mtcook01
New Member
August 11, 2013
Question

syslogd settings in FortiOS-5 not saving using cli

  • August 11, 2013
  • 15 replies
  • 12701 views
Hello all, I have a Fortigate 110c Firmware version 5 build 228 and cannot get the syslogd settings to save. I have used the following CLI commands:

    config log syslogd setting
        set status enable
        set facility local7
        set csv disable
        set server 192.168.2.100 (not real IP)
        set reliable disable
    end

    config log syslogd filter
        set severity debug
        set traffic enable
        set web enable
        set virus enable
        set attack enable
    end

When I run a "show" on either command I only see this:

    config log syslogd setting
    show
    config log syslogd setting
        set status enable
        set server "192.168.2.100"
    end

    config log syslogd filter
    show
    config log syslogd filter
        set severity debug
    end

I even downloaded the config and cracked it open in wordpad. None of the other settings show there either. I had the same problem in the Version 5 build 208 firmware as well. Is this a bug or am I missing something?

    15 replies

    Dave_Hall
    New Member
    August 11, 2013
    Is this a bug or am I missing something?
    The fgt doesn't show the factory default values for settings -- if you want to see those default values, use "show full-configuration". edit: at least I am assuming that's what your issue is (i.e. setting default values to their default equates to no change at all). If that's not your issue then you could try adding those missing lines via wordpad then load that edited config into the fgt.
    mtcook01 (Author)
    New Member
    August 11, 2013
    That command show full-configuration does work. Although it does not solve my original problem. My settings are indeed saved but apparently the syslog format has changed and my CyberRoam Iview no longer understands it. I contacted their support and after an exhausting 2 hours of remote work they concluded the problem lies with my update to FortiOS 5. Which overall has been a buggy nightmare. Does anyone know or understand the changes to the syslog stream from version 4 to 5?
    mtcook01 (Author)
    New Member
    August 12, 2013
    I have tried this with KIWI syslog as well and no dice. I can't seem to get any syslog servers to work. Any help would be much appreciated.
    rwpatterson
    New Member
    August 12, 2013
    Have you run a sniffer trace from the FGT filtering on the destination IP address?
    Dave_Hall
    New Member
    August 12, 2013
    Does anyone know or understand the changes to the syslog stream from version 4 to 5?
    Actually researched this for a bit -- only real changes I can see is from both 4.3 MR3 and 5.0. handbooks...4.3 MR3 wants you to set the server address while 5.0 wants you to set the source-ip address.
    mtcook01 (Author)
    New Member
    August 13, 2013
    I will try both of those. Let me run a Wireshark sniff and see if I can see the data.
    mtcook01 (Author)
    New Member
    August 13, 2013
    David, I did see that excerpt from a previous poster when researching this as well. I have put about 20 hours into this between researching and combing through documentation. I appreciate you all taking the time to help out. I did put a wireshark sniffer on the host machine and see no traffic going to UDP 514, which probably explains the problem. I do however see other UDP traffic moving to the host fine. All firewalls are off and snmp traps are being received. Here is my config, ip has been changed for security.

    config log syslogd setting
        set status enable
        set server "192.1.10.45" (host running syslog)
        set reliable disable
        set port 514
        set csv disable
        set facility local7
        set source-ip 192.1.10.1 (this is the fortigate interface)
    end

    config log syslogd filter
        set app-ctrl enable
        set attack enable
        set dlp enable
        set email enable
        set forward-traffic enable
        set local-traffic enable
        set netscan enable
        set severity debug
        set traffic enable
        set virus enable
        set voip enable
        set web enable
        set analytics enable
        set anomaly enable
        set app-ctrl-all enable
        set blocked enable
        set discovery enable
        set dlp-all enable
        set dlp-docsource enable
        set email-log-google enable
        set email-log-imap enable
        set email-log-msn enable
        set email-log-pop3 enable
        set email-log-smtp enable
        set email-log-yahoo enable
        set ftgd-wf-block enable
        set ftgd-wf-errors enable
        set infected enable
        set multicast-traffic enable
        set oversized enable
        set scanerror enable
        set signature enable
        set suspicious enable
        set switching-protocols enable
        set url-filter enable
        set vulnerability enable
        set web-content enable
        set web-filter-activex enable
        set web-filter-applet enable
        set web-filter-command-block enable
        set web-filter-cookie enable
        set web-filter-ftgd-quota enable
        set web-filter-ftgd-quota-counting enable
        set web-filter-ftgd-quota-expired enable
        set web-filter-script-other enable
    end

Really any help would be a lifesaver.

Update: I installed wireshark on another machine with KiwiSyslog server, configured the "server ip" on the fortigate and still no UDP 514 traffic at all in the logs. Thanks again.
    rwpatterson
    New Member
    August 13, 2013
    What traffic does the FGT say is going to the host? This may give you your answer.
        diag sniffer packet <interface> 'host x.x.x.x'
    mtcook01 (Author)
    New Member
    August 13, 2013
    Well I take that back, now that I am actually on the computer (not remotely logged in) I can work with wireshark a bit more. I do see that syslog messages are being sent to the host. Neither IView or Kiwi seem to be able to decipher them. I changed the serial and IPs below, but there is the stream.

        142 8.775821000 10.1.10.1 10.1.10.45 Syslog 526 LOCAL7.NOTICE: date=2013-08-13 time=12:04:25 devname=ESC-Primary devid=FG100C3G09690876 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=1921.2.109 srcport=62133 srcintf="ESCMain" dstip=173.194.74.120 dstport=80 dstintf="wan1" sessionid=6413 status=close policyid=3 dstcountry="United States" srccountry="Reserved" trandisp=snat transip=23.31.163.177 transport=62133 service=HTTP proto=6 applist="block-p2p" duration=301 sentbyte=2713 rcvdbyte=1598 sentpkt=10 rcvdpkt=14
    rwpatterson
    New Member
    August 13, 2013
    ORIGINAL: mtcook01
    Well I take that back, now that I am actually on the computer (not remotely logged in) I can work with wireshark a bit more. I do see that syslog messages are being sent to the host. Neither IView or Kiwi seem to be able to decipher them. I changed the serial and IPs below, but there is the stream.

        142 8.775821000 10.1.10.1 10.1.10.45 Syslog 526 LOCAL7.NOTICE: date=2013-08-13 time=12:04:25 devname=ESC-Primary devid=FG100C3G09690876 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=1921.2.109 srcport=62133 srcintf="ESCMain" dstip=173.194.74.120 dstport=80 dstintf="wan1" sessionid=6413 status=close policyid=3 dstcountry="United States" srccountry="Reserved" trandisp=snat transip=23.31.163.177 transport=62133 service=HTTP proto=6 applist="block-p2p" duration=301 sentbyte=2713 rcvdbyte=1598 sentpkt=10 rcvdpkt=14
    That looks more like browser traffic to me....
    Dave_Hall
    New Member
    August 13, 2013
    That looks more like browser traffic to me....
    I think Mike is indicating that entire log event is the data stream itself to the syslog server.
    emnoc
    New Member
    August 13, 2013
    Is the output tab delimited? Maybe the syslog server can't read the fields or is confused by the output format. What does wireshark show with the appropriate filter for syslog (syslog.msg)? I would start there and build a pcap and read it back in.
    mtcook01 (Author)
    New Member
    August 14, 2013
    Hmm, not sure what you mean by build a pcap. I got the raw logs that our syslog server is receiving. This is directly from the software and not Wireshark:

        date=2013-08-14 time=13:39:56 devname=ESC-Primary devid=FG100C3G045116649 logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=192.1.2.4 srcport=5019 srcintf="ESCMain" dstip=10.1.2.1 dstport=53 dstintf="root" sessionid=1002625 status=accept policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service=DNS proto=17 app="Domain Name Server" duration=181 sentbyte=0 rcvdbyte=135 sentpkt=0 rcvdpkt=1

    The setup that needs to be used for our software is local7, no csv, debug. On a side note a 100A running FortiOS 4 mr 3 patch 9 is submitting data just fine.
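To see what a collector actually has to handle in the records pasted above, here is an added example (not from the thread, Fortinet or the collector vendors): a small Python parser for the FortiOS key=value syslog format, plus a check against the requirements stated in the thread (facility local7, non-CSV output, a severity that matches the record's own level). The sample line is the record from the post above with a <189> PRI prefix prepended; that prefix is an assumption reconstructed from Wireshark's LOCAL7.NOTICE decode, not something shown on the page.

```python
import re

# RFC 3164 facility/severity names; FortiOS "set facility local7" is facility 23.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# One key=value token: quoted values may contain spaces, bare values end at whitespace.
_KV = re.compile(r'([A-Za-z_][\w\-]*)=(?:"([^"]*)"|(\S*))')

# Constructed wire-format sample: the record mtcook01 pasted from the collector,
# with the <PRI> prefix (local7.notice = 23*8+5 = 189) that Wireshark decodes.
SAMPLE = (
    '<189>date=2013-08-14 time=13:39:56 devname=ESC-Primary devid=FG100C3G045116649 '
    'logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=192.1.2.4 '
    'srcport=5019 srcintf="ESCMain" dstip=10.1.2.1 dstport=53 dstintf="root" '
    'sessionid=1002625 status=accept policyid=0 dstcountry="Reserved" '
    'srccountry="Reserved" trandisp=noop service=DNS proto=17 app="Domain Name Server" '
    'duration=181 sentbyte=0 rcvdbyte=135 sentpkt=0 rcvdpkt=1'
)

def parse_fortigate_syslog(line: str) -> dict:
    """Parse a FortiOS key=value syslog record; decodes an optional <PRI> prefix
    into _facility/_severity and rejects lines with no key=value pairs (CSV)."""
    rec = {}
    m = re.match(r"<(\d{1,3})>", line)
    if m:
        pri = int(m.group(1))
        rec["_facility"] = FACILITIES.get(pri // 8, f"facility{pri // 8}")
        rec["_severity"] = SEVERITIES[pri % 8]
        line = line[m.end():]
    for key, quoted, bare in _KV.findall(line):
        rec[key] = quoted if quoted else bare
    if not any(not k.startswith("_") for k in rec):
        raise ValueError("no key=value fields: is 'set csv enable' in effect?")
    return rec

def check_for_collector(rec: dict) -> list:
    """Deviations from what the thread's collector needs: facility local7, the
    standard header fields, and a PRI severity matching the record's level=."""
    problems = []
    if rec.get("_facility", "local7") != "local7":
        problems.append(f"facility {rec['_facility']} (collector expects local7)")
    for field in ("date", "time", "devname", "devid", "logid", "type", "level"):
        if field not in rec:
            problems.append(f"missing header field {field}")
    if "_severity" in rec and "level" in rec and rec["_severity"] != rec["level"]:
        problems.append(f"PRI severity {rec['_severity']} != level={rec['level']}")
    return problems
```

Feeding a line captured by Wireshark (syslog.msg) or taken from the collector's raw log into parse_fortigate_syslog shows at once whether the fields are being split correctly and whether the facility on the wire is the one the collector was configured for.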