config log

Use the config log commands to set the logging type, the logging severity level, and the logging location for the system:

config log custom-field

Use the following command to customize the log fields with a name and/or value. The custom name and/or value will appear in the log message.

Syntax

config log custom-field

edit <id>

set name <name>

set value <int>

end

Variable

Description

Default

<id>

Enter the identification string for the custom log.

No default

name <name>

Enter a name to identify the log. You can use letters, numbers, and underscores (_), but no special characters such as the number symbol (#). The name cannot exceed 16 characters.

No default

value <int>

Enter an integer value to associate with the log.

No default

Example

This example shows how to configure a customized field for a log:

config log custom-field

edit 1

set name "Vlan"

set value 3

end

config log eventfilter

Use this command to configure event logging.

Syntax

config log eventfilter

set event {enable | disable}

set router {enable | disable}

set system {enable | disable}

set user {enable | disable}

end

Variable

Description

Default

event {enable | disable}

Log event messages. Must be enabled to make the following fields available.

enable

router {enable | disable}

Log router activity messages.

enable

system {enable | disable}

Log system activity messages.

enable

user {enable | disable}

Log user activity messages.

enable

Example

This example shows how to configure event logging:

config log eventfilter

set event enable

set router enable

set system enable

set user enable

end

config log gui

Use this command to select the device from which logs are displayed in the Web-based manager.

Syntax

config log gui

set log-device memory

end

Variable

Description

Default

log-device memory

Select the device from which logs are displayed in the Web-based manager.

Currently, only logging to memory is available.

memory

config log memory filter

Use this command to configure the filter for the memory buffer.

Syntax

config log memory filter

set severity {alert | critical | debug | emergency | error | information | notification | warning}

end

Variable

Description

Default

severity {alert | critical | debug | emergency | error | information | notification | warning}

Select the logging severity level. The system logs all messages at and above the logging severity level you select. For example, if you select error, the system logs error, critical, alert and emergency level messages.
  • emergency — The system is unusable.
  • alert — Immediate action is required.
  • critical — Functionality is affected.
  • error — An erroneous condition exists and functionality is probably affected.
  • warning — Functionality might be affected.
  • notification — Information about normal events.
  • information — General information about system operations.
  • debug — Information used for diagnosing or debugging the system.

information

Example

This example shows how to configure the memory log filter:

config log memory filter

set severity alert

end

config log memory global-setting

Use this command to configure log threshold warnings, as well as the maximum buffer lines, for the FortiSwitch system memory.

The FortiSwitch system memory has a limited capacity and displays only the most recent log entries. Traffic logs are not stored in the memory buffer, due to the high volume of traffic information. After all available memory is used, by default, the system begins to overwrite the oldest log messages. All log entries are deleted when the system restarts.

Syntax

config log memory global-setting

set full-final-warning-threshold <int>

set full-first-warning-threshold <int>

set full-second-warning-threshold <int>

set hourly-upload {disable | enable}

set max-size <int>

end

Variable

Description

Default

full-final-warning-threshold <int>

Configure the final warning before reaching the threshold. You can enter a number between 3 and 100.

95

full-first-warning-threshold <int>

Configure the first warning before reaching the threshold. You can enter a number between 1 and 98.

75

full-second-warning-threshold <int>

Configure the second warning before reaching the threshold. You can enter a number between 2 and 99.

90

hourly-upload {disable | enable}

Enter enable to have log uploads occur hourly.

disable

max-size <int>

Enter the maximum size of the memory buffer log, in bytes.

98304

Example

This example shows how to configure log threshold warnings and the maximum buffer lines:

config log memory global-setting

set full-final-warning-threshold 45

set full-first-warning-threshold 25

set full-second-warning-threshold 45

set hourly-upload enable

set max-size 12288

end

config log memory setting

Use this command to configure log settings for logging to the system memory.

The system memory has a limited capacity and only displays the most recent log entries. Traffic logs are not stored in the memory buffer, due to the high volume of traffic information. After all available memory is used, by default, the system begins to overwrite the oldest messages. All log entries are deleted when the system restarts.

Syntax

config log memory setting

set status {disable | enable}

set diskfull overwrite

end

Variable

Description

Default

status {disable | enable}

Enter enable to enable logging to system memory.

disable

diskfull overwrite

Overwrite the oldest log when the log device is full.

No default

Example

This example shows how to configure log settings:

config log memory setting

set status enable

set diskfull overwrite

end

config log {syslogd | syslogd2 | syslogd3} filter

Use this command to configure log filter options. Log filters define the types of log messages sent to each log location.

Syntax

config log {syslogd | syslogd2 | syslogd3} filter

set severity {alert | critical | debug | emergency | error | information | notification | warning}

end

Variable

Description

Default

severity {alert | critical | debug | emergency | error | information | notification | warning}

Select the logging severity level. The system logs all messages at and above the logging severity level you select. For example, if you select error, the system logs error, critical, alert and emergency level messages.
  • emergency — The system is unusable.
  • alert — Immediate action is required.
  • critical — Functionality is affected.
  • error — An erroneous condition exists and functionality is probably affected.
  • warning — Functionality might be affected.
  • notification — Information about normal events.
  • information — General information about system operations.
  • debug — Information used for diagnosing or debugging the system.

information

status {enable | disable}

Enable or disable remote syslog logging.

disable

Example

This example shows how to configure log filter options:

config log syslogd filter

set severity information

end

config log {syslogd | syslogd2 | syslogd3} setting

Use this command to configure log settings for logging to a remote syslog server.

The system memory has a limited capacity and only displays the most recent log entries. Traffic logs are not stored in the memory buffer, due to the high volume of traffic information. After all available memory is used, by default, the system begins to overwrite the oldest messages. All log entries are deleted when the system restarts.

Syntax

config log {syslogd | syslogd2 | syslogd3} setting

set status {disable | enable}

set enc-algorithm {disable | high | high-medium | low}

set certificate <certificate_name>

set server <server_name>

set mode {legacy-reliable | reliable | udp}

set port <port_number>

set csv {enable | disable}

set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}

set source-ip <IPv4_address>

end

Variable

Description

Default

status {disable | enable}

Enter enable to start logging to the remote syslog server.

disable

enc-algorithm {disable | high | high-medium | low}

Set to high, high-medium, or low to specify which encryption algorithm SSL communication uses for reliable syslog. Set to disable if you do not want to use reliable syslog.

disable

certificate <certificate_name>

Specify the certificate to use to communicate with the syslog server.

No default

server <server_name>

This field is available when status is set to enable. Enter the address of the remote syslog server.

No default

mode {legacy-reliable | reliable | udp}

Set to legacy-reliable to use RFC 3195 for reliable syslog. Set to reliable to use RFC 6587 for reliable syslog. Set to udp to use syslog over UDP.

This field is available when status is set to enable. This field was previously named reliable.

udp

port <port_number>

Set the port number that the server listens on.

If the mode is set to reliable, the default port is 514. If the mode is set to legacy-reliable, the default port is 601. If the mode is set to udp, the default port is 6514.

This field is available when status is set to enable.

514

csv {enable | disable}

Enable or disable comma-separated values.

This field is available when status is set to enable.

disable

facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}

This field is available when status is set to enable. Select the facility for remote syslog:
  • alert—Use the log alert.
  • audit—Use the log audit.
  • auth—Use the security/authorization messages.
  • authpriv—Use the private security/authorization messages.
  • clock—Use the clock daemon.
  • cron—Use the clock daemon.
  • daemon—Use the system daemon.
  • ftp—Use the FTP daemon.
  • kernel—Use kernel messages.
  • local0—Reserved for local use.
  • local1—Reserved for local use.
  • local2—Reserved for local use.
  • local3—Reserved for local use.
  • local4—Reserved for local use.
  • local5—Reserved for local use.
  • local6—Reserved for local use.
  • local7—Reserved for local use.
  • lpr—Use the line printer subsystem.
  • mail—Use the mail system.
  • news—Use the network news subsystem.
  • ntp—Use the NTP system.
  • syslog—Use messages generated internally by the syslog daemon.
  • user—Use random user-level messages.
  • uucp—Use the network news subsystem.

local7

source-ip <IPv4_address>

This field is available when status is set to enable. Enter the source IPv4 address of the syslog.

0.0.0.0

Example

This example shows how to configure log settings:

config log syslogd setting

set status enable

set server "1.2.3.4"

set port 5

end
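
The settings above decide whether log entries survive a restart and how they leave the switch, so a saved configuration can be checked for them. The following Python script is an added example, not Fortinet code: it parses the config log blocks from a configuration text and reports remote syslog destinations that use UDP, have enc-algorithm set to disable, or filter out messages below a chosen severity. The option names and defaults are taken from the tables above; the min_severity policy floor, the function names, and the sample configuration are assumptions made for illustration.

```python
# Added example: audit the logging blocks of a FortiSwitch configuration text.
# Option names and defaults come from the tables above; the policy floor
# (min_severity) and the sample configuration are assumptions for illustration.

# Severity names from the page, most severe first.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "information", "debug"]

def parse_log_config(text):
    """Return {"log syslogd setting": {"status": "enable", ...}, ...}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config log "):
            current = blocks.setdefault(line[len("config "):], {})
        elif line == "end":
            current = None
        elif current is not None and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                current[parts[1]] = parts[2].strip('"')
    return blocks

def logged_levels(threshold):
    """A threshold records that level and every more severe one."""
    return SEVERITIES[:SEVERITIES.index(threshold) + 1]

def audit(text, min_severity="notification"):
    """Return a list of (block, finding) tuples; empty means no findings."""
    blocks, findings, remote = parse_log_config(text), [], False
    for dest in ("syslogd", "syslogd2", "syslogd3"):
        setting = blocks.get(f"log {dest} setting", {})
        if setting.get("status", "disable") != "enable":   # default: disable
            continue
        remote = True
        if setting.get("mode", "udp") == "udp":             # default: udp
            findings.append((dest, "mode udp: syslog is not sent reliably"))
        if setting.get("enc-algorithm", "disable") == "disable":
            findings.append((dest, "enc-algorithm disable: no SSL for syslog"))
        sev = blocks.get(f"log {dest} filter", {}).get("severity", "information")
        if sev not in SEVERITIES:
            findings.append((dest, f"unknown severity {sev!r}"))
        elif min_severity not in logged_levels(sev):
            findings.append((dest, f"severity {sev} drops {min_severity} messages"))
    if not remote:
        findings.append(("log", "no syslogd destination enabled; "
                                "memory logs are deleted on restart"))
    return findings

# Constructed sample: remote logging on, but UDP, unencrypted, alert-only.
WEAK = """
config log memory setting
    set status enable
    set diskfull overwrite
end
config log syslogd setting
    set status enable
    set server "192.0.2.10"
    set mode udp
end
config log syslogd filter
    set severity alert
end
"""

if __name__ == "__main__":
    for block, finding in audit(WEAK):
        print(f"{block}: {finding}")
```
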
