This article shows how to forward logs to FortiAnalyzer on a multi-VDOM FortiGate.
Some troubleshooting commands are also given to check the connectivity status.
Scope: FortiGate 6.4 and later.
By default a FortiGate sends logs to FortiAnalyzer from the root (management) VDOM.
In some deployments, other VDOMs need to send their logs to FortiAnalyzer directly, using their own FortiAnalyzer settings instead of the global ones.
In this example the following VDOMs are used:
Root (management VDOM)
VDOM-1
The FortiAnalyzer has the IP address 172.16.1.100.
The goal is to send logs from VDOM-1 to this FortiAnalyzer.
Prerequisite: the FortiAnalyzer at 172.16.1.100 must be reachable from the management (root) VDOM.
1) Go to Global -> Log & Report -> Log Settings.
2) Enable Send logs to FortiAnalyzer/FortiManager.
3) Enter the FortiAnalyzer IP address. In this example it is 172.16.1.100.
4) Select the upload option (Real Time in this example).
CLI command reference (both tables below are VDOM-scope settings, so enter them inside VDOM-1, i.e. after config vdom / edit VDOM-1, not in the global context):
# config log setting
set faz-override enable
end
# config log fortianalyzer override-setting
set status enable
set server 172.16.1.100
set upload-option realtime
end
Note: this configuration example uses the real-time upload option.
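The same configuration written out in its VDOM context, as an added example rather than the article's own CLI excerpt (the VDOM name VDOM-1 and the FortiAnalyzer address 172.16.1.100 are taken from the example above; comment lines starting with # are explanatory and are ignored by the CLI):

```text
config vdom
    edit VDOM-1
        # Allow this VDOM to use its own FortiAnalyzer settings
        # instead of the global ones configured under Global.
        config log setting
            set faz-override enable
        end
        # Per-VDOM FortiAnalyzer settings that take effect once
        # faz-override is enabled for this VDOM.
        config log fortianalyzer override-setting
            set status enable
            set server 172.16.1.100
            set upload-option realtime
        end
    next
end
```

After applying it, run show log fortianalyzer override-setting inside VDOM-1 to confirm the override is stored, and execute log fortianalyzer test-connectivity from the same VDOM for a quick reachability check before using the diagnose commands in the next section.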
Checking FortiAnalyzer connectivity.
To check FortiAnalyzer connectivity with the diagnose command (in both outputs, state=connected indicates that the FortiGate has an established session to the FortiAnalyzer):
- Check the global FortiAnalyzer status:
# diagnose test application miglogd 1
faz: global, enabled
server=172.16.1.100, realtime=3, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_172.16.200.55, reliable=1
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
SNs: last sn update:1369 seconds ago.
Sn list:
queue: qlen=0.
filter: severity=6, sz_exclude_list=0
voip dns ssh ssl
subcategory:
traffic: forward local multicast sniffer
anomaly: anomaly
- Check the VDOM-1 override FortiAnalyzer status (the output should show "faz: vdom, enabled, override", state=connected, and the FortiAnalyzer serial number in the Sn list):
# diagnose test application miglogd 3101
faz: vdom, enabled, override
server=172.16.1.100, realtime=1, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_172.16.1.100, reliable=1
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
SNs: last sn update:1369 seconds ago.
Sn list:
(FAZ-VM0000000001,age=17s)
queue: qlen=0.
filter: severity=6, sz_exclude_list=0
voip dns ssh ssl
subcategory:
traffic: forward local multicast sniffer
anomaly: anomaly
server: vdom, id=0, fd=72, ready=1, ipv6=0, 172.16.1.100/514
oftp-state=5
Copyright 2024 Fortinet, Inc. All Rights Reserved.