Created on 04-02-2019 06:24 AM Edited on 08-26-2024 01:22 PM By Jean-Philippe_P
Description
This article describes the Syslog server configuration information on FortiGate.
Scope
FortiGate.
Solution
CLI command to configure SYSLOG:
config log {syslogd | syslogd2 | syslogd3 | syslogd4} setting
set status {enable | disable}
set csv {enable | disable}
set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
set port <port_integer>
set reliable {enable | disable}
set server <address_ipv4 | FQDN>
set source-ip <address_ipv4>
end
Configuring the source interface in the Syslogd configuration is now possible starting with FortiOS v7.6.0 and higher.
config log syslogd setting
set status enable
set source-ip-interface <interface_name>
end
Refer to the below documentation for more information:
Set the source interface for syslog and NetFlow settings | FortiGate / FortiOS 7.6.0 | Fortinet Docu...
CLI command to check Syslog filter settings:
config log syslogd filter
show full-configuration
end
Value descriptions:
status {enable | disable}: Enter 'enable' to enable logging to a remote syslog server.
csv {enable | disable}: Enter 'enable' to enable the FortiGate unit to produce the log in the Comma Separated Value (CSV) format.
Note: If CSV format is not enabled, the output will be in plain text.
facility { kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }
kernel Kernel messages.
user Random user-level messages.
mail Mail system.
daemon System daemons.
auth Security/authorization messages.
syslog Messages generated internally by syslog.
lpr Line printer subsystem.
news Network news subsystem.
uucp Network news subsystem.
cron Clock daemon.
authpriv Security/authorization messages (private).
ftp FTP daemon.
ntp NTP daemon.
audit Log audit.
alert Log alert.
clock Clock daemon.
local0 Reserved for local use.
local1 Reserved for local use.
local2 Reserved for local use.
local3 Reserved for local use.
local4 Reserved for local use.
local5 Reserved for local use.
local6 Reserved for local use.
local7 Reserved for local use.
port <port_integer>: Enter the port number for communication with the syslog server.
reliable {enable | disable}: Enable reliable delivery of syslog messages to the syslog server. When enabled, the FortiGate unit implements the RAW profile of RFC 3195 for reliable delivery of log messages to the syslog server. Reliable syslog protects log information through authentication and data encryption and ensures that the log messages are reliably delivered in the correct order.
server <address_ipv4 | FQDN>: Enter the IP address of the syslog server that stores the logs.
source-ip <address_ipv4>: Enter the source IP address for syslogd, syslog2, syslog3 and syslog4.
This information is in the FortiOS 6.0 CLI Reference - Syslog.
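As an added example, not part of this article or of any Fortinet tooling, the following Python script shows what a collector receives for the settings described above: it decodes the <PRI> header of each message into the facility and severity, using the standard numeric codes (RFC 3164 / RFC 5424 numbering) behind the facility names listed above, and splits the body either as plain-text key=value pairs (csv disabled) or as comma separated values (csv enabled). The log lines, device name, device id and addresses in it are constructed samples, and the CSV column order is assumed for illustration only.

```python
import csv
import io
import re
from typing import Any, Dict

# Facility names as offered by 'set facility' on the FortiGate, mapped to the
# numeric codes a syslog collector decodes (RFC 3164 / RFC 5424 numbering).
FACILITY_CODES: Dict[str, int] = {
    "kernel": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "audit": 13, "alert": 14, "clock": 15,
}
FACILITY_CODES.update({f"local{i}": 16 + i for i in range(8)})
FACILITY_NAMES = {code: name for name, code in FACILITY_CODES.items()}

# Severity codes 0..7, carried in the low three bits of PRI.
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# key=value pairs as written in plain-text mode: the value is either
# double-quoted (and may then contain spaces) or a bare token.
_KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

# Constructed sample lines (device name, device id and addresses are made up).
# Both carry PRI 189 = local7 (23) * 8 + notice (5).
SAMPLE_PLAIN = (
    '<189>date=2019-04-02 time=06:24:00 devname="FGT-LAB" devid="FGVM-LAB-0001" '
    'logid="0100032002" type="event" subtype="system" level="notice" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="ssh(10.0.0.5)" '
    'msg="Administrator admin logged in successfully from ssh(10.0.0.5)"'
)
# CSV mode: values only, in an assumed column order, quoted where they contain spaces.
SAMPLE_CSV = (
    "<189>2019-04-02,06:24:00,FGT-LAB,FGVM-LAB-0001,0100032002,event,system,"
    'notice,root,"Admin login successful",admin'
)


def expected_pri(facility: str, severity: str) -> int:
    """PRI the collector should see for a FortiGate facility setting and a severity."""
    return FACILITY_CODES[facility] * 8 + SEVERITY_NAMES.index(severity)


def parse_fortigate_syslog(line: str) -> Dict[str, Any]:
    """Decode the <PRI> header and split the body into fields.

    A body containing '=' is treated as plain-text key=value output, anything
    else as CSV output (csv enabled); CSV records come back as a positional
    list because the column order is not carried in the message.
    """
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    facility_code, severity_code = divmod(pri, 8)
    if facility_code not in FACILITY_NAMES:
        raise ValueError(f"facility code {facility_code} is outside 0..23")
    result: Dict[str, Any] = {
        "pri": pri,
        "facility": FACILITY_NAMES[facility_code],
        "severity": SEVERITY_NAMES[severity_code],
    }
    body = m.group(2).strip()
    if "=" in body:
        result["fields"] = {k: quoted or bare for k, quoted, bare in _KV_RE.findall(body)}
    else:
        rows = list(csv.reader(io.StringIO(body)))
        result["csv"] = rows[0] if rows else []
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_CSV):
        print(parse_fortigate_syslog(sample))
```

A quick consistency check on the collector side is to compare the decoded facility against the value configured with 'set facility'; if they differ, the logs are being filed under the wrong facility and any collector rules keyed on it will miss them.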
Refer to the following CLI command to configure SYSLOG in FortiOS 6.4 or above:
config log {syslogd | syslogd2 | syslogd3 | syslogd4} setting
set status {enable | disable}
set server {address_ipv4 | FQDN}
set mode {udp | legacy-reliable | reliable}
set port {port_integer}
set source-ip {address_ipv4}
set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
set priority {default | low}
set max-log-rate <integer>
set interface-select-method {auto | sdwan | specify}
end
mode {udp | legacy-reliable | reliable}
udp Enable syslogging over UDP.
legacy-reliable Enable legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog).
reliable Enable reliable syslogging by RFC6587 (Transmission of Syslog Messages over TCP).
priority {default | low}
default Set Syslog transmission priority to default.
low Set Syslog transmission priority to low.
max-log-rate
Enter an integer value from <0> to <100000>.
interface-select-method
auto Set outgoing interface automatically.
sdwan Set outgoing interface by SD-WAN or policy routing rules.
specify Set outgoing interface manually.
In the GUI:
Note:
Configuring multiple syslog server connections consumes system resources on the firewall. If there are multiple syslog servers configured, it may result in increased resource usage, including CPU and memory. This could potentially impact the overall performance of the firewall, especially if it is already operating at maximum capacity.
Each Syslog server connection generates network traffic from the firewall to the servers. If there are multiple syslog servers configured, it can result in higher network utilization and increased bandwidth consumption. This might be a concern, especially in environments where network resources are limited or bandwidth is a critical factor.
It is recommended to carefully assess the need for multiple syslog servers and consider the potential impact on the firewall's performance, and network resources.
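As an added example, not from this article or from FortiOS, the following Python script reads the text of 'show full-configuration' for the syslogd entries described in the FortiOS 6.4 section above and reports settings worth a second look: an enabled entry with no server address, 'mode udp' (unacknowledged delivery) where 'mode reliable' is available, 'mode legacy-reliable' (RFC 3195) where the collector supports RFC 6587, and more enabled servers than a chosen threshold, which is the concern raised in the note above. The sample configuration, the addresses and the threshold are constructed; treating an entry with no explicit mode as udp is an assumption made here.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of 'show full-configuration' output for the
# four syslogd entries; the addresses are documentation ranges, not real servers.
SAMPLE_CONFIG = """\
config log syslogd setting
    set status enable
    set server "192.0.2.10"
    set mode udp
    set port 514
    set facility local7
end
config log syslogd2 setting
    set status enable
    set server "192.0.2.11"
    set mode reliable
    set port 601
    set facility local7
end
config log syslogd3 setting
    set status enable
    set server "192.0.2.12"
    set mode legacy-reliable
end
config log syslogd4 setting
    set status enable
end
"""

_BLOCK_RE = re.compile(r"^config log (syslogd\d?) setting$")


def parse_syslogd_settings(text: str) -> Dict[str, Dict[str, str]]:
    """Return {entry name: {key: value}} for each 'config log syslogdN setting' block."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _BLOCK_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
        elif line == "end":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value.strip().strip('"')
    return entries


def audit_syslog_settings(entries: Dict[str, Dict[str, str]],
                          max_servers: int = 2) -> List[str]:
    """Flag settings worth reviewing; each finding names the entry it applies to."""
    findings: List[str] = []
    enabled = [name for name, s in entries.items() if s.get("status") == "enable"]
    for name in enabled:
        s = entries[name]
        if not s.get("server"):
            findings.append(f"{name}: enabled but no server address is set")
        # Assumption: an entry without an explicit mode behaves as udp.
        mode = s.get("mode", "udp")
        if mode == "udp":
            findings.append(f"{name}: mode udp, delivery is unacknowledged; "
                            "consider mode reliable (RFC 6587 over TCP)")
        elif mode == "legacy-reliable":
            findings.append(f"{name}: mode legacy-reliable uses RFC 3195; "
                            "prefer mode reliable where the collector supports RFC 6587")
    if len(enabled) > max_servers:
        findings.append(f"{len(enabled)} syslog servers enabled (threshold {max_servers}); "
                        "each adds CPU, memory and bandwidth load on the firewall")
    return findings


if __name__ == "__main__":
    for finding in audit_syslog_settings(parse_syslogd_settings(SAMPLE_CONFIG)):
        print(finding)
```

Running the script against the sample reports the udp entry, the legacy-reliable entry, the entry with no server and the server count; the entry using mode reliable with a server set produces no finding. Paste the real 'show full-configuration' output in place of SAMPLE_CONFIG to audit a unit.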
Copyright 2024 Fortinet, Inc. All Rights Reserved.