About FortiMail logging
FortiMail units can log many different email activities and traffic including:
- system-related events, such as system restarts and HA activity
- virus detections
- spam filtering results
- POP3, SMTP, IMAP and webmail events
You can select which severity level an activity or event must meet in order to be recorded in the logs. For more information, see Log message severity levels.
A FortiMail unit can save log messages to its hard disk or a remote location, such as a Syslog server or a Fortinet FortiAnalyzer unit. For more information, see Configuring logging. It can also use log messages as the basis for reports. For more information, see Configuring report profiles and generating mail statistic reports.
Accessing FortiMail log messages
There are several ways you can access FortiMail log messages:
- On the FortiMail web UI, you can view log messages by going to Monitor > Log. From here you can download log messages to your local PC by clicking Export and view them later. For details, see the FortiMail Administration Guide.
- Go to Log & Report > Log Setting > Remote and add a FortiAnalyzer unit as a remote host in order to send log messages to FortiAnalyzer. You can send log messages to any Syslog server from here.
Log message syntax
All FortiMail log messages are comprised of a log header and a log body.
- Header — Contains the time and date the log originated, a log identifier, the type of log, the severity level (priority) and where the log message originated.
- Body — Describes the reason why the log was created, plus any actions that the FortiMail appliance took to respond to it. These fields may vary by log type.
Log message header and body
For example, in the following event log, the first line is the header and the second line is the body:
```
date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 type=kevent subtype=admin pri=information
user=admin ui=GUI(172.20.120.26) action=login status=success reason=none msg="User admin login successfully from GUI(172.20.120.26)"
```
Device ID field
Depending on where you view log messages, log formats may vary slightly. For example, if you view logs on the FortiMail web UI or download them to your local PC, the log messages do not contain the device ID field. If you send the logs to FortiAnalyzer or other Syslog servers, the device ID field will be added.
Policy ID and domain fields
Starting from the v5.0 release, two new fields, policy ID and domain, have been added to history logs.
The policy ID is in the format of x:y:z, where:
- x is the ID of the global access control policy.
- y is the ID of the IP-based policy.
- z is the ID of the recipient-based policy.
If x, y, and z are all 0, no policy was matched.
If the matched recipient-based policy is incoming, the protected domain will be logged in the domain field.
If the matched recipient-based policy is outgoing, the domain field will be empty.
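The following parser, added here as an example and not part of the FortiMail reference, covers the log syntax and Device ID sections above (a key=value header and body, with device_id present only when the log is sent to FortiAnalyzer or Syslog) and the policy ID format in this section. The sample event log is the admin login message from the log syntax section; the history log line is constructed, and the field names policy_id and domain in it are assumptions, since the reference describes those fields by name only in prose.

```python
import re

# Header fields named in the log syntax section. device_id is only present when
# the log is sent to FortiAnalyzer or a Syslog server, so the parser treats it
# as optional rather than positional.
HEADER_FIELDS = ("date", "time", "device_id", "log_id", "type", "subtype", "pri")

# key=value tokens; a value is either a double-quoted string (which may contain
# spaces, like msg="...") or a run of non-space characters.
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_log_line(line):
    """Split one FortiMail log message into (header, body) dicts."""
    fields = {}
    for key, raw in _TOKEN.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    header = {k: v for k, v in fields.items() if k in HEADER_FIELDS}
    body = {k: v for k, v in fields.items() if k not in HEADER_FIELDS}
    return header, body


def decode_policy_id(policy_id):
    """Interpret the x:y:z policy ID of a history log.

    x = global access control policy, y = IP-based policy, z = recipient-based
    policy; all three being 0 means no policy was matched.
    """
    parts = policy_id.split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("policy ID must look like x:y:z, got %r" % policy_id)
    x, y, z = (int(p) for p in parts)
    return {
        "global_access_control_policy": x,
        "ip_based_policy": y,
        "recipient_based_policy": z,
        "matched": (x, y, z) != (0, 0, 0),
    }


# The admin login event from the log syntax section, as it would arrive at a
# Syslog server (device_id present).
EVENT_LOG_SYSLOG = (
    "date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 "
    "type=kevent subtype=admin pri=information user=admin ui=GUI(172.20.120.26) "
    "action=login status=success reason=none "
    'msg="User admin login successfully from GUI(172.20.120.26)"'
)
# The same message as exported from the web UI (device_id absent).
EVENT_LOG_WEBUI = EVENT_LOG_SYSLOG.replace("device_id=FE100C3909600504 ", "")

# A constructed history log line (not real FortiMail output). The field names
# policy_id and domain are assumed for this example.
HISTORY_LOG_CONSTRUCTED = (
    "date=2012-08-17 time=12:30:05 log_id=0200000001 type=statistics pri=information "
    'policy_id=1:2:3 domain="example.com" classifier="Banned Word" disposition="Quarantine"'
)


def summarize(line):
    """Reduce a log line to the fields an analyst triages on first."""
    header, body = parse_log_line(line)
    summary = {
        "type": header.get("type"),
        "pri": header.get("pri"),
        "has_device_id": "device_id" in header,
    }
    if "policy_id" in body:
        summary["policy"] = decode_policy_id(body["policy_id"])
        # An outgoing recipient-based policy leaves the domain field empty.
        summary["domain"] = body.get("domain") or None
    return summary


if __name__ == "__main__":
    for sample in (EVENT_LOG_SYSLOG, EVENT_LOG_WEBUI, HISTORY_LOG_CONSTRUCTED):
        print(summarize(sample))
```

Because the parser keys on field names rather than position, the same code handles exported web UI files and Syslog feeds without a separate code path for the missing device_id.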
Endpoint field
Starting from 4.0 MR3, a field called endpoint was added to the history and antispam logs. This field displays the endpoint’s subscriber ID, MSISDN, login ID, or other identifiers. This field is empty if the sender IP is not matched to any endpoint identifier or if endpoint reputation is not enabled in the session profiles.
Log_part field
For FortiMail 3.0 MR3 and up, the log header of some log messages may include an extra field, log_part, which provides numbered identification (such as 00, 01, and 02) when a log message has been split. Log splitting occurs in FortiMail 3.0 MR3 and up because the maximum log message length was reduced.
Hex numbers in history logs
If you view the log messages on the FortiMail web UI or send the logs to a Syslog server, the dispositions and classifiers are displayed in English terms. However, if you download log files from the FortiMail web UI to your PC and open them, the dispositions and classifiers are displayed as hex numbers. For an explanation of these numbers, see Classifiers and dispositions in history logs.
FortiMail log types
FortiMail units can record the following types of log messages. The Event log also contains several subtypes. You can view and download these logs from the Log submenu of the Monitor tab.
Log types
| Log Type | Default File Name | Description |
|---|---|---|
| History (statistics) | alog | Records all email traffic going through the FortiMail unit. |
| System Event (kevent) | klog | Records system management activities, including changes to the system configuration as well as administrator and user logins and logouts. |
| Mail Event (event) | elog | Records mail activities. |
| Antispam (spam) | slog | Records spam detection events. |
| Antivirus (virus) | vlog | Records virus intrusion events. |
| Encryption (encrypt) | nlog | Records detection of IBE-related events. |
Email-related logs contain a session identification (ID) number, located in the session ID field of the log message. The same session ID appears in every relevant log type for that session, so the administrator can correlate all the information about an event or activity that occurred on their network.
For more information about these specific log types, see the FortiMail Log Reference.
Avoid recording highly frequent log types to the local hard disk for an extended period of time. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.
Subtypes
FortiMail logs are grouped into categories by log type and subtype as shown in the table below:
| Log Type | Subtype |
|---|---|
| kevent | admin, config, dns, ha, system, update |
| event | imap, pop3, smtp, webmail |
| virus | infected, malware-outbreak, file-signature |
| spam | default, admin, user |
| statistics | (no subtype) |
| encrypt | (no subtype) |
Log message severity levels
Each log message contains a field that indicates the severity level of the log message, such as pri=warning.
Log severity levels
| Level (0 is highest) | Name | Description |
|---|---|---|
| 0 | Emergency | The system has become unstable. |
| 1 | Alert | Immediate action is required. |
| 2 | Critical | Functionality is affected. |
| 3 | Error | An error condition exists and functionality could be affected. |
| 4 | Warning | Functionality could be affected. |
| 5 | Notice | Information about normal events. |
| 6 | Information | General information about system operation. |
For each location where the FortiMail unit can store log files, you can define the severity threshold of the log messages to be stored there.
Avoid recording log messages using low severity thresholds such as Information or Notification to the local hard disk for an extended period of time. A low log severity threshold is one possible cause of frequent logging. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.
The FortiMail unit stores all log messages equal to or exceeding the severity level you select. For example, if you select Error, the FortiMail unit stores log messages whose severity level is Error, Critical, Alert, or Emergency.
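The threshold rule above is easy to get backwards because the most severe level has the lowest number. The following filter, added here as an example rather than code from the reference, applies the rule to a handful of constructed log lines: a line is kept when its pri= level is numerically less than or equal to the threshold's level, so selecting Error keeps Error, Critical, Alert and Emergency.

```python
import re

# Severity names as they appear in the pri= field, mapped to the numeric level
# from the severity table (0 is the most severe).
SEVERITY = {
    "emergency": 0,
    "alert": 1,
    "critical": 2,
    "error": 3,
    "warning": 4,
    "notice": 5,
    "information": 6,
}

_PRI_FIELD = re.compile(r"\bpri=(\w+)")


def severity_level(line):
    """Numeric severity of a log line, or None if pri= is missing or unknown."""
    match = _PRI_FIELD.search(line)
    if not match:
        return None
    return SEVERITY.get(match.group(1).lower())


def meets_threshold(line, threshold):
    """True if the line is at or above the threshold severity.

    'At or above' means a lower or equal number, so the comparison is <=.
    Lines without a recognisable pri= field are kept rather than silently
    dropped, so that a malformed message can still be investigated.
    """
    level = severity_level(line)
    if level is None:
        return True
    return level <= SEVERITY[threshold.lower()]


def filter_by_threshold(lines, threshold):
    """Return only the lines that would be stored under the given threshold."""
    return [line for line in lines if meets_threshold(line, threshold)]


# Constructed sample lines (not real FortiMail output); only the pri= field
# matters for this example.
SAMPLE_LOG_LINES = [
    'date=2012-08-17 time=12:26:41 log_id=0001001623 type=kevent subtype=admin pri=information msg="User admin login successfully"',
    'date=2012-08-17 time=12:27:02 log_id=0001001624 type=kevent subtype=system pri=notice msg="Scheduled backup completed"',
    'date=2012-08-17 time=12:28:10 log_id=0001001625 type=event subtype=smtp pri=warning msg="Connection limit reached"',
    'date=2012-08-17 time=12:29:33 log_id=0001001626 type=kevent subtype=update pri=error msg="Update download failed"',
    'date=2012-08-17 time=12:30:45 log_id=0001001627 type=kevent subtype=ha pri=critical msg="HA peer lost"',
    'date=2012-08-17 time=12:31:59 log_id=0001001628 type=kevent subtype=system pri=emergency msg="Disk failure"',
]


if __name__ == "__main__":
    for line in filter_by_threshold(SAMPLE_LOG_LINES, "error"):
        print(line)
```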
Classifiers and dispositions in history logs
Each history log contains one field called Classifier and another called Disposition.
The Classifier field displays which FortiMail scanner applied to the email message. For example, “Banned Word” means the email message was detected by the FortiMail banned word scanner. The Disposition field specifies the action taken by the FortiMail unit.
If you view the log messages on the FortiMail web UI or send the logs to a Syslog server, the dispositions and classifiers are displayed in English terms. However, if you download log files from the FortiMail web UI to your PC and open them, the dispositions and classifiers are displayed as hex numbers.
The following tables map the hex numbers to English terms.
Classifiers
When the classifier is “Attachment Filter”, a new field “atype” (attachment type) is also displayed. This field is for debug purposes only.
| Hex Number | Classifier | Hex Number | Classifier |
|---|---|---|---|
| 0x00 | Undefined | 0x2A | Message Cryptography |
| 0x01 | User Safe | 0x2B | Delivery Control |
| 0x02 | User Discard | 0x2C | Encrypted Content |
| 0x03 | System Safe | 0x2D | SPF Failure as Spam |
| 0x04 | System Discard | 0x2E | Fragmented Email |
| 0x05 | RBL | 0x2F | Email Contains Image |
| 0x06 | SURBL | 0x30 | Content Requires Encryption |
| 0x07 | FortiGuard AntiSpam | 0x31 | FortiGuard AntiSpam Block IP |
| 0x08 | FortiGuard AntiSpam-Safe | 0x32 | Session Remote |
| 0x09 | Bayesian | 0x33 | FortiGuard Phishing |
| 0x0A | Heuristic | 0x34 | AntiVirus |
| 0x0B | Dictionary Scanner | 0x35 | Sender Address Rate Control |
| 0x0C | Banned Word | 0x36 | SMTP Auth Failure |
| 0x0D | Deep Header | 0x37 | Access Control List Reject |
| 0x0E | Forged IP (before v5.2 release) | 0x38 | Access Control List Discard |
| 0x0F | Quarantine Control | 0x39 | Access Control List Bypass |
| 0x10 | Tagged virus (before v4.3 release) | 0x3A | FortiGuard Antispam Webfilter |
| 0x11 | Attachment Filter (see note above) | 0x3B | Newsletter Suspicious |
| 0x12 | Grey List | 0x3C | TLS Streaming |
| 0x13 | Bypass Scan On Auth | 0x3D | Policy Match |
| 0x14 | Disclaimer | 0x3E | Dynamic Safe List |
| 0x15 | Defer Delivery | 0x3F | Sender Verification |
| 0x16 | Session Domain | 0x40 | Behavior Analysis |
| 0x17 | Session Limits | 0x41 | FortiGuard Spam Outbreak |
| 0x18 | Session Safe | 0x42 | Newsletter |
| 0x19 | Session Block | 0x43 | DMARC |
| 0x1A | Content Monitor and Filter | 0x44 | File Signature |
| 0x1B | Content Monitor as Spam | 0x45 | Sandbox |
| 0x1C | Attachment as Spam | 0x46 | Malware Outbreak |
| 0x1D | Image Spam | 0x47 | DLP Filter |
| 0x1E | Sender Reputation | 0x48 | DLP Treated as Spam |
| 0x1F | Access Control List Relay Denied | 0x49 | DLP Requires Encryption |
| 0x20 | Safelist Word | 0x4A | Access Control List Safe |
| 0x21 | Domain Safe | 0x4B | Virus Outbreak |
| 0x22 | Domain Block | 0x4C | FortiGuard Antispam Webfilter |
| 0x23 | SPF (not in use) | 0x4D | Impersonation Analysis |
| 0x24 | Domain Key (not in use) | 0x4E | Session Action |
| 0x25 | DKIM (not in use) | 0x4F | SPF Sender Alignment |
| 0x26 | Recipient Verification | 0x50 | SPF Check |
| 0x27 | Bounce Verification | 0x51 | Sandbox URL |
| 0x28 | Endpoint Reputation | 0x52 | Sandbox No Result |
| 0x29 | SSL Profile Check | 0x53 | Content Modification |
|  |  | 0x54 | DKIM Failure |
Dispositions
| Hex Number | Disposition | Hex Number | Disposition |
|---|---|---|---|
| 0x00 | Undefined | 0x10000 | Encryption |
| 0x01 | Accept the message | 0x20000 | Decryption |
| 0x02 | Move to a specified folder | 0x40000 | Deliver the message to an alternate host |
| 0x04 | Send a reject to the SMTP client | 0x80000 | Deliver the message to a set of recipients |
| 0x08 | Add a header to the message | 0x100000 | Archive the message |
| 0x10 | Modify the subject line | 0x200000 | Encase the original message with customizable text |
| 0x20 | Quarantine the message | 0x400000 | Wrap the original message |
| 0x40 | Insert disclaimer content | 0x800000 | Notification |
| 0x80 | Block the message | 0x1000000 | Sign the message using SMIME/CMS |
| 0x100 | Replace banned attachments | 0x2000000 | Defer the message disposition |
| 0x200 | Delay and greylist the message | 0x4000000 | Convert HTML attachment to text |
| 0x400 | Forward the message to a review account | 0x8000000 | Remove active HTML content |
| 0x800 | Added a disclaimer to the body | 0x10000000 | Remove URLs from processed HTML attachments |
| 0x1000 | Added a disclaimer to the headers | 0x20000000 | Deliver to original host |
| 0x2000 | Defer message delivery | 0x40000000 | Content Disarm and Reconstruction |
| 0x4000 | Quarantine for review | 0x80000000 | URL Click Protection |
| 0x8000 | Treat as spam | 0x100000000 | Domain quarantine |
The disposition field in a log message may contain one or more dispositions/actions. For example, “Accept” and “Defer” dispositions may appear in the same message. The Defer disposition is added when an email message is deferred for either of the following two reasons: FortiGuard antispam outbreak or FortiSandbox scan.
The "Accept" disposition is logged only when no other action is taken.
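Every disposition value in the table above is a distinct bit, and the note says several dispositions can appear in one message, so a downloaded log file's hex disposition can be decoded by testing each bit. The decoder below is an added example, not code from the FortiMail reference; the bitwise-OR interpretation is this example's assumption (the reference lists the values but does not state how they combine), and the classifier map is only a subset of the classifier table above. Unknown bits are reported rather than dropped, so a newer appliance's dispositions are not silently lost.

```python
# Disposition hex values from the dispositions table. Each is a single bit, so
# this example assumes a logged value is the bitwise OR of every action taken
# (the power-of-two values and the "Accept and Defer in one message" note point
# that way; the reference itself does not spell out the encoding).
DISPOSITIONS = {
    0x00: "Undefined",
    0x01: "Accept the message",
    0x02: "Move to a specified folder",
    0x04: "Send a reject to the SMTP client",
    0x08: "Add a header to the message",
    0x10: "Modify the subject line",
    0x20: "Quarantine the message",
    0x40: "Insert disclaimer content",
    0x80: "Block the message",
    0x100: "Replace banned attachments",
    0x200: "Delay and greylist the message",
    0x400: "Forward the message to a review account",
    0x800: "Added a disclaimer to the body",
    0x1000: "Added a disclaimer to the headers",
    0x2000: "Defer message delivery",
    0x4000: "Quarantine for review",
    0x8000: "Treat as spam",
    0x10000: "Encryption",
    0x20000: "Decryption",
    0x40000: "Deliver the message to an alternate host",
    0x80000: "Deliver the message to a set of recipients",
    0x100000: "Archive the message",
    0x200000: "Encase the original message with customizable text",
    0x400000: "Wrap the original message",
    0x800000: "Notification",
    0x1000000: "Sign the message using SMIME/CMS",
    0x2000000: "Defer the message disposition",
    0x4000000: "Convert HTML attachment to text",
    0x8000000: "Remove active HTML content",
    0x10000000: "Remove URLs from processed HTML attachments",
    0x20000000: "Deliver to original host",
    0x40000000: "Content Disarm and Reconstruction",
    0x80000000: "URL Click Protection",
    0x100000000: "Domain quarantine",
}

# A subset of the classifier table; the classifier is a single value, not a mask.
CLASSIFIERS = {
    0x00: "Undefined",
    0x07: "FortiGuard AntiSpam",
    0x0C: "Banned Word",
    0x11: "Attachment Filter",
    0x12: "Grey List",
    0x34: "AntiVirus",
    0x41: "FortiGuard Spam Outbreak",
    0x45: "Sandbox",
    0x54: "DKIM Failure",
}


def _to_int(value):
    """Accept an int, or the hex string as written in a downloaded log file."""
    return value if isinstance(value, int) else int(value, 16)


def decode_disposition(value):
    """Expand a hex disposition into the list of actions it encodes."""
    value = _to_int(value)
    if value == 0:
        return [DISPOSITIONS[0x00]]
    names = []
    remaining = value
    for bit, name in sorted(DISPOSITIONS.items()):
        if bit and remaining & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        # Bits not in the table above: surface them instead of discarding them.
        names.append("unknown 0x%X" % remaining)
    return names


def decode_classifier(value):
    """Map a hex classifier to its English term, flagging values not in the subset."""
    value = _to_int(value)
    return CLASSIFIERS.get(value, "unknown 0x%02X" % value)


def describe_history_entry(classifier, disposition):
    """Combine both lookups for one history log entry."""
    return {
        "classifier": decode_classifier(classifier),
        "dispositions": decode_disposition(disposition),
    }


if __name__ == "__main__":
    # Constructed values, not taken from a real log: an outbreak-deferred message
    # that was accepted, i.e. the "Accept" + "Defer" combination from the note.
    print(describe_history_entry("0x41", "0x2000001"))
```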