Description
This article explains how to enable FortiAuthenticator to send debug logs to remote logging servers.
Scope
Any supported version of FortiAuthenticator.
Solution
In 6.3.0 firmware and above, FortiAuthenticator supports sending debug logs to remote logging servers. Previously, it was only possible to send the general logs.
Enable the 'Send debug logs to remote Syslog servers' toggle under Logging -> Log Config -> Log Settings.
Syslog servers must first be added under Logging -> Log Config -> Syslog Server -> Create New.
Keep in mind that OFTP mode for FortiAnalyzer is not yet supported. Unless certificate exchange is selected, the syslog messages are sent to the log server unencrypted. To check that the logs are being sent as expected, run a packet capture on FortiAuthenticator via SSH or the CLI:
exec tcpdump -nnvvi any port 514
Example output:
08:57:30.379772 port1 Out IP (tos 0x0, ttl 64, id 5685, offset 0, flags [DF], proto UDP (17), length 389)
192.168.38.3.54376 > 192.168.38.2.514: SYSLOG, length: 361
Facility local6 (22), Severity info (6)
Msg: 2024-08-23T08:57:30.379627+02:00 FortiAuthenticator db[20138]: devid=FAC-VMTM19001421 vd=root faclogindex=180650 logid=20101 logdesc=AUTH_FAIL_NOUSER type=event subtype=Authentication level=information user="sdfsdf" nas="" userip="" action="Login" status="Failed" msg="Remote LDAP user authentication from 10.191.31.254 with no token failed: invalid user"
08:57:31.387351 port1 Out IP (tos 0x0, ttl 64, id 5890, offset 0, flags [DF], proto UDP (17), length 349)
192.168.38.3.54376 > 192.168.38.2.514: SYSLOG, length: 321
Facility local6 (22), Severity info (6)
Msg: 2024-08-23T08:57:31.387188+02:00 FortiAuthenticator db[17540]: devid=FAC-VMTM19001421 vd=root faclogindex=180651 logid=20994 logdesc=AUTH_ADMIN_LOGIN_GUI type=event subtype=Authentication level=information user="sdfsdf" nas="10.191.31.254" userip="" action="Login" status="Failed" msg="Web access denied to 'sdfsdf'"
08:57:36.068094 port1 Out IP (tos 0x0, ttl 64, id 6443, offset 0, flags [DF], proto UDP (17), length 389)
192.168.38.3.54376 > 192.168.38.2.514: SYSLOG, length: 361
Facility local6 (22), Severity info (6)
Msg: 2024-08-23T08:57:36.067947+02:00 FortiAuthenticator db[20138]: devid=FAC-VMTM19001421 vd=root faclogindex=180652 logid=20101 logdesc=AUTH_FAIL_NOUSER type=event subtype=Authentication level=information user="sdfsdf" nas="" userip="" action="Login" status="Failed" msg="Remote LDAP user authentication from 10.191.31.254 with no token failed: invalid user"
08:57:36.069075 port1 Out IP (tos 0x0, ttl 64, id 6444, offset 0, flags [DF], proto UDP (17), length 491)
192.168.38.3.54376 > 192.168.38.2.514: SYSLOG, length: 463
Facility local6 (22), Severity info (6)
Msg: 2024-08-23T08:57:36.068950+02:00 FortiAuthenticator db[20138]: devid=FAC-VMTM19001421 vd=root faclogindex=180653 logid=20366 logdesc=AUTH_FAIL_LOCK_IP type=event subtype=Authentication level=information user="sdfsdf" nas="" userip="" action="Login" status="Failed" msg="Remote LDAP user authentication from 10.191.31.254 with no token failed: lock IP as reached maximum attempts.Too many failed login attempts from 10.191.31.254, IP locked for 60 seconds."
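As an added example (not part of this article or of the FortiAuthenticator product), the following Python parses the key=value body of the syslog messages captured above and counts failed authentications per source IP, flagging the AUTH_FAIL_LOCK_IP lock-out event. The sample lines are constructed from the capture output, and the header and key=value regexes are assumptions about the message layout.

```python
import re
from collections import Counter

# Constructed sample input: the Msg: bodies from the tcpdump capture above.
SAMPLE_LOGS = [
    '2024-08-23T08:57:30.379627+02:00 FortiAuthenticator db[20138]: devid=FAC-VMTM19001421 vd=root faclogindex=180650 logid=20101 logdesc=AUTH_FAIL_NOUSER type=event subtype=Authentication level=information user="sdfsdf" nas="" userip="" action="Login" status="Failed" msg="Remote LDAP user authentication from 10.191.31.254 with no token failed: invalid user"',
    '2024-08-23T08:57:31.387188+02:00 FortiAuthenticator db[17540]: devid=FAC-VMTM19001421 vd=root faclogindex=180651 logid=20994 logdesc=AUTH_ADMIN_LOGIN_GUI type=event subtype=Authentication level=information user="sdfsdf" nas="10.191.31.254" userip="" action="Login" status="Failed" msg="Web access denied to \'sdfsdf\'"',
    '2024-08-23T08:57:36.067947+02:00 FortiAuthenticator db[20138]: devid=FAC-VMTM19001421 vd=root faclogindex=180652 logid=20101 logdesc=AUTH_FAIL_NOUSER type=event subtype=Authentication level=information user="sdfsdf" nas="" userip="" action="Login" status="Failed" msg="Remote LDAP user authentication from 10.191.31.254 with no token failed: invalid user"',
    '2024-08-23T08:57:36.068950+02:00 FortiAuthenticator db[20138]: devid=FAC-VMTM19001421 vd=root faclogindex=180653 logid=20366 logdesc=AUTH_FAIL_LOCK_IP type=event subtype=Authentication level=information user="sdfsdf" nas="" userip="" action="Login" status="Failed" msg="Remote LDAP user authentication from 10.191.31.254 with no token failed: lock IP as reached maximum attempts.Too many failed login attempts from 10.191.31.254, IP locked for 60 seconds."',
]

# Assumed layout: "<timestamp> <host> <process>[<pid>]: key=value key="quoted value" ..."
HEADER_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<body>.*)$')
# A value is either a double-quoted string (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
# The originating client IP is only present inside the free-text msg field.
SRC_RE = re.compile(r'from (\d{1,3}(?:\.\d{1,3}){3})')

def parse_fac_syslog(line):
    """Return a dict of fields for one FortiAuthenticator syslog line, or None if it does not match."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {"timestamp": m["ts"], "host": m["host"], "process": m["proc"], "pid": int(m["pid"])}
    for key, raw in KV_RE.findall(m["body"]):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw  # strip surrounding quotes
    return fields

def failed_logins_by_source(lines):
    """Count failed authentication events per source IP and collect IPs the appliance locked out."""
    failures = Counter()
    locked = set()
    for line in lines:
        ev = parse_fac_syslog(line)
        if not ev or ev.get("subtype") != "Authentication" or ev.get("status") != "Failed":
            continue
        # Prefer the IP embedded in msg; fall back to the nas field (used for GUI logins).
        m = SRC_RE.search(ev.get("msg", ""))
        src = m.group(1) if m else ev.get("nas")
        if not src:
            continue
        failures[src] += 1
        if ev.get("logdesc") == "AUTH_FAIL_LOCK_IP":
            locked.add(src)
    return failures, locked

if __name__ == "__main__":
    counts, locked_ips = failed_logins_by_source(SAMPLE_LOGS)
    print(dict(counts), sorted(locked_ips))
```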
Note: FortiAnalyzer can be used to receive FortiAuthenticator debug logs, but only when FortiAnalyzer has a separate ADOM configured to operate in syslog mode (NOT in regular mode). Instructions on how to set up the FortiAnalyzer as a syslog server can be found in the following article: Technical Tip: Setup FortiAnalyzer to be a Syslog server.