Administration Guide

Log Settings

The type and frequency of log messages you intend to save determines the type of log storage to use. For example, if you want to log traffic and content logs, you need to configure the unit to log to a syslog server. The FortiProxy system disk is unable to log traffic and content logs because of their frequency and large file size.

Storing log messages to one or more locations, such as a syslog server, might be a better solution for your logging requirements than the FortiProxy system disk.

This topic contains information about logging to FortiAnalyzer or FortiManager units, to a syslog server, and to disk.

To configure log settings, go to Log > Log Settings.

Configure the following settings:

Memory

Enable to store logs in the unit’s memory.

Disk

Enable to store logs on the unit’s disk. Enabling disk logging is required to produce data for all FortiView consoles. Logs older than 7 days are deleted from the disk.

Enable Local Reports

Enable to create local reports.

Enable Historical FortiView

Enabling Historical FortiView is required to produce data for all FortiView consoles.

Send Logs to FortiAnalyzer/FortiManager

Select to send logs to a FortiAnalyzer or a FortiManager unit.

HTTP transaction logs are also sent to a FortiAnalyzer unit to generate additional details in reports.

IP Address

The IP address of the FortiAnalyzer or FortiManager unit.

Select Test Connectivity to test the connectivity with the device.

Upload option

Select how often to upload log entries: Real Time, Every Minute, or Every 5 Minutes.

Encrypt log transmission

Enable to encrypt logs. Encrypted logs are sent using SSL communication.

Send Logs to FortiCloud

This option is not available.

Send Logs to Syslog

Enable to send logs to a syslog server.

IP Address/FQDN

If you enable Send Logs to Syslog, enter the IP address or fully qualified domain name of the syslog server.

Log Settings

Event Logging

Select All or select Customize and then select the events to log: System activity event, User activity event, Router activity event, Explicit web proxy event, HA event, Compliance Check Event, and Security audit event.

Local Traffic Log

Select All or select Customize and then select the local traffic to log: Log Allowed Traffic, Log Denied Unicast Traffic, Log Local Out Traffic, and Log Denied Broadcast Traffic.

GUI Preferences

Display Logs From

Select where logs are displayed from: Memory or Disk.

Resolve Hostnames

Enable to resolve host names using reverse DNS lookup.

Resolve Unknown Applications

Enable to resolve unknown applications using the Internet Service Database.

Memory debugging

Memory on FortiProxy might appear high, even on an unloaded system; however, this level is not usually cause for concern because available memory is used to improve the disk-caching performance and is returned to the system if needed.

To debug memory status when usage is high, and to confirm that there is no problem, use the following CLI commands to show memory use by each WAD worker and by the cache service.

CLI syntax
diagnose wad memory <ssl | ssh>
diagnose wad <worker | csvc> memory stats <basic | misc>

The TAC report generated by execute tac report includes the WAD memory usage statistics.

Local logging and archiving

The FortiProxy system can store log messages on disk. It can store traffic and content logs on the system disk or disks. When the log disk is full, logging to disk can either be suspended, or the oldest logs can be overwritten.

Remote logging to a syslog server

A syslog server is a remote computer running syslog software and is an industry standard for logging. Syslog is used to capture log information provided by network devices. The syslog server is both a convenient and flexible logging device because any computer system, such as Linux, Unix, and Intel-based Windows, can run syslog software.

When configuring logging to a syslog server, you need to configure the facility and the log file format, which is either normal or Comma Separated Values (CSV). The CSV format contains commas, whereas the normal format contains spaces. Logs saved in the CSV file format can be viewed in a spreadsheet application, while logs saved in normal format are viewed in a text editor because they are saved as plain text files.

Configuring a facility easily identifies the device that recorded the log file. You can choose from many different facility identifiers, such as daemon or local7.
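As an added illustration (not Fortinet code) of what a collector receives, the following parses a syslog record from the unit: it decodes the facility from the <PRI> header, then splits the body as either the space-separated normal format or the CSV format. It assumes the body is a series of key=value fields, which is how the two formats differ in this guide; the sample records are constructed, not captured from a device.

```python
import csv
import re
import shlex

# RFC 3164 facility codes; FortiProxy offers e.g. daemon (3) or local7 (23).
FACILITIES = {3: "daemon", 16: "local0", 17: "local1", 18: "local2",
              19: "local3", 20: "local4", 21: "local5", 22: "local6",
              23: "local7"}

def split_pri(record):
    """Return (facility name, severity, body) from a '<PRI>body' record."""
    m = re.match(r"^<(\d{1,3})>(.*)$", record, re.DOTALL)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES.get(pri // 8, f"facility{pri // 8}"), pri % 8, m.group(2)

def parse_body(body, fmt):
    """Parse key=value fields; fmt is 'normal' (spaces) or 'csv' (commas)."""
    if fmt == "csv":
        fields = next(csv.reader([body]))
    elif fmt == "normal":
        fields = shlex.split(body)  # keeps quoted values with spaces intact
    else:
        raise ValueError(f"unknown log format {fmt!r}")
    out = {}
    for field in fields:
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"field without '=': {field!r}")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # csv.reader leaves these quotes on
        out[key] = value
    return out

def parse_record(record, fmt):
    """Whole record -> field dict plus decoded facility and severity."""
    facility, severity, body = split_pri(record)
    fields = parse_body(body, fmt)
    fields["_facility"], fields["_severity"] = facility, severity
    return fields

# Constructed sample: one denied local-traffic event in both formats, sent
# with facility local7 and severity 6 (informational): PRI = 23*8 + 6 = 190.
NORMAL = ('<190>date=2021-08-20 time=10:15:01 type=traffic subtype=local '
          'action=deny srcip=198.51.100.7 msg="denied by policy"')
CSV = ('<190>date=2021-08-20,time=10:15:01,type=traffic,subtype=local,'
       'action=deny,srcip=198.51.100.7,msg="denied by policy"')
```

Both sample records parse to the same field dictionary, which is a quick way to confirm that a collector rule written for one format still matches after the unit's log format is switched.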

If you are configuring multiple syslog servers, configuration is available only in the CLI. You can also enable the reliable delivery option for syslog log messages in the CLI.

From the CLI, you can enable reliable delivery of syslog messages using the following commands:

config log {syslogd | syslogd2 | syslogd3 | syslogd4} setting
    set status enable
    set reliable enable
end

The FortiProxy unit implements the RAW profile of RFC 3195 for reliable delivery of log messages. Reliable syslog protects log information through authentication and data encryption and ensures that the log messages are reliably delivered in the correct order. This feature is disabled by default.

If more than one syslog server is configured, the syslog servers and their settings appear on the Log Settings page. You can configure multiple syslog servers in the CLI using the config log {syslogd | syslogd2 | syslogd3 | syslogd4} setting CLI command.

You can specify the source IP address of self-originated traffic when configuring a syslog server; however, this is available only in the CLI.
