
Clear Selection |
Select to deselect one or multiple log messages. |
Export |
Select to export the selected log messages to .CSV format, allowing you to review the information elsewhere. |
Cross Search (Session) |
Select to search for the log messages triggered by the same SMTP session. This may result in multiple email messages if multiple messages were sent in the same SMTP session.search log messages by session ID and message ID. For details, see Cross-searching log messages. |
Cross Search (Message) |
Select to search for the log messages triggered by the same email message. For details, see Cross-searching log messages. |
View Quarantined Message |
When viewing quarantine logs on the History tab, select to view the quarantined email message. For details about quarantined email, see Managing the quarantines. |
Release Quarantined Message |
When viewing quarantine logs on the History tab, select one or multiple log entries of the “System Quarantine” messages, then from the right-click popup menu, select the Release Quarantined Message option to release the selected message/messages. For details about quarantined email, see Managing the quarantines. |
Release Log Search |
When viewing quarantine logs on the History tab, select one or multiple log entries of the “System Quarantine” messages, then from the right-click popup menu, select the Release Log Search option to release the selected message/messages. A message will show that the qurantined message was released, along with all logs related to the email being quarantined. |
Searching log messages
You can search logs to quickly find specific log messages in a log file, rather than browsing the entire contents of the log file.
Search appearance varies by the log type.
Some email processing such as mail routing and subject-line tagging modifies the recipient email address, the sender email address, and/or the subject line of an email message. If you search for log messages by these attributes, enter your search criteria using text exactly as it appears in the log messages, not in the email message. For example, you might send an email message from sender@example.com; however, if you have configured mail routing on the FortiMail unit or other network devices, this address, at the time it was logged by the FortiMail unit, may have been sender-1@example.com. In that case, you would search for sender-1@example.com instead of sender@example.com. |
To search log messages
- Go to Monitor > Log.
- Click one of the log type tabs: History, System Event, Mail Event, AntiVirus, AntiSpam, or Encryption.
- To search all log files of that type, click Search.
- Enter your search criteria by configuring one or more of the following:
- Contains: searches for the exact match.
- Does not contain: searches exclude keyword instances.
- Matches (wildcard): supports wildcards in the entered search criteria.
- Does not match (wildcard): searches exclude wildcard instances.
To search one of the log files, first double-click the name of a log file to display the contents of the log file, then click Search.
GUI item |
Description |
Time Range |
Select a time range of log messages to include in the search results. Either search the last hour, 4 hours, 8 hours, 12 hours, or a custom date or time span. For example, you might want to search only log messages that were recorded during the last 10 days and 8 hours previous to the current date. In that case, you would select Custom, select Date, and specify the required dates and time of day to conduct the search. |
Match condition |
Select from one of the following options: |
Keyword |
Enter any word or words to search for within the log messages. For example, you might enter |
Message |
Enter all or part of the message log field. This option does not appear for history log searches. |
Subject |
Enter all or part of the subject line of the email message as it appears in the log message. This option appears only for history log searches. |
Message-ID |
Enter all or part of the message ID in the log message. |
From |
Enter all or part of the sender’s email address as it appears in the log message. This option does not appear for event log searches. |
Header From |
Enter all or part of the email header from address. This option does not appear for event log searches. |
To |
Enter all or part of the recipient’s email address as it appears in the log message. This option does not appear for event log searches. |
Session ID |
Enter all or part of the session ID in the log message. |
Client location (History log search only) |
Select a geographical location by country from the dropdown menu. |
Client name/IP (History log search only) |
Enter all or part of the domain name or IP address of the SMTP client. For email users connecting to send email, this is usually an IP address rather than a domain name. For SMTP servers connecting to deliver mail, this may often be a domain name. |
Classifier |
Enter the classifier in the log message. The classifier field displays which FortiMail scanner applies to the email message. For example, Banned Word means the email messages was detected by the FortiMail banned word scanning. For information about classifiers, see Classifiers and dispositions in history logs. |
Disposition |
Enter the disposition in the log message. The disposition field specifies the action taken by the FortiMail unit. For information about dispositions, see Classifiers and dispositions in history logs. |
Click Search.
The FortiMail unit searches your currently selected log file for log messages that match your search criteria, and displays any matching log messages. For example, if you are currently viewing a history log file, the search locates all matching log messages located in that specific history log file.
To conduct advanced log search tasks
- Go to Monitor > Log.
- Click one of the log type tabs: History, System Event, Mail Event, AntiVirus, AntiSpam, or Encryption.
- Click Advanced Search from the dropdown next to Search.
- Enter your search criteria by configuring one or more of the following:
- Click Search.
A log search task dialog appears.
GUI item |
Description |
Description |
Enter an optional description for the log search task. |
Time Range |
Select a time range of log messages to include in the search results. Either search between two dates and times, or a custom time span. For example, you might want to search only log messages that were recorded during the last 10 days and 8 hours previous to the current date. In that case, you would select Time span and specify the number of days and hours before a specific end date and time. |
Search Filter |
Click Add to apply fields and operations (or match conditions) and define their values. For multiple search filter criterion, apply And/Or search logic under Relationship. |
The FortiMail unit searches your currently selected log file for log messages that match your search criteria, and displays any matching log messages. You can review the results of the search task by going to Monitor > Log > Log Search Task.
Cross-searching log messages
Since different types of log files record different events/activities, the same SMTP session (with one or more email messages sent during the session) or the same email message may be logged in different types of log files. For example, if the FortiMail units detects a virus in an email messages, this event will be logged in the following types of log files:
- History log: because the history log records the metadata of all sent and undelivered email messages.
- AntiVirus log: because a virus is detected. The antivirus log has more descriptions of the virus than the history log does.
- Event log: because the FortiMail system’s antivirus process has been started and stopped.
To find and display all log messages triggered by the same SMTP session or the same email message, you can use the cross-search feature.
The cross-search searches log files recorded five minutes before and after the log entry (this design is for performance purpose). Therefore, the search may cover multiple log files but may not cover all the related log files if any log files are recorded out of the ten minutes interval. |
To do a cross-search of the log messages
- Go to Monitor > Log.
- When viewing a log message on the History, System Event, Mail Event, AntiVirus, or AntiSpam tab, right-click the log message that has a message ID. From the pop-up menu, select:
- Cross Search (Session) to search for the log messages triggered by the same SMTP session. This may result in multiple email messages if multiple messages were sent in the same SMTP session.
- Cross Search (Message) to search for the log messages triggered by the same email message.
You can also click the session ID of the log message to search for the log messages triggered by the same SMTP session. This is equivalent to the Cross Search (Session) pop-up menu.
All correlating history, event, antivirus and antispam log messages will appear in a new tab.
For instances where the search is conducted within 60 minutes, it is recommended to conduct the cross search via SMTP session ID. If the log is not in the same log file but in rotated log files, and it is also not within the 60 minute time frame, the cross search will not retrieve all the related logs. If this occurs, it is recommended to conduct a search in antispam logs. |