contreraspa
Staff
Article Id 424981
Description This article describes how to configure and enable a Remote Logging server in a FortiMail Cloud instance.
Scope FortiMail Cloud.
Solution

Because FortiMail Cloud instances store logs for a limited time (60 days), some users need to send logs to an external server to retain them for longer. This can be accomplished by configuring an external remote log server entry.


As described in the technical document Technical Tip: Enable the external syslog in a FortiMail-Cloud instance, the request must be submitted through the Fortinet TAC.

The TAC engineer should then create a remote logging entry using the parameters provided by the customer, including IP address, protocol, and port. The destination server can be a FortiAnalyzer or a syslog server. More information is available in the following technical document:

Logging to a Syslog server or FortiAnalyzer unit

Since FortiMail Cloud is a shared cloud-hosted platform, some logs are specific to platform administrators and must not be shared with end users. For this reason, the following settings must be disabled in the remote log entry configuration:

[Screenshot: fortimail-remote log server.png]

Only the options 'Configuration-Admin', 'Configuration-User', and 'Admin activity' must be enabled under System Event settings. This way, only configuration changes and admin access logs will be shared with the user.

This can also be configured through the CLI by executing the following commands:

config log setting remote
    edit remote-log-server <---
        set server x.x.x.x
        set sysevent-log-category configuration configuration-user admin
    next
end
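
An added example, not from the original article or from Fortinet: a Python check over a saved copy of the remote log configuration that flags any entry whose `sysevent-log-category` goes beyond the three categories allowed above. The entry name `customer-siem` and the value `placeholder-category` are constructed for illustration, and treating a missing category line as a finding is an assumption.

```python
# Categories the article says may be enabled under System Event settings.
ALLOWED = {"configuration", "configuration-user", "admin"}

def parse_remote_entries(text):
    """Parse 'config log setting remote' blocks into {entry: {key: [values]}}."""
    entries, in_block, current = {}, False, None
    for raw in text.splitlines():
        tokens = raw.split("<---")[0].split()  # ignore arrow annotations
        if not tokens:
            continue
        if tokens[:4] == ["config", "log", "setting", "remote"]:
            in_block = True
        elif not in_block:
            continue
        elif tokens[0] == "edit" and len(tokens) > 1:
            current = entries.setdefault(tokens[1], {})
        elif tokens[0] == "set" and current is not None and len(tokens) > 1:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "end":
            in_block, current = False, None
    return entries

def audit(text):
    """Return {entry: extra categories}; ['<unset>'] if no category line exists."""
    findings = {}
    for name, settings in parse_remote_entries(text).items():
        cats = settings.get("sysevent-log-category")
        if cats is None:
            findings[name] = ["<unset>"]  # assumption: defaults need manual review
        elif set(cats) - ALLOWED:
            findings[name] = sorted(set(cats) - ALLOWED)
    return findings

# Constructed sample: first entry mirrors the article, second adds a made-up category.
SAMPLE = """\
config log setting remote
    edit remote-log-server <---
        set server x.x.x.x
        set sysevent-log-category configuration configuration-user admin
    next
    edit customer-siem
        set server x.x.x.x
        set sysevent-log-category configuration admin placeholder-category
    next
end
"""

if __name__ == "__main__":
    for entry, extra in audit(SAMPLE).items():
        print(f"{entry}: not permitted for customer export -> {extra}")
```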