Article Id 231000
Description This article describes how to configure secure log forwarding from FortiAnalyzer to a syslog server using an SSL/TLS certificate, and the problems most commonly encountered with it.
Scope FortiAnalyzer secure log forwarding (fwd-secure).

Configuration Details:


Create a log forwarding server under System Settings -> Log Forwarding with both of the following options enabled (secure forwarding runs over the reliable TCP connection, so both are required):


set fwd-reliable enable    <----- can be enabled from the GUI or the CLI.

set fwd-secure enable      <----- can only be enabled from the CLI.




- On FortiAnalyzer, upload the CA certificate that signed the TLS certificate used by the syslog server. FortiAnalyzer uses this CA to validate the server it connects to.


- The log-forward daemon on FortiAnalyzer presents the same certificate as the OFTP daemon, which is configured in the CLI under '# config sys certificate oftp'.

By default this is Fortinet's self-signed certificate.


- In the latest 7.0.x/7.2.x releases a 'peer-cert-cn' setting was added. It is optional: when it is filled in, the CN of the syslog server's certificate must match the configured value; when it is left empty, the CN is not verified. Set it whenever the syslog server's certificate CN is known, because a CA-only check accepts any server certificate issued by that CA.
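The steps above collected into one CLI configuration, as an added example that is not taken from the article or from Fortinet documentation. The options the article cites (fwd-reliable, fwd-secure, peer-cert-cn) are real; the surrounding option names (config system certificate ca, mode, fwd-server-type, server-name, server-addr, server-port) are from the FortiAnalyzer CLI as I recall them and should be checked against the CLI reference for your release. The address, port, certificate label and CN are placeholders.

```text
# FortiAnalyzer CLI (added example; names, address, port and CN are placeholders)

# 1. Trust the CA that issued the syslog server's TLS certificate.
#    "Syslog_CA" is an arbitrary label; paste the CA's PEM into the ca field
#    (the same import is available in the GUI under System Settings -> Certificates).
config system certificate ca
    edit "Syslog_CA"
        set ca "-----BEGIN CERTIFICATE-----
        (PEM body of the CA certificate)
        -----END CERTIFICATE-----"
    next
end

# 2. The forwarding entry: reliable (TCP) plus secure (TLS), with the server CN pinned.
#    6514 is the RFC 5425 syslog-over-TLS port; use whatever the receiver listens on.
config system log-forward
    edit 1
        set mode forwarding
        set fwd-server-type syslog
        set server-name "siem-syslog"
        set server-addr "203.0.113.10"
        set server-port 6514
        set fwd-reliable enable
        set fwd-secure enable
        set peer-cert-cn "syslog.example.com"
    next
end
```

The certificate FortiAnalyzer itself presents during the TLS handshake is not set here: it is the OFTP certificate the article refers to under 'config sys certificate oftp'. Leaving peer-cert-cn empty disables the CN check, which is the weaker configuration the article describes.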


Common Problems:

- Server certificate used by OFTP (and therefore presented by FortiAnalyzer when forwarding) is not trusted by the remote syslog server:


1) If the remote server can be configured to trust Fortinet's self-signed CA certificates, upload 'Fortinet_CA' and 'Fortinet_SUBCA' to it.

2) If not, obtain a new certificate for FortiAnalyzer signed by a publicly trusted CA (for example DigiCert) and install it as the OFTP certificate. Because the OFTP certificate is also used for the FortiGate-to-FortiAnalyzer log connection, this option also requires uploading the signing CA's certificate to every FortiGate that sends logs to this FortiAnalyzer.
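The two certificate checks described above (the CA trust from the configuration section and the optional peer-cert-cn match), reproduced with openssl on a throwaway PKI so the failure modes can be seen locally. This is an added example, not Fortinet's code or a description of its implementation; the hostnames, CA names and file names are made up, and the trust decision is modelled as "chain verifies against the uploaded CA, and the CN equals peer-cert-cn unless peer-cert-cn is empty".

```shell
#!/bin/sh
# Added example (not from the article or Fortinet): reproduce, with openssl, the two
# checks a fwd-secure forwarder makes on the syslog server's certificate:
#   1. it chains to the CA certificate that was uploaded on FortiAnalyzer,
#   2. its CN equals the configured peer-cert-cn (skipped when peer-cert-cn is empty).
# Everything below is a throwaway PKI generated locally; hostnames are placeholders.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# $1 = output prefix, $2 = CN: a self-signed CA (the kind you would upload to FortiAnalyzer).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# $1 = output prefix, $2 = server CN, $3 = CA prefix: a server certificate signed by that CA.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
        -days 30 -out "$1.crt" >/dev/null 2>&1
}

# Check 1: $1 = trusted CA file (what was uploaded), $2 = server certificate file.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Subject CN of certificate $1 (handles "subject=CN=x" and older "subject= CN=x" output).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^.*CN=//; s/,.*$//'
}

# Check 2: $1 = configured peer-cert-cn (empty means "do not verify"), $2 = certificate file.
peer_cn_ok() {
    [ -z "$1" ] && return 0
    [ "$(cert_cn "$2")" = "$1" ]
}

# The accept/reject decision: $1 = uploaded CA, $2 = peer-cert-cn, $3 = server certificate.
forwarder_accepts() {
    chain_ok "$1" "$3" && peer_cn_ok "$2" "$3"
}

# Constructed PKI: the CA you uploaded, a CA you did not, and a server certificate from each.
make_ca "$WORK/trusted-ca" "Example Syslog CA"
make_ca "$WORK/rogue-ca" "Some Other CA"
make_server_cert "$WORK/syslog" "syslog.example.com" "$WORK/trusted-ca"
make_server_cert "$WORK/rogue"  "syslog.example.com" "$WORK/rogue-ca"

# $1 = label, remaining arguments = forwarder_accepts arguments: one line per scenario.
report() {
    label=$1; shift
    if forwarder_accepts "$@"; then echo "ACCEPT  $label"; else echo "REJECT  $label"; fi
}
report "trusted CA, CN matches peer-cert-cn"      "$WORK/trusted-ca.crt" "syslog.example.com" "$WORK/syslog.crt"
report "trusted CA, peer-cert-cn left empty"      "$WORK/trusted-ca.crt" ""                   "$WORK/syslog.crt"
report "untrusted CA, CN matches"                 "$WORK/trusted-ca.crt" "syslog.example.com" "$WORK/rogue.crt"
report "trusted CA, CN differs from peer-cert-cn" "$WORK/trusted-ca.crt" "siem.example.com"   "$WORK/syslog.crt"
```

The third scenario is the one the article's CA-upload step prevents, and the fourth is what peer-cert-cn adds: the second scenario shows that with peer-cert-cn empty any certificate from the trusted CA is accepted, whatever name it carries. The same `openssl verify -CAfile` and `openssl x509 -noout -subject` commands can be run against a certificate fetched from the real syslog server to confirm what FortiAnalyzer will see.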


- Log format not supported by the syslog server:

FortiAnalyzer forwards logs in RFC 5424 format, yet the syslog server may log errors such as 'Invalid frame header; header=''.

This usually means the syslog server does not support the format in which FortiAnalyzer is forwarding logs. That particular message is what a receiver expecting octet-counted frames (RFC 5425/6587, '<length> <message>') reports when each message instead begins with the '<PRI>' of the syslog header, so the mismatch is in the TCP framing the listener is configured for, not in the RFC 5424 message itself. Check which framing the syslog server's TCP/TLS listener expects and set it to match what FortiAnalyzer sends.
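A small model of the two RFC 6587 framings, showing where the 'Invalid frame header' diagnostic comes from, as an added example that is not part of the article and not syslog-ng's or Fortinet's code. The RFC 5424 line is constructed, the receivers are simplified to the framing check only, and the diagnostic text is borrowed from the article's quoted error.

```shell
#!/bin/sh
# Added example (not from the article or Fortinet): a minimal model of TCP syslog framing,
# to show what a receiver's "Invalid frame header; header=''" diagnostic means. The two
# framings of RFC 6587 are modelled: octet-counting ("<len> <msg>", also used by RFC 5425
# syslog over TLS) and non-transparent (message terminated by a newline).
LC_ALL=C; export LC_ALL          # make ${#var} count bytes, not characters
nl=$(printf '\n.'); nl=${nl%.}   # a literal newline for pattern matching

# Constructed RFC 5424 message: PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID, SD, MSG.
MSG='<134>1 2024-01-15T10:00:00Z faz-01 log - - - date=2024-01-15 type=traffic action=accept'

# Sender: octet-counting framing, the message length in bytes, a space, then the message.
frame_octet_counted() { printf '%s %s' "${#1}" "$1"; }

# Sender: non-transparent framing, the message followed by a newline.
frame_newline() { printf '%s\n' "$1"; }

# Receiver configured for octet-counting. Echoes the message on success. On a bad header it
# logs the digits it managed to read before the first non-digit, which is the empty string
# when the frame starts with '<PRI>', i.e. when the sender did not use octet-counting.
receive_octet_counted() {
    frame=$1
    header=${frame%%[!0-9]*}         # leading run of digits (may be empty)
    rest=${frame#"$header"}          # everything after them
    if [ -z "$header" ] || [ "${rest#" "}" = "$rest" ]; then
        printf "Invalid frame header; header='%s'\n" "$header" >&2
        return 1
    fi
    body=${rest#" "}
    if [ "${#body}" -ne "$header" ]; then
        printf 'Frame length mismatch: header=%s, got %s bytes\n' "$header" "${#body}" >&2
        return 1
    fi
    printf '%s\n' "$body"
}

# Receiver configured for non-transparent framing: strips the newline and requires the line
# to start with an RFC 5424 <PRI>. An octet-counted frame fails here because of its "<len> " prefix.
receive_newline_delimited() {
    line=${1%"$nl"}
    case "$line" in
        '<'[0-9]*'>'*) printf '%s\n' "$line" ;;
        *) printf "Not a syslog message (no leading <PRI>): '%s'\n" "$line" >&2; return 1 ;;
    esac
}

# Walk through the four sender/receiver combinations. $1 = label, $2 = receiver, $3 = frame.
try() {
    if out=$("$2" "$3" 2>&1); then echo "OK      $1: $out"; else echo "ERROR   $1: $out"; fi
}
try "octet-counted frame -> octet-counting receiver" receive_octet_counted     "$(frame_octet_counted "$MSG")"
try "newline frame       -> octet-counting receiver" receive_octet_counted     "$(frame_newline "$MSG")"
try "newline frame       -> newline receiver"        receive_newline_delimited "$(frame_newline "$MSG")"
try "octet-counted frame -> newline receiver"        receive_newline_delimited "$(frame_octet_counted "$MSG")"
```

The second combination reproduces the article's error text exactly: the receiver reads no digits before the first non-digit ('<'), so it reports header=''. The fourth shows the reverse mismatch, where the length prefix ends up inside the message. Either way the RFC 5424 payload is fine; it is the listener's framing setting that has to match the sender's.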


Related articles:

Technical Tip: Integrate FortiAnalyzer and FortiSIEM

Technical Tip: Forwarding Logs from FortiAnalyzer to Syslog server

Technical Note: Forwarding logs between FortiAnalyzers