About FortiMail logging
FortiMail units can log many different email activities and traffic, including:
- system-related events, such as system restarts and HA activity
- virus detections
- spam filtering results
- POP3, SMTP, IMAP and webmail events
You can select which severity level an activity or event must meet in order to be recorded in the logs. For more information, see Log message severity levels.
A FortiMail unit can save log messages to its hard disk or a remote location, such as a Syslog server or a Fortinet FortiAnalyzer unit. For more information, see Configuring logging. It can also use log messages as the basis for reports. For more information, see Configuring report profiles and generating reports.
Accessing FortiMail log messages
There are several ways you can access FortiMail log messages:
- On the FortiMail GUI, you can view log messages by going to Monitor > Log. From here you can download log messages to your computer by clicking Export and view them later.
- Go to Log & Report > Log Setting > Remote and add a FortiAnalyzer unit as a remote host in order to send log messages to FortiAnalyzer. You can send log messages to any Syslog server from here.
Log message syntax
All FortiMail log messages consist of a log header and a log body.
- Header — Contains the time and date the log originated, a log identifier, the type of log, the severity level (priority) and where the log message originated.
- Body — Describes the reason why the log was created, plus any actions that the FortiMail appliance took to respond to it. These fields may vary by log type.
Log message header and body
For example, in the following event log, the header is the run of fields from date through pri, and the body is the run of fields from user through msg.
date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 type=kevent subtype=admin pri=information user=admin ui=GUI(172.20.120.26) action=login status=success reason=none msg="User admin login successfully from GUI(172.20.120.26)"
Device ID field
Depending on where you view log messages, log formats may vary slightly. For example, if you view logs on the FortiMail GUI or download them to your computer, the log messages do not contain the device ID field. If you send the logs to FortiAnalyzer or other Syslog servers, the device ID field will be added.
Policy ID and domain fields
FortiMail 5.0 added two new fields -- policy ID and domain -- to history logs.
The policy ID is in the format of x:y:z, where:
- x is the ID of the global access control policy.
- y is the ID of the IP-based policy.
- z is the ID of the recipient-based policy.
If the value of x, y, or z is 0, no policy of that kind was matched.
If the matched recipient-based policy is incoming, the protected domain will be logged in the domain field.
If the matched recipient-based policy is outgoing, the domain field will be empty.
Endpoint field
FortiMail 4.0 MR3 added a field called endpoint to the history and antispam logs. This field displays the endpoint's subscriber ID, MSISDN, login ID, or other identifier. This field is empty if the sender IP is not matched to any endpoint identifier or if endpoint reputation is not enabled in the session profile.
Log_part field
In FortiMail 3.0 MR3 and newer, the log header of some log messages may include an extra field, log_part, which provides a numbered identification (such as 00, 01, and 02) when a log message has been split. Log splitting occurs in FortiMail 3.0 MR3 and up because the maximum log message length was reduced.
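The following Python script is an added example for this page and is not FortiMail code. It parses records in the key=value format shown above into the header and body fields the page lists, tolerates the optional device_id (absent from GUI views and downloads) and log_part fields, and splits the history-log policy ID x:y:z into its three components, treating 0 as "no policy matched". The first sample record is the event log quoted on the page; the second is a constructed history record whose log_id, session value and addresses are placeholders, and whose key names policy_id and domain are assumed spellings of the "policy ID" and "domain" fields described above.

```python
"""Parse FortiMail key=value log records into header and body fields.

Added example for this page, not FortiMail code. The first sample record
is the event log quoted on the page; the second is a constructed history
record whose log_id, addresses and session value are placeholders, and
whose key names policy_id and domain are assumed spellings of the
"policy ID" and "domain" fields the page describes.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Header fields named on the page: date/time, log identifier, type and
# subtype, priority and the originating device. log_part is the optional
# header field added in FortiMail 3.0 MR3 for split messages.
HEADER_FIELDS = {"date", "time", "device_id", "log_id", "log_part",
                 "type", "subtype", "pri"}

# key=value pairs; a value is either a double-quoted string (which may
# contain spaces and escaped quotes) or a bare run of non-space characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

SAMPLE_EVENT = (
    'date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 '
    'type=kevent subtype=admin pri=information user=admin ui=GUI(172.20.120.26) '
    'action=login status=success reason=none '
    'msg="User admin login successfully from GUI(172.20.120.26)"'
)

# Constructed: a GUI-downloaded history record (no device_id), split into
# parts (log_part), matched only by IP-based and recipient-based policies.
SAMPLE_HISTORY = (
    'date=2012-08-17 time=12:30:02 log_id=0000000000 log_part=01 type=statistics '
    'pri=information session_id="placeholder-session" client_ip=203.0.113.10 '
    'from="alice@example.com" to="bob@example.net" policy_id=0:2:3 '
    'domain="example.net" classifier="Banned Word" disposition="Quarantine" '
    'msg="constructed sample, not a real FortiMail message"'
)


@dataclass
class FortiMailLog:
    header: Dict[str, str] = field(default_factory=dict)
    body: Dict[str, str] = field(default_factory=dict)

    @property
    def has_device_id(self) -> bool:
        # Present when forwarded to FortiAnalyzer or syslog; absent from the
        # GUI view and from downloaded files, as the page notes.
        return "device_id" in self.header

    @property
    def policy_id(self) -> Optional[Tuple[int, int, int]]:
        """Split the history-log policy ID x:y:z into three integers."""
        raw = self.body.get("policy_id")
        if raw is None:
            return None
        x, y, z = (int(part) for part in raw.split(":"))
        return x, y, z

    def matched_policies(self) -> Dict[str, Optional[int]]:
        """Name each component; a 0 means no policy of that kind matched."""
        pid = self.policy_id
        if pid is None:
            return {}
        names = ("access_control", "ip_based", "recipient_based")
        return {name: (value or None) for name, value in zip(names, pid)}


def parse_line(line: str) -> FortiMailLog:
    """Split one record into header and body dictionaries."""
    rec = FortiMailLog()
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        target = rec.header if key in HEADER_FIELDS else rec.body
        target[key] = value
    return rec


if __name__ == "__main__":
    for sample in (SAMPLE_EVENT, SAMPLE_HISTORY):
        rec = parse_line(sample)
        print("header:", rec.header)
        print("body:  ", rec.body)
        print("device_id present:", rec.has_device_id,
              "| policies:", rec.matched_policies())
```

Because the set of header keys is fixed, a record arriving without device_id still parses cleanly; a collector that keys correlation on that field should fall back to the syslog source address when it is missing.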
Hex numbers in history logs
If you view the log messages on the FortiMail GUI or send the logs to a Syslog server, the dispositions and classifiers are described in words. However, if you download log files from the FortiMail GUI to your computer and open them, the dispositions and classifiers are displayed as hex numbers. For an explanation of these numbers, see Classifiers and dispositions in history logs.
FortiMail log types
FortiMail units can record the following types of log messages. Event logs also include several subtypes. You can view and download these logs from the Log submenu of the Monitor tab.
Log types
| Log Type | Default File Name | Description |
|---|---|---|
| History (statistics) | alog | Records all email traffic going through the FortiMail unit (SMTP relay or proxy). |
| System Event (kevent) | klog | Records system management activities, including changes to the system configuration as well as administrator and user logins and logouts. |
| Mail Event (event) | elog | Records webmail, SMTP, POP3, and IMAP events. |
| Antispam (spam) | slog | Records spam detection events. |
| Antivirus (virus) | vlog | Records virus detection events. |
| Encryption (encrypt) | nlog | Records IBE-related events. See also Configuring encryption profiles. |
Email related logs contain a session identification (ID) number, which is located in the session ID field of the log message. The session ID corresponds to all the relevant log types so that the administrator can get all the information about the event or activity that occurred on their network.
For more information about these specific log types, see the FortiMail Log Reference.
Avoid recording highly frequent log types to the local hard disk for an extended period of time. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.
Subtypes
FortiMail logs are grouped into categories by log type and subtype as shown in the table below:
| Log Type | Subtype |
|---|---|
| kevent | admin, config, config-user, dns, ha, system, update |
| event | imap, pop3, smtp, webmail |
| virus | infected, malware-outbreak, file-signature |
| spam | default, admin, user |
| statistics | (no subtype) |
| encrypt | (no subtype) |
Log message severity levels
Each log message contains a field that indicates the severity level of the log message, such as pri=warning.
Log severity levels
| Level (0 is highest) | Name | Description |
|---|---|---|
| 0 | Emergency | The system has become unstable. |
| 1 | Alert | Immediate action is required. |
| 2 | Critical | Functionality is affected. |
| 3 | Error | An error condition exists and functionality could be affected. |
| 4 | Warning | Functionality could be affected. |
| 5 | Notice | Information about normal events. |
| 6 | Information | General information about system operation. |
For each location where the FortiMail unit can store log files, you can define the severity threshold of the log messages to be stored there.
Avoid recording log messages using low severity thresholds such as Information or Notice to the local hard disk for an extended period of time. A low log severity threshold is one possible cause of frequent logging. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.
The FortiMail system stores all log messages whose severity is equal to or higher than the level you select. Related Information-level log messages are always stored, whichever level you select. For example, if you select Error, the FortiMail system stores log messages whose severity level is Error, Critical, Alert, or Emergency, and the related Information-level log messages are also stored.
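Because the scale runs from 0 (Emergency) to 6 (Information), a threshold of Error keeps the numerically lower levels, which is the reverse of what a naive "greater than or equal" comparison on the level number yields. The following Python script, an added example and not FortiMail code, applies one threshold per storage location to a set of constructed log lines and shows which destination keeps which line; the destination names and thresholds are illustrative only. It does not model the separate rule that related Information-level messages are always kept.

```python
"""Apply per-destination severity thresholds to FortiMail log lines.

Added example, not FortiMail code. FortiMail's severity scale runs from
0 (Emergency, highest) to 6 (Information, lowest), so a threshold of
"error" keeps levels 0-3. Destination names, thresholds and the sample
lines below are constructed for illustration.
"""
import re
from typing import Dict, List

# Transcribed from the page's severity table; 0 is the most severe.
SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "information": 6,
}

_PRI_RE = re.compile(r"\bpri=(\w+)")


def is_stored(pri: str, threshold: str) -> bool:
    """True if a message at `pri` meets the `threshold` level.

    "Meets" means equal or more severe, i.e. a numerically lower or equal
    level number, so the comparison is `<=`, not `>=`.
    """
    return SEVERITY[pri.lower()] <= SEVERITY[threshold.lower()]


def route(lines: List[str], thresholds: Dict[str, str]) -> Dict[str, List[str]]:
    """Fan each line out to every destination whose threshold it meets."""
    out: Dict[str, List[str]] = {dest: [] for dest in thresholds}
    for line in lines:
        match = _PRI_RE.search(line)
        if not match or match.group(1).lower() not in SEVERITY:
            continue  # no recognisable priority field: leave it unrouted
        for dest, threshold in thresholds.items():
            if is_stored(match.group(1), threshold):
                out[dest].append(line)
    return out


# Constructed sample lines, abbreviated to the fields this example reads;
# log_id values other than the page's own are placeholders.
SAMPLE_LINES = [
    "date=2012-08-17 time=12:26:41 log_id=0001001623 type=kevent subtype=admin "
    "pri=information user=admin action=login status=success",
    "date=2012-08-17 time=12:27:05 log_id=0000000000 type=kevent subtype=ha "
    "pri=critical msg=\"constructed sample\"",
    "date=2012-08-17 time=12:27:30 log_id=0000000000 type=event subtype=smtp "
    "pri=warning msg=\"constructed sample\"",
    "date=2012-08-17 time=12:28:00 log_id=0000000000 type=kevent subtype=system "
    "pri=emergency msg=\"constructed sample\"",
]

# Illustrative thresholds: keep the local disk quiet, send everything remote.
THRESHOLDS = {"local_disk": "error", "fortianalyzer": "information"}


if __name__ == "__main__":
    for dest, kept in route(SAMPLE_LINES, THRESHOLDS).items():
        print(f"{dest} ({THRESHOLDS[dest]}): {len(kept)} of {len(SAMPLE_LINES)} lines")
```

With these thresholds the local disk keeps only the critical and emergency lines, while the remote destination receives all four, which matches the page's advice to keep low thresholds off the local hard disk.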
Classifiers and dispositions in history logs
Each history log contains one field called Classifier and another called Disposition.
The Classifier field displays which FortiMail scanner applied to the email message. For example, "Banned Word" means the email message was detected by the FortiMail banned word scanner. The Disposition field specifies the action taken by the FortiMail unit.
If you view the log messages on the FortiMail GUI or send the logs to a Syslog server, the dispositions and classifiers are displayed in English terms. However, if you download log files from the FortiMail GUI to your computer and open them, the dispositions and classifiers are displayed as hex numbers.
The following tables map the hex numbers for classifiers and dispositions to their descriptions.
Classifiers
| Hex Number | Classifier |
|---|---|
| 0x00 | Undefined |
| 0x01 | User Safe |
| 0x02 | User Discard |
| 0x03 | System Safe |
| 0x04 | System Discard |
| 0x05 | RBL |
| 0x06 | SURBL |
| 0x07 | FortiGuard AntiSpam |
| 0x08 | FortiGuard AntiSpam-Safe |
| 0x09 | Bayesian |
| 0x0A | Heuristic |
| 0x0B | Dictionary Scanner |
| 0x0C | Banned Word |
| 0x0D | Deep Header |
| 0x0E | Forged IP (before v5.2 release) |
| 0x0F | Quarantine Control |
| 0x10 | Tagged virus (before v4.3 release) |
| 0x11 | Attachment Filter (see note below) |
| 0x12 | Grey List |
| 0x13 | Bypass Scan On Auth |
| 0x14 | Disclaimer |
| 0x15 | Defer Delivery |
| 0x16 | Session Domain |
| 0x17 | Session Limits |
| 0x18 | Session Safe |
| 0x19 | Session Block |
| 0x1A | Content Monitor and Filter |
| 0x1B | Content Monitor as Spam |
| 0x1C | Attachment as Spam |
| 0x1D | Image Spam |
| 0x1E | Sender Reputation |
| 0x1F | Access Control List Relay Denied |
| 0x20 | Safelist Word |
| 0x21 | Domain Safe |
| 0x22 | Domain Block |
| 0x23 | SPF (not in use) |
| 0x24 | Domain Key (not in use) |
| 0x25 | DKIM (not in use) |
| 0x26 | Recipient Verification |
| 0x27 | Bounce Verification |
| 0x28 | Endpoint Reputation |
| 0x29 | SSL Profile Check |
| 0x2A | Message Cryptography |
| 0x2B | Delivery Control |
| 0x2C | Encrypted Content |
| 0x2D | SPF Failure as Spam |
| 0x2E | Fragmented Email |
| 0x2F | Email Contains Image |
| 0x30 | Content Requires Encryption |
| 0x31 | FortiGuard AntiSpam Block IP |
| 0x32 | Session Remote |
| 0x33 | FortiGuard Phishing |
| 0x34 | AntiVirus |
| 0x35 | Sender Address Rate Control |
| 0x36 | SMTP Auth Failure |
| 0x37 | Access Control List Reject |
| 0x38 | Access Control List Discard |
| 0x39 | Access Control List Bypass |
| 0x3A | FortiGuard Antispam Webfilter |
| 0x3B | Newsletter Suspicious |
| 0x3C | TLS Streaming |
| 0x3D | Policy Match |
| 0x3E | Dynamic Safe List |
| 0x3F | Sender Verification |
| 0x40 | Behavior Analysis |
| 0x41 | FortiGuard Spam Outbreak |
| 0x42 | Newsletter |
| 0x43 | DMARC |
| 0x44 | File Signature |
| 0x45 | Sandbox |
| 0x46 | Malware Outbreak |
| 0x47 | DLP Filter |
| 0x48 | DLP Treated as Spam |
| 0x49 | DLP Requires Encryption |
| 0x4A | Access Control List Safe |
| 0x4B | Virus Outbreak |
| 0x4C | FortiGuard Antispam Webfilter |
| 0x4D | Impersonation Analysis |
| 0x4E | Session Action |
| 0x4F | SPF Sender Alignment |
| 0x50 | SPF Check |
| 0x51 | Sandbox URL |
| 0x52 | Sandbox No Result |
| 0x53 | Content Modification |
| 0x54 | DKIM Failure |
When the classifier is "Attachment Filter", an additional field, "atype" (attachment type), is also displayed. This field is for debugging purposes only.
Dispositions
| Hex Number | Disposition |
|---|---|
| 0x00 | Undefined |
| 0x01 | Accept the message |
| 0x02 | Move to a specified folder |
| 0x04 | Send a reject to the SMTP client |
| 0x08 | Add a header to the message |
| 0x10 | Modify the subject line |
| 0x20 | Quarantine the message |
| 0x40 | Insert disclaimer content |
| 0x80 | Block the message |
| 0x100 | Replace banned attachments |
| 0x200 | Delay and greylist the message |
| 0x400 | Forward the message to a review account |
| 0x800 | Add a disclaimer to the body |
| 0x1000 | Add a disclaimer to the headers |
| 0x2000 | Defer message delivery |
| 0x4000 | Quarantine for review |
| 0x8000 | Treat as spam |
| 0x10000 | Encryption |
| 0x20000 | Decryption |
| 0x40000 | Deliver the message to an alternate host |
| 0x80000 | Deliver the message to a set of recipients |
| 0x100000 | Archive the message |
| 0x200000 | Encase the original message with customizable text |
| 0x400000 | Wrap the original message |
| 0x800000 | Notification |
| 0x1000000 | Sign the message using SMIME/CMS |
| 0x2000000 | Defer the message disposition |
| 0x4000000 | Convert HTML attachment to text |
| 0x8000000 | Remove active HTML content |
| 0x10000000 | Remove URLs from processed HTML attachments |
| 0x20000000 | Deliver to original host |
| 0x40000000 | Content Disarm and Reconstruction |
| 0x80000000 | URL Click Protection |
| 0x100000000 | Domain quarantine |
The disposition field in a log message may contain one or more dispositions or actions. For example, the "Accept" and "Defer" dispositions may appear in the same message. The Defer disposition is added when an email message is deferred for either of two reasons: a FortiGuard antispam outbreak or a FortiSandbox scan.
The "Accept" disposition is logged when no other action is taken.
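Every disposition value in the table is a distinct power of two, and the page states that one field can carry several dispositions at once, so a downloaded history file can be read back into the English terms the GUI shows by decoding the disposition as a bit mask. The following Python script does that; it is an added example for this page, not FortiMail code. Both lookup tables are transcribed from the tables above (the classifier map is a subset), the bit-mask interpretation of combined dispositions is an assumption drawn from the page's wording rather than something the page states, and the key names classifier and disposition are assumed spellings.

```python
"""Decode the hex classifier and disposition values that appear in
history log files downloaded from the FortiMail GUI.

Added example, not FortiMail code. Both maps are transcribed from the
tables on this page (the classifier map is a subset). Treating the
disposition value as a bit mask of the table's powers of two is an
assumption drawn from the page's statement that one field can carry
several dispositions; the key names classifier/disposition are assumed.
"""
from typing import Dict, List

CLASSIFIERS: Dict[int, str] = {
    0x00: "Undefined", 0x05: "RBL", 0x07: "FortiGuard AntiSpam",
    0x0C: "Banned Word", 0x11: "Attachment Filter", 0x12: "Grey List",
    0x34: "AntiVirus", 0x41: "FortiGuard Spam Outbreak", 0x43: "DMARC",
    0x45: "Sandbox", 0x47: "DLP Filter", 0x54: "DKIM Failure",
}

DISPOSITIONS: Dict[int, str] = {
    0x01: "Accept the message", 0x02: "Move to a specified folder",
    0x04: "Send a reject to the SMTP client", 0x08: "Add a header to the message",
    0x10: "Modify the subject line", 0x20: "Quarantine the message",
    0x40: "Insert disclaimer content", 0x80: "Block the message",
    0x100: "Replace banned attachments", 0x200: "Delay and greylist the message",
    0x400: "Forward the message to a review account", 0x800: "Add a disclaimer to the body",
    0x1000: "Add a disclaimer to the headers", 0x2000: "Defer message delivery",
    0x4000: "Quarantine for review", 0x8000: "Treat as spam",
    0x10000: "Encryption", 0x20000: "Decryption",
    0x40000: "Deliver the message to an alternate host",
    0x80000: "Deliver the message to a set of recipients",
    0x100000: "Archive the message", 0x200000: "Encase the original message with customizable text",
    0x400000: "Wrap the original message", 0x800000: "Notification",
    0x1000000: "Sign the message using SMIME/CMS", 0x2000000: "Defer the message disposition",
    0x4000000: "Convert HTML attachment to text", 0x8000000: "Remove active HTML content",
    0x10000000: "Remove URLs from processed HTML attachments", 0x20000000: "Deliver to original host",
    0x40000000: "Content Disarm and Reconstruction", 0x80000000: "URL Click Protection",
    0x100000000: "Domain quarantine",
}


def decode_classifier(value: str) -> str:
    """Map a hex classifier (with or without a 0x prefix) to its scanner name."""
    code = int(value, 16)
    return CLASSIFIERS.get(code, f"Unknown classifier 0x{code:02X}")


def decode_disposition(value: str) -> List[str]:
    """Expand a disposition mask into the actions it encodes, lowest bit first.

    Unknown bits are reported rather than dropped, so an action introduced
    by firmware newer than this table is flagged instead of silently lost.
    """
    mask = int(value, 16)
    if mask == 0:
        return ["Undefined"]
    actions: List[str] = []
    bit = 1
    while mask:
        if mask & 1:
            actions.append(DISPOSITIONS.get(bit, f"Unknown disposition 0x{bit:X}"))
        mask >>= 1
        bit <<= 1
    return actions


def decode_record(fields: Dict[str, str]) -> Dict[str, object]:
    """Rewrite the hex classifier/disposition fields of one parsed record
    into the English terms the GUI and syslog output would show."""
    out: Dict[str, object] = dict(fields)
    if "classifier" in out:
        out["classifier"] = decode_classifier(str(out["classifier"]))
    if "disposition" in out:
        out["disposition"] = decode_disposition(str(out["disposition"]))
    return out


if __name__ == "__main__":
    # Constructed record: a banned-word hit that was blocked and treated as spam.
    print(decode_record({"classifier": "0x0C", "disposition": "0x8080"}))
    # The page's own Accept + Defer combination, under the bit-mask assumption.
    print(decode_disposition("0x2000001"))
```

A value of 0x2000001 decodes to "Accept the message" plus "Defer the message disposition", which is the Accept-and-Defer pairing the note above describes; a mask with a bit outside the table is reported as unknown so that a stale lookup table never hides an action.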