Logs, Reports, and Alerts

Configuring logging

The Log Settings submenu includes two tabs, Local Log Settings and Remote Log Settings, that let you:

  • set the severity level
  • configure which types of log messages to record
  • specify where to store the logs

You can configure the FortiMail unit to store log messages locally (that is, in RAM or to the hard disk), remotely (that is, on a Syslog server or FortiAnalyzer unit), or at both locations.

Your choice of storage location may be affected by several factors, including the following:

  • Local logging by itself may not satisfy your requirements for off-site log storage.
  • Very frequent logging may cause undue wear when stored on the local hard drive. A low severity threshold is one possible cause of frequent logging. For more information on severity levels, see “Log message severity levels” on page 668.

For information on viewing locally stored log messages, see “Viewing log messages” on page 206.

Configuring logging to the hard disk

You can store log messages locally on the hard disk of the FortiMail unit.

To ensure that local hard disk has sufficient disk space to store new log messages and that it does not overwrite existing logs, you should regularly download backup copies of the oldest log files to your management computer or other storage, and then delete them from the FortiMail unit. (Alternatively, you could configure logging to a remote host.)

You can view and download these logs from the Log submenu of the Monitor tab. For more information, see “Viewing log messages” on page 206.

For logging accuracy, you should also verify that the FortiMail unit’s system time is accurate. For details, see “Configuring the time and date” on page 265.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To configure logging to the local hard disk

  1. Go to Log and Report > Log Settings > Local Log Settings.

Figure 300:Logging to hard disk

  1. Select the Enable option to allow logging to the local hard disk.
  2. In Log file size, enter the file size limit of the current log file in megabytes (MB). The log file size limit must be between 1 MB and 1000 MB.
  3. In Log time, enter the time (in days) of file age limit. Valid range is between 1 and 366 days.
  4. In At hour, enter the hour of the day (24-hour format) when the file rotation should start.

When a log file reaches either the age or size limit, the FortiMail unit rotates the current log file: that is, it renames the current log file (elog.log) with a file name indicating its sequential relationship to other log files of that type (elog2.log, and so on), then creates a new current log file. For example, if you set the log time to 10 days at hour 23, the log file will be rotated at 23 o’clock of the 10th day.

  1. From Log level, select the severity level that a log message must equal or exceed in order to be recorded to this storage location.

Avoid recording log messages using low severity thresholds such as Information or Notification to the local hard disk for an extended period of time. A low log severity threshold is one possible cause of frequent logging. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.

For information about severity levels, see “Log message severity levels” on page 668.

  1. From Log options when disk is full, select what the FortiMail unit will do when the local disk is full and a new log message is caused, either:
    • Do not log: Discard all new log messages.
    • Overwrite: Delete the oldest log file in order to free disk space, and store the new log message.
  2. In Logging Policy Configuration, enable the types of logs that you want to record to this storage location. Click the arrow to review the options. For details, see “Choosing which events to log”.
  3. Click Apply.

Choosing which events to log

Both the local and remote server configuration recognize the following events. Select the check boxes of the events you want to log.

GUI item Description
Event Log Select this check box and then select specific events. No event types are logged unless you enable this option.

When configuration Log configuration changes.

has changed

Admin login/logout event Log all administrative events, such as logins, resets, and configuration updates.
System activity event Log all system-related events, such as rebooting the FortiMail unit.
POP3 server event

(server mode only)

Log POP3 events.
IMAP server event

(server mode only)

Log IMAP events.
SMTP server event Log SMTP relay or proxy events.
Update Log both successful and unsuccessful attempts to download FortiGuard updates.
GUI item Description
HA Log all high availability (HA) activity. For more information, see “About logging, alert email and SNMP in HA” on page 311.
WebMail event Log webmail events.
AntiVirus Log Log antivirus events.
AntiSpam Log Log antispam events.
History Log Log both successful and unsuccessful attempts by the built-in MTA or proxies to deliver email.
Encryption Log Log all IBE events. For more information about IBE, see “Configuring IBE encryption” on page 357.

4 thoughts on “Logs, Reports, and Alerts

    1. Mike Post author

      Depends on a wide variety of things. Amount of logs being generated, amount of storage on the device, etc…

      Reply
  1. Nikesh

    in fortigate logs, we have field logid=0315012546 where the last digit of this field i.e. ‘012546’ is referred as message id and it helps in understanding the logs in detail.
    Does such thing applies in log_id field of fortimail as well?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.