Description
This article explains how to enable FortiAnalyzer Logging on FortiGate via FortiManager.
Scope
FortiManager, FortiGate, FortiAnalyzer.
Solution
There are multiple ways to achieve this:
- Device database GUI.
- Device database CLI Configurations.
- System Template. <- Multiple FortiGates.
- CLI Template. <- Multiple FortiGates.
- CLI Script. <- Multiple FortiGates.
- Check the FortiGate first. In this case, it does not have 'logging' enabled to FortiAnalyzer:
get log fortianalyzer setting
- Device database GUI:
- Go under Device Manager -> Device & Groups -> Managed FortiGate, and select FortiGate -> Log & Report -> Log Settings (if Log & Report is not visible, enable it using the 'Feature Visibility' option). There is no option to set the serial number of the FortiAnalyzer here.
- Use the 'Install Wizard' and push the changes to the FortiGate. Repeat the process for all FortiGates.
- Select 'Install Preview' to see if FortiManager is pushing the correct config to the FortiGate.
- If the config is correct, select Close.
- The install is successful:
- On the FortiGate, go to Security Fabric -> Fabric Connectors -> FortiAnalyzer Logging:
- A window will appear to verify the serial number of the FortiAnalyzer:
Note:
In the FortiGate GUI under FortiAnalyzer Status, the "Log queued" and "Failed logs" status indicate the following:
Log queued: This represents the number of logs currently waiting to be sent from the FortiGate to the connected FortiAnalyzer. Logs may be queued due to network delays, FortiAnalyzer being temporarily unavailable, or heavy log traffic.
Failed logs: This shows the number of logs that failed to be sent to FortiAnalyzer. Failures are typically due to connectivity issues, FortiAnalyzer being offline, or the queue buffer on the FortiGate being full.
- On FortiAnalyzer ('root' ADOM), under Device Manager, the FortiGates now appear as unauthorized devices:
- Select the FortiGate and select Authorize:
- Select the ADOM the device should be authorized to and assign names for the devices, select OK.
- Devices are successfully authorized, select Close:
- The FortiGate will now show as UP in FortiAnalyzer and send the logs:
- Device Database CLI Configurations
- Go under Device Manager -> Devices & Groups -> Managed FortiGates, select the FortiGate -> CLI Configurations.
- Search for 'log', select 'fortianalyzer' -> Setting
- Set the serial of FortiAnalyzer and the IP address under server.
- Toggle the status button to enable.
- Select Apply.
- Use the Install Wizard to push config: Install device settings only.
- The FortiGate will show up in FortiAnalyzer as unauthorized, which then can be authorized to any ADOM.
- System Template (can be assigned to multiple devices)
- Go under Device Manager -> Provisioning Templates -> System Templates, select 'Create New', and select Blank Template or default template:
- Scroll down and toggle the Log Settings button to enable and enable 'Send Logs to FortiAnalyzer/FortiManager'
- From 'Send to' select the appropriate option and select OK to save.
This FortiManager: Select this option if the current FortiManager has the FortiAnalyzer Features enabled and can receive logs. Refer to this article for FortiAnalyzer Features in FortiManager: Technical Tip: How to enable FortiAnalyzer features in FortiManager
Specify IP Address: Set the IP address of the external FortiAnalyzer.
Managed FortiAnalyzer: Select this option if FortiManager is managing a FortiAnalyzer. A drop-down will appear to select the managed FortiAnalyzer.
Note:
The 'Specify Serial Number' option is not available in System Templates in FortiManager v7.4, nor in older versions.
- Select the newly created template and select 'Assign to Device/Group':
- Select the FortiGate(s) and select the right arrow in the middle:
- A message appears confirming the template has been assigned:
- Go under Device & Groups -> Managed FortiGate. The FortiGate status is now showing as modified and under the column 'Provisioning Templates' the system template is now showing:
- CLI Templates (can be assigned to multiple devices)
- Go under Device Manager -> Provisioning Templates -> CLI -> Create New -> CLI Template:
- Create the below script in the Script Details, select OK to save:
config log fortianalyzer setting
set status enable
set server "<FAZ IP address>"
set serial "<FAZ Serial Number>"
set reliable enable
set upload-option realtime
end
- Select the CLI Template and select 'Assign to Device/Group':
- It lists all the FortiGates including VDOMs (e.g. global and root VDOMs for the same FortiGate-81E). Select the desired FortiGates/VDOMs and select the right arrow:
- A message appears confirming the template has been assigned:
- Go under Device & Groups -> Managed FortiGate. The FortiGate status is now showing as modified and under the column 'Provisioning Templates' the CLI template is now showing:
- CLI Script (can run on multiple devices).
- Go to Device Manager -> Scripts -> Create New -> Script.
- Create the below script and select Run script on 'Device Database' (it is also possible to select Run on 'Remote FortiGate Directly', in which case pushing the config to the FortiGate is not required):
config global <----- Required only if FortiGate has VDOMs enabled.
config log fortianalyzer setting
set status enable
set server "<FAZ IP address>"
set serial "<FAZ Serial Number>"
set reliable enable
set upload-option realtime
end
end <----- Required only if 'config global' is used above.
- Select the FortiGate (can select multiple) to run the script on then select the right arrow in the middle:
- To confirm the change on the Device Database, go under Device Manager -> Device & Groups -> Managed FortiGate, select the FortiGate -> CLI Configurations -> Search for 'log', select 'fortianalyzer' -> Setting.
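To confirm the result on many FortiGates at once, the output of 'get log fortianalyzer setting' collected from each device can be compared against the values the CLI template above pushes. The following is an added example, not part of the original article or any Fortinet tooling; the device names and sample outputs are constructed, and the server IP and serial are placeholders.

```python
import re
import shlex

# Values pushed by the article's CLI template. The server IP and serial are
# placeholders (assumptions); substitute the real FortiAnalyzer values.
EXPECTED = {
    "status": "enable",
    "server": "192.0.2.10",
    "serial": "FAZ-SERIAL-PLACEHOLDER",
    "reliable": "enable",
    "upload-option": "realtime",
}

# Constructed sample output of 'get log fortianalyzer setting' per device.
SAMPLES = {
    "fgt-branch-1": """status              : enable
server              : 192.0.2.10
serial              : "FAZ-SERIAL-PLACEHOLDER"
reliable            : enable
upload-option       : realtime""",
    "fgt-branch-2": "status              : disable",
    "fgt-branch-3": """status              : enable
server              : 192.0.2.10
serial              : "FAZ-SERIAL-PLACEHOLDER"
reliable            : disable
upload-option       : 5-minute""",
}

def parse_get_output(text):
    """Map each 'key : value' line to its list of (possibly quoted) values."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+)\s*:\s*(.*)$", line)
        if m:
            settings[m.group(1)] = shlex.split(m.group(2))
    return settings

def audit(text, expected=EXPECTED):
    """Return (key, expected, actual) for every setting that differs."""
    actual = parse_get_output(text)
    if actual.get("status") != ["enable"]:
        # Logging is off, so the remaining fields do not matter yet.
        return [("status", "enable", " ".join(actual.get("status", [])))]
    return [(k, v, " ".join(actual.get(k, [])))
            for k, v in expected.items() if v not in actual.get(k, [])]

if __name__ == "__main__":
    for device, output in SAMPLES.items():
        print(device, audit(output) or "OK")
```

An empty list means the device matches the template; a device that reports only the status entry is not sending logs to FortiAnalyzer at all.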