lingky88
Staff
Article Id 277214
Description This article describes how FortiAnalyzer allows the forwarding of logs to an external syslog server, Common Event Format (CEF) server, or another FortiAnalyzer via Log Forwarding. This article illustrates the configuration and some troubleshooting steps for Log Forwarding on FortiAnalyzer.
Scope FortiAnalyzer.
Solution
  1. On the FortiAnalyzer GUI, configure Log Forwarding Settings under System Settings -> Log Forwarding -> Create New.

     (Screenshot: Log Forwarding GUI)

     Alternatively, the configuration can be done through the FortiAnalyzer CLI as follows:

    config system log-forward
        edit 1
            set mode forwarding
            set fwd-max-delay realtime
            set server-name "ABC"
            set server-addr "10.35.81.33"
            set fwd-server-type syslog
            config device-filter
                edit 1
                    set adom "root"
                    set device "FGVM02TM19005470"
                next
            end
            set log-filter-status enable
            config log-filter
                edit 1
                    set value "event"
                next
                edit 2
                    set field level
                    set oper >=
                    set value "information"
                next
            end
            set signature 175067477637460517
        next
    end

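To check what the configuration above should let through to the syslog server, here is an added Python example (not from the article or from Fortinet) that applies the same device filter and log filter to a few constructed FortiGate key=value records. It assumes that a log-filter entry without `set field` applies to the `type` field, that the entries combine with AND (the default log-filter-logic), and that `level >= information` follows the usual severity ordering with debug as the lowest level.

```python
import re

# Assumption: FortiAnalyzer evaluates "level >= information" along this severity
# ordering, with debug as the lowest level.
LEVEL_ORDER = ["debug", "information", "notice", "warning", "error",
               "critical", "alert", "emergency"]

# Device filter and log filter exactly as configured in the article's CLI block.
# Assumption: a log-filter entry without "set field" applies to the "type" field,
# and the entries combine with AND (the default log-filter-logic).
DEVICE_FILTER = {"FGVM02TM19005470"}
LOG_FILTERS = [
    {"field": "type", "oper": "==", "value": "event"},
    {"field": "level", "oper": ">=", "value": "information"},
]

_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_record(line: str) -> dict:
    """Parse a FortiGate-style key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def _compare(actual, oper: str, expected, field: str) -> bool:
    # Severity levels compare by rank; every other field compares as a string.
    if field == "level":
        actual, expected = LEVEL_ORDER.index(actual), LEVEL_ORDER.index(expected)
    return {"==": actual == expected, "!=": actual != expected,
            ">=": actual >= expected, "<=": actual <= expected,
            ">": actual > expected, "<": actual < expected}[oper]

def should_forward(record: dict) -> bool:
    """True when the record passes both the device filter and every log filter."""
    if record.get("devid") not in DEVICE_FILTER:
        return False
    return all(f["field"] in record and
               _compare(record[f["field"]], f["oper"], f["value"], f["field"])
               for f in LOG_FILTERS)

# Constructed sample records (not captured from a real device).
SAMPLE_RECORDS = [
    'devid="FGVM02TM19005470" type="event" subtype="system" level="notice" logdesc="Admin login successful"',
    'devid="FGVM02TM19005470" type="event" subtype="system" level="debug" logdesc="Daemon heartbeat"',
    'devid="FGVM02TM19005470" type="traffic" subtype="forward" level="notice" logdesc="Forward traffic"',
    'devid="FGT-OTHER-DEVICE" type="event" subtype="vpn" level="error" logdesc="Other device event"',
    'devid="FGVM02TM19005470" type="event" subtype="vpn" level="error" logdesc="IPsec phase 1 error"',
]

def forwarded_descriptions(lines=SAMPLE_RECORDS) -> list:
    """Return the logdesc of each record the configured filters would forward."""
    return [r["logdesc"] for r in map(parse_record, lines) if should_forward(r)]
```

Records that are dropped here but appear on the syslog server (or vice versa) point to a filter mismatch worth checking with `diagnose test application logfwd 3`.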

  2. Run the following commands to check the log forwarding status via the CLI:

    diagnose test application logfwd 2 -> shows the thread pool status.
    diagnose test application logfwd 3 -> shows the log forwarding configurations.
    diagnose test application logfwd 4 -> shows the log forwarding status.
    diagnose test application logfwd 7 -> shows the runtime logs.


  3. Finally, it is also possible to check the Receive Rate vs Forwarding Rate graph under System Settings -> Dashboard. The graph displays the log forwarding rate (logs/second) to the server.

     (Screenshot: Receive Rate vs Forwarding Rate)


Note: Log forwarding bandwidth can also be reduced by enabling compression (only available when forwarding to another FortiAnalyzer), where x is the log-forward entry ID:

config system log-forward
    edit x
        set fwd-compression enable
    next
end

 

Troubleshooting:

Enable debug on the logfwd process and restart logfwd:

diagnose debug application logfwd 8
diagnose debug enable
diagnose test application logfwd 99

Let it run for a few minutes, then disable debug:

diagnose debug disable


Note: By default, not selecting any device in Log Forwarding Filters -> Device Filters means the logs of all devices in the ADOM are forwarded.

Note: FortiAnalyzer cannot create reports for its own system events. The reported device has to be a device other than the FortiAnalyzer itself.


Related articles:

Log forwarding to SIEM: Technical Tip: Integrate FortiAnalyzer and FortiSIEM

Log forwarding to FortiAnalyzer: Technical Tip: Log forwarding from Collector mode FortiAnalyzer to Analyzer mode FortiAnalyzer