Log message syntax
Every FortiMail log message consists of a log header followed by a log body.
Header — Contains the time and date the log originated, a log identifier, the type of log, the severity level (priority) and where the log message originated.
Body — Describes the reason why the log was created, plus any actions that the FortiMail appliance took to respond to it. These fields may vary by log type.
Figure 196: Log message header and body
For example, in the following event log, the fields from date= through pri= make up the header and the remaining fields, from user= to msg=, are the body.
date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 type=event subtype=admin pri=information user=admin ui=GUI(172.20.120.26) action=login status=success reason=none msg="User admin login successfully from GUI(172.20.120.26)"
Device ID field
Depending on where you view log messages, log formats may vary slightly. For example, if you view logs on the FortiMail web UI or download them to your local PC, the log messages do not contain the device ID field. If you send the logs to FortiAnalyzer or other Syslog servers, the device ID field will be added.
Policy ID and domain fields
Starting from the v5.0 release, two new fields, policy ID and domain, are included in history logs.
The policy ID is in the format of x:y:z, where:
x is the ID of the global access control policy.
y is the ID of the IP-based policy.
z is the ID of the recipient-based policy.
A value of 0 for x, y, or z means that no policy of that type was matched; 0:0:0 means that no policy was matched at all.
If the matched recipient-based policy is incoming, the protected domain will be logged in the domain field.
If the matched recipient-based policy is outgoing, the domain field will be empty.
Endpoint field
Starting from 4.0 MR3, a field called endpoint was added to the history and antispam logs. This field displays the endpoint’s subscriber ID, MSISDN, login ID, or other identifiers. This field is empty if the sender IP is not matched to any endpoint identifier or if the endpoint reputation is not enabled in the session profiles.
Log_part field
For FortiMail 3.0 MR3 and up, the log header of some log messages may include an extra field, log_part, which numbers the pieces (such as 00, 01, and 02) when a single log message has been split. Splitting occurs in FortiMail 3.0 MR3 and up because the maximum log message length was reduced in that release, so a message that exceeds it is emitted as several numbered parts.
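As an added example, not code from the FortiMail documentation or from Fortinet: a small Python parser for the key=value log syntax described above. It splits a line into header and body, treats device_id as optional (absent when logs are viewed in the web UI or downloaded, present when sent to FortiAnalyzer or syslog), decodes the x:y:z policy ID, and reads log_part when a message has been split. The field names policy_id, domain and endpoint are assumed from the prose (the page does not give the exact key names), and the history-log sample line is constructed with placeholder values rather than captured from an appliance.

```python
"""Parse FortiMail key=value log lines into header and body fields."""
import re
from typing import Dict, Optional, Tuple

# Header fields named on the page: date/time, log identifier (log_id, plus
# log_part on split messages), type (with subtype), severity (pri) and
# origin (device_id). Everything else is treated as body.
HEADER_FIELDS = ("date", "time", "device_id", "log_id", "log_part",
                 "type", "subtype", "pri")

# One key=value token. The value is either a double-quoted string (which may
# contain spaces, e.g. msg="...") or a run of non-space characters; an empty
# value such as endpoint= is allowed.
_TOKEN = re.compile(r'(\w+)=("[^"]*"|\S*)')

# The event-log example shown on the page (device_id present, as for syslog).
SAMPLE_EVENT_LOG = (
    'date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 '
    'log_id=0001001623 type=event subtype=admin pri=information user=admin '
    'ui=GUI(172.20.120.26) action=login status=success reason=none '
    'msg="User admin login successfully from GUI(172.20.120.26)"'
)

# Constructed history-log line (placeholder values; not from a real device).
# No device_id, as for a log downloaded from the web UI. The keys policy_id,
# domain and endpoint are assumed names for the fields the page describes.
SAMPLE_HISTORY_LOG = (
    'date=2012-08-17 time=12:30:05 log_id=0200001234 log_part=00 '
    'type=history subtype=smtp pri=information policy_id=1:2:3 '
    'domain=example.com endpoint= client_ip=192.0.2.10 '
    'msg="constructed sample"'
)


def parse_log_line(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split one log message into (header, body) dicts, keeping field order."""
    header: Dict[str, str] = {}
    body: Dict[str, str] = {}
    for key, value in _TOKEN.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]          # strip the quotes around msg="..."
        (header if key in HEADER_FIELDS else body)[key] = value
    return header, body


def parse_policy_id(value: str) -> Tuple[Optional[int], Optional[int], Optional[int]]:
    """Decode x:y:z (global ACL : IP-based : recipient-based policy IDs).

    A 0 component means no policy of that type matched and becomes None.
    """
    parts = value.split(":")
    if len(parts) != 3:
        raise ValueError(f"unexpected policy ID format: {value!r}")
    x, y, z = (int(p) for p in parts)
    return (x or None, y or None, z or None)


def summarize(line: str) -> Dict[str, object]:
    """Pull out the fields a reviewer usually triages on."""
    header, body = parse_log_line(line)
    return {
        # None when the log was viewed in the web UI or downloaded to a PC.
        "origin": header.get("device_id"),
        "severity": header.get("pri"),
        "log_id": header.get("log_id"),
        # Part number of a split message, or None if the message is whole.
        "part": int(header["log_part"]) if "log_part" in header else None,
        "policy": parse_policy_id(body["policy_id"]) if "policy_id" in body else None,
        # Empty for an outgoing recipient-based policy; normalised to None.
        "domain": body.get("domain") or None,
        "endpoint": body.get("endpoint") or None,
        "msg": body.get("msg"),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_EVENT_LOG, SAMPLE_HISTORY_LOG):
        print(summarize(sample))
```

The parser deliberately does not try to reassemble split messages: the page documents only the log_part numbering, not which header fields identify the parts of one message, so that correlation is left to the caller.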
Hex numbers in history logs
If you view the log messages on the FortiMail web UI or send the logs to a Syslog server, the dispositions and classifiers are displayed as English terms. However, if you download log files from the FortiMail web UI to your PC and open them, the dispositions and classifiers appear as hex numbers. For an explanation of these numbers, see “Classifiers and dispositions in history logs”.