Description
Scope
FortiGate.
Solution
If syslog-override is disabled for a VDOM, that VDOM's logs are forwarded according to the global syslog configuration. While syslog-override is disabled, the syslog setting under Select VDOM -> Log & Report -> Log Settings is grayed out and shows the global syslog configuration, since it is not possible to configure VDOM-specific syslog servers in this case.
If syslog-override is enabled for a VDOM, the logs generated by the VDOM ignore global syslog settings. Any logs generated by that VDOM are forwarded according to 'config log syslogd/syslogd2/syslogd3/syslogd4 override-setting', including not sending any logs if there is no syslog server configured.
When syslog-override is enabled, VDOM-specific syslog logging is configurable in Select VDOM -> Log & Report -> Log Settings.
Note: all logs have an assigned VDOM, including 'Global' logs such as system performance statistics and global configuration. Such logs are assigned to the management VDOM, so overriding the syslog configuration for the management VDOM can change how these logs are sent. The default management VDOM is 'root'. To change the management VDOM, see the article 'How to change management VDOM from GUI and CLI'.
See below for examples of how to override global syslog settings for a VDOM.
Solution 1 (firmware versions 6.0.x and earlier):
The command 'set override enable' is available under the command 'config log syslogd override-setting', and the commands below can be used to configure the override.
Solution 2 (firmware versions 6.2.x and later):
The command 'set override enable' is no longer available under 'config log syslogd override-setting' in FortiOS 6.2 and later. Instead, a new VDOM-wide 'set syslog-override enable' setting has been introduced to enable multiple FortiAnalyzer/syslog servers per VDOM (see FortiGate 6.2.0 new features).
config log syslogd/syslogd2/syslogd3/syslogd4 override-setting
    set status enable
    set server x.x.x.x       <- Where x.x.x.x is the IP address of syslog server.
    set port 514
    set source-ip x.x.x.x    <- Optional to specify the source IP from where the connections will originate.
end
config log syslogd/syslogd2/syslogd3/syslogd4 override-filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set dns enable
    set ssh enable
    set ssl enable
end
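An added example (not Fortinet's code and not part of the original article): a Python check that reads a configuration backup and reports, per VDOM, where syslog actually goes under the 6.2.x rules above, so a VDOM with syslog-override enabled but no enabled override server shows up as sending nothing. The backup layout, the VDOM names, and the placement of 'set syslog-override enable' under 'config log setting' are assumptions, and the sample input is constructed.

```python
import shlex

# Constructed, simplified multi-VDOM excerpt (layout assumed; not from the article).
SAMPLE = """config global
config log syslogd setting
    set status enable
    set server "10.101.20.124"
end
end
config vdom
edit root
config log setting
    set syslog-override enable
end
next
edit vd-lab
next
end"""

def parse(text):
    """Return {scope: {section: {key: value}}}; scope is 'global' or a VDOM name."""
    cfg, stack, scope = {}, [], None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
            scope = "global" if stack == ["global"] else scope
        elif tok[0] == "edit" and stack == ["vdom"]:
            scope = tok[1]
            cfg.setdefault(scope, {})  # keep VDOMs that carry no log config
        elif tok[0] == "set" and len(stack) == 2:
            cfg.setdefault(scope, {}).setdefault(stack[1], {})[tok[1]] = " ".join(tok[2:])
        elif tok[0] == "end" and stack:
            stack.pop()
    return cfg

def servers(sections, suffix):
    """Servers of the syslogd..syslogd4 slots that have 'set status enable'."""
    slots = (sections.get(f"log syslogd{n} {suffix}", {}) for n in ("", "2", "3", "4"))
    return [s["server"] for s in slots if s.get("status") == "enable" and "server" in s]

def effective_syslog(cfg):
    """Per VDOM (source, servers). Assumes syslog-override sits under 'config log setting'."""
    inherited = ("global", servers(cfg.get("global", {}), "setting"))
    return {v: ("override", servers(s, "override-setting"))
            if s.get("log setting", {}).get("syslog-override") == "enable" else inherited
            for v, s in cfg.items() if v != "global"}

if __name__ == "__main__":
    print(effective_syslog(parse(SAMPLE)))
```

A result of ('override', []) for the management VDOM means the 'Global' logs assigned to it are not reaching any syslog server either.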
Execute the following commands to configure syslog settings on the FortiGate:
config log syslogd setting
    set status enable
    set server "10.101.20.124"
    set source-ip "10.101.20.123"
end
Install Tftpd64 on the client. After the installation is finished, open the application and choose the interface as below:
After choosing the interface, the logs will start to come to the Tftpd64 Syslog Server, as below: