Technical Tip: Configuring multiple Syslog servers

dsharma · ‎04-02-2019

Description

This article describes the Syslog server configuration information on FortiGate.

Scope

FortiGate.

Solution

FortiGate can send syslog messages to up to 4 syslog servers.
Separate SYSLOG servers can be configured per VDOM.

CLI command to configure SYSLOG:

config log {syslogd | syslogd2 | syslogd3 | syslogd4} setting

set status {enable | disable}
set csv {enable | disable}
set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | # kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
set port <port_integer>
set reliable {enable | disable}
set server <address_ipv4 | FQDN>
set source-ip <address_ipv4>

end

Configuring the source interface in the Syslogd configuration is now possible starting with FortiOS v7.6.0 and higher.

config log syslogd setting
set status enable

set source-ip-interface < Interface_name>
end

Refer to the below documentation for more information:
Set the source interface for syslog and NetFlow settings | FortiGate / FortiOS 7.6.0 | Fortinet Docu...

CLI command to check Syslog filter settings:

config log syslogd filter

show full-configuration

end

Value descriptions:

status {enable | disable}: Enter 'enable' to enable logging to a remote syslog server.

csv {enable | disable}: Enter 'enable' to enable the FortiGate unit to produce the log in the Comma Separated Value (CSV) format.

Note: If CSV format is not enabled, the output will be in plain text.

facility { kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }

kernel Kernel messages.

user        Random user-level messages.
mail        Mail system.
daemon      System daemons.
auth        Security/authorization messages.
syslog      Messages generated internally by syslog.
lpr         Line printer subsystem.
news        Network news subsystem.
uucp        Network news subsystem.
cron        Clock daemon.
authpriv    Security/authorization messages (private).
ftp         FTP daemon.
ntp         NTP daemon.
audit       Log audit.
alert       Log alert.
clock       Clock daemon.
local0      Reserved for local use.
local1      Reserved for local use.
local2      Reserved for local use.
local3      Reserved for local use.
local4      Reserved for local use.
local5      Reserved for local use.
local6      Reserved for local use.
local7      Reserved for local use.

port <port_integer>: Enter the port number for communication with the syslog server.

reliable {enable | disable}: Enable reliable delivery of syslog messages to the syslog server. When enabled, the FortiGate unit implements the RAW profile of RFC 3195 for reliable delivery of log messages to the syslog server. Reliable syslog protects log information through authentication and data encryption and ensures that the log messages are reliably delivered in the correct order.

server <address_ipv4 | FQDN>: Enter the IP address of the syslog server that stores the logs.

source-ip <address_ipv4>: Enter the source IP address for syslogd, syslog2, syslog3 and syslog4.

This information is in the FortiOS 6.0 CLI Reference - Syslog.

Refer to the following CLI command to configure SYSLOG in FortiOS 6.4 or above:

config log {syslogd | syslogd2 | syslogd3 | syslogd4} setting

set status {enable | disable}

set server {address_ipv4 | FQDN}

set mode {udp | legacy-reliable | reliable}

set port {port_integer}

set source-ip {address_ipv4}

set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp |

syslog | user | uucp}

set priority {default | low}

set max-log-rate <integer>

set interface-select-method {auto | sdwan | specify}

end

mode {udp | legacy-reliable | reliable}

udp Enable syslogging over UDP.

legacy-reliable Enable legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog).

reliable Enable reliable syslogging by RFC6587 (Transmission of Syslog Messages over TCP).

priority {default | low}

default Set Syslog transmission priority to default.

low Set Syslog transmission priority to low.

max-log-rate

Enter an integer value from <0> to <100000>.

interface-select-method

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

In the GUI:

For instructions on configuring separate syslog servers per VDOM, refer to the article below:

Setting up syslog in a Multi-VDOM setup - Fortinet Community

To send logs to a different syslog server than the one specified in the global settings for a specific VDOM, refer to the article below:

How to send logs to a different syslog se... - Fortinet Community

Note:
Configuring multiple syslog server connections consumes system resources on the firewall. If there are multiple syslog servers configured, it may result in increased resource usage, including CPU and memory. This could potentially impact the overall performance of the firewall, especially if it is already operating at maximum capacity.

Each Syslog server connection generates network traffic from the firewall to the servers. If there are multiple syslog servers configured, it can result in higher network utilization and increased bandwidth consumption. This might be a concern, especially in environments where network resources are limited or bandwidth is a critical factor.

It is recommended to carefully assess the need for multiple syslog servers and consider the potential impact on the firewall's performance, and network resources.

Technical Tip: Configuring multiple Syslog servers

You are leaving our website