Configuring logging
You can configure the FortiWeb appliance to store log messages locally (that is, in RAM or on the hard disk), remotely (that is, on a Syslog or ArcSight server or FortiAnalyzer appliance), or both. Your choice of storage location may be affected by several factors, including the following:
Rebooting the FortiWeb appliance clears logs stored in memory.
Logging only locally may not satisfy your requirements for off-site log storage.
Attack logs and traffic logs cannot be logged to local memory.
Very frequent logging may cause undue wear on the local hard drive when logs are stored there. A low severity threshold is one possible cause of frequent logging. For more information on severity levels, see “Log severity levels”.
Very frequent logging, such as when the severity level is low, may rapidly consume all available log space when logs are stored in memory. If the available space is consumed, and if the FortiWeb appliance is configured to do so, it may store any new log message by overwriting the oldest log message. For high traffic volumes, this may occur so rapidly that you cannot view old log messages before they are replaced.
Usually, fewer log messages can be stored in memory. Logging to a Syslog server or FortiAnalyzer appliance may provide you with additional log storage space.
For information on viewing locally stored log messages, see “Viewing log messages”.
To configure logging
1. Set the severity level threshold that log messages must meet or exceed in order to be sent to each log storage device. If you will store logs remotely, also configure connectivity information such as the IP address. See “Configuring log destinations”, “Configuring Syslog settings”, “Configuring FortiAnalyzer policies”, and “Configuring SIEM policies”.
2. Group Syslog, FortiAnalyzer, and SIEM settings and select those groups in Trigger Action settings throughout the configuration of web protection features. See “Configuring triggers”.
3. Enable logging in general. See “Enabling log types, packet payload retention, & resource shortage alerts”.
4. If you want to log attacks, select an Alert option as the Action setting when configuring attack protection.
5. Monitor your log messages via the web UI or through alert email for events that require action from network administrators. See “Viewing log messages” and “Alert email”. Configure reports that are derived from log data to review trends in your network. See “Reports”.