Created on 07-06-2023 08:04 AM Edited on 09-22-2023 01:00 AM By Jean-Philippe_P
This article describes how to set up a syslog to keep track of all changes made under the FortiManager.
Note: The same settings are available under FortiAnalyzer.
Scope: FortiManager and FortiAnalyzer.
Syslog is a common format for event logs. It uses UDP / TCP on port 514 by default.
Depending on the server's capabilities, a custom certificate can be used to create a TLS connection.
Syslog is used for system management and security auditing as well as general information, analysis, and debugging messages.
Syslog uses a client-server architecture where a Syslog server listens for and logs messages coming from clients.
The message is labeled with a facility code, indicating the type of system generating the message, and is assigned a severity level.
There are a few main formats: BSD, CSV and CEF (CEF only under FortiAnalyzer, or FortiManager with the FortiAnalyzer feature enabled).
The configuration consists of two parts.
To set up the settings of syslog server (IP, UDP/TCP, Port, Certificate):
config system syslog
(syslog)# edit Syslog_net_vlan2
new entry 'Syslog_net_vlan2' added
(Syslog_net_vlan2)# set ?
*ip Syslog server IP address or hostname.
local-cert Select the local certificate used for a secure connection.
peer-cert-cn Certificate common name of syslog server. null or '-' means not checking the certificate CN of the syslog server.
*port Syslog server port.
*reliable Enable/disable reliable connection with syslog server.
secure-connection Enable/disable connection secured by TLS/SSL.
Under the GUI:
System Settings -> Advanced -> Syslog Server -> Create New.
The other part is to configure the 'syslogd' settings (Syslog name, Status, Severity, Reliable, Facility).
Note: Up to 3 syslogd servers can be set up, and they can send log data simultaneously.
config system locallog syslogd setting
(setting)# set ?
cert Select the local certificate used for a secure connection.
csv CSV format.
facility Remote syslog facility.
reliable Enable/disable reliable real-time logging.
severity Least severity level to log.
status Remote syslog log.
syslog-name Remote syslog server name.
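The facility code and severity level described earlier, and the 'severity' setting above (the least severe level that is still logged), can be checked against real traffic with a small parser. The following Python example is added here and is not Fortinet code or part of the original article. It assumes the BSD format, where every message starts with a <PRI> header and PRI = facility * 8 + severity (standard syslog numbering); the sample lines are constructed for illustration and do not reproduce actual FortiManager message bodies.

```python
import re
from dataclasses import dataclass

# Facility and severity names use the standard syslog numbering (RFC 3164 / RFC 5424).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    severity_code: int  # 0 = most severe (emergency), 7 = least severe (debug)
    body: str


def decode_pri(pri: int) -> tuple:
    """Split a PRI value into (facility code, severity code): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def parse(line: str) -> SyslogMessage:
    """Parse one BSD-format line such as '<37>Jul  6 08:04:00 host prog: text'."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line does not start with a <PRI> header")
    fac, sev = decode_pri(int(m.group(1)))
    return SyslogMessage(FACILITIES[fac], SEVERITIES[sev], sev, m.group(2))


def passes_filter(msg: SyslogMessage, least_severity: str = "debug") -> bool:
    """Mirror the 'severity' setting (least severity level to log): keep messages at
    that level or more severe, i.e. with a numeric code <= the threshold."""
    return msg.severity_code <= SEVERITIES.index(least_severity)


def filter_lines(lines, least_severity: str = "debug"):
    """Return the parsed messages that would be logged at the given threshold."""
    return [m for m in (parse(l) for l in lines) if passes_filter(m, least_severity)]


# Constructed sample lines (not real FortiManager output); the PRI values were
# chosen to exercise different facilities and severities.
SAMPLE_LINES = [
    "<37>Jul  6 08:04:00 fmg admin: login from 10.0.0.5",          # 4*8+5: auth / notice
    "<46>Jul  6 08:04:10 fmg logfwd: heartbeat",                    # 5*8+6: syslog / info
    "<43>Jul  6 08:05:00 fmg cfg: failed to apply policy package",  # 5*8+3: syslog / error
    "<47>Jul  6 08:05:01 fmg cfg: debug trace",                     # 5*8+7: syslog / debug
]

if __name__ == "__main__":
    # With 'severity warning' only the error line survives the filter.
    for msg in filter_lines(SAMPLE_LINES, "warning"):
        print(msg.facility, msg.severity, msg.body)
```

Running the block with the threshold set to "warning" keeps only the error message, which is the same behaviour as setting 'severity warning' under the syslogd settings; with the default "debug" everything is forwarded. Feeding it lines captured on the syslog server shows whether the facility configured with 'set facility' is the one that actually arrives.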
There is an option to send only specific information to the syslog server with the filter options.
Example:
The following steps will provide the basic setup of the syslog service.
System Settings (1) -> Advanced (2) -> Syslog Server (3) -> Create New (4).
The same settings under the CLI:
config system syslog
edit "Syslog_net_vlan2"
set ip "10.5.49.73"
set reliable enable
next
end
The next step is to set and enable the same under the 'syslogd' settings.
config system locallog syslogd setting
(setting)# get
cert : (null)
csv : disable
facility : syslog
reliable : disable
severity : debug
status : enable
syslog-name : Syslog_net_vlan2
Troubleshooting:
The following commands will provide the current configuration regarding 'syslog'.
get system syslog
get system locallog syslogd setting
To test the current syslog configuration:
diagnose test connection syslogserver <server-name>
diagnose test application logfwd <integer> ...
Logfwd daemon test usage:
diagnose debug application logfwd <integer> Set the debug level of the logfwd.
diagnose debug enable
After the test:
diagnose debug disable
diagnose debug reset
If the connection between the FortiManager and the syslog server is plain (without TLS/SSL and a certificate), the sniffer tool can be used to capture the output.
Use the packet capturing options in the FortiManager under the GUI System settings -> Network Interfaces -> Packet capture.
Or under CLI:
diagnose sniffer packet any "host x.x.x.x and port 514" 3 0 a
Also, basic network checks should be made.
diagnose system route list
execute ping x.x.x.x
execute telnet x.x.x.x 514
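The checks above run on the FortiManager side. To confirm on the server side that messages actually arrive, and to see the difference between the UDP transport and the TCP transport selected by 'set reliable enable', the following Python example is added here (it is not Fortinet code and not part of the original article). It assumes newline-terminated framing for messages sent over TCP and uses a constructed test message; the listeners bind to loopback on an OS-chosen port so the block runs stand-alone, whereas a real receiver would bind port 514 on the interface the FortiManager reaches.

```python
import socket

# Constructed test message; in production the sender is the FortiManager's logfwd daemon.
TEST_MESSAGE = "<46>Jul  6 08:04:10 fmg logfwd: delivery check"


def udp_listener(host="127.0.0.1", port=0):
    """Bind a UDP socket (port 0 = let the OS pick; use 514 on a real server)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, port))
    return s


def tcp_listener(host="127.0.0.1", port=0):
    """Bind and listen on a TCP socket; this is what a 'reliable' sender connects to."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(1)
    return s


def send_udp(host, port, message):
    """One datagram per message: no delivery confirmation, which is why it is not 'reliable'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as c:
        c.sendto(message.encode(), (host, port))


def send_tcp(host, port, message):
    """Send one newline-terminated message over TCP (assumed framing for this example)."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        c.sendall((message + "\n").encode())


def recv_udp(sock, timeout=2.0):
    """Return (message, sender address) for the next datagram, or raise socket.timeout."""
    sock.settimeout(timeout)
    data, peer = sock.recvfrom(65535)
    return data.decode(), peer[0]


def recv_tcp(listener, timeout=2.0):
    """Accept one connection and read until the sender closes; strip the trailing newline."""
    listener.settimeout(timeout)
    conn, peer = listener.accept()
    with conn:
        conn.settimeout(timeout)
        chunks = []
        while True:
            d = conn.recv(4096)
            if not d:
                break
            chunks.append(d)
    return b"".join(chunks).decode().rstrip("\n"), peer[0]


def loopback_check(message=TEST_MESSAGE):
    """Send the message to a UDP and a TCP listener on loopback and return what each received."""
    result = {}
    with udp_listener() as u:
        send_udp("127.0.0.1", u.getsockname()[1], message)
        result["udp"] = recv_udp(u)[0]
    with tcp_listener() as t:
        send_tcp("127.0.0.1", t.getsockname()[1], message)
        result["tcp"] = recv_tcp(t)[0]
    return result


if __name__ == "__main__":
    print(loopback_check())
```

On a real syslog server, bind the listener of the transport the FortiManager is configured for (UDP, or TCP when 'reliable' is enabled), run the 'diagnose test connection syslogserver' command from the FortiManager, and check that the message and the expected source address show up; a timeout at this point isolates the problem to the network path or the FortiManager settings rather than the server's log pipeline.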
Note: Command parameters are case-sensitive. Quotes are always used around parameters, as in this example: 'my_Account'.