singhl (Staff)
November 28, 2022

Technical Tip: FortiAnalyzer secure log forwarding

Description: This article describes how to configure secure log forwarding to a syslog server using an SSL certificate, and the common problems encountered.
Scope: Secure log forwarding.
Solution:

Configuration Details:

Create a Log Forwarding server under System Settings -> Log Forwarding with the following options enabled:

set fwd-reliable   <----- This can be enabled in the GUI or the CLI.
set fwd-secure     <----- This can only be enabled in the CLI.

(Screenshot: secure_logfwd.png)

 

  • On FortiAnalyzer, upload the signing CA certificate (as 'CA Certificate') for the SSL certificate used by the syslog server.

  • The log forward daemon on FortiAnalyzer uses the same certificate as the OFTP daemon, which can be configured under the 'config sys certificate oftp' CLI.

By default, it uses Fortinet's self-signed certificate.

  • In the latest 7.0.x/7.2.x releases, a new 'peer-cert-cn' verification option has been added. It is optional: when a CN is filled in, the syslog server's certificate is verified against that CN; if it is left empty, the CN verification is skipped.
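The following Python script is an added example for this article, not Fortinet code. It checks a syslog destination from the client side the way the settings above describe: the server certificate must chain to the CA file you uploaded on FortiAnalyzer, and when a peer-cert-cn value is given it is compared with the certificate's CN, with an empty value skipping that comparison. Host, port, certificate paths and the EXAMPLE_PEERCERT dictionary are constructed placeholders; the optional client_cert parameter presents a client certificate for the case where the remote side also validates the forwarder's OFTP certificate.

```python
"""TLS preflight for a secure syslog destination.

Added example for this article, not Fortinet code. It reproduces, from a
client's side, the checks the article describes for fwd-secure: the server
certificate must chain to the CA you uploaded, and when peer-cert-cn is set the
certificate's CN must equal it (an empty value skips the CN check).
Host, port, certificate paths and EXAMPLE_PEERCERT are constructed placeholders.
"""
import socket
import ssl


def subject_cn(peercert):
    """Return the commonName from the dict SSLSocket.getpeercert() produces."""
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def cn_check(peercert, expected_cn):
    """Apply the peer-cert-cn rule: an empty expected CN means the check is skipped."""
    if not expected_cn:
        return True
    return subject_cn(peercert) == expected_cn


def tls_preflight(host, port, cafile, expected_cn="", client_cert=None):
    """Connect like a reliable+secure forwarder and report the outcome.

    Raises ssl.SSLCertVerificationError if the server chain does not validate
    against cafile. client_cert is an optional (certfile, keyfile) pair to
    present when the server also validates the forwarder's certificate.
    """
    # With cafile given, only that CA is trusted, not the system store.
    ctx = ssl.create_default_context(cafile=cafile)
    # The article describes verification against the CN you fill in, so the
    # comparison is done with cn_check() instead of ssl's hostname matching.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(*client_cert)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            peercert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject_cn": subject_cn(peercert),
                "cn_ok": cn_check(peercert, expected_cn),
            }


# Constructed stand-in for getpeercert() output, for offline use of the CN logic.
EXAMPLE_PEERCERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "syslog.example.com"),)),
    "notAfter": "Nov 28 00:00:00 2023 GMT",
}


if __name__ == "__main__":
    # Offline demonstration of the CN rule. A live check would be, for example:
    # tls_preflight("syslog.example.com", 6514, "/path/to/ca.pem", "syslog.example.com")
    for expected in ("syslog.example.com", "", "other.example.com"):
        print(repr(expected), "->", cn_check(EXAMPLE_PEERCERT, expected))
```

Run the live call before enabling fwd-secure: a chain failure surfaces as an SSLCertVerificationError naming the untrusted issuer, and a cn_ok of False tells you the peer-cert-cn you intend to configure does not match what the server actually presents.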

 

Common Problems:

  • Server certificate used for OFTP is not trusted by the remote server.

  1. If the remote server can trust Fortinet's self-signed CA certificates, upload 'Fortinet_CA' and 'Fortinet_SUBCA' to it.
  2. If not, obtain a new certificate for FortiAnalyzer signed by a publicly trusted CA (such as DigiCert) and use it as the OFTP certificate. (This option also requires uploading the CA certificate on all FortiGates sending logs.)

  • Log format not supported by the syslog server:

FortiAnalyzer follows the RFC 5424 syslog protocol, but the syslog server may show errors like 'Invalid frame header; header=''.

This usually means the syslog server does not support the format in which FortiAnalyzer is forwarding logs.
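As an added example that is not part of the original article: a small receiver-side Python parser that recognises the two framings syslog over TCP can use, RFC 6587 octet-counting ("length message") and newline-delimited non-transparent framing, and decodes the RFC 5424 header (PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID, STRUCTURED-DATA, MSG). A framing mismatch between sender and receiver is a typical cause of errors of the "Invalid frame header" kind, so feeding a captured stream through a parser that accepts both is a quick way to see what the forwarder is actually sending. The SAMPLE_STREAM bytes are constructed and only imitate the shape of forwarded FortiAnalyzer logs.

```python
"""RFC 6587 framing detection plus RFC 5424 header parsing.

Added example for this article, not Fortinet code. SAMPLE_STREAM is a
constructed byte stream that only imitates forwarded FortiAnalyzer logs.
"""
import re

# RFC 6587 octet-counting: "<MSG-LEN> <SYSLOG-MSG>"
_OCTET_COUNT = re.compile(rb"^(\d{1,10}) ")

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
)


def split_frames(buf):
    """Split a TCP byte stream into syslog messages.

    Returns (frames, leftover). Each frame is (framing, message_bytes) with
    framing "octet-counting" or "non-transparent"; leftover is an incomplete
    trailing frame the caller should prepend to the next read.
    """
    frames = []
    while buf:
        m = _OCTET_COUNT.match(buf)
        if m:
            length, start = int(m.group(1)), m.end()
            if len(buf) < start + length:
                break  # rest of this frame not received yet
            frames.append(("octet-counting", buf[start:start + length]))
            buf = buf[start + length:]
            continue
        nl = buf.find(b"\n")
        if nl < 0:
            break  # no terminator yet
        frames.append(("non-transparent", buf[:nl].rstrip(b"\r")))
        buf = buf[nl + 1:]
    return frames, buf


def _sd_end(s):
    """Index of the ']' closing the SD-ELEMENT at s[0], honouring quotes and escapes."""
    in_quotes, i = False, 1
    while i < len(s):
        c = s[i]
        if c == "\\":
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == "]" and not in_quotes:
            return i
        i += 1
    raise ValueError("unterminated STRUCTURED-DATA element")


def parse_rfc5424(msg):
    """Decode an RFC 5424 message into its header fields, SD elements and MSG."""
    text = msg.decode("utf-8", errors="replace")
    m = _HEADER.match(text)
    if m is None:
        # e.g. an RFC 3164 "<PRI>Mmm dd hh:mm:ss ..." line has no VERSION field
        raise ValueError("not an RFC 5424 header: %r" % text[:40])
    pri = int(m.group("pri"))
    rest = text[m.end():]
    sd = []
    if rest.startswith("-"):  # NILVALUE: no structured data
        rest = rest[1:]
    else:
        while rest.startswith("["):
            end = _sd_end(rest)
            sd.append(rest[1:end])
            rest = rest[end + 1:]
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "version": int(m.group("version")),
        "timestamp": m.group("timestamp"),
        "hostname": m.group("hostname"),
        "app": m.group("app"),
        "procid": m.group("procid"),
        "msgid": m.group("msgid"),
        "structured_data": sd,
        "msg": rest[1:] if rest.startswith(" ") else rest,
    }


def decode_stream(buf):
    """Convenience wrapper: frames -> parsed records, keeping the framing seen."""
    frames, leftover = split_frames(buf)
    records = []
    for framing, raw in frames:
        rec = parse_rfc5424(raw)
        rec["framing"] = framing
        records.append(rec)
    return records, leftover


# Constructed sample: one octet-counted frame, one newline-framed message, and
# the start of a third message that has not fully arrived yet.
SAMPLE_MSG = (b'<134>1 2022-11-28T10:15:00Z faz-lab logfwd - - '
              b'[example@32473 logver="700"] date=2022-11-28 type=traffic action=accept')
SAMPLE_STREAM = (
    b"%d %s" % (len(SAMPLE_MSG), SAMPLE_MSG)
    + b'<131>1 2022-11-28T10:15:01Z faz-lab logfwd - - - type=event action=login-failed\n'
    + b"<134>1 2022-11-28T"
)


if __name__ == "__main__":
    recs, rest = decode_stream(SAMPLE_STREAM)
    for r in recs:
        print(r["framing"], r["facility"], r["severity"], r["hostname"], r["msg"])
    print("leftover:", rest)
```

If the receiver's own parser only accepts one of the two framings, the framing label this script reports for the forwarder's traffic tells you which side to reconfigure; a message with no VERSION field after the PRI is a BSD-style (RFC 3164) line rather than RFC 5424 and is rejected here for the same reason a strict receiver would reject it.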

 

Note:

Log forwarding is not supported on FortiManager, including when FortiAnalyzer features are enabled.

 
