FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
thiago_FTNT
Staff
Article Id 191412

Description

 

This article provides the commands to configure FortiManager/FortiAnalyzer to send its local logs (the unit's own events, not logs from managed devices) to a syslog server. The procedure changed in release 5.0.7.

With release 5.0.7 and above it is a two-step process: the first step can be done via GUI or CLI; the second step is CLI only.
 
Scope
 
FortiManager v4.3.x, v7.0.x, v7.2.x and v7.4.x.


Solution

 

CLI commands are:

 

config fmsystem locallog syslogd setting
    set server <IP address> Address of remote syslog server
    set severity <emergency | alert | critical | error | warning | notification | information | debug> (Least severity level to log)
    set status <enable | disable>
    set csv Whether to enable CSV.
    set facility Which facility for remote syslog.
    set port Port that server listens at
end

 

FortiManager v5.0.x, up to v5.0.6.

 

CLI commands are:

 

config system locallog syslogd setting
    set server <IP address> Address of remote syslog server
    set severity <emergency | alert | critical | error | warning | notification | information | debug> (Least severity level to log)
    set status <enable | disable>
    set csv Whether to enable CSV.
    set facility Which facility for remote syslog.
    set port Port that server listens at.
end

 

Note:

The default severity for remote logging is 'notification'. To forward all local logs, the severity must be changed to 'information'.

 

FortiManager v5.0.7 and above.

First the syslog server is defined, then FortiManager is configured to send its local logs to that server.

 

Step 1: Define Syslog servers.

This can be done through the GUI in System Settings -> Advanced -> Syslog Server.

 

[Screenshot: Syslog Server page under System Settings -> Advanced]


FortiManager v7.0.x and v7.2.x.

 

[Screenshot: Syslog Server settings, FortiManager v7.0.x and v7.2.x]

 

FortiManager v7.4.x and above.

 

[Screenshot: Syslog Server settings, FortiManager v7.4.x and above]

 

Note:

 

Reliable Connection

Enables or disables a reliable (TCP) connection to the syslog server. The default is disabled.

Secure Connection

Enables or disables securing the connection with TLS/SSL. The default is disabled.

This option is only available when Reliable Connection is enabled.

Local Certificate CN

Select one of the available local certificates to use for the secure connection: Fortinet_Local or Fortinet_Local2. The default is Fortinet_Local.

This option is only available when Secure Connection is enabled.

Peer Certificate CN

Enter the certificate common name (CN) of the syslog server. Null means no certificate CN is set for the syslog server.

This option is only available when Secure Connection is enabled.

 

The server can also be defined with CLI commands:

 

config system syslog
    edit <server name>
        set ip <syslog server IP>
    next
end

 

Example:

 

config system syslog
    edit Syslog-serv1
        set ip 11.11.11.11
        set reliable enable
        set secure-connection enable
        set local-cert <Certificate Name>
        set peer-cert-cn <Peer Certificate CN>
    next
end

 

Note:

Reliable is disabled by default. Enabling it switches the transport to TCP/514, but it must be enabled in both places (the syslog server definition and the locallog syslogd setting); otherwise logging falls back to UDP/514.

 

Step 2: Enable sending FortiManager local logs to the Syslog server.

This can only be configured via CLI with commands:

 

config system locallog syslogd setting
    set syslog-name <remote syslog server name, defined in the previous step>
    set severity <emergency | alert | critical | error | warning | notification | information | debug> (Least severity level to log)
    set status <enable | disable>
    set csv Whether to enable CSV.
    set facility Which facility for remote syslog.
    set port Port that server listens at.
end

 

Example:

 

config system locallog syslogd setting
   set severity information
   set status enable
   set syslog-name "Syslog-serv1"
end

 

(setting)# get
cert : (null)
csv : disable
facility : local7
reliable : disable
severity : notification
status : enable
syslog-name : Syslog-serv1

 

Debug:

 

diagnose debug application logd 8
diagnose debug enable
diagnose test connection syslog <Syslog server name>
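An added consistency check, not part of the article, for the two configuration scopes described above: it parses `get`-style output from `config system syslog` and `config system locallog syslogd setting` and reports the mismatches the notes warn about (undefined syslog-name, reliable enabled on one side only, secure-connection without reliable or peer-cert-cn, severity left at notification). The sample output is constructed, modelled on the article's `(setting)# get` listing.

```python
from typing import Dict, List
# Constructed sample output, modelled on the article's "(setting)# get" listing.
SERVER_GET = """\
ip : 11.11.11.11
reliable : enable
secure-connection : disable
peer-cert-cn : (null)
"""
LOCALLOG_GET = """\
cert : (null)
csv : disable
facility : local7
reliable : disable
severity : notification
status : enable
syslog-name : Syslog-serv1
"""

def parse_get(text: str) -> Dict[str, str]:
    """Turn 'key : value' lines into a dict; '(null)' becomes an empty string."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            value = value.strip()
            settings[key.strip()] = "" if value == "(null)" else value
    return settings

def check_syslog_config(servers: Dict[str, Dict[str, str]],
                        locallog: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the two scopes agree."""
    findings = []
    name = locallog.get("syslog-name", "")
    if name not in servers:
        return [f"syslog-name '{name}' is not defined under config system syslog"]
    server = servers[name]
    if server.get("reliable") != locallog.get("reliable"):
        findings.append("reliable differs between server and locallog setting: "
                        "transport falls back to UDP/514")
    if server.get("secure-connection") == "enable":
        if server.get("reliable") != "enable":
            findings.append("secure-connection requires reliable to be enabled")
        if not server.get("peer-cert-cn"):
            findings.append("secure-connection enabled but peer-cert-cn is null")
    if locallog.get("severity") == "notification":
        findings.append("severity is 'notification': set 'information' to send all local logs")
    return findings

def run_check() -> List[str]:
    # Server name taken from the article's example; output text is constructed.
    return check_syslog_config({"Syslog-serv1": parse_get(SERVER_GET)}, parse_get(LOCALLOG_GET))
```

Paste the real `get` output of each scope into the two strings to check a live unit.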