FortiGate
ereddy
Staff
Article Id 195284

Description

 

This article describes how to reach a syslog server over an IPsec VPN and send FortiGate logs to it.

 

Scope

 

FortiGate.


Solution


Example topology: FGT1 -> IPsec VPN -> FGT2 -> syslog server. FGT1 sends its logs to a syslog server that sits behind FGT2.

In this scenario the syslog traffic is self-originated (local-out) traffic generated by FGT1 itself. The FortiGate selects the outgoing interface for such traffic from the routing table (the least weighted interface) and uses that interface's own address as the source IP. A route-based IPsec tunnel interface has no IP address by default, so the source address picked this way may not be covered by the tunnel's phase 2 selectors, and the log packets never make it through the tunnel.

There are therefore two options to make this work, so that the FortiGate can reach the syslog server through the IPsec tunnel.


Option 1.

Set a specific source IP in the syslog configuration on FGT1, so that the syslog traffic arrives at FGT2 with a known source address (one that is covered by the tunnel's phase 2 selectors, typically the IP of FGT1's LAN interface).

The outgoing interface can also be specified.

Related document:
log syslogd setting

 

config log syslogd setting
    set source-ip x.x.x.x <-- Source IP address used for the syslog traffic (for example, the LAN interface IP).
    set interface-select-method specify <-- Specify how the outgoing interface to reach the server is selected.
    set interface "<FortiGate interface name>" <-- Outgoing interface to reach the server (for example, the IPsec tunnel interface).
end

 

Option 2.

Assign an IP address to the IPsec tunnel interface (with the peer's address as remote IP), so that the FortiGate's self-originated traffic is sourced from the tunnel IP. Make sure the phase 2 selectors cover the tunnel addresses, otherwise the packets will not match the tunnel.
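The following FortiOS CLI configuration is added here as a worked example and is not part of the original article. It shows both options end to end for the FGT1 -> IPsec VPN -> FGT2 -> syslog server topology, including the pieces on FGT2 that are easy to forget (return route and firewall policy). All names and addresses are assumptions for illustration: tunnel interfaces "to_FGT2" (on FGT1) and "to_FGT1" (on FGT2), LAN 192.168.10.0/24 with 192.168.10.1 on FGT1, syslog server 192.168.200.1 behind FGT2's "port2", and tunnel addresses 10.255.255.1 / 10.255.255.2 for option 2.

```fortios
# ===== FGT1 (log sender) =====

# Option 1: pin the syslog source IP and the outgoing interface.
# 192.168.10.1 = FGT1 LAN IP, "to_FGT2" = IPsec tunnel interface,
# 192.168.200.1 = syslog server behind FGT2 (all assumed values).
config log syslogd setting
    set status enable
    set server "192.168.200.1"
    set source-ip 192.168.10.1
    set interface-select-method specify
    set interface "to_FGT2"
end

# Option 2 (alternative to source-ip): give the tunnel interface an address.
# Self-originated traffic routed into the tunnel is then sourced from 10.255.255.1.
# On FGT2 configure the mirror image: ip 10.255.255.2, remote-ip 10.255.255.1.
config system interface
    edit "to_FGT2"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.255
    next
end

# Phase 2 selectors must include the source you chose (LAN IP for option 1,
# tunnel IP for option 2) and the syslog server. 0.0.0.0/0 (the default) covers
# both; if you narrow the selectors, keep the chosen source address inside them.
config vpn ipsec phase2-interface
    edit "to_FGT2_p2"
        set phase1name "to_FGT2"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Either option needs a route that sends the syslog server's subnet into the tunnel;
# this is what makes the tunnel the "least weighted" (selected) interface for local-out traffic.
config router static
    edit 0
        set dst 192.168.200.0 255.255.255.0
        set device "to_FGT2"
    next
end

# ===== FGT2 (in front of the syslog server) =====

# Return route for the source FGT1 uses (option 1: FGT1's LAN subnet).
# Without it FGT2's reverse-path check drops the packets arriving on the tunnel.
# For option 2 the peer tunnel IP is directly reachable through remote-ip, so no route is needed.
config router static
    edit 0
        set dst 192.168.10.0 255.255.255.0
        set device "to_FGT1"
    next
end

# Policy that lets the decrypted syslog packets out of the tunnel towards the server.
# "SYSLOG" is the built-in UDP/514 service object; "port2" is FGT2's LAN interface (assumed).
config firewall address
    edit "syslog_server"
        set subnet 192.168.200.1 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "syslog_from_FGT1"
        set srcintf "to_FGT1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "syslog_server"
        set action accept
        set schedule "always"
        set service "SYSLOG"
    next
end
```

If a custom syslog port is used, replace the "SYSLOG" service on FGT2 with a custom UDP service object for that port, and use the same port in the sniffer filters when verifying.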

 

If the logs still do not arrive after setting the source IP, verify that the FortiGate is actually using the specified source IP (the address of the local interface) and whether the logs are being forwarded at all, using the steps below:

 

  1. Run the sniffer from the CLI and verify the source IP and the interface the syslog packets leave on:

diagnose sniffer packet any "host x.x.x.x and port 514" 4 0 l

 

x.x.x.x is the syslog server IP. This example uses port 514, the default syslog port; if a custom port is configured, adjust the filter accordingly. Verbosity level 4 prints the interface name with each packet, so the output shows both the source IP and the outgoing interface.

 

  2. Run a packet capture on the IPsec tunnel interface from the FortiGate GUI. Refer to this article:

Using the packet capture tool.

 

  3. Because the syslog traffic is self-originated, it can also be verified in the Local Traffic log. Below is an example screenshot of the syslog entries: 192.168.10.1 is the source IP specified under the syslogd setting (the LAN interface IP) and 192.168.200.1 is the remote syslog server IP.

[Screenshot: syslog.PNG]
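The verification sequence below is added here as an example and is not part of the original article. It walks through the checks above on the CLI of both FortiGates, using the same assumed names as before (tunnel interface "to_FGT2" on FGT1, "to_FGT1" on FGT2, syslog server 192.168.200.1) and adds the route lookup and tunnel counters a practitioner would check when the sniffer shows the wrong source IP or no packets at all.

```fortios
# ===== FGT1 =====

# Generate test log messages so there is syslog traffic to observe.
diagnose log test

# Confirm the source IP and the egress interface of the syslog packets.
# Verbosity 4 prints the interface name; "0" captures until Ctrl-C; "l" prints local timestamps.
# Expected: source = the configured source-ip (or the tunnel IP for option 2), interface = to_FGT2.
diagnose sniffer packet any "host 192.168.200.1 and port 514" 4 0 l

# Confirm the packets actually enter the tunnel interface (plaintext is visible here)
# instead of leaving the WAN interface unencrypted.
diagnose sniffer packet to_FGT2 "host 192.168.200.1 and port 514" 4 0 l

# Check which route, and therefore which interface, is selected for the syslog server.
# If this does not point at to_FGT2, the source IP/interface settings cannot help; fix the route first.
get router info routing-table details 192.168.200.1

# Check that the phase 2 selectors cover the chosen source and the server, and that the
# tunnel is up; the encapsulation counters should increase while "diagnose log test" runs.
diagnose vpn tunnel list name to_FGT2

# ===== FGT2 =====

# Confirm the decrypted packets arrive on the tunnel interface and are forwarded to the LAN.
# If they arrive on to_FGT1 but never appear on the LAN interface, check the firewall policy
# and the return route for the source address (reverse-path check).
diagnose sniffer packet any "host 192.168.200.1 and port 514" 4 0 l
```

Stop each sniffer with Ctrl-C. Replace 514 in the filters with the custom port if one is configured in the syslogd setting.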


Related documents:

Configuring tunnel interfaces
Troubleshooting: Connection Failures between FortiGate and FortiAnalyzer/Syslog 

Technical Tip: FortiGate and syslog communication check

Technical Tip: How to perform a syslog and log test on a FortiGate with the 'diagnose log test' comm...)