Description
This article explains how to send FortiManager's local logs to a FortiAnalyzer.
Scope
FortiManager and FortiAnalyzer 5.0, 5.2, 5.4, 5.6, 6.0, 6.2, 7.0, 7.2.
Solution
It is possible to configure the FortiManager to send local logs to the FortiAnalyzer either by using the GUI or from the CLI.
1) Configuration from the GUI:
This option is available only if the FortiAnalyzer feature is enabled on the FortiManager.
Under System Settings -> Advanced -> Device Log Settings -> Local Device Log, enable the option to 'Send the local event logs to FortiAnalyzer/FortiManager' and enter the IP address of the FortiAnalyzer.
Choose the Upload Option and the Severity Level. Select Apply to save the settings.
2) Configuration from the CLI:
In FortiManager 5.0 or 5.2:
# config system log fortianalyzer
    set status {disable | enable}
    set ip <ipv4>
    set secure_connection {disable | enable}
    set localid <string>
    set psk <password_string>
    set username <username_string>
    set passwd <password_string>
    set auto_install {enable | disable}
end
# config system locallog fortianalyzer setting
    set status enable
    set severity {emergency | alert | critical | error | warning | notification | information | debug}
end
In FortiManager 5.4 and higher:
# config system locallog {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting
    set severity {emergency | alert | critical | error | warning | notification | information | debug}
    set server <FortiAnalyzer server FQDN, hostname, or IP address>
    set secure-connection {enable | disable}
    set status {disable | realtime | upload}
    set upload-time <hh:mm>
end
Once the configuration has been completed on the FortiManager, the FortiAnalyzer must also be configured to accept the FortiManager logs.
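To review the result, the following Python script is an added example (not part of the original article and not Fortinet tooling) that reads a saved copy of the 5.4-and-higher 'config system locallog ... setting' block and reports settings that leave local logs unforwarded or sent without the secure connection. It assumes the saved text uses the same layout as the CLI syntax above; the rules it applies (secure-connection must be enabled, severity must be 'notification' or more verbose) are this example's own policy, and SAMPLE is constructed input.

```python
import re
# Severity names in the order the article lists them, most severe first.
SEVERITIES = "emergency alert critical error warning notification information debug".split()
BLOCK_RE = re.compile(r"^\s*(?:#\s*)?config system locallog (fortianalyzer[23]?) setting\s*$")

def parse_locallog(text):
    """Return {block name: {option: value}} for each locallog fortianalyzer block."""
    blocks, current = {}, None
    for line in text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            current = blocks.setdefault(m.group(1), {})
        elif line.strip() == "end":
            current = None
        elif current is not None:
            parts = line.split(None, 2)
            if len(parts) == 3 and parts[0] == "set":
                current[parts[1]] = parts[2].strip().strip('"')
    return blocks

def audit(text, min_severity="notification"):
    """Return findings; min_severity is this example's policy, not a vendor default."""
    findings, blocks = [], parse_locallog(text)
    if not blocks:
        return ["no 'config system locallog fortianalyzer* setting' block found"]
    for name, opts in sorted(blocks.items()):
        status = opts.get("status")
        if status not in ("realtime", "upload"):
            findings.append(f"{name}: status is {status or 'not set'}, forwarding not confirmed")
            continue
        if not opts.get("server"):
            findings.append(f"{name}: no server set")
        if opts.get("secure-connection") != "enable":
            findings.append(f"{name}: secure-connection is not explicitly enabled")
        sev = opts.get("severity")
        if sev not in SEVERITIES or SEVERITIES.index(sev) < SEVERITIES.index(min_severity):
            findings.append(f"{name}: severity is {sev or 'not set'}, policy wants {min_severity} or more verbose")
    return findings

# Constructed sample input, not taken from a real device; 192.0.2.10 is a documentation address.
SAMPLE = """\
config system locallog fortianalyzer setting
    set severity error
    set server 192.0.2.10
    set secure-connection disable
    set status realtime
end
"""
print("\n".join(audit(SAMPLE)))
```

An option that is absent from the saved text is reported as not explicitly set, since the script cannot know the device default.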