btie
Staff
May 23, 2010

Technical Tip: Syslog server not receiving all logs from a FortiGate


Description

This article describes a possible cause for not receiving all log events on the syslog servers.


Scope


FortiOS v7.2 and above.


Solution

A possible root cause is that the logging options for a specific feature or event log in the syslog server settings may not be enabled.


This must be configured from the FortiGate CLI, with the following command:

FGT# config log syslogd filter
FGT (filter) # get <----- To display the current config (the example below is from 4.0 MR2).
app-ctrl            : enable
attack              : enable
dlp                 : enable
email               : enable
forward-traffic     : enable
invalid-packet      : enable
local-traffic       : enable
netscan             : enable
severity            : information
traffic             : enable
virus               : enable
voip                : enable
web                 : enable
analytics           : enable
anomaly             : enable
app-ctrl-all        : enable
blocked             : enable
discovery           : enable
dlp-all             : enable
dlp-docsource       : enable
email-log-google    : enable
email-log-imap      : enable
email-log-msn       : enable
email-log-pop3      : enable
email-log-smtp      : enable
email-log-yahoo     : enable
ftgd-wf-block       : enable
ftgd-wf-errors      : enable
infected            : enable
multicast-traffic   : enable
oversized           : enable
scanerror           : enable
signature           : enable
suspicious          : enable
switching-protocols : enable
url-filter          : disable
vulnerability       : enable
web-content         : enable
web-filter-activex  : enable
web-filter-applet   : enable
web-filter-command-block: enable
web-filter-cookie   : enable
web-filter-ftgd-quota: enable
web-filter-ftgd-quota-counting: enable
web-filter-ftgd-quota-expired: enable
web-filter-script-other: enable
 
The command 'set <option> enable/disable' can be used to enable or disable any of the items in the list.

Example:

FGT (filter) # set url-filter enable
FGT (filter) # end

A test log can be generated with the CLI command 'diagnose log test'.
 
In FortiOS v7.2 and above, the command 'config log syslogd filter' has fewer filters compared to older versions. However, more advanced filtering features replace the missing options, such as the free-style log filters. See the related articles.
 
Challenger-kvm100 # config log syslogd filter
Challenger-kvm100 (filter) # get
severity          : information
forward-traffic   : enable
local-traffic     : enable
multicast-traffic : enable
sniffer-traffic   : enable
ztna-traffic      : enable
anomaly           : enable
VoIP              : enable
gtp               : enable
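As an added example (not part of the original article or of FortiOS), the following Python helper parses the output of 'get' under 'config log syslogd filter', reports which options are set to 'disable' (the cause described above), checks whether a given severity would fall below the configured threshold, and prints the matching 'set <option> enable' lines. The sample listing is constructed from the article's own output; the severity ordering used is the standard FortiOS order and is assumed here.

```python
import re

# Constructed sample: a trimmed 'get' listing in the same layout the article shows.
SAMPLE_GET_OUTPUT = """\
FGT (filter) # get
app-ctrl            : enable
severity            : information
traffic             : enable
local-traffic : enable
url-filter          : disable
web-filter-ftgd-quota-counting: enable
"""

# Assumed FortiOS severity order, most to least severe.
SEVERITY_ORDER = ["emergency", "alert", "critical", "error",
                  "warning", "notification", "information", "debug"]

# Matches 'option : value' lines; prompt lines such as 'FGT (filter) # get' do not match.
LINE_RE = re.compile(r"^([A-Za-z0-9_-]+)\s*:\s*(\S+)$")


def parse_filter_output(text):
    """Turn the 'get' listing into a dict of option -> value, tolerating uneven spacing."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def disabled_filters(settings):
    """Options whose value is 'disable': their events never reach the syslog server."""
    return sorted(opt for opt, value in settings.items() if value == "disable")


def severity_dropped(settings, level):
    """True if a log of 'level' is less severe than the configured severity threshold."""
    threshold = settings.get("severity", "information")
    return SEVERITY_ORDER.index(level) > SEVERITY_ORDER.index(threshold)


def remediation_commands(settings):
    """CLI lines, in the article's form, to re-enable every disabled option."""
    cmds = ["config log syslogd filter"]
    cmds += [f"    set {opt} enable" for opt in disabled_filters(settings)]
    cmds.append("end")
    return cmds


if __name__ == "__main__":
    cfg = parse_filter_output(SAMPLE_GET_OUTPUT)
    print("\n".join(remediation_commands(cfg)))
```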
Related articles:

How to perform a syslog and log test on a FortiGate with the 'diagnose log test' command

Troubleshooting Tip: Syslog and log troubleshooting via CLI 

Technical Tip: Syslog troubleshooting use cases 

Technical Tip: Configuring advanced syslog free-style filters