Configuring logging to a Syslog server or FortiAnalyzer unit
Instead of or in addition to logging locally, you can store log messages remotely on a Syslog server or a FortiAnalyzer unit.
You can add a maximum of three remote Syslog servers.
Logs stored remotely cannot be viewed from the web UI of the FortiMail unit. If you require the ability to view logs from the web UI, also enable local storage. For details, see “Configuring logging to the hard disk”.
Before you can log to a remote location, you must first enable logging. For details, see “Choosing which events to log”. For logging accuracy, you should also verify that the FortiMail unit’s system time is accurate. For details, see “Configuring the time and date”.
To access this part of the web UI, your administrator account’s:
Domain must be System
Access profile must have Read or Read-Write permission to the Others category
For details, see “About administrator account permissions and domains”.
To configure logging to a Syslog server or FortiAnalyzer unit
1. Go to Log and Report > Log Settings > Remote Log Settings.
2. Click New to create a new entry or double-click an existing entry to modify it.
A dialog appears.
3. Select Enable to allow logging to a remote host.
4. In Profile name, enter a profile name.
5. In IP, enter the IP address of the Syslog server or FortiAnalyzer unit where the FortiMail unit will store the logs.
6. In Port, if the remote host is a FortiAnalyzer unit, enter 514; if the remote host is a Syslog server, enter the UDP port number on which the Syslog server listens for log messages (by default, UDP 514). For more information on ports, see Appendix C in the FortiMail Administration Guide.
7. From Level, select the severity level that a log message must equal or exceed in order to be recorded to this storage location.
For information about severity levels, see “Log message severity levels”.
8. From Facility, select the facility identifier that the FortiMail unit will use to identify itself when sending log messages.
To easily identify log messages from the FortiMail unit when they are stored on a remote logging server, select a facility identifier that is unique to the FortiMail unit, and verify that no other network device sending logs to that server uses the same facility identifier.
9. Enable CSV format if you want to send log messages in comma-separated value (CSV) format.
Do not enable this option if the remote host is a FortiAnalyzer unit. FortiAnalyzer units do not support CSV-formatted log messages.
10. From Log protocol, select Syslog if you want to send logs to a Syslog server (including FortiAnalyzer). Select OFTPS if you want to use this secure protocol to send logs to FortiAnalyzer. Also specify the Hash algorithm for OFTPS. Note that FortiAnalyzer supports both Syslog and OFTPS.
11. If you enabled advanced MTA control (see “Configuring advanced MTA control settings”), the Matched session only option appears. Select this option if you want to send only the matched session logs to the remote server. Otherwise, all logs will be sent.
12. In Logging Policy Configuration, enable the types of logs you want to record to this storage location. Click the arrow to review the options. For details, see “Choosing which events to log”.
13. Click Create.
14. If the remote host is a FortiAnalyzer unit, confirm with the FortiAnalyzer administrator that the FortiMail unit was added to the FortiAnalyzer unit’s device list, allocated sufficient disk space quota, and assigned permission to transmit logs to the FortiAnalyzer unit. For details, see the FortiAnalyzer Administration Guide.
15. To verify logging connectivity, from the FortiMail unit, trigger a log message that matches the types and severity levels that you have chosen to store on the remote host. Then, on the remote host, confirm that it has received that log message.
For example, if you have chosen to record event log messages to the remote host if they are more severe than information, you could log in to the web UI or download a backup copy of the FortiMail unit’s configuration file in order to trigger an event log message.
If the remote host does not receive the log messages, verify the FortiMail unit’s network interfaces (see “Configuring the network interfaces” and “About the management IP”) and static routes (see “Configuring static routes”), and the policies on any intermediary firewalls or routers. If ICMP ECHO (ping) is enabled on the remote host, you can use the execute traceroute command to determine the point where connectivity fails. For details, see the FortiMail CLI Reference.
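As an added example for the verification in step 15 (not code from the FortiMail guide or from Fortinet), the following Python UDP receiver can be run on the remote Syslog host: it decodes the syslog PRI header of each datagram into a facility and severity, so you can confirm that the messages arriving carry the Facility and Level you selected in steps 6 to 8. The port, facility, level and the sample datagram are assumptions constructed for the example.

```python
import re
import socket

# RFC 3164 facility codes 0-23 and severity codes 0-7; FortiMail's Facility and
# Level drop-downs map onto these codes (names for 12-15 vary by implementation).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice",
              "information", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample datagram (local7, information); not real FortiMail output.
SAMPLE = '<190>Jan  1 12:00:00 fortimail type=event msg="Administrator login"'


def parse_pri(message):
    """Decode the leading <PRI> header: PRI = facility * 8 + severity."""
    match = PRI_RE.match(message)
    if match is None:
        return None
    pri = int(match.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        return None
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def accepted(message, expected_facility, min_level):
    """True if the facility matches and the message is at least as severe as
    min_level (a lower severity code means a more severe message)."""
    parsed = parse_pri(message)
    if parsed is None:
        return False
    facility, severity = parsed
    return (facility == expected_facility
            and SEVERITIES.index(severity) <= SEVERITIES.index(min_level))


def receive(port, expected_facility, min_level, count=1, timeout=60):
    """Bind a UDP socket (port 514 needs root) and return the messages among the
    next `count` datagrams that pass the check, with their source address."""
    matched = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("0.0.0.0", port))
        for _ in range(count):
            data, (src, _) = sock.recvfrom(8192)
            text = data.decode("utf-8", errors="replace")
            if accepted(text, expected_facility, min_level):
                matched.append((src, text))
    return matched
```

On the remote host, call for example receive(514, "local7", "notice", count=5) with the values you configured, then trigger an event on the FortiMail unit as described in step 15; an empty result with no timeout error means datagrams arrived but did not match the expected facility or level.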