Description
This article describes how to enable logging on FortiController and configure it to send logs to a syslog server or a FortiAnalyzer (with a syslog ADOM).
Solution
Settings required on FortiAnalyzer:
- Enable ADOM on FortiAnalyzer (skip this step if ADOM is already enabled).
- Create a new ADOM (syslog).
Settings required on FortiController:
Syslog-related configuration is only available in the CLI. The following commands are required to enable syslog:
    # config log syslogd setting
    set status enable
    set server "10.5.21.82" <----- 10.5.21.82 is the FortiAnalyzer IP in this case.
    end

By default, ALL the syslog filters are disabled, as shown below:

    # config log syslogd filter
    set event disable
    set severity information
    end

Once 'set event enable' is applied, the individual event filters become visible. They are disabled by default, as shown below:

    # config log syslogd filter
    set event enable
    set severity information
    set base-switch-config disable
    set base-switch-general disable
    set base-switch-trunk disable
    set fabric-switch-config disable
    set fabric-switch-general disable
    set fabric-switch-stp disable
    set fabric-switch-trunk disable
    set system-config disable
    set system-general disable
    end

To receive basic events, enable the following:

    # config log syslogd filter
    set event enable
    set system-general enable
    end

For testing, log in to and out of the FortiController to generate an event that appears on the syslog server.
Once the above settings are applied, FortiController will start sending logs to the configured syslog server (in this case, FortiAnalyzer).
On the FortiAnalyzer, authorize the FortiController to start seeing the logs.
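
When the destination is a plain syslog server rather than FortiAnalyzer, the login/logout test can be checked with a small receiver like the one below. This is an added example, not part of the original article or Fortinet code. It assumes UDP port 514, a standard `<PRI>` header on each message, and a placeholder controller address (192.0.2.10); the sample datagrams are constructed and do not reproduce real FortiController output.

```python
import re
import socket

# Fortinet severity names; index = syslog severity number (0 is most severe).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "information", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def parse_pri(datagram):
    """Return (facility, severity_name) from the <PRI> header, or None."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return pri >> 3, SEVERITIES[pri & 7]

def check(datagram, source_ip, controller_ip, threshold="information"):
    """Classify one datagram against the expected sender and 'set severity'."""
    if source_ip != controller_ip:
        return "unexpected-source"  # UDP sources can be spoofed; this is a sanity check
    parsed = parse_pri(datagram)
    if parsed is None:
        return "malformed"
    if SEVERITIES.index(parsed[1]) > SEVERITIES.index(threshold):
        return "below-threshold"    # less severe than the configured filter allows
    return "ok"

def listen(controller_ip, bind="0.0.0.0", port=514):
    """Print a verdict per datagram. UDP/514 is an assumed default."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, (src, _) = sock.recvfrom(8192)
            print(src, check(data, src, controller_ip), data[:120])

# Constructed sample datagrams (not real FortiController output).
SAMPLES = [
    (b"<14>constructed login event", "192.0.2.10"),    # severity 6: information
    (b"<15>constructed debug event", "192.0.2.10"),    # severity 7: debug
    (b"constructed line without PRI", "192.0.2.10"),
    (b"<14>constructed login event", "198.51.100.7"),  # not the controller
]

def run_samples(controller_ip="192.0.2.10"):
    return [check(d, s, controller_ip) for d, s in SAMPLES]

if __name__ == "__main__":
    print(run_samples())
```

To watch live traffic, call `listen()` with the FortiController's address on the syslog server (binding port 514 normally requires elevated privileges), then log in to and out of the controller.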