Jonathan_Body_FTNT
Staff
February 4, 2010

Technical Tip: Enabling remote logging to FortiAnalyzer or third-party Syslog server

Description
This article describes a feature available with a licensed FortiClient: logging to a Fortinet FortiAnalyzer device or to a third-party syslog server. It shows how to enable this feature using the EMS server GUI and XML.
Scope
Licensed FortiClient v7.2.x, 7.4.x.
Solution

Once a licensed FortiClient has connected to the EMS server via telemetry, it can be configured through XML to send logs to either a Fortinet FortiAnalyzer device or a syslog server.

However, before implementing the solution steps, it is important to understand how the logs are sent from the FortiClient agents to the remote FortiAnalyzer and/or syslog server. Despite common belief, the FortiClient logs are not sent to the remote FortiAnalyzer and/or syslog server through the EMS: the logs are sent directly from the agent. This means that a VIP must be properly configured on the firewall, allowing communication from ALL towards the FortiAnalyzer/syslog server on TCP port 514, since the FortiClient agents can be located remotely.

[Image: EMS Integration.jpg]
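As an added example (not the article's own configuration), the FortiGate CLI equivalent of the VIP and policy described above. The public address 203.0.113.10, the collector address 192.0.2.20, the interface names wan1/dmz and the object names are placeholders to adjust; lines starting with # are comments. Where the endpoints' egress ranges are known, a source address object narrower than "all" limits what is exposed on TCP 514.

```text
# Custom service for the FortiClient log stream (TCP 514).
config firewall service custom
    edit "FCT-REMOTE-LOG-TCP514"
        set tcp-portrange 514
    next
end

# VIP: public 203.0.113.10:514 on wan1 -> FortiAnalyzer/syslog 192.0.2.20:514.
config firewall vip
    edit "VIP-FAZ-SYSLOG-514"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.0.2.20"
        set protocol tcp
        set extport 514
        set mappedport 514
    next
end

# Policy allowing the remote agents to reach the VIP; logging enabled
# so connection attempts from endpoints are visible in the traffic log.
config firewall policy
    edit 0
        set name "FortiClient-remote-logging"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP-FAZ-SYSLOG-514"
        set action accept
        set schedule "always"
        set service "FCT-REMOTE-LOG-TCP514"
        set logtraffic all
    next
end

# Quick on-box check that agent traffic arrives and is forwarded on port 514
# (verbosity 4 shows the interface on each packet; 20 packets captured).
diagnose sniffer packet any 'tcp port 514' 4 20
```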

 

For the configuration, follow the steps below:

  1. Connect the FortiClient running on the device to telemetry (using the allow IP, domain, or invite code option) so that it is managed by the FortiClient EMS server.

 

[Image: FCT 1.png]

  2. Under Endpoint Profiles -> System Settings -> Advanced -> Log level/features, set the 'Log level/features' and 'What to log' parameters. In the example below, the 'Log Level' is set to 'Warning' and 'What to log' is set to 'All events'.

[Image: FCT 2.png]

 

 

  3. In the 'Remote Logging' section, specify the IP address of the server to log to, as well as the logging facility to be used, and whether the logging device is a Fortinet FortiAnalyzer device or a syslog server (XML to use will be).

[Image: FCT 4.png]

 

The Event Log Settings 'Log Level' determines the log level used with a Fortinet FortiAnalyzer/syslog server. In the example below, all values are left at their defaults.

[Image: FCT 3.png]

 

Note: Wireshark can be used to capture the traffic flow between the endpoint and the logging server for troubleshooting purposes.