Technical Tip: How to send Syslog from Linux (Ubuntu) based to FortiAnalyzer
| Description | This article describes how to send syslog from a Linux (Ubuntu) based system to FortiAnalyzer. |
| Scope | FortiAnalyzer and Linux (Ubuntu). |
| Solution | The Ubuntu workstation needs to have EMS/FortiClient installed. Configure FortiAnalyzer in the EMS system settings; on the FortiAnalyzer side, two devices awaiting authorization will then appear in Device Manager (enable ADOM). |

To ensure Ubuntu sends logs to FortiAnalyzer, follow the configuration-based guide below.

Log in as root:

```
login as: root
```

Change to the /etc folder:

```
root@preve-kvm39:~# cd /etc
```

Edit the rsyslog.conf file (the syslog configuration):

```
root@preve-kvm39:/etc# vi rsyslog.conf
```

Add the FortiAnalyzer information (a single `@` forwards over UDP; `@@` would forward over TCP):

```
# Include all config files in /etc/rsyslog.d/
*.* @10.47.5.XX:514    # For UDP
```

The following sniffer can be used to verify that traffic is reaching the FortiAnalyzer, where 10.10.10.10 is the Linux server IP:

```
FortiAnalyzer# diagnose sniffer packet any 'host 10.10.10.10' 3 0 l
```

Packets can also be collected from the GUI in PCAP format: after selecting OK, select the Play button to start the packet capture, then download it using the Download button.

Refresh FortiAnalyzer, and it will show the event log of Ubuntu.
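As an added helper (not part of the Fortinet article), the script below writes the forwarding rule from the rsyslog step as a drop-in under /etc/rsyslog.d/, checks the configuration syntax, restarts rsyslog and emits a test line that should appear in the FortiAnalyzer sniffer; the FortiAnalyzer address is a placeholder, and the drop-in file name is an assumption.

```shell
#!/bin/sh
# Added helper, not from the Fortinet article. Writes the forwarding rule as a
# drop-in under /etc/rsyslog.d/ (pulled in by the include line that the comment
# in rsyslog.conf refers to), validates it, restarts rsyslog and logs a test
# line. Assumes Ubuntu with rsyslog 8.x and root privileges; the FortiAnalyzer
# address passed in is a placeholder to be replaced with the real one.
set -eu

# Print the rsyslog forwarding rule for all facilities and priorities.
# Single @ = UDP (as in the article); @@ = TCP. Fails on a bad port/protocol.
build_forward_rule() {
  ip=$1; port=${2:-514}; proto=${3:-udp}
  case "$port" in
    ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "bad port: $port" >&2; return 1
  fi
  case "$proto" in
    udp) printf '*.* @%s:%s\n' "$ip" "$port" ;;
    tcp) printf '*.* @@%s:%s\n' "$ip" "$port" ;;
    *)   echo "unsupported protocol: $proto" >&2; return 1 ;;
  esac
}

# Install the rule, parse the whole config without starting the daemon
# (rsyslogd -N1), restart rsyslog and log a line that should show up in the
# FortiAnalyzer sniffer and, after a refresh, in the Ubuntu event log.
install_forward_rule() {
  conf=/etc/rsyslog.d/90-fortianalyzer.conf   # file name chosen for this example
  rule=$(build_forward_rule "$1" 514 "${2:-udp}")
  printf '%s\n' "$rule" > "$conf"
  rsyslogd -N1 -f /etc/rsyslog.conf
  systemctl restart rsyslog
  logger -t faz-test "rsyslog forwarding test from $(hostname)"
  echo "rule written to $conf"
}

# Usage (placeholder address): install_forward_rule 10.47.5.XX udp
```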



