
Administration Guide

Configuring logging


The Log Setting submenu allows you to:

  • set the severity level
  • configure which types of log messages to record
  • specify where to store the logs

You can configure the FortiMail unit to store log messages locally (that is, in RAM or to the hard disk), remotely (that is, on a Syslog server or FortiAnalyzer unit), or in FortiAnalyzer Cloud (license required).

Your choice of storage location may be affected by several factors, including the following:

  • Local logging by itself may not satisfy your requirements for off-site log storage.
  • Very frequent logging may cause undue wear when stored on the local hard drive. A low severity threshold is one possible cause of frequent logging. For more information on severity levels, see Log message severity levels.

For information on viewing locally stored log messages, see Viewing log messages.

Note

FortiMail logs an event when any of the following system resource usages exceeds its predefined threshold:

  • CPU usage: 85%
  • Memory usage: 85%
  • System load: 85%
  • Mail disk usage: 95%
  • Log disk usage: 95%

See also

Logging to a Syslog server or FortiAnalyzer unit

Logging to the hard disk

Logging to FortiAnalyzer Cloud

Logging to the hard disk

You can store log messages locally on the hard disk of the FortiMail unit.

To ensure that the local hard disk has sufficient disk space to store new log messages and that it does not overwrite existing logs, you should regularly download backup copies of the oldest log files to your management computer or other storage, and then delete them from the FortiMail unit. Alternatively, you could configure logging to a remote host.

You can view and download these logs from the Log submenu of the Monitor tab. For more information, see Viewing log messages.

For logging accuracy, you should also verify that the FortiMail unit’s system time is accurate. For details, see Configuring the time and date.

To configure logging to the local hard disk
  1. Go to Log & Report > Log Setting > Local.
  2. Configure the following settings:

    Setting

    Description

    Status

    Select to enable logging to this location.

    Log file size

    Enter the maximum file size of the current log file in megabytes (MB).

    Log time

    At hour

    Enter the maximum age (in days) of the log file, and the hour of the day (24-hour format) when FortiMail will rotate the current log file. Valid range is from 1 to 365 days.

    When a log file reaches either the age or file size limit, the FortiMail unit closes the current log file and starts a new one ("rotates"): it renames the current log file (elog.log) with a file name indicating its sequential relationship to other log files of that type (elog2.log, and so on), then creates a new current log file. For example, if you set the log time to 10 days at hour 23, the log file will be rotated at the 23rd hour of the 10th day (23:00).

    Note: Large log files may decrease display and search performance.

    Log level

    Select the severity level that a log message must equal or exceed in order to be recorded to this storage location.

    For details, see Log message severity levels.

    Caution: Avoid recording log messages using low severity thresholds such as Information or Notification to the local hard disk for an extended period of time. A low log severity threshold is one possible cause of frequent logging. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.

    Log retention period

    Enter how long (in days) the logs will be kept. Valid range is 0 to 1461 days. 0 means no limit.

    Log options when disk full

    Select what you want to do when the log partition of the local disk is almost full, meaning that less than 5 percent of the disk space or 1.5 GB, whichever is smaller, is left.

    • Do not log: Discard all new log messages.
    • Overwrite: Delete the oldest log file in order to free disk space, and store the new log messages. Oldest files of all log types will be deleted until 15 percent of the disk space or 22.5 GB, whichever is smaller, is reached.

    Logging Policy Configuration

    Select which categories of log messages to record to this storage location:

    • System Event
      • Configuration-Admin: Configuration changes by an administrator, such as editing policies, profiles, and domains.
      • Configuration-User: Configuration changes by a quarantine or webmail user, such as personal safe/block lists.
      • Admin activity: Administrative events such as logins and viewing log messages.
      • System activity: System events, such as rebooting the FortiMail unit or IP address configuration via DHCP.
      • HA
      • Update: Both successful and unsuccessful attempts to download firmware and FortiGuard updates.
      • DNS
    • Mail Event
      • Webmail
      • POP3
      • IMAP
      • SMTP
    • History: SMTP relay or proxy events related to mail delivery.
    • AntiVirus
    • AntiSpam
    • Encryption: IBE events. See also Configuring encryption profiles.
  3. Click Apply.

See also

Log message severity levels

Logging to a Syslog server or FortiAnalyzer unit

Instead of or in addition to logging locally, you can store log messages remotely on a Syslog server or a FortiAnalyzer unit. For information about how many remote Syslog servers your FortiMail model can support, see Appendix B: Maximum Values.

Note

Logs stored remotely cannot be viewed from the FortiMail GUI. If you require this, also enable local storage. For details, see Logging to the hard disk.

Before you can log to a remote location, you must first enable logging. For logging accuracy, you should also verify that the FortiMail unit’s system time is accurate. For details, see Configuring the time and date.

To configure logging to a Syslog server or FortiAnalyzer unit

  1. Go to Log & Report > Log Setting > Remote.

  2. Click New to create a new entry or double-click an existing entry to modify it.

    A dialog appears.

  3. Configure the following settings:

    Setting

    Description

    Status

    Select to enable logging to this location.

    Name

    Enter a unique name for this configuration.

    Server name/IP

    Enter the IPv4, IPv6, or domain name (FQDN) address of the Syslog server or FortiAnalyzer that will store the logs.

    Server port

    If the remote host is a FortiAnalyzer unit, type 514. If the remote host is a Syslog server, type the port number on which the Syslog server listens.

    See also Appendix C: Port Numbers.

    Protocol

    Select the protocol used to communicate with the remote log server.

    • Syslog: Any compatible third-party Syslog server or FortiAnalyzer. If the server uses Syslog over TCP or secure transport, also configure Mode.
    • OFTPS: FortiAnalyzer only. Also configure Hash algorithm.

    Mode

    Enter the transport layer protocol used for delivering the log to the remote Syslog server:

    • TCP: Slower, but more reliable than UDP: the server asks the FortiMail unit to retransmit if the server did not correctly receive the log message, compliant with RFC 6587 (Transmission of syslog Messages over TCP).

      Note: Requires that the log server supports the octet counting method.

    • TCP (legacy): TCP, but with legacy options for message delimiters instead of octet counting, compliant with RFC 3195 (Reliable Delivery for Syslog) and, for example, old versions of Kiwi Syslog Server.
    • TCP over TLS: TCP, but more secure: data in the channel is encrypted during transit using TLS, compliant with RFC 5427 (Transport Layer Security Transport Mapping for Syslog). FortiMail requires that the server present a valid certificate to identify itself, and the server may also require that the FortiMail unit present a valid client certificate to authenticate. Otherwise, the connection fails. Also configure Local certificate.
    • TCP over TLS (legacy): TLS, but with the same legacy options as tcp-legacy.
    • UDP: Faster, but less reliable than TCP, and not secure: the server does not confirm if it did not correctly receive the log message, and does not encrypt log messages in transit.

    This setting is applicable if Protocol is Syslog.

    Caution: Do not use UDP or TCP without encryption if logs are transmitted through untrusted networks such as the Internet. Sensitive information could be intercepted by unauthorized persons, compromising the security of your network. Use a TLS option instead. For stronger security, you can configure encryption settings. For details, see config system global in the FortiMail CLI Reference.

    Local certificate

    Select which certificate to use in TLS to encrypt the Syslog session to the remote Syslog server.

    This setting is available if Mode is TCP over TLS or TCP over TLS (legacy).

    Hash algorithm

    Select the hash algorithm to use in OFTPS encryption.

    This setting is available if Protocol is OFTPS.

    Matched session only

    Select this option if you want to send only the matched session logs to this storage location. Otherwise, all logs will be sent.

    This option appears if you enabled advanced MTA control (see Configuring advanced MTA control settings).

    Level

    Select the severity level that a log message must equal or exceed in order to be recorded to this storage location.

    For details, see Log message severity levels.

    Facility

    Select the facility identifier that the FortiMail unit will use to identify itself when sending log messages.

    To easily identify log messages from the FortiMail unit when they are stored on a remote logging server, enter a unique facility identifier, and verify that no other network devices use the same facility identifier.

    CSV format

    Enable if you want to send log messages in comma-separated value (CSV) format.

    Note: Do not enable this option if the log destination is a FortiAnalyzer unit. FortiAnalyzer units do not support logs in CSV format.

    Comment

    Enter a descriptive comment.

    Logging Policy Configuration

    Select which categories of log messages to send to the remote server:

    • System Event
      • Configuration-Admin: Configuration changes by an administrator, such as editing policies, profiles, and domains.
      • Configuration-User: Configuration changes by a quarantine or webmail user, such as personal safe/block lists.
      • Admin activity: Administrative events such as logins and viewing log messages.
      • System activity: System events, such as rebooting the FortiMail unit or IP address configuration via DHCP.
      • HA
      • Update: Both successful and unsuccessful attempts to download firmware and FortiGuard updates.
      • DNS
    • Mail Event
      • Webmail
      • POP3
      • IMAP
      • SMTP
    • History: SMTP relay or proxy events related to mail delivery.
    • AntiVirus
    • AntiSpam
    • Encryption: IBE events. See also Configuring encryption profiles.

  4. Click Create.

  5. If the remote host is a FortiAnalyzer unit, confirm with the FortiAnalyzer administrator that the FortiMail unit was added to the FortiAnalyzer unit’s device list, allocated sufficient disk space quota, and assigned permission to transmit logs to the FortiAnalyzer unit. For details, see the FortiAnalyzer Administration Guide.

  6. To verify logging connectivity, from the FortiMail unit, trigger a log message that matches the types and severity levels that you have chosen to store on the remote host. Then, on the remote host, confirm that it has received that log message.

    For example, if you have chosen to record event log messages to the remote host if they are more severe than information, you could log in to the GUI or download a backup copy of the FortiMail unit’s configuration file in order to trigger an event log message.

    If the remote host does not receive the log messages, verify the FortiMail unit’s network interfaces (see Configuring the network interfaces and About the management IP) and static routes (see Configuring static routes), and the policies on any intermediary firewalls or routers. If ICMP ECHO (ping) is enabled on the remote host, you can use the execute traceroute command to determine the point where connectivity fails. For details, see the FortiMail CLI Reference.
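
Added example (not from this guide and not Fortinet code): a receiver-side decoder for checking, during step 6, whether the log server's framing matches the selected Mode. It contrasts RFC 6587 octet counting with the delimiter framing of the legacy modes, and reads the PRI value that encodes facility and severity; it goes slightly beyond the page by auto-detecting both framings. Assumptions: the legacy delimiter is LF, and SyslogStreamDecoder, parse_pri, decode_and_filter, MAX_FRAME and the sample messages are hypothetical names and constructed data.

```python
import re

MAX_FRAME = 64 * 1024  # assumed cap: refuse absurd MSG-LEN values
SEVERITY = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
_PRI = re.compile(rb"<(\d{1,3})>")


class FramingError(ValueError):
    """The byte stream is not valid syslog-over-TCP framing."""


class SyslogStreamDecoder:
    """Incrementally splits a TCP byte stream into syslog messages."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, data):
        """Buffer received bytes; return the complete (framing, message) pairs."""
        self._buf += data
        out = []
        while self._buf:
            first = self._buf[0]
            if first in (0x0A, 0x0D):      # stray CR/LF between frames
                del self._buf[0]
                continue
            if 0x31 <= first <= 0x39:      # nonzero digit: MSG-LEN SP SYSLOG-MSG
                kind, msg = "octet-counting", self._take_counted()
            elif first == 0x3C:            # "<" opens PRI: trailer-delimited message
                kind, msg = "non-transparent", self._take_delimited()
            else:
                raise FramingError(f"unexpected first byte {first:#04x}")
            if msg is None:                # frame incomplete: wait for more bytes
                break
            out.append((kind, msg))
        return out

    def _take_counted(self):
        sp = self._buf.find(b" ", 0, 7)
        if sp == -1:
            if len(self._buf) >= 7 or not self._buf.isdigit():
                raise FramingError("MSG-LEN is not terminated by a space")
            return None
        if not self._buf[:sp].isdigit() or int(self._buf[:sp]) > MAX_FRAME:
            raise FramingError("MSG-LEN is not decimal or exceeds MAX_FRAME")
        end = sp + 1 + int(self._buf[:sp])
        if len(self._buf) < end:
            return None
        msg = bytes(self._buf[sp + 1:end])
        del self._buf[:end]
        return msg

    def _take_delimited(self):
        nl = self._buf.find(b"\n")         # assumption: LF is the trailer
        if nl == -1:
            if len(self._buf) > MAX_FRAME:
                raise FramingError("no trailer within MAX_FRAME bytes")
            return None
        msg = bytes(self._buf[:nl]).rstrip(b"\r")
        del self._buf[:nl + 1]
        return msg


def parse_pri(message):
    """Return (facility, severity); PRI = facility * 8 + severity."""
    m = _PRI.match(message)
    if m is None or int(m.group(1)) > 191:
        raise FramingError("missing or out-of-range PRI")
    return divmod(int(m.group(1)), 8)


def decode_and_filter(chunks, threshold="info"):
    """Decode chunks; keep messages at least as severe as threshold."""
    limit = SEVERITY.index(threshold)
    decoder, kept = SyslogStreamDecoder(), []
    for chunk in chunks:
        for kind, msg in decoder.feed(chunk):
            facility, severity = parse_pri(msg)
            if severity <= limit:          # lower number = more severe
                kept.append((kind, facility, SEVERITY[severity], msg))
    return kept


# Constructed sample messages (not real FortiMail log lines).
INFO_MSG = b"<134>constructed: admin login"
ERR_MSG = b"<131>constructed: update failed\ndetail on a second line"

if __name__ == "__main__":
    stream = b"".join(str(len(m)).encode() + b" " + m for m in (INFO_MSG, ERR_MSG))
    chunks = [stream[i:i + 11] for i in range(0, len(stream), 11)]  # odd TCP segments
    print(decode_and_filter(chunks, "debug"))
    try:  # LF framing cannot carry ERR_MSG's embedded newline
        SyslogStreamDecoder().feed(ERR_MSG + b"\n")
    except FramingError as exc:
        print("framing mismatch:", exc)
```

A receiver that sees a decimal length glued to the front of each stored message, or messages cut at embedded newlines, is using a different framing than the Mode configured on the FortiMail unit.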

See also

Log message severity levels

Logging to the hard disk

Logging to FortiAnalyzer Cloud

Logging to FortiAnalyzer Cloud

If you have the FortiAnalyzer Cloud Storage Subscription license, you can log to the cloud service. In addition to the following procedures, you must configure FortiAnalyzer Cloud to accept FortiMail logs. For information about how to configure FortiAnalyzer Cloud, see the FortiAnalyzer Cloud Deployment Guide.

Note

Logs stored remotely cannot be viewed from the GUI of the FortiMail unit. If you require the ability to view logs from the GUI, also enable local storage. For details, see Logging to the hard disk.

Before you can log to a remote location, you must first enable logging. For logging accuracy, you should also verify that the FortiMail unit’s system time is accurate. For details, see Configuring the time and date.

To configure logging to FortiAnalyzer Cloud

  1. Go to Dashboard > Status.

  2. Under License Information, for FortiCloud, click Activate.

  3. Enter your FortiCare license information.

  4. Go to Log & Report > Log Setting > FortiAnalyzer Cloud.

  5. Enable the status and click Apply. If FortiMail has the correct license registered with FortiCare, then a connection is established with FortiAnalyzer Cloud. You can also use the Test connection button to test and troubleshoot network connections.

  6. From Log level, select the severity level that a log message must equal or exceed in order to be recorded to this storage location.

    For information about severity levels, see Log message severity levels.

  7. In Logging Policy Configuration, enable the types of logs you want to record to this storage location.

  8. Click Apply.

See also

Log message severity levels

Logging to the hard disk

Logging to a Syslog server or FortiAnalyzer unit

Downloading log files

You can download log files to your management computer. Downloading log files can be useful if you want to view log messages on your management computer, or if you want to download a backup copy of log files to another location before deleting them from the FortiMail unit’s hard disk.

To download a log file

  1. Go to Monitor > Log.

  2. Click a log type tab, such as History.

  3. Select the row(s) corresponding to the log file(s) that you want to download and click Export > Export Selected. You can select multiple non-contiguous rows by holding Ctrl while selecting the log files.

    The log file downloads in comma-separated value (CSV) format with a file extension of .csv. You can view this format in a spreadsheet application such as Microsoft Excel.

  4. If your web browser prompts you for the location to save the file, browse to select or enter the name of the folder.

To download all log files

  1. Go to Monitor > Log.

  2. Click a log type tab.

  3. Click Export > Export All.

    The log file downloads in comma-separated value (CSV) format with a file extension of .csv.

  4. If your web browser prompts you for the location to save the file, browse to select or enter the name of the folder.

See also

Configuring logging

Viewing log messages

Emptying the current log file

You can empty the current log file to remove all of the log messages contained in that file, without deleting the log file itself.

This can be useful in cases such as when you want to delete all old log messages from the FortiMail unit’s hard disk, because rolled log files can be deleted but the current log file cannot.

Note

Only the current log file can be emptied. Rolled log files cannot be emptied, but may be deleted instead. For more information, see Deleting rotated log files.

Caution

Back up the current log file before emptying the current log file. When emptying the log file, log messages are permanently removed, and cannot be recovered. For instructions on how to download a backup copy of the current log file, see Downloading log files.

To empty the current log file

  1. Go to Monitor > Log.

  2. Click a log type tab, such as History.

  3. In the row corresponding to the current log file, click Empty Log.

    A confirmation dialog appears, such as:

    Are you sure you want to delete: alog?

  4. Click OK.

See also

Configuring logging

Viewing log messages

Deleting rotated log files

You can delete rotated (also called "rolled") log files. This can be useful if you want to free disk space used by old log files to make disk space available for newer log files.

Note

Only rolled log files can be deleted. Current log files cannot be deleted, but may be emptied instead. For more information, see Emptying the current log file.

Caution

Back up the current log file before deleting a log file. When deleting a log file, log messages are permanently removed, and cannot be recovered. For instructions on how to download a backup copy of a log file, see Downloading log files.

To delete a rolled log file

  1. Go to Monitor > Log.

  2. Click a log type tab, such as History.

  3. In the Action column, in the row corresponding to the log file that you want to delete, click Delete.

    A confirmation dialog appears, such as:

    Are you sure you want to delete: 2008-06-16-14:45:15_2007-10-16-22:52:20.alog?

  4. Click OK.

To delete multiple rolled log files

  1. Go to Monitor > Log.

  2. Click a log type tab, such as History.

  3. If you want to delete selected log files, mark the checkbox in each row corresponding to a log file that you want to delete.

  4. If you want to delete all rolled log files, mark the checkbox in the column heading for the column that contains checkboxes. This automatically marks all other checkboxes.

  5. Click Delete Selected Items.

    A dialog appears:

    Are you sure you want to delete: selected log files?

  6. Click OK.

See also

Viewing log messages

Configuring logging

Configuring logging

Configuring logging

The Log Setting submenu allows you to:

  • set the severity level
  • configure which types of log messages to record
  • specify where to store the logs

You can configure the FortiMail unit to store log messages locally (that is, in RAM or to the hard disk), remotely (that is, on a Syslog server or FortiAnalyzer unit), or the FortiAnalyzer Cloud (license required).

Your choice of storage location may be affected by several factors, including the following:

  • Local logging by itself may not satisfy your requirements for off-site log storage.
  • Very frequent logging may cause undue wear when stored on the local hard drive. A low severity threshold is one possible cause of frequent logging. For more information on severity levels, see Log message severity levels.

For information on viewing locally stored log messages, see Viewing log messages.

Note

When the following system resource usages exceed the predefined thresholds, the events will be logged.

  • CPU usage: 85%
  • Memory usage: 85%
  • System load: 85%
  • Mail disk usage: 95%
  • Log disk usage: 95%

See also

Logging to a Syslog server or FortiAnalyzer unit

Logging to the hard disk

Logging to FortiAnalyzer Cloud

Logging to the hard disk

You can store log messages locally on the hard disk of the FortiMail unit.

To ensure that local hard disk has sufficient disk space to store new log messages and that it does not overwrite existing logs, you should regularly download backup copies of the oldest log files to your management computer or other storage, and then delete them from the FortiMail unit (alternatively, you could configure logging to a remote host).

You can view and download these logs from the Log submenu of the Monitor tab. For more information, see Viewing log messages.

For logging accuracy, you should also verify that the FortiMail unit’s system time is accurate. For details, see Configuring the time and date.

To configure logging to the local hard disk
  1. Go to Log & Report > Log Setting > Local.
  2. Configure the following settings:

    Setting

    Description

    Status

    Select to enable logging to this location.

    Log file size

    Enter the maximum file size of the current log file in megabytes (MB).

    Log time

    At hour

    Enter the maximum age (in days) of the log file, and the hour of the day (24-hour format) when FortiMail will rotate the current log file. Valid range is from 1 to 365 days.

    When a log file reaches either the age or file size limit, the FortiMail unit closes the current log file and starts a new one ("rotates"): it renames the current log file (elog.log) with a file name indicating its sequential relationship to other log files of that type (elog2.log, and so on), then creates a new current log file. For example, if you set the log time to 10 days at hour 23, the log file will be rotated at 23rd hour of the 10th day (23:00).

    Note: Large log files may decrease display and search performance.

    Log level

    Select the severity level that a log message must equal or exceed in order to be recorded to this storage location.

    For details, see Log message severity levels.

    Caution: Avoid recording log messages using low severity thresholds such as Information or Notification to the local hard disk for an extended period of time. A low log severity threshold is one possible cause of frequent logging. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.

    Log retention period

    Enter how long (in days) the logs will be kept. Valid range is 0 to 1461 days. 0 means no limit.

    Log options when disk full

    Select what you want to do when the log partition of the local disk is almost full, meaning that less than 5 percent of the disk space or 1.5 GB, whichever is smaller, is left.

    • Do not log: Discard all new log messages.
    • Overwrite: Delete the oldest log file in order to free disk space, and store the new log messages. Oldest files of all log types will be deleted until 15 percent of the disk space or 22.5 GB, whichever is smaller, is reached.

    Logging Policy Configuration

    Select which categories of log messages to send to the remote server:

    • System Event
      • Configuration-Admin: Configuration changes by an administrator, such as editing policies, profiles, and domains.
      • Configuration-User: Configuration changes by a quarantine or webmail user, such as personal safe/block lists.
      • Admin activity: Administrative events such as logins and viewing log messages.
      • System activity: System events, such as rebooting the FortiMail unit or IP address configuration via DHCP.
      • HA
      • Update: Both successful and unsuccessful attempts to download firmware and FortiGuard updates.
      • DNS
    • Mail Event
      • Webmail
      • POP3
      • IMAP
      • SMTP
    • History: SMTP relay or proxy events related to mail delivery.
    • AntiVirus
    • AntiSpam
    • Encryption: IBE events. See also Configuring encryption profiles.
  3. Click Apply.
See also

Log message severity levels

Logging to a Syslog server or FortiAnalyzer unit

Instead of or in addition to logging locally, you can store log messages remotely on a Syslog server or a FortiAnalyzer unit. For information about how many remote Syslog servers your FortiMail model can support, see Appendix B: Maximum Values.

Note

Logs stored remotely cannot be viewed from theFortiMail GUI. If you require this, also enable local storage. For details, see Logging to the hard disk.

Before you can log to a remote location, you must first enable logging. For logging accuracy, you should also verify that the FortiMail unit’s system time is accurate. For details, see Configuring the time and date.

To configure logging to a Syslog server or FortiAnalyzer unit

  1. Go to Log & Report > Log Setting > Remote.

  2. Click New to create a new entry or double-click an existing entry to modify it.

    A dialog appears.

  3. Configure the following settings:

    Setting

    Description

    Status Select to enable logging to this location.
    Name Enter a unique name for this configuration.
    Server name/IP Enter the IPv4, IPv6, or domain name (FQDN) address of the Syslog server or FortiAnalyzer that will store the logs.

    Server port

    If the remote host is a FortiAnalyzer unit, type 514. If the remote host is a Syslog server, type the port number on which the Syslog server listens.

    See also Appendix C: Port Numbers.

    Protocol

    Select the protocol used to communicate with the remote log server.

    • Syslog: Any compatible third-party Syslog server or FortiAnalyzer. If the server uses Syslog over TCP or secure transport, also configure Mode.
    • OFTPS: FortiAnalyzer only. Also configure Hash algorithm.

    Mode

    Enter the transport layer protocol used for delivering the log to the remote Syslog server:

    • TCP: Slower, but more reliable than UDP: the server asks the FortiMail unit to retransmit if the server did not correctly receive the log message, compliant with RFC 6587 (Transmission of syslog Messages over TCP).

      Note: Requires that the log server supports the octet counting method.

    • TCP (legacy): TCP, but with legacy options for message delimiters instead of octet counting, compliant with RFC 3195 (Reliable Delivery for Syslog) and, for example, old versions of Kiwi Syslog Server.
    • TCP over TLS: TCP, but more secure: data in the channel is encrypted during transit using TLS, compliant with RFC 5427 (Transport Layer Security Transport Mapping for Syslog). FortiMail requires that the server present a valid certificate to identify itself, and the server may also require that FortiMail unit present a valid client certificate to authenticate. Otherwise, the connection fails. Also configure Local certificate.
    • TCP over TLS (legacy): TLS, but with the same legacy options as tcp-legacy.
    • UDP: Faster, but less reliable than TCP, and not secure: the server does not confirm if it did not correctly receive the log message, and does not encrypt log messages in transit.

    This setting is applicable if Protocol is Syslog.

    Caution: Do not use UDP or TCP without encryption if logs are transmitted through untrusted networks such as the Internet. Sensitive information could be intercepted by unauthorized persons, compromising the security of your network. Use a TLS option instead. For stronger security, you can configure encryption settings. For details, see config system global in the FortiMail CLI Reference.

    Local certificate

    Select which certificate to use in TLS to encrypt the Syslog session to the remote Syslog server.

    This setting is available if Mode is TCP over TLS or TCP over TLS (legacy).

    Hash algorithm

    Select the hash algorithm to use in OFTPS encryption.

    This setting is available if Protocol is OFTPS.

    Matched session only

    Select this option if you want to send only the matched session logs to this storage location. Otherwise, all logs will be sent.

    This option appears if you enabled advanced MTA control (see Configuring advanced MTA control settings).

    Level

    Select the severity level that a log message must equal or exceed in order to be recorded to this storage location.

    For details, see Log message severity levels.

    Facility

    Select the facility identifier that the FortiMail unit will use to identify itself when sending log messages.

    To easily identify log messages from the FortiMail unit when they are stored on a remote logging server, enter a unique facility identifier, and verify that no other network devices use the same facility identifier.

    CSV format

    Enable if you want to send log messages in comma-separated value (CSV) format.

    Note: Do not enable this option if the log destination is a FortiAnalyzer unit. FortiAnalyzer units do not support logs in CSV format.

    Comment

    Enter a descriptive comment.

    Logging Policy Configuration

    Select which categories of log messages to send to the remote server:

    • System Event
      • Configuration-Admin: Configuration changes by an administrator, such as editing policies, profiles, and domains.
      • Configuration-User: Configuration changes by a quarantine or webmail user, such as personal safe/block lists.
      • Admin activity: Administrative events such as logins and viewing log messages.
      • System activity: System events, such as rebooting the FortiMail unit or IP address configuration via DHCP.
      • HA
      • Update: Both successful and unsuccessful attempts to download firmware and FortiGuard updates.
      • DNS
    • Mail Event
      • Webmail
      • POP3
      • IMAP
      • SMTP
    • History: SMTP relay or proxy events related to mail delivery.
    • AntiVirus
    • AntiSpam
    • Encryption: IBE events. See also Configuring encryption profiles.

  4. Click Create.

  5. If the remote host is a FortiAnalyzer unit, confirm with the FortiAnalyzer administrator that the FortiMail unit was added to the FortiAnalyzer unit’s device list, allocated sufficient disk space quota, and assigned permission to transmit logs to the FortiAnalyzer unit. For details, see the FortiAnalyzer Administration Guide.

  6. To verify logging connectivity, from the FortiMail unit, trigger a log message that matches the types and severity levels that you have chosen to store on the remote host. Then, on the remote host, confirm that it has received that log message.

    For example, if you have chosen to record event log messages to the remote host if they are more severe than information, you could log in to the GUI or download a backup copy of the FortiMail unit’s configuration file in order to trigger an event log message.

    If the remote host does not receive the log messages, verify the FortiMail unit’s network interfaces (see Configuring the network interfaces and About the management IP) and static routes (see Configuring static routes ), and the policies on any intermediary firewalls or routers. If ICMP ECHO (ping) is enabled on the remote host, you can use the execute traceroute command to determine the point where connectivity fails. For details, see the FortiMail CLI Reference.

See also

Log message severity levels

Logging to the hard disk

Logging to FortiAnalyzer Cloud

Logging to FortiAnalyzer Cloud

If you have the FortiAnalyzer Cloud Storage Subscription license, you can log to the cloud service. In addition to the following procedures, you must configure FortiAnalyzer Cloud to accept FortiMail logs. For information about how to configure FortiAnalyzer Cloud, see the FortiAnalyzer Cloud Deployment Guide.

Note

Logs stored remotely cannot be viewed from the GUI of the FortiMail unit. If you require the ability to view logs from the GUI, also enable local storage. For details, see Logging to the hard disk.

Before you can log to a remote location, you must first enable logging. For logging accuracy, you should also verify that the FortiMail unit’s system time is accurate. For details, see Configuring the time and date.

To configure logging to FortiAnalyzer Cloud

  1. Go to to Dashboard > Status.

  2. Under License Information, for FortiCloud, click Activate.

  3. Enter your FortiCare license information.

  4. Go to Log & Report > Log Setting > FortiAnalyzer Cloud.

  5. Enable the status and click Apply. If FortiMail has the correct license registered with FortiCare, then a connection is established with FortiAnalyzer Cloud. You can also use the Test connection button to test and troubleshoot network connections.

  6. From Log level, select the severity level that a log message must equal or exceed in order to be recorded to this storage location.

    For information about severity levels, see Log message severity levels.

  7. In Logging Policy Configuration, enable the types of logs you want to record to this storage location.

  8. Click Apply.

See also

Log message severity levels

Logging to the hard disk

Logging to a Syslog server or FortiAnalyzer unit

Downloading log files

You can download log files to your management computer. Downloading log files can be useful if you want to view log messages on your management computer, or if you want to download a backup copy of log files to another location before deleting them from the FortiMail unit’s hard disk.

To download a log file

  1. Go to Monitor > Log.

  2. Click a log type tab, such as History.

  3. Select the row(s) corresponding to the log file(s) that you want to download and click Export > Export Selected. You can select multiple non-contiguous rows by holding Ctrl while selecting the log files.

    The log file downloads in comma-separated value (CSV) format with a file extension of .csv. You can view this format in a spreadsheet application such as Microsoft Excel.

  4. If your web browser prompts you for the location to save the file, browse to select or enter the name of the folder.

To download all log files

  1. Go to Monitor > Log.

  2. Click a log type tab.

  3. Click Export > Export All.

    The log file downloads in comma-separated value (CSV) format with a file extension of .csv.

  4. If your web browser prompts you for the location to save the file, browse to select or enter the name of the folder.

See also

Configuring logging

Viewing log messages

Emptying the current log file

You can empty the current log file to remove all of the log messages contained in that file, without deleting the log file itself.

This is useful when you want to remove all old log messages from the FortiMail unit’s hard disk: rolled log files can be deleted, but the current log file cannot.

Note

Only the current log file can be emptied. Rolled log files cannot be emptied, but may be deleted instead. For more information, see Deleting rotated log files.

Caution

Back up the current log file before emptying it. When you empty the log file, its log messages are permanently removed and cannot be recovered. For instructions on how to download a backup copy of the current log file, see Downloading log files.

To empty the current log file

  1. Go to Monitor > Log.

  2. Click a log type tab, such as History.

  3. In the row corresponding to the current log file, click Empty Log.

    A confirmation dialog appears, such as:

    Are you sure you want to delete: alog?

  4. Click OK.

See also

Configuring logging

Viewing log messages

Deleting rotated log files

You can delete rotated (also called "rolled") log files. This can be useful if you want to free disk space used by old log files to make disk space available for newer log files.

Note

Only rolled log files can be deleted. Current log files cannot be deleted, but may be emptied instead. For more information, see Emptying the current log file.

Caution

Back up the current log file before deleting a log file. When you delete a log file, its log messages are permanently removed and cannot be recovered. For instructions on how to download a backup copy of a log file, see Downloading log files.

To delete a rolled log file

  1. Go to Monitor > Log.

  2. Click a log type tab, such as History.

  3. In the Action column, in the row corresponding to the log file that you want to delete, click Delete.

    A confirmation dialog appears, such as:

    Are you sure you want to delete: 2008-06-16-14:45:15_2007-10-16-22:52:20.alog?

  4. Click OK.

To delete multiple rolled log files

  1. Go to Monitor > Log.

  2. Click a log type tab, such as History.

  3. If you want to delete selected log files, mark the checkbox in each row corresponding to a log file that you want to delete.

  4. If you want to delete all rolled log files, mark the checkbox in the column heading for the column that contains checkboxes. This automatically marks all other checkboxes.

  5. Click Delete Selected Items.

    A dialog appears:

    Are you sure you want to delete: selected log files?

  6. Click OK.

See also

Viewing log messages

Configuring logging