mic_pin
New Member
August 31, 2023
Solved

Successful VPN login event not sent to external syslog server

  • August 31, 2023
  • 2 replies
  • 2747 views

FortiGate 1100E with FortiOS v6.4.14 build2093 (GA) 

We have a SIEM to collect and correlate events from multiple sources. On the FortiGate we have configured the SIEM as an external syslog server and it works well, BUT I've noticed that only failed SSL-VPN logins were sent.

Any idea how to configure the FortiGate to also send successful SSL-VPN logins to the external syslog server?

Thanks

Best answer by srajeswaran

2 replies

srajeswaran
Staff
August 31, 2023

The severity for success and failure logs might be different and that could be the reason for the behavior.

Can you check the severity for both events and then check the syslogd filter config using "get log syslogd filter"?

You can modify the filter under "config log syslogd filter".

ref: https://docs.fortinet.com/document/fortigate/6.4.6/cli-reference/435620/config-log-syslogd-filter
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-syslog-filters-on-to-send-only-specific-logs/ta-p/194032


mic_pin (Author)
New Member
August 31, 2023

Thanks for your prompt and kind reply. Lowering the syslog minimum notification level to "information" let me collect successful VPN logins as well.
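The behaviour srajeswaran describes and mic_pin confirms is a severity threshold: `config log syslogd filter` forwards only events at or above the configured minimum severity (the `set severity <level>` option documented in the linked CLI reference), so a filter left at "notification" forwards the higher-severity failed-login events and silently drops the "information"-level successful ones. The script below is an added example, not code from the thread or from Fortinet: it parses FortiGate key=value syslog lines and emulates that threshold so a SIEM operator can see, before touching the firewall, which events a given setting would drop. The sample log lines are constructed, the `logid` values are placeholders rather than real FortiOS log IDs, and the severity assignments (failure at "alert", success at "information") mirror the thread's observation rather than a captured log.

```python
"""Emulate the FortiOS syslogd severity filter over constructed SSL-VPN log lines."""
import shlex
from typing import Dict, List

# FortiOS log severities, most severe first (same order as the RFC 5424 codes 0-7).
SEVERITY_ORDER = [
    "emergency", "alert", "critical", "error",
    "warning", "notification", "information", "debug",
]

# Constructed sample lines in FortiGate key=value syslog format (not captured from a
# real device). The logid values are placeholders, not real FortiOS log IDs. The
# levels follow the thread's observation: the failed login is logged at a higher
# severity than the successful tunnel-up event.
SAMPLE_LOGS: List[str] = [
    'date=2023-08-31 time=09:12:01 devname="FG1100E" logid="0000000001" type="event" '
    'subtype="vpn" level="alert" logdesc="SSL VPN login fail" user="alice" '
    'remip="198.51.100.23" msg="SSL VPN login fail"',
    'date=2023-08-31 time=09:12:40 devname="FG1100E" logid="0000000002" type="event" '
    'subtype="vpn" level="information" logdesc="SSL VPN tunnel up" user="alice" '
    'remip="198.51.100.23" msg="SSL VPN tunnel up"',
    'date=2023-08-31 time=09:15:07 devname="FG1100E" logid="0000000003" type="event" '
    'subtype="vpn" level="notification" logdesc="SSL VPN statistics" '
    'msg="SSL VPN statistics"',
]


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split a key=value FortiGate syslog line into a dict, honouring quoted values."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def severity_rank(level: str) -> int:
    """Lower rank means more severe; unknown levels are treated as least severe."""
    try:
        return SEVERITY_ORDER.index(level.lower())
    except ValueError:
        return len(SEVERITY_ORDER)


def passes_syslogd_filter(event: Dict[str, str], min_severity: str) -> bool:
    """Emulate 'config log syslogd filter' / 'set severity <min_severity>':
    an event is forwarded only if it is at least as severe as the threshold."""
    return severity_rank(event.get("level", "")) <= severity_rank(min_severity)


def forwarded_logdescs(lines: List[str], min_severity: str) -> List[str]:
    """Return the logdesc of each event the filter would forward to the SIEM."""
    events = (parse_fortigate_log(line) for line in lines)
    return [e["logdesc"] for e in events if passes_syslogd_filter(e, min_severity)]


def dropped_logdescs(lines: List[str], min_severity: str) -> List[str]:
    """Return the logdesc of each event the filter would silently drop."""
    events = (parse_fortigate_log(line) for line in lines)
    return [e["logdesc"] for e in events if not passes_syslogd_filter(e, min_severity)]


if __name__ == "__main__":
    # Compare the threshold that reproduces the problem with the one that fixes it.
    for threshold in ("notification", "information"):
        print(f"set severity {threshold}:")
        print("  forwarded:", forwarded_logdescs(SAMPLE_LOGS, threshold))
        print("  dropped:  ", dropped_logdescs(SAMPLE_LOGS, threshold))
```

Running it with the "notification" threshold drops only the "SSL VPN tunnel up" event, which is exactly the symptom in the question; with "information" all three events are forwarded. The same parser can be pointed at real lines received by the SIEM to confirm the `level` each event actually carries before the filter is changed.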

madra29
New Member
August 31, 2023

We had this same issue a few weeks ago, but they were trying to do it against our clientless VPN. Fortunately everything on our CVPN has its own web front end now, so we didn't have a need for it anymore and we just shut it down. Our client requires an email address, so you can't even attempt just a username.
I had opened a ticket with support and was told they couldn't tell me how they were attempting the logins to generate the log but that the firewall was handling them as designed by not allowing them because they weren't in the allowed list.