FortiGate
gmanea, Staff
Article Id 197588
Description
It is possible to configure different syslog and FortiAnalyzer servers on the units of an HA cluster.
VDOMs can also override the global syslog server settings.

This article describes this feature.

Solution


To configure the primary HA unit:
Configure a global syslog server:
# config global
# config log syslogd setting
    set status enable
    set server 172.16.200.44
    set facility local6
    set format default
end
end
Set up a VDOM exception so that the global syslog server setting is not synchronized and can be set separately on the secondary HA unit:
# config global
# config system vdom-exception
    edit 1
        set object log.syslogd.setting
    next
end
end
To configure the secondary HA unit:
Configure a global syslog server:
# config global
# config log syslogd setting
    set status enable
    set server 172.16.200.55
    set facility local5
end
end
After the primary and secondary units synchronize, generate logs on the secondary unit.

To confirm that logs are being sent to the syslog server configured on the secondary unit:

On the primary unit, run the following packet capture for traffic to the secondary unit's syslog server:
# diagnose sniffer packet any "host 172.16.200.55" 6
interfaces=[any]
filters=[host 172.16.200.55]

266.859494 port2 out 172.16.200.2.7434 -> 172.16.200.55.514: udp 278
0x0000   0000 0000 0000 0009 0f09 0004 0800 4500        ..............E.
0x0010   0132 f3c7 0000 4011 9d98 ac10 c802 ac10        .2....@.........
0x0020   c837 1d0a 0202 011e 4b05 3c31 3734 3e64        .7......K.<174>d
0x0030   6174 653d 3230 3230 2d30 332d 3134 2074        ate=2020-03-14.t
0x0040   696d 653d 3132 3a30 303a 3035 2064 6576        ime=12:00:05.dev
0x0050   6e61 6d65 3d22 466f 7274 6947 6174 652d        name="FGT-81E-Sl
0x0060   3831 455f 4122 2064 6576 6964 3d22 4647        ave-A".devid="FG
0x0070   5438 3145 3451 3136 3030 3030 3438 2220        T81E4Q16000048".
0x0080   6c6f 6769 643d 2230 3130 3030 3230 3032        logid="010002002
0x0090   3722 2074 7970 653d 2265 7665 6e74 2220        7".type="event".
0x00a0   7375 6274 7970 653d 2273 7973 7465 6d22        subtype="system"
0x00b0   206c 6576 656c 3d22 696e 666f 726d 6174        .level="informat
0x00c0   696f 6e22 2076 643d 2276 646f 6d31 2220        ion".vd="vdom1".
0x00d0   6576 656e 7474 696d 653d 3135 3834 3231        eventtime=158421
0x00e0   3234 3035 3835 3938 3335 3639 3120 747a        2405859835691.tz
0x00f0   3d22 2d30 3730 3022 206c 6f67 6465 7363        ="-0700".logdesc
0x0100   3d22 4f75 7464 6174 6564 2072 6570 6f72        ="Outdated.repor
0x0110   7420 6669 6c65 7320 6465 6c65 7465 6422        t.files.deleted"
0x0120   206d 7367 3d22 4465 6c65 7465 2031 206f        .msg="Delete.1.o
0x0130   6c64 2072 6570 6f72 7420 6669 6c65 7322        ld.report.files"
Configure a different syslog server in the root VDOM on a secondary HA unit.

To configure the primary HA unit:
Configure a global syslog server:
# config global
# config log syslogd setting
    set status enable
    set server 172.16.200.44
    set facility local6
    set format default
end
end
Set up a VDOM exception to enable syslog-override in the root VDOM of the secondary HA unit:
# config global
# config system vdom-exception
    edit 1
        set object log.syslogd.override-setting
        set scope inclusive
        set vdom root
    next
end
end
In the root VDOM, enable syslog-override in the log settings and configure the override syslog server:
# config vdom
# edit root
# config log setting
    set syslog-override enable
end
# config log syslogd override-setting
    set status enable
    set server 172.16.200.44
    set facility local6
    set format default
end
next
end
After syslog-override is enabled, an override syslog server must be configured, as logs will not be sent to the global syslog server.

To configure the secondary HA unit:
Configure an override syslog server in the root VDOM:
# config vdom
# edit root
# config log syslogd override-setting
    set status enable
    set server 172.16.200.55
    set facility local5
    set format default
end
next
end
After the primary and secondary units synchronize, generate logs in the root VDOM on the secondary unit.

To confirm that logs are being sent to the syslog server configured for the root VDOM on the secondary unit:

On the primary unit, run the following packet capture for traffic to the syslog server configured in the root VDOM on the secondary unit:
# diagnose sniffer packet any "host 172.16.200.55" 6
interfaces=[any]
filters=[host 172.16.200.55]
156.759696 port2 out 172.16.200.2.1165 -> 172.16.200.55.514: udp 277
0x0000   0000 0000 0000 0009 0f09 0004 0800 4500        ..............E.
0x0010   0131 f398 0000 4011 9dc8 ac10 c802 ac10        .1....@.........
0x0020   c837 048d 0202 011d af5f 3c31 3734 3e64        .7......._<174>d
0x0030   6174 653d 3230 3230 2d30 332d 3134 2074        ate=2020-03-14.t
0x0040   696d 653d 3131 3a33 353a 3035 2064 6576        ime=11:35:05.dev
0x0050   6e61 6d65 3d22 466f 7274 6947 6174 652d        name="FGT-81E-Sl
0x0060   3831 455f 4122 2064 6576 6964 3d22 4647        ave-A".devid="FG
0x0070   5438 3145 3451 3136 3030 3030 3438 2220        T81E4Q16000048".
0x0080   6c6f 6769 643d 2230 3130 3030 3230 3032        logid="010002002
0x0090   3722 2074 7970 653d 2265 7665 6e74 2220        7".type="event".
0x00a0   7375 6274 7970 653d 2273 7973 7465 6d22        subtype="system"
0x00b0   206c 6576 656c 3d22 696e 666f 726d 6174        .level="informat
0x00c0   696f 6e22 2076 643d 2272 6f6f 7422 2065        ion".vd="root".e
0x00d0   7665 6e74 7469 6d65 3d31 3538 3432 3130        venttime=1584210
0x00e0   3930 3537 3539 3334 3132 3632 2074 7a3d        905759341262.tz=
0x00f0   222d 3037 3030 2220 6c6f 6764 6573 633d        "-0700".logdesc=
0x0100   224f 7574 6461 7465 6420 7265 706f 7274        "Outdated.report
0x0110   2066 696c 6573 2064 656c 6574 6564 2220        .files.deleted".
0x0120   6d73 673d 2244 656c 6574 6520 3220 6f6c        msg="Delete.2.ol
0x0130   6420 7265 706f 7274 2066 696c 6573 22          d.report.files"
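Reading the two captures above by eye only confirms the destination address; the added example below (not part of the Fortinet article) rebuilds the frame from a verbosity-6 sniffer dump, walks the IPv4/UDP headers, and decodes the syslog message so that server, facility and VDOM can be checked mechanically. The PRI `<174>` seen in both captures decodes to facility local5, severity informational (174 = 21*8 + 6), matching `set facility local5` on the secondary unit. The sample dump is constructed (checksums zeroed) in the same format as the article's captures.

```python
# Added example (not from the article): decode one packet from a FortiGate
# `diagnose sniffer packet ... 6` dump and check the syslog message in it.
import re
import struct

def hexdump_to_bytes(dump: str) -> bytes:
    """First frame only; offset, hex words and ASCII columns are 2+ spaces apart."""
    out = bytearray()
    for line in dump.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) < 2 or not parts[0].startswith("0x"):
            continue  # timestamp, interfaces= and filters= lines
        if parts[0] == "0x0000" and out:
            break  # a second packet begins here
        out += bytes.fromhex(parts[1].replace(" ", ""))
    return bytes(out)

def udp_payload(frame: bytes):
    """Walk Ethernet -> IPv4 (honouring IHL/total length) -> UDP; return (dst_ip, dst_port, payload)."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 17:
        raise ValueError("expected an IPv4/UDP frame")
    ihl, ip_len = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    dst_ip = ".".join(str(b) for b in frame[30:34])
    udp = frame[14 + ihl:14 + ip_len]
    dst_port, udp_len = struct.unpack("!HH", udp[2:6])
    return dst_ip, dst_port, udp[8:udp_len]

def parse_syslog(payload: bytes) -> dict:
    """<PRI> -> facility/severity (PRI = facility*8 + severity), then key=value pairs."""
    m = re.match(r"<(\d+)>(.*)", payload.decode("ascii", "replace"), re.S)
    pri, fac = int(m.group(1)), int(m.group(1)) >> 3
    log = {"facility": f"local{fac - 16}" if 16 <= fac <= 23 else str(fac), "severity": pri & 7}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2)):
        log[key] = val.strip('"')
    return log

def check_capture(dump: str, server: str, facility: str, vd: str) -> dict:
    """Did the log reach server:514 with the expected facility, and from the expected VDOM?"""
    dst_ip, dst_port, payload = udp_payload(hexdump_to_bytes(dump))
    log = parse_syslog(payload)
    return {"server_ok": dst_ip == server and dst_port == 514, "facility_ok": log["facility"] == facility,
            "vd_ok": log.get("vd") == vd, "devname": log.get("devname")}

# Constructed sample (checksums zeroed): 172.16.200.2 -> 172.16.200.55:514, PRI 174 = local5.info
SAMPLE_DUMP = """1.000000 port2 out 172.16.200.2.7434 -> 172.16.200.55.514: udp 30
0x0000   0000 0000 0000 0009 0f09 0004 0800 4500        ..............E.
0x0010   003a f3c7 0000 4011 0000 ac10 c802 ac10        .:....@.........
0x0020   c837 1d0a 0202 0026 0000 3c31 3734 3e64        .7.....&..<174>d
0x0030   6576 6e61 6d65 3d22 4647 542d 4122 2076        evname="FGT-A".v
0x0040   643d 2272 6f6f 7422                            d="root"
"""
```

Paste the sniffer output from either capture above into `check_capture` with the server, facility and VDOM you configured; a `False` in the result pinpoints which of the three is wrong.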
