Description
This article describes how to send FortiManager local event logs to FortiAnalyzer without enabling FortiAnalyzer features.
Scope
FortiManager, FortiAnalyzer.
Solution
Enabling FortiAnalyzer Features in FortiManager consumes system resources and with some other circumstances, will disable these features permanently which causes limitations.
It is necessary to disable FortiAnalyzer features before forming a FortiManager HA:
FortiManager verifies if FortiAnalyzer features are disabled before forming HA cluster
Despite the limitations that accidentally occur, the objective to send FortiManager local event logs to FortiAnalyzer without enabling FortiAnalyzer features can be done by following steps:
Configuration in FortiManager:
- Configure Syslog Server (FAZ) in System Settings -> Syslog Server -> Create New.
It is possible to define in CLI:
config system syslog
edit "faz"
set ip "10.47.X.X"
next
end
- Enable sending local logs to Syslog Server (FAZ) in CLI:
config system locallog syslogd setting
set severity information
set status enable
set syslog-name "faz"
end
Action in FortiAnalyzer:
- Authorize FortiManager in Device Manager
- View the logs in Log View -> FortiManager -> Event, it will probably take some time to populate the logs:
- Trigger the logs by sending the Test log from FortiManager:
Related articles:
How to send local FortiManager logs to a FortiAnalyzer
Configure FortiManager to send logs to a syslog server
How to send FortiManager local event logs to FortiAnalyzer FortiManager/FortiAnalyzer local event logs setup for the external SYSLOG server
