FortiGate
hazim
Staff
Article Id 216995
Description

This article describes how to configure traffic/event logging to the onboard disk storage on the FortiGate. Disk Logging can be enabled by using either the GUI or the CLI.

Scope

FortiGate.
Solution

Before beginning, take note of the following regarding disk logging on the FortiGate:

  • Generally speaking, FortiGate/FortiWiFi models ending in 1 or 2 will have onboard logging disks (such as the FortiGate-52E, 61F, 101F, 1801F and 4201F), whereas models ending in 0 will not (FortiGate-50E, 60F, 100F, etc.).
    • There are exceptions: some models ending in 0 support disk logging, and some low-end FortiGate models do not support it because of the impact that disk writes have on the lifespan of flash storage.
    • Check the model's product datasheet to confirm if the FortiGate model includes a dedicated log disk and/or internal storage.
  • The default disk logging setting will depend on the model of FortiGate:
    • 1U and desktop-tier FortiGates will have disk logging enabled by default. This generally includes models below the 1xxx-series, ranging from desktop units like the FortiGate-51G to rackmount units such as the FortiGate-901G.
    • 2U and larger-sized FortiGates will have disk logging disabled by default. This generally includes models at or beyond the 1xxx-series, such as 1001F, 1801F, 4201F, etc.

 

If the FortiGate has a log disk, it can be enabled/disabled via the GUI or the CLI, based on the administrator's logging requirements:

 

Enable disk logging via the Web GUI:

  1. Log into FortiGate.
  2. Navigate to Log & Report -> Log Settings, then select the Local Log tab.
    • If Virtual Domains (VDOMs) are being utilized on the FortiGate then this configuration will be done on a per-VDOM basis, rather than through the Global VDOM.
  3. Set the Disk logging toggle to Enable.
  4. Select Apply to commit the change.

 

 
Enable Disk logging via the CLI:
 
config log disk setting
set status enable
end
 
It is also possible to configure additional filters for disk logging within the CLI:
 

FGT (root) # config log disk filter

FGT (filter) # show full

config log disk filter

    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set ztna-traffic enable
    set anomaly enable
    set voip enable
    set dlp-archive enable

end

Or:

 

FGT # show full log disk filter

config log disk filter

    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set ztna-traffic enable
    set anomaly enable
    set voip enable
    set dlp-archive enable

end

 

Note:
If a log disk is unavailable on the FortiGate then the option to configure the log disk setting will not be present.
To check if the log disk is available or not, run the following command and check the output of 'Log hard disk' (status will say 'Available' or 'Not available'): 
 
FGT-60F # get system status | grep Log
Log hard disk: Not available
 
FGT-61F # get system status | grep Log
Log hard disk: Available
 
On the FortiGate 30G model, although a log disk is available, it is restricted to 'event' logs only, and logging forward traffic to the disk is not possible. For more information, refer to Technical Tip: Limitations of Disk Logging on FortiGate-30G Firewalls.
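
The three checks described in this article (log disk availability, the disk setting status and the disk filter categories) can be run over a saved CLI capture. The following Python script is an added example, not Fortinet code: the capture text is constructed, `show full log disk setting` is assumed to print the setting block in the same form as the filter block, and `REQUIRED`, `parse_blocks` and `audit` are names chosen for this illustration.

```python
import re

# Constructed capture in the output formats shown in this article.
SAMPLE = """\
FGT-61F # get system status | grep Log
Log hard disk: Available
FGT-61F # show full log disk setting
config log disk setting
    set status disable
end
FGT-61F # show full log disk filter
config log disk filter
    set forward-traffic enable
    set local-traffic disable
    set anomaly enable
end
"""
REQUIRED = ("forward-traffic", "local-traffic", "anomaly")  # assumption: local policy

def parse_blocks(text):
    """Map each 'config <path>' block to a dict of its 'set <key> <value>' lines."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()          # prompt lines ("FGT # ...") match nothing below
        m = re.match(r"set (\S+)\s+(.+)", line)
        if line.startswith("config "):
            current = blocks.setdefault(line[7:], {})
        elif line == "end":
            current = None
        elif current is not None and m:
            current[m.group(1)] = m.group(2)
    return blocks

def audit(text, required=REQUIRED):
    """Return a list of findings; an empty list means the capture passes."""
    m = re.search(r"^Log hard disk:\s*(.+?)\s*$", text, re.M)
    if m is None or m.group(1) != "Available":
        return ["log disk not reported as Available; disk logging cannot be set"]
    blocks, findings = parse_blocks(text), []
    if blocks.get("log disk setting", {}).get("status") != "enable":
        findings.append("log disk setting: status is not enable")
    flt = blocks.get("log disk filter", {})
    for key in required:
        if flt.get(key) != "enable":
            findings.append(f"log disk filter: {key} is {flt.get(key, 'missing')}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "disk logging configured as required")
```

On the constructed capture, the script reports the disabled disk setting and the disabled local-traffic category.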