FortiMail® Secure Messaging Platform 5.0.

0
Log Message Reference
FortiMail® Secure Messaging Platform 5.0.0 Log Message Reference
May 22, 2014
2nd Edition
Copyright © 2014 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and
FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other
Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All
other product or company names may be trademarks of their respective owners. Performance
and other metrics contained herein were attained in internal lab tests under ideal conditions,
and actual performance and other results may vary. Network variables, different network
environments and other conditions may affect performance results. Nothing herein represents
any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or
implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will
perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be
binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the
same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants,
representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves
the right to change, modify, transfer, or otherwise revise this publication without notice, and the
most current version of the publication shall be applicable.

Technical Documentation docs.fortinet.com

Knowledge Base kb.fortinet.com
Customer Service & Support support.fortinet.com
Training Services training.fortinet.com
FortiGuard fortiguard.com
Document Feedback techdocs@fortinet.com
Table of contents

About FortiMail logs ......................................................................................... 8

Accessing FortiMail log messages .......................................................................... 8
Log message syntax ................................................................................................ 8
Log types ................................................................................................................. 9
Subtypes................................................................................................................ 11
Severity/Priority levels............................................................................................ 12
Log message cross search.................................................................................... 13
History/Statistics logs.................................................................................... 14
Policy ID and domain fields ................................................................................... 14
Log message dispositions and classifiers ............................................................. 14
Event Config logs ........................................................................................... 17
FortiGuard autoupdate settings............................................................................. 19
System update setting ........................................................................................... 19
interface IP address ............................................................................................... 19
Access methods/status ......................................................................................... 20
Interface status ...................................................................................................... 20
Interface status/PPPoE status ............................................................................... 20
Interface status/PPPoE settings ............................................................................ 20
Management IP...................................................................................................... 21
Interface access methods...................................................................................... 21
MTU change .......................................................................................................... 21
Interface status ...................................................................................................... 21
Addressing mode of interface access methods .................................................... 22
Connect option of interface access methods........................................................ 22
DNS change........................................................................................................... 22
Primary DNS and secondary DNS ......................................................................... 22
Default gateway ..................................................................................................... 23
Route entry ............................................................................................................ 23
Route with destination IP address/netmask .......................................................... 23
Routing entry ......................................................................................................... 23
System timezone ................................................................................................... 24
Daylight saving time............................................................................................... 24
NTP server settings................................................................................................ 24
System time ........................................................................................................... 24
Console pageNo setting ........................................................................................ 25
Console mode setting............................................................................................ 25

Page 3
 Idle timeout ............................................................................................................ 25
Authentication timeout........................................................................................... 25
System language ................................................................................................... 25
LCD PIN number.................................................................................................... 26
LCD PIN protection................................................................................................ 26
GUI refresh interval ................................................................................................ 26
System idle and auth timeout ................................................................................ 26
Admin addition....................................................................................................... 27
Admin change ........................................................................................................ 27
Admin deletion ....................................................................................................... 27
Admin password change ....................................................................................... 27
HA settings ............................................................................................................ 28
SNMP status .......................................................................................................... 28
SNMP config info................................................................................................... 28
SNMP CPU threshold ............................................................................................ 28
SNMP memory threshold ...................................................................................... 28
SNMP Logdisk threshold ....................................................................................... 29
SNMP maildisk threshold ...................................................................................... 29
SNMP deferred mqueue threshold ........................................................................ 29
SNMP virus detection threshold ............................................................................ 29
SNMP spam detection threshold........................................................................... 30
SNMP community entry......................................................................................... 30
SNMP community and host entry.......................................................................... 30
FortiMail disclaimer in header for outgoing messages .......................................... 30
FortiMail disclaimer in body for incoming messages ............................................ 31
FortiMail disclaimer in header for incoming messages ......................................... 31
Local domains........................................................................................................ 31
POP3 server port number ...................................................................................... 31
Relay server name ................................................................................................. 32
SNMP memory threshold ...................................................................................... 32
SMTP auth ............................................................................................................. 32
SMTP over ssl........................................................................................................ 32
SMTP server port number ..................................................................................... 32
Status of email archiving........................................................................................ 33
Email archiving account......................................................................................... 33
Email archiving rotate setting ................................................................................ 33
Archiving settings on local server .......................................................................... 33
Archiving settings on remote server ...................................................................... 34
Archiving policy...................................................................................................... 34
Archiving exempt ................................................................................................... 34

Table of contents Page 4 FortiMail® Secure Messaging Platform 5.0.0 Log Message
 System quarantine account ................................................................................... 34
System quarantine rotate setting........................................................................... 34
System quarantine quota settings ......................................................................... 35
System quarantine settings ................................................................................... 35
Mail server settings ................................................................................................ 35
FortiMail appearance information .......................................................................... 35
FortiMail mail gw user group ................................................................................. 36
Permission of mail.................................................................................................. 36
Mail server access ................................................................................................. 36
Local domain deletion............................................................................................ 36
Local domain addition ........................................................................................... 37
Local user .............................................................................................................. 37
Local domain name ............................................................................................... 37
User group ............................................................................................................. 37
Mail user addition/deletion .................................................................................... 38
Mail server user addition........................................................................................ 38
Mail server user set with information ..................................................................... 38
Mail server user added with information................................................................ 38
Mail server user deletion........................................................................................ 39
Disk quota of email archiving account................................................................... 39
Password of email archiving account .................................................................... 39
Forwarding address for email archiving................................................................. 39
Password of system quarantine account .............................................................. 40
Forwarding address for system quarantine ........................................................... 40
Password of mail user ........................................................................................... 40
Display name of mail user...................................................................................... 40
User alias ............................................................................................................... 41
POP3 auth profile................................................................................................... 41
IMAP auth profile ................................................................................................... 41
Email banned word ................................................................................................ 41
Local log setting..................................................................................................... 42
Memory log setting ................................................................................................ 42
Log setting ............................................................................................................. 42
Log setting elog ..................................................................................................... 42
Log policy .............................................................................................................. 42
Alertemail setting ................................................................................................... 43
Alertemail SMTP server ......................................................................................... 43
Alertemail target email addresses.......................................................................... 43
Alertemail configuration ......................................................................................... 43

Table of contents Page 5 FortiMail® Secure Messaging Platform 5.0.0 Log Message
 Event System logs .......................................................................................... 44
DNS servers ........................................................................................................... 44
System restart........................................................................................................ 44
System shutdown .................................................................................................. 44
System reload ........................................................................................................ 45
System reset .......................................................................................................... 45
System firmware upgrade...................................................................................... 45
Upgrade system firmware failed ............................................................................ 45
System mode......................................................................................................... 46
Event Update logs .......................................................................................... 47
FortiGuard update result........................................................................................ 47
Event SMTP logs ............................................................................................ 48
SMTP-related events ............................................................................................. 48
Starting flgrptd ....................................................................................................... 48
Virus db loaded...................................................................................................... 48
FortiGuard antispam rule (FSAR) loading .............................................................. 49
FASR readme......................................................................................................... 49
FortiGuard antispam rule (FSAR) loaded ............................................................... 49
Mail aliases rebuilt ................................................................................................. 49
Antivirus database loaded ..................................................................................... 50
Updated daemon restarted.................................................................................... 50
Antivirus database loading .................................................................................... 50
Antivirus database loaded ..................................................................................... 50
Bayesian database training.................................................................................... 50
Bayesian database training completed ................................................................. 51
Event Admin logs............................................................................................ 52
User login............................................................................................................... 52
Webmail login ........................................................................................................ 52
User login failure .................................................................................................... 52
WebMail GUI failure ............................................................................................... 53
Message retrieval failure ........................................................................................ 53
Message cannot be read ....................................................................................... 53
Attachment saving failure ...................................................................................... 53
LCD login ............................................................................................................... 54
LCD login failure .................................................................................................... 54
Event POP3 logs ............................................................................................. 55
POP3-related events.............................................................................................. 55
Event IMAP logs ............................................................................................. 56
IMAP-related events .............................................................................................. 56

Table of contents Page 6 FortiMail® Secure Messaging Platform 5.0.0 Log Message
 Event HA logs.................................................................................................. 57
Master startup........................................................................................................ 57
Slave startup .......................................................................................................... 57
HA role change ...................................................................................................... 58
Heartbeat check .................................................................................................... 58
Synchronization activities ...................................................................................... 58
Event Webmail logs........................................................................................ 59
User login............................................................................................................... 59
Antivirus logs .................................................................................................. 60
Virus infection ........................................................................................................ 60
Antispam logs ................................................................................................. 61
Spam-related events.............................................................................................. 61
Encryption logs............................................................................................... 62
Email encryption .................................................................................................... 62
Index ................................................................................................................ 63

Table of contents Page 7 FortiMail® Secure Messaging Platform 5.0.0 Log Message
About FortiMail logs

FortiMail logs can provide information on network email activity that helps identify security
issues such as viruses detected within an email.
For information about configuring logging in FortiMail, see the FortiMail Administration Guide.
This section provides information on the following topics:
• Accessing FortiMail log messages
• Log message syntax
• Log types
• Subtypes
• Severity/Priority levels
• Log message cross search

Accessing FortiMail log messages

There are several ways you can access FortiMail log messages:
• On the FortiMail web UI, you can view log messages by going to Monitor > Log. For details,
see the FortiMail Administration Guide.
• On the FortiMail web UI, under Monitor > Log, you can download log messages to your local
PC and view them later.
• You can send log messages to a FortiAnalyzer unit by going to Log and Report > Log Settings
> Remote Log Settings and view them on FortiAnalyzer.
• You can send log messages to any Syslog server by going to Log and Report > Log Settings
> Remote Log Settings.

Log message syntax

All FortiMail log messages are comprised of a log header and a log body.
• Header — Contains the time and date the log originated, a log identifier, the type of log, the
severity level (priority) and where the log message originated.
• Body — Describes the reason why the log was created, plus any actions that the FortiMail
appliance took to respond to it. These fields may vary by log type.

Page 8
 Figure 1: Log message header and body

For example, in the following event log, the bold section is the header and the italic section is
the body.
date=2012-08-17 time=12:26:41 device_id=FE100C3909600504
log_id=0001001623 type=event subtype=admin pri=information user=admin
ui=GUI(172.20.120.26) action=login status=success reason=none msg="User
admin login successfully from GUI(172.20.120.26)"
Device ID field
Depending on where you view log messages, log formats may vary slightly. For example, if you
view logs on the FortiMail web UI or download them to your local PC, the log messages do not
contain the device ID field. If you send the logs to FortiAnalyzer or other Syslog servers, the
device ID field will be added.
Endpoint field
Starting from 4.0 MR3, a field called endpoint was added to the history and antispam logs.
This field displays the endpoint’s subscriber ID, MSISDN, login ID, or other identifiers. This field
is empty if the sender IP is not matched to any endpoint identifier or if the endpoint reputation is
not enabled in the session profiles.
Log_part field
For FortiMail 3.0 MR3 and up, the log header of some log messages may include an extra field,
log_part, which provides numbered identification (such as 00, 01, and 02) when a log
message has been split. Log splitting occurs in FortiMail 3.0 MR3 and up because the log
message length was reduced.
Hex numbers in history logs
If you view the log messages on the FortiMail web UI or send the logs to a Syslog server, the
dispositions and classifiers are displayed in English terms. However, if you download log files
from FortiMail web UI to your PC and open them, the dispositions and classifiers are displayed
in hex numbers. For explanation of these numbers, see the “Log message dispositions and
classifiers” on page 14.

Log types

FortiMail logs record per recipient, presenting log information in a very different way than most
other logs do. By recording logs per recipient, log information is presented in layers, which
means that one log file type contains the what and another log file type contains the why. For

About FortiMail logs Page 9 FortiMail® Secure Messaging Platform 5.0.0 Log Message
 example, a log message in the history log contains an email message that the FortiMail unit
flagged as spam (the what) and the antispam log contains why the FortiMail unit flagged the
email message as spam (the why).
FortiMail logs are divided into the following types:

Log Types Default Description

File Name

History alog Records all email traffic going through the FortiMail unit.
(statistics)

Event elog Records management and email related activities. Management activity
events include changes to the system configuration as well as
administrator and user log in and log outs. Activity events include system
activities.

Antispam slog Records spam detection events.

(spam)

Antivirus vlog Records virus intrusion events.

(virus)

Encryption nlog Records detection of IBE-related events.

(encrypt)

Email related logs contain a session identification (ID) number, which is located in the session ID
field of the log message. The session ID corresponds to all the relevant log types so that the
administrator can get all the information about the event or activity that occurred on their
network.

History/statistics logs
History logs are used to quickly determine the disposition of a message. History logs describe
what action was taken by the FortiMail unit. Administrators use the history logs to quickly
determine the status of a message for a specific recipient, then either right-click that log
message and select Cross Search, or click the Session ID link. (See “Log message cross
search” on page 13). All correlating history, event, antivirus and antispam log messages appear
in a new tab where you can find out why that particular action was taken.
In the following log messages, the bolded information indicates what an administrator looks for
when using history logs to find out what action was taken, and the antispam log to find out why
the action was taken.
date=2012-07-16 time=12:22:56 device_id=FE100C3909600504
log_id=0200001075 type=statistics pri=information
session_id="q6GJMuPu003642-q6GJMuPv003642"
client_name="[172.20.140.94]" dst_ip="172.20.140.92" endpoint=""
from="user@external.lab" to="user5@external.lab" subject=""
mailer="mta" resolved="OK" direction="in" virus="" disposition="Reject"
classifier="Recipient Verification" message_length="188"
From the disposition, “Reject”, we know that the FortiMail unit rejected the email message. We
then do a session ID cross search to find it within the antispam logs, as in the following:
date=2012-07-16 time=12:22:56 device_id=FE100C3909600504
log_id=0300001075 type=spam pri=information
session_id="q6GJMuPu003642-q6GJMuPv003642"
client_name="[172.20.140.94]" dst_ip="172.20.140.92" endpoint=""

About FortiMail logs Page 10 FortiMail® Secure Messaging Platform 5.0.0 Log Message
 from="user@external.lab" to="user5@external.lab" subject=""
msg="<user5@external.lab>... User unknown"
In the above antispam log message, we now know why the FortiMail unit rejected the message
because the message failed the recipient verification (User unknown), which is shown in the
message field.

Event logs
Event logs contain log messages that concern network or system activities and events, such as
firmware upgrades or password changes. This log type shows what is occurring at the protocol
level, as well as the TCP level.
The event log does not have the same relationship with the history log as the antispam or
antivirus log does. The event log is not necessarily used for finding the reason why an event
occurred because there may not be a corresponding session ID number. Event logs are also
usually self-explanatory, meaning they usually give the what and why within the log message.

Antispam logs
Antispam logs provide information pertaining to email messages that are classified as Spam or
Ham messages. The antispam logs describe why they were classified, as was shown in the
example in “History/statistics logs” on page 10.
Antispam log messages describe spammy URI’s, black/white listed IP addresses, or other
techniques the FortiMail unit used to classify the message. Antispam log messages may also
describe message processing errors, such as not handling email that was sent from a specific
user.

Antivirus logs
Antivirus logs provide information pertaining to email messages that are classified as virus or
suspicious messages. These log messages describe what virus is contained in the email
message or in a file attached to the email message.
Administrators use antivirus logs to determine why an attachment was stripped from a file after
someone informed them about not receiving an attachment. Administrators may also use this
log type to verify why the history log detected a virus.
The session ID is not usually used when looking up an antivirus log message; the time stated in
the time field of the log message is usually used as well as using the search method.

Encryption logs
Encryption logs provide information pertaining to IBE email encryption and decryption.
IBE is a type of public-key encryption. IBE uses identities (such as email addresses) to calculate
encryption keys that can be used for encrypting and decrypting electronic messages.
Compared with traditional public-key cryptography, IBE greatly simplifies the encryption
process for both users and administrators. Another advantage is that a message recipient does
not need any certificate or key pre-enrollment or specialized software to access the email.

Subtypes

FortiMail logs are grouped into categories by log type and subtype as shown in the table below:

About FortiMail logs Page 11 FortiMail® Secure Messaging Platform 5.0.0 Log Message
 Log Type Subtype

event config
admin
system
ha
update
pop3
imap
smtp
webmail

virus infected

spam (no subtype)

statistics (no subtype)

encrypt ((no subtype)

Severity/Priority levels

When you define a logging severity level, the FortiMail unit logs all messages at and above the
selected severity level. For example, if you select Error, the FortiMail unit logs Error, Critical,
Alert, and Emergency level messages.

Levels Name Description

(0 is highest)

0 Emergency The system has become unstable

1 Alert Immediate action is required.

2 Critical Functionality is affected.

3 Error An error condition exists and functionality could be affected.

4 Warning Functionality could be affected.

5 Notice Information about normal events.

6 Information General information about system operation.

FortiMail units log messages when the DNS server is unreachable. The severity level of the log
message varies by the number of times that the DNS server could not be reached.
• Warning severity level log message: 15 failures in 5 minutes
• Alert severity level log message: 40 failures in 5 minutes

About FortiMail logs Page 12 FortiMail® Secure Messaging Platform 5.0.0 Log Message
Log message cross search

Since different types of log files record different events/activities, the same SMTP session (with
one or more email messages sent during the session) or the same email message may be
logged in different types of log files. For example, if the FortiMail units detects a virus in an email
messages, this event will be logged in the following types of log files:
• History log: because the history log records the metadata of all sent and undelivered email
messages.
• AntiVirus log: because a virus is detected. The antivirus log has more descriptions of the
virus than the history log does.
• Event log: because the FortiMail system’s antivirus process has been started and stopped.
To find and display all log messages triggered by the same SMTP session or the same email
message, you can use the cross-search feature.

The cross-search searches log files recorded five minutes before and after the log entry (this
design is for performance purpose). Therefore, the search may cover multiple log files but may
not cover all the related log files if any log files are recorded out of the ten minutes interval.

Figure 2: Sample log message cross search results

To do a cross-search of the log messages

1. Go to Monitor > Log.
2. When viewing a log message on the History, Even, AntiVirus, or AntiSpam tab, right-click the
log message that has a message ID. From the pop-up menu, select:
• Cross Search (Session) to search for the log messages triggered by the same SMTP
session. This may result in multiple email messages if multiple messages were sent in the
same SMTP session.
• Cross Search (Message) to search for the log messages triggered by the same email
message.
You can also click the session ID of the log message to search for the log messages
triggered by the same SMTP session. This is equivalent to the Cross Search (Session)
pop-up menu.
All correlating history, event, antivirus and antispam log messages will appear in a new tab.

About FortiMail logs Page 13 FortiMail® Secure Messaging Platform 5.0.0 Log Message
History/Statistics logs

This chapter contains information regarding history, or statistics log messages. History log
messages record all mail traffic going through the FortiMail unit.
History logs are used to quickly determine the disposition of a message. History logs describe
what action was taken by the FortiMail unit. Administrators use the history logs to quickly
determine the status of a message for a specific recipient, then either right-click that log
message and select Cross Search, or click the Session ID link. All correlating history, event,
antivirus and antispam log messages appear in a new tab where you can find out why that
particular action was taken.
For more information about log message cross search, see “Log message cross search” on
page 13.

Example
If you export the FortiMail log messages to a remote Syslog server (including FortiAnalyzer), a
history/statistics log would look like the following and the log fields would appear in the
following order:
date=2013-02-25 time=07:01:34 device_id=FE100C3909600504
log_id=0200025843 type=statistics pri=information
session_id="r1PF1YTh025836-r1PF1YTh025836"
client_name="172.20.140.108" dst_ip="172.20.140.13" endpoint=""
from="aaa@bbb.com" to="user1@example.com" polid="0:1:0" domain=""
subject="" mailer="proxy" resolved="" direction="unknown" virus=""
disposition="0x200" classifier="0x17" message_length="199986"

Policy ID and domain fields

Starting from v5.0 release, two new fields -- policy ID and domain -- have been added to history
logs.
The policy ID is in the format of x:y:z, where:
• x is the ID of the global access control policy.
• y is the ID of the IP-based policy.
• z is the ID of the recipient-based policy.
If the value of x, y, and z is 0, it means that no policy is matched.
If the matched recipient-based policy is incoming, the protected domain will be logged in the
domain field.
If the matched recipient-based policy is outgoing, the domain field will be empty.

Log message dispositions and classifiers

Each history log contains one field called Classifier and another called Disposition.
The Classifier field displays which FortiMail scanner applies to the email message. For example,
“Banned Word” means the email messages was detected by the FortiMail banned word
scanner. The Disposition field specifies the action taken by the FortiMail unit.

Page 14
 If you view the log messages on the FortiMail web UI or send the logs to a Syslog server, the
dispositions and classifiers are displayed in English terms. However, if you download log files
from FortiMail web UI to your PC and open them, the dispositions and classifiers are displayed
in hex numbers.
The following tables map the numbers with English terms.

When the classifier is “Attachment Filter”, a new field “atype” (attachment type) is also
displayed. This field is for debug purpose only.

Table 1: Classifiers

Hex number Classifier Hex Number Classifier

0x00 Undefined 0x21 Domain White

0x01 User White 0x22 Domain Black

0x02 User Black 0x23 SPF

0x03 System White 0x24 Domain Key

0x04 System Black 0x25 DKIM

0x05 DNSBL 0x26 Recipient Verification

0x06 SURBL 0x27 Bounce Verification

0x07 FortiGuard AntiSpam 0x28 Endpoint Reputation

0x08 FortiGuard AntiSpam-White 0x29 TLS Enforcement

0x09 Bayesian 0x2A Message Cryptography

0x0A Heuristic 0x2B Delivery Control

0x0B Dictionary Filter 0x2C Encrypted Content

0x0C Banned Word 0x2D SPF Failure as Spam

0x0D Deep Header 0x2E Fragmented email

0x0E Forged IP 0x2F Email contains image

0x0F Quarantine Control 0x30 Content Requires Encryption

0x10 Virus as Spam 0x31 FortiGuard AntiSpam-IP

(before v4.3 release)

0x11 Attachment Filter 0x32 Session Remote

(see note above)

0x12 Grey List 0x33 FortiGuard Phishing

0x13 Bypass Scan On Auth 0x34 AntiVirus

0x14 Disclaimer 0x35 Sender Address Rate Control

0x15 Defer Delivery 0x36 SMTP Auth Failure

History/Statistics logs Page 15 FortiMail® Secure Messaging Platform 5.0.0 Log Message
 0x16 Session Domain 0x37 Access Control List Reject

0x17 Session Limits 0x38 Access Control List Discard

0x18 Session White 0x39 Access Control List Bypass

0x19 Session Black 0x3a FortiGuard Antispam Webfilter

0x1A Content Monitor and Filter 0x3b Newsletter Suspicious

0x1B Content Monitor as Spam 0x3c TLS Streaming

0x1C Attachment as Spam 0x3d Policy Match

0x1D Image Spam 0x3e Dynamic White List

0x1E Sender Reputation 0x3f Sender Verification

0x1F Access Control 0x40 Behavior Analysis

0x20 Whitelist Word

Table 2: Dispositions

Hex number Disposition Hex Number Disposition

0x00 Accept 0x1000 Disclaimer Header

0x01 Accept 0x2000 Defer

0x04 Reject 0x4000 Quarantine to Review

0x08 Add Header 0x8000 Content Filter as Spam

0x10 Modify Subject 0x10000 Encrypt

0x20 Quarantine 0x20000 Decrypt

0x40 Accept 0x40000 Alternate Host

0x80 Discard 0x80000 BCC

0x100 Replace 0x100000 Archive

0x200 Delay 0x200000 Customized repackage

0x400 Rewrite 0x400000 Repackage

0x800 Disclaimer Body 0x800000 Notification

The disposition field in a log message may contain one or more dispositions/actions.

History/Statistics logs Page 16 FortiMail® Secure Messaging Platform 5.0.0 Log Message
Event Config logs

This chapter contains information about Event Config log messages.

Event Config is a subtype log of the Event log type. Event Config logs record all configuration
changes made to the system of the FortiMail unit, configuration setting, administration,
including POP3, SMTP, and IMAP changes.
You can cross-search an Event Config log message to get more information about it. For more
information about log message cross search, see “Log message cross search” on page 13.

Example
If you send the FortiMail log messages to a remote Syslog server (including FortiAnalyzer), a
config event log would look like the following and the log fields would appear in the following
order:
date=2012-08-09 time=12: 42:48 device_id=FE100C3909600504
log_id=0000000920 type=event subtype=config pri=information user=admin
ui=172.20.120.26 module=unknown submodule=unknown msg="changed settings
for 'log setting local'"

Page 17
 The config event logs contain the following messages:
FortiGuard autoupdate Idle timeout FortiMail disclaimer in header
settings for incoming messages
Authentication timeout
System update setting Local domains
System language
interface IP address POP3 server port number
LCD PIN number
Access methods/status Relay server name
LCD PIN protection
Interface status SNMP memory threshold
GUI refresh interval
Interface status/PPPoE status SMTP auth
System idle and auth timeout
Interface status/PPPoE SMTP over ssl
Admin addition
settings
SMTP server port number
Admin change
Management IP
Status of email archiving
Admin deletion
Interface access methods
Email archiving account
Admin password change
MTU change
Email archiving rotate setting
HA settings
Interface status
Archiving settings on local
SNMP status
Addressing mode of interface server
access methods SNMP config info
Archiving settings on remote
Connect option of interface SNMP CPU threshold server
access methods
SNMP memory threshold Archiving policy
DNS change
SNMP Logdisk threshold Archiving exempt
Primary DNS and secondary
SNMP maildisk threshold System quarantine account
DNS
SNMP deferred mqueue System quarantine rotate
Default gateway
threshold setting
Route entry
SNMP virus detection threshold System quarantine quota
Route with destination IP settings
SNMP spam detection threshold
address/netmask
System quarantine settings
SNMP community entry
Routing entry
Mail server settings
SNMP community and host entry
System timezone
FortiMail appearance
FortiMail disclaimer in header for
Daylight saving time information
outgoing messages
NTP server settings FortiMail mail gw user group
FortiMail disclaimer in body for
System time incoming messages
Console pageNo setting
Console mode setting

Event Config logs Page 18 FortiMail® Secure Messaging Platform 5.0.0 Log Message
 Permission of mail Password of email archiving Memory log setting
account
Mail server access Log setting
Forwarding address for email
Local domain deletion Log setting elog
archiving
Local domain addition Log policy
Password of system quarantine
Local user account Alertemail setting
Local domain name Forwarding address for system Alertemail SMTP server
quarantine
User group Alertemail target email
Password of mail user addresses
Mail user addition/deletion
Display name of mail user Alertemail configuration
Mail server user addition
User alias
Mail server user set with
information POP3 auth profile
Mail server user added with IMAP auth profile
information
Email banned word
Mail server user deletion
Local log setting
Disk quota of email archiving
account

FortiGuard autoupdate settings

Type Event
Subtype Config
Severity Information
Message msg=“Autoupdate settings have been changed by user <user_name> via CLI
(console|telnet|ssh)”
Meaning An administrator has changed the autoupdate settings using the CLI.

System update setting

Type Event
Subtype Config
Severity Information
Message msg=“System update setting has been changed by user <user_name> via GUI
(<ip_address>)”
Meaning An administrator changed a system update setting using the web-based
manager.

interface IP address

Type Event
Subtype Config

Event Config logs Page 19 FortiMail® Secure Messaging Platform 5.0.0 Log Message
 Severity Information
Message msg=“interface {port1|port2|...} ip address changed by user <user_name> via
CLI (console|telnet|ssh)”
Meaning An administrator changed an interface IP address using the CLI.

Access methods/status

Type Event
Subtype Config
Severity Information
Message msg=“Interface {port1|port2|...} {access methods | status} has been changed by
user <user_name> via CLI (console|telnet|ssh)”
Meaning An administrator changed the access methods or status of an interface using the
CLI.

Interface status

Type Event
Subtype Config
Severity Information
Message msg=“interface {port1|port2|...} status changed by user<user_name> via CLI
(console|telnet|ssh)”
Meaning An administrator changed the status of an interface using the CLI.

Interface status/PPPoE status

Type Event
Subtype Config
Severity Information
Message msg=“interface {port1|port2|...} status changed by user<user_name> via CLI
(console|telnet|ssh)”
Meaning An administrator changed the status of an interface using the CLI.

Interface status/PPPoE settings

Type Event
Subtype Config
Severity Information
Message user=<user_ name> ui={console|SSH(<ip_address>)|telnet(<ip_address>)}
module=system submodule=interface msg=“PPPoE settings have been
changed by user <user_name> via {console|SSH(<ip_address>)|telnet
(<ip_address>)|GUI(<ip_address>)}”
Meaning An administrator changed PPPoE settings using the CLI or GUI.

Event Config logs Page 20 FortiMail® Secure Messaging Platform 5.0.0 Log Message
Management IP

Type Event
Subtype Config
Severity Information
Message msg=“Management IP has been changed by user <user_name> via CLI
(console|telnet|ssh)”
Meaning An administrator changed the management IP using the CLI.

Interface access methods

Type Event
Subtype Config
Severity Information
Message msg=“Interface {port1|port2|...} access methods has been changed by user
<user name> via GUI
(<ip_ address>)”
Meaning An administrator changed access methods on an interface using the web-based
manager.

MTU change

Type Event
Subtype Config
Severity Information
Message msg=“MTU has been {enabled | disabled} for interface {port1|port2|...} by user
<user_name> via GUI(<ip_address>)”
Meaning An administrator enabled or disabled MTU for an interface using the web-based
manager.

Interface status

Type Event
Subtype Config
Severity Information
Message msg=“Interface {port1|port2|...} has been brought up by user <user_name> via
GUI(<ip_address>)”
Meaning An administrator changed an interface to up using the web-based manager.

Event Config logs Page 21 FortiMail® Secure Messaging Platform 5.0.0 Log Message
Addressing mode of interface access methods

Type Event
Subtype Config
Severity Information
Message msg=“Addressing mode of interface {port1|port2|...} access methods has been
changed by user <user_name> via GUI(<ip_address>)”
Meaning An administrator changed the access methods of an interface’s addressing
mode using the web-based manager.

Connect option of interface access methods

Type Event
Subtype Config
Severity Information
Message msg=“Connect option of interface {port1|port2|...} access methods has been
changed by user <user_name> via GUI(<ip_address>)”
Meaning An administrator changed the access methods of a connect option for an
interface using the web-based manager.

DNS change

Type Event
Subtype Config
Severity Information
Message msg=“DNS has been changed by user <user_name> via CLI
(console|telnet|ssh)”
Meaning An administrator changed DNS settings using the CLI.

Primary DNS and secondary DNS

Type Event
Subtype Config
Severity Information
Message msg=“DNS has been changed to <primary_dns> and <secondary_dns> by user
<user_name> via GUI (<ip_ address>)”
Meaning An administrator changed the primary DNS and secondary DNS using the
web-based manager.

Event Config logs Page 22 FortiMail® Secure Messaging Platform 5.0.0 Log Message
Default gateway

Type Event
Subtype Config
Severity Information
Message msg=“default gateway has been changed to <gateway_ip_address> by user
<user_name> via GUI (<ip_ address>)”
Meaning An administrator changed the default gateway IP address using the web-based
manager.

Route entry

Type Event
Subtype Config
Severity Information
Message msg=“Route entry <number> has been deleted by user<user_name> via
{console|SSH(<ip_address>)|telnet (<ip_address>)|GUI(<ip_address>)}”
Meaning An administrator deleted a route entry using the CLI or web-based manager.

Route with destination IP address/netmask

Type Event
Subtype Config
Severity Information
Message msg=“A route to <destination_ip_address>/<destination_netmask> has been
added by user <user_name> via {console|SSH(<ip_address>)|telnet
(<ip_address>)|GUI(<ip_address>)}”
Meaning An administrator added a route with destination address/netmask using either
the CLI or web-based manager.

Routing entry

Type Event
Subtype Config
Severity Information
Message msg=“Routing entry <number> has been changed by user <user_name> via
{console|SSH(<ip_address>)|telnet (<ip_address>)|GUI(<ip_address>)}”
Meaning An administrator changed a routing entry using the CLI or web-based manager.

Event Config logs Page 23 FortiMail® Secure Messaging Platform 5.0.0 Log Message
System timezone

Type Event
Subtype Config
Severity Information
Message msg=“System timezone has been changed by user <user_name> via
{console|SSH(<ip_address>)|telnet (<ip_address>)|GUI(<ip_address>)}”
Meaning An administrator changed the system timezone using the CLI or web-based
manager.

Daylight saving time

Type Event
Subtype Config
Severity Information
Message msg=“Automatically adjust clock for Daylight Saving time has been changed by
user<user_name> via GUI (<ip_address>)”
Meaning An administrator changed the option of automatically adjusting clock for daylight
saving time using the web-based manager.

NTP server settings

Type Event
Subtype Config
Severity Information
Message msg=“NTP server settings have been changed by user <user_name> via
{console|SSH(<ip_address>)|telnet (<ip_address>)|GUI(<ip_address>)}”
Meaning An administrator changed NTP server settings using the CLI or web-based
manager.

System time

Type Event
Subtype Config
Severity Information
Message msg=“System time has been changed by user <user_name> via CLI
(console|telnet|ssh)”
Meaning An administrator changed the system time using the CLI.

Event Config logs Page 24 FortiMail® Secure Messaging Platform 5.0.0 Log Message
Console pageNo setting

Type Event
Subtype Config
Severity Information
Message msg=“Console pageNo setting has been changed by user <user_name> via CLI
(console|telnet|ssh)”
Meaning An administrator changed the console page number setting using the CLI.

Console mode setting

Type Event
Subtype Config
Severity Information
Message msg=“Console mode setting has been changed to {line | batch} mode by user
<user_name> via CLI (console|telnet|ssh)”
Meaning An administrator changed the console mode setting to line or batch mode using
the CLI.

Idle timeout

Type Event
Subtype Config
Severity Information
Message msg=“Idle timeout value has been changed by user <user_name> via CLI
(console|telnet|ssh)”
Meaning An administrator changed the idle timeout value using the CLI.

Authentication timeout

Type Event
Subtype Config
Severity Information
Message msg=“Authentication timeout value has been changed by user <user_name> via
CLI (console|telnet|ssh)”
Meaning An administrator changed authentication timeout value using the CLI.

System language

Type Event
Subtype Config

Event Config logs Page 25 FortiMail® Secure Messaging Platform 5.0.0 Log Message
 Severity Information
Message msg=“System language has been changed to {en|ja|ko|ch|tra} by user
<user_name> via {console|SSH(<ip_address>)|telnet
(<ip_address>)|GUI(<ip_address>)}”
Meaning An administrator changed the system language to another language using the
CLI or web-based manager.

LCD PIN number

Type Event
Subtype Config
Severity Information
Message msg=“LCD PIN number has been changed by user <user_name> via
{console|SSH(<ip_address>)|telnet (<ip_address>)|GUI(<ip_address>)}”
Meaning An administrator changed the LCD PIN number using the CLI or web-based
manager.

LCD PIN protection

Type Event
Subtype Config
Severity Information
Message msg=“LCD PIN protection has been {enable|disable} by user <user_name> via
{console|SSH(<ip_address>)|telnet (<ip_address>)|GUI(<ip_address>)}”
Meaning An administrator changed LCD PIN protection enabled or disabled using the CLI
or web-based manager.

GUI refresh interval

Type Event
Subtype Config
Severity Information
Message msg=“GUI refresh interval set to <interval> by user <user_name> via CLI
(console|telnet|ssh)”
Meaning An administrator changed web-based manager refresh interval set to another
interval using the CLI.

System idle and auth timeout

Type Event
Subtype Config
Severity Information

Event Config logs Page 26 FortiMail® Secure Messaging Platform 5.0.0 Log Message
 Message msg=“{System idle and auth timeout | auth timeout} has been changed by user
<user_name> via GUI (<ip_address>)”
Meaning An administrator changed both system idle and auth timeout or just auth timeout
using the web-based manager.

Admin addition

Type Event
Subtype Config
Severity Information
Message msg=“Admin <user_name> has been added by user <user_name> via
{console|SSH(<ip_address>)|telnet (<ip_address>)|GUI(<ip_address>)}”
Meaning An administrator has added another administrator using the CLI or web-based
manager.

Admin change

Type Event
Subtype Config
Severity Information
Message msg=“Admin <user_name> has been changed by user <user_name> via
{console|SSH(<ip_address>)|telnet (<ip_address>)|GUI(<ip_address>)}”
Meaning An administrator changed another administrator using the CL or web-based
manager.

Admin deletion

Type Event
Subtype Config
Severity Information
Message msg=“Admin <user_name> has been deleted by user <user_name> via
{console|SSH(<ip_address>)|telnet (<ip_address>)|GUI(<ip_address>)}”
Meaning An administrator deleted another administrator using the CLI or web-based
manager.

Admin password change

Type Event
Subtype Config
Severity Information
Message msg=“admin <user_name> password has been changed by user <user_name>
via GUI (<ip_address>)”
Meaning An administrator changed another administrator’s password using the
web-based manager.

Event Config logs Page 27 FortiMail® Secure Messaging Platform 5.0.0 Log Message
HA settings

Type Event
Subtype Config
Severity Information
Message msg=“HA settings have been changed by user <user_name> via CLI
(console|telnet|ssh)”
Meaning An administrator changed HA settings using the CLI.

SNMP status

Type Event
Subtype Config
Severity Information
Message msg=“SNMP has been {enabled|disabled} by user <user_name> via CLI
(console|telnet|ssh)”
Meaning An administrator enabled/disabled SNMP using the CLI.

SNMP config info

Type Event
Subtype Config
Severity Information
Message msg=“SNMP config info changed by user <user_name> via CLI
(console|telnet|ssh)”
Meaning An administrator changed SNMP config information using the CLI.

SNMP CPU threshold

Type Event
Subtype Config
Severity Information
Message msg=“SNMP CPU threshold value has been changed by user <user_name> via
CLI (console|telnet|ssh)”
Meaning An administrator changed SNMP CPU threshold value using the CLI.

SNMP memory threshold

Type Event
Subtype Config

Event Config logs Page 28 FortiMail® Secure Messaging Platform 5.0.0 Log Message
 Severity Information
Message msg=“SNMP Memory threshold value has been changed by user <user_name>
via CLI (console|telnet|ssh)”
Meaning An administrator changed the SNMP memory threshold value using the CLI.

SNMP Logdisk threshold

Type Event
Subtype Config
Severity Information
Message msg=“SNMP Logdisk threshold value has been changed by user <user_name>
via CLI (console|telnet|ssh)”
Meaning An administrator changed SNMP log disk threshold value using the CLI.

SNMP maildisk threshold

Type Event
Subtype Config
Severity Information
Message msg=“SNMP maildisk threshold value has been changed by user <user_name>
via CLI (console|telnet|ssh)”
Meaning An administrator changed the SNMP mail disk threshold value using the CLI.

SNMP deferred mqueue threshold

Type Event
Subtype Config
Severity Information
Message msg=“SNMP Deferred mqueue threshold value has been changed by user
<user_name> via CLI (console|telnet|ssh)”
Meaning An administrator changed the SNMP deferred mqueue using the CLI.

SNMP virus detection threshold

Type Event
Subtype Config
Severity Information
Message msg=“SNMP Virus detection threshold value has been changed by user
<user_name> via CLI (console|telnet|ssh)”
Meaning An administrator changed SNMP virus detection threshold value using the CLI.

Event Config logs Page 29 FortiMail® Secure Messaging Platform 5.0.0 Log Message
SNMP spam detection threshold

Type Event
Subtype Config
Severity Information
Message msg=“SNMP Spam detection threshold value has been changed by user
<user_name> via CLI (console|telnet|ssh)”
Meaning An administrator changed the SNMP Spam detection threshold value using the
CLI.

SNMP community entry

Type Event
Subtype Config
Severity Information
Message msg=“SNMP community entry <number> has been deleted by user
<user_name> via CLI (console|telnet|ssh)”
Meaning An administrator deleted an SNMP community entry using the CLI.

SNMP community and host entry

Type Event
Subtype Config
Severity Information
Message msg=“SNMP community entry <entry_number> host <host_number> has been
deleted by user
<user_name> via CLI (console|telnet|ssh)”
Meaning An administrator deleted an SNMP community entry and host using the CLI.

FortiMail disclaimer in header for outgoing messages

Type Event
Subtype Config
Severity Information
Message msg=“FortiMail disclaimer in header for outgoing messages has been changed
by user <user_name> via CLI (console|telnet|ssh)”
Meaning An administrator has changed a FortiMail disclaimer header for outgoing
messages using the CLI.

Event Config logs Page 30 FortiMail® Secure Messaging Platform 5.0.0 Log Message
FortiMail disclaimer in body for incoming messages

Type Event
Subtype Config
Severity Information
Message msg=“FortiMail disclaimer in body for incoming messages has been changed by
user <user_name> via CLI (console|telnet|ssh)”
Meaning An administrator has changed a FortiMail disclaimer body for incoming
messages using the CLI.

FortiMail disclaimer in header for incoming messages

Type Event
Subtype Config
Severity Information
Message msg=“FortiMail disclaimer in header for incoming messages has been changed
by user <user_name> via CLI (console|telnet|ssh)”
Meaning An administrator has changed a FortiMail disclaimer header for incoming
messages using the CLI.

Local domains

Type Event
Subtype Config
Severity Information
Message msg=“Local domains has been modified by user <user_name> via CLI
(console|telnet|ssh)”
Meaning An administrator has modified local domains using the CLI.

POP3 server port number

Type Event
Subtype Config
Severity Information
Message msg=“POP3 server port number has been modified to <port number> by user
<user_name> via CLI (console|telnet|ssh)”
Meaning An administrator has modified a POP3 server using the CLI.

Event Config logs Page 31 FortiMail® Secure Messaging Platform 5.0.0 Log Message
Relay server name

Type Event
Subtype Config
Severity Information
Message msg=“Relay server name has been modified to <server name> by user
<user_name> via CLI (console|telnet|ssh)”
Meaning An administrator has modified a relay server name using the CLI.

SNMP memory threshold

Type Event
Subtype Config
Severity Information
Message msg=“SNMP Memory threshold value has been changed by user <user_name>
via CLI (console|telnet|ssh)”
Meaning An administrator has changed SNMP Memory threshold value using the CLI.

SMTP auth

Type Event
Subtype Config
Severity Information
Message msg=“smtp auth has been modified to <auth_profile_name> by user
<user_name> via CLI (console|telnet|ssh)”
Meaning An administrator has modified SMTP authentication using the CLI.

SMTP over ssl

Type Event
Subtype Config
Severity Information
Message msg=“smtp over ssl has been modified to {enabled|disabled} by user
<user_name> via CLI (console|telnet|ssh)”
Meaning An administrator has modified SMTP over SSL using the CLI.

SMTP server port number

Type Event
Subtype Config

Event Config logs Page 32 FortiMail® Secure Messaging Platform 5.0.0 Log Message
 Severity Information
Message msg=“SMTP server port number has been modified to <port_ number> by user
<user_name> via CLI (console|telnet|ssh)”
Meaning An administrator has modified SMTP server port number using the CLI.

Status of email archiving

Type Event
Subtype Config
Severity Information
Message msg=“status of email archiving has been modified by user <user_name> via CLI
(console|telnet|ssh)”
Meaning An administrator has modified the status of email archiving using the CLI.

Email archiving account

Type Event
Subtype Config
Severity Information
Message msg=“email archiving account has been modified by user <user_name> via CLI
(console|telnet|ssh)”
Meaning An administrator has modified the status of the email archiving account using
the CLI.

Email archiving rotate setting

Type Event
Subtype Config
Severity Information
Message msg=“email archiving rotate setting has been modified by user <user_name>
via CLI (console|telnet|ssh)”
Meaning An administrator has modified an email archiving rotate setting using the CLI.

Archiving settings on local server

Type Event
Subtype Config
Severity Information
Message msg=“Archiving settings on local server has been modified by user
<user_name> via CLI (console|telnet|ssh)”
Meaning An administrator has modified archiving settings on the local server using the
CLI.

Event Config logs Page 33 FortiMail® Secure Messaging Platform 5.0.0 Log Message
Archiving settings on remote server

Type Event
Subtype Config
Severity Information
Message msg=“Archiving settings on remote server has been modified by user
<user_name> via CLI (console|telnet|ssh)”
Meaning An administrator has modified archiving settings on a remote server using the
CLI.

Archiving policy

Type Event
Subtype Config
Severity Information
Message msg=“Archiving policy has been modified by user <user_name> via CLI
(console|telnet|ssh)”
Meaning An administrator has modified an archiving policy using the CLI.

Archiving exempt

Type Event
Subtype Config
Severity Information
Message msg=“Archiving exempt has been modified by user <user_name> via CLI
(console|telnet|ssh)”
Meaning An administrator has modified an archiving exempt setting using the CLI.

System quarantine account

Type Event
Subtype Config
Severity Information
Message msg=“system quarantine account has been modified by user <user_name> via
CLI (console|telnet|ssh)”
Meaning An administrator has modified the system quarantine account using the CLI.

System quarantine rotate setting

Type Event
Subtype Config

Event Config logs Page 34 FortiMail® Secure Messaging Platform 5.0.0 Log Message
 Severity Information
Message msg=“system quarantine rotate setting has been modified by user <user_name>
via CLI (console|telnet|ssh)”
Meaning An administrator has modified a system quarantine rotate setting using the CLI.

System quarantine quota settings

Type Event
Subtype Config
Severity Information
Message msg=“System quarantine quota settings on local server has been modified by
user <user_name> via CLI (console|telnet|ssh)”
Meaning An administrator has modified system quarantine quota settings using the CLI.

System quarantine settings

Type Event
Subtype Config
Severity Information
Message msg=“System quarantine settings have been changed by user <use_ name>
via {console|SSH(<ip_address>)|telnet (<ip_address>)|GUI(<ip_address>)}”
Meaning An administrator has changed system quarantine settings using the CLI or
web-based manager.

Mail server settings

Type Event
Subtype Config
Severity Information
Message msg=“Mail Server settings have been changed by user <user_name> via
{console|SSH(<ip_address>)|telnet (<ip_address>)|GUI(<ip_address>)}”
Meaning An administrator has changed mail server settings using the CLI or web-based
manager.

FortiMail appearance information

Type Event
Subtype Config
Severity Information
Message msg=“FortiMail appearance information has been changed by user
<user_name> via CLI (console|telnet|ssh)”
Meaning An administrator has changed FortiMail appearance information using the CLI.

Event Config logs Page 35 FortiMail® Secure Messaging Platform 5.0.0 Log Message
FortiMail mail gw user group

Type Event
Subtype Config
Severity Information
Message msg=“FortiMail mail gw user group has been {changed | deleted} by user
<user_name> via CLI (console|telnet|ssh)”
Meaning An administrator has changed or deleted a FortiMail mail gateway user group
using the CLI.

Permission of mail

Type Event
Subtype Config
Severity Information
Message msg=“Permission of mail from <email_address> is {set to
(OK|REJECT|RELAY|DISCARD) | deleted} by user <user_name> via
{console|SSH(<ip_address>)|telnet (<ip_address>)|GUI(<ip_address>)}”
Meaning An administrator set or deleted permission of mail using the CLI or web-based
manager.

Mail server access

Type Event
Subtype Config
Severity Information
Message msg=“Mail server access <string> is deleted by user <user_name> via
GUI(<ip_address>)”
Meaning An administrator deleted mail server access using the web-based manager.

Local domain deletion

Type Event
Subtype Config
Severity Information
Message msg=“local domain <domain_name> is deleted by user <user_name> via CLI
(console|telnet|ssh)”
Message An administrator deleted a local domain using the CLI.

Event Config logs Page 36 FortiMail® Secure Messaging Platform 5.0.0 Log Message
Local domain addition

Type Event
Subtype Config
Severity Information
Message msg=“Local domain name <domain_ name> is added by user <user_name> via
{console|SSH(<ip_address>)|telnet (<ip_address>)|GUI(<ip_address>)}”
Message An administrator added a local domain using the CLI or web-based manager.

Local user

Type Event
Subtype Config
Severity Information
Message msg=“Local user <user_ name> has been {added | modified | deleted} by user
<user_name> via CLI (console|telnet|ssh)”
Meaning An administrator added, modified, or deleted a local user using the CLI.

Local domain name

Type Event
Subtype Config
Severity Information
Message msg=“Local domain name <domain_name> is added by user <user_name> via
GUI(<ip_address>)”
Meaning An administrator added a local domain name using the web-based manager.

User group

Type Event
Subtype Config
Severity Information
Message msg=“User group <group_name> has been {modified | deleted} by user
<user_name> via {console|SSH(<ip_address>)|telnet
(<ip_address>)|GUI(<ip_address>)}”
Meaning An administrator modified or deleted a user group using the CLI or web-based
manager.

Event Config logs Page 37 FortiMail® Secure Messaging Platform 5.0.0 Log Message
Mail user addition/deletion

Type Event
FortiMail version 3.0
Severity Information
Message msg=“mail user <user_address> has been {added | deleted} by user
<user_name> via CLI (console|telnet|ssh)”
Meaning An administrator added or deleted a mail user using the CLI.

Mail server user addition

Type Event
Subtype Config
Severity Information
Message msg=“Mail server user <email_address> is added with information: displayname
<display_name> by user <user_name> via CLI (console|telnet|ssh)”
Meaning An administrator added a specified mail server user using the CLI.

Mail server user set with information

Type Event
Subtype Config
Severity Information
Message msg=“Mail server user <email_address> is set with information: displayname
<display_name> by user <user_name> via {console|SSH(<ip_address>)|telnet
(<ip_address>)|GUI(<ip_address>)}”
Meaning An administrator sets a mail server user with information using the CLI or
web-based manager.

Mail server user added with information

Type Event
Subtype Config
Severity Information
Message msg=“Mail server user <email_address> is added with information:
displayname <display_name> by user <user_name> via GUI(<ip_address>)”
Meaning An administrator added a mail server user with information using the web-based
manager.

Event Config logs Page 38 FortiMail® Secure Messaging Platform 5.0.0 Log Message
Mail server user deletion

Type Event
Subtype Config
Severity Information
Message msg=“Mail Server User <email_address> is deleted by user <user_name> via
GUI(<ip_address>)”
Meaning An administrator deletes a mail server user using the web-based manager.

Disk quota of email archiving account

Type Event
Subtype Config
Severity Information
Message msg=“disk quota of email archiving account has been modified by user
<user_name> via CLI (console|telnet|ssh)”
Meaning An administrator modified the disk quota of the email archiving account using
the CLI.

Password of email archiving account

Type Event
Subtype Config
Severity Information
Message msg=“password of email archiving account has been modified by user
<user_name> via CLI (console|telnet|ssh)”
Meaning An administrator modified the email archiving account password using the CLI.

Forwarding address for email archiving

Type Event
Subtype Config
Severity Information
Message msg=“forwarding address for email archiving has been modified by user
<user_name> via CLI (console|telnet|ssh)”
Meaning An administrator modified the forwarding address for email archiving using the
CLI.

Event Config logs Page 39 FortiMail® Secure Messaging Platform 5.0.0 Log Message
Password of system quarantine account

Type Event
Subtype Config
Severity Information
Message msg=“password of system quarantine account has been modified by user
<user_name> via CLI (console|telnet|ssh)”
Meaning An administrator modified the system quarantine account password using the
CLI.

Forwarding address for system quarantine

Type Event
Subtype Config
Severity Information
Message msg=“forwarding address for system quarantine has been modified by user
<user_name> via CLI (console|telnet|ssh)”
Meaning An administrator modified the system quarantine forwarding address using the
CLI.

Password of mail user

Type Event
Subtype Config
Severity Information
Message msg=“password of mail user <user_email_address> has been modified by user
<user name> via CLI (console|telnet|ssh)”
Meaning An administrator modified the password of a mail user using the CLI.

Display name of mail user

Type Event
Subtype Config
Severity Information
Message msg=“display name of mail user <user_address> has been modified by user
<user_name> via CLI (console|telnet|ssh)”
Meaning An administrator modified the display name of a specific mail user using the CLI.

Event Config logs Page 40 FortiMail® Secure Messaging Platform 5.0.0 Log Message
User alias

Type Event
Subtype Config
Severity Information
Message msg=“User alias <alias_name> has been {added | modified | deleted} by user
<user_name> via GUI(<ip_address>)”
Meaning An administrator added, modified, or deleted a user alias using the web-based
manager.

POP3 auth profile

Type Event
Subtype Config
Severity Information
Message msg=“POP3 auth profile <profile_name> has been {added | renamed | modified
| deleted} by user <user_name> via CLI (console|telnet|ssh)”
Meaning An administrator added, renamed, modified, or deleted a POP3 auth profile
using the CLI.

IMAP auth profile

Type Event
Subtype Config
Severity Information
Message msg=“IMAP auth profile <profile_name> has been {added | modified | deleted}
by user <user_name> via CLI (console|telnet|ssh)”
Meaning An administrator added, modified, or deleted an IMAP auth profile using the CLI.

Email banned word

Type Event
Subtype Config
Severity Information
Message msg=“email banned word was removed by user <user_name> via CLI
(console|telnet|ssh)”
Meaning An administrator removed an email banned word using the CLI.

Event Config logs Page 41 FortiMail® Secure Messaging Platform 5.0.0 Log Message
Local log setting

Type Event
Subtype Config
Severity Information
Message msg=“Local log setting has been changed by user <user_name> via CLI
(console|telnet|ssh)”
Meaning An administrator changed a local log setting using the CLI.

Memory log setting

Type Event
Subtype Config
Severity Information
Message msg=“Memory logsetting has been changed by user <user_name> via CLI
(console|telnet|ssh)”
Meaning An administrator changed memory log setting using the CLI.

Log setting

Type Event
Subtype Config
Severity Information
Message msg=“Log setting has been changed by user <user_name> via
{console|SSH(<ip_address>)|telnet (<ip_address>)|GUI(<ip_address>)}”
Meaning An administrator changed a log setting using the CLI or web-based manager.

Log setting elog

Type Event
Subtype Config
Severity Information
Message msg=“Log setting elog has been cleared by user <user_name> via CLI
(console|telnet|ssh)”
Meaning An administrator cleared elog using the CLI.

Log policy

Type Event
Subtype Config

Event Config logs Page 42 FortiMail® Secure Messaging Platform 5.0.0 Log Message
 Severity Information
Message msg=“Log Policy has been modified by user admin via GUI(<ip_address>)”
Meaning An administrator has edited a log policy using the web-based manager.

Alertemail setting

Type Event
Subtype Config
Severity Information
Message msg=“Alertemail setting has been changed by user admin via CLI
(console|telnet|ssh)”
Meaning An administrator changed the alert email setting using the CLI.

Alertemail SMTP server

Type Event
Subtype Config
Severity Information
Message msg=“Alertemail SMTP server has been changed to <server_name> and user
has been changed to <user_name> by user <user_name> via
GUI(<ip_address>)”
Meaning An administrator changed the alertemail SMTP server to and a user was
changed using the web-based manager.

Alertemail target email addresses

Type Event
Subtype Config
Severity Information
Message msg=“Alertemail target email addresses have been changed by user
<user_name> via GUI (<ip_address>)”
Meaning An administrator changed alert email target email addresses using the
web-based manager.

Alertemail configuration

Type Event
Subtype Config
Severity Information
Message msg=“Alertemail configuration has been modified by user <user_name> via
GUI(<ip_address>)”
Meaning An administrator modified alert email configuration using the web-based
manager.

Event Config logs Page 43 FortiMail® Secure Messaging Platform 5.0.0 Log Message
Event System logs

This chapter contains information regarding Event System log messages.

Event System is a subtype log of the Event log type. Event System log messages inform you of
system changes made to your FortiMail unit. For example, the log message may record a user
that shuts down the system from the console, or a user that restarts the FortiMail unit from a
system reboot from the console.
You can cross-search an Event System log message to get more information about it. For more
information about log message cross search, see “Log message cross search” on page 13.
The system event logs contain the following messages:

DNS servers System reload Upgrade system firmware failed

System restart System reset System mode
System shutdown System firmware upgrade

DNS servers

Type Event
Subtype System
Severity Warning
Message msg= “DNS: Connection timed out. No servers could be reached.”
Meaning An administrator could not reach any DNS servers before a time out
occurred.

System restart

Type Event
Subtype System
Severity Warning
Message msg=“System has been restarted by user <user_name> via
{console|SSH(<ip_address>)|telnet (<ip_address>)|GUI(<ip_address>)}”
Meaning An administrator restarted the system using the CLI or web-based
manager.

System shutdown

Type Event
Subtype System
Severity Warning

Page 44
 Message msg=“System has been shutdown by user <user_name> via
{console|SSH(<ip_address>)|telnet (<ip_address>)|GUI(<ip_address>)”
Meaning An administrator shut down the system using the CLI or web-based
manager.

System reload

Type Event
Subtype System
Severity Warning
Message msg=“System has been reloaded by user <user_name> via
{console|SSH(<ip_address>)|telnet (<ip_address>)|GUI(<ip_address>)”
Meaning An administrator reloaded the system using the CLI or web-based manager.

System reset

Type Event
Subtype System
Severity Warning
Messages msg=“System has been reset to factory default by user <user_name> via
{console|SSH (<ip_address>)|telnet(<ip_address>)|GUI(<ip_address>) |
LCD}”
Meaning An administrator reset the system to factory default using the CLI,
web-based manager, or LCD.

System firmware upgrade

Type Event
Subtype System
Severity Warning
Messages msg=“System firmware has been {upgraded | downgraded} by user
<user_name> via {console|SSH(<ip_address>)|telnet(<ip_address>)
|GUI(<ip_address>)}”
Meaning An administrator upgraded/downgraded system firmware using the CLI or
web-based manager.

Upgrade system firmware failed

Type Event
Subtype System
Severity Warning

Event System logs Page 45 FortiMail® Secure Messaging Platform 5.0.0 Log Message
 Message msg=“Upgrade system firmware failed by user <user_name> via
{console|SSH(<ip_address>) |telnet(<ip_address>)|GUI(<ip_address>)}”
Meaning An administrator upgraded system firmware unsuccessfully using the CLI,
console, telnet, or web-based manager.

System mode

Type Event
Subtype System
Severity Warning
Messages msg=“System has been changed to {gateway | server | transparent} mode
by {user <user_name> | user LCD} via
console|SSH(<ip_address>)|telnet(<ip_address>)|GUI(<ip_address>)”
Meaning An administrator or LCD user changed the mode to gateway, server, or
transparent mode using the CLI, web-based manager or LCD.

Event System logs Page 46 FortiMail® Secure Messaging Platform 5.0.0 Log Message
Event Update logs

This chapter contains information regarding Event Update log messages.

Event Update log is a subtype log of the Event log type. Event Update log messages contain
information about the success or failure of an update of FortiGuard services, such as updating
the virus database.
You can cross-search an Event Update log message to get more information about it. For more
information about log message cross search, see “Log message cross search” on page 13.

FortiGuard update result

Type Event
Subtype Update
Severity Warning
Message msg=”Update result: virusdb:<yes|no>, avengine:<yes|no>,
spamdb:<yes|no>, asengine:<yes|no>
Meaning The FortiMail unit updated the following FortiGuard services:
• Antivirus engine
• Virus database
• Spam database
• AntiSpam engine

Page 47
Event SMTP logs

This chapter contains information regarding Event-SMTP log messages.

Event SMTP log is a subtype log of the Event log type. Event SMTP log messages inform you of
any SMTP-related events that occur.
You can cross-search an Event SMTP log message to get more information about it. For more
information about log message cross search, see “Log message cross search” on page 13.
The SMTP event logs contain the following messages:

SMTP-related events FortiGuard antispam rule (FSAR) Antivirus database loaded

loaded
Starting flgrptd Bayesian database training
Mail aliases rebuilt
Virus db loaded Bayesian database training
Antivirus database loaded completed
FortiGuard antispam rule
(FSAR) loading Updated daemon restarted
FASR readme Antivirus database loading

SMTP-related events

Type Event
Subtype SMTP
Severity All severity levels
Message msg=“<log_message_information>”
Meaning Any SMTP-related events.

Starting flgrptd

Type Event
Subtype SMTP
Severity Information
Message msg= “Starting flgrptd”
Meaning The reporting daemon is starting.
The reporting daemon generates the reports that are available in the
web-based manager, Log & Report > Reports. The reporting daemon
generates the reports by parsing the various log files.

Virus db loaded

Type Event
Subtype SMTP

Page 48
 Severity Information
Message msg= “Successfully loaded virus db: /var/spool/etc/vir”
Meaning The antivirus database is successfully loaded.

FortiGuard antispam rule (FSAR) loading

Type Event
Subtype SMTP
Severity Information
Message msg= “Initializing FASR /var/spool/etc/antispam…”
Meaning The FortiGuard Antispam Rule (FSAR) database is loading.

FASR readme

Type Event
Subtype SMTP
Severity Information
Message msg= “Parsing FASR Readme /var/spool/etc/antispam/README…”
Meaning Parsing the accompanying README file which includes version information
about the database.

FortiGuard antispam rule (FSAR) loaded

Type Event
Subtype SMTP
Severity Information
Message msg= “Initializing FASR /var/spool/etc/antispam done!”
Meaning The parsing of the rule set is finished.

Mail aliases rebuilt

Type Event
Subtype SMTP
Severity Notification
Message user=mail ui=mail action=unknown status=success msg=“*@*: alias
database /var/spool/etc/mail/aliases has been rebuilt”
Meaning Mail aliases have been rebuilt.

Event SMTP logs Page 49 FortiMail® Secure Messaging Platform 5.0.0 Log Message
Antivirus database loaded

Type Event
Subtype SMTP
Severity Information
Message msg=“Successfully loaded virus db: /var/spool/etc/virus”
Meaning The antivirus database is loaded successfully.

Updated daemon restarted

Type Event
Subtype SMTP
Severity Warning
Message msg=“Restart the updated daemon to re-load default avengine and
virusdb…”
Meaning Updated daemon is restarted to reload default antivirus engine and
database.

Antivirus database loading

Type Event
Subtype SMTP
Severity Information
Message msg= “Loading virusdb: /var/spool/etc/vir...”
Meaning The user is loading the antivirus database.

Antivirus database loaded

Type Event
Subtype SMTP
Severity Information
Message msg= “Successfully loaded virus db: /var/spool/etc/vir”
Meaning The user successfully uploaded the antivirus database.

Bayesian database training

Type Event
Subtype SMTP
Severity Information

Event SMTP logs Page 50 FortiMail® Secure Messaging Platform 5.0.0 Log Message
 Message msg= “Bayesian Training user global bayesian”
Meaning The FortiMail unit is training a specific bayesian database.

Bayesian database training completed

Type Event
Subtype SMTP
Severity Information
Message msg= “Bayesian Training: <integer> messages finished”
Meaning A specific number of messages have completed the bayesian training.

Event SMTP logs Page 51 FortiMail® Secure Messaging Platform 5.0.0 Log Message
Event Admin logs

This chapter contains information regarding Event Admin log messages.

Event Admin log is a subtype log of the Event log type. Event Admin log messages inform you
of administration changes made to your FortiMail unit.
You can cross-search an Event Admin log message to get more information about it. For more
information about log message cross search, see “Log message cross search” on page 13.
The admin event logs contain the following messages:

User login Message cannot be read

Webmail login Attachment saving failure
User login failure LCD login
WebMail GUI failure LCD login failure
Message retrieval failure

User login

Type Event
Subtype Admin
Severity Information
Message msg=“User <user_name> login successfully from {GUI(<ip_address>) |
console|SSH(<ip_address>)|telnet(<ip_address>)}”
Meaning An administrator successfully logged in using the web-based manager or
CLI.

Webmail login

Type Event
Subtype Admin
Severity Information
Message msg=“User <user_name> from <ip_address> logged in”
Meaning An administrator from a specified IP address logged into the WebMail.

User login failure

Type Event
Subtype Admin
Severity Information

Page 52
 Message msg=“User <user_name> login failed from
{console|SSH(<ip_address>)|telnet(<ip_address>)}”
Meaning An administrator failed to log in using the console, SSH, or telnet.

WebMail GUI failure

Type Event
Subtype Admin
Severity Information
Message msg=“mailbox_get_header: failed”
Meaning The WebMail GUI cannot display the email message, or the quarantined
message in the web-based manager.

Message retrieval failure

Type Event
Subtype Admin
Severity Information
Message msg=“mailbox_get_num_parts: failed”
Meaning Specific information in a message cannot be retrieved.

Message cannot be read

Type Event
Subtype Admin
Severity Information
Message msg=“Could not get message part”
Meaning The message cannot be read from the mailbox.

Attachment saving failure

Type Event
Subtype Admin
Severity Information
Message msg=“Could not save attachment”
Meaning An unknown failure occurred when trying to prepare the attachment for a
user to download.

Event Admin logs Page 53 FortiMail® Secure Messaging Platform 5.0.0 Log Message
LCD login

Type Event
Subtype Admin
Severity Information
Message msg=“Login from LCD successfully”
Meaning An administrator successfully logged in using the LCD.

LCD login failure

Type Event
Subtype Admin
Severity Information
Message msg=“Login from LCD failed”
Meaning An administrator failed to log in using the LCD.

Event Admin logs Page 54 FortiMail® Secure Messaging Platform 5.0.0 Log Message
Event POP3 logs

This chapter contains information regarding Event POP3 log messages.

Event POP3 log is a subtype log of the Event log type. Event POP3 log messages inform you of
any POP3-related events that occur.
You can cross-search an Event POP3 log message to get more information about it. For more
information about log message cross search, see “Log message cross search” on page 13.

POP3-related events

Log Type Event

Subtype POP3
Severity All severity levels
Message msg=“<log_message_information>”
Meaning Any POP3-related events.

Page 55
Event IMAP logs

This chapter contains information regarding Event IMAP log messages.

Event IMAP log is a subtype log of the Event log type. Event IMAP log messages inform you of
any IMAP-related messages.
You can cross-search an Event IMAP log message to get more information about it. For more
information about log message cross search, see “Log message cross search” on page 13.

IMAP-related events

Log type Event

Subtype IMAP
Severity All severity levels
Message msgs=“<log_message_information>”
Meaning Any IMAP-related events.

Page 56
Event HA logs

This chapter contains information regarding Event HA (high availability) log messages.
Event HA log is a subtype log of the Event log type. Event HA log messages inform you of any
high availability problems that may occur within a high availability cluster.
You can cross-search an Event HA log message to get more information about it. For more
information about log message cross search, see “Log message cross search” on page 13.

Example
If you send the FortiMail log messages to a remote Syslog server (including FortiAnalyzer), an
HA log would look like the following and the log fields would appear in the following order:
date=2012-08-09 time=10:30:31 device_id=FE100C3909600504
log_id=0004001036 type=event subtype=ha pri=notice user=ha ui=ha
action=none status=success msg="hahbd: heart beat status changed to
primary-hearbeat-port1=FAILED;secondary-hearbeat-port2=OK"
The HA event logs contain the following messages:

Master startup Heartbeat check

Slave startup Synchronization activities
HA role change

Master startup

Log type Event

Subtype HA
Severity Information
Message msgs=“monitord: main loop starting, entering MASTER mode”
Meaning The FortiMail unit is entering master mode.

Slave startup

Log type Event

Subtype HA
Severity Information
Message msgs=“configd: main loop starting, entering slave mode”
Meaning The FortiMail unit is entering slave mode.

Page 57
HA role change

Log type Event

Subtype HA
Severity Information
Message msgs=“monitord: ** reached retry limit, assuming MASTER role”
Meaning The FortiMail unit is assuming the primary unit role because the retry limit
was reached for connecting to the original primary unit.

Heartbeat check

Log type Event

Subtype HA
Severity Notice
Message msg="hahbd: <message_text>"
Meaning Heartbeat related activities.

Synchronization activities

Log type Event

Subtype HA
Severity Notice
Message msg="hasyncd: <message_text>"
Meaning Synchronization related information.

Event HA logs Page 58 FortiMail® Secure Messaging Platform 5.0.0 Log Message
Event Webmail logs
This chapter contains information regarding Event Webmail log messages.
Event Webmail log is a subtype log of the Event log type. Event Webmail log messages inform
you of any webmail-related events.
You can cross-search an Event Webmail log message to get more information about it. For more
information about log message cross search, see “Log message cross search” on page 13.

User login

Log type Event

Subtype Webmail
Severity All severity levels
Message msgs=“User <user_name> from <IP address> logged in.”
Meaning A user logged into the FortiMail webmail.

Event Webmail logs Page 59 FortiMail® Secure Messaging Platform 5.0.0 Log Message
Antivirus logs

This chapter contains information regarding antivirus log messages, including an example of an
antivirus log message.
Antivirus log messages have a subtype called “infected”. Antivirus log messages inform you of
viruses detected by your FortiMail unit.
Antivirus uses a dynamic error reporting scheme. This scheme is unable to create a definitive list
of log messages that you may encounter. Errors are logged in a format similar to the following
example.
You can cross-search an antivirus log message to get more information about it. For more
information about log message cross search, see “Log message cross search” on page 13.

Example
If you send the FortiMail log messages to a remote Syslog server (including FortiAnalyzer), an
antivirus log would look like the following and the log fields would appear in the following order:
date=2012-07-24 time=17:07:42 device_id=FE100C3909600504
log_id=0100000924 type=virus subtype=infected pri=information
from="syntax@www.ca" to="user2@1.ca" src=172.20.140.94
session_id="q6OL7fsQ018870-q6OL7fsR018870" msg="The file
inline-16-69.dat is infected with EICAR_TEST_FILE."

Virus infection

Log Type encrypt

Subtype infected
Severity information
Message msg=“The file name is infected with <virus_name>”
Meaning The file contains the specified virus.

Page 60
Antispam logs

This chapter contains information regarding spam log messages, including an example of a
Antispam log message. Antispam log messages notify you of any spammed email.
The FortiMail Antispam uses a dynamic error reporting scheme. This scheme is unable to create
a definitive list of log messages that you may encounter. Errors are logged in a format similar to
the following example.
You can cross-search an antispam log message to get more information about it. For more
information about log message cross search, see “Log message cross search” on page 13.

Example
If you send the FortiMail log messages to a remote Syslog server (including FortiAnalyzer), an
antispam log would look like the following and the log fields would appear in the following order:
date=2012-07-20 time=14:33:26 device_id=FE100C3909600504
log_id=0300000924 type=spam pri=information
session_id="q6KIXPZe008097-q6KIXPZf008097"
client_name="[172.20.140.94]" dst_ip="172.20.140.92" endpoint=""
from="syntax@www.ca" to="user1@1.ca" subject="Email with wd, excel, and
rtf test" msg="Detected by BannedWord test"

Spam-related events

Log Type spam

Severity Information
Message msg=“<log_message_information>”
Meaning Any spam-related events.

Page 61
Encryption logs

This chapter contains information regarding encryption log messages, including an example of
an encryption log message. Encryption log messages inform you of any FortiMail IBE
encryption activities.
You can cross-search an encryption log message to get more information about it. For more
information about log message cross search, see “Log message cross search” on page 13.

Example
If you send the FortiMail log messages to a remote Syslog server (including FortiAnalyzer), an
encryption log would look like the following and the log fields would appear in the following
order:
date=2012-08-09 time=10:45:27 device_id=FE100C3909600504
log_id=0400005355 type=encrypt pri=information
session_id="q79EiV8S007017-q79EiV8T0070170001474" msg="User user1@1.ca
read secure message, id:'q79EiV8S007017-q79EiV8T0070170001474', sent
from: 'user2@2.ca', subject: 'ppt file'"

Email encryption

Log Type encrypt

Severity Information
Message msg=“<IBE email encryption related information>”
Meaning The log message records when FortiMail encrypts and decrypts an email,
when the email notification is send to the recipient, when the recipient read
the encrypted email, and when any IBE user status expires.

Page 62
Index

A E
antispam 61 event admin 52
spam-related events 61 attachment saving failure 53
antivirus 60, 62 LCD login 54
file name infection 60, 62 LCD login failure 54
message cannot be read 53
message retrieval failure 53
user login 52
user login failure 52
webmail GUI failure 53
webmail login 52

Page 63
event config 17 mail server user deletion 39
access methods/status 20 mail server user set with information 38
addressing mode of interface access methods 22 mail user addition/deletion 38
admin addition 27 management IP 21
admin change 27 memory log setting 42
admin deletion 27 MTU change 21
admin password change 27 NTP server settings 24
alertemail configuration 43 password of email archiving account 39
alertemail setting 43 password of mail user 40
alertemail SMTP server 43 password of system quarantine account 40
alertemail target email addresses 43 permission of mail 36
archiving exempt 34 POP3 auth profile 41
archiving policy 34 POP3 server port number 31
archiving settings on local server 33 primary DNS and secondary DNS 22
archiving settings on remote server 34 relay server name 32
authentication timeout 25 route entry 23
connect option of interface access methods 22 route with destination IP address/netmask 23
console mode setting 25 routing entry 23
console pageNo setting 25 SMTP auth 32
daylight saving time 24 SMTP over ssl 32
default gateway 23 SMTP server port number 32
disk quota of email archiving account 39 SNMP community and host entry 30
display name of mail user 40 SNMP community entry 30
DNS change 22 SNMP config info 28
email archiving account 33 SNMP CPU threshold 28
email archiving rotate setting 33 SNMP deferred mqueue threshold 29
email banned word 41 SNMP Logdisk threshold 29
FortiGuard autoupdate settings 19 SNMP maildisk threshold 29
FortiMail appearance information 35 SNMP memory threshold 28, 32
FortiMail disclaimer in body for incoming messages SNMP spam detection threshold 30
31 SNMP status 28
FortiMail disclaimer in header for incoming SNMP virus detection threshold 29
messages 31 status of email archiving 33
FortiMail disclaimer in header for outgoing system idle and auth timeout 26
messages 30 system language 25
FortiMail mail gw user group 36 system quarantine account 34
forwarding address for email archiving 39 system quarantine quota settings 35
forwarding address for system quarantine 40 system quarantine settings 35
GUI refresh interval 26 system time 24
HA settings 28 system timezone 24
idle timeout 25 system update setting 19
IMAP auth profile 41 user alias 41
interface access methods 21 user group 37
interface IP address 19 event HA 57
interface status 20, 21 master mode 57
interface status/PPPoE settings 20 master role 58
interface status/PPPoE status 20 slave mode 57
LCD PIN number 26 event IMAP 56
LCD PIN protection 26 IMAP-related events 56
local domain addition 37 event POP3 55
local domain deletion 36 POP3-related events 55
local domain name 37
local domains 31
local log setting 42
local user 37
log policy 42
log setting 42
log setting elog 42
mail server access 36
mail server settings 35
mail server user added with information 38
mail server user addition 38

Index Page 64 FortiMail® Secure Messaging Platform 5.0.0 Log Message

event SMTP 48 event update 47
antivirus database loaded 50 event webmail 59
antivirus database loading 50 user login 59
bayesian database training 50
bayesian database training completed 51 L
FASR readme 49 log
FortiGuard antispam rule (FSAR) loaded 49 cross search 13
FortiGuard antispam rule (FSAR) loading 49 messages 8
mail aliases rebuilt 49 severity levels 12
SMTP-related events 48 subtypes 11
starting flgrptd 48 types 9
updated daemon restarted 50 log type
virus db loaded 48 history 14
event system 44
FortiGuard update result 47 S
system firmware upgrade 45 system quarantine rotate setting 34
system mode 46
system reload 45
system reset 45
system restart 44
system shutdown 44
upgrade system firmware failed 45

Index Page 65 FortiMail® Secure Messaging Platform 5.0.0 Log Message