This article describes how to configure multiple Syslog servers on a FortiGate and a cloud FortiGate VM when a source IP cannot be defined, because an HA failover to the secondary FortiGate VM brings a different interface IP.
The traffic path is FortiGate --> IPsec --> cloud FortiGate VM (in HA) --> Syslog server 2.
In this scenario, a Syslog server configuration with a defined source IP, or with interface-select-method set to a specific interface, sends logs to only one server.
Also, in a cloud setup the interface IP changes when a failover happens, so the only way to keep sending logs is to manually change the configured source IP.
Sample config with an interface selected for Syslog server 1.
FGT-A # sh log syslogd setting
config log syslogd setting
set status enable
set server "192.168.100.103"
set interface-select-method specify
set interface "port2"
end
Sample config with an interface selected for Syslog server 2.
FGT-A # sh log syslogd2 setting
config log syslogd2 setting
set status enable
set server "192.168.200.104"
set interface-select-method specify
set interface "port2"
end
With this setup, traffic is forwarded only to the on-premises Syslog server; no logs are forwarded to the second Syslog server over the IPsec tunnel.
FGT-A # di sniffer packet any "port 514" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[port 514]
2024-08-26 14:41:36.169579 port2 out 192.168.100.101.9860 -> 192.168.100.103.514: udp 565
2024-08-26 14:41:41.170147 port2 out 192.168.100.101.9860 -> 192.168.100.103.514: udp 621
2024-08-26 14:41:41.170617 port2 out 192.168.100.101.9860 -> 192.168.100.103.514: udp 622
2024-08-26 14:41:44.171480 port2 out 192.168.100.101.9860 -> 192.168.100.103.514: udp 621
2024-08-26 14:41:54.180369 port2 out 192.168.100.101.9860 -> 192.168.100.103.514: udp 565
Defining the source IP under the Syslog server settings addresses the issue and sends the traffic over the IPsec tunnel, but after an HA failover it no longer works, because the source interface IP will be different.
To resolve this, configure the second Syslog server with the IPsec tunnel interface as its interface. Also, configure the Syslog server IP in phase 2 of the tunnel so that the tunnel selectors cover it.
FGT-A # sh log syslogd setting
config log syslogd setting
set status enable
set server "192.168.100.103"
set interface-select-method specify
set interface "port2"
end
FGT-A # sh log syslogd2 setting
config log syslogd2 setting
set status enable
set server "192.168.200.104"
set interface-select-method specify
set interface "Azure_test"
end
FGT-A # di sniffer packet any "port 514" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[port 514]
2024-08-26 14:49:29.440462 port2 out 192.168.100.101.19113 -> 192.168.100.103.514: udp 621
2024-08-26 14:49:29.440537 Azure_test out 10.191.20.114.13255 -> 192.168.200.104.514: udp 621
2024-08-26 14:49:39.439824 port2 out 192.168.100.101.19113 -> 192.168.100.103.514: udp 565
2024-08-26 14:49:39.439914 Azure_test out 10.191.20.114.13255 -> 192.168.200.104.514: udp 565
2024-08-26 14:49:52.439921 port2 out 192.168.100.101.19113 -> 192.168.100.103.514: udp 692
2024-08-26 14:49:52.440000 Azure_test out 10.191.20.114.13255 -> 192.168.200.104.514: udp 692
2024-08-26 14:49:52.440108 port2 out 192.168.100.101.19113 -> 192.168.100.103.514: udp 621
2024-08-26 14:49:52.440127 Azure_test out 10.191.20.114.13255 -> 192.168.200.104.514: udp 621
2024-08-26 14:49:52.440203 port2 out 192.168.100.101.19113 -> 192.168.100.103.514: udp 622
2024-08-26 14:49:52.440222 Azure_test out 10.191.20.114.13255 -> 192.168.200.104.514: udp 622
2024-08-26 14:49:52.440355 port2 out 192.168.100.101.19113 -> 192.168.100.103.514: udp 565
2024-08-26 14:49:52.440376 Azure_test out 10.191.20.114.13255 -> 192.168.200.104.514: udp 565
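As an added verification step (this script is not part of the article and not a Fortinet tool), the following Python parses "diagnose sniffer packet ... 4" output and confirms that every configured Syslog server is actually receiving packets on the interface set under its syslogd setting. The captures embedded below are constructed from the article's output; run it against a fresh capture after an HA failover to confirm both servers still see logs.

```python
import re
from collections import defaultdict

# One packet line of "diagnose sniffer packet any 'port 514' 4" output (verbosity 4
# prints interface and direction). Pattern derived from the captures in this article.
SNIFFER_LINE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+): udp \d+$"
)

def parse_sniffer(text):
    """Yield (interface, direction, src_ip, dst_ip, dst_port); non-packet lines are skipped."""
    for line in text.splitlines():
        m = SNIFFER_LINE.match(line.strip())
        if m:
            yield m["iface"], m["dir"], m["src"], m["dst"], int(m["dport"])

def check_syslog_egress(capture, expected, port=514):
    """expected maps Syslog server IP -> interface from 'set interface' under syslogdN setting.
    Returns {server: 'ok' | 'no-packets' | 'wrong-interface:<ifaces seen>'}."""
    seen = defaultdict(set)
    for iface, direction, _src, dst, dport in parse_sniffer(capture):
        if direction == "out" and dport == port:
            seen[dst].add(iface)
    status = {}
    for server, iface in expected.items():
        if not seen[server]:
            status[server] = "no-packets"  # configured, but nothing left the FortiGate for it
        elif seen[server] != {iface}:
            status[server] = "wrong-interface:" + ",".join(sorted(seen[server]))
        else:
            status[server] = "ok"
    return status

# Expected egress per server, mirroring the corrected syslogd / syslogd2 settings above.
EXPECTED = {"192.168.100.103": "port2", "192.168.200.104": "Azure_test"}

# Constructed captures modelled on the article's sniffer output (not live traffic).
CAPTURE_BEFORE = """filters=[port 514]
2024-08-26 14:41:36.169579 port2 out 192.168.100.101.9860 -> 192.168.100.103.514: udp 565
2024-08-26 14:41:41.170147 port2 out 192.168.100.101.9860 -> 192.168.100.103.514: udp 621
"""
CAPTURE_AFTER = """2024-08-26 14:49:29.440462 port2 out 192.168.100.101.19113 -> 192.168.100.103.514: udp 621
2024-08-26 14:49:29.440537 Azure_test out 10.191.20.114.13255 -> 192.168.200.104.514: udp 621
"""

if __name__ == "__main__":
    print(check_syslog_egress(CAPTURE_BEFORE, EXPECTED))  # second server: no-packets
    print(check_syslog_egress(CAPTURE_AFTER, EXPECTED))   # both servers: ok
```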
Related articles:
Technical Tip: Configuring multiple SYSLOG servers
Technical Tip: Syslog server over IPSEC VPN and sending VPN logs
Copyright 2024 Fortinet, Inc. All Rights Reserved.