This article describes how to configure FortiGate to send encrypted Syslog messages (syslog over TLS) to the Syslog server (rsyslog - Ubuntu Server 24.04).

FortiGate.

To send encrypted packets to the Syslog server, FortiGate will verify the Syslog server certificate with the imported Certificate Authority (CA) certificate during the TLS handshake.

In this case, FortiGate uses a self-signed certificate using the XCA application:

Creating certificates with XCA

The following steps describe the procedure for creating the CA certificate and the server certificate:

1. Create a CA certificate and export it as a (ca-syslog.pem) file.
2. Create a Server certificate signed by the CA ca-syslog.pem and export it as a PEM + Key file, syslog-cert.pem: concatenate the certificate and the unencrypted private key in one PEM file.
3. Create two files: syslog-servercert.pem and syslog-serverkey.key.
4. Open the syslog-cert.pem with notepad and copy the content of the certificate (including -----BEGIN CERTIFICATE-----  and  -----END CERTIFICATE-----), then copy and paste it into the syslog-servercert.pem file (created in step 3).
5. Open the syslog-cert.pem with notepad and copy the content of the certificate (including -----BEGIN RSA PRIVATE KEY-----  and  -----END RSA PRIVATE KEY-----), then copy and paste it into the syslog-serverkey.key file (created in step 3).
6. Move the three files (ca-syslog.pem, syslog-servercert.pem, and syslog-serverkey.key) to the syslog server. Place the files in the /home/syslog_cert/ directory.

When the rsyslog service is installed and running on an Ubuntu Server (24.04), configure the /etc/rsyslog.conf file as follows:

Make the gtls driver the default and define the certificate files:

global(

DefaultNetstreamDriver="gtls"

DefaultNetstreamDriverCAFile="/home/syslog_cert/ca-syslog.pem"

DefaultNetstreamDriverCertFile="/home/syslog_cert/syslog-servercert.pem"

DefaultNetstreamDriverKeyFile="/home/syslog_cert/syslog-serverkey.key"

)

Load the TCP listener:

module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.Authmode="anon")

Provide TCP syslog reception:

input(type="imtcp" port="6514")

Restart the rsyslog process and check the status of the service by running the following commands:

sudo systemctl restart rsyslog

sudo systemctl status rsyslog

Import the CA certificate to the FortiGate as a Remote CA certificate (Under System -> Certificates -> Create/Import -> CA Certificate -> File, upload the 'ca-syslog.pem" file).

Configure the Syslog setting on FortiGate and change the server IP address/name accordingly:

config log syslogd setting

    set status enable

    set server "10.191.85.3"

    set mode reliable

    set port 6514

    set enc-algorithm high

end

A sniffer/packet capture can be made to check the additional information between FortiGate and Syslog server communication:

If the CA is not matching on FortiGate or it is not installed on the FortiGate store, the following error will appear: 'Fatal Error, Description: Unknown CA'.

The content of /etc/rsyslog.conf as reference:

# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf

#################
#### MODULES ####
#################

global(net.enableDNS="off")
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
#module(load="immark") # provides --MARK-- message capability 
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
DefaultNetstreamDriverCAFile="/home/syslog_cert/ca-syslog.pem"
DefaultNetstreamDriverCertFile="/home/syslog_cert/syslog-servercert.pem"
DefaultNetstreamDriverKeyFile="/home/syslog_cert/syslog-serverkey.key"
# provides TCP syslog reception with encryption
module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.AuthMode="anon")
input(type="imtcp" port="6514" )
# Enable non-kernel facility klog messages
#$KLogPermitNonKernelFacility on

###########################
#### GLOBAL DIRECTIVES ####
###########################

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf