Created on 03-05-2023 06:01 PM, edited on 03-25-2025 03:31 AM, by Jean-Philippe_P
Description

This article describes how to configure FortiGate to send encrypted Syslog messages (syslog over TLS) to a Syslog server (rsyslog on Ubuntu Server 24.04).

Scope

FortiGate.

Solution
To send encrypted syslog to the server, FortiGate verifies the Syslog server's certificate against the imported Certificate Authority (CA) certificate during the TLS handshake.
In this example, a self-signed CA certificate and a server certificate created with the XCA application are used: Creating certificates with XCA
The following steps describe the procedure for creating the CA certificate and the server certificate:
Once the rsyslog service is installed and running on the Ubuntu Server (24.04), configure the /etc/rsyslog.conf file as follows.
Make the gtls driver the default and define the certificate files:
    global(
        DefaultNetstreamDriver="gtls"
        DefaultNetstreamDriverCAFile="/home/syslog_cert/ca-syslog.pem"
        DefaultNetstreamDriverCertFile="/home/syslog_cert/syslog-servercert.pem"
        DefaultNetstreamDriverKeyFile="/home/syslog_cert/syslog-serverkey.key"
    )
Load the TCP listener in TLS-only mode (StreamDriver.Mode="1"); with Authmode="anon" the server does not request a client certificate from FortiGate:
    module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.Authmode="anon")
Provide TCP syslog reception on the syslog-over-TLS port:
    input(type="imtcp" port="6514")
Restart the rsyslog process and check the status of the service by running the following commands:
    sudo systemctl restart rsyslog
    sudo systemctl status rsyslog
Import the CA certificate into FortiGate as a Remote CA certificate (under System -> Certificates -> Create/Import -> CA Certificate -> File, upload the 'ca-syslog.pem' file).
Configure the Syslog setting on FortiGate and change the server IP address/name accordingly (mode reliable selects TCP, which the TLS listener requires):
    config log syslogd setting
        set status enable
        set server "10.191.85.3"
        set mode reliable
        set port 6514
        set enc-algorithm high
    end
A sniffer/packet capture of the traffic between FortiGate and the Syslog server can be taken to check the TLS handshake and any additional information:
If the CA certificate does not match, or it is not installed in the FortiGate certificate store, the following TLS alert appears in the capture: 'Fatal Error, Description: Unknown CA'.
Copyright 2025 Fortinet, Inc. All Rights Reserved.