Fortinet FortiLog-100, FortiLog-400, FortiLog-800 Log policy

Managing the FortiLog unit Config

FortiLog Administration Guide 05-16000-0082-20050115 45

Log policy

Select Config Policy to configure the FortiLog unit to send event log messages to a

local or remote syslog server.

Enable Event Log to record management and activity events. Management events

include changes to the FortiLog unit configuration as well as administrator and user

logins and logouts. Activity events include system activities such as IPSec negotiation

events

Figure 16:Config log polic y

Level Select the severity level for which you want to record log messages to a

remote syslog server. The FortiLog unit logs all levels of severity down to,

but not lower than, the level you select. For example, if you want to record

emergency, alert, critical, and error messages, select Error. “Log policy”

on page45 lists the log message le vels.

Config Policy Select Config policy for which activities you want the FortiLog unit to

record log messages.

CSV format Enable CSV format to record log messages in comma-separated value

(CSV) formatted files. Log message fields are separated by commas.

Levels Description Generated by

0 - Emergency The system has become unstable. Emergency messages not

available.

1 - Alert Immediate action is required. NIDS attack log messages.

2 - Critical Functionality is affected. DHCP

3 - Error An error condition exists and functionality

could be affected. Error messages not available.

4 - Warning Functionality could be affected. Antivirus, Web filter, email filter,

and system event log messages.

5 - Notice Information about normal events. Antivirus, Web filter, and email

filter log messages.

6 - Information General information about system

operations. Antivirus, Web filter, email filter log

messages, and other event log

messages.

Contents

Main FortiLog Administration Guide Page Table of Contents 4 Page 6 Introduction 8 Operational Modes Active Mode Introduction Operational Modes FortiLog Administration Guide 05-16000-0082-20050115 9 Figure 3: FortiLog Active mode network architecture Passive Mode Figure 4: FortiLog unit in Passive mode Internet About this guide FortiLog documentation Related documentation FortiGate documentation 12 FortiManager documentation FortiClient documentation FortiMail documentation Fortinet Knowledge Center Customer service and technical support Page Setting up the FortiLog unit Checking the package contents 16 FortiLog-800 Accessories for each model Back Front Hardware specifications Dimensions Planning the installation Connecting the FortiLog unit Configuring the FortiLog unit Using the web-based manager 20 Using the command line interface Page Page Connecting to the FortiLog Unit Sending device logs to the FortiLog unit Configuring FortiGate unit running FortiOS 2.8 24 Configuring FortiGate devices running FortiOS 2.5 Configuring FortiMail devices 26 Configuring the FortiLog unit Adding a device Defining device port interfaces 28 Creating Device Groups Managing the FortiLog unit Status Status Page Changing the FortiLog host name Changing operating modes 32 Viewing system resources information Changing the firmware Installing firmware from a system reboot Page Testing a new firmware image 36 Installing a backup firmware image Page 38 Switching to a backup firmware image Switching to the default firmware image Backing up system settings Downlading the FortiLog debug log 40 Restoring system settings Restore factory default system settings ! RAID 42 Config Network RAID To configure the FortiLog RAID level and check the RAID disk space, go to System > Config > RAID. 44 Log settings Log policy 46 Time Options Admin Configure Administrator access 48 Administrator account levels Administrator options Changing the Administrator password Devices (Active mode) Page Alert Email Server 52 Local Device (Active mode) Creating a new device alert Page Alerts Network Sharing Defining IP aliases Page Reports Creating and generating a report 58 Configuring report parameters Configuring a report query 60 Creating a query profile Selecting the devices for the report Creating a device profile Select filtering options 62 Creating a filter profile Setting a report schedule Creating a report schedule profile Choosing the report destination and format 64 Creating a report destination and format profile Reports on demand Viewing reports Page Vulnerability reports Creating and generating a report 68 Selecting report result parameters Selecting plug-ins Creating a plug-in profile Selecting the scan targets for the report 70 Creating a scan target profile Choosing the report destination and format Creating a report destination and format profile 72 Viewing the vulnerability report Using Logs The Log view interface The log viewer interface provides a means of viewing device log files. Viewing logs The log viewer interface provides a display of log data that you can organize and format. Finding log information Page Importing log files Log Search Log watch (Active mode) Event correlation (Active mode) Page Using the FortiLog unit as a NAS Connecting to the FortiLog file system 82 Providing access to the FortiLog hard disk Selecting a file sharing protocol Adding and modifying user accounts Adding and modifying group accounts Assigning access to folders Page Modifying the user or group folder access Setting folder and file properties FortiLog CLI reference CLI documentation conventions 88 Connecting to the CLI Connecting to the FortiLog-800 console Setting administrative access for SSH or Telnet 90 Connecting to the FortiLog CLI using SSH Connecting to the FortiLog CLI using Telnet ! CLI commands The FortiLog CLI commands include: execute branch get branch set branch unset branch execute branch 92 get branch Use get to display settings, logs, or system information. Page 94 set branch Use set to configure settings, logs, or system information. set alertemail Use set alertemail to configure alert mails. Page Page set console Use set console to set console configuration. 98 set log Use set log to configure log settings Page Page Page Page set NAS 104 set report Use set system to configure the FortiLog system settings. Use set report to configure the FortiLog report settings. set system Page Page Page Page Page 110 unset branch Use unset to remove configuration of alert email, log, and system. Page Page Appendix A: Log Report Types Network Activity Web Activity 114 FTP Activity FTP reports record total FTP access activities including traffic direction, sites and connections. Terminal Activity Terminal activity reports record total Terminal/CLI access activities. Mail activity reports record Email traffic and connections. Mail Activity 116 Intrusion Activity Intrusion activity reports record top network attacks and top attacks by a specific time. Antivirus Activity Web Filter Activity Mail Filter Activity 118 VPN Activity Content Activity Page Page Index A B C D 122 L M N O