jlozen
New Member
July 30, 2014
Question

Reliable, Real-time log forwarding

Currently I have multiple Fortigate units sending logs to Fortianalyzer. This seems like a good solution as the logging is reliable and encrypted. I have another backend system that I would like to use for some additional storage and processing of logs. The problem is, I have yet to find any way to guarantee the logs are received by my secondary system. So far, these seem to be my options:

1. Put the fortianalyzer in collector mode and send the logs to my secondary system with syslog
2. Roll and backup the logs daily, and have my secondary system digest them from there
3. Send logs over a VPN to the secondary system directly from the Fortigate units (bypassing the FAZ) using Reliable Syslog

The problem with the first option is while syslog will be fairly reliable on the local network, if anything takes down my secondary system, I'll lose logs. The problem with the second option is I won't have anything in real-time for reporting. The problem with the third option is Reliable Syslog isn't well supported and the VPN adds complexity. My question is, is there any option for getting logs out of the fortianalyzer in near-realtime and in a reliable way? Thanks,

    1 reply

    Sean_Toomey_FTNT
    Staff
    July 31, 2014
    Hi jlozen, I've managed large FortiGate environments that had such a need, to log to both FortiAnalyzer as well as a secondary system, in our case a SIEM. If you are looking for guarantees then option 2 is your best choice because at that point there is little to go wrong, but as you point out it's hardly real time, and also sounds like a pain in the rear unless you can fully automate it. Reliable syslog (or syslog over TCP 514 for those who don't know) is supported by a decent number of syslog servers and SIEMs, though it is a newer concept. It does address some of your concern. Another option is that if the FortiAnalyzer is local to the secondary system, you can also forward logs from FAZ -> secondary system over UDP syslog (not sure if FAZ supports reliable syslog out, will need to check). But this means it is coming from a central point that is local on the network and could also work. Hope this helps. Cheers!
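As an added illustration of the gap both posts describe (UDP syslog drops records while the secondary system is down; syslog over TCP alone still loses anything queued when the connection fails), here is a minimal store-and-forward relay in Python. It is example code written for this thread, not Fortinet's or any product's code: records are framed with RFC 6587 octet counting over TCP and held in a spool until the destination accepts them. The destination address, the constructed sample log lines and the in-memory spool (a stand-in for a disk-backed queue) are assumptions.

```python
import socket
from collections import deque

# Constructed sample records, loosely shaped like FortiGate key=value syslog (not real device output).
SAMPLE_LOGS = [
    "date=2014-07-30 time=10:00:01 devname=FGT-A type=traffic action=accept",
    "date=2014-07-30 time=10:00:02 devname=FGT-A type=event action=login",
]


def frame(msg: str, pri: int = 134, host: str = "faz-collector") -> bytes:
    """RFC 5424-style header with RFC 6587 octet counting, so a TCP receiver can split records."""
    body = f"<{pri}>1 - {host} relay - - - {msg}".encode()
    return f"{len(body)} ".encode() + body


class StoreAndForward:
    """Keeps unsent records in order and retries them, so an outage of the secondary
    system delays delivery instead of dropping it. The bounded deque stands in for a disk spool."""

    def __init__(self, dest, connect=socket.create_connection, max_spool=10000):
        self.dest = dest            # e.g. ("10.0.0.5", 514) - assumed address of the secondary system
        self.connect = connect      # injectable so the relay can be exercised without a network
        self.spool = deque()
        self.max_spool = max_spool
        self.dropped = 0            # counted, not silent, so monitoring can alarm on spool overflow

    def enqueue(self, msg: str) -> bool:
        if len(self.spool) >= self.max_spool:
            self.dropped += 1
            return False
        self.spool.append(frame(msg))
        return True

    def flush(self) -> int:
        """Deliver what is spooled; on any socket error keep the remainder for the next attempt."""
        sent = 0
        if not self.spool:
            return sent
        try:
            with self.connect(self.dest, timeout=2) as sock:
                while self.spool:
                    sock.sendall(self.spool[0])
                    self.spool.popleft()  # discard only after the kernel accepted every byte
                    sent += 1
        except OSError:
            pass  # destination down or connection lost mid-batch: records stay spooled
        return sent
```

Run `flush()` from a timer or after each batch; while the secondary system is unreachable the spool grows and `dropped` tells you when the bound was hit.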