Customizing the log view
The log message list can show raw or formatted, real time or historical logs. The columns in the log message list can be customized to show only relevant information in your preferred order.
Log display
By default, historical formatted logs are shown in the log message list. You can change the view to show raw logs and both raw and formatted real time logs.
To view real time logs, in the log message list, select Tools, then select Real-time Log from the drop-down menu. To return to the historical log view, select Tools, then select Historical Log from the drop-down menu.
To view raw logs, in the log message list, select View, then select Display Raw from the drop-down menu, Figure 95. To return to the formatted log view, select Tools, then select Display Formatted from the drop-down menu.
Figure 95:Log view (raw display)
This page displays the following information and options:
Refresh | Select to refresh the log view.
This option is only available when viewing historical logs. |
Search | Enter a search term to search the log messages. See “To perform a text search:” on page 139. Select GO in the toolbar to apply the filter. |
Latest Search Select the latest search icon to repeat previous searches, select favorite searches, or quickly add filters to your search. The filters available will vary based on device and log type.
Clear Search | Select to clear search filters. |
Help | Hover your mouse over the help icon, for example search syntax. See “Examples” on page 140. |
Device | Select the device or log array in the drop-down list. Select Manage Log Arrays in the Tools menu to create, edit, or delete log arrays. |
Time Period | Select a time period from the drop-down list. Options include: Last 30 mins, Last 1 hour, Last 4 hours, Last 12 hours, Last 1 day, Last 7 days, Last N hours, Last N days, or Custom, . See “To customize the time period:” on page 140.
This option is only available when viewing historical logs. |
GO | Select to apply the time period and limit to the displayed log entries. A progress bar is displayed in the lower toolbar. |
Create Custom View Select to create a new custom view. You can select to create multiple custom views in log view. Each custom view can display a select device or log array with specific filters and time period. See “To create a new custom view:” on page 138.
This option is only available when viewing historical logs.
Pause Resume | Pause or resume real-time log display. These two options are only available when viewing real-time logs. |
Tools | The tools button provides options for changing the manner in which the logs are displayed, and search options. You can manage log arrays and it also provides an option for downloading logs, see “Download log messages” on page 141. |
Real-time Log
Historical Log |
Select to change view from Real-time Log to Historical Log. |
Display Formatted | Select to change view from raw log display to formatted log display. |
Download | Select to download logs. A download dialog box is displayed. Select the log file format, compress with gzip, the pages to include and select Apply to save the log file to the management computer.
This option is only available when viewing historical logs in formatted display. |
Manage Log Arrays | Select to create new, edit, and delete log arrays. Once you have created a log array, you can select the log array in the Device drop-down menu in the Log View toolbar. |
Case Sensitive
Search |
Select to enable case sensitive search. |
Detailed Information | Detailed information on the log message selected in the log message list. The item is not available when viewing raw logs. |
Status Bar | Displays the log view status as a percentage. |
Pagination | Adjust the number of logs that are listed per page and browse through the pages. |
Limit | Select the maximum number of log entries to be displayed from the drop-down list. Options include: 1000, 5000, 10000, 50000, or All. |
The selected log view will affect the other options that are available in the View drop-down menu. Real-time logs cannot be downloaded, and raw logs to not have the option to customize the columns.
Columns
The columns displayed in the log message list can be customized and reordered as needed. Filters can also be applied to the data in a column.
To customize the displayed columns:
- In the log message list, right-click on a column heading.
The Column Settings pop-up menu opens.
Figure 96:Column settings pop-up
- Select a column to hide or display, select Reset to Default to reset to the default columns, or select More Columns to open the Column Settings
Figure 97:Column settings window
- In the Column Settings window, multiple columns can be added or removed as required, and the order of the displayed columns can be adjusted by dragging and dropping the column names.
- To reset to the default columns, select Reset to Default.
- Select OK to apply your changes.
To filter column data:
- In the log message list, select Tools, then select Enable Column Filter from the drop-down menu to enable column filters.
- In the heading of the column you need to filter, select the filter icon, . The filter icon will only be shown on columns that can filtered.
The Filter Settings dialog box opens.
Figure 98:Filter settings
- Enable the filter, then enter the required information to filter the selected column.
The filter settings will vary based on the selected column.
- Select Apply to apply the filter to the data.
The column’s filter icon will turn green when the filter is enabled, . Downloading the current view will only download the log messages that meet the current filter criteria.
Custom views
Select Create Custom View in the toolbar to create a new custom log view. Use Custom View to save a custom search, device selection, and time period so that you can select this view at any time to view results without having to re-select these criteria.
To create a new custom view:
- In the Log View pane, select a log type.
- Enter a search term, select a device or devices, select a time period, limit the number of logs to display as needed, then select Custom View.
The Create New Custom View dialog box is displayed.
Figure 99:Create new custom view
- Enter a name for the new custom view. All other fields are read-only.
The new custom view is saved to the Custom View folder in the ADOM.
To edit a custom view:
- In the Log View pane, select the Custom View folder in the tree menu.
- Select the custom view you would like to edit.
- Edit the custom search, devices, time period, limit the number of logs to display, and select
GO.
- Right-click the name of the custom view and select Save to save your changes.
To rename a custom view:
- In the Log View pane, select an ADOM, and select the Custom View folder.
- Right-click the name of the custom view and select Rename in the menu.
The Rename Custom View dialog box opens.
- Edit the name and select OK to save your changes.
To delete a custom view:
- In the Log View pane, select an ADOM, and select the Custom View folder.
- Right-click the name of the custom view and select Delete in the menu.
- Select OK in the confirmation dialog box to delete the view.
Searching log messages
Log messages can be searched based on a text string and/or time period. Recent searches can be quickly repeated, a time period can be specified or customized, and the number of displayed logs can be limited. A text string search can be case sensitive or not as required.
To perform a text search:
- In the log message list, select Tools, then either select or deselect Case Sensitive Search from the drop-down menu to enable or disable case sensitivity in the search string.
- In the log message list, enter a text string in the search field in the following ways:
- Manually type in the text that you are searching for. Wildcard characters are accepted.
- Right-click on the element in the list that you would like to add to the search and select to search for strings that either match or don’t match that value.
- Select a previous search or default filter, using the history icon, . The available filters will vary depending on the selected log type and displayed columns.
Figure 100:Search history
- Paste a saved search into the search field.
- Select GO to search the log message list.
To customize the time period:
- In the log message list, open the time period drop-down menu, and select ...
The Custom Timeframe dialog box opens.
Figure 101:Custom timeframe
- Specify the desired time period using the From and To fields, or select Any Time to remove any time period from the displayed data.
- Select Apply to create the custom time period.
A calendar icon, , will be shown next to the time period drop-down list. Select it to adjust the custom time period settings.
- Select GO to apply your settings to the log message list.
Examples
To view example text search strings, hover your cursor over the help icon, .
Figure 102:Example searches
- The first example will search for log messages with a source IP address of 172.16.86.11 and a service of HTTP. Because it is not specified, the and operator is assumed, meaning that both conditions must be met for the log message to be included in the search results.
- The second example will search for any log messages with source IP addresses that start with either 172.16 or 172.18. Notice the use of the * The use of the or operator means that either condition can be met for the log message to be included in the search results.
- The third example will search for any log message that do not have a source IP address of 172.16.86.11 and a service of HTTP. The use of the and operator means that both conditions must be met for the log message to be excluded from the search results.
Download log messages
Log messages can be downloaded to the management computer as a text or CSV file. Real time logs cannot be downloaded.
To download log messages:
- In the log message list, select Tools, then select Download.
The Download dialog box opens.
Figure 103:Download log messages
- Select a log format from the drop down list, either Text or CSV.
- Select Compress with gzip to compress the downloaded file.
- Select Current Page to download only the current log message page, or All Pages to download all of the pages in the log message list.
- Select Apply to download the log messages to the management computer.
Log arrays
Log Array has been relocated to Log View in the FortiView tab from the Device Manager tab. Upon upgrading to FortiAnalyzer v5.2.0 and later, all previously configured log arrays will be imported. In FortiAnalyzer v5.0.6 and earlier, when creating a Log Array with both devices and VDOMs, you need to select each device and VDOM to add it to the Log Array. In FortiAnalyzer v5.2.0 and later, when selecting to add a device with VDOMs, all VDOMs are automatically added to the Log Array.
To create a new log array:
- In the Log View pane, select the Tools button, and select Manage Log Arrays.
The Manage Log Arrays dialog box opens.
- Select Create New in the dialog box toolbar.
The Create New Log Array dialog box opens.
Figure 104:Create new log array
- Enter the following:
Name | Enter a unique name for the log array. |
Comments | Enter optional comments for the log array. |
Devices | Select the add icon, , and select devices and VDOMs to add to the log array. Select OK in the device selection window. |
- Select OK to create the new log array.
- Select the close icon, , to close the Manage Log Arrays dialog box.
To edit a log array:
- In the Log View pane, select Tools, and select Manage Log Arrays.
The Manage Log Arrays dialog box is displayed.
- Select a log array entry and select Edit in the toolbar.
The Edit Log Array dialog box is displayed.
- Edit the log array name, comments, and devices as needed.
- Select OK to save the log array.
- Select the close icon, , to close the Manage Log Arrays dialog box.
To delete a log array:
- In the Log View pane, select Tools, and select Manage Log Arrays.
The Manage Log Arrays dialog box is displayed.
- Select the log array entry and select Delete in the toolbar.
- Select OK in he confirmation dialog box to delete the log array.
- Select the close icon, , to close the Manage Log Arrays dialog box.