
Fortinet Log Forwarding

Complete guide to configuring Fortinet FortiAnalyzer log forwarding modes, including Forwarding Mode and Aggregation Mode setup.

Overview

FortiAnalyzer supports two mechanisms for sending logs to another server:

  • Forwarding Mode – Client-only configuration; server requires no setup.
  • Aggregation Mode – Requires configuration on both client and server; designed for centralized log collection.

This document describes configuration steps, parameters, and behavior for both modes.

Forwarding Mode

Summary

  • Configured from the GUI.
  • No configuration required on the receiving server.
  • Sends logs in real time or at a fixed interval, depending on the Sending Frequency setting (the interval options apply to FortiAnalyzer destinations only).
  • Supports forwarding to FortiAnalyzer, Syslog, or CEF servers.

Configuring Forwarding Mode (Client Side – GUI)

Steps

  1. Navigate to: System Settings → Log Forwarding
  2. Click Create New.
  3. In the Create New Log Forwarding panel, fill in the fields described below.
  4. Click OK to enable log forwarding.

Configuration Fields

Field                Required  Default          Description
Name                 Yes       -                Name of the remote server entry.
Status               Yes       OFF              ON enables forwarding to this server; OFF disables it.
Remote Server Type   Yes       -                FortiAnalyzer, Syslog, or CEF.
Server IP            Yes       -                IP address of the destination server.
Server Port          No        514              Destination port. Shown only for Syslog and CEF.
Reliable Connection  No        OFF              ON = TCP, OFF = UDP. Confirm the server listens on TCP on the chosen port before enabling. Note that UDP gives no delivery feedback: logs sent to an unreachable or non-listening server are silently lost, so verify reception on the server after enabling forwarding either way.
Sending Frequency    No        Every 5 Minutes  FortiAnalyzer destinations only. Real-time, Every 1 Minute, or Every 5 Minutes.

Log Forwarding Filters

Device Filters

  • Click Select Device to choose which devices will forward logs.

Log Filters

  • Turn ON to forward only the logs that match the filter rules.
  • Choose whether a log must match All rules or Any rule.
  • Add filter rules, each of the form:
    • Log Field → Match Criteria → Value

Exclusions (Syslog/CEF only)

  • Turn ON to exclude certain logs.
  • Specify:
    • Device Type
    • Log Type
  • Add excluded log fields under Fields → Select Log Field.

Device Registration Notes

Devices whose logs are forwarded to another FortiAnalyzer appear as unregistered on the receiving server.

Register them manually on the receiving server: System Settings → Device Manager → Add Device

Aggregation Mode

Summary

  • Configured only via CLI.
  • Requires server-side acceptance of log aggregation.
  • Designed for hierarchical FortiAnalyzer deployments.

Checking Existing Log Forwarding Entries

Run this command on the client to list the log forwarding entries that already exist, so you can pick an unused ID for a new entry or find the ID of the entry you want to edit:

get system log-forward

Server-Side Configuration

  1. Ensure a Super_User admin account exists on the server. If none does, create one; its credentials are entered on the client in the next section.
  2. Enable log aggregation:

    config system log-forward-service
        set accept-aggregation enable
        set aggregation-disk-quota <quota>     # Optional
    end

    aggregation-disk-quota limits the disk space allowed for aggregated logs received from clients.

Client-Side Configuration (CLI)

  1. Enter the log-forward configuration:

    config system log-forward
  2. Create a new entry or edit an existing one. Use an ID that does not already appear in the output of get system log-forward unless you intend to modify that entry:

    edit <log_forwarding_ID>
  3. Set the mode to aggregation:

    set mode aggregation
  4. Configure the server details:

    set server-name <server_display_name>
    set server-ip <xxx.xxx.xxx.xxx>
  5. Enter the authentication credentials. These are the credentials of the Super_User admin created on the server. Use an account dedicated to aggregation rather than a shared administrator login: the password is saved in the client's configuration, and the account has Super_User rights on the server.

    set agg-user <username>
    set agg-password <password>
  6. (Optional) Set the hour of day at which the client uploads its aggregated logs.

    • Value: 0–23 (hour)
    • Default: 0 (midnight)

    set agg-time <hour>
  7. Apply the configuration:

    end

    On success, FortiAnalyzer prints:

    check for cfg[<log forwarding ID>] svr_disp_name=<server-name>
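The whole aggregation setup as one session, server side first, is shown below. This is an added end-to-end example assembled from the steps above, not a listing from the original page or from Fortinet. The entry ID 3, the server name faz-central, the address 203.0.113.10 (an RFC 5737 documentation address), the account name agg-svc and the upload hour are placeholders; <quota> and <password> are left for you to fill in. The lines beginning with # are annotations for the reader and should be stripped before pasting into the CLI.

```text
# --- Receiving (server) FortiAnalyzer ---
# Prerequisite: a dedicated Super_User administrator exists,
# assumed here to be named "agg-svc" (placeholder).
config system log-forward-service
    set accept-aggregation enable
    set aggregation-disk-quota <quota>      # optional cap on aggregated-log storage
end

# --- Sending (client) FortiAnalyzer ---
# List the IDs already in use so the new entry does not overwrite one.
get system log-forward

config system log-forward
    edit 3                                  # placeholder ID not present in the list above
        set mode aggregation
        set server-name faz-central         # display name used in the confirmation line
        set server-ip 203.0.113.10          # address of the receiving FortiAnalyzer
        set agg-user agg-svc                # Super_User account created on the server
        set agg-password <password>         # saved in this client's configuration
        set agg-time 2                      # upload at 02:00; omit to keep the default (0)
end

# Expected confirmation printed after "end":
# check for cfg[3] svr_disp_name=faz-central
```

After the confirmation line appears, check on the server that the client's logs arrive at the configured hour; absence of an error on the client does not by itself prove the server accepted the session.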

Summary Comparison

Feature               Forwarding Mode                 Aggregation Mode
Server configuration  Not required                    Required (accept-aggregation)
Client configuration  GUI                             CLI only
Use case              Simple forwarding to servers    Centralized log aggregation
Authentication        Not required                    Super_User credentials of the server
Sending frequency     Real-time or periodic           Aggregated and sent at the configured hour (agg-time)
