Fortinet white logo
Fortinet white logo

Administration Guide

Searching the HA cluster logs

Searching the HA cluster logs

Go to Centralized Monitor > Log Search > Log Search to configure and conduct log searches across the cluster members based on various search criteria.

To configure HA log search
  1. Go to Centralized Monitor > Log Search > Log Search.
  2. Click New.
  3. Configure the following search criteria. Note that the availability of the following options depends on the Log type selected:
  4. GUI item

    Description

    Select devices

    Either enable All devices to conduct the log search across all cluster members or select the members you wish to search from Available and move them to Members.

    Log type

    Select the type of log to search. Select from the following options:

    • History
    • Mail Event
    • AntiVirus
    • AntiSpam
    • Encryption
    • System Event
    Description Optionally, enter a description of the log you search for reference.
    Keyword

    Enter any word or words to search for within the log messages.

    For example, you might enter starting daemon to locate all log messages containing that exact phrase in any log field.

    Message

    Enter all or part of the message log field.

    This option does not appear for History log searches.

    Subject

    Enter all or part of the subject line of the email message as it appears in the log message.

    This option appears only for History log searches.

    Message-ID

    Enter the unique identifier from the email header.

    From

    Enter all or part of the sender’s email address as it appears in the log message.

    This option does not appear for any event or Encryption log searches.

    Header From

    This option appears only for History log searches.

    To

    Enter all or part of the recipient’s email address as it appears in the log message.

    This option does not appear for any event log searches.

    Session ID

    Enter all or part of the session ID in the log message.

    Log ID

    Enter all or part of the log ID in the log message.

    This option does not appear for any event or Encryption or System Event log searches.

    Client name/IP

    Enter all or part of the domain name or IP address of the SMTP client. For email users connecting to send email, this is usually an IP address rather than a domain name. For SMTP servers connecting to deliver mail, this may often be a domain name.

    This option appears only for History and AntiSpam log searches.

    Classifier

    Enter the classifier in the log message.

    The classifier field displays which FortiMail scanner applies to the email message. For example, Banned Word means the email messages was detected by the FortiMail banned word scanning.

    For information about classifiers, see Classifiers and dispositions in history logs.

    Disposition

    Enter the disposition in the log message.

    The disposition field specifies the action taken by the FortiMail cluster unit(s).

    For information about classifiers, see Classifiers and dispositions in history logs.

    Match condition
    • Contain: searches for the exact match.
    • Wildcard: supports wildcards in the entered search criteria.
    Date

    Select the date and time range of log messages to include in the search results.

    Time span

    Select the time span of log messages to include in the search results.

    For example, you might want to search only log messages that were recorded during the last 10 days and 8 hours previous to the specified End time date. In that case, you would specify the End time date, and also specify the size of the span of time (10 days and 8 hours) before that date.

  5. Click Search.
  6. The primary FortiMail HA unit searches your currently selected HA cluster members for log messages that match your search criteria, and displays any matching log messages.

See also

Viewing log messages

Searching the HA cluster logs

Searching the HA cluster logs

Go to Centralized Monitor > Log Search > Log Search to configure and conduct log searches across the cluster members based on various search criteria.

To configure HA log search
  1. Go to Centralized Monitor > Log Search > Log Search.
  2. Click New.
  3. Configure the following search criteria. Note that the availability of the following options depends on the Log type selected:
  4. GUI item

    Description

    Select devices

    Either enable All devices to conduct the log search across all cluster members or select the members you wish to search from Available and move them to Members.

    Log type

    Select the type of log to search. Select from the following options:

    • History
    • Mail Event
    • AntiVirus
    • AntiSpam
    • Encryption
    • System Event
    Description Optionally, enter a description of the log you search for reference.
    Keyword

    Enter any word or words to search for within the log messages.

    For example, you might enter starting daemon to locate all log messages containing that exact phrase in any log field.

    Message

    Enter all or part of the message log field.

    This option does not appear for History log searches.

    Subject

    Enter all or part of the subject line of the email message as it appears in the log message.

    This option appears only for History log searches.

    Message-ID

    Enter the unique identifier from the email header.

    From

    Enter all or part of the sender’s email address as it appears in the log message.

    This option does not appear for any event or Encryption log searches.

    Header From

    This option appears only for History log searches.

    To

    Enter all or part of the recipient’s email address as it appears in the log message.

    This option does not appear for any event log searches.

    Session ID

    Enter all or part of the session ID in the log message.

    Log ID

    Enter all or part of the log ID in the log message.

    This option does not appear for any event or Encryption or System Event log searches.

    Client name/IP

    Enter all or part of the domain name or IP address of the SMTP client. For email users connecting to send email, this is usually an IP address rather than a domain name. For SMTP servers connecting to deliver mail, this may often be a domain name.

    This option appears only for History and AntiSpam log searches.

    Classifier

    Enter the classifier in the log message.

    The classifier field displays which FortiMail scanner applies to the email message. For example, Banned Word means the email messages was detected by the FortiMail banned word scanning.

    For information about classifiers, see Classifiers and dispositions in history logs.

    Disposition

    Enter the disposition in the log message.

    The disposition field specifies the action taken by the FortiMail cluster unit(s).

    For information about classifiers, see Classifiers and dispositions in history logs.

    Match condition
    • Contain: searches for the exact match.
    • Wildcard: supports wildcards in the entered search criteria.
    Date

    Select the date and time range of log messages to include in the search results.

    Time span

    Select the time span of log messages to include in the search results.

    For example, you might want to search only log messages that were recorded during the last 10 days and 8 hours previous to the specified End time date. In that case, you would specify the End time date, and also specify the size of the span of time (10 days and 8 hours) before that date.

  5. Click Search.
  6. The primary FortiMail HA unit searches your currently selected HA cluster members for log messages that match your search criteria, and displays any matching log messages.

See also

Viewing log messages