
CLI Reference


log forti-analyzer

Use this command to configure the FortiWeb appliance to send its log messages to a remote FortiAnalyzer appliance.

You must first define one or more FortiAnalyzer policies using log fortianalyzer-policy.

Which logs are sent to FortiAnalyzer is controlled by the FortiAnalyzer policies and by the trigger actions that you configure on the FortiWeb appliance; trigger actions are associated with the various types of violations.

Logs stored remotely cannot be viewed from the web UI, and cannot be used by FortiWeb to build reports. If you require these features, record logs locally as well as remotely.

Usually, you should set trigger actions for specific types of violations. Failure to do so will result in the FortiWeb appliance logging every occurrence, which could result in high log volume and reduced system performance. Excessive logging for an extended period of time may cause premature hard disk failure.

To use this command, your administrator account’s access control profile must have either w or rw permission to the loggrp area. For details, see Permissions.

Syntax

config log forti-analyzer
    set fortianalyzer-policy "<policy_name>"
    set status {enable | disable}
    set severity {alert | critical | debug | emergency | error | information | notification | warning}
    set traffic_packet {enable | disable}
    set logtype {elog | tlog | alog}
    set traffic_packet_size <integer>
end

Variable / Description / Default

fortianalyzer-policy "<policy_name>"
    Enter the name of an existing FortiAnalyzer policy to use when storing log information remotely. The maximum length is 63 characters.
    To view a list of the existing FortiAnalyzer policies, enter:
        set fortianalyzer-policy ?
    Default: No default.

status {enable | disable}
    Enable to send log messages to FortiAnalyzer if they meet or exceed the severity level configured in severity.
    Default: disable

severity {alert | critical | debug | emergency | error | information | notification | warning}
    Select the severity level that a log message must meet or exceed in order for the FortiWeb appliance to send it to FortiAnalyzer. From most to least severe, the levels are emergency, alert, critical, error, warning, notification, information, debug; a message is sent when its level is at least as severe as the one selected here.
    Default: information

traffic_packet {enable | disable}
    Enable to append the traffic packet log to the traffic logs sent to FortiAnalyzer. The packet information may be helpful for troubleshooting.
    To use this feature, you must already have enabled packet-log in config log traffic-log.
    Note that enabling this consumes additional system resources and can reduce the rate at which logs are sent to FortiAnalyzer.
    Default: disable

logtype {elog | tlog | alog}
    Select the log types to be stored on FortiAnalyzer: event logs (elog), traffic logs (tlog), and attack logs (alog).
    Note that a log type that is not saved to the local hard disk cannot be saved to an external log server, because logs are transferred from local storage to remote servers.
    Default: elog tlog alog

traffic_packet_size <integer>
    The maximum size of the traffic packet payload sent to log servers was 1024 bytes before version 7.4.3 and was extended to 4096 bytes in version 7.4.3.
    Starting from version 7.6.0, you can set this maximum size yourself with this command. The valid range is 1-4096.
    Note that larger packet logs take FortiWeb more time to encrypt and compress when the log server requires it, increasing the likelihood of the logd queue reaching 80% capacity, at which point some traffic logs may be dropped.
    Default: 1024
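The severity threshold, the packet-log prerequisite for traffic_packet, and the limits on fortianalyzer-policy and traffic_packet_size described above are easy to get wrong when a block is pasted from a configuration backup. The following Python script is an added example, not Fortinet's code or part of this reference: it parses a `config log forti-analyzer ... end` block, checks it against the constraints stated above, and simulates which messages pass the status, logtype and severity filters. The policy name faz-primary, the sample block and the sample log entries are constructed for illustration; the packet-log value and the set of locally stored log types are passed in by the caller, because this page does not cover the commands that set them.

```python
"""Pre-flight checks for a FortiWeb `config log forti-analyzer` block (added example)."""
import shlex

# Syslog severity order: a lower rank is more severe, so a message "meets or
# exceeds" the configured severity when its rank is <= the threshold's rank.
SEVERITY_RANK = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "information": 6, "debug": 7,
}
LOG_TYPES = {"elog", "tlog", "alog"}
# Documented defaults; fortianalyzer-policy has none.
DEFAULTS = {
    "fortianalyzer-policy": None,
    "status": "disable",
    "severity": "information",
    "traffic_packet": "disable",
    "logtype": ["elog", "tlog", "alog"],
    "traffic_packet_size": 1024,
}


def parse_block(text, name="log forti-analyzer"):
    """Parse one `config <name> ... end` block (as found in a config backup)
    into a settings dict, starting from the documented defaults."""
    settings = dict(DEFAULTS)
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == f"config {name}":
            inside = True
        elif not inside or not line:
            continue
        elif line == "end":
            break
        else:
            parts = shlex.split(line)  # honours the quoted "<policy_name>"
            if len(parts) < 3 or parts[0] != "set" or parts[1] not in settings:
                raise ValueError(f"unexpected line in block: {line!r}")
            key, values = parts[1], parts[2:]
            if key == "logtype":
                settings[key] = values
            elif key == "traffic_packet_size":
                settings[key] = int(values[0])
            else:
                settings[key] = values[0]
    if not inside:
        raise ValueError(f"no 'config {name}' block found")
    return settings


def check_settings(s, packet_log_enabled, local_logtypes=frozenset(LOG_TYPES)):
    """Return the constraints from the reference that `s` violates (an empty
    list means the block is consistent). packet_log_enabled is the packet-log
    value under `config log traffic-log`; local_logtypes is the set of log
    types written to the local disk (assumed: read by the caller elsewhere)."""
    problems = []
    if s["status"] == "enable" and not s["fortianalyzer-policy"]:
        problems.append("status enable without a fortianalyzer-policy")
    if len(s["fortianalyzer-policy"] or "") > 63:
        problems.append("fortianalyzer-policy name exceeds 63 characters")
    if s["severity"] not in SEVERITY_RANK:
        problems.append(f"unknown severity {s['severity']!r}")
    unknown = set(s["logtype"]) - LOG_TYPES
    if unknown:
        problems.append(f"unknown logtype(s) {sorted(unknown)}")
    not_local = set(s["logtype"]) - unknown - set(local_logtypes)
    if not_local:
        problems.append(f"logtype(s) {sorted(not_local)} are not stored locally, "
                        "so they cannot be sent to FortiAnalyzer")
    if s["traffic_packet"] == "enable" and not packet_log_enabled:
        problems.append("traffic_packet enable requires packet-log in "
                        "config log traffic-log")
    if not 1 <= s["traffic_packet_size"] <= 4096:
        problems.append("traffic_packet_size outside the valid range 1-4096")
    return problems


def forwarded(entries, s):
    """Apply the status, logtype and severity filters to (logtype, severity)
    pairs and return the ones FortiAnalyzer would receive."""
    if s["status"] != "enable":
        return []
    limit = SEVERITY_RANK[s["severity"]]
    return [(t, sev) for t, sev in entries
            if t in s["logtype"] and SEVERITY_RANK[sev] <= limit]


# Constructed block: the reference's example plus a policy name, packet
# logging, and a deliberately out-of-range packet size.
SAMPLE_BLOCK = """
config log forti-analyzer
    set fortianalyzer-policy "faz-primary"
    set status enable
    set severity error
    set traffic_packet enable
    set logtype elog alog
    set traffic_packet_size 8192
end
"""

# Constructed (logtype, severity) pairs standing in for generated log messages.
SAMPLE_ENTRIES = [("alog", "critical"), ("alog", "warning"), ("elog", "error"),
                  ("tlog", "critical"), ("elog", "information")]

if __name__ == "__main__":
    cfg = parse_block(SAMPLE_BLOCK)
    for problem in check_settings(cfg, packet_log_enabled=False):
        print("problem:", problem)
    print("forwarded:", forwarded(SAMPLE_ENTRIES, cfg))
```

Run against the sample block with packet-log disabled, the checker reports two problems (traffic_packet without packet-log, and traffic_packet_size above 4096), and only the attack log at critical and the event log at error pass the filters; the traffic log is dropped because tlog is not in logtype, not because of its severity.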

Example

This example enables logging to FortiAnalyzer using an existing FortiAnalyzer policy (created with log fortianalyzer-policy). Only log messages with a severity of error or higher are sent.

config log forti-analyzer
    set fortianalyzer-policy "<policy_name>"
    set status enable
    set severity error
end

Related topics
