Log message syntax
All FortiMail log messages consist of a log header and a log body.
- Header — Contains the time and date the log originated, a log identifier, the type of log, the severity level (priority) and where the log message originated.
- Body — Describes the reason why the log was created, plus any actions that the FortiMail appliance took to respond to it. These fields may vary by log type.
Figure 299: Log message header and body
For example, in the following event log, the header is the part from date= up to and including pri=, and the body is the part from user= onward:
date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 type=event subtype=admin pri=information user=admin ui=GUI(172.20.120.26) action=login status=success reason=none msg="User admin login successfully from GUI(172.20.120.26)"
Depending on where you view log messages, log formats may vary slightly. For example, if you view logs on the FortiMail web UI or download them to your local PC, the log messages do not contain the device ID field. If you send the logs to FortiAnalyzer or other Syslog servers, the device ID field will be added.
Policy ID and domain fields
Starting from the v5.0 release, two new fields — policy ID and domain — have been added to history logs.
The policy ID has the format x:y:z, where:
- x is the ID of the global access control policy.
- y is the ID of the IP-based policy.
- z is the ID of the recipient-based policy.
If the value of x, y, or z is 0, no policy of that kind was matched.
If the matched recipient-based policy is incoming, the protected domain will be logged in the domain field.
If the matched recipient-based policy is outgoing, the domain field will be empty.
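As an added example (not code from the FortiMail documentation), the following Python splits a log line into header and body as described under "Log message syntax", handling the quoted msg value and the optional device_id field, and then decodes the x:y:z policy ID together with the domain field described in this section. The history line is constructed, its log_id is a placeholder, and the key names policy_id and domain are assumptions.

```python
import re

# Header fields per the text above; everything else is body. log_part is the
# optional split-message counter added in 3.0 MR3 and later.
HEADER_FIELDS = frozenset(
    ("date", "time", "device_id", "log_id", "log_part", "type", "subtype", "pri"))
# key=value pairs; a double-quoted value (e.g. msg=) may contain spaces.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
# The admin login event quoted on this page.
SAMPLE_EVENT = (
    "date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 "
    "type=event subtype=admin pri=information user=admin ui=GUI(172.20.120.26) "
    "action=login status=success reason=none "
    'msg="User admin login successfully from GUI(172.20.120.26)"')
# Constructed history line (not from the page): log_id is a placeholder and the
# key names policy_id and domain are assumed.
SAMPLE_HISTORY = (
    "date=2012-08-17 time=12:27:03 log_id=0000000000 type=statistics "
    "pri=information policy_id=1:4:7 domain=example.com from=user@example.net")

def parse_log_line(line):
    """Return (header, body) dicts; quoted values keep their embedded spaces."""
    fields = {}
    for key, raw in _FIELD_RE.findall(line):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    header = {k: v for k, v in fields.items() if k in HEADER_FIELDS}
    body = {k: v for k, v in fields.items() if k not in HEADER_FIELDS}
    return header, body

def parse_policy_id(value):
    """Split x:y:z; a 0 component means no policy of that kind was matched."""
    parts = value.split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected policy ID format: {value!r}")
    x, y, z = (int(p) for p in parts)
    return {"access_control": x or None, "ip_based": y or None,
            "recipient_based": z or None}

def history_policy_summary(line):
    """Policy ID plus domain: domain is filled only for incoming recipient policies."""
    _, body = parse_log_line(line)
    policy = parse_policy_id(body.get("policy_id", "0:0:0"))
    domain = body.get("domain", "")
    direction = None
    if policy["recipient_based"] is not None:
        direction = "incoming" if domain else "outgoing"
    return {**policy, "domain": domain or None, "recipient_direction": direction}
```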
Endpoint field
Starting from 4.0 MR3, a field called endpoint was added to the history and antispam logs. This field displays the endpoint’s subscriber ID, MSISDN, login ID, or other identifiers. This field is empty if the sender IP is not matched to any endpoint identifier or if the endpoint reputation is not enabled in the session profiles.
Log_part field
For FortiMail 3.0 MR3 and up, the log header of some log messages may include an extra field, log_part, which numbers the parts (such as 00, 01, and 02) when a log message has been split. Log splitting occurs in FortiMail 3.0 MR3 and up because the maximum log message length was reduced.
Hex numbers in history logs
If you view the log messages on the FortiMail web UI or send the logs to a Syslog server, the dispositions and classifiers are displayed in English terms. However, if you download log files from the FortiMail web UI to your PC and open them, the dispositions and classifiers are displayed as hex numbers. For an explanation of these numbers, see “Classifiers and dispositions in history logs” on page 668.
FortiMail log types
FortiMail units can record the following types of log messages. The Event log also contains several subtypes. You can view and download these logs from the Log submenu of the Monitor tab.
Table 62: Log types
Log type | Subtype | Description |
event | config, admin, system, pop3, imap, smtp, update, ha, webmail | Includes system and administration events, such as downloading a backup copy of the configuration. |
virus | infected | Includes detections of viruses, as well as antivirus subsystem-related events. |
spam | (no subtype) | Includes detections of spam, as well as antispam subsystem-related events, such as when the FortiMail unit loads new FortiGuard Antispam heuristic rules. |
statistics (history) | (no subtype) | Includes all email handled by the FortiMail unit’s built-in MTA or proxies, whether or not the email was successfully delivered. |
encrypt | (no subtype) | Includes detection of IBE-related events. For more information about IBE, see “Configuring IBE encryption” on page 357. |
How long do the logs last in the FortiMail?
Depends on a wide variety of things. Amount of logs being generated, amount of storage on the device, etc…
In FortiGate logs, we have the field logid=0315012546, where the last digits of this field, i.e. ‘012546’, are referred to as the message ID, and it helps in understanding the logs in detail.
Does such a thing apply to the log_id field of FortiMail as well?
I am almost exclusively using session ID log quantifiers now to review FortiMail logs.