FortiGate
vpoluri
Staff
Article Id 191166

Description

This article describes how to override the global syslog settings so that a specific VDOM sends its logs to a different syslog server.
The same procedure applies when only one VDOM should send logs to a syslog server at all.
The article also shows how to configure a FortiGate to send logs to a Tftpd64 Syslog Server.
 

Scope 

 

FortiGate.

 

Solution 

 

If syslog-override is disabled for a VDOM, that VDOM's logs are forwarded according to the global syslog configuration. While syslog-override is disabled, the syslog settings under Select VDOM -> Log & Report -> Log Settings are greyed out and show the global syslog configuration, since VDOM-specific syslog servers cannot be configured in this state.

 

[Screenshot: VDOM Log Settings page with syslog-override disabled; the greyed-out fields show the global syslog configuration]


If syslog-override is enabled for a VDOM, the logs generated by the VDOM ignore global syslog settings. Any logs generated by that VDOM are forwarded according to 'config log syslogd/syslogd2/syslogd3/syslogd4 override-setting', including not sending any logs if there is no syslog server configured.

 

When syslog-override is enabled, VDOM-specific syslog logging is configurable in Select VDOM -> Log & Report -> Log Settings.

 

[Screenshot: VDOM Log Settings page with syslog-override enabled, allowing VDOM-specific syslog servers]

 

Note: every log has an assigned VDOM, including 'Global' logs such as system performance statistics and global configuration. Such logs are assigned to the management VDOM, so overriding the syslog configuration of the management VDOM also changes how these logs are sent. The default management VDOM is 'root'. To change the management VDOM, see the article 'How to change management VDOM from GUI and CLI'.


See below for examples of how to override global syslog settings for a VDOM.

 

Solution 1 (firmware versions 6.0.x and earlier):

 

In these versions, the command 'set override enable' is available under 'config log syslogd override-setting', and the commands below configure the override.

 

From the CLI, execute the following commands:

config vdom
    edit "VDOM_NAME"
        config log syslogd override-setting
            set override enable
            set status enable
            set server x.x.x.x      <- Where x.x.x.x is the IP address of the syslog server.
            set port 514
            set source-ip x.x.x.x   <- Optional: the source IP from which the connections originate.
        end
end

Solution 2 (firmware versions 6.2.x and later):

 

As of FortiOS 6.2, the command 'set override enable' is no longer available under 'config log syslogd override-setting'. Instead, a VDOM-wide 'set syslog-override enable' setting was introduced, which also allows multiple FortiAnalyzer/syslog servers per VDOM (see FortiGate 6.2.0 new features).

From the CLI, execute the following commands:
 
config vdom
    edit "VDOM_NAME"
        config log setting
            set syslog-override enable
end
 
Once syslog-override is enabled, the following CLI commands are available for configuring the VDOM override.

To configure the VDOM override for a syslog server:

1. Configure the syslog override settings:

config log syslogd/syslogd2/syslogd3/syslogd4 override-setting
    set status enable
    set server x.x.x.x      <- Where x.x.x.x is the IP address of the syslog server.
    set port 514
    set source-ip x.x.x.x   <- Optional: the source IP from which the connections originate.
end

2. Configure the override filters:

config log syslogd/syslogd2/syslogd3/syslogd4 override-filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set dns enable
    set ssh enable
    set ssl enable
end

 
The change can now be verified from the GUI.
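Another way to check the effect, this time on a configuration dump rather than in the GUI, is the added Python example below; it is not part of the original article or of FortiOS. It parses a constructed FortiOS-style config snippet and applies the rules described above to answer which server each VDOM's logs will reach: the global setting when syslog-override is disabled (as for the management VDOM 'root', which also carries global logs), the VDOM's own override-setting when enabled, and nothing at all when override is enabled but no server is configured. The VDOM names VDOM_A and VDOM_B and the address 192.0.2.10 are constructed for the example.

```python
def parse_fortios(text):
    """Parse FortiOS 'config/edit/set/next/end' text into {path_tuple: {key: value}}."""
    settings, stack = {}, []
    for raw in text.splitlines():
        kw, *rest = raw.split('<-')[0].replace('"', '').split() or ['']  # drops article-style '<-' notes
        if kw == 'config':
            stack.append(('config', ' '.join(rest)))
        elif kw == 'edit':
            stack.append(('edit', rest[0]))
        elif kw == 'next':
            stack.pop()
        elif kw == 'end':  # 'end' issued inside an edit leaves both the edit and its enclosing config
            del stack[max(i for i, frame in enumerate(stack) if frame[0] == 'config'):]
        elif kw == 'set':
            path = tuple(name for _, name in stack)  # e.g. ('vdom', 'VDOM_A', 'log setting')
            settings.setdefault(path, {})[rest[0]] = ' '.join(rest[1:])
    return settings

def effective_syslog_server(settings, vdom, slot='syslogd'):
    """Return (server, port) that will receive this VDOM's logs, or None when nothing is sent."""
    override = settings.get(('vdom', vdom, 'log setting'), {}).get('syslog-override') == 'enable'
    # override disabled -> global 'log <slot> setting'; enabled -> only the VDOM's override-setting
    path = ('vdom', vdom, f'log {slot} override-setting') if override else (f'log {slot} setting',)
    s = settings.get(path, {})
    if s.get('status') != 'enable' or not s.get('server'):  # enabled override with no server -> no logs
        return None
    return s['server'], int(s.get('port', '514'))

# Constructed sample: the article's global server; VDOM_A overrides to its own collector; VDOM_B enables override but names no server.
SAMPLE_CONFIG = """\
config log syslogd setting
    set status enable
    set server "10.101.20.124"
end
config vdom
    edit "VDOM_A"
        config log setting
            set syslog-override enable
        end
        config log syslogd override-setting
            set status enable
            set server "192.0.2.10"
        end
    next
    edit "VDOM_B"
        config log setting
            set syslog-override enable
        end
end
"""
```

Run effective_syslog_server(parse_fortios(SAMPLE_CONFIG), name) for 'root', 'VDOM_A' and 'VDOM_B' to see the three outcomes; a real 'show full-configuration' dump wraps the global block in 'config global', which this minimal parser does not strip.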
 
Below is an example of configuring the FortiGate to send logs to the Tftpd64 Syslog Server:

Configure the IP addresses on the FortiGate and on the client where the Tftpd64 Syslog Server is installed.

10.101.20.123/20 is configured on port3 of the FortiGate.
10.101.20.124/20 is configured on the Ethernet port of the Windows 10 client; its gateway is the IP address of port3 on the FortiGate.
 

[Screenshot: port3 address configuration on the FortiGate]

[Screenshot: Ethernet adapter address and gateway configuration on the Windows 10 client]

 

Execute the following commands to configure the syslog settings on the FortiGate:

config log syslogd setting
    set status enable
    set server "10.101.20.124"
    set source-ip "10.101.20.123"
end

 

Install Tftpd64 on the client. After the installation is finished, open the application and choose the interface as below:

 

[Screenshot: Tftpd64 server interface selection]

 

After the interface is selected, logs start arriving at the Tftpd64 Syslog Server, as shown below:

 

[Screenshot: FortiGate log messages received in the Tftpd64 Syslog server view]