Description | This article describes how to configure secure log forwarding to a syslog server using an SSL certificate, and the common problems encountered. |
Scope | Secure log forwarding. |
Solution |
Configuration Details.
Create a Log Forwarding server under System Settings -> Log Forwarding with the following options enabled:
set fwd-reliable   <----- This can be enabled in the GUI or CLI.
set fwd-secure     <----- This can only be enabled in the CLI.
- On FortiAnalyzer, upload the signing CA certificate for the SSL certificate used by the syslog server.
- The log forward daemon on FortiAnalyzer uses the same certificate as the oftp daemon, which can be configured under '# config sys certificate oftp' in the CLI. By default, it uses Fortinet's self-signed certificate.
- In the latest 7.0.x/7.2.x releases, a new 'peer-cert-cn' verification has been added. It is optional: when a CN is filled in, the peer certificate is verified against that CN; if it is left empty, this verification is skipped.
Common Problems:
- Server certificate used in OFTP not trusted by the remote server.
1) If the remote server can trust Fortinet's self-signed CA certificates, upload 'Fortinet_CA' and 'Fortinet_SUBCA' to it.
2) If not, obtain a new certificate for FortiAnalyzer signed by a publicly trusted CA (like Digicert), and use it as the OFTP certificate. (With this option, the CA certificate must also be uploaded on all FortiGates sending logs.)
- Log format not supported by the syslog server: FortiAnalyzer follows the RFC 5424 protocol, but the syslog server may show errors like "Invalid frame header; header=''". This usually means the syslog server does not support the format in which FortiAnalyzer is forwarding logs.
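A frame-header error is easier to triage when you can see which framing and header the forwarded bytes actually use. The following is an added example, not Fortinet code: a Python helper that classifies bytes read from the syslog listener as octet-counted (the framing RFC 5425 specifies for syslog over TLS) or newline-delimited, and each message as RFC 5424 or legacy. It goes beyond the article by covering framing as well as the message header; the function names are hypothetical and the sample bytes are constructed.

```python
import re

OCTET_COUNT = re.compile(rb"([1-9]\d*) ")      # RFC 5425 / RFC 6587 frame header: MSG-LEN SP
RFC5424_START = re.compile(rb"<(\d{1,3})>1 ")  # <PRI>VERSION SP, VERSION is always 1
PRI_ONLY = re.compile(rb"<(\d{1,3})>")         # legacy BSD syslog has no version field


def split_frames(data: bytes):
    """Return (framing, messages) for bytes read from a syslog TCP/TLS socket."""
    if OCTET_COUNT.match(data):
        messages, pos = [], 0
        while pos < len(data):
            m = OCTET_COUNT.match(data, pos)
            if not m:
                return "octet-counting, bad frame header at offset %d" % pos, messages
            end = m.end() + int(m.group(1))
            if end > len(data):
                return "octet-counting, truncated frame at offset %d" % pos, messages
            messages.append(data[m.end():end])
            pos = end
        return "octet-counting", messages
    if data.startswith(b"<"):
        # No length prefix: messages are separated by a trailer, normally LF.
        return "non-transparent", [line for line in data.split(b"\n") if line]
    # Anything else (for example a raw TLS record on a plain-text port) is not syslog.
    return "unknown", []


def message_format(msg: bytes) -> str:
    """Classify one syslog message by its header."""
    m = RFC5424_START.match(msg) or PRI_ONLY.match(msg)
    if not m or int(m.group(1)) > 191:  # PRI = facility*8 + severity, max 23*8+7
        return "not syslog"
    return "RFC 5424" if RFC5424_START.match(msg) else "legacy (no version field)"


def diagnose(data: bytes) -> dict:
    """Summarise framing and per-message format for a captured byte string."""
    framing, messages = split_frames(data)
    return {"framing": framing, "formats": [message_format(m) for m in messages]}


# Constructed samples, not captured from a real FortiAnalyzer.
MSG = b'<189>1 2024-01-01T00:00:00Z faz01 - - - - logid="0000000013" type="traffic"'
FRAMED = (b"%d %s" % (len(MSG), MSG)) * 2
UNFRAMED = MSG + b"\n" + b"<189>Jan  1 00:00:00 faz01 legacy text\n"
```

If the receiver's configured source expects one framing and `diagnose` reports the other, adjust the receiver's source definition rather than the certificate settings.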
Related articles:
- Technical Tip: Integrate FortiAnalyzer and FortiSIEM
- Technical Tip: Forwarding Logs from FortiAnalyzer to Syslog server |
Copyright 2024 Fortinet, Inc. All Rights Reserved.