Description
This article describes how to optimize FortiGate to syslog server communication in a multi-VDOM setup.

Scope
FortiGate.

Solution
FortiGate sends its logs to the syslog server IP configured under 'config log syslogd setting'. In a multi-VDOM setup, which VDOM originates that traffic, and which server receives it, depends on the combination of the global setting and the per-VDOM override, as explained below.
Scenario 1: A syslog server is configured in Global and syslog-override is disabled in the VDOM:

Global:

    config global
        config log syslogd setting
            set status enable
        end
    end

VDOM:

    config log setting
        set syslog-override disable
    end
FortiGate uses the management VDOM to generate the syslog traffic to the server 192.168.5.7 and sends it out of a routable interface in the management VDOM. Confirm this with a sniffer and a route lookup from the management VDOM:
    diagnose sniffer packet any "port 1514" 4 0 l

    get router info routing-table details 192.168.5.7
    Routing table for VRF=0
If the syslog server is reachable only through another VDOM, a firewall policy is required on that other VDOM to allow the syslog traffic.
Example:
Root sends the syslog traffic out of its end of the inter-VDOM link, Root-to-Prod 1. A firewall policy on the Prod VDOM is then needed to allow that traffic in from Root-to-Prod 2 and out to port2.
If there is no such policy, syslogd can drive CPU usage high because of a feedback loop: the syslog packets are dropped by the implicit deny policy on the Prod VDOM, each drop produces an implicit deny log (when violation traffic logging is enabled on the implicit deny policy), and syslogd tries to send those new logs to the same server, where they are dropped again and logged again.
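The following is an added, end-to-end configuration for Scenario 1, not taken from the article: the global syslog target, the inter-VDOM link, the route in root, and the policy on Prod that the text says is required. All values are assumptions for illustration: the link is named "Root-to-Prod" (FortiOS names its two ends with a 0/1 suffix, so Root-to-Prod0 sits in root and Root-to-Prod1 in Prod; the article refers to the same two ends as Root-to-Prod 1 and Root-to-Prod 2), the link subnet is 10.255.0.0/30, the collector 192.168.5.7 sits behind port2 of Prod, and syslog runs on UDP 1514.

```fortios
# Added example (not from the article). Assumed values: inter-VDOM link
# "Root-to-Prod" (Root-to-Prod0 in root, Root-to-Prod1 in Prod), link subnet
# 10.255.0.0/30, syslog collector 192.168.5.7 behind port2 of Prod, UDP 1514.

config global
    # Global syslog target. root is the management VDOM and keeps
    # syslog-override disabled, so root originates this traffic.
    config log syslogd setting
        set status enable
        set server "192.168.5.7"
        set mode udp
        set port 1514
        set source-ip 10.255.0.1
    end
    # Inter-VDOM link; FortiOS creates the two ends as <name>0 and <name>1.
    config system vdom-link
        edit "Root-to-Prod"
        next
    end
    config system interface
        edit "Root-to-Prod0"
            set vdom "root"
            set ip 10.255.0.1 255.255.255.252
        next
        edit "Root-to-Prod1"
            set vdom "Prod"
            set ip 10.255.0.2 255.255.255.252
        next
    end
end

config vdom
    edit root
        # Give the management VDOM a route to the collector over the link,
        # so "get router info routing-table details 192.168.5.7" resolves.
        config router static
            edit 0
                set dst 192.168.5.7 255.255.255.255
                set gateway 10.255.0.2
                set device "Root-to-Prod0"
            next
        end
    next
    edit Prod
        # Objects scoped to exactly this flow: one source, one destination,
        # one UDP port, rather than "all"/"ALL".
        config firewall address
            edit "SYSLOG-SERVER"
                set subnet 192.168.5.7 255.255.255.255
            next
            edit "ROOT-LINK"
                set subnet 10.255.0.1 255.255.255.255
            next
        end
        config firewall service custom
            edit "SYSLOG-UDP-1514"
                set udp-portrange 1514
            next
        end
        # The policy the article calls for. Without it the implicit deny on
        # Prod drops the syslog packets, and each logged drop becomes a new
        # log that syslogd tries to send down the same blocked path.
        config firewall policy
            edit 0
                set name "root-syslog-to-collector"
                set srcintf "Root-to-Prod1"
                set dstintf "port2"
                set srcaddr "ROOT-LINK"
                set dstaddr "SYSLOG-SERVER"
                set action accept
                set schedule "always"
                set service "SYSLOG-UDP-1514"
                set logtraffic disable
            next
        end
    next
end
```

The policy is deliberately narrow (one source, one destination, one port) and has traffic logging disabled so the log transport does not itself generate traffic logs that are then shipped over the same path. After applying it, the sniffer on "port 1514" should show packets leaving port2, and the Prod VDOM's implicit deny counters for this flow should stop climbing.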
Scenario 2: A syslog server is set in Global and a syslog server is also set in the management VDOM by enabling syslog-override. Syslog communication then goes to the server configured in the VDOM; the VDOM override takes precedence over the global setting.
Global:

    config log syslogd setting
        set status enable
    end

Root VDOM:

    config log setting
        set syslog-override enable
    end

    config log syslogd override-setting
        set status enable
    end

    diagnose sniffer packet any "port 1514" 4 0 l
Scenario 3: A syslog server is configured globally and syslog-override is enabled in the management VDOM, but no syslog server is configured under 'log syslogd override-setting' in that VDOM. In this state the FortiGate generates no syslog traffic at all: the override takes precedence over the global setting, and the override has no server to send to. Log forwarding stops silently, with no error, so after enabling syslog-override always confirm with a sniffer that packets are still leaving.
    show log syslogd setting
    config log syslogd setting
        set status enable
    end

    show log setting
    config log setting
        set syslog-override enable
    end

    show log syslogd override-setting
    config log syslogd override-setting
    end

    diagnose sniffer packet any "port 1514" 4 0 l
    Using Original Sniffing Mode
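The following is an added example, not from the article, showing the Scenario 3 misconfiguration next to the two ways to correct it, plus a verification step. Assumed values: the management VDOM is "root" and the collector is 192.168.5.7 on UDP 1514.

```fortios
# Added example (not from the article). Assumed values: management VDOM
# "root", syslog collector 192.168.5.7 on UDP 1514.

# --- As found (silent): syslog-override is enabled in root, but the
# override-setting block was never configured, so "show" prints it empty
# and no packets leave, even though a global server exists.
config vdom
    edit root
        config log setting
            set syslog-override enable
        end
        config log syslogd override-setting
            # left at defaults: this is the misconfiguration
        end
    next
end

# --- Fix A: keep the override and give it a server (Scenario 2 shape).
config vdom
    edit root
        config log syslogd override-setting
            set status enable
            set server "192.168.5.7"
            set mode udp
            set port 1514
        end
    next
end

# --- Fix B: drop the override so the global server is used again
# (Scenario 1 shape). Use one fix or the other, not both.
config vdom
    edit root
        config log setting
            set syslog-override disable
        end
    next
end

# --- Verify from the root VDOM: emit test logs, then capture a few
# packets toward the collector. A capture that prints only
# "Using Original Sniffing Mode" means logs are still not being sent.
diagnose log test
diagnose sniffer packet any "host 192.168.5.7 and udp port 1514" 4 10 l
```

Pick Fix A when the VDOM genuinely needs a different collector than the global one, and Fix B when the override was enabled by mistake. In either case, run the verification step afterwards; the failure mode in Scenario 3 produces no error anywhere in the configuration, only an absence of traffic.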