Log message severity levels
Each log message contains a field that indicates the severity level of the log message, such as pri=warning.
Table 63: Log severity levels
Levels | Description |
0 – Emergency | Indicates the system has become unusable. |
1 – Alert | Indicates immediate action is required. |
2 – Critical | Indicates functionality is affected. |
3 – Error | Indicates an error condition exists and functionality could be affected. |
4 – Warning | Indicates functionality could be affected. |
5 – Notification | Provides information about normal events. |
6 – Information | Provides general information about system operations. |
For each location where the FortiMail unit can store log files, you can define the severity threshold of the log messages to be stored there.
Avoid logging to the local hard disk at a low severity threshold, such as Information or Notification, for an extended period of time. A low severity threshold is one common cause of high logging frequency, and a high write frequency causes undue wear on the hard disk and may cause premature failure.
The FortiMail unit stores all log messages equal to or exceeding the severity level you select. For example, if you select Error, the FortiMail unit stores log messages whose severity level is Error, Critical, Alert, or Emergency.
Classifiers and dispositions in history logs
Each history log contains one field called Classifier and another called Disposition.
The Classifier field shows which FortiMail scanner matched the email message. For example, “Banned Word” means the email message was detected by the FortiMail banned word scanner. The Disposition field specifies the action the FortiMail unit took on the message.
If you view the log messages on the FortiMail web UI or send the logs to a Syslog server, the classifiers and dispositions are displayed as English terms. However, if you download log files from the FortiMail web UI to your PC and open them, the classifiers and dispositions appear as hexadecimal codes.
The following tables map the hexadecimal codes to the English terms.
Table 64: Classifiers
Hex number | Classifier | Hex Number | Classifier |
0x00 | Not Spam | 0x1B | Content Monitor as Spam |
0x01 | User White | 0x1C | Attachment as Spam |
0x02 | User Black | 0x1D | Image Spam |
0x03 | System White | 0x1E | Sender Reputation |
0x04 | System Black | 0x1F | Access Control |
0x05 | DNSBL | 0x20 | Whitelist Word |
0x06 | SURBL | 0x21 | Domain White |
0x07 | FortiGuard AntiSpam | 0x22 | Domain Black |
0x08 | FortiGuard AntiSpam-White | 0x23 | SPF |
0x09 | Bayesian | 0x24 | Domain Key |
0x0A | Heuristic | 0x25 | DKIM |
0x0B | Dictionary Filter | 0x26 | Recipient Verification |
0x0C | Banned Word | 0x27 | Bounce Verification |
0x0D | Deep Header | 0x28 | Endpoint Reputation |
0x0E | Forged IP | 0x29 | TLS Enforcement |
0x0F | Quarantine Control | 0x2A | Message Cryptography |
0x10 | Virus as Spam (before v4.3 release) | 0x2B | Delivery Control |
0x11 | Attachment Filter (see note below) | 0x2C | Encrypted Content |
0x12 | Grey List | 0x2D | SPF Failure as Spam |
0x13 | Bypass Scan On Auth | 0x2E | Fragmented email |
0x14 | Disclaimer | 0x2F | Email contains image |
0x15 | Defer Delivery | 0x30 | Content Requires Encryption |
0x16 | Session Domain | 0x31 | FortiGuard AntiSpam-IP |
0x17 | Session Limits | 0x32 | Session Remote |
0x18 | Session White | 0x33 | FortiGuard Phishing |
0x19 | Session Black | 0x34 | AntiVirus |
0x1A | Content Monitor and Filter | 0x35 | Sender Address Rate Control |
0x36 | SMTP Auth Failure |
Table 65: Dispositions
Hex number | Disposition | Hex Number | Disposition |
0x00 | Accept | 0x1000 | Disclaimer Header |
0x01 | Accept | 0x2000 | Defer |
0x04 | Reject | 0x4000 | Quarantine to Review |
0x08 | Add Header | 0x8000 | Content Filter as Spam |
0x10 | Modify Subject | 0x10000 | Encrypt |
0x20 | Quarantine | 0x20000 | Decrypt |
0x40 | Accept | 0x40000 | Alternate Host |
0x80 | Discard | 0x80000 | BCC |
0x100 | Replace | 0x100000 | Archive |
0x200 | Delay | 0x200000 | Customized repackage |
0x400 | Rewrite | 0x400000 | Repackage |
0x800 | Disclaimer Body | 0x800000 | Notification |
How long do the logs last in the FortiMail?
Depends on a wide variety of things. Amount of logs being generated, amount of storage on the device, etc…
In FortiGate logs, we have the field logid=0315012546, where the last digits of this field, i.e. ‘012546’, are referred to as the message ID, and it helps in understanding the logs in detail.
Does such a thing apply to the log_id field of FortiMail as well?
I am almost exclusively using session ID log quantifiers now to review FortiMail logs.