Description
It can be a case when syslog has been masking some specific type of logs forwarded from FortiGate.
Therefore diagnosis to verify whether problem is not related to FortiGate configuration can proof the point.
Solution
Packet capture of generated various logs.
Start sniffer on port 514 and generate various logs
Then run capture and issue command to generate logs sample :
# diagnose log test ( output may vary depending on the FortiOS version )
generating a system event message with level - warning
generating an infected virus message with level - warning
generating a blocked virus message with level - warning
generating a URL block message with level - warning
generating a DLP message with level - warning
generating an IPS log message
generating an anomaly log message
generating an application control IM message with level - information
generating an IPv6 application control IM message with level - information
generating deep application control logs with level - information
generating an antispam message with level - notification
generating an allowed traffic message with level - notice
generating a multicast traffic message with level - notice
generating a ipv6 traffic message with level - notice
generating a wanopt traffic log message with level - notification
generating a HA event message with level - warning
generating a VOIP event message with level - information
generating authentication event messages
generating a Forticlient message with level - information
generating a URL block message with level - warning
generating a DNS message with level - warning
generating an ssh-command pass log with level - notification
generating an ssh-channel block with level – warning
VerificationOpen collected capture and check packets content if is matching logs that have been generated.
