Generate CA and local/server certificate using OpenSSL:

• CA key:

Linux # openssl genrsa -out rootCA.key 4096

• CA Certificate:

Linux # openssl req -x509 -new -nodes -key rootCA.key -sha512 -days 3650 -out rootCA.pem

• Server key:

Linux # openssl genrsa -out syslog.key 2048

• Server certificate:

Linux # openssl req -new -key syslog.key -out syslog.csr

Linux # openssl x509 -req -in syslog.csr -CA rootCA.pem -CAkey rootCA.key -out syslog.crt -days 365 -CAcreateserial

• View server certificate:

Linux # openssl x509 -test -noout -in syslog.crt

Update the rsyslog config file:

Linux # vi /etc/rsyslog.con 

# set certificate files
global(
DefaultNetstreamDriverCAFile="/etc/pki/tls/syslog_cert/rootCA.pem"
DefaultNetstreamDriverCertFile="/etc/pki/tls/syslog_cert/syslog.crt"
DefaultNetstreamDriverKeyFile="/etc/pki/tls/syslog_cert/syslog.key"
)

# load TCP listener
module(
load="imtcp"
StreamDriver.Name="ossl"
StreamDriver.Mode="1"
StreamDriver.Authmode="x509/certvalid"
)

# start up listener at port 6514
input(
type="imtcp"
port="6514"
)

Import the CA & local/server certificate to FortiAnalyzer:

Configure FortiAnalyzer log forwarding settings:

FAZ # config system log-forward

    edit 1

        set mode forwarding

        set fwd-max-delay realtime

        set server-name "rsyslog-server"

        set server-addr "thi-centos.fortilab.com"

        set server-port 6514

        set fwd-server-type syslog

        set fwd-server-type syslog

        set fwd-reliable enable
        set fwd-secure enable

        set peer-cert-cn "thi-centos.fortilab.com"

    next
end

• If 'peer-cert-cn' is unset/(null), FortiAnalyzer will not check for peer-cert-cn during negotiation: 'peer-cert-cn' is optional, not mandatory.

• If 'peer-cert-cn' is set: Make sure it is set to the correct server certificate CN value.

Before configuring 'certificate oftp', perform the following in FortiGate to ensure FortiAnalyzer receives the FortiGate log successfully:

1. Import the CA certificate that signs the local/server certificate to all the connected FortiGate.
2. Disable 'certificate-verification' in the FortiAnalyzer setting.

Configure 'certificate oftp' in FortiAnalyzer:

FAZ # config system certificate oftp

    set mode local

    set local syslog

end

• If 'certificate oftp' is not set to the correct server certificate, rsyslog will prompt 'Certificate error':

Linux # sudo journalctl -f -u rsyslog

• If 'certificate oftp' is set but FortiGate does not have a CA certificate or 'certificate-verification' is enabled, 'exe log fortianalyzer test-connectivity' in FortiGate will show 'log not received'.

Restart oftpd and logfwd daemon in FortiAnalyzer:

FAZ # diag test application oftpd 99

FAZ # diag test application logfwd 99

Verify the connections:

• FortiAnalyzer connection to FortiGate:

FAZ # diag test application oftpd 3

FGT # exec log fortianalyzer test-connectivity

• FortiAnalyzer logs forwarding to rsyslog server:

FAZ # diag test application logfwd 4

Related articles:

Troubleshooting Tip: FortiGate to FortiAnalyzer connectivity

Technical Tip: How to configure and troubleshoot Log Forwarding on FortiAnalyzer