Administration Guide

Configuring Log Settings

Log messages record a variety of important events, such as motion detection, failed log-in attempts, and system failures.

For more information on logging, such as understanding log threat levels and how to use the logs, see the Analyzing Logging section. To view log messages, go to Monitor > Log > Event.

To diagnose problems or to track the actions that the FortiRecorder appliance performs as it receives and processes video, configure the FortiRecorder appliance to record log messages.

To configure logging

  1. Go to Logs & Alert > Log Settings > Local. Alternatively, if you want logs to be stored remotely, go to Logs & Alert > Log Settings > Remote.
  2. Configure the following settings if configuring local log storage:

    | Setting Name | Description |
    |---|---|
    | Log file size | Type the file size limit of the current log file in megabytes (MB). The log file size limit must be between 1 MB and 1000 MB. Note: Large log files may decrease display and search performance. |
    | Log time | Type the time (in days) of the file age limit. If the log is older than this limit, even if it has not exceeded the maximum file size, a new current log file will be started. Valid range is between 1 and 366 days. |
    | At hour | Select the hour of the day (24-hour format) when the file rotation should start. When a log file reaches either the age or size limit, the FortiRecorder appliance rotates the current log file: that is, it renames the current log file (elog.log) with a file name indicating its sequential relationship to other log files of that type (elog2.log, and so on), then creates a new current log file. For example, if you set the log time to 10 days at hour 23, the log file will be rotated at 23 o’clock of the 10th day. |
    | Log level | Select the severity level that a log message must equal or exceed in order to be recorded to this storage location. For information about severity levels, see “Log severity levels”. Caution: Avoid recording log messages using low severity thresholds such as Information or Notification to the local hard disk for an extended period of time. A low log severity threshold is one possible cause of frequent logging. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure. |
    | Log options when disk is full | Select what the FortiRecorder will do when the local disk is full and a new log message is generated, either: Do not log (discard all new log messages) or Overwrite (delete the oldest log file in order to free disk space, and store the new log message). |
    | Logging Policy Configuration | Select what type of FortiRecorder events and camera events you want to log. You can enable an entire category of event, such as Detection Events, or you can enable individual detections within each category by expanding the category and then toggling the event you wish to log. |

  3. If configuring remote log storage, click New, then configure the following settings:

    | Setting Name | Description |
    |---|---|
    | IP | Type the IP address of a Syslog server or FortiAnalyzer. |
    | Port | Type the UDP port number on which the Syslog server listens for log messages. The default is 514. |
    | Level | Select the severity level that a log message must equal or exceed in order to be recorded to this storage location. For information about severity levels, see “Log severity levels”. Caution: Avoid recording log messages using low severity thresholds such as Information or Notification to the local hard disk for an extended period of time. A low log severity threshold is one possible cause of frequent logging. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure. |
    | Facility | Select the facility identifier the FortiRecorder will use to identify itself to the Syslog server if it receives logs from multiple devices. To easily identify log messages from the FortiRecorder when they are stored on a remote logging server, enter a unique facility identifier, and verify that no other network devices use the same facility identifier. |
    | CSV format | Enable if your Syslog server requires comma-separated values (CSV). Note: Do not enable this option if the remote host is a FortiAnalyzer. FortiAnalyzer does not support CSV-formatted log messages. |
    | Logging Policy Configuration | Select what type of FortiRecorder events and camera events you want to log. |

  4. To verify logging connectivity, from FortiRecorder, trigger a log message that matches the type and severity levels that you have chosen to store on the remote Syslog server or FortiAnalyzer. Then, on the remote host, confirm that it has received that log message.
    Note: If you will be sending logs to a FortiAnalyzer appliance, you must add the FortiRecorder to the FortiAnalyzer’s device list, and allocate enough disk space. Otherwise, depending on its configuration for unknown devices, FortiAnalyzer may ignore the logs. When the allocated disk space is full, it may drop subsequent logs.

    If the remote host does not receive the log messages, verify the FortiRecorder’s static routes (see “FortiRecorder configuration”) and the policies on any intermediary firewalls or routers (they must allow Syslog traffic from the FortiRecorder network interface that is connected to the gateway between it and the Syslog server). To determine the point of connectivity failure along the network path, if the FortiAnalyzer or Syslog server is configured to respond to ICMP ECHO_REQUEST (ping), go to Dashboard > Console and enter the command:

    execute traceroute <syslog_ipv4>

    where <syslog_ipv4> is the IPv4 address of your FortiAnalyzer or Syslog server.
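
The receipt check in step 4, written for a generic host standing in as the Syslog server: it listens on the configured UDP port and confirms that a datagram from the appliance carries the expected facility and a severity at or above the configured Level. This is an added example, not Fortinet code; the function names, the sample message, and the assumption that the Facility and Level choices map to the standard syslog PRI names are illustrative.

```python
import re
import socket
import time

# Syslog PRI = facility * 8 + severity; severity index 0 is the most severe.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "information", "debug"]
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp "
              "audit alert clock " + " ".join(f"local{i}" for i in range(8))).split()
PRI_RE = re.compile(rb"^<(\d{1,3})>")
SAMPLE = b"<189>constructed test message"  # constructed, not real appliance output

def decode_pri(datagram):
    """Return (facility, severity) names, or None if the PRI header is invalid."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    return FACILITIES[facility], SEVERITIES[severity]

def check_datagram(datagram, sender_ip, expect_ip, expect_facility, threshold):
    """Say whether one datagram proves the remote logging path works."""
    if sender_ip != expect_ip:
        return "ignored: sender is not the appliance"
    decoded = decode_pri(datagram)
    if decoded is None:
        return "fail: no valid syslog PRI header"
    facility, severity = decoded
    if facility != expect_facility:
        return f"fail: facility {facility}, expected {expect_facility}"
    # A message less severe than the configured Level should not be forwarded.
    if SEVERITIES.index(severity) > SEVERITIES.index(threshold):
        return f"fail: severity {severity} is below Level {threshold}"
    return f"ok: {facility}.{severity}"

def wait_for_log(bind_ip, port, expect_ip, expect_facility, threshold, timeout=30.0):
    """Listen on the syslog UDP port until the appliance's test message arrives."""
    deadline = time.monotonic() + timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))  # port 514 needs root on most systems
        while (left := deadline - time.monotonic()) > 0:
            sock.settimeout(left)
            try:
                data, (ip, _) = sock.recvfrom(8192)
            except socket.timeout:
                break
            result = check_datagram(data, ip, expect_ip, expect_facility, threshold)
            if not result.startswith("ignored"):
                return result
    return "fail: nothing received from the appliance before the timeout"
```

Stop any syslog daemon already bound to the port before calling `wait_for_log`, then trigger the test event on the FortiRecorder; a timeout result points to the routing and firewall checks described above.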
