FortiGate Logging, Monitoring, and FortiAnalyzer Integration
FortiGate logging is the recording and analysis of traffic, event, and security logs. Logs can be kept in local memory or on local disk, or sent to a syslog server, FortiGate Cloud (formerly FortiCloud), or FortiAnalyzer; FortiAnalyzer provides central collection, correlation, and reporting.
FortiGate Logging Types
FortiGate logging falls into three main categories: traffic logs (session data), event logs (system/admin events), and security logs (UTM events such as antivirus, IPS, web filtering).
Traffic logs show which source reached which destination, under which policy, and with what action (accept or deny). Event logs include admin logins, configuration changes, HA status, and system alerts. Security logs (type "utm" in the raw log) record the verdict of a security profile, for example a blocked virus, a matched IPS signature, or a filtered URL.
For logging to be effective, logging must be enabled on each firewall policy that should produce records: the policy's logtraffic setting controls whether all sessions (all), only sessions that triggered a security profile (utm), or nothing at all (disable) is recorded. A policy with logging disabled produces no traffic or security log regardless of where logs are sent, so a missing log is often a policy setting rather than a log-destination problem.
To understand which UTM events get logged, see our UTM security profiles guide.
Log Destinations and Retention
Log destinations are the device's own memory or local disk, an external syslog server, FortiGate Cloud, or FortiAnalyzer. In production an external destination is preferred, because it gives central, persistent storage that outlives the device.
Memory logs rotate quickly under load and are lost on reboot; local disk logs have limited capacity, and disk logging is not available on every model. A log that exists only on the firewall is also lost with the firewall, whether through hardware failure or through an attacker with admin access clearing it. That is why organizations with compliance and forensic needs direct logs to FortiAnalyzer or a SIEM.
| Destination | Property |
|---|---|
| Memory | RAM only; rotates quickly and is lost on reboot |
| Local disk | Limited capacity, single device; not available on every model |
| Syslog | Stream to an external server; UDP and plaintext by default, TCP (reliable) mode available |
| FortiCloud | Cloud-based storage (FortiGate Cloud); retention depends on the subscription level |
| FortiAnalyzer | Central collection, correlation, reporting; dedicated FortiGate-to-FortiAnalyzer channel over TCP/514 |
Central Logging with FortiAnalyzer
FortiAnalyzer is an analytics platform that collects, correlates, and reports the logs of multiple FortiGates from one place; it boosts visibility with FortiView dashboards and built-in reports.
In distributed environments FortiAnalyzer gives one view across all devices instead of inspecting each FortiGate's logs separately. Threat, traffic, and compliance reports can be generated on a schedule; FortiView dashboards quickly reveal the top sources, destinations, applications, and threats.
Event correlation surfaces attack patterns that are invisible in any single device's log, for example the same external address probing several sites in turn. This shortens detection and incident-response time.
Central logging is also critical for monitoring failover events in HA clusters; see FortiGate HA configuration.
Monitoring, Alerting, and SIEM Integration
Monitoring and alerting means generating automatic notifications on critical events and exporting logs to an enterprise SIEM so they can be evaluated in a broader security context.
FortiGate and FortiAnalyzer can raise alerts when thresholds are crossed or critical signatures fire: on FortiGate through automation stitches (a trigger such as an event log or IPS event paired with an action such as e-mail or a webhook), on FortiAnalyzer through event handlers. Logs reach a SIEM either directly from FortiGate via syslog (the syslog format can be set to CEF, which most SIEMs ingest natively) or through FortiAnalyzer's log forwarding, which keeps the firewalls configured with a single destination and forwards one stream for all devices. In a security operations center this lets FortiGate events be correlated with endpoint, identity, and other network sources.
This integration turns FortiGate from an isolated device into part of enterprise security operations.
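What a SIEM or FortiAnalyzer event handler actually does with these logs is easy to show in a few lines. The Python below is an added example for this page, not code from Fortinet or from the page's author: it parses FortiGate key=value log lines, classifies them into the three categories above, normalizes the device timestamp to UTC using the tz field, and runs one threshold rule (repeated failed admin logins from one source). The lines in SAMPLE_LOGS are constructed for the example; they follow the FortiOS key=value layout, but the device name, addresses, log IDs, and the attack name are placeholders rather than captured data.

```python
"""Parse FortiGate key=value log lines and run a SOC-style threshold check.

Added example, not code from the page or from Fortinet. SAMPLE_LOGS is
constructed: FortiOS key=value layout, placeholder device/addresses/log IDs.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# One key=value pair: the value is either double-quoted (may then contain
# spaces and escaped quotes, e.g. msg="...") or a bare token without spaces.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: the three log categories from one device, tz=+0300.
SAMPLE_LOGS = [
    # three failed admin logins from one address inside five minutes
    'date=2024-03-01 time=09:15:02 devname="fg-edge-1" tz="+0300" logid="0100032001" '
    'type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" '
    'user="admin" ui="ssh(198.51.100.23)" srcip=198.51.100.23 action="login" status="failed" '
    'reason="passwd_invalid" msg="Administrator admin login failed from ssh(198.51.100.23) '
    'because of invalid password"',
    'date=2024-03-01 time=09:15:40 devname="fg-edge-1" tz="+0300" logid="0100032001" '
    'type="event" subtype="system" level="alert" vd="root" user="admin" '
    'ui="ssh(198.51.100.23)" srcip=198.51.100.23 action="login" status="failed"',
    'date=2024-03-01 time=09:16:05 devname="fg-edge-1" tz="+0300" logid="0100032001" '
    'type="event" subtype="system" level="alert" vd="root" user="admin" '
    'ui="ssh(198.51.100.23)" srcip=198.51.100.23 action="login" status="failed"',
    # one failure from another address, and no srcip field: below threshold
    'date=2024-03-01 time=09:20:11 devname="fg-edge-1" tz="+0300" logid="0100032001" '
    'type="event" subtype="system" level="alert" vd="root" user="admin" '
    'ui="https(203.0.113.9)" action="login" status="failed"',
    'date=2024-03-01 time=09:15:10 devname="fg-edge-1" tz="+0300" logid="0000000013" '
    'type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.1.25 '
    'dstip=203.0.113.80 dstport=443 proto=6 action="accept" policyid=7 service="HTTPS"',
    'date=2024-03-01 time=09:15:12 devname="fg-edge-1" tz="+0300" logid="0000000013" '
    'type="traffic" subtype="forward" level="notice" vd="root" srcip=198.51.100.23 '
    'dstip=192.0.2.1 dstport=22 proto=6 action="deny" policyid=0 service="SSH"',
    'date=2024-03-01 time=09:17:30 devname="fg-edge-1" tz="+0300" logid="0419016384" '
    'type="utm" subtype="ips" level="alert" vd="root" severity="high" '
    'srcip=198.51.100.23 dstip=10.10.1.25 action="dropped" attack="Example.Probe" policyid=7',
]


def parse_line(line: str) -> dict:
    """Split one FortiGate log line into a dict; quotes are stripped from values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV.findall(line)}


def event_time(fields: dict) -> datetime:
    """Combine date, time and tz into a UTC timestamp.

    Logs from devices in different zones cannot be correlated until every
    timestamp is on one reference: tz gives the zone, NTP keeps the clock
    honest. A missing tz is assumed to be UTC here (an assumption).
    """
    tz = fields.get("tz", "+0000")
    sign = -1 if tz[0] == "-" else 1
    offset = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])))
    naive = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=offset).astimezone(timezone.utc)


def classify(fields: dict) -> str:
    """Map the FortiOS 'type' field to the three categories used on this page."""
    return {"traffic": "traffic", "event": "event", "utm": "security"}.get(
        fields.get("type", ""), "unknown")


def count_by_category(lines) -> dict:
    """Log volume per category: a quick sanity check that policies really log."""
    return dict(Counter(classify(parse_line(l)) for l in lines))


def login_source(fields: dict) -> str:
    """Source of an admin login event: srcip when present, else the address in ui."""
    if "srcip" in fields:
        return fields["srcip"]
    m = re.search(r"\(([^)]+)\)", fields.get("ui", ""))
    return m.group(1) if m else "unknown"


def failed_admin_logins(lines, threshold=3, window_seconds=300) -> list:
    """Alert when one source has >= threshold failed admin logins inside the window.

    This is the shape of a threshold rule a SIEM or FortiAnalyzer event handler
    evaluates; it only looks at event logs with action=login and status=failed.
    """
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for line in lines:
        f = parse_line(line)
        if f.get("type") == "event" and f.get("action") == "login" and f.get("status") == "failed":
            by_src[login_source(f)].append(event_time(f))
    alerts = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"srcip": src, "count": end - start + 1,
                               "first": times[start], "last": t})
                break                            # one alert per source is enough here
    return alerts


if __name__ == "__main__":
    print(count_by_category(SAMPLE_LOGS))
    for a in failed_admin_logins(SAMPLE_LOGS):
        print(f'{a["count"]} failed admin logins from {a["srcip"]} '
              f'between {a["first"].isoformat()} and {a["last"].isoformat()}')
```

Run as a script it prints the category counts and one alert for 198.51.100.23 with its first and last failure expressed in UTC (06:15:02 and 06:16:05, the +0300 device time shifted back). The same rule over a real syslog feed only needs the line source swapped; the value of the tz normalization becomes obvious as soon as a second device in another zone, or with a drifting clock, feeds the same window.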
Best Practices in Logging and Monitoring
Best practices are to log the right events, set adequate retention, use a central destination, ensure time synchronization, and review reports regularly.
- Log critical traffic and all security events; turn on logging of violation traffic on the implicit deny policy, since that is where scans and misconfigurations show up, and avoid per-session logging of bulk internal traffic that only adds noise.
- Set a retention period aligned with compliance requirements.
- Use a central destination (FortiAnalyzer/SIEM), and where the network allows send logs over a reliable, authenticated channel rather than plaintext UDP syslog, which can be dropped or spoofed silently.
- Ensure time sync via NTP on every device and keep time zone settings consistent; accurate timestamps are essential for correlation.
- Review threat and traffic reports regularly, and monitor the log channel itself: a device that stops sending logs is a finding, not silence.
To balance the performance impact of logging, see our performance optimization guide, and for overall architecture our what is FortiGate guide.
Frequently Asked Questions
What log types does FortiGate produce?
Mainly traffic logs (session data), event logs (system and admin events), and security logs (UTM events such as antivirus, IPS, web filtering).
Why should I send logs to FortiAnalyzer?
Local disk and memory are limited; FortiAnalyzer provides central collection, event correlation, and automated reporting in multi-device environments, strengthening visibility and compliance.
What is FortiView?
FortiView is the analytics interface on both FortiGate and FortiAnalyzer that presents traffic and threat data in drill-down dashboards. It lets you quickly see the most active or most-targeted sources, users, destinations, and applications.
Can I export FortiGate logs to a SIEM?
Yes. Logs can be forwarded directly from FortiGate via syslog (including CEF format), from FortiAnalyzer through its log forwarding feature, or through vendor connectors, enabling correlation with other security sources for broader context.
How should I set the log retention period?
Retention is set by your industry's compliance requirements and forensic needs. Allocate adequate capacity on a central destination and define an archiving policy.
Why is time synchronization important?
Without accurate timestamps, logs from different devices cannot be reliably correlated. Synchronizing all device clocks via NTP is critical for correlation and forensics.
Conclusion
FortiGate logging and FortiAnalyzer integration make security events visible and enable rapid response. With central collection, proper retention, and SIEM integration, FortiGate becomes a strong part of enterprise security operations.
To build your central logging and monitoring architecture, talk to the Sora Yazılım team.