FortiGate
chall_FTNT
Staff
Article Id 190094

Description
For high-volume log data, Fortinet recommends sending logs to a remote log destination such as FortiAnalyzer/FortiManager, FortiCloud or a syslog server.

However, in some cases it is advisable to also send event logging to disk (on models with a local disk). This is particularly true for HA clusters, because it helps to ensure that all HA-related logs are captured on both the Master and Slave units during HA transitions, when the remote destination may be unreachable from one of them.

To filter which types of logs are sent to disk, use the "log disk filter". This filter has no option for event logs; instead, the same level of event logging is sent to every log destination regardless of the filter.

So the key is to enable disk logging BUT disable every configurable option in the "log disk filter". You can use the template below. Use the "get" command to check whether your firmware release has any other log sub-types that must be disabled in addition to the ones included in the template, since the list of sub-types varies between releases.

End Result: You are left with only event logging sent to disk.


Solution
Template:
You can copy and paste the following into the CLI. On a unit with VDOMs enabled, replace <VDOM NAME> with the VDOM you are configuring; on a unit without VDOMs, omit the "config vdom" and "edit" lines and the final "end" that closes them, and run the remaining commands directly.

config vdom
edit <VDOM NAME>

config log disk filter
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly disable
    set netscan-discovery disable
    set netscan-vulnerability disable
    set voip disable
    set dlp-archive disable
end

Confirm that all options are "disabled" (still within the VDOM context; any line showing "enable" is a sub-type your release has that the template does not cover, and must be disabled too):
get log disk filter

Ensure disk logging is enabled:

config log disk setting
    set status enable
end

end
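The "get" step above is the one that catches sub-types added by newer firmware. The following script is an added example, not part of the original article or of any Fortinet tool: it parses pasted "get log disk filter" output, reports every toggle still set to "enable" (whatever its name, so new sub-types are caught without a fixed list), and builds the CLI block that disables the leftovers. The sample output embedded in it is constructed for the example, not captured from a real unit, and the VDOM name "root" is an assumed default.

```python
import re

# Constructed sample of `get log disk filter` output (not from a real unit):
# two sub-types that the article's template does not cover are still enabled.
SAMPLE_GET_OUTPUT = """\
severity            : information
forward-traffic     : disable
local-traffic       : disable
multicast-traffic   : disable
sniffer-traffic     : enable
anomaly             : disable
netscan-discovery   : disable
netscan-vulnerability: disable
voip                : enable
dlp-archive         : disable
"""

# Each line is "name : value"; the space before the colon is optional
# because long names are printed without padding.
_LINE_RE = re.compile(r"^\s*([\w-]+)\s*:\s*(\S+)\s*$")


def parse_filter(output: str) -> dict:
    """Turn `get log disk filter` text into a {name: value} dictionary."""
    settings = {}
    for line in output.splitlines():
        m = _LINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def enabled_subtypes(output: str) -> list:
    """Names of every toggle still set to 'enable', sorted.

    Any key whose value is 'enable' is treated as a log sub-type, so sub-types
    introduced by a newer firmware release are reported even though they are
    not in the article's template. Keys such as 'severity' carry other values
    and are ignored.
    """
    return sorted(k for k, v in parse_filter(output).items() if v == "enable")


def event_only(output: str) -> bool:
    """True when nothing but event logging will reach the disk."""
    return not enabled_subtypes(output)


def disable_commands(output: str, vdom: str = "root") -> str:
    """CLI block that disables the remaining sub-types; empty string if none."""
    names = enabled_subtypes(output)
    if not names:
        return ""
    lines = ["config vdom", f"edit {vdom}", "config log disk filter"]
    lines += [f"    set {name} disable" for name in names]
    lines += ["end", "end"]  # first 'end' closes the filter, second leaves the VDOM
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    leftovers = enabled_subtypes(SAMPLE_GET_OUTPUT)
    print("still enabled:", ", ".join(leftovers) or "none")
    print(disable_commands(SAMPLE_GET_OUTPUT), end="")
```

Paste the real "get log disk filter" output into SAMPLE_GET_OUTPUT (or read it from a file) and run the script; an empty result from disable_commands means the disk filter already matches the article's end state.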
