FortiGate
bbae
Staff
Article Id 416417
Description

This article describes an issue where sending syslog to a server configured by FQDN stops working after upgrading to FortiGate v7.4.8.

Scope

FortiGate v7.4.
Solution

As of v7.4.8, FortiGate does not cache FQDNs whose A record has a DNS TTL (Time To Live) of 0.

Because it holds no cache entry for such an FQDN, it should send a DNS query for the FQDN every time before sending a syslog message.

However, FortiGate does not send that DNS query, so the syslog message is never delivered; this is considered a bug.

Note that this issue will be fixed in the upcoming FortiGate release v7.4.10.


To resolve the issue of syslog to an FQDN not working after upgrading to FortiGate v7.4.8, follow these steps:

  1. Check the DNS response for the FQDN and verify whether the A record TTL is 0.

     If the TTL is 0, the FortiGate will not cache the resolved IP address and will not even send the DNS query for the syslog FQDN; this behavior is confirmed as a bug.

config log syslogd setting
    set status enable
    set server "docker.lab.com"
    set mode udp
    set port 514
    set facility local7
    set source-ip ''
    set format cef
    set priority default
    set max-log-rate 0
    set interface-select-method auto
end

  2. Verify that the FortiGate is configured to send syslog messages to the correct FQDN.

  3. Either set the IP address instead of the FQDN in the syslog configuration, or set the A record TTL on the DNS server to a value other than 0.

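As an added check (this script is not from the article or from Fortinet), the following Python code applies the decision above offline: it reads the "set server" value from a syslogd setting block and, if that value is an FQDN rather than an IP literal, parses the answer section of a "dig <fqdn> A" run to see whether any A record carries a TTL of 0. The dig lines and the 192.0.2.10 address are constructed sample data.

```python
import ipaddress
import re
# The syslogd block from the article, embedded here as sample input.
SYSLOGD_CONFIG = """\
config log syslogd setting
    set status enable
    set server "docker.lab.com"
    set port 514
end
"""

# Constructed 'dig docker.lab.com A' answer-section lines (not real DNS data).
DIG_ANSWER_TTL0 = "docker.lab.com.\t0\tIN\tA\t192.0.2.10"
DIG_ANSWER_TTL300 = "docker.lab.com.\t300\tIN\tA\t192.0.2.10"

def syslog_server(config):
    """Return the 'set server' value from a syslogd setting block, or None."""
    m = re.search(r'^\s*set server\s+"?([^"\s]+)"?\s*$', config, re.MULTILINE)
    return m.group(1) if m else None

def is_ip_literal(value):
    """True if the configured server is an IP literal rather than an FQDN."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def a_record_ttls(fqdn, dig_answer):
    """TTLs of fqdn's A records in dig's answer section (owner TTL class type rdata)."""
    ttls = []
    for line in dig_answer.splitlines():
        parts = line.split()
        if (len(parts) >= 5 and parts[0].rstrip(".").lower() == fqdn.lower()
                and parts[2] == "IN" and parts[3] == "A"):
            ttls.append(int(parts[1]))
    return ttls

def assess(config, dig_answer):
    """'ok-ip', 'ok-ttl', 'affected' (TTL 0 on v7.4.8), 'no-answer' or 'no-server'."""
    server = syslog_server(config)
    if server is None:
        return "no-server"
    if is_ip_literal(server):
        return "ok-ip"        # an IP literal never goes through FQDN resolution
    ttls = a_record_ttls(server, dig_answer)
    if not ttls:
        return "no-answer"    # no A record seen: resolve the name before judging
    return "affected" if min(ttls) == 0 else "ok-ttl"
```

Run assess() against the real "config log syslogd setting" output and the real dig answer; "affected" means the unit will hit the v7.4.8 behavior until it is upgraded, the server is set by IP, or the TTL is raised.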

Even in the fixed version, note that a DNS TTL value of 0 is not recommended, as it increases DNS traffic and DNS server load. For a logging server, every log delivery would trigger a DNS query, which can cause performance issues and unreliable log delivery.
