Created on 11-23-2020 03:24 AM Edited on 09-26-2024 10:44 PM By Jean-Philippe_P
Description
This article describes connecting the Syslog server over IPSEC VPN and sending VPN logs.
Scope
FortiGate.
Solution
Example topology: FGT1 -> IPsec VPN -> FGT2 -> Syslog server.
In this scenario the syslog traffic is self-originated by FGT1, so the FortiGate sends it out of the lowest weighted interface, which is not necessarily the IPsec tunnel.
There are two options to make the FortiGate reach the syslog server through the IPsec tunnel.
Option 1.
Use a particular source IP in the syslog configuration on FGT1, so that the traffic to the syslog server reaches FGT2 with that particular source address.
Related document:
log syslogd setting
config log syslogd setting
    set source-ip x.x.x.x    <-- IP address used as the source of the syslog traffic.
end
Option 2.
Assign an IP address to the IPsec tunnel interface so that the FortiGate's self-originated traffic is sent with the tunnel IP address as its source.
If issues persist after adding the source IP, verify that the specified source IP of the local interface is actually being used, and check whether the logs are being forwarded, with the following sniffer command:
diagnose sniffer packet any "host x.x.x.x and port 514" 4 0 l
x.x.x.x is the Syslog server IP. This example uses port 514; if a custom port is configured, adjust the filter accordingly.
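As an added example that is not part of the original article, the following script parses the verbose level 4 output of the sniffer command above and reports whether the outbound syslog packets carry the expected source IP and leave via the expected tunnel interface. The sample output, the syslog server 10.20.30.40, the source IP 10.0.0.1 and the tunnel name to_FGT2 are constructed assumptions, not values from the article.

```python
import re
from typing import Dict, List, Optional

# Constructed sample output (not captured from a real device) of:
#   diagnose sniffer packet any "host 10.20.30.40 and port 514" 4 0 l
# Verbose level 4 prints the interface, direction, source and destination of each packet.
# Assumed values: 10.20.30.40 = syslog server behind FGT2, 10.0.0.1 = source-ip / tunnel
# IP on FGT1, to_FGT2 = IPsec tunnel interface name. The first line shows the failure
# mode the article describes: a packet leaving the WAN port with the wrong source.
SAMPLE_SNIFFER_OUTPUT = """\
2020-11-23 03:24:01.100000 port1 out 203.0.113.1.5140 -> 10.20.30.40.514: udp 160
2020-11-23 03:24:02.200000 to_FGT2 out 10.0.0.1.5140 -> 10.20.30.40.514: udp 158
2020-11-23 03:24:03.300000 to_FGT2 out 10.0.0.1.5140 -> 10.20.30.40.514: udp 161
"""

# One packet-header line of verbose-4 sniffer output.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<proto>\w+) (?P<length>\d+)$"
)


def parse_sniffer(output: str) -> List[Dict[str, str]]:
    """Parse packet-header lines; non-matching lines (hex dumps, prompts) are skipped."""
    packets = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets


def check_syslog_source(output: str, expected_src: str, syslog_server: str,
                        port: int = 514, tunnel_intf: Optional[str] = None) -> Dict[str, object]:
    """Count outbound syslog packets that leave with the expected source IP (and, if
    given, via the expected tunnel interface) and collect the ones that do not."""
    result = {"total": 0, "ok": 0, "wrong_source": [], "wrong_interface": []}
    for p in parse_sniffer(output):
        if p["dir"] != "out" or p["dst"] != syslog_server or p["dport"] != str(port):
            continue  # not syslog traffic towards the server
        result["total"] += 1
        if p["src"] != expected_src:
            result["wrong_source"].append((p["intf"], p["src"]))
        elif tunnel_intf and p["intf"] != tunnel_intf:
            result["wrong_interface"].append((p["intf"], p["src"]))
        else:
            result["ok"] += 1
    return result
```

Paste the real sniffer output in place of the sample; any entry in wrong_source or wrong_interface means the source-ip or tunnel IP setting is not taking effect for that packet.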
Related documents:
Configuring tunnel interfaces
Troubleshooting: Connection Failures between FortiGate and FortiAnalyzer/Syslog
Copyright 2024 Fortinet, Inc. All Rights Reserved.