Configuring log aggregation – Fortinet FortiAnalyzer 3.0 MR7 User Manual

Page 58


FortiAnalyzer Version 3.0 MR7 Administration Guide


05-30007-0082-20080908


Configuring log aggregation

Log aggregation is a method of collecting log data from one or more FortiAnalyzer units to a central FortiAnalyzer unit.

Log aggregation involves one or more FortiAnalyzer units configured to act as aggregation clients, and a FortiAnalyzer unit configured to act as an aggregation server. The aggregation client sends all of its device logs, including quarantined or content archived files, to the aggregation server. The transfer includes the active log up to the point of aggregation (for example, tlog.log) and all rolled logs stored on the aggregation client (tlog.1.log, tlog.2.log, tlog.3.log …).

Subsequent log aggregations include only changes; the aggregation client does not re-send previously aggregated logs.

On the aggregation server, additional devices appear in the device list, corresponding to the devices that log to the aggregation clients. You can identify these devices easily, as they do not have Rx and Tx permissions.
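The client and server behaviour described above, as an added example that is not Fortinet's code: it models the rolled-log naming (tlog.log, tlog.1.log, tlog.2.log …) and shows why the first aggregation ships the active log plus every rolled log while later runs ship only what changed. The page does not document the transfer protocol or the on-disk bookkeeping, so two things are assumed: each log file has an identity that survives renaming (a stand-in for an inode) and the client records, per identity, how many bytes the server already holds. The device name "client-A" and the log lines are constructed for the demonstration.

```python
"""Model of log rolling and incremental log aggregation between FortiAnalyzer units.

Added example, not Fortinet code. Assumed: a per-file identity that survives
renames (inode stand-in) and a per-identity count of bytes already sent.
"""
from dataclasses import dataclass, field
from itertools import count

_next_ident = count(1)


@dataclass
class LogFile:
    """One log file on the aggregation client; ident survives renames, like an inode."""
    data: bytes = b""
    ident: int = field(default_factory=lambda: next(_next_ident))


class AggregationClient:
    def __init__(self, prefix="tlog"):
        self.prefix = prefix
        self.active = f"{prefix}.log"          # the active log, e.g. tlog.log
        self.files = {self.active: LogFile()}
        self.sent = {}                         # ident -> bytes already aggregated

    def append(self, line: bytes):
        self.files[self.active].data += line

    def _index(self, name):
        return int(name.split(".")[1])         # "tlog.3.log" -> 3

    def roll(self):
        """tlog.N.log -> tlog.N+1.log, tlog.log -> tlog.1.log, then a new empty tlog.log."""
        rolled = [n for n in self.files if n != self.active]
        for name in sorted(rolled, key=self._index, reverse=True):
            self.files[f"{self.prefix}.{self._index(name) + 1}.log"] = self.files.pop(name)
        self.files[f"{self.prefix}.1.log"] = self.files.pop(self.active)
        self.files[self.active] = LogFile()

    def aggregate(self):
        """Return {filename: bytes not yet sent} and record them as sent.

        The first run ships the whole active log plus every rolled log; later
        runs ship only what was appended since, and a rolled log that was
        already transferred under its old name is not sent again.
        """
        changes = {}
        for name, f in self.files.items():
            offset = self.sent.get(f.ident, 0)
            if len(f.data) > offset:
                changes[name] = f.data[offset:]
                self.sent[f.ident] = len(f.data)
        return changes


class AggregationServer:
    """Keeps received chunks per client; each client shows up as an extra device."""
    def __init__(self):
        self.devices = set()
        self.chunks = []                       # (client, filename, bytes)

    def receive(self, client, changes):
        self.devices.add(client)
        for name, chunk in changes.items():
            self.chunks.append((client, name, chunk))

    def total_bytes(self):
        return sum(len(c) for _, _, c in self.chunks)


def demo():
    """Constructed scenario: two lines, a roll, one more line, then three aggregation runs."""
    client, server = AggregationClient(), AggregationServer()
    client.append(b"log_id=1 msg=a\n")
    client.append(b"log_id=2 msg=b\n")
    client.roll()                              # those two lines now live in tlog.1.log
    client.append(b"log_id=3 msg=c\n")
    first = client.aggregate()                 # tlog.log and tlog.1.log in full
    server.receive("client-A", first)          # "client-A" is a hypothetical device name
    client.append(b"log_id=4 msg=d\n")
    second = client.aggregate()                # only the new line of tlog.log
    server.receive("client-A", second)
    client.roll()                              # tlog.log -> tlog.1.log, tlog.1.log -> tlog.2.log
    third = client.aggregate()                 # nothing: every byte was already sent
    server.receive("client-A", third)
    return first, second, third, server


if __name__ == "__main__":
    first, second, third, server = demo()
    for run, changes in (("first", first), ("second", second), ("third", third)):
        print(run, {name: len(data) for name, data in changes.items()})
    print("server holds", server.total_bytes(), "bytes from", sorted(server.devices))
```

The third run returns nothing even though the file names changed, which is the property the page describes: tracking by identity and offset rather than by name is what keeps a roll from triggering a re-send of logs the server already holds.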

Log file should be rolled... even if size is not exceeded
Select how often the FortiAnalyzer unit renames the current log file and starts a new active log file.
Daily: Roll log files daily, even if the log file has not yet reached the maximum file size.
Weekly: Roll log files weekly, even if the log file has not yet reached the maximum file size.
Optional: Roll log files only when the log file reaches the maximum file size, regardless of the time interval.
This option appears only when Use System Device Log Settings is disabled.

Log to Host
Select to send log messages generated by the FortiAnalyzer unit to another host, such as a Syslog server.

IP
Enter the IP address of the Syslog server.

Port
Enter the Syslog port. The default port is 514.

Log Level
Select the severity level for the log messages recorded to the Syslog server. The FortiAnalyzer unit logs all severities down to, but not less severe than, the level you select. For example, to record emergency, alert, critical and error messages, select Error.

Format
Enable CSV format to record log messages in comma-separated value (CSV) formatted files, with log message fields separated by commas. When disabled, logs are recorded as standard log files.

Event Log
Select to configure which FortiAnalyzer unit events the FortiAnalyzer unit records to the log. Events can be logged locally on the FortiAnalyzer unit, or to the host indicated in Log to Host. Loggable event types include When configuration has changed, IPSec negotiation event, Admin login/logout event, and System activity event.

Automatically Delete
Select to configure automatic deletion of older logs and reports. Enable each type you wish to delete automatically (Logs older than, Network analyzer logs older than, Local logs older than, Reports older than, Content archive files older than), then select Hours, Days, Weeks or Months and enter the value for that age unit.
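The Log Level threshold rule and the two Log to Host formats (standard and CSV), as an added example that is not Fortinet's code. Assumptions: the eight standard syslog severities (RFC 5424, emergency=0 through debug=7) under Fortinet's level names, facility local1 for the syslog PRI value, a key=value layout for the "standard" record, and the hostname "fortianalyzer"; the sample events are constructed. Nothing leaves the machine unless forward() is called with dry_run=False.

```python
"""Severity-threshold filtering and syslog forwarding of FortiAnalyzer-style event logs.

Added example, not Fortinet code. Assumed: RFC 5424 severity numbers, facility
local1, a key=value standard record layout, and constructed sample events.
"""
import csv
import io
import socket

SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "information", "debug"]
LEVEL = {name: n for n, name in enumerate(SEVERITIES)}
FACILITY_LOCAL1 = 17          # assumption: syslog facility used for forwarded events
FIELDS = ["date", "time", "type", "subtype", "level", "msg"]


def event(date, time, subtype, level, msg):
    return dict(zip(FIELDS, (date, time, "event", subtype, level, msg)))


# Constructed sample events covering the categories the Event Log setting lists.
SAMPLE_EVENTS = [
    event("2008-09-08", "10:01:02", "admin", "information", "Admin login successful"),
    event("2008-09-08", "10:05:17", "system", "warning", "Disk usage above threshold"),
    event("2008-09-08", "10:07:44", "ipsec", "error", "IPSec negotiation failed"),
    event("2008-09-08", "10:09:03", "system", "critical", "RAID array degraded"),
    event("2008-09-08", "10:09:05", "config", "notification", "Configuration changed"),
]


def selected(events, threshold):
    """Keep events at the chosen Log Level or more severe (a lower number).

    Selecting "error" keeps emergency, alert, critical and error and drops
    warning and below, which is the rule the Log Level setting describes.
    """
    limit = LEVEL[threshold]
    return [e for e in events if LEVEL[e["level"]] <= limit]


def format_standard(e):
    """key=value record; values containing spaces are double-quoted."""
    return " ".join(f'{k}="{v}"' if " " in v else f"{k}={v}" for k, v in e.items())


def format_csv(e):
    """The same fields, in FIELDS order, comma separated (CSV format enabled)."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="").writerow(e[k] for k in FIELDS)
    return buf.getvalue()


def syslog_datagram(e, csv_format=False, hostname="fortianalyzer"):
    """Build the <PRI>hostname body payload for one event; PRI = facility * 8 + severity."""
    pri = FACILITY_LOCAL1 * 8 + LEVEL[e["level"]]
    body = format_csv(e) if csv_format else format_standard(e)
    return f"<{pri}>{hostname} {body}".encode()


def forward(events, threshold, host, port=514, csv_format=False, dry_run=True):
    """Apply the Log Level threshold, then send (or, by default, only build) the datagrams."""
    datagrams = [syslog_datagram(e, csv_format) for e in selected(events, threshold)]
    if not dry_run:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            for d in datagrams:
                sock.sendto(d, (host, port))
    return datagrams


if __name__ == "__main__":
    for d in forward(SAMPLE_EVENTS, "error", "192.0.2.10"):
        print(d.decode())
    print(forward(SAMPLE_EVENTS, "error", "192.0.2.10", csv_format=True)[0].decode())
```

With the threshold set to Error only the error and critical sample events are forwarded; with Warning the warning event joins them. Plain syslog on UDP port 514 carries no authentication or integrity protection, so the receiving host should only accept datagrams from the FortiAnalyzer unit's address.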
