- To configure the FortiAnalyzer: Log in to the CLI with PuTTY or any terminal client and run the following commands:
config system locallog disk setting
    set upload enable
    set uploadip <ipv4_address>
    set uploaduser <string>
    set uploadpass <passwd>
    set uploadzip {enable | disable}
    set upload-delete-files {enable | disable}
    set roll-schedule {none | daily | weekly}
    set roll-time <hh:mm>
end
For example, in the following configuration, the local log is rolled and forwarded to the FTP server (10.111.28.128) at 11:12 AM daily. The local logs remain on the FortiAnalyzer after forwarding.
config system locallog disk setting
    set upload enable
    set uploadip 10.111.28.128
    set uploaduser locallog
    set uploadpass password
    set uploadzip enable
    set upload-delete-files disable
    set roll-schedule daily
    set roll-time 11:12
end
- To check that local logs are rolled and forwarded to the FTP server: In the GUI, go to LogView -> FortiAnalyzer -> Event and check the log. If the upload succeeded, the following log entries appear.
id=7377578397964173312 bid=4200094 dvid=1083 itime=1717726327 euid=1 epid=1 dsteuid=1 dstepid=1 log_id="0001010038" subtype="system" type="event" level="information" time="11:12:07" date="2024-06-07" msg="Log elog.locallog.20230914114744 uploaded to 10.111.28.128 successfully" devlog="locallog" lnk_path="elog.locallog.20230914114744" remote_ip="10.111.28.128" uploading_oper=0 uploading_pid=11685 uploading_server_type=0 desc="Log upload successful" operation="system log" performed_on="10.111.28.128" changes="Log elog.locallog.20230914114744 uploaded to 10.111.28.128 successfully" tz="+0900" devid="FAZ-VMTMXXXXXXXX" devname="FAZ-01"
id=7377578393669206017 bid=4200095 dvid=1083 itime=1717726326 euid=1 epid=1 dsteuid=1 dstepid=1 log_id="0001010038" subtype="system" type="event" level="information" time="11:12:06" date="2024-06-07" msg="Log /var/log/locallog/elog.268 is compressed to /var/log/locallog/pending_upload/elog.locallog.20230914114744.gz successfully" devlog="locallog" log_path="/var/log/locallog/elog.268" remote_ip="10.111.28.128" uploading_oper=0 uploading_pid=11685 uploading_server_type=0 zip_path="/var/log/locallog/pending_upload/elog.locallog.20230914114744.gz" desc="Log upload successful" operation="system log" performed_on="10.111.28.128" changes="Log /var/log/locallog/elog.268 is compressed to /var/log/locallog/pending_upload/elog.locallog.20230914114744.gz successfully" tz="+0900" devid="FAZ-VMTMXXXXXXXX" devname="FAZ-01"
id=7377578393669206016 bid=4200094 dvid=1083 itime=1717726326 euid=1 epid=1 dsteuid=1 dstepid=1 log_id="0001010036" subtype="system" type="event" level="information" time="11:12:06" date="2024-06-07" msg="Log has been rolled and are uploading as file 'elog.locallog.20240607111201'. size=2111191 bytes(2.01MB)" file="elog.locallog.20240607111201" log_size=2111191 desc="Log rolling and uploading" operation="system log" performed_on="locallog" changes="Log has been rolled and are uploading as file 'elog.locallog.20240607111201'. size=2111191 bytes(2.01MB)" tz="+0900" devid="FAZ-VMTMXXXXXXXX" devname="FAZ-01"
Note:
The scheduled roll and upload runs only once a day.
For example:
- If the roll time is set to '08:00', the roll runs at that time.
- If the roll time is then changed to '09:00' afterwards, it will not run again that day; it will run at 9:00 a.m. the next day.
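The check in LogView can also be scripted against exported event-log lines. The Python below is an added example, not Fortinet code: the function names are hypothetical, and it assumes the log IDs and field names seen in the sample entries above (0001010036 for the roll, 0001010038 with lnk_path for the upload). SAMPLE is constructed by abridging those entries.

```python
import re

# key=value pairs; quoted values may contain spaces and '=' (e.g. msg="... size=2111191 ...")
PAIR = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: the three entries shown above, cut down to the fields the check reads.
SAMPLE = '''\
type="event" log_id="0001010038" time="11:12:07" date="2024-06-07" msg="Log elog.locallog.20230914114744 uploaded to 10.111.28.128 successfully" lnk_path="elog.locallog.20230914114744" remote_ip="10.111.28.128"
type="event" log_id="0001010038" time="11:12:06" date="2024-06-07" msg="Log /var/log/locallog/elog.268 is compressed to /var/log/locallog/pending_upload/elog.locallog.20230914114744.gz successfully" remote_ip="10.111.28.128" zip_path="/var/log/locallog/pending_upload/elog.locallog.20230914114744.gz"
type="event" log_id="0001010036" time="11:12:06" date="2024-06-07" msg="Log has been rolled and are uploading as file 'elog.locallog.20240607111201'. size=2111191 bytes(2.01MB)" file="elog.locallog.20240607111201"
'''

def parse_line(line):
    """Turn one event-log line into a dict of field -> value (quotes removed)."""
    return {k: v.strip('"') for k, v in PAIR.findall(line)}

def check_uploads(text, expected_ip, roll_time):
    """Summarise roll/upload events and flag anything that contradicts the config.

    expected_ip and roll_time are the configured 'uploadip' and 'roll-time' values.
    """
    result = {"rolled": [], "uploaded": [], "unexpected_dest": [], "off_schedule": []}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev.get("type") != "event":
            continue
        if ev.get("log_id") == "0001010036":        # roll event
            result["rolled"].append(ev.get("file"))
            if not ev.get("time", "").startswith(roll_time):
                result["off_schedule"].append(ev.get("time"))
        elif ev.get("log_id") == "0001010038":      # compress or upload event
            if ev.get("remote_ip") != expected_ip:  # logs sent somewhere unexpected
                result["unexpected_dest"].append(ev.get("remote_ip"))
            if "lnk_path" in ev:                    # upload step (compress step has zip_path)
                result["uploaded"].append(ev["lnk_path"])
    return result

if __name__ == "__main__":
    print(check_uploads(SAMPLE, expected_ip="10.111.28.128", roll_time="11:12"))
```

In the sample the uploaded file name differs from the file rolled in the same minute, so compare the `rolled` and `uploaded` lists over several days rather than expecting a one-to-one match within a single run.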