vraev
Staff
July 6, 2023

Technical Tip: FortiManager/FortiAnalyzer local event logs setup for an external syslog server

Description

 

This article describes how to send the FortiManager local event logs, including every configuration change made on the FortiManager, to an external syslog server.

 

Note:

The same settings are available under FortiAnalyzer.

 

Scope

 

FortiManager and FortiAnalyzer.

 

Solution

 

Syslog is a common format for event logs. It is carried over UDP or TCP, on port 514 by default. If the syslog server supports it, a certificate can be configured on the appliance so that the connection is protected with TLS.

 

Syslog is used for system management and security auditing as well as general information, analysis, and debugging messages. Syslog uses a client-server architecture where a Syslog server listens for and logs messages coming from clients.

 

Each message carries a facility code, indicating the type of system component that generated it, and a severity level.

The logs can be sent in the standard BSD syslog format or as CSV (the 'csv' option in the syslogd settings). For the CEF option used by log forwarding, see Technical Tip: FortiAnalyzer log forwarding CEF version.
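The facility and severity described above are packed into the numeric <PRI> prefix of every BSD syslog message (PRI = facility * 8 + severity). The following receiver, an added example and not part of the original article or any Fortinet tool, decodes that header, applies the same "least severity" rule as the syslogd 'severity' setting, and receives one datagram over loopback so it can be run offline. The sample message and its field layout are constructed for the example.

```python
import re
import socket
from typing import Dict

# Facility codes 0-23 and severity codes 0-7 as defined for BSD syslog (RFC 3164)
# and carried over unchanged into RFC 5424.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# A BSD syslog message starts with "<PRI>" where PRI = facility * 8 + severity.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog(line: str) -> Dict[str, object]:
    """Split a BSD syslog line into PRI, facility name, severity name and body."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header in %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI %d out of range" % pri)
    facility, severity = divmod(pri, 8)
    return {
        "pri": pri,
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "body": m.group(2),
    }


def passes_severity_filter(record: Dict[str, object], least_severity: str) -> bool:
    """Mirror the 'severity' knob of 'config system locallog syslogd setting':
    it is the LEAST severe level still sent, so 'debug' sends everything and
    'warning' sends emerg..warning only (a lower code means more severe)."""
    return SEVERITIES.index(record["severity"]) <= SEVERITIES.index(least_severity)


def receive_one(sock: socket.socket, bufsize: int = 8192) -> Dict[str, object]:
    """Read one UDP datagram from a bound socket and parse it."""
    data, peer = sock.recvfrom(bufsize)
    record = parse_syslog(data.decode("utf-8", errors="replace").rstrip("\r\n"))
    record["peer"] = peer[0]
    return record


def loopback_demo(message: str) -> Dict[str, object]:
    """Bind a UDP listener on an ephemeral loopback port (port 514 would need
    root), send 'message' to it and return the parsed record. Bind to
    ("0.0.0.0", 514) instead to catch a real appliance's traffic."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        server.bind(("127.0.0.1", 0))
        server.settimeout(2.0)
        client.sendto(message.encode("utf-8"), server.getsockname())
        return receive_one(server)
    finally:
        client.close()
        server.close()


# Constructed sample, not a real capture: facility 'syslog' (5), severity 'info' (6),
# so PRI = 5 * 8 + 6 = 46. The body's field layout is illustrative only.
SAMPLE = '<46>Jul  6 14:30:12 fmg-lab user="admin" msg="configuration changed"'

if __name__ == "__main__":
    rec = loopback_demo(SAMPLE)
    print(rec["facility"], rec["severity"], rec["body"])
    print("sent when severity=warning:", passes_severity_filter(rec, "warning"))
```

With the syslogd setting left at its default 'severity: debug', every local event reaches the server; raising it to 'warning' would drop the sample above, since 'info' is less severe than 'warning'.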

 

[Screenshot: Syslog Server settings in the FortiManager GUI]

 

The configuration has two parts. The first is the syslog server entry itself (IP, UDP/TCP, port, certificate):

 

config system syslog
    (syslog)# edit Syslog_net_vlan2
    new entry 'Syslog_net_vlan2' added

        (Syslog_net_vlan2)# set ?
*ip                    Syslog server IP address or hostname.
local-cert             Select the local certificate used for a secure connection.
peer-cert-cn           Certificate common name of syslog server. null or '-' means not checking the certificate CN of the syslog server.
*port                  Syslog server port.
*reliable              Enable/disable reliable connection with syslog server.
secure-connection      Enable/disable connection secured by TLS/SSL.

'reliable' switches the transport from UDP to TCP. 'secure-connection' additionally wraps that TCP session in TLS, using 'local-cert' as the appliance's own certificate and 'peer-cert-cn' to check the server certificate's common name; leaving 'peer-cert-cn' empty means the server's CN is not verified.

 

In the GUI, go to System Settings -> Advanced -> Syslog Server -> Create New. The second part is the 'syslogd' settings (syslog name, status, severity, reliable, facility), which select the server that receives the local logs and what is sent to it.

 

Note:

Up to three syslogd servers can be configured; they receive the log data simultaneously.

config system locallog syslogd setting

 

    (setting)# set ?

 cert                     Select the local certificate used for a secure connection.

 csv                      CSV format.

 facility                 Remote syslog facility.

 reliable                 Enable/disable reliable real-time logging.

 severity                 Least severity level to log.

 status                   Remote syslog log.

 syslog-name              Remote syslog server name.

 

There is an option to send only specific information to the syslog server with the filter options.

 

CLI Command:

 

config sys locallog syslogd filter
    (filter)# set      <----- Modify value.

 

 

Example: to stop FGFM (FortiGate-to-FortiManager protocol) events from being sent to the syslog servers:

 

config sys locallog syslogd filter
    set fgfm disable 
end

 

[Screenshot: all options under 'config sys locallog syslogd filter']

 

Example:

The following steps provide a basic setup of the syslog service.

[Screenshot: System Settings -> Advanced -> Syslog Server -> Create New]

 

Go under System Settings  -> Advanced -> Syslog Server  -> Create New.

 

The same settings under the CLI:

 

config system syslog

    edit "Syslog_net_vlan2"

        set ip "10.5.49.73"

        set reliable enable

    next

end

 

The next step is to set and enable the same under the 'syslogd' settings.

 

config system locallog syslogd setting
    (setting)# get
cert            : (null)
csv             : disable
facility        : syslog
reliable        : disable
severity        : debug
status          : enable
syslog-name     : Syslog_net_vlan2

 

Troubleshooting:

The following commands will provide the current configuration regarding 'syslog'.

 

get system syslog

get system locallog syslogd setting

 

To test the current syslog configuration:

 

diagnose test connection syslogserver <server-name>

diagnose test application logfwd

 

logfwd <integer> ...

Logfwd daemon test usage: 

  • 1: Daemon info (PID, meminfo, backtrace ..)
  • 2: Dump thread-pool status
  • 3: Dump log-forward configurations
  • 4: Dump log-forwarding status
  • 5: Overall and converter stats
  • 6: Dump HA CID info
  • 7: show runtime logs. option format: pid=0:current,-1:all,PID duration=DURA filter=STR
  • 8: show cfile list status [all: for all cfiles]
  • 9: show max durationof loss in memory mode, 120 seconds default, 0 to disable memory mode
  • 10: Force logfwd to run in disk mode [1:enable, 0:disable]
  • 97: memory check
  • 98: Reset log-forwarding stats
  • 99: Restart logfwd

 

diagnose debug application logfwd <integer>      Set the debug level of the logfwd.

diagnose debug enable

 

After the test:

 

diagnose debug disable

diagnose debug reset

 

If the connection between the FortiManager and the syslog server is plain text (TLS and certificates not in use), the built-in sniffer can capture the log traffic and the messages can be read directly.

In the GUI, use the packet capture options under System Settings -> Network Interfaces -> Packet capture.

 

Or under CLI:


diagnose sniffer packet any "host x.x.x.x and port 514" 3 0 a

 

Basic network checks should also be made:

 

diagnose system route list

execute ping x.x.x.x

execute telnet x.x.x.x 514      <----- Does not exist on FortiAnalyzer; run the telnet test from a FortiGate with this command, or from a third-party tool that offers telnet capabilities.
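When no FortiGate is available for the telnet test, the checks can be run from any admin host. The script below is an added example, not part of the original article or of any Fortinet product: it performs the TCP connect that 'execute telnet x.x.x.x 514' would (meaningful only for 'reliable', i.e. TCP, syslog), and for a TLS-enabled server it completes a handshake, validates the chain against a CA file and compares the server certificate's CN the way 'peer-cert-cn' does. The loopback listener exists only so the port check can be exercised offline; the CA path and CN in the main block are placeholders.

```python
import socket
import ssl
from typing import Dict, Optional, Tuple


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect test, the equivalent of 'execute telnet <host> 514'.
    Only valid for 'reliable' (TCP) syslog; a UDP listener cannot be probed this way."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def cert_common_name(cert: Dict) -> Optional[str]:
    """Pull the subject CN out of the dict returned by SSLSocket.getpeercert()."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def cn_matches(cert: Dict, expected_cn: Optional[str]) -> bool:
    """Mirror the appliance's 'peer-cert-cn' semantics: null or '-' disables the
    CN check; otherwise the server certificate's subject CN must match exactly."""
    if expected_cn in (None, "", "-"):
        return True
    return cert_common_name(cert) == expected_cn


def tls_probe(host: str, port: int, cafile: str,
              expected_cn: Optional[str] = None, timeout: float = 5.0) -> Dict[str, object]:
    """Complete a TLS handshake with the syslog server, validating its chain against
    'cafile' (the CA the appliance trusts) and its CN against 'expected_cn'.
    Returns the negotiated parameters for the troubleshooting notes."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # CN compared below, appliance-style; the chain is still verified
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "peer_cn": cert_common_name(cert),
                "cn_ok": cn_matches(cert, expected_cn),
            }


def open_local_listener() -> Tuple[socket.socket, int]:
    """Loopback TCP listener used only to exercise tcp_port_open() offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = open_local_listener()
    print("open port reachable:", tcp_port_open("127.0.0.1", port))
    srv.close()
    print("closed port reachable:", tcp_port_open("127.0.0.1", port))
    # Against the real server from the example above (CA path and CN are placeholders):
    # print(tls_probe("10.5.49.73", 514, "/path/to/syslog-ca.pem", "syslog.example.net"))
```

If tls_probe raises ssl.SSLCertVerificationError, the server's chain does not validate against the CA file, which is the same failure the appliance sees when its trusted CA does not cover the syslog server certificate; a result with cn_ok False means the connection works but 'peer-cert-cn' on the appliance would reject it.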

 

Note:

Command parameters are case-sensitive, and string values are always enclosed in quotes, as in 'my_Account'.

 

Related documents:

Technical Tip: How to verify the running SSH server version

System syslog
