FortiGate
vpoluri
Staff
Article Id 191166

Description

 

This article provides a general guide on how to override the global syslog settings so that a specific VDOM can send logs to a different syslog server.
The same procedure applies when only one VDOM needs to send logs to a syslog server.
This article also demonstrates an example of configuring the FortiGate to send logs to a Tftpd64 Syslog Server.


Solution

 

From the CLI, execute the following commands:
 
config vdom
    edit "VDOM_NAME"
        config log syslogd override-setting
            set override enable
            set status enable
            set server x.x.x.x      <- Where x.x.x.x is the IP address of syslog server.
            set port 514
            set source-ip x.x.x.x   <- Optional to specify the source IP from where the connections will originate.
        end

In 6.4.x, to enable syslog server override under VDOM:

From the CLI, execute the following command:
 
config vdom
    edit "VDOM_NAME"
        config log setting
            set syslog-override enable
        end
 
When syslog-override is enabled, the following CLI commands are available for configuring VDOM override:

To configure VDOM override for a syslog server:
 
  1. Configure the syslog override settings.

config log syslogd override-setting      <- Or syslogd2, syslogd3 or syslogd4, depending on which syslog server entry is being overridden.
    set status enable
    set server x.x.x.x      <- Where x.x.x.x is the IP address of syslog server.
    set port 514
    set source-ip x.x.x.x   <- Optional to specify the source IP from where the connections will originate.
end

 

  2. Configure the override filters:

config log syslogd override-filter       <- Or syslogd2, syslogd3 or syslogd4, matching the override-setting entry used above.
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set dns enable
    set ssh enable
    set ssl enable
end

 
The change can now be verified from the GUI.
 
Below is an example of configuring the FortiGate to send logs to the Tftpd64 Syslog Server:
 
Configure the IP addresses on the FortiGate and on the client where the Tftpd64 Syslog Server is installed.
 
10.101.20.123/20 is configured on port3 of the FortiGate.
10.101.20.124/20 is configured on the Ethernet port of the client running Windows 10. The client's gateway is set to the IP address of port3 on the FortiGate.
 

Screenshot_1.jpg

 

Screenshot_2.png

 

Execute the following commands to configure syslog settings on the FortiGate:

 

config log syslogd setting
    set status enable
    set server "10.101.20.124"
    set source-ip "10.101.20.123"
end

 

Install Tftpd64 on the client. After the installation is finished, open the application and choose the interface as below:

 

Screenshot_3.jpg

 

After choosing the interface, the logs will start to come to the Tftpd64 Syslog Server, as below:

 

Screenshot_4.png
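
To confirm on the receiving side that a VDOM override is taking effect, the lines arriving at the syslog server can be checked for the vd= field and for the sender address set with source-ip. The following is an added example, not part of the original article: the VDOM names, the sample log lines and the function names are constructed for illustration, and it assumes the FortiGate's default key=value log format.

```python
import re
from collections import Counter

_PRI = re.compile(r"^<(\d{1,3})>")                  # syslog priority prefix
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')      # key=value or key="quoted value"

def parse_fortigate_syslog(payload):
    """Return the PRI-derived facility/severity plus every key=value field."""
    rec = {}
    m = _PRI.match(payload)
    if m:
        rec["facility"], rec["severity"] = divmod(int(m.group(1)), 8)
        payload = payload[m.end():]
    for key, quoted, bare in _KV.findall(payload):
        rec[key] = quoted or bare
    return rec

def audit(datagrams, expected):
    """datagrams: (sender_ip, payload) pairs, as a UDP listener on port 514 sees them.
    expected: VDOM name -> address configured with 'set source-ip' (assumed mapping)."""
    counts, findings = Counter(), []
    for src, payload in datagrams:
        vd = parse_fortigate_syslog(payload).get("vd")
        counts[(src, vd)] += 1
        if vd is None:
            findings.append(f"{src}: no vd= field in log line")
        elif vd not in expected:
            findings.append(f"{src}: unexpected VDOM '{vd}'")
        elif src != expected[vd]:
            findings.append(f"{src}: VDOM '{vd}' should come from {expected[vd]}")
    seen = {vd for _, vd in counts}
    findings += [f"no logs received for VDOM '{vd}'" for vd in sorted(set(expected) - seen)]
    return counts, findings

# Constructed sample datagrams; VDOM names and device fields are placeholders.
SAMPLE = [
    ("10.101.20.123", '<189>date=2024-01-01 time=10:00:00 devname="FGT-LAB" '
     'logid="0000000013" type="traffic" subtype="forward" level="notice" '
     'vd="VDOM_A" srcip=192.0.2.10 action="accept"'),
    ("10.101.20.123", '<190>date=2024-01-01 time=10:00:05 devname="FGT-LAB" '
     'type="event" subtype="system" level="information" vd="VDOM_A" '
     'msg="setting changed vd=fake"'),
    ("10.101.20.99", '<189>date=2024-01-01 time=10:00:09 devname="FGT-LAB" '
     'type="traffic" subtype="local" level="notice" vd="root" action="deny"'),
]

if __name__ == "__main__":
    counts, findings = audit(SAMPLE, {"VDOM_A": "10.101.20.123", "VDOM_B": "10.101.20.123"})
    for (src, vd), n in counts.items():
        print(f"{src} vd={vd}: {n} line(s)")
    print("\n".join(findings))
```

A VDOM that appears under an unexpected sender address, or an expected VDOM with no lines at all, usually points to the override not being enabled in that VDOM or to a source-ip that does not match the collector's expectations.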