CLI Reference

log siem-message-policy

Use this command to configure the FortiWeb appliance to send its log messages to one or more remote ArcSight SIEM (security information and event management) servers.

You must first define one or more SIEM policies using log siem-policy.

Logs sent to the ArcSight server are controlled by SIEM policies and trigger actions that you configure on the FortiWeb appliance, and are associated with various types of violations.

Logs stored remotely cannot be viewed from the web UI, and cannot be used by FortiWeb to build reports. If you require these features, record logs locally as well as remotely.

Usually, you should set trigger actions for specific types of violations. Failure to do so will result in the FortiWeb appliance logging every occurrence, which could result in high log volume and reduced system performance. Excessive logging for an extended period of time may cause premature hard disk failure.

To use this command, your administrator account’s access control profile must have either w or rw permission to the loggrp area. For details, see Permissions.

Syntax

config log siem-message-policy

set siem-policy "<policy_name>"

set severity {alert | critical | debug | emergency | error | information | notification | warning}

set status {enable | disable}

end

Variable: siem-policy "<policy_name>"

Description: Enter the name of an existing SIEM policy to use when storing log information remotely. The maximum length is 63 characters. To view a list of the existing SIEM policies, enter:

set siem-policy ?

Default: No default.

Variable: severity {alert | critical | debug | emergency | error | information | notification | warning}

Description: Select the severity level that a log message must meet or exceed in order to cause the FortiWeb appliance to save it to the ArcSight server.

Default: information

Variable: status {enable | disable}

Description: Enable to record event log messages to the ArcSight server if they meet or exceed the severity level specified by severity {alert | critical | debug | emergency | error | information | notification | warning}.

Default: disable

Example

This example enables ArcSight SIEM logging and recording of the log messages. Only the log messages with a severity of error or higher are recorded.

config log siem-message-policy

set status enable

set severity error

set siem-policy SIEM_Policy1

end
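As an added example that is not part of the Fortinet reference, the following Python audits an exported FortiWeb configuration for this block: it parses the set values, applies the "meet or exceed" severity rule (assuming the standard syslog ordering of the eight levels), and flags the documented defaults that would leave the ArcSight server without logs or flood it. The sample configuration strings are constructed for the example.

```python
import re

# Standard syslog ordering; assumed here to be what FortiWeb's "meet or exceed"
# rule follows. Lower number = more severe.
SEVERITY_RANK = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "information": 6, "debug": 7,
}

def parse_siem_message_policy(config_text):
    """Return the 'set' values of the siem-message-policy block, or None if absent."""
    m = re.search(r"config log siem-message-policy\n(.*?)^\s*end\s*$",
                  config_text, re.S | re.M)
    if not m:
        return None
    settings = {}
    for line in m.group(1).splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) == 3 and parts[0] == "set":
            settings[parts[1]] = parts[2].strip('"')
    return settings

def forwards_to_siem(settings, message_severity):
    """True if a message of message_severity would be sent to the ArcSight server."""
    if settings is None or settings.get("status", "disable") != "enable":
        return False  # status defaults to disable: nothing is forwarded
    threshold = settings.get("severity", "information")  # documented default
    return SEVERITY_RANK[message_severity] <= SEVERITY_RANK[threshold]

def audit(settings):
    """List the settings a defender would want fixed before relying on SIEM logs."""
    if settings is None:
        return ["no siem-message-policy block found"]
    findings = []
    if settings.get("status", "disable") != "enable":
        findings.append("status is disable (default): no logs reach ArcSight")
    if not settings.get("siem-policy"):
        findings.append("no siem-policy set: no destination for forwarded logs")
    if settings.get("severity", "information") == "debug":
        findings.append("severity debug forwards every message: high log volume")
    return findings

# Constructed sample configs (not captured from a real appliance).
WEAK = "config log siem-message-policy\n    set status disable\n" \
       "    set severity debug\nend\n"
HARDENED = "config log siem-message-policy\n    set status enable\n" \
           "    set severity error\n    set siem-policy \"SIEM_Policy1\"\nend\n"
```

Running audit(parse_siem_message_policy(WEAK)) returns three findings, while the hardened block (the page's own example) returns none.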

Related topics
