Created on 10-24-2019 06:51 AM
Edited on 01-14-2025 06:29 AM
By Stephen_G
Description
This article describes how to handle cases where a syslog server appears to be masking specific types of logs forwarded from FortiGate.
Before troubleshooting the syslog server, it is recommended to run the diagnosis below to verify that the problem is not related to the FortiGate configuration.
Scope
FortiGate.
Solution
Perform a packet capture of various generated logs.
Start a sniffer on UDP port 514 and generate various logs.
Note:
Logs are sent to syslog servers via UDP port 514. Run the following sniffer commands on the FortiGate CLI to capture the traffic:
diagnose sniffer packet any 'udp port 514' 4 0 l
diagnose sniffer packet any 'udp port 514' 6 0 a
diagnose sniffer packet any 'host x.x.x.x and port 514' 4 0 l <- Where x.x.x.x is Syslog Server IP.
diagnose sniffer packet any 'host x.x.x.x and port 514' 6 0 a <- Where x.x.x.x is Syslog Server IP.
Run each of these commands in a separate CLI console.
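Once the payloads have been captured (verbosity 6 prints the UDP payload, which is the raw syslog message), the quickest way to see which log types actually leave the FortiGate is to parse them. The following script is an added example, not part of the original article: it decodes the syslog <PRI> header into facility and severity, parses the FortiGate key=value fields, tallies messages per type/subtype, and compares the FortiGate-side tally against what the syslog server stored. All sample lines and device names are constructed.

```python
import re
from collections import Counter

# FortiGate syslog messages are key=value pairs after a <PRI> header.
# Values are either bare (date=2019-10-24) or double-quoted (msg="...").
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_syslog(line: str) -> dict:
    """Return the message fields plus facility/severity decoded from <PRI>."""
    m = _PRI_RE.match(line.strip())
    if not m:
        raise ValueError("missing <PRI> header: %r" % line[:40])
    pri = int(m.group(1))
    # RFC 3164: PRI = facility * 8 + severity (FortiGate default facility is local7 = 23)
    fields = {"facility": pri // 8, "severity": pri % 8}
    for key, value in _KV_RE.findall(m.group(2)):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')  # unquote and unescape
        fields[key] = value
    return fields

def tally_by_type(lines) -> Counter:
    """Count messages per (type, subtype, severity) triple."""
    counts = Counter()
    for line in lines:
        f = parse_fortigate_syslog(line)
        counts[(f.get("type"), f.get("subtype"), f["severity"])] += 1
    return counts

def masked_types(sent_lines, received_lines) -> dict:
    """Triples seen leaving the FortiGate (sniffer) but missing or fewer on the server."""
    sent, recv = tally_by_type(sent_lines), tally_by_type(received_lines)
    return {k: sent[k] - recv.get(k, 0) for k in sent if sent[k] > recv.get(k, 0)}

# Constructed sample payloads in FortiGate syslog format (not real capture data).
SAMPLE_LINES = [
    '<189>date=2019-10-24 time=06:51:00 devname="FGT-LAB" devid="FGT-PLACEHOLDER" '
    'type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.0.5 dstip=10.0.0.9 action="accept"',
    '<189>date=2019-10-24 time=06:51:01 devname="FGT-LAB" devid="FGT-PLACEHOLDER" '
    'type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.0.6 dstip=10.0.0.9 action="deny"',
    '<188>date=2019-10-24 time=06:51:02 devname="FGT-LAB" devid="FGT-PLACEHOLDER" '
    'type="event" subtype="system" level="warning" vd="root" msg="Admin login failed \\"too many\\" attempts"',
]

if __name__ == "__main__":
    # Pretend the server only stored the two traffic logs: the event log is reported as masked.
    print(tally_by_type(SAMPLE_LINES))
    print(masked_types(SAMPLE_LINES, SAMPLE_LINES[:2]))
```

Feed the FortiGate-side payloads from the sniffer and the server-side lines from the syslog store into masked_types; a non-empty result pinpoints the type/subtype and severity the server is filtering, so the server's facility/severity rules can be checked against the decoded values.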
If the syslog server is on the remote side of an IPsec tunnel, the route must be configured correctly so that the syslog traffic is routed through the tunnel interface.
The following commands are useful for confirming the route in the routing table and for troubleshooting the traffic:
get router info routing-table details x.x.x.x <- Where x.x.x.x is syslog IP address.
diag debug reset
diag debug enable
diag debug console timestamp enable
diag debug flow filter addr x.x.x.x <- Where x.x.x.x is the syslog server IP address.
diag debug flow filter port 514
diag debug flow show function-name enable
diag debug flow trace start 1000
To stop the debug:
diagnose debug disable
diagnose debug reset
Copyright 2025 Fortinet, Inc. All Rights Reserved.