Skip to Content

How to forward and roll local log to FTP server

By: Author Alex Lim

Posted on

Categories Process

This article describes how to configure the FortiAnalyzer to forward and roll local logs to a FTP server, and note when configuring.

Scope

FortiAnalyzer.

Solution

To Configure the FortiAnalyzer

Login to the CLI with Putty or any terminal client and run the following command:

config system locallog disk setting
set upload enable
set uploadip <ipv4_address>
set uploaduser <string>
set uploadpass <passwd>
set uploadzip {enable | disable}
set upload-delete-files {enable | disable}
set roll-schedule {none | daily | weekly}
set roll-time <hh:mm>
end

For example

In the following configuration, the local log is rolled and forwarded to the FTP server(10.111.28.128) at 11:12 AM daily.
The local logs will remain in FortiAnalyzer after forwarding.

config system locallog disk setting
set upload enable
set uploadip 10.111.28.128
set uploaduser locallog
   set uploadpass password
   set uploadzip enable
   set upload-delete-files disable
   set roll-schedule daily
  set roll-time 11:12
end

To check local logs are rolled and forwarded to the FTP server

Go to GUI LogView > FortiAnalyzer > Event and check the log. If successful, the following log will be output.

id=7377578397964173312 bid=4200094 dvid=1083 itime=1717726327 euid=1 epid=1 dsteuid=1 dstepid=1 log_id="0001010038" subtype="system" type="event" level="information" time="11:12:07" date="2024-06-07" msg="Log elog.locallog.20230914114744 uploaded to 10.111.28.128 successfully" devlog="locallog" lnk_path="elog.locallog.20230914114744" remote_ip="10.111.28.128" uploading_oper=0 uploading_pid=11685 uploading_server_type=0 desc="Log upload successful" operation="system log" performed_on="10.111.28.128" changes="Log elog.locallog.20230914114744 uploaded to 10.111.28.128 successfully" tz="+0900" devid="FAZ-VMTMXXXXXXXX" devname="FAZ-01"

id=7377578393669206017 bid=4200095 dvid=1083 itime=1717726326 euid=1 epid=1 dsteuid=1 dstepid=1 log_id="0001010038" subtype="system" type="event" level="information" time="11:12:06" date="2024-06-07" msg="Log /var/log/locallog/elog.268 is compressed to /var/log/locallog/pending_upload/elog.locallog.20230914114744.gz successfully" devlog="locallog" log_path="/var/log/locallog/elog.268" remote_ip="10.111.28.128" uploading_oper=0 uploading_pid=11685 uploading_server_type=0 zip_path="/var/log/locallog/pending_upload/elog.locallog.20230914114744.gz" desc="Log upload successful" operation="system log" performed_on="10.111.28.128" changes="Log /var/log/locallog/elog.268 is compressed to /var/log/locallog/pending_upload/elog.locallog.20230914114744.gz successfully" tz="+0900" devid="FAZ-VMTMXXXXXXXX" devname="FAZ-01"

id=7377578393669206016 bid=4200094 dvid=1083 itime=1717726326 euid=1 epid=1 dsteuid=1 dstepid=1 log_id="0001010036" subtype="system" type="event" level="information" time="11:12:06" date="2024-06-07" msg="Log has been rolled and are uploading as file 'elog.locallog.20240607111201'. size=2111191 bytes(2.01MB)" file="elog.locallog.20240607111201" log_size=2111191 desc="Log rolling and uploading" operation="system log" performed_on="locallog" changes="Log has been rolled and are uploading as file 'elog.locallog.20240607111201'. size=2111191 bytes(2.01MB)" tz="+0900" devid="FAZ-VMTMXXXXXXXX" devname="FAZ-01"

Note: It works only once a day.

For example.

  • The roll time is set to ’08:00′, and it works.
  • if it is set to ’09:00′ after that, it will not work, and it will work at 9:00 a.m. the next day.