Device logs – FortiAnalyzer – FortiOS 6.2.3

Device logs

The FortiAnalyzer allows you to log system events to disk. You can control device log file size and the use of the FortiAnalyzer unit’s disk space by configuring log rolling and scheduled uploads to a server.

As the FortiAnalyzer unit receives new log items, it performs the following tasks: l Verifies whether the log file has exceeded its file size limit. l Checks to see if it is time to roll the log file if the file size is not exceeded.

When a current log file (tlog.log) reaches its maximum size, or reaches the scheduled time, the FortiAnalyzer unit rolls the active log file by renaming the file. The file name will be in the form of xlog.N.log (for example, tlog.1252929496.log), where x is a letter indicating the log type and N is a unique number corresponding to the time the first log entry was received. The file modification time will match the time when the last log was received in the log file.

Once the current log file is rolled into a numbered log file, it will not be changed. New logs will be stored in the new current log called tlog.log. If log uploading is enabled, once logs are uploaded to the remote server or downloaded via the GUI, they are in the following format:

FG3K6A3406600001-tlog.1252929496.log-2017-09-29-08-03-54.gz

If you have enabled log uploading, you can choose to automatically delete the rolled log file after uploading, thereby freeing the amount of disk space used by rolled log files. If the log upload fails, such as when the FTP server is unavailable, the logs are uploaded during the next scheduled upload.

Log rolling and uploading can be enabled and configured using the GUI or CLI.

Configuring rolling and uploading of logs using the GUI

Go to System Settings > Advanced > Device Log Setting to configure device log settings.

Configure the following settings, and then select Apply:

Registered Device Logs  
Roll log file when size exceeds Enter the log file size, from 10 to 500MB. Default: 200MB.
Roll log files at scheduled time Select to roll logs daily or weekly.

Daily: select the hour and minute value in the dropdown lists.

Weekly: select the day, hour, and minute value in the dropdown lists.

Upload logs using a standard file transfer protocol Select to upload logs and configure the following settings.
Upload Server Type Select one of FTP, SFTP, or SCP.
Upload Server IP Enter the IP address of the upload server.
User Name Enter the username used to connect to the upload server.
Password Enter the password used to connect to the upload server.
Remote Directory Enter the remote directory on the upload server where the log will be uploaded.
Upload Log Files Select to upload log files when they are rolled according to settings selected under Roll Logs, or daily at a specific hour.
Upload rolled files in gzip file format Select to gzip the logs before uploading. This will result in smaller logs and faster upload times.
Delete files after uploading Select to remove device log files from the FortiAnalyzer system after they have been uploaded to the Upload Server.
Local Device Log  
Send the local event logs to FortiAnalyzer / FortiManager Select to send local event logs to another FortiAnalyzer or FortiManager device.
IP Address Enter the IP address of the FortiAnalyzer or FortiManager.
Upload Option Select to upload logs in real time or at a scheduled time.

When selecting a scheduled time, you can specify the hour and minute to upload logs each day.

Severity Level Select the minimum log severity level from the dropdown list. This option is only available when Upload Option is Realtime.
Reliable log transmission Select to use reliable log transmission.
Secure connection Select to use a secure connection for log transmission. This option is only available when Reliable log transmission is selected.

Configuring rolling and uploading of logs using the CLI

Log rolling and uploading can be enabled and configured using the CLI. For more information, see the FortiAnalyzer CLI Reference.

Enable or disable log file uploads

Use the following CLI commands to enable or disable log file uploads.

To enable log uploads:

config system log settings config rolling-regular set upload enable

end

To disable log uploads:

config system log settings config rolling-regular set upload disable

end

Roll logs when they reach a specific size

Use the following CLI commands to specify the size, in MB, at which a log file is rolled.

To roll logs when they reach a specific size:

config system log settings config rolling-regular set file-size <integer>

end

Roll logs on a schedule

Use the following CLI commands to configure rolling logs on a set schedule, or never.

To disable log rolling:

config system log settings config rolling-regular set when none

end

To enable daily log rolling:

config system log settings config rolling-regular set upload enable set when daily set hour <integer> set min <integer>

end

To enable weekly log rolling:

config system log settings config rolling-regular set when weekly

set days {mon | tue | wed | thu | fri | sat | sun} set hour <integer> set min <integer>

end

Upload logs to cloud storage

The FortiAnalyzer can be set to upload logs to cloud storage. Before enabling this feature, you must have a valid Storage Connector Service license. See License Information widget on page 162.

For information on setting up a storage fabric connector, see Creating or editing storage connectors on page 33.

To upload logs to cloud storage:

  1. Go to System Settings > Advanced > Device Log Settings.
  2. Select Create New.
  3. Complete the following options, and click OK.

l Enter a name for the cloud storage. l In the Cloud Storage Connector list, select a Fabric Connector. l In the Remote Path box, type the bucket or container name from the storage account.

This entry was posted in Administration Guides, FortiAnalyzer, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.