CLI Reference

log setting remote

Use this command to configure remote log message storage, either on a Syslog server or FortiAnalyzer unit.

Syntax

config log setting remote
    edit <log-destination_name>
        set certificate <certificate_name>
        set comma-separated-value {enable | disable}
        set comment <comment_str>
        set encryption-log-status {enable | disable}
        set event-log-category [{imap pop3 smtp webmail}]
        set event-log-status {enable | disable}
        set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kern | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp}
        set hash-algorithm {sha1 | sha256}
        set history-log-status {enable | disable}
        set loglevel {alert | critical | debug | emergency | error | information | notification | warning}
        set matched-session-status {enable | disable}
        set name <log-destination_name>
        set port <port_int>
        set protocol {syslog | oftps}
        set server <syslog_ipv4>
        set spam-log-status {enable | disable}
        set status {enable | disable}
        set sysevent-log-category [{admin configuration configuration-user dns ha system update}]
        set sysevent-log-status {enable | disable}
        set syslog-mode {tcp | tcp-legacy | tcp-legacy-tls | tcp-tls | udp}
        set virus-log-status {enable | disable}
    end

Variables and descriptions (where a variable has a default value, it is given after the description as "Default: <value>")

<log-destination_name>

Enter a name to identify these remote logging settings.

certificate <certificate_name>

Enter the name of the certificate used by TLS to encrypt the Syslog session to the remote Syslog server.

This setting is available if syslog-mode is tcp-tls or tcp-legacy-tls.

comma-separated-value {enable | disable}

Enable if you want to send log messages in comma-separated value (CSV) format.

Note: Do not enable this option if the log destination is a FortiAnalyzer unit. FortiAnalyzer units do not support logs in CSV format.

Default: disable

comment <comment_str>

Enter a descriptive comment.

encryption-log-status {enable | disable}

Enable or disable IBE event logging to a remote Syslog server or FortiAnalyzer unit. See also system encryption ibe.

Default: disable

event-log-category [{imap pop3 smtp webmail}]

Type all of the mail daemon log types and subtypes that you want to record to this storage location. Separate each type with a space.

event-log-status {enable | disable}

Enable or disable event logging to a remote Syslog server or FortiAnalyzer unit.

Default: disable

facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kern | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp}

Type the facility identifier that the FortiMail unit will use to identify itself when sending log messages to the Syslog server.

To easily identify log messages from the FortiMail unit when they are stored on the Syslog server, enter a unique facility identifier, and verify that no other network devices use the same facility identifier.

Default: kern

hash-algorithm {sha1 | sha256}

Select the hash algorithm to use in OFTPS encryption.

This setting is available if protocol is oftps.

Default: sha1

history-log-status {enable | disable}

Enable to log both successful and unsuccessful attempts by the built-in MTA or SMTP proxy to deliver email. See also event-log-category [{imap pop3 smtp webmail}].

Default: disable

loglevel {alert | critical | debug | emergency | error | information | notification | warning}

Type one of the following severity levels:

  • emergency
  • alert
  • critical
  • error
  • warning
  • notification
  • information
  • debug

This log destination receives log messages whose severity is at or above the selected level (emergency being the most severe, debug the least). Regardless of the level selected, the relevant information-level logs are always sent. For details, see the FortiMail Administration Guide.

Default: information
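The facility and loglevel entries above both come down to the numeric PRI value that prefixes every syslog message: PRI = facility * 8 + severity. The following script is an added example, not Fortinet code or output. It decodes the PRI header of received syslog lines into the facility and severity names this command uses, applies a loglevel threshold the way the description states (messages at or above the chosen severity pass), and audits which facility codes more than one sending host shares, which is the check the facility entry asks you to perform. The numeric codes are those of RFC 5424; the page does not state which numeric code FortiMail emits for the clock and cron facility names, so those two mappings are assumptions, and the RFC 3164-style header layout of the constructed sample lines is assumed as well.

```python
"""Decode syslog PRI, apply a loglevel threshold, and audit facility reuse.

Added example, not Fortinet code. Sample lines below are constructed.
"""
import re
from collections import defaultdict

# RFC 5424 facility codes, keyed by the names `set facility` accepts.
# Assumption: "clock" -> 9 and "cron" -> 15 (the RFC lists both as clock
# daemon facilities; the page does not say which code FortiMail emits).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "clock": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "audit": 13, "alert": 14, "cron": 15,
    **{f"local{i}": 16 + i for i in range(8)},
}
FACILITY_NAME = {code: name for name, code in FACILITIES.items()}

# Severity codes 0..7 in RFC 5424 order, using the names `set loglevel` accepts.
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notification", "information", "debug"]

# <PRI>, an RFC 3164 timestamp, then the sending hostname (assumed layout).
HEADER_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ")


def pri_for(facility: str, severity: str) -> int:
    """Compute the PRI a sender emits for a facility/severity pair."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)


def decode_pri(line: str):
    """Return (facility_name, severity_name) for a line, or None if no valid PRI."""
    m = re.match(r"^<(\d{1,3})>", line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    return FACILITY_NAME.get(facility, f"facility{facility}"), SEVERITIES[severity]


def passes_loglevel(line: str, loglevel: str) -> bool:
    """True if the line is at or above `loglevel` (lower code = more severe)."""
    decoded = decode_pri(line)
    if decoded is None:
        return False  # no parsable PRI: nothing to compare against
    return SEVERITIES.index(decoded[1]) <= SEVERITIES.index(loglevel)


def shared_facilities(lines):
    """Map facility name -> sorted hosts, for facilities used by more than one host."""
    hosts = defaultdict(set)
    for line in lines:
        m = HEADER_RE.match(line)
        decoded = decode_pri(line)
        if m is None or decoded is None:
            continue  # unparsable line; skipped rather than guessed
        hosts[decoded[0]].add(m.group(3))
    return {fac: sorted(h) for fac, h in hosts.items() if len(h) > 1}


# Constructed sample input: two FortiMail lines on local0, another device
# also on local0, one on daemon, and one line with no PRI at all.
SAMPLE_LINES = [
    '<134>Mar  4 10:15:02 fortimail-1 date=2024-03-04 type=event subtype=smtp pri=information msg="constructed"',
    '<131>Mar  4 10:15:03 fortimail-1 date=2024-03-04 type=event subtype=system pri=error msg="constructed"',
    "<134>Mar  4 10:15:04 firewall-a kernel: constructed line from another device",
    "<30>Mar  4 10:15:05 firewall-a sshd: constructed",
    "garbage line without a PRI header",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode_pri(line), passes_loglevel(line, "error"), line[:40])
    print("facilities shared by more than one host:", shared_facilities(SAMPLE_LINES))
```

Run against real collector output, `shared_facilities` is the quick way to confirm that the facility you chose for the FortiMail unit is not also emitted by another device, which is exactly the situation the facility entry warns about.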

matched-session-status {enable | disable}

Enable to send only matching session logs to the remote server. Otherwise, FortiMail will send all logs.

This option appears if you enabled advanced MTA control.

Default: disable

name <log-destination_name>

Enter a unique name for this configuration.

port <port_int>

If the remote host is a FortiAnalyzer unit, type 514. If the remote host is a Syslog server, type the port number on which the Syslog server listens.

Default: 514

protocol {syslog | oftps}

Enter the protocol used to communicate with the remote log server.

Default: syslog

server <syslog_ipv4>

Type the IPv4 address, IPv6 address, or fully qualified domain name (FQDN) of the Syslog server or FortiAnalyzer unit.

spam-log-status {enable | disable}

Enable to log all antispam events.

Default: disable

status {enable | disable}

Enable to send log messages to a remote Syslog server or FortiAnalyzer unit.

Default: disable

sysevent-log-category [{admin configuration configuration-user dns ha system update}]

Type all of the system event log types and subtypes that you want to record to this storage location. Separate each type with a space.

  • admin: Administrative events such as logins and viewing log messages.
  • configuration: Configuration changes by an administrator, such as editing policies, profiles, and domains.
  • configuration-user: Configuration changes by a quarantine or webmail user, such as personal safe/block lists.
  • dns: DNS queries.
  • ha: High availability (HA) activity.
  • system: System events, such as rebooting the FortiMail unit or IP address configuration via DHCP.

    Note: This category does not include events from mail daemons, which are configured in event-log-category [{imap pop3 smtp webmail}].

  • update: Both successful and unsuccessful attempts to download firmware and FortiGuard updates.

sysevent-log-status {enable | disable}

Enable to log system events.

Default: disable

syslog-mode {tcp | tcp-legacy | tcp-legacy-tls | tcp-tls | udp}

Enter the transport layer protocol used for delivering the log to the remote Syslog server:

  • tcp: Slower but more reliable than UDP: the server asks the FortiMail unit to retransmit if it did not correctly receive the log message. Compliant with RFC 6587 (Transmission of Syslog Messages over TCP).

    Note: Requires that the log server supports the octet counting method.

  • tcp-legacy: TCP, but with legacy message delimiters instead of octet counting, compliant with RFC 3195 (Reliable Delivery for Syslog) and supported by, for example, old versions of Kiwi Syslog Server.
  • tcp-tls: TCP, but more secure: data in the channel is encrypted in transit using TLS, compliant with RFC 5427 (Transport Layer Security Transport Mapping for Syslog). FortiMail requires that the server present a valid certificate to identify itself, and the server may also require that the FortiMail unit present a valid client certificate to authenticate. Otherwise, the connection fails. Also configure certificate <certificate_name>.
  • tcp-legacy-tls: TLS, but with the same legacy delimiters as tcp-legacy.
  • udp: Faster but less reliable than TCP, and not secure: the server does not confirm whether it received the log message correctly, and log messages are not encrypted in transit.

This setting is applicable if protocol {syslog | oftps} is syslog.

Caution: Do not use UDP or TCP without encryption if logs are transmitted through untrusted networks such as the Internet. Sensitive information could be intercepted by unauthorized persons, compromising the security of your network. Use a TLS option instead. For stronger security, you can configure strong-crypto {enable | disable} and ssl-versions {ssl3 tls1_0 tls1_1 tls1_2 tls1_3}.

Default: udp
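The difference between the tcp and tcp-legacy modes above is only the framing of messages on the TCP stream, and it matters when a collector has to split a stream back into messages. The following script is an added example, not Fortinet code: it produces the bytes each framing puts on the wire (RFC 6587 octet counting, where each message is prefixed by its byte length, and the legacy non-transparent framing, where messages end with a line feed) and de-frames them again from a stream that arrives in arbitrary chunks, as a real TCP receiver sees it. It also shows the failure mode that octet counting exists to fix: a message containing an embedded newline is split in two by the legacy framing. The messages are constructed; no sockets are opened, and the TLS wrapping of the tcp-tls modes does not change the framing.

```python
"""RFC 6587 octet counting vs legacy LF-delimited syslog framing over TCP.

Added example, not Fortinet code. Messages below are constructed.
"""


def frame_octet_counting(msg: bytes) -> bytes:
    """RFC 6587 3.4.1: MSG-LEN SP SYSLOG-MSG, with MSG-LEN in decimal bytes."""
    return b"%d %s" % (len(msg), msg)


def frame_legacy(msg: bytes) -> bytes:
    """RFC 6587 3.4.2 non-transparent framing: the message followed by LF."""
    return msg + b"\n"


class OctetCountingParser:
    """Incremental de-framer; tolerates reads that end mid-length or mid-message."""

    def __init__(self):
        self.buf = b""

    def feed(self, chunk: bytes):
        self.buf += chunk
        out = []
        while True:
            sp = self.buf.find(b" ")
            if sp < 0:
                break  # length field not complete yet
            length_field = self.buf[:sp]
            if not length_field.isdigit():
                raise ValueError("malformed MSG-LEN %r" % length_field)
            end = sp + 1 + int(length_field)
            if len(self.buf) < end:
                break  # message body not complete yet
            out.append(self.buf[sp + 1:end])
            self.buf = self.buf[end:]
        return out


class LegacyParser:
    """Incremental de-framer for LF-delimited streams; keeps any trailing partial line."""

    def __init__(self):
        self.buf = b""

    def feed(self, chunk: bytes):
        self.buf += chunk
        parts = self.buf.split(b"\n")
        self.buf = parts.pop()  # last element is the unterminated remainder
        return parts


# Constructed messages; the second one contains an embedded newline.
MESSAGES = [
    b'<134>Mar  4 10:15:02 fortimail-1 date=2024-03-04 type=event subtype=smtp msg="constructed"',
    b'<131>Mar  4 10:15:03 fortimail-1 date=2024-03-04 type=event subtype=system msg="line one\nline two"',
]


def roundtrip(messages, framer, parser_cls, chunk_size=7):
    """Frame all messages into one stream, then feed it to a parser in small chunks."""
    wire = b"".join(framer(m) for m in messages)
    parser = parser_cls()
    received = []
    for i in range(0, len(wire), chunk_size):
        received.extend(parser.feed(wire[i:i + chunk_size]))
    return received


if __name__ == "__main__":
    print("octet counting:", roundtrip(MESSAGES, frame_octet_counting, OctetCountingParser))
    print("legacy framing:", roundtrip(MESSAGES, frame_legacy, LegacyParser))
```

The legacy de-framer returns three records for two messages, and the split halves no longer carry a PRI header, so a downstream parser would misclassify them. Octet counting returns the two original messages byte for byte, whatever chunk size the stream is read in.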

virus-log-status {enable | disable}

Enable to log all antivirus events.

Default: disable

Related topics

log setting local

log alertemail recipient

log alertemail setting

system global