Description
This article describes how to configure log forwarding from a Collector-mode FortiAnalyzer to an Analyzer-mode FortiAnalyzer. Log forwarding is a FortiAnalyzer feature that forwards logs received from logging devices to an external server. The supported server types are Syslog, FortiAnalyzer, Common Event Format (CEF) and Syslog Pack.
Scope
FortiAnalyzer.
Solution
Log forwarding can be configured from the GUI or the CLI.
From the GUI, follow the steps described in this document: https://docs2.fortinet.com/document/fortianalyzer/6.0.5/administration-guide/576889/configuring-log-....
From the CLI, use the commands below:
# config system log-forward
    edit 1
        set mode forwarding
        set fwd-max-delay <realtime / Every 1 Minute / Every 5 Minute>
        set server-name <name>
        set server-addr <FortiAnalyzer FQDN / IP>
        set fwd-reliable <enable / disable>
        set signature 5589806427576299787
    next
end
After log forwarding is configured on FortiAnalyzer A (the Collector that forwards the logs), the logging device appears in Device Manager on FortiAnalyzer B (the Analyzer that receives them) as an Unauthorized device. On FortiAnalyzer B, the user needs to authorize the device in order to receive logs from it.
After the device is authorized, the FortiGate logs forwarded from FortiAnalyzer A can be seen in Log View.
Note:
The reliable logging option depends on the log forwarding configuration in FortiAnalyzer. For example, suppose logging reliability is disabled on the FortiGate.
On FortiAnalyzer A, which is directly connected to the FortiGate, the logging status shows an established connection without the padlock icon, indicating that reliable logging is disabled.
On the other hand, FortiAnalyzer B, which receives the logs through log forwarding from FortiAnalyzer A with reliability enabled, shows a padlock in the logging status, indicating that reliable logging is enabled.
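One way to audit a saved copy of the `config system log-forward` section for forwarding entries where `fwd-reliable` is not enabled, as an added example that is not Fortinet code. The sample configuration, server names and addresses are constructed, and an entry with no `fwd-reliable` line is treated as not enabled, which is an assumption.

```python
import shlex
# Constructed sample of a log-forward section (server names and addresses are made up).
SAMPLE = """\
# config system log-forward
    edit 1
        set mode forwarding
        set server-name "FAZ-B"
        set server-addr 192.0.2.10
        set fwd-reliable enable
    next
    edit 2
        set mode forwarding
        set server-name "FAZ-C"
        set server-addr faz-c.example.net
        set fwd-reliable disable
    next
end
"""

def parse_log_forward(text):
    """Return {entry_id: {option: value}} from a 'config system log-forward' section."""
    entries, current, in_section, depth = {}, None, False, 0
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip().lstrip("# "))  # drop a leading CLI prompt marker
        if not tokens:
            continue
        if not in_section:
            in_section = tokens[:3] == ["config", "system", "log-forward"]
        elif tokens[0] == "config":   # nested sub-table inside an entry
            depth += 1
        elif tokens[0] == "end":      # closes a sub-table, or the section itself
            in_section, depth = depth > 0, max(depth - 1, 0)
        elif depth:                   # ignore edit/set/next inside sub-tables
            continue
        elif tokens[0] == "edit" and len(tokens) > 1:
            current = entries.setdefault(tokens[1], {})
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "set" and current is not None and len(tokens) > 2:
            current[tokens[1]] = " ".join(tokens[2:])
    return entries

def unreliable_forwarders(entries):
    """List (id, server-name, server-addr) of forwarding entries without fwd-reliable enable."""
    return [(eid, o.get("server-name", "?"), o.get("server-addr", "?"))
            for eid, o in entries.items()
            if o.get("mode") == "forwarding" and o.get("fwd-reliable") != "enable"]

if __name__ == "__main__":
    print(unreliable_forwarders(parse_log_forward(SAMPLE)))
```

Entries it reports are the ones to compare against the padlock status shown on the receiving FortiAnalyzer.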
Related documents:
- Technical Tip: Forwarding Logs from FortiAnalyzer to Syslog server
- Technical Tip: Integrate FortiAnalyzer and FortiSIEM
Copyright 2024 Fortinet, Inc. All Rights Reserved.