Technical Tip: Forward local log to Syslog server
Description
This article describes how to configure the FortiAnalyzer to forward local logs to a Syslog server.
Scope
FortiAnalyzer.
Solution
Step 1:
Log in to the FortiAnalyzer Web UI and browse to System Settings -> Advanced -> Syslog Server. Select the 'Create New' button as shown in the screenshot below.
Provide the name for the syslog profile along with the IP address. The port number may be changed if the syslog server is running on a different port than the default.
Step 2: Log in to the CLI with PuTTY or any terminal client and run the following commands:
config system locallog syslogd setting
    set status enable
    set syslog-name <syslog profile name>
end
For example:
config system locallog syslogd setting
    set status enable
    set syslog-name "kiwi_syslog"
end
Note:
In recent versions, FortiAnalyzer can send its local event logs to up to 3 syslog servers. These are configured only through the CLI, using one of the following settings:
config system locallog (syslogd | syslogd2 | syslogd3) setting
To verify, attempt to log in to the Web UI admin page with an invalid user. The resulting failed-login event appears on the syslog server, as shown below:
03-25-2016 11:59:38 Local7.Alert 192.168.146.76 date=2016-03-25 time=11:59:57 devname=FAZ2000B device_id=FL-2KB3R10600008 log_id=0001010019 type=event subtype=system pri=alert user="adda" userfrom="GUI(192.168.242.88)" msg="User 'adda' login failed from GUI(192.168.242.88), reason:Authentication failure. Please try again..." adminprof=""
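The forwarded event is a key=value record behind a plain syslog header. As an added example that is not part of this article or of any Fortinet tooling, the following Python script parses such lines (the header with facility, severity and relay address, then the quoted key=value body) and counts failed admin logins per user and source, which is the kind of check a collector would run on the forwarded logs. The sample lines are constructed: the first is the event shown above, the rest are made up in the same format, and the success line's log_id and adminprof values are placeholders.

```python
import re
from collections import Counter

# Constructed sample input. The first line is the event shown in the article;
# the others are made up in the same format. The last line's log_id and
# adminprof are placeholder values, not real FortiAnalyzer identifiers.
SAMPLE_LINES = [
    '03-25-2016 11:59:38 Local7.Alert 192.168.146.76 date=2016-03-25 time=11:59:57 devname=FAZ2000B device_id=FL-2KB3R10600008 log_id=0001010019 type=event subtype=system pri=alert user="adda" userfrom="GUI(192.168.242.88)" msg="User \'adda\' login failed from GUI(192.168.242.88), reason:Authentication failure. Please try again..." adminprof=""',
    '03-25-2016 11:59:41 Local7.Alert 192.168.146.76 date=2016-03-25 time=12:00:00 devname=FAZ2000B device_id=FL-2KB3R10600008 log_id=0001010019 type=event subtype=system pri=alert user="adda" userfrom="GUI(192.168.242.88)" msg="User \'adda\' login failed from GUI(192.168.242.88), reason:Authentication failure. Please try again..." adminprof=""',
    '03-25-2016 11:59:44 Local7.Alert 192.168.146.76 date=2016-03-25 time=12:00:03 devname=FAZ2000B device_id=FL-2KB3R10600008 log_id=0001010019 type=event subtype=system pri=alert user="adda" userfrom="GUI(192.168.242.88)" msg="User \'adda\' login failed from GUI(192.168.242.88), reason:Authentication failure. Please try again..." adminprof=""',
    '03-25-2016 11:59:50 Local7.Alert 192.168.146.76 date=2016-03-25 time=12:00:09 devname=FAZ2000B device_id=FL-2KB3R10600008 log_id=0001010019 type=event subtype=system pri=alert user="bob" userfrom="GUI(10.0.0.5)" msg="User \'bob\' login failed from GUI(10.0.0.5), reason:Authentication failure. Please try again..." adminprof=""',
    '03-25-2016 12:00:02 Local7.Info 192.168.146.76 date=2016-03-25 time=12:00:21 devname=FAZ2000B device_id=FL-2KB3R10600008 log_id=0000000000 type=event subtype=system pri=information user="admin" userfrom="GUI(10.0.0.9)" msg="User admin login successfully from GUI(10.0.0.9)" adminprof="PLACEHOLDER"',
]

# Syslog header as written by the collector: "<date> <time> <Facility>.<Severity> <relay IP> "
HEADER_RE = re.compile(r'^(\S+ \S+) (\w+)\.(\w+) (\S+) ')

# key=value pairs; a value is either a double-quoted string (may contain spaces,
# commas and escaped quotes) or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line):
    """Return the fields of one forwarded FortiAnalyzer event as a dict.

    Header fields are stored under underscore-prefixed keys so they cannot
    collide with the device's own key=value fields.
    """
    fields = {}
    m = HEADER_RE.match(line)
    if m:
        fields["_received"], fields["_facility"], fields["_severity"], fields["_relay"] = m.groups()
        body = line[m.end():]
    else:
        body = line
    for key, raw in KV_RE.findall(body):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]          # strip the surrounding quotes, keep inner text as-is
        fields[key] = raw
    return fields


FAILED_MARKER = "login failed"


def failed_logins(lines):
    """Count failed logins per (user, source) across the given event lines."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") == "event" and FAILED_MARKER in ev.get("msg", ""):
            counts[(ev.get("user"), ev.get("userfrom"))] += 1
    return counts


def flag_repeated_failures(lines, threshold=3):
    """Return sorted (user, source) pairs with at least `threshold` failed logins."""
    return sorted(src for src, n in failed_logins(lines).items() if n >= threshold)


if __name__ == "__main__":
    for user, source in flag_repeated_failures(SAMPLE_LINES):
        print(f"repeated login failures: user={user} from {source}")
```

The threshold and the "login failed" marker are assumptions for this illustration; the fields that carry the source of a failed login (user, userfrom, msg) are the ones visible in the event above.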
As an additional verification step, a packet capture can be initiated on FortiAnalyzer while generating a local event (for example, login or logout) to confirm log transmission to the syslog server. When using standard syslog (port 514), the traffic is unencrypted, and log details are visible within the packet payload.
diagnose sniffer packet any "host <syslog server IP> and port <syslog port>"
