DanielW
New Member
March 13, 2015
Solved

Distinct Log settings for different log categories?

  • March 13, 2015
  • 7 replies
  • 11763 views

Hello everyone,

I was wondering if someone has a hint for me regarding logging on the FortiAnalyzer. We are using it to aggregate Logs from different central Firewalls which are using different UTM Features.

We now want to separate the settings for different types of logs. This means, for example: the Traffic Log can be deleted after 10 days, but the UTM Log (AV, IPS, Botnet) should be stored for e.g. 30 days. Perhaps some other German customers understand why we are looking into that.

Since the FA saves all logs as .tlog, there is no way to delete just the logfiles themselves.

It does not need to be an option in the settings. Any approach fulfilling the task would be helpful.

Any suggestions?

Thanks!

Daniel

7 replies

L_FTNT
Staff
March 17, 2015

I believe this is NOT possible with FAZ today, but it would be a very interesting feature to have. It provides much more granular control over log data retention.

Do you know if any other similar product in the market today can do this?

DanielW (Author)
New Member
May 26, 2015

Nobody has any suggestions on how to address this problem? It is a shame that all logs are aggregated in one log file since 5.0. In times past one could just delete all tlog files.

FatalHalt
New Member
May 26, 2015

I'm not sure what exactly you mean. The FortiAnalyzer keeps different types of logs in different log formats. They all end in the .log extension, but that's trivial. You can view the different types by going to the Log Browse on the Log View tab.

Events: elog
Traffic: tlog
Virus: vlog
App Control: rlog
IPS: alog
Web Filter: wlog

I don't think you can specify different settings for these on the FortiAnalyzer itself, but, assuming you're backing up the logs to another server, what you can easily do is create a script which handles these different log types based on the type of log it is.

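The backup-server script FatalHalt suggests, written out as an added example (not code from the thread or from Fortinet). It gives each log type from the list above its own retention period, following the periods Daniel asked for (traffic 10 days, UTM 30 days; the event-log value and the default for unknown files are sample values), lists what would be deleted before anything is touched, and constructs a few sample files with artificial modification times so it can be run offline. The file naming it assumes, the type name as one dot-separated component such as `tlog.1426000000.log` or `fw1.vlog`, is an assumption, not the vendor's documented format.

```python
"""Per-type retention for FortiAnalyzer log files copied to a backup server.

Added example, not code from the thread or from Fortinet. It assumes the
backup tree keeps the log-browse type names listed in the post (elog, tlog,
vlog, rlog, alog, wlog) somewhere in the file name, e.g. 'tlog.1426000000.log'
or 'fw1.vlog' (assumed naming). Retention periods are constructed sample
values following the question (traffic 10 days, UTM 30 days), not vendor
defaults.
"""
import os
import time
from pathlib import Path
from typing import Dict, List, Optional

# Days to keep, keyed by log type. Assumed policy, not a FortiAnalyzer setting.
RETENTION_DAYS: Dict[str, int] = {
    "tlog": 10,   # traffic: short retention
    "vlog": 30,   # antivirus
    "alog": 30,   # IPS
    "rlog": 30,   # application control
    "wlog": 30,   # web filter
    "elog": 90,   # event log
}
DEFAULT_DAYS = 30  # files of unknown type are kept for the UTM period


def log_type(name: str) -> Optional[str]:
    """Return the log type named by one dot-separated component, or None."""
    for part in name.split("."):
        if part in RETENTION_DAYS:
            return part
    return None


def retention_days(name: str) -> int:
    """Retention period for a file name; unknown types get DEFAULT_DAYS."""
    t = log_type(name)
    return RETENTION_DAYS[t] if t is not None else DEFAULT_DAYS


def expired(path: Path, now: Optional[float] = None) -> bool:
    """True when the file's age (from mtime) exceeds its type's retention."""
    now = time.time() if now is None else now
    age_days = (now - path.stat().st_mtime) / 86400
    return age_days > retention_days(path.name)


def prune(root: Path, dry_run: bool = True, now: Optional[float] = None) -> List[Path]:
    """List (and, unless dry_run, delete) expired log files under root.

    The sorted list is returned so the decision can be reviewed before
    anything is removed; run with dry_run=True first.
    """
    removed: List[Path] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and expired(path, now):
            removed.append(path)
            if not dry_run:
                path.unlink()
    return removed


def make_sample_tree(root: Path, now: float) -> None:
    """Create constructed sample files with artificial modification times."""
    samples = {
        "tlog.1000.log": 20,   # traffic, 20 days old: past the 10-day limit
        "vlog.1000.log": 20,   # antivirus, 20 days old: still within 30 days
        "alog.1000.log": 45,   # IPS, 45 days old: expired
        "elog.1000.log": 45,   # event log, 45 days old: within 90 days
        "fw1.tlog": 5,         # fresh traffic log: kept
        "notes.txt": 100,      # unknown type: default 30 days, expired
    }
    root.mkdir(parents=True, exist_ok=True)
    for name, age in samples.items():
        p = root / name
        p.write_text("constructed sample\n")
        mtime = now - age * 86400
        os.utime(p, (mtime, mtime))


if __name__ == "__main__":
    import tempfile
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_tree(root, now)
        for p in prune(root, dry_run=True, now=now):
            print("would remove", p.name, "after", retention_days(p.name), "days")
```

Run it once with `dry_run=True` and compare the list against the retention table before switching to deletion; the file's modification time is the only age signal here, so the copy job must preserve mtimes (or the script must be changed to read the timestamp from the file name). Note that this only works while the FortiAnalyzer still writes separate files per type; on firmware that merges security logs into tlog, as the accepted answer in this thread reports for 5.0.7, extension-based separation is no longer possible.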
DanielW (Author)
New Member
May 27, 2015

Hello,

That is true for the old firmware. Which one are you using? On 4.3 we also had this possibility with the different logs. But Fortinet aggregated them all into tlog in 5.0. Since then, there is no way one can treat the various types of log files differently... or at least none I am aware of.

FatalHalt
New Member
May 27, 2015

This is a screenshot of my FortiAnalyzer running 5.0.6. As you can see I have different types of logs. This is just one page, so I can't show you all of the types, but I do have every type I listed in my previous post.

DanielW (Author)
New Member
May 27, 2015

That looks like the old logging system I used to know. I suppose it depends on the FortiGates you feed the Analyzer with. Are these also upgraded to FOS 5.0 in your case?

FatalHalt
New Member
May 27, 2015

Yes, I'm running a variety of different FortiGate models (60, 90, 100, 110, 111, 300, 600, 1000), but all are running some version of 5.0.

DanielW (Author, Best answer)
New Member
May 28, 2015

And we have the solution why there are no distinct vlog and alog files in our case. Official Fortinet support:

Please be informed that starting from firmware version 5.0.7 there are no log browse files like wlog, alog, vlog, dlog. All security logs are merged with traffic logs and starting from 5.0.7 you should be able to see only tlog files (traffic + security logs) and elog file (event log).

FatalHalt
New Member
May 28, 2015

DanielW wrote:

All security logs are merged with traffic logs and starting from 5.0.7 you should be able to see only tlog files (traffic + security logs) and elog file (event log).

Guess I never saw that in the release notes haha. Seems a bit silly though.