Description
This article describes how to enable Security Event logging when Security Fabric is enabled. It applies to both Fabric root and subordinate FortiGates.
When FortiGates are part of a Security Fabric, policy logging is set to 'All Sessions' by default. Users cannot change the logging to Security Events directly, because the option is greyed out in the GUI. In some networks it may be necessary to log only Security Events to avoid the large volume of logs that All Sessions logging generates.
As shown below, Security Fabric is enabled and the local FortiGate is the Fabric root -
As seen below, the option to select Security Event logging in the policy is greyed out -
Although the CLI offers the option to set logtraffic to 'UTM', the change is never reflected in the GUI and the FortiGate continues to log all traffic.
Scope
FortiGate.
Solution
To resolve this, set configuration-sync to 'local' instead of the 'default'. This can be achieved as shown below -
After making the change, set the logging to Security Events from the GUI -
Note: configuration-sync can be set to one of two options:
Default - Synchronize the configuration for FortiAnalyzer, FortiSandbox, and Central Management with the root node.
Local - Do not synchronize the configuration with the root node.
As mentioned, setting it to local prevents the device from synchronizing its configuration with the root node.
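The following is an added example, not code from the article or from Fortinet. It audits a FortiOS configuration dump (the text `show` prints) for the two settings this article turns on: `configuration-sync` under `config system csf`, and `logtraffic` on each entry in `config firewall policy`. The parser and the sample configuration below are constructed for illustration; the CLI section and key names are the real FortiOS ones. Because 'local' also stops the root node from pushing FortiAnalyzer, FortiSandbox and Central Management settings, the audit is useful after the change as a reminder that those settings now have to be maintained on the device itself.

```python
"""Audit a FortiOS `show` dump for Security Fabric configuration-sync mode
and per-policy logtraffic.  Example written for this article (not Fortinet
code); SAMPLE_CONFIG is a constructed snippet in `show` output shape."""

# Constructed sample: one policy still logs 'all' sessions, configuration-sync
# has already been set to local on this device.
SAMPLE_CONFIG = """\
config system csf
    set status enable
    set configuration-sync local
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set logtraffic all
    next
    edit 2
        set name "dmz-to-wan"
        set logtraffic utm
    next
    edit 3
        set name "mgmt"
        set logtraffic disable
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end lines into
    {section: {edit_id or None: {key: value}}}.

    Section-level `set` lines (no enclosing `edit`) are stored under the key
    None.  Nested `config` sub-tables are tracked with a stack but keyed by
    their own name only, which is enough for the two flat sections audited here.
    """
    tree = {}
    stack = []  # frames of [section_name, current_edit_id]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append([line[len("config "):].strip(), None])
            tree.setdefault(stack[-1][0], {})
        elif line.startswith("edit ") and stack:
            stack[-1][1] = line[len("edit "):].strip().strip('"')
            tree[stack[-1][0]].setdefault(stack[-1][1], {})
        elif line == "next" and stack:
            stack[-1][1] = None
        elif line == "end" and stack:
            stack.pop()
        elif line.startswith("set ") and stack:
            key, _, value = line[len("set "):].partition(" ")
            section, entry = stack[-1]
            tree[section].setdefault(entry, {})[key] = value.strip().strip('"')
    return tree


def audit(config_text):
    """Return the findings a Fabric member needs before switching policies to
    Security Events logging."""
    tree = parse_fortios(config_text)
    csf = tree.get("system csf", {}).get(None, {})
    policies = tree.get("firewall policy", {})
    findings = {
        "fabric_enabled": csf.get("status") == "enable",
        # `show` omits keys at their default; configuration-sync defaults to 'default'.
        "configuration_sync": csf.get("configuration-sync", "default"),
        # Policies that explicitly log every session rather than UTM/security events.
        "all_session_policies": sorted(
            pid for pid, attrs in policies.items()
            if pid is not None and attrs.get("logtraffic") == "all"
        ),
    }
    # With Fabric enabled and sync at 'default', the GUI keeps the option greyed out.
    findings["sync_blocks_security_events"] = (
        findings["fabric_enabled"] and findings["configuration_sync"] == "default"
    )
    return findings


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against a real dump by replacing `SAMPLE_CONFIG` with the output of `show system csf` and `show firewall policy` concatenated; `all_session_policies` lists the policy IDs still to be switched to Security Events, and `sync_blocks_security_events` tells you whether the configuration-sync change from the Solution section is still outstanding.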
Copyright 2025 Fortinet, Inc. All Rights Reserved.