The type and frequency of log messages you intend to save determines the type of log storage to use. For example, if you want to log traffic and content logs, you need to configure the unit to log to a syslog server. The FortiProxy system disk is unable to log traffic and content logs because of their frequency and large file size.
Storing log messages to one or more locations, such as a syslog server, might be a better solution for your logging requirements than the FortiProxy system disk.
This topic contains information about logging to FortiAnalyzer or FortiManager units, a syslog server, and to disk.
To configure log settings, go to Log > Log Settings.
Configure the following settings:
Memory debugging
Memory on FortiProxy might appear high, even on an unloaded system; however, this level is not usually cause for concern because available memory is used to improve the disk-caching performance and is returned to the system if needed.
To enable debugging of memory status in cases of high memory usage, and to confirm that there is no issue, use the following CLI commands, which show memory use by each WAD worker and by the cache service.
CLI syntax
diagnose wad memory <ssl | ssh>
diagnose wad <worker | csvc> memory stats <basic | misc>
The TAC report generated by execute tac report includes the WAD memory usage statistics.
Local logging and archiving
The FortiProxy system can store log messages on disk. It can store traffic and content logs on the system disk or disks. When the log disk is full, logging to disk can either be suspended, or the oldest logs can be overwritten.
Remote logging to a syslog server
A syslog server is a remote computer running syslog software and is an industry standard for logging. Syslog is used to capture log information provided by network devices. The syslog server is both a convenient and flexible logging device because any computer system, such as Linux, Unix, and Intel-based Windows, can run syslog software.
When configuring logging to a syslog server, you need to configure the facility and the log file format, which is either normal or Comma Separated Values (CSV). The CSV format contains commas, whereas the normal format contains spaces. Logs saved in the CSV file format can be viewed in a spreadsheet application, while logs saved in normal format are viewed in a text editor because they are saved as plain text files.
Configuring a facility makes it easy to identify the device that recorded the log file. You can choose from many different facility identifiers, such as daemon or local7.
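The following is an added example (not Fortinet's code) of how a collector consumes the facility and format settings described above: it reads the syslog facility from the <PRI> header, detects whether the body is in normal or CSV format, parses the key=value fields, and checks that the record carries the facility configured on the unit. The <PRI> header, the field layouts and the sample records are constructed assumptions for this illustration, not captured FortiProxy output.

```python
import re

# Constructed sample records (assumed layout, not real FortiProxy output).
# Normal format: space-separated key=value pairs, quoted when a value has spaces.
NORMAL_MSG = ('<189>date=2024-01-01 time=12:00:00 devname="proxy-1" type=traffic '
              'subtype=forward action=deny msg="URL belongs to a denied category"')
# CSV format: the same pairs separated by commas.
CSV_MSG = ('<189>date=2024-01-01,time=12:00:00,devname="proxy-1",type=traffic,'
           'subtype=forward,action=deny,msg="URL belongs to a denied category"')

# Syslog facility numbers (RFC 3164); the unit lets you pick e.g. daemon or local7.
FACILITY_NAMES = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 5: "syslog",
                  **{16 + i: f"local{i}" for i in range(8)}}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# key=value where the value is either a double-quoted string or a run of
# characters up to the next separator (space in normal format, comma in CSV).
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s,]*)')


def parse_record(raw):
    """Return facility name, severity, detected format and fields of one record."""
    m = _PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI> header")
    pri, body = int(m.group(1)), m.group(2)
    if pri > 191:  # 23 facilities * 8 severities - 1
        raise ValueError("PRI out of range")
    first = _KV_RE.match(body)
    if not first:
        raise ValueError("body is not key=value data")
    # The character after the first pair tells normal (space) from CSV (comma).
    fmt = "csv" if body[first.end():first.end() + 1] == "," else "normal"
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(body)}
    return {"facility": FACILITY_NAMES.get(pri >> 3, str(pri >> 3)),
            "severity": pri & 7, "format": fmt, "fields": fields}


def check_source(raw, expected_facility):
    """Collector-side check: does the record carry the facility configured on
    the unit? A mismatch means another device sent it or the settings drifted."""
    rec = parse_record(raw)
    return rec["facility"] == expected_facility, rec
```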
If you are configuring multiple syslog servers, configuration is available only in the CLI. You can also enable the reliable delivery option for syslog log messages in the CLI.
From the CLI, you can enable reliable delivery of syslog messages using the following commands:
config log {syslogd | syslogd2 | syslogd3 | syslogd4} setting
set status enable
set reliable enable
end
The FortiProxy unit implements the RAW profile of RFC 3195 for reliable delivery of log messages. Reliable syslog protects log information through authentication and data encryption and ensures that the log messages are reliably delivered in the correct order. This feature is disabled by default.
If more than one syslog server is configured, the syslog servers and their settings appear on the Log Settings page. You can configure multiple syslog servers in the CLI using the config log {syslogd | syslogd2 | syslogd3 | syslogd4} setting CLI command.
You can specify the source IP address of self-originated traffic when configuring a syslog server; however, this is available only in the CLI.