log siem-message-policy

Use this command to configure the FortiWeb appliance to send its log messages to a remote ArcSight SIEM (security information and event management) server.

Logs sent to the ArcSight server are controlled by SIEM policies and trigger actions that you configure on the FortiWeb appliance, and are associated with various types of violations.


	Usually, you should set trigger actions for specific types of violations. Failure to do so will result in the FortiWeb appliance logging every occurrence, which could result in high log volume and reduced system performance. Excessive logging for an extended period of time may cause premature hard disk failure.


	Logs stored remotely cannot be viewed from the web UI, and cannot be used by FortiWeb to build reports. If you require these features, record logs locally as well as remotely.


Variable	Description	Default
siem-policy <policy_name>	Type the name of an existing SIEM policy to use when storing log information remotely. The maximum length is 35 characters. To view a list of the existing SIEM policies, type: set siem-policy ?	No default.
severity {alert \| critical \| debug \| emergency \| error \| information \| notification \| warning}	Select the severity level that a log message must meet or exceed in order to cause the FortiWeb appliance to save it to the ArcSight server.	information
status {enable \| disable}	Enable to record event log messages to the ArcSight server if it meets or exceeds the severity level specified by severity.	disable

This example enables ArcSight SIEM logging and recording of the log messages. Only the log messages with a severity of error or higher are recorded.