Description
This article explains how to send FortiManager's local logs to a FortiAnalyzer.
Scope
FortiManager and FortiAnalyzer v5.0, v5.2, v5.4, v5.6, v6.0, v6.2, v7.0, v7.2.
Solution
It is possible to configure the FortiManager to send local logs to the FortiAnalyzer either by using the GUI or from the CLI.
- Configuration from the GUI.
This option is available only if the FortiAnalyzer feature is enabled in FortiManager.
Under System Settings -> Advanced -> Device Log Settings -> Local Device Log, enable the option to 'Send the local event logs to FortiAnalyzer/FortiManager' and enter the IP address of the FortiAnalyzer.
Choose the Upload Option and the Severity Level. Select Apply to save the settings.
- Configuration from the CLI.
In FortiManager v5.0 or v5.2:
config system log fortianalyzer
    set status {disable | enable}
    set ip <ipv4>
    set secure_connection {disable | enable}
    set localid <string>
    set psk <password_string>
    set username <username_string>
    set passwd <password_string>
    set auto_install {enable | disable}
end
config system locallog fortianalyzer setting
    set status enable
    set severity {emergency | alert | critical | error | warning | notification | information | debug}
end
In FortiManager v5.4 and higher:
config system locallog {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting
    set severity {emergency | alert | critical | error | warning | notification | information | debug}
    set server <FortiAnalyzer server FQDN, hostname, or IP address>
    set secure-connection {enable | disable}
    set status {disable | realtime | upload}
    set upload-time <hh:mm>
end
Once the configuration has been completed on the FortiManager, the FortiAnalyzer must also be configured to accept the FortiManager logs: the FortiManager needs to be authorized on the FortiAnalyzer before the FortiAnalyzer starts receiving its logs.
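To check the settings after applying them, the following Python sketch (an added example, not Fortinet code) parses saved CLI text in the v5.4 and higher syntax shown above and lists the slots that are disabled, have no server, or have secure-connection set to disable. The sample text, its indentation and the address 192.0.2.10 are constructed, and the script assumes the text looks like the command blocks above with concrete values filled in.

```python
import re

# Constructed sample in the v5.4+ syntax above; 192.0.2.10 is a documentation address.
SAMPLE = """\
config system locallog fortianalyzer setting
    set severity information
    set server "192.0.2.10"
    set secure-connection disable
    set status realtime
end
config system locallog fortianalyzer2 setting
    set status disable
end
"""

BLOCK = re.compile(r"^config system locallog (fortianalyzer[23]?) setting$")

def parse_locallog(text):
    """Return {slot: {key: value}} for each locallog fortianalyzer block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = BLOCK.match(line)
        if m:
            current = blocks.setdefault(m.group(1), {})
        elif line == "end":
            current = None
        elif current is not None and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                current[parts[1]] = parts[2].strip('"')
    return blocks

def audit(text):
    """Return findings, judging only values explicitly present in the text."""
    blocks = parse_locallog(text)
    if not blocks:
        return ["no locallog fortianalyzer block found"]
    findings = []
    for slot, cfg in sorted(blocks.items()):
        if cfg.get("status") in (None, "disable"):
            findings.append(f"{slot}: status is {cfg.get('status', 'not set')}")
            continue
        if not cfg.get("server"):
            findings.append(f"{slot}: sending enabled but no server set")
        if cfg.get("secure-connection") == "disable":
            findings.append(f"{slot}: secure-connection is disable")
    return findings
```

Calling audit(SAMPLE) returns one finding per slot; a key that does not appear in the text is reported as not set rather than assumed to have any particular value.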