Understanding the logs
Log messages record important events on your FortiRecorder for extensive monitoring over extended periods of time.
FortiRecorder appliances can log many different activities including:
- camera recording events
- administrator-triggered events such as logout and configuration changes
- system-triggered events including system failures
You can select a priority level that log messages must meet in order to be recorded.
The FortiRecorder appliance can save log messages to its memory, or to a remote location such as a Syslog server or FortiAnalyzer appliance. For details, see Configuring log settings.
Avoid recording highly frequent log types such as traffic logs to the local hard disk for an extended period of time. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.
To download a log file
- Go to one of the log types, such as Monitor > Log > Event.
- Right click a log.
- Click Export to Table.
FortiRecorder converts the log entry to a CSV file, and then your web browser downloads it.
Log severity levels
Each log message contains a Severity (pri) field that indicates the severity of the event that caused the log message, such as pri=warning.
Level (0 is greatest) | Name | Description |
---|---|---|
0 | Emergency | The system has become unusable. |
1 | Alert | Immediate action is required. |
2 | Critical | Functionality is affected. |
3 | Error | An error condition exists and functionality could be affected. |
4 | Warning | Functionality could be affected. |
5 | Notification | Information about normal events. |
6 | Information | General information about system operations. |
For each location where the FortiRecorder appliance can store log files (disk, Syslog or FortiAnalyzer), you can define a severity threshold. The FortiRecorder appliance stores all log messages equal to or exceeding the log severity level selected.
For example, if you select Error, the FortiRecorder appliance stores log messages whose log severity level is Error, Critical, Alert, and Emergency.
Avoid recording log messages using low log severity thresholds such as information or notification to the local hard disk for an extended period of time. A low log severity threshold is one possible cause of frequent logging. Excessive logging frequency can cause undue wear on the hard disk and premature failure.
Displaying and organizing logs
You can show, hide, and re-order the display of logs.
To display or hide columns in logs
- Go to one of the log types, such as Monitor > Log > Event.
- Select the Configure View drop-down menu.
- Click Show/Hide Columns.
- Enable or disable the columns.
- Click OK.
To arrange the columns and rows
- Select and drag the column into the position.
- Hover your mouse cursor over one of the column headings. An arrow will appear on the right side of the heading. Click the arrow to display a drop-down menu, then select either Sort Ascending or Sort Descending to sort the rows from either first to last, or last to first, based upon the contents of that column.
- Column settings do not usually persist when you go to another location in the GUI, nor from session to session. If you want to keep the settings, you must select Save View from the Configure View drop-down menu.
Searching logs
When viewing logs, you can locate a specific log message by searching for it.
- Go to one of the log types, such as Monitor > Log > Event.
- Click Search.
- Configure the following settings:

Setting Name | Description |
---|---|
Keyword | Type the word or phrase to search. The word may appear in any of the fields of the log message (for example, Action and/or Message) or in any part of that field's value. If entering multiple words, they must occur uninterrupted in that exact order. For example, entering admin as a keyword will include results such as: User admin2 logout from GUI(172.16.1.15) where part of the word appears in the middle of the log message. However, entering: User logout would not yield any results, because in the log messages, those words are always interrupted by the name of the account, and therefore do not exactly match your search key phrase. This setting is optional. |
Message | Type all or part of the exact value of the Message field (msg field when viewing a raw, downloaded log file) of the log messages that you want to find. This setting is optional. |
Subtype | Enter the subtype, such as admin or system. |
Match condition | Select whether your match criteria are specified exactly (Contain) or you have indicated multiple possible matches using an asterisk in Keyword (Wildcard). |
Time | Select the date and time range that contains the log message that you are searching for. This setting is optional. Note: The date fields default to the current date. If you want to search for a previous event, you must configure this setting. |

- Click Search.
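
The severity threshold rule from Log severity levels and the Contain/Wildcard keyword rule described above can be reproduced offline against a raw, downloaded log file. The following is an added example, not Fortinet code: the sample lines are constructed and reduced to the two raw fields this page names (pri and msg), and the wildcard handling (an asterisk matches any run of characters, unanchored, case-sensitive) and the choice to keep records with an unknown severity are assumptions.

```python
import re

# Severity names from the table above; the list index is the level (0 is greatest).
LEVELS = ["emergency", "alert", "critical", "error",
          "warning", "notification", "information"]
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')  # key=value or key="quoted value"

# Constructed sample lines, reduced to the two raw fields the page names (pri, msg).
SAMPLE = [
    'pri=information msg="User admin2 logout from GUI(172.16.1.15)"',
    'pri=warning msg="User admin login failed from GUI(172.16.1.15)"',
    'pri=critical msg="Disk failure detected"',
]

def parse_line(line):
    """Split one raw log line into {field: value}, dropping surrounding quotes."""
    return {k: v[1:-1] if len(v) > 1 and v[0] == v[-1] == '"' else v
            for k, v in PAIR.findall(line)}

def meets_threshold(record, threshold):
    """Stored when the level number is <= the threshold's (equal or more severe)."""
    pri = record.get("pri", "").lower()
    if pri not in LEVELS:
        return True  # assumption: keep records with an unknown severity
    return LEVELS.index(pri) <= LEVELS.index(threshold.lower())

def keyword_match(record, keyword, mode="contain"):
    """Contain: the phrase must appear uninterrupted in some field value.
    Wildcard: '*' matches any run of characters (assumed, unanchored)."""
    if mode == "wildcard":
        pattern = re.compile(".*".join(re.escape(p) for p in keyword.split("*")))
        return any(pattern.search(v) for v in record.values())
    return any(keyword in v for v in record.values())

def select(lines, threshold, keyword=None, mode="contain"):
    """Return the msg of every line passing the threshold and optional keyword."""
    out = []
    for rec in map(parse_line, lines):
        if meets_threshold(rec, threshold) and (
                keyword is None or keyword_match(rec, keyword, mode)):
            out.append(rec.get("msg", ""))
    return out

if __name__ == "__main__":
    print(select(SAMPLE, "error"))
    print(select(SAMPLE, "information", "User logout"))
    print(select(SAMPLE, "information", "User*logout", "wildcard"))
```
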
Viewing logs
The event log section displays every administrative event that occurs on the FortiRecorder system, such as unsuccessful login attempts and system failures.
Camera log displays the start and stop recording events, factory resets, and various other camera-related events on FortiRecorder.
Detection log displays instances of camera detections, such as motion detection.
You can use the GUI to view and download locally stored log messages. (You cannot use the GUI to view log messages that are stored remotely on Syslog or FortiAnalyzer devices.) Log messages are in human-readable format, where each log field's name, such as Message (msg field when viewing a raw, downloaded log file), indicates its contents.
To view log messages
- Go to Monitor > Log > Event. Columns and appearance vary slightly by the log type.
- From the Level and Type dropdown lists, select the level of severity and type of log you are searching for.
- Double-click the row of a log file for a more detailed description of the log message.
Contents of the log section (some settings are only available in certain log types):
Setting Name | Description |
---|---|
Level | Select a severity level to hide log messages that are below this threshold (see Log severity levels). |
Subtype | Select a subcategory (corresponding to the Subtype column) to hide log messages whose subtype field does not match. |
Go to line | Type the index number of the log message (corresponding to the # column) that you want to jump to in the display. |
Search | Click to find log messages matching specific criteria. |
Back | Click to return to the list of log files stored on the hard drive of FortiRecorder. |
Save View | Click to keep your current log view settings for subsequent views and sessions. |
# | The index number of the log message within the log file. By default, the rows are sorted by timestamp in descending order, starting with the most recent log message. Note: In the current log file, each log's index number changes as new log messages are added, pushing older logs further down the stack. To find the same log message later, remember its timestamp and Message, not its #. |
Date | The date on which the log message was recorded. When in raw format, this is the log's |
Time | The time at which the log message was recorded. When in raw format, this is the log's |
Action | The action the camera performed, such as stopping and starting recording. |
Subtype | The category of the log message, such as When in raw format, this is the log's |
Log ID | A dynamic log identifier within the system. It is neither predictable nor indicative of the cause, and is not necessarily a unique identifier. When in raw format, this is the log's |
Detection Type/Subtype | The particular kind of detection the camera registered, such as motion. |
Message | The log message that describes the specific occurrence of a recordable event. |