Configuring logging
You can configure the FortiWeb appliance to store log messages locally (that is, in RAM or on the hard disk), remotely (that is, on a Syslog or ArcSight server or FortiAnalyzer appliance), or both. Your choice of storage location may be affected by several factors, including the following:
• Rebooting the FortiWeb appliance clears logs stored in memory.
• Logging only locally may not satisfy your requirements for off-site log storage.
• Attack logs and traffic logs cannot be logged to local memory.
• Very frequent logging may cause undue wear when stored on the local hard drive. A low severity threshold is one possible cause of frequent logging. For more information on severity levels, see “Log severity levels”.
• Very frequent logging, such as when the severity level is low, may rapidly consume all available log space when stored in memory. If the available space is consumed, and if the FortiWeb appliance is configured to do so, it may store any new log message by overwriting the oldest log message. For high traffic volumes, this may occur so rapidly that you cannot view old log messages before they are replaced.
• Usually, fewer log messages can be stored in memory. Logging to a Syslog server or FortiAnalyzer appliance may provide you with additional log storage space.
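The overwrite behavior described above can be modeled to see how the severity threshold decides whether an important message is still present when someone looks for it. This is an added example, not FortiWeb code: the severity numbering is the standard syslog scale (an assumption, since this page defers the list to “Log severity levels”), and the capacity, function names, and events are constructed.

```python
from collections import deque

# Standard syslog severity numbers (0 = most severe). Assumed here; the page
# defers the actual list to "Log severity levels".
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notification": 5, "information": 6, "debug": 7}

def simulate(events, threshold, capacity, overwrite=True):
    """Replay (timestamp, severity, text) events into a fixed-size log store.

    Only messages at least as severe as the threshold are logged. When the
    store is full, the oldest entry is overwritten if overwrite=True;
    otherwise the new message is discarded. Returns (stored, lost_count).
    """
    limit = SEVERITY[threshold]
    store = deque()
    lost = 0
    for ts, sev, text in events:
        if SEVERITY[sev] > limit:
            continue  # less severe than the threshold: never logged
        if len(store) >= capacity:
            lost += 1
            if not overwrite:
                continue      # store full: new message is discarded
            store.popleft()   # store full: oldest message is overwritten
        store.append((ts, sev, text))
    return list(store), lost

def oldest_timestamp(stored):
    """Timestamp of the oldest message still viewable, or None if empty."""
    return stored[0][0] if stored else None

def sample_events():
    """Constructed input: one alert at t=0, then one routine message per second."""
    events = [(0, "alert", "constructed: attack signature matched")]
    events += [(t, "information", "constructed: routine event")
               for t in range(1, 501)]
    return events

if __name__ == "__main__":
    for threshold in ("information", "warning"):
        stored, lost = simulate(sample_events(), threshold, capacity=100)
        alert_kept = any(sev == "alert" for _, sev, _ in stored)
        print(f"threshold={threshold:12} stored={len(stored):3} lost={lost:3} "
              f"oldest_t={oldest_timestamp(stored)} alert_kept={alert_kept}")
```

With the low threshold the alert is overwritten within 100 seconds, while the higher threshold keeps it indefinitely; sending the same stream to a remote server removes the capacity limit from the decision.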
For information on viewing locally stored log messages, see “Viewing log messages”.
To configure logging
2. Group Syslog, FortiAnalyzer, and SIEM settings and select those groups in Trigger Action settings throughout the configuration of web protection features. See “Configuring triggers”.
4. If you want to log attacks, select an Alert option as the Action setting when configuring attack protection.
5. Monitor your log messages via the web UI or through alert email for events that require action from network administrators. See “Viewing log messages” and “Alert email”. Configure reports that are derived from log data to review trends in your network. See “Reports”.