Giovanna
New Contributor III

Categorization of Logs in FortiGate

Dear all,

Could you please let me know which category the following logs in FortiGate belong to, based on the categories shown in the image from the FortiGate GUI?

- Anomaly
- APP-CTRL
- DLP
- DNS
- EmailFilter
- FILE-FILTER
- FORTI-SWITCH
- GTP
- ICAP
- IPS
- SSH
- SSL
- Virus
- VoIP
- WAF
- Webfilter

I found these categories in the table in the "Log Reference" section of the FortiGate guide. I can't understand, for example, which category the "anomaly" logs belong to according to the FortiGate list in the GUI (shown in the image).


Thank you in advance for your support.

Best regards,

[image: fortigate.jpg]

6 Replies

funkylicious
SuperUser

hi,

Usually those logs (for Application Control, Web Filtering, DNS Filter, etc., which are security profiles) are found under Security Events when they are used in policies (either UTM or Log all sessions enabled) and the actual profiles are set to log different traffic (Monitor/Block), https://docs.fortinet.com/document/fortigate/7.6.3/administration-guide/876272/security-events-log-p... and Anomaly should contain DoS policy events if a DoS policy is set and when it is triggered.

"jack of all trades, master of none"
Giovanna

Many thanks for your reply!

Do you happen to know which category SSH logs belong to? In the FortiGate GUI I can't see them while the others are present (image below). I don't see them listed under "Security Events," and I was wondering whether this is something that needs to be configured, or if such logs are generated by default.

I tried to monitor logs while opening an SSH session and traced them in the syslog collector. The log appears with ID 32002, type: event, and category: system — not the “SSH” type I expected.

[image: fortiLogs.jpg]

funkylicious

If you are referring to SSL/SSH Inspection, which is a security profile, then it should be found under Security Events, with a separate view for each one (SSH and SSL).

 

L.E. I see that you are running an older version than 7.2, in which case they should be found under SSL.

"jack of all trades, master of none"
Giovanna

yes, thanks again!

Giovanna

I’d like to ask you one more question.
In my opinion, only the "event" and "traffic" log types are available by default. All the others in the list below (such as APP-CTRL, DLP, etc.) are linked to security profiles, whose use requires a separate purchase.

Do you think this statement is correct?

funkylicious

Security profiles require a UTM license (L7 traffic), which is subscription based for a period of time.

traffic - forward; this is traffic matched by a firewall (L3/L4 traffic, if the rule has Log all sessions) and this doesn't require a subscription to work. Basic routing is available out of the box.

traffic - local ; traffic to or from a local interface

events - are just that, different events on the FGT; link up/down, config changes, etc.

"jack of all trades, master of none"