 
Configuring log destinations
You can choose and configure the storage methods for log messages, and enable alert email for when log messages occur.
 
Alert email can be enabled here, but must be configured separately first. See “Alert email”.
For logging accuracy, you should verify that the FortiWeb appliance’s system time is accurate. For details, see “Setting the system time & date”.
 
Avoid recording highly frequent log types such as traffic logs to the local hard disk for an extended period of time. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.
To configure log settings
1. Go to Log&Report > Log Config > Global Log Settings.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see “Permissions”.
2. Configure these settings:
Setting name
Description
Disk
Enable to record log messages to the local hard disk on the FortiWeb appliance.
If the FortiWeb appliance is logging to its hard disk, you can use the web UI to view log messages stored locally on the FortiWeb appliance. For details, see “Viewing log messages”.
 
Log Level
Select the severity level that a log message must equal or exceed in order to be recorded to this storage location. For information about severity levels, see “Log severity levels”.
Caution: Avoid recording log messages using low severity thresholds such as information or notification to the local hard disk for an extended period of time. A low log severity threshold is one possible cause of frequent logging. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure.
 
When log disk is full
Select what the FortiWeb appliance will do when the local disk is full and a new log message occurs, either:
Do not log — Discard the new log message.
Overwrite oldest logs — Delete the oldest log file in order to free disk space, then store the new log message in a new log file.
 
Log rolling settings
 
 
Log file should not exceed n MB
Type the maximum file size of the current log file.
When the current log file reaches its maximum size, the next log message received will begin a new, separate file.
The valid range is between 10 MB and 200 MB.
Memory
Enable to record log messages in the local random access memory (RAM) of the FortiWeb appliance.
If the FortiWeb appliance is logging to memory, you can use the web UI to view log messages that are stored locally on the FortiWeb appliance. For details, see “Viewing log messages”.
Note: Attack logs cannot be stored in memory.
Caution: Log messages stored in memory should not be regarded as permanent. Unlike logs stored on disk, logs stored in memory cannot be downloaded. All log entries stored in memory are cleared when the FortiWeb appliance restarts. When available memory space for log messages is full, the FortiWeb appliance will store any new log message by overwriting the oldest log message.
 
Log Level
Select the severity level that a log message must equal or exceed in order to be recorded to this storage location. For information about severity levels, see “Log severity levels”.
Syslog
Enable to store log messages remotely on a Syslog server.
Caution: Enabling Syslog could result in excessive log messages being recorded in Syslog.
Syslog entries are controlled by Syslog policies and trigger actions associated with various types of violations. If this option is enabled, but a trigger action is not selected for a specific type of violation, every occurrence of that violation will be transmitted to the Syslog server specified in Syslog Policy.
Note: Logs stored remotely cannot be viewed from the FortiWeb web UI.
 
Syslog Policy
Select the settings to use when storing log messages remotely. The Syslog settings include the address of the remote Syslog server and other connection settings. For more information see “Configuring Syslog settings”.
 
Log Level
Select the severity level that a log message must equal or exceed in order to be recorded to this storage location. For information about severity levels, see “Log severity levels”.
 
Facility
Select the facility identifier that the FortiWeb appliance will use to identify itself when sending log messages to the first Syslog server.
To easily identify log messages from the FortiWeb appliance when they are stored on the Syslog server, enter a unique facility identifier, and verify that no other network devices use the same facility identifier.
FortiAnalyzer
Enable to store log messages remotely on a FortiAnalyzer appliance.
Compatibility varies. See the FortiAnalyzer Release Notes. For example, FortiAnalyzer 5.0.6 has been tested as compatible with FortiWeb 5.1.1 and 5.0.5.
Log entries to FortiAnalyzer are controlled by FortiAnalyzer policies and trigger actions associated with various types of violations. If this option is enabled, but a trigger action has not been selected for a specific type of violation, every occurrence of that violation will be recorded to the FortiAnalyzer specified in FortiAnalyzer Policy.
Note: Before enabling this option, verify that log frequency is not too great. If logs are very frequent, enabling this option could decrease performance and cause the FortiWeb appliance to send many log messages to FortiAnalyzer.
Note: Logs stored remotely cannot be viewed from the FortiWeb web UI.
 
FortiAnalyzer Policy
Select the settings to use when storing log messages remotely. FortiAnalyzer settings include the address and other connection settings for the remote FortiAnalyzer. For more information see “Configuring FortiAnalyzer policies”.
 
Log Level
Select the severity level that a log message must equal or exceed in order to be recorded to this storage location. For information about severity levels, see “Log severity levels”.
SIEM
Enable to store log messages remotely on an ArcSight SIEM (security information and event management) server.
FortiWeb sends log entries to ArcSight in CEF (Common Event Format).
If this option is enabled, but a trigger action has not been selected for a specific type of violation, FortiWeb records every occurrence of that violation to the ArcSight server specified by SIEM Policy.
Note: Before enabling this option, verify that log frequency is not too great. If logs are very frequent, enabling this option could decrease performance and cause the FortiWeb appliance to send many log messages to the ArcSight server.
Note: You cannot view logs stored remotely from the FortiWeb web UI.
 
Log Level
Select the severity level that a log message must equal or exceed in order to be recorded to this storage location. For information about severity levels, see “Log severity levels”.
 
SIEM Policy
Select the settings to use when storing log messages remotely. SIEM settings include the address and other connection settings for the ArcSight server. For more information see “Configuring SIEM policies”.
3. Click Apply.
4. Enable the log types that you want your log destinations to receive. See “Enabling log types, packet payload retention, & resource shortage alerts”.
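A receiver-side check for the Syslog Log Level and Facility settings above, as an added example that is not part of the FortiWeb documentation: it decodes the syslog priority value, flags facility identifiers shared by more than one sender, and lists messages below the configured Log Level. The sender addresses and message bodies are constructed, and mapping this page's severity names to the standard syslog codes 0 to 7 is an assumption.

```python
import re
from collections import defaultdict

# Severity names as used on this page; list index = standard syslog severity code
# (assumed mapping: 0 is most severe, 7 is least severe).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "information", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

def parse_pri(raw):
    """Return (facility, severity) decoded from the leading <PRI>, or None."""
    m = PRI_RE.match(raw)
    if not m or int(m.group(1)) > 191:   # 23*8+7 is the largest valid PRI
        return None
    return divmod(int(m.group(1)), 8)    # PRI = facility * 8 + severity

def meets_threshold(severity, log_level):
    """'Equal or exceed' in severity means a numerically lower-or-equal code."""
    return severity <= SEVERITIES.index(log_level)

def facility_collisions(records):
    """Map facility code -> senders, for facilities used by more than one sender."""
    senders = defaultdict(set)
    for ip, raw in records:
        pri = parse_pri(raw)
        if pri:
            senders[pri[0]].add(ip)
    return {f: sorted(ips) for f, ips in senders.items() if len(ips) > 1}

def unexpected_for_level(records, sender, log_level):
    """Messages from `sender` that the configured Log Level should have filtered."""
    out = []
    for ip, raw in records:
        pri = parse_pri(raw)
        if ip == sender and pri and not meets_threshold(pri[1], log_level):
            out.append(raw)
    return out

# Constructed sample: (sender IP, raw datagram) as a syslog receiver would see them.
SAMPLE = [
    ("192.0.2.10", "<187>constructed: appliance message, error"),
    ("192.0.2.10", "<188>constructed: appliance message, warning"),
    ("192.0.2.10", "<190>constructed: appliance message, information"),
    ("192.0.2.20", "<189>constructed: other device on the same facility"),
    ("192.0.2.30", "<134>constructed: other device on local0"),
    ("192.0.2.30", "no PRI header"),
]

if __name__ == "__main__":
    print(facility_collisions(SAMPLE))                          # facility 23 is local7
    print(unexpected_for_level(SAMPLE, "192.0.2.10", "warning"))
```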
See also
Configuring log destinations
Viewing log messages
Downloading log messages
Enabling log types, packet payload retention, & resource shortage alerts
Alert email
Configuring Syslog settings
Configuring FortiAnalyzer policies