auppal (Staff)
Article Id 220357
Description

This article describes how to enable Security Events logging in firewall policies when the Security Fabric is enabled.

It applies to both Fabric root and downstream (subordinate) FortiGates.

When FortiGates are part of a Security Fabric, policy logging is set to 'All Sessions' by default.

The logging option cannot be changed directly to 'Security Events' because the option is greyed out in the GUI.

In some networks, it may be necessary to log only Security Events to avoid the large volume of logs generated by logging all sessions.

In this example, the Security Fabric is enabled and the local FortiGate is the Fabric root.
In the firewall policy, the option to select Security Events logging is greyed out.
Although the CLI offers the option to set the policy's log traffic setting to 'UTM', this does not change the setting in the GUI, and the FortiGate continues to log all traffic.
Scope

FortiGate.
Solution

To resolve this, set configuration-sync to 'local' instead of the 'default' in the Security Fabric settings of the FortiGate.

After making the change, the option is no longer greyed out: set the policy logging to Security Events from the GUI.

Note: configuration-sync can be set to one of two options:

  • Default: Synchronize the configuration for FortiAnalyzer, FortiSandbox, and Central Management with the root node.
  • Local: Do not synchronize the configuration with the root node.


As mentioned, setting it to 'local' prevents the device from synchronizing its configuration with the root node.

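The same procedure from the CLI, as an added example that is not taken from the article; it assumes a downstream FortiGate and a firewall policy with ID 1:

```fortios
# Step 1: stop synchronizing the logging-related configuration from the Fabric root
# (equivalent to choosing 'Local' for configuration-sync in the GUI).
config system csf
    set configuration-sync local
end

# Step 2: the policy log setting can now be changed.
# 'utm' corresponds to 'Security Events' in the GUI; 'all' is 'All Sessions'.
# Policy ID 1 is an assumed value; use the ID of the policy to change.
config firewall policy
    edit 1
        set logtraffic utm
    next
end

# Verify that the policy now shows 'set logtraffic utm'.
show firewall policy 1
```

With configuration-sync set to local, the FortiAnalyzer, FortiSandbox and Central Management settings are no longer synchronized from the root, so verify them on this FortiGate afterwards.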

Note: The 'set configuration-sync local' command is available only on a downstream FortiGate; on a root FortiGate it is not available, and it has therefore been removed in FortiOS 7.6.1 and onwards.

Refer to the following article for details on how enabling 'set configuration-sync local' on a downstream device affects Security Fabric devices: Technical Tip: The impact of 'set configuration-sync local' on the Security Fabric.