FortiGate
jfelix09
Staff
Article Id 248101
Description

This article describes how to configure FortiGate to send encrypted Syslog messages (syslog over TLS) to the Syslog server (rsyslog - Ubuntu Server 24.04).

Scope

FortiGate.

Solution

To send encrypted Syslog messages, FortiGate verifies the Syslog server's certificate against the imported Certificate Authority (CA) certificate during the TLS handshake.

In this case, a self-signed CA certificate and a server certificate created with the XCA application are used:

Creating certificates with XCA

The following steps describe the procedure for creating the CA certificate and the server certificate:

  1. Create a CA certificate and export it as a (ca-syslog.pem) file.
  2. Create a Server certificate signed by the CA ca-syslog.pem and export it as a PEM + Key file, syslog-cert.pem: concatenate the certificate and the unencrypted private key in one PEM file.
  3. Create two files: syslog-servercert.pem and syslog-serverkey.key.
  4. Open syslog-cert.pem with Notepad and copy the certificate block (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), then paste it into the syslog-servercert.pem file (created in step 3).
  5. Open syslog-cert.pem with Notepad and copy the private key block (including -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----), then paste it into the syslog-serverkey.key file (created in step 3).
  6. Move the three files (ca-syslog.pem, syslog-servercert.pem, and syslog-serverkey.key) to the syslog server and place them in the /home/syslog_cert/ directory.

Once the rsyslog service is installed and running on the Ubuntu Server (24.04), configure the /etc/rsyslog.conf file as follows.

Make the gtls driver the default and define the certificate files:

global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/home/syslog_cert/ca-syslog.pem"
    DefaultNetstreamDriverCertFile="/home/syslog_cert/syslog-servercert.pem"
    DefaultNetstreamDriverKeyFile="/home/syslog_cert/syslog-serverkey.key"
)

Load the TCP listener with the gtls driver:

module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.AuthMode="anon")

Provide TCP syslog reception on port 6514:

input(type="imtcp" port="6514")

Restart the rsyslog process and check the status of the service by running the following commands:

sudo systemctl restart rsyslog
sudo systemctl status rsyslog

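The following shell helpers are an added example, not part of the original article: split_pem performs steps 3 to 5 above (splitting the XCA "PEM + Key" export into the certificate and key files) without hand-copying, verify_bundle checks the result before rsyslog is restarted, and check_listener tests the gtls listener afterwards. File names are the article's (syslog-cert.pem, ca-syslog.pem, syslog-servercert.pem, syslog-serverkey.key); the PKCS#8 key header handling is an assumed generalization beyond the RSA header the article shows.

```shell
#!/bin/sh
# Added example (not from the original article): helpers for the certificate
# steps. Requires awk for split_pem and openssl for the two check functions.

# split_pem <combined.pem> <out-cert.pem> <out-key.key>
# Copies the first CERTIFICATE block to the cert file and the private key
# block to the key file. Also accepts the PKCS#8 "BEGIN PRIVATE KEY" header
# (assumption: XCA may emit it instead of the RSA-specific one).
split_pem() {
    combined=$1; cert_out=$2; key_out=$3
    awk '/-----BEGIN CERTIFICATE-----/ {p=1}
         p {print}
         /-----END CERTIFICATE-----/ {if (p) exit}' "$combined" > "$cert_out"
    awk '/-----BEGIN (RSA |EC )?PRIVATE KEY-----/ {p=1}
         p {print}
         /-----END (RSA |EC )?PRIVATE KEY-----/ {p=0}' "$combined" > "$key_out"
    # The key is the server's TLS identity: keep it unreadable to other users.
    chmod 600 "$key_out"
    [ -s "$cert_out" ] && [ -s "$key_out" ]
}

# verify_bundle <ca.pem> <cert.pem> <key.key>
# Returns 0 if the server cert chains to the CA that FortiGate will import and
# the private key belongs to that cert (identical public key).
verify_bundle() {
    openssl verify -CAfile "$1" "$2" > /dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$3" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_listener <host> <port> <ca.pem>
# Does what FortiGate does on connect: a TLS handshake that must validate the
# listener's cert against the CA. With StreamDriver.AuthMode="anon" only this
# direction is authenticated; rsyslog accepts any client that completes the
# handshake, so restrict who can reach port 6514 at the network level.
check_listener() {
    printf '' | openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error > /dev/null 2>&1
}
```

Run split_pem on the syslog server, then verify_bundle ca-syslog.pem syslog-servercert.pem syslog-serverkey.key before restarting rsyslog and check_listener 127.0.0.1 6514 ca-syslog.pem after.
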
Import the CA certificate to the FortiGate as a Remote CA certificate (under System -> Certificates -> Create/Import -> CA Certificate -> File, upload the 'ca-syslog.pem' file).

Configure the Syslog setting on FortiGate and change the server IP address/name accordingly:

config log syslogd setting
    set status enable
    set server "10.191.85.3"
    set mode reliable
    set port 6514
    set enc-algorithm high
end

A sniffer/packet capture can be taken to verify the TLS exchange between FortiGate and the Syslog server.

If the CA does not match the one on FortiGate, or it is not installed in the FortiGate certificate store, the following TLS alert will appear in the capture: 'Fatal Error, Description: Unknown CA'.

The full content of /etc/rsyslog.conf, for reference:

# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf

#################
#### MODULES ####
#################

global(net.enableDNS="off")
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
# make gtls driver the default and define the certificate files
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/home/syslog_cert/ca-syslog.pem"
    DefaultNetstreamDriverCertFile="/home/syslog_cert/syslog-servercert.pem"
    DefaultNetstreamDriverKeyFile="/home/syslog_cert/syslog-serverkey.key"
)
# provides TCP syslog reception with encryption
module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.AuthMode="anon")
input(type="imtcp" port="6514")
# Enable non-kernel facility klog messages
#$KLogPermitNonKernelFacility on

###########################
#### GLOBAL DIRECTIVES ####
###########################

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf