By default disk logging has been disabled on FortiOS v5.0. One of the reasons this was done is because the flash memory on some devices are not designed for constant read/writes, so saving logs to it can degrade the disk (resulting in corrupted sectors). Having said that, we've got a few FortiGates that have been logging to disk for a few years now with no problems.
1. Confirm you device has a log disk
Firstly check that your FortiGate has the log disk available. Some units don't come with a log disk. To confirm use the get sys status command and ensure that the variable 'Log hard disk' shows 'Need format'.
fortigate # get sys status
Version: FortiGate-VM64 v5.0,build0228,130809 (GA Patch 4)
Virus-DB: 16.00560(2012-10-19 08:31)
Extended DB: 1.00000(2012-10-17 15:46)
IPS-DB: 4.00345(2013-05-23 00:39)
IPS-ETDB: 0.00000(2000-00-00 00:00)
Serial-Number: FGVMEV0000000000
Botnet DB: 1.00000(2012-05-28 22:51)
License Status: Valid
Evaluation License Expires: Fri Nov 1 06:24:58 2013
VM Resources: 1 CPU/1 allowed, 475 MB RAM/1024 MB allowed
BIOS version: 04000002
Log hard disk: Need format
Hostname: fortigate
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 1
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 228
Release Version Information: GA Patch 4
FortiOS x86-64: Yes
System time: Wed Oct 30 15:43:01 2013
If your FortiGate doesn't have a hard disk you'll get the following:
fortigate # get sys status
Version: FortiGate-VM64 v5.0,build0228,130809 (GA Patch 4)
Virus-DB: 16.00560(2012-10-19 08:31)
Extended DB: 1.00000(2012-10-17 15:46)
IPS-DB: 4.00345(2013-05-23 00:39)
IPS-ETDB: 0.00000(2000-00-00 00:00)
Serial-Number: FGVMEV0000000000
Botnet DB: 1.00000(2012-05-28 22:51)
License Status: Valid
Evaluation License Expires: Fri Nov 1 06:24:58 2013
VM Resources: 1 CPU/1 allowed, 475 MB RAM/1024 MB allowed
BIOS version: 04000002
Log hard disk: Not available
Hostname: fortigate
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 1
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 228
Release Version Information: GA Patch 4
FortiOS x86-64: Yes
System time: Wed Oct 30 15:43:01 2013
2. Format the log disk
Now enter the command execute formatlogdisk, then press y to confirm. This will format the disk then REBOOT the firewall.
fortigate # execute formatlogdisk
Log disk is /dev/sdb1.
Formatting this storage will erase all data on it, including
logs, quarantine files;
and require the unit to reboot.
Do you want to continue? (y/n)y
3. Enable logging
When the device is back up login to the web GUI and navigate to Log & Report > Log Config > Log Settings. You should now see the 'Disk' option. Select this (and 'Enable local reports' if you want to run reports locally) then click apply. Ensure that 'Display logs from' says Disk.
If you don't have this option via the web GUI you can enable it via the CLI with the following commands:
