导出日志
导出日志
通过 GUI 导出
提示
通过 GUI 单次最多可以下载最近的 400,000 条日志条目。如日志条目数超过 400,000,需导出全部日志,请使用 FTP/TFTP/USB 方式导出。
在“日志 & 报表”中进入想要下载的日志类型页面,这里以转发流量为例。
过滤想要下载的特定日志(这里以目标 IP 223.5.5.5 为例),在右上角选择存储日志的位置(这里以硬盘为例),选择日志时间范围(这里以最近 7 天为例)。
点击左上角的下载按钮,即可下载明文日志文件,后缀为
.log,如disk-traffic-forward-2025-11-27_17-00.log。
通过 FTP/TFTP/USB 导出
通过如下 CLI 命令可以以 LZ4 压缩格式导出当前硬盘/内存的全部/单类日志到 FTP/TFTP/USB。
execute backup [disk | memory] alllogs [ftp | tftp | usb] <ftp server>[:ftp port] <user> <passwd> uncompressed execute backup [disk | memory] log [ftp | tftp | usb] <ftp server>[:ftp port] <user> <passwd> <log_type> uncompressedalllogs:备份所有以下类型日志。log:可在<log_type>字段定义要备份的一种日志类型,包含traffic、event、virus、webfilter、ips、emailfilter、anomaly、voip、dlp、app-ctrl、waf、dns、ssh、ssl、file-filter、icap、sctp-filter、forti-switch、virtual-patch、casb、debug。uncompressed:表示以未压缩方式备份日志。提示
如果日志备份命令不携带
uncompressed参数,或使用compressed,则会以 LZ4 压缩格式备份日志,需要使用解压工具进行解压才能看到原始日志(详见 https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Transferring-historical-logs-from-a-FortiGate-hard/ta-p/193850 )。
在导出日志前,使用如下 CLI 可以查看预估导出特定分类日志的大小(包含压缩大小和未压缩大小),并根据日志文件大小规划 FTP/TFTP 服务器或 USB 的剩余空间。如下所示,查看系统日志(
1: event)的日志文件大小(未压缩大小为 4 MB,压缩大小为 400 KB)。execute log list <category> Available categories: 0: traffic 1: event 2: utm-virus 3: utm-webfilter 4: utm-ips 5: utm-emailfilter 7: utm-anomaly 8: utm-voip 9: utm-dlp 10: utm-app-ctrl 12: utm-waf 15: utm-dns 16: utm-ssh 17: utm-ssl 19: utm-file-filter 20: utm-icap 22: utm-sctp-filter 23: forti-switch 24: utm-virtual-patch 25: utm-casb 26: debug FortiGate # execute log list 1 elog.65447 106538 18156 Thu Nov 20 00:00:00 2025 elog.65446 108001 18558 Fri Nov 21 00:00:00 2025 elog.65445 105451 17813 Sat Nov 22 00:00:00 2025 elog.65444 113756 20098 Sun Nov 23 00:00:00 2025 elog.65443 106007 17791 Mon Nov 24 00:00:00 2025 elog.65442 105157 17607 Tue Nov 25 00:00:00 2025 elog.65441 162282 32429 Wed Nov 26 00:00:00 2025 elog.65440 132276 25886 Thu Nov 27 00:00:00 2025 elog.65439 3286179 241574 Thu Nov 27 18:03:17 2025 9 elog file(s) found. Uncompressed Total: 4 MB Compressed Total: 400 KB这里以备份硬盘中的系统日志到 FTP 服务器为例,FortiGate 会将所有系统日志分段(如需)发送到 FTP 服务器(未压缩日志体积大于压缩文件,系统会给出提示信息,按
y继续导出)。提示
并非所有型号包含硬盘,可以通过
execute disk list命令查看。如设备不包含硬盘,可以选择memory或usb方式。FortiGate # execute backup disk log ftp 192.168.90.253 user1 password event uncompressed WARNING: The size of uncompressed log files can be very large. Please check uncompressed log size for each log category before uploading to FTP server by command "execute log list [logcategory]. And uploading uncompressed files to FTP server could take hours. Do you want to continue? (y/n)y Upload uncompressed log to FTP server! Connect to ftp server 192.168.90.253 ... Please wait... uploading 24255B/241001B(10%) uploading 50519B/241001B(20%) uploading 75236B/241001B(31%) uploading 102429B/241001B(42%) uploading 125595B/241001B(52%) uploading 150578B/241001B(62%) uploading 174505B/241001B(72%) uploading 197624B/241001B(82%) uploading 224653B/241001B(93%) uploading 241001B/241001B(100%) uploaded file size:241001B Sent log file elog.65439 to ftp server as disk-event_FG101FTK20007637_root_20251127_175317_65439 OK. Connect to ftp server 192.168.90.253 ... Please wait... uploading 4081B/25886B(15%) uploading 6522B/25886B(25%) uploading 12769B/25886B(49%) uploading 15420B/25886B(59%) uploading 20131B/25886B(77%) uploading 23349B/25886B(90%) uploading 25886B/25886B(100%) uploaded file size:25886B Sent log file elog.65440 to ftp server as disk-event_FG101FTK20007637_root_20251127_000000_65440 OK. ......导出的日志可以直接使用文本工具打开查看。