Logging and Reporting

This chapter describes new logging and reporting features added to FortiOS 5.4.

A new error log message is recorded when the Antispam engine request does not get a response from FortiGuard (265255)

Error code is 'sp_ftgd_error'.

New Report database construction (280398 267019)

This will improve performance with reports and FortiView without requiring any configuration changes.

Communication between FortiGate and FortiAnalyzer supports IPv6 addresses (245620)

When configuring your FortiGate to send logs to a FortiAnalyzer you can specify an IPv4 or an IPv6 address.

Context menu on Log & Report > Forward Traffic has been updated (293188)

Now includes Policy Table and Device Quarantine controls.

Filtering allows control of the log messages sent to each log device (262061)

This includes disk log, memory log, FortiAnalyzer and syslog servers and allows inclusion/exclusion based on type, severity, and log ID.

Use the following CLI command:

config log <device> filter
    set filter <new-filter-settings>
    set filter-type {include | exclude}
end

Log messages in plain text LZ4 compressed format (271477 264704)

Log messages are stored on disk and transmitted to FortiAnalyzer as plain text in LZ4 compressed format. This change improves performance, reduces disk log size, and reduces log transmission time and bandwidth usage.

Action and Security Action fields are improved (282691)

The Action and Security Action fields in logs now more clearly distinguish between different uses of Action. Examples include traffic blocked by a policy versus traffic blocked by a security profile, or the different result messages of an Action such as initiating a session.

When the log disk is full, Event logs are deleted last (251467)

This feature should improve troubleshooting and diagnostics.

Send log messages to up to four syslog servers (279637)

You can use the CLI command config log {syslogd | syslogd2 | syslogd3 | syslogd4} to configure up to four remote syslog servers.

Changes to SNMP MIBs add the capability of logging dynamic routing activity (168927)

Examples include sending OSPF routing events or changes, or changes in neighbor status, to a syslog server or FortiAnalyzer.

The syntax in the CLI for enabling the feature on BGP, OSPF and OSPF for IPv6 is as follows:

config router bgp
    set log-neighbour-changes [enable | disable]
end

config router ospf
    set log-neighbour-changes [enable | disable]
end

config router ospf6
    set log-neighbour-changes [enable | disable]
end

Improve dynamic routing event logging (231511)

Major dynamic routing events, such as a BGP or OSPF neighbor going down or coming up, are logged without having to invoke debugging commands.

Adding option for VDOM logs through management VDOM (232284)

FortiOS supports the definition of a FortiAnalyzer per VDOM. However, each VDOM is required to log independently to its own FortiAnalyzer server.

A new option, use-management-vdom, has been added to the CLI.

config vdom
    edit xxx
        config log fortianalyzer override-setting
            set use-management-vdom {enable | disable}
        end
end

If this option is enabled, the source-ip setting is hidden, and when the FortiGate sends logs to FortiAnalyzer it uses the management VDOM's IP setting as the source IP. Also, if IPsec is enabled, the tunnel is created in the management VDOM and the source IP belongs to the management VDOM.

The Log Settings GUI page displays information about current log storage (271318)

The Log Settings GUI page (Log & Report > Log Settings) displays information about current log storage, including the amount of space available on the selected storage location.

Log backup and restore tools (265285)

Local disk logs can now be backed up and restored, using new CLI commands.

exec log backup <filename>
exec log restore <filename>

Restoring logs will wipe the current log and report content off the disk.

IPS logging optimization (254954)

The handling of IPS logs has been improved. No changes needed, just increased performance on the backend.

Export log messages to USB drive (258913 267501)

Logs can now be exported to a USB storage device, as LZ4 compressed files, from both the CLI and the GUI.

When you insert a USB drive into the FortiGate's USB port the USB menu appears on the GUI. The menu shows the amount of storage on the USB disk and the log file size and includes a Copy to USB option that you can use to copy the log file to the USB drive.

From the CLI you can use the following command to export all log messages stored in the FortiGate log disk to a USB drive:

execute backup disk alllogs usb

You can also use the following command to backup just traffic logs to a USB drive:

execute backup disk log usb traffic

Disable performance status logging by default (253700)

Performance statistics logging is now disabled by default. It can be re-enabled from the CLI to run every 1 to 15 minutes (enter 0 to disable):

config system global
    set sys-perf-log-interval <number from 0-15>
end

Add a field for the central NAT id to traffic log messages (257800)

Field name is 'centralnatid'.

Add http.referrer url to web filter logs (260538)

Field name is 'referralurl'.

Improve log viewer filters and bottom pane (258873)

The performance status message now shows useful information (254613)

A sample message looks like this, with CPU and memory given as percentages:

'Performance statistics: average CPU: 0, memory: 10, concurrent sessions: 8, setup-rate: 0'

New log message whenever a NAT VDOM is restarted using execute router restart (267562)

Message is 'Router is manually restarted'.

New GTP logs category (292096)

GTP logs are now handled separately from default Event logs, because of the possible volume of GTP logging.