Nishtha_Baria
Article Id 332007
Description: This article describes how to verify if the logs are being sent out from the FortiGate to the Syslog server.
Scope: FortiGate.
Solution:

Make sure FortiGate's Syslog settings are correct before beginning the verification.

Technical Tip: How to configure syslog on FortiGate

 

Confirm that logging is enabled for the traffic in question.

Technical Tip: View historic SSL VPN user connectivity logs


Next, initiate a packet capture on the FortiGate to observe the traffic. Use the tool located under Network -> Packet Capture or Network -> Diagnostics -> Packet Capture, and enter the IP address or port number of the Syslog server in the Filter.

 Troubleshooting Tip: Packet Capture on FortiOS GUI 


The default port is 514. In the example below, however, the Syslog server is configured on port 515:

 

[Image: syslogpcfilter.PNG]

 

For the packet capture snippet below, a failed SSL VPN login with the username 'abcde' was tested after initiating the capture. The capture shows that FortiGate sent the logs to the Syslog server on the specified port 515.

 

[Image: syslogpc.png]
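The same check can be run offline against a saved capture. The following is an added example, not part of the original article or Fortinet tooling: it reads a capture file, keeps the UDP datagrams sent to the Syslog port, and matches key=value fields such as the test username. It assumes a classic pcap file with Ethernet link type and key=value log payloads; the function names are hypothetical and the sample packet (addresses and log fields) is constructed.

```python
import re
import struct

def syslog_datagrams(pcap: bytes, server_port: int):
    """Yield (dst_ip, payload) for IPv4/UDP datagrams sent to server_port."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Skip anything that is not untagged Ethernet + IPv4 + UDP.
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) < 8:
            continue
        dport, ulen = struct.unpack("!HH", udp[2:6])
        if dport == server_port:
            yield ".".join(map(str, frame[30:34])), udp[8:ulen]

def parse_fields(payload: bytes) -> dict:
    """Split a key=value syslog payload into a dict, dropping the <PRI> prefix."""
    text = re.sub(r"^<\d+>", "", payload.decode("utf-8", "replace"))
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', text)}

def verify(pcap: bytes, server_port: int, **expect) -> list:
    """Return (dst_ip, fields) for logs on server_port matching every expected field."""
    hits = []
    for dst, payload in syslog_datagrams(pcap, server_port):
        fields = parse_fields(payload)
        if all(fields.get(k) == v for k, v in expect.items()):
            hits.append((dst, fields))
    return hits

def build_sample(port: int = 515) -> bytes:
    """Constructed one-packet capture; addresses and log fields are made up."""
    msg = b'<185>date=2024-01-01 time=10:00:00 type="event" subtype="vpn" user="abcde" action="ssl-login-fail"'
    udp = struct.pack("!HHHH", 40000, port, 8 + len(msg), 0) + msg
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 10]))
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + udp
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
```

For a real capture, pass the file's bytes to `verify()` in place of `build_sample()`; an empty result for the configured port means no matching log left the FortiGate during the capture window.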

 

Related Articles:

Technical Tip: How to configure syslog on FortiGate

Technical Tip: How to perform a syslog and log test on a FortiGate with the 'diagnose log test' comm... 

Technical Tip: View historic SSL VPN user connectivity logs

Troubleshooting Tip: Packet Capture on FortiOS GUI